• A data object that stores the sensitive information a workload needs as key-value pairs
• Stored base64-encoded
  + All of it is stored in etcd.

```shell
> echo cGFzc3dvcmQ= | base64 -d
password
```
External Secret
In the ExternalSecret manifest (externalsecret.yaml), each `key` field must hold the actual name of the secret in AWS Secrets Manager.
• secretstore.yaml

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: <Namespace>
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-northeast-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-cert-controller
```
• external-secret-operator.yaml

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: <Namespace>
spec:
  refreshInterval: 30s
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
    # SECRET_NAME is a placeholder; the sed step below replaces it with the
    # real Secrets Manager secret name ($SECRET_NAME from Settings).
    - secretKey: MYSQL_USER
      remoteRef:
        key: SECRET_NAME
        property: username
    - secretKey: MYSQL_PASSWORD
      remoteRef:
        key: SECRET_NAME
        property: password
    - secretKey: MYSQL_HOST
      remoteRef:
        key: SECRET_NAME
        property: host
    - secretKey: MYSQL_PORT
      remoteRef:
        key: SECRET_NAME
        property: port
    - secretKey: MYSQL_DBNAME
      remoteRef:
        key: SECRET_NAME
        property: dbname
    - secretKey: REGION
      remoteRef:
        key: SECRET_NAME
        property: aws_region
```
Settings

```shell
EKS_CLUSTER_NAME="<EKS_CLUSTER_NAME>"
EKS_NODE_GROUP_NAME="<EKS_NODE_GROUP_NAME>"
REGION_CORD=$(aws configure get region --output text)
NAMESPACE_NAME="<NAMESPACE_NAME>"
SECRET_NAME="<Secret Manager Name>"
```
```shell
cat >secret-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["*"]
    }
  ]
}
EOF
```

```shell
POLICY_ARN=$(aws --region "$REGION_CORD" --query Policy.Arn --output text iam create-policy --policy-name secretsmanager-policy --policy-document file://secret-policy.json)
```
```shell
# Creates the IRSA service account referenced by the SecretStore above.
# Uses the EKS_CLUSTER_NAME and NAMESPACE_NAME variables from Settings.
eksctl create iamserviceaccount \
  --name external-secrets-cert-controller \
  --region="$REGION_CORD" \
  --cluster "$EKS_CLUSTER_NAME" \
  --namespace="$NAMESPACE_NAME" \
  --attach-policy-arn "$POLICY_ARN" \
  --override-existing-serviceaccounts \
  --approve
```
```shell
helm repo add external-secrets https://charts.external-secrets.io
```

```shell
kubectl annotate serviceaccount external-secrets-cert-controller \
  meta.helm.sh/release-name=external-secrets \
  meta.helm.sh/release-namespace=$NAMESPACE_NAME \
  -n $NAMESPACE_NAME \
  --overwrite
```

```shell
kubectl label serviceaccount external-secrets-cert-controller \
  app.kubernetes.io/managed-by=Helm \
  -n $NAMESPACE_NAME \
  --overwrite
```
```shell
cat > values.yaml <<EOF
{
  "installCRDs": true,
  "nodeSelector": {
    "eks.amazonaws.com/nodegroup": "$EKS_NODE_GROUP_NAME"
  },
  "webhook": {
    "nodeSelector": {
      "eks.amazonaws.com/nodegroup": "$EKS_NODE_GROUP_NAME"
    }
  },
  "certController": {
    "nodeSelector": {
      "eks.amazonaws.com/nodegroup": "$EKS_NODE_GROUP_NAME"
    }
  }
}
EOF
```
```shell
# The release namespace must equal the meta.helm.sh/release-namespace
# annotation set on the service account above, or Helm refuses to adopt it.
helm install external-secrets \
  external-secrets/external-secrets \
  -n "$NAMESPACE_NAME" \
  -f values.yaml \
  --set serviceAccount.create=false
```
```shell
kubectl apply -f secretstore.yaml
sed -i "s|SECRET_NAME|$SECRET_NAME|g" external-secret-operator.yaml
kubectl apply -f external-secret-operator.yaml
```
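As an added check that is not part of the original page, a stdlib-only Python lint for the SecretStore/ExternalSecret pair before `kubectl apply`: it confirms that `secretStoreRef` points at the SecretStore, that both live in the same namespace, that the store's `serviceAccountRef` is the IRSA account eksctl created, and that the SECRET_NAME placeholder has actually been substituted. The namespace `app`, the secret name `prod/db` and the trimmed manifest copies are constructed sample values; with real files, load them via `yaml.safe_load()` instead.

```python
"""Added pre-apply lint for the SecretStore/ExternalSecret pair (stdlib only, constructed input)."""
IRSA_SA = "external-secrets-cert-controller"  # service account created by eksctl above

def _get(obj, *path, default=None):
    """Walk nested dict keys; return default when any level is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def check_pair(store: dict, es: dict, irsa_sa: str = IRSA_SA) -> list[str]:
    """Return findings for the pair; an empty list means it is consistent."""
    findings = []
    ref_name = _get(es, "spec", "secretStoreRef", "name")
    if ref_name != _get(store, "metadata", "name"):
        findings.append(f"secretStoreRef.name {ref_name!r} != SecretStore name {_get(store, 'metadata', 'name')!r}")
    # A namespaced SecretStore can only be referenced from its own namespace.
    if _get(es, "metadata", "namespace") != _get(store, "metadata", "namespace"):
        findings.append("ExternalSecret and SecretStore are in different namespaces")
    sa = _get(store, "spec", "provider", "aws", "auth", "jwt", "serviceAccountRef", "name")
    if sa != irsa_sa:
        findings.append(f"serviceAccountRef.name {sa!r} is not the IRSA account {irsa_sa!r}")
    for item in _get(es, "spec", "data", default=[]):
        key = _get(item, "remoteRef", "key", default="")
        if key == "SECRET_NAME" or "<" in key:  # the sed substitution has not run yet
            findings.append(f"remoteRef.key {key!r} for {item.get('secretKey')} is a placeholder")
    return findings

def substitute_secret_name(es: dict, secret_name: str) -> dict:
    """Same effect as the page's sed: fill the SECRET_NAME placeholder in every remoteRef.key."""
    data = [{**i, "remoteRef": {**i["remoteRef"], "key": i["remoteRef"]["key"].replace("SECRET_NAME", secret_name)}}
            for i in es["spec"]["data"]]
    return {**es, "spec": {**es["spec"], "data": data}}

# Constructed copies of the page's two manifests, trimmed to two data entries.
STORE = {"apiVersion": "external-secrets.io/v1beta1", "kind": "SecretStore",
         "metadata": {"name": "aws-secrets", "namespace": "app"},
         "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "ap-northeast-2",
                  "auth": {"jwt": {"serviceAccountRef": {"name": IRSA_SA}}}}}}}
ES = {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
      "metadata": {"name": "db-credentials", "namespace": "app"},
      "spec": {"refreshInterval": "30s", "secretStoreRef": {"name": "aws-secrets", "kind": "SecretStore"},
               "target": {"name": "db-credentials", "creationPolicy": "Owner"},
               "data": [{"secretKey": "MYSQL_USER", "remoteRef": {"key": "SECRET_NAME", "property": "username"}},
                        {"secretKey": "MYSQL_PASSWORD", "remoteRef": {"key": "SECRET_NAME", "property": "password"}}]}}

if __name__ == "__main__":
    print(check_pair(STORE, ES))                                      # two placeholder findings
    print(check_pair(STORE, substitute_secret_name(ES, "prod/db")))   # []
```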