kubectl create secret generic db-credentials -n default --from-literal=user=dbuser --from-literal=password=quick.fox.5312
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  password: cXVpY2suZm94LjUzMTI=
  user: ZGJ1c2Vy
apiVersion: batch/v1
kind: Job
metadata:
  name: printenv-job
spec:
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: iam-secrets-manager-ro
      initContainers:
# environment variable referencing AWS Systems Manager Parameter Store secret
MY_API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key
# environment variable passed to a child process, as resolved by `secrets-init`
MY_API_KEY=key-123456789
# environment variable referencing Google Secret Manager secret (without version)
MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword
# OR versioned secret (with numeric version or 'latest')
MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword/versions/2
# environment variable passed to a child process, as resolved by `secrets-init`
MY_DB_PASSWORD=very-secret-password
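The two snippets above (the AWS SSM Parameter Store ARN form and the Google Secret Manager `gcp:secretmanager:` form, with and without a version) show the reference syntax that `secrets-init` rewrites before handing the environment to the child process. The following resolver is an added illustration of that convention, not code from secrets-init or from DoiT: it parses both reference formats, looks them up in constructed in-memory stores that stand in for the cloud APIs, and leaves every other variable untouched. The store contents, the sample region and account id, the `resolve_*` function names, and the rule that a missing or `latest` version selects the highest numeric version are all assumptions of this example.

```python
import re

# Constructed in-memory stand-ins for AWS SSM Parameter Store and Google
# Secret Manager (assumption: the real secrets-init calls the cloud APIs).
SSM_PARAMETERS = {
    "/api/key": "key-123456789",
}
GCP_SECRETS = {
    # (project, secret name) -> {version: payload}
    ("my-project", "mydbpassword"): {"1": "old-password", "2": "very-secret-password"},
}

# arn:aws:ssm:<region>:<account>:parameter/<name>
SSM_ARN = re.compile(
    r"^arn:aws:ssm:(?P<region>[^:]*):(?P<account>[^:]*):parameter(?P<name>/.+)$"
)
# gcp:secretmanager:projects/<project>/secrets/<secret>[/versions/<version>]
GCP_REF = re.compile(
    r"^gcp:secretmanager:projects/(?P<project>[^/]+)/secrets/(?P<secret>[^/]+)"
    r"(?:/versions/(?P<version>[^/]+))?$"
)


def resolve_ssm(ref):
    """Return the parameter value for an SSM ARN, or None if ref is not one."""
    m = SSM_ARN.match(ref)
    if m is None:
        return None
    name = m.group("name")
    if name not in SSM_PARAMETERS:
        raise KeyError(f"SSM parameter not found: {name}")
    return SSM_PARAMETERS[name]


def resolve_gcp(ref):
    """Return the payload for a gcp:secretmanager reference, or None.

    A missing version or an explicit 'latest' selects the highest numeric
    version (assumption made for this in-memory store).
    """
    m = GCP_REF.match(ref)
    if m is None:
        return None
    key = (m.group("project"), m.group("secret"))
    if key not in GCP_SECRETS:
        raise KeyError(f"secret {key[1]} not found in project {key[0]}")
    versions = GCP_SECRETS[key]
    version = m.group("version") or "latest"
    if version == "latest":
        version = max(versions, key=int)
    if version not in versions:
        raise KeyError(f"version {version} of {key[1]} not found")
    return versions[version]


def resolve_env(env):
    """Return a copy of env with secret references replaced by secret values.

    Values that match neither reference syntax pass through unchanged, which
    is how secrets-init leaves ordinary variables alone.
    """
    resolved = {}
    for name, value in env.items():
        secret = resolve_ssm(value)
        if secret is None:
            secret = resolve_gcp(value)
        resolved[name] = value if secret is None else secret
    return resolved


if __name__ == "__main__":
    # Demo only: a real init process would exec the child with this
    # environment rather than print it (constructed sample input).
    child_env = resolve_env({
        "MY_API_KEY": "arn:aws:ssm:us-east-1:123456789012:parameter/api/key",
        "MY_DB_PASSWORD": "gcp:secretmanager:projects/my-project/secrets/mydbpassword",
        "HOME": "/root",
    })
    for name, value in sorted(child_env.items()):
        print(f"{name}={value}")
```

The resolver distinguishes "not a reference" (returns `None`, value passed through) from "a reference that does not resolve" (raises), so a typo in an ARN fails the container start instead of silently handing the child the unresolved string.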
FROM node:alpine

# download secrets-init binary and verify its checksum before unpacking
ENV SECRETS_INIT_VERSION=v0.2.1
ENV SECRETS_INIT_URL=https://github.com/doitintl/secrets-init/releases/download/v0.2.1/secrets-init_Linux_amd64.tar.gz
ENV SECRETS_INIT_SHA256=a2849460c650e9e7a29d9d0764e2b5fc679961e6667ad1c4416210fa791be29f
RUN mkdir -p /opt/secrets-init && cd /opt/secrets-init \
    && wget -qO secrets-init.tar.gz "$SECRETS_INIT_URL" \
    # sha256sum -c expects "<hash>  <file>" (two spaces) on its input line
    && echo "$SECRETS_INIT_SHA256  secrets-init.tar.gz" | sha256sum -c - \
    && tar -xzvf secrets-init.tar.gz \
kubectl create -f db-credentials.yaml
AWS_ROLE_ARN=$(aws iam get-role --role-name "${ROLE_NAME}" --query Role.Arn --output text)
# add-iam-policy-binding takes a single --role per call (a repeated flag keeps
# only the last value), so bind the two roles with one invocation each
for ROLE in roles/iam.workloadIdentityUser roles/iam.serviceAccountTokenCreator; do
  gcloud iam service-accounts add-iam-policy-binding \
    --role "${ROLE}" \
    --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]" \
    "${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
done
[...]
        args:
          [...]
          - --tls-cert-file=/etc/webhook/certs/cert.pem
          - --tls-private-key-file=/etc/webhook/certs/key.pem
        volumeMounts:
          - name: webhook-certs
            mountPath: /etc/webhook/certs
            readOnly: true
[...]