external secrets

createIRSA-eksctl.sh

@@ -0,0 +1,54 @@
+##!/bin/bash
+CLUSTER_NAME="k8s-gitops-cluster"
+REGION=us-east-1
+SERVICE_ACCOUNT_NAMESPACE=sealed-secrets
+SERVICE_ACCOUNT_NAME=external-secrets
+SERVICE_ACCOUNT_IAM_ROLE=EKS-ExteranlSecrets-ServiceAccount-Role
+SERVICE_ACCOUNT_IAM_POLICY=EKS-SecretsManager-Policy
+
+#
+# Set up the permission policy 
+#
+cat <<EOF > PermissionPolicy.json
+{
+   "Version":"2012-10-17",
+   "Statement":[
+      {
+         "Effect":"Allow",
+         "Action":[
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret",
+            "ssm:GetParameters"
+         ],
+         "Resource":"*"
+      },
+      {
+         "Effect":"Allow",
+         "Action":[
+            "kms:Decrypt"
+         ],
+         "Resource":"*"
+      }
+   ]
+}
+EOF
+
+SERVICE_ACCOUNT_IAM_POLICY_ARN=$(aws iam create-policy --policy-name $SERVICE_ACCOUNT_IAM_POLICY \
+--policy-document file://PermissionPolicy.json \
+--query 'Policy.Arn' --output text)
+
+
+eksctl utils associate-iam-oidc-provider \
+--cluster=$CLUSTER_NAME \
+--approve
+
+eksctl create iamserviceaccount \
+--cluster=$CLUSTER_NAME \
+--region=$REGION \
+--name=$SERVICE_ACCOUNT_NAME \
+--namespace=$SERVICE_ACCOUNT_NAMESPACE \
+--role-name=$SERVICE_ACCOUNT_IAM_ROLE \
+--attach-policy-arn=$SERVICE_ACCOUNT_IAM_POLICY_ARN \
+--override-existing-serviceaccounts \
+--approve
+

crossplane/crossplane-provider-package.yaml

@@ -17,6 +17,13 @@ spec:
   - kind: Deployment
     name: sealed-secrets-controller
     namespace: sealed-secrets
+    #
+    # Note that the Provider lands on the cluster as a Deployment resources
+    # The name of the resource has a random suffix such as 'crossplane-provider-aws-45985ebe751d'
+    # This suffix depends on the provider revision and some string generated using some digest. 
+    # https://github.com/crossplane/crossplane/blob/c0de80c1ea2102b9569754d78bea292c46e62927/internal/controller/pkg/manager/revisioner.go#L67
+    # This suffix is not predictable a priori but it will be the same for the same provider name/version
+    #    
   - kind: Deployment
     name: crossplane-provider-aws-45985ebe751d
     namespace: crossplane-system

deploy/crossplane-aws-provider/aws-provider.yaml

@@ -4,4 +4,12 @@ kind: Provider
 metadata:
   name: crossplane-provider-aws
 spec:
-  package: "public.ecr.aws/awsvijisarathy/crossplane-provider-aws:v0.23.0"
+  package: "public.ecr.aws/awsvijisarathy/crossplane-provider-aws:v0.27.0"  
+  #
+  # Note that the Provider lands on the cluster as a Deployment resources
+  # The name of the resource has a random suffix such as 'crossplane-provider-aws-45985ebe751d'
+  # This suffix depends on the provider revision and some string generated using some digest. 
+  # https://github.com/crossplane/crossplane/blob/c0de80c1ea2102b9569754d78bea292c46e62927/internal/controller/pkg/manager/revisioner.go#L67
+  # This suffix is not predictable a priori but it will be the same for the same provider name/version
+  #
+

deploy/crossplane-aws-provider/sealed-secrets-controller.yaml

@@ -2,11 +2,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations: {}
   labels:
     name: sealed-secrets-service-proxier
   name: sealed-secrets-service-proxier
   namespace: sealed-secrets
 rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - sealed-secrets-controller
+  resources:
+  - services
+  verbs:
+  - get
 - apiGroups:
   - ""
   resourceNames:
@@ -21,6 +30,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations: {}
   labels:
     name: sealed-secrets-key-admin
   name: sealed-secrets-key-admin
@@ -34,84 +44,10 @@ rules:
   - create
   - list
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    name: sealed-secrets-controller
-  name: sealed-secrets-controller
-  namespace: sealed-secrets
-spec:
-  ports:
-  - port: 8080
-    targetPort: 8080
-  selector:
-    name: sealed-secrets-controller
-  type: ClusterIP
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    name: sealed-secrets-service-proxier
-  name: sealed-secrets-service-proxier
-  namespace: sealed-secrets
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: sealed-secrets-service-proxier
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:authenticated
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: sealedsecrets.bitnami.com
-spec:
-  group: bitnami.com
-  names:
-    kind: SealedSecret
-    listKind: SealedSecretList
-    plural: sealedsecrets
-    singular: sealedsecret
-  scope: Namespaced
-  versions:
-  - name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        properties:
-          spec:
-            type: object
-            x-kubernetes-preserve-unknown-fields: true
-          status:
-            x-kubernetes-preserve-unknown-fields: true
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    name: sealed-secrets-controller
-  name: sealed-secrets-controller
-  namespace: sealed-secrets
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: sealed-secrets-key-admin
-subjects:
-- kind: ServiceAccount
-  name: sealed-secrets-controller
-  namespace: sealed-secrets
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  annotations: {}
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
@@ -127,6 +63,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  annotations: {}
   labels:
     name: secrets-unsealer
   name: secrets-unsealer
@@ -151,6 +88,7 @@ rules:
   - secrets
   verbs:
   - get
+  - list
   - create
   - update
   - delete
@@ -165,6 +103,7 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  annotations: {}
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
@@ -173,6 +112,7 @@ metadata:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations: {}
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
@@ -200,7 +140,7 @@ spec:
         command:
         - controller
         env: []
-        image: quay.io/bitnami/sealed-secrets-controller:v0.16.0
+        image: docker.io/bitnami/sealed-secrets-controller:v0.17.5
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -232,3 +172,81 @@ spec:
       volumes:
       - emptyDir: {}
         name: tmp
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sealedsecrets.bitnami.com
+spec:
+  group: bitnami.com
+  names:
+    kind: SealedSecret
+    listKind: SealedSecretList
+    plural: sealedsecrets
+    singular: sealedsecret
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: sealed-secrets
+spec:
+  ports:
+  - port: 8080
+    targetPort: 8080
+  selector:
+    name: sealed-secrets-controller
+  type: ClusterIP
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-service-proxier
+  name: sealed-secrets-service-proxier
+  namespace: sealed-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sealed-secrets-service-proxier
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: sealed-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sealed-secrets-key-admin
+subjects:
+- kind: ServiceAccount
+  name: sealed-secrets-controller
+  namespace: sealed-secrets

deploy/crossplane-composition/crossplane-eks-composition.yaml

@@ -4,7 +4,7 @@ metadata:
   name: crossplane-eks-composition
 spec:
   ignoreCrossplaneConstraints: false
-  package: public.ecr.aws/awsvijisarathy/crossplane-eks-composition:7.0.0
+  package: public.ecr.aws/awsvijisarathy/crossplane-eks-composition:9.0.0
   packagePullPolicy: IfNotPresent
   revisionActivationPolicy: Automatic
   revisionHistoryLimit: 0

external-secret.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: aws-secrets-manager
+  namespace: sealed-secrets
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: us-east-1
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: external-secrets
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: sealed-secrets
+  namespace: sealed-secrets
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: aws-secrets-manager
+    kind: SecretStore
+  target:
+    name: sarathy-sealing-keys
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/tls
+      metadata:
+        labels:
+          sealedsecrets.bitnami.com/sealed-secrets-key: active
+  data:
+  - secretKey: tls.crt
+    remoteRef:
+      key: sealed-secrets-sealing-crt	
+  - secretKey: tls.key
+    remoteRef:
+      key: sealed-secrets-sealing-key