|
|
@@ -657,17 +657,44 @@
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#creating-the-secret-inside-the-provider" class="md-nav__link">
|
|
|
- Creating the secret inside the provider
|
|
|
+ <a href="#secret-types" class="md-nav__link">
|
|
|
+ Secret Types
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Secret Types">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#arbitrary" class="md-nav__link">
|
|
|
+ arbitrary
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#username_password" class="md-nav__link">
|
|
|
+ username_password
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#iam_credentials" class="md-nav__link">
|
|
|
+ iam_credentials
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#other-types-of-secret" class="md-nav__link">
|
|
|
- Other types of secret
|
|
|
+ <a href="#imported_cert" class="md-nav__link">
|
|
|
+ imported_cert
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
@@ -903,17 +930,44 @@
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#creating-the-secret-inside-the-provider" class="md-nav__link">
|
|
|
- Creating the secret inside the provider
|
|
|
+ <a href="#secret-types" class="md-nav__link">
|
|
|
+ Secret Types
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Secret Types">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#arbitrary" class="md-nav__link">
|
|
|
+ arbitrary
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#username_password" class="md-nav__link">
|
|
|
+ username_password
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#iam_credentials" class="md-nav__link">
|
|
|
+ iam_credentials
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#other-types-of-secret" class="md-nav__link">
|
|
|
- Other types of secret
|
|
|
+ <a href="#imported_cert" class="md-nav__link">
|
|
|
+ imported_cert
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
@@ -969,7 +1023,7 @@
|
|
|
<p><img alt="iam-create-success" src="../pictures/screenshot_api_keys_create_successful.png" /></p>
|
|
|
<h4 id="api-key-secret">API key secret</h4>
|
|
|
<p>Create a secret containing your apiKey:</p>
|
|
|
-<div class="highlight"><pre><span></span><code>kubectl create secret generic ibm-secret --from-literal<span class="o">=</span><span class="nv">apiKey</span><span class="o">=</span><span class="s1">'API_KEY_VALUE'</span>
|
|
|
+<div class="highlight"><pre><span></span><code>kubectl create secret generic ibm-secret --from-literal<span class="o">=</span><span class="nv">apiKey</span><span class="o">=</span><span class="s1">'API_KEY_VALUE'</span>
|
|
|
</code></pre></div>
|
|
|
|
|
|
<h3 id="update-secret-store">Update secret store</h3>
|
|
|
@@ -981,23 +1035,63 @@
|
|
|
<span class="nt">spec</span><span class="p">:</span>
|
|
|
<span class="nt">provider</span><span class="p">:</span>
|
|
|
<span class="nt">ibm</span><span class="p">:</span>
|
|
|
+ <span class="nt">serviceUrl</span><span class="p">:</span> <span class="s">"https://SECRETS_MANAGER_ID.REGION.secrets-manager.appdomain.cloud"</span>
|
|
|
<span class="nt">auth</span><span class="p">:</span>
|
|
|
<span class="nt">secretRef</span><span class="p">:</span>
|
|
|
<span class="nt">secretApiKeySecretRef</span><span class="p">:</span>
|
|
|
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ibm-secret</span>
|
|
|
<span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">apiKey</span>
|
|
|
- <span class="nt">serviceUrl</span><span class="p">:</span> <span class="s">"https://SECRETS_MANAGER_ID.REGION.secrets-manager.appdomain.cloud"</span>
|
|
|
</code></pre></div>
|
|
|
|
|
|
-<p>To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left:</p>
|
|
|
+<p>To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
|
|
|
+Note: Use the url without the <code>/api</code> suffix that is presented in the UI.
|
|
|
+See here for a list of <a href="https://cloud.ibm.com/apidocs/secrets-manager#getting-started-endpoints">publicly available endpoints</a>.</p>
|
|
|
<p><img alt="iam-create-success" src="../pictures/screenshot_service_url.png" /></p>
|
|
|
-<h3 id="creating-the-secret-inside-the-provider">Creating the secret inside the provider</h3>
|
|
|
-<p>For now we only support secrets of type arbitrary. So you need to go to your Secrets Manager UI and, click 'Add Secret', and then choose 'Other Secret Type'. You can now enter your value as text or as a file. This will be the value synchronized with the secret directly.</p>
|
|
|
-<h3 id="other-types-of-secret">Other types of secret</h3>
|
|
|
-<div class="admonition note">
|
|
|
-<p class="admonition-title">Not implemented</p>
|
|
|
-<p>This is currently not yet implemented. See <a href="https://github.com/external-secrets/external-secrets/issues/242">#242</a> for details. Feel free to contribute.</p>
|
|
|
-</div>
|
|
|
+<h3 id="secret-types">Secret Types</h3>
|
|
|
+<p>We support all secret types of <a href="https://cloud.ibm.com/apidocs/secrets-manager">IBM Secrets Manager</a>: <code>arbitrary</code>, <code>username_password</code>, <code>iam_credentials</code> and <code>imported_cert</code>. To define the type of secret you would like to sync you need to prefix the secret id with the desired type. If the secret type is not specified it is defaulted to <code>arbitrary</code>:</p>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span>
|
|
|
+ <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ibm-sample</span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span>
|
|
|
+ <span class="c1"># [...]</span>
|
|
|
+ <span class="nt">data</span><span class="p">:</span>
|
|
|
+ <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
|
|
|
+ <span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
+ <span class="c1"># defaults to type=arbitrary</span>
|
|
|
+ <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</span>
|
|
|
+ <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">foo</span>
|
|
|
+ <span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
+ <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">username_password/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy</span>
|
|
|
+ <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">bar</span>
|
|
|
+ <span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
+ <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">iam_credentials/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz</span>
|
|
|
+ <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">baz</span>
|
|
|
+ <span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
+ <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">imported_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz</span>
|
|
|
+</code></pre></div>
|
|
|
+
|
|
|
+<p>The behavior for the different secret types is as following:</p>
|
|
|
+<h4 id="arbitrary">arbitrary</h4>
|
|
|
+<ul>
|
|
|
+<li><code>remoteRef</code> retrieves a string from secrets manager and sets it for specified <code>secretKey</code></li>
|
|
|
+<li><code>dataFrom</code> retrieves a string from secrets manager and tries to parse it as JSON object setting the key:values pairs in resulting Kubernetes secret if successful</li>
|
|
|
+</ul>
|
|
|
+<h4 id="username_password">username_password</h4>
|
|
|
+<ul>
|
|
|
+<li><code>remoteRef</code> requires a <code>property</code> to be set for either <code>username</code> or <code>password</code> to retrieve respective fields from the secrets manager secret and set in specified <code>secretKey</code></li>
|
|
|
+<li><code>dataFrom</code> retrieves both <code>username</code> and <code>password</code> fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret</li>
|
|
|
+</ul>
|
|
|
+<h4 id="iam_credentials">iam_credentials</h4>
|
|
|
+<ul>
|
|
|
+<li><code>remoteRef</code> retrieves an apikey from secrets manager and sets it for specified <code>secretKey</code></li>
|
|
|
+<li><code>dataFrom</code> retrieves an apikey from secrets manager and sets it for the <code>apikey</code> Kubernetes secret key</li>
|
|
|
+</ul>
|
|
|
+<h4 id="imported_cert">imported_cert</h4>
|
|
|
+<ul>
|
|
|
+<li><code>remoteRef</code> requires a <code>property</code> to be set for either <code>certificate</code>, <code>private_key</code> or <code>intermediate</code> to retrieve respective fields from the secrets manager secret and set in specified <code>secretKey</code></li>
|
|
|
+<li><code>dataFrom</code> retrieves all <code>certificate</code>, <code>private_key</code> and <code>intermediate</code> fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret</li>
|
|
|
+</ul>
|
|
|
<h3 id="creating-external-secret">Creating external secret</h3>
|
|
|
<p>To create a kubernetes secret from the IBM Secrets Manager, a <code>Kind=ExternalSecret</code> is needed.</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
paul-the-alien[bot]