Show HN: konfd – Manage Kubernetes secrets and configmaps with Go templates

More great stuff from Kelsey...<p>My tldr; konfd writes out k8s configmaps based on other k8s resources like secrets, configmaps, etc. Really useful for writing out complete config files into a pod namespace without relying on external config backends.<p>Question: While looping on a syncInterval is certainly clean and understandable, it feels suboptimal when all the templates sources are themselves watchable with a k8s client. Benefits of switching to a watch model:<p>1. Speed: It&#x27;d be nice to have the template rendering fire immediately after a source secret changed versus waiting for syncInterval.<p>2. Resource Utilization: Switching from syncInterval to a watch should save significant cycles by avoiding reprocessing templates when config hasn&#x27;t changed.

Kelsey, I (and others) would kindly appreciate it if you&#x27;d stop calling anything in Kubernetes as it exists today a &quot;secret&quot; and writing new code to further encourage its use. People should be aware in no uncertain terms that the &quot;secrets&quot; store in etcd is totally unencrypted and insecure.<p>If you&#x27;d like to find a place to help, I&#x27;d suggest focusing your efforts on connecting Kubernetes to Hashicorp Vault, which is truly secure, and deprecating the old unencrypted etcd-backed implementation.

Hi kelsey, this is pretty nice ! Is there any way to bribe you into slowing down on the awesome sauce delivery pipeline so people can catch up !? asking for a friend.<p>If you find the time can you elaborate on why you elected to use ConfigMaps for the templates too instead of building a 3rd party ressource ? This way you wouldn&#x27;t have to use annotations and the definition might be a little more terse (or not)<p>Is there something about configmaps that make implementation easier ? or provides additional behavior wrt to pod lifecycle or something like that ?

I propose an alternative to templates: Use go objects to define your config. Better dynamicity, readability and typesafety. See my post <a href="https:&#x2F;&#x2F;kozikow.com&#x2F;2016&#x2F;09&#x2F;02&#x2F;using-go-to-autogenerate-kubernetes-configs&#x2F;" rel="nofollow">https:&#x2F;&#x2F;kozikow.com&#x2F;2016&#x2F;09&#x2F;02&#x2F;using-go-to-autogenerate-kube...</a> .

Aren&#x27;t secrets stored unecrypted in kube? I&#x27;d hesitate to call them secrets, though config looks good.