tencent cloud

PrevNext

masukan

cari berdasarkan kata kunci

Recent Pages

Dokumentasi
Tencent Kubernetes Engine
    Dokumentasi
    Download PDF

    Importing SSM Credentials via ExternalSecretOperator

    Terakhir diperbarui:2024-09-03 16:58:08
    Unduh PDF
      ExternalSecretOperator assists in uniformly storing and managing key credentials in Tencent Cloud Secrets Manager (SSM), importing them into the cluster in the form of Kubernetes native Secret objects, thereby enabling automatic synchronization of key data. This process facilitates SSM's centralized key storage and lifecycle management of these keys.

      Limitations

      Use of the ExternalSecrets component requires a Kubernetes version of v1.19 or later.
      The operating system image supports an x86 architecture.

      Enabling External Key Access Capability

      Installing the Add-on

      1. Log in to the TKE Console.
      2. Install the ExternalSecrets (external key access component) component for the cluster.
      If you have not created a cluster, you can install the ExternalSecrets component during the cluster creation process. For details, see Installing on the cluster creation page.
      Should you wish to enable external key access in a created cluster, install the ExternalSecrets component through component management. For details, see Installing on the add-on management page.
      
      
      
      3. Check the component status on the Component Management page. If the component status is Succeeded, it indicates successful deployment of the component.
      
      
      

      Use Methods

      Method 1: Authorize via AK/SK.

      Step 1: Configure authentication information using the AK/SK authorization method

      1. Log in to the CAM console and select Policy on the left sidebar.
      2. Navigate to the Policy page and click New Custom Policy > Create by Syntax.
      3. On the Create by Policy Syntax page, select Blank Template, as shown in the following figure:
      
      
      
      4. Click Next to access the Edit Policy page, where you can add the following content to the policy editing box:
      {
          "statement": [
              {
                  "action": [
                      "ssm:GetSecretValue"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              }
          ],
          "version": "2.0"
      }
      5. Click Complete to add the policy.
      6. On the Policies page, view the created custom policy, then select Custom Policies > Associate User/User Group/Role, as shown below:
      
      
      
      On the Associate User/User Group/Role page, select the user you want to bind, as shown below:
      
      
      
      7. Click OK.

      Step 2: Instructions for component use

      This component involves two types of Custom Resource Definitions (CRDs): SecretStore for storing access credentials, and ExternalSecret for specifying SecretStore and storing the basic information of credentials that need to be synchronized. This achieves separation of permissions and data, enhancing flexibility in usage.
      In SSM, you need to add the following credentials:
      SecretName: hello-test
      SecretData: {"name":"jack","password":"123"}
      VersionId: v1
      You can refer to Tencent Cloud SSM Documentation for a detailed process of creating credentials.
      Note:
      The following secret, SecretStore, and ExternalSecret are all located in the default namespace.
      1. Create a secret.
      You can create a secret by executing the following command:
      echo -n 'KEYID' > ./accessKeyId
      echo -n 'SECRETKEY' > ./accessKeySecret
      kubectl create secret generic tencent-credentials --from-file=./accessKeyId --from-file=./accessKeySecret
      Note:
      The key can be obtained from CAM.
      2. Create a SecretStore.
      You can save the following content into a file named my-secretstore.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: my-secretstore
spec:
  provider:
    tencent:
      regionID: ap-guangzhou
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: tencent-credentials
            key: accessKeyId
          accessKeySecretSecretRef:
            name: tencent-credentials
            key: accessKeySecret
      3. Create an ExternalSecret.
      You can save the following content into a file named my-externalsecret.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-externalsecret
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: SecretStore
    name: my-secretstore
  target:
    name: my-secret-key-to-be-created
    creationPolicy: Owner
  data:
    - secretKey: secret-key-to-be-managed
      remoteRef:
        key: hello-test
        version: v1
        # option
        property: password
      4. To deploy the sample, run the following command:
      kubectl apply -f my-secretstore.yaml
kubectl apply -f my-externalsecret.yaml
      5. Use the obtained credentials.
      You can save the following content into a file named my-pod.yaml:
      apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: busybox
      command:
        - /bin/sh
        - -c
        - 'echo "Secret value: ${SECRET_KEY_TO_BE_MANAGED}"'
      env:
        - name: SECRET_KEY_TO_BE_MANAGED
          valueFrom:
            secretKeyRef:
              name: my-secret-key-to-be-created
              key: secret-key-to-be-managed
  restartPolicy: Never
      Then, deploy the Pod resource by running the following command:
      kubectl apply -f my-pod.yaml
      Finally, view the obtained credentials by running the following command:
      kubectl logs my-pod
      You will see the information of the obtained credentials:
      # The credential information obtained from ExternalSecret is as follows.
Secret value: 123

      Method 2: Authorize via AKSK and Role Play

      Step 1. Create a policy to obtain SSM credentials

      1. Log in to the CAM console and select Policy on the left sidebar.
      2. Navigate to the Policy page and click New Custom Policy > Create by Policy Syntax.
      3. On the Create by Policy Syntax page, select Blank Template, as shown in the following figure:
      
      
      
      4. Click Next to access the Edit Policy page, where you can add the following content to the policy editing box:
      {
          "statement": [
              {
                  "action": [
                      "ssm:GetSecretValue"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              }
          ],
          "version": "2.0"
      }
      5. Click Complete to add the policy.

      Step 2: Assign the role-play policy to the sub-account

      1. Log in to the Tencent Cloud CAM Console, and select Users > User List on the left sidebar.
      2. On the User List page, click Create User. For details on the process of creating a new user, refer to Creating a Sub-user.
      3. Assign a role-play policy to the created sub-user. For details, refer to Assigning Role-Playing Policy to Sub-account.

      Step 3: Assign a policy to the created sub-user for accessing SSM credentials

      1. On the Policies page, view the created custom policy and select Custom Policies > Associate User/User Group/Role, as shown in the following figure:
      
      
      
      2. On the Associate User/User Group/Role page, select the sub-user that needs to be associated, as shown below:
      
      
      
      3. Click OK.

      Step 4: Instructions for component use

      This component involves two types of CRDs: SecretStore for storing access credentials, and ExternalSecret for specifying SecretStore and storing the basic information of credentials that need to be synchronized. This achieves separation of permissions and data, enhancing flexibility in usage.
      In SSM, you need to add the following credentials:
      SecretName: hello-test
      SecretData: {"name":"jack","password":"123"}
      VersionId: v1
      You can refer to the Tencent Cloud SSM Documentation for a detailed process of creating credentials.
      Note:
      The following secret, SecretStore, and ExternalSecret are all located in the default namespace.
      1. Create a secret.
      You can create a secret by executing the following command:
      echo -n 'KEYID' > ./accessKeyId
      echo -n 'SECRETKEY' > ./accessKeySecret
      kubectl create secret generic tencent-credentials --from-file=./accessKeyId --from-file=./accessKeySecret
      Note:
      The key can be obtained from CAM.
      2. Create a SecretStore.
      You can save the following content into a file named my-secretstore.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-assumerole
spec:
  provider:
    tencent:
      regionID: ap-guangzhou
      role: "qcs::cam::uin/12345:roleName/test-assume-role"
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: tencent-credentials
            key: accessKeyId
          accessKeySecretSecretRef:
            name: tencent-credentials
            key: accessKeySecret
      Note:
      The role field is obtained in Step 2.
      3. Create an ExternalSecret.
      You can save the following content into a file named my-externalsecret.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret-assumerole
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: SecretStore
    name: secretstore-assumerole
  target:
    name: my-secret-key-to-be-created
    creationPolicy: Owner
  data:
    - secretKey: secret-key-to-be-managed
      remoteRef:
        key: hello-test
        version: v1
        property: password
      4. To deploy the sample, run the following command:
      kubectl apply -f my-secretstore.yaml
kubectl apply -f my-externalsecret.yaml
      5. Use the obtained credentials.
      You can save the following content into a file named my-pod.yaml:
      apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: busybox
      command:
        - /bin/sh
        - -c
        - 'echo "Secret value: ${SECRET_KEY_TO_BE_MANAGED}"'
      env:
        - name: SECRET_KEY_TO_BE_MANAGED
          valueFrom:
            secretKeyRef:
              name: my-secret-key-to-be-created
              key: secret-key-to-be-managed
  restartPolicy: Never


      
      Then, deploy Pod resources by running the following command:
      kubectl apply -f my-pod.yaml
      Finally, view the obtained credentials by running the following command:
      kubectl logs my-pod
      You will see the information of the obtained credentials:
      # The credential information obtained from ExternalSecret is as follows.
Secret value: 123

      Method 3: Authorize via TKE OIDC

      Step 1. Enable OIDC resource access control capabilities

      1. Log in to the TKE console and select Cluster on the left sidebar.
      2. On the Cluster Management page, select the cluster ID to enter the basic information page of the cluster.
      3. In the cluster basic information, click
      
      on the right side of the ServiceAccountIssuerDiscovery, as shown below:
      Note:
      If you wish to explore the ServiceAccountIssuerDiscovery feature, submit a ticket to apply.
      
      
      
      4. Navigate to the Edit ServiceAccountIssuerDiscovery Parameters page. If the system prompts that you cannot modify the relevant parameters, authorize the service first.
      
      
      On the Role Management page, check the authorization policy QcloudAccessForTKERoleInOIDCConfig, and click Grant.
      
      
      
      5. Once the authorization is completed, check the options of "Create CAM OIDC provider" and "Create webhook component", fill in the client ID, and click Confirm, as shown below:
      Note:
      Client ID is an optional parameter. When it is left blank, the default value is "sts.cloud.tencent.com". Here, Create CAM OIDC provider uses the default value.
      
      
      
      6. Return to the cluster details page. When the ServiceAccountIssuerDiscovery is again editable, it indicates the end of the current initiation of OIDC resource access control.
      Note
      The parameters "service-account-issuer" and "service-account-jwks-uri" are not editable and follow default rules.
      7. Navigate to the Modify ServiceAccountIssuerDiscovery Parameters page. You will see a prompt that 'You have created the identity provider. Check details'. Click Check details, as shown below:
      
      
      
      8. In Cluster Info > Component Management, if you find that the status of pod-identity-webhook is Succeeded, it indicates that the component has been successfully installed, as shown below:
      
      
      

      Step 2: Create a policy to retrieve SSM credentials

      1. Log in to the CAM console and select Policy on the left sidebar.
      2. Navigate to the Policy page and click New Custom Policy > Create by Policy Syntax.
      3. On the Create by Policy Syntax page, choose Blank Template, as shown below:
      
      
      
      4. Click Next to access the Edit Policy page, where you can add the following content to the policy editing box:
      {
          "statement": [
              {
                  "action": [
                      "ssm:GetSecretValue"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              }
          ],
          "version": "2.0"
      }
      5. Click Complete to add the policy.

      Step 3. Create a new OIDC role

      1. Log in to the CAM console and select Roles on the left sidebar.
      2. On the Roles page, select New Role > Identity Provider.
      3. On the Create Custom Role page, you can refer to the following information for configuration.
      
      
      
      IdP Type: Select OIDC.
      Select IdP: Choose the identity provider for which the role is being created this time.
      Conditions: Enter the value of oidc:aud.
      Note:
      The Value identifier for the identity provider is $my_provider_id.
      The Value of oidc:aud should be consistent with that of the Client ID for the CAM OIDC provider.
      The Value identifier of oidc:aud is $my_pod_audience. When there are multiple Values for oidc:aud, choose any one of them.
      4. Click Next to proceed to the Configure Role Policy page, where you should select the policy for SSM that was created and obtained in Step 2, as shown in the following image:
      
      
      
      5. Click Next to proceed to the Set Role Tag page. If there is no need to set the tag, directly click Next, as shown below:
      
      
      
      6. Click Next to enter the Review page. Edit the Role Name and Description, as shown below:
      
      
      
      7. Click Complete. On the role details page, you can check RoleArn of the OIDC role and the corresponding permission, as shown below:
      
      
      
      Note:
      The value identifier of RoleArn is $my_pod_role_arn.

      Step 4: Instructions for component use

      1. Create a ServiceAccount.
      You can save the information below into a file called my-serviceaccount.yaml:
      apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  annotations:
    tke.cloud.tencent.com/role-arn: $my_pod_role_arn
    tke.cloud.tencent.com/audience: $my_pod_audience
    tke.cloud.tencent.com/providerID: $my_provider_id
      Note:
      Replace $my_pod_role_arn with the value of RoleArn.
      Replace $my_pod_audience with the value of oidc:aud.
      Replace $my_provider_id with "Identity Provider".
      2. Create a SecretStore.
      You can save the following content into my-secretstore.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-tkeoidc
spec:
  provider:
    tencent:
      regionID: ap-guangzhou
      auth:
        serviceAccountRef:
          name: my-serviceaccount
      3. Create an ExternalSecret.
      You can save the following content into my-externalsecret.yaml:
      apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret-tkeoidc
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: secretstore-tkeoidc
  target:
    name: my-secret-key-to-be-created
    creationPolicy: Owner
  data:
    - secretKey: secret-key-to-be-managed
      remoteRef:
        key: hello-test
        version: v1
        # option
        property: password
      4. To deploy the sample, run the following command:
      kubectl apply -f my-serviceaccount.yaml
kubectl apply -f my-secretstore.yaml
kubectl apply -f my-externalsecret.yaml
      5. To check whether the target secret has been successfully created, run the following command:
      kubectl get secret my-secret-key-to-be-created -o yaml
      Note:
      Given that synchronization refresh has not been disabled, you can modify the key content in SSM. Upon reaching the refresh time, the target secret will be synchronized.
      
      Hubungi Kami

      Hubungi tim penjualan atau penasihat bisnis kami untuk membantu bisnis Anda.

      Hubungi Kami
      Dukungan Teknis

      Buka tiket jika Anda mencari bantuan lebih lanjut. Tiket kami tersedia 7x24.

      Kirim Tiket
      Dukungan Telepon 7x24
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Kebijakan PrivasiLegalKebijakan Cookie