mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
0321657a69
* Integrate Cloak Secrets Signed-off-by: Ian Purton <ian.purton@gmail.com> * Fix link Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com> --------- Signed-off-by: Ian Purton <ian.purton@gmail.com> Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com>
![Cloak End 2 End Encrypted Secrets](../pictures/cloak-provider-header.png)
## Cloak
Sync secrets from the [Cloak Encrypted Secrets Platform](https://cloak.software) to Kubernetes using the External Secrets Operator.
Cloak uses the webhook provider built into the External Secrets Operator, but it also requires a proxy service running in your cluster: Cloak secrets are encrypted end to end, so the proxy decrypts them with your service account's private key as they arrive, before the operator writes them into Kubernetes.
## Key Setup
From the Cloak user interface [create a service account](https://cloak.software/docs/getting-started/03-cli/) and store its private key (a PEM file) on your file system. Treat that file as highly sensitive: it is the key the proxy uses to decrypt every secret delivered to the cluster, so keep it readable only by you (`chmod 600`) and out of version control.
Now create a Kubernetes secret in the same namespace as the External Secrets Operator (`external-secrets` in the command below). Two notes on the command: `--from-file` reads the key from disk, so the key material itself never appears on the command line or in shell history; and a `HISTIGNORE=... kubectl ...` prefix only sets the variable in kubectl's environment, because bash decides whether to record a line before running it. If you want kubectl commands kept out of your history, `export HISTIGNORE='*kubectl*'` in the shell first.
```sh
# Load the service-account private key into a Secret named cloak-key in the
# operator's namespace. The key is stored under the key name ecdh_private_key,
# which is what the decryption proxy deployment mounts.
HISTIGNORE='*kubectl*' kubectl --namespace=external-secrets \
  create secret generic cloak-key \
  --from-file=ecdh_private_key="$LOCATION_OF_YOUR_PEM_FILE"
```
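Before loading the key, it is worth checking that the file really is a private key and that nobody else on the machine can read it. The following pre-flight check is an added example for this page, not code from Cloak or External Secrets. It assumes the exported key is a single PEM block with a standard private-key label (PKCS#8 `PRIVATE KEY` or SEC1 `EC PRIVATE KEY`) and that a key file should be mode 0600; `SAMPLE_PEM` is constructed dummy data with the right shape, not a real key.

```python
"""Pre-flight check for the Cloak service-account key file (added example).

Assumptions: single PEM block, standard private-key label, owner-only mode.
SAMPLE_PEM is constructed dummy data and is NOT a usable key.
"""
import base64
import os
import re
import stat
import sys
import tempfile

# PEM labels accepted for the private key (assumption: PKCS#8 or SEC1 form).
ALLOWED_LABELS = ("PRIVATE KEY", "EC PRIVATE KEY")

_PEM_RE = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)"
    r"-----END (?P<end>[A-Z ]+)-----\n?\Z"
)

# Constructed sample: a DER SEQUENCE header (0x30, length 0x2e) followed by
# zero bytes, wrapped as PEM. Passes the shape checks below; not a key.
_FAKE_DER = bytes([0x30, 0x2E]) + bytes(46)
SAMPLE_PEM = (
    "-----BEGIN EC PRIVATE KEY-----\n"
    + base64.b64encode(_FAKE_DER).decode("ascii")
    + "\n-----END EC PRIVATE KEY-----\n"
)


def check_pem_text(text):
    """Return the problems found in PEM text; an empty list means it looks sane."""
    m = _PEM_RE.match(text)
    if m is None:
        return ["not a single PEM block (malformed BEGIN/END lines or extra headers)"]
    label, end = m.group("label"), m.group("end")
    problems = []
    if label != end:
        problems.append(f"BEGIN label {label!r} does not match END label {end!r}")
    if "PUBLIC" in label:
        problems.append("this is a public key, not the private key")
    elif label not in ALLOWED_LABELS:
        problems.append(f"unexpected PEM label {label!r}; expected one of {ALLOWED_LABELS}")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        return problems + ["PEM body is not valid base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded key is not a DER SEQUENCE (wrong file?)")
    return problems


def check_key_file(path):
    """Check permissions and content of the key file at `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is readable by group/others; chmod 600 it")
    try:
        with open(path, encoding="ascii") as fh:
            problems += check_pem_text(fh.read())
    except UnicodeDecodeError:
        problems.append(f"{path}: not ASCII text (a binary DER file rather than PEM?)")
    return problems


def run_demo():
    """Write SAMPLE_PEM twice into a temp dir (0600 and 0644) and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("secure", 0o600), ("world_readable", 0o644)):
            path = os.path.join(tmp, name + ".pem")
            with open(path, "w", encoding="ascii") as fh:
                fh.write(SAMPLE_PEM)
            os.chmod(path, mode)
            results[name] = check_key_file(path)
    return results


if __name__ == "__main__":
    # Usage: python3 check_key.py "$LOCATION_OF_YOUR_PEM_FILE"  (no argument runs the demo)
    print(check_key_file(sys.argv[1]) if len(sys.argv) > 1 else run_demo())
```

Run it against the PEM path before the `kubectl create secret` step and only proceed when it returns an empty list. The check deliberately stops at the DER envelope; it does not parse the curve or validate the scalar, which the proxy will do when it tries to use the key.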
## Deploy the decryption proxy
```yaml
{% include 'cloak-proxy-deployment.yaml' %}
```
And a Kubernetes Service so the External Secrets Operator can reach the proxy. Only the operator needs to call it, so there is no reason to expose the Service outside the cluster.
```yaml
{% include 'cloak-proxy-service.yaml' %}
```
## Create a secret store
You can now place the secret store configuration in any Kubernetes namespace. A `SecretStore` is namespaced, so create one in each namespace where you will define `ExternalSecret` resources (or use a `ClusterSecretStore` if one store should serve the whole cluster).
```yaml
{% include 'cloak-secret-store.yaml' %}
```
## Connect a secret to the provider
Each `secretKey` reference in the YAML should point to the name of the secret as it is stored in Cloak. Once synced, the decrypted value lives in an ordinary Kubernetes Secret in that namespace, which is where the end-to-end encryption stops: restrict who can `get` and `list` Secrets there accordingly.
```yaml
{% include 'cloak-external-secret.yaml' %}
```
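After applying the `ExternalSecret`, the quickest way to tell whether the proxy round-trip worked is the `Ready` condition the operator records on it. The script below is an added example for this page, not code from Cloak or External Secrets. It reads the JSON that `kubectl get externalsecret -A -o json` prints and reports which resources have not synced; the condition type (`Ready`) and reasons (`SecretSynced`, `SecretSyncedError`) are the ones the External Secrets Operator publishes, while `SAMPLE_KUBECTL_OUTPUT` and its names, timestamps and messages are constructed for the example.

```python
"""Report ExternalSecret sync state from `kubectl get externalsecret -o json`
output (added example; sample data below is constructed)."""
import json
import sys

# Constructed sample: a List of two ExternalSecrets backed by a store named
# "cloak", one synced and one failing. Field layout follows the status that
# External Secrets Operator writes; the values are made up.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ExternalSecret",
            "metadata": {"name": "database-creds", "namespace": "app"},
            "spec": {"secretStoreRef": {"name": "cloak", "kind": "SecretStore"}},
            "status": {
                "refreshTime": "2024-12-14T11:50:00Z",
                "conditions": [
                    {"type": "Ready", "status": "True", "reason": "SecretSynced",
                     "message": "Secret was synced"}
                ],
            },
        },
        {
            "kind": "ExternalSecret",
            "metadata": {"name": "api-token", "namespace": "app"},
            "spec": {"secretStoreRef": {"name": "cloak", "kind": "SecretStore"}},
            "status": {
                "conditions": [
                    {"type": "Ready", "status": "False", "reason": "SecretSyncedError",
                     "message": "could not get secret data from provider (constructed message)"}
                ],
            },
        },
    ],
})


def external_secret_status(es):
    """Return (namespace/name, ready, detail) for one ExternalSecret object."""
    meta = es.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    status = es.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    if ready is None:
        return name, False, "no Ready condition yet (controller has not reconciled it)"
    ok = ready.get("status") == "True"
    detail = f"{ready.get('reason', '?')}: {ready.get('message', '')}"
    if ok and not status.get("refreshTime"):
        detail += " (no refreshTime recorded)"
    return name, ok, detail


def summarize(kubectl_json):
    """Handle both a single object and the `kind: List` wrapper kubectl emits."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [external_secret_status(es) for es in items]


def unsynced(kubectl_json):
    """Names of ExternalSecrets whose Ready condition is not True."""
    return [name for name, ok, _ in summarize(kubectl_json) if not ok]


if __name__ == "__main__":
    # Usage: kubectl get externalsecret -A -o json | python3 check_sync.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_OUTPUT
    for name, ok, detail in summarize(raw):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
    sys.exit(1 if unsynced(raw) else 0)
```

A `SecretSyncedError` on a Cloak-backed store usually means the operator could not complete the webhook call or the proxy could not decrypt the payload, so the next things to check are the proxy pod's logs and that the `cloak-key` Secret exists in the operator's namespace with the `ecdh_private_key` entry.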