
External Secrets Operator

```shell
REGION_CORD="us-east-1"
CLUSTER_NAME="hrdkorea-cluster"
# ARN of the pre-existing customer-managed policy that grants Secrets Manager access.
# Its contents are not shown on this page; for ESO's Secrets Manager provider it needs at
# least secretsmanager:GetSecretValue and secretsmanager:DescribeSecret, and should be
# scoped to the mysql/secret ARN rather than "*". If the policy name is wrong the query
# returns nothing and the eksctl step below fails on an empty --attach-policy-arn.
POLICY_ARN=$(aws iam list-policies \
  --query "Policies[?PolicyName=='secretsmanager-policy'].Arn" \
  --output text)
```
```shell
# Create the IRSA role (trust policy scoped to hrdkorea/external-secrets-cert-controller),
# attach the policy, and create the ServiceAccount with the eks.amazonaws.com/role-arn
# annotation. The name is the one the ESO chart uses for its cert-controller ServiceAccount,
# which is why Helm has to adopt it (annotate/label steps below) before the chart installs.
eksctl create iamserviceaccount \
  --name external-secrets-cert-controller \
  --region="$REGION_CORD" \
  --cluster "$CLUSTER_NAME" \
  --namespace=hrdkorea \
  --attach-policy-arn "$POLICY_ARN" \
  --override-existing-serviceaccounts \
  --approve
```
```shell
helm repo add external-secrets https://charts.external-secrets.io
```
```shell
# Helm 3 refuses to install over a resource it did not create unless that resource carries
# the release annotations and the managed-by label. Add them so the chart adopts the
# eksctl-created ServiceAccount instead of failing with "resource already exists".
kubectl annotate serviceaccount external-secrets-cert-controller \
  meta.helm.sh/release-name=external-secrets \
  meta.helm.sh/release-namespace=hrdkorea \
  -n hrdkorea \
  --overwrite
kubectl label serviceaccount external-secrets-cert-controller \
  app.kubernetes.io/managed-by=Helm \
  -n hrdkorea \
  --overwrite
```
```shell
# Chart values (JSON is valid YAML): install the CRDs and label every ESO pod
# (controller, webhook, cert-controller) with skills/dedicated=addon.
cat > values.yaml <<EOF
{
  "installCRDs": true,
  "podLabels": { "skills/dedicated": "addon" },
  "webhook": { "podLabels": { "skills/dedicated": "addon" } },
  "certController": { "podLabels": { "skills/dedicated": "addon" } }
}
EOF
```
```shell
# serviceAccount.create=false stops the chart from creating its own controller ServiceAccount.
# Caveat: with no serviceAccount.name set, the chart falls back to the namespace "default"
# ServiceAccount for the controller Deployment and binds ESO's ClusterRole to it. Check with
#   helm template external-secrets external-secrets/external-secrets -n hrdkorea \
#     -f values.yaml --set serviceAccount.create=false | grep -n serviceAccountName
# and add --set serviceAccount.name=external-secrets-cert-controller if that is not intended.
# After the install, confirm the IRSA annotation survived Helm adoption:
#   kubectl get sa external-secrets-cert-controller -n hrdkorea -o yaml | grep role-arn
helm install external-secrets \
  external-secrets/external-secrets \
  -n hrdkorea \
  -f values.yaml \
  --set serviceAccount.create=false
```
```yaml
# secretstore.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: hrdkorea
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1        # same region as REGION_CORD
      auth:
        jwt:
          # ESO requests a token for this ServiceAccount and exchanges it for the role
          # named in its eks.amazonaws.com/role-arn annotation (AssumeRoleWithWebIdentity).
          serviceAccountRef:
            name: external-secrets-cert-controller
```
```shell
kubectl apply -f secretstore.yaml
```
```yaml
# db-eso.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: rds-secret              # was "rds-secaret" (typo)
  namespace: hrdkorea           # a SecretStore is namespaced; must match it
spec:
  refreshInterval: 24m          # re-read from Secrets Manager every 24 minutes
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: db-credentials        # Kubernetes Secret that receives the keys below
    creationPolicy: Owner       # ESO owns the Secret and removes it with the ExternalSecret
  # Each entry copies one field ("property") of the JSON secret stored at mysql/secret.
  data:
    - secretKey: MYSQL_USER
      remoteRef:
        key: mysql/secret
        property: username
    - secretKey: MYSQL_PASSWORD
      remoteRef:
        key: mysql/secret
        property: password
    - secretKey: MYSQL_HOST
      remoteRef:
        key: mysql/secret
        property: host
    - secretKey: MYSQL_PORT
      remoteRef:
        key: mysql/secret
        property: port
    - secretKey: MYSQL_DBNAME
      remoteRef:
        key: mysql/secret
        property: dbname
    - secretKey: REGION
      remoteRef:
        key: mysql/secret
        property: aws_region
```
```shell
kubectl apply -f db-eso.yaml
```
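The steps above build an identity chain with four links: ExternalSecret -> SecretStore -> the ServiceAccount named in `jwt.serviceAccountRef` -> the IAM role in that ServiceAccount's `eks.amazonaws.com/role-arn` annotation, whose trust policy must accept exactly `system:serviceaccount:hrdkorea:external-secrets-cert-controller`. If any link drifts (for example the eksctl `--name` and the SecretStore's `serviceAccountRef` disagree), STS rejects the AssumeRoleWithWebIdentity call and the SecretStore never becomes Ready. The script below is an added example, not code from the original page or from the External Secrets project: it checks that chain statically before anything is applied. It embeds constructed copies of the page's SecretStore and ExternalSecret as Python dicts, a ServiceAccount as eksctl annotates it, and a trust policy in the shape eksctl writes; the account ID, OIDC provider ID and role name are placeholders.

```python
import json
import re

# Placeholders (assumptions, not values from the page).
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
ROLE_ARN = "arn:aws:iam::123456789012:role/eksctl-hrdkorea-cluster-addon-Role1"

# Trust policy in the shape `eksctl create iamserviceaccount` writes for the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC_PROVIDER}:sub": "system:serviceaccount:hrdkorea:external-secrets-cert-controller",
        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}},
}]}

# The ServiceAccount as eksctl leaves it, and the page's two manifests as dicts (no PyYAML needed).
SERVICE_ACCOUNT = {"metadata": {"name": "external-secrets-cert-controller", "namespace": "hrdkorea",
                                "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}}}
SECRET_STORE = {"metadata": {"name": "aws-secrets", "namespace": "hrdkorea"},
                "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "us-east-1",
                         "auth": {"jwt": {"serviceAccountRef": {"name": "external-secrets-cert-controller"}}}}}}}
EXTERNAL_SECRET = {"metadata": {"name": "rds-secret", "namespace": "hrdkorea"}, "spec": {
    "refreshInterval": "24m",
    "secretStoreRef": {"name": "aws-secrets", "kind": "SecretStore"},
    "target": {"name": "db-credentials", "creationPolicy": "Owner"},
    "data": [{"secretKey": k, "remoteRef": {"key": "mysql/secret", "property": p}} for k, p in
             [("MYSQL_USER", "username"), ("MYSQL_PASSWORD", "password"), ("MYSQL_HOST", "host"),
              ("MYSQL_PORT", "port"), ("MYSQL_DBNAME", "dbname"), ("REGION", "aws_region")]]}}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
SECRET_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")  # legal Kubernetes Secret data key


def check_chain(external_secret, secret_store, service_account, trust_policy):
    """Return a list of problems; an empty list means the identity chain is consistent."""
    problems = []
    ns = secret_store["metadata"]["namespace"]

    # ExternalSecret -> SecretStore: a SecretStore is namespaced, so both must share a namespace.
    ref = external_secret["spec"]["secretStoreRef"]
    if ref.get("kind", "SecretStore") != "SecretStore" or ref["name"] != secret_store["metadata"]["name"]:
        problems.append("secretStoreRef does not point at the SecretStore")
    if external_secret["metadata"]["namespace"] != ns:
        problems.append("ExternalSecret and SecretStore are in different namespaces")

    # SecretStore -> ServiceAccount: jwt.serviceAccountRef must name the IRSA-annotated SA.
    sa_ref = secret_store["spec"]["provider"]["aws"]["auth"]["jwt"]["serviceAccountRef"]
    sa_ns, sa_name = sa_ref.get("namespace", ns), sa_ref["name"]
    meta = service_account["metadata"]
    if (meta["namespace"], meta["name"]) != (sa_ns, sa_name):
        problems.append(f"serviceAccountRef {sa_ns}/{sa_name} does not match the ServiceAccount")

    # ServiceAccount -> role: ESO takes the role ARN (and optional audience) from these annotations.
    annotations = meta.get("annotations", {})
    if not ROLE_ARN_RE.match(annotations.get("eks.amazonaws.com/role-arn", "")):
        problems.append("ServiceAccount lacks a valid eks.amazonaws.com/role-arn annotation")
    audience = annotations.get("eks.amazonaws.com/audience", "sts.amazonaws.com")

    # Role -> token: some Allow statement must accept exactly this SA's sub and aud claims.
    expected_sub = f"system:serviceaccount:{sa_ns}:{sa_name}"
    admitted = False
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        provider = stmt.get("Principal", {}).get("Federated", "").split("oidc-provider/", 1)[-1]
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{provider}:sub") == expected_sub and equals.get(f"{provider}:aud") == audience:
            admitted = True
    if not admitted:
        problems.append(f"no trust statement admits sub={expected_sub} aud={audience}")

    # Target keys must be legal Secret data keys or the API server rejects the synced Secret.
    for item in external_secret["spec"].get("data", []):
        if not SECRET_KEY_RE.match(item["secretKey"]):
            problems.append(f"invalid secretKey {item['secretKey']!r}")
    return problems


def mismatched_trust_policy():
    """Copy of TRUST_POLICY whose sub condition names a different SA: the drift you get when
    the eksctl --name and the SecretStore's serviceAccountRef disagree."""
    policy = json.loads(json.dumps(TRUST_POLICY))
    policy["Statement"][0]["Condition"]["StringEquals"][f"{OIDC_PROVIDER}:sub"] = \
        "system:serviceaccount:hrdkorea:external-secrets"
    return policy


if __name__ == "__main__":
    print("page manifests:", check_chain(EXTERNAL_SECRET, SECRET_STORE, SERVICE_ACCOUNT, TRUST_POLICY) or "OK")
    print("drifted SA name:", check_chain(EXTERNAL_SECRET, SECRET_STORE, SERVICE_ACCOUNT, mismatched_trust_policy()))
```

On the live cluster the same three facts come from `kubectl get sa external-secrets-cert-controller -n hrdkorea -o yaml` (the role-arn annotation), `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` (the trust policy), and `kubectl get secretstore,externalsecret -n hrdkorea` (the READY column). Inspect the synced Secret with `kubectl get secret db-credentials -n hrdkorea -o jsonpath='{.data}'` only to confirm the key names are present; the values are base64, not encrypted, so do not paste that output into tickets or chat.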