Add support for AWS Secrets Manager (helm#6245)
* Add support for AWS Secrets Manager

* Rename credentialManager.secretsmanager to credentialManager.awsSecretsManager

* Bump minor version for new feature

Signed-off-by: voron <av@arilot.com>
Kurt McAlpine authored and voron committed Sep 5, 2018
1 parent b76adb2 commit 3a5b2cc
Showing 5 changed files with 109 additions and 1 deletion.
2 changes: 1 addition & 1 deletion stable/concourse/Chart.yaml
@@ -1,5 +1,5 @@
name: concourse
version: 1.9.1
version: 1.10.0
appVersion: 3.14.1
description: Concourse is a simple and scalable CI system.
icon: https://avatars1.githubusercontent.com/u/7809479
41 changes: 41 additions & 0 deletions stable/concourse/README.md
@@ -159,6 +159,10 @@ The following table lists the configurable parameters of the Concourse chart and
| `credentialManager.ssm.region` | AWS Region to use for SSM | `nil` |
| `credentialManager.ssm.pipelineSecretsTemplate` | Pipeline secrets template | `nil` |
| `credentialManager.ssm.teamSecretsTemplate` | Team secrets template | `nil` |
| `credentialManager.awsSecretsManager.enabled` | Use AWS Secrets Manager as a Credential Manager | `false` |
| `credentialManager.awsSecretsManager.region` | AWS Region to use for Secrets Manager | `nil` |
| `credentialManager.awsSecretsManager.pipelineSecretsTemplate` | Pipeline secrets template | `nil` |
| `credentialManager.awsSecretsManager.teamSecretsTemplate` | Team secrets template | `nil` |
| `credentialManager.vault.enabled` | Use Hashicorp Vault as a Credential Manager | `false` |
| `credentialManager.vault.url` | Vault Server URL | `nil` |
| `credentialManager.vault.pathPrefix` | Vault path to namespace secrets | `/concourse` |
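Review bot: the two new table rows name the settings `credentialManager.awsSecretsManager.pipelineSecretsTemplate` and `teamSecretsTemplate`, but the prose later in this README, values.yaml (`pipelineSecretTemplate`, `teamSecretTemplate`) and web-deployment.yaml (`.Values.credentialManager.awsSecretsManager.pipelineSecretTemplate`) all use the singular `Secret`. Helm silently ignores values keys nothing reads, so a user who copies the key from this table gets the default template and no error. Rename the rows to `pipelineSecretTemplate` / `teamSecretTemplate`; the SSM rows directly above carry the same mismatch against `credentialManager.ssm.teamSecretTemplate`, which the deployment template reads, and could be fixed in the same pass.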
@@ -429,3 +433,40 @@ The minimum IAM policy you need to use SSM with Concourse is:
```

Where `<kms-key-arn>` is the ARN of the KMS key used to encrypt the secrets in Paraemter Store, and the `<...arn...>` should be replaced with a correct ARN for your account and region's Parameter Store.

#### AWS Secrets Manager

To use Secrets Manager, set `credentialManager.kubernetes.enabled` to false, and set `credentialManager.awsSecretsManager.enabled` to true.

For a given Concourse *team*, a pipeline will look for secrets in Secrets Manager using either `/concourse/{team}/{secret}` or `/concourse/{team}/{pipeline}/{secret}`; the patterns can be overridden using the `credentialManager.awsSecretsManager.teamSecretTemplate` and `credentialManager.awsSecretsManager.pipelineSecretTemplate` settings.

Concourse requires AWS credentials which are able to read from Secrets Manager for this feature to function. Credentials can be set in the `secrets.awsSecretsmanager*` settings; if your cluster is running in a different AWS region, you may also need to set `credentialManager.awsSecretsManager.region`.

The minimum IAM policy you need to use Secrets Manager with Concourse is:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToSecretManagerParameters",
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "AllowAccessGetSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": [
"arn:aws:secretsmanager:::secret:/concourse/*"
]
}
]
}
```
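Review bot: the `Resource` in the second statement, `arn:aws:secretsmanager:::secret:/concourse/*`, leaves the region and account fields empty, and empty fields are not wildcards in IAM, so as written it matches no real secret ARN. The SSM section just above tells the reader to substitute account and region; do the same here, e.g. `"arn:aws:secretsmanager:<region>:<account-id>:secret:/concourse/*"` followed by a sentence saying what to replace (or `*:*` if secrets from any region are intended). Two smaller points in the same hunk: if the secrets are encrypted with a customer-managed KMS key, the policy also needs a `kms:Decrypt` statement on that key, as the `<kms-key-arn>` statement in the SSM policy does, and the text should say so; and the `Sid` `AllowAccessToSecretManagerParameters` borrows SSM's "parameters" wording (the `Paraemter Store` typo in the unchanged context line above is also worth fixing while here).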
7 changes: 7 additions & 0 deletions stable/concourse/templates/secrets.yaml
@@ -53,6 +53,13 @@ data:
aws-ssm-session-token: {{ .Values.secrets.awsSsmSessionToken | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.enabled }}
aws-secretsmanager-access-key: {{ default "" .Values.secrets.awsSecretsmanagerAccessKey | b64enc | quote }}
aws-secretsmanager-secret-key: {{ default "" .Values.secrets.awsSecretsmanagerSecretKey | b64enc | quote }}
{{- if .Values.secrets.awsSecretsmanagerSessionToken }}
aws-secretsmanager-session-token: {{ .Values.secrets.awsSecretsmanagerSessionToken | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.web.metrics.influxdb.enabled }}
influxdb-password: {{ default "" .Values.secrets.influxdbPassword | b64enc | quote }}
{{- end }}
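Review bot: `default ""` writes `aws-secretsmanager-access-key` and `aws-secretsmanager-secret-key` even when no static credentials are supplied, so an `enabled: true` install without any `secrets.awsSecretsmanager*` value ships empty-string entries that the web deployment then injects as empty `CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY` / `_SECRET_KEY`. That mirrors the SSM block directly above, which is fine, but the README sentence "Concourse requires AWS credentials which are able to read from Secrets Manager" should state whether leaving these empty falls back to the web node's instance-profile credentials, since that is the setup anyone running on EC2 roles will try first.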
35 changes: 35 additions & 0 deletions stable/concourse/templates/web-deployment.yaml
@@ -39,6 +39,10 @@ spec:
- "--aws-ssm-region"
- "$(CONCOURSE_AWS_SSM_REGION)"
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.enabled }}
- "--aws-secretsmanager-region"
- "$(CONCOURSE_AWS_SECRETSMANAGER_REGION)"
{{- end }}
{{- if .Values.web.metrics.datadog.enabled }}
- "--datadog-agent-host"
- "$(CONCOURSE_DATADOG_AGENT_HOST)"
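Review bot: `--aws-secretsmanager-region $(CONCOURSE_AWS_SECRETSMANAGER_REGION)` is passed whenever the credential manager is enabled, but `CONCOURSE_AWS_SECRETSMANAGER_REGION` is only defined further down inside `{{- if .Values.credentialManager.awsSecretsManager.region }}`, and the README describes the region as optional. Kubernetes leaves an undefined `$(VAR)` reference unexpanded, so with no region configured Concourse receives the literal string `$(CONCOURSE_AWS_SECRETSMANAGER_REGION)` as its region. Wrap these two arg lines in the same `{{- if .Values.credentialManager.awsSecretsManager.region }}` guard the env var uses.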
@@ -263,6 +267,37 @@ spec:
value: {{ .Values.credentialManager.ssm.teamSecretTemplate | quote }}
{{- end }}
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.enabled }}
- name: CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: aws-secretsmanager-access-key
- name: CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: aws-secretsmanager-secret-key
{{- if .Values.secrets.awsSsmSessionToken }}
- name: CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: aws-secretsmanager-session-token
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.region }}
- name: CONCOURSE_AWS_SECRETSMANAGER_REGION
value: {{ .Values.credentialManager.awsSecretsManager.region | quote }}
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.pipelineSecretTemplate }}
- name: CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE
value: {{ .Values.credentialManager.awsSecretsManager.pipelineSecretTemplate | quote }}
{{- end }}
{{- if .Values.credentialManager.awsSecretsManager.teamSecretTemplate }}
- name: CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE
value: {{ .Values.credentialManager.awsSecretsManager.teamSecretTemplate | quote }}
{{- end }}
{{- end }}
{{- if .Values.web.metrics.prometheus.enabled }}
- name: CONCOURSE_PROMETHEUS_BIND_IP
value: "0.0.0.0"
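Review bot: the session-token block is keyed on the wrong value: `{{- if .Values.secrets.awsSsmSessionToken }}` should be `{{- if .Values.secrets.awsSecretsmanagerSessionToken }}`, which is the condition secrets.yaml uses to create the `aws-secretsmanager-session-token` key. As written, setting an SSM session token but no Secrets Manager one makes the web pod reference a secret key that does not exist and fail to start with `CreateContainerConfigError`, while setting only the Secrets Manager token leaves `CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN` uninjected.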
25 changes: 25 additions & 0 deletions stable/concourse/values.yaml
@@ -538,6 +538,26 @@ credentialManager:
##
# teamSecretTemplate: ''

## Configuration for AWS Secrets Manager as the Credential Manager. Supported in Concourse 3.11.0.
##
awsSecretsManager:

## Enable the use of AWS Secrets Manager.
##
enabled: false

## AWS region to use when reading from Secrets Manager
##
# region:

## pipeline-specific template for Secrets Manager parameters, defaults to: /concourse/{team}/{pipeline}/{secret}
##
# pipelineSecretTemplate:

## team-specific template for Secrets Manager parameters, defaults to: /concourse/{team}/{secret}
##
# teamSecretTemplate: ''

## Configuration for Hashicorp Vault as the Credential Manager.
##
vault:
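Review bot: the comments above `pipelineSecretTemplate` and `teamSecretTemplate` describe "Secrets Manager parameters"; Secrets Manager stores secrets, and "parameters" is Parameter Store vocabulary carried over from the SSM block above. Also `# teamSecretTemplate: ''` and `# pipelineSecretTemplate:` mix two placeholder styles in the same block; pick one. These two keys are what the deployment template actually reads, so the README table (`pipelineSecretsTemplate` / `teamSecretsTemplate`) should be aligned to them rather than the other way round.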
@@ -698,6 +718,11 @@ secrets:
# awsSsmSecretKey:
# awsSsmSessionToken:

## Secrets for Secrets Manager AWS access
# awsSecretsmanagerAccessKey:
# awsSecretsmanagerSecretKey:
# awsSecretsmanagerSessionToken:

## Secrets for Concourse basic auth
##
basicAuthUsername: concourse

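Review bot: casing differs between the two halves of the feature: `credentialManager.awsSecretsManager` versus `secrets.awsSecretsmanagerAccessKey` / `awsSecretsmanagerSecretKey` / `awsSecretsmanagerSessionToken`. The SSM keys use `awsSsm` consistently in both places; either rename these to `awsSecretsManager*` or call out the lowercase `m` in the README, since a mistyped values key is ignored without error. The block is also missing the `##` terminator line the neighbouring comments use (`## Secrets for Concourse basic auth` / `##`).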