Certificate Manager
Yandex Certificate Manager
External Secrets Operator integrates with Yandex Certificate Manager for secret management.
Prerequisites
Authentication
At the moment, authorized key authentication is only supported:
- Create a service account in Yandex.Cloud:
yc iam service-account create --name eso-service-account
- Create an authorized key for the service account and save it to
authorized-key.json
file:yc iam key create \ --service-account-name eso-service-account \ --output authorized-key.json
- Create a k8s secret containing the authorized key saved above:
kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
- Create a SecretStore pointing to
yc-auth
k8s secret:apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: secret-store spec: provider: yandexcertificatemanager: auth: authorizedKeySecretRef: name: yc-auth key: authorized-key
NOTE: In case of a ClusterSecretStore
, Be sure to provide namespace
in all authorizedKeySecretRef
with the namespace where the secret resides.
Creating external secret
To make External Secrets Operator sync a k8s secret with a Certificate Manager certificate:
- Create a Certificate Manager certificate (follow the instructions), if not already created.
- Assign the
certificate-manager.certificates.downloader
role for accessing the certificate content to the service account used for authentication (*****
is the certificate ID):Run the following command to ensure that the correct access binding has been added:yc cm certificate add-access-binding \ --id ***** \ --service-account-name eso-service-account \ --role certificate-manager.certificates.downloader
yc cm certificate list-access-bindings --id *****
- Create an ExternalSecret pointing to
secret-store
and the certificate in Certificate Manager:The following property values are possible:apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: external-secret spec: refreshInterval: 1h secretStoreRef: name: secret-store kind: SecretStore target: name: k8s-secret # the target k8s secret name template: type: kubernetes.io/tls data: - secretKey: tls.crt # the target k8s secret key remoteRef: key: ***** # the certificate ID property: chain - secretKey: tls.key # the target k8s secret key remoteRef: key: ***** # the certificate ID property: privateKey
chain
– to fetch PEM-encoded certificate chainprivateKey
– to fetch PEM-encoded private keychainAndPrivateKey
or missing property – to fetch both chain and private key
The operator will fetch the Yandex Certificate Manager certificate and inject it as a Kind=Secret
kubectl get secret k8s-secret -ojson | jq '."data"."tls.crt"' -r | base64 --decode
kubectl get secret k8s-secret -ojson | jq '."data"."tls.key"' -r | base64 --decode