- Automatically sync secrets to your Kubernetes cluster
- End-to-End encryption
- Automatically redeploy deployments when a secret is updated
- Sync secrets based on environment (dev, staging, prod), folders and tags
- Transform secrets via secret processors

```yaml
metadata:
  annotations:
    secrets.phase.dev/redeploy: "true"
```

Add the Phase Helm repository and update it:

```bash
helm repo add phase https://helm.phase.dev && helm repo update
```

Install the Phase Secrets Operator:

```bash
helm install phase-secrets-operator phase/phase-kubernetes-operator --set image.tag=v1.0.1
```

It's best practice to specify the version in production environments to avoid unintended upgrades. Find available versions on our [GitHub releases](https://github.com/phasehq/kubernetes-secrets-operator/releases).

Securely create a Service Token Secret using `read` (recommended for more security, as it avoids writing the token to disk or shell history).

Run this command, paste the Phase Service Token and hit enter:

```bash
# Read the token without echoing it to the terminal
read -rs TOKEN
kubectl create secret generic phase-service-token \
  --from-literal=token="$TOKEN" \
  --type=Opaque \
  --namespace=default
# Remove the token from the shell session once the secret exists
unset TOKEN
```

Alternatively, create it directly using kubectl:

```bash
kubectl create secret generic phase-service-token \
  --from-literal=token=<TOKEN> \
  --type=Opaque \
  --namespace=default
```

Create a custom resource file: `phase-secrets-operator-cr.yaml`

```yaml
apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
  name: example-phase-secret
  namespace: default
spec:
  phaseApp: "the-name-of-your-phase-app" # The name of your Phase application
  phaseAppEnv: "prod" # OPTIONAL - The Phase application environment to fetch secrets from
  phaseHost: "https://console.phase.dev" # OPTIONAL - URL of the Phase Console instance
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: "phase-service-token" # Name of the service token with access to your Phase application
        secretNamespace: "default"
  managedSecretReferences:
    - secretName: "my-application-secret" # Name of the Kubernetes managed secret that Phase will sync
      secretNamespace: "default"
```

Deploy the custom resource:

```bash
kubectl apply -f phase-secrets-operator-cr.yaml
```

Watch for the `my-application-secret` managed secret being created:

```bash
watch kubectl get secrets
```

View the secrets:

```bash
kubectl get secret my-application-secret -o yaml
```

The operator automatically synchronizes secrets every 60 seconds.

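To tie the redeploy annotation to the managed secret created above, here is an added example manifest (not from the Phase project) of a workload that consumes `my-application-secret`. The Deployment name, labels and image are hypothetical placeholders, and placing the annotation on the Deployment's own `metadata` is an assumption based on the snippet shown earlier. The workload references only the managed secret and never the `phase-service-token` secret.

```yaml
# Added example: hypothetical workload consuming the operator-managed secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-application                 # hypothetical name
  namespace: default                   # same namespace as the managed secret
  annotations:
    secrets.phase.dev/redeploy: "true" # annotation shown on this page
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-application
  template:
    metadata:
      labels:
        app: my-application
    spec:
      # The application only reads env vars, so it gets no Kubernetes API token.
      automountServiceAccountToken: false
      containers:
        - name: app
          image: registry.example.com/my-application:1.0.0 # placeholder image
          envFrom:
            - secretRef:
                # Must match managedSecretReferences[].secretName in the PhaseSecret
                name: my-application-secret
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
```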
Phase Kubernetes Operator - Docs
- Install Python dependencies

  ```bash
  pip3 install -r requirements.txt
  ```

- Create a local kind cluster (skip if you already have one set up)

  ```bash
  kind create cluster
  ```

- Export the kubeconfig (this overwrites any existing `~/.kube/config`)

  ```bash
  kind get kubeconfig --name "kind" > ~/.kube/config
  ```

  Verify that the cluster is up:

  ```bash
  kubectl get nodes
  ```

- Create a copy of the CR (Custom Resource) and CRD (Custom Resource Definition):

  ```bash
  cp cr-template.yaml dev-cr.yaml
  cp crd-template.yaml dev-crd.yaml
  ```

  Feel free to make changes.

- Create a secret in Kubernetes containing the Phase Service Token

  ```bash
  kubectl create secret generic phase-service-token \
    --from-literal=token=<YOUR_PHASE_SERVICE_TOKEN> \
    --type=Opaque \
    --namespace=default
  ```

- Apply the CRD and CR respectively

  ```bash
  kubectl apply -f dev-crd.yaml
  kubectl apply -f dev-cr.yaml
  ```

- Start the operator via Kopf

  ```bash
  kopf run src/main.py
  ```