mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
00249f1d43
* Create scorecard.yml Adds a scorecard workflow to regularly check the repo. See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
3 KiB
3 KiB
Yandex Lockbox
External Secrets Operator integrates with Yandex Lockbox for secret management.
Prerequisites
Authentication
At the moment, authorized key authentication is only supported:
- Create a service account in Yandex.Cloud:
yc iam service-account create --name eso-service-account
- Create an authorized key for the service account and save it to
authorized-key.json
file:
yc iam key create \
--service-account-name eso-service-account \
--output authorized-key.json
- Create a k8s secret containing the authorized key saved above:
kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
- Create a SecretStore pointing to
yc-auth
k8s secret:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secret-store
spec:
provider:
yandexlockbox:
auth:
authorizedKeySecretRef:
name: yc-auth
key: authorized-key
NOTE: In case of a ClusterSecretStore
, Be sure to provide namespace
in all authorizedKeySecretRef
with the namespace where the secret resides.
Creating external secret
To make External Secrets Operator sync a k8s secret with a Lockbox secret:
- Create a Lockbox secret, if not already created:
yc lockbox secret create \
--name lockbox-secret \
--payload '[{"key": "password","textValue": "p@$$w0rd"}]'
- Assign the
lockbox.payloadViewer
role for accessing thelockbox-secret
payload to the service account used for authentication:
yc lockbox secret add-access-binding \
--name lockbox-secret \
--service-account-name eso-service-account \
--role lockbox.payloadViewer
Run the following command to ensure that the correct access binding has been added:
yc lockbox secret list-access-bindings --name lockbox-secret
- Create an ExternalSecret pointing to
secret-store
andlockbox-secret
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: external-secret
spec:
refreshInterval: 1h
secretStoreRef:
name: secret-store
kind: SecretStore
target:
name: k8s-secret # the target k8s secret name
data:
- secretKey: password # the target k8s secret key
remoteRef:
key: ***** # ID of lockbox-secret
property: password # (optional) payload entry key of lockbox-secret
The operator will fetch the Yandex Lockbox secret and inject it as a Kind=Secret
kubectl get secret k8s-secret -n <namespace> | -o jsonpath='{.data.password}' | base64 -d