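# ServiceAccount whose token the `kubernetes` SecretStore below uses to push
# secrets. The Role is namespaced to `default`, the RoleBinding subject names
# `default`, and a SecretStore can only use a ServiceAccount in its own
# namespace -- so the account is pinned to `default` explicitly instead of
# silently landing in whatever namespace the kubectl context points at.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-store
  namespace: default
---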
# Namespaced Role for the store's ServiceAccount. It is scoped to `default`
# only, but inside that namespace it can read and overwrite *every* Secret,
# so keep it out of namespaces that hold unrelated secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eso-store-role
  namespace: default
rules:
  # Full read/write on Secrets: `get`/`create`/`update` are what a push needs;
  # `delete` is presumably for cleaning up pushed secrets on removal -- drop
  # it if the store is only ever read from (confirm against the provider).
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  # SelfSubjectRulesReview lets the provider check its own permissions when
  # validating the store; it grants no access to other objects.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectrulesreviews
    verbs:
      - create
---
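# Binds the namespaced Role to the store's ServiceAccount. A RoleBinding must
# live in the same namespace as the Role it references (`default` above), so
# the namespace is set explicitly rather than inherited from the kubectl
# context, which would otherwise make the binding silently fail to resolve.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-store
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: eso-store-role
subjects:
  - kind: ServiceAccount
    name: my-store
    namespace: default
---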
# Kubernetes-provider SecretStore: the push destination for the Workflow.
# Writes land in `remoteNamespace` on the API server at `server.url`, using
# the `my-store` ServiceAccount (which must exist in this store's namespace).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: kubernetes
spec:
  provider:
    kubernetes:
      remoteNamespace: default
      server:
        # NOTE(review): a localhost address with a high port looks like a
        # local/kind test cluster -- point this at the real API server when
        # deploying elsewhere.
        url: "https://localhost:44245"
        # Server TLS is verified against the cluster root CA published in the
        # kube-root-ca.crt ConfigMap; keep this rather than skipping
        # verification.
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
      auth:
        serviceAccount:
          name: "my-store"
---
# AWS SSM Parameter Store source for the Workflow's configuration values.
# No `auth` block is given, so the provider presumably falls back to the
# controller's own AWS credentials (e.g. IRSA or the node role) -- confirm
# that identity has read access to the parameters referenced below.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-parameterstore
spec:
  provider:
    aws:
      service: ParameterStore
      region: eu-central-1
---
# AWS Secrets Manager source for the Workflow's database credentials.
# Like the Parameter Store store, it carries no `auth` block, so the
# provider presumably uses the controller's own AWS identity -- confirm it
# is allowed to read the `app-creds` secret.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-central-1
---
# Workflow that pulls from two AWS stores, templates the values and pushes
# the result into the `kubernetes` SecretStore. Each workflow keeps its own
# output map that accumulates over its steps; later workflows reach earlier
# ones through `.workflows.<name>.data`.
apiVersion: external-secrets.io/v1alpha1
kind: Workflow
metadata:
  name: "backend-secrets-with-config"
spec:
  workflows:

    # 1. fetch the database credentials from AWS Secrets Manager
    - name: "db_credentials"
      # steps run in order; each sees the output of the ones before it
      steps:
        - name: "fetch-mysql-credentials"
          pull:
            source:
              storeRef:
                name: "aws-secrets-manager"
              # pull every key of the remote secret into the workflow data
              dataFrom:
                - extract:
                    key: "app-creds"
              # plus `color`, read from the secret's metadata rather than
              # its payload (metadataPolicy: Fetch)
              data:
                - secretKey: "color"
                  remoteRef:
                    metadataPolicy: Fetch
                    key: "app-creds"
                    property: "color"

        - name: "encode_db_credentials"
          template:
            data:
              color: "{{ .workflow.data.color }}"
              # `foo` and `baz` are expected to come from the `dataFrom`
              # extract above -- confirm the remote `app-creds` secret
              # actually carries those keys, or the URL renders with gaps.
              encodedAppCreds: "mysql://{{ .workflow.data.foo }}:{{ .workflow.data.baz }}@db.mycorp:3306/{{ .workflow.data.color }}"

    # 2. fetch the configuration from SSM
    - name: "ami_config"
      steps:
        - name: "fetch-config"
          pull:
            source:
              storeRef:
                name: "aws-parameterstore"
              data:
                - secretKey: "ami"
                  remoteRef:
                    key: "/aws/service/eks/optimized-ami/1.29/amazon-linux-2/recommended/image_id"

    # 3. aggregate the secrets
    - name: "aggregate"
      steps:
        - name: "aggregate-secrets"
          # reads the outputs of the two workflows above
          template:
            metadata:
              labels:
                # This copies a value pulled from the remote secret into a
                # label. Labels are plain metadata (listed, selectable, shown
                # by `describe`), so only non-sensitive values belong here;
                # `color` looks harmless, but keep real secret material in
                # `data`.
                color: "{{ .workflows.db_credentials.data.color }}"
            data:
              credentials: "{{ .workflows.db_credentials.data.encodedAppCreds }}"
              ami: "{{ .workflows.ami_config.data.ami }}"

        # A workflow always starts with an empty output map, so `push` can
        # only send keys that a preceding step in the same workflow produced
        # -- here `credentials` and `ami` from the template step above.
        - name: "push-secrets"
          push:
            destination:
              storeRef:
                name: "kubernetes"
            # TODO: support pushing to multiple stores with matchLabels
            # TODO: allow the Kubernetes provider (CSS) to push to multiple namespaces
            data:
              # TODO: support accessing previous workflow outputs directly
              - match:
                  secretKey: "credentials"
                  remoteRef:
                    remoteKey: "app-credentials"
                    property: "credentials"
              - match:
                  secretKey: "ami"
                  remoteRef:
                    remoteKey: "app-credentials"
                    property: "ami"