PortSwigger / enterprise-helm-charts

Helm charts for BSEE Kubernetes installation.
Apache License 2.0

Add support for external secrets #1

Open denisovval opened 10 months ago

denisovval commented 10 months ago

Hello team,

Many teams use external secrets in Kubernetes; for example, the BSEE admin password is stored in AWS Secrets Manager and is fetched via Vault/ESO or a similar tool into Kubernetes.

Currently, it's not possible to insert a reference to an existing secret like this:

Please improve the Helm templates and values to support existing secrets in k8s.

peter-svensson commented 9 months ago

If you're using external-secrets, it's possible to merge the secrets together with values from AWS Secrets Manager. Something like this can be used as a work-around at least:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: burpsuite-enterprise-server-secret
  namespace: burpsuite
spec:
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: service/burpsuite/database
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: default
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        BSEE_ADMIN_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_ADMIN_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname }}
        BSEE_ADMIN_REPOSITORY_USERNAME: '{{ .username }}'
        BSEE_AGENT_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_AGENT_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname }}
        BSEE_AGENT_REPOSITORY_USERNAME: '{{ .username }}'
      engineVersion: v2
      mergePolicy: Merge
```

denisovval commented 7 months ago

Hello,

It's a bit unclear how to refer to these secrets in the Helm chart if it requires them in plain text. We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.

peter-svensson commented 7 months ago

> Hello,
>
> It's a bit unclear how to refer to these secrets in the Helm chart if it requires them in plain text. We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.

I don't understand the question 😊 External Secrets (the operator) will create plain k8s secrets based on the template, and if a secret already exists (in this case the one from the Helm chart) the contents will be merged together in the k8s secret.

denisovval commented 7 months ago

So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in Vault.

ESO creates secrets in k8s; how do we refer to them inside the Helm chart?

The secret is there (in k8s) but we can't pass it like this: helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}

Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in the Helm values or in the IaC configuration.

So how do we use ESO secrets?

peter-svensson commented 7 months ago

> So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in Vault.
>
> ESO creates secrets in k8s; how do we refer to them inside the Helm chart?
>
> The secret is there (in k8s) but we can't pass it like this: helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}
>
> Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in the Helm values or in the IaC configuration.
>
> So how do we use ESO secrets?

Don't pass the secret values when doing helm install; instead, provide them using your external secret, i.e. export a secret value for DATABASE_ENTERPRISE_SERVER_PASSWORD using external secrets to your k8s secret. Something like:

```yaml
template:
  data:
    DATABASE_ENTERPRISE_SERVER_PASSWORD: '{{ .password }}'
```

in the example above.

Exactly what the password should be in your case depends on what your Vault secret looks like. In my case it's an AWS secret looking like:

```json
{
  "dbClusterIdentifier": "burpsuite-cluster",
  "password": "asdasdasd",
  "dbname": "burpsuite",
  "engine": "postgres",
  "port": 5432,
  "host": "burpsuite-cluster..asdasdasdrds.amazonaws.com",
  "username": "burpsuite"
}
```

So I can easily extract the password using .password in the template. Your situation might be different; check the docs.
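The pattern the issue asks for, shown as an added illustration rather than code from the enterprise-helm-charts project: a chart-side `existingSecret` value lets the container read the password from a Secret that ESO already created, and the chart only renders its own Secret when that value is empty. The value names (`database.existingSecret`), template file names and the Secret name suffix are assumptions for this example, not the chart's real schema.

```yaml
# values.yaml (illustrative keys, not the chart's actual schema)
database:
  # Name of a Secret created outside Helm (e.g. by the ExternalSecret above).
  # Leave empty to let the chart render its own Secret from enterpriseServerPassword.
  existingSecret: "burpsuite-enterprise-server-secret"
  # Only used when existingSecret is empty; never needs to be set when ESO owns the Secret.
  enterpriseServerPassword: ""

---
# templates/secret.yaml: render a Secret only when no external one is referenced,
# so no plaintext password has to pass through `helm install --set`.
{{- if not .Values.database.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-enterprise-server-secret
type: Opaque
stringData:
  BSEE_ADMIN_REPOSITORY_PASSWORD: {{ .Values.database.enterpriseServerPassword | quote }}
{{- end }}

---
# templates/deployment.yaml (excerpt): the container reads the password from whichever
# Secret applies; the key name matches what the ExternalSecret template writes.
env:
  - name: BSEE_ADMIN_REPOSITORY_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ .Values.database.existingSecret | default (printf "%s-enterprise-server-secret" .Release.Name) }}
        key: BSEE_ADMIN_REPOSITORY_PASSWORD
```

With this shape the ExternalSecret from the earlier comment can keep `creationPolicy: Owner` without relying on `mergePolicy: Merge`, since the chart no longer renders a competing Secret; `kubectl get secret <name> -o jsonpath='{.data}'` shows whether the expected keys are present before the pod starts.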