Open denisovval opened 10 months ago
If you're using external-secrets it's possible to merge the secrets together with values from AWS Secrets Manager. Something like this can be used as a workaround at least:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: burpsuite-enterprise-server-secret
  namespace: burpsuite
spec:
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: service/burpsuite/database
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: default
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        BSEE_ADMIN_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_ADMIN_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname}}
        BSEE_ADMIN_REPOSITORY_USERNAME: '{{ .username }}'
        BSEE_AGENT_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_AGENT_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname}}
        BSEE_AGENT_REPOSITORY_USERNAME: '{{ .username }}'
      engineVersion: v2
      mergePolicy: Merge
```
Hello,
It's a bit unclear - how to refer to these secrets in the helm chart if it requires them in plain text? We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.
> Hello,
> It's a bit unclear - how to refer to these secrets in the helm chart if it requires them in plain text? We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.
I don't understand the question 😊 External secret (operator) will create plain k8s secrets based on the template, and if a secret already exists (in this case the one from the helm chart) the contents will be merged together in the k8s secret.
So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in vault.
ESO creates secrets in k8s - how to refer to them inside the helm chart?
Secret is there (in k8s) but we can't pass it like this:

```sh
helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition \
  --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}
```

Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in helm values or in IaC configuration.
So how to use ESO secrets?
> So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in vault.
> ESO creates secrets in k8s - how to refer to them inside the helm chart?
> Secret is there (in k8s) but we can't pass it like this: `helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}`
> Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in helm values or in IaC configuration.
> So how to use ESO secrets?
Don't pass the secret values when doing `helm install`, instead provide them using your external secret, i.e. export a secret value for `DATABASE_ENTERPRISE_SERVER_PASSWORD` using external secrets to your k8s secret.
Something like:

```yaml
template:
  data:
    DATABASE_ENTERPRISE_SERVER_PASSWORD: '{{ .password }}'
```

in the example above.
Exactly what `password` should be in your case depends on what your Vault secret looks like. In my case it's an AWS Secret looking like:
```json
{
  "dbClusterIdentifier": "burpsuite-cluster",
  "password": "asdasdasd",
  "dbname": "burpsuite",
  "engine": "postgres",
  "port": 5432,
  "host": "burpsuite-cluster..asdasdasdrds.amazonaws.com",
  "username": "burpsuite"
}
```
So I can easily extract the password using `.password` in the template. Your situation might be different, check the docs.
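
A simplified model of what the comment above describes, as an added example that is not from the thread or the chart: it renders the template keys against a constructed provider secret and merges them into an existing Secret's data. The `{{ .field }}` substitution is a stand-in for ESO's template engine, and `CHART_OWNED_KEY` and the sample values are hypothetical.

```python
import base64
import json
import re

# Constructed sample of the provider-side secret (same field names as the JSON in the thread).
PROVIDER_SECRET = json.dumps({
    "username": "burpsuite", "password": "example-only",
    "host": "db.example.internal", "port": 5432, "dbname": "burpsuite",
})

# Template keys copied from the ExternalSecret in the thread.
TEMPLATE = {
    "BSEE_ADMIN_REPOSITORY_USERNAME": "{{ .username }}",
    "BSEE_ADMIN_REPOSITORY_PASSWORD": "{{ .password }}",
    "BSEE_ADMIN_REPOSITORY_URL": "jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname}}",
}

# Assumption: only plain "{{ .field }}" lookups are modelled, not the full template language.
PLACEHOLDER = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def render(template, provider_json):
    """Substitute {{ .field }} placeholders; this model rejects a missing field."""
    fields = json.loads(provider_json)

    def lookup(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"provider secret has no field {name!r}")
        return str(fields[name])

    return {key: PLACEHOLDER.sub(lookup, value) for key, value in template.items()}


def merge_into_secret(existing_data, rendered):
    """Return Secret .data: existing keys kept, rendered keys added or overwritten, base64-encoded."""
    merged = dict(existing_data)
    for key, value in rendered.items():
        merged[key] = base64.b64encode(value.encode()).decode()
    return merged


if __name__ == "__main__":
    # Hypothetical key already present in the chart-created Secret.
    existing = {"CHART_OWNED_KEY": base64.b64encode(b"kept").decode()}
    print(json.dumps(merge_into_secret(existing, render(TEMPLATE, PROVIDER_SECRET)), indent=2))
```

The values in the resulting Secret are only base64-encoded, so read access to it still has to be restricted with RBAC.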
Hello team,
Many teams use external secrets in Kubernetes, for example the BSEE admin password is stored in AWS Secrets Manager and is fetched via vault/ESO or a similar tool to Kubernetes.
Currently, it's not possible to insert a reference to the existing secret like this:
Please improve the helm templates and values to support existing secrets in k8s.