Operator mit Helm installieren

# Register the upstream chart repository, then install External Secrets Operator.
# No -n is given, so the release goes into the kubeconfig's current namespace.
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets

Erstellung eines Azure Service Principals

# Azure Resource Manager provider; the empty features {} block is mandatory for azurerm.
provider "azurerm" {
  features {}
}

# Kubernetes provider used to create the Secret below; authenticates with the local kubeconfig.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

# Azure AD provider, pinned to the tenant of the identity Terraform is running as.
provider "azuread" {
  tenant_id = data.azurerm_client_config.current.tenant_id
}

# Tenant and subscription of the credentials Terraform itself is using (referenced by the locals below).
data "azurerm_client_config" "current" {}

# App registration that backs the service principal used by External Secrets Operator.
resource "azuread_application" "eso_app" {
  display_name = "external-secrets-operator"
}

# Service principal for the app registration above.
# NOTE(review): azuread provider 3.x renamed application_id to client_id on both resources —
# confirm against the pinned provider version.
resource "azuread_service_principal" "eso_sp" {
  application_id = azuread_application.eso_app.application_id
}

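# Client secret for the service principal. Its value ends up in Terraform state and in the
# Kubernetes Secret below, so both must be treated as sensitive.
resource "azuread_service_principal_password" "eso_sp_password" {
  service_principal_id = azuread_service_principal.eso_sp.id
  # NOTE(review): azuread provider 2.x and later generates the secret server-side and no longer
  # accepts `value`; drop this line (and random_password) if the pinned provider rejects it.
  value                = random_password.sp_password.result
  # Bounded lifetime instead of a fixed expiry in 2099: a credential that effectively never
  # expires cannot be rotated by policy. One year; re-apply (or taint) to rotate.
  end_date_relative    = "8760h"
}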

# Random client secret value. The result is persisted in Terraform state, so protect the state backend.
resource "random_password" "sp_password" {
  length  = 32
  special = true
}

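# Grants the service principal read access to secrets in the Key Vault.
# The vault itself (azurerm_key_vault.example) is not defined on this page.
resource "azurerm_role_assignment" "kv_role_assignment" {
  # Role assignments expect the SP's directory object ID. Use object_id explicitly: `.id` is
  # the resource ID, which on newer azuread provider versions is no longer the bare object ID.
  principal_id         = azuread_service_principal.eso_sp.object_id
  # Built-in data-plane role (read-only on secrets). It only takes effect when the vault uses
  # Azure RBAC (enable_rbac_authorization in azurerm 3.x); in access-policy mode this assignment
  # is ignored and an azurerm_key_vault_access_policy is needed instead.
  role_definition_name = "Key Vault Secrets User"
  scope                = azurerm_key_vault.example.id
}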

# Optional: build a JSON document in the Azure SDK auth format (like azure-credentials.json).
# It embeds the client secret, so this local — and anything derived from it — is sensitive
# and is recorded in Terraform state.
locals {
  azure_credentials = jsonencode({
    clientId     = azuread_service_principal.eso_sp.application_id
    clientSecret = azuread_service_principal_password.eso_sp_password.value
    tenantId     = data.azurerm_client_config.current.tenant_id
    subscriptionId = data.azurerm_client_config.current.subscription_id
    # Fixed public-cloud endpoints; sovereign clouds use different hosts.
    activeDirectoryEndpointUrl = "https://login.microsoftonline.com"
    resourceManagerEndpointUrl = "https://management.azure.com/"
    activeDirectoryGraphResourceId = "https://graph.windows.net/"
    sqlManagementEndpointUrl = "https://management.core.windows.net:8443/"
    galleryEndpointUrl = "https://gallery.azure.com/"
    managementEndpointUrl = "https://management.core.windows.net/"
  })
}

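# Kubernetes Secret consumed by the SecretStore further down. Besides the SDK-style JSON file it
# exposes clientId and clientSecret as individual keys, which is what authSecretRef reads.
resource "kubernetes_secret" "azure_secrets" {
  metadata {
    name      = "azure-secrets"
    namespace = "default"
  }

  # The provider base64-encodes `data` itself; wrapping values in base64encode() here would
  # double-encode them. Use `binary_data` for values that are already base64.
  data = {
    "azure-credentials.json" = local.azure_credentials
    clientId                 = azuread_service_principal.eso_sp.application_id
    clientSecret             = azuread_service_principal_password.eso_sp_password.value
  }
}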

Erklärung der Ressourcen:

  • azuread_application: Erstellt die Azure AD Anwendung, die den Service Principal repräsentiert.
  • azuread_service_principal: Erstellt den Service Principal für die Anwendung.
  • azuread_service_principal_password: Erstellt ein Kennwort (Client Secret) für den Service Principal.
  • azurerm_role_assignment: Weist dem Service Principal die Rolle Key Vault Secrets User für den Zugriff auf den Key Vault zu.
  • kubernetes_secret: Erstellt ein Kubernetes Secret, das die Azure-Anmeldeinformationen im azure-credentials.json-Format speichert. Das JSON wird aus dem locals-Block generiert.

Oder per CLI:

# Creates the app registration + service principal and writes an SDK-auth JSON (clientId,
# clientSecret, tenantId, subscriptionId, ...; same shape as the locals block above) to disk.
# The file contains the client secret — remove it once the Kubernetes Secret exists.
# NOTE(review): --sdk-auth is deprecated in newer az CLI releases; check the installed version.
$ az ad sp create-for-rbac --name "external-secrets-operator" --sdk-auth > azure-credentials.json

# jq turns every top-level JSON field into KEY=VALUE; --from-env-file stores each as a secret key
# (clientId, clientSecret, tenantId, ...), matching the key names the SecretStore's authSecretRef uses.
# The Secret is created in the current namespace; it must live in the SecretStore's namespace.
$ kubectl create secret generic azure-secrets --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" azure-credentials.json)

SecretStore anlegen

# Namespaced store for Azure Key Vault. authSecretRef resolves Secret "azure-secrets" in the
# SecretStore's own namespace; the keys clientId and clientSecret must exist in it.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: example-secret-store
spec:
  provider:
    azurekv:
      tenantId: "xxxxx-xxx-xxxx-xxxx-xxxxxxx"   # placeholder: tenant that owns the vault
      vaultUrl: "https://xxxxx.vault.azure.net" # placeholder: vault URL
      authSecretRef:
        clientId:
          name: azure-secrets
          key: clientId
        clientSecret:
          name: azure-secrets
          key: clientSecret

ExternalSecret anlegen

# Pulls one Key Vault secret via the SecretStore above into a Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-external-secret
spec:
  refreshInterval: 1h   # how often the value is re-read from Key Vault
  secretStoreRef:
    kind: SecretStore
    name: example-secret-store

  target:
    name: secret-to-be-created   # Kubernetes Secret that gets created/updated
    creationPolicy: Owner        # the Secret is owned by, and deleted with, this ExternalSecret

  data:
  - secretKey: secret-key   # key inside the target Kubernetes Secret
    remoteRef:
      key: secret-key       # name of the secret in Key Vault
