This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Commit

Add support for configurable ExternalSecrets backendType (#157)
* add placeholder for ExternalSecret backendType

* Update README

* Update additional secret for profiles
soleares committed Jul 2, 2021
1 parent 06aa512 commit d4e8aba
Showing 13 changed files with 20 additions and 10 deletions.
6 changes: 6 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,13 @@ In addition, we need to grant each role limited access to secrets. We have chose
- Example ARN: `arn:aws:iam::123456789012:role/my-cluster_istio-system`
- Policy: [link](./docs/iam_policies/external-secrets_istio-system.json)

#### Backend types

There are two supported AWS backend types:
- [Secrets Manager](https://aws.amazon.com/secrets-manager/) is the default type set in [setup.conf](./examples/setup.conf).
- `<<__external_secrets.backend_type__>>=secretsManager`
- [System Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) can be used instead by updating the following placeholder value in [setup.conf](./examples/setup.conf) to `systemManager`.
- `<<__external_secrets.backend_type__>>=systemManager`
---
# AWS Users

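Review bot: The new section should say whether the per-namespace IAM policies linked just above (for example `./docs/iam_policies/external-secrets_istio-system.json`) also cover the Parameter Store backend. Switching `<<__external_secrets.backend_type__>>` to `systemManager` changes which AWS API the controller calls, so a role that is only granted Secrets Manager access will fail to fetch its secrets until its policy also allows the SSM parameter read actions; a sentence stating this, or updated policy files, belongs with this change. Minor: the linked AWS product is "Systems Manager" (Parameter Store), not "System Manager".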
2 changes: 1 addition & 1 deletion distribution/argocd/overlays/private-repo/secret.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: git-repo-secret
namespace: argocd
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.argocd__>>
data:
- key: <<__external_secret_name.git_repo.https_username__>>
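Review bot: Nothing validates the substituted value. If the placeholder is left unreplaced, or set to anything other than the two values the README documents, this ExternalSecret is only rejected at reconcile time inside the controller rather than when the manifests are rendered. Since the same placeholder now drives every ExternalSecret in the distribution, consider checking it against `secretsManager` / `systemManager` at the point where placeholders are substituted.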
Expand Up @@ -4,7 +4,7 @@ metadata:
name: auth-ingressgateway-certs
namespace: istio-system
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
template:
type: kubernetes.io/tls
roleArn: <<__role_arn.external_secrets.istio_system__>>
Expand Up @@ -4,7 +4,7 @@ metadata:
name: kubeflow-ingressgateway-certs
namespace: istio-system
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
template:
type: kubernetes.io/tls
roleArn: <<__role_arn.external_secrets.istio_system__>>
Expand Up @@ -4,7 +4,7 @@ metadata:
name: monitoring-ingressgateway-certs
namespace: istio-system
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
template:
type: kubernetes.io/tls
roleArn: <<__role_arn.external_secrets.istio_system__>>
2 changes: 1 addition & 1 deletion distribution/kubeflow/katib/rds-secret.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: katib-rds-secret
namespace: kubeflow
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.kubeflow__>>
data:
- key: <<__external_secret_name.kubeflow.rds_username__>>
Expand Up @@ -19,6 +19,8 @@ spec:
value: <<__external_secret_name.kubeflow.s3_secretkey__>>
- name: EXTERNAL_SECRET_ROLE_ARN
value: <<__role_arn.external_secrets.kubeflow__>>
- name: EXTERNAL_SECRET_BACKEND_TYPE
value: <<__external_secrets.backend_type__>>

# remove minio-related params
- $patch: delete
3 changes: 2 additions & 1 deletion distribution/kubeflow/pipelines/base/patches/sync_with_s3.py
Expand Up @@ -22,6 +22,7 @@
secret_name_s3_accesskey = os.environ.get("SECRET_NAME_S3_ACCESSKEY")
secret_name_s3_secretkey = os.environ.get("SECRET_NAME_S3_SECRETKEY")
external_secret_role_arn = os.environ.get("EXTERNAL_SECRET_ROLE_ARN")
external_secret_backend_type = os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE")


class Controller(BaseHTTPRequestHandler):
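Review bot: `os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE")` returns `None` when the variable is not injected (for example an overlay that does not carry the new env patch), and the controller would then emit `"backendType": null` in the generated ExternalSecret, a deployment that worked before with the hard-coded value. Either keep the previous behaviour as the default, `os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE", "secretsManager")`, or fail fast at startup when the value is unset or not one of the two documented backend types.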
Expand Down Expand Up @@ -226,7 +227,7 @@ def sync(self, parent, children):
"namespace": namespace,
},
"spec": {
"backendType": "secretsManager",
"backendType": external_secret_backend_type,
"roleArn": external_secret_role_arn,
"data": [
{
Expand Up @@ -4,7 +4,7 @@ metadata:
name: pipelines-rds-secret
namespace: kubeflow
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.kubeflow__>>
data:
- key: <<__external_secret_name.kubeflow.rds_username__>>
Expand Up @@ -4,7 +4,7 @@ metadata:
name: pipelines-s3-secret
namespace: kubeflow
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.kubeflow__>>
data:
- key: <<__external_secret_name.kubeflow.s3_accesskey__>>
2 changes: 1 addition & 1 deletion distribution/mlflow/secret.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: mlflow-secret
namespace: mlflow
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.mlflow__>>
data:
- key: <<__external_secret_name.mlflow.rds_username__>>
2 changes: 1 addition & 1 deletion distribution/oidc-auth/base/oauth2-proxy-secret.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: oauth2-proxy
namespace: auth
spec:
backendType: secretsManager
backendType: <<__external_secrets.backend_type__>>
roleArn: <<__role_arn.external_secrets.auth__>>
data:
- key: <<__external_secret_name.auth.oidc_client_id__>>
1 change: 1 addition & 0 deletions examples/setup.conf
Expand Up @@ -69,3 +69,4 @@
<<__oidc.scope__>>=openid profile email
<<__oidc.user_id_claim__>>=email
<<__enable_registration_flow__>>="true"
<<__external_secrets.backend_type__>>=secretsManager
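Review bot: The new key is appended without any hint of its allowed values; add an inline comment listing `secretsManager` (default) and `systemManager`, matching the README, so operators editing setup.conf do not have to cross-reference it. Note also that the neighbouring `<<__enable_registration_flow__>>="true"` is quoted while this value is not; confirm that the substitution step would not carry quotes through into `backendType`, where a quoted value would not be accepted.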

0 comments on commit d4e8aba