Password Depot

External Secrets Operator integrates with the Password Depot API to sync secrets stored in Password Depot to secrets held on the Kubernetes cluster.

Authentication

The API requires a username and password.

apiVersion: v1
kind: Secret
metadata:
  name: password-depot-secret
  labels: 
    type: password-depot
type: Opaque 
stringData:
  username: the-username-for-password-depot
  password: the secret password

Update secret store

Be sure the passworddepot provider is listed in the Kind=SecretStore and that host and database are set.

apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
  name: external-secrets-store
spec:

  # The provider field contains the configuration to access the provider
  # that holds the secret. Exactly one provider must be configured.
  provider:

    passworddepot:
      host: host-of-password-depot # port is 8714 by default
      database: "password depot database name"
      auth:
        SecretRef:
          credentials:
            name: password-depot-secret
            namespace: external-secrets

Creating external secret

To sync a Password Depot variable to a secret on the Kubernetes cluster, a Kind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: passworddepot-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: passworddepot-secret-store # Must match SecretStore on the cluster

  target:
    name: passworddepot-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  data:
    - secretKey: username # Key given to the secret to be created on the cluster
      remoteRef: 
        key: Production.mySecret
        property: login # field named in passworddepot

Using DataFrom

DataFrom can be used to get a variable as a JSON string and attempt to parse it.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: passworddepot-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: passworddepot-secret-store # Must match SecretStore on the cluster

  target:
    name: passworddepot-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  # Each property in the Password Depot secret is used as a key in the target Kubernetes Secret
  dataFrom:
  - key: "Production.mySecret" # Key of the secret

Getting the Kubernetes secret

The operator will fetch the Password Depot variable and inject it as a Kind=Secret.

kubectl get secret passworddepot-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d
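
The following Python example is added here and is not code from External Secrets Operator or Password Depot. It models the DataFrom mapping described above and the base64 decoding done by the kubectl command, assuming the Password Depot entry is a flat JSON object with string values; the sample entry and the function names are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample: the JSON string a Password Depot entry is assumed to return.
SAMPLE_ENTRY = '{"login": "admin", "pass": "example-only", "url": "https://db.example.internal"}'

# Kubernetes Secret keys may only contain alphanumerics, '-', '_' and '.'.
VALID_KEY = re.compile(r"^[-._a-zA-Z0-9]+$")


def entry_to_secret_data(raw: str) -> dict:
    """Parse a JSON entry into the base64-encoded .data map of a Secret.

    Assumption: the entry is a flat JSON object whose values are strings.
    Anything else is rejected instead of being silently coerced.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"entry is not valid JSON: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("entry must be a JSON object")

    data = {}
    for key, value in parsed.items():
        if not VALID_KEY.match(key):
            raise ValueError(f"property {key!r} is not a valid Secret key")
        if not isinstance(value, str):
            raise ValueError(f"property {key!r} is not a string")
        # .data values are base64-encoded, which is encoding, not encryption.
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return data


def read_key(secret_data: dict, key: str) -> str:
    """Same decoding step as `-o jsonpath='{.data.<key>}' | base64 -d`."""
    return base64.b64decode(secret_data[key]).decode("utf-8")


if __name__ == "__main__":
    secret = entry_to_secret_data(SAMPLE_ENTRY)
    for name in sorted(secret):
        print(f"{name}: {secret[name]} -> {read_key(secret, name)}")
```
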