KubesealR is a pure-Ruby implementation of the CLI client kubeseal
component
of Bitnami's Kubernetes sealed-secrets
system.
KubesealR also embeds a transformer plugin for KustomizeR, a pure-Ruby Kustomize implementation. This plugin allows KustomizeR to seal [generated or provided] secrets, as a resource-config transformation pass.
Add this line to your application's Gemfile:
gem 'kubesealr'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install kubesealr
(TODO; will mostly match CLI usage of kubeseal
)
KubesealR provides one Kustomize transformer plugin,
SealSecretsTransform
, with the following K8s document-type:
apiVersion: kubesealr.covalenthq.com/v1
kind: SealSecretsTransform
Possible fields on this configuration:
.spec.match: "all" | [String] | {pattern: RegexpString}
.spec.match
controls which secrets will be sealed.
- The literal string
all
will match all secrets. - A list of strings means "match secrets with these names exactly."
- Setting
.spec.match.pattern
to a string will treat that string as a regular expression and use it to match secret names.
Defaults to all
.
.spec.keepUnsealed: true | false
.spec.keepUnsealed
controls whether the original, unsealed versions of
the secrets will be emitted by the transform alongside the sealed versions.
Defaults to false
. You may want to set this to true
if you have further
transformation passes that depend on the unsealed secrets in some way.
Add a new resource path to the transformers
resource-list in your
kustomization.yaml
. For example:
In kustomization.yaml
:
---
transformers:
- seal-secrets.yaml
In seal-secrets.yaml
:
---
apiVersion: kubesealr.covalenthq.com/v1
kind: SealSecretsTransform
spec:
match:
pattern: "-conn$"
keepUnsealed: false
After checking out the repo, run bin/setup
to install dependencies. Then, run rake spec
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and the created tag, and push the .gem
file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/tsutsu/kubesealr.
The gem is available as open source under the terms of the MIT License.