Skip to content

External Secrets and Configmaps

Overview#

This guide shows how to store and retrieve jans configmaps and secrets externally in AWS Secrets Manager, GCP Secret Manager and Vault.

Note

Configmaps and Secrets are stored as a collection of key-value pairs. A secret in AWS/GCP Secret Manager has a max size of 65536 bytes. So the collection of key-value pairs is splitted between secrets, and thus note that during secrets retrieval it's possible that a single key-value pair is to be splitted between 2 AWS/GCP secrets.

Create Secrets#

AWS#

There are 2 types of Secrets in AWS:

  1. String Secret where the secret can be created and retrieved from the console.

  2. Binary Secret where the secret is binary-encoded and can be created and retrieved only using the CLI/SDK.

Configmaps are stored in a single String Secret. It follows the naming convention of janssen_configs

Secrets are splitted and stored in multiple Binary Secrets due to the max size limitation.

  • Secrets follows the naming convention of janssen_secrets, janssen_secrets_1, janssen_secrets_2..etc

  • Every single secret doesn't have to be a valid json, but instead the collection of all secrets should have a valid json. For example:

    janssen_secrets: {"key1":"value1",

    janssen_secrets_1: "key2":"value2",

    janssen_secrets_2: "key3":"value3"}

Fresh Installation#

You will need the ACCESS_KEY_ID and SECRET_ACCESS_KEY of an IAM user with a SecretsManagerReadWrite policy attached.

Add the following configuration to your override.yaml:

global:
    configAdapterName: aws
    configSecretAdapter: aws 
config:
  configmap:
    cnAwsAccessKeyId: L30E10OME18S1220S221
    cnAwsSecretAccessKey: Z1A1M9A1L1EKALIeHHN~o
    cnAwsDefaultRegion: us-east-1 #Choose based on the desired region
    cnAwsSecretsEndpointUrl: https://secretsmanager.us-east-1.amazonaws.com #Choose based on the desired region
    cnAwsSecretsNamePrefix: janssen
    cnAwsProfile: janssen #Choose based on your aws named profile 
    cnAwsSecretsReplicaRegions: [] #Optional if you want secrets to be replicated. [{"Region": "us-west-1"}, {"Region": "us-west-2"}]

Run helm install or helm upgrade if Janssen is already installed:

helm upgrade <helm-release-name> janssen/janssen -f override.yaml -n <namespace>

Export/Migration#

Configmaps#
  • Get the json of the configmap

    kubectl get configmap -n <namespace> cn -o json 
    

  • Configmaps in AWS are stored as StringSecret, they can be created and retrieved from the console: Click Create Secret > Choose Other type of Secret > Click on Plaintext tab > Paste the json of the key-value pairs.

Secrets#
  • Get the json of the secret

    kubectl get secret -n <namespace> cn -o json 
    

  • Secrets in AWS are splitted across multiple BinarySecrets which is created and retrieved using the CLI/SDK

  • Assuming the json is stored in a file named binary-secrets.json:

    aws secretsmanager create-secret --name <secret-name> --secret-binary fileb://binary-secrets.json --region <secret-region>
    

GCP#

Fresh Installation#

Make sure you enabled Secret Manager API.

You will need a Service account with the roles/secretmanager.admin role. This service account json should then be base64 encoded.

Add the following configuration to your override.yaml:

global:
  configAdapterName: google
  configSecretAdapter: google 
config:
  configmap:
    cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= #base64 encoded service account json
    cnGoogleProjectId: google-project-to-save-config-and-secrets-to
    cnSecretGoogleSecretVersionId: "latest" # Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. 
    cnSecretGoogleSecretNamePrefix: janssen
    cnGoogleSecretManagerPassPhrase: Test1234# #Passphrase for Janssen secret in Google Secret Manager. Used for encrypting and decrypting data from Google's Secret Manager. 
    cnConfigGoogleSecretVersionId: "latest" #Secret version to be used for configuration. Defaults to latest and should normally always stay that way.
    cnConfigGoogleSecretNamePrefix: janssen

Run helm install or helm upgrade if Janssen is already installed:

helm upgrade <helm-release-name> janssen/janssen -f override.yaml -n <namespace>

Export/Migration#

Get the json of the secret/configmap

kubectl get configmap -n <namespace> cn -o json 

From the console, Go to Secret Manager> Click on Create Secret > Add a name > Upload a json file or add the json to the Secret value field > Create

Managing Versions#

While there's no limitation on how many versions a secret can have, the recommendation is to keep the number as low as possible, e.g. 5 active versions. If there are too many secret versions, it's best to disable older versions manually, for example:

gcloud secrets versions list flex-secret --filter="state = enabled" --filter="createTime < '2024-03-02'" | grep "NAME:" | tr -d "NAME: " > versions_to_disable.txt
while read -r line; do
  gcloud secrets versions disable "$line" --secret=flex-secret
done < "versions_to_disable.txt"

Vault#

Note

The deployment of Vault is hosted on-premises, not within the HashiCorp Cloud Platform service

  1. Enable the KV secrets engine version 1 in Vault. For example: vault secrets enable -path=secret -version=1 kv

    Note that the path i.e. secret will be mapped to cnVaultKvPath later.

  2. Create a policy, which will be attached later to the appRole.

    Create first a file named policy.hcl with the required capabilities.

    path "secret/<name>/*" {
     capabilities = ["create", "list", "read", "delete", "update"]
    }  
    

    Note that <name> will be mapped to cnVaultPrefix later.

    Create the policy: vault policy write <name> /path/to/policy.hcl

  3. Enable and configure appRole. You have also to reference the previously created policy. For example:

    vault auth enable -path=approle approle
    vault write auth/approle/role/<role-name> token_policies="<policy-name>"
    

    The default appRole path is approle which will be mapped to cnVaultAppRolePath later.

  4. Add the following configuration to your override.yaml:

    global:
      configSecretAdapter: vault
    config:
      configmap:  
        # -- Vault AppRole RoleID.
        cnVaultRoleId: ""
        # -- Vault AppRole SecretID.
        cnVaultSecretId: ""
        # -- Base URL of Vault.
        cnVaultAddr: http://localhost:8200
        # -- Verify connection to Vault.
        cnVaultVerify: false
        # -- Path to file contains Vault AppRole role ID.
        cnVaultRoleIdFile: /etc/certs/vault_role_id
        # -- Path to file contains Vault AppRole secret ID.
        cnVaultSecretIdFile: /etc/certs/vault_secret_id
        # -- Vault namespace used to access the secrets.
        cnVaultNamespace: ""
        # -- Path to Vault KV secrets engine.
        cnVaultKvPath: secret
        # -- Base prefix name used to access secrets.
        cnVaultPrefix: jans
        # -- Path to Vault AppRole.
        cnVaultAppRolePath: approle
    
    5. Run helm install or helm upgrade

Retrieve Secrets#

AWS#

String Secret: To retrieve the secret value from the Console, click on the secret name and then click on Retrieve Secret Value

Binary Secret: To retrieve the secret value using the cli

aws secretsmanager get-secret-value --secret-id <secret-name> --query 'SecretBinary' --output text --region <secret-region>

Note that the secret is binary encoded, so in order to have a decoded value, you can run the following

aws secretsmanager get-secret-value --secret-id <secret-name> --query 'SecretBinary' --output text --region <secret-region> | base64 --decode

Repeat these commands across all the secrets, to get the full key-value pairs.

GCP#

Review this to check multiple ways to retrieve secrets stored in GCP Secret Manager.


Last update: 2024-03-11
Created: 2023-04-18