Overview:
This documentation outlines the workflow and functionality of the External Secret Microservice within the 01Cloud ecosystem. The External Secret Microservice plays a pivotal role in securely managing external secrets and integrating them into the environment creation process. This document provides an in-depth understanding of its operation and usage.
External Secret Workflow:
The External Secret Microservice facilitates the seamless integration of external secrets into the 01Cloud environment creation process. This workflow involves four key microservices: UI, API, CI/CD, and External Secret.
1. User Interaction through UI
- Users enable and fill out the necessary form in the UI.
- The external secret field in the JSON payload of the environment creation is populated based on user input.
2. Data Transmission to API Microservice
- The UI sends the populated data to the API Microservice.
- If the external secret field is not empty, the external secret data is prepared and sent to the External Secret Queue for further processing.
3. External Secret Process
3a. Creation of Credential Secret
- Upon receiving the queue with the required payload, the External Secret Microservice initiates its processing workflow.
- A pivotal step is the creation of a credential secret tailored to the specified external secret provider. This secret is an essential component in establishing secure access to external secrets.
3b. Creation of Secret Store
- Following the successful creation of the credential secret, the External Secret Microservice proceeds to create a Secret Store.
- The Secret Store is namespaced and serves as a crucial bridge to access the external API. It maps precisely to a single instance of an external API and utilizes the credentials stored in the previously created credential secret.
3c. Creation of External Secret
- With the Secret Store in place, the External Secret Microservice proceeds to generate the External Secret resource.
- This resource is responsible for validating and retrieving external secret data from the specified external secret provider.
3d. Storage of Secret Data
- Finally, the External Secret Microservice inserts the retrieved data into a newly created secret.
- The secret is stored in a key-value format, securely maintained within the Kubernetes cluster.
4. Validation and Error Handling
- The service checks if all keys required in the case of a template environment are present in the fetched secret data.
- If any required keys are missing, an error is generated, indicating the missing keys.
5. User-Friendly Error Handling
- If any validation fails, secret name or key mismatches occur, or any technical issues arise, the user is notified with an error message in the UI.
- The environment creation process is halted until the external secret issues are resolved.
6. User Intervention and Resume
- Users can edit credentials and secret keys/names through the External Secret Settings tab in the UI.
- Once the external secret is successfully fetched from the provider or external secret manager, the environment creation process resumes as expected.
7. Sync and Update Functionality
- Users can perform updates or synchronization of external secrets.
- Sync functionality is available with a dedicated API that handles synchronization accordingly.
Note: Sync functionality can be initiated by making updates to the external secret manifest. Specifically, it involves modifying an annotation within the external secret manifest known as force-sync.
kubectl annotate es my-es force-sync=$(date +%s) --overwrite
Conclusion:
The External Secret Microservice streamlines the management of external secrets in the 01Cloud environment creation process. By following the workflow and understanding the error handling mechanisms, users can ensure the secure integration of external secrets into their environments. This documentation serves as a comprehensive guide for effectively utilizing the External Secret Microservice within the 01Cloud ecosystem.