external-secrets / kes-to-eso

tool to help migrating from kes to eso
Apache License 2.0

Parsing base #1

Closed gusfcarvalho closed 2 years ago

gusfcarvalho commented 2 years ago

PR with alpha features of the project.

Working on AWS (auth with Env vars or Env from Secret Keys) and GCP (auth with Service account)

Already implements methods for Vault, AzureKV and IBM Cloud, but they still need more testing.

CLI Examples

kestoeso -i path/to/kes/definition.yaml --to-stdout --kes-namespace=kes --kes-deployment-name=kubernetes-external-secrets

kestoeso -i path/to/kes/ --to-stdout --kes-namespace=kes --kes-deployment-name=my-custom-name

kestoeso -i path/to/kes -o path/to/eso

Testing Locally

To test locally, the first thing that needs to be done is to deploy kes for the given provider. After that, deploy eso.

After that, you can test adherence of the conversion with this one-liner:

kestoeso -i path/to/kes/ --to-stdout --kes-namespace=kes | kubectl apply --dry-run=server -f -

Examples

input

output

apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
  creationTimestamp: null
  name: secretsmanager-secretstore-autogen-xvlbzgba
spec:
  controller: ""
  provider:
    aws:
      auth:
        secretRef:
          accessKeyIDSecretRef:
            key: access-key
            name: aws-secret
            namespace: kes
          secretAccessKeySecretRef:
            key: secret
            name: aws-secret
            namespace: kes
      region: eu-west-1
      role: arn:aws:iam::123412341234:role/let-other-account-access-secrets
      service: SecretsManager
status:
  conditions: null

---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  creationTimestamp: null
  name: aws-secretsmanager
spec:
  data:
  - remoteRef:
      key: demo-service/credentials
      property: password
    secretKey: password
  - remoteRef:
      key: demo-service/credentials
      property: username
    secretKey: username
  secretStoreRef:
    kind: ClusterSecretStore
    name: secretsmanager-secretstore-autogen-xvlbzgba
  target:
    name: aws-secretsmanager
    template:
      metadata: {}
status:
  refreshTime: null

---

This PR is a draft mainly because it's too big, and because I think some design decisions can still be taken at this time (although it's not supposed to be a long-living tool).
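A minimal reimplementation of the conversion shown in the output above, added here as an example and not the kestoeso code itself: it takes a KES `secretsManager` ExternalSecret (constructed below, assumed to be the input behind that output) plus the location of the credentials the KES deployment reads from its env secretKeyRefs, and emits the ClusterSecretStore and ExternalSecret pair. Function and field names (`convert`, `store_name`, `KES_AUTH`) are my own, and the store-name suffix is made deterministic rather than random.

```python
import hashlib
import json

# Constructed KES manifest, assumed to be the input behind the PR's sample output.
KES_INPUT = {
    "apiVersion": "kubernetes-client.io/v1", "kind": "ExternalSecret",
    "metadata": {"name": "aws-secretsmanager"},
    "spec": {
        "backendType": "secretsManager", "region": "eu-west-1",
        "roleArn": "arn:aws:iam::123412341234:role/let-other-account-access-secrets",
        "data": [{"key": "demo-service/credentials", "name": "password", "property": "password"},
                 {"key": "demo-service/credentials", "name": "username", "property": "username"}],
    },
}
# Where the KES deployment's env secretKeyRefs point (kestoeso reads this from
# --kes-namespace/--kes-deployment-name; here it is given directly, an assumption).
KES_AUTH = {"namespace": "kes", "secret": "aws-secret",
            "access_key_field": "access-key", "secret_key_field": "secret"}

def store_name(backend, auth):
    # Deterministic suffix from the auth material, so KES secrets sharing credentials share one store.
    digest = hashlib.sha256(json.dumps(auth, sort_keys=True).encode()).hexdigest()
    return f"{backend.lower()}-secretstore-autogen-{digest[:8]}"

def secret_ref(auth, field):
    return {"name": auth["secret"], "key": auth[field], "namespace": auth["namespace"]}

def convert(kes, auth):
    spec = kes["spec"]
    if spec.get("backendType") != "secretsManager":
        raise ValueError(f"unsupported backendType {spec.get('backendType')!r}")
    name = store_name(spec["backendType"], auth)
    aws = {"service": "SecretsManager", "auth": {"secretRef": {
        "accessKeyIDSecretRef": secret_ref(auth, "access_key_field"),
        "secretAccessKeySecretRef": secret_ref(auth, "secret_key_field")}}}
    if "region" in spec:
        aws["region"] = spec["region"]
    if "roleArn" in spec:  # KES roleArn maps to the ESO provider's role field
        aws["role"] = spec["roleArn"]
    store = {"apiVersion": "external-secrets.io/v1alpha1", "kind": "ClusterSecretStore",
             "metadata": {"name": name}, "spec": {"provider": {"aws": aws}}}
    data = [{"secretKey": d["name"], "remoteRef": {k: d[k] for k in ("key", "property") if k in d}}
            for d in spec["data"]]  # no property means KES synced the whole secret value
    target = kes["metadata"]["name"]
    es = {"apiVersion": "external-secrets.io/v1alpha1", "kind": "ExternalSecret",
          "metadata": {"name": target},
          "spec": {"secretStoreRef": {"kind": "ClusterSecretStore", "name": name},
                   "target": {"name": target}, "data": data}}
    return store, es
```

Because the generated store is cluster-scoped and points at credentials in the kes namespace, any namespace can reference it once applied, so review which namespaces should be allowed to use it before piping the output into `kubectl apply`.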

gusfcarvalho commented 2 years ago

Hey all!

Today I've finished testing with the following providers:

I'm changing this PR from draft to an actual PR. Waiting on feedback.

moolen commented 2 years ago

Hey @gusfcarvalho nice work! I think we should clean up the code a bit before merging it. Could you please:

  1. remove comments of unneeded code (imports, example code)
  2. finish documentation of CLI help

I think then we're good to merge IMO.

bobbywatson3 commented 2 years ago

Looking forward to checking this out!

gusfcarvalho commented 2 years ago

Hey @moolen and @knelasevero ! Sorry for the long delay, got a little bit busy with work.

I also took the chance to improve a little bit the map of templates, in order to allow some templating (the easy ones) to be compatible with the tool.

knelasevero commented 2 years ago

Gonna merge this one. We can iterate further with more PRs :)

@gusfcarvalho maybe goreleaser makes sense for this project? Then it is easier for us to release and get people to use it. We can open an issue if it makes sense