Yandex Lockbox

External Secrets Operator integrates with Yandex Lockbox for secret management.

Prerequisites

Authentication

At the moment, only authorized key authentication is supported:

  • Create a service account in Yandex.Cloud:
    yc iam service-account create --name eso-service-account
    
  • Create an authorized key for the service account and save it to authorized-key.json file:
    yc iam key create \
      --service-account-name eso-service-account \
      --output authorized-key.json
    
  • Create a k8s secret containing the authorized key saved above:
    kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
    
  • Create a SecretStore pointing to yc-auth k8s secret:
    apiVersion: external-secrets.io/v1alpha1
    kind: SecretStore
    metadata:
      name: secret-store
    spec:
      provider:
        yandexlockbox:
          auth:
            authorizedKeySecretRef:
              name: yc-auth
              key: authorized-key
    

NOTE: In the case of a ClusterSecretStore, be sure to set namespace in every authorizedKeySecretRef to the namespace where the yc-auth secret resides. A ClusterSecretStore is cluster-scoped and has no namespace of its own, so a reference without one cannot be resolved.

Creating external secret

To make External Secrets Operator sync a k8s secret with a Lockbox secret:

  • Create a Lockbox secret, if not already created:
    yc lockbox secret create \
      --name lockbox-secret \
      --payload '[{"key": "password","textValue": "p@$$w0rd"}]'
    
  • Assign the lockbox.payloadViewer role for accessing the lockbox-secret payload to the service account used for authentication:
    yc lockbox secret add-access-binding \
      --name lockbox-secret \
      --service-account-name eso-service-account \
      --role lockbox.payloadViewer
    
    Run the following command to ensure that the correct access binding has been added:
    yc lockbox secret list-access-bindings --name lockbox-secret
    
  • Create an ExternalSecret pointing to secret-store and lockbox-secret:
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: external-secret
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: secret-store
        kind: SecretStore
      target:
        name: k8s-secret # the target k8s secret name
      data:
      - secretKey: password # the target k8s secret key
        remoteRef:
          key: ***** # ID of lockbox-secret
          property: password # (optional) payload entry key of lockbox-secret
    
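The procedure above, end to end, as one script. This is an added example and not code from the External Secrets Operator project or the Yandex Cloud CLI docs. It assumes yc and kubectl are already configured for the target folder and cluster, that `yc lockbox secret get --format json` prints the secret's own `id` before any version id (the page only shows the id as `*****`, so the script looks it up by name), and that the resource names and namespace, all overridable through environment variables, are illustrative. It adds the checks a practitioner wants that the steps above leave implicit: the authorized-key file is deleted once it is loaded into the cluster, the access binding is verified before the ExternalSecret is created, and the script waits for the ExternalSecret's Ready condition before reading the synced value.

```shell
#!/bin/sh
# Added example (not from the External Secrets Operator docs): the Yandex
# Lockbox -> Kubernetes flow as one script with verification steps.
# Assumptions: yc and kubectl are configured; names below are illustrative.
set -eu

SA_NAME="${SA_NAME:-eso-service-account}"
LOCKBOX_NAME="${LOCKBOX_NAME:-lockbox-secret}"
NAMESPACE="${NAMESPACE:-default}"
AUTH_SECRET="${AUTH_SECRET:-yc-auth}"
STORE_NAME="${STORE_NAME:-secret-store}"
K8S_SECRET="${K8S_SECRET:-k8s-secret}"

# Print the top-level "id" from `yc ... --format json` output on stdin.
# Assumption: the secret's own id is the first "id" field; version ids follow.
json_top_id() {
  sed -n 's/^ *"id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Render the ExternalSecret manifest for a given Lockbox secret id.
# remoteRef.key must be the Lockbox secret *id*, not its name.
render_external_secret() {
  store="$1"; secret_id="$2"; target="$3"; key="$4"
  cat <<EOF
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: ${target}-sync
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: ${store}
    kind: SecretStore
  target:
    name: ${target}
  data:
  - secretKey: ${key}
    remoteRef:
      key: ${secret_id}
      property: ${key}
EOF
}

provision() {
  password="${LOCKBOX_PASSWORD:?set LOCKBOX_PASSWORD to the value to store}"

  # 1. Service account and authorized key. The key is a long-lived
  #    credential: keep the file only long enough to load it into the cluster.
  yc iam service-account create --name "$SA_NAME"
  yc iam key create --service-account-name "$SA_NAME" --output authorized-key.json
  kubectl -n "$NAMESPACE" create secret generic "$AUTH_SECRET" \
    --from-file=authorized-key=authorized-key.json
  rm -f authorized-key.json

  # 2. SecretStore that reads the authorized key from that k8s secret.
  kubectl -n "$NAMESPACE" apply -f - <<EOF
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: ${STORE_NAME}
spec:
  provider:
    yandexlockbox:
      auth:
        authorizedKeySecretRef:
          name: ${AUTH_SECRET}
          key: authorized-key
EOF

  # 3. Lockbox secret plus a least-privilege binding (payloadViewer only),
  #    verified before anything depends on it.
  yc lockbox secret create --name "$LOCKBOX_NAME" \
    --payload "[{\"key\": \"password\", \"textValue\": \"${password}\"}]"
  yc lockbox secret add-access-binding --name "$LOCKBOX_NAME" \
    --service-account-name "$SA_NAME" --role lockbox.payloadViewer
  yc lockbox secret list-access-bindings --name "$LOCKBOX_NAME" \
    | grep -q lockbox.payloadViewer

  # 4. ExternalSecret keyed by the Lockbox secret id.
  secret_id="$(yc lockbox secret get --name "$LOCKBOX_NAME" --format json | json_top_id)"
  render_external_secret "$STORE_NAME" "$secret_id" "$K8S_SECRET" password \
    | kubectl -n "$NAMESPACE" apply -f -

  # 5. Wait for the operator to report Ready, then read the synced value.
  kubectl -n "$NAMESPACE" wait --for=condition=Ready \
    "externalsecret/${K8S_SECRET}-sync" --timeout=120s
  kubectl -n "$NAMESPACE" get secret "$K8S_SECRET" \
    -o jsonpath='{.data.password}' | base64 -d
}

# Only talk to yc/kubectl when explicitly asked, so the helpers can be
# sourced or exercised without cloud access.
if [ "${ESO_YC_APPLY:-0}" = "1" ]; then
  provision
fi
```

Run it with `LOCKBOX_PASSWORD=... ESO_YC_APPLY=1 sh eso-lockbox.sh`. The secret value is still passed to yc on the command line, as in the steps above, so it is visible in the shell history and to other local users for the duration of the call; treat the machine running this as part of the secret's trust boundary, or create the Lockbox secret from a workstation you control.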

The operator will fetch the Yandex Lockbox secret and inject it as a Kind=Secret. To read the synced value back (the target secret is base64-encoded, as every k8s secret is):

kubectl get secret k8s-secret -n <namespace> -o jsonpath='{.data.password}' | base64 -d