Securely sync secrets and environment variables with Phase in your Kubernetes cluster

phasehq/kubernetes-secrets-operator

Phase Kubernetes Operator

Securely sync secrets and environment variables with Phase in your Kubernetes cluster.

                     @@@
              @@@@@@@@@@
          @@@@@@@@@@@@@@@@
       P@@@@@&@@@?&@@&@@@@@P
     P@@@@#        @&@    @P@@@
    &@@@#         *@&      #@@@&
   &@@@5          &@?       5@@@&
  Y@@@#          ^@@         #@@@J
  #@@@7          B@5         7@@@#
  #@@@?         .@@.         ?@@@#
  @@@@&         5@G          &@@@7
   #@@@B        @@^         #@@@B
    B@@@@      .@#        7@@@@B
     @@@@@@    &.@       P@@@@@7
       @@@@@@@@@@@@@@@@@@@@@
          @@@@@@@@@@@@@@@
             @@@@@@@@
             @@@

Features

  • Automatically sync secrets to your Kubernetes cluster
  • End-to-End encryption
  • Automatically redeploy deployments when a secret is updated
  • Sync secrets based on environment (dev, staging, prod), folders and tags
  • Transform secrets via secret processors

To opt a Deployment in to automatic redeployment when its secret is updated, add the following annotation to the Deployment's metadata:

metadata:
  annotations:
    secrets.phase.dev/redeploy: "true"
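A complete Deployment that ties the pieces together, added here as an example and not taken from the Phase project: it carries the redeploy annotation and consumes the managed Secret (my-application-secret) that the PhaseSecret CR in step 3 of the installation creates. The Deployment name, image, container port, and the DATABASE_URL key are placeholders; only the annotation key and value and the Secret name come from this README.

```yaml
# Added example (not the Phase project's own manifest): a Deployment that reads
# the Secret synced by the operator and opts in to automatic redeployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app                              # placeholder name
  namespace: default                        # same namespace as the managed secret
  annotations:
    secrets.phase.dev/redeploy: "true"      # operator redeploys this workload when the secret changes
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: registry.example.com/my-app:1.0.0   # placeholder image
          ports:
            - containerPort: 8080                    # placeholder port
          # Option 1: expose every key of the synced Secret as an environment variable.
          envFrom:
            - secretRef:
                name: my-application-secret          # managed secret from the PhaseSecret CR
          # Option 2: pull a single key explicitly (key name is an assumption).
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: my-application-secret
                  key: DATABASE_URL
```

Either envFrom or the explicit secretKeyRef is enough on its own; listing a key explicitly keeps the container's environment limited to the values it actually needs, which is the least-privilege choice when the synced Secret holds more keys than one workload uses.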

Installation:

1. Install the Operator via Helm

Add the Phase Helm repository and update it:

helm repo add phase https://helm.phase.dev && helm repo update

Install the Phase Secrets Operator:

helm install phase-secrets-operator phase/phase-kubernetes-operator --set image.tag=v1.0.1

It's best practice to specify the version in production environments to avoid
unintended upgrades. Find available versions on our [GitHub
releases](https://github.com/phasehq/kubernetes-secrets-operator/releases).

2. Create a Service Token Secret in Kubernetes

Securely create a Service Token Secret using read (recommended, as it avoids writing the token to disk or to your shell history).

Run this command, paste the Phase Service Token and hit enter:

read -s TOKEN
kubectl create secret generic phase-service-token \
  --from-literal=token="$TOKEN" \
  --type=Opaque \
  --namespace=default
unset TOKEN

Alternatively, create it directly using kubectl:

kubectl create secret generic phase-service-token \
  --from-literal=token=<TOKEN> \
  --type=Opaque \
  --namespace=default

3. Deploy the Phase Secrets Operator CR (Custom Resource)

Create a custom resource file: phase-secrets-operator-cr.yaml

apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
  name: example-phase-secret
  namespace: default
spec:
  phaseApp: "the-name-of-your-phase-app" # The name of your Phase application
  phaseAppEnv: "prod" # OPTIONAL - The Phase application environment to fetch secrets from
  phaseHost: "https://console.phase.dev" # OPTIONAL - URL of the Phase Console instance
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: "phase-service-token" # Name of the service token with access to your Phase application
        secretNamespace: "default"
  managedSecretReferences:
    - secretName: "my-application-secret" # Name of the Kubernetes managed secret that Phase will sync
      secretNamespace: "default"

Deploy the custom resource:

kubectl apply -f phase-secrets-operator-cr.yaml

Watch for the my-application-secret managed secret to be created:

watch kubectl get secrets

View the secrets:

kubectl get secret my-application-secret -o yaml

The operator automatically synchronizes secrets every 60 seconds.

Phase Kubernetes Operator - Docs

Development:

1. Install Python dependencies:

pip3 install -r requirements.txt

2. Create a local kind cluster (skip if you already have one set up):

kind create cluster

3. Export the kind kubeconfig:

kind get kubeconfig --name "kind" > ~/.kube/config

Verify that the cluster is up:

kubectl get nodes

4. Create a copy of the CR (Custom Resource) and CRD (Custom Resource Definition):

cp cr-template.yaml dev-cr.yaml
cp crd-template.yaml dev-crd.yaml

Feel free to make changes to these copies.

5. Create a secret in Kubernetes containing the Phase Service Token:

kubectl create secret generic phase-service-token \
  --from-literal=token=<YOUR_PHASE_SERVICE_TOKEN> \
  --type=Opaque \
  --namespace=default

6. Apply the CRD and then the CR, in that order:

kubectl apply -f dev-crd.yaml
kubectl apply -f dev-cr.yaml

7. Start the operator via Kopf:

kopf run src/main.py