credentials-operator
Automatically register and generate AWS, GCP & Azure IAM roles, X.509 certificates and username/password pairs for Kubernetes pods using cert-manager, CNCF SPIRE or Otterize Cloud (by otterize)
bouncer
JWT-based authentication and authorization service (by kaancfidan)
| credentials-operator | bouncer | |
|---|---|---|
| 6 | 1 | |
| 54 | 9 | |
| - | - | |
| 8.5 | 10.0 | |
| about 19 hours ago | over 1 year ago | |
| Go | Go | |
| Apache License 2.0 | MIT License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
credentials-operator
Posts with mentions or reviews of credentials-operator.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2024-01-10.
-
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
No more! The open-source intents-operator and credentials-operator enable you to achieve the same, except without all that work: do it all from Kubernetes, declaratively, and just-in-time, through the magic of IBAC (intent-based access control).
-
How to have SSL certificates for all my home lab Kubernetes apps?
Otterize Credential Operator ( https://github.com/otterize/credentials-operator ) helps you automatically provision credentials as Kubernetes secrets (using a self-hosted SPIRE or a free SaaS solution). You can use pod annotations to determine the certificate's domain names (as well as many other properties). I think it is a straightforward approach to managing trust, especially for a relatively small cluster where you manage everything. (Full disclosure: I am one of the contributors to this project)
-
Ask r/kubernetes: What are you working on this week?
Have you taken a look at using SPIRE to create the TLS certificates and attesting about the workload identity? You could couple SPIRE server with the Otterize SPIRE integration operator to declaratively generate TLS certificates. This could be easier to deploy than a service mesh and sidecars, depending on your use case - what the clients are and what the servers are.
-
How to authenticate microservices?
You could create JWT or mTLS-based identities, and then verify those in your middleware. If you are on Kubernetes, you might try using SPIRE together with the SPIRE integration operator to automatically issue identities as Kubernetes secrets, which you could then use to connect between services.
-
Who defines secret management / certificate management in your company
In practice, the technical part is implemented by the DevOps/platform team. The way in which you declare and get access to these secrets varies, but can be one of the cloud provider secret managers (e.g. AWS Secret Manager), Hashicorp Vault, or if you're on Kubernetes, could be something like cert-manager, Hashicorp Vault sidecars, or SPIRE coupled with the Otterize SPIRE integration.
-
How to automate certificate renewal with Azure Key vault?
If this seems a bit complicated, you could use SPIRE server to issue certificates and Otterize SPIRE integration operator to renew them in Kubernetes and update Secrets.
bouncer
Posts with mentions or reviews of bouncer.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-11-26.
-
How to authenticate microservices?
OPA is a full fledged solution as an external auth provider to reverse proxies like Nginx, Envoy or Traefik...etc. It can be a bit complex and overkill for smaller systems. I have a solution called bouncer as a much simpler and opinionated replacement to OPA. Have a look at it, at least it can give you ideas.
What are some alternatives?
When comparing credentials-operator and bouncer you can also consider the following projects:
heimdall - A cloud native Identity Aware Proxy and Access Control Decision service
Ory Oathkeeper - A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
auth - A JWT based API for managing users and issuing JWT tokens
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
jwt - Community maintained clone of https://github.com/dgrijalva/jwt-go
caddy-security - 🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐