kubes 0.4.3 → 0.5.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +22 -0
- data/docs/_docs/config/reference.md +1 -0
- data/docs/_docs/config/skip.md +1 -1
- data/docs/_docs/dsl/multiple-resources.md +3 -3
- data/docs/_docs/dsl/resources/job.md +62 -0
- data/docs/_docs/extra-env/dsl.md +2 -2
- data/docs/_docs/extra-env/yaml.md +1 -1
- data/docs/_docs/generators.md +41 -0
- data/docs/_docs/helpers.md +10 -3
- data/docs/_docs/helpers/aws.md +15 -0
- data/docs/_docs/helpers/aws/iam-role.md +91 -0
- data/docs/_docs/helpers/aws/secrets.md +129 -0
- data/docs/_docs/helpers/aws/ssm.md +76 -0
- data/docs/_docs/helpers/custom.md +40 -0
- data/docs/_docs/helpers/google.md +17 -0
- data/docs/_docs/helpers/google/secrets.md +76 -0
- data/docs/_docs/helpers/google/service-account.md +60 -0
- data/docs/_docs/intro.md +3 -1
- data/docs/_docs/intro/docker-image.md +66 -0
- data/docs/_docs/layering/merge.md +1 -1
- data/docs/_docs/learn/dsl/delete.md +10 -2
- data/docs/_docs/learn/dsl/review-project.md +2 -2
- data/docs/_docs/learn/yaml/delete.md +10 -2
- data/docs/_docs/learn/yaml/review-project.md +2 -2
- data/docs/_docs/patterns/clock-web-worker.md +3 -3
- data/docs/_docs/patterns/migrations.md +1 -1
- data/docs/_docs/patterns/secrets.md +0 -2
- data/docs/_docs/yaml.md +2 -2
- data/docs/_includes/commands.html +2 -2
- data/docs/_includes/helpers/base64.md +1 -0
- data/docs/_includes/layering/layers.md +1 -1
- data/docs/_includes/sidebar.html +23 -1
- data/docs/_reference/kubes-delete.md +1 -1
- data/docs/_reference/kubes-exec.md +17 -1
- data/docs/_reference/kubes-init.md +2 -2
- data/docs/_reference/kubes-logs.md +2 -1
- data/docs/_reference/kubes-new.md +58 -0
- data/docs/_reference/kubes-prune.md +22 -0
- data/docs/reference.md +2 -0
- data/kubes.gemspec +1 -0
- data/lib/kubes.rb +3 -1
- data/lib/kubes/autoloader.rb +9 -0
- data/lib/kubes/cli.rb +9 -1
- data/lib/kubes/cli/build.rb +6 -0
- data/lib/kubes/cli/compile.rb +7 -0
- data/lib/kubes/cli/deploy.rb +1 -6
- data/lib/kubes/cli/exec.rb +5 -1
- data/lib/kubes/cli/help/exec.md +15 -0
- data/lib/kubes/cli/help/new.md +30 -0
- data/lib/kubes/cli/init.rb +1 -1
- data/lib/kubes/cli/new.rb +97 -0
- data/lib/kubes/cli/sequence.rb +1 -0
- data/lib/kubes/command.rb +7 -0
- data/lib/kubes/compiler.rb +19 -21
- data/lib/kubes/compiler/dsl/syntax/job.rb +217 -0
- data/lib/kubes/compiler/shared/custom_helpers.rb +17 -0
- data/lib/kubes/compiler/shared/helpers.rb +12 -3
- data/lib/kubes/compiler/shared/helpers/deprecated.rb +37 -0
- data/lib/kubes/compiler/strategy/base.rb +3 -3
- data/lib/kubes/compiler/strategy/dsl.rb +3 -2
- data/lib/kubes/compiler/strategy/erb.rb +10 -1
- data/lib/kubes/compiler/strategy/erb/yaml_error.rb +60 -0
- data/lib/kubes/compiler/util/normalize.rb +1 -1
- data/lib/kubes/compiler/util/save_file.rb +8 -0
- data/lib/kubes/config.rb +1 -1
- data/lib/kubes/core.rb +6 -0
- data/lib/kubes/docker/strategy/image_name.rb +1 -1
- data/lib/kubes/kubectl.rb +5 -23
- data/lib/kubes/kubectl/batch.rb +27 -33
- data/lib/kubes/kubectl/ordering.rb +42 -0
- data/lib/kubes/version.rb +1 -1
- data/lib/templates/base/.kubes/config.rb.tt +1 -1
- data/lib/templates/base/.kubes/config/env/dev.rb +1 -1
- data/lib/templates/base/.kubes/config/env/prod.rb +1 -1
- data/lib/templates/dsl/.kubes/resources/web/deployment.rb +1 -1
- data/lib/templates/new/dsl/backend_config.rb +10 -0
- data/lib/templates/new/dsl/config_map.rb +5 -0
- data/lib/templates/new/dsl/daemon_set.rb +11 -0
- data/lib/templates/new/dsl/deployment.rb +4 -0
- data/lib/templates/new/dsl/ingress.rb +3 -0
- data/lib/templates/new/dsl/job.rb +2 -0
- data/lib/templates/new/dsl/managed_certificate.rb +2 -0
- data/lib/templates/new/dsl/namespace.rb +2 -0
- data/lib/templates/new/dsl/network_policy.rb +7 -0
- data/lib/templates/new/dsl/pod.rb +6 -0
- data/lib/templates/new/dsl/role.rb +4 -0
- data/lib/templates/new/dsl/role_binding.rb +7 -0
- data/lib/templates/new/dsl/secret.rb +5 -0
- data/lib/templates/new/dsl/service.rb +2 -0
- data/lib/templates/new/dsl/service_account.rb +1 -0
- data/lib/templates/new/yaml/backend_config.yaml +10 -0
- data/lib/templates/new/yaml/config_map.yaml +9 -0
- data/lib/templates/new/yaml/daemon_set.yaml +11 -0
- data/lib/templates/new/yaml/deployment.yaml +20 -0
- data/lib/templates/new/yaml/ingress.yaml +12 -0
- data/lib/templates/new/yaml/job.yaml +19 -0
- data/lib/templates/new/yaml/managed_certificate.yaml +7 -0
- data/lib/templates/new/yaml/namespace.yaml +6 -0
- data/lib/templates/new/yaml/network_policy.yaml +20 -0
- data/lib/templates/new/yaml/pod.yaml +11 -0
- data/lib/templates/new/yaml/role.yaml +13 -0
- data/lib/templates/new/yaml/role_binding.yaml +11 -0
- data/lib/templates/new/yaml/secret.yaml +9 -0
- data/lib/templates/new/yaml/service.yaml +14 -0
- data/lib/templates/new/yaml/service_account.yaml +4 -0
- data/lib/templates/yaml/.kubes/resources/base/all.yaml.tt +2 -0
- data/lib/templates/yaml/.kubes/resources/web/deployment.yaml.tt +1 -1
- data/spec/kubes/cli/prune_spec.rb +1 -0
- data/spec/kubes/compiler_spec.rb +5 -1
- metadata +67 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 32e7414b0e237ec67d21e06089571c57671f5ec2fb946eb89a1b2220bc1ba87d
|
4
|
+
data.tar.gz: 76d393eee8b25ee806ca455efe521d4a690795a1f94690d16ba39a1a0dd05d4c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4e5a7c052aaae9e0893293a9862979502f7bba65465d189691647ee5f4a4786c3e166c5e6ad2c908d72c3586a64db153253fe4e8f109fd278570c007d9ad6c53
|
7
|
+
data.tar.gz: ea95f2f305b03a32f2283ca103a4b69914229a238ace8527cea56898af33b7b15f563d8cc5041279758c98c9150e713a03b5acb96b08d789202c966ba34ecc03
|
data/CHANGELOG.md
CHANGED
@@ -3,6 +3,28 @@
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
5
5
|
|
6
|
+
## [0.5.0]
|
7
|
+
- #34 Generators, docker_image helper, check project, also write full.yaml #34
|
8
|
+
- new generators: docs: https://kubes.guru/docs/generators/
|
9
|
+
- `docker_image` helper. deprecated `built_image`. `config.image` option support.
|
10
|
+
- check_project: check within a Kubes project
|
11
|
+
- job dsl
|
12
|
+
- kubes compile: auto run docker build and push when if needed
|
13
|
+
- also write .kubes/output/full.yaml
|
14
|
+
|
15
|
+
## [0.4.7]
|
16
|
+
- #33 improve switch context: earlier and only when needed
|
17
|
+
|
18
|
+
## [0.4.6]
|
19
|
+
- #32 custom helpers support
|
20
|
+
|
21
|
+
## [0.4.5]
|
22
|
+
- #31 kubes AWS helpers
|
23
|
+
|
24
|
+
## [0.4.4]
|
25
|
+
- #30 friendly message for rendered erb yaml and dsl errors
|
26
|
+
- fix backtrace_reject pattern
|
27
|
+
|
6
28
|
## [0.4.3]
|
7
29
|
- #29 fix edge case when user provides hook on option for non-kubectl hooks
|
8
30
|
|
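Review bot: the 0.5.0 entry repeats the issue number at both ends of the line ("- #34 Generators, ... #34") and the compile bullet reads "when if needed"; drop the trailing "#34" and pick one of "when"/"if". Since the file list adds compiler/shared/helpers/deprecated.rb, the `docker_image` bullet could also say that `built_image` keeps working with a deprecation warning rather than leaving readers to guess whether older templates break.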
@@ -6,6 +6,7 @@ Name | Description | Default
|
|
6
6
|
---|---|---
|
7
7
|
auto_prune | Prune and delete old hashed resources like Secret and ConfigMap. | true
|
8
8
|
builder | What docker build command to use. Can use `docker` or `gcloud` to build the Docker image. | docker
|
9
|
+
image | Set a prebuilt Docker image to use. This is optional. Usually, you want to build an image from the Dockerfile. Setting this will change the `docker_image` helper to use a predefined image. See: [Docker Image]({% link _docs/intro/docker-image.md %}) | nil
|
9
10
|
kubectl.context | What kubectl context to auto-switch to. | nil
|
10
11
|
kubectl.context_keep | Whether or not to keep the context switched | true
|
11
12
|
kubectl.exit_on_fail.apply | Whether or not continue if the `kubectl apply` fails. Note, can use `KUBES_EXIT_ON_FAIL=0` env var to set to false. | true
|
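Review bot: the new `image` row says the setting changes what the `docker_image` helper returns, but not how it interacts with the `--image` cli option mentioned in the helpers table, nor that a prebuilt image means the build and push steps are bypassed; state the precedence between the cli flag, `config.image` and the freshly built image, whichever it is, in this row. From an operations standpoint the row could also recommend referencing a prebuilt image by digest or an immutable tag, since a mutable tag makes what gets deployed depend on registry state at apply time.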
data/docs/_docs/config/skip.md
CHANGED
@@ -51,13 +51,13 @@ You can also use a block form to create multiple resources. You name the resour
|
|
51
51
|
deployment "demo-web" do
|
52
52
|
labels(role: "web")
|
53
53
|
replicas 1
|
54
|
-
image
|
54
|
+
image docker_image # IE: user/demo:kubes-2020-06-13T19-55-16-43afc6e
|
55
55
|
end
|
56
56
|
|
57
57
|
deployment "demo-web-2" do
|
58
58
|
labels(role: "web")
|
59
59
|
replicas 1
|
60
|
-
image
|
60
|
+
image docker_image # IE: user/demo:kubes-2020-06-13T19-55-16-43afc6e
|
61
61
|
end
|
62
62
|
```
|
63
63
|
|
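Review bot: the hunk header context ("You can also use a block form to create multiple resources") and the `deployment "demo-web"` bodies belong to dsl/multiple-resources.md (+3 -3 in the file list), not to config/skip.md under which this hunk is listed; check the file attribution, and note that the skip.md change itself (+1 -1) is not shown. The fix is right as far as it goes: a bare `image` line passes no value, and `image docker_image` ties the deployment to the image Kubes just built.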
@@ -70,7 +70,7 @@ You can also mix and matched resources. When you use the block form, the file na
|
|
70
70
|
deployment "demo-web" do
|
71
71
|
labels(role: "web")
|
72
72
|
replicas 1
|
73
|
-
image
|
73
|
+
image docker_image # IE: user/demo:kubes-2020-06-13T19-55-16-43afc6e
|
74
74
|
end
|
75
75
|
|
76
76
|
service "demo-web" do
|
@@ -0,0 +1,62 @@
|
|
1
|
+
---
|
2
|
+
title: Job
|
3
|
+
categories: dsl
|
4
|
+
---
|
5
|
+
|
6
|
+
## Example 1
|
7
|
+
|
8
|
+
Here's an example of an job.
|
9
|
+
|
10
|
+
.kubes/resources/migrate/job.rb
|
11
|
+
|
12
|
+
```ruby
|
13
|
+
name "<%= app %>"
|
14
|
+
image(docker_image)
|
15
|
+
```
|
16
|
+
|
17
|
+
Produces:
|
18
|
+
|
19
|
+
.kubes/output/migrate/job.yaml
|
20
|
+
|
21
|
+
```yaml
|
22
|
+
---
|
23
|
+
apiVersion: batch/v1
|
24
|
+
kind: Job
|
25
|
+
metadata:
|
26
|
+
name: demo
|
27
|
+
labels:
|
28
|
+
app: demo
|
29
|
+
namespace: demo-dev
|
30
|
+
spec:
|
31
|
+
template:
|
32
|
+
metadata:
|
33
|
+
labels:
|
34
|
+
app: demo
|
35
|
+
spec:
|
36
|
+
containers:
|
37
|
+
- image: 111111111111.dkr.ecr.us-west-2.amazonaws.com/demo:kubes-2020-10-26T20-25-43
|
38
|
+
name: demo
|
39
|
+
```
|
40
|
+
|
41
|
+
## DSL Methods
|
42
|
+
|
43
|
+
Here's a list of more common methods:
|
44
|
+
|
45
|
+
job.spec.template.spec.containers fields:
|
46
|
+
|
47
|
+
* args
|
48
|
+
* command
|
49
|
+
* env
|
50
|
+
* envFrom
|
51
|
+
* image
|
52
|
+
* imagePullPolicy
|
53
|
+
* lifecycle
|
54
|
+
* livenessProbe
|
55
|
+
* containerName
|
56
|
+
* ports
|
57
|
+
* readinessProbe
|
58
|
+
* volumeDevices
|
59
|
+
* volumeMounts
|
60
|
+
* workingDir
|
61
|
+
|
62
|
+
{% include dsl/methods.md name="job" %}
|
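Review bot: the rendered Job (lines 23-38 of the new page) has no `spec.template.spec.restartPolicy`; a Job's pod template must set it to `Never` or `OnFailure`, because the pod default `Always` is rejected by the API server, so either the DSL should emit a default or the example should show one, ideally alongside `backoffLimit`. In the methods list, `containerName` is not a container field; the Kubernetes field is `name`. Minor: "an job" should be "a job".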
data/docs/_docs/extra-env/dsl.md
CHANGED
@@ -14,7 +14,7 @@ labels(role: "web")
|
|
14
14
|
namespace with_extra("default")
|
15
15
|
|
16
16
|
replicas 1
|
17
|
-
image
|
17
|
+
image docker_image # IE: user/demo-web:kubes-2020-06-13T19-55-16-43afc6e
|
18
18
|
```
|
19
19
|
|
20
20
|
.kubes/resources/web/service.rb
|
@@ -50,7 +50,7 @@ labels(app: name, extra: extra)
|
|
50
50
|
namespace "default"
|
51
51
|
|
52
52
|
replicas 1
|
53
|
-
image
|
53
|
+
image docker_image # IE: user/demo-web:kubes-2020-06-13T19-55-16-43afc6e
|
54
54
|
```
|
55
55
|
|
56
56
|
.kubes/resources/web/service.rb
|
@@ -0,0 +1,41 @@
|
|
1
|
+
---
|
2
|
+
title: Generators
|
3
|
+
---
|
4
|
+
|
5
|
+
Kubes ships with a few generators to help you get building with Kubernetes quickly. The generated starter YAML should be modified and customized for your needs.
|
6
|
+
|
7
|
+
## Examples
|
8
|
+
|
9
|
+
Here are a few examples:
|
10
|
+
|
11
|
+
$ kubes new ingress
|
12
|
+
create .kubes/resources/web/ingress.yaml
|
13
|
+
$ kubes new service_account
|
14
|
+
create .kubes/resources/shared/service_account.yaml
|
15
|
+
$
|
16
|
+
|
17
|
+
Use `-h` to see the cli options:
|
18
|
+
|
19
|
+
kubes new -h
|
20
|
+
|
21
|
+
## Supported Resources
|
22
|
+
|
23
|
+
Here's a list of some of the supported resources.
|
24
|
+
|
25
|
+
backend_config
|
26
|
+
config_map
|
27
|
+
daemon_set
|
28
|
+
deployment
|
29
|
+
ingress
|
30
|
+
job
|
31
|
+
managed_certificate
|
32
|
+
namespace
|
33
|
+
network_policy
|
34
|
+
pod
|
35
|
+
role_binding
|
36
|
+
role
|
37
|
+
secret
|
38
|
+
service_account
|
39
|
+
service
|
40
|
+
|
41
|
+
Refer to the [source code](https://github.com/boltops-tools/kubes/blob/master/lib/templates/new/yaml) to all the resources that the generator supports.
|
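Review bot: lines 25-39 of the new page list the resource names on consecutive lines with no `*` markers or blank lines between them, so Markdown will collapse them into one paragraph; check likewise that the `$ kubes new ...` examples and the `kubes new -h` line are fenced or indented so they render as commands, and drop the stray `$` on line 15. "Refer to the source code to all the resources" reads better as "to see all the resources".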
data/docs/_docs/helpers.md
CHANGED
@@ -6,8 +6,8 @@ Kubes provides some helper methods to help write Kubernetes YAML files. Here's
|
|
6
6
|
|
7
7
|
Helper | Description
|
8
8
|
--- | ---
|
9
|
-
|
10
|
-
|
9
|
+
decode64 | Basey64 decode a string.
|
10
|
+
docker_image | Method refers to the latest Docker image built by Kubes. This spares you from having to update the image manually in the deployment resource. Note, this can be overridden with the `--image` cli option or the `Kubes.config.image` setting. See: [Docker Image]({% link _docs/intro/docker-image.md %})
|
11
11
|
dockerfile_port | Exposed port extracted from the Dockerfile of the project.
|
12
12
|
encode64 | Basey64 encode a string. Also available as `base64` method.
|
13
13
|
extra | The `KUBES_EXTRA` value.
|
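Review bot: "Basey64" in the new decode64 row (and in the untouched encode64 row below it) should be "Base64". The docker_image row names two overrides, the `--image` cli option and `Kubes.config.image`, without saying which wins when both are set. The table also no longer mentions `built_image`, which the CHANGELOG marks deprecated rather than removed; keeping a row for it flagged as deprecated lets readers of older templates find the replacement.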
@@ -17,4 +17,11 @@ Here's also the source code with most of the helpers: [helpers.rb](https://githu
|
|
17
17
|
|
18
18
|
## DSL Specific Methods
|
19
19
|
|
20
|
-
Each DSL resource has it's own specific methods. Refer to the [DSL Docs]({% link _docs/dsl.md %}) for their methods.
|
20
|
+
Each DSL resource has it's own specific methods. Refer to the [DSL Docs]({% link _docs/dsl.md %}) for their methods.
|
21
|
+
|
22
|
+
## Provider Helpers
|
23
|
+
|
24
|
+
There are also provider-specific helpers:
|
25
|
+
|
26
|
+
* [AWS Helpers]({% link _docs/helpers/aws.md %})
|
27
|
+
* [Google Helpers]({% link _docs/helpers/google.md %})
|
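Review bot: line 20 is removed and re-added with identical visible text, presumably a whitespace change, which is a chance to fix "it's own" to "its own".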
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
title: AWS Helpers
|
3
|
+
---
|
4
|
+
|
5
|
+
List of AWS helpers:
|
6
|
+
|
7
|
+
{% assign docs = site.docs | where: "categories","helpers-aws" %}
|
8
|
+
{% for doc in docs -%}
|
9
|
+
* [{{ doc.nav_text }}]({{ doc.url }})
|
10
|
+
{% endfor %}
|
11
|
+
|
12
|
+
## Notes
|
13
|
+
|
14
|
+
* By default, `KubeGoogle.logger = Kubes.logger`. This means, you can set `logger.level = "debug"` in `.kubes/config.rb` to see more details.
|
15
|
+
* The AWS helpers are provided by the [boltops-tools/kubes_aws](https://github.com/boltops-tools/kubes_aws) library.
|
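Review bot: the first Notes bullet reads `KubeGoogle.logger = Kubes.logger`, which looks copied from the Google helpers page; on this AWS page it should name the logger of the kubes_aws library cited in the next bullet.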
@@ -0,0 +1,91 @@
|
|
1
|
+
---
|
2
|
+
title: AWS IAM Role
|
3
|
+
nav_text: IAM Role
|
4
|
+
categories: helpers-aws
|
5
|
+
---
|
6
|
+
|
7
|
+
You can automatically create the IAM Role associated with the Kubernetes Service Account, covered in [Introducing fine-grained IAM roles for service accounts](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).
|
8
|
+
|
9
|
+
Here's a Kubes hook that creates an IAM Role:
|
10
|
+
|
11
|
+
.kubes/config/hooks/kubes.rb
|
12
|
+
|
13
|
+
```ruby
|
14
|
+
iam_role = KubesAws::IamRole.new(
|
15
|
+
app: "demo",
|
16
|
+
namespace: "demo-#{Kubes.env}", # defaults to APP-ENV when not set. IE: demo-dev
|
17
|
+
managed_policies: ["AmazonS3ReadOnlyAccess", "AmazonSSMReadOnlyAccess"], # defaults to empty when not set
|
18
|
+
inline_policies: [:secrets_read_only], # See Secrets Read Only Inline Policy at the bottom
|
19
|
+
)
|
20
|
+
before("apply",
|
21
|
+
label: "create iam role",
|
22
|
+
execute: iam_role,
|
23
|
+
)
|
24
|
+
KubesAws::IamRole.role_arn = iam_role.arn # used in .kubes/resources/shared/service_account.yaml
|
25
|
+
```
|
26
|
+
|
27
|
+
The corresponding Kubernetes Service account looks like this:
|
28
|
+
|
29
|
+
.kubes/resources/shared/service_account.yaml
|
30
|
+
|
31
|
+
```yaml
|
32
|
+
apiVersion: v1
|
33
|
+
kind: ServiceAccount
|
34
|
+
metadata:
|
35
|
+
annotations:
|
36
|
+
eks.amazonaws.com/role-arn: <%= KubesAws::IamRole.role_arn %>
|
37
|
+
name: demo
|
38
|
+
labels:
|
39
|
+
app: demo
|
40
|
+
```
|
41
|
+
|
42
|
+
The role policy permissions are currently always added to the existing permissions. So removing roles that were previously added does not remove them.
|
43
|
+
|
44
|
+
IamRole#initialize options:
|
45
|
+
|
46
|
+
Variable | Description | Default
|
47
|
+
---|---|---
|
48
|
+
app | The app name. It's used to set other variables conventionally. This is required. | nil
|
49
|
+
ksa | The Kubernetes Service Account name. The conventional name is APP. IE: demo | APP
|
50
|
+
namespace | The Kubernetes namespace. Defaults to the APP-ENV. IE: demo-dev. | APP-ENV
|
51
|
+
policies | IAM policies to add. This adds permissions to the IAM Role. | []
|
52
|
+
role_name | The IAM Role name. The conventional name is APP-ENV. IE: demo-dev. | APP-ENV
|
53
|
+
|
54
|
+
## OpenID Connect Provider
|
55
|
+
|
56
|
+
The `KubesAws::IamRole` class also automatically creates the OpenID Connect Provider if it doesn't already exist.
|
57
|
+
|
58
|
+
## Secrets Read-Only Inline Policy
|
59
|
+
|
60
|
+
Note the the `:secrets_read_only` is a way to generate an Inline Policy that represents read-only access for Secrets. Kubes does this since there's no managed policy for this yet. For example:
|
61
|
+
|
62
|
+
```ruby
|
63
|
+
inline_policies: [:secrets_read_only]
|
64
|
+
```
|
65
|
+
|
66
|
+
Is the same as:
|
67
|
+
|
68
|
+
```ruby
|
69
|
+
inline_secrets_read_only = {
|
70
|
+
policy_document: {
|
71
|
+
Version: "2012-10-17",
|
72
|
+
Statement: {
|
73
|
+
Effect: "Allow",
|
74
|
+
Action: [
|
75
|
+
"secretsmanager:Describe*",
|
76
|
+
"secretsmanager:Get*",
|
77
|
+
"secretsmanager:List*"
|
78
|
+
],
|
79
|
+
Resource: "*"
|
80
|
+
}
|
81
|
+
},
|
82
|
+
policy_name: "SecretsReadOnly",
|
83
|
+
}
|
84
|
+
iam_role = KubesAws::IamRole.new(
|
85
|
+
app: "rails",
|
86
|
+
cluster: "dev-cluster",
|
87
|
+
namespace: "rails-#{Kubes.env}", # defaults to APP-ENV when not set. IE: rails-dev
|
88
|
+
managed_policies: ["AmazonS3ReadOnlyAccess", "AmazonSSMReadOnlyAccess"], # defaults to empty when not set
|
89
|
+
inline_policies: [inline_secrets_read_only],
|
90
|
+
)
|
91
|
+
```
|
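Review bot: the `:secrets_read_only` inline policy (lines 69-83) grants `secretsmanager:Describe*`, `Get*` and `List*` on `Resource: "*"`, that is read access to every secret in the account, and line 42 says policy permissions are only ever added, never removed, so the role's permissions ratchet upward over the life of the project. Scope the Resource to the app's secret ARN prefix (placeholder form: `arn:aws:secretsmanager:<region>:<account-id>:secret:demo/dev/*`) and tell the reader that dropping a policy from the hook does nothing until it is detached from the role out of band, so the role should be audited periodically. The options table also disagrees with the examples: the code uses `managed_policies`, `inline_policies` and `cluster`, none of which appear in the table, while the table's `policies` is never used. Minor: "Note the the" on line 60.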
@@ -0,0 +1,129 @@
|
|
1
|
+
---
|
2
|
+
title: AWS Secrets
|
3
|
+
nav_text: Secrets
|
4
|
+
categories: helpers-aws
|
5
|
+
---
|
6
|
+
|
7
|
+
## Simple Values
|
8
|
+
|
9
|
+
For example if you have these secret values:
|
10
|
+
|
11
|
+
$ aws secretsmanager get-secret-value --secret-id demo/dev/db_user | jq '.SecretString'
|
12
|
+
user
|
13
|
+
$ aws secretsmanager get-secret-value --secret-id demo/dev/db_pass | jq '.SecretString'
|
14
|
+
pass
|
15
|
+
|
16
|
+
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
17
|
+
|
18
|
+
.kubes/config/hooks/kubes.rb
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
secrets = KubesAws::Secrets.new(upcase: true, prefix: "demo/dev/")
|
22
|
+
before("compile",
|
23
|
+
label: "Get secrets from AWS Secrets Manager",
|
24
|
+
execute: secrets,
|
25
|
+
)
|
26
|
+
```
|
27
|
+
|
28
|
+
Then set the secrets in the YAML:
|
29
|
+
|
30
|
+
.kubes/resources/shared/secret.yaml
|
31
|
+
|
32
|
+
```yaml
|
33
|
+
apiVersion: v1
|
34
|
+
kind: Secret
|
35
|
+
metadata:
|
36
|
+
name: demo
|
37
|
+
labels:
|
38
|
+
app: demo
|
39
|
+
data:
|
40
|
+
<% KubesAws::Secrets.data.each do |k,v| -%>
|
41
|
+
<%= k %>: <%= base64(v) %>
|
42
|
+
<% end -%>
|
43
|
+
```
|
44
|
+
|
45
|
+
This results in AWS secrets with the prefix the `demo/dev/` being added to the Kubernetes secret data. The values are automatically base64 encoded. Produces:
|
46
|
+
|
47
|
+
.kubes/output/shared/secret.yaml
|
48
|
+
|
49
|
+
```yaml
|
50
|
+
metadata:
|
51
|
+
namespace: demo
|
52
|
+
name: demo-2a78a13682
|
53
|
+
labels:
|
54
|
+
app: demo
|
55
|
+
apiVersion: v1
|
56
|
+
kind: Secret
|
57
|
+
data:
|
58
|
+
db_pass: dGVzdDEK
|
59
|
+
db_user: dGVzdDIK
|
60
|
+
```
|
61
|
+
|
62
|
+
## JSON Values
|
63
|
+
|
64
|
+
For example if you have these secret values:
|
65
|
+
|
66
|
+
$ aws secretsmanager get-secret-value --secret-id demo/dev/k2 | jq '.SecretString'
|
67
|
+
{\"a\":1,\"b\":2}"
|
68
|
+
|
69
|
+
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
70
|
+
|
71
|
+
.kubes/config/hooks/kubes.rb
|
72
|
+
|
73
|
+
```ruby
|
74
|
+
secrets = KubesAws::Secrets.new(prefix: "rails/dev/")
|
75
|
+
before("compile",
|
76
|
+
label: "Get secrets from AWS Secrets Manager",
|
77
|
+
execute: secrets,
|
78
|
+
)
|
79
|
+
```
|
80
|
+
|
81
|
+
Then set the secrets in the YAML:
|
82
|
+
|
83
|
+
.kubes/resources/shared/secret.yaml
|
84
|
+
|
85
|
+
```yaml
|
86
|
+
apiVersion: v1
|
87
|
+
kind: Secret
|
88
|
+
metadata:
|
89
|
+
name: demo
|
90
|
+
labels:
|
91
|
+
app: demo
|
92
|
+
data:
|
93
|
+
<% k2 = JSON.load(KubesAws::Secrets.data["k2"]) %>
|
94
|
+
a: <%= base64(k2["a"]) %>
|
95
|
+
b: <%= base64(k2["b"]) %>
|
96
|
+
```
|
97
|
+
|
98
|
+
Produces:
|
99
|
+
|
100
|
+
```yaml
|
101
|
+
metadata:
|
102
|
+
namespace: demo-dev
|
103
|
+
name: demo-a4cd604a95
|
104
|
+
labels:
|
105
|
+
app: demo
|
106
|
+
apiVersion: v1
|
107
|
+
kind: Secret
|
108
|
+
data:
|
109
|
+
a: MQ==
|
110
|
+
b: Mg==
|
111
|
+
```
|
112
|
+
|
113
|
+
## Variables
|
114
|
+
|
115
|
+
These environment variables can be set:
|
116
|
+
|
117
|
+
Name | Description
|
118
|
+
---|---
|
119
|
+
AWS_SECRET_PREFIX | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`.
|
120
|
+
|
121
|
+
Secrets#initialize options:
|
122
|
+
|
123
|
+
Variable | Description | Default
|
124
|
+
---|---|---
|
125
|
+
base64 | Automatically base64 encode the values. | false
|
126
|
+
upcase | Automatically upcase the Kubernetes secret data keys. | false
|
127
|
+
prefix | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`. Can also be set with the `AWS_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
|
128
|
+
|
129
|
+
{% include helpers/base64.md %}
|
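Review bot: the Simple Values example does not match its own output: the hook passes `upcase: true` but the produced keys are lowercase `db_pass`/`db_user`, and `dGVzdDEK`/`dGVzdDIK` decode to `test1\n`/`test2\n` rather than the `pass`/`user` values fetched above (a trailing newline in a password breaks clients that read the mounted secret verbatim); regenerate the output from the example as written. The `base64` option in the table (line 125) and the `base64(v)` helper in the template do the same job, so say which to use, since combining them double-encodes the value, and "The values are automatically base64 encoded" is misleading when the template calls the helper explicitly. The JSON example switches the prefix to `rails/dev/` while the secret id is `demo/dev/k2`, and the `jq` output on line 67 has an unbalanced quote. Finally, `.kubes/output/shared/secret.yaml` holds the secret values merely base64-encoded, so the page should remind readers to keep `.kubes/output` out of version control.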