This repository was archived by the owner on Jul 26, 2022. It is now read-only.

Commit 03f5c65

feat(aws): allow custom endpoints for aws services (#602)
* allow custom endpoints for aws services
  Signed-off-by: S.Cavallo <[email protected]>
* camel case variables
  Signed-off-by: S.Cavallo <[email protected]>
* documentation for custom endpoints
  Signed-off-by: smcavallo <[email protected]>
1 parent 7618898 commit 03f5c65

3 files changed

+26
-0
lines changed

README.md

+6
@@ -79,6 +79,12 @@ Access to AWS secrets backends (SSM & secrets manager) can be granted in various
7979

8080
4. Directly provide AWS access credentials to the `kubernetes-external-secrets` pod by environmental variables.
8181

82+
5. Optionally configure custom endpoints using environment variables
83+
* [AWS_SM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/asm.html) - Useful to set endpoints for FIPS compliance.
84+
* [AWS_STS_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/sts.html) - Useful to set endpoints for FIPS compliance or regional latency.
85+
* [AWS_SSM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/ssm.html) - Useful to set endpoints for FIPS compliance or custom VPC endpoint.
86+
87+
8288
##### Using AWS access credentials
8389

8490
Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in the `kubernetes-external-secrets` session/pod.
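Review bot: the new item 5 and its three bullets (lines 82-85) never say what form the value takes, and lines 86-87 add two consecutive blank lines before the `##### Using AWS access credentials` heading where the rest of the section uses one. Suggest stating that each variable is a full URL including scheme, e.g. `5. Optionally configure custom endpoints using environment variables (full URL, e.g. https://sts-fips.us-east-1.amazonaws.com)`, and, since the stated purpose is FIPS compliance, saying explicitly that the URL must be `https://`, because a plain `http://` value directs the SDK to connect without TLS. Drop one of the two blank lines.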

charts/kubernetes-external-secrets/values.yaml

+4
@@ -26,6 +26,10 @@ env:
2626
# Set a role to be used when assuming roles specified in external secret (AWS only)
2727
# AWS_INTERMEDIATE_ROLE_ARN:
2828
# GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json
29+
# Use custom endpoints for FIPS compliance
30+
# AWS_STS_ENDPOINT: https://sts-fips.us-east-1.amazonaws.com
31+
# AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com
32+
# AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com
2933

3034
# Create environment variables from existing k8s secrets
3135
# envVarsFromSecret:
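Review bot: lines 31 and 32 give `http://` URLs for the SSM and Secrets Manager FIPS endpoints while line 30 uses `https://` for STS; the comment on line 29 says these exist for FIPS compliance, and an `http://` endpoint tells the SDK to send the request (and the returned parameter or secret values) without TLS, which is the opposite of the goal. The commented examples should read `# AWS_SSM_ENDPOINT: https://ssm-fips.us-east-1.amazonaws.com` and `# AWS_SM_ENDPOINT: https://secretsmanager-fips.us-east-1.amazonaws.com`, otherwise anyone uncommenting them as-is gets a non-TLS configuration.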

config/aws-config.js

+16
@@ -18,13 +18,29 @@ const localstack = process.env.LOCALSTACK || 0
1818

1919
const intermediateRole = process.env.AWS_INTERMEDIATE_ROLE_ARN || 0
2020

21+
const stsEndpoint = process.env.AWS_STS_ENDPOINT || 0
22+
const ssmEndpoint = process.env.AWS_SSM_ENDPOINT || 0
23+
const smEndpoint = process.env.AWS_SM_ENDPOINT || 0
24+
2125
let secretsManagerConfig = {}
2226
let systemManagerConfig = {}
2327
let stsConfig = {
2428
region: process.env.AWS_REGION || 'us-west-2',
2529
stsRegionalEndpoints: process.env.AWS_STS_ENDPOINT_TYPE || 'regional'
2630
}
2731

32+
if (smEndpoint) {
33+
secretsManagerConfig.endpoint = smEndpoint
34+
}
35+
36+
if (ssmEndpoint) {
37+
systemManagerConfig.endpoint = ssmEndpoint
38+
}
39+
40+
if (stsEndpoint) {
41+
stsConfig.endpoint = stsEndpoint
42+
}
43+
2844
if (localstack) {
2945
secretsManagerConfig = {
3046
endpoint: process.env.LOCALSTACK_SM_URL || 'http://localhost:4584',
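Review bot: the three endpoint overrides on lines 32-42 run before the `if (localstack)` block on line 44, which reassigns `secretsManagerConfig = { ... }` wholesale (lines 45-46), so when `LOCALSTACK` is set an `AWS_SM_ENDPOINT` value is silently discarded. If localstack is meant to take precedence, add a comment saying so; otherwise move the three `if` blocks below the localstack block, or fold the override into it, e.g. `endpoint: smEndpoint || process.env.LOCALSTACK_SM_URL || 'http://localhost:4584'`. Separately, nothing validates the endpoint strings: a `console.warn` when a configured endpoint does not start with `https://` would catch the `http://` examples shipped in values.yaml in this same commit before credentials are sent over a plaintext connection. The `|| 0` sentinel on lines 21-23 mirrors `intermediateRole` on line 19 and is fine, but `|| undefined` would read more naturally for a string-valued setting.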

0 commit comments