BoxBoat Blog


Introducing Dockhand Secrets Operator

by Matthew DeVenny | Wednesday, Oct 20, 2021 | Kubernetes Secrets Dockhand


Secrets management on Kubernetes with GitOps can be challenging. Engineers often resort to creating secrets manually, injecting secrets through scripts in a CI/CD tool, or, even worse, committing the secrets directly to git.

The Dockhand Secrets Operator solves that problem by letting you define arbitrary secrets in a standard way, with only the secret bits stored in the backend(s) of your choice. At this time the following secrets managers are supported: AWS Secrets Manager, Azure Key Vault, GCP Secrets Manager and HashiCorp Vault.

How it Works

The operator is built on top of another of our CI/CD tools, dockcmd, a CLI written to facilitate secrets injection from CI/CD pipelines. Dockhand Secrets Operator reuses that proven codebase to move secrets creation into the cluster where it belongs, which improves the security of your secrets by reducing the number of places a secret can leak from.

The primary goal of the operator is ease of use within GitOps tools such as Fleet, Flux or Argo CD, but the design is flexible enough to work with pretty much any deployment method. The Kubernetes CRDs drop easily into a Helm chart and support Sprig Go template functions using the alternative delimiters << >>, so you can mix the secrets functions with Helm chart templating.

Usage Example

Suppose you need a Kubernetes Secret named postgres-secret with a data.postgresURL entry. The following Dockhand Secret creates it for you:

---
apiVersion: dhs.dockhand.dev/v1alpha2
kind: Secret
metadata:
  name: dockhand-postgres-secret
profile:
  name: dockhand-profile
secretSpec:
  name: postgres-secret
  type: Opaque
data:
  postgresURL: 'postgresql://postgres:<< (vault "secret/postgres?version=latest" "password") >>@postgres:5432/db'

Let's extend the example above to the scenario where a Helm chart has to work across multiple environments. It might look something like this:

---
apiVersion: dhs.dockhand.dev/v1alpha2
kind: Secret
metadata:
  name: dockhand-postgres-secret
profile:
  name: dockhand-profile
secretSpec:
  name: postgres-secret
  type: Opaque
data:
  postgresURL: 'postgresql://{{ .Values.postgres.username }}:<< (vault "secret/postgres?version={{ .Values.postgres.secretVersion }}" "password") >>@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.db }}'

In both examples above you simply reference postgres-secret as you would if you had created it manually; dockhand-secrets-operator takes care of the heavy lifting.
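To show how the two template layers in the second example compose, here is an added Go example (not the operator's or dockcmd's own code): the Helm {{ }} layer is rendered first with chart values, then the operator's << >> layer is resolved with a stubbed vault function. The in-memory backend and vaultFunc are constructed stand-ins.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// vaultFunc is a hypothetical stub with the page's call shape, (vault
// "path?version=..." "key"), backed by a constructed in-memory map; the real
// operator resolves these through dockcmd against Vault, AWS, Azure or GCP.
func vaultFunc(path, key string) (string, error) {
	backend := map[string]map[string]string{"secret/postgres?version=latest": {"password": "s3cr3t-from-vault"}}
	if v, ok := backend[path][key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("no key %q at %q in backend", key, path)
}

// render parses and executes one template layer against data.
func render(t *template.Template, src string, data any) (string, error) {
	t, err := t.Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// helmPass renders the {{ }} layer; << >> expressions are plain text to Helm
// and survive untouched into the manifest that gets committed or applied.
func helmPass(src string, values map[string]any) (string, error) {
	return render(template.New("helm"), src, map[string]any{"Values": values})
}

// operatorPass resolves the << >> layer as the operator does in-cluster, so the
// secret value exists only in the resulting Kubernetes Secret, never in git.
func operatorPass(src string) (string, error) {
	t := template.New("dhs").Delims("<<", ">>").Funcs(template.FuncMap{"vault": vaultFunc})
	return render(t, src, nil)
}

func main() {
	src := `postgresql://{{ .Values.postgres.username }}:<< (vault "secret/postgres?version={{ .Values.postgres.secretVersion }}" "password") >>@{{ .Values.postgres.host }}/{{ .Values.postgres.db }}`
	vals := map[string]any{"postgres": map[string]any{"username": "postgres", "secretVersion": "latest", "host": "postgres", "db": "db"}}
	chart, _ := helmPass(src, vals)   // the committed manifest: no secret bits
	final, err := operatorPass(chart) // what the operator writes into the Secret
	fmt.Println(chart, "\n", final, err)
}
```

A lookup for a version the backend does not hold fails the operator pass instead of silently producing an empty password.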

Features

  • Automatic Deployment, StatefulSet and DaemonSet updates when a Dockhand Secret updates a Kubernetes Secret. This is accomplished with a MutatingWebhook and the label dhs.dockhand.dev/autoUpdate: "true".
  • Supports AWS Secrets Manager, Azure Key Vault, GCP Secrets Manager and HashiCorp Vault.
  • Dockhand Profiles allow you to specify one or more secrets backends.
  • Dockhand Secrets can be any Kubernetes Secret type.
  • Dockhand Secrets can be tied to specific versions of the secret stored in your secrets backend.

How to Get Started

You can find installation instructions and more examples on the documentation website.

Contributions, issues and comments are welcome at the GitHub project page!