
Passbolt

External Secrets Operator integrates with the Passbolt API to sync secrets stored in Passbolt into Secrets held on the Kubernetes cluster.

Creating a Passbolt secret store

Make sure the passbolt provider is listed in the Kind=SecretStore and that both host and auth are set. The Passbolt API authenticates with a user's private key and its passphrase, so both must be provided through references to a Kubernetes Secret (passbolt-credentials in the example below) in the same namespace as the SecretStore. Whoever can read that Secret can read everything the Passbolt user can, so restrict access to it with RBAC and give the Passbolt user only the resources the cluster actually needs.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: passbolt
spec:
  provider:
    passbolt:
      host: https://passbolt.passbolt.svc.cluster.local
      auth:
        passwordSecretRef:
          key: password
          name: passbolt-credentials
        privateKeySecretRef:
          key: privateKey
          name: passbolt-credentials

Creating an external secret

To sync a Passbolt secret to a Kubernetes secret, a Kind=ExternalSecret is needed. By default each synced value is a JSON object containing the Passbolt resource's name, username, uri, password and description.

To select only a single field, add the property key to the remoteRef.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: passbolt-example-simple
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: passbolt
    kind: SecretStore
  target:
    name: passbolt-example
  data:
  - secretKey: full_secret
    remoteRef:
      key: e22487a8-feb8-4591-95aa-14b193930cb4 # Replace with ID of existing Passbolt secret
  - secretKey: password_only
    remoteRef:
      key: e22487a8-feb8-4591-95aa-14b193930cb4 # Replace with ID of existing Passbolt secret
      property: password # Limit the value to a single property of the Passbolt secret

The above external secret will lead to the creation of a secret in the following form (values are shown decoded for readability; in the actual Secret the data values are base64-encoded):

apiVersion: v1
kind: Secret
metadata:
  name: passbolt-example
data:
  full_secret: '{"name":"passbolt-secret","username":"some-username","password":"supersecretpassword","uri":"passbolt.com","description":"some description"}'
  password_only: supersecretpassword
type: Opaque

Finding a secret by name

Instead of retrieving secrets by ID you can also use dataFrom with find to select secrets whose name matches a regular expression. Note that a pattern such as ".*" matches every resource the Passbolt user can read and syncs all of them into the target Secret; in practice, use a narrower pattern that matches only the resources the workload needs.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: passbolt-example
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: passbolt
    kind: SecretStore
  target:
    name: passbolt-example
  dataFrom:
    - find:
        name:
          regexp: ".*"
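The following Python simulation is an added example, not code from External Secrets Operator or Passbolt. It shows how the data entries from the earlier ExternalSecret and a dataFrom.find name regexp resolve into Kubernetes Secret contents: the full JSON object by default, a single field when property is set, base64 encoding of the data values, and the difference in blast radius between ".*" and an anchored pattern. The Passbolt API is replaced by a constructed in-memory list of resources with made-up IDs and values; keying the find results by resource ID is an assumption about the operator's naming, not something this page states.

```python
"""Simulate how ExternalSecret `data` and `dataFrom.find` entries for the
Passbolt provider become Kubernetes Secret contents.

Constructed example, not External Secrets Operator code: the Passbolt "API"
is an in-memory list of resources, and every ID, name and value is made up.
"""
import base64
import json
import re

# Constructed stand-in for the resources the Passbolt user can read.
PASSBOLT_RESOURCES = [
    {"id": "e22487a8-feb8-4591-95aa-14b193930cb4", "name": "passbolt-secret",
     "username": "some-username", "password": "supersecretpassword",
     "uri": "passbolt.com", "description": "some description"},
    {"id": "0f6c2b5e-1d3a-4c89-9b71-2a7e5d4f6c10", "name": "db-prod-admin",
     "username": "admin", "password": "pr0d-pa55", "uri": "postgres://db.prod",
     "description": "production database"},
    {"id": "7b2d9c41-5e6f-4a0b-8c3d-1e2f3a4b5c6d", "name": "db-staging-admin",
     "username": "admin", "password": "stag1ng", "uri": "postgres://db.staging",
     "description": "staging database"},
]

# Fields of the default JSON payload, in the order the page shows them.
DEFAULT_PROPERTIES = ("name", "username", "password", "uri", "description")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def fetch_resource(resource_id):
    """Look up one resource by ID, the way remoteRef.key does."""
    if not UUID_RE.match(resource_id):
        raise ValueError(f"remoteRef.key must be a Passbolt resource UUID, got {resource_id!r}")
    for res in PASSBOLT_RESOURCES:
        if res["id"] == resource_id:
            return res
    raise KeyError(f"no Passbolt resource with id {resource_id}")


def render_value(resource, prop=None):
    """Full JSON object by default; one field when `property` is set."""
    payload = {k: resource[k] for k in DEFAULT_PROPERTIES}
    if prop is None:
        return json.dumps(payload, separators=(",", ":"))
    if prop not in payload:
        raise KeyError(f"property {prop!r} is not one of {DEFAULT_PROPERTIES}")
    return payload[prop]


def sync_data(entries):
    """Resolve `data` entries shaped like {secretKey, remoteRef: {key, property}}."""
    out = {}
    for entry in entries:
        ref = entry["remoteRef"]
        out[entry["secretKey"]] = render_value(fetch_resource(ref["key"]), ref.get("property"))
    return out


def sync_find(name_regexp):
    """Resolve a `dataFrom.find.name.regexp` over every readable resource.

    Results are keyed by resource ID here; that is an assumption of this
    simulation, so check the operator's real output for the exact key names.
    """
    pattern = re.compile(name_regexp)
    return {res["id"]: render_value(res) for res in PASSBOLT_RESOURCES if pattern.search(res["name"])}


def to_secret_manifest(name, values):
    """Wrap values in a Kubernetes Secret; `data` values are base64 on the wire."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def decode_secret(manifest):
    """What a consumer sees after base64-decoding the Secret's data values."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}


if __name__ == "__main__":
    data_entries = [
        {"secretKey": "full_secret", "remoteRef": {"key": "e22487a8-feb8-4591-95aa-14b193930cb4"}},
        {"secretKey": "password_only",
         "remoteRef": {"key": "e22487a8-feb8-4591-95aa-14b193930cb4", "property": "password"}},
    ]
    print(json.dumps(to_secret_manifest("passbolt-example", sync_data(data_entries)), indent=2))
    # ".*" syncs every resource the Passbolt user can read into the cluster ...
    print(sorted(sync_find(".*")))
    # ... while an anchored pattern limits the Secret to what the workload needs.
    print(sorted(sync_find(r"^db-prod-")))
```

Running the script prints the same two-key Secret shown earlier on this page, except that the data values are base64-encoded as they would be in the real object, followed by the three resource IDs matched by ".*" and the single ID matched by ^db-prod-.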