external-secrets/docs/provider/yandex-certificate-manager.md at 24d6114a5b39e179630f7c8f2f55c63e169d5ae0

mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00

* Create scorecard.yml

Adds a scorecard workflow to regularly check the repo.
See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

2024-01-18 21:03:07 +01:00

3.6 KiB

Raw Blame History

Yandex Certificate Manager

External Secrets Operator integrates with Yandex Certificate Manager for secret management.

Prerequisites

Authentication

At the moment, authorized key authentication is only supported:

Create a service account in Yandex.Cloud:

yc iam service-account create --name eso-service-account

Create an authorized key for the service account and save it to authorized-key.json file:

yc iam key create \
  --service-account-name eso-service-account \
  --output authorized-key.json

Create a k8s secret containing the authorized key saved above:

kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json

Create a SecretStore pointing to yc-auth k8s secret:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    yandexcertificatemanager:
      auth:
        authorizedKeySecretRef:
          name: yc-auth
          key: authorized-key

NOTE: In case of a ClusterSecretStore, Be sure to provide namespace in all authorizedKeySecretRef with the namespace where the secret resides.

Creating external secret

To make External Secrets Operator sync a k8s secret with a Certificate Manager certificate:

Create a Certificate Manager certificate (follow the instructions), if not already created.
Assign the certificate-manager.certificates.downloader role for accessing the certificate content to the service account used for authentication (***** is the certificate ID):

yc cm certificate add-access-binding \
  --id ***** \
  --service-account-name eso-service-account \
  --role certificate-manager.certificates.downloader

Run the following command to ensure that the correct access binding has been added:

yc cm certificate list-access-bindings --id *****

Create an ExternalSecret pointing to secret-store and the certificate in Certificate Manager:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secret-store
    kind: SecretStore
  target:
    name: k8s-secret # the target k8s secret name
    template:
      type: kubernetes.io/tls
  data:
    - secretKey: tls.crt # the target k8s secret key
      remoteRef:
        key: ***** # the certificate ID
        property: chain
    - secretKey: tls.key # the target k8s secret key
      remoteRef:
        key: ***** # the certificate ID
        property: privateKey

The following property values are possible: * chain – to fetch PEM-encoded certificate chain * privateKey – to fetch PEM-encoded private key * chainAndPrivateKey or missing property – to fetch both chain and private key

The operator will fetch the Yandex Certificate Manager certificate and inject it as a Kind=Secret

kubectl get secret k8s-secret -ojson | jq '."data"."tls.crt"' -r | base64 --decode
kubectl get secret k8s-secret -ojson | jq '."data"."tls.key"' -r | base64 --decode

3.6 KiB Raw Blame History Unescape Escape

Yandex Certificate Manager

Prerequisites

Authentication

Creating external secret

3.6 KiB

Raw Blame History