Updates Kubernetes Secrets with values from AWS Parameter Store
- For example usage, see
example.yaml - Use the Helm chart to get up and running quickly
- Helm Chart (recommended):
make {lint|install|purge} - Go:
make test && make build - Docker:
make container
First, export required variables, then run make install.
export AWS_REGION=<region>
export AWS_SECRET_KEY=<secret>
export AWS_ACCESS_KEY=<access-key-id>
The AWS credentials should be associated with an IAM user/role that has the following permissions:
- @todo
The following chart values may be set. Only the required variables (AWS credentials) need provided by the user. Most of the time, the other defaults should work as-is.
| Req'd | Value | Default | Example | Description |
|---|---|---|---|---|
| YES | aws.region | "" | us-west-2 | The AWS region in which the Pod is deployed |
| YES | aws.access_key | "" | ||
| YES | aws.secret_key | "" | ||
| NO | kubeconfig64 | "" | The output of `$(cat $KUBE_CONFIG | |
| NO | metrics_port | 9999 | Serve metrics/healthchecks on this port | |
| NO | replicas | 1 | The number of Pods | |
| NO | image.name | cmattoon/aws-ssm | / | The Docker image to use for the Pod container |
| NO | image.tag | latest | The Docker tag for the image | |
| NO | resources | {} | Kubernetes Resource Requests/Limits | |
| NO | host_ssl_dir | "" | /etc/ssl/certs | If specified, mounts certs from the host. |
| NO | rbac.enabled | true | Whether or not to add Kubernetes RBAC stuff |
Run make container to build the Docker image
The following app config values can be provided via environment variables or CLI flags. CLI flags take precdence over environment variables.
A KUBE_CONFIG and MASTER_URL are only necessary when running outside of the cluster (e.g., dev)
| Environment | Flag | Default | Description |
|---|---|---|---|
| AWS_REGION | -region | us-west-2 | The AWS Region |
| METRICS_URL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics |
| KUBE_CONFIG | -kube-config | The path to the kube config file | |
| MASTER_URL | -master-url | The Kubernetes master API URL |
- Create Parameter in AWS Parameter Store
my_value = foobar
- Create Kubernetes Secret with Annotations
apiVersion: v1
kind: Secret
metadata:
name: my-secret
annotations:
"alpha.ssm.cmattoon.com/k8s-secret-name": my-secret
"alpha.ssm.cmattoon.com/aws-param-name": my_value
"alpha.ssm.cmattoon.com/aws-param-type": SecureString
"alpha.ssm.cmattoon.com/aws-param-key": "alias/aws/ssm"
data: {}
-
Run Binary
-
A key with the name
$ParameterTypeshould have been added to your Secret
apiVersion: v1
kind: Secret
metadata:
name: my-secret
annotations:
"alpha.ssm.cmattoon.com/k8s-secret-name": my-secret
"alpha.ssm.cmattoon.com/aws-param-name": my_value
"alpha.ssm.cmattoon.com/aws-param-type": SecureString
"alpha.ssm.cmattoon.com/aws-param-key": "alias/aws/ssm"
data:
SecureString: foobar
make
make container
For ease of use, the ca-certificates package is installed on the final library/alpine image. If you're having SSL/TLS
connection issues, export HOST_SSL_DIR=/etc/ssl/certs before running make install. This will mount the SSL cert directory
on the EC2 instance.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent