In today’s world, managing sensitive information, such as database credentials, is a critical task for any organization. In a Kubernetes-based environment, secrets are used to store and manage such sensitive information. However, in some cases, it may be desirable to store these secrets outside of the cluster, in an external secrets manager, such as AWS Secret Manager.
External secrets are a way to store sensitive information, such as credentials and tokens, outside of a Kubernetes cluster. This approach provides several benefits, such as increased security, better compliance, and ease of management. In this blog post, we will discuss how to implement external secrets using Secret Manager like AWS Secret Manager in a Kubernetes-based environment(01Cloud). We will also discuss the benefits of using external secrets, and provide a step-by-step guide on how to set up and use the feature in 01Cloud.
Benefits of Using external secrets in a Kubernetes-based environment
- Security: External secrets are typically stored in a secure location, such as a Hardware Security Module (HSM) or a Key Management System (KMS), which can provide additional security measures, such as encryption and access controls, to protect sensitive data.
- Scalability: External secrets can be managed centrally, which can make it easier to scale a Kubernetes-based environment as the number of secrets and the number of services that need them increases.
- Flexibility: External secrets can be used across different environments (e.g. development, staging, production) and different teams, making it easy to share secrets among different groups without having to copy them manually.
- Auditing: External secrets can be audited and tracked for changes, making it easier to identify and troubleshoot issues related to secrets.
- Compliance: External secrets can be used to comply with regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), which require sensitive data to be protected in specific ways.
Why use external secret in 01Cloud ?
01Cloud is a Cloud PaaS (Platform as a Service) that enables a complete development and deployment environment that contributes towards delivering any simple-cloud based applications to enterprise applications, tools and more that are now the essential of any enterprise and organizations. Our services are based on the Kubernetes Architecture and Security that allows a consistent and standard cloud environment ideal for your organizational projects. It groups containers that are the base of any applications onto logical units for easier and faster management and deployment. You can explore more about 01Cloud here.
01Cloud Platform supports different external secret provider such as AWS(Amazon Web Service), HashiCrop Vault and GCP(Google Cloud Platform). Using external secret in 01Cloud enables user to centralized and manage different secrets in 01Cloud applications. 01cloud manages application in kubernetes environment. After providing external secret provider credentials and secret name, 01Cloud external secret service will validate all the fields and if valid it will fetch the secret from external secret manager and inject those secret in our application in kubernetes cluster.
Setup external secret in 01Cloud for AWS
By utilizing AWS as the external secret provider in 01Cloud, you have the ability to utilize secrets stored in the AWS Secret Manager and implement them within your 01Cloud Application.
If you’re interested in using external secrets in 01Cloud, we have a detailed step-by-step guide on how to set up AWS secrets in 01Cloud. Check out here for more information.
Setup external secret in 01Cloud for HashiCrop Vault
By utilizing HashiCrop Vault as the external secret provider in 01Cloud, you have the ability to utilize secrets stored in the HashiCrop Vault and implement them within your 01Cloud Application.
If you’re interested in using external secrets in 01Cloud, we have a detailed step-by-step guide on how to set up HashiCrop Vault secrets in 01Cloud. Check out here for more information.
Setup external secret in 01Cloud for GCP
By utilizing GCP as the external secret provider in 01Cloud, you have the ability to utilize secrets stored in the GCP Secrets Manager and implement them within your 01Cloud Application.
If you’re interested in using external secrets in 01Cloud, we have a detailed step-by-step guide on how to set up GCP secrets in 01Cloud. You can view more about GCP here.
- Refresh Interval is the amount of time before the values are fetched again from the external secret provider Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h” . May be set to zero to fetch and create it once. Default is set to zero as each API call to external secret provider may cost some bucks.
- Creation Policy has values ‘Owner’, ‘Merge’, or ‘None’. Default value of ‘Owner’. Owner creates the secret and sets owner references of the resource. Merge does not create the secret, but merges in the data fields to the secret. None does not create a secret (future use with injector).
- Deletion Policy defines how/when to delete the Secret in Kubernetes. if the provider secret gets deleted. Valid values are Delete, Merge, Retain
More details on creation and deletion policy can be found here .
Template and Non Template Environment
In 01cloud, there are primarily two types of environments: template and non-template. Template environments are pre-configured and come with a specified format provided by 01cloud, allowing users to easily deploy and run their applications without having to worry about the underlying source code. On the other hand, non-template environments are user-defined and provide more customization options for developers as they can use their own source code to create and configure their desired environment to meet their specific needs.
The process of setting up external secrets differs between the two environments. In the template environment, we have previously configured the external secret feature and specified a secret name that encompasses all necessary fields for our WordPress environment across all three providers.
Now, let us create a new environment and provide it with a different secret name, ‘other-secret,’ which does not include all of the necessary keys for the template environment.
We get a error from external secret service which says:-
external secret doesn't contain keys wordpressEmail, wordpressBlogName, mariadb.db.user, mariadb.db.pass, mariadb.db.database, mariadb.rootUser.password, wordpressUsername, wordpressPassword
When working with a template environment such as WordPress, it is essential to include all required keys in order to use the external secret feature. If these keys are not provided, the environment creation process will not proceed. However, if necessary, additional keys can be added and the external secret can be edited or resynchronized from the external secret settings.
In contrast, non-template environments do not have these restrictions and users are able to create and implement external secrets without any limitations.
The use of external secret services in 01Cloud facilitates centralized secret management and enhances the security and ease of use for 01Cloud applications. 01Cloud has made the integration of external secrets into a Kubernetes cluster simple and user-friendly, resulting in improved security and compliance while also streamlining secret management. 01Cloud has made it easier for users to reap the benefits of using external secrets.