secret-store.yaml

#
#  Author: Hari Sekhon
#  Date: 2022-12-09 22:18:51 +0000 (Fri, 09 Dec 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#  lint: k8s
#
#  https://github.com/HariSekhon/Kubernetes-configs
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#          E x t e r n a l   S e c r e t s   -   S e c r e t S t o r e
# ============================================================================ #

# https://external-secrets.io/v0.8.1/api/secretstore/

# https://external-secrets.io/v0.8.1/api/clustersecretstore/

# Old - load AWS key to a secret - use newer external-secrets-serviceaccount.jsonpatch.yaml IRSA integration instead
#
#   aws_csv_creds.sh ~/.aws/keys/eks-external-secrets_accessKeys.csv | kubectl_kv_to_secret.sh NAMESPACE awssm-secret

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
#kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
  namespace: NAMESPACE  # XXX: Edit
spec:
  provider:
    aws:
      # https://external-secrets.io/v0.8.1/provider/aws-secrets-manager/
      service: SecretsManager
      # https://external-secrets.io/v0.8.1/provider/aws-parameter-store/
      #service: ParameterStore
      # define a specific role to limit access to certain secrets
      #role: iam-role
      region: eu-west-2
      auth:
        #secretRef:
        #  accessKeyIDSecretRef:
        #    name: awssm-secret
        #    key: AWS_ACCESS_KEY_ID
        #  secretAccessKeySecretRef:
        #    name: awssm-secret
        #    key: AWS_SECRET_ACCESS_KEY
        #
        # XXX: use EKS IRSA role on service account instead
        jwt:
          serviceAccountRef:
            name: aws-secret-store
            #namespace: NAMESPACE  # XXX: Edit for ClusterSecretStore

    # https://external-secrets.io/v0.8.1/provider/google-secrets-manager/
    gcpsm:
      projectID: MY-PROJECT  # XXX: Edit
      auth:
        # only this should be needed if using a service account assigned to the ESO pod
        #projectID: MYPROJECT  # XXX: Edit
        workloadIdentity:
          clusterLocation: europe-west2
          clusterName: MYCLUSTER  # XXX: Edit
          clusterProjectID: MYPROJECT  # XXX: Edit
          # XXX: specify service account if not assigned to the ESO pod via the serviceAccount field in the pod spec
          serviceAccountRef:
            name: SERVICEACCOUNTNAME  # XXX: Edit
            #namespace: NAMESPACE      # XXX: Edit: ignored for SecretStore, uses same local namespace

    # https://external-secrets.io/v0.8.1/provider/azure-key-vault/
    #azurekv:
    #  authType: WorkloadIdentity
    #  vaultUrl: "https://xx-xxxx-xx.vault.azure.net"
    #  serviceAccountRef:
    #    name: workload-identity-sa
    # OR
    #  authType: ManagedIdentity
    #  # Optionally set the Id of the Managed Identity, if multiple identities are assigned to external-secrets operator
    #  identityId: "<MI_clientId>"
    #  # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
    #  vaultUrl: "https://my-keyvault-name.vault.azure.net"