[Feature][Add] Added AWS secret manager support (#10)

* Added Badges for Project

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added Badges for Project

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added Badges for Project

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added Badges for Project

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added AWS secret manager support

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added an example for AWS

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added AWS information in README

Signed-off-by: iamabhishek-dubey <[email protected]>

* Added AWS information in README

Signed-off-by: iamabhishek-dubey <[email protected]>

* Updated docs with latest information

Signed-off-by: iamabhishek-dubey <[email protected]>

CHANGELOG.md

@@ -1,3 +1,12 @@
+### v2.0
+##### May 8, 2021
+
+#### :tada: [Features Added]
+
+- Added AWS Secret Manager support
+- Inject secret directly to pods/containers from AWS Secret Manager
+- Authentication with AWS Secret Manager with access key and iam role 
+
 ### v1.0
 ##### April 11, 2021
 

Makefile

@@ -2,7 +2,7 @@
 REGISTRY ?= quay.io
 REPOSITORY ?= $(REGISTRY)/opstree
 ARTIFACT_NAME=k8s-vault-webhook
-VERSION = 1.0
+VERSION = 2.0
 
 all: build-code build-image
 

README.md

@@ -31,10 +31,10 @@ Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-w
 The secret managers which are currently supported:-
 
 - **[Hashicorp Vault](https://www.vaultproject.io/)**
+- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 
 There are some secret managers which are planned to be implemented in future.
 
-- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
 
@@ -43,6 +43,8 @@ There are some secret managers which are planned to be implemented in future.
 - Authentication to Hashicorp vault using Kubernetes service-account
 - RBAC implementation of vault using different policies of vault and association of policy with service-account
 - Inject secret directly to pods/containers running inside Kubernetes
+- Inject secret directly to pods/containers from AWS Secret Manager
+- Authentication with AWS Secret Manager with access key and iam role
 - Support regex to inject all secrets from a certain path of Vault
 - Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable
 
@@ -64,16 +66,6 @@ $ helm upgrade k8s-vault-webhook ot-helm/k8s-vault-webhook --namespace <namespac
 
 If you want to pass your custom values file while installing the chart, you can find the values file [here](https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/k8s-vault-webhook/values.yaml)
 
-### Annotations
-
-|**Name**|**Description**|**Required**|**Default**|
-|--------|---------------|------------|-----------|
-|`vault.opstree.secret.manager/enabled`| Enables the vault secret manager | - | false |
-|`vault.opstree.secret.manager/service`| Vault cluster address with http prefix | yes | - |
-|`vault.opstree.secret.manager/tls-secret`| Vault TLS secret name if vault is configured on TLS | no | - |
-|`vault.opstree.secret.manager/role`| Vault role created with Kubernetes serviceaccount | yes | - |
-|`vault.opstree.secret.manager/path`| Path of the secret in vault | no | - |
-
 ### Quickstart
 
 For setting up a quickstart environment for demo, you can start quickstart from [here](https://ot-container-kit.github.io/k8s-vault-webhook/)

annotations.go

@@ -1,6 +1,21 @@
 package main
 
 const (
+	// AnnotationAWSSecretManagerEnabled if enabled it will use AWS secret manager
+	AnnotationAWSSecretManagerEnabled = "aws.opstree.secret.manager/enabled"
+
+	// AnnotationAWSSecretManagerRegion the region for which the secret manager is set
+	AnnotationAWSSecretManagerRegion = "aws.opstree.secret.manager/region"
+
+	// AnnotationAWSSecretManagerRoleARN if specified it will assume the role for fetching the secret
+	AnnotationAWSSecretManagerRoleARN = "aws.opstree.secret.manager/role-arn"
+
+	// AnnotationAWSSecretManagerSecretName aws secret manager secret name to fetch
+	AnnotationAWSSecretManagerSecretName = "aws.opstree.secret.manager/secret-name"
+
+	// AnnotationAWSSecretManagerPreviousVersion when used will retrive the previous version for the secret
+	// note that AWS only supports single previous version
+	AnnotationAWSSecretManagerPreviousVersion = "aws.opstree.secret.manager/previous-version"
 
 	// AnnotationVaultEnabled if enabled use vault as the secret manager
 	AnnotationVaultEnabled = "vault.opstree.secret.manager/enabled"

aws.go

@@ -0,0 +1,43 @@
+package main
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+type aws struct {
+	config struct {
+		enabled         bool
+		region          string
+		secretName      string
+		previousVersion string
+		roleARN         string
+	}
+}
+
+func (aws *aws) mutateContainer(container corev1.Container) corev1.Container {
+	container = aws.setArgs(container)
+	return container
+}
+
+func (aws *aws) setArgs(c corev1.Container) corev1.Container {
+	args := []string{"aws"}
+	args = append(args, fmt.Sprintf("--region=%s", aws.config.region))
+
+	if aws.config.secretName != "" {
+		args = append(args, fmt.Sprintf("--secret-name=%s", aws.config.secretName))
+	}
+
+	if aws.config.roleARN != "" {
+		args = append(args, fmt.Sprintf("--role-arn=%s", aws.config.roleARN))
+	}
+
+	if aws.config.secretName != "" {
+		args = append(args, fmt.Sprintf("--previous-version=%s", aws.config.previousVersion))
+	}
+
+	args = append(args, "--")
+	c.Args = append(args, c.Args...)
+	return c
+}

docs/src/.vuepress/config.js

@@ -69,13 +69,15 @@ module.exports = {
           collapsable: false,
           children: [
             'hashicorp-vault',
+            'aws-secret-manager',
           ]
         },
         {
           title: 'Examples',
           collapsable: false,
           children: [
             'hashicorp-vault-example',
+            'aws-secret-manager-example',
           ]
         },
         {

docs/src/guide/README.md

@@ -12,10 +12,10 @@ Documentation is available here:- [https://ot-container-kit.github.io/k8s-vault-
 The secret managers which are currently supported:-
 
 - **[Hashicorp Vault](https://www.vaultproject.io/)**
+- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 
 There are some secret managers which are planned to be implemented in future.
 
-- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
 
@@ -24,11 +24,21 @@ There are some secret managers which are planned to be implemented in future.
 - Authentication to Hashicorp vault using Kubernetes service-account
 - RBAC implementation of vault using different policies of vault and association of policy with service-account
 - Inject secret directly to pods/containers running inside Kubernetes
+- Inject secret directly to pods/containers from AWS Secret Manager
+- Authentication with AWS Secret Manager with access key and iam role
 - Support regex to inject all secrets from a certain path of Vault
 - Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable
 
 ## Architecture
 
-<div align="center">
-    <img src="./images/k8s-vault-webhook-arc.png">
+### Hashicorp Vault
+
+<div align="center" style="padding-top: 25px;">
+    <img src="./images/k8s-vault-webhook-arc-vault.png">
+</div>
+
+### AWS Secret Manager
+
+<div align="center" style="padding-top: 25px;">
+    <img src="./images/k8s-vault-webhook-arc-aws.png">
 </div>

docs/src/guide/annotations.md

@@ -6,10 +6,10 @@ Based on these annotations, the secrets will be mutated.
 The annotations which are currently supported:-
 
 - **[Hashicorp Vault](https://www.vaultproject.io/)**
+- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 
 There are some other annotations which are planned to be implemented in future.
 
-- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
 - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
 
@@ -29,3 +29,13 @@ The available annotations for k8s vault webhook are:-
 |`vault.opstree.secret.manager/secret-version` | Vault secret version (if using v2 secret engine) | Yes | - | 
 |`vault.opstree.secret.manager/use-secret-names-as-keys` | treat secret path ending with / as directory where secret name is the key and a single value in each | No | - |
 |`vault.opstree.secret.manager/auth-path`| alternate kubernetes backend auth path | No | `auth/kubernetes/login` |
+
+## AWS Annotations
+
+|**Name**|**Description**|**Required**|**Default**|
+|--------|---------------|------------|-----------|
+|`aws.secret.manager/enabled`| Enable the AWS secret manager | - | false |
+|`aws.secret.manager/region`| AWS secret manager region | no | us-east-1 |
+|`aws.secret.manager/role-arn`| AWS IAM Role to access the secret | no | |
+|`aws.secret.manager/secret-name`| Name of the AWS secret | no | |
+|`aws.secret.manager/previous-version`| If the secret is rotated, set to "true" | no | |

docs/src/guide/aws-secret-manager-example.md

@@ -0,0 +1,79 @@
+# AWS Secret Manager
+
+Let's try to create a deployment to inject secrets directly from AWS Secret Manager. For example, purpose we are taking mysql as deployment and then we will try to set mysql root password using k8s-vault-webhook.
+
+We can use our [example](https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/tree/master/example) folder.
+
+The environment variables will get substitute automatically, we just have to provide some custom annotations.
+
+```yaml
+  template:
+    metadata:
+      labels:
+        app: k8s-aws-mysql
+        tier: mysql
+      annotations:
+        aws.opstree.secret.manager/enabled: "true"
+        aws.opstree.secret.manager/region: "us-west-2"
+# Use this role-arn if cluster is configured in AWS
+        # aws.opstree.secret.manager/role-arn: "arn:aws:iam::999:role/secretManager"
+        aws.opstree.secret.manager/secret-name: "test-secret"
+    spec:
+      containers:
+      - image: opstree/mysql:latest
+        name: mysql
+# If running outside AWS
+        env:
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: aws-secret
+              key: AWS_ACCESS_KEY_ID
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: aws-secret
+              key: AWS_SECRET_ACCESS_KEY
+```
+
+Let's try to apply the deployment manifest.
+
+```shell
+$ kubectl apply -f example/aws-mysql-example.yaml
+...
+deployment.apps/k8s-aws-mysql configured
+```
+
+Verify the mysql pods are running or not by using `kubectl` command line.
+
+```shell
+$ kubectl get pods
+...
+NAME                                       READY   STATUS    RESTARTS   AGE
+k8s-aws-mysql-5fcb986486-npjql             1/1     Running   0          16h
+```
+
+Now let's try to get inside the `mysql` pod and see if the AWS Secret Manager's password is working fine or not.
+
+```shell
+$ kubectl exec -it k8s-aws-mysql-5fcb986486-npjql \
+    -- mysql -u root -pawspassword -e "show databases;"
+...
+Warning: Using a password on the command line interface can be insecure.
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
++--------------------+
+```
+
+Also, try to check the value in environment variable of MySQL pod.
+
+```shell
+$ kubectl exec -it k8s-aws-mysql-5fcb986486-npjql \
+    -- env | grep ROOT
+...
+No output
+```

docs/src/guide/aws-secret-manager.md

@@ -0,0 +1,25 @@
+# AWS Secret Manager
+
+For integrating AWS Secret Manager with the K8s Vault Webhook, first we need to setup AWS Secret Manager inside AWS account.
+
+Here we will talk about the integration of AWS Secret Manager inside Kubernetes.
+
+## Secret Manager Setup
+
+Login into the [AWS Management Console](https://console.aws.amazon.com/console/home?nc2=h_ct&src=header-signin) and select [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) service.
+
+![](./images/aws-secret-manager-aws.png)
+
+Create a secret in the secret-manager and select the secret type `Other type of secrets` and specify the key value pairs with these details.
+
+|**Key**|**Value**|
+|-------|---------|
+| MYSQL_ROOT_PASSWORD | awspassword |
+
+![](./images/aws-secret-manager-config.png)
+
+You should provide and description as well to the secret.
+
+![](./images/aws-secret-manager-name.png)
+
+Create the secret after all configuration to use it inside Kubernetes.

docs/src/guide/changelog.md

@@ -1,3 +1,12 @@
+### v2.0
+**May 8, 2021**
+
+**:tada: [Features Added]**
+
+- Added AWS Secret Manager support
+- Inject secret directly to pods/containers from AWS Secret Manager
+- Authentication with AWS Secret Manager with access key and iam role 
+
 ### v1.0
 **April 11, 2021**
 

docs/src/guide/configuration.md

@@ -10,7 +10,7 @@ There is not alot of configuration changes requires to deploy K8s Vault Webhook.
 |debug| debug logs for webhook | `false` |
 |image.pullPolicy| image pull policy | `IfNotPresent`|
 |image.repository| image repo that contains the admission server | `quay.io/opstree/k8s-vault-webhook` |
-|image.tag| image tag for admission server | `1.0` |
+|image.tag| image tag for admission server | `2.0` |
 |image.imagePullSecrets| image pull secrets for private repositories | `[]` |
 |namespaceSelector| namespace selector to use, will limit webhook scope | `{}` |
 |nodeSelector|node selector to use | `{}` |
@@ -24,7 +24,7 @@ There is not alot of configuration changes requires to deploy K8s Vault Webhook.
 |rbac.enabled |use rbac | `true` |
 |rbac.psp.enabled |use pod security policy | `true` |
 |env.VAULT_IMAGE | vault image  | `vault:latest` |
-|env.SECRET_CONSUMER_ENV_IMAGE | vault-env image  | `quay.io/opstree/k8s-secret-injector:1.0` |
+|env.K8S_SECRET_INJECTOR_IMAGE | vault-env image  | `quay.io/opstree/k8s-secret-injector:2.0` |
 |volumes |extra volume definitions  | `[]` |
 |volumeMounts |extra volume mounts  | `[]` |
 | configMapMutation                | enable injecting values from Vault to ConfigMaps                             | `false`                             |

docs/src/guide/secret-manager.md

@@ -25,6 +25,8 @@ Vault comes with various pluggable components called secrets engines and authent
 
 AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
 
+![](./images/aws-secret-manager-arc.jpg)
+
 ## Azure Key Vault
 
 Azure Key Vault is cloud service to securely store and accessing credentials such as API Keys, passwords, certificates or cryptographic keys.

docs/src/index.md

@@ -1,6 +1,6 @@
 ---
 home: true
-heroImage: https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/raw/master/static/k8s-vault-webhook-logo.svg
+heroImage: https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/raw/master/docs/src/guide/images/k8s-vault-webhook-logo.svg
 tagline: A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
 actionText: Quick Start →
 actionLink: /guide/