Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
Prerequisites
A Kubernetes environment is deployed and working.
Helm is installed. Refer to https://helm.sh/docs/intro/install/ for details.
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
Steps
On Helm CLI
Add the External Secrets Helm repository as shown below.
helm repo add external-secrets https://charts.external-secrets.ioCreate a new namespace. It will store all the external secret pods. In this integration we are using
akeyless-esoas the namespace.Install External Secrets using Helm.
helm install external-secrets external-secrets/external-secrets -n akeyless-eso --create-namespaceThe above steps will deploy the External Secrets to your Kubernetes cluster using Helm.
On Akeyless Console
Create a
akeylesscreds.yamlfile to store the access ID, access Key, and access type in form of secrets. This file is used during Secret Store creation.apiVersion: v1 kind: Secret metadata: name: akeyless-secret-creds type: Opaque stringData: accessId: "p-XXXX" accessType: # api_key accessTypeParam: # replace by the appropriate value for <access-key>
Create a
secretstore.yamlfile. This file is used to separate the concerns of authentication/access and the actual Secret and configuration needed for workloads.apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: akeyless-secret-store spec: provider: akeyless: # URL of your akeyless API akeylessGWApiURL: "https://CM-IP/akeyless-api/v2" caBundle: # Provide the server cert of CM signed by CA having the IP SAN field authSecretRef: secretRef: accessID: name: akeyless-secret-creds key: accessId accessType: name: akeyless-secret-creds key: accessType accessTypeParam: name: akeyless-secret-creds key: accessTypeParam
For CSM, the
caBundleis essential for verifying the certificate. In the above code, we have used the IP address of the CipherTrust Manager. Consequently, we need the CA certificate of the CipherTrust Manager having IP SAN field. Otherwise, the gateway will trigger an "x509 certificate error" as it won't be able to validate the private CA certificate of the CipherTrust Manager. To generate the certificate, please refer to the steps provided in the Steps to generate CA certificate on CipherTrust Manager section.Create a file named
externalsecret.yamlto store akeyless secret. Fetch secret from Akeyless and store it as a K8s secret on your cluster underKind=ExternalSecretsection of theexternalsecret.yamlapiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: akeyless-external-secret-example spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: akeyless-secret-store # Must match SecretStore on the cluster target: name: akeyless-secret-to-create # Name for the secret to be created on the cluster creationPolicy: Owner data: - secretKey: secretKey # Key given to the secret to be created on the cluster remoteRef: key: /path/to/your/secret # Full path of the secret on Akeyless
Deploy all the
yamlfiles in the below sequence.kubectl apply -f <yaml-file-name> -n <namespace> kubectl apply -f akeylesscreds.yaml -n akeyless-eso kubectl apply -f secretstore.yaml -n akeyless-eso kubectl apply -f externalsecret.yaml -n akeyless-eso // Check the status and READY state of all the yaml files deployed to ensure there are no failures detected. If any of the deployment fails, debug and fix the error to proceed ahead. kubectl get externalsecret akeyless-external-secret-example -n akeyless-eso NAME STORE REFRESH INTERVAL STATUS READY akeyless-external-secret-example akeyless-secret-store 1h SecretSynced True kubectl get secretstore akeyless-secret-store -n akeyless-eso NAME AGE STATUS CAPABILITIES READY akeyless-secret-store 2d1h Valid ReadOnly TrueVerify whether the secret present at the path
/Static-Secret/Akeylessin your Akeyless account is successfully synced to K8s cluster using the below command.kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' -n akeyless-eso | base64 -d
Steps to generate CA certificate on CipherTrust Manager
To generate CA certificate having IP SAN field used for caBundle, perform the following steps:
Log on to the CipherTrust Manager GUI.
Navigate to CA > CSR Generator. The CSR Generator screen appears.
Select Generic CSR radio button and provide the following details:
Common name
Algorithm as RSA
IP address of the CipherTrust Manager machine.
You may skip the remaining parameters as they are optional.
Click Generate CSR and download Private Key.
Make sure to save the generated CSR and private key.
Navigate to CA > Local. The list of available CAs is displayed.
Click name of the any local CA displayed on the page. The Certificate issued screen by that CA is displayed.
Click Upload CSR and provide the following details:
Display name
CSR
Certificate Purpose as Server.
Click Issue Certificate.
Click the ellipsis icon corresponding to the newly generated certificate and select download.
Save the downloaded certificate.
Navigate to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the web interface type and select Certificate Options.
The Interface Certificate Options on 'web' screen is displayed.
Select Upload New Certificate and click OK.
On the Upload Certificate screen, do the following steps:
Upload the certificate downloaded in the step 9 and the private key downloaded in the step 5.
Select Format as PEM.
Click Upload Certificate.
Restart the CipherTrust Manager services.
Navigate to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the web interface type and select Download Certificate.
Save the downloaded CA certificate.
Encrypt the downloaded certificate using Base64 encoding.
This encoded value is used for the caBundle.
Troubleshooting
| Error | Workaround |
|---|---|
| Encountering the following error while configuring caBundle: "x509 certificate error". | Provide the server cert of CipherTrust Manager signed by CA having the IP SAN field. To do so, refer to Steps to generate CA certificate on CipherTrust Manager. |
