Awesome

Secret backup operator

An operator to backup secrets on a Kubernetes cluster.
Backup happens when secrets are modified.
Backup data is stored in an other secret <secret-name>-backup, that has a single key BACKUP containing the secrets versions in a JSON encoded list.

Setup

To be able to run this on a cluster you need to deploy a Deployment that runs an image built using the provided Dockerfile, the pods need to run with a ServiceAccount that is authorized to create, read, watch and edit secrets. Eg.:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-operator-service-account
  namespace: some-namepace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets
  namespace: default
subjects:
  - kind: ServiceAccount
    name: secret-operator-service-account
    namespace: some-namepace
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io