- Automatically sync secrets to your Kubernetes cluster
- End-to-End encryption
- Automatically redeploy deployments when a secret is updated
- Sync secrets based on environment (dev, staging, prod), folders and tags
- Transform secrets via secret processors

```yaml
metadata:
  annotations:
    secrets.phase.dev/redeploy: "true"
```

Add the Phase Helm repository and update it:

```bash
helm repo add phase https://helm.phase.dev && helm repo update
```

Install the Phase Secrets Operator:

```bash
helm install phase-secrets-operator phase/phase-kubernetes-operator --set image.tag=v1.0.1
```

It's best practice to specify the version in production environments to avoid
unintended upgrades. Find available versions on our [GitHub
releases](https://github.com/phasehq/kubernetes-secrets-operator/releases).

Securely create a Service Token Secret using `read` (recommended for more security as it avoids writing the token to disk or shell history).

Run this command, paste the Phase Service Token and hit enter:

```bash
# -s: do not echo the pasted token; -r: keep backslashes literal
read -rs TOKEN
kubectl create secret generic phase-service-token \
  --from-literal=token="$TOKEN" \
  --type=Opaque \
  --namespace=default
unset TOKEN
```

Alternatively, create it directly using `kubectl`:

```bash
kubectl create secret generic phase-service-token \
  --from-literal=token=<TOKEN> \
  --type=Opaque \
  --namespace=default
```

Create a custom resource file: `phase-secrets-operator-cr.yaml`

```yaml
apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
  name: example-phase-secret
  namespace: default
spec:
  phaseApp: "the-name-of-your-phase-app" # The name of your Phase application
  phaseAppEnv: "prod" # OPTIONAL - The Phase application environment to fetch secrets from
  phaseHost: "https://console.phase.dev" # OPTIONAL - URL of the Phase Console instance
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: "phase-service-token" # Name of the service token with access to your Phase application
        secretNamespace: "default"
  managedSecretReferences:
    - secretName: "my-application-secret" # Name of the Kubernetes managed secret that Phase will sync
      secretNamespace: "default"
```

Deploy the custom resource:

```bash
kubectl apply -f phase-secrets-operator-cr.yaml
```

Watch for the `my-application-secret` managed secret being created:

```bash
watch kubectl get secrets
```

View the secrets:

```bash
kubectl get secret my-application-secret -o yaml
```

The operator automatically synchronizes secrets every 60 seconds.
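
`kubectl get secret my-application-secret -o yaml` prints values that are only base64-encoded, so anyone who can see the terminal or its scrollback can recover them. The following is an added example, not code from the Phase project: it confirms what a sync changed by comparing per-key HMAC tags of two `-o json` snapshots instead of printing values. The snapshots, key names and values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sample_secret(values):
    """Build a constructed `kubectl get secret -o json` document (made-up values)."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return json.dumps({"kind": "Secret", "data": data,
                       "metadata": {"name": "my-application-secret", "namespace": "default"}})


# Constructed snapshots taken before and after a sync; key names are hypothetical.
BEFORE = sample_secret({"DB_PASSWORD": "old-password", "API_KEY": "constructed-key"})
AFTER = sample_secret({"DB_PASSWORD": "new-password", "API_KEY": "constructed-key",
                       "REDIS_URL": "redis://cache.example:6379"})


def fingerprints(secret_json, mac_key):
    """Map each key of a Secret to an HMAC-SHA256 tag of its decoded value."""
    secret = json.loads(secret_json)
    if secret.get("kind") != "Secret":
        raise ValueError("input is not a Kubernetes Secret object")
    return {
        name: hmac.new(mac_key, base64.b64decode(b64, validate=True),
                       hashlib.sha256).hexdigest()[:16]
        for name, b64 in (secret.get("data") or {}).items()
    }


def diff_snapshots(before_json, after_json):
    """Report which keys were added, removed or changed, never the values."""
    # A fresh random key per comparison: tags cannot be brute-forced offline
    # against guessed values, and are only meaningful within this one run.
    mac_key = secrets.token_bytes(32)
    old, new = fingerprints(before_json, mac_key), fingerprints(after_json, mac_key)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    for change, keys in diff_snapshots(BEFORE, AFTER).items():
        print(f"{change}: {', '.join(keys) or '-'}")
```

In real use, replace the constructed snapshots with the output of `kubectl get secret my-application-secret -o json` captured before and after the sync interval.
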
Phase Kubernetes Operator - Docs

- Install Python dependencies:

  ```bash
  pip3 install -r requirements.txt
  ```

- Create a local kind cluster (skip if you already have one set up):

  ```bash
  kind create cluster
  ```

- Export the kind kubeconfig:

  ```bash
  kind get kubeconfig --name "kind" > ~/.kube/config
  ```

  Verify that the cluster is up:

  ```bash
  kubectl get nodes
  ```

- Create a copy of the CR (Custom Resource) and CRD (Custom Resource Definition):

  ```bash
  cp cr-template.yaml dev-cr.yaml
  cp crd-template.yaml dev-crd.yaml
  ```

  Feel free to make changes.

- Create a secret in Kubernetes containing the Phase Service Token:

  ```bash
  kubectl create secret generic phase-service-token \
    --from-literal=token=<YOUR_PHASE_SERVICE_TOKEN> \
    --type=Opaque \
    --namespace=default
  ```

- Apply the CRD and CR respectively:

  ```bash
  kubectl apply -f dev-crd.yaml
  kubectl apply -f dev-cr.yaml
  ```

- Start the operator via Kopf:

  ```bash
  kopf run src/main.py
  ```