How to Propagate Secrets Everywhere with External Secrets Operator (ESO) and Crossplane

00:00

[Music]

00:06

today I want to talk about Secrets but

00:08

don't go away don't go away just yet I

00:11

know that for many Secrets is either

00:14

boring or you think you already know

00:17

everything there is to know about

00:18

managing Secrets I will not talk about

00:22

obvious secret stuff instead I want to

00:24

try to answer some less often asked yet

00:28

important questions how do we make

00:30

Secrets easy and irrelevant to users how

00:34

do we propagate Secrets without making

00:36

them exposed how do we generate secrets

00:40

in one place but use them in another

00:44

safely and a few others today's video

00:47

will be different than what you might

00:48

expect from Secrets today I want to

00:51

explore and solve a few problems I was

00:54

facing not long ago and that I believe I

00:58

solved without making anyone suffer let

01:03

me explain the problem before I show you

01:05

a possible

01:08

solution I tend to manage a number of

01:11

resources there are clusters

01:13

applications databases and so on and so

01:15

forth most of those generate or consume

01:19

Secrets some of them do both some

01:22

secrets were added manually to a Secret

01:23

store like a Google secret manager AWS

01:26

secret manager Azure key Vault or

01:28

whatever else you you are using or I'm

01:31

using others however are generated as

01:34

kubernetes secrets and not stored in any

01:38

of those secret stores which by itself

01:41

is a bad situation which I will explain

01:44

in a moment so far you probably do not

01:46

see a problem you might be inclined to

01:48

say that a tool like external Secrets

01:50

operator can solve those issues it can

01:54

pull secrets from almost any secret

01:56

manager if you're already using it you

01:59

might even be aware that it can also

02:01

push secrets to a secret manager choice

02:05

if you're not familiar with external

02:06

secrets you might want to watch that

02:08

video just don't do it right now finish

02:11

this one first if that's what you're

02:13

thinking you're right external Secrets

02:15

operator or any other similar tool

02:18

solves some of my problems but not all

02:22

let me explain what I need I have a

02:24

control plane cluster in my case that's

02:26

cross plane and in yours that might be

02:28

something else it's could be a simple

02:31

server from which you run terraform or a

02:33

pipeline or anything else from where you

02:35

do stuff it does not matter for now what

02:39

does matter is that kubernetes clusters

02:41

are created managed and removed from

02:43

that control plane now those clusters

02:45

need to have a number of secrets that

02:48

enable them to interact with outside

02:50

Services a good example would be

02:52

credentials that must be used to pull or

02:54

even push images from or to a container

02:58

image registry almost almost every

03:00

cluster needs some secrets to operate

03:02

correctly now those Secrets should be

03:04

pulled from whichever Secrets manager I

03:07

might be using and that means that they

03:09

all have to have external Secrets

03:12

operator or whichever other similar tool

03:15

we might be using however that operator

03:18

needs a secret with authentication so

03:21

that it can fetch secrets from the

03:23

secrets manager to be honest I know that

03:25

there are many many ways to accomplish

03:28

all that but to tend to complicate My

03:30

Life by treating all those requirements

03:32

as Baseline requirements as table Stakes

03:35

when I do create a cluster all those

03:37

need to be there from the start and I

03:41

don't want to have to perform many steps

03:43

to get them ideally I should say create

03:46

a cluster and apart from a cluster being

03:49

created it should come pre-loaded with

03:51

the external Secrets operator

03:52

credentials it needs and secrets pulled

03:56

I don't want to work to get those they

03:58

just need to get their automatically

04:00

there's more though sometimes I will set

04:03

up a new database in one place but run

04:05

an application that consumes that

04:07

database in another I might for example

04:10

instruct the control plane to create and

04:12

manage a database and that will among

04:15

other things result in a secret with

04:17

database authentication being created in

04:19

the control plane cluster I don't need

04:22

that secret there I need it somewhere

04:25

else I need it in the cluster where the

04:28

application that consumes assumes the

04:30

database is running hence that secret

04:32

needs to be moved from one place to

04:34

another actually that's not correct it

04:37

should not be moved but rather copied

04:40

however I cannot just copy the secret

04:42

that would be silly since I'm supposed

04:44

to keep secrets in the secret manager

04:46

hence I need to push that secret to the

04:49

secret manager from one place and pull

04:52

it from the secret manager to another

04:55

there's still more though I don't want

04:58

those things to be a burden to others

05:00

creating and managing databases or

05:03

applications or whatever they're

05:04

managing I want all that to be

05:06

transparent no invisible I want people

05:09

to be secure yet not to have to learn

05:13

all the details or worry about those

05:15

things it should be like magic people

05:18

should be in control of things that

05:20

matter to them while those that don't

05:22

should just happen Secrets or even

05:25

Security in general fall into the I do

05:28

not care that I am safe category

05:32

normally I have quite a few other

05:33

requirements but those I discussed so

05:36

far are enough to give you an idea what

05:38

I'm trying to accomplish that was enough

05:41

talk let me show you how I solved those

05:43

issues let me show you how to deal with

05:46

Secrets without making anyone

05:51

suffer before we proceed I should tell

05:54

you that all the commands I will execute

05:56

in this video are available in aist and

05:58

the link to it is in the description

06:01

please use it if you would like to

06:02

reproduce what I'm showcasing right now

06:05

my cube cutle is pointing to the control

06:07

plane cluster over there if you take a

06:09

look at the crossplane system Nam space

06:13

we can see that aw crets is available I

06:16

created that secret manually and

06:18

hopefully hopefully that's the only

06:21

secret I will manage myself that secret

06:24

contains AWS credentials which for

06:27

example are used by crossplane to

06:28

communicate with my AWS account to

06:30

create kubernetes clusters databases and

06:32

whatever else I need at the same time

06:35

that secret is also used by external

06:37

Secrets operator to pull Secrets I

06:40

instructed to pull by the way I made an

06:43

assumption that you're familiar with

06:44

crossplane if you're not please watch

06:47

those videos or even better watch the

06:50

crossplay tutorial I published uh as a

06:52

set of videos short file ago the link to

06:55

the playlist is in the description

06:57

alternatively you can explore the

06:59

composition yourself the link to the

07:01

repo is in the description as well the

07:03

important note within the context of

07:05

today's subject is that I need that

07:07

secret to be available in clusters I

07:10

will create from this control plane so

07:12

let's take a look at one example and

07:14

this is the part that makes everything

07:16

simple for the end users it is a cluster

07:18

claim that creates everything required

07:20

to run a kubernetes cluster in AWS if

07:22

you followed my work you already saw a

07:24

variation of such crossplay composition

07:26

so I will not go into details the

07:28

interesting part is the creds entry that

07:31

font tells crossplane to take the AWS

07:33

creds secret and put it into the

07:36

crossplane system namespace that secret

07:38

in that cluster should contain the creds

07:41

access key ID and secret access key keys

07:45

as a result crossplane will create a

07:47

cluster and everything it needs and it

07:49

will copy the AWS cret secret into that

07:52

new cluster now to be completely clear

07:56

that's not the best way to propagate

07:58

secrets from one place to another a

08:00

better way would be to use external

08:02

Secrets operator and instruct it to pull

08:04

a secret from a secret manager however

08:08

to do that we need external secrets to

08:10

be able to authenticate with the secrets

08:12

manager and that's the primary purpose

08:14

of coping AWS creds secret an important

08:18

note is that the end user has freedom to

08:21

choose which secret to copy to which

08:23

namespace to place it and which keys to

08:26

include on the other hand the end user

08:28

does not need to worry about the details

08:30

there's no need to know how it was done

08:33

and what's the magic behind the process

08:35

further on we have the open function

08:38

field which installs open function in

08:40

that cluster that one is not directly

08:42

related to Secrets however among other

08:45

things open function builds container

08:47

images and stores them in a registry for

08:49

that to work it needs credentials stored

08:52

in a kubernetes secret by the way if

08:54

you're not familiar with open function

08:57

please check out that video uh since I

09:00

already explained it over there I will

09:01

not go into details of how it works and

09:04

what it does in in this one in this

09:06

video to accommodate the need for a

09:09

secret with container registry

09:10

authentication as well as other secrets

09:13

we might need that is the external

09:15

Secrets section in it we have the

09:18

enabled field that will ensure that

09:20

external Secrets operator is deployed to

09:22

the cluster and the store which will

09:24

create cluster Secrets store resource

09:28

that's the one that needs a secret that

09:30

allows it to connect to the secret

09:31

manager that secret is retrieved from

09:34

the aw crets we explored earlier and all

09:36

we have to do is specify the keys

09:40

finally with external Secrets operator

09:42

fully operational and capable of

09:44

fetching secrets from the secrets

09:45

manager we are listing all the secrets

09:48

we would like to pull into that cluster

09:51

in this specific case there is one that

09:54

provides authentication to The Container

09:56

image registry needed for oper function

09:59

now now you might be thinking that the

10:00

whole setup is not secure and you would

10:03

be right secrets are stored safely in

10:05

the secrets manager but anyone could

10:08

create a cluster with any or all of the

10:11

secrets that's where policies would come

10:13

in typically I would set up CNO policies

10:15

that would define who can do what and

10:18

more specifically who can create those

10:20

cluster claims and which values are

10:22

allowed that combined with the fact that

10:24

secrets are safely pulled from a Secrets

10:27

manager makes it pretty safe except the

10:29

fact that kubernetes Secrets themselves

10:31

are not always safe but that would be a

10:33

subject for a separate video the good

10:36

news is that the end users do not need

10:39

to worry about any of the things we

10:41

discussed all they have to do is write

10:43

those 30s something lines of yam and

10:45

send it to the kubernetes API so let's

10:48

do just that now we can observe what's

10:51

happening with the crossplane trace

10:53

command quite a few resources were

10:55

created in the control plane cluster

10:57

some of them will create and manage a WS

10:59

resources others will create stuff in

11:01

the control plane cluster while some

11:03

will set up things in the new cluster

11:06

once it's operational you will notice

11:08

that quite a few resources are having

11:09

errors that's okay some of them like for

11:13

example Nam spaces cannot be created yet

11:15

since the cluster where they should be

11:17

applied is not yet operational

11:19

everything will be eventually consistent

11:22

and while waiting for that to happen we

11:24

can focus on the few of those resources

11:27

related to the secrets we discussed by

11:29

the way I explored eventual consistency

11:31

both from the theoretical and from the

11:33

Practical perspectives in those videos

11:36

over there uh so please check them out

11:38

if you would like to understand better

11:40

what I meant by uh all this by eventual

11:44

consistency we have the ATM cluster

11:47

credits resources that is copying the

11:49

hyperscaler credentials from the control

11:51

plane cluster to the new cluster that's

11:53

the one external Secrets needs to

11:55

authenticate with the secrets manager

11:58

which in my case is in AWS then we have

12:01

a cluster Secret store that will create

12:05

external Secret store that uses those

12:07

credentials finally there is the push

12:09

secret that will be pulled from the

12:12

secrets manager and which will be used

12:14

by open function to push those images

12:17

that's it that was yet another

12:19

explanation that matters to you the

12:21

person that builds who builds services

12:24

like the one we are exploring today but

12:26

not to the end users they do not need to

12:29

care yet they will be safe all that's

12:32

left to do is to wait until all the

12:34

resources are up and running so let's

12:37

fast forward and Trace the claim one

12:40

more time there might be a problem with

12:41

open function it is still in creating

12:43

state or to be more precise crossplay

12:46

things that it is creating but it's

12:47

probably up and running it's a massive

12:49

massive Helm chart that takes ages to

12:51

deploy as and it's probably timing out I

12:54

I'll fix that later it's that's not

12:57

relevant for this story what does matter

12:59

is that we can now retrieve Cube config

13:03

and retrieve secrets from the crossplane

13:06

system namespace it's there the AWS cred

13:10

secret was automatically created in this

13:12

new cluster we can also list external

13:14

Secret store and observe that that it

13:19

was created correctly the fact that the

13:21

status is valid means that it was able

13:24

to connect to the secrets manager in AWS

13:27

in this case we can also list external

13:29

Secrets resources and observe that push

13:33

secret was synced that means that it

13:35

succeeded in pulling the register secret

13:38

from the secret manager we can confirm

13:40

that as well by retrieving kubernetes

13:42

secrets from the production Nam space

13:44

the push secret is there that's the one

13:47

that contains the authentication to The

13:49

Container image registry open function

13:51

needs what did we do let me paint it for

13:55

you let me show you a diagram of what we

13:57

did the control plane cluster contained

13:59

crossplane and a secret with the AWS

14:02

authentication from there on we applied

14:04

a crossplane composite claim that

14:06

created a new kubernetes cluster in my

14:08

case eks with everything that it

14:12

requires the secret from the control

14:14

plane was copied to the new cluster and

14:15

external Secrets operator was installed

14:18

and configured using that secret to

14:20

communicate with the aw Secrets manager

14:23

finally external Secrets operator pulled

14:26

the secret with credentials from the

14:28

container image registry which will be

14:30

used by open function that was also

14:33

installed and configured inside that new

14:36

cluster but here's a big part that's not

14:41

enough I have a potentially more

14:44

interesting example to

14:47

demonstrate databases are special they

14:51

often do not run in the same place where

14:53

applications are running for example I

14:56

might have an awsrds database and then

14:58

applic running in a kubernetes cluster

15:00

if RDS is created with crossplane

15:02

crossplane will create a kubernetes

15:05

secret with the authentication details

15:07

however that secret will be created in

15:10

the control plane cluster the one where

15:12

cross plane is running while the

15:13

application that should use it might be

15:15

running in a different cluster that

15:17

means that we might need to safely

15:19

propagate the secret from one cluster to

15:22

another ideally we should not just copy

15:25

the secret but push it to the secrets

15:26

manager and pull it from there wherever

15:29

we need it that's exactly what we will

15:31

do next and I already prepared a

15:33

composition that will do just that so

15:36

let's take a look at the Manifest that

15:38

will claim it that manifest will create

15:40

a poql server and everything else needed

15:44

for it to run in AWS a database inside

15:48

that server and quite a few other things

15:51

those are not important right now what

15:53

matters is the secrets section by the

15:56

way please let me know through comments

15:57

in this video if it would be interesting

16:00

to explore database as a service in one

16:03

of the upcoming videos that claim will

16:05

create a secret in the control plane

16:07

cluster the one that runs cross plane

16:09

but as I already mentioned we need it

16:11

elsewhere that elsewhere could be the

16:13

new cluster we created earlier it

16:15

already contains open function which is

16:17

a great way to define build and deploy

16:20

applications which might need to connect

16:22

to a database hence we need the secret

16:24

in that other cluster the store name

16:27

defines the external Secret store that's

16:29

the one we created earlier when we

16:31

created the cluster RDS requires a root

16:34

password so we are fetching it from the

16:35

aw SEC manager through the pull root

16:39

password key value that's similar to

16:41

what we did before the interesting part

16:43

comes next the push to store parameter

16:46

tells the composite resource to push

16:48

that secret it will create in the

16:50

control plane cluster to the secret

16:52

manager the van LS external Secrets

16:55

operator which we are propping here has

16:58

the capability not only to pull but also

17:00

to push Secrets further on we are

17:03

telling the claim to pull the secret

17:06

from the secret manager into the

17:08

production name space inside The A Team

17:11

cluster let's apply the claim and see

17:13

what happens first I will unset Cube

17:16

config so add Cube cutle points to the

17:18

control plane cluster and apply the

17:21

claim let's see what we got with the

17:23

cross PL phas command among others we

17:25

got the secret pull resource that pulls

17:29

root password from The hyperscalers

17:31

Secret store then there is the push

17:34

store resource that pushes DB secret to

17:36

The Secret store and finally the pull

17:38

cluster resource that pulls the secret

17:41

with the creds to the other cluster it

17:44

will take a while until all the

17:45

resources available so let's fast

17:48

forward and Trace the claim again all

17:51

the resources are available and we can

17:53

take a look at what we got to begin with

17:55

there should be the secret with the root

17:57

password in the control plane cluster

17:59

since that's the data crossplane itself

18:02

needs we can see that the external

18:04

secret was created which in turn created

18:08

the mightyb kubernetes secret with the

18:10

password pulled from the Clusters uh not

18:12

clusters but Secrets manager once the

18:15

database server was created crossplane

18:17

created a secret with the IP port

18:20

username and password that can be used

18:21

to access the database server since we

18:23

need that info in the other cluster the

18:26

one where the application that might use

18:29

that database should be running the

18:31

composite resource created the external

18:33

Secrets push secret which in turn pushed

18:36

it to the secrets manager we can confirm

18:39

that's indeed what happened by going to

18:41

the AWS console and there we go the

18:43

secret was indeed created finally the

18:46

secret should be pulled into the other

18:48

cluster so let's export Cube config

18:51

again and list all external secrets in

18:55

the production name space the myb

18:57

external secret is there and you know

18:59

what that means right if you L the

19:01

secrets in the production name space we

19:04

can see that it was pulled from the

19:06

secrets manager so what did I do what

19:08

did we do from the control plane cluster

19:10

the one with cross plane we created a

19:13

composite claim that created all the AWS

19:15

resources required to run uh RDS

19:18

database server and it created database

19:21

inside it among other things the server

19:23

needed a root password so the composite

19:26

resource created an external Secret

19:29

which in turn pulled the root password

19:31

from the aw Secrets manager and used it

19:34

to create a kubernetes secret once the

19:37

database was created cross created a

19:39

secret with the connection info since we

19:42

needed that info in a secret in a

19:44

different cluster it also created

19:46

external Secrets push secret which

19:49

pushed it to the secrets manager finally

19:52

it created an external secrets in the

19:55

cluster where the application should run

19:57

which in turn pulled the connection info

20:00

from the secrets manager and created

20:03

kubernetes secret from there on an

20:06

application can connect to the database

20:08

from that cluster by simply mounting the

20:12

secret that must have been overwhelming

20:15

but hopefully useful to see what can be

20:17

done by combining crossplane with

20:18

external secrets and a few other tools

20:20

thank you for watching see you in the

20:22

next one

20:27

cheers