cmattoon/aws-ssm
Updates Kubernetes Secrets with values from AWS Parameter Store
- For example usage, see example.yaml
- Use the Helm chart to get up and running quickly
Build Options
- Helm Chart (recommended): make {lint|install|purge}
- Go: make test && make build
- Docker: make container
Helm Chart
Install Helm Chart
First, export required variables, then run make install. This will result in your $KUBE_CONFIG being loaded as

    export AWS_REGION=<region>
    export AWS_SECRET_KEY=<secret>
    export AWS_ACCESS_KEY=<access-key-id>

AWS User/Role
The AWS credentials should be associated with an IAM user/role that has the following permissions:
Values
| Value | Default | Example | Description |
| --- | --- | --- | --- |
| aws_region | | us-west-2 | The AWS region in which the Pod is deployed |
| kubeconfig64 | | | The output of `$(cat $KUBE_CONFIG \| |
| metrics_port | 9999 | | Serve metrics/healthchecks on this port |
| replicas | 1 | | The number of Pods |
| image.name | cmattoon/aws-ssm | / | The Docker image to use for the Pod container |
| image.tag | latest | | The Docker tag for the image |
| resources | {} | | Kubernetes Resource Requests/Limits |
Docker Container
Build
Run make container to build the Docker image
Configuration
The following app config values can be provided via environment variables or CLI flags.
CLI flags take precedence over environment variables.
A KUBE_CONFIG and MASTER_URL are only necessary when running outside of the cluster (e.g., dev)
| Environment | Flag | Default | Description |
| --- | --- | --- | --- |
| AWS_REGION | -region | us-west-2 | The AWS Region |
| METRICS_URL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics |
| KUBE_CONFIG | -kube-config | | The path to the kube config file |
| MASTER_URL | -master-url | | The Kubernetes master API URL |
MVP Working (go binary)
- Create Parameter in AWS Parameter Store

    my_value = foobar

- Create Kubernetes Secret with Annotations

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
      annotations:
        "alpha.ssm.cmattoon.com/k8s-secret-name": my-secret
        "alpha.ssm.cmattoon.com/aws-param-name": my_value
        "alpha.ssm.cmattoon.com/aws-param-type": SecureString
        "alpha.ssm.cmattoon.com/aws-param-key": "alias/aws/ssm"
    data: {}

- Run Binary
- A key with the name $ParameterType should have been added to your Secret

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
      annotations:
        "alpha.ssm.cmattoon.com/k8s-secret-name": my-secret
        "alpha.ssm.cmattoon.com/aws-param-name": my_value
        "alpha.ssm.cmattoon.com/aws-param-type": SecureString
        "alpha.ssm.cmattoon.com/aws-param-key": "alias/aws/ssm"
    data:
      SecureString: foobar
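
The steps above, modeled as an added Go example (not the project's own code): a map stands in for Parameter Store, and the value lands in the Secret under a key named after the parameter type. The `Param`, `Secret` and `Sync` names are hypothetical, and the handling of missing annotations, unknown parameters and type mismatches is an assumption, since the README does not document it.

```go
package main

import "fmt"

// Annotation prefix taken from the README's example Secret.
const prefix = "alpha.ssm.cmattoon.com/"

// Param is a hypothetical stand-in for one Parameter Store entry.
type Param struct{ Type, Value string }

// Secret holds only the fields this sketch needs (hypothetical type).
type Secret struct {
	Name        string
	Annotations map[string]string
	Data        map[string][]byte
}

// Sync copies the annotated parameter into s.Data under a key named after
// the parameter type. On any error the Secret is left untouched (assumed).
func Sync(s *Secret, store map[string]Param) error {
	name := s.Annotations[prefix+"aws-param-name"]
	typ := s.Annotations[prefix+"aws-param-type"]
	if name == "" || typ == "" {
		return fmt.Errorf("secret %q: aws-param-name and aws-param-type are required", s.Name)
	}
	p, ok := store[name]
	if !ok {
		return fmt.Errorf("secret %q: parameter %q not found", s.Name, name)
	}
	if p.Type != typ {
		return fmt.Errorf("secret %q: parameter %q is %s, annotation says %s", s.Name, name, p.Type, typ)
	}
	if s.Data == nil {
		s.Data = map[string][]byte{}
	}
	s.Data[typ] = []byte(p.Value)
	return nil
}

func main() {
	// Constructed sample data mirroring the README's my_value = foobar.
	store := map[string]Param{"my_value": {Type: "SecureString", Value: "foobar"}}
	s := &Secret{Name: "my-secret", Annotations: map[string]string{
		prefix + "aws-param-name": "my_value",
		prefix + "aws-param-type": "SecureString",
	}}
	err := Sync(s, store)
	fmt.Println(err, string(s.Data["SecureString"]))
}
```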
Build
make
make container