Build the secretize binary
git clone https://github.com/bbl/secretize
cd secretize
# build secretize binary named secretize
make
export XDG_CONFIG_HOME=~/.config
export SECRETIZE_DIR="$XDG_CONFIG_HOME/kustomize/plugin/secretize/v1/secretgenerator"
mkdir -p "$SECRETIZE_DIR"
# copy the binary to the plugin dir as SecretGenerator
cp secretize "$SECRETIZE_DIR/SecretGenerator"
External secret service to use: AWS Secrets Manager
First, add the following secret named mySecret in AWS Secrets Manager
# secret name: mySecret
{
"secret_key_1": "secret_value_1",
"secret_key_2": "secret_value_2"
}
Then, create the manifest file named secretize.yaml like this, so that the aws-sm provider queries AWS Secrets Manager for the mySecret string value
cat << EOF > secretize.yaml
apiVersion: secretize/v1
kind: SecretGenerator
metadata:
name: aws-sm-secrets
sources:
- provider: aws-sm
kv:
- mySecret
EOF
Also create the kustomization file
cat << EOF > kustomization.yaml
generators:
- secretize.yaml
EOF
Finally build the manifest like this:
kustomize build --enable-alpha-plugins .
NOTICE
Don't forget to add the --enable-alpha-plugins option when running kustomize build; otherwise you'll see the following error message:
Error: loading generator plugins: external plugins disabled; unable to load external plugin 'SecretGenerator'
You'll see the following secret is generated:
apiVersion: v1
data:
secret_key_1: c2VjcmV0X3ZhbHVlXzE=
secret_key_2: c2VjcmV0X3ZhbHVlXzI=
kind: Secret
metadata:
name: aws-sm-secrets
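As an added example that is not part of secretize or of the original post, the following POSIX shell script shows two checks worth having around this procedure: computing the exec-plugin path kustomize derives from a generator manifest's apiVersion and kind (so the copy step above can be verified rather than typed by hand), and decoding the base64 data fields of the rendered Secret to confirm the values came from the expected entry. The manifest and the rendered Secret are constructed inline from the ones shown above; the function names are my own.

```shell
#!/bin/sh
# Added example (not secretize's own code, not from the original post).
# Assumes the kustomize exec-plugin layout under XDG_CONFIG_HOME:
#   $XDG_CONFIG_HOME/kustomize/plugin/<apiVersion>/<lowercased kind>/<Kind>
# and a rendered Secret whose data: block holds "key: base64" lines.

# Compute the path kustomize expects for the generator described by a manifest.
plugin_path_for() {
    manifest="$1"
    api_version=$(sed -n 's/^apiVersion:[[:space:]]*//p' "$manifest" | head -n 1)
    kind=$(sed -n 's/^kind:[[:space:]]*//p' "$manifest" | head -n 1)
    lower_kind=$(printf '%s' "$kind" | tr '[:upper:]' '[:lower:]')
    printf '%s/kustomize/plugin/%s/%s/%s\n' \
        "${XDG_CONFIG_HOME:-$HOME/.config}" "$api_version" "$lower_kind" "$kind"
}

# Return 0 if the plugin binary for a manifest is present and executable.
# A missing or non-executable file is a different failure from the
# "external plugins disabled" error you get without --enable-alpha-plugins.
plugin_installed() {
    [ -x "$(plugin_path_for "$1")" ]
}

# Decode the base64 values of a rendered Secret so they can be compared
# with what was stored in the external secret service.
decode_secret_data() {
    awk '/^data:/ { in_data = 1; next }
         /^[^[:space:]]/ { in_data = 0 }
         in_data && NF == 2 { print $1, $2 }' "$1" |
    while read -r key b64; do
        printf '%s=%s\n' "${key%:}" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# Constructed sample input mirroring the manifest and output shown above.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_MANIFEST="$SAMPLE_DIR/secretize.yaml"
SAMPLE_SECRET="$SAMPLE_DIR/rendered-secret.yaml"

cat > "$SAMPLE_MANIFEST" <<'EOF'
apiVersion: secretize/v1
kind: SecretGenerator
metadata:
  name: aws-sm-secrets
sources:
  - provider: aws-sm
    kv:
      - mySecret
EOF

cat > "$SAMPLE_SECRET" <<'EOF'
apiVersion: v1
data:
  secret_key_1: c2VjcmV0X3ZhbHVlXzE=
  secret_key_2: c2VjcmV0X3ZhbHVlXzI=
kind: Secret
metadata:
  name: aws-sm-secrets
EOF

echo "kustomize will look for the plugin at: $(plugin_path_for "$SAMPLE_MANIFEST")"
if plugin_installed "$SAMPLE_MANIFEST"; then
    echo "plugin binary is installed"
else
    echo "plugin binary is missing or not executable"
fi
echo "decoded Secret data:"
decode_secret_data "$SAMPLE_SECRET"
```

The data: values are only base64-encoded, not encrypted, so the rendered output contains the plaintext of mySecret and deserves the same handling as the secret itself: pipe kustomize build into kubectl apply rather than committing or logging its output.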
NOTICE
When accessing AWS resources, don't forget to export the environment variables the AWS CLI/SDK needs to reach them:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_REGION
For example, set the region like this before running kustomize:
export AWS_REGION=ap-northeast-1
See also https://docs.aws.amazon.com/ja_jp/sdk-for-go/v1/developer-guide/configuring-sdk.html