Skip to main content

Secret Management

External Secrets Operator

If your organization requires sensitive data to be stored in a secret store such as Vault and Secrets Manager, you may need a way to retrieve secrets from your secret store into your cluster. External Secrets Operator is a Kubernetes Operator that fetches secrets from external APIs and creates Kubernetes secrets.

The reference implementation uses this operator to sync secrets between the cluster and AWS Secrets Manager. Information such as generated user password, Keycloak admin password, and database password are stored as an entity in AWS secrets manager.

TLS Certificates

If you opted to use cert manager to manage certificates for you endpoints, certificates and their private keys are stored as Kubernetes secrets. If this does not meet your security standard, you can store it in a secret store of your choice, then use External Secrets Operator to sync it. An example manifest for Secrets Manager would look something like this. 

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: backstage-prod-tls
  namespace: backstage
spec:
  refreshInterval: 12h
  secretStoreRef:
    name: keycloak
    kind: SecretStore
  target:
    name: backstage-prod-tls
    template:
      type: kubernetes.io/tls
      data:
        tls.crt: "{{ .public }}"
        tls.key: "{{ .private }}"
  data:
    - secretKey: private
      remoteRef:
        key: cnoe/tls/dev # path to the tls cert in Secrets Manager
        property: PRIVATE_KEY
    - secretKey: public
      remoteRef:
        key: cnoe/tls/dev
        property: CERT

When removing the reference implementation installation from your cluster, the uninstall script will back up the secrets to a local directory. This is to avoid re-issuing Let's Encrypt certificate for the same host because Let's Encrypt has a limit on how many times you can request certificates in a given time.