/ack-secret-manager

ACK Secret Manager allows you to use external secret management systems (*e.g.*, Alibaba Cloud Secrets Manager) to securely add secrets in Kubernetes.

Primary LanguageGoApache License 2.0Apache-2.0

ACK Secret Manager

English | 简体中文

ack-secret-manager can help you import ciphertext stored in Alibaba Cloud KMS Secrets Manager into the cluster in the form of Kubernetes native Secret objects and achieve automatic synchronization of key data, you can securely inject the ciphertext, which is stored in the Secrets Manager, into your application by mounting a Secret within the application's Pod. This practice helps to prevent the leakage and proliferation of sensitive data throughout the application supply chain.

Install

  1. Please make sure that the credentials used by the ack-secret-manager have enough permissions to access the Alibaba Cloud KMS Secrets Manager. You can use the following two configuration methods, and we recommend you to use the second RRSA method to achieve authorization in the Pod level.
  • Add permissions to the WorkerRole corresponding to the cluster

    • Log in to the Container Service console

    • Select the cluster to enter the cluster details page

    • Navigate to the Cluster Resources page in the cluster information. Once there, click on the Worker RAM role with the corresponding name KubernetesWorkerRole-xxxxxxxxxxxxxxx. This will automatically take you to the console page associated with the RAM role.

    • Add kms RAM policy below into the policy bind to the worker role

      {
          "Action": [
             "kms:GetSecretValue",
             "kms:Decrypt"
          ],
          "Resource": [
              "*"
          ],
          "Effect": "Allow"
      }
  • Implement Pod dimension authorization through RRSA method

  1. Log in to the Container Service console

    • Select Marketplace -> Marketplace in the left navigation bar, enter ack-secret-manager in the search bar, and select to enter the application page;

    • Select the target cluster, namespace, and release name to be installed;

    • Configure custom parameters on the parameter configuration page, including rrsa.enable in values.yaml and related parameters in envVarsFromSecret. For parameter descriptions, see the configuration instructions below;

    • Click the OK button to complete the installation.

Upgrade

  1. Log in to the Container Service console;
  2. Select the target cluster and click to enter the cluster details page;
  3. Select Applications -> Helm in the navigation bar on the left, find the Update button corresponding to ack-secret-manager, modify the configuration and click the OK button to complete the installation.

Uninstall

  1. Log in to the Container Service console;
  2. Select the target cluster and click to enter the cluster details page;
  3. Select Applications -> Helm in the navigation bar on the left, find the Delete button corresponding to ack-secret-manager, and click the Delete button in the operation bar to delete it.

Configuration instructions

parameter introduction default value
env.WATCH_NAMESPACE Specify the namespace of the component watch (the default empty value represents all namespaces of watch)
envVarsFromSecret.ACCESS_KEY_ID You can build the SDK client by specifying the credential AK by setting the ACCESS_KEY_ID variable, which needs to be defined in the secret instance named alibaba-credentials
envVarsFromSecret.SECRET_ACCESS_KEY You can build the SDK client by specifying the credential SK by setting the SECRET_ACCESS_KEY variable, which needs to be defined in the secret instance named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_ARN You can specify the RAM role ARN used to build the SDK client by setting the ALICLOUD_ROLE_ARN variable, which needs to be defined in the secret instance named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME You can specify the RAM role session name by setting the ALICLOUD_ROLE_SESSION_NAME variable to build the SDK client, which needs to be defined in the secret instance named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION You can specify the RAM role session expiration length by setting the ALICLOUD_ROLE_SESSION_EXPIRATION variable to build the SDK client. It needs to be defined in the secret instance named alibaba-credentials.
envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN You can specify the ARN of the RAM OIDC provider by setting the ALICLOUD_OIDC_PROVIDER_ARN variable to build the SDK client, which needs to be defined in the secret instance named alibaba-credentials
envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE You can specify the oidc token file path in the pod by setting the ALICLOUD_OIDC_TOKEN_FILE variable to build the SDK client. It needs to be defined in the secret instance named alibaba-credentials.
envVarsFromSecret.ALICLOUD_REMOTE_ROLE_ARN You can specify the RAM Role Arn of another account by setting the ALICLOUD_REMOTE_ROLE_ARN variable for role playing when pulling credential data across accounts.
envVarsFromSecret.ALICLOUD_REMOTE_ROLE_SESSION_NAME You can specify the RAM Role Session Name by setting the ALICLOUD_REMOTE_ROLE_SESSION_NAME variable to perform role play when pulling credential data across accounts.
rrsa.enable Whether to enable the RRSA feature, the default is false. After enabling, you need to configure the ALICLOUD_ROLE_ARN and ALICLOUD_OIDC_PROVIDER_ARN parameters in envVarsFromSecret. false
command.backend The docked external key management system backend currently only supports Alibaba Cloud Secrets Manager, configured as alicloud-kms alicloud-kms
command.reconcilePeriod The interval for the controller to re-coordinate the externalSecret instance, the default is 5 seconds 5s
command.reconcileCount Specify the number of workers to concurrently coordinate the externalSecret instance. The default is 1 1
command.tokenRotationPeriod Polling time to check whether the KMS client access STS token has expired 120s
command.region Pull secret credentials from the specified region
command.disablePolling Turn off automatic synchronization of pulling the latest credential content from the KMS backend, default false false
command.pollingInterval The interval for synchronizing existing secret instances from the KMS backend 120s
image.repository Specified ack-secret-manager mirror warehouse name acs/ack-secret-manager
image.tag Specified ack-secret-manager image tag v0.5.0
image.pullPolicy Image pull strategy, default is Always Always
nameOverride Override app name nil
fullnameOverride Override application full name nil
rbac.create Whether to create and use RBAC resources, the default is true true
securityContext.fsGroup Specify the security context configuration of the application {}
serviceAccount.create Whether to create serviceaccount true
serviceAccount.name Specify the name of the created serviceaccount Automatic generated
serviceAccount.annotations Specify adding the serviceaccount annotation tag nil
podAnnotations Specify the annotation label added to the pod {}
podLabels Specify the Label added to the pod {}
replicaCount Number of controller copies 1
nodeSelector The specified nodeSelector tag {}
tolerations Specified taint tolerance configuration []
affinity Specified Pod affinity configuration {}
resources Specified Pod requests and limits configuration {}

Instructions for use

The following will add a test credential in Alibaba Cloud KMS Secrets Manager, synchronize the credentials through dedicated KMS and shared KMS, and demonstrate some extended functions.

ack-secret-manager involves two CRDs. SecretStore is used to store access credentials (such as RRSA configuration, ClientKey, AK configuration, etc.), and ExternalSecret is used to store basic credential information that needs to be synchronized (such as credential name, version, etc.) and specify the SecretStore. It helps to enhance the isolation of credentials permission and the usability. Please check the parameters guide

  1. Create credentials

    Add the following credentials in the KMS Secrets Manager. For detailed procedures, please refer to Manage Common Credentials

    SecretName: test1
    SecretData: {"name":"tom","age":"14","friends":[{"name":"lili"},{"name":"edf"}]} 
    VersionId: v1
  2. Create SecretStore & ExternalSecret

    Prerequisite: Enable RRSA for the cluster and correctly configure the relevant RAM Role permissions

    Create a test instance of SecretStore. The test template is as follows. Some fields need to be replaced.

    apiVersion: 'alibabacloud.com/v1alpha1'
    kind: SecretStore
    metadata:
      name: scdemo
    spec:
      KMS:
        KMSAuth:
          oidcProviderARN: "acs:ram::{accountID}:oidc-provider/ack-rrsa-{clusterID}"
          ramRoleARN: "acs:ram::{accountID}:role/{roleName}"

    Create a test instance of ExternalSecret. The test template is as follows:

    apiVersion: 'alibabacloud.com/v1alpha1'
    kind: ExternalSecret
    metadata:
      name: esdemo
    spec:
      data: #Data sources that require no special processing
        - key: 	test1 # kms credential name
          name: test1 # Fields stored in secret
          versionId: v1 # kms credential version
          secretStoreRef:
            name: scdemo
            namespace: default

    Execute the command to create an externalsecret test instance:

    kubectl apply -f hello-service-external-secret.yml

    Check whether the target secret is created successfully:

    kubectl get secret esdemo -oyaml

    If the creation is successful, view the secret content as follows:

    apiVersion: v1
    data:
      test1: eyJuYW1lIjoidG9tIiwiYWdlIjoiMTQiLCJmcmllbmRzIjpbeyJuYW1lIjoibGlsaSJ9LHsibmFtZSI6ImVkZiJ9XX0=
    kind: Secret
    metadata:
      creationTimestamp: "2023-10-09T13:03:09Z"
      labels:
        lastUpdatedAt: 2023-10-09T13.03.09Z
      name: esdemo
      namespace: default
      resourceVersion: "7311947"
      uid: 163c6a33-0bee-40b6-8ffe-6897277036cd
    type: Opaque

    Without turning off the automatic synchronization configuration, you can modify the key content in the KMS Secrets Manager and wait for a while to check whether the target secret has been synchronized.

    We supports cross-account synchronization of credentials. Just configure remoteRamRoleArn and remoteRamRoleSessionName in SecretStore.Spec.KMS.KMSAuth. The following is a sample SecretStore

    apiVersion: 'alibabacloud.com/v1alpha1'
    kind: SecretStore
    metadata:
      name: scdemo
    spec:
      KMS:
        KMSAuth:
          oidcProviderARN: "acs:ram::{accountID}:oidc-provider/ack-rrsa-{clusterID}"
          ramRoleARN: "acs:ram::{accountID}:role/{roleName}"
          remoteRamRoleArn: "acs:ram::{accountID}:role/{roleName}"
          remoteRamRoleSessionName: "
  3. JSON-formatted support

  • jmesPath

    If you want to parse a JSON-formatted secret and synchronize the key-value pairs specified in it to the k8s secret, you can use the jmesPath field. The following is an example using the jmesPath field, which we deploy in the cluster

    apiVersion: 'alibabacloud.com/v1alpha1'
    kind: ExternalSecret
    metadata:
      name: es-json-demo
    spec:
      data: 
        - key: 	test1 
          name: test1 
          versionId: v1 
          secretStoreRef:
            name: scdemo
            namespace: default
          jmesPath: # Parse some fields in json string
            - path: "name"
              objectAlias: "name"
            - path: "friends[0].name"
              objectAlias: "friendname"

    After deployment, check whether the secret is created successfully

    kubectl get secret es-json-demo -oyaml

    If the synchronization is successful, you will see the following results:

    apiVersion: v1
    data:
      friendname: bGlsaQ==
      name: dG9t
    kind: Secret
    metadata:
      creationTimestamp: "2023-10-09T13:11:05Z"
      labels:
        lastUpdatedAt: 2023-10-09T13.11.05Z
      name: es-json-demo
      namespace: default
      resourceVersion: "7313940"
      uid: 18d84558-f526-4ff5-ab9a-720ec1861c30
    type: Opaque

    When you use the jmesPath field, you must specify the following two subfields:

    • path: Required, parses the specified field in json based on the JMES path specification

    • objectAlias: Required, used to specify the parsed field to be synchronized to the key name in the k8s secret

  • dataProcess

    If you want to parse JSON credentials and store them in a secret but don't know the specific structure of the credentials, you can use the self-extraction feature, which is the dataProcess.Extract field. You can also perform rule-based replacements on the parsed field keys using the dataProcess.replaceRule field to prevent irregular secret data keys from causing issues when creating a secret. The following is an example of an ExternalSecret:

    apiVersion: 'alibabacloud.com/v1alpha1'
    kind: ExternalSecret
    metadata:
      name: extract-secret
    spec:
      dataProcess:
        - extract:
            key: test1
            name: extract
            versionId: v1
            secretStoreRef:
              name: dkms-client
              namespace: default
          replaceRule:
            - source: "^n.*e$" # To replace keys that start with 'n' and end with 'e' with 'alibabacloud'
              target: "alibabacloud"
            - source: "^f.*s$"
              target: "ack"

    Once the synchronization is successful, you will be able to see the following results. The JSON credentials are parsed into three parts, and their respective keys are replaced according to the replaceRule rules.

    apiVersion: v1
    data:
      ack: W3sibmFtZSI6ImxpbGkifSx7Im5hbWUiOiJlZGYifV0=
      age: IjE0Ig==
      alibabacloud: InRvbSI=
    kind: Secret
    metadata:
      creationTimestamp: "2023-10-09T14:07:35Z"
      labels:
        lastUpdatedAt: 2023-10-09T14.07.35Z
      name: extract-secret
      namespace: default
      resourceVersion: "7328187"
      uid: a3ab5278-02bd-4544-bae7-b502acccfe3c
    type: Opaque

Security

Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our SECURITY.md file for details.

Release Note

Version Date Changes
0.4.0 2022/12/22 Support sync specific key-value pairs extract from a JSON-formatted secret based on JMES path
0.5.0 2023/10/10 1.dedicated KMS credential synchronization
2.multiple Alibaba Cloud access credentials management,
3.self-resolving credentials and key rule replacement
4.shared KMS cross-account credential synchronization.