Secretize is a kustomize plugin that helps generating kubernetes secrets from various sources.
It's like a swiss army knife, but for kubernetes secrets.

---

Sources

Secretize is able to generate secrets using the following providers:

• AWS Secret Manager
• Azure Vault
• Hashicorp Vault
• Other K8S secrets
• Environment variables

It is possible to use multiple providers at once.

Installation

Install secretize to your $XDG_CONFIG_HOME/kustomize/plugin folder:

1. Export the XDG_CONFIG_HOME variable if it's not already set:

export XDG_CONFIG_HOME=~/.config

2. Download the release binary into the kustomize plugin folder:

export SECRETIZE_DIR="$XDG_CONFIG_HOME/kustomize/plugin/secretize/v1/secretgenerator"
mkdir -p "$SECRETIZE_DIR"
curl -L https://github.com/bbl/secretize/releases/download/v0.0.1/secretize-v0.0.1-linux-amd64.tar.gz  | tar -xz -C $SECRETIZE_DIR

Usage

All providers can generate two types of secrets: literals and kv (Key-Value secrets).
Literal secrets simply generate a single string output, while KV secrets will output with a dictionary of the key-value pairs.

The full configuration API could be found in the examples/secret-generator.yaml file.

AWS Secrets Manager

Fetching literal secrets is as simple, as using a default kustomize secretGenerator plugin:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: aws-sm-secrets
sources:
    - provider: aws-sm
      literals: 
        - mySecret
        - newName=mySecret 

The above config would query AWS Secrets Manager provider to get the mySecret string value. As a result, the following manifest will be generated:

apiVersion: v1
kind: Secret
metadata:
  name: aws-sm-secrets
data:
  mySecret: c2VjcmV0X3ZhbHVlXzE= # a sample base64 encoded data 
  newName: c2VjcmV0X3ZhbHVlXzE=

Now let's assume that value of mySecret is a json string:

{
  "secret_key_1":"secret_value_1", 
  "secret_key_2": "secret_value_2"
}

The generator config can be slightly modified, to generate a kv secret:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: aws-sm-secrets
sources:
    - provider: aws-sm
      kv: 
        - mySecret

As a result, the following secret is generated:

apiVersion: v1
kind: Secret
metadata:
  name: aws-sm-secrets
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=

Azure Vault

Azure Vault configuration is pretty similar to the above examples. However, there's additional params field, which is used to specify the Vault Name:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: aws-sm-secrets
sources:
  - provider: azure-vault
    params:
      name: vault-name
    kv:
      - kv-secrets # will treat this as JSON, the same way as in the AWS example
    literals:
      - literal-secret-1
      - new_name=literal-secret-1

Hashicorp Vault

Some providers only support key-value output, e.g. Hashicorp Vault and K8S Secret. For instance, the mySecret in Hashicorp Vault might look like the following:

vault kv get secret/mySecret
====== Data ======
Key           Value
---           -----
secret_key_1  secret_value_1
secret_key_2  secret_value_2

Querying provider's kv secrets will generate the corresponding key-value data:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: hashicorp-vault-secrets
sources:
    - provider: hashicorp-vault
      kv: 
        - secret/data/mySecret # you need to specify the full path in hashicorp vault provider

apiVersion: v1
kind: Secret
metadata:
  name: hashicorp-vault-secrets
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=

However you're able to query a certain literal in the key-value output using the following syntax: secret-name:key, e.g.:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: hashicorp-vault-secrets
sources:
    - provider: hashicorp-vault
      literals:
          - secret/data/mySecret-1:secret_key_1

As a result, the following manifest will be generated:

apiVersion: v1
kind: Secret
metadata:
  name: hashicorp-vault-secrets
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=

Kubernetes Secret

Kubernetes secret provider is similar to the Hashicorp Vault. Additionally, this provider expects the params field with the namespace specification.
You're able to get the entire secret data using the kv query, or get a particular key using the literals query with the : delimiter syntax:

# The original secret in a default namespace
#
apiVersion: v1
kind: Secret
metadata:
  name: original-secret
  namespace: default
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=
---
# Secret generator configuration
#
apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: kubernetes-secrets
sources:
    - provider: k8s-secret
      params:
        namespace: default
      kv:
        - original-secret
      literals:
        - new_name=original-secret:secret_key_1
---
# Generated secret
#
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-secrets
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=
  new_name: c2VjcmV0X3ZhbHVlXzE=

Env

The environment variables plugin is similar to the AWS and Azure plugins. The literals would simply fetch corresponding environment variables, while kv would treat each variable as JSON and try to parse it:

apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: env-secrets
sources:
    - provider: env
      kv:
        - MY_KV_SECRET
      literals: 
        - MY_LITERAL_SECRET

Secretize will fetch the corresponding environment variables during the kustomize build command:

export MY_KV_SECRET='{"secret_key_1":"secret_value_1", "secret_key_2": "secret_value_2"}'
export MY_LITERAL_SECRET=super_secret

kustomize build

The following secret is generated:

apiVersion: v1
kind: Secret
metadata:
  name: env-kv-secrets
data:
  MY_LITERAL_SECRET: c3VwZXJfc2VjcmV0
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=