Secret Manager integrations


Available in VPC

In Ncloud Kubernetes Service, you can use secrets stored in Secret Manager through integration. This feature is supported by the Secrets Store CSI Driver provided by Kubernetes and secrets-store-csi-driver-provider-ncp provided by Ncloud Kubernetes Service.

Service limits

  • Secret Manager is only available in Korea and Japan Regions.

Requirements

  • You must be already using Secret Manager.
  • For Secret Manager lookups, the NCP_SECRETMANAGER_USER permission is required for sub accounts.

Features

  • Secrets stored in Secret Manager can be used by mounting them as volumes in a pod.
  • When secrets stored in Secret Manager are rotated, secrets mounted in the pod can also be automatically rotated.
  • Secrets stored in Secret Manager can be synchronized with Kubernetes secrets.

Installation

For integration with Secret Manager, you need to install secrets-store-csi-driver and secrets-store-csi-driver-provider-ncp.

  1. Run the command shown below to install secrets-store-csi-driver.

    • To enable secret rotation, add the --set enableSecretRotation=true setting.
    • To enable synchronization with Kubernetes secrets, add the --set syncSecret.enabled=true setting.
    $ helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    $ helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system
    
  2. Generate authentication information for Secret Manager API calls.

    • ncloud_access_key_id: Ncloud AccessKey
    • ncloud_secret_access_key: Ncloud SecretKey
    • secretmanager_api_url
      • Korea: https://ocapi-kr.ncloud.com/secretmanager/api/v1
      • Japan: https://ocapi-jp.ncloud.com/secretmanager/api/v1
    $ vi configure
    ncloud_access_key_id=<ACCESS_KEY_ID>
    ncloud_secret_access_key=<SECRET_ACCESS_KEY>
    secretmanager_api_url=<SecretManager API URL>
    
  3. Run the command shown below to generate the authentication information as a Kubernetes secret.

    $ kubectl -n kube-system create secret generic ncp-secrets-store-credentials --from-file=./configure
    
  4. Run the command shown below to install the secrets-store-csi-driver-provider-ncp for your region.

    # Korea Region
    $ kubectl --kubeconfig=$KUBE_CONFIG apply -f https://kr.object.ncloudstorage.com/nks-download/secrets-store-csi-driver-provider-ncp/pub/kr/v0.1.0/provider-ncp.yaml
    
    # Japan Region
    $ kubectl --kubeconfig=$KUBE_CONFIG apply -f https://kr.object.ncloudstorage.com/nks-download/secrets-store-csi-driver-provider-ncp/pub/jp/v0.1.0/provider-ncp.yaml
    
    
  5. Run the command below to verify that the installed pods are working properly.

    $ kubectl -n kube-system get po -l app.kubernetes.io/instance=csi-secrets-store
    $ kubectl -n kube-system get po -l app=secrets-store-csi-driver-provider-ncp
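The following Python helper, added here and not part of the Ncloud documentation, carries out steps 2 and 3 with the credentials file created mode 0600 in a private temporary directory, the keys read from the NCLOUD_ACCESS_KEY_ID and NCLOUD_SECRET_ACCESS_KEY environment variables (assumed names) rather than typed on a command line, and the plaintext copy deleted as soon as kubectl has loaded it.

```python
# Added example, not from the Ncloud docs: build the step-2 credentials file for a
# region with 0600 permissions, keys taken from the environment, and assemble the
# step-3 kubectl command so the plaintext copy can be removed right after use.
import os
import subprocess
import tempfile

SECRETMANAGER_API_URL = {  # URLs from step 2; Secret Manager exists only in kr and jp
    "kr": "https://ocapi-kr.ncloud.com/secretmanager/api/v1",
    "jp": "https://ocapi-jp.ncloud.com/secretmanager/api/v1",
}

def configure_text(region, access_key_id, secret_access_key):
    """Return the contents of the `configure` file expected by the ncp provider."""
    if region not in SECRETMANAGER_API_URL:
        raise ValueError("Secret Manager is only available in regions %s" % sorted(SECRETMANAGER_API_URL))
    for name, value in (("access key", access_key_id), ("secret key", secret_access_key)):
        if not value or any(c.isspace() for c in value):
            raise ValueError("invalid %s" % name)
    return ("ncloud_access_key_id=%s\nncloud_secret_access_key=%s\nsecretmanager_api_url=%s\n"
            % (access_key_id, secret_access_key, SECRETMANAGER_API_URL[region]))

def write_configure(region, path):
    """Write the file with mode 0600, reading the keys from the environment (assumed
    variable names) so they never appear on a command line or in shell history."""
    text = configure_text(region, os.environ["NCLOUD_ACCESS_KEY_ID"], os.environ["NCLOUD_SECRET_ACCESS_KEY"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path

def credentials_secret_cmd(path):
    """kubectl command for step 3; the key inside the secret is named `configure`,
    exactly as with --from-file=./configure in the docs."""
    return ["kubectl", "-n", "kube-system", "create", "secret", "generic",
            "ncp-secrets-store-credentials", "--from-file=configure=%s" % path]

def install_credentials(region):
    """Create the file in a private temp dir, load it, then delete the plaintext copy."""
    with tempfile.TemporaryDirectory() as tmp:        # directory is created mode 0700
        path = write_configure(region, os.path.join(tmp, "configure"))
        subprocess.run(credentials_secret_cmd(path), check=True)
```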

Use

Defining SecretProviderClass

You can use secrets integrated with Secret Manager by defining SecretProviderClass.

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: my-namespace
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        path: "my-secret.txt"
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "id"
        path: "id.txt"
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "password"
        path: "password.txt"
  secretObjects:
  - secretName: my-secret
    type: Opaque
    data:
    - objectName: my-secret.txt
      key: my-key
  • provider: ncp
  • objects: Define the secret to be mounted as a file.
    • objectName: The name of the secret you created in SecretManager.
    • objectType: secretmanager
    • path: The name of the file to be mounted in the pod.
    • secretKey (optional): Among the secrets stored in SecretManager, only the value of the corresponding key is used. If not defined, all keys/values stored in that secret are used in the form of JSON.
  • secretObjects (optional): Set when you need synchronization with Kubernetes secrets.
    • secretName: The Kubernetes secret to be created.
    • data.objectName: The name of the file mounted in the pod (path).
    • data.key: Key name of the generated secret data.

Pod mount configuration

You can enable the use of volumes in the pod by configuring the secretProviderClass.

  volumes:
  - name: my-secret
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-secret"
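As an added example (not from the Ncloud docs) covering both the SecretProviderClass fields above and the pod volume reference, this Python check flags the mismatches that silently break a mount: a wrong provider or objectType, an entry missing a path, two entries writing the same file, a secretObjects data.objectName that does not name a mounted file, and a pod whose volumeAttributes.secretProviderClass does not match metadata.name. It takes the manifest as a dict (what a YAML loader would return) and parses the objects block itself, so it needs no third-party modules.

```python
# Added example, not from the Ncloud docs: pre-apply checks for an ncp SecretProviderClass.

def parse_objects(block):
    """Parse the `objects: |` list (`- key: "value"` lines) into dicts."""
    items = []
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("- "):          # start of a new object entry
            items.append({})
            line = line[2:]
        if line:
            key, _, value = line.partition(":")
            items[-1][key.strip()] = value.strip().strip('"')
    return items

def check_spc(spc, pod_volume_class=None):
    """Return a list of problems (empty = consistent). pod_volume_class is what
    the pod puts in volumeAttributes.secretProviderClass, if you want to check it."""
    problems, spec, paths = [], spc.get("spec", {}), set()
    if spec.get("provider") != "ncp":
        problems.append("spec.provider must be ncp")
    for i, obj in enumerate(parse_objects(spec.get("parameters", {}).get("objects", ""))):
        for field in ("objectName", "objectType", "path"):
            if not obj.get(field):
                problems.append("objects[%d]: missing %s" % (i, field))
        if obj.get("objectType") != "secretmanager":
            problems.append("objects[%d]: objectType must be secretmanager" % i)
        if obj.get("path") in paths:       # two entries would write the same file
            problems.append("objects[%d]: duplicate path %s" % (i, obj["path"]))
        paths.add(obj.get("path"))
    for so in spec.get("secretObjects", []):  # a synced Secret must read a mounted file
        for d in so.get("data", []):
            if d.get("objectName") not in paths:
                problems.append("secretObjects/%s: objectName %s is not a mounted path"
                                % (so.get("secretName"), d.get("objectName")))
    if pod_volume_class and pod_volume_class != spc.get("metadata", {}).get("name"):
        problems.append("pod volumeAttributes.secretProviderClass must equal metadata.name")
    return problems

# Constructed sample: the manifest from this page as a YAML loader would return it.
SAMPLE_SPC = {
    "metadata": {"name": "my-secret", "namespace": "my-namespace"},
    "spec": {"provider": "ncp",
             "parameters": {"objects": '- objectName: "my-secret"\n  objectType: "secretmanager"\n'
                                       '  path: "my-secret.txt"\n- objectName: "my-secret"\n'
                                       '  objectType: "secretmanager"\n  secretKey: "id"\n  path: "id.txt"\n'},
             "secretObjects": [{"secretName": "my-secret", "type": "Opaque",
                                "data": [{"objectName": "my-secret.txt", "key": "my-key"}]}]},
}
```

Run `check_spc(SAMPLE_SPC, pod_volume_class="my-secret")` before `kubectl apply`; an empty list means the manifest, its synced Secret and the pod volume agree.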

Checking the mount status of secret

You can check the status of the secret currently mounted in the pod by looking up SecretProviderClassPodStatus.

$ kubectl get secretproviderclasspodstatuses <pod_name>-<namespace>-<secretproviderclass_name> -o yaml
...
status:
  mounted: true
  objects:
  - id: secretmanager/my-secret
    version: "1"
  podName: my-pod
  secretProviderClassName: my-secret
  targetPath: /var/lib/kubelet/pods/1d401b1a-9a16-4335-b015-59e11e87b349/volumes/kubernetes.io~csi/my-secret/mount

Using secret rotation feature

You can rotate a secret by referring to Set secret rotation in Secret Manager. When a secret in Secret Manager is rotated, the file mounted from that secret in the pod is synchronized automatically. This feature is available as an alpha version of secrets-store-csi-driver. Before using it, refer to the official guide.