
Add support for Yandex Lockbox: docs

zamysel 4 years ago
commit 42a3e2c457

+ 2 - 0
README.md

@@ -17,6 +17,7 @@ Multiple people and organizations are joining efforts to create a single Externa
 - [Google Cloud Secrets Manager](https://external-secrets.io/provider-google-secrets-manager/)
 - [Azure Key Vault](https://external-secrets.io/provider-azure-key-vault/)
 - [IBM Cloud Secrets Manager](https://external-secrets.io/provider-ibm-secrets-manager/)
+- [Yandex Lockbox](https://external-secrets.io/provider-yandex-lockbox/)
 
 ## Stability and Support Level
 
@@ -35,6 +36,7 @@ Multiple people and organizations are joining efforts to create a single Externa
 | ------------------------------------------------------------------- | :-------: | :----------------------------------------: |
 | [Azure KV](https://external-secrets.io/provider-azure-key-vault/)   |   alpha   | @ahmedmus-1A @asnowfix @ncourbet-1A @1A-mj |
 | [IBM SM](https://external-secrets.io/provider-ibm-secrets-manager/) |   alpha   |   @knelasevero @sebagomez @ricardoptcosta  |
+| [Yandex Lockbox](https://external-secrets.io/provider-yandex-lockbox/) |   alpha   |   @AndreyZamyslov @knelasevero         |
 
 ## Documentation
 

+ 1 - 1
apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go

@@ -19,7 +19,7 @@ import (
 )
 
 type YandexLockboxAuth struct {
-	// The AuthorizedKey is used for authentication
+	// The authorized key used for authentication
 	// +optional
 	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
 }
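Review bot: `AuthorizedKey` keeps `// +optional` (and `omitempty`) even though the docs added in this commit say authorized-key authentication is the only supported method, so a `SecretStore` whose `auth` block omits `authorizedKeySecretRef` passes CRD validation. Either drop the `+optional` marker so the CRD rejects it, or extend the comment to state what the provider does when the ref is unset; the reworded comment `// The authorized key used for authentication` does not answer that.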

+ 1 - 1
deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -617,7 +617,7 @@ spec:
                           against Yandex Lockbox
                         properties:
                           authorizedKeySecretRef:
-                            description: The AuthorizedKey is used for authentication
+                            description: The authorized key used for authentication
                             properties:
                               key:
                                 description: The key of the entry in the Secret resource's

+ 1 - 1
deploy/crds/external-secrets.io_secretstores.yaml

@@ -617,7 +617,7 @@ spec:
                           against Yandex Lockbox
                         properties:
                           authorizedKeySecretRef:
-                            description: The AuthorizedKey is used for authentication
+                            description: The authorized key used for authentication
                             properties:
                               key:
                                 description: The key of the entry in the Secret resource's

+ 86 - 0
docs/provider-yandex-lockbox.md

@@ -0,0 +1,86 @@
+## Yandex Lockbox
+
+External Secrets Operator integrates with [Yandex Lockbox](https://cloud.yandex.com/docs/lockbox/)
+for secret management.
+
+### Prerequisites
+* [External Secrets Operator installed](../guides-getting-started/#installing-with-helm)
+* [Yandex.Cloud CLI installed](https://cloud.yandex.com/docs/cli/quickstart)
+
+### Authentication
+At the moment, [authorized key](https://cloud.yandex.com/docs/iam/concepts/authorization/key) authentication is only supported:
+
+* Create a [service account](https://cloud.yandex.com/docs/iam/concepts/users/service-accounts) in Yandex.Cloud:
+```bash
+yc iam service-account create --name eso-service-account
+```
+* Create an authorized key for the service account and save it to `authorized-key.json` file:
+```bash
+yc iam key create \
+  --service-account-name eso-service-account \
+  --output authorized-key.json
+```
+* Create a k8s secret containing the authorized key saved above:
+```bash
+kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
+```
+* Create a [SecretStore](../api-secretstore/) pointing to `yc-auth` k8s secret:
+```yaml
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: secret-store
+spec:
+  provider:
+    yandexlockbox:
+      auth:
+        authorizedKeySecretRef:
+          name: yc-auth
+          key: authorized-key
+```
+
+### Creating external secret
+To make External Secrets Operator sync a k8s secret with a Lockbox secret:
+
+* Create a Lockbox secret, if not already created:
+```bash
+yc lockbox secret create \
+  --name lockbox-secret \
+  --payload '[{"key": "password","textValue": "p@$$w0rd"}]'
+```
+* Assign the [`lockbox.payloadViewer`](https://cloud.yandex.com/docs/lockbox/security/#roles-list) role
+  for accessing the `lockbox-secret` payload to the service account used for authentication:
+```bash
+yc lockbox secret add-access-binding \
+  --name lockbox-secret \
+  --service-account-name eso-service-account \
+  --role lockbox.payloadViewer
+```
+Run the following command to ensure that the correct access binding has been added:
+```bash
+yc lockbox secret list-access-bindings --name lockbox-secret
+```
+* Create an [ExternalSecret](../api-externalsecret/) pointing to `secret-store` and `lockbox-secret`:
+```yaml
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: external-secret
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: secret-store
+    kind: SecretStore
+  target:
+    name: k8s-secret # the target k8s secret name
+  data:
+  - secretKey: password # the target k8s secret key
+    remoteRef:
+      key: ***** # ID of lockbox-secret
+      property: password # (optional) payload entry key of lockbox-secret
+```
+
+The operator will fetch the Yandex Lockbox secret and inject it as a `Kind=Secret`
+```yaml
+kubectl get secret k8s-secret -n <namespace> | -o jsonpath='{.data.password}' | base64 -d
+```
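Review bot: the verification command at the end, `kubectl get secret k8s-secret -n <namespace> | -o jsonpath='{.data.password}' | base64 -d`, has a stray `|` before `-o` and fails as written; it should read `kubectl get secret k8s-secret -n <namespace> -o jsonpath='{.data.password}' | base64 -d`, and it belongs in a ```bash fence rather than the ```yaml fence it is in (the ```bash fences used earlier in the same file are the convention). A few smaller points in the same hunk: (1) `kubectl create secret generic yc-auth ...` is run without `-n` while the last command uses `-n <namespace>`; a `SecretStore` is namespaced and resolves `authorizedKeySecretRef` in its own namespace, so say explicitly that `yc-auth` must be created in the namespace where the `SecretStore` lives. (2) "authorized key authentication is only supported" reads as the authorized key being the only thing that is supported; "only authorized key authentication is supported" is the intended meaning. (3) `--payload '[{"key": "password","textValue": "p@$$w0rd"}]'` puts the secret value into shell history and process listings; for a secrets-management guide a one-line warning about that is worth having. (4) `key: ***** # ID of lockbox-secret` never tells the reader where the ID comes from; a sentence pointing at the ID returned when the secret is created (or at listing the secret with `yc`) closes that gap. (5) The sentence "The operator will fetch the Yandex Lockbox secret and inject it as a `Kind=Secret`" is missing its full stop.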

+ 90 - 1
docs/spec.md

@@ -543,7 +543,9 @@ ExternalSecretStatus
 <th>Description</th>
 </tr>
 </thead>
-<tbody><tr><td><p>&#34;Ready&#34;</p></td>
+<tbody><tr><td><p>&#34;Deleted&#34;</p></td>
+<td></td>
+</tr><tr><td><p>&#34;Ready&#34;</p></td>
 <td></td>
 </tr></tbody>
 </table>
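Review bot: the new `Deleted` value in the ExternalSecretStatus condition-type table has an empty description cell, and nothing in this commit (message: "Add support for Yandex Lockbox: docs") introduces or explains it; it looks like spec.md was regenerated against a tree carrying an unrelated API change. Either add a one-line description for `Deleted` in the Go source so the generated table is not blank, or leave this hunk out of the Lockbox docs commit.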
@@ -1466,6 +1468,20 @@ IBMProvider
 <p>IBM configures this store to sync secrets using IBM Cloud provider</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>yandexlockbox</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.YandexLockboxProvider">
+YandexLockboxProvider
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>YandexLockbox configures this store to sync secrets using Yandex Lockbox provider</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1alpha1.SecretStoreRef">SecretStoreRef
@@ -2274,6 +2290,79 @@ are used to validate the TLS connection.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.YandexLockboxAuth">YandexLockboxAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.YandexLockboxProvider">YandexLockboxProvider</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>authorizedKeySecretRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The authorized key used for authentication</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="external-secrets.io/v1alpha1.YandexLockboxProvider">YandexLockboxProvider
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.SecretStoreProvider">SecretStoreProvider</a>)
+</p>
+<p>
+<p>YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>endpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Yandex.Cloud API endpoint</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>auth</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.YandexLockboxAuth">
+YandexLockboxAuth
+</a>
+</em>
+</td>
+<td>
+<p>Auth defines the information necessary to authenticate against Yandex Lockbox</p>
+</td>
+</tr>
+</tbody>
+</table>
 <hr/>
 <p><em>
 Generated with <code>gen-crd-api-reference-docs</code>.
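Review bot: `endpoint` is rendered as a required field of `YandexLockboxProvider` (no `<em>(Optional)</em>`, unlike `authorizedKeySecretRef`), yet the `SecretStore` example in docs/provider-yandex-lockbox.md omits `endpoint` entirely; one of the two is wrong. If the provider falls back to a default endpoint, mark the field `// +optional` and name the default in its description ("Yandex.Cloud API endpoint" says nothing about it); otherwise the doc example needs an `endpoint:` line. Also, the `YandexLockboxAuth` entry renders an empty `<p>\n</p>` description because the Go type has no doc comment; a one-line `// YandexLockboxAuth ...` comment on the struct fixes the generated output.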

+ 2 - 0
hack/api-docs/mkdocs.yml

@@ -46,6 +46,8 @@ nav:
     - IBM:
       - Secrets Manager: provider-ibm-secrets-manager.md
     - HashiCorp Vault: provider-hashicorp-vault.md
+    - Yandex:
+        - Lockbox: provider-yandex-lockbox.md
   - References:
     - API specification: spec.md
   - Contributing:
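Review bot: the nested `- Lockbox: provider-yandex-lockbox.md` entry is indented eight spaces under `- Yandex:`, whereas the sibling `- Secrets Manager: provider-ibm-secrets-manager.md` under `- IBM:` uses six; YAML accepts both, but the nav block should keep one indentation width, so this should be six to match the existing entries.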