Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
Prerequisites
- A Kubernetes environment is deployed and working. 
- Helm is installed. Refer to https://helm.sh/docs/intro/install/ for details. 
- CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details. 
Steps
On Helm CLI
- Add the External Secrets Helm repository:

  ```sh
  helm repo add external-secrets https://charts.external-secrets.io
  ```

- Create a new namespace. It will store all the external secret pods. In this integration we are using `akeyless-eso` as the namespace.
- Install External Secrets using Helm:

  ```sh
  helm install external-secrets external-secrets/external-secrets -n akeyless-eso --create-namespace
  ```

  The above steps deploy External Secrets to your Kubernetes cluster using Helm.
On Akeyless Console
- Create an `akeylesscreds.yaml` file to store the access ID, access key, and access type in the form of a Kubernetes Secret. This file is used during Secret Store creation.

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: akeyless-secret-creds
  type: Opaque
  stringData:
    accessId: "p-XXXX"
    accessType: # api_key
    accessTypeParam: # replace by the appropriate value for <access-key>
  ```
- Create a `secretstore.yaml` file. This file separates the concerns of authentication/access from the actual Secret and configuration needed for workloads.

  ```yaml
  apiVersion: external-secrets.io/v1
  kind: SecretStore
  metadata:
    name: akeyless-secret-store
  spec:
    provider:
      akeyless:
        # URL of your akeyless API
        akeylessGWApiURL: "https://CM-IP/akeyless-api/v2"
        caBundle: # Provide the server cert of CM signed by CA having the IP SAN field. The caBundle should be in base64 format.
        authSecretRef:
          secretRef:
            accessID:
              name: akeyless-secret-creds
              key: accessId
            accessType:
              name: akeyless-secret-creds
              key: accessType
            accessTypeParam:
              name: akeyless-secret-creds
              key: accessTypeParam
  ```

  For CSM, the caBundle is essential for verifying the certificate. In the above manifest the IP address of the CipherTrust Manager is used in `akeylessGWApiURL`. Consequently, the server certificate of the CipherTrust Manager must carry the same IP address in its IP address SAN field. Otherwise the gateway connection fails with an "x509 certificate error", because the self-signed CA certificate of the CipherTrust Manager cannot be validated. To generate the certificate, refer to the steps provided in the Generate server certificate using local CA on CipherTrust Manager and Generate server certificate using external CA on CipherTrust Manager sections.
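The IP SAN requirement above can be checked before the SecretStore is applied. The Go program below is an added example, not code from this page, from ESO or from CipherTrust Manager: `checkCABundle` runs the same x509 verification ESO's Go TLS client performs when it dials `akeylessGWApiURL`, and `makeTestPKI` constructs stand-in certificates so the check runs offline; the host `192.0.2.10` stands in for CM-IP and the certificates are constructed, not real.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkCABundle repeats the check ESO's Go TLS client makes for akeylessGWApiURL:
// the server certificate must chain to (or be) the PEM placed in caBundle, and host
// (the URL's host part, here CM-IP) must match a SAN. Returns the base64 caBundle.
func checkCABundle(host string, serverPEM, caBundlePEM []byte) (string, error) {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(serverPEM)
	if block == nil || !roots.AppendCertsFromPEM(caBundlePEM) {
		return "", fmt.Errorf("server certificate or caBundle is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	// Go matches an IP literal in DNSName only against the IP SAN list, never the CN.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return "", fmt.Errorf("x509 certificate error: %w", err)
	}
	return base64.StdEncoding.EncodeToString(caBundlePEM), nil
}

// makeTestPKI builds a constructed local CA and a server cert signed by it with ips as IP SANs.
func makeTestPKI(ips []net.IP) (serverPEM, caPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Local CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "CipherTrust Manager"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IPAddresses: ips}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(srvDER), toPEM(caDER)
}
```

To validate a real caBundle before deploying, pass the downloaded CipherTrust Manager server certificate and the PEM you intend to base64-encode to `checkCABundle` instead of the constructed output of `makeTestPKI`.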
- Create a file named `externalsecret.yaml` to store the Akeyless secret. The `ExternalSecret` resource in this file fetches the secret from Akeyless and stores it as a K8s Secret on your cluster.

  ```yaml
  apiVersion: external-secrets.io/v1
  kind: ExternalSecret
  metadata:
    name: akeyless-external-secret-example
  spec:
    refreshInterval: 1h
    secretStoreRef:
      kind: SecretStore
      name: akeyless-secret-store # Must match SecretStore on the cluster
    target:
      name: akeyless-secret-to-create # Name for the secret to be created on the cluster
      creationPolicy: Owner
    data:
      - secretKey: secretKey # Key given to the secret to be created on the cluster
        remoteRef:
          key: /path/to/your/secret # Full path of the secret on Akeyless
  ```
- Deploy all the yaml files in the sequence below, using `kubectl apply -f <yaml-file-name> -n <namespace>`:

  ```sh
  kubectl apply -f akeylesscreds.yaml -n akeyless-eso
  kubectl apply -f secretstore.yaml -n akeyless-eso
  kubectl apply -f externalsecret.yaml -n akeyless-eso
  ```

  Check the status and READY state of all the deployed resources to ensure no failures are detected. If any deployment fails, debug and fix the error before proceeding.

  ```
  $ kubectl get externalsecret akeyless-external-secret-example -n akeyless-eso
  NAME                               STORE                   REFRESH INTERVAL   STATUS         READY
  akeyless-external-secret-example   akeyless-secret-store   1h                 SecretSynced   True
  $ kubectl get secretstore akeyless-secret-store -n akeyless-eso
  NAME                    AGE    STATUS   CAPABILITIES   READY
  akeyless-secret-store   2d1h   Valid    ReadOnly       True
  ```
- Verify that the secret present at the path `/Static-Secret/Akeyless` in your Akeyless account is successfully synced to the K8s cluster using the command below.

  ```sh
  kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' -n akeyless-eso | base64 -d
  ```
Generate server certificate using local CA on CipherTrust Manager
To generate a server certificate with an IP SAN field for use as the caBundle, perform the following steps:
- Log on to the CipherTrust Manager GUI. 
- Navigate to CA > CSR Generator. The CSR Generator screen appears. 
- Select the Generic CSR radio button and provide the following details:
  - Common name
  - Algorithm as RSA
  - IP address of the CipherTrust Manager machine.
  - You may skip the remaining parameters as they are optional.
- Click Generate CSR and download Private Key.
  - Make sure to save the generated CSR and private key.
- Navigate to CA > Local. The list of available CAs is displayed.
- Click the name of any local CA displayed on the page. The screen listing the certificates issued by that CA is displayed.
- Click Upload CSR and provide the following details:
  - Display name
  - CSR
  - Certificate Purpose as Server.
- Click the ellipsis icon corresponding to the newly generated certificate and select Download.
  - Save the downloaded certificate.
- Go back to the corresponding local CA. Click the ellipsis icon and select Download.
  - Save the downloaded CA.
- Create a certificate chain by combining the following into a single file:
  - certificate
  - local CA certificate
  - private key
  - Make sure to keep the private key at the bottom.
- Navigate to Admin Settings > Interfaces.
- Click the ellipsis icon corresponding to the web interface type and select Certificate Options.
  - The Interface Certificate Options on 'web' screen is displayed.
- Select Upload New Certificate and click OK.
- On the Upload Certificate screen, do the following steps:
  - Upload the file created in step 11.
  - Select Format as PEM.
- Click Upload Certificate.
- Restart the CipherTrust Manager services.
- Navigate to Admin Settings > Interfaces.
- Click the ellipsis icon corresponding to the web interface type and select Download Certificate.
  - Save the downloaded server certificate.
- Encode the downloaded certificate to Base64 format.
  - This encoded value is used for the caBundle.
Generate server certificate using external CA on CipherTrust Manager
To generate a server certificate with an IP SAN field for use as the caBundle, perform the following steps:
- Log on to the CipherTrust Manager GUI. 
- Create a certificate chain (using external platforms such as OpenSSL) by combining the following into a single file:
  - certificate
  - external CA certificate
  - private key
  - Make sure to keep the private key at the bottom.
- Navigate to Admin Settings > Interfaces.
- Click the ellipsis icon corresponding to the web interface type and select Certificate Options.
  - The Interface Certificate Options on 'web' screen is displayed.
- Select Upload New Certificate and click OK.
- On the Upload Certificate screen, do the following steps:
  - Upload the file created in step 2.
  - Select Format as PEM.
- Click Upload Certificate.
- Restart the CipherTrust Manager services.
- Navigate to Admin Settings > Interfaces.
- Click the ellipsis icon corresponding to the web interface type and select Download Certificate.
  - Save the downloaded server certificate.
- Encode the downloaded certificate to Base64 format.
  - This encoded value is used for the caBundle.
Troubleshooting
| Error | Workaround | 
|---|---|
| Encountering the following error while configuring caBundle: "x509 certificate error". | Provide the server cert of CipherTrust Manager signed by CA having the IP SAN field. To do so, refer to the steps provided in the Generate server certificate using local CA on CipherTrust Manager and Generate server certificate using external CA on CipherTrust Manager sections. |