v0.1.4

CHANGELOG.md

@@ -1,6 +1,12 @@
 	Changelog
 	=========
 
+	[0.1.4] - 2018-09-11
+	--------------------
+	### Fixed
+	- Add ca-certificates package to final alpine image [Issue #7]
+	- Add Volume (Type=hostPath) for /etc/ssl/certs, to ensure AWS roots are available [Issue #7]
+
 	[0.1.3] - 2018-07-24
 	--------------------
 	### Added

Dockerfile

@@ -1,6 +1,6 @@
 FROM library/golang:1.10-alpine
 
-RUN apk add --update --no-cache git ca-certificates
+RUN apk add --update --no-cache git
 
 WORKDIR /go/src/github.com/cmattoon/aws-ssm
 
@@ -13,7 +13,7 @@ RUN go install -v ./...
 ## Stage 2
 FROM library/alpine
 LABEL org.label-schema.schema-version = "1.0.0"
-LABEL org.label-schema.version = "0.1.3"
+LABEL org.label-schema.version = "0.1.4"
 LABEL org.label-schema.name = "aws-ssm"
 LABEL org.label-schema.description = "Updates Kubernetes Secrets with AWS SSM Parameters"
 LABEL org.label-schema.vendor = "com.cmattoon"
@@ -28,6 +28,8 @@ ENV METRICS_URL    "0.0.0.0:9999"
 ENV MASTER_URL     ""
 ENV KUBE_CONFIG    ""
 
+RUN apk add --update ca-certificates
+
 COPY --from=0 /go/bin/aws-ssm /bin/aws-ssm
 
 CMD ["aws-ssm"]

Makefile

@@ -1,26 +1,28 @@
 .PHONY:
-AWS_REGION ?= us-west-2
-AWS_ACCESS_KEY ?= none
-AWS_SECRET_KEY ?= none
+AWS_REGION        ?= us-west-2
+AWS_ACCESS_KEY    ?= none
+AWS_SECRET_KEY    ?= none
 
-RELEASE_NAME ?= aws-ssm
+RELEASE_NAME      ?= aws-ssm
 RELEASE_NAMESPACE ?= kube-system
 
-DOCKER_REPO ?= cmattoon
-IMAGE_NAME ?= aws-ssm
-IMAGE_TAG ?= $(shell git log -1 --pretty=format:"%h")
+DOCKER_REPO       ?= cmattoon
+IMAGE_NAME        ?= aws-ssm
+IMAGE_TAG         ?= $(shell git log -1 --pretty=format:"%h")
 
-CURRENT_IMAGE=$(DOCKER_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
-LATEST_IMAGE=$(DOCKER_REPO)/$(IMAGE_NAME):latest
+CURRENT_IMAGE      = $(DOCKER_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
+LATEST_IMAGE       = $(DOCKER_REPO)/$(IMAGE_NAME):latest
 
-DOCKERFILE_DIR=.
-DOCKERFILE=Dockerfile
+DOCKERFILE_DIR     = .
+DOCKERFILE         = Dockerfile
 
 # Output file
-AWS_SSM_EXE=build/aws-ssm
+AWS_SSM_EXE        = build/aws-ssm
 
-CHART_DIR ?= $(IMAGE_NAME)
-EXTRA_ARGS ?= 
+CHART_DIR         ?= $(IMAGE_NAME)
+RBAC_ENABLED      ?= true
+HOST_SSL_DIR      ?= ""
+EXTRA_ARGS        ?= 
 
 .PHONY: test
 test:
@@ -51,6 +53,8 @@ install:
 	 	--set aws.region=$(AWS_REGION) \
 	 	--set aws.access_key=$(AWS_ACCESS_KEY) \
 	 	--set aws.secret_key=$(AWS_SECRET_KEY) \
+		--set rbac.enabled=$(RBAC_ENABLED) \
+		--set host_ssl_dir=$(HOST_SSL_DIR) \
 	 	$(EXTRA_ARGS) $(CHART_DIR)
 
 .PHONY: purge

README.md

@@ -6,6 +6,7 @@ cmattoon/aws-ssm
 ![Docker Pulls](https://img.shields.io/docker/pulls/cmattoon/aws-ssm.svg)
 [![codecov](https://codecov.io/gh/cmattoon/aws-ssm/branch/master/graph/badge.svg)](https://codecov.io/gh/cmattoon/aws-ssm)
 [![Go Report Card](https://goreportcard.com/badge/github.com/cmattoon/aws-ssm)](https://goreportcard.com/report/github.com/cmattoon/aws-ssm)
+[![Maintainability](https://api.codeclimate.com/v1/badges/764dddb334f5dc9fb986/maintainability)](https://codeclimate.com/github/cmattoon/aws-ssm/maintainability)
 
 
 Updates Kubernetes `Secrets` with values from AWS Parameter Store
@@ -43,17 +44,23 @@ The AWS credentials should be associated with an IAM user/role that has the foll
 
 ### Values
 
+The following chart values may be set. Only the required variables (AWS credentials) need provided by the user. Most of the time, the other
+defaults should work as-is.
 
-| Value        | Default          | Example                     | Description                                                      |
-|--------------|------------------|-----------------------------|------------------------------------------------------------------|
-| aws_region   |                  | us-west-2                   | The AWS region in which the Pod is deployed                      |
-| kubeconfig64 |                  | <string>                    | The output of `$(cat $KUBE_CONFIG | base64)`. Stored as a Secret |
-| metrics_port | 9999             | <int>                       | Serve metrics/healthchecks on this port                          |
-| replicas     | 1                | <int>                       | The number of Pods                                               |
-| image.name   | cmattoon/aws-ssm | <docker-repo>/<image-name>  | The Docker image to use for the Pod container                    |
-| image.tag    | latest           | <docker-tag>                | The Docker tag for the image                                     |
-| resources    | {}               | <dict>                      | Kubernetes Resource Requests/Limits                              |
-|              |                  |                             |                                                                  |
+
+| Req'd | Value          | Default          | Example                     | Description                                                      |
+|-------|----------------|------------------|-----------------------------|------------------------------------------------------------------|
+| YES   | aws.region     | ""               | us-west-2                   | The AWS region in which the Pod is deployed                      |
+| YES   | aws.access_key | ""               |                             |                                                                  |
+| YES   | aws.secret_key | ""               |                             |                                                                  |
+| NO    | kubeconfig64   | ""               | <string>                    | The output of `$(cat $KUBE_CONFIG | base64)`. Stored as a Secret |
+| NO    | metrics_port   | 9999             | <int>                       | Serve metrics/healthchecks on this port                          |
+| NO    | replicas       | 1                | <int>                       | The number of Pods                                               |
+| NO    | image.name     | cmattoon/aws-ssm | <docker-repo>/<image-name>  | The Docker image to use for the Pod container                    |
+| NO    | image.tag      | latest           | <docker-tag>                | The Docker tag for the image                                     |
+| NO    | resources      | {}               | <dict>                      | Kubernetes Resource Requests/Limits                              |
+| NO    | host_ssl_dir   | ""               | /etc/ssl/certs              | If specified, mounts certs from the host.                        |
+| NO    | rbac.enabled   | true             | <bool>                      | Whether or not to add Kubernetes RBAC stuff                      |
 
 
 Docker Container
@@ -127,3 +134,10 @@ Build
     make
     make container
 
+
+CA Certificates
+---------------
+
+For ease of use, the `ca-certificates` package is installed on the final `library/alpine` image. If you're having SSL/TLS
+connection issues, `export HOST_SSL_DIR=/etc/ssl/certs` before running `make install`. This will mount the SSL cert directory
+on the EC2 instance.

aws-ssm/Chart.yaml

@@ -2,4 +2,4 @@
 apiVersion: v1
 description: Dynamic secret management for Kubernetes
 name: aws-ssm
-version: 0.1.0
+version: 0.1.4

aws-ssm/templates/NOTES.txt

@@ -11,7 +11,7 @@
  AWS Region      : {{ .Values.aws.region }}
  Master URL      : {{ .Values.master_url }}
  Docker Image    : {{ .Values.image.name }}:{{ .Values.image.tag }}
+ RBAC Enabled    : {{ .Values.rbac.enabled }}
 
  List Pods:
      kubectl -n {{ .Release.Namespace }} get pods
-

aws-ssm/templates/deployment.yaml

@@ -54,9 +54,20 @@ spec:
 
             - name: AWS_SECRET_KEY
               value: "{{ .Values.aws.secret_key }}"
+          {{ if ne .Values.host_ssl_dir "" -}}
+          volumeMounts:
+            - mountPath: /etc/ssl/certs
+              name: aws-host-ca-certificates
+          {{ end -}}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       {{- end }}
+      {{ if ne .Values.host_ssl_dir "" -}}
+      volumes:
+        - name: aws-host-ca-certificates
+          hostPath:
+            path: /etc/ssl/certs
+      {{- end }}

aws-ssm/values.yaml

@@ -3,6 +3,8 @@ aws:
   region: ""
   access_key: ""
   secret_key: ""
+# If != "", mounts /etc/ssl/certs in the container from {{ host_ssl_dir }}
+host_ssl_dir: ""
 # URL to Kubernetes master API
 master_url: ""
 # Healthcheck stuff

pkg/secret/secret.go

@@ -46,7 +46,7 @@ type Secret struct {
 	Data map[string]string
 }
 
-func NewSecret(sec v1.Secret, p provider.Provider, secret_name string, secret_namespace string, param_name string, param_type string, param_key string) *Secret {
+func NewSecret(sec v1.Secret, p provider.Provider, secret_name string, secret_namespace string, param_name string, param_type string, param_key string) (*Secret, error) {
 
 	s := &Secret{
 		Secret:     sec,
@@ -71,11 +71,12 @@ func NewSecret(sec v1.Secret, p provider.Provider, secret_name string, secret_na
 	if err != nil {
 		log.Infof("Couldn't get value for %s/%s: %s",
 			s.Namespace, s.Name, err)
+		return nil, err
 	} else {
 		s.ParamValue = value
 	}
 
-	return s
+	return s, nil
 }
 
 func FromKubernetesSecret(p provider.Provider, secret v1.Secret) (*Secret, error) {
@@ -105,7 +106,7 @@ func FromKubernetesSecret(p provider.Provider, secret v1.Secret) (*Secret, error
 		}
 	}
 
-	s := NewSecret(
+	s, err := NewSecret(
 		secret,
 		p,
 		secret.ObjectMeta.Name,
@@ -114,6 +115,9 @@ func FromKubernetesSecret(p provider.Provider, secret v1.Secret) (*Secret, error
 		param_type,
 		param_key)
 
+	if err != nil {
+		return nil, err
+	}
 	return s, nil
 }
 

version.txt

@@ -1 +1 @@
-0.1.3
+0.1.4