|
| 1 | +--- |
| 2 | + date: 2024-08-30 |
| 3 | + title: Pushing secrets |
| 4 | + summary: Pushing Secrets to Vault |
| 5 | + author: Michele Baldessari |
| 6 | + blog_tags: |
| 7 | + - patterns |
| 8 | +--- |
| 9 | + |
| 10 | +# Pushing Secrets to HashiCorp Vault |
| 11 | + |
| 12 | +With this post we'd like to Introduce a powerful new feature: Push Secrets Across Nodes and Namespaces. |
| 13 | + |
| 14 | +## Overview |
| 15 | + |
| 16 | +We’re excited to announce a new feature that enhances the flexibility and |
| 17 | +security of your secret management workflows: you can now use the |
| 18 | +`secret/pushsecrets` vault path to push secrets from any node or any namespace |
| 19 | +to Vault. This feature allows secrets to be securely retrieved from a different |
| 20 | +namespace or even a different cluster node, making it easier to manage and |
| 21 | +distribute sensitive data across your infrastructure. |
| 22 | + |
| 23 | +Once stored in the Vault, these secrets can be accessed from either a different |
| 24 | +namespace or a different cluster node, providing a seamless way to manage |
| 25 | +secrets across a distributed environment. |
| 26 | + |
| 27 | +## How It Works |
| 28 | + |
| 29 | +To illustrate how this feature works, let’s walk through a simple example where |
| 30 | +we push an existing kubernetes secret called `existing-secret` into the Vault |
| 31 | +using a PushSecret resource. The existing secret could be the following: |
| 32 | +```yaml |
| 33 | +apiVersion: v1 |
| 34 | +kind: Secret |
| 35 | +metadata: |
| 36 | + name: existing-secret |
| 37 | + namespace: hello-world |
| 38 | +data: |
| 39 | + bar: YmFyCg== # The secret field we are interested in pushing into the vault |
| 40 | + foo: .... |
| 41 | +``` |
| 42 | +
|
| 43 | +And here is the `PushSecret` resource that will fetch the `bar` key from the existing |
| 44 | +secret above and push it into the vault. |
| 45 | +```yaml |
| 46 | +apiVersion: external-secrets.io/v1alpha1 |
| 47 | +kind: PushSecret |
| 48 | +metadata: |
| 49 | + name: pushsecret |
| 50 | + namespace: hello-world |
| 51 | +spec: |
| 52 | + data: |
| 53 | + - conversionStrategy: None |
| 54 | + match: |
| 55 | + remoteRef: |
| 56 | + remoteKey: pushsecrets/testme # the remote vault path |
| 57 | + property: baz # the key in the path defined above inside the vault |
| 58 | + secretKey: bar # The property of the local `existing-secret` secret that will be pushed to `pushsecrets/testme/baz` in the vault |
| 59 | + deletionPolicy: Delete |
| 60 | + refreshInterval: 10s |
| 61 | + secretStoreRefs: |
| 62 | + - kind: ClusterSecretStore |
| 63 | + name: vault-backend |
| 64 | + selector: |
| 65 | + secret: |
| 66 | + name: existing-secret |
| 67 | + updatePolicy: Replace |
| 68 | +``` |
| 69 | +
|
| 70 | +In this example, the PushSecret resource is defined in the hello-world |
| 71 | +namespace and it will take the key `bar` of the k8s secret called |
| 72 | +`existing-secret` and push it to Vault in the `pushsecrets/testme` path and |
| 73 | +ultimately it will be copied under the `baz` key/property inside vault. |
| 74 | + |
| 75 | +Here is some more info on the other yaml fields: |
| 76 | + |
| 77 | +* `deletionPolicy` Determines what happens to the secret when the PushSecret is deleted. In this case, the secret will also be deleted from the Vault. |
| 78 | +* `refreshInterval` Sets how often the secret will be refreshed. This is set to 10 seconds in the example, meaning the secret will be checked and updated every 10 seconds. |
| 79 | +* `secretStoreRefs` Points to the ClusterSecretStore named vault-backend, which defines where the secret will be stored. |
| 80 | +* `selector` Identifies the secret to be pushed. In this case, it is the secret named existing-secret within the hello-world namespace. |
| 81 | +* `updatePolicy` Specifies the policy for updating the secret in the Vault. The Replace policy will overwrite any existing secret at the target location with the new value. |
| 82 | + |
| 83 | +This configuration effectively takes a specific property (baz) from an existing |
| 84 | +secret in the hello-world namespace and pushes it to the Vault path |
| 85 | +secret/pushsecrets/testme. The secret can then be retrieved from any other |
| 86 | +namespace or node that has access to the Vault. |
0 commit comments