How to import EKS secrets from AWS Secrets Manager using aws-cdk?


Question

I have:

  • EKS deployed by an aws-cdk script, with kubectl enabled, and apps deployed by eks.Cluster.addResource()
  • AWS Secrets Manager with a set of secrets I want to be available to the EKS application

I tried to deploy the Secret this way:

  import * as eks from "@aws-cdk/aws-eks";
  import * as sm from "@aws-cdk/aws-secretsmanager";

  // Returns a CDK token for the JSON key, not the secret's value; the token is
  // only resolved by CloudFormation at deploy time. `scope` and
  // `awsSecretStorageArn` are assumed to be members of the enclosing class.
  getSecret(secretKey: string): string {
    let secretTokens = sm.Secret.fromSecretArn(scope, "ImportedSecrets", awsSecretStorageArn);
    return secretTokens.secretValueFromJson(secretKey).toString();
  }

  createKubernetesImagePullSecrets(k8s: eks.Cluster): void {
    let eksSecretStorageName = this.env.awsResourcesConfig.k8sImagePullSecretStorageName;
    k8s.addResource(eksSecretStorageName, {
      apiVersion: "v1",
      kind: "Secret",
      metadata: {
        name: eksSecretStorageName,
      },
      // Secret.data values must be base64; the token string below is not
      data: {
        ".dockerconfigjson": this.getSecret('hub-secret'),
      },
      type: "kubernetes.io/dockerconfigjson",
    });
  }

I'm getting an error from CloudFormation:

版本"v1"中的秘密不能作为秘密处理:v1.Secret.ObjectMeta:v1.ObjectMeta.TypeMeta:种类:数据:解码base64:输入字节0处的非法base64数据

Secret in version "v1" cannot be handled as a Secret: v1.Secret.ObjectMeta: v1.ObjectMeta.TypeMeta: Kind: Data: decode base64: illegal base64 data at input byte 0


This happens because the secret token is not expanded and the ".dockerconfigjson" field value, in this case, looks like ${Token[TOKEN.417]}


Is there a way to deploy the EKS Secret resource and expand secret tokens correctly during deployment?

Answer

I created a temporary workaround for this, by downloading a plain-text version of the secrets with aws-cli. Not a safe way, but it works. Do not use this if you have a more secure solution.

  import * as eks from "@aws-cdk/aws-eks";
  import { execFileSync } from "child_process";

  // Reads the secret in plain text at synth time through the AWS CLI. The
  // arguments are passed as an array instead of being interpolated into a
  // shell command line, so the ARN cannot inject shell syntax.
  extractSecretValues(awsSecretStorageArn: string) : Map<string, string> {
    let map = new Map<string, string>();
    let secretsContent = execFileSync("aws",
      ["secretsmanager", "get-secret-value", "--secret-id", awsSecretStorageArn]).toString();
    let secrets = JSON.parse(secretsContent);
    if (!secrets)
      throw new Error(`Secret values could not be extracted from ${awsSecretStorageArn}`);
    if (secrets.SecretString) {
      // SecretString is itself a JSON object of key/value pairs
      let secretValuesObj = JSON.parse(secrets.SecretString);
      for (let [secretKey, secretValue] of Object.entries<string>(secretValuesObj)) {
        map.set(secretKey, secretValue);
      }
    }
    return map;
  }

  let secretValueMap = extractSecretValues(awsSecretStorageArn);

  createKubernetesImagePullSecrets(k8s: eks.Cluster): void {
    let eksSecretStorageName = this.env.awsResourcesConfig.k8sImagePullSecretStorageName;
    k8s.addResource(eksSecretStorageName, {
      apiVersion: "v1",
      kind: "Secret",
      metadata: {
        name: eksSecretStorageName,
      },
      // Secret.data requires base64, so the stored value must already be base64-encoded
      data: {
        ".dockerconfigjson": secretValueMap.get('hub-secret'),
      },
      type: "kubernetes.io/dockerconfigjson",
    });
  }
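Added example, not part of the question or the answer above. The CloudFormation error has one cause: a Kubernetes `Secret.data` value must be base64, and `${Token[TOKEN.417]}` is a CDK placeholder that CloudFormation resolves only at deploy time, so it is neither base64 nor the secret's value. The self-contained TypeScript below reproduces that check on the manifest the question produced, then builds the same manifest from the `GetSecretValue` response shape the answer's workaround parses, base64-encoding the value itself (the workaround copies the stored value straight into `data`, which only works if the secret already holds base64). The response and the `.dockerconfigjson` document are constructed samples, not real credentials, and nothing here calls AWS or Kubernetes. Whichever way the plaintext is read at synth time, it ends up inside the synthesized template under `cdk.out/` and in the deployed CloudFormation stack template, readable by anyone with `cloudformation:GetTemplate`.

```typescript
// Added example (not from the question or the answer): emulates the API server's
// base64 check on Secret.data and builds a valid image-pull Secret from a
// constructed Secrets Manager GetSecretValue response. No AWS/Kubernetes calls.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// UTF-8 bytes of a string (surrogate pairs folded into one code point).
function utf8Bytes(text: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < text.length; i++) {
    let cp = text.charCodeAt(i);
    const lo = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
    if (cp >= 0xd800 && cp <= 0xdbff && lo >= 0xdc00 && lo <= 0xdfff) {
      cp = 0x10000 + ((cp - 0xd800) << 10) + (lo - 0xdc00); i++;
    }
    if (cp < 0x80) out.push(cp);
    else if (cp < 0x800) out.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    else if (cp < 0x10000) out.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    else out.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
  }
  return out;
}

// Standard padded base64, the only encoding accepted in Secret.data. Written out
// here so the example does not depend on Node's Buffer typings.
function base64Encode(text: string): string {
  const b = utf8Bytes(text);
  let s = "";
  for (let i = 0; i < b.length; i += 3) {
    const n = (b[i] << 16) | ((i + 1 < b.length ? b[i + 1] : 0) << 8) | (i + 2 < b.length ? b[i + 2] : 0);
    s += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    s += (i + 1 < b.length ? B64[(n >> 6) & 63] : "=") + (i + 2 < b.length ? B64[n & 63] : "=");
  }
  return s;
}

// The check behind "illegal base64 data at input byte 0" in the question: -1 when
// `value` is well-formed base64, else the offset of the first non-base64 byte
// (the input length if the value is merely truncated).
function firstIllegalBase64Byte(value: string): number {
  const body = value.replace(/={1,2}$/, "");
  for (let i = 0; i < body.length; i++) if (B64.indexOf(body[i]) < 0) return i;
  return value.length % 4 === 0 ? -1 : value.length;
}

type SecretManifest = {
  apiVersion: "v1"; kind: "Secret"; metadata: { name: string }; type: string;
  data: { [key: string]: string };
};

// Reject the manifest before CloudFormation does; null means every data value decodes.
function validateSecretData(m: SecretManifest): string | null {
  for (const key of Object.keys(m.data)) {
    const at = firstIllegalBase64Byte(m.data[key]);
    if (at >= 0) return `Data: ${key}: decode base64: illegal base64 data at input byte ${at}`;
  }
  return null;
}

// Parse `aws secretsmanager get-secret-value` output the way the answer's
// workaround does: SecretString is itself a JSON object of key/value pairs.
function extractSecretValues(resp: { SecretString?: string }): { [key: string]: string } {
  if (!resp.SecretString) throw new Error("SecretString missing; binary secrets are not handled");
  return JSON.parse(resp.SecretString) as { [key: string]: string };
}

// `data` must hold base64, so the raw .dockerconfigjson document is encoded here
// (or put the raw text under `stringData` and let the API server encode it).
// An unresolved CDK token, the value the question ended up with, is rejected early.
function buildImagePullSecret(name: string, dockerConfigJson: string): SecretManifest {
  if (/^\$\{Token\[/.test(dockerConfigJson)) {
    throw new Error("unresolved CDK token: secret value is not available at synth time");
  }
  return {
    apiVersion: "v1", kind: "Secret", metadata: { name },
    type: "kubernetes.io/dockerconfigjson",
    data: { ".dockerconfigjson": base64Encode(dockerConfigJson) },
  };
}

// Constructed sample input: a fake registry credential wrapped the way Secrets
// Manager returns it. Not a real token.
const sampleDockerConfig = JSON.stringify({
  auths: { "registry.example.com": { username: "ci-bot", password: "not-a-real-token" } },
});
const sampleResponse = { SecretString: JSON.stringify({ "hub-secret": sampleDockerConfig }) };

// The manifest the question produced (token placeholder) beside the corrected one.
const brokenManifest: SecretManifest = {
  apiVersion: "v1", kind: "Secret", metadata: { name: "hub-pull" },
  type: "kubernetes.io/dockerconfigjson", data: { ".dockerconfigjson": "${Token[TOKEN.417]}" },
};
const fixedManifest = buildImagePullSecret("hub-pull", extractSecretValues(sampleResponse)["hub-secret"]);
```

Run `validateSecretData(brokenManifest)` to see the same "illegal base64 data at input byte 0" the question hit, and `validateSecretData(fixedManifest)` to confirm the encoded manifest passes. If the value stored in Secrets Manager is already the base64 form of the `.dockerconfigjson` document, skip `base64Encode` and run `firstIllegalBase64Byte` on it instead before it goes into `data`.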
