Secrets Manager
IBM Cloud Secret Manager
External Secrets Operator integrates with IBM Secret Manager for secret management.
Authentication
At the moment, we only support API key authentication for this provider. To generate your key (for test purposes we are going to generate from your user), first got to your (Access IAM) page:
On the left, click "IBM Cloud API Keys":
Press "Create an IBM Cloud API Key":
Pick a name and description for your key:
You have created a key. Press the eyeball to show the key. Copy or save it because keys can't be displayed or downloaded twice.
API key secret
Create a secret containing your apiKey:
kubectl create secret generic ibm-secret --from-literal=apiKey='API_KEY_VALUE'
Update secret store
Be sure the ibm
provider is listed in the Kind=SecretStore
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
provider:
ibm:
serviceUrl: "https://SECRETS_MANAGER_ID.REGION.secrets-manager.appdomain.cloud"
auth:
secretRef:
secretApiKeySecretRef:
name: ibm-secret
key: apiKey
ClusterSecretStore
, Be sure to provide namespace
in secretApiKeySecretRef
with the namespace where the secret resides.
To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
Note: Use the url without the /api
suffix that is presented in the UI.
See here for a list of publicly available endpoints.
Secret Types
We support the following secret types of IBM Secrets Manager:
arbitrary
username_password
iam_credentials
imported_cert
public_cert
private_cert
kv
To define the type of secret you would like to sync you need to prefix the secret id with the desired type. If the secret type is not specified it is defaulted to arbitrary
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: ibm-sample
spec:
# [...]
data:
- secretKey: test
remoteRef:
# defaults to type=arbitrary
key: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- secretKey: usr_pass
remoteRef:
key: username_password/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
property: username
- secretKey: iam_cred
remoteRef:
key: iam_credentials/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
- secretKey: imp_cert
remoteRef:
key: imported_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
property: certificate
- secretKey: pub_cert
remoteRef:
key: public_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
property: certificate
- secretKey: prvt_cert
remoteRef:
key: private_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
property: certificate
- secretKey: kv_without_key
remoteRef:
key: kv/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
- secretKey: kv_key
remoteRef:
key: kv/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
property: 'keyid'
- secretKey: kv_key_with_path
remoteRef:
key: kv/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
property: 'key.path'
dataFrom:
The behavior for the different secret types is as following:
arbitrary
remoteRef
retrieves a string from secrets manager and sets it for specifiedsecretKey
dataFrom
retrieves a string from secrets manager and tries to parse it as JSON object setting the key:values pairs in resulting Kubernetes secret if successful
username_password
remoteRef
requires aproperty
to be set for eitherusername
orpassword
to retrieve respective fields from the secrets manager secret and set in specifiedsecretKey
dataFrom
retrieves bothusername
andpassword
fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret
iam_credentials
remoteRef
retrieves an apikey from secrets manager and sets it for specifiedsecretKey
dataFrom
retrieves an apikey from secrets manager and sets it for theapikey
Kubernetes secret key
imported_cert, public_cert and private_cert
remoteRef
requires aproperty
to be set for eithercertificate
,private_key
orintermediate
to retrieve respective fields from the secrets manager secret and set in specifiedsecretKey
dataFrom
retrieves allcertificate
,private_key
andintermediate
fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret
kv
- An optional
property
field can be set toremoteRef
to select requested key from the KV secret. If not set, the entire secret will be returned dataFrom
retrieves a string from secrets manager and tries to parse it as JSON object setting the key:values pairs in resulting Kubernetes secret if successful
{
"key1": "val1",
"key2": "val2",
"key3": {
"keyA": "valA",
"keyB": "valB"
},
"special.key": "special-content"
}
data:
- secretKey: key3_keyB
remoteRef:
key: 'kv/aaaaa-bbbb-cccc-dddd-eeeeee'
property: 'key3.keyB'
- secretKey: special_key
remoteRef:
key: 'kv/aaaaa-bbbb-cccc-dddd-eeeeee'
property: 'special.key'
- secretKey: key_all
remoteRef:
key: 'kv/aaaaa-bbbb-cccc-dddd-eeeeee'
dataFrom:
- key: 'kv/aaaaa-bbbb-cccc-dddd-eeeeee'
property: 'key3'
results in
data:
# secrets from data
key3_keyB: ... #valB
special_key: ... #special-content
key_all: ... #{"key1":"val1","key2":"val2", ..."special.key":"special-content"}
# secrets from dataFrom
keyA: ... #valA
keyB: ... #valB
Creating external secret
To create a kubernetes secret from the IBM Secrets Manager, a Kind=ExternalSecret
is needed.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: external-secret-sample
spec:
refreshInterval: 60m
secretStoreRef:
name: secretstore-sample
kind: SecretStore
target:
name: secret-to-be-created
creationPolicy: Owner
data:
- secretKey: test
remoteRef:
key: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Currently we can only get the secret by its id and not its name, so something like 565287ce-578f-8d96-a746-9409d531fe2a
.
Getting the Kubernetes secret
The operator will fetch the IBM Secret Manager secret and inject it as a Kind=Secret
kubectl get secret secret-to-be-created -n <namespace> | -o jsonpath='{.data.test}' | base64 -d