Payments LnD 2020

Overview

  • External Secrets
  • ArgoCD for Infra

External Secrets

  • Programmatic Access to Hosted Secrets
  • We point to AWS Secrets Manager
  • Requires IAM User and Policy

SecretsManagerUser:
  Type: AWS::IAM::User
  Properties:
    UserName: secrets-manager-user
    Path: "/"
    Policies:
      - PolicyName: SecretsManagerAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "secretsmanager:GetResourcePolicy"
                - "secretsmanager:GetSecretValue"
                - "secretsmanager:DescribeSecret"
                - "secretsmanager:ListSecretVersionIds"
              # "*" lets this user read every secret in the account; scope it
              # to the ARNs of the secrets the cluster actually needs.
              Resource: "*"

# Add the required repositories

helm repo add external-secrets https://godaddy.github.io/kubernetes-external-secrets/

helm repo update

# Install external-secrets

helm upgrade -i aws-secrets-manager \
  external-secrets/kubernetes-external-secrets \
  --namespace secrets --create-namespace --skip-crds \
  -f ./helm/secrets/aws-secrets-manager/values.yaml

SecretsManagerAccessKey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref SecretsManagerUser

SecretsManagerCredentials:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: secrets-manager/credentials
    SecretString: !Sub |
      {
        "accessKeyId": "${SecretsManagerAccessKey}",
        "secretAccessKey": "${SecretsManagerAccessKey.SecretAccessKey}"
      }

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: aws-cloudwatch
spec:
  backendType: secretsManager
  data:
    - key: cloudwatch/credentials
      name: access_key
      property: accessKeyId
    - key: cloudwatch/credentials
      name: secret_key
      property: secretAccessKey

% kubectl get externalsecret,secret aws-cloudwatch -n metrics
NAME                            LAST SYNC   STATUS    AGE
externalsecret/aws-cloudwatch   78s         SUCCESS   2d4h

NAME                    TYPE     DATA   AGE
secret/aws-cloudwatch   Opaque   2      2d4h
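
The following is an added example, not code from the slides or from the kubernetes-external-secrets project. It simulates what the controller does with the aws-cloudwatch ExternalSecret above (each `key` names an AWS secret, `property` picks a JSON field, `name` becomes the key in the resulting Kubernetes Secret) and evaluates the SecretsManagerAccessPolicy against the secret ARNs, so you can see the difference between the slide's `Resource: "*"` and a policy scoped to a `cloudwatch/` prefix. The Secrets Manager contents, region, account id, the scoped policy and the second ExternalSecret are all constructed sample values; nothing calls AWS or kubectl.

```python
"""Added example (not from the slides): simulate kubernetes-external-secrets
resolving an ExternalSecret from AWS Secrets Manager, gated by an IAM policy.
All inputs below are constructed sample values; no AWS or kubectl calls."""
import base64
import fnmatch
import json

REGION, ACCOUNT = "ap-southeast-2", "123456789012"  # constructed values

# Stand-in for Secrets Manager: secret name -> SecretString. The cloudwatch
# entry mirrors the JSON shape written by SecretsManagerCredentials above.
SECRETS_MANAGER = {
    "cloudwatch/credentials": json.dumps({
        "accessKeyId": "AKIAEXAMPLE0000000000",        # fake sample key id
        "secretAccessKey": "example-secret-key-not-real",
    }),
    "payments/db": json.dumps({"password": "db-password-not-real"}),
}

# The aws-cloudwatch ExternalSecret from the slides, as parsed YAML.
EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1", "kind": "ExternalSecret",
    "metadata": {"name": "aws-cloudwatch"},
    "spec": {"backendType": "secretsManager", "data": [
        {"key": "cloudwatch/credentials", "name": "access_key", "property": "accessKeyId"},
        {"key": "cloudwatch/credentials", "name": "secret_key", "property": "secretAccessKey"},
    ]},
}
# A second, constructed ExternalSecret for an unrelated workload.
DB_EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1", "kind": "ExternalSecret",
    "metadata": {"name": "payments-db"},
    "spec": {"backendType": "secretsManager", "data": [
        {"key": "payments/db", "name": "password", "property": "password"}]},
}

SM_ACTIONS = ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
              "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"]

# SecretsManagerAccessPolicy as on the slide: read access to every secret.
SLIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SM_ACTIONS, "Resource": "*"}]}


def secret_arn(name):
    """ARN that IAM matches Resource against. Real Secrets Manager ARNs carry a
    random 6-character suffix after the name (omitted here), so a production
    pattern should end in '*' to cover it."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}"


# Same actions, limited to the cloudwatch/ prefix (assumed naming convention:
# one path prefix per workload). Only the Resource line changed.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SM_ACTIONS, "Resource": [secret_arn("cloudwatch/*")]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """Minimal IAM evaluator: '*'/'?' wildcards, explicit Deny beats Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable_secrets(policy, store=SECRETS_MANAGER):
    """Blast radius: every secret name the policy lets GetSecretValue read."""
    return sorted(n for n in store
                  if policy_allows(policy, "secretsmanager:GetSecretValue", secret_arn(n)))


def resolve_external_secret(ext_secret, policy, store=SECRETS_MANAGER):
    """Build the `data` of the resulting Kubernetes Secret: `key` names the AWS
    secret, `property` picks one JSON field (omit it to take the whole
    SecretString), `name` is the key in the Secret; values are base64."""
    data = {}
    for entry in ext_secret["spec"]["data"]:
        arn = secret_arn(entry["key"])
        if not policy_allows(policy, "secretsmanager:GetSecretValue", arn):
            raise PermissionError(f"GetSecretValue denied on {arn}")
        raw = store[entry["key"]]
        value = json.loads(raw)[entry["property"]] if "property" in entry else raw
        data[entry["name"]] = base64.b64encode(value.encode()).decode()
    return data


def as_plaintext(secret_data):
    """Decode a Secret's base64 data (what `kubectl get secret -o json` hides)."""
    return {k: base64.b64decode(v).decode() for k, v in secret_data.items()}


def can_sync(ext_secret, policy):
    """True if the controller could sync this ExternalSecret under the policy."""
    try:
        resolve_external_secret(ext_secret, policy)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("slide policy reaches:", reachable_secrets(SLIDE_POLICY))
    print("scoped policy reaches:", reachable_secrets(SCOPED_POLICY))
    print(as_plaintext(resolve_external_secret(EXTERNAL_SECRET, SCOPED_POLICY)))
```

Run it and the slide policy reaches both sample secrets while the scoped one reaches only `cloudwatch/credentials`; the cloudwatch sync succeeds under either, and the `payments-db` ExternalSecret only syncs under the broad policy, which is the point: the IAM user's Resource line is what bounds what a compromised controller credential could read.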

ArgoCD for Infra

Managed declarative deployments for our internal cluster infrastructure and tooling.

❤️

apiVersion: v2
description: Grafana monitoring and observability tool
name: grafana
version: 1.0.0
dependencies:
  - name: grafana
    version: 5.5.5
    repository: https://kubernetes-charts.storage.googleapis.com

- name: grafana
  project: infra
  source:
    repoURL: git@github.com:vgw/pay-infra.git
    path: helm/metrics/grafana
    helm:
      valueFiles:
        - pay-dev.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: metrics

Side Note - Grafana Sidecars!

apiVersion: v1
kind: ConfigMap
metadata:
  name: "dashboards.purchase-metrics"
  labels:
    # must sit under metadata, or the sidecar's label selector never sees it
    grafana_dashboard: "true"
data:
  {...}
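
Added example, not from the slides or from the grafana chart: a small pre-merge lint that says whether the Grafana dashboard sidecar will pick up a ConfigMap. The sidecar selects ConfigMaps whose `metadata.labels` carry `grafana_dashboard: "true"` (the chart's default label) and writes each `data` value to a file named after its key, which Grafana's file provider then loads as a `*.json` dashboard. The three manifests are constructed dicts (already-parsed YAML) so the check runs offline; the second one reproduces the easy mistake of putting `labels` at top level instead of under `metadata`.

```python
"""Added example (not from the slides): lint a Grafana dashboard ConfigMap
the way the sidecar and Grafana's file provider will treat it. Manifests are
constructed dicts (already-parsed YAML) so this runs offline."""
import json

LABEL_KEY, LABEL_VALUE = "grafana_dashboard", "true"   # chart default


def sidecar_selects(cm):
    """Mirror the sidecar's label selector: the label must sit under metadata."""
    return (cm.get("metadata") or {}).get("labels", {}).get(LABEL_KEY) == LABEL_VALUE


def lint_dashboard_configmap(cm):
    """Return a list of problems; an empty list means the dashboard will load."""
    name = (cm.get("metadata") or {}).get("name", "<unnamed>")
    problems = []
    if cm.get("kind") != "ConfigMap":
        problems.append(f"{name}: kind is {cm.get('kind')!r}, expected ConfigMap")
    if not sidecar_selects(cm):
        where = "at top level instead of under metadata" if "labels" in cm else "missing"
        problems.append(f"{name}: label {LABEL_KEY}={LABEL_VALUE!r} is {where}; sidecar skips it")
    for filename, body in (cm.get("data") or {}).items():
        if not filename.endswith(".json"):
            problems.append(f"{name}/{filename}: Grafana's file provider only loads *.json")
        try:
            dashboard = json.loads(body)
        except json.JSONDecodeError as exc:
            problems.append(f"{name}/{filename}: not valid JSON ({exc.msg})")
            continue
        if not isinstance(dashboard, dict) or "title" not in dashboard:
            problems.append(f"{name}/{filename}: dashboard JSON needs a top-level 'title'")
    return problems


def loadable(configmaps):
    """Names of the ConfigMaps that pass lint, i.e. the dashboards Grafana will show."""
    return [cm["metadata"]["name"] for cm in configmaps if not lint_dashboard_configmap(cm)]


# Constructed manifests: GOOD is the slide's ConfigMap with labels under
# metadata; MISPLACED has `labels` at top level; BAD_JSON has a broken body.
GOOD = {"apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "dashboards.purchase-metrics", "labels": {LABEL_KEY: "true"}},
        "data": {"purchase-metrics.json": json.dumps({"title": "Purchase metrics", "panels": []})}}
MISPLACED = {"apiVersion": "v1", "kind": "ConfigMap",
             "metadata": {"name": "dashboards.refunds"}, "labels": {LABEL_KEY: "true"},
             "data": {"refunds.json": json.dumps({"title": "Refunds", "panels": []})}}
BAD_JSON = {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": "dashboards.broken", "labels": {LABEL_KEY: "true"}},
            "data": {"broken.json": '{"title": "Broken",'}}

if __name__ == "__main__":
    for cm in (GOOD, MISPLACED, BAD_JSON):
        print(cm["metadata"]["name"], lint_dashboard_configmap(cm) or "ok")
```

Wire `lint_dashboard_configmap` over the rendered manifests in CI (for example from `helm template`) and a dashboard that silently never appears in Grafana becomes a failed PR check instead of a debugging session.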

What's Next?

  • pgweb (PR Open)
  • pay-config (PR Open)
  • ingress namespace (targeting zero-downtime)

By Macklin Hartley

My notes from the Payments LnD week.