Secrets Store
Stackland uses two main tools for safe storage of secrets and their injection:
- Secrets Injector: Uploads secrets via a Vault-compatible API and injects them into cluster resources.
- Vault-compatible secrets storage.
If you use the default Secrets Injector configuration, the cluster's secret storage will be OpenBao, a fork of Vault.
You can change the default settings using the SecretsStoreConfig custom resource properties.
Access to OpenBao
The OpenBao interface and API access are disabled by default.
- To open access to the OpenBao API from outside the cluster, you need to set the
server.ingress.enabled = trueflag. - To open access to the OpenBao interface from outside the cluster, you need to set the
server.ingress.enabled = trueandui.enabled = trueflag.
The interface and API will be available at https://secrets.sys.<cluster domain>. If ui.enabled is set to true, and server.ingress.enabled, to false, accessing the interface will only be available within the cluster.
Using Secrets Injector
Secrets Injector is ready to work right after cluster deployment and does not require any additional configuration. Secrets Injector uses OpenBao storage in Stackland. If required, you can configure the use of your own secret storage in a custom resource using the secretsAddr property.
Secrets Injector uses the OpenBao API to authenticate service accounts that inject secrets into manifests. By default, the auth/kubernetes endpoint is used; however, you can change it by modifying the authPath property.
Configuration
Here is an example:
apiVersion: stackland.yandex.cloud/v1alpha1
kind: SecretsStoreConfig
metadata:
name: main # This is a required field you must set to `main`
spec:
enabled: true
settings:
stacklandSecretsInjector: # Secrets Injector settings
authPath: kubernetes
enabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
secretsAddr: ''
skipTLSVerify: false
webhookTimeout: 30
server: # OpenBao pod settings
dataStorage:
size: 2Gi
storageClass: stackland-default
enabled: true
ingress:
clusterIssuer: stackland-default
enabled: false
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
updateStrategyType: RollingUpdate
ui:
enabled: true # Whether to use the OpenBao interface
Secrets Injector settings
stacklandSecretsInjector:
authPath: kubernetes
enabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
secretsAddr: ''
skipTLSVerify: false
webhookTimeout: 30
authPath: Specifies the OpenBao API endpoint for authentication and authorization via Kubernetes. The default value isauth/kubernetes.enabled: Enables the use of Secrets Injector.resources: Limits resources (CPU and memory) for the pod.secretsAddr: Specifies the HTTPS address of the OpenBao API.skipTLSVerify: Allows you to skip checking the TLS certificate if it is not in the list of trusted certificates.webhookTimeout: Determines the time to wait for a response from Secrets Injector.
OpenBao pod settings
server:
dataStorage:
size: 2Gi
storageClass: stackland-default
enabled: true
ingress:
clusterIssuer: stackland-default
enabled: false
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
updateStrategyType: RollingUpdate
dataStorage: Sets advanced settings for the storage.enabled: Enables the use of a pod.ingress: Specifies the settings of the Ingress object.resources: Limits resources (CPU and memory) for the pod.updateStrategyType: Determines the type of update.
Using the interface
ui:
enabled: true
enabled: Enables the OpenBao interface athttps://secrets.sys.<cluster domain>.