Project author: edgelevel

Project description:
A Kubernetes Operator to manage secrets stored in LastPass password manager
Language: Go
Repository: git://github.com/edgelevel/lastpass-operator.git
Created: 2019-06-27T18:50:42Z
Project page: https://github.com/edgelevel/lastpass-operator

License: MIT License


lastpass-operator

A Kubernetes Operator to manage secrets stored in LastPass password manager

How it works

Suppose you have some credentials stored in LastPass

    $ lpass show example/my-secret --json
    [
      {
        "id": "8190226423897406876",
        "name": "my-secret",
        "fullname": "example/my-secret",
        "username": "whoami",
        "password": "s3cr3t",
        "last_modified_gmt": "1562690587",
        "last_touch": "0",
        "group": "example",
        "url": "https://lastpass.com",
        "note": "{\"myKey\":\"myValue\"}"
      }
    ]

Define a LastPass or LastPassGroup Custom Resource to automatically manage the lifecycle of your secrets in Kubernetes

    $ cat example/edgelevel_v1alpha1_lastpass_cr.yaml
    apiVersion: edgelevel.com/v1alpha1
    kind: LastPass
    metadata:
      name: example-lastpass
    spec:
      secretRef:
        group: example
        name: my-secret
        withUsername: true
        withPassword: true
        withUrl: true
        withNote: true
      syncPolicy:
        enabled: true
        refresh: 10
    # create a custom resource
    $ kubectl apply -f example/edgelevel_v1alpha1_lastpass_cr.yaml

NOTE: The LastPassGroup custom resource syncs every secret in one LastPass folder to Kubernetes. Only that folder is synced; entries in subfolders are not.

    $ cat example/edgelevel_v1alpha1_lastpassgroup_cr.yaml
    apiVersion: edgelevel.com/v1alpha1
    kind: LastPassGroup
    metadata:
      name: example-lastpassgroup
    spec:
      secretRef:
        group: example
        withUsername: true
        withPassword: true
        withUrl: true
        withNote: true
      syncPolicy:
        enabled: true
        refresh: 10
    # create a custom resource
    $ kubectl apply -f example/edgelevel_v1alpha1_lastpassgroup_cr.yaml

The operator creates native Kubernetes Secrets from the referenced LastPass entries and, when syncPolicy is enabled, keeps them up to date if the entries change in LastPass.

    # verify
    $ kubectl get lastpass
    $ kubectl get secrets
    # inspect
    $ kubectl get secret example-lastpass-8190226423897406876 -o yaml
    apiVersion: v1
    data:
      NOTE: eyJteUtleSI6Im15VmFsdWUifQ==
      PASSWORD: czNjcjN0
      URL: aHR0cHM6Ly9sYXN0cGFzcy5jb20=
      USERNAME: d2hvYW1p
    kind: Secret
    metadata:
      annotations:
        fullname: example/my-secret
        group: example
        id: "8190226423897406876"
        lastModifiedGmt: "1562690587"
        lastTouch: "0"
        name: my-secret
      creationTimestamp: "2019-07-09T15:00:13Z"
      labels:
        app: lastpass-operator
      name: example-lastpass-8190226423897406876
      namespace: default
      ownerReferences:
      - apiVersion: edgelevel.com/v1alpha1
        blockOwnerDeletion: true
        controller: true
        kind: LastPass
        name: example-lastpass
        uid: 0687d5a7-5f02-4ee4-a6c4-011c734f4149
      resourceVersion: "113312"
      selfLink: /api/v1/namespaces/default/secrets/example-lastpass-8190226423897406876
      uid: 382008d2-8999-444d-86c8-e4f29eecbe9f
    type: Opaque
    # check values (Secret data is base64-encoded, not encrypted)
    $ echo 'czNjcjN0' | base64 --decode
    s3cr3t
    $ echo 'eyJteUtleSI6Im15VmFsdWUifQ==' | base64 --decode | jq -c
    {"myKey":"myValue"}
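
To make the mapping concrete, here is an added Go example written for this page (it is not code from the lastpass-operator project). It parses the `lpass show --json` output shown above, applies the `secretRef` flags from the custom resource, and produces a Secret with the same name pattern, data keys and annotations as the `kubectl get secret` output, plus a staleness check for the "keep them up to date" step. Assumptions: the `Secret` struct is a stdlib-only stand-in for the Kubernetes API type, `NeedsUpdate` detects changes by comparing the stored `lastModifiedGmt` annotation with the value LastPass currently reports (the project's Reconcile logic may do this differently), and `InGroup` uses an exact folder match as the "does not sync subfolders" rule implies.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// LastPassEntry mirrors one element of the `lpass show --json` array above.
type LastPassEntry struct {
	ID              string `json:"id"`
	Name            string `json:"name"`
	Fullname        string `json:"fullname"`
	Username        string `json:"username"`
	Password        string `json:"password"`
	LastModifiedGmt string `json:"last_modified_gmt"`
	LastTouch       string `json:"last_touch"`
	Group           string `json:"group"`
	URL             string `json:"url"`
	Note            string `json:"note"`
}

// SecretRef mirrors spec.secretRef of the LastPass custom resource.
type SecretRef struct {
	Group, Name                                  string
	WithUsername, WithPassword, WithURL, WithNote bool
}

// Secret is a stdlib-only stand-in for corev1.Secret (an assumption of this
// example; the real operator uses the Kubernetes API types).
type Secret struct {
	Name, Namespace string
	Labels          map[string]string
	Annotations     map[string]string
	Data            map[string]string // base64-encoded, as `kubectl get -o yaml` prints it
}

// ParseEntries decodes the JSON array printed by `lpass show --json`.
func ParseEntries(raw []byte) ([]LastPassEntry, error) {
	var entries []LastPassEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, fmt.Errorf("lpass output: %w", err)
	}
	return entries, nil
}

// InGroup is the exact-folder match implied by "does not sync subfolders":
// an entry in a nested folder carries a different group string and is skipped.
func InGroup(e LastPassEntry, group string) bool { return e.Group == group }

// BuildSecret maps an entry to the Secret layout shown above: the name is
// <cr name>-<lpass id>, the data keys follow the with* flags, and the
// LastPass metadata is kept in annotations.
func BuildSecret(crName, namespace string, ref SecretRef, e LastPassEntry) Secret {
	enc := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	data := map[string]string{}
	if ref.WithUsername {
		data["USERNAME"] = enc(e.Username)
	}
	if ref.WithPassword {
		data["PASSWORD"] = enc(e.Password)
	}
	if ref.WithURL {
		data["URL"] = enc(e.URL)
	}
	if ref.WithNote {
		data["NOTE"] = enc(e.Note)
	}
	return Secret{
		Name:      fmt.Sprintf("%s-%s", crName, e.ID),
		Namespace: namespace,
		Labels:    map[string]string{"app": "lastpass-operator"},
		Annotations: map[string]string{
			"fullname":        e.Fullname,
			"group":           e.Group,
			"id":              e.ID,
			"lastModifiedGmt": e.LastModifiedGmt,
			"lastTouch":       e.LastTouch,
			"name":            e.Name,
		},
		Data: data,
	}
}

// NeedsUpdate is an assumed "has it changed?" check for the sync loop: the
// lastModifiedGmt annotation stored on the Secret is compared with the value
// LastPass reports now. A different timestamp means the Secret must be rewritten.
func NeedsUpdate(existing Secret, e LastPassEntry) bool {
	return existing.Annotations["lastModifiedGmt"] != e.LastModifiedGmt
}

// sampleLpass is the lpass output from above, embedded so the example runs offline.
const sampleLpass = `[{"id":"8190226423897406876","name":"my-secret","fullname":"example/my-secret",
"username":"whoami","password":"s3cr3t","last_modified_gmt":"1562690587","last_touch":"0",
"group":"example","url":"https://lastpass.com","note":"{\"myKey\":\"myValue\"}"}]`

func main() {
	entries, err := ParseEntries([]byte(sampleLpass))
	if err != nil {
		panic(err)
	}
	ref := SecretRef{Group: "example", Name: "my-secret", WithUsername: true, WithPassword: true, WithURL: true, WithNote: true}
	for _, e := range entries {
		if !InGroup(e, ref.Group) || e.Name != ref.Name {
			continue
		}
		s := BuildSecret("example-lastpass", "default", ref, e)
		fmt.Printf("%s/%s data=%v\n", s.Namespace, s.Name, s.Data)
		fmt.Println("stale:", NeedsUpdate(s, e))
	}
}
```

Running it prints the same base64 values as the `kubectl get secret` output above; base64 is an encoding, not encryption, so anyone who can read the Secret object reads the LastPass password.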

Metrics are exposed by default in Prometheus format; for example:

    # port forward
    kubectl port-forward service/lastpass-operator -n lastpass 8080:8383
    # request metrics (http is the HTTPie client)
    http :8080/metrics

Considerations

  • If you want to understand how the operator works, you should have a look at the Reconcile method defined in lastpass_controller and at the CustomResourceDefinition
  • The diagram below explains the core logic of the reconcile loop

[diagram: reconcile-loop]

  • The recommended way to install the operator in a cluster is by applying the provided Helm chart
  • TODO for a working example you should have a look at niqdev/do-k8s
  • This operator has been developed mainly to simplify secret management in low-security environments. If your requirements are stricter, audit this project and assess whether it meets your organization's security standard
  • The operator, for obvious reasons, won't work if MFA is enabled on your LastPass account or if an entry has "Require Password Reprompt" set
  • Once this Argo CD feature is implemented, it should be possible to bind secrets directly to an Application

Development

    # download source
    mkdir -p $GOPATH/src/github.com/edgelevel && cd $_
    git clone git@github.com:edgelevel/lastpass-operator.git
    cd lastpass-operator
    # install operator-sdk
    .travis/install_operator_sdk.sh
    # install dependencies
    go mod download -x

Run locally outside the cluster on minikube

    # requires virtualbox
    minikube start
    # run locally
    export OPERATOR_NAME=lastpass-operator
    export LASTPASS_USERNAME=myUsername
    export LASTPASS_PASSWORD=myPassword
    # Install CRDs into cluster
    make install
    # Start lastpass operator
    make run
    # Alternatively you can install and run with
    make install run

Run as a Deployment inside the cluster

    # apply chart
    helm template \
      --values chart/values.yaml \
      --set lastpass.username="myUsername" \
      --set lastpass.password="myPassword" \
      chart/ | kubectl apply -n lastpass -f -

Note that --set places the LastPass master password on the command line, where it ends up in shell history and is visible to other users of the host through the process list; for anything beyond a throwaway cluster, supply it through a values file with restricted permissions instead.

Debug issues

    # verify logs
    kubectl logs deployment/lastpass-operator -n lastpass -f

Publish a new version on DockerHub

    # build and publish manually (unsafe)
    make docker-build IMG=edgelevel/lastpass-operator:X.Y.Z
    make docker-push IMG=edgelevel/lastpass-operator:X.Y.Z
    # build and publish using travis
    git tag vX.Y.Z
    git push origin --tags

TODO