Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Secrets Management Administration

Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)

search

Please Note:

You are not viewing the most recent version of this page. 2.19 is the latest version available.

printsuggest an editpdf paneldownload

Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)

copy link to clipboardPrerequisites

copy link to clipboardSteps

On Helm CLI

  1. Add the External Secrets Helm repository as shown below.

    helm repo add external-secrets https://charts.external-secrets.io

  2. Create a new namespace. It will store all the external secret pods. In this integration we are using akeyless-eso as the namespace.

  3. Install External Secrets using Helm.

    helm install external-secrets external-secrets/external-secrets -n akeyless-eso --create-namespace

    The above steps will deploy the External Secrets to your Kubernetes cluster using Helm.

On Akeyless Console

  1. Create a akeylesscreds.yaml file to store the access ID, access Key, and access type in form of secrets. This file is used during Secret Store creation.

    apiVersion: v1
kind: Secret
metadata:
  name: akeyless-secret-creds
type: Opaque
stringData:
  accessId: "p-XXXX"
  accessType:  # api_key
  accessTypeParam:  # replace by the appropriate value for <access-key>

    akeylesscreds.yaml

  2. Create a secretstore.yaml file. This file is used to separate the concerns of authentication/access and the actual Secret and configuration needed for workloads.

    apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: akeyless-secret-store
spec:
  provider:
    akeyless:
      # URL of your akeyless API
      akeylessGWApiURL: "https://CM-IP/akeyless-api/v2"
      caBundle: # Provide the server cert of CM signed by CA having the IP SAN field
      authSecretRef:
        secretRef:
          accessID:
            name: akeyless-secret-creds
            key: accessId
          accessType:
            name: akeyless-secret-creds
            key: accessType
          accessTypeParam:
            name: akeyless-secret-creds
            key: accessTypeParam

    secretstore.yaml

    For CSM, the caBundle is essential for verifying the certificate. In the above code, we have used the IP address of the CipherTrust Manager. Consequently, we need the CA certificate of the CipherTrust Manager having IP SAN field. Otherwise, the gateway will trigger an "x509 certificate error" as it won't be able to validate the private CA certificate of the CipherTrust Manager. To generate the certificate, please refer to the steps provided in the Steps to generate server certificate on CipherTrust Manager section.

  3. Create a file named externalsecret.yaml to store akeyless secret. Fetch secret from Akeyless and store it as a K8s secret on your cluster under Kind=ExternalSecret section of the externalsecret.yaml

    apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: akeyless-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster

  target:
    name: akeyless-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  data:
    - secretKey: secretKey # Key given to the secret to be created on the cluster
      remoteRef:
        key: /path/to/your/secret # Full path of the secret on Akeyless

    secretstore.yaml

  4. Deploy all the yaml files in the below sequence.

    kubectl apply -f <yaml-file-name> -n <namespace>

kubectl apply -f akeylesscreds.yaml -n akeyless-eso
kubectl apply -f secretstore.yaml -n akeyless-eso
kubectl apply -f externalsecret.yaml -n akeyless-eso

// Check the status and READY state of all the yaml files deployed to ensure there are no failures detected. If any of the deployment fails, debug and fix the error to proceed ahead.

kubectl get externalsecret akeyless-external-secret-example -n akeyless-eso
NAME                                               STORE                          REFRESH INTERVAL    STATUS             READY
akeyless-external-secret-example   akeyless-secret-store   1h                               SecretSynced   True

kubectl get secretstore akeyless-secret-store -n akeyless-eso
NAME                           AGE    STATUS   CAPABILITIES   READY
akeyless-secret-store   2d1h   Valid       ReadOnly         True

  5. Verify whether the secret present at the path /Static-Secret/Akeyless in your Akeyless account is successfully synced to K8s cluster using the below command.

    kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' -n akeyless-eso | base64 -d

    sync of K8s cluster in akeyless account

    sync of K8s cluster in akeyless account

copy link to clipboardSteps to generate server certificate using local CA on CipherTrust Manager

To generate server certificate having IP SAN field used for caBundle, perform the following steps:

  1. Log on to the CipherTrust Manager GUI.

  2. Navigate to CA > CSR Generator. The CSR Generator screen appears.

  3. Select Generic CSR radio button and provide the following details:

    • Common name

    • Algorithm as RSA

    • IP address of the CipherTrust Manager machine.

    You may skip the remaining parameters as they are optional.

  4. Click Generate CSR and download Private Key.

    Make sure to save the generated CSR and private key.

  5. Navigate to CA > Local. The list of available CAs is displayed.

  6. Click name of the any local CA displayed on the page. The Certificate issued screen by that CA is displayed.

  7. Click Upload CSR and provide the following details:

    • Display name

    • CSR

    • Certificate Purpose as Server.

  8. Click the ellipsis icon corresponding to the newly generated certificate and select download.

    Save the downloaded certificate.

  9. Go back to the corresponding local CA. Click the ellipsis icon and select download.

    Save the downloaded CA.

  10. Create a certificate chain by combining the following into a single file:

    • certificate

    • local CA certificate

    • private key

    Make sure to keep the private key at the bottom.

  11. Navigate to Admin Settings > Interfaces.

  12. Click the ellipsis icon corresponding to the web interface type and select Certificate Options.

    The Interface Certificate Options on 'web' screen is displayed.

  13. Select Upload New Certificate and click OK.

  14. On the Upload Certificate screen, do the following steps:

    • Upload the file created in the step 11.

    • Select Format as PEM.

  15. Click Upload Certificate.

  16. Restart the CipherTrust Manager services.

  17. Navigate to Admin Settings > Interfaces.

  18. Click the ellipsis icon corresponding to the web interface type and select Download Certificate.

    Save the downloaded server certificate.

  19. Encode the downloaded certificate to Base64 format.

    This encoded value is used for the caBundle.

copy link to clipboardSteps to generate server certificate using external CA on CipherTrust Manager

To generate server certificate having IP SAN field used for caBundle, perform the following steps:

  1. Log on to the CipherTrust Manager GUI.

  2. Create a certificate chain (using external platforms such as OpenSSL) by combining the following into a single file.

    • certificate

    • external CA certificate

    • private key

    Make sure to keep the private key at the bottom.

  3. Navigate to Admin Settings > Interfaces.

  4. Click the ellipsis icon corresponding to the web interface type and select Certificate Options.

    The Interface Certificate Options on 'web' screen is displayed.

  5. Select Upload New Certificate and click OK.

  6. On the Upload Certificate screen, do the following steps:

    • Upload the file created in the step 2.

    • Select Format as PEM.

  7. Click Upload Certificate.

  8. Restart the CipherTrust Manager services.

  9. Navigate to Admin Settings > Interfaces.

  10. Click the ellipsis icon corresponding to the web interface type and select Download Certificate.

    Save the downloaded server certificate.

  11. Encode the downloaded certificate to Base64 format.

    This encoded value is used for the caBundle.

copy link to clipboardTroubleshooting

ErrorWorkaround
Encountering the following error while configuring caBundle: "x509 certificate error".Provide the server cert of CipherTrust Manager signed by CA having the IP SAN field. To do so, refer to Steps to generate server certificate on CipherTrust Manager.

On this page