# kube2iam DaemonSet in kube-system (one pod per node). The page rendering
# flattened the indentation; read the keys as metadata.{name,namespace,
# labels.app} and spec.template.metadata. The preview stops at
# spec.template.metadata, so the pod spec (image, host networking, any
# elevated privileges the agent needs) is not visible here.
# NOTE(review): extensions/v1beta1 is a deprecated API group for DaemonSet
# (removed in Kubernetes 1.16); apps/v1 is the supported replacement and also
# requires an explicit spec.selector — confirm against the target cluster.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube2iam
namespace: kube-system
labels:
app: kube2iam
spec:
template:
metadata:
---
# Deployment for the example workload that consumes the KMS-encrypted
# environment variables (2 replicas, namespace default). Indentation was
# flattened by the rendering: metadata.{name,namespace,labels.app} and
# spec.replicas. The pod template — where the encrypted values and the
# kube2iam role annotation would appear — is past the preview.
# NOTE(review): extensions/v1beta1 is a deprecated API group for Deployment
# (removed in Kubernetes 1.16); apps/v1 is the supported replacement and also
# requires an explicit spec.selector — confirm against the target cluster.
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: kube-kms-example
namespace: default
labels:
app: kube-kms-example
spec:
replicas: 2
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::{AccountId}:role/k8s/*"
}
# Image for the example app: Alpine base plus the shush binary, which is
# presumably used at container start to decrypt the KMS_ENCRYPTED_* values.
# NOTE(review): alpine:3.5 is pinned by tag rather than digest, and that
# release is past end-of-life, so rebuilds will not pick up package security
# fixes — move to a supported tag and pin the digest.
FROM alpine:3.5
# bash and curl are only needed for the download below; the apk cache is
# cleared in the same layer so it does not persist in the image.
RUN apk add --update bash curl && rm -rf /var/cache/apk/*
# Install shush
# A fixed release (v1.3.0) is fetched over HTTPS, but nothing verifies what
# was downloaded before it is made executable. NOTE(review): without `-f`,
# curl also writes an HTTP error page to the target path and exits 0. Pin the
# expected digest and check it in the same RUN, e.g.
#   echo '<expected-sha256>  /usr/local/bin/shush' | sha256sum -c -
RUN curl -sL -o /usr/local/bin/shush \
https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
&& chmod +x /usr/local/bin/shush
# Add a user so that we're not running our executables as root.
# (The preview ends here; the adduser/USER instructions this comment
# introduces are not visible.)
# KMS ciphertext for the four application secrets; the names line up with
# the plaintext DB_PASSWORD / DB_USER / API_KEY / SERVICE_PASSWORD keys
# elsewhere in this gist. The values are opaque base64 blobs, presumably
# produced by shush against the CloudFormation-managed key.
# They remain safe to commit only while kms:Decrypt on that key is limited to
# the workload's IAM role — any principal allowed to call Decrypt with the key
# recovers the plaintext. The variable names themselves still disclose which
# secrets the service holds.
KMS_ENCRYPTED_DB_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHd4xDeWtNSGUWMyqOf7h6cAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7tDQv7h73zQftY5tAgEQgCTlI1uXcgBrNdvsBoXb2ytkkya+VJRHl2zZWMW5qzheJ2YKeSg="
KMS_ENCRYPTED_DB_USER: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHrz68itBGQ6jgbmK6HgzDRAAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJj0q65b8KZo4sRY6AgEQgB7cksi/tq9lmyQtBh4uK6HfmyoMHIMm+a72gu4o8Qo="
KMS_ENCRYPTED_API_KEY: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAFobUiYON7DRYoe3ZtSC5nNAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMSsYpPDJvAnRITyNsAgEQgCREj7SdmKYG7gX+JOMJfYG4ILnujd0ZLfXYrJcxrTy4XTCkTzU="
KMS_ENCRYPTED_SERVICE_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAElX/reSqpDqhuY1RgYaQ72AAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMy8al1te4FCu+pdEjAgEQgCNlNfdZamx7R5cHhX6uQSFRCsaIx58lN2bA97wQlhtRAQYPuw=="
#!/bin/bash
# Helper that takes a plaintext secrets file and a KMS key alias; the part
# that encrypts the file's contents (presumably with shush) is past the
# preview.
# NOTE(review): the script does not `set -euo pipefail`, so a failed download
# below does not stop execution and whatever follows runs with a missing or
# stale binary — confirm once the full script is in view.
file_location=$1  # path to the plaintext secrets file
kms_key=$2        # KMS key alias used for encryption
# display_usage is defined here; the argument-count check that calls it is
# not in the visible part of the script.
display_usage() {
echo "Usage: $0 <file-with-secrets> <kms-key-alias>"
exit 1
}
# Same unverified download as the Dockerfile in this gist: fixed release,
# HTTPS, but no checksum check before the binary is made executable. Without
# `-f`, curl also saves an HTTP error page under this name and exits 0.
# NOTE(review): verify a pinned digest before the chmod, e.g.
#   echo '<expected-sha256>  /usr/local/bin/shush' | sha256sum -c -
curl -sL -o /usr/local/bin/shush \
https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
&& chmod +x /usr/local/bin/shush
# CloudFormation template for the KMS key that protects the example app's
# environment variables. Indentation was flattened by the rendering; read it
# as Resources.Key.{Type, Properties.{Description, KeyPolicy.{Version, Id}}}.
# NOTE(review): AWSTemplateFormatVersion and KeyPolicy.Version are unquoted
# date-like scalars. CloudFormation accepts them, but generic YAML tooling
# (yamllint, PyYAML) reads 2012-10-17 as a date; quoting them ("2012-10-17")
# keeps the template portable across linters and pre-processors.
AWSTemplateFormatVersion: 2010-09-09
Resources:
# KMS Key which we'll be using to encrypt our environment variables
Key:
Type: AWS::KMS::Key
Properties:
Description: kube-kms-example application secrets key
KeyPolicy:
Version: 2012-10-17
# The policy statements are past the preview. The Id suggests the usual
# account-root grant; whether kms:Decrypt is narrowed to the IAM role that
# kube2iam hands to the example pod cannot be checked from here.
Id: allow-root-access-to-key
# Plaintext inputs for the encryption step (the values are constructed
# examples). The KMS_ENCRYPTED_* names elsewhere in this gist line up with
# these keys, so this file is presumably what the encryption script reads.
# It is the sensitive artefact in the set: keep it out of version control and
# container images; only the ciphertext form is meant to be committed.
DB_PASSWORD=foobar123
DB_USER=foo
API_KEY=12345abcd
SERVICE_PASSWORD=bbaabb45
apiVersion: v1
kind: Pod
metadata:
  name: container-with-secrets
spec:
  containers:
  - name: container-with-secrets
  image: redis
  env:
  - name: SECRET_PASSWORD