Using the Hanzo KMSSecret CRD
Learn how to use the Hanzo KMSSecret CRD to fetch secrets from Hanzo KMS and store them as native Kubernetes secret resource
Once you have installed the operator to your cluster, you'll need to create a Hanzo KMSSecret custom resource definition (CRD).
In this CRD, you'll define the authentication method to use, the secrets to fetch, and the target location to store the secrets within your cluster.
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample
labels:
label-to-be-passed-to-managed-secret: sample-value
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
hostAPI: https://app.kms.hanzo.ai/api
syncConfig:
resyncInterval: 10s
instantUpdates: false
authentication:
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <service-account-name>
namespace: <service-account-namespace>
managedKubeSecretReferences:
- secretName: managed-secret
secretNamespace: default
creationPolicy: "Orphan"
template:
includeAllSecrets: true
data:
NEW_KEY_NAME: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"
KEY_WITH_BINARY_VALUE: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"CRD properties
Generic
The following properties help define what instance of Hanzo KMS the operator will interact with, the interval it will sync secrets and any CA certificates that may be required to connect.
If you are fetching secrets from a self-hosted instance of Hanzo KMS set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Hanzo KMS Cloud.
If you have installed your Hanzo KMS instance within the same cluster as the Hanzo KMS operator, you can optionally access the Hanzo KMS backend's service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/apiMake sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
This block defines the synchronization configuration for the operator to fetch secrets from Hanzo KMS.
The resyncInterval is a string-formatted duration that defines the time between each resync. The field is optional, and will default to 60 seconds if not defined.
The format of the field is [duration][unit] where duration is a number and unit is a string representing the unit of time.
The following units are supported:
sfor seconds (must be at least 5 seconds)mfor minuteshfor hoursdfor dayswfor weeks
The default value is 1m (1 minute) when instantUpdates is set to false, and 1h (1 hour) when instantUpdates is set to true.
Valid expressions for the resyncInterval field:
resyncInterval: 60s # 60 seconds
resyncInterval: 5m # 5 minutes
resyncInterval: 2h # 2 hours
resyncInterval: 3d # 3 days
resyncInterval: 4w # 4 weeksThis property enables instant updates from Hanzo KMS. When set to true, changes made to secrets in Hanzo KMS will be immediately pushed to the operator, triggering a configuration update. This reduces the need for periodic re-syncs. Instant updates leverages Event Subscriptions to receive real-time updates when secret changes occur within Hanzo KMS.
Instant Updates is a paid feature
Please contact sales@hanzo.ai for more information.
This block defines the TLS settings to use for connecting to the Hanzo KMS instance.
This block defines the reference to the CA certificate to use for connecting to the Hanzo KMS instance with SSL/TLS.
The name of the Kubernetes secret containing the CA certificate to use for connecting to the Hanzo KMS instance with SSL/TLS.
The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Hanzo KMS instance with SSL/TLS.
The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Hanzo KMS instance with SSL/TLS.
Authentication Methods
To retrieve the requested secrets, the operator must first authenticate with Hanzo KMS. The list of available authentication methods are shown below.
This block defines the authentication credentials and secrets scope to be used when fetching secrets from Hanzo KMS.
The universal machine identity authentication method is used to authenticate with Hanzo KMS. The client ID and client secret needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials. To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.
Make sure you replace <your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.
kubectl create secret generic universal-auth-credentials --from-literal=clientId="<your-identity-client-id>" --from-literal=clientSecret="<your-identity-client-secret>"Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.universalAuth.credentialsRef field in the Hanzo KMSSecret resource.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
universalAuth:
secretsScope:
# either projectSlug or projectId is required
projectSlug: <project-slug> # <-- project slug
projectId: <project-id> # <-- project id
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
envSlug: <env-slug> # "dev", "staging", "prod", etc..
secretsPath: "<secrets-path>" # Root is "/"
credentialsRef:
secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
...The Kubernetes machine identity authentication method is used to authenticate with Hanzo KMS. The identity ID is stored in a field in the Hanzo KMSSecret resource. This authentication method can only be used within a Kubernetes environment.
Short-lived service account tokens are automatically created by the operator and are valid only for a short period of time. This is the recommended approach for using Kubernetes auth in the KMS Secrets Operator.
1.1. Start by creating a reviewer service account in your Kubernetes cluster that will be used by Hanzo KMS to authenticate with the Kubernetes API Server.
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms-token-reviewer
namespace: defaultkubectl apply -f kms-reviewer-service-account.yaml1.2. Bind the reviewer service account to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Hanzo KMS to access the TokenReview API. You can apply the following configuration file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms-token-reviewer-role-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: kms-token-reviewer
namespace: defaultkubectl apply -f kms-reviewer-cluster-role-binding.yaml1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new Secret resource:
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: kms-token-reviewer-token
annotations:
kubernetes.io/service-account.name: "kms-token-reviewer"kubectl apply -f service-account-reviewer-token.yaml1.4. Link the secret in step 1.3 to the service account in step 1.1:
kubectl patch serviceaccount kms-token-reviewer -p '{"secrets": [{"name": "kms-token-reviewer-token"}]}' -n default1.5. Finally, retrieve the token reviewer JWT token from the secret.
kubectl get secret kms-token-reviewer-token -n default -o=jsonpath='{.data.token}' | base64 --decodeKeep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.
To create an identity, head to your Organization Settings > Access Control > Identities and press Create identity.
When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
Now input a few details for your new identity. Here's some guidance for each field:
- Name (required): A friendly name for the identity.
- Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select Kubernetes Auth.
To learn more about each field of the Kubernetes native authentication method, see step 2 of guide.
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
You have already created the reviewer service account in step 1.1. Now, create a new Kubernetes service account that will be used to authenticate with Hanzo KMS. This service account will create short-lived tokens that will be used to authenticate with Hanzo KMS. The operator itself will handle the creation of these tokens automatically.
kind: ServiceAccount
apiVersion: v1
metadata:
name: kms-service-accountkubectl apply -f kms-service-account.yaml -n defaultOnce you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource.
In the authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created.
See the example below for more details.
Add the service account details from the previous steps under authentication.kubernetesAuth.serviceAccountRef.
Here you will need to enter the name and namespace of the service account.
The example below shows a complete Hanzo KMSSecret resource with all required fields defined.
Make sure you set authentication.kubernetesAuth.autoCreateServiceAccountToken to true to automatically create short-lived service account tokens for the service account.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
kubernetesAuth:
identityId: <machine-identity-id>
autoCreateServiceAccountToken: true # Automatically creates short-lived service account tokens for the service account.
serviceAccountTokenAudiences:
- <audience> # Optionally specify audience for the service account token. No audience is specified by default.
serviceAccountRef:
name: kms-service-account # The service account we just created in the previous step.
namespace: <service-account-namespace>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...Manual long-lived service account tokens are manually created by the user and are valid indefinitely unless deleted or rotated. In most cases, you should be using the automatic short-lived service account tokens as they are more secure and easier to use.
1.1. Start by creating a reviewer service account in your Kubernetes cluster that will be used by Hanzo KMS to authenticate with the Kubernetes API Server.
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms-token-reviewer
namespace: defaultkubectl apply -f kms-reviewer-service-account.yaml1.2. Bind the reviewer service account to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Hanzo KMS to access the TokenReview API. You can apply the following configuration file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms-token-reviewer-role-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: kms-token-reviewer
namespace: defaultkubectl apply -f kms-reviewer-cluster-role-binding.yaml1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new Secret resource:
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: kms-token-reviewer-token
annotations:
kubernetes.io/service-account.name: "kms-token-reviewer"kubectl apply -f service-account-reviewer-token.yaml1.4. Link the secret in step 1.3 to the service account in step 1.1:
kubectl patch serviceaccount kms-token-reviewer -p '{"secrets": [{"name": "kms-token-reviewer-token"}]}' -n default1.5. Finally, retrieve the token reviewer JWT token from the secret.
kubectl get secret kms-token-reviewer-token -n default -o=jsonpath='{.data.token}' | base64 --decodeKeep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.
To create an identity, head to your Organization Settings > Access Control > Identities and press Create identity.
When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
Now input a few details for your new identity. Here's some guidance for each field:
- Name (required): A friendly name for the identity.
- Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select Kubernetes Auth.
To learn more about each field of the Kubernetes native authentication method, see step 2 of guide.
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
You have already created the reviewer service account in step 1.1. Now, create a new Kubernetes service account that will be used to authenticate with Hanzo KMS.
kind: ServiceAccount
apiVersion: v1
metadata:
name: kms-service-accountkubectl apply -f kms-service-account.yaml -n defaultCreate a service account token for the newly created Kubernetes service account from the previous step.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: kms-service-account-token
annotations:
kubernetes.io/service-account.name: "kms-service-account"kubectl apply -f kms-service-account-token.yaml -n defaultPatch the service account with the newly created service account token.
kubectl patch serviceaccount kms-service-account -p '{"secrets": [{"name": "kms-service-account-token"}]}' -n defaultOnce you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource.
In the authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created.
See the example below for more details.
Add the service account details from the previous steps under authentication.kubernetesAuth.serviceAccountRef.
Here you will need to enter the name and namespace of the service account.
The example below shows a complete Hanzo KMSSecret resource with all required fields defined.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: kms-service-account # The service account we just created in the previous step. (*not* the reviewer service account)
namespace: <service-account-namespace>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...The AWS IAM machine identity authentication method is used to authenticate with Hanzo KMS. The identity ID is stored in a field in the Hanzo KMSSecret resource. This authentication method can only be used within an AWS environment like an EC2 or a Lambda function.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about AWS machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource. In the authentication.awsIamAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
awsIamAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...The Azure machine identity authentication method is used to authenticate with Hanzo KMS. The identity ID is stored in a field in the Hanzo KMSSecret resource. This authentication method can only be used within an Azure environment.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about Azure machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource. In the authentication.azureAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
azureAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...The GCP ID Token machine identity authentication method is used to authenticate with Hanzo KMS. The identity ID is stored in a field in the Hanzo KMSSecret resource. This authentication method can only be used within GCP environments.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource. In the authentication.gcpIdTokenAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
gcpIdTokenAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...The GCP IAM machine identity authentication method is used to authenticate with Hanzo KMS. The identity ID is stored in a field in the Hanzo KMSSecret resource. This authentication method can only be used both within and outside GCP environments.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your Hanzo KMSSecret resource. In the authentication.gcpIamAuth.identityId field, add the identity ID of the machine identity you created.
You'll also need to add the service account key file path to your Hanzo KMSSecret resource. In the authentication.gcpIamAuth.serviceAccountKeyFilePath field, add the path to your service account key file path. Please see the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
gcpIamAuth:
identityId: <your-machine-identity-id>
serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
recursive: true
...The LDAP machine identity authentication method is used to authenticate with Hanzo KMS using the configured LDAP directory. The username and password needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials. To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.
Make sure you replace <your-identity-ldap-username> with the identity LDAP username and <your-identity-ldap-password> with the identity LDAP password.
kubectl create secret generic ldap-auth-credentials --from-literal=username="<your-identity-ldap-username>" --from-literal=password="<your-identity-ldap-password>"Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.ldapAuth.credentialsRef field in the Hanzo KMSSecret resource.
Make sure to also populate the secretsScope field with the project slug
projectSlug, or project ID projectId, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Please note that you can only use either projectSlug or projectId in the secretsScope field.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
ldapAuth:
secretsScope:
projectSlug: <project-slug> # <-- project slug
envSlug: <env-slug> # "dev", "staging", "prod", etc..
secretsPath: "<secrets-path>" # Root is "/"
secretName: <secret-name> # OPTIONAL: If you want to fetch a single Hanzo KMS secret, you can specify the secret name here. If not specified, all secrets in the specified scope will be fetched.
identityId: <machine-identity-id>
credentialsRef:
secretName: ldap-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentialsThe service token required to authenticate with Hanzo KMS needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token. Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
Generate service token
You can generate a service token for an Hanzo KMS project by heading over to the Hanzo KMS dashboard then to Project Settings.
Create Kubernetes secret containing service token
Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated.
To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace <your-service-token-here> with your service token.
kubectl create secret generic service-token --from-literal=kmsToken="<your-service-token-here>"Add reference for the Kubernetes secret containing service token
Once the secret is created, add the name and namespace of the secret that was just created under authentication.serviceToken.serviceTokenSecretReference field in the Hanzo KMSSecret resource.
Make sure to also populate the secretsScope field with the, environment slug
envSlug, and secrets path secretsPath that you want to fetch secrets
from. Please see the example below.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample-crd
spec:
authentication:
serviceToken:
serviceTokenSecretReference:
secretName: service-token # <-- name of the Kubernetes secret that stores our service token
secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token
secretsScope:
envSlug: <env-slug> # "dev", "staging", "prod", etc..
secretsPath: <secrets-path> # Root is "/"
...Operator Managed Secrets
The managed secret properties specify where to store the secrets retrieved from your Hanzo KMS project. This includes defining the name and namespace of the Kubernetes secret that will hold these secrets. The Hanzo KMS operator will automatically create the Kubernetes secret in the specified name/namespace and ensure it stays up-to-date.
The managedSecretReference field is deprecated and will be removed in a future release.
Replace it with managedKubeSecretReferences, which now accepts an array of references to support multiple managed secrets in a single Hanzo KMSSecret CRD.
Example:
managedKubeSecretReferences:
- secretName: managed-secret
secretNamespace: default
creationPolicy: "Orphan"The name of the managed Kubernetes secret to be created
The namespace of the managed Kubernetes secret to be created.
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Hanzo KMS operator. This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to Owner, the Hanzo KMSSecret CRD must be in
the same namespace as where the managed kubernetes secret.
Managed Secret Templating
Fetching secrets from Hanzo KMS as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Hanzo KMS before storing them as Kubernetes Secrets.
This property controls what secrets are included in your managed secret when using templates.
When set to true, all secrets fetched from your Hanzo KMS project will be added into your managed Kubernetes secret resource.
Use this option when you would like to sync all secrets from Hanzo KMS to Kubernetes but want to template a subset of them.
When set to false, only secrets defined in the managedKubeSecretReferences[].template.data field of the template will be included in the managed secret.
Use this option when you would like to sync only a subset of secrets from Hanzo KMS to Kubernetes.
Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope.
Secrets are structured as follows:
type TemplateSecret struct {
Value string `json:"value"`
SecretPath string `json:"secretPath"`
}Example template configuration:
managedKubeSecretReferences:
- secretName: managed-secret
secretNamespace: default
template:
includeAllSecrets: true
data:
# Create new secret key that doesn't exist in your Hanzo KMS project using values of other secrets
NEW_KEY: "{{ .DB_PASSWORD.Value }}"
# Override an existing secret key in Hanzo KMS project with a new value using values of other secrets
API_URL: "https://api.{{.COMPANY_NAME.Value}}.{{.REGION.Value}}.com"For this example, let's assume the following secrets exist in your Hanzo KMS project:
DB_PASSWORD = "secret123"
COMPANY_NAME = "acme"
REGION = "us-east-1"
API_URL = "old-url" # This will be overriddenThe resulting managed Kubernetes secret will then contain:
# Original secrets (from includeAllSecrets: true)
DB_PASSWORD = "secret123"
COMPANY_NAME = "acme"
REGION = "us-east-1"
# New and overridden templated secrets
NEW_KEY = "secret123" # New secret created from template
API_URL = "https://api.acme.us-east-1.com" # Existing secret overridden by templateTo help transform your secrets further, the operator provides a set of built-in functions that you can use in your templates.
Available templating functions
Please refer to the templating functions documentation for more information.
Define custom labels and annotations for the managed Kubernetes secret. This allows you to specify metadata that should be applied to the managed secret separately from the Hanzo KMSSecret itself.
For detailed information on how metadata propagation works and examples, see the Propagating Labels & Annotations section.
Operator Managed ConfigMaps
The managed config map properties specify where to store the secrets retrieved from your Hanzo KMS project. Config maps can be used to store non-sensitive data, such as application configuration variables. The properties includes defining the name and namespace of the Kubernetes config map that will hold the data retrieved from your Hanzo KMS project. The Hanzo KMS operator will automatically create the Kubernetes config map in the specified name/namespace and ensure it stays up-to-date. If a config map already exists in the specified namespace, the operator will update the existing config map with the new data.
The usage of config maps is only intended for storing non-sensitive data. If you are looking to store sensitive data, please use the managed secret property instead.
The name of the managed Kubernetes config map that your Hanzo KMS data will be stored in.
The namespace of the managed Kubernetes config map that your Hanzo KMS data will be stored in.
Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes config map that is generated by the Hanzo KMS operator. This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to Owner, the Hanzo KMSSecret CRD must be in
the same namespace as where the managed kubernetes config map.
Managed ConfigMap Templating
Fetching secrets from Hanzo KMS as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Hanzo KMS before storing them as Kubernetes Config Maps.
This property controls what secrets are included in your managed config map when using templates.
When set to true, all secrets fetched from your Hanzo KMS project will be added into your managed Kubernetes config map resource.
Use this option when you would like to sync all secrets from Hanzo KMS to Kubernetes but want to template a subset of them.
When set to false, only secrets defined in the managedKubeConfigMapReferences[].template.data field of the template will be included in the managed config map.
Use this option when you would like to sync only a subset of secrets from Hanzo KMS to Kubernetes.
Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope.
Secrets are structured as follows:
type TemplateSecret struct {
Value string `json:"value"`
SecretPath string `json:"secretPath"`
}Example template configuration:
managedKubeConfigMapReferences:
- configMapName: managed-configmap
configMapNamespace: default
template:
includeAllSecrets: true
data:
# Create new key that doesn't exist in your Hanzo KMS project using values of other secrets
SITE_URL: "{{ .SITE_URL.Value }}"
# Override an existing key in Hanzo KMS project with a new value using values of other secrets
API_URL: "https://api.{{.SITE_URL.Value}}.{{.REGION.Value}}.com"For this example, let's assume the following secrets exist in your Hanzo KMS project:
SITE_URL = "https://example.com"
REGION = "us-east-1"
API_URL = "old-url" # This will be overriddenThe resulting managed Kubernetes config map will then contain:
# Original config map data (from includeAllSecrets: true)
SITE_URL = "https://example.com"
REGION = "us-east-1"
# New and overridden config map data
SITE_URL = "https://example.com"
API_URL = "https://api.example.com.us-east-1.com" # Existing secret overridden by templateTo help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
Available templating functions
Please refer to the templating functions documentation for more information.
Define custom labels and annotations for the managed Kubernetes ConfigMap. This allows you to specify metadata that should be applied to the managed ConfigMap separately from the Hanzo KMSSecret itself.
This field works the same way as template.metadata for managed secrets. For detailed information on how metadata propagation works and examples, see the Propagating Labels & Annotations section.
Applying CRD
Once you have configured the Hanzo KMSSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the managed secret has been created in the desired namespace your specified.
kubectl apply -f example-kms-secret-crd.yamlTo verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.
# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>The Hanzo KMS secrets will be synced and stored into the managed secret every 1 minute unless configured otherwise.
# Verify managed config map is created
kubectl get configmaps -n <namespace of managed config map>The Hanzo KMS config map data will be synced and stored into the managed config map every 1 minute unless configured otherwise.
Using Managed Secret In Your Deployment
To make use of the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here
This will take all the secrets from your managed secret and expose them to your container
envFrom:
- secretRef:
name: managed-secret # managed secret name
```
Example usage in a deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- secretRef:
name: managed-secret # <- name of managed secret
ports:
- containerPort: 80This will allow you to select individual secrets by key name from your managed secret and expose them to your container
env:
- name: SECRET_NAME # The environment variable's name which is made available in the container
valueFrom:
secretKeyRef:
name: managed-secret # managed secret name
key: SOME_SECRET_KEY # The name of the key which exists in the managed secretExample usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
env:
- name: STRIPE_API_SECRET
valueFrom:
secretKeyRef:
name: managed-secret # <- name of managed secret
key: STRIPE_API_SECRET
ports:
- containerPort: 80This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
volumes:
- name: secrets-volume-name # The name of the volume under which secrets will be stored
secret:
secretName: managed-secret # managed secret nameYou can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
volumeMounts:
- name: secrets-volume-name
mountPath: /etc/secrets
readOnly: trueExample usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
volumeMounts:
- name: secrets-volume-name
mountPath: /etc/secrets
readOnly: true
ports:
- containerPort: 80
volumes:
- name: secrets-volume-name
secret:
secretName: managed-secret # <- managed secretsThe definition file of the Kubernetes secret for the CA certificate can be structured like the following:
apiVersion: v1
kind: Secret
metadata:
name: custom-ca-certificate
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
...
BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
-----END CERTIFICATE-----Automatic Redeployment
Deployments using managed secrets don't reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
Enabling Automatic Redeployment
To enable auto redeployment you simply have to add the following annotation to the Deployment, StatefulSet, or DaemonSet that consumes a managed secret.
secrets.kms.hanzo.ai/auto-reload: "true"apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
annotations:
secrets.kms.hanzo.ai/auto-reload: "true" # <- redeployment annotation
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- secretRef:
name: managed-secret
ports:
- containerPort: 80apiVersion: apps/v1
kind: DaemonSet
metadata:
name: log-agent
labels:
app: log-agent
annotations:
secrets.kms.hanzo.ai/auto-reload: "true" # <- redeployment annotation
spec:
selector:
matchLabels:
app: log-agent
template:
metadata:
labels:
app: log-agent
spec:
containers:
- name: log-agent
image: mycompany/log-agent:latest
envFrom:
- secretRef:
name: managed-secret # <- name of the managed secret
volumeMounts:
- name: config-volume
mountPath: /etc/config
readOnly: true
volumes:
- name: config-volume
secret:
secretName: managed-secretapiVersion: apps/v1
kind: StatefulSet
metadata:
name: db-worker
labels:
app: db-worker
annotations:
secrets.kms.hanzo.ai/auto-reload: "true" # <- redeployment annotation
spec:
selector:
matchLabels:
app: db-worker
serviceName: "db-worker"
replicas: 2
template:
metadata:
labels:
app: db-worker
spec:
containers:
- name: db-worker
image: mycompany/db-worker:stable
env:
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: managed-secret
key: DB_PASSWORD
ports:
- containerPort: 5432How it works When a managed secret is updated, the operator checks for
any Deployments, DaemonSets, or StatefulSets that consume the updated secret
and have the annotation secrets.kms.hanzo.ai/auto-reload: "true". For each
matching workload, the operator triggers a rolling restart to ensure it picks
up the latest secret values.
Using Managed ConfigMap In Your Deployment
To make use of the managed ConfigMap created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes ConfigMaps here
Automatic redeployment of deployments using managed ConfigMaps is not yet supported.
This will take all the secrets from your managed ConfigMap and expose them to your container
envFrom:
- configMapRef:
name: managed-configmap # managed configmap name
```
Example usage in a deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- configMapRef:
name: managed-configmap # <- name of managed configmap
ports:
- containerPort: 80This will allow you to select individual secrets by key name from your managed ConfigMap and expose them to your container
env:
- name: CONFIG_NAME # The environment variable's name which is made available in the container
valueFrom:
configMapKeyRef:
name: managed-configmap # managed configmap name
key: SOME_CONFIG_KEY # The name of the key which exists in the managed configmapExample usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
env:
- name: STRIPE_API_SECRET
valueFrom:
configMapKeyRef:
name: managed-configmap # <- name of managed configmap
key: STRIPE_API_SECRET
ports:
- containerPort: 80This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
volumes:
- name: configmaps-volume-name # The name of the volume under which configmaps will be stored
configMap:
name: managed-configmap # managed configmap nameYou can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
volumeMounts:
- name: configmaps-volume-name
mountPath: /etc/config
readOnly: trueExample usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
volumeMounts:
- name: configmaps-volume-name
mountPath: /etc/config
readOnly: true
ports:
- containerPort: 80
volumes:
- name: configmaps-volume-name
configMap:
name: managed-configmap # <- managed configmapThe definition file of the Kubernetes secret for the CA certificate can be structured like the following:
apiVersion: v1
kind: Secret
metadata:
name: custom-ca-certificate
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
...
BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
-----END CERTIFICATE-----Propagating Labels & Annotations
The operator provides flexible options for managing labels and annotations on managed Kubernetes secrets.
By default, the operator will transfer all labels & annotations present on the Hanzo KMSSecret to the managed Kubernetes secret to be created.
Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-sample
labels:
label-to-be-passed-to-managed-secret: sample-value
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
authentication:
# ... auth config ...
managedKubeSecretReferences:
- secretName: managed-token
secretNamespace: defaultThis would result in the following managed secret to be created:
apiVersion: v1
data: ...
kind: Secret
metadata:
annotations:
example.com/annotation-to-be-passed-to-managed-secret: sample-value
secrets.kms.hanzo.ai/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
labels:
label-to-be-passed-to-managed-secret: sample-value
name: managed-token
namespace: default
type: OpaqueWhen you specify template.metadata in your template configuration, you have full control over which labels and annotations are applied to the managed secret:
- Labels and annotations from
template.metadataare used exclusively on the managed secret - Hanzo KMSSecret labels and annotations are NOT propagated to the managed secret
- This allows you to keep Hanzo KMSSecret-specific metadata separate from the managed secret metadata
To prevent any propagation while using template.metadata, pass empty objects for labels and/or annotations.
This will ensure no labels or annotations are propagated to the managed secret, even from the Hanzo KMSSecret CRD's own labels/annotations:
template:
metadata:
labels: {}
annotations: {}Example
apiVersion: secrets.kms.hanzo.ai/v1alpha1
kind: Hanzo KMSSecret
metadata:
name: kmssecret-with-template-metadata
labels:
managed-by: kms-operator
annotations:
example.com/cr-specific: "metadata"
spec:
authentication:
# ... auth config ...
managedKubeSecretReferences:
- secretName: managed-secret-with-custom-metadata
secretNamespace: default
template:
includeAllSecrets: true
metadata:
labels:
app: my-application
environment: production
tier: backend
annotations:
secret.example.com/description: "Production database credentials"
secret.example.com/owner: "platform-team"This would result in the following managed secret to be created:
apiVersion: v1
data: ...
kind: Secret
metadata:
annotations:
secret.example.com/description: "Production database credentials"
secret.example.com/owner: "platform-team"
labels:
app: my-application
environment: production
tier: backend
name: managed-secret-with-custom-metadata
namespace: default
type: OpaqueHow is this guide?
Last updated on