mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
86 lines
2.8 KiB
Markdown
86 lines
2.8 KiB
Markdown
## Yandex Lockbox
|
|
|
|
External Secrets Operator integrates with [Yandex Lockbox](https://cloud.yandex.com/docs/lockbox/)
|
|
for secret management.
|
|
|
|
### Prerequisites
|
|
* [External Secrets Operator installed](../guides-getting-started/#installing-with-helm)
|
|
* [Yandex.Cloud CLI installed](https://cloud.yandex.com/docs/cli/quickstart)
|
|
|
|
### Authentication
|
|
At the moment, [authorized key](https://cloud.yandex.com/docs/iam/concepts/authorization/key) authentication is only supported:
|
|
|
|
* Create a [service account](https://cloud.yandex.com/docs/iam/concepts/users/service-accounts) in Yandex.Cloud:
|
|
```bash
|
|
yc iam service-account create --name eso-service-account
|
|
```
|
|
* Create an authorized key for the service account and save it to `authorized-key.json` file:
|
|
```bash
|
|
yc iam key create \
|
|
--service-account-name eso-service-account \
|
|
--output authorized-key.json
|
|
```
|
|
* Create a k8s secret containing the authorized key saved above:
|
|
```bash
|
|
kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
|
|
```
|
|
* Create a [SecretStore](../api-secretstore/) pointing to `yc-auth` k8s secret:
|
|
```yaml
|
|
apiVersion: external-secrets.io/v1alpha1
|
|
kind: SecretStore
|
|
metadata:
|
|
name: secret-store
|
|
spec:
|
|
provider:
|
|
yandexlockbox:
|
|
auth:
|
|
authorizedKeySecretRef:
|
|
name: yc-auth
|
|
key: authorized-key
|
|
```
|
|
|
|
### Creating external secret
|
|
To make External Secrets Operator sync a k8s secret with a Lockbox secret:
|
|
|
|
* Create a Lockbox secret, if not already created:
|
|
```bash
|
|
yc lockbox secret create \
|
|
--name lockbox-secret \
|
|
--payload '[{"key": "password","textValue": "p@$$w0rd"}]'
|
|
```
|
|
* Assign the [`lockbox.payloadViewer`](https://cloud.yandex.com/docs/lockbox/security/#roles-list) role
|
|
for accessing the `lockbox-secret` payload to the service account used for authentication:
|
|
```bash
|
|
yc lockbox secret add-access-binding \
|
|
--name lockbox-secret \
|
|
--service-account-name eso-service-account \
|
|
--role lockbox.payloadViewer
|
|
```
|
|
Run the following command to ensure that the correct access binding has been added:
|
|
```bash
|
|
yc lockbox secret list-access-bindings --name lockbox-secret
|
|
```
|
|
* Create an [ExternalSecret](../api-externalsecret/) pointing to `secret-store` and `lockbox-secret`:
|
|
```yaml
|
|
apiVersion: external-secrets.io/v1alpha1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: external-secret
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
name: secret-store
|
|
kind: SecretStore
|
|
target:
|
|
name: k8s-secret # the target k8s secret name
|
|
data:
|
|
- secretKey: password # the target k8s secret key
|
|
remoteRef:
|
|
key: ***** # ID of lockbox-secret
|
|
property: password # (optional) payload entry key of lockbox-secret
|
|
```
|
|
|
|
The operator will fetch the Yandex Lockbox secret and inject it as a `Kind=Secret`
|
|
```yaml
|
|
kubectl get secret k8s-secret -n <namespace> | -o jsonpath='{.data.password}' | base64 -d
|
|
```
|