From 3a5b2cc786fec928176f309037ae4520ab6c8b50 Mon Sep 17 00:00:00 2001
From: Kurt McAlpine
Date: Wed, 27 Jun 2018 03:48:51 +1200
Subject: [PATCH] Add support for AWS Secrets Manager (#6245)
* Add support for AWS Secrets Manager
* Rename credentialManager.secretsmanager to credentialManager.awsSecretsManager
* Bump minor version for new feature
Signed-off-by: voron
---
 stable/concourse/Chart.yaml | 2 +-
 stable/concourse/README.md | 41 +++++++++++++++++++
 stable/concourse/templates/secrets.yaml | 7 ++++
 .../concourse/templates/web-deployment.yaml | 35 ++++++++++++++++
 stable/concourse/values.yaml | 25 +++++++++++
 5 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/stable/concourse/Chart.yaml b/stable/concourse/Chart.yaml
index bbbd07da3d23..cdfa7273caa4 100644
--- a/stable/concourse/Chart.yaml
+++ b/stable/concourse/Chart.yaml
@@ -1,5 +1,5 @@
 name: concourse
-version: 1.9.1
+version: 1.10.0
 appVersion: 3.14.1
 description: Concourse is a simple and scalable CI system.
 icon: https://avatars1.githubusercontent.com/u/7809479
diff --git a/stable/concourse/README.md b/stable/concourse/README.md
index 41b995951406..59aad2aeec75 100644
--- a/stable/concourse/README.md
+++ b/stable/concourse/README.md
@@ -159,6 +159,10 @@ The following table lists the configurable parameters of the Concourse chart and
 | `credentialManager.ssm.region` | AWS Region to use for SSM | `nil` |
 | `credentialManager.ssm.pipelineSecretsTemplate` | Pipeline secrets template | `nil` |
 | `credentialManager.ssm.teamSecretsTemplate` | Team secrets template | `nil` |
+| `credentialManager.awsSecretsManager.enabled` | Use AWS Secrets Manager as a Credential Manager | `false` |
+| `credentialManager.awsSecretsManager.region` | AWS Region to use for Secrets Manager | `nil` |
+| `credentialManager.awsSecretsManager.pipelineSecretsTemplate` | Pipeline secrets template | `nil` |
+| `credentialManager.awsSecretsManager.teamSecretsTemplate` | Team secrets template | `nil` |
 | `credentialManager.vault.enabled` | Use Hashicorp Vault as a Credential Manager | `false` |
 | `credentialManager.vault.url` | Vault Server URL | `nil` |
 | `credentialManager.vault.pathPrefix` | Vault path to namespace secrets | `/concourse` |
@@ -429,3 +433,40 @@ The minimum IAM policy you need to use SSM with Concourse is:
 ```
 Where `` is the ARN of the KMS key used to encrypt the secrets in Paraemter Store, and the `<...arn...>` should be replaced with a correct ARN for your account and region's Parameter Store.
+
+#### AWS Secrets Manager
+
+To use Secrets Manager, set `credentialManager.kubernetes.enabled` to false, and set `credentialManager.awsSecretsManager.enabled` to true.
+
+For a given Concourse *team*, a pipeline will look for secrets in Secrets Manager using either `/concourse/{team}/{secret}` or `/concourse/{team}/{pipeline}/{secret}`; the patterns can be overridden using the `credentialManager.awsSecretsManager.teamSecretTemplate` and `credentialManager.awsSecretsManager.pipelineSecretTemplate` settings.
+
+Concourse requires AWS credentials which are able to read from Secrets Manager for this feature to function. Credentials can be set in the `secrets.awsSecretsmanager*` settings; if your cluster is running in a different AWS region, you may also need to set `credentialManager.awsSecretsManager.region`.
+
+The minimum IAM policy you need to use Secrets Manager with Concourse is:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAccessToSecretManagerParameters",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:ListSecrets"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAccessGetSecret",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:::secret:/concourse/*"
+ ]
+ }
+ ]
+}
+```
diff --git a/stable/concourse/templates/secrets.yaml b/stable/concourse/templates/secrets.yaml
index 8201102b913b..02151d9b0f09 100644
--- a/stable/concourse/templates/secrets.yaml
+++ b/stable/concourse/templates/secrets.yaml
@@ -53,6 +53,13 @@ data:
 aws-ssm-session-token: {{ .Values.secrets.awsSsmSessionToken | b64enc | quote }}
 {{- end }}
 {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.enabled }}
+ aws-secretsmanager-access-key: {{ default "" .Values.secrets.awsSecretsmanagerAccessKey | b64enc | quote }}
+ aws-secretsmanager-secret-key: {{ default "" .Values.secrets.awsSecretsmanagerSecretKey | b64enc | quote }}
+ {{- if .Values.secrets.awsSecretsmanagerSessionToken }}
+ aws-secretsmanager-session-token: {{ .Values.secrets.awsSecretsmanagerSessionToken | b64enc | quote }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.web.metrics.influxdb.enabled }}
 influxdb-password: {{ default "" .Values.secrets.influxdbPassword | b64enc | quote }}
 {{- end }}
diff --git a/stable/concourse/templates/web-deployment.yaml b/stable/concourse/templates/web-deployment.yaml
index cdff83f28172..49d560c313d2 100644
--- a/stable/concourse/templates/web-deployment.yaml
+++ b/stable/concourse/templates/web-deployment.yaml
@@ -39,6 +39,10 @@ spec:
 - "--aws-ssm-region"
 - "$(CONCOURSE_AWS_SSM_REGION)"
 {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.enabled }}
+ - "--aws-secretsmanager-region"
+ - "$(CONCOURSE_AWS_SECRETSMANAGER_REGION)"
+ {{- end }}
 {{- if .Values.web.metrics.datadog.enabled }}
 - "--datadog-agent-host"
 - "$(CONCOURSE_DATADOG_AGENT_HOST)"
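Review bot: The new values keys are spelled `secrets.awsSecretsmanagerAccessKey` / `awsSecretsmanagerSecretKey` / `awsSecretsmanagerSessionToken` (lowercase m) while the feature's own section is `credentialManager.awsSecretsManager` (capital M), so the two halves of one feature disagree and are easy to mistype; `secrets.awsSecretsManagerAccessKey` and friends would match. The two `default ""` entries also mean a release that leaves the keys commented out, as values.yaml ships them, still carries empty `aws-secretsmanager-access-key` / `aws-secretsmanager-secret-key` entries that the deployment injects as empty environment variables; whether Concourse then ignores them and falls back to the node's IAM role is not visible here and deserves a sentence in the README, which currently states only that credentials are required. The `data:` mapping of secrets.yaml begins and ends outside the hunk.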
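Review bot: The `--aws-secretsmanager-region` flag is emitted whenever the manager is enabled, but `CONCOURSE_AWS_SECRETSMANAGER_REGION` is defined in the env hunk only when `credentialManager.awsSecretsManager.region` is set, so with region left unset (the README calls it optional) the container is started with the literal string `$(CONCOURSE_AWS_SECRETSMANAGER_REGION)` as its region, because Kubernetes leaves an unresolvable `$(VAR)` reference untouched. Either nest the two flag lines under `{{- if .Values.credentialManager.awsSecretsManager.region }}` as the env var already is, or document region as required; the `--aws-ssm-region` lines just above appear to follow the same pattern and may share the problem, though their guard is outside the hunk. The `args` list begins outside the hunk.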
@@ -263,6 +267,37 @@ spec:
 value: {{ .Values.credentialManager.ssm.teamSecretTemplate | quote }}
 {{- end }}
 {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.enabled }}
+ - name: CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.concourse.fullname" . }}
+ key: aws-secretsmanager-access-key
+ - name: CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.concourse.fullname" . }}
+ key: aws-secretsmanager-secret-key
+ {{- if .Values.secrets.awsSsmSessionToken }}
+ - name: CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.concourse.fullname" . }}
+ key: aws-secretsmanager-session-token
+ {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.region }}
+ - name: CONCOURSE_AWS_SECRETSMANAGER_REGION
+ value: {{ .Values.credentialManager.awsSecretsManager.region | quote }}
+ {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.pipelineSecretTemplate }}
+ - name: CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE
+ value: {{ .Values.credentialManager.awsSecretsManager.pipelineSecretTemplate | quote }}
+ {{- end }}
+ {{- if .Values.credentialManager.awsSecretsManager.teamSecretTemplate }}
+ - name: CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE
+ value: {{ .Values.credentialManager.awsSecretsManager.teamSecretTemplate | quote }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.web.metrics.prometheus.enabled }}
 - name: CONCOURSE_PROMETHEUS_BIND_IP
 value: "0.0.0.0"
diff --git a/stable/concourse/values.yaml b/stable/concourse/values.yaml
index 338efedd790d..ffbc7cca99f4 100644
--- a/stable/concourse/values.yaml
+++ b/stable/concourse/values.yaml
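Review bot: The session-token env var is guarded by `{{- if .Values.secrets.awsSsmSessionToken }}`, a leftover from the SSM block, while secrets.yaml in this same commit writes `aws-secretsmanager-session-token` only when `secrets.awsSecretsmanagerSessionToken` is set. A user who sets only the Secrets Manager token therefore never receives `CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN` and the temporary credentials fail to authenticate, and a user who sets only the SSM token gets a `secretKeyRef` to a key that does not exist in the Secret, so the web pod cannot start. The guard should read `{{- if .Values.secrets.awsSecretsmanagerSessionToken }}`. The `env` list begins and ends outside the hunk.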
@@ -538,6 +538,26 @@ credentialManager:
 ##
 # teamSecretTemplate: ''
+ ## Configuration for AWS Secrets Manager as the Credential Manager. Supported in Concourse 3.11.0.
+ ##
+ awsSecretsManager:
+
+ ## Enable the use of AWS Secrets Manager.
+ ##
+ enabled: false
+
+ ## AWS region to use when reading from Secrets Manager
+ ##
+ # region:
+
+ ## pipeline-specific template for Secrets Manager parameters, defaults to: /concourse/{team}/{pipeline}/{secret}
+ ##
+ # pipelineSecretTemplate:
+
+ ## team-specific template for Secrets Manager parameters, defaults to: /concourse/{team}/{secret}
+ ##
+ # teamSecretTemplate: ''
+
 ## Configuration for Hashicorp Vault as the Credential Manager.
 ##
 vault:
@@ -698,6 +718,11 @@ secrets:
 # awsSsmSecretKey:
 # awsSsmSessionToken:
+ ## Secrets for Secrets Manager AWS access
+ # awsSecretsmanagerAccessKey:
+ # awsSecretsmanagerSecretKey:
+ # awsSecretsmanagerSessionToken:
+
 ## Secrets for Concourse basic auth
 ##
 basicAuthUsername: concourse
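Review bot: The README table added in this commit documents these keys as `credentialManager.awsSecretsManager.pipelineSecretsTemplate` and `teamSecretsTemplate`, but the keys defined here and read by web-deployment.yaml are `pipelineSecretTemplate` and `teamSecretTemplate` (the README prose uses the latter), so a value copied from the table is silently ignored; the table rows should be corrected to the singular form. The two template comments also describe the secret names as "Secrets Manager parameters", which is Parameter Store wording carried over from the SSM block, and the commented defaults differ in form (`# pipelineSecretTemplate:` versus `# teamSecretTemplate: ''`); `## Pipeline-specific template for Secrets Manager secrets, defaults to: /concourse/{team}/{pipeline}/{secret}` with matching empty-string defaults would be consistent. In the second hunk the new `## Secrets for Secrets Manager AWS access` block omits the trailing `##` line that the sibling blocks in `secrets:` use. Both enclosing mappings begin outside their hunks.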