Skip to content

Yandex Certificate Manager

Yandex Certificate Manager

External Secrets Operator integrates with Yandex Certificate Manager for secret management.

Prerequisites

Authentication

At the moment, authorized key authentication is only supported:

  • Create a service account in Yandex.Cloud: 
    yc iam service-account create --name eso-service-account
  • Create an authorized key for the service account and save it to authorized-key.json file: 
    yc iam key create \
  --service-account-name eso-service-account \
  --output authorized-key.json
  • Create a k8s secret containing the authorized key saved above: 
    kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
  • Create a SecretStore pointing to yc-auth k8s secret: 
    apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    yandexcertificatemanager:
      auth:
        authorizedKeySecretRef:
          name: yc-auth
          key: authorized-key

NOTE: In case of a ClusterSecretStore, Be sure to provide namespace in all authorizedKeySecretRef with the namespace where the secret resides.

Creating external secret

To make External Secrets Operator sync a k8s secret with a Certificate Manager certificate:

  • Create a Certificate Manager certificate (follow the instructions), if not already created.
  • Assign the certificate-manager.certificates.downloader role for accessing the certificate content to the service account used for authentication (***** is the certificate ID): 
    yc cm certificate add-access-binding \
  --id ***** \
  --service-account-name eso-service-account \
  --role certificate-manager.certificates.downloader
    Run the following command to ensure that the correct access binding has been added: 
    yc cm certificate list-access-bindings --id *****
  • Create an ExternalSecret pointing to secret-store and the certificate in Certificate Manager: 
    apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secret-store
    kind: SecretStore
  target:
    name: k8s-secret # the target k8s secret name
    template:
      type: kubernetes.io/tls
  data:
    - secretKey: tls.crt # the target k8s secret key
      remoteRef:
        key: ***** # the certificate ID
        property: chain
    - secretKey: tls.key # the target k8s secret key
      remoteRef:
        key: ***** # the certificate ID
        property: privateKey
    The following property values are possible:
    • chain – to fetch PEM-encoded certificate chain
    • privateKey – to fetch PEM-encoded private key
    • chainAndPrivateKey or missing property – to fetch both chain and private key

The operator will fetch the Yandex Certificate Manager certificate and inject it as a Kind=Secret 

kubectl get secret k8s-secret -ojson | jq '."data"."tls.crt"' -r | base64 --decode
kubectl get secret k8s-secret -ojson | jq '."data"."tls.key"' -r | base64 --decode