Let's Embark! Kubernetes Secrets and AWS SSM (Part 4)
Here is a simple way to inject secrets into a Kubernetes cluster with minimal effort, suitable for workloads that do not have strict security requirements.
Secrets in Kubernetes are always a hard problem. Today's post is a very simple approach built on AWS SSM Parameter Store: the CI/CD pipeline pulls the secret out of SSM and applies it to the cluster before the service is deployed. It is so simple and quick that you might miss it, so let's get to it.
First, log into AWS and open Systems Manager. Go to Parameter Store and create a new parameter. The parameter type must be SecureString, so the value is encrypted with KMS at rest; name it whatever you like, although I go with `/<cloud_provider>-secret/k8s/<application>/<environment>`. Paste the contents of `secret.yaml` as the parameter's value:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: wp-secrets
  namespace: wp-custom-domain
data:
  # values under data: are base64-encoded, not encrypted
  wordpress_db_password: QXdm .. mRUg=
```
Second, jump into your CI configuration and add the following step before the one that creates your Kubernetes Deployment. The `--query` filter must use the same prefix as `--path`; if the two disagree, nothing matches and `kubectl apply` receives empty input.
```sh
# create secrets from /${CLOUD_PROVIDER}-secret/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}
aws ssm get-parameters-by-path \
  --path "/${CLOUD_PROVIDER}-secret/k8s/${APP_TYPE}/" \
  --query "Parameters[?Name=='/${CLOUD_PROVIDER}-secret/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}'].Value" \
  --with-decryption --output text | kubectl apply -f -
```
Finally, configure your Deployment spec to read the value from the Secret with the `valueFrom` directive:
```yaml
spec:
  containers:
    - name: wordpress
      image: wordpress:5.3.2   # Docker Hub official image (_/wordpress on the Hub)
      env:
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: wp-secrets
              key: wordpress_db_password
```
Now run your CI deployment and the Secret will be in the cluster. See, I told you it was simple! It is a simple yet effective way to get secrets into your environment while keeping them out of source code. Two caveats worth knowing: a Kubernetes Secret is base64-encoded, not encrypted, so anyone with read access to Secrets in that namespace (or to etcd) can recover the value; and the CI job's IAM role should be scoped to `ssm:GetParameter`/`ssm:GetParametersByPath` on that parameter path plus `kms:Decrypt` on the key protecting it, so a compromised pipeline for one application cannot read every other application's secrets. Make sure the pipeline never echoes the decrypted value into its logs.
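Putting the three steps together, here is an added example that is not code from the original post. It wraps the procedure in shell functions: derive the parameter name from the naming convention above, render the Secret manifest from a plaintext password (handling the base64 step that `data:` requires), store it in SSM as a SecureString, and fetch-and-apply it from CI with a guard against an empty lookup. The function names, the `wp-secrets` manifest values and the password `s3cr3t-pw` are this example's own constructed inputs, not an AWS or kubectl API; the two functions that call `aws` and `kubectl` need real credentials and are not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Function names and the
# sample values are this example's own assumptions.
set -eu

# Naming convention from the post: /<cloud_provider>-secret/k8s/<application>/<environment>
ssm_param_name() {
  printf '/%s-secret/k8s/%s/%s' "$1" "$2" "$3"
}

# Render a Secret manifest. Values under data: must be base64-encoded (that is
# encoding, not encryption). printf '%s' keeps a trailing newline out of the
# encoded value; tr strips the line wrap GNU base64 adds to long output.
render_secret_manifest() {
  local name=$1 namespace=$2 key=$3 password=$4
  local encoded
  encoded=$(printf '%s' "$password" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: Opaque
data:
  ${key}: ${encoded}
EOF
}

# Step 1 (one-off, needs AWS credentials): store the manifest as a SecureString.
# Add --key-id to encrypt with a customer-managed KMS key instead of the
# account default.
put_secret_parameter() {
  local param_name=$1 manifest=$2
  aws ssm put-parameter --name "$param_name" --type SecureString \
    --value "$manifest" --overwrite
}

# Step 2 (CI, needs AWS credentials and a kubeconfig): fetch the decrypted
# value and apply it. A single get-parameter on the exact name replaces the
# post's get-parameters-by-path + JMESPath filter. An empty or "None" value
# means the lookup failed, so stop before kubectl sees it.
apply_secret_from_ssm() {
  local param_name=$1 manifest
  manifest=$(aws ssm get-parameter --name "$param_name" --with-decryption \
    --query 'Parameter.Value' --output text)
  if [ -z "$manifest" ] || [ "$manifest" = "None" ]; then
    echo "no value stored at ${param_name}" >&2
    return 1
  fi
  printf '%s\n' "$manifest" | kubectl apply -f -
}

# Usage from a pipeline (CLOUD_PROVIDER, APP_TYPE, CI_ENVIRONMENT_NAME are the
# post's CI variables):
#   apply_secret_from_ssm "$(ssm_param_name "$CLOUD_PROVIDER" "$APP_TYPE" "$CI_ENVIRONMENT_NAME")"
# Initial seeding from an operator's machine, with a constructed password:
#   put_secret_parameter "$(ssm_param_name aws wordpress production)" \
#     "$(render_secret_manifest wp-secrets wp-custom-domain wordpress_db_password 's3cr3t-pw')"
```

The whole manifest is stored as one parameter value, which fits comfortably in a Standard-tier parameter (4 KB) for a handful of keys; a larger manifest needs the Advanced tier (8 KB) or one parameter per key. To confirm what landed in the cluster without printing it into a CI log, decode it from an operator's shell: `kubectl -n wp-custom-domain get secret wp-secrets -o jsonpath='{.data.wordpress_db_password}' | base64 -d`.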