EKS External Secret

2024년 12월 27일

wngnl05
작성자
2024.12.27.:19

External Secret 역활 & 정책 만들기

REGION=""
CLUSTER_NAME=""
NAMESPACE=""

cat >secret-policy.json <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds"
         ],
         "Resource": ["*"]
      },
      {
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": ["*"]
      }
    ]
}
EOF
aws iam create-policy \
    --policy-name wngnl-external-secrets \
    --policy-document file://secret-policy.json
    
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
eksctl create iamserviceaccount \
    --name wngnl-external-secrets-cert-controller \
    --region $REGION \
    --cluster $CLUSTER_NAME \
    --namespace=$NAMESPACE \
    --attach-policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/wngnl-external-secrets \
    --override-existing-serviceaccounts \
    --approve

External Secret 설치하기

helm repo add external-secrets https://charts.external-secrets.io
 
helm install external-secrets \
   external-secrets/external-secrets \
   -n kube-system \
   --set serviceAccount.create=false

Secret Reloader 설치하기

helm repo add stakater https://stakater.github.io/stakater-charts
helm repo update

helm install reloader stakater/reloader

Down File

wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/External-Secret/external-secret.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/External-Secret/secret-store.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/External-Secret/deployment.yaml

확인하기

aws secretsmanager rotate-secret --secret-id $(aws secretsmanager list-secrets --query 'SecretList[?starts_with(Name, `rds!`)].Name' --output text)
sleep 2m
aws secretsmanager get-secret-value --secret-id $(aws secretsmanager list-secrets --query 'SecretList[?starts_with(Name, `rds!`)].Name' --output text) --query "SecretString" --output text | jq -r .password
kubectl exec -n wsi -it $(kubectl get pods -n wsi --no-headers -o custom-columns=":metadata.name" | grep customer | head -n 1) -- /bin/sh -c 'echo $MYSQL_PASSWORD' 
kubectl exec -n wsi -it $(kubectl get pods -n wsi --no-headers -o custom-columns=":metadata.name" | grep product | head -n 1) -- /bin/sh -c 'echo $MYSQL_PASSWORD'

저작자표시 비영리 변경금지 (새창열림)

'Aws' 카테고리의 다른 글

WAF를 이용하여 POST Body에 특정 Key만 허용하기 (0)	2024.12.27
EKS Node의 Pod Limit 해제하기 (0)	2024.12.27
EKS RBAC (0)	2024.12.27
Lambda@edge로 S3 presigned URL 반환하기 (0)	2024.12.27
Linux에서 lynx 사용하기 (0)	2024.12.27

다음 글이 없습니다.

이전 글이 없습니다.

'Aws' 카테고리의 다른 글

티스토리툴바