About the developer

cmattoon
157 Stars 31 Forks Apache License 2.0 128 Commits 19 Opened issues

Description

Populates Kubernetes Secrets from AWS Parameter Store

cmattoon/aws-ssm

Updates Kubernetes Secrets with values from AWS Parameter Store.

Build Options

  • Helm Chart (recommended):
    make {lint|install|purge}
  • Go:
    make test && make build
  • Docker:
    make container

Helm Chart

Install Helm Chart

First, export the required variables, then run `make install`:

    export AWS_REGION=

AWS Credentials

Uses the default credential provider chain

Values

The following chart values may be set. Only the required values (AWS credentials) need to be provided by the user; most of the time the other defaults work as-is.

| Req'd | Value | Default | Example | Description |
|-------|-------|---------|---------|-------------|
| YES | aws.region | "" | us-west-2 | The AWS region in which the Pod is deployed |
| NO | aws.accesskey | "" | | REQUIRED when no other auth method is available (e.g., IAM role) |
| NO | aws.secretkey | "" | | REQUIRED when no other auth method is available (e.g., IAM role) |
| NO | kubeconfig64 | "" | | The output of `$(cat $KUBE_CONFIG \| base64)`. Stored as a Secret |
| NO | metricsport | 9999 | | Serve metrics/healthchecks on this port |
| NO | image.name | cmattoon/aws-ssm | | The Docker image to use for the Pod container |
| NO | image.tag | latest | | The Docker tag for the image |
| NO | resources | {} | | Kubernetes Resource Requests/Limits |
| NO | rbac.enabled | true | | Whether or not to add Kubernetes RBAC resources |
| NO | ssl.mounthost | false | | Mounts {ssl.hostpath} -> {ssl.mountpath} as a hostVolume |
| NO | ssl.hostpath | /etc/ssl/certs | | The SSL certs dir on the host |
| NO | ssl.mountpath | /etc/ssl/certs | | The SSL certs dir in the container (dev) |

Configuration

The following app config values can be provided via environment variables or CLI flags. CLI flags take precedence over environment variables.

A KUBECONFIG and MASTERURL are only necessary when running outside of the cluster (e.g., during development).

| Environment | Flag | Default | Description |
|-------------|------|---------|-------------|
| AWSREGION | -region | us-west-2 | The AWS Region |
| METRICSURL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics |
| KUBECONFIG | -kube-config | | The path to the kube config file |
| MASTERURL | -master-url | | The Kubernetes master API URL |
| LOG_LEVEL | -log-level | info | The Logrus log level |

Basic Usage

  1. Create a Parameter in AWS Parameter Store:

         my-db-password=foobar

  2. Create a Kubernetes Secret with annotations:

         apiVersion: v1
         kind: Secret
         metadata:
           name: my-secret
           annotations:
             aws-ssm/k8s-secret-name: my-secret
             aws-ssm/aws-param-name: my-db-password
             aws-ssm/aws-param-type: SecureString
         data: {}

  3. Run the binary.

  4. A key with the name `$ParameterType` should have been added to your Secret:

         apiVersion: v1
         kind: Secret
         metadata:
           name: my-secret
           annotations:
             aws-ssm/k8s-secret-name: my-secret
             aws-ssm/aws-param-name: my-db-password
             aws-ssm/aws-param-type: SecureString
         data:
           SecureString: Zm9vYmFyCg==

Annotations

| Annotation | Description | Default |
|------------|-------------|---------|
| aws-ssm/k8s-secret-name | The name of the Kubernetes Secret to modify. | |
| aws-ssm/aws-param-name | The name of the AWS SSM Parameter. May be a path. | |
| aws-ssm/aws-param-type | Determines how values are parsed, if at all. | String |
| aws-ssm/aws-param-key | Required if aws-ssm/aws-param-type is SecureString. | alias/aws/ssm |

AWS Parameter Types

Values for `aws-ssm/aws-param-type` are:

| Value | Behavior | AWS Value | K8S Value(s) |
|-------|----------|-----------|--------------|
| String | No parsing is performed | foo=bar | foo: bar |
| SecureString | Requires aws-param-key | foo=bar | foo: bar |
| StringList | Splits CSV mapping | foo=bar,bar=baz,baz=bat | foo: bar, bar: baz, baz: bat |
| Directory | Get multiple values | /path/to/values | |
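As an added illustration (not the project's own code), the Go sketch below shows how the annotations and the parameter-type table map onto a Secret's `data` field: it applies the defaults from the Annotations table, stores String/SecureString values under a key named after the type as in Basic Usage, splits StringList into key=value pairs, and fails closed on anything else. The `ParamSpec` type and both function names are hypothetical, and the sample annotations in the comments are constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

type ParamSpec struct{ SecretName, ParamName, ParamType, KeyID string }

// SpecFromAnnotations reads the aws-ssm/* annotations of a Secret, applies the
// defaults from the Annotations table (type String, key alias/aws/ssm) and
// rejects specs that name no Secret or no Parameter (hypothetical helper).
func SpecFromAnnotations(a map[string]string) (ParamSpec, error) {
	s := ParamSpec{
		SecretName: a["aws-ssm/k8s-secret-name"],
		ParamName:  a["aws-ssm/aws-param-name"],
		ParamType:  a["aws-ssm/aws-param-type"],
		KeyID:      a["aws-ssm/aws-param-key"],
	}
	if s.SecretName == "" || s.ParamName == "" {
		return s, fmt.Errorf("k8s-secret-name and aws-param-name annotations are required")
	}
	if s.ParamType == "" {
		s.ParamType = "String"
	}
	if s.ParamType == "SecureString" && s.KeyID == "" {
		s.KeyID = "alias/aws/ssm"
	}
	return s, nil
}

// SecretData encodes a fetched value as Secret data: String/SecureString verbatim under a key named after the type, StringList split into key=value pairs.
func SecretData(paramType, value string) (map[string]string, error) {
	data := map[string]string{}
	switch paramType {
	case "String", "SecureString":
		data[paramType] = base64.StdEncoding.EncodeToString([]byte(value))
	case "StringList":
		for _, pair := range strings.Split(value, ",") {
			k, v, ok := strings.Cut(pair, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("StringList entry %q is not key=value", pair)
			}
			data[k] = base64.StdEncoding.EncodeToString([]byte(v))
		}
	default: // Directory needs a recursive fetch and is not modelled here
		return nil, fmt.Errorf("unsupported parameter type %q", paramType)
	}
	return data, nil
}
```

With the constructed annotations from Basic Usage and the value "foobar\n", `SecretData` yields the `SecureString: Zm9vYmFyCg==` entry shown in step 4.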

Build

make           # Build binary
make container # Build Docker image
make push      # Push Docker image

CA Certificates

For ease of use, the `ca-certificates` package is installed on the final `library/alpine` image. If you're having SSL/TLS connection issues, run `export HOST_SSL_DIR=/etc/ssl/certs` before running `make install`. This will mount the SSL cert directory on the EC2 instance.
