A few common k8s secret types examples
Here we give some examples of how to work with a few common k8s secret types. These examples use the gcp provider (they should work the same way with other providers). Please also check the guides on Advanced Templating to understand the details.
Please follow the authentication and SecretStore steps of the Google Cloud Secrets Manager guide to set up access to your Google Cloud account first.
Dockerconfigjson example
First create a secret in Google Cloud Secrets Manager containing your docker config:
Let's call this secret docker-config-example on Google Cloud.
Then create an ExternalSecret resource taking advantage of templating to populate the generated secret:
{% include 'gcpsm-docker-config-externalsecret.yaml' %}
For Helm users: since Helm interprets the template above, the ExternalSecret resource can be written this way:
{% include 'gcpsm-docker-config-helm-externalsecret.yaml' %}
For more information, please see this issue
This will generate a valid dockerconfigjson secret for you to use!
You can get the final value with:
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath="{.data.\.dockerconfigjson}" | base64 -d
TLS Cert example
We are assuming here that you already have valid certificates, maybe generated with Let's Encrypt or any other CA. To simplify, you can use openssl to generate a single pkcs12 secret from your cert.pem and privkey.pem files.
openssl pkcs12 -export -out certificate.p12 -inkey privkey.pem -in cert.pem
Once you have certificate.p12, upload it to Google Cloud Secrets Manager:
And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type tls with pem values.
{% include 'gcpsm-tls-externalsecret.yaml' %}
You can get their values with:
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath="{.data.tls\.crt}" | base64 -d
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath="{.data.tls\.key}" | base64 -d
SSH Auth example
Add the ssh privkey to a new Google Cloud Secrets Manager secret:
And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type ssh-auth with the privatekey value.
{% include 'gcpsm-ssh-auth-externalsecret.yaml' %}
You can get the privkey value with:
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath="{.data.ssh-privatekey}" | base64 -d
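To check a generated secret without printing its values to the terminal, the script below reads the output of `kubectl get secret ... -o json` and verifies the type and data keys for the three secret types on this page. It is an added example, not part of the original docs or the External Secrets project's code; the file name `check_secret.py` and the function name `check_secret` are assumptions.

```python
import base64
import json
import sys

# Required data keys per Secret type (the three types covered on this page).
REQUIRED_KEYS = {
    "kubernetes.io/dockerconfigjson": [".dockerconfigjson"],
    "kubernetes.io/tls": ["tls.crt", "tls.key"],
    "kubernetes.io/ssh-auth": ["ssh-privatekey"],
}


def check_secret(secret):
    """Return a list of problems found in a Secret object (empty list = OK)."""
    stype = secret.get("type", "")
    if stype not in REQUIRED_KEYS:
        return [f"unexpected type {stype!r}"]
    problems = []
    data = secret.get("data") or {}
    for key in REQUIRED_KEYS[stype]:
        if key not in data:
            problems.append(f"missing key {key}")
            continue
        try:
            value = base64.b64decode(data[key], validate=True)
        except ValueError:
            problems.append(f"{key}: not valid base64")
            continue
        if key == ".dockerconfigjson":
            try:
                auths = json.loads(value).get("auths")
            except (ValueError, AttributeError):
                auths = None
            if not isinstance(auths, dict) or not auths:
                problems.append(f"{key}: no 'auths' object with registries")
        elif b"-----BEGIN " not in value:
            # Raw PKCS#12 or other binary here means the template did not convert to PEM.
            problems.append(f"{key}: not PEM encoded")
    return problems


if __name__ == "__main__":
    # Pipe in: kubectl get secret secret-to-be-created -n <namespace> -o json
    # Without a pipe, a constructed sample (binary instead of PEM) is checked.
    sample = {"type": "kubernetes.io/ssh-auth", "data": {"ssh-privatekey": "AAEC"}}
    secret = sample if sys.stdin.isatty() else json.load(sys.stdin)
    found = check_secret(secret)
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

The script exits non-zero when a problem is found, so it can gate a deployment step.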
More examples
!!! note "We need more examples here"
    Feel free to contribute with our docs and add more examples here!