Populates Kubernetes Secrets from AWS Parameter Store

Updates Kubernetes Secrets with values from AWS Parameter Store.
```
make {lint|install|purge}
make test && make build
make container
```
First, export the required variables, then run `make install`.

```
export AWS_REGION=
```

AWS credentials are picked up through the default credential provider chain.
The following chart values may be set. Only the required variables (AWS credentials) need to be provided by the user. Most of the time, the other defaults should work as-is.

| Req'd | Value | Default | Example | Description |
|-------|-------|---------|---------|-------------|
| YES | aws.region | "" | us-west-2 | The AWS region in which the Pod is deployed |
| NO | aws.accesskey | "" | | REQUIRED when no other auth method is available (e.g., IAM role) |
| NO | aws.secretkey | "" | | REQUIRED when no other auth method is available (e.g., IAM role) |
| NO | kubeconfig64 | "" | | The output of `$(cat $KUBE_CONFIG \| base64)`. Stored as a Secret |
| NO | metricsport | 9999 | | Serve metrics/healthchecks on this port |
| NO | image.name | cmattoon/aws-ssm | / | The Docker image to use for the Pod container |
| NO | image.tag | latest | | The Docker tag for the image |
| NO | resources | {} | | Kubernetes Resource Requests/Limits |
| NO | rbac.enabled | true | | Whether or not to add Kubernetes RBAC stuff |
| NO | ssl.mounthost | false | | Mounts {ssl.hostpath} -> {ssl.mountpath} as hostVolume |
| NO | ssl.hostpath | /etc/ssl/certs | | The SSL certs dir on the host |
| NO | ssl.mountpath | /etc/ssl/certs | | The SSL certs dir in the container (dev) |
The following app config values can be provided via environment variables or CLI flags. CLI flags take precedence over environment variables.

A KUBECONFIG and MASTERURL are only necessary when running outside of the cluster (e.g., dev).

| Environment | Flag | Default | Description |
|-------------|------|---------|-------------|
| AWSREGION | -region | us-west-2 | The AWS Region |
| METRICSURL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics |
| KUBECONFIG | -kube-config | | The path to the kube config file |
| MASTERURL | -master-url | | The Kubernetes master API URL |
| LOG_LEVEL | -log-level | info | The Logrus log level |
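The flag-over-environment precedence described above can be implemented by seeding each flag's default from the environment before parsing the command line. The following is an added example, not the project's own code: the `ResolveConfig` function, the `Config` struct and the `envOr` helper are assumptions for illustration, while the variable names, flags and defaults are the ones from the table.

```go
package main

import (
	"flag"
	"fmt"
	"os"
)

// Config mirrors the app settings listed in the table above.
type Config struct {
	Region     string
	MetricsURL string
	KubeConfig string
	MasterURL  string
	LogLevel   string
}

// envOr returns the environment variable's value via getenv, or def when it is unset.
// getenv is injected (rather than calling os.Getenv directly) so the logic is testable.
func envOr(getenv func(string) string, name, def string) string {
	if v := getenv(name); v != "" {
		return v
	}
	return def
}

// ResolveConfig builds a Config from CLI args and the environment with the
// precedence the README states: flag > environment variable > built-in default.
// Each flag's default is seeded from the environment, so an explicit flag on
// the command line always wins, and an unset environment falls back to the table default.
func ResolveConfig(args []string, getenv func(string) string) (Config, error) {
	fs := flag.NewFlagSet("aws-ssm", flag.ContinueOnError)
	var c Config
	fs.StringVar(&c.Region, "region", envOr(getenv, "AWSREGION", "us-west-2"), "The AWS Region")
	fs.StringVar(&c.MetricsURL, "metrics-url", envOr(getenv, "METRICSURL", "0.0.0.0:9999"), "Address for healthchecks/metrics")
	fs.StringVar(&c.KubeConfig, "kube-config", envOr(getenv, "KUBECONFIG", ""), "The path to the kube config file")
	fs.StringVar(&c.MasterURL, "master-url", envOr(getenv, "MASTERURL", ""), "The Kubernetes master API URL")
	fs.StringVar(&c.LogLevel, "log-level", envOr(getenv, "LOG_LEVEL", "info"), "The Logrus log level")
	if err := fs.Parse(args); err != nil {
		// Unknown flags and -h/-help surface here instead of exiting the process.
		return Config{}, err
	}
	return c, nil
}

func main() {
	c, err := ResolveConfig(os.Args[1:], os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%+v\n", c)
}
```

Running with `AWSREGION=eu-west-1` in the environment and `-region us-east-1` on the command line yields `us-east-1`; with only the environment variable set it yields `eu-west-1`; with neither it yields the table default `us-west-2`.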
Given an AWS SSM parameter `my-db-password` with the value `foobar`, create a Secret carrying the annotations below:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  annotations:
    aws-ssm/k8s-secret-name: my-secret
    aws-ssm/aws-param-name: my-db-password
    aws-ssm/aws-param-type: SecureString
data: {}
```
Run the binary. A key with the name `$ParameterType` should have been added to your Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  annotations:
    aws-ssm/k8s-secret-name: my-secret
    aws-ssm/aws-param-name: my-db-password
    aws-ssm/aws-param-type: SecureString
data:
  SecureString: Zm9vYmFyCg==
```
| Annotation | Description | Default |
|------------|-------------|---------|
| `aws-ssm/k8s-secret-name` | The name of the Kubernetes Secret to modify. | |
| `aws-ssm/aws-param-name` | The name of the AWS SSM Parameter. May be a path. | |
| `aws-ssm/aws-param-type` | Determines how values are parsed, if at all. | `String` |
| `aws-ssm/aws-param-key` | Required if `aws-ssm/aws-param-type` is `SecureString` | `alias/aws/ssm` |
Values for `aws-ssm/aws-param-type` are:

| Value | Behavior | AWS Value | K8S Value(s) |
|-------|----------|-----------|--------------|
| `String` | No parsing is performed | `foo` = `bar` | `foo: bar` |
| `SecureString` | Requires `aws-param-key` | `foo` = `bar` | `foo: bar` |
| `StringList` | Splits CSV mapping | `foo=bar,bar=baz,baz=bat` | `foo: bar`, `bar: baz`, `baz: bat` |
| `Directory` | Get multiple values | `/path/to/values` | |
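The two tables above (the annotations and the `aws-ssm/aws-param-type` values) together with the `my-db-password` walkthrough describe how a Secret's annotations are turned into a parameter lookup and how the fetched value is split into Secret data keys. The following is an added example that is not the project's code: `ParseAnnotations`, `ParamSpec`, `ParseValue` and `EncodeData` are assumed names, the key name used for `String`/`SecureString` is passed in by the caller (the walkthrough uses the type name), `Directory` is recognised but not resolved since that needs an SSM path listing, and data keys are checked against the character set Kubernetes accepts for Secret keys so a malformed `StringList` cannot produce an unusable Secret.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Annotation keys from the annotation table above.
const (
	annSecretName = "aws-ssm/k8s-secret-name"
	annParamName  = "aws-ssm/aws-param-name"
	annParamType  = "aws-ssm/aws-param-type"
	annParamKey   = "aws-ssm/aws-param-key"
)

// ParamSpec is what a controller needs to know before it calls SSM (assumed type).
type ParamSpec struct {
	SecretName, ParamName, ParamType string
	KMSKey                           string // only meaningful for SecureString
}

// ParseAnnotations applies the defaults and requirements of the annotation table:
// secret name and parameter name are mandatory, the type defaults to String, and a
// SecureString gets alias/aws/ssm as its KMS key when none is given.
func ParseAnnotations(ann map[string]string) (ParamSpec, error) {
	spec := ParamSpec{
		SecretName: ann[annSecretName], ParamName: ann[annParamName],
		ParamType: ann[annParamType], KMSKey: ann[annParamKey],
	}
	if spec.SecretName == "" || spec.ParamName == "" {
		return ParamSpec{}, fmt.Errorf("%s and %s are required", annSecretName, annParamName)
	}
	if spec.ParamType == "" {
		spec.ParamType = "String"
	}
	switch spec.ParamType {
	case "String", "StringList", "Directory": // no extra requirements
	case "SecureString":
		if spec.KMSKey == "" {
			spec.KMSKey = "alias/aws/ssm"
		}
	default:
		return ParamSpec{}, fmt.Errorf("unknown %s %q", annParamType, spec.ParamType)
	}
	return spec, nil
}

// secretKeyRE is the character set Kubernetes allows in Secret data keys.
var secretKeyRE = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// ParseValue maps a raw SSM value to Secret data keys per the type table:
// String/SecureString store the whole value under keyName, StringList splits
// "k=v,k=v" into one key per pair. Directory is out of scope here.
func ParseValue(paramType, keyName, value string) (map[string][]byte, error) {
	data := map[string][]byte{}
	switch paramType {
	case "String", "SecureString":
		data[keyName] = []byte(value)
	case "StringList":
		for _, pair := range strings.Split(value, ",") {
			k, v, ok := strings.Cut(pair, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("malformed StringList entry %q", pair)
			}
			data[k] = []byte(v)
		}
	default:
		return nil, fmt.Errorf("unsupported type %q", paramType)
	}
	for k := range data {
		if !secretKeyRE.MatchString(k) {
			return nil, fmt.Errorf("invalid Secret data key %q", k)
		}
	}
	return data, nil
}

// EncodeData renders the map as it appears under `data:` in a Secret manifest
// (each value base64-encoded, as in the walkthrough's Zm9vYmFyCg==).
func EncodeData(data map[string][]byte) map[string]string {
	out := make(map[string]string, len(data))
	for k, v := range data {
		out[k] = base64.StdEncoding.EncodeToString(v)
	}
	return out
}

func main() {
	// The README walkthrough: my-db-password holds "foobar\n" as a SecureString.
	spec, err := ParseAnnotations(map[string]string{
		annSecretName: "my-secret", annParamName: "my-db-password", annParamType: "SecureString"})
	if err != nil {
		panic(err)
	}
	data, err := ParseValue(spec.ParamType, spec.ParamType, "foobar\n")
	if err != nil {
		panic(err)
	}
	fmt.Printf("secret=%s param=%s kms=%s data=%v\n", spec.SecretName, spec.ParamName, spec.KMSKey, EncodeData(data))
}
```

With the walkthrough's annotations the spec resolves to the `alias/aws/ssm` key and the encoded data map contains `SecureString: Zm9vYmFyCg==`, matching the Secret shown above; a `StringList` value of `foo=bar,bar=baz,baz=bat` yields the three keys from the table, and an entry without `=` is rejected rather than silently dropped.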
```
make            # Build binary
make container  # Build Docker image
make push       # Push Docker image
```
For ease of use, the `ca-certificates` package is installed on the final `library/alpine` image. If you're having SSL/TLS connection issues, `export HOST_SSL_DIR=/etc/ssl/certs` before running `make install`. This will mount the SSL cert directory on the EC2 instance.