Streamlining Kubernetes secrets with external secret operator and aws secret manager


Contents

  • Why we use the External Secrets Operator

  • Step 1: Create a service account or IAM user in AWS and generate an access key and secret key.

  • Step 2: Install the External Secrets Operator.

  • Step 3: Create the secret store, the secrets, and the external secret.

  • Step 4: Create the deployment file and deploy.

Why we use the External Secrets Operator.

Secret management and security are a crucial, essential part of Kubernetes. We cannot compromise on secrets, so we store them in the cloud provider's secret manager.

To fetch the secrets we use the External Secrets Operator; it is recommended by Kubernetes and most companies prefer to use it.

Rotating a secret is easy: just change its value in AWS Secrets Manager and the operator automatically fetches the new value and updates the secret used by the deployment.

Most companies prefer a private Docker image repository in production because of security and privacy concerns, which is why I use a private Docker image here.

STEP 1: Create a service account or IAM user in AWS.

First, go to IAM, create a user, attach the SecretsManagerReadWrite policy to the user, and then create it.

After that, create an access key and save its credentials: the access key ID and the secret access key.

Step 2: Install the External Secrets Operator in K8s

      helm repo add external-secrets https://charts.external-secrets.io
      helm repo update
      helm install external-secrets external-secrets/external-secrets

After installation it looks like this (the external-secrets pods should be running):

Step 3: Create the secret store, the secrets, and the external secret

  • vim secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-iam-secret
type: Opaque
data:
  access-key: <enter your access key>                  # must be base64 encoded
  secret-access-key: <enter your secret access key>    # must be base64 encoded

Apply the file using this command:

 kubectl apply -f secrets.yaml

 kubectl get secret   # check that the secret was created; its name should be aws-iam-secret
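The manifest above needs both values base64-encoded, and the usual way to get that wrong is `echo KEY | base64`, which encodes a trailing newline and makes the SecretStore present a corrupted key to AWS. As an added example (not part of the original post), this Python script renders secrets.yaml with properly encoded values and checks a manifest for that mistake before it is applied. The access key and secret key are constructed placeholders, and the reader only understands the flat `key: value` lines under `data:` as shown above, not general YAML.

```python
import base64
import binascii
import re

# Constructed placeholder credentials for the demo; replace with the key pair from Step 1.
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SAMPLE_SECRET_KEY = "exampleSecretAccessKey/With+Symbols"

REQUIRED_KEYS = ("access-key", "secret-access-key")


def b64(value: str) -> str:
    """Base64-encode a string the way a Secret's data: field expects it."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def render_aws_iam_secret(access_key: str, secret_key: str, name: str = "aws-iam-secret") -> str:
    """Render secrets.yaml with both values base64-encoded.

    Any trailing newline is stripped first: `echo KEY | base64` encodes "KEY\\n",
    and the SecretStore would then send a key with a newline to AWS and fail to
    authenticate. Use `echo -n` or `printf` when encoding by hand.
    """
    access_key = access_key.rstrip("\r\n")
    secret_key = secret_key.rstrip("\r\n")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        "type: Opaque\n"
        "data:\n"
        f"  access-key: {b64(access_key)}\n"
        f"  secret-access-key: {b64(secret_key)}\n"
    )


def read_secret_data(manifest: str) -> dict:
    """Return the still-encoded `key: value` entries under data:.

    Assumption: only the flat mapping shown in secrets.yaml is parsed (this is
    also the shape of `kubectl get secret aws-iam-secret -o yaml` output).
    """
    raw = {}
    in_data = False
    for line in manifest.splitlines():
        if re.match(r"^data:\s*$", line):
            in_data = True
            continue
        if in_data and not line.startswith(" "):
            in_data = False  # left the data: mapping
        if in_data:
            m = re.match(r"^\s+([\w.-]+):\s*(\S*)\s*$", line)
            if m:
                raw[m.group(1)] = m.group(2)
    return raw


def decode_secret_data(manifest: str) -> dict:
    """Decode every data: entry back to plaintext (raises on invalid base64)."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8")
            for k, v in read_secret_data(manifest).items()}


def check_secret_data(manifest: str) -> list:
    """Return the problems found in the manifest; an empty list means it is safe to apply."""
    raw = read_secret_data(manifest)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in raw:
            problems.append(f"{key}: missing from data (placeholders with spaces are not values)")
            continue
        try:
            plain = base64.b64decode(raw[key], validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            problems.append(f"{key}: value is not valid base64 (was the plaintext pasted?)")
            continue
        if not plain:
            problems.append(f"{key}: decoded value is empty")
        elif plain != plain.strip():
            problems.append(f"{key}: decoded value has leading/trailing whitespace "
                            "(a trailing newline from `echo` is the usual cause)")
    return problems


if __name__ == "__main__":
    manifest = render_aws_iam_secret(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY)
    print(manifest)
    print("problems:", check_secret_data(manifest))
```

`kubectl create secret generic aws-iam-secret --from-literal=access-key=... --from-literal=secret-access-key=...` performs the encoding for you and avoids the newline problem entirely; adding `--dry-run=client -o yaml` to that command prints the manifest instead of creating it, if you prefer to keep the file.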

Now create the secret store:

  • vim ss.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager        # name of the SecretStore that will be created
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-south-1          # your AWS region
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-iam-secret  # name of the Secret created above
            key: access-key
          secretAccessKeySecretRef:
            name: aws-iam-secret  # name of the Secret created above
            key: secret-access-key

Apply the file:

kubectl apply -f ss.yaml

kubectl get secretstore   # check that the SecretStore named aws-secretsmanager was created

Now create the ExternalSecret file:

  • vim externalstore.yaml

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: docker-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager      # name of the SecretStore created above
    kind: SecretStore
  target:
    name: aws-ex-secret           # name of the Kubernetes Secret that will be created
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "https://index.docker.io/v1/": {
                "username": "{{ .username }}",
                "password": "{{ .password }}",
                "auth": "{{ list .username .password | join `:` | b64enc }}"
              }
            }
          }
  data:
  - secretKey: username
    remoteRef:
      key: docker-credentials          # secret name in aws 
      property: username               # key name         
  - secretKey: password
    remoteRef:
      key: docker-credentials         # secret name in aws 
      property: password              # key name

Apply the file:

kubectl apply -f externalstore.yaml

kubectl get externalsecret    # check that the ExternalSecret was created

Its STATUS column must show SecretSynced.
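The ExternalSecret above depends on two things the post does not show explicitly: the AWS secret `docker-credentials` must be a JSON document with `username` and `password` keys (the `property` field selects one key of such a document), and the template must render an `auth` value equal to base64 of `username:password`, which is what the kubelet actually uses when pulling. As an added example (not part of the original post or the operator's own code), this Python script produces the AWS payload, renders the same `.dockerconfigjson` the template does, and verifies a synced secret's value the way you would when a pod ends in ErrImagePull. The registry credentials are constructed samples.

```python
import base64
import binascii
import json

REGISTRY = "https://index.docker.io/v1/"

# Constructed sample registry credentials for the demo, not real ones.
SAMPLE_USERNAME = "example-user"
SAMPLE_PASSWORD = "example-registry-token"


def aws_secret_payload(username: str, password: str) -> str:
    """JSON the AWS Secrets Manager secret `docker-credentials` must hold so that
    `remoteRef.property: username` / `password` can each select a field."""
    return json.dumps({"username": username, "password": password})


def expected_auth(username: str, password: str) -> str:
    """What the template's `list .username .password | join ":" | b64enc` produces."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def render_dockerconfigjson(username: str, password: str, registry: str = REGISTRY) -> str:
    """Render the .dockerconfigjson document the ExternalSecret template produces."""
    entry = {"username": username, "password": password,
             "auth": expected_auth(username, password)}
    return json.dumps({"auths": {registry: entry}}, indent=2)


def to_secret_value(dockerconfigjson: str) -> str:
    """Encode the document as it is stored in the Secret's data: field."""
    return base64.b64encode(dockerconfigjson.encode("utf-8")).decode("ascii")


def verify_pull_secret(secret_value: str, registry: str = REGISTRY) -> list:
    """Check a synced pull secret's base64 .dockerconfigjson value.

    Returns a list of problems; an empty list means the kubelet can use the
    secret to authenticate to `registry`.
    """
    try:
        raw = base64.b64decode(secret_value, validate=True)
    except (binascii.Error, ValueError):
        return ["value is not valid base64"]
    try:
        cfg = json.loads(raw)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return ["decoded value is not JSON (check the template quoting)"]
    entry = cfg.get("auths", {}).get(registry) if isinstance(cfg, dict) else None
    if not isinstance(entry, dict):
        return [f"no auths entry for {registry}"]
    problems = []
    for field in ("username", "password", "auth"):
        if not entry.get(field):
            # An empty field usually means the remoteRef property does not exist in
            # the AWS secret, so the template rendered an empty string for it.
            problems.append(f"{field} is empty: remoteRef property not found in the AWS secret?")
    if not problems and entry["auth"] != expected_auth(entry["username"], entry["password"]):
        problems.append("auth does not match base64(username:password)")
    return problems


if __name__ == "__main__":
    print("AWS secret-string:", aws_secret_payload(SAMPLE_USERNAME, SAMPLE_PASSWORD))
    rendered = render_dockerconfigjson(SAMPLE_USERNAME, SAMPLE_PASSWORD)
    print(rendered)
    print("problems:", verify_pull_secret(to_secret_value(rendered)))
```

To check the live secret, pass the output of `kubectl get secret aws-ex-secret -o jsonpath='{.data.\.dockerconfigjson}'` to `verify_pull_secret`; an empty `password` reported there means the property name in `remoteRef` does not match a key in the AWS secret, which is the most common reason the ExternalSecret syncs but the pull still fails.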

Step 4: Create the deployment file

Create the deployment file that pulls your private Docker image:

  • vim frontend.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend-deployment
  labels:
    app: frontend-deployment
spec:
  replicas: 2   # Number of pod replicas
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:        # Container specifications
      imagePullSecrets:
      - name: aws-ex-secret # name of the Secret created by the ExternalSecret above
      containers:
      - name: frontend-container  # Name of the container
        image: sagarrawat/wanderlust_frontend:v1  # Image to be pulled
        ports:
        - containerPort: 5173  # Port exposed by the container

Now apply the file:

kubectl apply -f frontend.yaml

kubectl get po --watch     # watch whether the pods are being created