Deckhouse Kubernetes Platform (DKP) supports native integration with several Yandex Cloud services. This allows for external monitoring, secure secret management, and automated data synchronization between the infrastructure and the cluster.

This section describes steps to configure the following integrations:

  • Yandex Lockbox via External Secrets Operator
  • Yandex Managed Service for Prometheus

Integration with Yandex Lockbox

DKP supports integration with Yandex Lockbox using the External Secrets Operator (ESO). This allows Kubernetes secrets in the cluster to be automatically synchronized with Lockbox secrets.

To set up the integration:

  1. Create a service account for External Secrets Operator:

    yc iam service-account create --name eso-service-account

  2. Create an authorized key for the service account and save it to a file:

    yc iam key create --service-account-name eso-service-account --output authorized-key.json

  3. Assign lockbox.editor, lockbox.payloadViewer, and kms.keys.encrypterDecrypter roles to the service account for accessing all secrets in the folder:

    folder_id=<folderID>
yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.editor
yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.payloadViewer
yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role kms.keys.encrypterDecrypter

    For fine-grained access control, refer to the Yandex Lockbox access documentation.

  4. Install External Secrets Operator using the Helm chart as described in this guide.

    Note that you may need to specify additional parameters such as nodeSelector, tolerations, etc. To do this, use the ./external-secrets/values.yaml file after extracting the Helm chart.

    Download and extract the chart using the following command:

    helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/external-secrets/chart/external-secrets \
  --version 0.5.5 \
  --untar

    Install the chart:

    helm install -n external-secrets --create-namespace \
  --set-file auth.json=authorized-key.json \
  external-secrets ./external-secrets/

    Where:

    • authorized-key.json: The file created in step 2.

  5. Create a SecretStore resource containing the sa-creds secret:

    kubectl -n external-secrets apply -f - <<< '
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    yandexlockbox:
      auth:
        authorizedKeySecretRef:
          name: sa-creds
          key: key'

    Where:

    • sa-creds: Name of the Secret containing the authorized key. The secret appears after the Helm chart is installed.
    • key: Name of the key in the .data field of the secret.

  6. Verify that External Secrets Operator is working:

    kubectl -n external-secrets get po

    Example output:

    NAME                                                READY   STATUS    RESTARTS   AGE
external-secrets-55f78c44cf-dbf6q                   1/1     Running   0          77m
external-secrets-cert-controller-78cbc7d9c8-rszhx   1/1     Running   0          77m
external-secrets-webhook-6d7b66758-s7v9c            1/1     Running   0          77m

    Check the SecretStore status as well:

    kubectl -n external-secrets get secretstores.external-secrets.io

    Example output:

    NAME           AGE   STATUS
secret-store   69m   Valid

  7. Create a secret in Yandex Lockbox with the following parameters:

    • Name: lockbox-secret.
    • Key: Enter non-confidential ID password.
    • Value: Enter confidential data for storing p@$$w0rd.

  8. Create an ExternalSecret pointing to the lockbox-secret in the secret-store:

    kubectl -n external-secrets apply -f - <<< '
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secret-store
    kind: SecretStore
  target:
    name: k8s-secret
  data:
  - secretKey: password
    remoteRef:
      key: <SECRET_ID>
      property: password'

    Where:

    • target.name: Name of the new secret. External Secret Operator will create this secret in the DKP cluster and put the lockbox-secret Yandex Lockbox secret parameters into it.
    • data[].secretKey: Name of the key in the .data field of the secret created by External Secret Operator.
    • data[].remoteRef.key: ID of the lockbox-secret Yandex Lockbox secret created earlier (for example, e6q28nvfmhu539******).
    • data[].remoteRef.property: Key for the lockbox-secret Yandex Lockbox secret.

  9. Verify that the new k8s-secret key contains the lockbox-secret secret value:

    kubectl -n external-secrets get secret k8s-secret -ojson | jq -r '.data.password' | base64 -d

    The output will contain the password key value of the lockbox-secret secret created earlier:

    p@$$w0rd

Integration with Yandex Managed Service for Prometheus

This integration lets you use Yandex Managed Service for Prometheus as an external storage for metrics (for example, for long-term retention).

To configure PrometheusRemoteWrite, follow these steps:

  1. Create a service account with the monitoring.editor role.
  2. Create an API key for the service account.

  3. Create a PrometheusRemoteWrite resource:

    kubectl apply -f - <<EOF
   
apiVersion: deckhouse.io/v1
kind: PrometheusRemoteWrite
metadata:
  name: yc-remote-write
spec:
  url: <REMOTE_WRITE_URL>
  bearerToken: <API_KEY>
EOF

    Where:

    • <REMOTE_WRITE_URL>: URL from the Yandex Monitoring -> Prometheus -> Remote write page.
    • <API_KEY>: API key from the previous step (for example, AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********).

    You can specify additional parameters as described in the prometheus module documentation.

For more details on writing metrics, refer to the Yandex Cloud documentation.

To read metrics in Grafana:

  1. Create a service account with the monitoring.viewer role.
  2. Create an API key for the service account.

  3. Create a GrafanaAdditionalDatasource resource:

    apiVersion: deckhouse.io/v1
kind: GrafanaAdditionalDatasource
metadata:
  name: managed-prometheus
spec:
  type: prometheus
  access: Proxy
  url: <GRAFANA_READ_URL>
  basicAuth: false
  jsonData:
    timeInterval: 30s
    httpMethod: POST
    httpHeaderName1: Authorization
  secureJsonData:
    httpHeaderValue1: Bearer <API_KEY>

    Where:

    • <GRAFANA_READ_URL>: URL from the Yandex Monitoring -> Prometheus -> Reading Grafana metrics page.
    • <API_KEY>: API key from the previous step (for example, AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********).

    You can specify additional parameters as described in the prometheus module documentation.

For more details on reading metrics with Grafana, refer to the Yandex Cloud documentation.