项目作者: mgoltzsche

项目描述 :
Experimental K8s CRD and controller to transform Secrets and ConfigMaps using jq queries
高级语言: Go
项目地址: git://github.com/mgoltzsche/ktransform.git
创建时间: 2020-07-12T15:23:56Z
项目社区:https://github.com/mgoltzsche/ktransform

开源协议:Apache License 2.0

下载


ktransform

Kubernetes CRD and controller to transform Secrets and ConfigMaps using jq queries.

Installation

Install CRDs:

  1. kubectl apply -k github.com/mgoltzsche/ktransform/deploy/crds

Install the operator in the current namespace:

  1. kubectl apply -k github.com/mgoltzsche/ktransform/deploy

Usage

The following example transforms two docker registry Secrets and a ConfigMap into a makisu config Secret.

Create the input Secrets:

  1. for i in 1 2; do
  2. kubectl create secret docker-registry regcred$i \
  3. --docker-server=registry${i}.example.org \
  4. --docker-username=usr --docker-password=pw$i \
  5. --docker-email=johndoe@example.org
  6. done

Create an input ConfigMap:

  1. kubectl create configmap myconf \
  2. --from-literal=myconf=$'registries:\n- registry0.example.org\n- registry1.example.org' \
  3. --from-literal=myval=somevalue

Merge and convert all three resources to a single Secret:

  1. kubectl apply -f - <<-EOF
  2. apiVersion: ktransform.mgoltzsche.github.com/v1alpha1
  3. kind: SecretTransform
  4. metadata:
  5. name: dockertomakisuconf
  6. spec:
  7. input:
  8. secret1:
  9. secret: regcred1
  10. secret2:
  11. secret: regcred2
  12. config:
  13. configMap: myconf
  14. output:
  15. - secret:
  16. name: makisu-conf
  17. type: Opaque
  18. transformation:
  19. primary: .config.myconf.object.registries[0]
  20. secondary: .config.myconf.object.registries[1]
  21. myval: .config.myval.string
  22. makisu.conf: |
  23. (.secret1[".dockerconfigjson"].object.auths * .secret2[".dockerconfigjson"].object.auths) |
  24. with_entries(.value |= {
  25. ".*": {
  26. security: {
  27. basic: .auth | @base64d | split(":") | {
  28. username: .[0],
  29. password: .[1]
  30. }
  31. }
  32. }
  33. })
  34. EOF

A SecretTransform‘s status is reflected in its Synced condition.
In case of an error this condition provides more information.

When the condition is met the Secret makisu-conf has been written:

  1. $ kubectl get secret makisu-conf -o jsonpath='{.data.primary}' | base64 -d && echo
  2. registry0.example.org
  3. $ kubectl get secret makisu-conf -o jsonpath='{.data.secondary}' | base64 -d && echo
  4. registry1.example.org
  5. $ kubectl get secret makisu-conf -o jsonpath='{.data.myval}' | base64 -d && echo
  6. somevalue
  7. $ kubectl get secret makisu-conf -o jsonpath='{.data.makisu\.conf}' | base64 -d | jq .
  8. {
  9. "registry1.example.org": {
  10. ".*": {
  11. "security": {
  12. "basic": {
  13. "password": "pw1",
  14. "username": "usr"
  15. }
  16. }
  17. }
  18. },
  19. "registry2.example.org": {
  20. ".*": {
  21. "security": {
  22. "basic": {
  23. "password": "pw2",
  24. "username": "usr"
  25. }
  26. }
  27. }
  28. }
  29. }

When any input or output resource changes the transformation is reconciled.
If an input resource does not (yet) exist or is deleted the transformation is reconciled after 30 seconds.

Updating workloads referring to transformation outputs

While ktransform continuously applies transformations when any input or output changes
it does not update Deployments/StatefulSets/DaemonSets that refer to output resources.
However this can be achieved using wave.

How to build

  1. make

How to test

Run unit tests:

  1. make unit-tests

Run e2e tests:

  1. make start-minikube
  2. make e2e-tests