
Secrets in METIS

Introduction

METIS uses the External Secrets Operator (ESO) to provide secrets to applications running in Kubernetes.

This section describes how to configure the External Secrets Operator to use a Kubernetes namespace as its secret store backend.

Using this Kubernetes-namespace vault is recommended because METIS modules are pre-configured to read their secrets from it. Since the backend is plain Kubernetes Secrets, access to the vault namespace is the trust boundary: restrict RBAC on that namespace to the operator and to administrators.

Installation

Deploy External Secrets Operator with Argo CD

Apply the External Secrets Argo CD Application manifest from the Base module:

kubectl apply -f examples/external-secrets.yaml

For more details, see the External Secrets documentation.

Deploy the Kubernetes vault

Deploy the Kubernetes manifests that configure Kubernetes as the Secret Store backend, from the Base module:

kubectl apply -f example/vault.yaml

Add secrets in Vault

To add a secret to the vault, you can:

  • either manually create a Kubernetes Secret in the vault namespace,
  • or use the vault-manager.py script, which writes secrets from an input file to the vault namespace.

From an input file

Download the vault-manager.py script.

Create a vault-secrets.yaml file listing the secrets to create (you may copy secrets/vault-secrets.yaml from the module you are installing):

# vault-secrets.yaml
secrets:
    <name of the secret 1>:
        <name of secret key 1>: <value of secret 1 key 1>
        <name of secret key 2>: <value of secret 1 key 2>
        [...]
    <name of the secret 2>:
        <name of secret key 1>: <value of secret 2 key 1>
        <name of secret key 2>: <value of secret 2 key 2>
        [...]
    [...]

Secret values can be automatically generated by using these keywords as values:

  • GENERATE_API_TOKEN: to generate an API token
  • GENERATE_CLIENT_SECRET: to generate a client secret or a UUID
  • GENERATE_SIMPLE_PASSWORD: to generate a basic password
  • GENERATE_STRONG_PASSWORD: to generate a complex password

For OIDC client secrets, generate them in Keycloak and paste them into your vault-secrets.yaml file.

# Load the secrets from vault-secrets.yaml
python3 vault-manager.py vault-secrets.yaml

The script creates all the listed secrets in the vault namespace.

Note that the input file contains secret values in plaintext (and, for generated values, the only copy outside the cluster is the Secret itself): keep it out of version control and delete it, or move it to an encrypted location, once the secrets have been loaded.

Use secrets

ExternalSecret resources are created by each METIS module as needed.

They reference the vault Secrets as provided by standard METIS.

ExternalSecret manifests are stored inside each module in the examples/ folder, next to the application that uses them, and can be deployed at the same time as the application. Each manifest in the examples/ folder includes its ExternalSecret; to skip creating some of them, remove them from the manifest file before deploying it.
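The following is an added example, not METIS's own vault-manager.py (whose internals this page does not show) and not one of the module manifests. It covers both the input-file procedure above and the "Use secrets" section: it takes the vault-secrets.yaml structure, resolves the four GENERATE_* keywords with cryptographically secure generators, validates names against Kubernetes rules, and emits the v1 Secret manifests for the vault namespace together with one ExternalSecret per secret that pulls it back through an ESO Kubernetes-provider store. The namespace name "vault", the store name "vault", the ESO API version, and the sample input are assumptions made for the example.

```python
# Added example: illustrative re-implementation of the vault-secrets.yaml
# flow, not METIS's vault-manager.py. Namespace, store name and API version
# below are assumptions; adjust them to your deployment.
import base64
import json
import re
import secrets
import string
import sys
import uuid

VAULT_NAMESPACE = "vault"                # assumption: namespace used as the secret store
STORE_NAME = "vault"                     # assumption: name of the ESO ClusterSecretStore
ESO_API = "external-secrets.io/v1beta1"  # assumption: ESO API version in use

# Kubernetes naming rules: Secret names are DNS-1123 subdomains, data keys match [-._a-zA-Z0-9]+
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def generate_api_token() -> str:
    """64 hex characters from 32 random bytes (256 bits of entropy)."""
    return secrets.token_hex(32)


def generate_client_secret() -> str:
    """UUID4: 122 random bits, the shape many OAuth/OIDC clients expect."""
    return str(uuid.uuid4())


def generate_simple_password(length: int = 16) -> str:
    """Alphanumeric only; suitable for internal service-to-service credentials."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_strong_password(length: int = 32) -> str:
    """Mixed character classes; the symbol set avoids quotes and backslashes that break shell/URL embedding."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


GENERATORS = {
    "GENERATE_API_TOKEN": generate_api_token,
    "GENERATE_CLIENT_SECRET": generate_client_secret,
    "GENERATE_SIMPLE_PASSWORD": generate_simple_password,
    "GENERATE_STRONG_PASSWORD": generate_strong_password,
}


def resolve_value(value) -> str:
    """Replace a GENERATE_* keyword with a fresh value; any other value is used verbatim."""
    if isinstance(value, str) and value in GENERATORS:
        return GENERATORS[value]()
    return str(value)


def build_secret_manifests(spec: dict, namespace: str = VAULT_NAMESPACE) -> list:
    """Turn {'secrets': {name: {key: value}}} into v1 Secret manifests, validating names first."""
    manifests = []
    for name, keys in spec["secrets"].items():
        if not NAME_RE.match(name):
            raise ValueError(f"invalid Secret name {name!r}: must be a DNS-1123 subdomain")
        data = {}
        for key, value in keys.items():
            if not KEY_RE.match(key):
                raise ValueError(f"invalid key {key!r} in secret {name!r}")
            data[key] = base64.b64encode(resolve_value(value).encode()).decode("ascii")
        manifests.append({"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                          "metadata": {"name": name, "namespace": namespace}, "data": data})
    return manifests


def decode_secret(manifest: dict) -> dict:
    """Plaintext view of a Secret manifest's data, for inspection before applying it."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}


def build_external_secret(secret_name: str, target_namespace: str, store: str = STORE_NAME) -> dict:
    """ExternalSecret copying every key of the vault Secret into target_namespace.
    With ESO's kubernetes provider the remote 'key' is the name of the Secret in the vault namespace."""
    return {"apiVersion": ESO_API, "kind": "ExternalSecret",
            "metadata": {"name": secret_name, "namespace": target_namespace},
            "spec": {"refreshInterval": "1h",
                     "secretStoreRef": {"kind": "ClusterSecretStore", "name": store},
                     "target": {"name": secret_name, "creationPolicy": "Owner"},
                     "dataFrom": [{"extract": {"key": secret_name}}]}}


if __name__ == "__main__":
    # Constructed sample input in the vault-secrets.yaml structure (kept as a dict so no YAML parser is needed).
    sample = {"secrets": {
        "my-app-db": {"username": "my_app", "password": "GENERATE_STRONG_PASSWORD"},
        "my-app-api": {"token": "GENERATE_API_TOKEN"},
    }}
    items = build_secret_manifests(sample)
    items += [build_external_secret(m["metadata"]["name"], "my-app") for m in items]
    # kubectl accepts a JSON List:  python3 this_script.py | kubectl apply -f -
    json.dump({"apiVersion": "v1", "kind": "List", "items": items}, sys.stdout, indent=2)
```

The generators use the `secrets` module rather than `random`, which is the property that matters for anything named GENERATE_*; the name and key validation fails fast instead of letting `kubectl apply` reject a manifest after some Secrets were already created.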