
Segura® DevOps Secret Manager (DSM)

External Secrets Operator integrates with the Segura® DevOps Secret Manager (DSM) module to sync application secrets from DSM into Secrets held on the Kubernetes cluster.


Authentication

Authentication in Segura® uses the DevOps Secret Manager (DSM) application authorization scheme. Instructions for setting up Authorizations and Secrets in Segura® DSM can be found in the Segura docs for DSM.

You will need to create a Kubernetes Secret holding the client secret of that authorization, for example:

---
apiVersion: v1
kind: Secret
metadata:
  name: senhasegura-dsm-auth
stringData:
  CLIENT_SECRET: "CHANGEME"

Examples

To sync secrets between Segura® DSM and Kubernetes with External Secrets, define a SecretStore or ClusterSecretStore resource with the Segura® provider, pointing the DSM module's authentication at the Secret you defined above.

SecretStore

---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: senhasegura
spec:
  provider:
    senhasegura:
      url: "https://senhasegura.changeme.com"
      module: DSM # Select senhasegura DSM module to sync secrets
      auth:
        clientId: "CHANGEME"
        clientSecretSecretRef:
          name: senhasegura-dsm-auth
          key: CLIENT_SECRET
      ignoreSslCertificate: false # Optional; true disables TLS certificate verification of the DSM endpoint

ClusterSecretStore

---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: senhasegura
spec:
  provider:
    senhasegura:
      url: "https://senhasegura.changeme.com"
      module: DSM # Select senhasegura DSM module to sync secrets
      auth:
        clientId: "CHANGEME"
        clientSecretSecretRef:
          name: senhasegura-dsm-auth
          key: CLIENT_SECRET
          namespace: senhasegura # Namespace of Secret "senhasegura-dsm-auth"
      ignoreSslCertificate: false # Optional; true disables TLS certificate verification of the DSM endpoint
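The two store manifests above carry the settings that decide whether the DSM client secret is protected in transit: the scheme of `url`, the `ignoreSslCertificate` flag, and, for a ClusterSecretStore, the `namespace` of the referenced auth Secret. The following is an added example, not code from the External Secrets project or from Segura, that audits store objects for those three points. It reads the JSON shape `kubectl get secretstore,clustersecretstore -A -o json` produces (a `List` with `items`); the sample objects are constructed here and mirror the manifests on this page, with a second, deliberately weak store for contrast.

```python
import json
import sys

# Constructed sample objects in the shape `kubectl get ... -o json` returns.
# The first mirrors the SecretStore on this page; the second is a deliberately
# weak ClusterSecretStore used to show what the audit flags.
SAMPLE_STORES = [
    {
        "apiVersion": "external-secrets.io/v1",
        "kind": "SecretStore",
        "metadata": {"name": "senhasegura", "namespace": "apps"},
        "spec": {"provider": {"senhasegura": {
            "url": "https://senhasegura.changeme.com",
            "module": "DSM",
            "auth": {"clientId": "CHANGEME",
                     "clientSecretSecretRef": {"name": "senhasegura-dsm-auth",
                                               "key": "CLIENT_SECRET"}},
            "ignoreSslCertificate": False,
        }}},
    },
    {
        "apiVersion": "external-secrets.io/v1",
        "kind": "ClusterSecretStore",
        "metadata": {"name": "senhasegura-lab"},
        "spec": {"provider": {"senhasegura": {
            "url": "http://senhasegura.lab.internal",   # plain HTTP (weak)
            "module": "DSM",
            "auth": {"clientId": "CHANGEME",
                     "clientSecretSecretRef": {"name": "senhasegura-dsm-auth",
                                               "key": "CLIENT_SECRET"}},  # no namespace
            "ignoreSslCertificate": True,                 # TLS validation off (weak)
        }}},
    },
]


def audit_store(store):
    """Return a list of findings (strings) for one SecretStore/ClusterSecretStore.
    Stores that do not use the senhasegura provider yield no findings."""
    findings = []
    kind = store.get("kind", "?")
    name = store.get("metadata", {}).get("name", "?")
    prov = store.get("spec", {}).get("provider", {}).get("senhasegura")
    if prov is None:
        return findings
    where = f"{kind}/{name}"
    url = prov.get("url", "")
    if not url.startswith("https://"):
        findings.append(f"{where}: url {url!r} is not https; the client secret "
                        f"would travel in clear text")
    if prov.get("ignoreSslCertificate") is True:
        findings.append(f"{where}: ignoreSslCertificate is true; certificate "
                        f"validation is disabled, so an on-path attacker can read "
                        f"the client secret and substitute secret values")
    ref = prov.get("auth", {}).get("clientSecretSecretRef", {})
    if kind == "ClusterSecretStore" and not ref.get("namespace"):
        findings.append(f"{where}: clientSecretSecretRef has no namespace; a "
                        f"ClusterSecretStore must say where the auth Secret lives")
    return findings


def audit_kubectl_json(text):
    """Audit the output of `kubectl get secretstore,clustersecretstore -A -o json`.
    Returns {"Kind/name": [findings...]} for every senhasegura store in the List."""
    doc = json.loads(text)
    items = doc.get("items", [doc]) if isinstance(doc, dict) else doc
    return {f"{s['kind']}/{s['metadata']['name']}": audit_store(s)
            for s in items
            if s.get("spec", {}).get("provider", {}).get("senhasegura")}


if __name__ == "__main__":
    # Pipe real cluster output in, or fall back to the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else json.dumps(
        {"kind": "List", "items": SAMPLE_STORES})
    for where, findings in audit_kubectl_json(text).items():
        print(where, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it as `kubectl get secretstore,clustersecretstore -A -o json | python3 audit_stores.py`; the page's own store produces no findings, while the constructed lab store is reported on all three points.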

Syncing secrets

In the examples below, consider that three secrets (api-settings, db-settings and hsm-settings) are defined in Segura® DSM.


**Secret Identifier:** api-settings

Secret data:

URL=https://example.com/api/example
TOKEN=example-token-value

**Secret Identifier:** db-settings

Secret data:

DB_HOST='db.example'
DB_PORT='5432'
DB_USERNAME='example'
DB_PASSWORD='example'

**Secret Identifier:** hsm-settings

Secret data:

HSM_ADDRESS='hsm.example'
HSM_PORT='9223'

Sync DSM secrets using Secret Identifiers

You can fetch all key/value pairs of a secret identifier by leaving remoteRef.property empty. This stores the JSON-encoded secret value for that identifier.

If you only need a specific key, select it by setting remoteRef.property to the key name.

With this method you choose the key names in the Kubernetes Secret yourself (e.g. API_SETTINGS and API_SETTINGS_TOKEN), independent of the key names used in DSM.

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example-secret
spec:
  refreshInterval: "30s"
  secretStoreRef:
    name: senhasegura
    kind: SecretStore
  target:
    name: example-secret
  data:
  # Define API_SETTINGS Kubernetes Secret key, with json-encoded values from senhasegura secret with identifier "api-settings"
  - secretKey: API_SETTINGS
    remoteRef:
      key: api-settings # Secret Identifier in senhasegura
  # Define API_SETTINGS_TOKEN Kubernetes Secret key, with single secret key (TOKEN) from senhasegura as string
  - secretKey: API_SETTINGS_TOKEN
    remoteRef:
      key: api-settings # Secret Identifier in senhasegura
      property: TOKEN # Optional, Key name within secret

The Kubernetes Secret will be created with the following .data.X entries:

API_SETTINGS='[{"TOKEN":"example-token-value","URL":"https://example.com/api/example"}]'
API_SETTINGS_TOKEN='example-token-value'
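Note the shape of the whole-identifier value: DSM returns the key/value pairs JSON-encoded inside a one-element list, so an application that consumes API_SETTINGS has to unwrap that list before it can read TOKEN or URL, whereas API_SETTINGS_TOKEN is a plain string. The following added example (not code from the External Secrets project or from Segura) decodes a synced Secret as `kubectl get secret example-secret -o json` would return it and parses the bundle; the Secret object is constructed inline from the values shown above, and the function accepts a bare JSON object as well as the list-wrapped form in case a future provider version drops the wrapper.

```python
import base64
import json


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample: the Secret the ExternalSecret above produces, in the shape
# `kubectl get secret example-secret -o json` returns (values base64-encoded).
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "example-secret"},
    "type": "Opaque",
    "data": {
        "API_SETTINGS": _b64('[{"TOKEN":"example-token-value",'
                             '"URL":"https://example.com/api/example"}]'),
        "API_SETTINGS_TOKEN": _b64("example-token-value"),
    },
}


def decode_data(secret):
    """Base64-decode every .data entry of a Secret object into a str -> str map."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in secret.get("data", {}).items()}


def parse_dsm_bundle(raw):
    """Parse a whole-identifier value synced from DSM.

    DSM delivers the key/value pairs as a JSON object wrapped in a one-element
    list ('[{"TOKEN": ..., "URL": ...}]'); a bare object is accepted too.
    Anything else (empty list, several elements, non-object) is rejected rather
    than silently yielding an empty mapping."""
    value = json.loads(raw)
    if isinstance(value, list):
        if len(value) != 1 or not isinstance(value[0], dict):
            raise ValueError("unexpected DSM bundle shape: %r" % (value,))
        value = value[0]
    if not isinstance(value, dict):
        raise ValueError("DSM bundle is not a JSON object")
    return {str(k): str(v) for k, v in value.items()}


def api_settings(secret):
    """Return the parsed api-settings bundle and cross-check it against the
    separately synced API_SETTINGS_TOKEN entry; the two come from the same
    DSM identifier, so a mismatch means the Secret is only partially refreshed."""
    data = decode_data(secret)
    bundle = parse_dsm_bundle(data["API_SETTINGS"])
    if bundle.get("TOKEN") != data.get("API_SETTINGS_TOKEN"):
        raise ValueError("API_SETTINGS and API_SETTINGS_TOKEN disagree")
    return bundle


if __name__ == "__main__":
    settings = api_settings(SAMPLE_SECRET)
    print("URL:", settings["URL"])
    print("TOKEN length:", len(settings["TOKEN"]))  # never print the token itself
```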

Sync DSM secrets using Secret Identifiers with automatic key naming

If your app requires multiple secrets, you do not need to create multiple ExternalSecret resources; you can aggregate secrets from several identifiers in a single ExternalSecret resource.

With this method, every key/value pair of the Segura® secret becomes a .data.X field of the Kubernetes Secret, keeping the key name used in DSM.

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example-secret
spec:
  refreshInterval: "30s"
  secretStoreRef:
    name: senhasegura
    kind: SecretStore
  target:
    name: example-secret
  dataFrom:
  # Create a Kubernetes Secret key for every k/v pair in the senhasegura secrets with identifiers "api-settings" and "db-settings"
  - extract:
      key: api-settings
  - extract:
      key: db-settings

The Kubernetes Secret will be created with the following .data.X entries:

URL='https://example.com/api/example'
TOKEN='example-token-value'
DB_HOST='db.example'
DB_PORT='5432'
DB_USERNAME='example'
DB_PASSWORD='example'
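Because dataFrom keeps the DSM key names, two identifiers that both define a key (say a TOKEN in api-settings and in a legacy secret) end up writing the same .data entry, and one of the values is silently lost. The following added example (not code from the External Secrets project or from Segura) computes the .data keys an ExternalSecret's `dataFrom[].extract` entries would produce and reports such collisions before you apply the manifest. The DSM secrets are constructed copies of the three defined on this page; the merge order is an assumption made here (entries applied in list order, a later one overwriting an earlier one), so confirm it against your ESO version.

```python
# Constructed copies of the three DSM secrets defined on this page, standing in
# for what the provider would return for each identifier.
DSM_SECRETS = {
    "api-settings": {"URL": "https://example.com/api/example",
                     "TOKEN": "example-token-value"},
    "db-settings": {"DB_HOST": "db.example", "DB_PORT": "5432",
                    "DB_USERNAME": "example", "DB_PASSWORD": "example"},
    "hsm-settings": {"HSM_ADDRESS": "hsm.example", "HSM_PORT": "9223"},
}

# The ExternalSecret from this section, as the dict a YAML loader would give.
EXAMPLE_ES = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "example-secret"},
    "spec": {
        "refreshInterval": "30s",
        "secretStoreRef": {"name": "senhasegura", "kind": "SecretStore"},
        "target": {"name": "example-secret"},
        "dataFrom": [{"extract": {"key": "api-settings"}},
                     {"extract": {"key": "db-settings"}}],
    },
}


def plan_extract(external_secret, dsm_secrets):
    """Return (merged, collisions) for the dataFrom[].extract entries.

    merged     : the .data mapping the Secret would get (assumed merge order:
                 list order, later entries overwrite earlier ones).
    collisions : (key, first_identifier, overriding_identifier) triples.
    Unknown identifiers raise KeyError so a typo is caught before apply."""
    merged, owner, collisions = {}, {}, []
    for entry in external_secret["spec"].get("dataFrom", []):
        ident = entry.get("extract", {}).get("key")
        if ident is None:
            continue  # not an extract entry; out of scope for this check
        if ident not in dsm_secrets:
            raise KeyError(f"identifier {ident!r} is not defined in DSM")
        for k, v in dsm_secrets[ident].items():
            if k in owner and owner[k] != ident:
                collisions.append((k, owner[k], ident))
            merged[k] = v
            owner[k] = ident
    return merged, collisions


def check(external_secret, dsm_secrets):
    """True when the manifest produces no overwritten keys; prints the plan."""
    merged, collisions = plan_extract(external_secret, dsm_secrets)
    print("resulting .data keys:", ", ".join(merged))  # keys only, never values
    for key, first, second in collisions:
        print(f"COLLISION: {key!r} from {first!r} is overwritten by {second!r}")
    return not collisions


if __name__ == "__main__":
    check(EXAMPLE_ES, DSM_SECRETS)
    # Constructed collision case: a legacy identifier that also carries TOKEN.
    with_legacy = dict(DSM_SECRETS, **{"legacy-settings": {"TOKEN": "old-token"}})
    es = {"spec": {"dataFrom": [{"extract": {"key": "api-settings"}},
                                {"extract": {"key": "legacy-settings"}}]}}
    check(es, with_legacy)
```

For the manifest on this page the six keys listed above come out with no collision; the constructed legacy case shows TOKEN from api-settings being replaced by the later entry, which is exactly the situation to catch before the application reads the wrong credential.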