Helm/External Secrets Operator

From Chorke Wiki
Jump to navigation Jump to search 
helm repo add external-secrets https://charts.external-secrets.io
helm repo update && helm repo list
kubectl config get-contexts

Helm » Context

Helm » Context 

export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install 

helm show   values external-secrets/external-secrets --version=1.2.0|less
helm show   values external-secrets/external-secrets --version=1.2.1|less

export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl create ns   external-secrets-operator-system || true

kubectl get ns|grep external-secrets-operator-system
kubectl delete ns   external-secrets-operator-system || true
Install Notes 
cat <<'YML' | \
helm -n=external-secrets-operator-system upgrade \
-i eso  external-secrets/external-secrets --version=1.2.1 -f -
---
installCRDs: true
nameOverride: eso
fullnameOverride: eso

replicaCount: 1
revisionHistoryLimit: 5
image:
  repository: ghcr.io/external-secrets/external-secrets
  tag: v1.2.1

webhook:
  replicaCount: 1
  revisionHistoryLimit: 5
  image:
    repository: ghcr.io/external-secrets/external-secrets
    tag: v1.2.1
YML
Verify 
helm -n=external-secrets-operator-system status          eso
helm -n=external-secrets-operator-system get    manifest eso

Helm » Config

Helm » Config

Scale » Down Scale » Up 
kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso --replicas=1

kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso-webhook --replicas=1

kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=0

kubectl -n=external-secrets-operator-system \
scale deploy/eso-cert-controller --replicas=1

Helm » Debug

Helm » Debug 

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

Helm » Uninstall

Helm » Uninstall 

helm -n=external-secrets-operator-system status    vso
helm -n=external-secrets-operator-system get all   vso
helm -n=external-secrets-operator-system uninstall vso

kubectl -n=external-secrets-operator-system delete pvc --all
kubectl                                     delete ns  external-secrets-operator-system
kubectl                                     delete pv  vso-data-vso-0

Vault » Config

Vault » Config

Context Namespace 
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info


kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'


kubectl get ns shahed-academia
kubectl     -n=shahed-academia get SecretStore    store-shahed-ab
kubectl     -n=shahed-academia get ExternalSecret academia-audit-ext

cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML

kubectl get namespace shahed-academia -o=yaml
Vault » Policy Vault » Role 
cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso

Config » Init

SecretStore ExternalSecret » data 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        kubernetes:
          serviceAccountRef:
            name: default
            namespace: shahed-academia
          mountPath: kubernetes
          role: role-shahed-ab-eso

YML

kubectl get    clusterrolebinding|grep -i eso-
kubectl get    clusterrolebinding eso-controller      -o=yaml
kubectl get    clusterrolebinding eso-cert-controller -o=yaml

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
  dataFrom:
  - extract:
      key: shahed/academia/dev/audit
    rewrite:
    - regexp:
        source: "([a-z])([A-Z])|[-.]"
        target: "${1}_${2}"
YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso -o=yaml


kubectl -n=shahed-academia delete Secret         academia-audit-eso
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso

Config » Advance

ExternalSecret » application.properties ExternalSecret » .env 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        application.properties: |
          {{- range $k, $v := . }}
          {{ $k }}={{ $v }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      data:
        .env: |
          {{- range $k, $v := . }}
          {{ $k | replace "-" "_" | replace "." "_" | upper }}={{ $v }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML
ExternalSecret » data ExternalSecret » Refresh 
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore

  target:
    name: academia-audit-eso
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit
YML

kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso
kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso \
 force-sync=$(date +%s) --overwrite

kubectl -n shahed-academia get      ExternalSecret academia-audit-eso -w
kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso

Playground

Playground 

helm -n=external-secrets-operator-system install    eso external-secrets/external-secrets --version=1.2.0
helm -n=external-secrets-operator-system upgrade -i eso external-secrets/external-secrets --version=1.2.1
helm show   values                                      external-secrets/external-secrets --version=1.2.1|less

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso                 -c external-secrets
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller -c cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook         -c webhook

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook
kubectl -n=external-secrets-operator-system get      pods --show-labels

kubectl -n=external-secrets-operator-system delete all --all
kubectl -n=external-secrets-operator-system delete ing --all
kubectl -n=external-secrets-operator-system delete sts --all

kubectl                                     delete pv  vso-data-vso-0
kubectl -n=external-secrets-operator-system delete svc --all
kubectl -n=external-secrets-operator-system delete pvc --all

kubectl -n=external-secrets-operator-system rollout history deploy/eso
kubectl -n=external-secrets-operator-system rollout restart deploy/eso
kubectl -n=external-secrets-operator-system rollout status  deploy/eso

kubectl -n=external-secrets-operator-system exec -it svc/eso-webhook -c webhook -- ash
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

References

References

Retrieved from "https://wiki.chorke.org/index.php?title=Helm/External_Secrets_Operator&oldid=16392"