
Feature Proposal: Git Backend (would mean some Keybase.io support too)

Open zemanel opened this issue 6 years ago • 1 comment

Feature Proposal: Git Backend (also Keybase.io)

General

Keybase.io provides end-to-end encrypted shared filesystem and Git repositories.

The service they provide also requires no infrastructure other than the client setup.

A Keybase backend would be able to read secrets from a Keybase filesystem and/or a Keybase repo, either from an individual or team account.

Keybase Git repos are better for secrets (IMHO), since Git has change history and repos are not as easy to delete by mistake.

Git repos also have branches. This could be utilised to provide separate secrets per environment.

Keybase Git repos are regular Git repos, accessed over the keybase:// protocol.

So implementing a Git backend would also add support for Keybase repos.

Authentication to Keybase

The Keybase client requires a username and a "paper key" for the keybase git helper to work. They can be specified in environment variables:

$ keybase oneshot
OPTIONS:
   --paperkey 		DANGEROUS: specify a paper key (or try the KEYBASE_PAPERKEY environment variable)
   -u, --username 	specify a username (or try the KEYBASE_USERNAME environment variable)

In the case of keybase:// or any other repo source, the operator would be responsible for setting up a deployment Docker image with Keybase support (or any other authentication, like SSH).

Implementation

CRD example

% cat deploy/crds/externalsecret-operator_v1alpha1_externalsecret_cr.yaml
apiVersion: externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: example-externalsecret
spec:
  key: /path/in/repo/my-secret.yml
  backend: git

The key is a path to a file in the target repo. The operator reads the file and creates a K8s secret with the value.

The operator

There is a pure Go Git client, https://github.com/src-d/go-git. That client can check out repos in memory, so no storage is required.

zemanel avatar May 23 '19 09:05 zemanel
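As an added example (not the project's code, and not the go-git wiring the proposal mentions): the part of a Git backend that sits after checkout. It takes one read-only file tree per branch (a constructed fstest.MapFS stand-in for what an in-memory checkout would expose), normalizes the CRD's key so that it cannot escape the repository, reads the file, and wraps the content in a Kubernetes Secret manifest. The map is keyed by branch name to mirror the branch-per-environment idea above. The names GitBackend, NormalizeKey and BuildSecret, and the convention of storing the file content under a data key named after the file, are assumptions of this example, not something the proposal fixes.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// ErrBadKey is returned for keys that are empty, absolute after trimming,
// or that try to walk out of the repository tree.
var ErrBadKey = errors.New("invalid secret key path")

// GitBackend reads secret files from checked-out trees, one per branch
// (hypothetical type; a real backend would fill this from a Git checkout).
type GitBackend struct {
	branches map[string]fs.FS
}

func NewGitBackend(branches map[string]fs.FS) *GitBackend {
	return &GitBackend{branches: branches}
}

// NormalizeKey turns the CRD key (e.g. "/path/in/repo/my-secret.yml") into
// a repo-relative path. Any ".." element is rejected outright rather than
// resolved, so a key can never reference a file outside the checkout.
func NormalizeKey(key string) (string, error) {
	rel := strings.TrimPrefix(strings.TrimSpace(key), "/")
	for _, seg := range strings.Split(rel, "/") {
		if seg == ".." {
			return "", fmt.Errorf("%w: %q contains a parent-directory element", ErrBadKey, key)
		}
	}
	rel = path.Clean(rel)
	// fs.ValidPath rejects leading slashes, empty elements and "." / ".."
	// elements; "." alone would mean the repo root, which is not a file.
	if rel == "." || !fs.ValidPath(rel) {
		return "", fmt.Errorf("%w: %q", ErrBadKey, key)
	}
	return rel, nil
}

// Get reads the file at key from the tree checked out for branch.
func (b *GitBackend) Get(branch, key string) ([]byte, error) {
	tree, ok := b.branches[branch]
	if !ok {
		return nil, fmt.Errorf("branch %q is not checked out", branch)
	}
	rel, err := NormalizeKey(key)
	if err != nil {
		return nil, err
	}
	data, err := fs.ReadFile(tree, rel)
	if err != nil {
		return nil, fmt.Errorf("reading %s on branch %s: %w", rel, branch, err)
	}
	return data, nil
}

// secretManifest is the minimal core/v1 Secret shape, marshalled as JSON
// (which the API server accepts in place of YAML).
type secretManifest struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

// BuildSecret wraps the file content in a Secret named after the
// ExternalSecret. The data key is the file's base name (example assumption).
func BuildSecret(name, key string, value []byte) ([]byte, error) {
	rel, err := NormalizeKey(key)
	if err != nil {
		return nil, err
	}
	m := secretManifest{
		APIVersion: "v1",
		Kind:       "Secret",
		Metadata:   map[string]string{"name": name},
		Type:       "Opaque",
		Data:       map[string]string{path.Base(rel): base64.StdEncoding.EncodeToString(value)},
	}
	return json.MarshalIndent(m, "", "  ")
}

// sampleRepo is a constructed stand-in for an in-memory checkout: the same
// path exists on two branches with environment-specific content.
func sampleRepo() map[string]fs.FS {
	return map[string]fs.FS{
		"staging":    fstest.MapFS{"path/in/repo/my-secret.yml": {Data: []byte("password: staging-only\n")}},
		"production": fstest.MapFS{"path/in/repo/my-secret.yml": {Data: []byte("password: prod-only\n")}},
	}
}

func main() {
	b := NewGitBackend(sampleRepo())
	const key = "/path/in/repo/my-secret.yml"
	for _, branch := range []string{"staging", "production"} {
		val, err := b.Get(branch, key)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := BuildSecret("example-externalsecret", key, val)
		fmt.Printf("--- %s ---\n%s\n", branch, out)
	}
	_, err := b.Get("staging", "../../../etc/passwd")
	fmt.Println("traversal attempt rejected:", err)
}
```

The traversal check matters because the key comes from a CRD that anyone with permission to create ExternalSecret objects can write; without it, a checkout on disk (rather than in memory) would let such a user read arbitrary files from the operator's container.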

This is great! Thanks @zemanel !

riccardomc avatar May 23 '19 11:05 riccardomc