alexei-led
/ Markdium-Shell.sh
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl create secret generic db-credentials -n default --from-literal=user=dbuser --from-literal=password=quick.fox.5312 |
alexei-led
/ Markdium-YAML.yaml
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: db-credentials | |
| type: Opaque | |
| data: | |
| password: cXVpY2suZm94LjUzMTI= | |
| user: ZGJ1c2Vy |
alexei-led
/ Markdium-YAML.yaml
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: printenv-job | |
| spec: | |
| template: | |
| spec: | |
| restartPolicy: Never | |
| serviceAccountName: iam-secrets-manager-ro | |
| initContainers: |
alexei-led
/ Markdium-Shell.sh
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # environment variable referencing AWS Systems Manager Parameter Store secret | |
| MY_API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key | |
| # environment variable passed to a child process, as resolved by `secrets-init` | |
| MY_API_KEY=key-123456789 |
alexei-led
/ Markdium-Shell.sh
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # environment variable referencing Google Secret Manager secret (without version) | |
| MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword | |
| # OR versioned secret (with numeric version or 'latest') | |
| MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword/versions/2 | |
| # environment variable passed to a child process, as resolved by `secrets-init` | |
| MY_DB_PASSWORD=very-secret-password |
alexei-led
/ Markdium-Dockerfile.dockerfile
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM node:alpine | |
| # download secrets-init binary | |
| ENV SECRETS_INIT_VERSION=v0.2.1 | |
| ENV SECRETS_INIT_URL=https://github.com/doitintl/secrets-init/releases/download/v0.2.1/secrets-init_Linux_amd64.tar.gz | |
| ENV SECRETS_INIT_SHA256=a2849460c650e9e7a29d9d0764e2b5fc679961e6667ad1c4416210fa791be29f | |
| RUN mkdir -p /opt/secrets-init && cd /opt/secrets-init \ | |
| && wget -qO secrets-init.tar.gz "$SECRETS_INIT_URL" \ | |
| && echo "$SECRETS_INIT_SHA256 secrets-init.tar.gz" | sha256sum -c - \ | |
| && tar -xzvf secrets-init.tar.gz \ |
alexei-led
/ Markdium-Shell.sh
Created
December 26, 2019 12:59
Markdium-Kubernetes and Secrets Management in Cloud
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl create -f db-credentials.yaml |
alexei-led
/ Markdium-Shell.sh
Created
February 17, 2020 09:02
Markdium-Securely Access AWS from GKE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWS_ROLE_ARN=$(aws iam get-role --role-name ${ROLE_NAME} --query Role.Arn --output text) |
alexei-led
/ Markdium-Shell.sh
Created
February 17, 2020 09:02
Markdium-Securely Access AWS from GKE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gcloud iam service-accounts add-iam-policy-binding \ | |
| --role roles/iam.workloadIdentityUser \ | |
| --role roles/iam.serviceAccountTokenCreator \ | |
| --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]" \ | |
| ${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com |
alexei-led
/ Markdium-YAML.yaml
Created
February 17, 2020 09:02
Markdium-Securely Access AWS from GKE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [...] | |
| args: | |
| [...] | |
| - --tls-cert-file=/etc/webhook/certs/cert.pem | |
| - --tls-private-key-file=/etc/webhook/certs/key.pem | |
| volumeMounts: | |
| - name: webhook-certs | |
| mountPath: /etc/webhook/certs | |
| readOnly: true | |
| [...] |