Michael Treacher treacher

## rolebinding.yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-team-1
  namespace: team-1
subjects:
- kind: Group
  name: kubernetes-team-1
  apiGroup: rbac.authorization.k8s.io

## controller.go
// NamespaceController watches the kubernetes api for changes to namespaces and
// creates a RoleBinding for that particular namespace.
type NamespaceController struct {
	namespaceInformer cache.SharedIndexInformer
	kclient           *kubernetes.Clientset
}

// Run starts the process for listening for namespace changes and acting upon those changes.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
	// When this function completes, mark the go function as done

## controller.go
func (c *NamespaceController) createRoleBinding(obj interface{}) {
	namespaceObj := obj.(*v1.Namespace)
	namespaceName := namespaceObj.Name

	roleBinding := &v1beta1.RoleBinding{
		TypeMeta: metav1.TypeMeta{
			Kind:       "RoleBinding",
			APIVersion: "rbac.authorization.k8s.io/v1beta1",
		},
		ObjectMeta: metav1.ObjectMeta{

## controller.go
// Run starts the process for listening for namespace changes and acting upon those changes.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
	// When this function completes, mark the go function as done
	defer wg.Done()

	// Increment wait group as we're about to execute a go function
	wg.Add(1)

	// Execute go function
	go c.namespaceInformer.Run(stopCh)

## controller.go
// NamespaceController watches the kubernetes api for changes to namespaces and
// creates a RoleBinding for that particular namespace.
type NamespaceController struct {
	namespaceInformer cache.SharedIndexInformer
	kclient           *kubernetes.Clientset
}

// NewNamespaceController creates a new NewNamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
	namespaceWatcher := &NamespaceController{}

## pod-with-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: container-with-secrets
spec:
  containers:
  - name: container-with-secrets
    image: redis
    env:
      - name: SECRET_PASSWORD

## secrets.txt
DB_PASSWORD=foobar123
DB_USER=foo
API_KEY=12345abcd
SERVICE_PASSWORD=bbaabb45

## install-shush
curl -sL -o /usr/local/bin/shush \
    https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
 && chmod +x /usr/local/bin/shush

## feed-secrets-to-shush.sh
#!/bin/bash

file_location=$1
kms_key=$2

display_usage() {
  echo "Usage: $0 <file-with-secrets> <kms-key-alias>"
  exit 1
}

## secrets.yaml
KMS_ENCRYPTED_DB_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHd4xDeWtNSGUWMyqOf7h6cAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7tDQv7h73zQftY5tAgEQgCTlI1uXcgBrNdvsBoXb2ytkkya+VJRHl2zZWMW5qzheJ2YKeSg="
KMS_ENCRYPTED_DB_USER: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHrz68itBGQ6jgbmK6HgzDRAAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJj0q65b8KZo4sRY6AgEQgB7cksi/tq9lmyQtBh4uK6HfmyoMHIMm+a72gu4o8Qo="
KMS_ENCRYPTED_API_KEY: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAFobUiYON7DRYoe3ZtSC5nNAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMSsYpPDJvAnRITyNsAgEQgCREj7SdmKYG7gX+JOMJfYG4ILnujd0ZLfXYrJcxrTy4XTCkTzU="
KMS_ENCRYPTED_SERVICE_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAElX/reSqpDqhuY1RgYaQ72AAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMy8al1te4FCu+pdEjAgEQgCNlNfdZamx7R5cHhX6uQSFRCsaIx58lN2bA97wQlhtRAQYPuw=="
	---
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: kubernetes-team-1
	namespace: team-1
	subjects:
	- kind: Group
	name: kubernetes-team-1
	apiGroup: rbac.authorization.k8s.io
	// NamespaceController watches the kubernetes api for changes to namespaces and
	// creates a RoleBinding for that particular namespace.
	type NamespaceController struct {
	namespaceInformer cache.SharedIndexInformer
	kclient *kubernetes.Clientset
	}

	// Run starts the process for listening for namespace changes and acting upon those changes.
	func (c NamespaceController) Run(stopCh <-chan struct{}, wg sync.WaitGroup) {
	// When this function completes, mark the go function as done
	func (c *NamespaceController) createRoleBinding(obj interface{}) {
	namespaceObj := obj.(*v1.Namespace)
	namespaceName := namespaceObj.Name

	roleBinding := &v1beta1.RoleBinding{
	TypeMeta: metav1.TypeMeta{
	Kind: "RoleBinding",
	APIVersion: "rbac.authorization.k8s.io/v1beta1",
	},
	ObjectMeta: metav1.ObjectMeta{
	apiVersion: v1
	kind: Pod
	metadata:
	name: container-with-secrets
	spec:
	containers:
	- name: container-with-secrets
	image: redis
	env:
	- name: SECRET_PASSWORD
	DB_PASSWORD=foobar123
	DB_USER=foo
	API_KEY=12345abcd
	SERVICE_PASSWORD=bbaabb45
	curl -sL -o /usr/local/bin/shush \
	https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
	&& chmod +x /usr/local/bin/shush
	#!/bin/bash

	file_location=$1
	kms_key=$2

	display_usage() {
	echo "Usage: $0 <file-with-secrets> <kms-key-alias>"
	exit 1
	}
	KMS_ENCRYPTED_DB_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHd4xDeWtNSGUWMyqOf7h6cAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7tDQv7h73zQftY5tAgEQgCTlI1uXcgBrNdvsBoXb2ytkkya+VJRHl2zZWMW5qzheJ2YKeSg="
	KMS_ENCRYPTED_DB_USER: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHrz68itBGQ6jgbmK6HgzDRAAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJj0q65b8KZo4sRY6AgEQgB7cksi/tq9lmyQtBh4uK6HfmyoMHIMm+a72gu4o8Qo="
	KMS_ENCRYPTED_API_KEY: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAFobUiYON7DRYoe3ZtSC5nNAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMSsYpPDJvAnRITyNsAgEQgCREj7SdmKYG7gX+JOMJfYG4ILnujd0ZLfXYrJcxrTy4XTCkTzU="
	KMS_ENCRYPTED_SERVICE_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAElX/reSqpDqhuY1RgYaQ72AAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMy8al1te4FCu+pdEjAgEQgCNlNfdZamx7R5cHhX6uQSFRCsaIx58lN2bA97wQlhtRAQYPuw=="