fluxcd
/
kustomize-controller
mirror of https://github.com/fluxcd/kustomize-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add docs 

Signed-off-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
This commit is contained in:
Sanskar Jaiswal 2022-04-28 22:49:45 +05:30
parent 53aded2596
commit c801f75458
4 changed files with 69 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
docs/spec/v1beta2/kustomization.md
View File

@ -1105,6 +1105,25 @@ data:
identity.asc: <BASE64> identity.asc: <BASE64>
``` ```
#### AWS KMS Secret Entry
To specify credentials for an AWS user account linked to the IAM role with access
to KMS, append a `.data` entry with a fixed `sops.aws-kms` key.
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: sops-keys
namespace: default
stringData:
sops.aws-kms: |
aws_access_key_id: some-access-key-id
aws_secret_access_key: some-aws-secret-access-key
aws_session_token: some-aws-session-token # this field is optional
```
#### Azure Key Vault Secret entry #### Azure Key Vault Secret entry
To specify credentials for Azure Key Vault in a Secret, append a `.data` entry To specify credentials for Azure Key Vault in a Secret, append a `.data` entry
@ -1233,7 +1252,8 @@ While making use of the [IAM OIDC provider](https://eksctl.io/usage/iamserviceac
on your EKS cluster, you can create an IAM Role and Service Account with access on your EKS cluster, you can create an IAM Role and Service Account with access
to AWS KMS (using at least `kms:Decrypt` and `kms:DescribeKey`). Once these are to AWS KMS (using at least `kms:Decrypt` and `kms:DescribeKey`). Once these are
created, you can annotate the kustomize-controller Service Account with the created, you can annotate the kustomize-controller Service Account with the
Role ARN, granting the controller permissions to decrypt the Secrets. Role ARN, granting the controller permissions to decrypt the Secrets. Please refer
to the [SOPS guide](https://fluxcd.io/docs/guides/mozilla-sops/#aws) for detailed steps.
```sh ```sh
kubectl -n flux-system annotate serviceaccount kustomize-controller \ kubectl -n flux-system annotate serviceaccount kustomize-controller \

22
internal/sops/awskms/keysource.go
View File

@ -1,3 +1,19 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package awskms package awskms
import ( import (
@ -32,16 +48,21 @@ type MasterKey struct {
credentials *credentials.Credentials credentials *credentials.Credentials
} }
// Creds is a wrapper around credentials.Credentials used for authenticating
// when using AWS KMS.
type Creds struct { type Creds struct {
credentials *credentials.Credentials credentials *credentials.Credentials
} }
// NewCreds creates new Creds object with the provided credentials.Credentials
func NewCreds(credentials *credentials.Credentials) *Creds { func NewCreds(credentials *credentials.Credentials) *Creds {
return &Creds{ return &Creds{
credentials: credentials, credentials: credentials,
} }
} }
// LoadAwsKmsCredsFromYaml parses the given yaml returns a Creds object, which contains
// the AWS credentials.
func LoadAwsKmsCredsFromYaml(b []byte) (*Creds, error) { func LoadAwsKmsCredsFromYaml(b []byte) (*Creds, error) {
credInfo := struct { credInfo := struct {
AccessKeyID string `json:"aws_access_key_id"` AccessKeyID string `json:"aws_access_key_id"`
@ -57,6 +78,7 @@ func LoadAwsKmsCredsFromYaml(b []byte) (*Creds, error) {
}, nil }, nil
} }
// ApplyToMasterKey configures the credentials the provided key.
func (c Creds) ApplyToMasterKey(key *MasterKey) { func (c Creds) ApplyToMasterKey(key *MasterKey) {
key.credentials = c.credentials key.credentials = c.credentials
} }

16
internal/sops/awskms/keysource_test.go
View File

@ -1,3 +1,19 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package awskms package awskms
import ( import (

18
internal/sops/keyservice/options.go
View File

@ -57,6 +57,16 @@ func (o WithAgeIdentities) ApplyToServer(s *Server) {
s.ageIdentities = age.ParsedIdentities(o) s.ageIdentities = age.ParsedIdentities(o)
} }
// WithAWSKeys configurs the AWS credentials on the Server
type WithAWSKeys struct {
creds *awskms.Creds
}
// ApplyToServer applies this configuration to the given Server.
func (o WithAWSKeys) ApplyToServer(s *Server) {
s.awsCreds = o.creds
}
// WithAzureToken configures the Azure credential token on the Server. // WithAzureToken configures the Azure credential token on the Server.
type WithAzureToken struct { type WithAzureToken struct {
Token *azkv.Token Token *azkv.Token
@ -76,11 +86,3 @@ type WithDefaultServer struct {
func (o WithDefaultServer) ApplyToServer(s *Server) { func (o WithDefaultServer) ApplyToServer(s *Server) {
s.defaultServer = o.Server s.defaultServer = o.Server
} }
type WithAWSKeys struct {
creds *awskms.Creds
}
func (o WithAWSKeys) ApplyToServer(s *Server) {
s.awsCreds = o.creds
}