@@ -0,0 +1,118 @@
+## Generic Webhook
+
+External Secrets Operator can integrate with simple web apis by specifying the endpoint
+
+### Example
+
+First, create a SecretStore with a webhook backend. We'll use a static user/password `root`:
+
+```yaml
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+ name: webhook-backend
+spec:
+ provider:
+ webhook:
+ url: "http://httpbin.org/get?parameter={{ .remoteRef.key }}"
+ result:
+ jsonPath: "$.args.parameter"
+ headers:
+ Content-Type: application/json
+ Authorization: Basic {{ print .auth.username ":" .auth.password | b64enc }}
+ secrets:
+ - name: auth
+ secretRef:
+ name: webhook-credentials
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webhook-credentials
+data:
+ username: dGVzdA== # "test"
+ password: dGVzdA== # "test"
+```
+
+NB: This is obviously not practical because it just returns the key as the result, but it shows how it works
+
+Now create an ExternalSecret that uses the above SecretStore:
+
+```yaml
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+ name: webhook-example
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: webhook-backend
+ kind: SecretStore
+ target:
+ name: example-sync
+ data:
+ - secretKey: foobar
+ remoteRef:
+ key: secret
+---
+# will create a secret with:
+kind: Secret
+metadata:
+ name: example-sync
+data:
+ foobar: c2VjcmV0
+```
+
+#### Limitations
+
+Webhook does not support authorization, other than what can be sent by generating http headers
+
+### Templating
+
+Generic WebHook provider uses the templating engine to generate the API call. It can be used in the url, headers, body and result.jsonPath fields.
+
+The provider inserts the secret to be retrieved in the object named `remoteRef`.
+
+In addition, secrets can be added as named objects, for example to use in authorization headers.
+Each secret has a `name` property which determines the name of the object in the templating engine.
+
+### All Parameters
+
+```yaml
+apiVersion: external-secrets.io/v1alpha1
+kind: ClusterSecretStore
+metadata:
+ name: statervault
+spec:
+ provider:
+ webhook:
+ # Url to call. Use templating engine to fill in the request parameters
+ url: <url>
+ # http method, defaults to GET
+ method: <method>
+ # Timeout in duration (1s, 1m, etc)
+ timeout: 1s
+ result:
+ # [jsonPath](https://jsonpath.com) syntax, which also can be templated
+ jsonPath: <jsonPath>
+ # Map of headers, can be templated
+ headers:
+ <Header-Name>: <header contents>
+ # Body to sent as request, can be templated (optional)
+ body: <body>
+ # List of secrets to expose to the templating engine
+ secrets:
+ # Use this name to refer to this secret in templating, above
+ - name: <name>
+ secretRef:
+ namespace: <namespace>
+ name: <name>
+ # Add CAs here for the TLS handshake
+ caBundle: <base64 encoded cabundle>
+ caProvider:
+ type: Secret or COnfigMap
+ name: <name of secret or configmap>
+ namespace: <namespace>
+ key: <key inside secret>
+```
+
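Review bot: The SecretStore example sends an `Authorization: Basic ...` header built from the `webhook-credentials` Secret to `http://httpbin.org/get?parameter=...`, so anyone who copies it transmits base64-encoded credentials in cleartext to a public third-party host; use an `https://` URL in the example and state in the NB that the credentials are dummy values. The intro line says the static user/password is `root`, but both Secret values are annotated as "test" (`dGVzdA==`), so one of the two should change. Since `{{ .remoteRef.key }}` is interpolated directly into the query string, the Templating section should say whether the value is URL-escaped or whether the template author has to do that. Under Limitations, "does not support authorization" describes how the caller proves its identity to the endpoint, so "authentication" is probably the intended word. Smaller points in the All Parameters block: `type: Secret or COnfigMap` has a casing typo, "Body to sent" should read "Body to send", the store name `statervault` reads like a leftover from another provider's docs, and it would help to say whether `caBundle` and `caProvider` are alternatives or can be combined. The opening sentence ending in "by specifying the endpoint" is missing its final period.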