Helm/External Secrets Operator: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
VisualWikitext
Created page with "==References== {|class='wikitable mw-collapsible' !scope='col' style='text-align:left' colspan='3'| References |- |valign='top' style='width:33%'| * [https://artifacthub.io/packages/helm/external-secrets-operator/external-secrets Helm » External Secrets Operator] * Helm » Vault Secrets Operator * Helm » Prometheus Stack * Helm » Cert Manager * Helm » Harbor * Helm/Pi-Ho..."
 
Tag: Manual revert
 
(34 intermediate revisions by the same user not shown)
Line 1: Line 1:
{|class='wikitable'
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
helm repo add external-secrets https://charts.external-secrets.io
helm repo update && helm repo list
kubectl config get-contexts
</syntaxhighlight>
|valign='top' style='width:50%'|
|}
==Helm » Context==
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
Helm » Context
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"
</syntaxhighlight>
|valign='top' style='width:50%'|
|}
==Helm » Install==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Helm » Install
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
helm show  values external-secrets/external-secrets --version=1.2.0|less
helm show  values external-secrets/external-secrets --version=1.2.1|less
</syntaxhighlight>
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl create ns  external-secrets-operator-system || true
</syntaxhighlight>
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
kubectl get ns|grep external-secrets-operator-system
kubectl delete ns  external-secrets-operator-system || true
</syntaxhighlight>
|-
!scope='col'| Install
!scope='col'| Notes
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
helm -n=external-secrets-operator-system upgrade \
-i eso  external-secrets/external-secrets --version=1.2.1 -f -
---
installCRDs: true
nameOverride: eso
fullnameOverride: eso
replicaCount: 1
revisionHistoryLimit: 5
image:
  repository: ghcr.io/external-secrets/external-secrets
  tag: v1.2.1
webhook:
  replicaCount: 1
  revisionHistoryLimit: 5
  image:
    repository: ghcr.io/external-secrets/external-secrets
    tag: v1.2.1
YML
</syntaxhighlight>
|valign='top'|
|-
!scope='col'| Verify
!scope='col'|
|-
|valign='top'|
<syntaxhighlight lang='bash'>
helm -n=external-secrets-operator-system status          eso
helm -n=external-secrets-operator-system get    manifest eso
</syntaxhighlight>
|valign='top'|
|}
==Helm » Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Helm » Config
|-
!scope='col' style='width:50%'| Scale » Down
!scope='col' style='width:50%'| Scale » Up
|-
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=0
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=1
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=0
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=1
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=0
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=1
</syntaxhighlight>
|}
==Helm » Debug==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left'|
Helm » Debug
|-
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook
</syntaxhighlight>
|}
==Helm » Uninstall==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Helm » Uninstall
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
helm -n=external-secrets-operator-system status    vso
helm -n=external-secrets-operator-system get all  vso
helm -n=external-secrets-operator-system uninstall vso
</syntaxhighlight>
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system delete pvc --all
kubectl                                    delete ns  external-secrets-operator-system
kubectl                                    delete pv  vso-data-vso-0
</syntaxhighlight>
|}
==Vault » Config==
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
Vault » Config
|-
!scope='col' style='width:50%'| Context
!scope='col' style='width:50%'| Namespace
|-
|valign='top'|
<syntaxhighlight lang='bash'>
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'
kubectl get ns shahed-academia
kubectl    -n=shahed-academia get SecretStore    store-shahed-ab
kubectl    -n=shahed-academia get ExternalSecret academia-audit-ext
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML
kubectl get namespace shahed-academia -o=yaml
</syntaxhighlight>
|-
|valign='top'|
{|class='wikitable'
|valign='top'|
* [[Vault#Auth|Skipped » Find More 👉 Vault » Auth]]
----
* [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]]
|}
|valign='top'|
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
Config » Approle
|-
!scope='col' style='width:50%'| Vault » Policy
!scope='col' style='width:50%'| Vault » Role
|-
|valign='top'|
<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app
</syntaxhighlight>
<syntaxhighlight lang='bash'>
vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
vault policy  read            policy-shahed-ab-eso-app
vault read    auth/approle/role/role-shahed-ab-eso-app
vault read    auth/approle/role/role-shahed-ab-eso-app/role-id
</syntaxhighlight>
<syntaxhighlight lang='bash'>
vault list    auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id
</syntaxhighlight>
<syntaxhighlight lang='bash'>
vault list    auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
secret_id=26701c33-1362-e744-6b2a-c28250b3ee64
</syntaxhighlight>
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Approle » Init
|-
!scope='col' style='width:50%'| SecretStore
!scope='col' style='width:50%'| ExternalSecret » <code>data</code>
|-
|valign='top'|
<syntaxhighlight lang='bash'>
cat <<ENV | \
kubectl -n shahed-academia create secret generic store-shahed-ab-app \
--from-env-file=/dev/stdin --dry-run=client -o=yaml | kubectl apply -f -
secret_id_accessor=cf764c1d-b3c6-5e15-2e57-ccbf5f982a0b
secret_id=b7c1390e-a6e4-de2c-7c75-ee54bf3032b6
ENV
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get    Secret        store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete Secret        store-shahed-ab-app
</syntaxhighlight>
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab-app
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        appRole:
          path: approle
          roleId: ae4560db-53da-9610-64d5-efc2fda45bed
          secretRef:
            name: store-shahed-ab-app
            key: secret_id
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get    SecretStore    store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab-app
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso-app
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab-app
    kind: SecretStore
  target:
    name: academia-audit-eso-app
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}
  dataFrom:
  - extract:
      key: audit
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get    Secret        academia-audit-eso-app -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso-app -o=yaml
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia delete Secret        academia-audit-eso-app
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app
</syntaxhighlight>
|}
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Config » Kubernetes
|-
!scope='col' style='width:50%'| Vault » Policy
!scope='col' style='width:50%'| Vault » Role
|-
|valign='top'|
<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read  policy-shahed-ab-eso
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer
vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h
vault read  auth/kubernetes/role/role-shahed-ab-eso
</syntaxhighlight>
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Kubernetes » Init
|-
!scope='col' style='width:50%'| SecretStore
!scope='col' style='width:50%'| ExternalSecret » <code>data</code>
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        kubernetes:
          serviceAccountRef:
            name: default
            namespace: shahed-academia
          mountPath: kubernetes
          role: role-shahed-ab-eso
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl get    clusterrolebinding|grep -i eso-
kubectl get    clusterrolebinding eso-controller      -o=yaml
kubectl get    clusterrolebinding eso-cert-controller -o=yaml
kubectl -n=shahed-academia get    SecretStore    store-shahed-ab -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
  dataFrom:
  - extract:
      key: audit
    rewrite:
    - regexp:
        source: "([a-z])([A-Z])|[-.]"
        target: "${1}_${2}"
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get    Secret        academia-audit-eso -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso -o=yaml
kubectl -n=shahed-academia delete Secret        academia-audit-eso
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso
</syntaxhighlight>
|}
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Kubernetes » Advance
|-
!scope='col' style='width:50%'| ExternalSecret » <code>application.properties</code>
!scope='col' style='width:50%'| ExternalSecret » <code>.env</code>
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        application.properties: |
          {{- range $k, $v := . }}
          {{ $k }}={{ $v }}
          {{- end }}
  dataFrom:
  - extract:
      key: audit
YML
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        .env: |
          {{- range $k, $v := . }}
          {{ $k | replace "-" "_" | replace "." "_" | upper }}={{ $v }}
          {{- end }}
  dataFrom:
  - extract:
      key: audit
YML
</syntaxhighlight>
|-
!scope='col'| ExternalSecret » <code>data</code>
!scope='col'| ExternalSecret » Refresh
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}
  dataFrom:
  - extract:
      key: audit
YML
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso
kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso \
force-sync=$(date +%s) --overwrite
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n shahed-academia get      ExternalSecret academia-audit-eso -w
kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso
</syntaxhighlight>
|}
|}
|}
==Playground==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Playground
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
helm -n=external-secrets-operator-system install    eso external-secrets/external-secrets --version=1.2.0
helm -n=external-secrets-operator-system upgrade -i eso external-secrets/external-secrets --version=1.2.1
helm show  values                                      external-secrets/external-secrets --version=1.2.1|less
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso                -c external-secrets
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller -c cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook        -c webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook
kubectl -n=external-secrets-operator-system get      pods --show-labels
</syntaxhighlight>
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system delete all --all
kubectl -n=external-secrets-operator-system delete ing --all
kubectl -n=external-secrets-operator-system delete sts --all
</syntaxhighlight>
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
kubectl                                    delete pv  vso-data-vso-0
kubectl -n=external-secrets-operator-system delete svc --all
kubectl -n=external-secrets-operator-system delete pvc --all
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system rollout history deploy/eso
kubectl -n=external-secrets-operator-system rollout restart deploy/eso
kubectl -n=external-secrets-operator-system rollout status  deploy/eso
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
kubectl -n=external-secrets-operator-system exec -it svc/eso-webhook -c webhook -- ash
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook
</syntaxhighlight>
|}
==References==
==References==
{|class='wikitable mw-collapsible'
{|class='wikitable mw-collapsible'

Latest revision as of 17:44, 24 January 2026

helm repo add external-secrets https://charts.external-secrets.io
helm repo update && helm repo list
kubectl config get-contexts

Helm » Context

Helm » Context 

export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install 

helm show   values external-secrets/external-secrets --version=1.2.0|less
helm show   values external-secrets/external-secrets --version=1.2.1|less

export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl create ns   external-secrets-operator-system || true

kubectl get ns|grep external-secrets-operator-system
kubectl delete ns   external-secrets-operator-system || true
Install Notes 
cat <<'YML' | \
helm -n=external-secrets-operator-system upgrade \
-i eso  external-secrets/external-secrets --version=1.2.1 -f -
---
installCRDs: true
nameOverride: eso
fullnameOverride: eso

replicaCount: 1
revisionHistoryLimit: 5
image:
  repository: ghcr.io/external-secrets/external-secrets
  tag: v1.2.1

webhook:
  replicaCount: 1
  revisionHistoryLimit: 5
  image:
    repository: ghcr.io/external-secrets/external-secrets
    tag: v1.2.1
YML
Verify 
helm -n=external-secrets-operator-system status          eso
helm -n=external-secrets-operator-system get    manifest eso

Helm » Config

Helm » Config

Scale » Down Scale » Up 
kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=1

kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=1

kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=1

Helm » Debug

Helm » Debug 

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

Helm » Uninstall

Helm » Uninstall 

helm -n=external-secrets-operator-system status    vso
helm -n=external-secrets-operator-system get all   vso
helm -n=external-secrets-operator-system uninstall vso

kubectl -n=external-secrets-operator-system delete pvc --all
kubectl                                     delete ns  external-secrets-operator-system
kubectl                                     delete pv  vso-data-vso-0

Vault » Config

Vault » Config

Context Namespace 
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info


kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'


kubectl get ns shahed-academia
kubectl     -n=shahed-academia get SecretStore    store-shahed-ab
kubectl     -n=shahed-academia get ExternalSecret academia-audit-ext

cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML

kubectl get namespace shahed-academia -o=yaml

Config » Approle

Vault » Policy Vault » Role 
cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app

vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h

vault policy   read            policy-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app/role-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
 secret_id=26701c33-1362-e744-6b2a-c28250b3ee64

Approle » Init

SecretStore ExternalSecret » data 
cat <<ENV | \
kubectl -n shahed-academia create secret generic store-shahed-ab-app \
 --from-env-file=/dev/stdin --dry-run=client -o=yaml | kubectl apply -f -
secret_id_accessor=cf764c1d-b3c6-5e15-2e57-ccbf5f982a0b
secret_id=b7c1390e-a6e4-de2c-7c75-ee54bf3032b6
ENV

kubectl -n=shahed-academia get    Secret         store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete Secret         store-shahed-ab-app

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab-app
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        appRole:
          path: approle
          roleId: ae4560db-53da-9610-64d5-efc2fda45bed
          secretRef:
            name: store-shahed-ab-app
            key: secret_id
YML

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab-app

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso-app
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab-app
    kind: SecretStore

  target:
    name: academia-audit-eso-app
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit

YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso-app -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso-app -o=yaml

kubectl -n=shahed-academia delete Secret         academia-audit-eso-app
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app

Config » Kubernetes

Vault » Policy Vault » Role 
cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso

Kubernetes » Init

SecretStore ExternalSecret » data 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        kubernetes:
          serviceAccountRef:
            name: default
            namespace: shahed-academia
          mountPath: kubernetes
          role: role-shahed-ab-eso

YML

kubectl get    clusterrolebinding|grep -i eso-
kubectl get    clusterrolebinding eso-controller      -o=yaml
kubectl get    clusterrolebinding eso-cert-controller -o=yaml

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
  dataFrom:
  - extract:
      key: audit
    rewrite:
    - regexp:
        source: "([a-z])([A-Z])|[-.]"
        target: "${1}_${2}"
YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso -o=yaml


kubectl -n=shahed-academia delete Secret         academia-audit-eso
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso

Kubernetes » Advance

ExternalSecret » application.properties ExternalSecret » .env 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        application.properties: |
          {{- range $k, $v := . }}
          {{ $k }}={{ $v }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        .env: |
          {{- range $k, $v := . }}
          {{ $k | replace "-" "_" | replace "." "_" | upper }}={{ $v }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML
ExternalSecret » data ExternalSecret » Refresh 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML

kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso
kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso \
 force-sync=$(date +%s) --overwrite

kubectl -n shahed-academia get      ExternalSecret academia-audit-eso -w
kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso

Playground

Playground 

helm -n=external-secrets-operator-system install    eso external-secrets/external-secrets --version=1.2.0
helm -n=external-secrets-operator-system upgrade -i eso external-secrets/external-secrets --version=1.2.1
helm show   values                                      external-secrets/external-secrets --version=1.2.1|less

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso                 -c external-secrets
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller -c cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook         -c webhook

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook
kubectl -n=external-secrets-operator-system get      pods --show-labels

kubectl -n=external-secrets-operator-system delete all --all
kubectl -n=external-secrets-operator-system delete ing --all
kubectl -n=external-secrets-operator-system delete sts --all

kubectl                                     delete pv  vso-data-vso-0
kubectl -n=external-secrets-operator-system delete svc --all
kubectl -n=external-secrets-operator-system delete pvc --all

kubectl -n=external-secrets-operator-system rollout history deploy/eso
kubectl -n=external-secrets-operator-system rollout restart deploy/eso
kubectl -n=external-secrets-operator-system rollout status  deploy/eso

kubectl -n=external-secrets-operator-system exec -it svc/eso-webhook -c webhook -- ash
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

References

References

Retrieved from "https://wiki.chorke.org/index.php?title=Helm/External_Secrets_Operator&oldid=16412"