REGION_CORD="ap-northeast-2"
CLUSTER_NAME="wsi-eks-cluster"
cat >secret-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": ["*"]
},
{
"Effect": "Allow",
"Action": ["kms:Decrypt"],
"Resource": ["*"]
}
]
}
EOF
POLICY_ARN=$(aws --region "$REGION_CORD" --query Policy.Arn --output text iam create-policy --policy-name secretsmanager-policy --policy-document file://secret-policy.json)
eksctl create iamserviceaccount \\
--name external-secrets-cert-controller \\
--region="$REGION_CORD" \\
--cluster "$CLUSTER_NAME" \\
--namespace=wsi \\
--attach-policy-arn "$POLICY_ARN" \\
--override-existing-serviceaccounts \\
--approve
helm repo add external-secrets <https://charts.external-secrets.io>
kubectl annotate serviceaccount external-secrets-cert-controller \\
meta.helm.sh/release-name=external-secrets \\
meta.helm.sh/release-namespace=wsi \\
-n wsi \\
--overwrite
kubectl label serviceaccount external-secrets-cert-controller \\
app.kubernetes.io/managed-by=Helm \\
-n wsi\\
--overwrite
cat > values.yaml <<EOF
{
"installCRDs": true,
"nodeSelector": {
"type": "addon"
},
"webhook": {
"nodeSelector": {
"type": "addon"
}
},
"certController": {
"nodeSelector": {
"type": "addon"
}
}
}
EOF
helm install external-secrets \\
external-secrets/external-secrets \\
-n wsi\\
-f values.yaml \\
--set serviceAccount.create=false
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secrets
namespace: wsi
spec:
provider:
aws:
service: SecretsManager
region: ap-northeast-2
auth:
jwt:
serviceAccountRef:
name: external-secrets-cert-controller