Syncing with Yandex Managed Service for Kubernetes secrets

Written by
Yandex Cloud
  • Before you begin
  • Install the External Secrets Operator
  • Configure Yandex Lockbox
  • Configure the Kubernetes cluster
  • Create an External Secret
  • Delete the resources you created

External Secrets Operator (ESO) lets you synchronize Yandex Lockbox secrets into Kubernetes Secret objects in a Managed Service for Kubernetes cluster.

There are multiple integration schemes for Yandex Lockbox and Managed Service for Kubernetes. The example below describes the ESO as a Service scheme: a single operator installation in the cluster serves ExternalSecret objects created in application namespaces.

To set up secret syncing:

  1. Install the External Secrets Operator.
  2. Configure Yandex Lockbox.
  3. Configure the Kubernetes cluster.
  4. Create an External Secret.

If you no longer need these resources, delete them.

Before you begin

  1. If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Install the Helm package manager.

  3. Install the jq utility:

    sudo apt update && sudo apt install jq
    
  4. Create a service account named eso-service-account. You'll need it to work with the External Secrets Operator.

  5. Create an authorized key for the service account and save it to the file authorized-key.json:

    yc iam key create \
      --service-account-name eso-service-account \
      --output authorized-key.json
    
  6. Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration.

  7. Install kubectl and configure it to work with the created cluster.

Install the External Secrets Operator

Using Yandex Cloud Marketplace

To install External Secrets Operator using Cloud Marketplace, follow the instructions.

Using Helm

  1. Install the Helm package manager.

  2. Add a Helm repository named external-secrets:

    helm repo add external-secrets https://charts.external-secrets.io
    
  3. Install the External Secrets Operator in the Kubernetes cluster:

    helm install external-secrets \
      external-secrets/external-secrets \
      --namespace external-secrets \
      --create-namespace
    

    Note

    This command creates a new external-secrets namespace required for using the External Secrets Operator.

    Result:

    NAME: external-secrets
    LAST DEPLOYED: Sun Sep 19 11:20:58 2021
    NAMESPACE: external-secrets
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    external-secrets has been deployed successfully!
    ...
    

Configure Yandex Lockbox

  1. Create a secret:

    • Name: lockbox-secret.
    • Key/Value:
      • Key: password.
      • Value → Text: p@$$w0rd.
  2. Get the secret ID:

    yc lockbox secret list
    

    Result:

    +--------------------------------------------+----------------+------------+---------------------+----------------------+--------+
    |                     ID                     |      NAME      | KMS KEY ID |     CREATED AT      |  CURRENT VERSION ID  | STATUS |
    +--------------------------------------------+----------------+------------+---------------------+----------------------+--------+
    | <Yandex Lockbox secret ID>                 | lockbox-secret |            | 2021-09-19 04:33:44 | e6qlkguf0hs4q3i6jpen | ACTIVE |
    +--------------------------------------------+----------------+------------+---------------------+----------------------+--------+
    
  3. To allow eso-service-account to read the secret payload, assign it the lockbox.payloadViewer role on that secret. Grant the role on the individual secret, as the command below does, rather than on the whole folder, so the service account can read only the secrets it is meant to sync:

    yc lockbox secret add-access-binding \
      --name lockbox-secret \
      --service-account-name eso-service-account \
      --role lockbox.payloadViewer
    

Configure the Kubernetes cluster

  1. Create a ns namespace to store External Secrets Operator objects in:

    kubectl create namespace ns
    
  2. Create a yc-auth secret containing the eso-service-account authorized key. Anyone who can read Secrets in the ns namespace can read this key, and with it every Lockbox secret the service account is allowed to access, so restrict RBAC access to the namespace accordingly:

    kubectl --namespace ns create secret generic yc-auth \
      --from-file=authorized-key=authorized-key.json
    
  3. Create a SecretStore that contains the yc-auth secret:

    kubectl --namespace ns apply -f - <<< '
    apiVersion: external-secrets.io/v1alpha1
    kind: SecretStore
    metadata:
      name: secret-store
    spec:
      provider:
        yandexlockbox:
          auth:
            authorizedKeySecretRef:
              name: yc-auth
              key: authorized-key'
    

Create an External Secret

  1. Create an ExternalSecret object that points to lockbox-secret through secret-store:

    kubectl --namespace ns apply -f - <<< '
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: external-secret
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: secret-store
        kind: SecretStore
      target:
        name: k8s-secret
      data:
      - secretKey: password
        remoteRef:
          key: <Yandex Lockbox secret ID>
          property: password'
    

    The spec.target.name parameter specifies the name of the Kubernetes Secret to create: k8s-secret. The External Secrets Operator creates this Secret in the ns namespace, stores the value of the password key of lockbox-secret (identified by its ID in remoteRef.key) under the password key of the Secret, and re-reads Yandex Lockbox at the interval set by refreshInterval.

  2. Make sure that the new k8s-secret Secret contains the value from lockbox-secret:

    kubectl --namespace ns get secret k8s-secret \
      --output=json | \
      jq --raw-output '.data.password' | \
      base64 --decode
    

    The command result will contain the value of the password key of lockbox-secret:

    p@$$w0rd
    

Delete the resources you created

If you no longer need these resources, delete them:

  1. Delete the Managed Service for Kubernetes cluster.
  2. If you reserved a public static IP address for the cluster, delete it.
  3. Delete lockbox-secret.
  4. Delete the authorized key of eso-service-account (or the service account itself) and remove authorized-key.json from the machine where you created it: the file is a long-lived credential that grants access to every secret the service account can read.
