Deploying External Secrets Operatorπ
The External Secrets Operator may be deployed like any other bigbang package. Use this YAML as an example:
addons:
externalSecrets:
enabled: true
git:
repo: https://repo1.dso.mil/big-bang/product/packages/external-secrets.git
path: chart
values:
bbtests:
enabled: true
β¦ and you can deploy it normally, as part of the bigbang umbrella chart:
bbctl deploy bigbang -- -f externalsecrets.yaml
β¦ or manually with helm (assuming an appropriately configured environment with a namespace, registry secrets, etc):
helm upgrade -i --wait external-secrets chart/ -n external-secrets
Helm testsπ
If you want to run helm tests against your deployment, you will need to deploy with bbtests enabled:
addons:
externalSecrets:
values:
bbtests:
enabled: true
This will create a skeleton secret store that is sufficient to prove that ESO is working. Then you can execute the helm tests:
$ helm test external-secrets -n external-secrets
Deploy Standardized ESO ClusterSecretStore for AWS Secret Managerπ
The complete data model/schema is located in the ESO package values.yaml file under secretConfiguration section.
This section is to demo what is required to deploy ClusterSecretStore and ExternalSecrets. User needs to look at what is required and adjust to what is feasible in their own environment.
Create a secret containing your AWS credentialsπ
echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key [-n namespace]
Examples of the override file - required to provide AWS informationπ
There are three types of authentication methods: accesskey, serveraccount or identity. Pick one of the methods and reference an example below.
Authentication method: accesskey exampleπ
Note: When using the accesskey method for authentication, the kubernetes secret that stores the access key pair (as create in the section Create a secret containing your AWS credentials) need to be present in the same name space as the target or the namespace specified in the secretConfiguration.secretList.
packages:
external-secrets:
enabled: true
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/external-secrets.git
tag: 0.10.2-bb.3
values:
bbtests:
enabled: true
secretConfiguration:
enabled: true
secretList:
- name: "team-a-store"
namespace: ""
labels: ""
annotations: ""
## define types of authentication: ##
source:
## AWS secrets manager only - other services can be added later ##
provider: aws
## Specify type of service, i.e., SecretsManager (default) ##
service: SecretsManager
## Specify AWS region, i.e. us-gov-west-1 (default) ##
region: "us-gov-west-1"
## Frequency to check for updates ##
refreshInterval: "1m"
auth:
## Specify authType is required: identity, accesskey or serviceaccount ##
authType: "accesskey"
## Optional: Role that defines fine-grained access control ##
role: ""
## Name of the accessKeyID and secretAccessKey pair ##
accessKeyName: "awssm-secret"
## Specify AWS Access Key ID file ##
accessKeyID: "access-key"
## Specify AWS Secret Access Key file ##
secretAccessKey: "secret-access-key"
Authentication method: serviceaccount exampleπ
Note: Be sure to provide namespace where the service account resides.
packages:
external-secrets:
enabled: true
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/external-secrets.git
tag: 0.10.2-bb.3
values:
bbtests:
enabled: true
secretConfiguration:
enabled: true
secretList:
- name: "team-b-store"
namespace: default
source:
provider: aws
service: SecretsManager
region: "us-gov-west-1"
refreshInterval: "1m"
auth:
authType: "serviceaccount"
## Optional: Name of role that defines fine-grained access ##
role: ""
# Required: Specify the service account ##
serviceAccount: "my-serviceaccount"
Authentication method: identity exampleπ
packages:
external-secrets:
enabled: true
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/external-secrets.git
tag: 0.10.2-bb.3
values:
bbtests:
enabled: true
secretConfiguration:
enabled: true
secretList:
- name: "team-c-store"
source:
provider: aws
service: SecretsManager
region: "us-gov-west-1"
refreshInterval: "1m"
auth:
## Specify authType is required: identity ##
authType: "identity"
## Optional: Name of role that defines fine-grained access ##
role: ""