IBM Cloud Secrets Manager and the External Secrets Operator

Source: https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-tutorial-kubernetes-secrets

Create your Instance

Create your Secrets

Add the External Secrets Operator

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=true

The Pipeline

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ibmcloud-secrets-manager
spec:
  provider:
    ibm:
      serviceUrl: {{SECRETS_MANAGER_URL}}
      auth:
        secretRef:
          secretApiKeySecretRef:
            name: secret-api-key
            key: apiKey
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  secretStoreRef:
    name: ibmcloud-secrets-manager
    kind: SecretStore
  target:
    name: external-secret
  data:
    - secretKey: CLOUDANT_APIKEY
      remoteRef:
        key: kv/<id>
        property: CLOUDANT_APIKEY
    - secretKey: CLOUDANT_DB
      remoteRef:
        key: kv/<id>
        property: CLOUDANT_DB
    - secretKey: CLOUDANT_URL
      remoteRef:
        key: kv/<id>
        property: CLOUDANT_URL
    - secretKey: SLACK_BOT_TOKEN
      remoteRef:
        key: kv/<id>
        property: SLACK_BOT_TOKEN
    - secretKey: SLACK_SIGNING_SECRET
      remoteRef:
        key: kv/<id>
        property: SLACK_SIGNING_SECRET

# The dashboard URL ends in "/ui"; the jq slice strips those three characters to get the API endpoint.
$ export SECRETS_MANAGER_URL=$(ibmcloud resource service-instance ibmcloud-secrets-manager --output json | jq -r '.[].dashboard_url | .[0:-3]'); echo $SECRETS_MANAGER_URL
https://<id>.<region>.secrets-manager.appdomain.cloud
# Substitute the placeholder with the instance URL and apply both manifests.
$ sed "s|{{SECRETS_MANAGER_URL}}|${SECRETS_MANAGER_URL}|" \
  "./external-secrets.yaml" | kubectl apply -f -
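Because a mistyped or unset shell variable makes `sed` substitute an empty string and `kubectl apply` will happily accept a SecretStore with a blank `serviceUrl`, it is worth rendering the template through a preflight check. The helper below is an added example, not part of the original post; the minimal template it writes and the URL it is tested with are constructed stand-ins for `./external-secrets.yaml` and the real instance URL.

```shell
# Added example (not from the original post): preflight-render the template so an
# empty or wrong URL variable never reaches kubectl apply.
set -eu

# Write a constructed minimal template (stand-in for ./external-secrets.yaml).
write_sample_template() {
  cat > "$1" <<'EOF'
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
spec:
  provider:
    ibm:
      serviceUrl: {{SECRETS_MANAGER_URL}}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
  data:
    - secretKey: CLOUDANT_APIKEY
      remoteRef:
        key: kv/constructed-secret-id
        property: CLOUDANT_APIKEY
EOF
}

# render_manifest TEMPLATE URL: print the rendered YAML, or return non-zero when the
# URL is empty (sed would silently substitute nothing), is not an https Secrets
# Manager endpoint, or a {{...}} / kv/<id> placeholder survives rendering.
render_manifest() {
  local template="$1" url="${2:-}" rendered
  [ -n "$url" ] || { echo "refusing: SECRETS_MANAGER_URL is empty" >&2; return 1; }
  case "$url" in
    https://*.secrets-manager.appdomain.cloud) ;;
    *) echo "refusing: unexpected serviceUrl '$url'" >&2; return 1 ;;
  esac
  rendered=$(sed "s|{{SECRETS_MANAGER_URL}}|${url}|" "$template")
  if printf '%s\n' "$rendered" | grep -Fq '{{'; then
    echo "refusing: unresolved {{...}} placeholder in rendered manifest" >&2
    return 1
  fi
  if printf '%s\n' "$rendered" | grep -Fq 'kv/<id>'; then
    echo "refusing: remoteRef.key still contains the kv/<id> placeholder" >&2
    return 1
  fi
  printf '%s\n' "$rendered"
}
# Usage: render_manifest ./external-secrets.yaml "$SECRETS_MANAGER_URL" | kubectl apply -f -
```

With the original post's `${SECRETS_MANAGER}` typo, the unset variable would have produced an empty `serviceUrl`; this helper fails on that instead of applying it.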

The Authentication

kubectl create secret generic secret-api-key \
--from-literal=apiKey='API_KEY_VALUE'

Validation

$ kubectl describe SecretStores ibmcloud-secrets-manager
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Valid 3m31s (x770 over 2d21h) secret-store store validated

$ kubectl describe ExternalSecrets external-secret
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Updated 2m32s (x5 over 132m) external-secrets Updated Secret

$ kubectl get secret external-secret -o json | jq '.data'
{
"CLOUDANT_APIKEY": <base64 encoded data>,
"CLOUDANT_DB": <base64 encoded data>,
"CLOUDANT_URL": <base64 encoded data>,
"SLACK_BOT_TOKEN": <base64 encoded data>,
"SLACK_SIGNING_SECRET": <base64 encoded data>
}
env:
  - name: CLOUDANT_APIKEY
    valueFrom:
      secretKeyRef:
        name: cloudant-apikey
        key: CLOUDANT_APIKEY
  - name: CLOUDANT_DB
    valueFrom:
      secretKeyRef:
        name: cloudant-db
        key: CLOUDANT_DB
  - name: CLOUDANT_URL
    valueFrom:
      secretKeyRef:
        name: cloudant-url
        key: CLOUDANT_URL
  - name: SLACK_BOT_TOKEN
    valueFrom:
      secretKeyRef:
        name: slackbot-token
        key: SLACK_BOT_TOKEN
  - name: SLACK_SIGNING_SECRET
    valueFrom:
      secretKeyRef:
        name: slack-signing-secret
        key: SLACK_SIGNING_SECRET

env:
  - name: CLOUDANT_APIKEY
    valueFrom:
      secretKeyRef:
        name: external-secret
        key: CLOUDANT_APIKEY
  - name: CLOUDANT_DB
    valueFrom:
      secretKeyRef:
        name: external-secret
        key: CLOUDANT_DB
  - name: CLOUDANT_URL
    valueFrom:
      secretKeyRef:
        name: external-secret
        key: CLOUDANT_URL
  - name: SLACK_BOT_TOKEN
    valueFrom:
      secretKeyRef:
        name: external-secret
        key: SLACK_BOT_TOKEN
  - name: SLACK_SIGNING_SECRET
    valueFrom:
      secretKeyRef:
        name: external-secret
        key: SLACK_SIGNING_SECRET

Conclusion

Cloud Security | IBM Inventor | IBM AoT Member | Open Source Advocate | ex-OpenBSD | https://infosec.exchange/@0x58 | https://0x58.substack.com
