
Add support for external secrets #1

Open
denisovval opened this issue Nov 20, 2023 · 5 comments

Comments

@denisovval

Hello team,

Many teams use external secrets in Kubernetes; for example, the BSEE admin password is stored in AWS Secrets Manager and is fetched into Kubernetes via Vault, ESO or a similar tool.

Currently, it's not possible to insert a reference to an existing secret like this:

    - name: BSEE_AGENT_REPOSITORY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: {{ .Values.database.scanningResourcePasswordSecret.name }}
          key: {{ .Values.database.scanningResourcePasswordSecret.key }}

Please improve the Helm templates and values to support existing secrets in k8s.
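For reference, here is the chart-side pattern the request above describes, written as an added example rather than code from the burp-suite-enterprise-edition chart: a `values.yaml` fragment with an assumed `database.existingSecret` block, a chart-owned Secret that is rendered only when no external Secret is named, and a Deployment env fragment that always reads the password through `secretKeyRef`. All value keys, the `{{ .Release.Name }}-database` Secret name and the `bsee` prefix are assumptions for illustration.

```yaml
# Added example, not part of the chart. Three files are shown, separated by '---'.

# values.yaml: either a plain value (chart creates the Secret) or the name of a
# Secret that already exists in the namespace, e.g. one created by ESO.
database:
  enterpriseServerPassword: ""            # used only when existingSecret.name is empty
  existingSecret:
    name: ""                              # e.g. burpsuite-enterprise-server-secret
    passwordKey: BSEE_AGENT_REPOSITORY_PASSWORD   # key inside that Secret
---
# templates/secret.yaml: render the chart-owned Secret only when no external
# Secret is given, so the chart never duplicates a password that ESO manages.
{{- if not .Values.database.existingSecret.name }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-database
type: Opaque
stringData:
  BSEE_AGENT_REPOSITORY_PASSWORD: {{ required "set database.enterpriseServerPassword or database.existingSecret.name" .Values.database.enterpriseServerPassword | quote }}
{{- end }}
---
# templates/deployment.yaml (container env fragment): the pod reads the password
# from whichever Secret applies; the value itself is never in the rendered manifest.
env:
  - name: BSEE_AGENT_REPOSITORY_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ .Values.database.existingSecret.name | default (printf "%s-database" .Release.Name) | quote }}
        key: {{ .Values.database.existingSecret.passwordKey | quote }}
```

With `existingSecret.name` set, the password is not passed on the `helm install` command line, so it does not end up in shell history or in the release values that Helm 3 stores in its own release Secret; the pod only ever sees the key that ESO or Vault wrote.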

@peter-svensson

If you're using external-secrets it's possible to merge the secrets together with values from AWS Secrets manager.
Something like this can be used as a work-around at least:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: burpsuite-enterprise-server-secret
  namespace: burpsuite
spec:
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: service/burpsuite/database
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: default
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        BSEE_ADMIN_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_ADMIN_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname}}
        BSEE_ADMIN_REPOSITORY_USERNAME: '{{ .username }}'
        BSEE_AGENT_REPOSITORY_PASSWORD: '{{ .password }}'
        BSEE_AGENT_REPOSITORY_URL: jdbc:postgresql://{{ .host }}:{{ .port }}/{{ .dbname}}
        BSEE_AGENT_REPOSITORY_USERNAME: '{{ .username }}'
      engineVersion: v2
      mergePolicy: Merge

@denisovval
Author

Hello,

It's a bit unclear how to refer to these secrets in the Helm chart if it requires them in plain text.
We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.

@peter-svensson

> Hello,
>
> It's a bit unclear how to refer to these secrets in the Helm chart if it requires them in plain text. We don't need to merge anything, as all our secrets are stored inside the vault, not in the IaC configuration or elsewhere.

I don't understand the question 😊
The External Secrets Operator will create plain k8s Secrets based on the template, and if a Secret already exists (in this case the one from the Helm chart) the contents will be merged together in the k8s Secret.

@denisovval
Author

So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in vault.

ESO creates Secrets in k8s; how do we refer to them inside the Helm chart?

The Secret is there (in k8s) but we can't pass it like this:

    helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition \
      --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}

Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in the Helm values or in the IaC configuration.

So how do we use ESO secrets?

@peter-svensson

> So, we have all the credentials like BSEE_ADMIN_REPOSITORY_PASSWORD/BSEE_AGENT_REPOSITORY_PASSWORD stored in vault.
>
> ESO creates Secrets in k8s; how do we refer to them inside the Helm chart?
>
> The Secret is there (in k8s) but we can't pass it like this: helm install ${RELEASE_NAME} bsee/burp-suite-enterprise-edition --set database.enterpriseServerPassword=${DATABASE_ENTERPRISE_SERVER_PASSWORD}
>
> Because we don't have the DATABASE_ENTERPRISE_SERVER_PASSWORD secret string in the Helm values or in the IaC configuration.
>
> So how do we use ESO secrets?

Don't pass the secret values when doing helm install; instead provide them using your external secret, i.e. export a secret value for DATABASE_ENTERPRISE_SERVER_PASSWORD using external secrets to your k8s Secret.
Something like:

    template:
      data:
        DATABASE_ENTERPRISE_SERVER_PASSWORD: '{{ .password }}'

in the example above.

Exactly what the password should be in your case depends on what your Vault secret looks like. In my case it's an AWS secret looking like:

{
  "dbClusterIdentifier": "burpsuite-cluster",
  "password": "asdasdasd",
  "dbname": "burpsuite",
  "engine": "postgres",
  "port": 5432,
  "host": "burpsuite-cluster..asdasdasdrds.amazonaws.com",
  "username": "burpsuite"
}

So I can easily extract the password using .password in the template. Your situation might be different; check the docs.
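The merge behaviour described in the replies above, as an added example that is not from the chart or from any comment here: an ExternalSecret that fills in only the password key of a Secret the Helm chart already created, so nothing is passed with `--set`. It uses `creationPolicy: Merge`, under which ESO writes the templated keys into the existing target Secret and does not create the Secret if it is missing. Assumptions: the chart-owned Secret is called `bsee-database`, the key its Deployment reads is `BSEE_AGENT_REPOSITORY_PASSWORD` (as in the first comment), the ClusterSecretStore is named `vault`, and the provider path `secret/burpsuite/database` holds a `password` field.

```yaml
# Added example, not from the chart. Object names and the provider path are assumptions.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: bsee-database-password
  namespace: burpsuite
spec:
  refreshInterval: 1h                  # re-read the provider hourly, so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault                        # assumed store name
  target:
    name: bsee-database                # Secret created by the Helm chart; must already exist
    creationPolicy: Merge              # add/overwrite keys in that Secret instead of owning it
    template:
      engineVersion: v2
      # only templated keys are written (default template mergePolicy is Replace),
      # so the raw provider field is not copied under a second key
      data:
        BSEE_AGENT_REPOSITORY_PASSWORD: '{{ .password }}'
  data:
    - secretKey: password              # becomes .password in the template
      remoteRef:
        key: secret/burpsuite/database # assumed provider path
        property: password             # assumed field name in that provider secret
```

Because the target Secret stays owned by the Helm release, `helm uninstall` removes it as before, and a placeholder value the chart rendered for the key is overwritten on the first ESO sync; checking `kubectl get externalsecret -n burpsuite` for a `Ready` status is the quickest way to confirm the merge happened before the pod starts.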
