Oracle Vault
Oracle Vault
External Secrets Operator integrates with the Oracle Cloud Infrastructure (OCI) REST API to manage secrets in Oracle Vault. All secret operations exposed by External Secrets Operator are supported by the Oracle provider.
For more information on managing OCI Vaults and OCI Vault Secrets, see the following documentation:
Authentication
External Secrets Operator may authenticate to OCI Vault using User Principal, Instance Principal, or Workload Identity.
To specify the authenticating principal in a secret store, set the spec.provider.oracle.principalType value. Note that the value of principalType defaults InstancePrincipal if not set.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: my-secret-store
spec:
provider:
oracle:
# May be UserPrincipal, InstancePrincipal, or Workload
principalType:
User Principal Authentication
For user principal authentication, region, user OCID, tenancy OCID, private key, and fingerprint are required. The private key and fingerprint must be supplied in a Kubernetes secret, while the user OCID, tenancy OCID, and region should be set in the secret store.
To get your user principal information, find url for the OCI region you are accessing.
Select tenancy in the top right to see your tenancy OCID as shown below.
Select your user in the top right to see your user OCID as shown below.
Your fingerprint will be attatched to your API key, once it has been generated. Private keys can be created or uploaded on the same page as the your user OCID.
Once you click "Add API Key" you will be shown the following, where you can download the key in the necessary PEM format for API requests. Creating a private key will automatically generate a fingerprint.
Next, create a secret containing your private key and fingerprint:
apiVersion: v1
kind: Secret
metadata:
name: oracle-secret
labels:
type: oracle
type: Opaque
stringData:
privateKey:
fingerprint:
After creating the credentials secret, the secret store can be configured:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: example-auth
spec:
provider:
oracle:
vault: # The vault OCID
region: # The vault region
principalType: UserPrincipal
auth:
user: # A user OCID
tenancy: # A user's tenancy
secretRef:
privatekey:
name: oracle-secret
key: privateKey
fingerprint:
name: oracle-secret
key: fingerprint
NOTE: In case of a ClusterSecretStore, Be sure to provide namespace in privatekey and fingerprint with the namespaces where the secrets reside.
Instance Principal Authentication (OCI)
Instance Principal uses a pod's instance principal to authenticate to OCI Vault. Ensure your cluster instances have the appropriate policies to use Instance Principal.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: my-secret-store
spec:
provider:
oracle:
vault: # The vault OCID
principalType: InstancePrincipal
Workload Identity Authentication (OCI/OKE)
Workload Identity can be used to grant the External Secrets Operator pod policy driven access to OCI Vault when running on Oracle Container Engine for Kubernetes (OKE).
Note that if a service account is not provided in the secret store, the Oracle provider will authenticate using the service account token of the External Secrets Operator.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: my-secret-store
spec:
provider:
oracle:
vault: # The vault OCID
principalType: Workload
# If serviceAccountRef is not specified, the Oracle provider will authenticate using the service account token of the External Secrets Operator.
serviceAccountRef:
# If using a namespaced secret store, this service account must exist in the same namespace as the secret store.
# namespace: service account namespace. Required if using ClusterSecretStore, otherwise cannot be specified.
name: # The service account name to use for authentication.
Creating an External Secret
To create a Kubernetes secret from an OCI Vault secret a Kind=ExternalSecret is needed. The External Secret will reference an OCI Vault instance containing secrets with either JSON or plaintext data.
External Secret targeting JSON data
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 0.03m
secretStoreRef:
kind: SecretStore
name: example # Must match SecretStore on the cluster
target:
name: secret-to-be-created # Name for the secret on the cluster
creationPolicy: Owner
dataFrom:
- extract:
key: the-secret-name
External Secret targeting plaintext data
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 0.03m
secretStoreRef:
kind: SecretStore
name: example # Must match SecretStore on the cluster
target:
name: secret-to-be-created # Name for the secret on the cluster
creationPolicy: Owner
data:
- secretKey: key
remoteRef:
key: my-eso-secret
Getting the Kubernetes secret
The operator will fetch the OCI Vault Secret and inject it as a Kind=Secret.
kubectl get secret oracle-secret-to-create -o jsonpath='{.data.dev-secret-test}' | base64 -d
PushSecrets and retrieving multiple secrets.
When using PushSecrets, the compartment OCID and encryption key OCID must be specified in the Oracle SecretStore. You can find your compartment and encrpytion key OCIDs in the OCI console.
If retrieving multiple secrets by tag or regex, only the compartment OCID must be specified.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: example-instance-principal
spec:
provider:
oracle:
vault: # The vault OCID
compartment: # The compartment OCID where the vault is located. Required when using PushSecrets or retrieving multiple secrets.
encryptionKey: # The OCID of the master encryption key that will be used for PushSecret encryption. Must exist in the vault, required when using PushSecrets.
principalType: Workload