* Adding the details for chef provider secret store.

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  This commit intends to add the chef provider structure to the existing list of external-secrets providers. It defines the structure of the SecretStore and ClusterSecretStore for chef Provider. The yaml resource will contain 3 important parts to identify and connect to chef server to reconcile secrets. They are:
  1. serverurl: This is the URL to the chef server.
  2. username: The username to connect to the chef server.
  3. auth: The password to connect to the chef server. It is a reference to an already existing kubernetes secret containing the password.

  This commit also contains the auto generated CRDs using the `make generate` command.

  Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>

* Implementation for Chef ESO provided

  Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>

* - implemented Chef eso, added required methods
  - added unit test cases
  - added sample documentation

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* Added Documentation for Authentication

  Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>

* added documentation for Chef eso

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* Updated chef ESO documentation

  Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>

* updated ValidateStore method signature

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* made changes in chef provider to satisfy 'make docs'

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* - updated code as per review comment, make reviewable suggestions

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* modified chef provider code as per review comment

  Issue: https://github.com/external-secrets/external-secrets/issues/2905

  Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

---------

Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>
Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
Co-authored-by: Subroto Roy <subrotoroy007@gmail.com>
Co-authored-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
Chef
The Chef External Secrets provider lets users integrate their Chef-based secret management with Kubernetes through the existing External Secrets framework.
In many enterprises, legacy applications and infrastructure are still tightly integrated with the Chef/Chef Infra Server/Chef Server Cluster for configuration and secrets management. Teams often rely on Chef data bags to securely store sensitive information such as application secrets and infrastructure configurations. These data bags serve as a centralized repository for managing and distributing sensitive data across the Chef ecosystem.
NOTE: The Chef External Secrets provider is read-only. It is designed only to fetch data from Chef data bags into Kubernetes Secrets; it never creates, updates or deletes items in the data bags.
Authentication
Every request made to the Chef Infra Server must be authenticated. Authentication uses the private key of a Chef user: the operator signs each request with that key and the Chef Server verifies the signature against the user's registered public key. The user needs appropriate permissions on the data bags containing the data to be fetched by the External Secrets Operator; because the provider only reads, read permission on those data bags is all it requires.

The following command can be used to create a Chef user:

```shell
chef-server-ctl user-create USER_NAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL 'PASSWORD' (options)
```

More details on the above command are available here: Chef User Create Option. The command returns the user's default private key (PRIVATE_KEY_VALUE), which is what the operator uses for authentication. In addition, for a Chef user that has been granted access only to the required data bags, a key pair with an expiration date can be created with the knife user key command; an expiring key limits the exposure if the Kubernetes Secret holding it is ever leaked.
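To make concrete what "authenticating with the private key" means, the following added example (written for this page; it is not the project's code and does not use its Chef client) builds and verifies the signed headers of Chef's documented authentication protocol version 1.3. Both sides are shown: `signRequest` is the client's side (what a provider does with the key stored in the Kubernetes Secret) and `verifyRequest` is what the Chef Server does with the user's public key. The key is generated on the fly, the request path is constructed, and the 15-minute timestamp window is this example's assumption.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Chef timestamps are ISO 8601 in UTC, e.g. 2024-01-01T00:00:00Z.
const chefTimeLayout = "2006-01-02T15:04:05Z"

// b64sha256 is the hash encoding protocol version 1.3 uses for the request body.
func b64sha256(s string) string {
	sum := sha256.Sum256([]byte(s))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// canonicalRequest is the exact string that gets signed. The server rebuilds it
// from the request it received, so field order and spelling must match.
func canonicalRequest(method, path, body, timestamp, userID, apiVersion string) string {
	return strings.Join([]string{
		"Method:" + strings.ToUpper(method),
		"Path:" + path,
		"X-Ops-Content-Hash:" + b64sha256(body),
		"X-Ops-Sign:version=1.3",
		"X-Ops-Timestamp:" + timestamp,
		"X-Ops-UserId:" + userID,
		"X-Ops-Server-API-Version:" + apiVersion,
	}, "\n")
}

// signRequest produces the X-Ops-* headers a client sends. The RSA-SHA256 PKCS#1 v1.5
// signature is base64-encoded and split into 60-character X-Ops-Authorization-N headers.
func signRequest(key *rsa.PrivateKey, method, path, body, userID string, now time.Time) (map[string]string, error) {
	ts := now.UTC().Format(chefTimeLayout)
	digest := sha256.Sum256([]byte(canonicalRequest(method, path, body, ts, userID, "1")))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	headers := map[string]string{
		"X-Ops-Sign":               "version=1.3",
		"X-Ops-UserId":             userID,
		"X-Ops-Timestamp":          ts,
		"X-Ops-Content-Hash":       b64sha256(body),
		"X-Ops-Server-API-Version": "1",
	}
	enc := base64.StdEncoding.EncodeToString(sig)
	for i, n := 0, 1; i < len(enc); i, n = i+60, n+1 {
		end := i + 60
		if end > len(enc) {
			end = len(enc)
		}
		headers[fmt.Sprintf("X-Ops-Authorization-%d", n)] = enc[i:end]
	}
	return headers, nil
}

// verifyRequest is the server's side: reject stale timestamps (replay), check the
// body hash, reassemble the signature and verify it with the user's public key.
func verifyRequest(pub *rsa.PublicKey, method, path, body string, headers map[string]string, now time.Time, maxSkew time.Duration) error {
	ts, err := time.Parse(chefTimeLayout, headers["X-Ops-Timestamp"])
	if err != nil {
		return fmt.Errorf("bad X-Ops-Timestamp: %w", err)
	}
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("timestamp %s outside the %s window (replay or clock drift)", ts, maxSkew)
	}
	if headers["X-Ops-Content-Hash"] != b64sha256(body) {
		return fmt.Errorf("X-Ops-Content-Hash does not match the body")
	}
	var b strings.Builder
	for n := 1; ; n++ {
		part, ok := headers[fmt.Sprintf("X-Ops-Authorization-%d", n)]
		if !ok {
			break
		}
		b.WriteString(part)
	}
	sig, err := base64.StdEncoding.DecodeString(b.String())
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	canon := canonicalRequest(method, path, body, headers["X-Ops-Timestamp"], headers["X-Ops-UserId"], headers["X-Ops-Server-API-Version"])
	digest := sha256.Sum256([]byte(canon))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not verify for user %q: %w", headers["X-Ops-UserId"], err)
	}
	return nil
}

func main() {
	// Constructed key and request: a GET of one data bag, as the provider would issue.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	path := "/organizations/testuser/data/vivid_global"
	now := time.Now()
	headers, err := signRequest(key, "GET", path, "", "user", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("verify:", verifyRequest(&key.PublicKey, "GET", path, "", headers, now, 15*time.Minute))
}
```

The signature binds the method, path, body hash, timestamp and user ID together, so possession of the private key is what grants access; a leaked key is equivalent to the Chef user's password for API purposes, which is why the Secret created in the next step deserves the same handling as any other credential.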
Create a secret containing your private key
The above user's private key has to be stored in a Kubernetes Secret resource. Example:

```shell
kubectl create secret generic chef-user-secret -n vivid --from-literal=user-private-key='PRIVATE_KEY_VALUE'
```

Anyone who can read this Secret can act as that Chef user, so restrict RBAC access to it accordingly.
Creating ClusterSecretStore
The Chef ClusterSecretStore is a cluster-scoped SecretStore that can be referenced by Chef ExternalSecrets from all namespaces. You can follow the below example to create a ClusterSecretStore resource.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vivid-clustersecretstore # name of ClusterSecretStore
spec:
  provider:
    chef:
      username: user # Chef User name
      serverUrl: https://manage.chef.io/organizations/testuser/ # Chef server URL
      auth:
        secretRef:
          privateKeySecretRef:
            key: user-private-key # name of the key inside Secret resource
            name: chef-user-secret # name of Kubernetes Secret resource containing the Chef User's private key
            namespace: vivid # the namespace in which the above Secret resource resides
```
Creating SecretStore
Chef SecretStores are bound to a namespace and cannot reference resources across namespaces. For cross-namespace SecretStores, you must use Chef ClusterSecretStores.

You can follow the below example to create a SecretStore resource.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vivid-secretstore # name of SecretStore
  namespace: vivid # required for kind: SecretStore
spec:
  provider:
    chef:
      username: user # Chef User name
      serverUrl: https://manage.chef.io/organizations/testuser/ # Chef server URL
      auth:
        secretRef:
          privateKeySecretRef:
            name: chef-user-secret # name of Kubernetes Secret resource containing the Chef User's private key
            key: user-private-key # name of the key inside Secret resource
            namespace: vivid # the namespace where the Secret containing the Chef User's private key resides; for a SecretStore this is its own namespace
```
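The two store kinds above differ only in where the private key Secret may live, and that is easy to get wrong by copy-pasting one example into the other. The following added example (illustrative Go for this page, not the project's own `ValidateStore` or API types) encodes the rules stated in these two sections as a validator over hypothetical structs that mirror `spec.provider.chef`: `username` and a usable `serverUrl` are required, the `privateKeySecretRef` needs both `name` and `key`, a ClusterSecretStore must name the Secret's namespace, and a namespaced SecretStore may not point at a Secret in another namespace. The `https` requirement is this example's own policy, added because the Chef request signature authenticates the request but does nothing to protect the data bag contents the server returns.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical structs mirroring the fields shown in the store examples on this page.
// They are illustrative and are not the project's own API types.
type SecretKeySelector struct {
	Name      string // name of the Kubernetes Secret
	Key       string // key inside that Secret
	Namespace string // empty when the field is omitted
}

type ChefAuth struct {
	PrivateKeySecretRef SecretKeySelector // auth.secretRef.privateKeySecretRef
}

type ChefProvider struct {
	Username  string
	ServerURL string
	Auth      ChefAuth
}

// validateChefStore applies the page's rules to a store of the given kind
// ("SecretStore" or "ClusterSecretStore"). storeNamespace is the store's own
// namespace and is empty for cluster-scoped stores. All problems are collected
// rather than stopping at the first, so a reviewer sees the whole picture.
func validateChefStore(kind, storeNamespace string, p ChefProvider) []error {
	var errs []error
	if p.Username == "" {
		errs = append(errs, errors.New("username is required"))
	}
	u, err := url.Parse(p.ServerURL)
	switch {
	case err != nil || u.Host == "":
		errs = append(errs, fmt.Errorf("serverUrl %q is not a valid URL", p.ServerURL))
	case u.Scheme != "https":
		// Example's own policy: the signed headers do not encrypt the response body.
		errs = append(errs, fmt.Errorf("serverUrl must use https, got %q", u.Scheme))
	}
	ref := p.Auth.PrivateKeySecretRef
	if ref.Name == "" || ref.Key == "" {
		errs = append(errs, errors.New("auth.secretRef.privateKeySecretRef needs both name and key"))
	}
	switch kind {
	case "ClusterSecretStore":
		if ref.Namespace == "" {
			errs = append(errs, errors.New("ClusterSecretStore must state the namespace of the private key Secret"))
		}
	case "SecretStore":
		if ref.Namespace != "" && ref.Namespace != storeNamespace {
			errs = append(errs, fmt.Errorf("SecretStore in %q cannot reference a Secret in %q; use a ClusterSecretStore", storeNamespace, ref.Namespace))
		}
	default:
		errs = append(errs, fmt.Errorf("unknown store kind %q", kind))
	}
	return errs
}

func main() {
	// Constructed spec matching the ClusterSecretStore example on this page.
	good := ChefProvider{
		Username:  "user",
		ServerURL: "https://manage.chef.io/organizations/testuser/",
		Auth:      ChefAuth{PrivateKeySecretRef: SecretKeySelector{Name: "chef-user-secret", Key: "user-private-key", Namespace: "vivid"}},
	}
	fmt.Println("ClusterSecretStore:", validateChefStore("ClusterSecretStore", "", good))
	crossNS := good
	crossNS.Auth.PrivateKeySecretRef.Namespace = "other"
	fmt.Println("SecretStore cross-namespace:", validateChefStore("SecretStore", "vivid", crossNS))
}
```

Running the block reports no errors for the ClusterSecretStore spec and one error for the SecretStore that tries to reach into the `other` namespace; the same spec with `http://` in `serverUrl` would be rejected as well.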
Creating ExternalSecret
The Chef ExternalSecret describes what data should be fetched from Chef data bags, and how the data should be transformed and saved as a Kind=Secret. You can follow the below example to create an ExternalSecret resource.

{% include 'chef-external-secret.yaml' %}

When the above ClusterSecretStore and ExternalSecret resources are created, the operator connects to the Chef Server using the private key, fetches the referenced data bag items, and writes them into the vivid-credentials Secret resource.
To get all data items inside a data bag, you can use the dataFrom directive:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vivid-external-secrets # name of ExternalSecret
  namespace: vivid # namespace inside which the ExternalSecret will be created
  annotations:
    company/contacts: user.a@company.com, user.b@company.com
    company/team: vivid-dev
  labels:
    app.kubernetes.io/name: external-secrets
spec:
  refreshInterval: 15m
  secretStoreRef:
    name: vivid-clustersecretstore # name of ClusterSecretStore
    kind: ClusterSecretStore
  dataFrom:
  - extract:
      key: vivid_global # only the data bag name
  target:
    name: vivid-global-all-cred # name of the Kubernetes Secret that will be created with the obtained secrets; Secret names must be valid DNS subdomain names, so no underscores
    creationPolicy: Owner
```

See this file for more information.