Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

A Kubernetes controller to manage configs with a mix of secret and non-secret data

License

Notifications You must be signed in to change notification settings

machinezone/configmapsecrets

Repository files navigation

ConfigMapSecrets

Release API Reference Go Report Card License

Problem

I have a config that contains a mixture of secret and non-secret data. For some reason I can't use environment variables to reference the secret data. I want to check my config into source control, keep my secret data secure, and keep my non-secret data easily readable and editable.

Solution

Use a ConfigMapSecret which is safe to store in source control. It's like a ConfigMap that includes your non-secret data, but it can reference Secret variables, similar to how container args can reference env variables. The controller will expand and render it into a Secret in the same namespace, keeping it updated to reflect changes to the ConfigMapSecret or its referenced variables.

Use SealedSecrets to keep your referenced Secret data secure.

Installation

kubectl apply -f manifest/*.yaml

Example

Input

apiVersion: secrets.mz.com/v1alpha1
kind: ConfigMapSecret
metadata:
 name: alertmanager-config
 namespace: monitoring
 labels:
 app: alertmanager
spec:
 template:
 metadata:
 # optional: name defaults to same as ConfigMapSecret
 name: alertmanager-config
 labels:
 app: alertmanager
 data:
 alertmanager.yaml: |
 global:
 resolve_timeout: 5m
 opsgenie_api_key: $(OPSGENIE_API_KEY)
 slack_api_url: $(SLACK_API_URL)
 route:
 receiver: default
 group_by: ["alertname", "job", "team"]
 group_wait: 30s
 group_interval: 5m
 repeat_interval: 12h
 routes:
 - receiver: foobar-sre
 match:
 team: foobar-sre
 - receiver: widget-sre
 match:
 team: widget-sre
 receivers:
 - name: default
 slack_configs:
 - channel: unrouted-alerts
 - name: foobar-sre
 opsgenie_configs:
 - responders:
 - name: foobar-sre
 type: team
 slack_configs:
 - channel: foobar-sre-alerts
 - name: widget-sre
 opsgenie_configs:
 - responders:
 - name: widget-sre
 type: team
 slack_configs:
 - channel: widget-sre
 vars:
 - name: OPSGENIE_API_KEY
 secretValue:
 name: alertmanager-keys
 key: opsgenieKey
 - name: SLACK_API_URL
 secretValue:
 name: alertmanager-keys
 key: slackURL
---
apiVersion: v1
kind: Secret
metadata:
 name: alertmanager-keys
 namespace: monitoring
 labels:
 app: alertmanager
stringData:
 opsgenieKey: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
 slackURL: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
type: Opaque

Output

apiVersion: v1
kind: Secret
metadata:
 name: alertmanager-config
 namespace: monitoring
 labels:
 app: alertmanager
stringData:
 alertmanager.yaml: |
 global:
 resolve_timeout: 5m
 opsgenie_api_key: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
 slack_api_url: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
 route:
 receiver: default
 group_by: ["alertname", "job", "team"]
 group_wait: 30s
 group_interval: 5m
 repeat_interval: 12h
 routes:
 - receiver: foobar-sre
 match:
 team: foobar-sre
 - receiver: widget-sre
 match:
 team: widget-sre
 receivers:
 - name: default
 slack_configs:
 - channel: unrouted-alerts
 - name: foobar-sre
 opsgenie_configs:
 - responders:
 - name: foobar-sre
 type: team
 slack_configs:
 - channel: foobar-sre
 - name: widget-sre
 opsgenie_configs:
 - responders:
 - name: widget-sre
 type: team
 slack_configs:
 - channel: widget-sre
type: Opaque

About

A Kubernetes controller to manage configs with a mix of secret and non-secret data

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

AltStyle によって変換されたページ (->オリジナル) /