Created
August 6, 2020 16:48
-
-
Save clok/a810114a454beee90d5134e9c8c533e8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .nh | |
| .TH gwsm 8 | |
| .SH NAME | |
| .PP | |
| gwsm \- interact with config map and secret manager variables | |
| .SH SYNOPSIS | |
| .PP | |
| gwsm | |
| .PP | |
| \fBUsage\fP: | |
| .PP | |
| .RS | |
| .nf | |
| gwsm [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...] | |
| .fi | |
| .RE | |
| .SH COMMANDS | |
| .SH version, v | |
| .PP | |
| Print version info | |
| .SH s3 | |
| .PP | |
| simple S3 commands | |
| .SS get | |
| .PP | |
| [object path] [destination path] | |
| .PP | |
| .RS | |
| .nf | |
| The '[object path]' MUST always start with 's3://' | |
| The '[destination path]' direcotry MUST exists, but file will be created or overwritten | |
| Example: | |
| $ gwsm s3 get s3://coll\-bucket\-name/with/path/filename /tmp/filename | |
| .fi | |
| .RE | |
| .SH secretsmanager, sm | |
| .PP | |
| Secrets Manager commands | |
| .PP | |
| \fB\-\-binary, \-b\fP: get the SecretBinary value | |
| .SS list | |
| .PP | |
| display table of all secrets with meta data | |
| .SS describe | |
| .PP | |
| print description of secret to STDOUT | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Specific Secret to describe, will bypass select/search | |
| .SS get, view | |
| .PP | |
| select from list or pass in specific secret | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Specific Secret to view, will bypass select/search | |
| .SS edit, e | |
| .PP | |
| interactive edit of a secret String Value | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Specific Secret to edit, will bypass select/search | |
| .SS create, c | |
| .PP | |
| create new secret in Secrets Manager | |
| .PP | |
| \fB\-\-description, \-\-desc\fP="": Additional description text. | |
| .PP | |
| \fB\-\-interactive, \-i\fP: Open interactive editor to create secret value. | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Secret name | |
| .PP | |
| \fB\-\-tags\fP="": key=value tags (CSV list) | |
| .PP | |
| \fB\-\-value, \-v\fP="": Secret Value. Will store as a string, unless binary flag is set. | |
| .SS put | |
| .PP | |
| non\-interactive update to a specific secret | |
| .PP | |
| \fB\-\-description, \-\-desc\fP="": Additional description text. | |
| .PP | |
| \fB\-\-interactive, \-i\fP: Open interactive editor to create secret value. | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Secret name | |
| .PP | |
| \fB\-\-tags\fP="": key=value tags (CSV list) | |
| .PP | |
| \fB\-\-value, \-v\fP="": Secret Value. Will store as a string, unless binary flag is set. | |
| .SS delete, del | |
| .PP | |
| delete a specific secret | |
| .PP | |
| \fB\-\-force, \-f\fP: Bypass recovery window (30 days) and immediately delete Secret. | |
| .PP | |
| \fB\-\-secret\-id, \-s\fP="": Specific Secret to delete | |
| .SH local, l | |
| .PP | |
| Interact with local env files | |
| .SS view, v | |
| .PP | |
| View values based on local settings | |
| .PP | |
| .RS | |
| .nf | |
| View the current environment variables for a given ConfigMap and summon secrets.yml. | |
| This will retrieve the stored secrets within AWS Secrets Manager and map them via | |
| the secrets.yml file used by the 'summon' CLI tool to generate the current state of | |
| Environment Variables for a given stage. | |
| The AWS Secrets Manager names are assumed to be stored as '<SECRETS\_GROUP>\_NAME' | |
| in the ConfigMap. Example: 'RDS\_SECRET\_NAME: rds/staging/service\-yolo' | |
| From the root of the service, the required files are typically found below: | |
| The path to the configmap.yaml file is within the kubernetes deployment. | |
| This is typically .kube/<stage>/05\-configmap.yaml | |
| The path to the secrets.yml is typically .docker/secrets.yaml | |
| The 'filter\-prefix' flag will exclude any values that start with the flagged prefixes from display. | |
| The 'exclude' flag will exclude any values where the KEY matches exactly from display. | |
| .fi | |
| .RE | |
| .PP | |
| \fB\-\-configmap, \-c\fP="": Path to configmap.yaml | |
| .PP | |
| \fB\-\-secret\-suffix\fP="": Suffix used to find ENV variables that denote the Secret Manager Secrets to lookup (default: \_NAME) | |
| .PP | |
| \fB\-\-secrets, \-s\fP="": Path to secrets.yml (default: .docker/secrets.yml) | |
| .SS ansible, legacy, a | |
| .PP | |
| View value from ansible\-vault encrypted Kube Secret file. | |
| .PP | |
| .RS | |
| .nf | |
| View a legacy ansible\-vault encrypted Kubenetes Secret file. This will output the contents of | |
| the 'data.<accsessor flag>' block. This defaults to 'data..env'. | |
| Supported ansible\-vault encryption version: $ANSIBLE\_VAULT;1.1;AES256 | |
| Example file structure of decrypted file: | |
| \-\-\- | |
| apiVersion: v1 | |
| kind: Secret | |
| type: Opaque | |
| data: | |
| .env: <BASE64 ENCODED STRING> | |
| .fi | |
| .RE | |
| .PP | |
| \fB\-\-accessor, \-a\fP="": Accessor key to pull data out of Data block. (default: .env) | |
| .PP | |
| \fB\-\-encrypted\-env\-file, \-e\fP="": Path to encrypted Kube Secret file | |
| .PP | |
| \fB\-\-vault\-password\-file\fP="": vault password file \fB\fCVAULT\_PASSWORD\_FILE\fR | |
| .SH namespace, ns | |
| .PP | |
| Interact with env on a running Pod within a Namespace | |
| .SS view, v | |
| .PP | |
| View values configured withing a namespace | |
| .PP | |
| .RS | |
| .nf | |
| View the current environment for a specific process running within a Pod in a given Namespace. | |
| This is achieved by inspecting the /proc/<PID>/environ for the given process. This method uses | |
| '/bin/bash \-c' as the base command to perform the PID inspection via 'ps faux'. | |
| The 'filter\-prefix' flag will exclude any values that start with the flagged prefixes from display. | |
| The 'exclude' flag will exclude any values where the KEY matches exactly from display. | |
| .fi | |
| .RE | |
| .PP | |
| \fB\-\-cmd\fP="": Command to inspect (default: node) | |
| .PP | |
| \fB\-\-exclude\fP="": List (csv) of specific env vars to exclude values from display. Set to "" to remove any exclusions. (default: PATH,SHLVL,HOSTNAME) | |
| .PP | |
| \fB\-\-filter\-prefix, \-f\fP="": List of prefixes (csv) used to filter values from display. Set to "" to remove any filters. (default: npm\fI,KUBERNETES\fP,API\_PORT) | |
| .PP | |
| \fB\-\-namespace, \-n\fP="": Kube Namespace list Pods from | |
| .SH diff, d | |
| .PP | |
| View diff of local vs. namespace | |
| .PP | |
| .RS | |
| .nf | |
| View the diff of the local environment against a given command running on a pod within a namespace. | |
| This will retrieve the stored secrets within AWS Secrets Manager and map them via | |
| the secrets.yml file used by the 'summon' CLI tool to generate the current state of | |
| Environment Variables for a given stage. | |
| The AWS Secrets Manager names are assumed to be stored as '<SECRETS\_GROUP>\_NAME' | |
| in the ConfigMap. Example: 'RDS\_SECRET\_NAME: rds/staging/service\-yolo' | |
| From the root of the service, the required files are typically found below: | |
| The path to the configmap.yaml file is within the kubernetes deployment. | |
| This is typically .kube/<stage>/05\-configmap.yaml | |
| The path to the secrets.yml is typically .docker/secrets.yaml | |
| It will then grab current environment for a specific process running within a Pod in a given Namespace. | |
| This is achieved by inspecting the /proc/<PID>/environ for the given process. This method uses | |
| '/bin/bash \-c' as the base command to perform the PID inspection via 'ps faux'. | |
| The 'filter\-prefix' flag will exclude any values that start with the flagged prefixes from display. | |
| The 'exclude' flag will exclude any values where the KEY matches exactly from display. | |
| .fi | |
| .RE | |
| .PP | |
| \fB\-\-cmd\fP="": Command to inspect (default: node) | |
| .PP | |
| \fB\-\-configmap, \-c\fP="": Path to configmap.yaml | |
| .PP | |
| \fB\-\-exclude\fP="": List (csv) of specific env vars to exclude values from display. Set to "" to remove any exclusions. (default: PATH,SHLVL,HOSTNAME) | |
| .PP | |
| \fB\-\-filter\-prefix, \-f\fP="": List of prefixes (csv) used to filter values from display. Set to "" to remove any filters. (default: npm\fI,KUBERNETES\fP,API\_PORT) | |
| .PP | |
| \fB\-\-namespace, \-n\fP="": Kube Namespace list Pods from | |
| .PP | |
| \fB\-\-secret\-suffix\fP="": Suffix used to find ENV variables that denote the Secret Manager Secrets to lookup (default: \_NAME) | |
| .PP | |
| \fB\-\-secrets, \-s\fP="": Path to secrets.yml (default: .docker/secrets.yml) | |
| .SH diff:legacy, diff:ansible | |
| .PP | |
| View diff of local (ansible encrypted) vs. namespace | |
| .PP | |
| .RS | |
| .nf | |
| View the diff of the local ansible\-vault encrypted Kubenetes Secret file against a given dotenv | |
| file on a pod within a namespace. | |
| The local file will use the contents of the 'data.<accsessor flag>' block. This defaults to 'data..env'. | |
| Supported ansible\-vault encryption version: $ANSIBLE\_VAULT;1.1;AES256 | |
| Example file structure of decrypted file: | |
| \-\-\- | |
| apiVersion: v1 | |
| kind: Secret | |
| type: Opaque | |
| data: | |
| .env: <BASE64 ENCODED STRING> | |
| It will then grab contents of the dotenv filr on a Pod in a given Namespace. | |
| This defaults to inspecting the '$PWD/.env on' when executing a 'cat' command. This method uses | |
| '/bin/bash \-c' as the base command to perform inspection. | |
| .fi | |
| .RE | |
| .PP | |
| \fB\-\-accessor, \-a\fP="": Accessor key to pull data out of Data block. (default: .env) | |
| .PP | |
| \fB\-\-dotenv\fP="": Path to .env file on Pod (default: $PWD/.env) | |
| .PP | |
| \fB\-\-encrypted\-env\-file, \-e\fP="": Path to encrypted Kube Secret file | |
| .PP | |
| \fB\-\-namespace, \-n\fP="": Kube Namespace list Pods from | |
| .PP | |
| \fB\-\-vault\-password\-file\fP="": vault password file \fB\fCVAULT\_PASSWORD\_FILE\fR | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment