diff --git a/README.md b/README.md index bc31d6d0..78e77cde 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,13 @@ In addition, we need to grant each role limited access to secrets. We have chose - Example ARN: `arn:aws:iam::123456789012:role/my-cluster_istio-system` - Policy: [link](./docs/iam_policies/external-secrets_istio-system.json) +#### Backend types +There are two supported AWS backend types: +- [Secrets Manager](https://aws.amazon.com/secrets-manager/) is the default type set in [setup.conf](./examples/setup.conf). + - `<<__external_secrets.backend_type__>>=secretsManager` +- [System Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) can be used instead by updating the following placeholder value in [setup.conf](./examples/setup.conf) to `systemManager`. + - `<<__external_secrets.backend_type__>>=systemManager` --- # AWS Users diff --git a/distribution/argocd/overlays/private-repo/secret.yaml b/distribution/argocd/overlays/private-repo/secret.yaml index 115cff03..23517814 100644 --- a/distribution/argocd/overlays/private-repo/secret.yaml +++ b/distribution/argocd/overlays/private-repo/secret.yaml @@ -4,7 +4,7 @@ metadata: name: git-repo-secret namespace: argocd spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.argocd__>> data: - key: <<__external_secret_name.git_repo.https_username__>> diff --git a/distribution/certificates/overlays/imported/auth-certificate-secret.yaml b/distribution/certificates/overlays/imported/auth-certificate-secret.yaml index bd4431cc..c554b4f9 100644 --- a/distribution/certificates/overlays/imported/auth-certificate-secret.yaml +++ b/distribution/certificates/overlays/imported/auth-certificate-secret.yaml 
@@ -4,7 +4,7 @@ metadata: name: auth-ingressgateway-certs namespace: istio-system spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> template: type: kubernetes.io/tls roleArn: <<__role_arn.external_secrets.istio_system__>> diff --git a/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml b/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml index 97736cba..bad00121 100644 --- a/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml +++ b/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml @@ -4,7 +4,7 @@ metadata: name: kubeflow-ingressgateway-certs namespace: istio-system spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> template: type: kubernetes.io/tls roleArn: <<__role_arn.external_secrets.istio_system__>> diff --git a/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml b/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml index 6332d872..cb0519bd 100644 --- a/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml +++ b/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml @@ -4,7 +4,7 @@ metadata: name: monitoring-ingressgateway-certs namespace: istio-system spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> template: type: kubernetes.io/tls roleArn: <<__role_arn.external_secrets.istio_system__>> diff --git a/distribution/kubeflow/katib/rds-secret.yaml b/distribution/kubeflow/katib/rds-secret.yaml index 9addb690..f2a2c1d9 100644 --- a/distribution/kubeflow/katib/rds-secret.yaml +++ b/distribution/kubeflow/katib/rds-secret.yaml 
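Review bot: The `backendType` placeholder on these `kubernetes.io/tls` ExternalSecrets (auth-, kubeflow- and monitoring-ingressgateway-certs) now allows `systemManager`, but nothing warns that AWS Parameter Store caps a value at 4 KB for standard parameters and 8 KB for the advanced tier, which a PEM certificate chain plus private key can exceed, so the template would render fine and only fail at sync time. I would add a comment above the placeholder line: `# systemManager: each cert/key value must fit a Parameter Store parameter (4 KB standard, 8 KB advanced tier)`. The `data:` entries that name the backing secrets lie outside this hunk, so I cannot tell whether the key names are valid SSM parameter paths.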
@@ -4,7 +4,7 @@ metadata: name: katib-rds-secret namespace: kubeflow spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.kubeflow__>> data: - key: <<__external_secret_name.kubeflow.rds_username__>> diff --git a/distribution/kubeflow/pipelines/base/patches/kubeflow-pipelines-profile-controller.yaml b/distribution/kubeflow/pipelines/base/patches/kubeflow-pipelines-profile-controller.yaml index 6c86d431..afe778a1 100644 --- a/distribution/kubeflow/pipelines/base/patches/kubeflow-pipelines-profile-controller.yaml +++ b/distribution/kubeflow/pipelines/base/patches/kubeflow-pipelines-profile-controller.yaml @@ -19,6 +19,8 @@ spec: value: <<__external_secret_name.kubeflow.s3_secretkey__>> - name: EXTERNAL_SECRET_ROLE_ARN value: <<__role_arn.external_secrets.kubeflow__>> + - name: EXTERNAL_SECRET_BACKEND_TYPE + value: <<__external_secrets.backend_type__>> # remove minio-related params - $patch: delete diff --git a/distribution/kubeflow/pipelines/base/patches/sync_with_s3.py b/distribution/kubeflow/pipelines/base/patches/sync_with_s3.py index 3d4093e2..f408c2ea 100644 --- a/distribution/kubeflow/pipelines/base/patches/sync_with_s3.py +++ b/distribution/kubeflow/pipelines/base/patches/sync_with_s3.py @@ -22,6 +22,7 @@ secret_name_s3_accesskey = os.environ.get("SECRET_NAME_S3_ACCESSKEY") secret_name_s3_secretkey = os.environ.get("SECRET_NAME_S3_SECRETKEY") external_secret_role_arn = os.environ.get("EXTERNAL_SECRET_ROLE_ARN") +external_secret_backend_type = os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE") class Controller(BaseHTTPRequestHandler): @@ -226,7 +227,7 @@ def sync(self, parent, children): "namespace": namespace, }, "spec": { - "backendType": "secretsManager", + "backendType": external_secret_backend_type, "roleArn": external_secret_role_arn, "data": [ { 
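Review bot: `os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE")` returns `None` when the variable is unset, and the second hunk in sync_with_s3.py then writes `"backendType": None` into every generated ExternalSecret, whereas the old code always emitted `secretsManager`; any rollout where this script is updated before the Deployment patch that adds the env var (or any other caller of the script) silently produces resources the external-secrets controller cannot reconcile. Keep the previous behaviour as the default and fail fast on an unsupported value: `external_secret_backend_type = os.environ.get("EXTERNAL_SECRET_BACKEND_TYPE", "secretsManager")` followed by `if external_secret_backend_type not in ("secretsManager", "systemManager"):` / `    raise ValueError(f"unsupported EXTERNAL_SECRET_BACKEND_TYPE: {external_secret_backend_type!r}")`. The `sync()` method whose body the second hunk touches starts and ends outside the hunk.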
diff --git a/distribution/kubeflow/pipelines/base/resources/rds-secret.yaml b/distribution/kubeflow/pipelines/base/resources/rds-secret.yaml index 10223d55..b23d0765 100644 --- a/distribution/kubeflow/pipelines/base/resources/rds-secret.yaml +++ b/distribution/kubeflow/pipelines/base/resources/rds-secret.yaml @@ -4,7 +4,7 @@ metadata: name: pipelines-rds-secret namespace: kubeflow spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.kubeflow__>> data: - key: <<__external_secret_name.kubeflow.rds_username__>> diff --git a/distribution/kubeflow/pipelines/base/resources/s3-secret.yaml b/distribution/kubeflow/pipelines/base/resources/s3-secret.yaml index c818ab09..2c859837 100644 --- a/distribution/kubeflow/pipelines/base/resources/s3-secret.yaml +++ b/distribution/kubeflow/pipelines/base/resources/s3-secret.yaml @@ -4,7 +4,7 @@ metadata: name: pipelines-s3-secret namespace: kubeflow spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.kubeflow__>> data: - key: <<__external_secret_name.kubeflow.s3_accesskey__>> diff --git a/distribution/mlflow/secret.yaml b/distribution/mlflow/secret.yaml index 93e925e3..9a52ebad 100644 --- a/distribution/mlflow/secret.yaml +++ b/distribution/mlflow/secret.yaml @@ -4,7 +4,7 @@ metadata: name: mlflow-secret namespace: mlflow spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.mlflow__>> data: - key: <<__external_secret_name.mlflow.rds_username__>> diff --git a/distribution/oidc-auth/base/oauth2-proxy-secret.yaml b/distribution/oidc-auth/base/oauth2-proxy-secret.yaml index d6dba052..6a444b54 100644 --- a/distribution/oidc-auth/base/oauth2-proxy-secret.yaml +++ b/distribution/oidc-auth/base/oauth2-proxy-secret.yaml 
@@ -4,7 +4,7 @@ metadata: name: oauth2-proxy namespace: auth spec: - backendType: secretsManager + backendType: <<__external_secrets.backend_type__>> roleArn: <<__role_arn.external_secrets.auth__>> data: - key: <<__external_secret_name.auth.oidc_client_id__>> diff --git a/examples/setup.conf b/examples/setup.conf index fc4966e2..199bdc4e 100644 --- a/examples/setup.conf +++ b/examples/setup.conf @@ -69,3 +69,4 @@ <<__oidc.scope__>>=openid profile email <<__oidc.user_id_claim__>>=email <<__enable_registration_flow__>>="true" +<<__external_secrets.backend_type__>>=secretsManager
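Review bot: Setting `<<__external_secrets.backend_type__>>=systemManager` in setup.conf changes what every per-namespace role needs, not just the ExternalSecret spec: reading from Parameter Store requires `ssm:GetParameter`/`ssm:GetParameters` (and `kms:Decrypt` for SecureString parameters) rather than the `secretsmanager:*` actions, and each `<<__external_secret_name.*__>>` value must then be an SSM parameter name. The IAM policy JSON files the README links are not part of this diff, so I cannot confirm whether they already cover SSM, but nothing in the new "Backend types" section tells the operator to check them. I would add one sentence to that section: "When using `systemManager`, update the per-namespace IAM policies to grant `ssm:GetParameter` (and `kms:Decrypt` for SecureString parameters), and make sure the `<<__external_secret_name.*__>>` values are valid parameter names." Note also that the service is named "Systems Manager", not "System Manager", in the README.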