Skip to content

A generic tool to backup kubernetes secrets, encrypt the backup and upload it to an AWS S3 bucket.

License

Notifications You must be signed in to change notification settings

RocketChat/k8s-secrets-backup

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

k8s-secrets-backup

🤔 What is it?

A generic tool to backup kubernetes secrets, encrypt the backup and upload it to a S3 bucket.

It was designed to run as a cronjob inside our Kubernetes clusters to backup sealed secrets controller's keys, but it can be used to backup any secret, or secrets depending if the env variable SECRET_NAME is set, or LABEL_KEY and LABEL_VALUE is. If a label key and value to filter a set of secrets is set, then the output is a k8s SecretList.

Important note: It assumes a configmap with the k8s cluster name is previously created on the kube-system namespace. More info on Kubernetes manifests examples section.

Another less important note: Age encryption is done to an ASCII-only "armored" encoding, decryption is transparent for the age command.

☑️ Environment variables (required, except if explicity says optional)

Name Example Help
SECRET_NAME "mongodb-secret" Optional, the secret name to backup
NAMESPACE "kube-system" The namespace where the secret to backup is
LABEL_KEY "sealedsecrets.bitnami.com/sealed-secrets-key" Optional, secret label key to filter secrets to backup
LABEL_VALUE "active" Optional, secret label value to filter secrets to backup
BUCKET_NAME "secretsbackups.your.domain" AWS s3 bucket name to upload the backups
S3_FOLDER "sealed_secrets_keys/" AWS s3 folder name to upload the backups
S3_REGION "us-east-2" AWS s3 region name
AWS_ACCESS_KEY_ID "ADSFASDFAF23423" AWS access key that has upload permission on the s3 bucket
AWS_SECRET_ACCESS_KEY "asdASFadfasdfñiouo3Q334" AWS access secret that has upload permission on the s3 bucket
AGE_PUBLIC_KEY "age435fgañdfgjñdsflgjgadf" Age public key matching your private key for decrypt

🧞 Kubernetes manifests (examples)

Backup sealed secrets controller's keys once per month

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: sealed-secrets-keys-sentinel
  namespace: operations
spec:
  schedule: "0 1 10 * *"  # every month on the 10th
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: sealed-secrets-keys-sentinel
          containers:
          - name: sealed-secrets-keys-sentinel
            image: rocketchat/k8s-secrets-backup
            imagePullPolicy: Always
            env:
            - name: NAMESPACE
              value: kube-system
            - name: LABEL_KEY
              value: sealedsecrets.bitnami.com/sealed-secrets-key
            - name: LABEL_VALUE
              value: active
            - name: BUCKET_NAME
              value: secretsbackups.your.domain
            - name: S3_FOLDER
              value: sealed_secrets_keys/
            - name: S3_REGION
              value: us-east-2
            - name: AGE_PUBLIC_KEY
              value: age435fgañdfgjñdsflgjgadf
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: awsAccessKeyID
                  name: sealed-secrets-keys-sentinel-secret
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: awsSecretAccessKey
                  name: sealed-secrets-keys-sentinel-secret
            command: ["/app/k8s-secrets-backup"]
            resources:
              limits:
                cpu: "1"
                memory: 300Mi
              requests:
                cpu: "0.2"
                memory: 100Mi
          restartPolicy: OnFailure
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sealed-secrets-keys-sentinel-kubesystem
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sealed-secrets-keys-sentinel-kubesystem
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sealed-secrets-keys-sentinel-kubesystem
subjects:
- kind: ServiceAccount
  name: sealed-secrets-keys-sentinel
  namespace: operations
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: operations
  name: sealed-secrets-keys-sentinel
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sealed-secrets-keys-sentinel-operations
  namespace: operations
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["sealed-secrets-keys-sentinel-secret"]
    verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sealed-secrets-keys-sentinel-operations
  namespace: operations
subjects:
  - kind: ServiceAccount
    name: sealed-secrets-keys-sentinel
    namespace: operations
roleRef:
  kind: Role
  name: sealed-secrets-keys-sentinel-operations
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-info
  namespace: kube-system
data:
  cluster-name: your-cluster-name

About

A generic tool to backup kubernetes secrets, encrypt the backup and upload it to an AWS S3 bucket.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published