mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00
external-secrets/docs/provider/yandex-lockbox.md
## Yandex Lockbox

External Secrets Operator integrates with Yandex Lockbox for secret management.

### Prerequisites

* External Secrets Operator installed in the cluster
* Yandex.Cloud CLI (`yc`) installed and configured for the folder that holds the Lockbox secrets

### Authentication

At the moment, only authorized key authentication is supported. An authorized key contains the service account's private key, so treat `authorized-key.json` as a secret: restrict its file permissions and delete the local copy once it has been stored in the cluster.

* Create a service account:
```sh
yc iam service-account create --name eso-service-account
```
* Create an authorized key for the service account and save it to the `authorized-key.json` file:
```sh
yc iam key create \
  --service-account-name eso-service-account \
  --output authorized-key.json
```
* Create a k8s secret containing the authorized key saved above:
```sh
kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
```
* Create a `SecretStore` pointing to the `yc-auth` k8s secret:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    yandexlockbox:
      auth:
        authorizedKeySecretRef:
          name: yc-auth
          key: authorized-key
```

**NOTE:** In case of a `ClusterSecretStore`, be sure to provide `namespace` in all `authorizedKeySecretRef` with the namespace where the secret resides.

### Creating external secret

To make External Secrets Operator sync a k8s secret with a Lockbox secret:

* Create a Lockbox secret, if not already created (a payload passed on the command line ends up in shell history and process listings, so prefer a file-based payload for real secrets):
```sh
yc lockbox secret create \
  --name lockbox-secret \
  --payload '[{"key": "password","textValue": "p@$$w0rd"}]'
```
* Assign the `lockbox.payloadViewer` role for accessing the `lockbox-secret` payload to the service account used for authentication. Bind it on this secret only, not on the folder, so the key held by the operator can read nothing else:
```sh
yc lockbox secret add-access-binding \
  --name lockbox-secret \
  --service-account-name eso-service-account \
  --role lockbox.payloadViewer
```

Run the following command to ensure that the correct access binding has been added, and that no broader role or unexpected subject is bound to the secret:

```sh
yc lockbox secret list-access-bindings --name lockbox-secret
```
* Create an `ExternalSecret` pointing to `secret-store` and `lockbox-secret` (`remoteRef.key` is the secret ID, as shown by `yc lockbox secret get --name lockbox-secret`, not its name):
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secret-store
    kind: SecretStore
  target:
    name: k8s-secret # the target k8s secret name
  data:
  - secretKey: password # the target k8s secret key
    remoteRef:
      key: ***** # ID of lockbox-secret
      property: password # (optional) payload entry key of lockbox-secret
```

The operator will fetch the Yandex Lockbox secret and inject it as a `Kind=Secret`. Read the synced value back with:

```sh
kubectl get secret k8s-secret -n <namespace> -o jsonpath='{.data.password}' | base64 -d
```
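The `list-access-bindings` check above is easy to eyeball for a single binding but not to automate, and an extra binding added later (a broader role, or a subject such as `allUsers`) would silently widen what the secret exposes. The following shell script is an added example and is not part of the external-secrets docs or the yc CLI: it parses the JSON output of `yc lockbox secret list-access-bindings --format json` and fails unless the only binding is `lockbox.payloadViewer` for the ESO service account. It assumes that output is an array of objects with `role_id` and `subject` (`id`, `type`) fields; the service-account ID and the two sample documents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the external-secrets docs or the yc CLI.
# Verify that a Lockbox secret grants exactly one access binding:
# lockbox.payloadViewer to the ESO service account. Extra subjects
# (e.g. allUsers) or broader roles (lockbox.admin, editor, ...) make the
# check fail, so the key ESO holds can read this one secret's payload only.
#
# Assumed input shape (yc CLI JSON output; IDs and roles contain no spaces):
#   [{"role_id": "...", "subject": {"id": "...", "type": "..."}}, ...]

# normalise_bindings: JSON on stdin -> one "subjectType:subjectId roleId" line per binding
normalise_bindings() {
  # flatten pretty-printed JSON onto one line (the echo guarantees a trailing newline),
  # then put one binding object per line
  { tr -d ' \n\t\r'; echo; } |
    sed 's/},{/}\
{/g' |
    while IFS= read -r binding; do
      role=$(printf '%s\n' "$binding" | sed -n 's/.*"role_id":"\([^"]*\)".*/\1/p')
      # skip "[]" and anything that is not a binding object
      [ -n "$role" ] || continue
      sid=$(printf '%s\n' "$binding" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p')
      stype=$(printf '%s\n' "$binding" | sed -n 's/.*"type":"\([^"]*\)".*/\1/p')
      printf '%s:%s %s\n' "$stype" "$sid" "$role"
    done
}

# check_bindings SA_ID: JSON on stdin; returns 0 only if the sole binding is
# lockbox.payloadViewer for serviceAccount SA_ID, otherwise prints what was found
check_bindings() {
  expected="serviceAccount:$1 lockbox.payloadViewer"
  actual=$(normalise_bindings | sort)
  if [ "$actual" = "$expected" ]; then
    echo "OK: only binding is $expected"
    return 0
  fi
  echo "MISMATCH: expected exactly '$expected', got:" >&2
  printf '%s\n' "$actual" | sed 's/^/  /' >&2
  return 1
}

# Constructed sample output (placeholder IDs) in the shape printed by
#   yc lockbox secret list-access-bindings --name lockbox-secret --format json
ESO_SA_ID=ajeEXAMPLE000eso
GOOD='[
  {"role_id": "lockbox.payloadViewer", "subject": {"id": "ajeEXAMPLE000eso", "type": "serviceAccount"}}
]'
# the same secret after someone also granted lockbox.admin to every Yandex Cloud user
BAD='[
  {"role_id": "lockbox.payloadViewer", "subject": {"id": "ajeEXAMPLE000eso", "type": "serviceAccount"}},
  {"role_id": "lockbox.admin", "subject": {"id": "allUsers", "type": "system"}}
]'

printf '%s\n' "$GOOD" | check_bindings "$ESO_SA_ID"
printf '%s\n' "$BAD" | check_bindings "$ESO_SA_ID" || echo "(rejected, as intended)"

# Against the real folder, once yc is configured (the SA ID is read from yc itself):
#   yc lockbox secret list-access-bindings --name lockbox-secret --format json \
#     | check_bindings "$(yc iam service-account get --name eso-service-account --format json \
#                          | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p')"
```

The comparison is deliberately exact rather than "contains payloadViewer": the failure mode being guarded against is an additional binding, which a containment check would never notice. Wire the real-folder invocation into CI so the check runs whenever the folder's IAM policy changes.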