From 60f62a7df63ca981acc9b3bdd80b7bc00bbf9cb2 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 30 Aug 2024 16:26:19 +0200 Subject: [PATCH 1/2] Add a push secret blog post --- .wordlist.txt | 10 +++- content/blog/2024-08-30-push-secrets.md | 73 +++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 3 deletions(-) create mode 100644 content/blog/2024-08-30-push-secrets.md diff --git a/.wordlist.txt b/.wordlist.txt index 42a10f44b..c58472cd7 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -1,6 +1,3 @@ -tei -synapseai -atest aab aap abd @@ -59,6 +56,7 @@ arslan arslankhanali arunhari arunkumar +atest atlassian atliqsqqydaykmfejpyhfvukgsgywv atuc @@ -77,6 +75,7 @@ baldessari baremetal baremetal integrations baseos +baz bcb bck bd @@ -724,6 +723,8 @@ pstools pubkey publickey purpu +pushsecret +pushsecrets pv pvcs pxe @@ -873,6 +874,7 @@ supportmatrix sur svc svg +synapseai synched syncpolicy sys @@ -885,6 +887,7 @@ targetport tbd tcp techpreview +tei tekron tekton tektoncd @@ -897,6 +900,7 @@ testfile testid testidtgi testlab +testme testsource tf tgfqgvpdh diff --git a/content/blog/2024-08-30-push-secrets.md b/content/blog/2024-08-30-push-secrets.md new file mode 100644 index 000000000..2fdbc1e11 --- /dev/null +++ b/content/blog/2024-08-30-push-secrets.md 
@@ -0,0 +1,73 @@ +--- + date: 2024-08-30 + title: Pushing secrets + summary: Pushing Secrets to Vault + author: Michele Baldessari + blog_tags: + - patterns +--- + +# Pushing Secrets to HashiCorp Vault + +With this post we'd like to Introduce a powerful new feature: Push Secrets Across Nodes and Namespaces. + +## Overview + +We’re excited to announce a new feature that enhances the flexibility and +security of your secret management workflows: you can now use the +`secret/pushsecrets` vault path to push secrets from any node or any namespace +to Vault. This feature allows secrets to be securely retrieved from a different +namespace or even a different cluster node, making it easier to manage and +distribute sensitive data across your infrastructure. + +Once stored in the Vault, these secrets can be accessed from either a different +namespace or a different cluster node, providing a seamless way to manage +secrets across a distributed environment. + +## How It Works + +To illustrate how this feature works, let’s walk through a simple example where +we push a secret using a PushSecret resource. 
+ +```yaml +apiVersion: external-secrets.io/v1alpha1 +kind: PushSecret +metadata: + name: pushsecret + namespace: hello-world +spec: + data: + - conversionStrategy: None + match: + remoteRef: + remoteKey: pushsecrets/testme # the remote vault path + property: baz # the key in the path defined above inside the vault + secretKey: bar # The property of the local secret that will be pushed to `baz` in the vault + deletionPolicy: Delete + refreshInterval: 10s + secretStoreRefs: + - kind: ClusterSecretStore + name: vault-backend + selector: + secret: + name: existing-secret + updatePolicy: Replace +``` + +In this example, the PushSecret resource is defined in the hello-world +namespace and it will take the key `bar` of the k8s secret called +`existing-secret` and push it to Vault in the `pushsecrets/testme` path and +ultimately it will be copied under the `baz` key/property inside vault. + +Here is some more info on the other yaml fields: + +* `deletionPolicy` Determines what happens to the secret when the PushSecret is deleted. In this case, the secret will also be deleted from the Vault. +* `refreshInterval` Sets how often the secret will be refreshed. This is set to 10 seconds in the example, meaning the secret will be checked and updated every 10 seconds. +* `secretStoreRefs` Points to the ClusterSecretStore named vault-backend, which defines where the secret will be stored. +* `selector` Identifies the secret to be pushed. In this case, it is the secret named existing-secret within the hello-world namespace. +* `updatePolicy` Specifies the policy for updating the secret in the Vault. The Replace policy will overwrite any existing secret at the target location with the new value. + +This configuration effectively takes a specific property (baz) from an existing +secret in the hello-world namespace and pushes it to the Vault path +secret/pushsecrets/testme. The secret can then be retrieved from any other +namespace or node that has access to the Vault. 
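Review bot: the `@@ -1,6 +1,3 @@` hunk of `.wordlist.txt` removes `tei`, `synapseai` and `atest` from the top of the file only to re-add them at their sorted positions in later hunks; that reordering has nothing to do with the blog post and would be easier to review as its own commit, leaving this one with just the tokens the post actually needs (`baz`, `pushsecret`, `pushsecrets`, `testme`). Three of those four exist only because of placeholder names in the example YAML, so consider whether the spell checker should skip fenced code blocks rather than growing the wordlist for every sample value.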
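Review bot: the closing paragraph of the new `content/blog/2024-08-30-push-secrets.md` ("takes a specific property (baz) from an existing secret in the hello-world namespace") contradicts both the YAML and the explanation two paragraphs above it: the key read from `existing-secret` is `bar` (`secretKey: bar`), and `baz` is the property written at `pushsecrets/testme` in Vault (`property: baz`), so it should read "takes the `bar` key of `existing-secret` and stores it as `baz` under `secret/pushsecrets/testme`". Two further points will confuse readers. The Overview talks about pushing secrets "from any node" and reading them from "a different cluster node"; Kubernetes Secrets are namespace-scoped, not node-scoped, and the sentence almost certainly means a different cluster, so say "cluster" (and fix the stray capital in "we'd like to Introduce"). The Overview also names the path `secret/pushsecrets` while `remoteKey` is `pushsecrets/testme`; the `secret/` prefix comes from the KV mount configured in the `vault-backend` ClusterSecretStore, which the post never shows, so either include that store or say where the prefix comes from. Finally, three of the fields deserve a caveat rather than a restatement: `deletionPolicy: Delete` means deleting this one PushSecret removes the value from Vault for every namespace or cluster that consumes it; `refreshInterval: 10s` polls Vault every ten seconds for a value that rarely changes, so a longer interval is a better default for a copy-pasteable example; and because the store is a ClusterSecretStore, any namespace allowed to create PushSecret objects can write under that Vault path with the store's credentials, so the post should mention how that is restricted (namespace conditions on the store, or the Vault policy bound to the store's auth role).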
From 8a8a719af60a52e5a566189319442d2dbb4f8739 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 30 Aug 2024 16:54:43 +0200 Subject: [PATCH 2/2] Clarify the explanation a bit --- content/blog/2024-08-30-push-secrets.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/content/blog/2024-08-30-push-secrets.md b/content/blog/2024-08-30-push-secrets.md index 2fdbc1e11..6fad88183 100644 --- a/content/blog/2024-08-30-push-secrets.md +++ b/content/blog/2024-08-30-push-secrets.md @@ -27,8 +27,21 @@ secrets across a distributed environment. ## How It Works To illustrate how this feature works, let’s walk through a simple example where -we push a secret using a PushSecret resource. +we push an existing kubernetes secret called `existing-secret` into the Vault +using a PushSecret resource. The existing secret could be the following: +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: existing-secret + namespace: hello-world +data: + bar: YmFyCg== # The secret field we are interested in pushing into the vault + foo: .... +``` +And here is the `PushSecret` resource that will fetch the `bar` key from the existing +secret above and push it into the vault. ```yaml apiVersion: external-secrets.io/v1alpha1 kind: PushSecret @@ -42,7 +55,7 @@ spec: remoteRef: remoteKey: pushsecrets/testme # the remote vault path property: baz # the key in the path defined above inside the vault - secretKey: bar # The property of the local secret that will be pushed to `baz` in the vault + secretKey: bar # The property of the local `existing-secret` secret that will be pushed to `pushsecrets/testme/baz` in the vault deletionPolicy: Delete refreshInterval: 10s secretStoreRefs:
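Review bot: in the `existing-secret` manifest added in the `@@ -27,8 +27,21 @@` hunk, `bar: YmFyCg==` decodes to `bar` followed by a newline (it is what `echo bar | base64` produces), and that trailing newline is exactly what the PushSecret would store as `baz` in Vault; use `YmFy` (`echo -n bar | base64`) or show the secret with `stringData` so readers do not copy a newline into Vault. The `foo: ....` placeholder is not valid base64 and will be rejected if someone applies the manifest as written; drop the key or use a real encoded value with a comment saying it is filler.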
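Review bot: the reworded comment on `secretKey: bar` in the `@@ -42,7 +55,7 @@` hunk now says the value is pushed to `pushsecrets/testme/baz`, which reads as a Vault path with `baz` as its last segment; in Vault KV `baz` is a key inside the secret stored at `pushsecrets/testme`, so say "to the `baz` key of `pushsecrets/testme`". This commit is meant to clarify the explanation but leaves the post's closing paragraph untouched, and that paragraph still describes the pushed property as `baz` rather than `bar`; fix that sentence in the same change so the comment, the walkthrough and the summary agree.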