Alexei Ledenev alexei-led

## Markdium-YAML.yaml
[...]
      service:
        name: secrets-init-webhook-svc
        namespace: default
        path: "/pods"
      caBundle: ${CA_BUNDLE}
[...]

## Markdium-Shell.sh
# create a cluster role
kubectl create -f deployment/clusterrole.yaml
# define a cluster role binding
kubectl create -f deployment/clusterrolebinding.yaml

## Markdium-Shell.sh
# environment variable passed to `secrets-init`
API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key

# environment variable passed to child process, resolved by `secrets-init`
API_KEY=key-123456789

## Markdium-Shell.sh
# environment variable passed to `secrets-init`
DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password
# OR versioned secret (with version or 'latest')
DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password/versions/2

# environment variable passed to child process, resolved by `secrets-init`
DB_PASSWORD=very-secret-password

## Markdium-YAML.yaml
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*"
        }
    ]
}

## Markdium-YAML.yaml
[...]
      args:
      [...]
      - --tls-cert-file=/etc/webhook/certs/cert.pem
      - --tls-private-key-file=/etc/webhook/certs/key.pem
      volumeMounts:
      - name: webhook-certs
        mountPath: /etc/webhook/certs
        readOnly: true
[...]

## Dockerfile
FROM "<bases image>":"<version>"

WORKDIR "<path>"

# install packages required to run app and tests
RUN apt-get update && apt-get install -y \
    "<app runtime> and <dependencies>" \  # add app runtime and required packages
    "<test tools> and <dependencies>" \     # add testing tools and required packages
    && rm -rf /var/lib/apt/lists/*

## Markdium-Shell.sh
kubectl create -f deployment/mutatingwebhook-bundle.yaml

## Markdium-Shell.sh
kubectl create serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}

## Markdium-Shell.sh
kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
  amazonaws.com/role-arn=${AWS_ROLE_ARN}
	[...]
	service:
	name: secrets-init-webhook-svc
	namespace: default
	path: "/pods"
	caBundle: ${CA_BUNDLE}
	[...]
	# create a cluster role
	kubectl create -f deployment/clusterrole.yaml
	# define a cluster role binding
	kubectl create -f deployment/clusterrolebinding.yaml
	# environment variable passed to `secrets-init`
	API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key

	# environment variable passed to child process, resolved by `secrets-init`
	API_KEY=key-123456789
	# environment variable passed to `secrets-init`
	DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password
	# OR versioned secret (with version or 'latest')
	DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password/versions/2

	# environment variable passed to child process, resolved by `secrets-init`
	DB_PASSWORD=very-secret-password
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": "ssm:GetParameter",
	"Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*"
	}
	]
	}
	[...]
	args:
	[...]
	- --tls-cert-file=/etc/webhook/certs/cert.pem
	- --tls-private-key-file=/etc/webhook/certs/key.pem
	volumeMounts:
	- name: webhook-certs
	mountPath: /etc/webhook/certs
	readOnly: true
	[...]
	FROM "<bases image>":"<version>"

	WORKDIR "<path>"

	# install packages required to run app and tests
	RUN apt-get update && apt-get install -y \
	"<app runtime> and <dependencies>" \ # add app runtime and required packages
	"<test tools> and <dependencies>" \ # add testing tools and required packages
	&& rm -rf /var/lib/apt/lists/*
	kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
	amazonaws.com/role-arn=${AWS_ROLE_ARN}