Skip to content

A Kubernetes controller to manage configs with a mix of secret and non-secret data

License

Notifications You must be signed in to change notification settings

machinezone/configmapsecrets

Repository files navigation

ConfigMapSecrets

Release API Reference Go Report Card License

Problem

I have a config that contains a mixture of secret and non-secret data. For some reason I can't use environment variables to reference the secret data. I want to check my config into source control, keep my secret data secure, and keep my non-secret data easily readable and editable.

Solution

Use a ConfigMapSecret which is safe to store in source control. It's like a ConfigMap that includes your non-secret data, but it can reference Secret variables, similar to how container args can reference env variables. The controller will expand and render it into a Secret in the same namespace, keeping it updated to reflect changes to the ConfigMapSecret or its referenced variables.

Use SealedSecrets to keep your referenced Secret data secure.

Installation

kubectl apply -f manifest/*.yaml

Example

Input

apiVersion: secrets.mz.com/v1alpha1
kind: ConfigMapSecret
metadata:
  name: alertmanager-config
  namespace: monitoring
  labels:
    app: alertmanager
spec:
  template:
    metadata:
      # optional: name defaults to same as ConfigMapSecret
      name: alertmanager-config
      labels:
        app: alertmanager
    data:
      alertmanager.yaml: |
          global:
            resolve_timeout: 5m
            opsgenie_api_key: $(OPSGENIE_API_KEY)
            slack_api_url: $(SLACK_API_URL)
          route:
            receiver: default
            group_by: ["alertname", "job", "team"]
            group_wait: 30s
            group_interval: 5m
            repeat_interval: 12h
            routes:
              - receiver: foobar-sre
                match:
                  team: foobar-sre
              - receiver: widget-sre
                match:
                  team: widget-sre
          receivers:
            - name: default
              slack_configs:
                - channel: unrouted-alerts
            - name: foobar-sre
              opsgenie_configs:
                - responders:
                    - name: foobar-sre
                      type: team
              slack_configs:
                - channel: foobar-sre-alerts
            - name: widget-sre
              opsgenie_configs:
                - responders:
                    - name: widget-sre
                      type: team
              slack_configs:
                - channel: widget-sre
  vars:
    - name: OPSGENIE_API_KEY
      secretValue:
        name: alertmanager-keys
        key: opsgenieKey
    - name: SLACK_API_URL
      secretValue:
        name: alertmanager-keys
        key: slackURL
---
apiVersion: v1
kind: Secret
metadata:
  name: alertmanager-keys
  namespace: monitoring
  labels:
    app: alertmanager
stringData:
  opsgenieKey: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
  slackURL: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
type: Opaque

Output

apiVersion: v1
kind: Secret
metadata:
  name: alertmanager-config
  namespace: monitoring
  labels:
    app: alertmanager
stringData:
  alertmanager.yaml: |
    global:
      resolve_timeout: 5m
      opsgenie_api_key: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
      slack_api_url: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
    route:
      receiver: default
      group_by: ["alertname", "job", "team"]
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 12h
      routes:
        - receiver: foobar-sre
          match:
           team: foobar-sre
        - receiver: widget-sre
          match:
            team: widget-sre
    receivers:
      - name: default
        slack_configs:
          - channel: unrouted-alerts
      - name: foobar-sre
        opsgenie_configs:
          - responders:
              - name: foobar-sre
                type: team
        slack_configs:
          - channel: foobar-sre
      - name: widget-sre
        opsgenie_configs:
          - responders:
              - name: widget-sre
                type: team
        slack_configs:
          - channel: widget-sre
type: Opaque

About

A Kubernetes controller to manage configs with a mix of secret and non-secret data

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published