Skip to content

Oracle Vault

Oracle Vault

External Secrets Operator integrates with OCI API to sync secret on the Oracle Vault to secrets held on the Kubernetes cluster.

Authentication

The API requires a userOCID, tenancyOCID, fingerprint, key file and a region. The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.

See url for what region you you are accessing. userOCID-details

Select tenancy in the top right to see your user OCID as shown below. tenancyOCID-details

Select your user in the top right to see your user OCID as shown below. region-details

Service account key authentication

Create a secret containing your private key and fingerprint:

apiVersion: v1
kind: Secret
metadata:
  name: oracle-secret
  labels: 
    type: oracle
type: Opaque
stringData:
  privateKey: 
  fingerprint:

Your fingerprint will be attatched to your API key, once it has been generated. Found on the same page as the user OCID. fingerprint-details

Once you click "Add API Key" you will be shown the following, where you can download the RSA key in the necessary PEM format for API requests. This will automatically generate a fingerprint. API-key-details

Update secret store

Be sure the oracle provider is listed in the Kind=SecretStore.

apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: example
spec:
  provider:
    oracle: #Needs to match value in secretstore_types.go
      vault: # The vault OCID
      user:
      tenancy:
      region:
      auth:
        secretRef:
          privatekey:
            name: oracle-secret
            key: privateKey #Needs to match stringData val in secret_oracle.yml
          fingerprint:
            name: oracle-secret
            key: fingerprint

Creating external secret

To create a kubernetes secret from the Oracle Cloud Interface secret aKind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 0.03m
  secretStoreRef:
    kind: SecretStore
    name: example # Must match SecretStore on the cluster
  target:
    name: secret-to-be-created # Name for the secret on the cluster
    creationPolicy: Owner
  dataFrom:
    - key: the-secret-name

Getting the Kubernetes secret

The operator will fetch the project variable and inject it as a Kind=Secret. 

kubectl get secret oracle-secret-to-create -o jsonpath='{.data.dev-secret-test}' | base64 -d