© 2025 Direct Cursus Technology L.L.C.
Syncing with Yandex Lockbox secrets

Written by
Yandex Cloud
Updated at May 7, 2025
  • Getting started
    • Required paid resources
    • Create an infrastructure
    • Set up your environment
  • Install the External Secrets Operator and set up Yandex Lockbox
  • Configure the Managed Service for Kubernetes cluster
  • Create an External Secret
  • Delete the resources you created

External Secrets Operator enables you to set up syncing of Yandex Lockbox secrets with Yandex Managed Service for Kubernetes cluster secrets.

There are several schemes for integrating Yandex Lockbox with Managed Service for Kubernetes. The example below uses the ESO as a Service scheme.

To set up secret syncing:

  1. Install the External Secrets Operator and set up Yandex Lockbox.
  2. Configure the Managed Service for Kubernetes cluster.
  3. Create an External Secret.

If you no longer need the resources you created, delete them.

You can also deploy an infrastructure for syncing Yandex Lockbox secrets with Managed Service for Kubernetes cluster secrets via Terraform using a ready-made configuration file.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of resources for syncing secrets includes:

  • Fee for using the Managed Service for Kubernetes master (see Managed Service for Kubernetes pricing).
  • Fee for a Managed Service for Kubernetes node group's computing resources and disks (see Yandex Compute Cloud pricing).

Create an infrastructure

Manually

  1. If you do not have a network yet, create one.

  2. If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.

  3. Create service accounts:

    • Service account for the Kubernetes resources with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Managed Service for Kubernetes cluster is created.
    • Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.

    Tip

    You can use the same service account for all operations.

  4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  5. Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for resources and nodes and the security group.

  6. Create a Yandex Lockbox secret with the following properties:

    • Name: lockbox-secret.
    • Key: Enter password as the non-secret ID.
    • Value: Enter p@$$w0rd as the confidential data to store.

    Save the ID of the secret. You will need it later.

Terraform

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the k8s-cluster-and-lockbox.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Yandex Lockbox secret.

    • Managed Service for Kubernetes cluster.

    • Service account for Managed Service for Kubernetes resources and nodes.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  6. Specify the following in the configuration file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for Managed Service for Kubernetes resources and nodes.
  7. Make sure the Terraform configuration files are correct using this command:

    terraform validate
    

    If there are any errors in the configuration files, Terraform will point them out.

  8. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  9. Save the ID of the created secret shown in the terminal output. You will need it later.

Set up your environment

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Install the jq utility:

    sudo apt update && sudo apt install jq
    
  3. Install kubectl and configure it to work with the new cluster.

Install the External Secrets Operator and set up Yandex Lockbox

  1. Follow this guide to install the External Secrets Operator.
  2. Assign the service account you created when installing the External Secrets Operator the lockbox.payloadViewer role for the previously created lockbox-secret.

Configure the Managed Service for Kubernetes cluster

  1. Create a ns namespace to store External Secrets Operator objects in:

    kubectl create namespace ns
    
  2. Create a yc-auth secret from the sa-key.json authorized key file you created when installing the External Secrets Operator:

    kubectl --namespace ns create secret generic yc-auth \
      --from-file=authorized-key=sa-key.json
    
  3. Create a SecretStore containing the yc-auth secret:

    kubectl --namespace ns apply -f - <<< '
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: secret-store
    spec:
      provider:
        yandexlockbox:
          auth:
            authorizedKeySecretRef:
              name: yc-auth
              key: authorized-key'
    

Create an External Secret

  1. Create an ExternalSecret object named external-secret that points to lockbox-secret through secret-store:

    kubectl --namespace ns apply -f - <<< '
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: external-secret
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: secret-store
        kind: SecretStore
      target:
        name: k8s-secret
      data:
      - secretKey: password
        remoteRef:
          key: <secret_ID>
          property: password'
    

    Where:

    • spec.data[].remoteRef.key: ID of the lockbox-secret Yandex Lockbox secret you created.
    • spec.target.name: Name of the new Kubernetes secret, k8s-secret. The External Secrets Operator will create this secret and place the lockbox-secret payload in it.
  2. Make sure the new k8s-secret secret contains the lockbox-secret value:

    kubectl --namespace ns get secret k8s-secret \
      --output=json | \
      jq --raw-output '.data.password' | \
      base64 --decode
    

    The command result will contain the value of the password key of lockbox-secret:

    p@$$w0rd
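
    Decoding the value only proves that some Secret named k8s-secret exists; it does not tell you whether the External Secrets Operator is still syncing it or whether the Secret is stale or hand-made. The following added example (not part of this tutorial or of the operator) checks the `kubectl ... --output=json` output of the ExternalSecret and its target Secret together: the Ready condition, the owner reference from the Secret back to the ExternalSecret, and the presence of every secretKey. The JSON samples are constructed to match the objects created above; the secret ID stays the <secret_ID> placeholder.

```python
import base64
import json

# Constructed samples (not real cluster output) of what
# `kubectl --namespace ns get externalsecret external-secret --output=json` and
# `kubectl --namespace ns get secret k8s-secret --output=json` return.
EXTERNAL_SECRET_OK = json.dumps({
    "kind": "ExternalSecret",
    "metadata": {"name": "external-secret", "namespace": "ns", "uid": "es-uid-1"},
    "spec": {"refreshInterval": "1h", "target": {"name": "k8s-secret"},
             "data": [{"secretKey": "password",
                       "remoteRef": {"key": "<secret_ID>", "property": "password"}}]},
    "status": {"conditions": [{"type": "Ready", "status": "True",
                               "reason": "SecretSynced"}]},
})
# Same object after a failed refresh (e.g. the lockbox.payloadViewer role was revoked).
_failed = json.loads(EXTERNAL_SECRET_OK)
_failed["status"]["conditions"] = [{"type": "Ready", "status": "False",
                                    "reason": "SecretSyncedError"}]
EXTERNAL_SECRET_FAILED = json.dumps(_failed)
TARGET_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "k8s-secret", "namespace": "ns",
                 "ownerReferences": [{"kind": "ExternalSecret", "uid": "es-uid-1"}]},
    "data": {"password": base64.b64encode(b"p@$$w0rd").decode()},
})


def check_sync(external_secret_json, target_secret_json):
    """Return (problems, decoded_data): an empty problems list means the Secret is
    a current, operator-owned copy of the Lockbox payload."""
    es = json.loads(external_secret_json)
    secret = json.loads(target_secret_json)
    problems = []
    ready = [c for c in es.get("status", {}).get("conditions", []) if c.get("type") == "Ready"]
    if not ready:
        problems.append("ExternalSecret has no Ready condition yet")
    elif ready[-1].get("status") != "True":
        problems.append(f"ExternalSecret not Ready: {ready[-1].get('reason', 'unknown')}")
    if secret.get("metadata", {}).get("name") != es["spec"]["target"]["name"]:
        problems.append("Secret name does not match spec.target.name")
    owners = {o.get("uid") for o in secret.get("metadata", {}).get("ownerReferences", [])}
    if es["metadata"].get("uid") not in owners:
        problems.append("Secret is not owned by this ExternalSecret (stale or hand-made?)")
    data = secret.get("data", {})
    for item in es["spec"].get("data", []):
        if item["secretKey"] not in data:
            problems.append(f"key {item['secretKey']} missing from Secret")
    decoded = {k: base64.b64decode(v).decode() for k, v in data.items()}
    return problems, decoded
```

A non-empty problems list on a Secret whose value still decodes correctly is the case to watch for: the application keeps running on a value the operator can no longer refresh.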
    

Delete the resources you created

Delete the resources you no longer need to avoid paying for them:

Manually

  1. Delete the Managed Service for Kubernetes cluster.
  2. Delete the Managed Service for Kubernetes cluster's public static IP address if you had reserved one.
  3. Delete lockbox-secret.
Terraform

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
