A tool used to retrieve and inject secrets from AWS SSM Parameter Store into helm value files.
Idea modified from: https://github.com/totango/helm-ssm
$ helm plugin install https://github.com/callrail/helm-ssm
$ helm plugin update ssm
In any non-default values file, replace values of secrets with the ssm keywords ssm, ssm-path, and ssm-path-prefix as shown below.
Replace a value-file value with a value from SSM Parameter Store:
mySecret: {{ssm <my-ssm-parameter-name>}}
Then run your helm install/update command as usual, but with helm ssm instead of just helm.
For example,
$ helm ssm install my-release my-chart -f my-values-file.yaml
Note: You will need to run your helm command using credentials with access to SSM in the AWS account in which the parameter lives.
You can also include a map of key/value pairs by specifying a path that holds multiple parameters.
For example, say you have the following parameters in SSM:
/prod-config/example/secret-key-1 => "value-1"
/prod-config/example/secret-key-2 => "value-2"
/prod-config/example/secret-key-3 => "value-3"
Then the following values file will result in a dictionary of the key/value pairs.
myConfig: {{ssm-path /prod-config/example}}
=> becomes =>
myConfig: {secret-key-1: "value-1", secret-key-2: "value-2", secret-key-3: "value-3"}
Let's say I want to include multiple parameter paths that have a common prefix. For example,
/prod-config/prod_hosts/host_1_key => "secret-value"
/prod-config/prod_hosts/host_2_key => "secret-value"
/prod-config/api_tokens/app_1_token => "secret-value"
/prod-config/api_tokens/app_2_token => "secret-value"
/prod-config/api_tokens/app_3_token => "secret-value"
/prod-config/database_urls/db_url => "secret-value"
Then the following values file will result in a list of dictionaries of the key/value pairs.
myConfig: {{ssm-path-prefix /prod-config/}}
- prod_hosts
- api_tokens
- database_urls
{{end}}
=> becomes =>
myConfig:
- {host_1_key: "secret-value", host_2_key: "secret-value"}
- {app_1_token: "secret-value", app_2_token: "secret-value", app_3_token: "secret-value"}
- {db_url: "secret-value"}
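Because the helm command runs with credentials that can read SSM, it helps to know exactly which parameter names and paths a values file will request, so that read access can be scoped to those and nothing broader. The following is an added example, not code from this plugin: RequiredSSM, keywordRe and sampleValues are hypothetical names, and the parsing is a reading of the keyword syntax shown above rather than the plugin's own parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches the three keywords shown above (a reading of the documented
// syntax, not the plugin's own parser).
var keywordRe = regexp.MustCompile(`\{\{\s*(ssm-path-prefix|ssm-path|ssm)\s+([^\s}]+)\s*\}\}`)

// RequiredSSM lists the parameter names and parameter paths a values file
// asks the plugin to read.
func RequiredSSM(values string) (params, paths []string) {
	prefix := "" // set while inside an ssm-path-prefix ... {{end}} block
	for _, line := range strings.Split(values, "\n") {
		item := strings.TrimSpace(line)
		switch m := keywordRe.FindStringSubmatch(line); {
		case prefix != "" && item == "{{end}}":
			prefix = ""
		case prefix != "" && strings.HasPrefix(item, "- "):
			paths = append(paths, strings.TrimSuffix(prefix, "/")+"/"+strings.TrimSpace(item[2:]))
		case prefix != "" || m == nil:
			// list filler or a line with no keyword
		case m[1] == "ssm":
			params = append(params, m[2])
		case m[1] == "ssm-path":
			paths = append(paths, m[2])
		default: // ssm-path-prefix opens a block of sub-paths
			prefix = m[2]
		}
	}
	return params, paths
}

// Constructed sample built from the snippets in this README.
const sampleValues = `mySecret: {{ssm test-secret-value}}
myConfig: {{ssm-path /prod-config/example}}
hosts: {{ssm-path-prefix /prod-config/}}
  - prod_hosts
  - api_tokens
{{end}}`

func main() {
	params, paths := RequiredSSM(sampleValues)
	fmt.Println("single parameters:", params)
	fmt.Println("parameter paths:", paths)
}
```

The two returned lists can be compared against the resources named in the IAM policy attached to the deploy credentials.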
This testing setup assumes you have the following parameters in SSM:
test-secret-value: (value can be anything)
/test-secret-group/value1: (value can be anything)
/test-secret-group/value2: (value can be anything)
/test-secret-group-2/config1/c1key1: (value can be anything)
/test-secret-group-2/config2/c2key1: (value can be anything)
/test-secret-group-2/config2/c2key2: (value can be anything)
...
(as many as you want under the path /test-secret-group/)
$ go run main.go install testing ./tests/testchart/ -f tests/testchart/override-values.yaml --dry-run --debug