cmattoon/ aws-ssm
About the developer
157 Stars 
31 Forks 
Apache License 2.0 
128 Commits 
19 Opened issues 
Description
Populates Kubernetes Secrets from AWS Parameter Store
Services available
Contributors list
cmattoon/aws-ssm
Updates Kubernetes
Secretswith values from AWS Parameter Store
Build Options
- Helm Chart (recommended):
make {lint|install|purge} - Go:
make test && make build
- Docker:
make container
Helm Chart
Install Helm Chart
First, export required variables, then run
make install.
export AWS_REGION=
AWS Credentials
Uses the default credential provider chain
Values
The following chart values may be set. Only the required variables (AWS credentials) need provided by the user. Most of the time, the other defaults should work as-is.
| Req'd | Value | Default | Example | Description | |-------|----------------|------------------|-----------------------------|------------------------------------------------------------------| | YES | aws.region | "" | us-west-2 | The AWS region in which the Pod is deployed | | NO | aws.accesskey | "" | | REQUIRED when no other auth method available (e.g., IAM role) | | NO | aws.secretkey | "" | | REQUIRED when no other auth method available (e.g., IAM role) | | NO | kubeconfig64 | "" | | The output of
$(cat $KUBE_CONFIG \| base64). Stored as a Secret| | NO | metricsport | 9999 | | Serve metrics/healthchecks on this port | | NO | image.name | cmattoon/aws-ssm | / | The Docker image to use for the Pod container | | NO | image.tag | latest | | The Docker tag for the image | | NO | resources | {} | | Kubernetes Resource Requests/Limits | | NO | rbac.enabled | true | | Whether or not to add Kubernetes RBAC stuff | | NO | ssl.mounthost | false | | Mounts {ssl.hostpath} -> {ssl.mountpath} as hostVolume | | NO | ssl.hostpath | /etc/ssl/certs | | The SSL certs dir on the host | | NO | ssl.mountpath | /etc/ssl/certs | | The SSL certs dir in the container (dev) |
Configuration
The following app config values can be provided via environment variables or CLI flags. CLI flags take precdence over environment variables.
A KUBECONFIG and MASTERURL are only necessary when running outside of the cluster (e.g., dev)
| Environment | Flag | Default | Description | |-------------|--------------|----------------|----------------------------------| | AWSREGION | -region | us-west-2 | The AWS Region | | METRICSURL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics | | KUBECONFIG | -kube-config | | The path to the kube config file | | MASTERURL | -master-url | | The Kubernetes master API URL | | LOG_LEVEL | -log-level | info | The Logrus log level |
Basic Usage
- Create Parameter in AWS Parameter Store
my-db-password=
foobar
- Create Kubernetes Secret with Annotations
apiVersion: v1
kind: Secret
metadata:
name: my-secret
annotations:
aws-ssm/k8s-secret-name: my-secret
aws-ssm/aws-param-name: my-db-password
aws-ssm/aws-param-type: SecureString
data: {}
Run Binary
-
A key with the name
$ParameterType
should have been added to your Secret
apiVersion: v1
kind: Secret
metadata:
name: my-secret
annotations:
aws-ssm/k8s-secret-name: my-secret
aws-ssm/aws-param-name: my-db-password
aws-ssm/aws-param-type: SecureString
data:
SecureString: Zm9vYmFyCg==
Annotations
| Annotation | Description | Default | |----------------------------|--------------------------------------------------------|-----------------| |
aws-ssm/k8s-secret-name| The name of the Kubernetes Secret to modify. | | |
aws-ssm/aws-param-name| The name of the AWS SSM Parameter. May be a path. | | |
aws-ssm/aws-param-type| Determines how values are parsed, if at all. |
String| |
aws-ssm/aws-param-key| Required if
aws-ssm/aws-param-typeis
SecureString|
alias/aws/ssm|
AWS Parameter Types
Values for
aws-ssm/aws-param-typeare:
| Value | Behavior | AWS Value | K8S Value(s) | |----------------|--------------------------|-----------------------------|-----------------------------------------| |
String| No parsing is performed |
foo=
bar|
foo: bar| |
SecureString| Requires
aws-param-key|
foo=
bar|
foo: bar| |
StringList| Splits CSV mapping |
foo=bar,bar=baz,baz=bat|
foo: bar
bar: baz
baz: bat| |
Directory| Get multiple values |
/path/to/values| |
Build
make # Build binary make container # Build Docker image make push # Push Docker image
CA Certificates
For ease of use, the
ca-certificatespackage is installed on the final
library/alpineimage. If you're having SSL/TLS connection issues,
export HOST_SSL_DIR=/etc/ssl/certsbefore running
make install. This will mount the SSL cert directory on the EC2 instance.