Skip to content

Yandex Certificate Manager

Yandex Certificate Manager

External Secrets Operator integrates with Yandex Certificate Manager for secret management.

Prerequisites

Authentication

At the moment, authorized key authentication is only supported:

  • Create a service account in Yandex.Cloud:
    yc iam service-account create --name eso-service-account
    
  • Create an authorized key for the service account and save it to authorized-key.json file:
    yc iam key create \
      --service-account-name eso-service-account \
      --output authorized-key.json
    
  • Create a k8s secret containing the authorized key saved above:
    kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
    
  • Create a SecretStore pointing to yc-auth k8s secret:
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: secret-store
    spec:
      provider:
        yandexcertificatemanager:
          auth:
            authorizedKeySecretRef:
              name: yc-auth
              key: authorized-key
    

NOTE: In case of a ClusterSecretStore, Be sure to provide namespace in all authorizedKeySecretRef with the namespace where the secret resides.

Creating external secret

To make External Secrets Operator sync a k8s secret with a Certificate Manager certificate:

  • Create a Certificate Manager certificate (follow the instructions), if not already created.
  • Assign the certificate-manager.certificates.downloader role for accessing the certificate content to the service account used for authentication (***** is the certificate ID):
    yc cm certificate add-access-binding \
      --id ***** \
      --service-account-name eso-service-account \
      --role certificate-manager.certificates.downloader
    
    Run the following command to ensure that the correct access binding has been added:
    yc cm certificate list-access-bindings --id *****
    
  • Create an ExternalSecret pointing to secret-store and the certificate in Certificate Manager:
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: external-secret
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: secret-store
        kind: SecretStore
      target:
        name: k8s-secret # the target k8s secret name
        template:
          type: kubernetes.io/tls
      data:
        - secretKey: tls.crt # the target k8s secret key
          remoteRef:
            key: ***** # the certificate ID
            property: chain
        - secretKey: tls.key # the target k8s secret key
          remoteRef:
            key: ***** # the certificate ID
            property: privateKey
    
    The following property values are possible:
    • chain – to fetch PEM-encoded certificate chain
    • privateKey – to fetch PEM-encoded private key
    • chainAndPrivateKey or missing property – to fetch both chain and private key

The operator will fetch the Yandex Certificate Manager certificate and inject it as a Kind=Secret

kubectl get secret k8s-secret -ojson | jq '."data"."tls.crt"' -r | base64 --decode
kubectl get secret k8s-secret -ojson | jq '."data"."tls.key"' -r | base64 --decode