senhasegura DevOps Secrets Management (DSM)
External Secrets Operator integrates with the senhasegura DevOps Secrets Management (DSM) module to sync secrets held in senhasegura into Secret objects on the Kubernetes cluster.
Authentication
Authentication in senhasegura uses the DevOps Secrets Management (DSM) application authorization schema.
Instructions for setting up authorizations and secrets in senhasegura DSM can be found in the senhasegura docs for DSM and on the senhasegura YouTube channel.
You need to create a Kubernetes Secret with the desired auth parameters, for example:
---
apiVersion: v1
kind: Secret
metadata:
  name: senhasegura-dsm-auth
stringData:
  CLIENT_SECRET: "CHANGEME"
Examples
To sync secrets between senhasegura and Kubernetes with External Secrets, define a SecretStore or ClusterSecretStore resource with the senhasegura provider, selecting the DSM module and authenticating with the Secret defined above.
SecretStore
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: senhasegura
spec:
  provider:
    senhasegura:
      url: "https://senhasegura.changeme.com"
      module: DSM # Select senhasegura DSM module to sync secrets
      auth:
        clientId: "CHANGEME"
        clientSecretSecretRef:
          name: senhasegura-dsm-auth
          key: CLIENT_SECRET
      ignoreSslCertificate: false # Optional
ClusterSecretStore
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: senhasegura
spec:
  provider:
    senhasegura:
      url: "https://senhasegura.changeme.com"
      module: DSM # Select senhasegura DSM module to sync secrets
      auth:
        clientId: "CHANGEME"
        clientSecretSecretRef:
          name: senhasegura-dsm-auth
          key: CLIENT_SECRET
          namespace: senhasegura # Namespace of Secret "senhasegura-dsm-auth"
      ignoreSslCertificate: false # Optional
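The two store manifests above carry the settings that decide how much the operator trusts its connection to senhasegura: the `url`, `ignoreSslCertificate`, the `clientId`, and the Secret reference for the client secret. The following pre-apply check is an added example, not code from External Secrets Operator or senhasegura; it takes a store manifest as a Python dict (the same field names as the YAML above, so no YAML library or cluster is needed) and flags a disabled certificate check, leftover `CHANGEME` placeholders, a missing client-secret reference, and a ClusterSecretStore whose reference has no `namespace`. The `WEAK_STORE` and `HARDENED_STORE` manifests are constructed for the demonstration; the hostname and client id in the hardened one are invented values.

```python
# Added example (not part of the External Secrets Operator or senhasegura
# docs): lint a senhasegura SecretStore / ClusterSecretStore before applying.

PLACEHOLDER = "changeme"  # the template value used throughout this page


def lint_senhasegura_store(manifest: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    where = f"{kind}/{name}"
    prov = manifest.get("spec", {}).get("provider", {}).get("senhasegura")
    if prov is None:
        return [f"{where}: no spec.provider.senhasegura section"]

    # TLS is what protects the client secret and every fetched secret in
    # transit; plain http or a disabled certificate check removes it.
    url = str(prov.get("url", ""))
    if not url.startswith("https://"):
        findings.append(f"{where}: url must use https, got {url!r}")
    if PLACEHOLDER in url.lower():
        findings.append(f"{where}: url still contains a template placeholder")
    if prov.get("ignoreSslCertificate") is True:
        findings.append(f"{where}: ignoreSslCertificate is true, so the "
                        "senhasegura certificate is not verified")
    if prov.get("module") != "DSM":
        findings.append(f"{where}: module is {prov.get('module')!r}; "
                        "this integration expects DSM")

    auth = prov.get("auth", {})
    client_id = str(auth.get("clientId", ""))
    if not client_id or PLACEHOLDER in client_id.lower():
        findings.append(f"{where}: auth.clientId is empty or still a placeholder")
    # The client secret must come from a Kubernetes Secret reference, and a
    # cluster-scoped store has to say which namespace that Secret lives in.
    ref = auth.get("clientSecretSecretRef")
    if not ref or not ref.get("name") or not ref.get("key"):
        findings.append(f"{where}: auth.clientSecretSecretRef must name a "
                        "Secret and a key")
    elif kind == "ClusterSecretStore" and not ref.get("namespace"):
        findings.append(f"{where}: ClusterSecretStore needs "
                        "clientSecretSecretRef.namespace so the operator can "
                        "find the Secret")
    return findings


# Constructed manifest: the page's template with the certificate check
# switched off and the placeholders left in place.
WEAK_STORE = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ClusterSecretStore",
    "metadata": {"name": "senhasegura"},
    "spec": {"provider": {"senhasegura": {
        "url": "https://senhasegura.changeme.com",
        "module": "DSM",
        "auth": {"clientId": "CHANGEME",
                 "clientSecretSecretRef": {"name": "senhasegura-dsm-auth",
                                           "key": "CLIENT_SECRET"}},
        "ignoreSslCertificate": True,
    }}},
}

# Constructed manifest with invented hostname and client id (assumptions).
HARDENED_STORE = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ClusterSecretStore",
    "metadata": {"name": "senhasegura"},
    "spec": {"provider": {"senhasegura": {
        "url": "https://senhasegura.example.internal",
        "module": "DSM",
        "auth": {"clientId": "dsm-eso-prod",
                 "clientSecretSecretRef": {"name": "senhasegura-dsm-auth",
                                           "key": "CLIENT_SECRET",
                                           "namespace": "senhasegura"}},
        "ignoreSslCertificate": False,
    }}},
}

if __name__ == "__main__":
    for label, store in (("weak", WEAK_STORE), ("hardened", HARDENED_STORE)):
        print(f"--- {label} ---")
        for finding in lint_senhasegura_store(store) or ["ok"]:
            print(finding)
```

Run it as a step in the pipeline that applies the manifests, and fail the step when the list is non-empty; the `WEAK_STORE` manifest produces four findings, the `HARDENED_STORE` manifest none.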
Syncing secrets
In the examples below, consider that three secrets (api-settings, db-settings and hsm-settings) are defined in senhasegura DSM:
Secret Identifier: api-settings
Secret data:
URL=https://example.com/api/example
TOKEN=example-token-value
Secret Identifier: db-settings
Secret data:
DB_HOST='db.example'
DB_PORT='5432'
DB_USERNAME='example'
DB_PASSWORD='example'
Secret Identifier: hsm-settings
Secret data:
HSM_ADDRESS='hsm.example'
HSM_PORT='9223'
Sync DSM secrets using Secret Identifiers
You can fetch all key/value pairs for a given secret identifier if you leave remoteRef.property empty. This returns the JSON-encoded secret value for that identifier.
If you only need a specific key, select it by setting remoteRef.property to the key name.
With this method, you choose the field names in the Kubernetes Secret object yourself (e.g. API_SETTINGS and API_SETTINGS_TOKEN).
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-secret
spec:
  refreshInterval: "30s"
  secretStoreRef:
    name: senhasegura
    kind: SecretStore
  target:
    name: example-secret
  data:
    # Define API_SETTINGS Kubernetes Secret key, with json-encoded values from senhasegura secret with identifier "api-settings"
    - secretKey: API_SETTINGS
      remoteRef:
        key: api-settings # Secret Identifier in senhasegura
    # Define API_SETTINGS_TOKEN Kubernetes Secret key, with single secret key (TOKEN) from senhasegura as string
    - secretKey: API_SETTINGS_TOKEN
      remoteRef:
        key: api-settings # Secret Identifier in senhasegura
        property: TOKEN # Optional, Key name within secret
The Kubernetes Secret will be created with the following .data.X fields:
API_SETTINGS='[{"TOKEN":"example-token-value","URL":"https://example.com/api/example"}]'
API_SETTINGS_TOKEN='example-token-value'
Sync DSM secrets using Secret Identifiers with automatic name assignment
If your app requires multiple secrets, you do not need to create multiple ExternalSecret resources; you can aggregate secrets using a single ExternalSecret resource.
With this method, every key of a senhasegura secret becomes a Kubernetes Secret .data.X field under its own name.
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-secret
spec:
  refreshInterval: "30s"
  secretStoreRef:
    name: senhasegura
    kind: SecretStore
  target:
    name: example-secret
  dataFrom:
    # Define Kubernetes Secret keys with every k/v pair in the senhasegura Secrets with identifier "api-settings" or "db-settings"
    - extract:
        key: api-settings
    - extract:
        key: db-settings
The Kubernetes Secret will be created with the following .data.X fields:
URL='https://example.com/api/example'
TOKEN='example-token-value'
DB_HOST='db.example'
DB_PORT='5432'
DB_USERNAME='example'
DB_PASSWORD='example'
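The two sync methods above (`data` entries with explicit `secretKey` names, with or without `remoteRef.property`, and `dataFrom` `extract` entries that take every key under its own name) can be checked locally before a manifest reaches the cluster. The script below is an added example, not code from External Secrets Operator or senhasegura: it models the mapping the page describes, with `DSM_SECRETS` constructed to mirror the three identifiers defined above and `DATA_SPEC` / `DATAFROM_SPEC` mirroring the two ExternalSecret specs. One assumption is the script's own: the page states no rule for two extracted identifiers sharing a key name, so the model treats that as an error rather than letting one value silently overwrite the other. It also shows the base64 form the resulting `.data` fields take in the cluster, which is what `kubectl get secret -o yaml` returns.

```python
import base64
import json

# Added example, not code from External Secrets Operator or senhasegura: a
# local model of how `data` and `dataFrom` entries turn DSM secrets into
# Kubernetes Secret fields. The three dicts below are constructed to mirror
# the identifiers and the two ExternalSecret manifests on this page.
DSM_SECRETS = {
    "api-settings": {"URL": "https://example.com/api/example",
                     "TOKEN": "example-token-value"},
    "db-settings": {"DB_HOST": "db.example", "DB_PORT": "5432",
                    "DB_USERNAME": "example", "DB_PASSWORD": "example"},
    "hsm-settings": {"HSM_ADDRESS": "hsm.example", "HSM_PORT": "9223"},
}

# spec of the first ExternalSecret on the page (explicit secretKey names)
DATA_SPEC = {
    "data": [
        {"secretKey": "API_SETTINGS", "remoteRef": {"key": "api-settings"}},
        {"secretKey": "API_SETTINGS_TOKEN",
         "remoteRef": {"key": "api-settings", "property": "TOKEN"}},
    ]
}

# spec of the second ExternalSecret on the page (automatic key names)
DATAFROM_SPEC = {
    "dataFrom": [{"extract": {"key": "api-settings"}},
                 {"extract": {"key": "db-settings"}}]
}


def resolve_external_secret(spec: dict, dsm: dict = DSM_SECRETS) -> dict:
    """Return the plaintext key/value pairs the synced Secret would hold."""
    out = {}
    for item in spec.get("data", []):
        ref = item["remoteRef"]
        secret = dsm.get(ref["key"])
        if secret is None:
            raise KeyError(f"no DSM secret with identifier {ref['key']!r}")
        prop = ref.get("property")
        if prop is None:
            # No property: the whole secret, JSON-encoded, as shown on the page
            out[item["secretKey"]] = json.dumps(
                [secret], separators=(",", ":"), sort_keys=True)
        elif prop in secret:
            out[item["secretKey"]] = secret[prop]
        else:
            raise KeyError(f"{ref['key']!r} has no key {prop!r}")
    for item in spec.get("dataFrom", []):
        ident = item["extract"]["key"]
        secret = dsm.get(ident)
        if secret is None:
            raise KeyError(f"no DSM secret with identifier {ident!r}")
        # Every key of the DSM secret becomes a field under its own name.
        # The page states no rule for two identifiers sharing a key name, so
        # this model (assumption) refuses the ambiguity instead of overwriting.
        clash = set(secret) & set(out)
        if clash:
            raise ValueError(f"{ident!r} would overwrite {sorted(clash)}")
        out.update(secret)
    return out


def to_secret_data(values: dict) -> dict:
    """Encode plaintext values the way a Secret's .data field stores them."""
    return {k: base64.b64encode(v.encode()).decode("ascii")
            for k, v in values.items()}


def decode_secret_data(data: dict) -> dict:
    """Inverse of to_secret_data, e.g. for values read back with kubectl."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


if __name__ == "__main__":
    for label, spec in (("data", DATA_SPEC), ("dataFrom", DATAFROM_SPEC)):
        print(f"--- {label} ---")
        for k, v in resolve_external_secret(spec).items():
            print(f"{k}={v}")
```

Running the script prints the same `.data.X` fields the page lists for each method; `resolve_external_secret` raises a `KeyError` for an identifier or property that does not exist in DSM, which is the failure a mis-typed `remoteRef` would otherwise surface only as a sync error in the operator's status.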