AWS Secrets

The aws_secret helper fetches secret data from AWS Secrets Manager.
Example
.kubes/resources/shared/secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: demo
  labels:
    app: demo
data:
  PASS: <%= aws_secret("demo-#{Kubes.env}-PASS") %>
  USER: <%= aws_secret("demo-#{Kubes.env}-USER") %>
```
For example, if you have these secret values:

```sh
$ aws secretsmanager get-secret-value --secret-id demo-dev-PASS | jq '.SecretString'
test1
$ aws secretsmanager get-secret-value --secret-id demo-dev-USER | jq '.SecretString'
test2
$
```
The rendered manifest is:

.kubes/output/shared/secret.yaml

```yaml
metadata:
  namespace: demo
  name: demo-2a78a13682
  labels:
    app: demo
apiVersion: v1
kind: Secret
data:
  PASS: dGVzdDEK
  USER: dGVzdDIK
```
By default, the values are automatically base64 encoded.
Base64 Option
You can change the default behavior with a config option.

.kubes/config.rb

```ruby
KubesAws.configure do |config|
  config.secrets.base64 = false
end
```
Note the use of KubesAws.configure instead of Kubes.configure here.
You can also set the base64 option to turn the automated base64 encoding on and off on a per-secret basis:

```ruby
aws_secret("demo-#{Kubes.env}-USER", base64: true)  # default is base64=true
aws_secret("demo-#{Kubes.env}-PASS", base64: false)
```
Note that Kubernetes secrets are only base64 encoded, not encrypted. Any user who has RBAC permission to read Kubernetes secrets can decode them and obtain the value trivially. Depending on your security posture requirements, this may or may not suffice.
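To make the per-secret base64 option and the caveat above concrete, here is an added Ruby example (not the kubes_aws helper's own code): a stand-in for the Secrets Manager client holding constructed values, a re-implementation of the helper's fetch-and-encode step with the base64: option, and the trivial decode step available to anyone who can read the Secret. FakeSecretsManager, render_secret_data, decode_secret_data and trailing_newline_keys are hypothetical names; the stored values are constructed with a trailing newline so they reproduce the page's dGVzdDEK/dGVzdDIK output.

```ruby
require "base64"

# Stand-in for Aws::SecretsManager::Client: same call shape and response
# accessor (#secret_string) as the real SDK, backed by a constructed hash.
SecretResponse = Struct.new(:secret_string)
class FakeSecretsManager
  def initialize(store)
    @store = store
  end

  def get_secret_value(secret_id:)
    raise ArgumentError, "unknown secret: #{secret_id}" unless @store.key?(secret_id)
    SecretResponse.new(@store.fetch(secret_id))
  end
end

# Re-implementation of what the aws_secret helper observably does: fetch the
# SecretString and base64-encode it unless base64: false is passed.
def aws_secret(client, name, base64: true)
  value = client.get_secret_value(secret_id: name).secret_string
  # strict_encode64 gives one line with no trailing newline, which is what a
  # YAML scalar needs; Base64.encode64 would insert "\n" and break the manifest.
  base64 ? Base64.strict_encode64(value) : value
end

# The two data keys the page's secret.yaml renders for a given Kubes.env.
def render_secret_data(client, env)
  {
    "PASS" => aws_secret(client, "demo-#{env}-PASS"),
    "USER" => aws_secret(client, "demo-#{env}-USER"),
  }
end

# What anyone with RBAC to read the Secret can do with the rendered manifest:
# base64 is an encoding, not encryption.
def decode_secret_data(data)
  data.transform_values { |v| Base64.strict_decode64(v) }
end

# Keys whose stored value ends in "\n" (the page's dGVzdDEK decodes to "test1\n");
# that newline is delivered to the container unchanged, a common source of bugs.
def trailing_newline_keys(data)
  decode_secret_data(data).select { |_, v| v.end_with?("\n") }.keys
end

if __FILE__ == $0
  client = FakeSecretsManager.new({ "demo-dev-PASS" => "test1\n", "demo-dev-USER" => "test2\n" })
  data = render_secret_data(client, "dev")
  puts data.inspect  # {"PASS"=>"dGVzdDEK", "USER"=>"dGVzdDIK"}
end
```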