mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00
Code Activity
external-secrets/docs/provider-kubernetes.md

146 lines
3.8 KiB
Markdown
Raw Blame History

External Secrets Operator allows to retrieve in-cluster secrets or from a remote Kubernetes Cluster.
### Authentication
It's possible to authenticate against the Kubernetes API using client certificates or a bearer token. Authentication using a service account has not yet been implemented. The operator enforces that exactly one authentication method is used.
**NOTE:** `SelfSubjectAccessReview` permission is required for the service account in order to validation work properly.
## Example
### In-cluster secrets using a Token
1. Create a K8s Secret with a client token for the default service account
```
apiVersion: v1
kind: Secret
metadata:
name: mydefaulttoken
annotations:
kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
```
2. Create a SecretStore
The Servers `url` won't be present as it will default to `kubernetes.default`, add a proper value if needed. In this example the Certificate Authority is fetched using the referenced `caProvider`.
The `auth` section indicates that the type `token` will be used for authentication, it includes the path to fetch the token. Set `remoteNamespace` to the name of the namespace where your target secrets reside.
```
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: example
spec:
provider:
kubernetes:
server:
caProvider:
type: Secret
name: mydefaulttoken
key: ca.crt
auth:
token:
bearerToken:
name: mydefaulttoken
key: token
remoteNamespace: default
```
3. Create the local secret that will be synced
```
---
apiVersion: v1
kind: Secret
metadata:
name: secret-example
data:
extra: YmFyCg==
```
4. Finally create the ExternalSecret resource
```
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: example # name of the SecretStore (or kind specified)
target:
name: secret-to-be-created # name of the k8s Secret to be created
creationPolicy: Owner
data:
- secretKey: extra
remoteRef:
key: secret-example
property: extra
```
### Remote Secret using a Token
1. Create a K8s Secret with the encoded base64 ca and client token.
```
apiVersion: v1
kind: Secret
metadata:
name: cluster-secrets
data:
# Fill with your encoded base64 CA
certificate-authority-data: Cg==
stringData:
# Fill with your string Token
bearerToken: "my-token"
```
2. Create a SecretStore
The Server section specifies the `url` of the remote Kubernetes API. In this example the Certificate Authority is fetch using the encoded base64 `caBundle`.
The `auth` section indicates that the `token` type will be used for authentication, it includes the path to fetch the token.
```
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: example
spec:
provider:
kubernetes:
# If not remoteNamesapce is provided, default namespace is used
remoteNamespace: remote-namespace
server:
url: https://remote.kubernetes.api-server.address
# Add your encoded base64 to caBundle
caBundle: Cg==
auth:
# Adds referenced bearerToken
token:
bearerToken:
name: cluster-secrets
key: bearerToken
```
4. Finally create the ExternalSecret resource
```
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: example # name of the SecretStore (or kind specified)
target:
name: secret-to-be-created # name of the k8s Secret to be created
creationPolicy: Owner
data:
- secretKey: extra
remoteRef:
key: secret-remote-example
property: extra
```
View git blame Copy permalink