Syncing with Yandex Lockbox secrets
External Secrets Operator
There are several schemas for integrating
To set up secret syncing:
- Install the External Secrets Operator and set up Yandex Lockbox.
- Configure the Managed Service for Kubernetes cluster.
- Create an External Secret.
If you no longer need the resources you created, delete them.
You can also deploy an infrastructure for syncing Yandex Lockbox secrets with Managed Service for Kubernetes cluster secrets via Terraform using a ready-made configuration file.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of resources for syncing secrets includes:
- Fee for using the Managed Service for Kubernetes master (see Managed Service for Kubernetes pricing).
- Fee for a Managed Service for Kubernetes node group's computing resources and disks (see Yandex Compute Cloud pricing).
- Fee for secret storage and operations (see Yandex Lockbox pricing).
Create an infrastructure
- If you do not have a network yet, create one.
- If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
- Create the following service accounts:
  - Service account for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.
  - Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.
Tip
You can use the same service account for all operations.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for the resources and nodes as well as the security group.
- Create a Yandex Lockbox secret with the following properties:
  - Name: lockbox-secret.
  - Key: Enter the password non-secret ID.
  - Value: Enter the confidential data to store, p@$$w0rd.
  Save the ID of the secret. You will need it later.
- If you do not have Terraform yet, install it.
- Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
- Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.
- Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
- Download the k8s-cluster-and-lockbox.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory. This file describes:
  - Yandex Lockbox secret.
  - Managed Service for Kubernetes cluster.
  - Service account for Managed Service for Kubernetes resources and nodes.
  - Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Specify the following in the configuration file:
- Folder ID.
- Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
- Name of the service account for Managed Service for Kubernetes resources and nodes.
- Check that the Terraform configuration files are correct using this command:
  terraform validate
  If there are any errors in the configuration files, Terraform will point them out.
- Create the required infrastructure:
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
- Save the ID of the created secret that Terraform printed in the terminal. You will need it later.
Configure the environment
- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Install the jq utility:
  sudo apt update && sudo apt install jq
- Install kubectl and configure it to work with the created cluster.
Install the External Secrets Operator and set up Yandex Lockbox
- Follow this guide to install the External Secrets Operator.
- Assign the service account you created when installing the External Secrets Operator the lockbox.payloadViewer role for the previously created lockbox-secret.
Configure the Managed Service for Kubernetes cluster
- Create a ns namespace to store External Secrets Operator objects in:
  kubectl create namespace ns
- Create a yc-auth secret with the sa-key.json key you created when installing the External Secrets Operator:
  kubectl --namespace ns create secret generic yc-auth \
    --from-file=authorized-key=sa-key.json
- Create a SecretStore containing the yc-auth secret:
  kubectl --namespace ns apply -f - <<< '
  apiVersion: external-secrets.io/v1beta1
  kind: SecretStore
  metadata:
    name: secret-store
  spec:
    provider:
      yandexlockbox:
        auth:
          authorizedKeySecretRef:
            name: yc-auth
            key: authorized-key'
Create an External Secret
- Create an object named ExternalSecret pointing to lockbox-secret in secret-store:
  kubectl --namespace ns apply -f - <<< '
  apiVersion: external-secrets.io/v1beta1
  kind: ExternalSecret
  metadata:
    name: external-secret
  spec:
    refreshInterval: 1h
    secretStoreRef:
      name: secret-store
      kind: SecretStore
    target:
      name: k8s-secret
    data:
    - secretKey: password
      remoteRef:
        key: <secret_ID>
        property: password'
  Where:
  - key: ID of the Yandex Lockbox lockbox-secret secret you created.
  - spec.target.name: Name of the new Kubernetes secret, k8s-secret. The External Secrets Operator will create this secret and place the lockbox-secret parameters in it.
- Make sure the new k8s-secret Kubernetes secret contains the lockbox-secret value:
  kubectl --namespace ns get secret k8s-secret \
    --output=json | \
    jq --raw-output ."data"."password" | \
    base64 --decode
  The command result will contain the value of the password key of lockbox-secret:
  p@$$w0rd
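As an added example (not part of the original page, and not code from the External Secrets Operator project), the following Python script builds the same SecretStore and ExternalSecret objects as plain dicts (kubectl apply accepts JSON as well as YAML), checks them before apply for the mistakes this step invites (an unreplaced <secret_ID> placeholder, a secretStoreRef that matches no SecretStore in the namespace, duplicate secretKey entries, an empty spec.target.name), and decodes the synced value from kubectl's JSON output the same way the jq | base64 --decode pipeline above does. The secret ID e6qexamplesecretid00 and the kubectl output are constructed samples; the function names are this example's own.

```python
import base64
import json

NAMESPACE = "ns"
SECRET_STORE_NAME = "secret-store"


def secret_store_manifest(auth_secret="yc-auth", auth_key="authorized-key"):
    """SecretStore that authenticates to Yandex Lockbox with the authorized key
    stored in the yc-auth Kubernetes secret (same object as the page's YAML).
    The namespace is set explicitly here instead of via --namespace."""
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "SecretStore",
        "metadata": {"name": SECRET_STORE_NAME, "namespace": NAMESPACE},
        "spec": {"provider": {"yandexlockbox": {"auth": {
            "authorizedKeySecretRef": {"name": auth_secret, "key": auth_key}}}}},
    }


def external_secret_manifest(lockbox_secret_id, target="k8s-secret",
                             entries=(("password", "password"),),
                             refresh="1h"):
    """ExternalSecret mapping Lockbox entries (remoteRef.property) to keys of
    the Kubernetes Secret named by spec.target.name."""
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {"name": "external-secret", "namespace": NAMESPACE},
        "spec": {
            "refreshInterval": refresh,
            "secretStoreRef": {"name": SECRET_STORE_NAME, "kind": "SecretStore"},
            "target": {"name": target},
            "data": [
                {"secretKey": k8s_key,
                 "remoteRef": {"key": lockbox_secret_id, "property": prop}}
                for k8s_key, prop in entries
            ],
        },
    }


def lint_external_secret(es, stores):
    """Return a list of problems to fix before `kubectl apply`; an empty list
    means the object is consistent with the given SecretStore objects."""
    problems = []
    spec = es.get("spec", {})
    ref = spec.get("secretStoreRef", {})
    # A SecretStore is namespaced, so the reference must resolve in the same namespace.
    known = {(s["kind"], s["metadata"]["name"], s["metadata"].get("namespace"))
             for s in stores}
    wanted = (ref.get("kind", "SecretStore"), ref.get("name"),
              es["metadata"].get("namespace"))
    if wanted not in known:
        problems.append(f"secretStoreRef {ref} matches no SecretStore in the namespace")
    if not spec.get("target", {}).get("name"):
        problems.append("spec.target.name is empty; no Kubernetes secret would be created")
    seen = set()
    for item in spec.get("data", []):
        key = item["remoteRef"].get("key", "")
        if not key or key.startswith("<") or key.endswith(">"):
            problems.append(f"remoteRef.key {key!r} is a placeholder, not a Lockbox secret ID")
        if item["secretKey"] in seen:
            problems.append(f"duplicate secretKey {item['secretKey']!r}")
        seen.add(item["secretKey"])
    return problems


def decode_secret_value(kubectl_json, key):
    """Equivalent of `kubectl get secret -o json | jq -r .data.<key> | base64 --decode`:
    Kubernetes stores every value under .data base64-encoded."""
    obj = json.loads(kubectl_json)
    return base64.b64decode(obj["data"][key]).decode()


# Constructed sample of what `kubectl --namespace ns get secret k8s-secret -o json`
# returns once the operator has synced lockbox-secret (metadata trimmed).
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "k8s-secret", "namespace": NAMESPACE},
    "data": {"password": base64.b64encode(b"p@$$w0rd").decode()},
})

if __name__ == "__main__":
    es = external_secret_manifest("e6qexamplesecretid00")  # constructed ID
    print(json.dumps(es, indent=2))                          # feed to kubectl apply -f -
    print(lint_external_secret(es, [secret_store_manifest()]))
    print(lint_external_secret(external_secret_manifest("<secret_ID>"), []))
    print(decode_secret_value(SAMPLE_KUBECTL_OUTPUT, "password"))
```

Run the lint against the manifests you are about to apply and only proceed when it returns an empty list; the decode helper is handy when jq is not installed on the machine you run kubectl from.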
Delete the resources you created
Delete the resources you no longer need to avoid paying for them:
- Delete the Managed Service for Kubernetes cluster.
- Delete the Managed Service for Kubernetes cluster's public static IP address if you had reserved one.
- Delete lockbox-secret.
- In the terminal window, go to the directory containing the infrastructure plan.
  Warning
  Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
- Delete resources:
  - Run this command:
    terraform destroy
  - Confirm deleting the resources and wait for the operation to complete.
  All the resources described in the Terraform manifests will be deleted.