I have an external secret storage - Azure Key Vault with a secret password.

I need to create a Kubernetes secret with multiple fields: password - only comes from an Azure Key Vault, username hardcoded, url hardcoded, with hardcoded annotations and labels.

Like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-external-secret
  labels:
    mylable: external
  annotations:
    myannotation: external
type: Opaque
stringData:
  name: credentials
  url: https://example.com
  username: user
  password: <from-Azure-Key-Vault>

I use Azure Kubernetes Service if it matters.

Michael Chudinov

2 Answers

The Azure Key Vault integration with AKS creates and controls the secret, so you won't be able to modify it.

I would suggest moving the non KV secrets to their own secret, then in your deployment mount both secrets.

akathimi

This can be easily achieved with external-secrets software installed in a Kubernetes cluster. external-secrets supports many different secret storages including Azure Key Vault. external-secrets has a template engine and can generate a secret with multiple fields and labels and annotations.

Example: Connect with external-secrets to a Key Vault using managed identity

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: external-secrets-kv
  namespace: myspace
spec:
  provider:
    azurekv:
      authType: ManagedIdentity
      identityId: "<ManagedIdentityID>"
      vaultUrl: "https://<keyvault-name>.vault.azure.net"

Now let's create a template with annotations and labels and multiple fields:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: template-my-external-secret
  namespace: myspace
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: external-secrets-kv
  target:
    name: my-external-secret
    template:
      type: Opaque
      engineVersion: v2
      metadata:
        labels:
          mylable: external
        annotations:
          myannotation: external
      data:
        name: credentials
        url: https://example.com
        password: '{{ .password }}'
        username: '{{ .username }}'
  data:
  - secretKey: password
    remoteRef:
      key: azure-kv-password
  - secretKey: username
    remoteRef:
      key: azure-kv-username

Then external-secrets will create a real secret with username and password fields with values from Azure Key Vault.

apiVersion: v1
kind: Secret
metadata:
  name: my-external-secret
  namespace: myspace
  labels:
    mylable: external
  annotations:
    myannotation: external
type: Opaque
stringData:
  name: credentials
  url: https://example.com
  username: <from-Azure-Key-Vault>
  password: <from-Azure-Key-Vault>
Michael Chudinov
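To make the relationship between `spec.data` (what is fetched from the vault) and `target.template` (how the resulting Secret is shaped) concrete, here is an added Python simulation of that rendering step. It is not code from the answer or from the external-secrets project: `FAKE_KEY_VAULT` is a constructed in-memory stand-in for Azure Key Vault, `render_secret` and `decoded_data` are hypothetical helpers, and only the `{{ .key }}` subset of the template syntax is handled. The edge case it covers is a template that references a key no `spec.data` entry fetches, which must fail rather than silently produce an empty field.

```python
import base64
import re

# Constructed stand-in for Azure Key Vault (secret name -> value); not a real vault.
FAKE_KEY_VAULT = {"azure-kv-password": "s3cr3t-from-kv", "azure-kv-username": "user-from-kv"}

# The spec of the ExternalSecret from the answer above, as a Python dict.
EXTERNAL_SECRET_SPEC = {
    "target": {
        "name": "my-external-secret",
        "template": {
            "type": "Opaque",
            "metadata": {"labels": {"mylable": "external"},
                         "annotations": {"myannotation": "external"}},
            "data": {"name": "credentials", "url": "https://example.com",
                     "password": "{{ .password }}", "username": "{{ .username }}"},
        },
    },
    "data": [
        {"secretKey": "password", "remoteRef": {"key": "azure-kv-password"}},
        {"secretKey": "username", "remoteRef": {"key": "azure-kv-username"}},
    ],
}

# Matches the {{ .key }} placeholders used in the template (a subset of Go template syntax).
PLACEHOLDER = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def render_secret(spec, vault, namespace="myspace"):
    """Simulate the ExternalSecret -> Secret step: fetch each remoteRef into its
    secretKey, fill the placeholders in template.data, pass static fields and
    metadata through, and base64-encode values into 'data' like a real Secret."""
    fetched = {d["secretKey"]: vault[d["remoteRef"]["key"]] for d in spec["data"]}
    template = spec["target"]["template"]
    def lookup(match):
        key = match.group(1)
        if key not in fetched:  # template uses a key that no spec.data entry fetches
            raise KeyError(f"template references .{key} but spec.data does not fetch it")
        return fetched[key]
    rendered = {k: PLACEHOLDER.sub(lookup, v) for k, v in template["data"].items()}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": spec["target"]["name"], "namespace": namespace,
                     **template.get("metadata", {})},
        "type": template.get("type", "Opaque"),
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in rendered.items()},
    }


def decoded_data(secret):
    """Decode the Secret's base64 'data' back to strings, as 'kubectl get secret -o json | base64 -d' would."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
```

Static fields (`name`, `url`) and the label/annotation metadata reach the Secret unchanged, while `password` and `username` are whatever the vault returned at render time.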