No examples for Oracle Cloud Vault integration with Workload Identity

[brokedba]

Describe the bug

I am trying to implement it in my OKE using workload identity but the Oracle Vault provider documentation ( see Oracle Vault) haven't really been updated to reflect that Principal use case.
I only see the user principal steps but not those for Workload Identity.

• Can we have that updated to reflect that case too? I could help if needed and once I understand the right syntax in the manifest?

Thank you !

To Reproduce
Steps to reproduce the behavior:

• So far I only see the below without serviceAccountRef:

---

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: example-workload-identity
spec:
  provider:
    oracle:
      vault: # The vault OCID
      region: # The vault region
      principalType: Workload

Expected behavior

• Do you confirm that the right WI definition should rather be as below ?

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: example-workload-identity
spec:
  provider:
    oracle:
      vault: # The vault OCID
      region: # The vault region
      principalType: Workload
      auth:
 #      jwt:
           serviceAccountRef:
             name: my-serviceaccount

Additional context
I know @anders-swanson worked to implement this part in #2771 (Fixed by #2781 and #2817) but the documentation could be improved. Here's what we could add for the policy part (see oci doc

Allow any-user to use keys and secret-family in compartment finance where all {
  request.principal.type = 'workload',
  request.principal.namespace = 'finance',
  request.principal.service_account = 'financeserviceaccount',
  request.principal.cluster_id = 'ocid1.cluster.oc1.iad.aaaaaaaaaf______jrd',
  request.resource.vault.id = 'ocid1.vault.oc1.iad.aaaaaaaaaf______jrd'
}

[brokedba]

This is the error I get:

# Clusterstore for cluster scoped secrets
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: oci-secretstore
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.xx
      region: uk-london-1                            # Replace with your OCI region
      principalType: Workload
      auth:
        serviceAccountRef:
          name: sec-sa
          namespace: kube-system

error:

Error from server (BadRequest): error when creating "oci-secretstore.yml": 
ClusterSecretStore in version "v1beta1" cannot be handled as a ClusterSecretStore: 
strict decoding error: unknown field "spec.provider.oracle.auth.serviceAccountRef"

Same if I use namespaced SecretStore

error when creating "oci-secretstore.yml": SecretStore in version "v1beta1" cannot be handled as a SecretStore: strict decoding error: unknown field "spec.provider.oracle.auth.serviceAccountRef"

Can anyone help here ? we're really stuck without doc.

Also , are your sure #2781 added the service account ref for OCI Vault ?

[anders-swanson]

Hi @brokedba

Can you try something like this?

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: sa-ref-secretstore
spec:
  provider:
    oracle:
      serviceAccountRef:
        name: <your service account>
      principalType: Workload
      vault: <your vault id>
      region: <your region>
     # compartment is required for PushSecret, GetAllSecret APIs only
     # compartment: <your compartment id>

See:

• Oracle Provider API

We can certainly add some documentation+snippets here 👍
There's a snippet for workload identity, but it doesn't show how to use a service account ref.

HTH

[anders-swanson]

Note that External Secret's OKE Workload Identity authentication will use the operator's service account if serviceAccountRef is not supplied.

[brokedba]

Hi @anders-swanson here is what I tried after fixing the syntax , given my goal was to leverage ClusterSecretStore
note: IAM policies were configured accordingly .

# Clusterstore for cluster scoped secrets
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: oci-secretstore
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.erxx  
      region: uk-london-1                             
        principalType: Workload
        serviceAccountRef:
          name: sec-sa
          namespace: kube-system

• The syntax works as I assume you put everything under oracle section and the auth section is for user principals (had no choice but second guess)

kubectl apply -f oci-secretstore.yml
secretstore.external-secrets.io/oci-secretstore created

-But when I checked the status I saw that the validation failed

kubectl get clustersecretstore -n kube-system
NAME              AGE   STATUS             CAPABILITIES   READY
oci-secretstore   13s   ValidationFailed                  False

kubectl describe clustersecretstore oci-secretstore -n kube-system
Events:
  Type     Reason            Age                     From                  Message
  ----     ------            ----                    ----                  -------
  Warning  ValidationFailed  2m17s (x16 over 5m30s)  cluster-secret-store  Get "https://kms.uk-london-1\".oraclecloud.com/20180608/vaults/ocid1.vault.oc1.uk-london-1.xx": 
                                                       dial tcp: lookup kms.uk-london-1".oraclecloud.com: no such host

I don't understand the URL as it doesn't even match the OCI vault API endpoint URL.
the real vault endpoint for REST API calls has this format.

https://xxxx-management.kms.uk-london-1.oraclecloud.com/

I started to look at your merged PRs in vain . any clue why this is happening ? I also tried that with a namespaced secretstore and I had the same issue

[brokedba]

@anders-swanson , I'll gladly help with the documentation snippets once this issue is fixed .
On top of my previous clustersecretStore example, I can provide IAM policy samples for the sa, and this definition is for a simple secretstore syntax.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: oci-secretstore
  namespace: kube-system
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.xxx
      region: uk-london-1"
      principalType: Workload
      serviceAccountRef:
          name: sec-sa

but I need to fix this URL ValidationFailed problem first . any help is welcome!

[anders-swanson]

Try with this YAML. There appear to be some syntax errors with the above YAML:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: oci-secretstore
  namespace: kube-system
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.xxx
      region: uk-london-1
      principalType: Workload
      serviceAccountRef:
        name: sec-sa

[brokedba]

It's working. thanks @anders-swanson 👀. could it be a tab /indentation in namespace ?

NAME              AGE   STATUS   CAPABILITIES   READY
oci-secretstore   10m   Valid    ReadOnly       True

Thank you . I initially wanted to create a ClustersecretStore . Do you confirm the below syntax is correct ?

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: oci-secretstore
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.xxx
      region: uk-london-1
      principalType: Workload
      serviceAccountRef:
        name: sec-sa
        namespace: kube-system

Follow up question: same here, I planned to create an external secret.
do you confirm the below syntax is also correct? (secret oci-db-password already created in the vault)

apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: "cluster-es"
spec:
  externalSecretName: ext-db-secret
  # How often the ClusterExternalSecret should reconcile itself
  refreshTime: "10m"

  # This is the spec of the ExternalSecrets to be created
  externalSecretSpec:
    secretStoreRef:
      name: oci-clustersecretstore
      kind: ClusterSecretStore

    refreshInterval: "10m"
    target:
      name: db-secret
      creationPolicy: Owner
    dataFrom:
    - extract:
        key: oci-db-password

[brokedba]

Both syntax are good I have now my clustersecretstore and cluster exnternal secret but I can't find any target secrets .
I have no idea where the heck did the secret go!!!

kubectl get externalsecrets -A
NAME                                                   STORE                    REFRESH INTERVAL   READY
clusterexternalsecret.external-secrets.io/cluster-es   oci-clustersecretstore   10m                True

NAME                                                            AGE     STATUS   CAPABILITIES   READY
clustersecretstore.external-secrets.io/oci-clustersecretstore   9m27s   Valid    ReadOnly       True

describe:

$ kubectl describe clusterexternalsecret cluster-es
Name:         cluster-es
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  external-secrets.io/v1beta1
Kind:         ClusterExternalSecret
Metadata:
  Creation Timestamp:  2024-05-30T00:20:26Z
  Generation:          1
  Resource Version:    25582377
  UID:                 699e4712-xxxxxxxxxx
Spec:
  External Secret Name:  ext-db-secret
  External Secret Spec:
    Data From:
      Extract:
        Conversion Strategy:  Default
        Decoding Strategy:    None
        Key:                  oci-db-password
        Metadata Policy:      None
    Refresh Interval:         10m
    Secret Store Ref:
      Kind:  ClusterSecretStore
      Name:  oci-clustersecretstore
    Target:
      Creation Policy:  Owner
      Deletion Policy:  Retain
      Name:             db-secret
  Refresh Time:         10m
Status:
  Conditions:
    Status:              True
    Type:                Ready
  External Secret Name:  ext-db-secret
Events:                  <none>

0 secrets found :

$ kubectl get externalsecret ext-db-secret -n kube-system  --- I tried each namespace
Error from server (NotFound): externalsecrets.external-secrets.io "ext-db-secret" not found

$ kubectl get secrets -A
NAMESPACE     NAME                                     TYPE                 DATA   AGE
kube-system   external-secrets-webhook                 Opaque               4      5h12m
kube-system   kubernetes-dashboard-certs               Opaque               0      56d
kube-system   kubernetes-dashboard-csrf                Opaque               1      56d
kube-system   kubernetes-dashboard-key-holder          Opaque               2      56d
kube-system   sh.helm.release.v1.external-secrets.v1   helm.sh/release.v1   1      5h12m

I really don't understand what's going on. ANY clue ???

[brokedba]

Hi , @anders-swanson let me know if you need additional info, because OCI workload identity is literally unusable using external-secret operator, at this time (wonder if it was ecer tested).

[anders-swanson]

Hi @brokedba,

I think this may be user error. Workload Identity authentication also seems to be working in your case, since the secret store is both valid and ready:

kubectl get externalsecrets -A
NAME                                                   STORE                    REFRESH INTERVAL   READY
clusterexternalsecret.external-secrets.io/cluster-es   oci-clustersecretstore   10m                True

NAME                                                            AGE     STATUS   CAPABILITIES   READY
clustersecretstore.external-secrets.io/oci-clustersecretstore   9m27s   Valid    ReadOnly       True

Let's take a look at the external secrets cluster external secret APIs -> the cluster external secret API requires a namespace selector.

OK, so we're missing a namespace selector. Let's compose a new example that shows how the cluster secret API may be used with OKE Workload Identity and a namespace selector:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: chicago
spec:
  provider:
    oracle:
      serviceAccountRef:
        namespace: kube-system
        name: chicago-vault
      principalType: Workload
      compartment: <my compartment>
      vault: <my vault>
      region: us-chicago-1
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: chicago-es
spec:
  externalSecretName: mysecret
  refreshTime: "10m"

  namespaceSelector:
    matchLabels:
      inject-vault-secret: 'true' # note this label. It is required to inject the secrets into namespaces
  externalSecretSpec:
    secretStoreRef:
      name: chicago
      kind: ClusterSecretStore
    refreshInterval: "10m"
    target:
      name: mysecret # the name of the secret that will be created in kubernetes
      creationPolicy: Owner
    dataFrom:
    - extract:
        key: mysecret # the name of the secret in the vault

These are helpful kubectl commands that may be used when setting up the required kubernetes resources.

# Create a service account for workload identity
kubectl create sa chicago-vault -n kube-system
# Create an label a namespace for secret injection via the cluster secret store / cluster external secret.
kubectl create namespace application
kubectl label namespace application inject-vault-secret=true

If this is done correctly, we should see a secret store created in the labelled namespace like so:

kubectl get externalsecret -n application
NAME       STORE     REFRESH INTERVAL   STATUS         READY
mysecret   chicago   10m0s              SecretSynced   True

Finally, I hope this helps you or any other reads configure External Secrets with OCI Vault and OKE Workload Identity.

Best,
Anders Swanson.

[brokedba]

thanks a lot @anders-swanson ,
it's working .I tried it with a default namespace (used data: instead of dataFrom:)

$ kubectl get ces cluster-es
NAME         STORE                    REFRESH INTERVAL   READY
cluster-es   oci-clustersecretstore   10m                True
$ kubectl get externalsecret ext-db-secret
AME            STORE                    REFRESH INTERVAL   STATUS         READY
ext-db-secret   oci-clustersecretstore   10m0s              SecretSynced   True

$ kubectl get secret db-secret
NAME        TYPE     DATA   AGE
db-secret   Opaque   1      35m

---
$ kubectl get secret my-oke-secret -o json | jq -r ."data.key" | base64 -d
YouGottaBeKiddingM

I have to say that the doc doesn't say anywhere which section is mandatory and which isn't hence my remark around the lack of clarity completeness in the examples . I mean most of the doc is outdated ( 0.5.7 vs current is 0.9.18).
if you didn't reply we'd probably be stuck forever and have looked for alternatives.

Again if you need help documenting this part I'll be glad to help. And I already got a green light for a blog entry in the oracle dev medium syndication about this use case (from Ellie schilling).

last question:

• If we wanted to have a namespaced secret store based on an workload identity :
• would we need the service account to live within the same namespace than the secretstore and workload consuming the secret?

example:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: oci-secretstore
  namespace: kube-system   # same namespace than the service account ?
spec:
  provider:
    oracle:
      vault: ocid1.vault.oc1.uk-london-1.xxx
      region: uk-london-1
      principalType: Workload
      serviceAccountRef:
        name: sec-sa
----
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: oci-es
  namespace: kube-system # same namespace than the service account ?
spec:
  refreshInterval: 10m
  secretStoreRef:
    name: oci-secretstore
    kind: SecretStore
  target:
    name: db-secret-demo
    creationPolicy: Owner
  data:   # datafrom only works for json based secret it seems
  - secretKey: key
    remoteRef:
      key: oci-db-password 

I did try this way and it worked . just wanted to confirm from you .:)
thanks again

[anders-swanson]

it worked

🎉 🎉 🎉

For your question about workload identity and namespaced secret stores:

If a secret store is namespaced, the ServiceAccount must be in the same namespace as the secret store. This design avoids cross-namespace token hijacking.

Imagine a use has access to a specific namespace in a kubernetes cluster. If that user can escalate permissions through the External Secrets Operator by taking the service account token from another namespace, this gives them permissions they would otherwise not be allowed to have.

--

Again if you need help documenting this part I'll be glad to help. And I already got a green light for a blog entry in the oracle dev medium syndication about this use case (from Ellie schilling).

This is great news. I'll take a crack at documenting this for ESO, and run it by you/add you to the pull request. I don't believe our existing documentation passes the "hallway usability test".

[brokedba]

This is great news. I'll take a crack at documenting this for ESO, and run it by you/add you to the pull request. I don't believe our existing documentation passes the "hallway usability test".

Perfect , I already added you in linkedin (kosseila hd) we can exchange our emails there if you want .
Thanks again for your help (saved my day : )).