Simple tool, that fetches a secret from AWS Secret Manager and pipes it into a kubernetes sealed secret
For kubernetes-secret-sealer to work as intended, several prerequisites have to be fulfilled:

- pipx installed: github.com/pipxproject/pipx
- aws CLI installed, with permissions to access AWS Secrets Manager (e.g. `aws secretsmanager list-secrets` must succeed): docs.aws.amazon.com/cli/latest/userguide/cli-chap-install
- kubectl installed, with permissions to access Kubernetes secrets (e.g. `kubectl get secrets` must succeed): kubernetes.io/docs/tasks/tools/install-kubectl/
- kubeseal client installed: github.com/bitnami-labs/sealed-secrets#homebrew
pipx install . # installs to `$HOME/.local/bin/kubernetes-secret-sealer`; make sure `$HOME/.local/bin` is on your PATH
pipsi (legacy) installation instructions

# legacy: pipsi is no longer maintained. See pipx for an actively maintained alternative.
pipsi install .
pipsi install --python /opt/local/bin/python3.7 . # on macOS
kubernetes-secret-sealer --help # show help message and exit
# get secret from AWS Secrets Manager and generate sealed-secret.yaml
kubernetes-secret-sealer \
-p $AWS_PROFILE \
-n $AWS_SECRETS_NAME \
-kns $KUBERNETES_NAMESPACE \
--cert ./path/to/sealed-secret-cert.pem \
-o yaml \
-f ./path/to/sealed-secret.yaml \
-b accountJsonAsString \
-tt Opaque
Secrets are stored only in AWS Secrets Manager; this tool writes no unencrypted secrets to the filesystem. The only file it produces is the SealedSecret, which is encrypted to the cluster's public sealing certificate (`--cert`) and, with sealed-secrets' default scope, bound to the name and namespace given via `-n` and `-kns`, so it has to be applied in that same namespace. The workflow is therefore to generate the SealedSecret and apply it with kubectl:
kubernetes-secret-sealer \
-p $AWS_PROFILE \
-n supersecret \
-kns $KUBERNETES_NAMESPACE \
--cert ./dev-cluster.pem \
-o yaml \
-f supersecret_sealedsecret.yaml
kubectl apply -f supersecret_sealedsecret.yaml
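The same pipeline written out in Python, as an added example that is not the kubernetes-secret-sealer source: the SecretString is fetched with boto3, turned into a plain Kubernetes Secret manifest, and piped over stdin into `kubeseal --cert ... --format yaml`, so the plaintext never touches the filesystem and only the sealed output is written. It assumes boto3 is installed and the kubeseal binary is on PATH; all function names, the `value` fallback key, the reuse of the AWS secret name as the Kubernetes Secret name, and the option names are this example's own choices, not the tool's.

```python
"""Added example (not kubernetes-secret-sealer's own code): fetch a secret from
AWS Secrets Manager and seal it with the cluster's public certificate via kubeseal.

The plaintext only travels over a pipe into kubeseal; nothing unencrypted is
written to disk. Assumed tooling: boto3 for the AWS call, kubeseal on PATH.
"""
import argparse
import base64
import json
import subprocess
import sys
from typing import Dict, Optional


def fetch_secret_string(secret_id: str, profile: Optional[str] = None) -> str:
    """Return the SecretString of an AWS Secrets Manager secret (needs boto3)."""
    import boto3  # imported here so the rest of the module works without it

    session = boto3.Session(profile_name=profile)
    response = session.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return response["SecretString"]


def parse_secret_string(secret_string: str, body_key: Optional[str] = None) -> Dict[str, str]:
    """Map a SecretString onto Kubernetes Secret data keys.

    - body_key given: the whole string becomes one value under that key
      (e.g. a JSON blob stored as a single file in the Secret).
    - otherwise a flat JSON object becomes one key per field; non-string
      field values are re-serialized as JSON text.
    - anything else lands under the key "value" (this example's fallback).
    """
    if body_key:
        return {body_key: secret_string}
    try:
        parsed = json.loads(secret_string)
    except json.JSONDecodeError:
        return {"value": secret_string}
    if not isinstance(parsed, dict):
        return {"value": secret_string}
    return {k: v if isinstance(v, str) else json.dumps(v) for k, v in parsed.items()}


def build_secret_manifest(name: str, namespace: str, data: Dict[str, str],
                          secret_type: str = "Opaque") -> dict:
    """Build the plain (unsealed) Secret manifest kubeseal expects; data is base64."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": secret_type,
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def seal(manifest: dict, cert_path: str, kubeseal: str = "kubeseal") -> str:
    """Pipe the Secret manifest (JSON) into kubeseal; return the SealedSecret YAML."""
    proc = subprocess.run(
        [kubeseal, "--cert", cert_path, "--format", "yaml"],
        input=json.dumps(manifest).encode(),  # stdin pipe: plaintext never hits disk
        capture_output=True,
        check=True,
    )
    return proc.stdout.decode()


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Seal an AWS Secrets Manager secret for Kubernetes.")
    ap.add_argument("-p", "--profile", help="AWS CLI profile")
    ap.add_argument("-n", "--secret-name", required=True, help="AWS secret name (reused as k8s Secret name)")
    ap.add_argument("--kns", dest="namespace", required=True, help="Kubernetes namespace")
    ap.add_argument("--cert", required=True, help="sealed-secrets public certificate (PEM)")
    ap.add_argument("-f", "--out", required=True, help="where to write the SealedSecret YAML")
    ap.add_argument("-b", "--body-key", help="store the whole SecretString under this single key")
    ap.add_argument("--type", default="Opaque", help="Kubernetes Secret type")
    args = ap.parse_args(argv)

    data = parse_secret_string(fetch_secret_string(args.secret_name, args.profile), args.body_key)
    manifest = build_secret_manifest(args.secret_name, args.namespace, data, args.type)
    sealed = seal(manifest, args.cert)
    with open(args.out, "w") as fh:  # only the encrypted SealedSecret is written
        fh.write(sealed)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage mirrors the workflow above: `python seal_example.py -p "$AWS_PROFILE" -n supersecret --kns "$KUBERNETES_NAMESPACE" --cert ./dev-cluster.pem -f supersecret_sealedsecret.yaml`, followed by `kubectl apply -f supersecret_sealedsecret.yaml` in the same namespace.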
After updating Python via Homebrew, the virtual environments created with pipx might be broken,
because the symlink in each venv points to the full path of the Homebrew python3, which changes with every Homebrew patch release. This can be fixed via:
pipx reinstall-all