Alexei Ledenev alexei-led

## Markdium-Shell.sh
# create a cluster role
kubectl create -f deployment/clusterrole.yaml
# define a cluster role binding
kubectl create -f deployment/clusterrolebinding.yaml

## Markdium-Shell.sh
# environment variable passed to `secrets-init`
API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key

# environment variable passed to child process, resolved by `secrets-init`
API_KEY=key-123456789

## Markdium-Shell.sh
# environment variable passed to `secrets-init`
DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password
# OR versioned secret (with version or 'latest')
DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password/versions/2

# environment variable passed to child process, resolved by `secrets-init`
DB_PASSWORD=very-secret-password

## Markdium-YAML.yaml
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*"
        }
    ]
}

## Markdium-YAML.yaml
[...]
      args:
      [...]
      - --tls-cert-file=/etc/webhook/certs/cert.pem
      - --tls-private-key-file=/etc/webhook/certs/key.pem
      volumeMounts:
      - name: webhook-certs
        mountPath: /etc/webhook/certs
        readOnly: true
[...]

## Markdium-Shell.sh
kubectl create -f deployment/mutatingwebhook-bundle.yaml

## Markdium-Shell.sh
kubectl create serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}

## Markdium-Shell.sh
kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
  amazonaws.com/role-arn=${AWS_ROLE_ARN}

## Markdium-Shell.sh
kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
  iam.gke.io/gcp-service-account=${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com

## Markdium-Shell.sh
cat ./deployment/mutatingwebhook.yaml | ./deployment/webhook-patch-ca-bundle.sh > ./deployment/mutatingwebhook-bundle.yaml
	# create a cluster role
	kubectl create -f deployment/clusterrole.yaml
	# define a cluster role binding
	kubectl create -f deployment/clusterrolebinding.yaml
	# environment variable passed to `secrets-init`
	API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key

	# environment variable passed to child process, resolved by `secrets-init`
	API_KEY=key-123456789
	# environment variable passed to `secrets-init`
	DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password
	# OR versioned secret (with version or 'latest')
	DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/db/password/versions/2

	# environment variable passed to child process, resolved by `secrets-init`
	DB_PASSWORD=very-secret-password
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": "ssm:GetParameter",
	"Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*"
	}
	]
	}
	[...]
	args:
	[...]
	- --tls-cert-file=/etc/webhook/certs/cert.pem
	- --tls-private-key-file=/etc/webhook/certs/key.pem
	volumeMounts:
	- name: webhook-certs
	mountPath: /etc/webhook/certs
	readOnly: true
	[...]
	kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
	amazonaws.com/role-arn=${AWS_ROLE_ARN}
	kubectl annotate serviceaccount --namespace ${K8S_NAMESPACE} ${KSA_NAME}
	iam.gke.io/gcp-service-account=${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com