
Add prefix to External Secret

```bash
# Account ID and region, used in the ARNs below
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
REGION_CODE=$(aws configure get default.region --output text)
```
```bash
# Install External Secrets Operator (ESO) with Helm
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace
```
Create Secrets
```bash
# Secret that the ExternalSecret below will sync into the cluster
aws secretsmanager create-secret \
  --name project/test \
  --description "test" \
  --secret-string '{"username":"wlstmd","project":"dya"}'
```
```bash
# Least-privilege policy: read access to project/test* only
cat << EOF > policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:$REGION_CODE:$ACCOUNT_ID:secret:project/test*"
    }
  ]
}
EOF
```
```bash
aws iam create-policy \
  --policy-name ExternalSecretsPodPolicy \
  --policy-document file://policy.json
```
```bash
# Role trust policy, passed inline via process substitution.
# Note: the ServiceAccount below uses the eks.amazonaws.com/role-arn
# annotation (IRSA), and for that the trust policy must allow
# sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider;
# a trust on ec2.amazonaws.com only lets EC2 instances assume the role.
aws iam create-role \
  --role-name ExternalSecretsPodRole \
  --assume-role-policy-document file://<(cat <<EOP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOP
)
```
```bash
aws iam attach-role-policy \
  --role-name ExternalSecretsPodRole \
  --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/ExternalSecretsPodPolicy
```
```bash
# ServiceAccount bound to the IAM role via IRSA annotation
cat << EOF > sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-sa
  namespace: external-secrets
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT_ID:role/ExternalSecretsPodRole
EOF
```
```bash
kubectl apply -f sa.yaml
```
```bash
# ClusterSecretStore that authenticates to Secrets Manager with the SA token
cat << EOF > secretstore.yaml
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: aws-secretsmanager
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-northeast-2
      auth:
        jwt:
          serviceAccountRef:
            name: eso-sa
            namespace: external-secrets
EOF
```
```bash
kubectl apply -f secretstore.yaml
```
```bash
# Kyverno mutation: for every entry in spec.data, rewrite remoteRef.key
# to "prefix-<original key>" at admission time
cat << EOF > kyverno.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-prefix-to-externalsecret
spec:
  rules:
    - name: add-prefix-to-externalsecret-key
      match:
        resources:
          kinds:
            - external-secrets.io/v1/ExternalSecret
      mutate:
        foreach:
          - list: "request.object.spec.data"
            patchesJson6902: |-
              - op: replace
                path: /spec/data/{{elementIndex}}/remoteRef/key
                value: "prefix-{{element.remoteRef.key}}"
EOF
```
```bash
kubectl apply -f kyverno.yaml
```
```bash
# ExternalSecret whose remoteRef keys the Kyverno policy will prefix
cat << EOF > eso.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: test-secret
  namespace: external-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: ClusterSecretStore
  target:
    name: project-test
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: project/test
        property: username
    - secretKey: project
      remoteRef:
        key: project/test
        property: project
EOF
```
```bash
kubectl apply -f eso.yaml
```
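Added example, not part of the original post: it emulates what the Kyverno rule above does to the ExternalSecret from eso.yaml (one RFC 6902 `replace` per `spec.data` entry) and then checks the rewritten keys against the IAM policy's `Resource` pattern. The account ID is a constructed value and IAM wildcard matching is approximated with shell-style globbing.

```python
import copy
import fnmatch

# Constructed sample: the ExternalSecret from eso.yaml, reduced to the
# fields the policy touches, as the admission request would carry it.
EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "test-secret", "namespace": "external-secrets"},
    "spec": {
        "data": [
            {"secretKey": "username",
             "remoteRef": {"key": "project/test", "property": "username"}},
            {"secretKey": "project",
             "remoteRef": {"key": "project/test", "property": "project"}},
        ]
    },
}


def build_patches(obj, prefix="prefix-"):
    """Emulate the rule's foreach over spec.data: one 'replace' op per
    element, pointing at /spec/data/<elementIndex>/remoteRef/key."""
    patches = []
    for idx, element in enumerate(obj["spec"]["data"]):
        patches.append({
            "op": "replace",
            "path": f"/spec/data/{idx}/remoteRef/key",
            "value": f"{prefix}{element['remoteRef']['key']}",
        })
    return patches


def apply_patches(obj, patches):
    """Apply the generated 'replace' ops to a deep copy of the object."""
    out = copy.deepcopy(obj)
    for p in patches:
        parts = p["path"].lstrip("/").split("/")
        node = out
        for part in parts[:-1]:
            node = node[int(part)] if isinstance(node, list) else node[part]
        node[parts[-1]] = p["value"]
    return out


def keys_not_covered(obj, resource_arn):
    """Return remoteRef keys that fall outside the IAM Resource ARN's
    'secret:<name-pattern>' suffix (approximate IAM '*' with globbing)."""
    name_pattern = resource_arn.split(":secret:")[-1]
    return [d["remoteRef"]["key"] for d in obj["spec"]["data"]
            if not fnmatch.fnmatchcase(d["remoteRef"]["key"], name_pattern)]
```

With the values used on this page, the mutated key `prefix-project/test` no longer matches `project/test*`, so the Secrets Manager secret name and the IAM policy resource both need the same prefix for the sync to succeed.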