# Secured Secrets Management for Application Deployment
This use case demonstrates how to securely manage sensitive data, such as passwords, API keys, and other credentials, that are consumed by an application during development or runtime in production. The approach involves storing sensitive data in an external secret store located in a "vault" namespace (which can be Vault, AWS Secret Store, or any other provider). The process entails transmitting confidential information from the vault namespace to the deployed namespace to establish a connection to a database.
In this scenario, the KubeRocketCI platform is used to facilitate the management of sensitive data. By leveraging an external secret store, developers can ensure that confidential information is securely stored and accessed only when needed. This approach enhances the security of the deployment environment and mitigates the risk of exposing sensitive data.
To implement this approach, the following steps are involved:

- Configure the KubeRocketCI platform with the desired external secret store provider, such as Vault or AWS Secret Store.
- Create a separate namespace, referred to as the "vault" namespace, to store the sensitive data securely.
- Store the sensitive data, such as passwords, API keys, and credentials, in the vault namespace using the chosen external secret store provider.
- Establish a connection between the deployed namespace and the vault namespace to securely access the sensitive data when required.
By following these steps, developers can ensure that sensitive data is protected and accessed securely within the KubeRocketCI platform. This approach enhances the overall security of the application and reduces the risk of unauthorized access to confidential information.
## Roles

This documentation is tailored for Developers and Team Leads.

## Goals

- Make confidential information usage secure in the deployment environment.

## Preconditions

- KubeRocketCI instance is configured with Gerrit, Tekton and Argo CD;
- External Secrets is installed;
- Developer has access to the KubeRocketCI instances using the Single-Sign-On approach;
- Developer has the `Administrator` role (to perform merge in Gerrit);
- Developer has access to manage secrets in the `demo-vault` namespace.
## Scenario

To utilize External Secrets in the KubeRocketCI platform, follow the steps outlined below.

### Add Application

To begin, you will need an application first. Here are the steps to create it:

- Open the UI Portal and use the `Sign-In` option.
- In the top right corner, enter the `Cluster settings` and ensure that both `Default namespace` and `Allowed namespace` are set.
- Create the new `Codebase` with the `Application` type using the `Create` strategy. To do this, click the `EDP` tab.
- Select the `Components` section under the `EDP` tab and push the `+` button.
- Select the `Application` Codebase type because we are going to deliver our application as a container and deploy it inside the Kubernetes cluster. Select the `Create` strategy to use a predefined template.
- On the `Application Info` tab, define the following values and press the `Proceed` button:
  - Application name: `es-usage`
  - Default branch: `master`
  - Application code language: `Java`
  - Language version/framework: `Java 17`
  - Build tool: `Maven`
- On the `Advanced Settings` tab, define the values below and push the `Apply` button:
  - CI tool: `Tekton`
  - Codebase versioning type: `default`
- Check the application status. It should be green.
### Create CD Pipeline

This section outlines the process of establishing a CD pipeline within the UI Portal. There are two fundamental steps in this procedure:

- Build the application from the last commit of the `master` branch;
- Create a `CD Pipeline` to establish continuous delivery to the SIT environment.

To succeed with the steps above, follow the instructions below:

- Create the CD Pipeline. To enable application deployment, create a CD Pipeline with a single environment: System Integration Testing (SIT for short). Select the `CD Pipelines` section under the `EDP` tab and push the `+` button.
- On the `Pipeline` tab, define the following values and press the `Proceed` button:
  - Pipeline name: `deploy`
  - Deployment type: `Container`
- On the `Applications` tab, add the `es-usage` application, select the `master` branch, leave `Promote in pipeline` unchecked and press the `Proceed` button.
- On the `Stage` tab, add the `sit` stage with the values below and push the `Apply` button:
  - Stage name: `sit`
  - Description: `System integration testing`
  - Trigger type: `Manual`. We plan to deploy applications to this environment manually.
  - Quality gate type: `Manual`
  - Step name: `approve`
### Configure RBAC for External Secret Store

In this scenario, three namespaces are used: `demo`, which is the namespace where KubeRocketCI is deployed; `demo-vault`, which is the vault where developers store secrets; and `demo-deploy-sit`, which is the namespace used for deploying the application. The target namespace name for deploying the application is formed with the pattern `edp-<cd_pipeline_name>-<stage_name>`.

To ensure the proper functioning of the system, it is crucial to create the following resources:

- Create the `demo-vault` namespace to store secrets:

  ```bash
  kubectl create namespace demo-vault
  ```

- Create the Secret:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: mongo
    namespace: demo-vault
  stringData:
    password: pass
    username: user
  type: Opaque
  ```

- Create the Role to access the secret:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    namespace: demo-vault
    name: external-secret-store
  rules:
    - apiGroups: [""]
      resources:
        - secrets
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - authorization.k8s.io
      resources:
        - selfsubjectrulesreviews
      verbs:
        - create
  ```

- Create the RoleBinding:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: eso-from-edp
    namespace: demo-vault
  subjects:
    - kind: ServiceAccount
      name: secret-manager
      namespace: demo-deploy-sit
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: external-secret-store
  ```
### Add External Secret to Helm Chart

Now that RBAC is configured properly, it is time to add the external secrets templates to the application Helm chart. Follow the instructions provided below:

- Navigate to `UI Portal` -> `EDP` -> `Overview`, and push the Gerrit link.
- Log in to the Gerrit UI, select `Repositories` and select the `es-usage` project.
- In the `Commands` section of the project, push the `Create Change` button.
- In the `Create Change` dialog, provide the `master` branch, fill in the `Description` (commit message) field with `Add external secrets templates` and push the `Create` button.
- Push the `Edit` button of the merge request and then the `ADD/OPEN/UPLOAD` button. Once the file menu is opened, add the files below and click `SAVE` after editing each of them:

  - `deploy-templates/templates/sa.yaml`:

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: secret-manager
      namespace: demo-deploy-sit
    ```

  - `deploy-templates/templates/secret-store.yaml`:

    ```yaml
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: demo
      namespace: demo-deploy-sit
    spec:
      provider:
        kubernetes:
          remoteNamespace: demo-vault
          auth:
            serviceAccount:
              name: secret-manager
          server:
            caProvider:
              type: ConfigMap
              name: kube-root-ca.crt
              key: ca.crt
    ```

  - `deploy-templates/templates/external-secret.yaml`:

    ```yaml
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: mongo                  # target secret name
      namespace: demo-deploy-sit   # target namespace
    spec:
      refreshInterval: 1h
      secretStoreRef:
        kind: SecretStore
        name: demo
      data:
        - secretKey: username      # target value property
          remoteRef:
            key: mongo             # remote secret key
            property: username     # value will be fetched from this field
        - secretKey: password      # target value property
          remoteRef:
            key: mongo             # remote secret key
            property: password     # value will be fetched from this field
    ```

  - `deploy-templates/templates/deployment.yaml`. Add the environment variables for MongoDB to the existing deployment configuration so that it uses the secret:

    ```yaml
    env:
      - name: MONGO_USERNAME
        valueFrom:
          secretKeyRef:
            name: mongo
            key: username
      - name: MONGO_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mongo
            key: password
    ```

- Push the `Publish Edit` button.
- As soon as the review pipeline has finished and you get `Verified +1` from CI, you are ready for review. Click `Mark as Active` -> `Code-Review +2` -> `Submit`.
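The Role and RoleBinding from the RBAC section and the ServiceAccount, SecretStore and ExternalSecret templates above form one permission chain, and a typo in any link of it (wrong namespace, wrong ServiceAccount name, missing verb) only shows up as a failed sync at deploy time. The following checker is an added example, not part of the KubeRocketCI docs: it takes the four manifests as dicts (constructed copies of the page's YAML, in the shape `kubectl get ... -o json` returns) and reports breaks in the chain plus least-privilege observations.

```python
# Added example (not from the KubeRocketCI docs): checks that the Role, RoleBinding,
# SecretStore and ExternalSecret on this page form a consistent, least-privilege chain.
# Manifests are constructed copies of the page's YAML as dicts (kubectl -o json shape).
ROLE = {"kind": "Role", "metadata": {"namespace": "demo-vault", "name": "external-secret-store"},
        "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
                  {"apiGroups": ["authorization.k8s.io"], "resources": ["selfsubjectrulesreviews"],
                   "verbs": ["create"]}]}
BINDING = {"kind": "RoleBinding", "metadata": {"namespace": "demo-vault", "name": "eso-from-edp"},
           "subjects": [{"kind": "ServiceAccount", "name": "secret-manager", "namespace": "demo-deploy-sit"}],
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "external-secret-store"}}
STORE = {"kind": "SecretStore", "metadata": {"namespace": "demo-deploy-sit", "name": "demo"},
         "spec": {"provider": {"kubernetes": {"remoteNamespace": "demo-vault",
                                              "auth": {"serviceAccount": {"name": "secret-manager"}}}}}}
EXTSECRET = {"kind": "ExternalSecret", "metadata": {"namespace": "demo-deploy-sit", "name": "mongo"},
             "spec": {"secretStoreRef": {"kind": "SecretStore", "name": "demo"},
                      "data": [{"secretKey": "username", "remoteRef": {"key": "mongo", "property": "username"}},
                               {"secretKey": "password", "remoteRef": {"key": "mongo", "property": "password"}}]}}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def check_chain(role, binding, store, ext):
    """Return (problems, warnings); empty problems means ESO can read the remote Secret."""
    problems, warnings = [], []
    k8s = store["spec"]["provider"]["kubernetes"]
    remote_ns = k8s["remoteNamespace"]
    # ESO reads the remote namespace as the SecretStore's ServiceAccount from the store's own namespace.
    sa = {"kind": "ServiceAccount", "name": k8s["auth"]["serviceAccount"]["name"],
          "namespace": store["metadata"]["namespace"]}
    if binding["metadata"]["namespace"] != remote_ns:
        problems.append("RoleBinding must live in remoteNamespace %s" % remote_ns)
    if sa not in binding["subjects"]:
        problems.append("RoleBinding does not bind %s/%s" % (sa["namespace"], sa["name"]))
    ref = binding["roleRef"]
    if (ref["kind"], ref["name"]) != ("Role", role["metadata"]["name"]) or role["metadata"]["namespace"] != remote_ns:
        problems.append("roleRef does not point at Role %s in %s" % (role["metadata"]["name"], remote_ns))
    needed, granted = {"get", "list", "watch"}, set()
    for rule in role["rules"]:
        if "" in rule["apiGroups"] and "secrets" in rule["resources"]:
            verbs = set(rule["verbs"])
            granted |= verbs | (needed if "*" in verbs else set())  # "*" covers every verb
            if not rule.get("resourceNames"):  # no resourceNames = every Secret in the namespace
                warnings.append("Role reads every Secret in %s; add resourceNames to narrow it" % remote_ns)
    if not needed <= granted:
        problems.append("Role lacks verbs on secrets: %s" % sorted(needed - granted))
    if granted & WRITE_VERBS:
        warnings.append("Role grants write verbs on secrets: %s" % sorted(granted & WRITE_VERBS))
    sref = ext["spec"]["secretStoreRef"]
    if sref["name"] != store["metadata"]["name"] or ext["metadata"]["namespace"] != store["metadata"]["namespace"]:
        problems.append("ExternalSecret does not reference SecretStore %s from its namespace" % store["metadata"]["name"])
    return problems, warnings
```

Run against the page's manifests it reports no problems and one warning, because the Role has no `resourceNames` and therefore lets the `secret-manager` ServiceAccount read every Secret in `demo-vault`, not only `mongo`.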
### Deploy Application

Deploy the application by following the steps provided below:

- When the build pipeline is finished, navigate to `UI Portal` -> `EDP` -> `CD-Pipeline` and select the `deploy` pipeline.
- Deploy the initial version of the application to the SIT environment:
  - Select the `sit` stage from the Stages tab;
  - In the `Image stream version`, select the latest version and push the `Deploy` button.
- Ensure the application status is `Healthy` and `Synced`.
### Check Application Status

To ensure the application is deployed successfully, do the following:

- Check that the resources are deployed:

  ```bash
  $ kubectl get secretstore -n demo-deploy-sit
  NAME   AGE     STATUS   READY
  demo   5m57s   Valid    True
  $ kubectl get externalsecret -n demo-deploy-sit
  NAME    STORE   REFRESH INTERVAL   STATUS         READY
  mongo   demo    1h                 SecretSynced   True
  ```

- In the top right corner, enter the `Cluster settings` and add `demo-deploy-sit` to the `Allowed namespace`.
- Navigate to `UI Portal` -> `Configuration` -> `Secrets` and ensure that the secret was created.
- Navigate to `UI Portal` -> `Workloads` -> `Pods` and select the deployed application.