Reads secrets from AWS SecretsManager and writes to a file. Intended to be run as a kubernetes Init Container to create a secrets.properties file in a volume mount that is accessible to other containers in the pod.
Key | Required | Description | Example value |
---|---|---|---|
secret.name |
Yes | Friendly name of the AWS Secret | valws/lab.main.t.aor.valws.vaw2 |
region |
Yes | AWS Region where secrets are stored | us-east-1 |
secrets.filename |
Yes | The relative path and filename of the output file. | /secrets/secrets.properties |
is.local.run |
No | Whether this is a local run. Defaults to false |
true |
If is.local.run
is true
:
- /local/config/service.properties is used.
- local AWS credentials are used.
Variable | Required | Description | Example value |
---|---|---|---|
DOCKER_REPO |
Yes | The Docker repository to deploy the image to | testrepo |
Alternatively, this can be passed in to the maven command using the -D
option. For example:
mvn clean install -Denv.DOCKER_REPO=test
Run run.sh
This runs the Docker container.
- An IAM Role with permissions to access SecretsManager is required.
- AWS Secrets Agent is configured as an Init Container.
- AWS Secrets Agent mounts and writes to a volume that is also mounted by another container in the pod.
- AWS Secrets Agent mounts the config volume and location that matches ConfigMap.yaml.
In the example below, the following keys are used for AWS Secrets Agent:
spec.template.metadata.annotations.iam.amazonaws.com/role
spec.template.spec.initContainers
spec.template.spec.containers.<valws>.volumeMounts.<app-secrets>
spec.template.spec.volumes.<awssec-config>
spec.template.spec.volumes.<app-secrets>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: lab-main-t-aor-valws-vaw2
namespace: workflow
labels:
environmentShortName: lab
regionShortName: main
partitionShortName: t
serviceShortName: valws
clusterSuffix: vaw2
clusterTitle: lab-main-t-aor-valws-vaw2
spec:
replicas: 2
revisionHistoryLimit: 2
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
selector:
matchLabels:
clusterTitle: lab-main-t-aor-valws-vaw2
template:
metadata:
annotations:
iam.amazonaws.com/role: arn:aws:iam::0000000001:role/CustomerManaged-ValidationWebService
labels:
environmentShortName: lab
regionShortName: main
partitionShortName: t
serviceShortName: valws
clusterSuffix: vaw2
clusterTitle: lab-main-t-aor-valws-vaw2
spec:
initContainers:
- name: awssec
image: docker-lab.repo.com/awssec:0.0.3
volumeMounts:
- name: awssec-config
mountPath: /app/config
- name: app-secrets
mountPath: /app/secrets
containers:
- name: valws
image: docker-lab.repo.com/valws:2.0.8
imagePullPolicy: Always
ports:
- containerPort: 8080
name: service
resources:
requests:
cpu: 100m
memory: 2048Mi
limits:
cpu: 4000m
memory: 2048Mi
readinessProbe:
httpGet:
path: validation/management/alive
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 60
successThreshold: 1
failureThreshold: 30
livenessProbe:
httpGet:
path: validation/management/alive
port: 8080
initialDelaySeconds: 30
periodSeconds: 20
timeoutSeconds: 60
successThreshold: 1
failureThreshold: 3
volumeMounts:
- name: config
mountPath: /app/config
- name: app-secrets
mountPath: /app/secrets
volumes:
- name: config
configMap:
name: lab-main-t-aor-valws-vaw2
items:
- key: service-properties
path: service.properties
- key: env-properties
path: env.properties
- name: awssec-config
configMap:
name: lab-main-t-aor-valws-vaw2
items:
- key: awssec-properties
path: service.properties
- key: awssec-env-properties
path: env.properties
- name: app-secrets
emptyDir: {}
In the example below, the following keys are used for AWS Secrets Agent:
data.awssec-env-properties
data.awssec-properties
---
apiVersion: v1
kind: ConfigMap
metadata:
name: lab-main-t-aor-valws-vaw2
namespace: workflow
labels:
environmentShortName: lab
regionShortName: main
partitionShortName: t
serviceShortName: valws
clusterSuffix: vaw2
clusterTitle: lab-main-t-aor-valws-vaw2
data:
env-properties: |
ALIVE_MBEAN="application=ValidationService,name=aliveCheckConfiguration"
service-properties: |
ws.base.url=http://validation.test.corp.mycompany.com/validation/web
ws.instance.name=Test
awssec-env-properties: |
LOG_CONFIG=/app/monitors/logback-syslog.xml
LOG_LEVEL=INFO
awssec-properties: |
secret.name=valws/lab.main.t.aor.valws.vaw2
region=us-east-1
secrets.filename=/secrets/secrets.properties