GitHub - secrets-bridge/controller: Kubernetes operator + CRDs for SecretsSync (GitOps). · GitHub

secrets-bridge / controller

Kubernetes operator + CRDs for Secrets Bridge — written with kubebuilder + controller-runtime. Reconciles the sync.secrets-bridge.io/v1alpha1 SecretsSync CRD and dispatches sync work via the core provider abstraction.

Status

| Issue | Step | Status |
|-------|------|--------|
| #1 | Migrate v0.1.0 operator onto core | ✅ merged |
| #2 | GitOps CRD integration (Flow 4) | open |

The api-side GitOps observation integration (BRD §26 — read-only ArgoCD visibility tied to the request lifecycle) shipped via secrets-bridge/api#25 + secrets-bridge/worker#3 (opt-in, gated on SB_GITOPS_ENABLED). This controller's separate GitOps CRD integration (Flow 4) tracks a different surface — pulling SecretsSync declarations from GitOps repos rather than admin endpoints.

Architecture

The controller imports only core/providers — never api/pkg/storage, api/pkg/runtime, or any Control Plane internal — per the polyrepo dependency rule. Reading and writing actual secret values is the agent's job per BRD §12.4; this controller:

  1. Watches SecretsSync CRs
  2. Validates the CR by resolving source + destination providers from the Registry
  3. Surfaces a Ready condition on .status.conditions
  4. Re-queues every spec.refreshInterval (default 5m)

Once the agent registration loop (secrets-bridge/agent#1) and the job loop (#2) land, the controller will dispatch sync jobs to the Control Plane API which the agent then claims and executes inside the target boundary.

CRD

SecretsSync is cluster-scoped (one CR per source ↔ destination pair). Spec shape:

apiVersion: sync.secrets-bridge.io/v1alpha1
kind: SecretsSync
metadata:
  name: vault-to-aws-mirror
spec:
  source:
    type: vault
    config:
      address: https://vault.example.com
      authMethod: kubernetes
      kubernetesRole: secrets-bridge
      kvMount: kv
      kvPrefix: apps
  destination:
    type: aws-sm
    config:
      region: us-east-1
  direction: SourceToDestination
  refreshInterval: 5m

See core/providers/{vault,awssecretsmanager} for the full list of accepted config keys per provider.
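The validation step of the reconcile loop (step 2 above) and the Ready condition it produces (step 3), applied to the sample CR from the CRD section, as an added, stand-alone example. This is not the repository's reconciler: the `SecretsSyncSpec`, `Condition` and `Registry` types, the required config keys per provider, and the `SampleRegistry`/`SampleSpec` inputs are stand-ins written for this example, and the real accepted keys live in core/providers. It also shows the hard rule in practice: condition messages name provider types and missing config keys only, never config values, and an invalid `refreshInterval` falls back to the 5m default instead of stalling the loop.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ProviderRef and SecretsSyncSpec mirror the spec shape of the sample CR.
// They are stand-ins for this example, not the generated api/v1alpha1 types.
type ProviderRef struct {
	Type   string
	Config map[string]string
}

type SecretsSyncSpec struct {
	Source          ProviderRef
	Destination     ProviderRef
	Direction       string
	RefreshInterval string // Go duration string such as "5m"; empty means default
}

// Condition is a minimal stand-in for the metav1.Condition written to
// .status.conditions.
type Condition struct {
	Type, Status, Reason, Message string
}

// Provider records the config keys a provider requires. The real registry is
// in core/providers; this map type and the key lists below are assumptions.
type Provider struct {
	Name         string
	RequiredKeys []string
}

type Registry map[string]Provider

// DefaultRefreshInterval is the spec.refreshInterval default (5m).
const DefaultRefreshInterval = 5 * time.Minute

// RequeueAfter returns the requeue interval for a spec. A missing or invalid
// value falls back to the default so a bad CR never stalls reconciliation.
func RequeueAfter(spec SecretsSyncSpec) (time.Duration, error) {
	if spec.RefreshInterval == "" {
		return DefaultRefreshInterval, nil
	}
	d, err := time.ParseDuration(spec.RefreshInterval)
	if err != nil || d <= 0 {
		return DefaultRefreshInterval, fmt.Errorf("invalid refreshInterval %q, using %s", spec.RefreshInterval, DefaultRefreshInterval)
	}
	return d, nil
}

// checkRef resolves one side of the sync against the registry. Messages carry
// the provider type and the names of missing config keys only, never config
// values, so they are safe on status, in events and in logs.
func checkRef(reg Registry, side string, ref ProviderRef) error {
	p, ok := reg[ref.Type]
	if !ok {
		return fmt.Errorf("%s: unknown provider type %q", side, ref.Type)
	}
	var missing []string
	for _, k := range p.RequiredKeys {
		if _, present := ref.Config[k]; !present {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return fmt.Errorf("%s (%s): missing config keys: %s", side, p.Name, strings.Join(missing, ", "))
	}
	return nil
}

// ReadyCondition resolves source and destination and reports the outcome as
// the Ready condition the controller would surface on the CR.
func ReadyCondition(reg Registry, spec SecretsSyncSpec) Condition {
	if err := checkRef(reg, "source", spec.Source); err != nil {
		return Condition{Type: "Ready", Status: "False", Reason: "SourceUnresolved", Message: err.Error()}
	}
	if err := checkRef(reg, "destination", spec.Destination); err != nil {
		return Condition{Type: "Ready", Status: "False", Reason: "DestinationUnresolved", Message: err.Error()}
	}
	return Condition{Type: "Ready", Status: "True", Reason: "ProvidersResolved",
		Message: fmt.Sprintf("%s -> %s", spec.Source.Type, spec.Destination.Type)}
}

// SampleRegistry is constructed for this example; the required keys are assumed.
func SampleRegistry() Registry {
	return Registry{
		"vault":  {Name: "vault", RequiredKeys: []string{"address", "authMethod"}},
		"aws-sm": {Name: "awssecretsmanager", RequiredKeys: []string{"region"}},
	}
}

// SampleSpec is the vault-to-aws-mirror CR from the CRD section as a Go value.
func SampleSpec() SecretsSyncSpec {
	return SecretsSyncSpec{
		Source: ProviderRef{Type: "vault", Config: map[string]string{
			"address": "https://vault.example.com", "authMethod": "kubernetes",
			"kubernetesRole": "secrets-bridge", "kvMount": "kv", "kvPrefix": "apps"}},
		Destination:     ProviderRef{Type: "aws-sm", Config: map[string]string{"region": "us-east-1"}},
		Direction:       "SourceToDestination",
		RefreshInterval: "5m",
	}
}

func main() {
	spec := SampleSpec()
	c := ReadyCondition(SampleRegistry(), spec)
	after, _ := RequeueAfter(spec)
	fmt.Printf("%s=%s reason=%s message=%q requeueAfter=%s\n", c.Type, c.Status, c.Reason, c.Message, after)
}
```

A useful check when wiring this into a real reconciler is to feed it a CR whose config contains a secret-looking value under an unexpected key and confirm that value never reaches the condition message, the event, or the log line; the error strings above are built from key names and provider types only, which is what makes that property hold.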

Layout

cmd/                       manager entrypoint + flags + provider registration
api/v1alpha1/              CRD types (SecretsSync) + deepcopy + scheme
internal/controller/       reconciler implementation
config/crd/                generated CustomResourceDefinition
config/rbac/               role / role binding / service account for the operator
config/samples/            example SecretsSync CR

Hard rules (per CLAUDE.md)

  • Imports core/providers only. No api/pkg/storage, no Redis client, no Postgres driver.
  • No secret values in CR status, conditions, events, or logs.
  • Operator runs as nonroot on distroless/static.

Local development

go build ./...
go vet ./...
go test -race -count=1 ./...

Container

docker build -t secrets-bridge-controller:dev .

Multi-stage build: golang:1.26-alpine builder stage, distroless/static:nonroot runtime stage. No shell, no package manager.
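The shape of that build, as an added illustration rather than the repository's own Dockerfile (which is not shown on this page). The build path ./cmd, the /manager binary name and the presence of go.sum are assumptions; the image tags and the nonroot UID/GID 65532 are those of the upstream golang and distroless images.

```dockerfile
# Builder stage: static binary, CGO off so nothing links against libc.
FROM golang:1.26-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# ./cmd is assumed to be the manager entrypoint (see Layout).
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/manager ./cmd

# Runtime stage: distroless/static has no shell and no package manager; the
# :nonroot tag already runs as 65532:65532, and USER restates it explicitly.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/manager /manager
USER 65532:65532
ENTRYPOINT ["/manager"]
```

Pair the image with `securityContext.runAsNonRoot: true` on the manager pod in config/rbac or the manager deployment manifest, so that the kubelet refuses to start the container if a future image change ever drops back to UID 0.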
