Kubernetes External Secrets Operator
Synchronize Secrets from Keeper Secrets Manager with the K8s External Secrets Operator
Overview
Kubernetes External Secrets Operator injects secrets into Kubernetes by synchronizing them from various external APIs. This guide primarily focuses on the setup process for External Secrets, facilitating the synchronization of secrets from your Keeper Vault into Kubernetes.
Features
Seamless synchronization of secrets from Keeper Vault into Kubernetes via External Secrets.
Real-time access to secrets from Keeper Vault across all pods.
Prerequisites
Before proceeding with the setup, ensure you have the following:
Keeper Secrets Manager (KSM) access (See the Quick Start Guide for more details)
Secrets Manager add-on enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
A Keeper Secrets Manager Application with secrets shared to it
See the Quick Start Guide for instructions on creating an Application
Make sure you add the proper permissions to your device in order to be able to read and write secrets
An initialized Keeper Secrets Manager Configuration
Setup
Install External Secrets With Helm
To install External Secrets with Helm, run the following commands:
Create Kubernetes Secret to store Base64 KSM Config
After creating a Secrets Manager Configuration for your device, you will have a Base64 JSON string that contains connection tokens, encryption keys, identifiers and domain information used to authenticate and decrypt data from the Keeper Secrets Manager APIs.
The Base64 JSON config string will be set by External Secrets to authenticate against Keeper Security and defined in a regular Kubernetes Secret.
Invoking the following command will create a Kubernetes Secret which is used to authenticate to Keeper Secrets Manager:
Note: Lines 2-8 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply
. For example, you can store lines 2-8 in secrets.yaml
and execute the following:
Create SecretStore
After creating a Kubernetes Secret with ksm_config
defined to your Base64 JSON string, you can now create your SecretStore.
Invoking the following command will create your SecretStore:
In the above code snippet, define folderID
with the UID of the shared folder where the records are stored in your Vault
In case of a ClusterSecretStore
, Be sure to provide namespace
for SecretAccessKeyRef
with the namespace of the secret that we just created.
Note: Lines 2-13 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply
. For example, you can store lines 2-13 in secretstore.yaml
and execute the following:
Create ExternalSecret
Next, you need to create your ExternalSecret.
The following code snippet will create your External Secret and store the values of the login & password field for the specified record into the Kubernetes Secret. These fields are defined in the target.template.data
section and refreshed every 30 seconds. For a full list of supported fields, visit this page.
In the above code snippet, replace "[RECORD UID]" with the UID of your desired record
For complex types, like name
, phone
, bankAccount
, which does not match with a single string value, external secrets will return the complete JSON string. Use the JSON template functions to decode.
Note: Lines 2-27 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply
. For example, you can store lines 2-27 in externalsecret.yaml
and execute the following:
Behavior
How a Record is equated to an ExternalSecret:
remoteRef.key
is equated to a Record's IDremoteRef.property
is equated to one of the following options:Fields: Record's field's Type
CustomFields: Record's field's Label
Files: Record's file's Name
If empty, defaults to the complete Record in JSON format
remoteRef.version
is currently not supported.
dataFrom
:find.path
is currently not supported.find.name.regexp
is equated to one of the following options:Fields: Record's field's Type
CustomFields: Record's field's Label
Files: Record's file's Name
find.tags
are not supported at this time.
Limitations
There are some limitations using this provider.
Keeper Secret Manager does not work with legacy non-typed records
Using tags
find.tags
is not supported by KSMUsing path
find.path
is not supported at the moment
Push Secrets
Push Secret will only work with a custom KeeperSecurity Record type ExternalSecrets
Behavior
selector
:secret.name
: name of the kubernetes secret to be pusheddata.match
:secretKey
: key on the selected secret to be pushedremoteRef.remoteKey
: Secret and key to be created on the remote providerFormat: SecretName/SecretKey
Create PushSecret
To create a Keeper Security record from Kubernetes a Kind=PushSecret
is needed.
Note: Lines 2-19 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply
. For example, you can store lines 2-19 in pushsecret.yaml
and execute the following:
Make sure there's only one record with the title remote-secret-name
in the KSM Application in use.
Limitations
Only possible to push one key per secret at the moment
If the record with the selected name exists but the key does not exists the record can not be updated.
Verifying Setup
After setting up your Kubernetes Secret, SecretStore, and ExternalSecret, you can extract secrets with the command kubectl get secrets
In the above code snippets, the name of the secret is my-external-secrets-values and we store the following record values:
To get the login and password values, invoke the following command:
The above response is encoded, to decode, invoke the following:
Conclusion
In conclusion, this guide has detailed a step-by-step process for integrating the Keeper Secrets Manager with Kubernetes via the Kubernetes External Secrets Operator. By following these steps, you'll be able to seamlessly synchronize your secrets stored in Keeper Vault into your Kubernetes environment. This not only provides a secure method to manage your secrets but also facilitates real-time access across all your pods.
The processes outlined, including setting up the External Secrets operator, creating a Kubernetes Secret, SecretStore, and ExternalSecret, are key to this integration. Upon successful setup, the provided commands allow you to verify the integration and retrieve stored secrets effortlessly.
The integration of Keeper Secrets Manager with Kubernetes enhances the security infrastructure of your applications running in the Kubernetes environment. It provides a solid foundation for managing your secrets, thereby improving overall operational efficiency and security posture.
Remember to replace all placeholders in the command snippets with your specific information, and don't hesitate to refer back to this guide anytime you need to set up or manage your External Secrets in Kubernetes.
Last updated