Zero to Hero - external-secret-operator
Zola
2024-12-22T00:00:00+00:00
https://zerotohero.dev/tags/external-secret-operator/atom.xml
Using External Secrets Operator with HashiCorp Vault to Create Kubernetes Secrets
2024-12-22T00:00:00+00:00
2024-12-22T00:00:00+00:00
Volkan Özçelik
https://zerotohero.dev/inbox/eso-vault/
<p>When working with Kubernetes, securely managing secrets is a crucial part of your infrastructure. Traditional approaches—like directly embedding secrets in manifests or manually managing <code>Secret</code> objects—can become cumbersome and less secure over time. Enter the <a rel="external" href="https://external-secrets.io">External Secrets Operator (ESO)</a>, a powerful way to integrate external secret stores with Kubernetes. One such secret store is <a rel="external" href="https://www.vaultproject.io">HashiCorp Vault</a>, a proven solution for securely storing and accessing secrets.</p>
<p>In this post, we’ll walk through the key Custom Resource Definitions (CRDs) you need to set up in your cluster to fetch secrets from Vault and have them automatically synchronized as Kubernetes secrets.</p>
<h2 id="overview">Overview</h2>
<p>ESO acts as a bridge between external secret stores (in this case, Vault) and Kubernetes <code>Secret</code> objects. To make this happen, you’ll define a store resource that tells ESO <strong>where</strong> and <strong>how</strong> to retrieve secrets. You’ll then define another resource that specifies <strong>which</strong> secrets to fetch and how to transform them into Kubernetes secrets.</p>
<p>In other words:</p>
<ul>
<li><strong>SecretStore/ClusterSecretStore:</strong> Defines the external secret provider configuration</li>
<li><strong>ExternalSecret:</strong> Defines the specific secrets you want to pull from your chosen store and how to map them into Kubernetes secrets</li>
</ul>
<h2 id="key-resources">Key Resources</h2>
<h3 id="1-secretstore-or-clustersecretstore">1. SecretStore or ClusterSecretStore</h3>
<p>The <code>SecretStore</code> or <code>ClusterSecretStore</code> resource provides information about your Vault instance, including:</p>
<ul>
<li><strong>Endpoint:</strong> The URL of the Vault server</li>
<li><strong>Authentication method:</strong> How ESO should authenticate to Vault (e.g., using a Kubernetes Service Account token, Vault token, or another method)</li>
<li><strong>Paths and parameters:</strong> Details like which Vault mount paths and keys to read from</li>
</ul>
<p><strong>When to use <code>SecretStore</code> vs. <code>ClusterSecretStore</code>?</strong></p>
<ul>
<li><strong>SecretStore:</strong> Used when you want the configuration to be namespace-specific</li>
<li><strong>ClusterSecretStore:</strong> Used when you want a cluster-wide configuration accessible by multiple namespaces</li>
</ul>
<p><strong>Example:</strong></p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vault-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> vault</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> server</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">https://vault.example.com</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> path</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">secret</span><span style="color: #A89984;">"</span><span style="color: #928374;font-style: italic;"> # The path where secrets are stored in Vault</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> version</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">v2</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> auth</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> tokenSecretRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vault-token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> token</span></span></code></pre>
<p>This <code>ClusterSecretStore</code> tells ESO how to communicate with a Vault server at <code>vault.example.com</code>, using a token stored in the <code>vault-token</code> Secret.</p>
<h3 id="2-externalsecret">2. ExternalSecret</h3>
<p>The <code>ExternalSecret</code> resource references the <code>SecretStore</code> or <code>ClusterSecretStore</code> and tells ESO which keys from Vault to sync and how to project them into a Kubernetes Secret.</p>
<p><strong>Example:</strong></p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ExternalSecret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> my-app-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> namespace</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> default</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> refreshInterval</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> 1h</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretStoreRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vault-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> target</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> my-app-k8s-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> creationPolicy</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Owner</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> api-key</span><span style="color: #928374;font-style: italic;"> # Key in the resulting K8s Secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> my-app/api-key</span><span style="color: #928374;font-style: italic;"> # Path/key in Vault</span></span></code></pre>
<p>In this <code>ExternalSecret</code>:</p>
<ul>
<li><code>secretStoreRef</code> points to the <code>ClusterSecretStore</code> named <code>vault-backend</code></li>
<li>It requests a secret named <code>my-app/api-key</code> from Vault</li>
<li>It maps that key into a Kubernetes Secret named <code>my-app-k8s-secret</code> under the <code>api-key</code> key</li>
</ul>
<h2 id="how-it-works">How it Works</h2>
<ol>
<li>
<p><strong>Define the Store:</strong>
Set up a <code>ClusterSecretStore</code> or <code>SecretStore</code> resource that points to your Vault instance and specifies authentication details.</p>
</li>
<li>
<p><strong>Request the Secret:</strong>
Create an <code>ExternalSecret</code> resource that references the store and specifies the exact secrets you need.</p>
</li>
<li>
<p><strong>ESO Synchronizes the Secret:</strong>
The External Secrets Operator continuously reconciles resources. When it sees your <code>ExternalSecret</code>, it connects to Vault (using the instructions from the store resource), fetches the requested secret, and creates or updates the corresponding Kubernetes Secret object in your cluster.</p>
</li>
</ol>
<h2 id="analogies">Analogies</h2>
<ul>
<li>Think of the <code>ClusterSecretStore</code> as a “GPS coordinate” that tells ESO where to find the treasure (your secrets) in Vault.</li>
<li>The <code>ExternalSecret</code> is your “shopping list,” telling ESO which items (specific keys/values) to bring back from that secret store and how to pack them into a Kubernetes Secret.</li>
</ul>
<h2 id="pros-and-cons">Pros and Cons</h2>
<h3 id="pros">Pros:</h3>
<ul>
<li>Separation of concerns: Store configuration is separate from secret retrieval specifications</li>
<li>Reusability: You can reuse the same <code>ClusterSecretStore</code> for multiple <code>ExternalSecrets</code></li>
<li>Security: Keeps sensitive data in Vault, only syncing what’s necessary to Kubernetes</li>
</ul>
<h3 id="cons">Cons:</h3>
<ul>
<li>Initial complexity: Requires understanding CRDs and writing additional YAML manifests</li>
<li>Extra components: Relies on running ESO and Vault integrations</li>
</ul>
<h2 id="summary">Summary</h2>
<p>By defining a <code>SecretStore</code> or <code>ClusterSecretStore</code> and one or more <code>ExternalSecrets</code>, you can seamlessly integrate HashiCorp Vault secrets into your Kubernetes cluster with the External Secrets Operator. This pattern centralizes and secures your secret management workflow, providing a more maintainable and secure approach than manually managing Secret objects.</p>
<h3 id="key-takeaways">Key Takeaways:</h3>
<ul>
<li>Use <code>SecretStore</code> or <code>ClusterSecretStore</code> to define how to connect to Vault</li>
<li>Use <code>ExternalSecret</code> to specify which secrets to pull from Vault</li>
<li>ESO automatically keeps your Kubernetes secrets in sync with Vault’s secrets</li>
</ul>
<h2 id="further-reading">Further Reading</h2>
<ul>
<li><a rel="external" href="https://external-secrets.io">External Secrets Operator Documentation</a></li>
<li><a rel="external" href="https://www.vaultproject.io">HashiCorp Vault Documentation</a></li>
</ul>
Building a Custom Webhook Provider for External Secrets Operator: A Step-by-Step Guide
2024-12-12T00:00:00+00:00
2024-12-12T00:00:00+00:00
Volkan Özçelik
https://zerotohero.dev/go/eso-webhook-pitfalls/
<p>In this tutorial, we’ll walk through creating a custom webhook provider for External Secrets Operator (ESO) from scratch. We’ll build a simple Go server that serves as a webhook, deploy it to Kubernetes, and configure ESO to use it for secret management.</p>
<h2 id="understanding-the-architecture">Understanding the Architecture</h2>
<p>The External Secrets Operator (ESO) can fetch secrets from various providers, including custom webhooks. In this setup:</p>
<ol>
<li>ESO sends requests to our webhook with a key</li>
<li>The webhook returns a structured JSON response</li>
<li>ESO processes this response and creates Kubernetes secrets accordingly</li>
</ol>
<h2 id="step-1-creating-the-webhook-server">Step 1: Creating the Webhook Server</h2>
<p>First, let’s create a simple Go server that responds to webhook requests. Here’s a basic implementation:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="go"><span class="giallo-l"><span style="color: #8EC07C;">package</span><span> main</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">import</span><span style="color: #A89984;"> (</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">encoding/json</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">fmt</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">log</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">net/http</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #A89984;">)</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;">// Response structure matching ESO's expectations</span></span>
<span class="giallo-l"><span style="color: #FB4934;">type</span><span> Response</span><span style="color: #83A598;"> struct</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Namespaces</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span>NamespaceData</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"namespaces"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">type</span><span> NamespaceData</span><span style="color: #83A598;"> struct</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Secrets</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span>Secret</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"secrets"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">type</span><span> Secret</span><span style="color: #83A598;"> struct</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Type</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"type"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Value</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"value"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Metadata</span><span> SecretMetadata</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"metadata"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Expires</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"expires"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> NotBefore</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"notBefore"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">type</span><span> SecretMetadata</span><span style="color: #83A598;"> struct</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Labels</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"labels"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Annotations</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"annotations"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> CreationTimestamp</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"creationTimestamp"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #83A598;"> LastUpdated</span><span style="color: #FABD2F;"> string</span><span style="color: #A89984;"> `</span><span style="color: #B8BB26;">json:"lastUpdated"</span><span style="color: #A89984;">`</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">func</span><span style="color: #D3869B;"> main</span><span style="color: #A89984;">() {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">HandleFunc</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">/webhook</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> webhookHandler</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #83A598;"> fmt</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Println</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">Server is running on :8080</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span style="color: #83A598;"> log</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Fatal</span><span style="color: #A89984;">(</span><span style="color: #83A598;">http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">ListenAndServe</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">:8080</span><span style="color: #A89984;">",</span><span style="color: #D3869B;"> nil</span><span style="color: #A89984;">))</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">func</span><span style="color: #D3869B;"> webhookHandler</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span> http</span><span style="color: #A89984;">.</span><span>ResponseWriter</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> r</span><span style="color: #8EC07C;"> *</span><span>http</span><span style="color: #A89984;">.</span><span>Request</span><span style="color: #A89984;">) {</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> r</span><span style="color: #A89984;">.</span><span style="color: #83A598;">Method</span><span style="color: #8EC07C;"> !=</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">MethodGet</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Method not allowed</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusMethodNotAllowed</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #83A598;"> key</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> r</span><span style="color: #A89984;">.</span><span style="color: #83A598;">URL</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Query</span><span style="color: #A89984;">().</span><span style="color: #D3869B;">Get</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">key</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> key</span><span style="color: #8EC07C;"> !=</span><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">coca-cola.cluster-001</span><span style="color: #A89984;">" {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Invalid key</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusBadRequest</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #83A598;"> response</span><span style="color: #8EC07C;"> :=</span><span> Response</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Namespaces</span><span style="color: #A89984;">:</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span>NamespaceData</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">coke-system</span><span style="color: #A89984;">": {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Secrets</span><span style="color: #A89984;">:</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span>Secret</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">admin-credentials</span><span style="color: #A89984;">": {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Type</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">k8s</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Value</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">super-secret-secret</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Metadata</span><span style="color: #A89984;">:</span><span> SecretMetadata</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Labels</span><span style="color: #A89984;">:</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">managed-by</span><span style="color: #A89984;">": "</span><span style="color: #B8BB26;">coke-system</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Annotations</span><span style="color: #A89984;">:</span><span style="color: #FB4934;"> map</span><span style="color: #A89984;">[</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">]</span><span style="color: #FABD2F;">string</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">inject-sidecar</span><span style="color: #A89984;">": "</span><span style="color: #B8BB26;">true</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #83A598;"> CreationTimestamp</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">2024-01-01</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #83A598;"> LastUpdated</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">2024-01-01</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #83A598;"> Expires</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">2024-01-01</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #83A598;"> NotBefore</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">2024-01-01</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #83A598;"> w</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Header</span><span style="color: #A89984;">().</span><span style="color: #D3869B;">Set</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">Content-Type</span><span style="color: #A89984;">", "</span><span style="color: #B8BB26;">application/json</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span style="color: #83A598;"> json</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">NewEncoder</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">).</span><span style="color: #D3869B;">Encode</span><span style="color: #A89984;">(</span><span style="color: #83A598;">response</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span></code></pre><h2 id="step-2-containerizing-the-webhook">Step 2: Containerizing the Webhook</h2>
<p>Create a Dockerfile to package the webhook:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="docker"><span class="giallo-l"><span style="color: #FB4934;">FROM</span><span> golang:1.20-alpine </span><span style="color: #FB4934;">AS</span><span> builder</span></span>
<span class="giallo-l"><span style="color: #FB4934;">WORKDIR</span><span> /app</span></span>
<span class="giallo-l"><span style="color: #FB4934;">COPY</span><span> main.go .</span></span>
<span class="giallo-l"><span style="color: #FB4934;">RUN</span><span> go build -o webhook-server main.go</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;">FROM</span><span> alpine:latest</span></span>
<span class="giallo-l"><span style="color: #FB4934;">WORKDIR</span><span> /root/</span></span>
<span class="giallo-l"><span style="color: #FB4934;">COPY</span><span> --from=builder /app/webhook-server .</span></span>
<span class="giallo-l"><span style="color: #FB4934;">EXPOSE</span><span> 8080</span></span>
<span class="giallo-l"><span style="color: #FB4934;">CMD</span><span> [</span><span style="color: #B8BB26;">"./webhook-server"</span><span>]</span></span></code></pre><h2 id="step-3-deploying-to-kubernetes">Step 3: Deploying to Kubernetes</h2>
<p>Deploy the webhook using a Kubernetes Deployment and Service:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> apps/v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Deployment</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> labels</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> app</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> replicas</span><span style="color: #A89984;">:</span><span style="color: #D3869B;"> 1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> selector</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> matchLabels</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> app</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> template</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> labels</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> app</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> containers</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> image</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> localhost:5000/eso-webhook:v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> ports</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> containerPort</span><span style="color: #A89984;">:</span><span style="color: #D3869B;"> 8080</span></span>
<span class="giallo-l"><span>---</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Service</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> type</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> LoadBalancer</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> selector</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> app</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> eso-webhook</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> ports</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> protocol</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> TCP</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> port</span><span style="color: #A89984;">:</span><span style="color: #D3869B;"> 80</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> targetPort</span><span style="color: #A89984;">:</span><span style="color: #D3869B;"> 8080</span></span></code></pre><h2 id="step-4-configuring-external-secrets-operator">Step 4: Configuring External Secrets Operator</h2>
<p>Now comes the crucial part: configuring ESO to use our webhook. This involves two components:</p>
<ol>
<li>A ClusterSecretStore that defines how to access our webhook</li>
<li>An ExternalSecret that specifies what secrets to fetch</li>
</ol>
<h3 id="clustersecretstore-configuration">ClusterSecretStore Configuration</h3>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> webhook</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> url</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">http://eso-webhook.default.svc.cluster.local/webhook?key={{ .remoteRef.key }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> method</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> GET</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> result</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> jsonPath</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">$.namespaces</span><span style="color: #A89984;">"</span></span></code></pre><h3 id="externalsecret-configuration-with-advanced-templating">ExternalSecret Configuration with Advanced Templating</h3>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ExternalSecret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> coke-admin-credentials</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> namespace</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> coke-system</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> refreshInterval</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">15s</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretStoreRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> target</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> admin-credentials</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> creationPolicy</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Owner</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> template</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> engineVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> v2</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> labels</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> managed-by</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ index .coke-system.secrets.admin-credentials.metadata.labels "managed-by" }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> annotations</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> inject-sidecar</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ index .coke-system.secrets.admin-credentials.metadata.annotations "inject-sidecar" }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> type</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ .coke-system.secrets.admin-credentials.type }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> username</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ .coke-system.secrets.admin-credentials.value | b64dec }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> password</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ .coke-system.secrets.admin-credentials.value | b64dec | upper }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> created-at</span><span style="color: #A89984;">: '</span><span style="color: #B8BB26;">{{ now | date "2006-01-02T15:04:05Z07:00" }}</span><span style="color: #A89984;">'</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> coke-system</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> coca-cola.cluster-001</span></span></code></pre><h2 id="understanding-the-template-engine">Understanding the Template Engine</h2>
<p>The ExternalSecret configuration uses ESO’s v2 template engine, which provides powerful features for transforming secret data:</p>
<ol>
<li><strong>Engine Version</strong>: We specify <code>engineVersion: v2</code> to use the latest templating capabilities.</li>
<li><strong>Accessing Hyphenated Fields</strong>: Fields with hyphens require the <code>index</code> function, e.g., <code>{{ index .metadata.labels "managed-by" }}</code>.</li>
<li><strong>Data Transformation</strong>: We can use functions like <code>b64dec</code> for base64 decoding and <code>upper</code> for uppercase conversion.</li>
<li><strong>Time Functions</strong>: The <code>now</code> function with date formatting helps track secret creation times.</li>
</ol>
<h2 id="common-pitfalls-and-solutions">Common Pitfalls and Solutions</h2>
<ol>
<li><strong>Hyphenated Field Access</strong>: Always use the <code>index</code> function for fields with hyphens.</li>
<li><strong>JSON Path</strong>: Ensure your <code>jsonPath</code> in the ClusterSecretStore matches your webhook’s response structure.</li>
<li><strong>Service Discovery</strong>: Use the full Kubernetes service DNS name for reliable webhook access.</li>
<li><strong>Template Engine Version</strong>: Always specify <code>engineVersion: v2</code> for advanced templating features.</li>
</ol>
<h2 id="conclusion">Conclusion</h2>
<p>Creating a custom webhook provider for External Secrets Operator involves careful consideration of:</p>
<ul>
<li>Webhook response structure</li>
<li>Kubernetes deployment configuration</li>
<li>ESO template engine features</li>
<li>Service networking and discovery</li>
</ul>
<p>By following this guide, you can create a flexible secret management solution that integrates seamlessly with your Kubernetes infrastructure while maintaining security and scalability.</p>
Debugging URL Encoding Issues with External Secrets Operator's Webhook Provider
2024-12-12T00:00:00+00:00
2024-12-12T00:00:00+00:00
Volkan Özçelik
https://zerotohero.dev/inbox/eso-urlencode/
<p>When working with Kubernetes External Secrets Operator (ESO) and its webhook provider, you might encounter some interesting URL encoding challenges. In this post, I’ll walk through a specific issue we encountered and how we solved it, which might help others facing similar problems.</p>
<h2 id="the-setup">The Setup</h2>
<p>We started with a basic <code>ClusterSecretStore</code> configuration using ESO’s webhook provider:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> webhook</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> url</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">http://eso-webhook.default.svc.cluster.local:80/webhook?{{ .remoteRef.key }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> method</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> GET</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> result</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> jsonPath</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">$</span><span style="color: #A89984;">"</span></span></code></pre>
<p>Our webhook server was a simple Go application designed to handle requests and return secret values based on a path parameter. We expected clean, separate query parameters, but reality had different plans.</p>
<h2 id="the-problem">The Problem</h2>
<p>When we started debugging why our webhook wasn’t working as expected, we added some basic logging to our Go server:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="go"><span class="giallo-l"><span style="color: #83A598;">key</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> r</span><span style="color: #A89984;">.</span><span style="color: #83A598;">URL</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Query</span><span style="color: #A89984;">().</span><span style="color: #D3869B;">Get</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">key</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span style="color: #83A598;">fmt</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Println</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">key</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> key</span><span style="color: #A89984;">)</span></span></code></pre>
<p>To our surprise, the key was empty! Further investigation by printing the raw URL revealed something interesting:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="plain"><span class="giallo-l"><span>Method: GET</span></span>
<span class="giallo-l"><span>URL: /webhook?key%3Dcoca-cola.cluster-001%26path%3Dnamespaces.cokeSystem.secrets.adminCredentials.value</span></span>
<span class="giallo-l"><span>Protocol: HTTP/1.1</span></span></code></pre>
<p>The entire query string was URL-encoded as a single parameter. Instead of getting our parameters separately, everything was encoded within the <code>key</code> parameter.</p>
<h2 id="the-solution">The Solution</h2>
<h3 id="understanding-what-s-happening">Understanding What’s Happening</h3>
<p>When ESO processes the template in our ClusterSecretStore URL, it’s taking the entire <code>remoteRef.key</code> value and inserting it as-is into the URL. If our <code>remoteRef.key</code> contains URL-special characters (like <code>=</code> and <code>&</code>), they get encoded, resulting in our doubly-nested query string.</p>
<h3 id="fixing-the-server-code">Fixing the Server Code</h3>
<p>Here’s how we modified our webhook server to handle this situation properly:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="go"><span class="giallo-l"><span style="color: #FB4934;">func</span><span style="color: #D3869B;"> webhookHandler</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span> http</span><span style="color: #A89984;">.</span><span>ResponseWriter</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> r</span><span style="color: #8EC07C;"> *</span><span>http</span><span style="color: #A89984;">.</span><span>Request</span><span style="color: #A89984;">) {</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Get the 'key' query parameter</span></span>
<span class="giallo-l"><span style="color: #83A598;"> encodedKey</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> r</span><span style="color: #A89984;">.</span><span style="color: #83A598;">URL</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Query</span><span style="color: #A89984;">().</span><span style="color: #D3869B;">Get</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">key</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Unescape the key parameter</span></span>
<span class="giallo-l"><span style="color: #83A598;"> decodedKey</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> url</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">QueryUnescape</span><span style="color: #A89984;">(</span><span style="color: #83A598;">encodedKey</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> !=</span><span style="color: #D3869B;"> nil</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Failed to decode key parameter</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusBadRequest</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Parse the decoded key as a query string</span></span>
<span class="giallo-l"><span style="color: #83A598;"> values</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> url</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">ParseQuery</span><span style="color: #A89984;">(</span><span style="color: #83A598;">decodedKey</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> !=</span><span style="color: #D3869B;"> nil</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Invalid key format</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusBadRequest</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #83A598;"> authKey</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> values</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Get</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">key</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"><span style="color: #83A598;"> path</span><span style="color: #8EC07C;"> :=</span><span style="color: #83A598;"> values</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Get</span><span style="color: #A89984;">("</span><span style="color: #B8BB26;">path</span><span style="color: #A89984;">")</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Validate and use the parameters</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> authKey</span><span style="color: #8EC07C;"> !=</span><span style="color: #A89984;"> "</span><span style="color: #B8BB26;">coca-cola.cluster-001</span><span style="color: #A89984;">" {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Invalid authentication key</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusUnauthorized</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> path</span><span style="color: #8EC07C;"> ==</span><span style="color: #A89984;"> "" {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Path is required</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusBadRequest</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Process the request...</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span></code></pre>
<p>The key improvements in this solution are:</p>
<ol>
<li>Using <code>url.QueryUnescape()</code> to properly decode the URL-encoded parameter</li>
<li>Using <code>url.ParseQuery()</code> to parse the decoded string as a query string itself</li>
<li>Extracting the actual key and path values from the parsed query parameters</li>
</ol>
<h3 id="using-the-clustersecretstore">Using the ClusterSecretStore</h3>
<p>With this server implementation, we can now use our ClusterSecretStore like this:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ExternalSecret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> example-external-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretStoreRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-backend</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> target</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> example-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> adminPassword</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">key=coca-cola.cluster-001&path=namespaces.cokeSystem.secrets.adminCredentials.value</span><span style="color: #A89984;">"</span></span></code></pre><h2 id="lessons-learned">Lessons Learned</h2>
<ol>
<li>Always implement detailed request logging when debugging webhook issues</li>
<li>Don’t assume how parameters will be encoded or structured in webhook requests</li>
<li>Use standard library functions for URL parsing and decoding instead of custom string manipulation</li>
<li>Remember that template variables in Kubernetes resources might be processed differently than you expect</li>
</ol>
<h2 id="conclusion">Conclusion</h2>
<p>URL encoding issues can be tricky to debug, especially when dealing with nested query parameters. By understanding how ESO processes template variables and using proper URL parsing tools, we can build robust webhook handlers that correctly handle these scenarios.</p>
<p>Remember to always implement proper logging during development and testing phases - it makes debugging these kinds of issues much easier. The Go standard library provides excellent tools for handling URL encoding and parsing, so make use of them instead of trying to parse query strings manually.</p>
<p>This solution provides a clean way to handle the URL encoding challenges while maintaining the security and functionality requirements of our webhook provider.</p>
Using External Secrets Operator with HTTP Endpoints: A Complete Guide
2024-12-12T00:00:00+00:00
2024-12-12T00:00:00+00:00
Volkan Özçelik
https://zerotohero.dev/inbox/eso-webhook-provider/
<p>External Secrets Operator (ESO) is a powerful Kubernetes operator that helps manage secrets from external sources. While it’s commonly used with cloud provider secret managers like AWS Secrets Manager or HashiCorp Vault, ESO also supports fetching secrets from HTTP endpoints. In this guide, we’ll explore how to configure ESO to poll an HTTP endpoint and automatically create Kubernetes secrets from the response.</p>
<h2 id="understanding-the-webhook-provider">Understanding the Webhook Provider</h2>
<p>The Webhook provider in ESO allows you to fetch secrets from any HTTP endpoint that returns a JSON response. This is particularly useful when:</p>
<ul>
<li>You have an existing internal secrets service</li>
<li>You need to integrate with a custom secrets management system</li>
<li>You want to generate secrets dynamically through an API</li>
</ul>
<h2 id="configuration-steps">Configuration Steps</h2>
<h3 id="1-setting-up-the-secretstore">1. Setting up the SecretStore</h3>
<p>First, we need to configure a SecretStore that defines our HTTP endpoint and how to interact with it:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> SecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-secret-store</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> webhook</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> url</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> https://your-http-endpoint.com/secrets</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> result</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> jsonPath</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">$.secrets[*]</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> headers</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">Authorization</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> value</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">Bearer <your-token-here></span><span style="color: #A89984;">"</span></span></code></pre>
<p>This configuration tells ESO:</p>
<ul>
<li>Which endpoint to call (<code>url</code>)</li>
<li>How to extract secrets from the response (<code>jsonPath</code>)</li>
<li>What headers to include in the request (<code>headers</code>)</li>
</ul>
<h3 id="2-creating-the-externalsecret">2. Creating the ExternalSecret</h3>
<p>Next, we define an ExternalSecret that specifies which secrets to fetch and how often to refresh them:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ExternalSecret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-external-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> refreshInterval</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">1h</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretStoreRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> webhook-secret-store</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> SecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> target</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> my-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> creationPolicy</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Owner</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> username</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> username</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> password</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> password</span></span></code></pre>
<p>This configuration:</p>
<ul>
<li>Sets a refresh interval of 1 hour</li>
<li>References our SecretStore</li>
<li>Defines which secrets to fetch and how to map them to Kubernetes secret keys</li>
</ul>
<h2 id="best-practices-and-security-considerations">Best Practices and Security Considerations</h2>
<p>When implementing this solution, consider the following best practices:</p>
<ol>
<li>
<p><strong>HTTPS</strong>: Always use HTTPS endpoints to ensure secret data is encrypted in transit.</p>
</li>
<li>
<p><strong>Authentication</strong>: Implement proper authentication using headers or other mechanisms to secure your endpoint.</p>
</li>
<li>
<p><strong>Rate Limiting</strong>: Set appropriate refresh intervals to avoid overwhelming your HTTP endpoint.</p>
</li>
<li>
<p><strong>Error Handling</strong>: Ensure your HTTP endpoint returns appropriate error codes and that ESO can handle them gracefully.</p>
</li>
<li>
<p><strong>Access Control</strong>: Use Kubernetes RBAC to control which pods can access the created secrets.</p>
</li>
</ol>
<h2 id="expected-http-response-format">Expected HTTP Response Format</h2>
<p>Your HTTP endpoint should return a JSON response that matches your configured JSONPath. For example:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="json"><span class="giallo-l"><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #689D6A;">secrets</span><span style="color: #A89984;">": [</span></span>
<span class="giallo-l"><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #689D6A;">username</span><span style="color: #A89984;">": "</span><span style="color: #83A598;">admin</span><span style="color: #A89984;">",</span></span>
<span class="giallo-l"><span style="color: #A89984;"> "</span><span style="color: #689D6A;">password</span><span style="color: #A89984;">": "</span><span style="color: #83A598;">secure-password-123</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"><span style="color: #A89984;"> ]</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span></code></pre><h2 id="troubleshooting">Troubleshooting</h2>
<p>If you encounter issues:</p>
<ol>
<li>
<p>Check the ESO operator logs using:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #FABD2F;">kubectl</span><span style="color: #B8BB26;"> logs</span><span style="color: #D3869B;"> -n</span><span style="color: #B8BB26;"> external-secrets</span><span style="color: #D3869B;"> -l</span><span style="color: #B8BB26;"> app.kubernetes.io/name=external-secrets</span></span></code></pre></li>
<li>
<p>Verify your HTTP endpoint is accessible from the cluster</p>
</li>
<li>
<p>Confirm the JSONPath expression matches your response structure</p>
</li>
<li>
<p>Ensure all required headers are properly configured</p>
</li>
</ol>
<h2 id="conclusion">Conclusion</h2>
<p>Using External Secrets Operator with HTTP endpoints provides a flexible way to integrate custom secret management solutions with Kubernetes. By following this guide and best practices, you can securely manage and automatically update your Kubernetes secrets from any HTTP source.</p>
<p>Remember to always follow security best practices and thoroughly test your configuration in a non-production environment first.</p>
<p>For more information, refer to the <a rel="external" href="https://external-secrets.io/latest/">External Secrets Operator documentation</a>.</p>
HUnderstanding ClusterSecretStore with JWT Authentication in Kubernetes
2024-12-03T00:00:00+00:00
2024-12-03T00:00:00+00:00
Volkan Özçelik
https://zerotohero.dev/inbox/cluster-secrets-store/
<h1 id="understanding-clustersecretstore-with-jwt-authentication-in-kubernetes">Understanding ClusterSecretStore with JWT Authentication in Kubernetes</h1>
<p>When working with External Secrets Operator (ESO) in Kubernetes, configuring a ClusterSecretStore with JWT authentication requires careful consideration of several aspects. Let’s explore how to set this up correctly and understand its limitations.</p>
<h2 id="understanding-the-components">Understanding the Components</h2>
<p>A typical setup involves:</p>
<ol>
<li>A webhook service that validates JWT tokens</li>
<li>A Kubernetes secret storing the JWT token</li>
<li>A ClusterSecretStore configuration that uses the token for authentication</li>
</ol>
<h2 id="basic-configuration">Basic Configuration</h2>
<p>Here’s a basic ClusterSecretStore configuration with JWT authentication:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vsecm-scout</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> webhook</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> url</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">https://vsecm-scout.default.svc.cluster.local:8443/webhook?key={{ .remoteRef.key }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> method</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> GET</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> result</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> jsonPath</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">$</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> headers</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> Authorization</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">Bearer {{ .jwt.token }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secrets</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt-token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> caBundle</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">your-ca-bundle-here</span><span style="color: #A89984;">"</span></span></code></pre><h2 id="token-management-challenges">Token Management Challenges</h2>
<h3 id="static-nature-of-configuration">Static Nature of Configuration</h3>
<p>One critical limitation to understand is that ClusterSecretStore configurations are static. When you rotate the JWT token by updating the Kubernetes secret, the ClusterSecretStore doesn’t automatically pick up the changes.</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #928374;font-style: italic;"># This secret update won't automatically reflect in ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt-token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">type</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Opaque</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">stringData</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> token</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">your-new-jwt-token</span><span style="color: #A89984;">"</span></span></code></pre><h3 id="handling-token-rotation">Handling Token Rotation</h3>
<p>Given this limitation, there are several approaches to handle token rotation:</p>
<ol>
<li><strong>Manual Update Approach</strong>:</li>
</ol>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #928374;font-style: italic;"># Update the JWT secret</span></span>
<span class="giallo-l"><span style="color: #FABD2F;">kubectl</span><span style="color: #B8BB26;"> create secret generic jwt-token</span><span style="color: #D3869B;"> --from-literal=token=new-jwt-token -n</span><span style="color: #B8BB26;"> default</span><span style="color: #D3869B;"> --dry-run=client -o</span><span style="color: #B8BB26;"> yaml</span><span style="color: #8EC07C;"> |</span><span style="color: #FABD2F;"> kubectl</span><span style="color: #B8BB26;"> apply</span><span style="color: #D3869B;"> -f</span><span style="color: #B8BB26;"> -</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"># Force update of ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #FABD2F;">kubectl</span><span style="color: #B8BB26;"> replace</span><span style="color: #D3869B;"> -f</span><span style="color: #B8BB26;"> clusterSecretStore.yaml</span></span></code></pre>
<ol start="2">
<li>
<p><strong>Custom Controller Approach</strong>:
Create a controller that watches for secret changes and updates the ClusterSecretStore accordingly.</p>
</li>
<li>
<p><strong>Webhook Service Adaptation</strong>:
Modify your webhook service to handle token fetching differently:</p>
</li>
</ol>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="go"><span class="giallo-l"><span style="color: #FB4934;">func</span><span style="color: #D3869B;"> webhookHandler</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span> http</span><span style="color: #A89984;">.</span><span>ResponseWriter</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> r</span><span style="color: #8EC07C;"> *</span><span>http</span><span style="color: #A89984;">.</span><span>Request</span><span style="color: #A89984;">) {</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Instead of validating a static token,</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // fetch the current token from Kubernetes and validate against that</span></span>
<span class="giallo-l"><span style="color: #83A598;"> currentToken</span><span style="color: #A89984;">,</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> :=</span><span style="color: #D3869B;"> getCurrentTokenFromK8s</span><span style="color: #A89984;">()</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> if</span><span style="color: #83A598;"> err</span><span style="color: #8EC07C;"> !=</span><span style="color: #D3869B;"> nil</span><span style="color: #A89984;"> {</span></span>
<span class="giallo-l"><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #D3869B;">Error</span><span style="color: #A89984;">(</span><span style="color: #83A598;">w</span><span style="color: #A89984;">, "</span><span style="color: #B8BB26;">Error fetching token</span><span style="color: #A89984;">",</span><span style="color: #83A598;"> http</span><span style="color: #A89984;">.</span><span style="color: #83A598;">StatusInternalServerError</span><span style="color: #A89984;">)</span></span>
<span class="giallo-l"><span style="color: #FB4934;"> return</span></span>
<span class="giallo-l"><span style="color: #A89984;"> }</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Validate the incoming token against the current token</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"> // Rest of your handler logic...</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span></code></pre><h2 id="security-considerations">Security Considerations</h2>
<h3 id="1-token-lifetime">1. Token Lifetime</h3>
<p>Consider the implications of token expiration:</p>
<ul>
<li>Long-lived tokens are easier to manage but pose higher security risks</li>
<li>Short-lived tokens are more secure but require more complex rotation mechanisms</li>
</ul>
<h3 id="2-secret-access">2. Secret Access</h3>
<p>Ensure proper RBAC for accessing the JWT secret:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> rbac.authorization.k8s.io/v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Role</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt-secret-reader</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">rules</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;">-</span><span style="color: #8EC07C;"> apiGroups</span><span style="color: #A89984;">: [""]</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> resources</span><span style="color: #A89984;">: ["</span><span style="color: #B8BB26;">secrets</span><span style="color: #A89984;">"]</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> resourceNames</span><span style="color: #A89984;">: ["</span><span style="color: #B8BB26;">jwt-token</span><span style="color: #A89984;">"]</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> verbs</span><span style="color: #A89984;">: ["</span><span style="color: #B8BB26;">get</span><span style="color: #A89984;">"]</span></span></code></pre><h3 id="3-tls-configuration">3. TLS Configuration</h3>
<p>Always use TLS for the webhook endpoint:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="go"><span class="giallo-l"><span style="color: #83A598;">tlsConfig</span><span style="color: #8EC07C;"> := &</span><span>tls</span><span style="color: #A89984;">.</span><span>Config</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #83A598;"> MinVersion</span><span style="color: #A89984;">:</span><span style="color: #83A598;"> tls</span><span style="color: #A89984;">.</span><span style="color: #83A598;">VersionTLS12</span><span style="color: #A89984;">,</span></span>
<span class="giallo-l"><span style="color: #83A598;"> CipherSuites</span><span style="color: #A89984;">: []</span><span style="color: #FABD2F;">uint16</span><span style="color: #A89984;">{</span></span>
<span class="giallo-l"><span style="color: #83A598;"> tls</span><span style="color: #A89984;">.</span><span style="color: #83A598;">TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</span><span style="color: #A89984;">,</span></span>
<span class="giallo-l"><span style="color: #83A598;"> tls</span><span style="color: #A89984;">.</span><span style="color: #83A598;">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</span><span style="color: #A89984;">,</span></span>
<span class="giallo-l"><span style="color: #A89984;"> },</span></span>
<span class="giallo-l"><span style="color: #A89984;">}</span></span></code></pre><h2 id="best-practices">Best Practices</h2>
<ol>
<li>
<p><strong>Monitoring</strong>:</p>
<ul>
<li>Monitor token expiration</li>
<li>Set up alerts for failed secret fetches</li>
<li>Track webhook endpoint health</li>
</ul>
</li>
<li>
<p><strong>Error Handling</strong>:</p>
<ul>
<li>Implement proper error reporting</li>
<li>Use appropriate HTTP status codes</li>
<li>Log authentication failures (but not sensitive data)</li>
</ul>
</li>
<li>
<p><strong>Documentation</strong>:</p>
<ul>
<li>Document token rotation procedures</li>
<li>Maintain runbooks for common issues</li>
<li>Keep configuration templates updated</li>
</ul>
</li>
</ol>
<h2 id="example-complete-setup">Example: Complete Setup</h2>
<p>Here’s a complete example bringing everything together:</p>
<pre class="giallo" style="color: #EBDBB2; background-color: #1D2021;"><code data-lang="yaml"><span class="giallo-l"><span style="color: #928374;font-style: italic;"># JWT Secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> v1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt-token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">type</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> Opaque</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">stringData</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> token</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">your-jwt-token</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span>---</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"># ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vsecm-scout</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> provider</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> webhook</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> url</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">https://vsecm-scout.default.svc.cluster.local:8443/webhook?key={{ .remoteRef.key }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> method</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> GET</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> result</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> jsonPath</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">$</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> headers</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> Authorization</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">Bearer {{ .jwt.token }}</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secrets</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> jwt-token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> token</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> caBundle</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">your-ca-bundle-here</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span>---</span></span>
<span class="giallo-l"><span style="color: #928374;font-style: italic;"># ExternalSecret Example</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">apiVersion</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> external-secrets.io/v1beta1</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ExternalSecret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">metadata</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> example-external-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;">spec</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> refreshInterval</span><span style="color: #A89984;">: "</span><span style="color: #B8BB26;">1h</span><span style="color: #A89984;">"</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> secretStoreRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> kind</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> ClusterSecretStore</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> vsecm-scout</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> target</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> name</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> example-secret</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> data</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #A89984;"> -</span><span style="color: #8EC07C;"> secretKey</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> mykey</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> remoteRef</span><span style="color: #A89984;">:</span></span>
<span class="giallo-l"><span style="color: #8EC07C;"> key</span><span style="color: #A89984;">:</span><span style="color: #B8BB26;"> myremotekey</span></span></code></pre><h2 id="conclusion">Conclusion</h2>
<p>While ClusterSecretStore with JWT authentication provides a robust way to secure external secrets access, it comes with important limitations regarding token rotation. Understanding these limitations and implementing appropriate strategies for token management is crucial for maintaining a secure and operational system.</p>
<p>Remember that security is a continuous process, and regular reviews of your authentication mechanisms, including JWT token management, should be part of your security practices.</p>
<p>When implementing this setup, always consider your specific use case and requirements, and be prepared to adapt these patterns to match your security needs and operational capabilities.</p>