Integrate Cloak Secrets (#2108)

* Integrate Cloak Secrets

Signed-off-by: Ian Purton <ian.purton@gmail.com>

* Fix link

Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com>

---------

Signed-off-by: Ian Purton <ian.purton@gmail.com>
Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com>
Ian Purton 2 years ago
parent
commit
0321657a69

BIN
docs/pictures/cloak-provider-header.png


+ 47 - 0
docs/provider/cloak.md

@@ -0,0 +1,47 @@
+![Cloak End 2 End Encrypted Secrets](../pictures/cloak-provider-header.png)
+
+## Cloak
+
+Sync secrets from the [Cloak Encrypted Secrets Platform](https://cloak.software) to Kubernetes using the External Secrets Operator.
+
+Cloak uses the webhook provider built into the External Secrets Operator but also required a proxy service to handle decrypting secrets when they arrive into your cluster.
+
+## Key Setup
+
+From the Cloak user interface [create a service account](https://cloak.software/docs/getting-started/03-cli/) and store the private key on your file system.
+
+Now create a kubernetes secret in the same namespace as the External Secrets Operator.
+
+```sh
+HISTIGNORE='*kubectl*' kubectl --namespace=external-secrets \
+    create secret generic cloak-key \
+    --from-file=ecdh_private_key=$LOCATION_OF_YOUR_PEM_FILE
+```
+
+## Deploy the decryption proxy
+
+```yaml
+{% include 'cloak-proxy-deployment.yaml' %}
+```
+
+And a Kubernetes Service so External Secrets Operator can access the proxy.
+
+```yaml
+{% include 'cloak-proxy-service.yaml' %}
+```
+
+## Create a secret store
+
+You can now place the configuration in any Kubernetes Namespace.
+
+```yaml
+{% include 'cloak-secret-store.yaml' %}
+```
+
+## Connect a secret to the provider
+
+Each `secretKey` reference in the yaml should point to the name of the secret as it is stored in Cloak.
+
+```yaml
+{% include 'cloak-external-secret.yaml' %}
+```

+ 19 - 0
docs/snippets/cloak-external-secret.yaml

@@ -0,0 +1,19 @@
+# Access a secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloak-example
+spec:
+  refreshInterval: "15m"
+  secretStoreRef:
+    name: cloak-backend
+    kind: SecretStore
+  target:
+    name: example-sync
+  data:
+  - secretKey: access-token
+    remoteRef:
+      key: PULUMI_ACCESS_TOKEN
+  - secretKey: do-access-token
+    remoteRef:
+      key: DIGITALOCEAN_ACCESS_TOKEN
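Review bot: `secretStoreRef.kind: SecretStore` is namespace-scoped, so this ExternalSecret must be applied in the same namespace as the `cloak-backend` store; the snippet sets no `metadata.namespace` and the provider page does not mention the constraint. Since each `remoteRef.key` is interpolated directly into the webhook URL path, keys should be limited to characters that are safe in a single path segment (the `PULUMI_ACCESS_TOKEN` and `DIGITALOCEAN_ACCESS_TOKEN` examples are fine); a sentence documenting that restriction would help.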

+ 28 - 0
docs/snippets/cloak-proxy-deployment.yaml

@@ -0,0 +1,28 @@
+# The cloak external secrets proxy
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloak-external-secrets
+  namespace: external-secrets
+spec:
+  selector:
+    matchLabels:
+      app: cloak-external-secrets
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: cloak-external-secrets
+    spec:
+      containers:
+      - name: cloak-external-secrets
+        image: purtontech/cloak-external-secrets:latest
+        imagePullPolicy: IfNotPresent
+        env: 
+          - name: ECDH_PRIVATE_KEY 
+            valueFrom: 
+              secretKeyRef: 
+                name: cloak-key 
+                key: ecdh_private_key 
+        ports:
+        - containerPort: 7105
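Review bot: `image: purtontech/cloak-external-secrets:latest` with `imagePullPolicy: IfNotPresent` is a mutable, unpinned tag for the component that holds the ECDH private key; pin a version tag or digest so upgrades are explicit and reproducible. Injecting the key as the `ECDH_PRIVATE_KEY` environment variable also means any `kubectl exec` or debug session in the pod can read it with `env`; if the image supports it, mounting the `cloak-key` secret as a file volume is the safer default. Minor: the lines from `env:` through `key: ecdh_private_key` carry trailing whitespace, and the Deployment sets no `resources` or `securityContext` (for example `runAsNonRoot: true` and `readOnlyRootFilesystem: true`).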

+ 12 - 0
docs/snippets/cloak-proxy-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cloak-external-secrets-service
+  namespace: external-secrets
+spec:
+  selector:
+    app: cloak-external-secrets
+  ports:
+    - protocol: TCP
+      port: 7105
+      targetPort: 7105
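Review bot: nothing in this Service or in the SecretStore's webhook URL shows any authentication between the operator and the proxy, so any pod that can reach `cloak-external-secrets-service:7105` can request plaintext secret values by key name. Document a NetworkPolicy that restricts ingress on port 7105 to the External Secrets Operator pods in the `external-secrets` namespace, or note whatever access control the proxy itself applies.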

+ 15 - 0
docs/snippets/cloak-secret-store.yaml

@@ -0,0 +1,15 @@
+{% raw %}
+# An External secrets webhookl
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: cloak-backend
+spec:
+  provider:
+    webhook:
+      url: "http://cloak-external-secrets-service:7105/{{ .remoteRef.key }}"
+      result:
+        jsonPath: "$.value"
+      headers:
+        Content-Type: application/json
+{%- endraw %}
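Review bot: the webhook URL uses the unqualified Service name `cloak-external-secrets-service`, which only resolves when this SecretStore lives in the `external-secrets` namespace, while the provider page says the store can be placed in any namespace; either use `http://cloak-external-secrets-service.external-secrets.svc.cluster.local:7105/{{ .remoteRef.key }}` or document the constraint. The `Content-Type: application/json` header is sent on a bodyless GET and has no effect unless the proxy requires it; say so or drop it. Minor: `webhookl` in the comment should be `webhook`, and `{% raw %}` is paired with the whitespace-stripping `{%- endraw %}`; use matching forms.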

+ 1 - 0
hack/api-docs/mkdocs.yml

@@ -105,6 +105,7 @@ nav:
     - senhasegura DevOps Secrets Management (DSM): provider/senhasegura-dsm.md
     - Doppler: provider/doppler.md
     - Keeper Security: provider/keeper-security.md
+    - Cloak End 2 End Encrypted Secrets: provider/cloak.md
     - Scaleway: provider/scaleway.md
     - Delinea: provider/delinea.md
   - Examples:
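Review bot: the nav label `Cloak End 2 End Encrypted Secrets` does not match the page's own `## Cloak` heading, and most neighbouring entries use the plain product name (`Doppler`, `Keeper Security`, `Delinea`); `Cloak` or `Cloak Encrypted Secrets` would be more consistent.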