
Passbolt

External Secrets Operator integrates with the Passbolt API to sync Passbolt secrets into Secrets held on the Kubernetes cluster.

Creating a Passbolt secret store

Make sure the passbolt provider is listed in the Kind=SecretStore and that both host and auth are set. The API requires a password and a private key, both supplied from a Kubernetes Secret referenced by passwordSecretRef and privateKeySecretRef.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: passbolt
spec:
  provider:
    passbolt:
      host: https://passbolt.passbolt.svc.cluster.local
      auth:
        passwordSecretRef:
          key: password
          name: passbolt-credentials
        privateKeySecretRef:
          key: privateKey
          name: passbolt-credentials
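The SecretStore above only references the passbolt-credentials Secret; it does not create it. The following shell snippet is an added example (not code from the External Secrets Operator project) that builds that Secret manifest with correctly base64-encoded values. The data keys password and privateKey match the store definition; the namespace and the key-file path are assumptions to adjust for your cluster.

```shell
# Added example, not from the External Secrets Operator docs: build the
# passbolt-credentials Secret that the SecretStore references through
# passwordSecretRef and privateKeySecretRef. The data keys "password" and
# "privateKey" match the store above; namespace and key-file path are
# assumptions.

# Base64-encode stdin onto a single line. GNU base64 wraps at 76 columns and
# BSD base64 does not; stripping newlines makes both emit valid Secret data.
b64_oneline() {
  base64 | tr -d '\n'
}

# Print a Secret manifest to stdout.
#   $1  the password the Passbolt API expects
#   $2  path to the armored PGP private key file
#   $3  namespace (optional, defaults to "default")
passbolt_credentials_manifest() {
  pw_b64=$(printf '%s' "$1" | b64_oneline)
  key_b64=$(b64_oneline < "$2")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: passbolt-credentials
  namespace: ${3:-default}
type: Opaque
data:
  password: ${pw_b64}
  privateKey: ${key_b64}
EOF
}

# Usage (assumed file name; apply into the namespace where the SecretStore lives):
#   passbolt_credentials_manifest 'my-password' ./passbolt_private.asc external-secrets | kubectl apply -f -
```

Whoever can read this Secret holds the Passbolt user's private key and password, and with them can fetch every Passbolt entry that user can see. Keep it in the namespace where ESO and the SecretStore live and restrict RBAC read access to it accordingly.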

Custom CA certificate

If your Passbolt instance uses a certificate signed by a private or custom Certificate Authority, you can configure the CA bundle that ESO uses to validate the Passbolt server certificate. Either supply the PEM-encoded bundle inline via caBundle, or reference a Secret/ConfigMap via caProvider.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: passbolt-with-custom-ca
spec:
  provider:
    passbolt:
      host: https://passbolt.example.com
      # Reference a ConfigMap or Secret containing the CA bundle that signed
      # the Passbolt server certificate.
      caProvider:
        type: ConfigMap
        name: passbolt-ca-bundle
        key: ca.crt
      auth:
        passwordSecretRef:
          key: password
          name: passbolt-credentials
        privateKeySecretRef:
          key: privateKey
          name: passbolt-credentials

If neither caBundle nor caProvider is set, ESO uses the system root certificates to validate the TLS connection.

Creating an external secret

To sync a Passbolt secret to a Kubernetes secret, a Kind=ExternalSecret is needed. By default the secret contains name, username, uri, password and description.

To select only a single property, add the property key to the remoteRef.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: passbolt-example-simple
spec:
  refreshInterval: "1h0m0s"
  secretStoreRef:
    name: passbolt
    kind: SecretStore
  target:
    name: passbolt-example
  data:
  - secretKey: full_secret
    remoteRef:
      key: e22487a8-feb8-4591-95aa-14b193930cb4 # Replace with the ID of an existing Passbolt secret
  - secretKey: password_only
    remoteRef:
      key: e22487a8-feb8-4591-95aa-14b193930cb4 # Replace with the ID of an existing Passbolt secret
      property: password # Limits the secret to a single property

The above external secret will lead to the creation of a secret in the following form:

apiVersion: v1
kind: Secret
metadata:
  name: passbolt-example
data:
  # Values are shown decoded for readability; in the Secret that ESO actually
  # creates, every value under data is base64-encoded, as in any Kubernetes Secret.
  full_secret: '{"name":"passbolt-secret","username":"some-username","password":"supersecretpassword","uri":"passbolt.com","description":"some description"}'
  password_only: supersecretpassword
type: Opaque

Finding a secret by name

Instead of retrieving secrets by ID, you can also use dataFrom to search for secrets by name. The regexp ".*" in the example below matches every name, so it syncs all secrets the Passbolt API returns for the configured user; use a narrower expression to sync only the entries the workload actually needs.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: passbolt-example
spec:
  refreshInterval: "1h0m0s"
  secretStoreRef:
    name: passbolt
    kind: SecretStore
  target:
    name: passbolt-example
  dataFrom:
    - find:
        name:
          regexp: ".*"