
Post on 08-Mar-2021


SPOTLIGHT ON

Equinix Product Readiness

FUNCTIONAL LEARNING DEMO

SmartKey Webhook for Kubernetes Secrets: Part 2 of 3

SmartKey

Christian Melendez, Solutions Architect

The first step is to create a namespace for the plugin or the Webhook that we would like to use for deploying the Webhook. For that I'm going to use "smartkey-vault", and once I create that secret, the next step is to create a generic secret.


The idea is that I need a place to store the configuration for interacting with the SmartKey API, which is the URL, the SmartKey object UUID that I'm going to use for encrypting the secrets in Kubernetes, and this SmartKey credentials key that I would like to use. This will be the command that I want to use. Notice that I can have the secret here, and this is the preconfiguration that you need to follow.

The GitHub repository has a deployment script, which is this one. Type "deploy.sh", and if I run it, it's going to install everything that it needs but that is not included in the examples. First, I'm going to run "deploy.sh", and it's going to generate the local certificate. It's going to generate the objects and the CRDs that you will be using for installing the Webhook in your cluster.


Now I can get the list of mutation Webhooks that I have in the cluster. You can see that I have something here that says SmartKey Webhook. That means I can actually describe that object, and I can see that it applies to secrets and pods and how it really works. I can get the details of this and the certificates that it's going to be using and so on. I can see all the objects that this plugin has deployed into my cluster, and it's basically a pod, the one in charge of doing the mutation phase of the secret. Before the secret is stored, Kubernetes is going to call the SmartKey API to encrypt that secret and store that in a special structure and not the plain text that I uploaded when I created a secret. I'm going to clear this screen here for clarity.

The next thing that you need to know is that once you have this Webhook installed, the scope of that Webhook is going to be at the namespace level. The Webhook has the logic for encrypting secrets only in those namespaces where we say we would like to encrypt the secrets. Otherwise, you will encrypt all the secrets, and we don't want to do that. The first thing that you need to do is to include a label on the namespace where you would like to deploy the secrets and want to encrypt those secrets with SmartKey. Let's continue using the default namespace, and the first thing that you need to do is to label that namespace. You can see that I have here the kubectl label namespace default, and the label that I would like to add is "SmartKey-vault=enabled". I can click it and run that command, and that's the first thing to enable the mutation logic that we want.


I'm going to go again to the examples and create a secret again, and if I create the secret again, everything should be working correctly. I can actually get the details of that secret in the same way as I did before, but notice that the output here for the password is something different. I can copy this data here, and just for demo purposes I can decode that value with base64. So, I'm going to use this and I'm going to say base64 decode, and notice that it has something different. It doesn't really matter what it has here, but it has some logic that I'm going to be using for the SmartKey Webhook plugin for decrypting that data. This is the logic that it will understand, and it will basically decrypt that data. That completes part 2 of 3. This demo will continue in part 3 of 3.
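A canary check for the result described above, written as an added example that is not part of the original demo or of the SmartKey Webhook repository: it takes the JSON objects that "kubectl get namespace default -o json" and "kubectl get secret ... -o json" return and reports whether a known test value was stored unchanged. The function names, the sample objects and the placeholder stored value are constructed for illustration; the Webhook's real stored structure is not shown on this page.

```python
import base64

# Opt-in label exactly as it is written in the demo transcript.
LABEL_KEY, LABEL_VALUE = "SmartKey-vault", "enabled"


def b64(text):
    """Encode text the way the API server returns Secret data."""
    return base64.b64encode(text.encode()).decode()


def namespace_opted_in(ns_obj):
    """True if the namespace object carries the opt-in label."""
    labels = ns_obj.get("metadata", {}).get("labels") or {}
    return labels.get(LABEL_KEY) == LABEL_VALUE


def plaintext_keys(secret_obj, canary):
    """Data keys whose stored value still decodes to the submitted plaintext."""
    data = secret_obj.get("data") or {}
    return sorted(
        key for key, value in data.items()
        if key in canary and base64.b64decode(value) == canary[key].encode()
    )


def audit(ns_obj, secret_obj, canary):
    """Classify one canary Secret: unlabelled namespace, plaintext, or mutated."""
    if not namespace_opted_in(ns_obj):
        return "namespace-not-labelled"
    leaked = plaintext_keys(secret_obj, canary)
    return "plaintext-stored:" + ",".join(leaked) if leaked else "mutated"


# Constructed sample objects, trimmed to the fields the check reads.
CANARY = {"password": "canary-value-1"}
NS_LABELLED = {"metadata": {"name": "default", "labels": {LABEL_KEY: LABEL_VALUE}}}
NS_PLAIN = {"metadata": {"name": "default"}}
SECRET_PLAIN = {"data": {"password": b64("canary-value-1")}}
# Placeholder only: the webhook's real stored structure is not shown on the page.
SECRET_MUTATED = {"data": {"password": b64("PLACEHOLDER-OPAQUE-STRUCTURE")}}

if __name__ == "__main__":
    print(audit(NS_PLAIN, SECRET_PLAIN, CANARY))
    print(audit(NS_LABELLED, SECRET_PLAIN, CANARY))
    print(audit(NS_LABELLED, SECRET_MUTATED, CANARY))
```

A "plaintext-stored" result in a labelled namespace means the Secret was written without passing through the mutation step, which is the case worth alerting on after a deployment.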

© 2021 Equinix, Inc.