Syncing with Yandex Managed Service for Kubernetes secrets
External Secrets Operator
There are several schemas for integrating
To set up secret syncing:
- Install the External Secrets Operator and set up Yandex Lockbox.
- Configure the Managed Service for Kubernetes cluster.
- Create an External Secret.
If you no longer need the resources you created, delete them.
You can also deploy an infrastructure for syncing Yandex Lockbox secrets with Managed Service for Kubernetes cluster secrets via Terraform using a ready-made configuration file.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of resources for syncing secrets includes:
- Fee for using the Managed Service for Kubernetes master (see Managed Service for Kubernetes pricing).
- Fee for a Managed Service for Kubernetes node group's computing resources and disks (see Yandex Compute Cloud pricing).
Create an infrastructure
-
If you do not have a network yet, create one.
-
If you do not have any subnets, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
-
- Service account for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.
- Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder with the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.
Tip
You can use the same service account for all operations.
-
Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for the resources and nodes.
-
Configure security groups for the Managed Service for Kubernetes cluster to run.
-
Create a Yandex Lockbox secret with the following properties:
- Name:
lockbox-secret
. - Key: Enter the
password
non-secret ID. - Value: Enter the confidential data for storing
p@$$w0rd
.
Save the ID of the secret. You will need it later.
- Name:
-
If you do not have Terraform yet, install it.
-
Download the file with provider settings
. Place it in a separate working directory and specify the parameter values. -
Download the k8s-cluster-and-lockbox.tf
configuration file of the Managed Service for Kubernetes cluster to the same working directory.This file describes:
- Network
- Subnet
- Security group and rules required for the operation of the Managed Service for Kubernetes cluster and node group:
- Rules for service traffic.
- Rules for accessing the Kubernetes API and managing the Managed Service for Kubernetes cluster with
kubectl
through ports 443 and 6443. - Rules for connecting to services from the internet.
- Managed Service for Kubernetes cluster.
- Service account for Managed Service for Kubernetes resources and nodes.
- Yandex Lockbox secret.
-
Specify the following in the configuration file:
- Folder ID.
- Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
- Name of the service account for Managed Service for Kubernetes resources and nodes.
-
Run the
terraform init
command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
-
Save the created secret's ID that you entered in the terminal. You will need it later.
Configure the environment
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter. -
Install the
jq
utility:sudo apt update && sudo apt install jq
-
Install kubectl
and configure it to work with the created cluster.
Install the External Secrets Operator and set up Yandex Lockbox
- Follow this guide to install the External Secrets Operator.
- Assign to the service account you created when installing the External Secrets Operator the
lockbox.payloadViewer
role for the previously createdlockbox-secret
.
Configure a Managed Service for Kubernetes
-
Create a
ns
namespace to store External Secrets Operator objects in:kubectl create namespace ns
-
Create a
yc-auth
secret with thesa-key.json
key that you created when installing the External Secrets Operator:kubectl --namespace ns create secret generic yc-auth \ --from-file=authorized-key=sa-key.json
-
Create a SecretStore
that contains theyc-auth
secret:kubectl --namespace ns apply -f - <<< ' apiVersion: external-secrets.io/v1alpha1 kind: SecretStore metadata: name: secret-store spec: provider: yandexlockbox: auth: authorizedKeySecretRef: name: yc-auth key: authorized-key'
Create an External Secret
-
Create an object named ExternalSecret
pointing tolockbox-secret
insecret-store
:kubectl --namespace ns apply -f - <<< ' apiVersion: external-secrets.io/v1alpha1 kind: ExternalSecret metadata: name: external-secret spec: refreshInterval: 1h secretStoreRef: name: secret-store kind: SecretStore target: name: k8s-secret data: - secretKey: password remoteRef: key: <secret_id> property: password'
Where:
key
: ID of the previously created Yandex Lockbox secret namedlockbox-secret
.spec.target.name
: Name of the new key (k8s-secret
). The External Secrets Operator creates this key and inserts the parameters oflockbox-secret
.
-
Make sure that the new
k8s-secret
key contains thelockbox-secret
value:kubectl --namespace ns get secret k8s-secret \ --output=json | \ jq --raw-output ."data"."password" | \ base64 --decode
The command result will contain the value of the
password
key oflockbox-secret
:p@$$w0rd
Delete the resources you created
Delete the resources you no longer need to avoid paying for them:
- Delete the Managed Service for Kubernetes cluster.
- If you reserved a public static IP address for your Managed Service for Kubernetes cluster, delete it.
- Delete
lockbox-secret
.
-
In the terminal, go to the directory that contains the current Terraform configuration file with an infrastructure plan.
-
Delete the
k8s-cluster-and-lockbox.tf
configuration file. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the resources described in the
k8s-cluster-and-lockbox.tf
configuration file will be deleted. -