|
| 1 | +# External Secrets Setup |
| 2 | + |
| 3 | +## Using AWS Secret Manager |
| 4 | + |
| 5 | +### Create AWS IAM User |
| 6 | + |
| 7 | +- Create a new user e.g `external-secret-access-user`. |
| 8 | +- Generate security credentials. You do not need to provide Console Access. |
| 9 | +- Keep the `ARN` handy with you. |
| 10 | + |
| 11 | +### Create AWS IAM Policy |
| 12 | + |
| 13 | +In the below example, we are saving this policy as `external-secret-access-policy` |
| 14 | + |
| 15 | +```json |
| 16 | +{ |
| 17 | + "Version": "2012-10-17", |
| 18 | + "Statement": [ |
| 19 | + { |
| 20 | + "Effect": "Allow", |
| 21 | + "Action": [ |
| 22 | + "secretsmanager:GetResourcePolicy", |
| 23 | + "secretsmanager:GetSecretValue", |
| 24 | + "secretsmanager:DescribeSecret", |
| 25 | + "secretsmanager:ListSecretVersionIds" |
| 26 | + ], |
| 27 | + "Resource": [ |
| 28 | + "arn:aws:secretsmanager:<REGION>:<ACCOUNT-ID>:secret:*" |
| 29 | + ] |
| 30 | + } |
| 31 | + ] |
| 32 | +} |
| 33 | +``` |
| 34 | + |
| 35 | +### Create AWS IAM Role |
| 36 | + |
| 37 | +In the below example, we are saving this role as `external-secret-access-role` |
| 38 | + |
| 39 | +Use the AWS IAM User ARN and replace it below |
| 40 | + |
| 41 | +```json |
| 42 | +{ |
| 43 | + "Version": "2012-10-17", |
| 44 | + "Statement": [ |
| 45 | + { |
| 46 | + "Effect": "Allow", |
| 47 | + "Principal": { |
| 48 | + "AWS": "<IAM-USER-ARN>" |
| 49 | + }, |
| 50 | + "Action": "sts:AssumeRole" |
| 51 | + } |
| 52 | + ] |
| 53 | +} |
| 54 | +``` |
| 55 | + |
| 56 | +While creating this role, you need to select the previously saved policy `external-secret-access-policy` |
| 57 | + |
| 58 | +### Create AWS Secrets |
| 59 | + |
| 60 | +> As an example, we are creating **RABBITMQ** Secrets |
| 61 | +
|
| 62 | +| KEY | Value | |
| 63 | +| --- | --- | |
| 64 | +| RABBITMQ_DEFAULT_USER | plane | |
| 65 | +| RABBITMQ_DEFAULT_PASS | plane123 | |
| 66 | + |
| 67 | +Save it as e.g `prod/secrets/rabbitmq` |
| 68 | + |
| 69 | +NOTE: The secret with AWS Credentials needs to be created in the particular application namespace |
| 70 | + |
| 71 | +```sh |
| 72 | +kubectl create secret generic aws-creds-secret \ |
| 73 | + --from-literal=access-key=<AWS_ACCESS_KEY_ID> \ |
| 74 | + --from-literal=secret-access-key=<AWS_SECRET_ACCESS_KEY> \ |
| 75 | + -n <application_namespace> |
| 76 | +``` |
| 77 | + |
| 78 | +### Create ClusterSecretStore |
| 79 | + |
| 80 | +```yaml |
| 81 | +apiVersion: external-secrets.io/v1beta1 |
| 82 | +kind: ClusterSecretStore |
| 83 | +metadata: |
| 84 | + name: cluster-aws-secretsmanager |
| 85 | +spec: |
| 86 | + provider: |
| 87 | + aws: |
| 88 | + service: SecretsManager |
| 89 | + role: arn:aws:iam::<ACCOUNT-ID>:role/<IAM ROLE> |
| 90 | + region: eu-west-1 |
| 91 | + auth: |
| 92 | + secretRef: |
| 93 | + accessKeyIDSecretRef: |
| 94 | + name: aws-creds-secret |
| 95 | + key: access-key |
| 96 | + secretAccessKeySecretRef: |
| 97 | + name: aws-creds-secret |
| 98 | + key: secret-access-key |
| 99 | +``` |
| 100 | +
|
| 101 | +### Create ExternalSecret |
| 102 | +
|
| 103 | +```yaml |
| 104 | +apiVersion: external-secrets.io/v1beta1 |
| 105 | +kind: ExternalSecret |
| 106 | +metadata: |
| 107 | + name: secret |
| 108 | + namespace: <application_namespace> |
| 109 | +spec: |
| 110 | + refreshInterval: 1m |
| 111 | + secretStoreRef: |
| 112 | + name: cluster-aws-secretsmanager # ClusterSecretStore name |
| 113 | + kind: ClusterSecretStore |
| 114 | + target: |
| 115 | + name: rabbitmq-secret # Target Kubernetes secret name |
| 116 | + creationPolicy: Owner |
| 117 | + data: |
| 118 | + - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value in the Kubernetes secret. |
| 119 | + remoteRef: |
| 120 | + key: prod/secrets/rabbitmq # Specifies the name to the secret in the AWS Secrets Manager |
| 121 | + property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the AWS Secrets Manager |
| 122 | + - secretKey: RABBITMQ_DEFAULT_PASS |
| 123 | + remoteRef: |
| 124 | + key: prod/secrets/rabbitmq |
| 125 | + property: RABBITMQ_DEFAULT_PASS |
| 126 | +``` |
| 127 | +
|
| 128 | +In this way, please make sure to set all [environment variables ](https://github.com/makeplane/helm-charts/blob/e4ee1f26ab4e1f4c1a1703e1dc459fdca7171a43/charts/plane-ce/README.md#external-secrets-config) related to the plane application in the AWS Secrets Manager, and access them using the `ExternalSecret` resource. |
| 129 | + |
| 130 | +## Using Hashicorp Vault |
| 131 | + |
| 132 | +### Create the kv secrets engine |
| 133 | + |
| 134 | + Create the `rabbitmq-secret` using the Vault CLI or the Vault UI. |
| 135 | + |
| 136 | +**Using the Vault UI:** |
| 137 | + |
| 138 | +Access the Vault UI at https://<vault-domain>/. |
| 139 | + |
| 140 | +In the Secrets Engines section, setup a new KV secrets engine. |
| 141 | + |
| 142 | +Navigate to the KV secrets engine and create a new secret (eg. `secrets/rabbitmq_secrets` ). |
| 143 | + |
| 144 | +\ |
| 145 | +Add the following keys and their respective values: |
| 146 | + |
| 147 | +> *Below values just for reference only considering RABBITMQ secret* |
| 148 | + |
| 149 | +| KEY | Value | |
| 150 | +| --- | --- | |
| 151 | +| RABBITMQ_DEFAULT_USER | plane | |
| 152 | +| RABBITMQ_DEFAULT_PASS | plane123 | |
| 153 | + |
| 154 | +NOTE: The secret with the Vault token needs to be created in the particular **application_namespace**. |
| 155 | + |
| 156 | +```sh |
| 157 | +kubectl create secret generic vault-token -n <application_namespace> --from-literal=token=<VAULT-TOKEN> |
| 158 | +``` |
| 159 | + |
| 160 | +### Create ClusterSecretStore |
| 161 | + |
| 162 | +```yaml |
| 163 | +# cluster-store.yaml |
| 164 | +apiVersion: external-secrets.io/v1beta1 |
| 165 | +kind: ClusterSecretStore |
| 166 | +metadata: |
| 167 | + name: vault-backend |
| 168 | +spec: |
| 169 | + provider: |
| 170 | + vault: |
| 171 | + server: "https://<vault-domain>" #the address of your vault instance |
| 172 | + path: "secrets" #path for accessing the secrets |
| 173 | + version: "v2" #Vault API version |
| 174 | + auth: |
| 175 | + tokenSecretRef: |
| 176 | + name: "vault-token" #Use a k8s secret called vault-token |
| 177 | + key: "token" #Use this key to access the vault token |
| 178 | +``` |
| 179 | + |
| 180 | +### Create ExternalSecret |
| 181 | + |
| 182 | +```yaml |
| 183 | +apiVersion: external-secrets.io/v1beta1 |
| 184 | +kind: ExternalSecret |
| 185 | +metadata: |
| 186 | + name: rabbitmq-external-secrets |
| 187 | + namespace: <application_namespace> # application-namespace |
| 188 | +spec: |
| 189 | + refreshInterval: "1m" |
| 190 | + secretStoreRef: |
| 191 | + name: vault-backend # ClusterSecretStore name |
| 192 | + kind: ClusterSecretStore |
| 193 | + target: |
| 194 | + name: rabbitmq-secret # Target Kubernetes secret name |
| 195 | + creationPolicy: Owner |
| 196 | + data: |
| 197 | + - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value stored in the Kubernetes secret. |
| 198 | + remoteRef: |
| 199 | + key: secrets/data/rabbitmq_secrets # Specifies the name to the secret in the Vault secret store. |
| 200 | + property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the Vault secret store. |
| 201 | + - secretKey: RABBITMQ_DEFAULT_PASS |
| 202 | + remoteRef: |
| 203 | + key: secrets/data/rabbitmq_secrets |
| 204 | + property: RABBITMQ_DEFAULT_PASS |
| 205 | +``` |
| 206 | + |
| 207 | +In this way, please make sure to set all [environment variables ](https://github.com/makeplane/helm-charts/blob/e4ee1f26ab4e1f4c1a1703e1dc459fdca7171a43/charts/plane-ce/README.md#external-secrets-config)related to the plane application in the Vault, and access them using the `ExternalSecret` resource. |
0 commit comments