@yokawasa
Last active October 17, 2021 09:59
secretize - SecretGenerator plugin for external secret services

Quickstart

Build secretize binary

git clone https://github.com/bbl/secretize
cd secretize
# build secretize binary named secretize
make

Install secretize

export XDG_CONFIG_HOME=~/.config
export SECRETIZE_DIR="$XDG_CONFIG_HOME/kustomize/plugin/secretize/v1/secretgenerator"
mkdir -p "$SECRETIZE_DIR"
# copy the binary into the plugin dir under the name kustomize looks for (SecretGenerator)
cp secretize "$SECRETIZE_DIR/SecretGenerator"

Test secretize

External secret service to use: AWS Secrets Manager

First, add the following secret named mySecret in AWS Secrets Manager:

# secret name: mySecret
{
  "secret_key_1": "secret_value_1",
  "secret_key_2": "secret_value_2"
}

Then, create a manifest file named secretize.yaml like the one below; it tells the aws-sm provider to fetch the secret string of mySecret:

cat << EOF > secretize.yaml
apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: aws-sm-secrets
sources:
    - provider: aws-sm
      kv:
        - mySecret
EOF

Also create the kustomization file that references it as a generator:

cat << EOF > kustomization.yaml
generators:
  - secretize.yaml
EOF

Finally, build the manifest like this:

kustomize build --enable-alpha-plugins .

NOTICE

Don't forget to add the --enable-alpha-plugins option when running kustomize build, otherwise you'll see the following error message:

Error: loading generator plugins: external plugins disabled; unable to load external plugin 'SecretGenerator'

You'll see that the following Secret is generated:

apiVersion: v1
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=
kind: Secret
metadata:
  name: aws-sm-secrets
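
To illustrate what the plugin does with a kv source, here is an added Go example (not secretize's own code): an in-memory map stands in for the AWS Secrets Manager lookup, the secret string is required to be a flat JSON object of strings (an assumption that matches the output above), and the result is rendered as the Secret kustomize printed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
)

// FakeSM is a constructed in-memory stand-in for AWS Secrets Manager holding
// the mySecret value from the Gist, so the example runs offline.
var FakeSM = map[string]string{"mySecret": `{"secret_key_1":"secret_value_1","secret_key_2":"secret_value_2"}`}

// ResolveKV looks up each named secret in store (standing in for the provider
// call), requires its value to be a flat JSON object of strings (the "kv"
// source), and merges them into one base64-encoded data map as a Kubernetes
// Secret expects. A missing secret or a malformed/nested value is an error.
func ResolveKV(store map[string]string, names []string) (map[string]string, error) {
	data := map[string]string{}
	for _, n := range names {
		raw, ok := store[n]
		if !ok {
			return nil, fmt.Errorf("secret %q not found", n)
		}
		var kv map[string]string
		if err := json.Unmarshal([]byte(raw), &kv); err != nil {
			return nil, fmt.Errorf("secret %q is not a flat JSON string map: %w", n, err)
		}
		for k, v := range kv {
			data[k] = base64.StdEncoding.EncodeToString([]byte(v))
		}
	}
	return data, nil
}

// RenderSecret emits the Secret in the shape kustomize printed in the Gist,
// with keys sorted so repeated builds give byte-identical output.
func RenderSecret(name string, data map[string]string) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := "apiVersion: v1\ndata:\n"
	for _, k := range keys {
		out += fmt.Sprintf("  %s: %s\n", k, data[k])
	}
	return out + "kind: Secret\nmetadata:\n  name: " + name + "\n"
}
```

Calling ResolveKV(FakeSM, []string{"mySecret"}) and then RenderSecret("aws-sm-secrets", data) reproduces the manifest above, including the same base64 values.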

NOTICE

When accessing AWS resources, don't forget to export the environment variables the AWS CLI/SDK uses to authenticate and select a region:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_REGION

For example, you might set the region like this before running kustomize:

export AWS_REGION=ap-northeast-1

See also https://docs.aws.amazon.com/ja_jp/sdk-for-go/v1/developer-guide/configuring-sdk.html

REFERENCES
