Kubernetes External Secrets Operator

Overview

Kubernetes External Secrets Operator injects secrets into Kubernetes by synchronizing them from various external APIs. This guide primarily focuses on the setup process for External Secrets, facilitating the synchronization of secrets from your Keeper Vault into Kubernetes.

Features

• Seamless synchronization of secrets from Keeper Vault into Kubernetes via External Secrets.

• Real-time access to secrets from Keeper Vault across all pods.

Prerequisites

Before proceeding with the setup, ensure you have the following:

• Keeper Secrets Manager (KSM) access (See the Quick Start Guide for more details)

  • Secrets Manager add-on enabled for your Keeper account

  • Membership in a Role with the Secrets Manager enforcement policy enabled

• A Keeper Secrets Manager Application with secrets shared to it

  • See the Quick Start Guide for instructions on creating an Application

• An initialized Keeper Secrets Manager Configuration

• The following commands installed:

  • helm - package manager for Kubernetes

  • kubectl - command line tool for Kubernetes

Setup

Install External Secrets With Helm

To install External Secrets with Helm, run the following commands:

helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace

Create Kubernetes Secret to store Base64 KSM Config

After creating a Secrets Manager Configuration for your device, you will have a Base64 JSON string that contains connection tokens, encryption keys, identifiers and domain information used to authenticate and decrypt data from the Keeper Secrets Manager APIs.

The Base64 JSON config string will be set by External Secrets to authenticate against Keeper Security and defined in a regular Kubernetes Secret.

Invoking the following command will create a Kubernetes Secret which is used to authenticate to Keeper Secrets Manager:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ksm-config-secret # name of the k8s Secret where KSM config is stored
type: Opaque
data:
  ksm_config: "[REPLACE WITH YOUR BASE64 JSON string]"
EOF

Note: Lines 2-8 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply. For example, you can store lines 2-8 in secrets.yaml and execute the following:

kubectl apply -f secret.yaml

Create SecretStore

After creating a Kubernetes Secret with ksm_config defined to your Base64 JSON string, you can now create your SecretStore.

Invoking the following command will create your SecretStore:

kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1   
kind: SecretStore
metadata:
  name: my-external-secrets-secretstore   # name of the SecretStore where retrieved secrets will be stored once fetched from Keeper Secrets Manager (KSM)
spec:
  provider:
    keepersecurity:                       # name of the SecretStore provider, in this case KeeperSecurity
      authRef:
        name: ksm-config-secret           # name of the k8s Secret where KSM config is stored
        key: ksm_config                   # key in the k8s Secret where KSM config is stored
      folderID: "[SHARED FOLDER UID]"     # UID of the shared folder in KeeperSecurity where the records 
                                          #   are stored. Make sure the folder is shared into the KSM Application
EOF

Note: Lines 2-13 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply. For example, you can store lines 2-13 in secretstore.yaml and execute the following:

kubectl apply -f secretstore.yaml

Create ExternalSecret

Next, you need to create your ExternalSecret.

The following code snippet will create your External Secret and store the values of the login & password field for the specified record into the Kubernetes Secret. These fields are defined in the target.template.data section and refreshed every 30 seconds. For a full list of supported fields, visit this page.

kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
 name: ksm-external-secret
spec:
 refreshInterval: 12h               # rate how often SecretManager pulls KeeperSecurity. 
                                    #   In this case every 12 hours, for the example. 
                                    #   We recommend this value to be 12h or more.
 secretStoreRef:                    # reference to the SecretStore defined above to authenticate against Keeper Security
   kind: SecretStore                # tells External Secrets the type of the secret store, should be same as the one defined above
   name: my-external-secrets-secretstore  

 dataFrom:                          # tells External Secrets which record to use to fetch from Keeper Secrets Manager (KSM)
   - extract:
       key: "[RECORD UID]"          # UID of the record in Keeper where the secrets are going to be fetched from
 target:                            # tells External Secrets the target location where to store the secrets once fetched from Keeper Security
   name: my-external-secrets-values # name of the k8s Secret to be created
   creationPolicy: Owner            # tells External Secrets to create the k8s Secret if it doesn't exist
   template:
     engineVersion: v2          
     data:
       username: "{{ .login }}"     # tells External Secrets to store the value of 
                                    # the login field in Keeper Security into the k8s Secret under the key username
       password: "{{ .password }}"  # tells External Secrets to store the value of 
                                    # the password field in Keeper Security into the k8s Secret under the key password
EOF

Note: Lines 2-26 in the above code snippet can be stored in a YAML file and applied with the command kubectl apply. For example, you can store lines 2-26 in externalsecret.yaml and execute the following:

kubectl apply -f externalsecret.yaml

Verifying Setup

After setting up your Kubernetes Secret, SecretStore, and ExternalSecret, you can extract secrets with the command kubectl get secrets

In the above code snippets, the name of the secret is my-external-secrets-values and we store the following record values:

data:
       username: "{{ .login }}"                                      
       password: "{{ .password }}"

To get the login and password values, invoke the following command:

$ kubectl get secret my-external-secrets-values -o jsonpath="{.data}"
{"password":"a2lsbCB5b3U=","username":"SSB3aWxs"}

The above response is encoded, to decode, invoke the following:

$ kubectl get secret my-external-secrets-values -o jsonpath="{.data.password}" | base64 --decode
pAs$w0rd

Conclusion

In conclusion, this guide has detailed a step-by-step process for integrating the Keeper Secrets Manager with Kubernetes via the Kubernetes External Secrets Operator. By following these steps, you'll be able to seamlessly synchronize your secrets stored in Keeper Vault into your Kubernetes environment. This not only provides a secure method to manage your secrets but also facilitates real-time access across all your pods.

The processes outlined, including setting up the External Secrets operator, creating a Kubernetes Secret, SecretStore, and ExternalSecret, are key to this integration. Upon successful setup, the provided commands allow you to verify the integration and retrieve stored secrets effortlessly.

The integration of Keeper Secrets Manager with Kubernetes enhances the security infrastructure of your applications running in the Kubernetes environment. It provides a solid foundation for managing your secrets, thereby improving overall operational efficiency and security posture.

Remember to replace all placeholders in the command snippets with your specific information, and don't hesitate to refer back to this guide anytime you need to set up or manage your External Secrets in Kubernetes.