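#!/usr/bin/env bash
# Iterate through the list of all secrets in AWS Secrets Manager under a name
# prefix and inject each one into the cluster as a Kubernetes Secret.
#
# Usage: inject.sh secret_prefix cluster namespace region profile
#   secret_prefix  Secrets Manager name prefix, e.g. "myservice/prod"
#   cluster        cluster name; used in log output only. kubectl runs against
#                  the current kubeconfig context, no context switch happens here.
#   namespace      Kubernetes namespace the Secrets are created in
#   region         AWS region passed to the aws CLI (--region)
#   profile        AWS CLI profile passed to the aws CLI (--profile)
#
# A Secrets Manager secret "<prefix>/a/b_c" becomes a k8s Secret named "a-b-c"
# with a single key "password" holding its SecretString. Existing Secrets are
# updated in place (render with --dry-run, then `kubectl apply`).
#
# Region and profile are deliberately passed as flags and NOT exported, so a
# credential helper configured in the kubeconfig (if any) keeps its own AWS
# settings.
#
# Requires: aws, kubectl, jq.
# Exit status: 0 when every non-empty secret was injected, 1 on any failure,
# 2 on bad usage.
set -euo pipefail

readonly K8S_SECRET_KEY=password

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a warning to stderr; the script continues.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

usage() {
  printf 'usage: %s secret_prefix cluster namespace region profile\n' "$0" >&2
  exit 2
}

#######################################
# Pick the --dry-run spelling for the installed kubectl client.
# kubectl 1.18 turned the boolean --dry-run into --dry-run=client.
# Outputs: the flag on stdout
# Returns: non-zero (via die) if the version cannot be parsed
#######################################
detect_dry_run_flag() {
  local ver major minor
  ver=$(kubectl version --client=true -o json \
    | jq -rj '.clientVersion | .major, ".", .minor') \
    || die "could not determine kubectl client version"
  major=${ver%%.*}
  minor=${ver#*.}
  # some builds report the minor version as e.g. "18+"; keep leading digits only
  major=${major%%[^0-9]*}
  minor=${minor%%[^0-9]*}
  [[ -n "$major" && -n "$minor" ]] \
    || die "unexpected kubectl client version '${ver}'"
  if (( major > 1 || minor > 17 )); then
    printf '%s' '--dry-run=client'
  else
    printf '%s' '--dry-run'
  fi
}

#######################################
# List Secrets Manager secret names that start with a prefix, one per line.
# Arguments: $1 prefix (already validated), $2 region, $3 profile
# Outputs:   secret names on stdout, possibly none
# Returns:   non-zero (via die) if the aws CLI fails or returns None
#######################################
list_secret_names() {
  local prefix=$1 region=$2 profile=$3
  local names
  # The prefix is embedded in the JMESPath query as a raw-string literal; main
  # has already restricted it to the Secrets Manager name character set, so it
  # cannot alter the query structure.
  names=$(aws secretsmanager list-secrets \
    --profile "$profile" --region "$region" \
    --query "SecretList[?Name!=\`null\`]|[?starts_with(Name, '${prefix}') == \`true\`].Name" \
    --output text) \
    || die "aws secretsmanager list-secrets failed"
  [[ "$names" != "None" ]] \
    || die "aws secrets manager list-secrets returned None."
  # text output is tab separated on one line; emit one name per line
  tr -s '[:space:]' '\n' <<<"$names" | awk 'NF'
}

#######################################
# Print the table header shown before the first injected secret.
# Outputs: header lines on stdout
#######################################
print_table_header() {
  local rule
  rule=$(printf '=%.0s' {1..20})
  echo
  printf '%-65s----> %s\n' 'AWS Secret name' 'k8s Secret Name'
  printf '%-70s %s\n' "$rule" "$rule"
}

#######################################
# Create or update one k8s Secret holding a single key.
# Arguments: $1 k8s secret name, $2 value, $3 namespace, $4 dry-run flag
# Returns:   the status of the kubectl pipeline
#######################################
upsert_k8s_secret() {
  local name=$1 value=$2 ns=$3 dry_run_flag=$4
  # Render the Secret client-side and apply it, so an existing Secret is
  # updated in place instead of `create` failing on a duplicate. The value is
  # fed to kubectl over stdin rather than --from-literal so it never appears in
  # the process argument list, which other users on the host can read.
  printf '%s' "$value" \
    | kubectl create secret generic "$name" \
        --from-file="${K8S_SECRET_KEY}=/dev/stdin" \
        -n "$ns" "$dry_run_flag" -o yaml \
    | kubectl apply -n "$ns" -f - >/dev/null
}

main() {
  (( $# == 5 )) || usage
  local secret_prefix=$1 cluster=$2 namespace=$3 region=$4 profile=$5
  local tool
  for tool in aws kubectl jq; do
    command -v "$tool" >/dev/null || die "required tool not found: ${tool}"
  done
  # Secrets Manager names are limited to these characters; rejecting anything
  # else keeps the prefix safe to embed in the list-secrets query.
  [[ "$secret_prefix" =~ ^[A-Za-z0-9/_+=.@-]+$ ]] \
    || die "secret_prefix contains characters not allowed in Secrets Manager names"

  local dry_run_flag
  dry_run_flag=$(detect_dry_run_flag) || exit 1

  printf 'Injecting all secrets under %s from AWS Secrets Manager into cluster %s, namespace %s\n' \
    "$secret_prefix" "$cluster" "$namespace"

  local names_text
  names_text=$(list_secret_names "$secret_prefix" "$region" "$profile") || exit 1
  local -a secret_names=()
  if [[ -n "$names_text" ]]; then
    mapfile -t secret_names <<<"$names_text"
  fi

  local secret_name k8s_secret_name value
  local injected=0 failed=0
  for secret_name in "${secret_names[@]}"; do
    printf 'secret name: %s\n' "$secret_name"
    # k8s-friendly name: drop "<prefix>/" and turn '/' and '_' into '-'
    k8s_secret_name=${secret_name#"$secret_prefix"/}
    k8s_secret_name=${k8s_secret_name//\//-}
    k8s_secret_name=${k8s_secret_name//_/-}
    if [[ -z "$k8s_secret_name" ]]; then
      warn "k8s_secret_name empty for secret_name=${secret_name}; not injecting this secret."
      continue
    fi
    if ! value=$(aws secretsmanager get-secret-value --secret-id "$secret_name" \
        --profile "$profile" --region "$region" \
        --query 'SecretString' --output text); then
      warn "could not read secret_name=${secret_name}; not injecting this secret."
      failed=$((failed + 1))
      continue
    fi
    # `--output text` prints "None" when the secret has no SecretString
    # (binary secrets); treat that like an empty value rather than storing it.
    if [[ -z "$value" || "$value" == "None" ]]; then
      warn "secret value is empty for secret_name=${secret_name}. not injecting this secret."
      continue
    fi
    # header goes before the first secret that is actually injected
    if (( injected == 0 )); then
      print_table_header
    fi
    printf '%-70s %s\n' "$secret_name" "$k8s_secret_name"
    if upsert_k8s_secret "$k8s_secret_name" "$value" "$namespace" "$dry_run_flag"; then
      injected=$((injected + 1))
    else
      warn "kubectl failed for k8s secret ${k8s_secret_name}"
      failed=$((failed + 1))
    fi
  done
  unset value

  if (( ${#secret_names[@]} == 0 )); then
    printf 'No secrets found in AWS Secrets Manager for secret name prefix %s.\n' "$secret_prefix"
  fi
  (( failed == 0 )) || die "${failed} secret(s) could not be injected"
}

main "$@"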