Confd on Business Information Technology Services https://www.bitservices.io/categories/confd/ Recent content in Confd on Business Information Technology Services Hugo -- gohugo.io en BITServices Ltd Mon, 06 Aug 2018 19:22:56 +0100 Using confd to Inject Secrets into Kubernetes Pods https://www.bitservices.io/blog/confd-kubernetes/ Mon, 06 Aug 2018 19:22:56 +0100 https://www.bitservices.io/blog/confd-kubernetes/ <h1 id="introduction">Introduction </h1><p>Whilst using Kubernetes over the past few months, one challenge I repeatedly faced was to get secrets - such as passwords, SSH keys or certificate keys - securely into applications running on Kubernetes.</p> <p>Whilst this is quite easy if the container image is under your full control, to achieve this with an &lsquo;off the shelf&rsquo; image is a little more tricky.</p> <p>One tool I came across recently was <strong><a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a></strong> - which has helped a lot with this challenge and below I will outline how.</p> <h1 id="confd-basics">confd Basics </h1><p><a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> is a tool for rendering configuration files from predefined templates using values (secrets) that are stored in a backend. A backend could be <a class="link" href="https://coreos.com/etcd/" target="_blank" rel="noopener" >etcd</a>, Amazon <a class="link" href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html" target="_blank" rel="noopener" >SSM Parameter Store</a>, Hashicorp <a class="link" href="https://www.vaultproject.io/" target="_blank" rel="noopener" >Vault</a> or many others.</p> <p>The examples below will be using the Amazon <a class="link" href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html" target="_blank" rel="noopener" >SSM Parameter Store</a> backend. For Kubernetes clusters running on AWS this works really well as Amazon <a class="link" href="https://aws.amazon.com/iam/" target="_blank" rel="noopener" >IAM</a> roles can be used, mitigating the use for storing the backend password anywhere.</p> <p>I won&rsquo;t go into too much detail on the basics of <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a>. I would recommend you look at the below links:</p> <ul> <li><a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd Github Page</a></li> <li><a class="link" href="https://github.com/kelseyhightower/confd/blob/master/docs/quick-start-guide.md" target="_blank" rel="noopener" >confd Quick Start Guide</a></li> </ul> <h1 id="confd-image">confd Image </h1><p>First a Docker container that has <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> available will be required. At the time of writing I could not find an official image available - so baked my own. This should be a simple and small image, based on something like <a class="link" href="https://alpinelinux.org/" target="_blank" rel="noopener" >Alpine Linux</a> with only <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> installed and not much else.</p> <span style="color: #ff3333;">Since creating this guide, many better ways of handling secrets in Kubernetes are available such as CSI drivers and the use of Terraform with Kubernetes secrets. Due to this and the fact confd has not had a release since 2018 the pre-baked images are no longer available.</span> <h1 id="example-1-injecting-secrets-into-environment">Example 1: Injecting Secrets into Environment </h1><p>Many &lsquo;off the shelf&rsquo; images allow for loading secrets from environment variables. One example of this is <a class="link" href="https://grafana.com/" target="_blank" rel="noopener" >Grafana</a>.</p> <h2 id="starting-example">Starting Example </h2><p>Lets start with injecting secrets as simply as possible - plain text in the deployment spec:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">imagePullPolicy</span>: <span style="color:#ae81ff">IfNotPresent</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">image</span>: <span style="color:#e6db74">&#34;grafana/grafana:latest&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">GF_SECURITY_ADMIN_USER</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#ae81ff">admin</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">GF_SECURITY_ADMIN_PASSWORD</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#ae81ff">supersecurepassword123</span></span></span></code></pre></div> <p>We want the Grafana image to get the secrets above, by itself, without having to manage the Grafana image ourselves.</p> <h2 id="add-the-secrets-to-amazon-ssm-parameter-store">Add the Secrets to Amazon SSM Parameter Store </h2><p>Add the two secrets to the Amazon SSM Parameter store using the AWS console.</p> <ul> <li><code>/grafana-username</code>: the Grafana administrators username</li> <li><code>/grafana-password</code>: the Grafana administrators password</li> </ul> <h2 id="create-an-amazon-iam-role">Create an Amazon <a class="link" href="https://aws.amazon.com/iam/" target="_blank" rel="noopener" >IAM</a> Role </h2><p>To allow the containers to access the SSM Parameters, they need to be granted access by IAM.</p> <p>In addition, access to decrypt using the Amazon <a class="link" href="https://aws.amazon.com/kms/" target="_blank" rel="noopener" >KMS</a> key used to encypt the parameters will also need to be granted.</p> <p>Example (do not copy and paste!):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Version&#34;</span>: <span style="color:#e6db74">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Effect&#34;</span>: <span style="color:#e6db74">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Action&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;ssm:GetParameter&#34;</span> </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;arn:aws:ssm:eu-west-1:123456123:parameter/grafana-username&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;arn:aws:ssm:eu-west-1:123456123:parameter/grafana-password&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Effect&#34;</span>: <span style="color:#e6db74">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Action&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;kms:Decrypt&#34;</span> </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Resource&#34;</span>: <span style="color:#e6db74">&#34;arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>}</span></span></code></pre></div> <h2 id="confd-configurations">confd Configurations </h2><p><a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> uses TOML configuration files to define what you want it to process. The below TOML will process template <code>grafana.env.tmpl</code> (defined later) and put the output in <code>/shared-config/grafana.env</code> with mode <code>0400</code>. As Grafana by default runs as UID:GID <code>472:472</code> we make sure the environment file is owned by the same user &amp; group.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-configs</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">monitoring</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">grafana.env.toml</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> [template] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> src = &#34;grafana.env.tmpl&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> dest = &#34;/shared-config/grafana.env&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> uid = 472 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> gid = 472 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mode = &#34;0400&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> keys = [ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;/grafana-username&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;/grafana-password&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ]</span> </span></span></code></pre></div> <h2 id="confd-templates">confd Templates </h2><p>The templates are the configuration files to render. As we want to set environment variables, the following template works well:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-templates</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">monitoring</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">grafana.env.tmpl</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> export GF_SECURITY_ADMIN_USER=&#34;{{ getv &#34;/grafana-username&#34; }}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> export GF_SECURITY_ADMIN_PASSWORD=&#34;{{ getv &#34;/grafana-password&#34; }}&#34;</span> </span></span></code></pre></div> <h2 id="override-launcher">Override Launcher </h2><p>A new launcher script should be created for the main container (Grafana in this example). The new launcher script should import rendered environment variables and then start the original entrypoint script.</p> <p>Please note the following:</p> <ul> <li>Always use <code>.</code> instead of <code>source</code>. A <strong>lot</strong> of containers do not have a full bash shell.</li> <li>Always <code>exec</code> to start the original entry point - so that it remains as PID 1.</li> <li><code>/run.sh</code> is the original entry point of the Grafana image.</li> <li>Make sure <code>&quot;${@}&quot;</code> is passed to the original entry point, so arguments still work.</li> </ul> <p>To find the original entry point of an image, download the image with <code>docker pull</code> and then use <code>docker inspect</code> to find the entry point.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-launcher</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">monitoring</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">launcher.sh</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> #!/bin/bash -e </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ############################################################################### </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> echo &#34;:: Loading extra environment variables...&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> . &#34;/shared-config/grafana.env&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ############################################################################### </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> echo &#34;:: Launching Grafana...&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> exec &#34;/run.sh&#34; &#34;${@}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ###############################################################################</span> </span></span></code></pre></div> <h2 id="modifying-the-deployment">Modifying the Deployment </h2><p>The final step is to make the Grafana deployment run <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> based on the supplied configuration before Grafana is started. To do that we use an <code>initContainer</code>.</p> <p>Notice:</p> <ul> <li>We set the region to <code>eu-west-1</code>, but you need to set this to the region your SSM parameters are stored.</li> <li>We have three volume mounts: <ul> <li><code>grafana-shared-config</code> is a shared <code>emptyDir</code> volume for the main Grafana container and the confd initContainer.</li> <li><code>grafana-confd-configs</code> will refer to the <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> configurations configuration map defined above.</li> <li><code>grafana-confd-templates</code> will refer to the <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> templates configuration map defined above.</li> </ul> </li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">initContainers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">image</span>: <span style="color:#e6db74">&#34;rlees85/secrets-loader:latest&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">command</span>: [ <span style="color:#e6db74">&#39;confd&#39;</span>, <span style="color:#e6db74">&#39;-onetime&#39;</span>, <span style="color:#e6db74">&#39;-backend&#39;</span>, <span style="color:#e6db74">&#39;ssm&#39;</span> ] </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">AWS_DEFAULT_REGION</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#ae81ff">eu-west-1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">volumeMounts</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-shared-config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mountPath</span>: <span style="color:#ae81ff">/shared-config</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-configs</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mountPath</span>: <span style="color:#ae81ff">/etc/confd/conf.d</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-templates</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mountPath</span>: <span style="color:#ae81ff">/etc/confd/templates</span></span></span></code></pre></div> <p>The <code>grafana-shared-config</code> and <code>grafana-launcher</code> mount should be added to the main Grafana container.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-shared-config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mountPath</span>: <span style="color:#ae81ff">/shared-config</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-launcher</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mountPath</span>: <span style="color:#ae81ff">/launcher</span></span></span></code></pre></div> <p>All volumes should be correctly defined in the deployment. Please note that in the particular deployment used in this example <code>grafana-config</code> was already present.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">volumes</span>: </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">configMap</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-shared-config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">emptyDir</span>: {} </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-configs</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">configMap</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">defaultMode</span>: <span style="color:#ae81ff">0400</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-configs</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-templates</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">configMap</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">defaultMode</span>: <span style="color:#ae81ff">0400</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-confd-templates</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-launcher</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">configMap</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">defaultMode</span>: <span style="color:#ae81ff">0500</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana-launcher</span></span></span></code></pre></div> <p>The initContainer needs access to Amazon SSM Parameter store. Make sure <a class="link" href="https://github.com/jtblin/kube2iam" target="_blank" rel="noopener" >kube2iam</a> is configured on the Kubernetes Cluster and add the appropriate annotation to the Grafana deployment.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">annotations</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">iam.amazonaws.com/role</span>: <span style="color:#ae81ff">grafana</span></span></span></code></pre></div> <p>Finally, we can override the Grafana containers start-up command to use the new launcher script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">grafana</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">imagePullPolicy</span>: <span style="color:#ae81ff">IfNotPresent</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">image</span>: <span style="color:#e6db74">&#34;grafana/grafana:latest&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">command</span>: [ <span style="color:#e6db74">&#39;/launcher/launcher.sh&#39;</span> ]</span></span></code></pre></div> <h2 id="conclusion">Conclusion </h2><p>The <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> initContainer now runs before Grafana starts and outputs the templated secrets to shared storage. The main Grafana container then sources these secrets from shared storage before running the original image entry point.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ kubectl -n monitoring logs grafana-7646488856-4f4gx -c grafana-confd </span></span><span style="display:flex;"><span>2018-08-06T19:34:55Z grafana-7646488856-4f4gx confd[1]: INFO Backend set to ssm </span></span><span style="display:flex;"><span>2018-08-06T19:34:55Z grafana-7646488856-4f4gx confd[1]: INFO Starting confd </span></span><span style="display:flex;"><span>2018-08-06T19:34:55Z grafana-7646488856-4f4gx confd[1]: INFO Backend source(s) set to </span></span><span style="display:flex;"><span>2018-08-06T19:34:56Z grafana-7646488856-4f4gx confd[1]: INFO Target config /shared-config/grafana.env out of sync </span></span><span style="display:flex;"><span>2018-08-06T19:34:56Z grafana-7646488856-4f4gx confd[1]: INFO Target config /shared-config/grafana.env has been updated </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>$ kubectl -n monitoring logs grafana-7646488856-4f4gx </span></span><span style="display:flex;"><span>t=2018-08-06T19:35:07+0000 lvl=info msg=&#34;Starting Grafana&#34; logger=server version=5.2.1 commit=2040f61 compiled=2018-06-29T09:17:46+0000 </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>... </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>t=2018-08-06T19:35:07+0000 lvl=info msg=&#34;Config overridden from Environment variable&#34; logger=settings var=&#34;GF_SECURITY_ADMIN_USER=admin&#34; </span></span><span style="display:flex;"><span>t=2018-08-06T19:35:07+0000 lvl=info msg=&#34;Config overridden from Environment variable&#34; logger=settings var=&#34;GF_SECURITY_ADMIN_PASSWORD=*********&#34; </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>... </span></span></code></pre></div> <h1 id="example-2-rendering-configuration-files-andor-keys">Example 2: Rendering Configuration Files and/or Keys </h1><p>Please read through example 1 first. A lot of things will not be covered again and are assumed to be already set up (SSM parameters, KMS keys and IAM permissions).</p> <p>In this example we have a much more complicated application, that requires secrets to be loaded into its configuration files. Additionally, the application integrates with other services - and therefore needs an SSH private key to be injected at run-time.</p> <h2 id="starting-example-1">Starting Example </h2><p>In this example, the deployment spec has no secrets in. The secrets are baked directly in to the image. This may be undesirable for example if the image has to pass through a pipeline - developers perhaps should not have access to production secrets.</p> <p>Let&rsquo;s say the following file is baked directly into the image:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ cat /etc/application.d/50-config.properties </span></span><span style="display:flex;"><span>mysql.db.username=application </span></span><span style="display:flex;"><span>mysql.db.password=application123 </span></span><span style="display:flex;"><span>integration.ssh-key=/etc/application/ssh.pem </span></span></code></pre></div> <p><strong>NOTE:</strong> When loading multi-line parameters (such as SSH keys) into Amazon SSM Parameter store use the CLI tool and not the console! If the console is used new lines are lost.</p> <h2 id="confd-configurations-1">confd Configurations </h2><p>In a similar fashion to the first example, we template a configuration file and SSH key based on templates to shared storage.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">application-confd-configs</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">99-secrets.properties.toml</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> [template] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> src = &#34;99-secrets.properties.tmpl&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> dest = &#34;/shared-config/99-secrets.properties&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mode = &#34;0400&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> keys = [ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;/application-db-username&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;/application-db-password&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">integration-key.pem.toml</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> [template] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> src = &#34;integration-key.pem.tmpl&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> dest = &#34;/shared-config/integration-key.pem&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mode = &#34;0400&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> keys = [ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;/application-integration-key&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ]</span> </span></span></code></pre></div> <h2 id="confd-templates-1">confd Templates </h2><p>As before, the templates referred to by the TOML configurations are defined below:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">application-confd-templates</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">99-secrets.properties.tmpl</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mysql.db.username={{ getv &#34;/application-db-username&#34; }} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mysql.db.password={{ getv &#34;/application-db-password&#34; }} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> integration.ssh-key=/shared-config/integration-key.pem</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">integration-key.pem.tmpl</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> {{ getv &#34;/application-integration-key&#34; }}</span> </span></span></code></pre></div> <h2 id="override-launcher-1">Override Launcher </h2><p>The same as the first example a new launcher script should be created for the main container. The script should import rendered configuration files into a folder that the application can pick them up.</p> <p>The extra configuration file already points to the rendered SSH key so no further action is required for the key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConfigMap</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">application-launcher</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">monitoring</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">data</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">launcher.sh</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> #!/bin/bash -e </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ############################################################################### </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> echo &#34;:: Loading extra configuration files...&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> find &#34;/shared-config&#34; -maxdepth 1 -type f -name &#34;*.properties&#34; -exec cp -sfv {} &#34;/etc/application.d/&#34; \; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ############################################################################### </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> echo &#34;:: Launching Application...&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> exec &#34;/opt/startup/startup.sh&#34; &#34;${@}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ###############################################################################</span> </span></span></code></pre></div> <p>If the image you are working with does not have <code>find</code> there are many other ways to achieve the same thing.</p> <h2 id="modifying-the-deployment-1">Modifying the Deployment </h2><p>The deployment needs to be modified the same way as in <strong>example 1</strong> above.</p> <h2 id="conclusion-1">Conclusion </h2><p>This shows even complicated configurations can be setup with <a class="link" href="https://github.com/kelseyhightower/confd" target="_blank" rel="noopener" >confd</a> whilst still using off-the-shelf images.</p> <!-- raw HTML omitted -->