mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00

Adding notes on configuring ClusterSecretStores for every provider

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
This commit is contained in:
Gustavo Carvalho 2022-02-03 08:39:46 -03:00
parent c99236334c
commit 696a9e9c92
17 changed files with 23 additions and 12 deletions

View file

@ -40,7 +40,7 @@ Be sure the `akeyless` provider is listed in the `Kind=SecretStore` and the `ake
```yaml
{% include 'akeyless-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `accessID`, `accessType` and `accessTypeParam` with the namespaces where the secrets reside.
### Creating external secret
To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=ExternalSecret` is needed.
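Review bot: the new NOTE tells `ClusterSecretStore` users to set `namespace` on `accessID`, `accessType` and `accessTypeParam`, but it does not say what happens when the field is left empty on a cluster-scoped store, nor whether a namespaced `SecretStore` may set it; state both outcomes explicitly so a reader does not assume the lookup silently falls back to the controller's own namespace. Two style points for the whole commit, since the same sentence is pasted into every provider page: "Be sure" after a comma reads as a new sentence and should be lower-case, and the note alternates between "provide `namespace` for ..." here and "provide `namespace` in ..." in the AWS hunks below; pick one preposition.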
@ -49,6 +49,7 @@ To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=E
{% include 'akeyless-external-secret.yaml' %}
```
#### Using DataFrom
DataFrom can be used to get a secret as a JSON string and attempt to parse it.

View file

@ -11,6 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary.
``` yaml
{% include 'aws-parameter-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef` with the namespaces where the secrets reside.
!!! warning "API Pricing & Throttling"
The SSM Parameter Store API is charged by throughput and
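Review bot: the sentence above the hunk motivates a namespaced `SecretStore` as a least-privilege boundary ("users of the `SecretStore` can only access the secrets necessary"), so the `ClusterSecretStore` note should carry the matching caveat: the `accessKeyIDSecretRef` / `secretAccessKeySecretRef` secrets it points at become usable from every namespace that references the store, so they belong in a namespace ordinary tenants cannot read or write, not wherever the store author happens to be working. One sentence to that effect here (and in the Secrets Manager page, which repeats the note verbatim) would turn a configuration hint into a security instruction.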

View file

@ -11,7 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary.
``` yaml
{% include 'aws-sm-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef` with the namespaces where the secrets reside.
### IAM Policy
Create a IAM Policy to pin down access to secrets matching `dev-*`.

View file

@ -31,6 +31,7 @@ Be sure the `azurekv` provider is listed in the `Kind=SecretStore`
```yaml
{% include 'azkv-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `clientId` and `clientSecret` with the namespaces where the secrets reside.
Or in case of Managed Idenetity authentication:
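Review bot: the note covers only the `clientId` / `clientSecret` service-principal path, but the very next line introduces the Managed Identity variant; say whether the `namespace` requirement applies there too (there is no `clientSecret` to reference in that mode) so a `ClusterSecretStore` reader is not left looking for a field to fill in. While on this line, "Idenetity" in the context line is a typo for "Identity".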

View file

@ -27,6 +27,7 @@ Be sure the `gitlab` provider is listed in the `Kind=SecretStore` and the Projec
```yaml
{% include 'gitlab-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessToken` with the namespace where the secret resides.
Your project ID can be found on your project's page.
![projectID](./pictures/screenshot_gitlab_projectID.png)

View file

@ -84,7 +84,6 @@ You can use [GCP Service Account](https://cloud.google.com/iam/docs/service-acco
{% include 'gcpsm-credentials-secret.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created.
#### Update secret store
Be sure the `gcpsm` provider is listed in the `Kind=SecretStore`
@ -93,6 +92,8 @@ Be sure the `gcpsm` provider is listed in the `Kind=SecretStore`
{% include 'gcpsm-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created.
#### Creating external secret
To create a kubernetes secret from the GCP Secret Manager secret a `Kind=ExternalSecret` is needed.
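Review bot: the moved note names the field as `SecretAccessKeyRef`, which does not match the lower-camel-case field names quoted everywhere else in this commit (`accessKeyIDSecretRef`, `secretAccessKeySecretRef`, `secretApiKeySecretRef`); check it against the actual key in `gcpsm-secret-store.yaml` and quote that name, since the reader will search the YAML for it. Moving the note from after the credentials Secret to after the store include is fine, but "the secret that we just created" now refers back across the store manifest; "the credentials Secret created above" reads more clearly.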

View file

@ -26,7 +26,6 @@ spec:
# https://www.vaultproject.io/docs/auth/token
tokenSecretRef:
name: "vault-token"
namespace: "default"
key: "token"
---
apiVersion: v1
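Review bot: dropping the hard-coded `namespace: "default"` from `tokenSecretRef` is the right move for a namespaced `SecretStore`, but it now relies on the Secret manifest that follows (`apiVersion: v1` ...) being created in the same namespace as the store; add a sentence saying so, otherwise the reference silently stops resolving for anyone who applies the two manifests into different namespaces.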
@ -36,6 +35,7 @@ metadata:
data:
token: cm9vdA== # "root"
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `tokenSecretRef` with the namespace of the secret that we just created.
Then create a simple k/v pair at path `secret/foo`:
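Review bot: the note says "the secret that we just created", but this hunk only shows `data: token: cm9vdA== # "root"`; the Secret's `metadata` (and therefore its namespace) is outside the hunk, so for the `ClusterSecretStore` case the note should tell the reader to set `metadata.namespace` on that Secret to the same value they put in `tokenSecretRef.namespace`. Since the example encodes Vault's root token, a one-line warning belongs here as well: a `ClusterSecretStore` backed by a root token hands every namespace that can reference the store full Vault access, which is acceptable for the dev walkthrough but should be said out loud.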
@ -92,6 +92,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau
```yaml
{% include 'vault-token-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `tokenSecretRef` with the namespace where the secret resides.
#### AppRole authentication example
@ -101,6 +102,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau
```yaml
{% include 'vault-approle-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
#### Kubernetes authentication
@ -115,6 +117,7 @@ options of optaining credentials for vault:
```yaml
{% include 'vault-kubernetes-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `serviceAccountRef` or in `secretRef`, if used.
#### LDAP authentication
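Review bot: "provide `namespace` in `serviceAccountRef` or in `secretRef`, if used" leaves out what the namespace means in the `serviceAccountRef` case: it is the namespace of the ServiceAccount whose identity is presented to Vault, so it has to be one of the namespaces the Vault Kubernetes auth role is bound to, not just a lookup hint for the controller. Saying that explicitly will save readers a confusing "permission denied" from Vault. The context line "options of optaining credentials" has a typo for "obtaining".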
@ -126,6 +129,7 @@ in a `Kind=Secret` referenced by the `secretRef`.
```yaml
{% include 'vault-ldap-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
#### JWT/OIDC authentication
@ -137,6 +141,7 @@ or `Kind=ClusterSecretStore` resource.
```yaml
{% include 'vault-jwt-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
### Vault Enterprise and Eventual Consistency

View file

@ -40,6 +40,7 @@ Be sure the `ibm` provider is listed in the `Kind=SecretStore`
```yaml
{% include 'ibm-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretApiKeySecretRef` with the namespace where the secret resides.
To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
Note: Use the url without the `/api` suffix that is presented in the UI.
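Review bot: this page now has two note styles back to back, the bold `**NOTE:**` added by the hunk and the pre-existing plain `Note:` two lines below; unify them, and consider placing the new note after the serviceURL instructions so the `Kind=SecretStore` configuration steps stay contiguous.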

View file

@ -38,6 +38,7 @@ Be sure the `oracle` provider is listed in the `Kind=SecretStore`.
{% include 'oracle-secret-store.yaml' %}
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `privatekey` and `fingerprint` with the namespaces where the secrets reside.
### Creating external secret
To create a kubernetes secret from the Oracle Cloud Interface secret a`Kind=ExternalSecret` is needed.
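Review bot: the note lists `privatekey` and `fingerprint` as the two references that need a `namespace`; confirm those are the only secret-backed fields in `oracle-secret-store.yaml`, since the API key material for OCI normally comes as a private key plus fingerprint plus user/tenancy OCIDs, and if any of the latter are also read from a Secret they need the same treatment. The context line below has two pre-existing slips worth fixing in the same pass: "Oracle Cloud Interface" should be "Oracle Cloud Infrastructure", and "a`Kind=ExternalSecret`" is missing a space.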

View file

@ -38,6 +38,8 @@ data:
NB: This is obviously not practical because it just returns the key as the result, but it shows how it works
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `secrets` references with the namespaces where the secrets reside.
Now create an ExternalSecret that uses the above SecretStore:
```yaml
@ -107,14 +109,14 @@ spec:
# Use this name to refer to this secret in templating, above
- name: <name>
secretRef:
namespace: <namespace>
namespace: <namespace> # Only used in ClusterSecretStores
name: <name>
# Add CAs here for the TLS handshake
caBundle: <base64 encoded cabundle>
caProvider:
type: Secret or COnfigMap
name: <name of secret or configmap>
namespace: <namespace>
namespace: <namespace> # Only used in ClusterSecretStores
key: <key inside secret>
```
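Review bot: the `# Only used in ClusterSecretStores` comment on `caProvider.namespace` shows that the CA bundle Secret/ConfigMap also takes a namespace, but the NOTE added earlier on this page only mentions "all `secrets` references"; add `caProvider` to that note. The comment itself is ambiguous about the namespaced case: say whether a `namespace` set on a plain `SecretStore` is ignored or rejected, because a reader who copies this reference block into a `SecretStore` will hit one or the other. Also "COnfigMap" in the context line is a typo for "ConfigMap".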

View file

@ -39,6 +39,7 @@ spec:
key: authorized-key
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `authorizedKeySecretRef` with the namespace where the secret resides.
### Creating external secret
To make External Secrets Operator sync a k8s secret with a Lockbox secret:
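Review bot: "in all `authorizedKeySecretRef`" pairs a plural "all" with a single field name, and the example above shows exactly one reference; "in `authorizedKeySecretRef`" is enough.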

View file

@ -50,6 +50,7 @@ spec:
name: awssm-secret
key: secret-access-key
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef`, `secretAccessKeySecretRef` with the namespaces where the secrets reside.
### EKS Service Account credentials
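Review bot: the note is prose only, while the example just above ends with `name: awssm-secret` / `key: secret-access-key` and no `namespace:`; since this is the page readers copy from, show the field in the YAML (commented as `ClusterSecretStore` only, the way the webhook example annotates its namespace fields) rather than describing it in a sentence below the block.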
@ -86,3 +87,4 @@ spec:
serviceAccountRef:
name: my-serviceaccount
```
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `serviceAccountRef` with the namespace where the service account resides.
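Review bot: for the `serviceAccountRef` case the namespace is not just where the controller looks up the ServiceAccount; together with `name: my-serviceaccount` it is the identity the IAM role trust policy binds, and every namespace that references the `ClusterSecretStore` then acts as that identity. The note should say that choosing this namespace is a security decision and that the referenced ServiceAccount should live somewhere tenants cannot create or modify it.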

View file

@ -21,5 +21,4 @@ spec:
# Reference to a key in a K8 Secret that contains the App Role SecretId
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "secret-id"
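Review bot: removing `namespace: "secret-admin"` from `secretRef` leaves this example valid only for a namespaced `SecretStore`, while the Vault page that includes it now tells `ClusterSecretStore` users to add exactly that field; keep it visible as a commented-out line, for example `# namespace: "secret-admin" # Only used in ClusterSecretStores`, mirroring the annotation style used in the webhook reference block, so the reader sees where the field goes. The same applies to the jwt, kubernetes, ldap and token example files in the hunks that follow.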

View file

@ -19,5 +19,4 @@ spec:
role: "vault-jwt-role"
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "jwt-token"

View file

@ -22,10 +22,8 @@ spec:
# of a kubernetes ServiceAccount
serviceAccountRef:
name: "my-sa"
namespace: "secret-admin"
# Optional secret field containing a Kubernetes ServiceAccount JWT
# used for authenticating with Vault
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault"
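Review bot: this file drops the namespace from both `serviceAccountRef` and the "Optional secret field containing a Kubernetes ServiceAccount JWT" `secretRef`, and the two fields mean different things: on `serviceAccountRef` the namespace selects which ServiceAccount identity is presented to Vault, whereas on `secretRef` it only locates the Secret holding a token whose own namespace is already encoded in the JWT. The Vault page note ("in `serviceAccountRef` or in `secretRef`, if used") treats them the same; a short comment on each field here would prevent readers from assuming that changing `secretRef.namespace` changes the identity Vault sees.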

View file

@ -19,5 +19,4 @@ spec:
username: "username"
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "ldap-password"

View file

@ -14,5 +14,4 @@ spec:
# https://www.vaultproject.io/docs/auth/token
tokenSecretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault-token"