updated some docs and added external secrets
vallard committed Jul 8, 2022
1 parent 2e2ee78 commit 4d9405d
Showing 4 changed files with 77 additions and 19 deletions.
4 changes: 3 additions & 1 deletion 02/terraform/iam/iam.tf
Expand Up @@ -341,6 +341,8 @@ resource "aws_iam_role" "eks_node_group" {
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/SecretsManagerReadWrite",
aws_iam_policy.EKSClusterAutoscaling.arn
]
}
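Review bot: Attaching the AWS-managed `SecretsManagerReadWrite` policy to the `eks_node_group` role grants every node, and therefore every pod that can reach the node's instance-metadata credentials, read and write access to all secrets in the account, far more than the External Secrets operator needs to read `sample-app-secret`. Prefer a dedicated IAM role for the external-secrets service account (IRSA) with a customer-managed policy limited to `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on that secret's ARN, and leave the node role as it was. The trailing comma added to the `AmazonEC2ContainerRegistryReadOnly` line is a correct fix; the previous list was missing it.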
72 changes: 55 additions & 17 deletions app-api/app-api.yaml
Expand Up @@ -5,24 +5,62 @@ metadata:
data:
K8S_DB_HOST: mariadb
K8S_DB_PORT: "3306"
K8S_DB_DATABASE: vanilla
MYSQL_DATABASE: vanilla

---
# you should never store your secrets in code even if they are base64 encoded.
# I recommend using external-secrets operator with AWS secrets manager
apiVersion: v1
data:
K8S_DB_USERNAME: YWRtaW4=
K8S_DB_PASSWORD: MWYyZDFlMmU2N2Rm
MYSQL_USER: YWRtaW4=
MYSQL_ROOT_PASSWORD: MWYyZDFlMmU2N2Rm
MYSQL_PASSWORD: MWYyZDFlMmU2N2Rm

kind: Secret
metadata:
name: k8s-sample-db-secrets
type: Opaque
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: my-aws-secrets
spec:
provider:
aws:
service: SecretsManager
region: us-west-2
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: k8s-sample-db-secrets
spec:
refreshInterval: "0"
secretStoreRef:
name: my-aws-secrets
kind: SecretStore
target:
name: k8s-sample-db-secrets
creationPolicy: Owner
data:
- remoteRef:
key: sample-app-secret
property: SLACK_TOKEN
secretKey: SLACK_TOKEN
- remoteRef:
key: sample-app-secret
property: K8S_DB_USERNAME
secretKey: K8S_DB_USERNAME
- remoteRef:
key: sample-app-secret
property: K8S_DB_PASSWORD
secretKey: K8S_DB_PASSWORD
- remoteRef:
key: sample-app-secret
property: MYSQL_USER
secretKey: MYSQL_USER
- remoteRef:
key: sample-app-secret
property: MYSQL_ROOT_PASSWORD
secretKey: MYSQL_ROOT_PASSWORD
- remoteRef:
key: sample-app-secret
property: MYSQL_PASSWORD
secretKey: MYSQL_PASSWORD
- remoteRef:
key: sample-app-secret
property: K8S_DB_DATABASE
secretKey: K8S_DB_DATABASE
- remoteRef:
key: sample-app-secret
property: MYSQL_DATABASE
secretKey: MYSQL_DATABASE
---
apiVersion: apps/v1
kind: Deployment
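Review bot: `refreshInterval: "0"` disables periodic reconciliation, so the `k8s-sample-db-secrets` Secret is created once and a value rotated in Secrets Manager never reaches the cluster; use a real interval (for example `1h`) unless one-shot sync is intended. The `SecretStore` has no `auth` block, so the operator authenticates with whatever credentials its pod inherits from the node, which is why this commit also widens the node role in `02/terraform/iam/iam.tf`; an `auth.jwt.serviceAccountRef` pointing at an IRSA-backed service account keeps that permission on the operator alone. Also, the base64 values removed here (`YWRtaW4=`, `MWYyZDFlMmU2N2Rm`) remain in git history and are trivially decodable, so the database credentials and root password should be rotated rather than only moved into Secrets Manager.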
2 changes: 1 addition & 1 deletion app-api/app/lib/slack.py
Expand Up @@ -7,7 +7,7 @@
class SlackClient:
def __init__(self):
self.slack_token = os.environ.get("SLACK_TOKEN")
self.default_channel = os.environ.get("SLACK_DEFAULT_CHANNEL")
self.default_channel = os.environ.get("SLACK_CHANNEL")

def post_message(self, text, channel=None, blocks=None):
headers = {
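Review bot: Renaming the environment variable from `SLACK_DEFAULT_CHANNEL` to `SLACK_CHANNEL` needs a matching change in the Deployment's `env`/`envFrom` in `app-api/app-api.yaml`, which this diff does not show; otherwise `self.default_channel` silently becomes `None` and `post_message` only fails at send time. Consider `os.environ["SLACK_CHANNEL"]` (or an explicit check) for `SLACK_TOKEN` and the channel so a misconfigured pod fails at startup instead.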
18 changes: 18 additions & 0 deletions m02/README.md
Expand Up @@ -15,3 +15,21 @@ Modify the DNS name to match the Load Balancer
```
kubectl apply -f cert-manager/prod-issuer.yaml
```


## External Secrets

We will also need external secrets to store our passwords for our application.

This includes database permissions, slack APIs, etc. The cost to store this in AWS Secrets manager is $0.40/month.


```
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
external-secrets/external-secrets \
-n kube-system \
--create-namespace \
--set installCRDs=true
```
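Review bot: `-n kube-system --create-namespace` is a no-op because `kube-system` always exists; install the operator into its own namespace (for example `external-secrets`) so its RBAC and controllers are not mixed in with cluster components. The README should also state how the operator authenticates to Secrets Manager, since this commit relies on the widened node role from `02/terraform/iam/iam.tf` rather than a per-service-account role, and the `$0.40/month` figure is per secret, with API calls billed separately.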

0 comments on commit 4d9405d