From 4d9405d6267c18e795f3e89f93c4ee9a4ebd45e1 Mon Sep 17 00:00:00 2001
From: vallard
Date: Fri, 8 Jul 2022 12:03:40 -0700
Subject: [PATCH] updated some docs and added external secrets
---
 02/terraform/iam/iam.tf | 4 ++-
 app-api/app-api.yaml | 72 ++++++++++++++++++++++++++++++----------
 app-api/app/lib/slack.py | 2 +-
 m02/README.md | 18 ++++++++++
 4 files changed, 77 insertions(+), 19 deletions(-)
diff --git a/02/terraform/iam/iam.tf b/02/terraform/iam/iam.tf
index 455dac2..41ddbec 100644
--- a/02/terraform/iam/iam.tf
+++ b/02/terraform/iam/iam.tf
@@ -341,6 +341,8 @@ resource "aws_iam_role" "eks_node_group" {
 managed_policy_arns = [
 "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
 "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ "arn:aws:iam::aws:policy/SecretsManagerReadWrite",
+ aws_iam_policy.EKSClusterAutoscaling.arn
 ]
 }
diff --git a/app-api/app-api.yaml b/app-api/app-api.yaml
index dca8cd1..4e67ed5 100644
--- a/app-api/app-api.yaml
+++ b/app-api/app-api.yaml
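Review bot: Attaching `arn:aws:iam::aws:policy/SecretsManagerReadWrite` to the `eks_node_group` role gives every pod scheduled on those nodes (anything that can reach the instance metadata credentials) read and write access to every secret in the account, while the SecretStore added in app-api.yaml only needs to read one secret. Scope this down: define a policy allowing `secretsmanager:GetSecretValue` (plus `secretsmanager:DescribeSecret` if the operator needs it) on the `sample-app-secret` ARN only, and attach it to the external-secrets service account through IRSA rather than to the node role, so node-level credentials keep only the worker, CNI and ECR read permissions they had before. `aws_iam_policy.EKSClusterAutoscaling` is defined outside this hunk, so I cannot tell whether it is similarly scoped. The `resource "aws_iam_role" "eks_node_group"` block begins before this hunk.
```hcl
resource "aws_iam_policy" "external_secrets_read" {
  name = "ExternalSecretsRead"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
      # <ACCOUNT_ID> is a placeholder; "-*" matches the random suffix Secrets Manager appends to secret ARNs
      Resource = "arn:aws:secretsmanager:us-west-2:<ACCOUNT_ID>:secret:sample-app-secret-*"
    }]
  })
}
# attach external_secrets_read to an IRSA role for the external-secrets service account
# (OIDC trust policy not shown); the node role keeps only its original policies plus autoscaling:
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    aws_iam_policy.EKSClusterAutoscaling.arn
  ]
```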
@@ -5,24 +5,62 @@ metadata:
 data:
 K8S_DB_HOST: mariadb
 K8S_DB_PORT: "3306"
- K8S_DB_DATABASE: vanilla
- MYSQL_DATABASE: vanilla
-
 ---
-# you should never store your secrets in code even if they are base64 encoded.
-# I recommend using external-secrets operator with AWS secrets manager
-apiVersion: v1
-data:
- K8S_DB_USERNAME: YWRtaW4=
- K8S_DB_PASSWORD: MWYyZDFlMmU2N2Rm
- MYSQL_USER: YWRtaW4=
- MYSQL_ROOT_PASSWORD: MWYyZDFlMmU2N2Rm
- MYSQL_PASSWORD: MWYyZDFlMmU2N2Rm
-
-kind: Secret
-metadata:
- name: k8s-sample-db-secrets
-type: Opaque
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: my-aws-secrets
+spec:
+ provider:
+ aws:
+ service: SecretsManager
+ region: us-west-2
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: k8s-sample-db-secrets
+spec:
+ refreshInterval: "0"
+ secretStoreRef:
+ name: my-aws-secrets
+ kind: SecretStore
+ target:
+ name: k8s-sample-db-secrets
+ creationPolicy: Owner
+ data:
+ - remoteRef:
+ key: sample-app-secret
+ property: SLACK_TOKEN
+ secretKey: SLACK_TOKEN
+ - remoteRef:
+ key: sample-app-secret
+ property: K8S_DB_USERNAME
+ secretKey: K8S_DB_USERNAME
+ - remoteRef:
+ key: sample-app-secret
+ property: K8S_DB_PASSWORD
+ secretKey: K8S_DB_PASSWORD
+ - remoteRef:
+ key: sample-app-secret
+ property: MYSQL_USER
+ secretKey: MYSQL_USER
+ - remoteRef:
+ key: sample-app-secret
+ property: MYSQL_ROOT_PASSWORD
+ secretKey: MYSQL_ROOT_PASSWORD
+ - remoteRef:
+ key: sample-app-secret
+ property: MYSQL_PASSWORD
+ secretKey: MYSQL_PASSWORD
+ - remoteRef:
+ key: sample-app-secret
+ property: K8S_DB_DATABASE
+ secretKey: K8S_DB_DATABASE
+ - remoteRef:
+ key: sample-app-secret
+ property: MYSQL_DATABASE
+ secretKey: MYSQL_DATABASE
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/app-api/app/lib/slack.py b/app-api/app/lib/slack.py
index 6546b2b..8d0919e 100755
--- a/app-api/app/lib/slack.py
+++ b/app-api/app/lib/slack.py
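Review bot: The new `SecretStore` has no `auth` block, so the external-secrets controller falls back to whatever credentials its pod can obtain — in practice the node instance role this commit widens in iam.tf — and `refreshInterval: "0"` on the `ExternalSecret` means, as I read the operator's semantics, that the values are fetched once and never re-synced, so a rotation in Secrets Manager will not reach the `k8s-sample-db-secrets` Secret. Add `spec.provider.aws.auth.jwt.serviceAccountRef` pointing at an IRSA-annotated service account and use a non-zero interval such as `refreshInterval: 1h`; the store/secret names and the `sample-app-secret` key otherwise look consistent. The removed Secret's base64 values (`YWRtaW4=`, `MWYyZDFlMmU2N2Rm`) stay in git history, so whatever they protected should be treated as exposed and the values placed in Secrets Manager should differ from them. The eight `remoteRef` entries all read the same `sample-app-secret` key and could be written more compactly with `dataFrom`/`extract`, though that is a style point.
```yaml
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          serviceAccountRef:
            name: <ESO_SERVICE_ACCOUNT>   # placeholder: IRSA-annotated SA, not the node role
# … unchanged: ExternalSecret metadata, secretStoreRef, target, data entries …
  refreshInterval: 1h
```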
@@ -7,7 +7,7 @@ class SlackClient:
 def __init__(self):
 self.slack_token = os.environ.get("SLACK_TOKEN")
- self.default_channel = os.environ.get("SLACK_DEFAULT_CHANNEL")
+ self.default_channel = os.environ.get("SLACK_CHANNEL")
 def post_message(self, text, channel=None, blocks=None):
 headers = {
diff --git a/m02/README.md b/m02/README.md
index df16a7d..78ab521 100644
--- a/m02/README.md
+++ b/m02/README.md
@@ -15,3 +15,21 @@ Modify the DNS name to match the Load Balancer
 ```
 kubectl apply -f cert-manager/prod-issuer.yaml
 ```
+
+
+## External Secrets
+
+We will also need external secrets to store our passwords for our application.
+
+This includes database permissions, slack APIs, etc. The cost to store this in AWS Secrets manager is $0.40/month.
+
+
+```
+helm repo add external-secrets https://charts.external-secrets.io
+
+helm install external-secrets \
+ external-secrets/external-secrets \
+ -n kube-system \
+ --create-namespace \
+ --set installCRDs=true
+```
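Review bot: Nothing else in this commit provides `SLACK_CHANNEL` — the `ExternalSecret` in app-api.yaml maps `SLACK_TOKEN` but no channel key, and the ConfigMap's visible data holds only `K8S_DB_HOST` and `K8S_DB_PORT` — so unless the Deployment (outside these hunks) sets it, `self.default_channel` silently becomes `None` and the problem only surfaces when `post_message` is called without a `channel`. Either add the key next to this rename, or report the misconfiguration at construction time, e.g. `if self.default_channel is None: raise RuntimeError("SLACK_CHANNEL is not set")` (or a logged warning if a default channel is genuinely optional); the same consideration applies to `self.slack_token` one line above. Any existing manifests that still set `SLACK_DEFAULT_CHANNEL` would break silently after this rename. `post_message` continues outside the hunk.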