Kubernetes External Secrets allows you to use external secret management systems such as IBM Secrets Manager to securely add secrets to Kubernetes. Read more about the design and motivation for Kubernetes External Secrets on the GoDaddy Engineering Blog.

This is a sample chart to demonstrate running it on IBM Cloud.
- Create your IAM API credentials.

  ```
  $ ibmcloud iam api-key-create kubernetes-external-secret-key
  ID            ApiKey-0705eaa9-c6f3-4c03-815e-dbc84c59d6db
  Name          kubernetes-external-secret-key
  Description
  Created At    2021-03-14T17:44+0000
  API Key       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Locked        false
  ```
- Get the Secrets Manager instance info, where `Secrets Manager-01` is the name of your Secrets Manager instance.

  ```
  $ ibmcloud resource service-instance "Secrets Manager-01"
  Name:                  Secrets Manager-01
  ID:                    crn:v1:bluemix:public:secrets-manager:us-south:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::
  GUID:                  yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
  Location:              us-south
  Service Name:          secrets-manager
  Service Plan Name:     lite
  Resource Group Name:   default
  State:                 active
  Type:                  service_instance
  Sub Type:
  Created at:            2020-10-19T19:45:05Z
  Created by:            awhalley@ie.ibm.com
  Updated at:            2020-10-19T19:49:56Z
  ```
- Create the Kubernetes secret using the API Key, GUID and Location from the output of the previous commands (`<Location>` is the Location value, `us-south` in the output above).

  ```
  kubectl create secret generic ibmcloud-credentials \
    --from-literal=apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
    --from-literal=endpoint=https://yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy.<Location>.secrets-manager.appdomain.cloud \
    --from-literal=authtype=iam
  ```
- Clone the kubernetes-external-secrets repository, which contains the chart:

  ```
  $ git clone https://github.com/external-secrets/kubernetes-external-secrets.git
  $ cd kubernetes-external-secrets
  ```
- Edit the following values in `values.yaml` in the kubernetes-external-secrets repo. The file `values-example.yaml` in this repo is there for reference.

  ```yaml
  IBM_CLOUD_SECRETS_MANAGER_API_APIKEY:
    secretKeyRef: ibmcloud-credentials
    key: apikey
  IBM_CLOUD_SECRETS_MANAGER_API_ENDPOINT:
    secretKeyRef: ibmcloud-credentials
    key: endpoint
  IBM_CLOUD_SECRETS_MANAGER_API_AUTH_TYPE:
    secretKeyRef: ibmcloud-credentials
    key: authtype
  ```
- To install the chart with the release named `kubernetes-external-secrets-release`:

  ```
  $ helm install kubernetes-external-secrets-release .
  ```

  Tip: A namespace can be specified with the Helm option `--namespace kube-external-secrets`; however, note that Helm 3 will not auto-create the namespace the way Helm 2 did. To do that, also add the `--create-namespace` flag.
Now that the service is installed, we need to create a `username_password` secret in Secrets Manager and make it available in Kubernetes.
- Ensure the Secrets Manager environment variable is set.

  ```
  $ export SECRETS_MANAGER_URL=https://yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy.<Location>.secrets-manager.appdomain.cloud
  ```
- Now add a secret to Secrets Manager, taking note of the id generated.

  ```
  $ ibmcloud secrets-manager secret-create --secret-type username_password --resources '[{"name": "example-username-password-test-secret","description": "Extended description for my secret.","username": "user123","password": "cloudy-rainy-coffee-book"}]'
  ...
  id            zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
  ...
  ```
- Now we will create an ExternalSecret resource (a CRD instance) that pulls the secret from Secrets Manager and adds it to the namespace in the cluster. Get the id from the output of the created secret and update the `key` field in `username-password-example.yml`.

  ```yaml
  apiVersion: kubernetes-client.io/v1
  kind: ExternalSecret
  metadata:
    name: username-password-example
  spec:
    backendType: ibmcloudSecretsManager
    data:
      # The guid id of the secret
      - key: <guid>
        name: username
        property: username
        secretType: username_password
      - key: <guid>
        name: password
        property: password
        secretType: username_password
  ```
- Apply the ExternalSecret to the cluster.

  ```
  $ kubectl apply -f username-password-example.yml
  ```
- View the created secret in the cluster.

  ```
  $ kubectl describe secrets username-password-example
  Name:         username-password-example
  Namespace:    default
  Labels:       <none>
  Annotations:  <none>

  Type:  Opaque

  Data
  ====
  password:  9 bytes
  username:  5 bytes
  ```
Now that the service is installed, we can also create an `arbitrary` secret in Secrets Manager and make it available in Kubernetes.
- Ensure the Secrets Manager environment variable is set.

  ```
  $ export SECRETS_MANAGER_URL=https://yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy.<Location>.secrets-manager.appdomain.cloud
  ```
- Now add a secret to Secrets Manager, taking note of the id generated.

  ```
  $ ibmcloud secrets-manager secret-create --secret-type arbitrary --resources '[{"name": "example-arbitrary-test-secret","description": "Extended description for my secret.", "payload":"avalue"}]'
  ...
  id            zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
  ...
  ```
- Now we will create an ExternalSecret resource (a CRD instance) that pulls the secret from Secrets Manager and adds it to the namespace in the cluster. Get the id from the output of the created secret and update the `key` field in `arbitrary-example.yml`.

  ```yaml
  apiVersion: kubernetes-client.io/v1
  kind: ExternalSecret
  metadata:
    name: arbitrary-example
  spec:
    backendType: ibmcloudSecretsManager
    data:
      - key: b6f0c056-382c-3ea9-991b-9172a1652c9e
        name: example-arbitrary-test-secret
        property: payload
        secretType: arbitrary
  ```
- Apply the ExternalSecret to the cluster.

  ```
  $ kubectl apply -f arbitrary-example.yml
  ```
- View the created secret in the cluster.

  ```
  $ kubectl describe secrets arbitrary-example
  Name:         arbitrary-example
  Namespace:    default
  Labels:       <none>
  Annotations:  <none>

  Type:  Opaque

  Data
  ====
  example-arbitrary-test-secret:  6 bytes
  ```
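As an added example (not code from this repo or from kubernetes-external-secrets), the following Python helper builds the ExternalSecret manifest for either of the two secret types shown above, rejecting a `key` that is not a Secrets Manager GUID or a `property` the secret type does not expose, and checks a synced Kubernetes Secret (the JSON from `kubectl get secret <name> -o json`) for the expected keys and byte lengths without exposing the values. The GUID, secret names and sample values are constructed placeholders; `sample_secret_json` is a constructed stand-in for the kubectl output.

```python
import base64
import json
import re
from typing import Dict, List

# Secrets Manager secret ids are UUIDs, and each secretType exposes a fixed set
# of properties (the two ExternalSecret examples above use these).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
PROPERTIES = {"username_password": {"username", "password"}, "arbitrary": {"payload"}}

def build_external_secret(name: str, guid: str, secret_type: str,
                          entries: Dict[str, str]) -> dict:
    """Return the ExternalSecret manifest (as a dict) for one Secrets Manager secret.
    entries maps Kubernetes secret key -> Secrets Manager property."""
    if not GUID_RE.match(guid):
        raise ValueError(f"key must be the Secrets Manager secret GUID, got {guid!r}")
    if secret_type not in PROPERTIES:
        raise ValueError(f"unsupported secretType {secret_type!r}")
    bad = set(entries.values()) - PROPERTIES[secret_type]
    if bad:
        raise ValueError(f"properties {sorted(bad)} are not valid for {secret_type}")
    return {
        "apiVersion": "kubernetes-client.io/v1",
        "kind": "ExternalSecret",
        "metadata": {"name": name},
        "spec": {
            "backendType": "ibmcloudSecretsManager",
            "data": [{"key": guid, "name": k, "property": p, "secretType": secret_type}
                     for k, p in entries.items()],
        },
    }

def sample_secret_json(values: Dict[str, str]) -> str:
    """Constructed stand-in for `kubectl get secret <name> -o json` output."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return json.dumps({"kind": "Secret", "type": "Opaque", "data": data})

def check_synced_secret(secret_json: str, expected: Dict[str, int]) -> List[str]:
    """Check a synced Secret has every expected key with the expected byte length.
    Returns the problems found (empty when the sync looks right); values are only
    decoded to measure them, never returned or printed."""
    data = json.loads(secret_json).get("data", {})
    problems = []
    for key, size in expected.items():
        if key not in data:
            problems.append(f"missing key {key}")
        elif (n := len(base64.b64decode(data[key]))) != size:
            problems.append(f"{key}: expected {size} bytes, got {n}")
    return problems
```

Pipe the dict through a YAML library (or `json.dumps`, which kubectl also accepts) to produce the manifest file, and feed `check_synced_secret` the real `kubectl get secret -o json` output to confirm the sync landed the keys you expect.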