YC K8s KMS NLB ALB Lockbox DNS CL CR
October 8, 2022
Lockbox
Lockbox is a managed store for secrets. It can hold IAM keys, API keys, OAuth tokens, and so on.
Create a secret in Lockbox with a KMS encryption key.
export KMS=$(yc kms symmetric-key get k8s-key --format json | jq -r ".id")
export FOLDER=$(yc config get folder-id)
yc lockbox secret create \
  --folder-id $FOLDER \
  --name lockbox-secret \
  --description "k8s+lockbox" \
  --labels prod=lb-k8s \
  --kms-key-id $KMS \
  --payload "[{'key': 'ssh', 'text_value': 'ssh-rsa <ssh public key elided> cameda@cameda-osx'}]" \
  --deletion-protection \
  --async
This secret is protected against accidental deletion. Inside it holds the password for some resource: password=p@$w0rd. The secret also uses encryption when its data is delivered to an external consumer; that connection is encrypted with the KMS key.
export Lockbox=$(yc lockbox secret get lockbox-secret --format json | jq -r ".id")
Grant the service account (SA) rights to the secret.
yc lockbox secret add-access-binding $Lockbox \
  --service-account-name cameda-service \
  --role lockbox.admin,lockbox.payloadViewer \
  --async
Collect information about the Lockbox secret.
yc lockbox secret list
+----------------------+----------------+----------------------+---------------------+----------------------+--------+
| ID                   | NAME           | KMS KEY ID           | CREATED AT          | CURRENT VERSION ID   | STATUS |
+----------------------+----------------+----------------------+---------------------+----------------------+--------+
| e6q201r57rfu4b0o0s5k | lockbox-secret | abjesk4gh0vo91lm3ia6 | 2022-06-03 21:16:14 | e6qcnqo2aveh39mbu1p6 | ACTIVE |
+----------------------+----------------+----------------------+---------------------+----------------------+--------+
yc lockbox secret get $Lockbox
id: e6q201r57rfu4b0o0s5k
folder_id: $FOLDER
created_at: "2022-06-03T21:16:14.558Z"
name: lockbox-secret
description: k8s+lockbox
labels:
  prod: lb-k8s
kms_key_id: abjesk4gh0vo91lm3ia6
status: ACTIVE
current_version:
  id: e6qcnqo2aveh39mbu1p6
  secret_id: e6q201r57rfu4b0o0s5k
  created_at: "2022-06-03T21:16:14.558Z"
  status: ACTIVE
  payload_entry_keys:
    - password
deletion_protection: true
yc lockbox secret list-operations $Lockbox
+----------------------+---------------------+----------------------+---------------------+--------+-------------------------------+
| ID                   | CREATED AT          | CREATED BY           | MODIFIED AT         | STATUS | DESCRIPTION                   |
+----------------------+---------------------+----------------------+---------------------+--------+-------------------------------+
| e6qn8kcsa6o1up1lg3es | 2022-10-08 14:12:49 | $USER                | 2022-10-08 14:12:49 | DONE   | Update secret                 |
| e6qlmgnl8q6178vjdjd9 | 2022-06-03 21:22:47 | $USER                | 2022-06-03 21:22:47 | DONE   | Update secret access bindings |
| e6qj2p02jv06igvo478j | 2022-06-03 21:16:14 | $USER                | 2022-06-03 21:16:14 | DONE   | Create secret                 |
+----------------------+---------------------+----------------------+---------------------+--------+-------------------------------+
yc lockbox secret list-versions $Lockbox
+----------------------+---------------------+--------+--------------+
| ID                   | CREATED AT          | STATUS | PAYLOAD KEYS |
+----------------------+---------------------+--------+--------------+
| e6qcnqo2aveh39mbu1p6 | 2022-06-03 21:16:14 | ACTIVE | password     |
+----------------------+---------------------+--------+--------------+
yc lockbox secret list-access-bindings $Lockbox
+---------+--------------+------------+
| ROLE ID | SUBJECT TYPE | SUBJECT ID |
+---------+--------------+------------+
+---------+--------------+------------+
yc lockbox payload get $Lockbox
version_id: e6qk7ol1lqcimvmvs4eh
entries:
  - key: password
    text_value: p@$w0rd
Other operations on the secret.
yc lockbox secret deactivate $Lockbox
yc lockbox secret activate $Lockbox
yc lockbox secret add-version $Lockbox
yc lockbox secret delete $Lockbox
Add another secret to the store.
yc lockbox secret add-version $Lockbox \
  --payload '[{"key": "OAUTH","textValue": "AAAA435bjhjhsdfjsdsjdbfjsdbf"}]' \
  --async
When a new secret is added, the old secret is not deleted!
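An added example in Python (not from the post): it builds the `--payload` JSON the way the add-version call above does, so a value such as p@$w0rd is not mangled by shell expansion, and it audits a secret's metadata and access bindings for the points covered above (KMS key set, deletion protection on, and the service account holding lockbox.admin alongside lockbox.payloadViewer, where a payload consumer needs only the viewer role). The `role_id`/`subject` layout of `list-access-bindings --format json` and the subject id are assumptions.

```python
import json

# Constructed sample shaped like the post's `yc lockbox secret get --format json`
# output (field names and ids as shown in the post); not real CLI output.
SECRET = json.loads("""{
  "id": "e6q201r57rfu4b0o0s5k",
  "name": "lockbox-secret",
  "kms_key_id": "abjesk4gh0vo91lm3ia6",
  "status": "ACTIVE",
  "deletion_protection": true,
  "current_version": {"id": "e6qcnqo2aveh39mbu1p6", "payload_entry_keys": ["password"]}
}""")

# Constructed sample for `yc lockbox secret list-access-bindings --format json`
# after the post's add-access-binding call. The role_id/subject layout is an
# assumption about the CLI's JSON output; the subject id is a placeholder.
BINDINGS = json.loads("""[
  {"role_id": "lockbox.admin",
   "subject": {"id": "aje-PLACEHOLDER", "type": "serviceAccount"}},
  {"role_id": "lockbox.payloadViewer",
   "subject": {"id": "aje-PLACEHOLDER", "type": "serviceAccount"}}
]""")

# Roles sufficient for a workload that only needs to read the payload.
READ_ONLY_ROLES = {"lockbox.payloadViewer", "lockbox.viewer"}


def build_payload(entries: dict) -> str:
    """Serialize {key: value} into the JSON that --payload expects.
    json.dumps keeps characters such as '$' intact; in a double-quoted
    shell string "p@$w0rd" the shell would expand $w0rd to nothing."""
    return json.dumps([{"key": k, "textValue": v} for k, v in entries.items()])


def audit_secret(secret: dict, bindings: list) -> list:
    """Return a list of findings; an empty list means the secret passes."""
    findings = []
    if not secret.get("kms_key_id"):
        findings.append("no KMS key: payload is not encrypted with your own key")
    if not secret.get("deletion_protection"):
        findings.append("deletion protection is off")
    if secret.get("status") != "ACTIVE":
        findings.append(f"status is {secret.get('status')}, not ACTIVE")
    for b in bindings:
        subj = b["subject"]
        if subj["type"] == "serviceAccount" and b["role_id"] not in READ_ONLY_ROLES:
            findings.append(f"service account {subj['id']} holds {b['role_id']}; "
                            "a payload consumer only needs lockbox.payloadViewer")
    return findings
```

Feed it real output by piping the two `yc ... --format json` commands through `json.loads` in place of the constructed samples.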
Useful links.
On encryption with KMS: https://teletype.in/@cameda/vBIMDOZi7vV