Deckhouse Kubernetes Platform (DKP) supports native integration with several Yandex Cloud services. This allows for external monitoring, secure secret management, and automated data synchronization between the infrastructure and the cluster.
This section describes steps to configure the following integrations:
- Yandex Lockbox via External Secrets Operator
- Yandex Managed Service for Prometheus
Integration with Yandex Lockbox
DKP supports integration with Yandex Lockbox using the External Secrets Operator (ESO). This allows Kubernetes secrets in the cluster to be automatically synchronized with Lockbox secrets.
To set up the integration:
-
Create a service account for External Secrets Operator:
yc iam service-account create --name eso-service-account
-
Create an authorized key for the service account and save it to a file:
yc iam key create --service-account-name eso-service-account --output authorized-key.json
-
Assign
lockbox.editor
,lockbox.payloadViewer
, andkms.keys.encrypterDecrypter
roles to the service account for accessing all secrets in the folder:folder_id=<folderID> yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.editor yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.payloadViewer yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role kms.keys.encrypterDecrypter
For fine-grained access control, refer to the Yandex Lockbox access documentation.
-
Install External Secrets Operator using the Helm chart as described in this guide.
Note that you may need to specify additional parameters such as
nodeSelector
,tolerations
, etc. To do this, use the./external-secrets/values.yaml
file after extracting the Helm chart.Download and extract the chart using the following command:
helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/external-secrets/chart/external-secrets \ --version 0.5.5 \ --untar
Install the chart:
helm install -n external-secrets --create-namespace \ --set-file auth.json=authorized-key.json \ external-secrets ./external-secrets/
Where:
authorized-key.json
: The file created in step 2.
-
Create a SecretStore resource containing the
sa-creds
secret:kubectl -n external-secrets apply -f - <<< ' apiVersion: external-secrets.io/v1alpha1 kind: SecretStore metadata: name: secret-store spec: provider: yandexlockbox: auth: authorizedKeySecretRef: name: sa-creds key: key'
Where:
sa-creds
: Name of the Secret containing the authorized key. The secret appears after the Helm chart is installed.key
: Name of the key in the.data
field of the secret.
-
Verify that External Secrets Operator is working:
kubectl -n external-secrets get po
Example output:
NAME READY STATUS RESTARTS AGE external-secrets-55f78c44cf-dbf6q 1/1 Running 0 77m external-secrets-cert-controller-78cbc7d9c8-rszhx 1/1 Running 0 77m external-secrets-webhook-6d7b66758-s7v9c 1/1 Running 0 77m
Check the SecretStore status as well:
kubectl -n external-secrets get secretstores.external-secrets.io
Example output:
NAME AGE STATUS secret-store 69m Valid
-
Create a secret in Yandex Lockbox with the following parameters:
- Name:
lockbox-secret
. - Key: Enter non-confidential ID
password
. - Value: Enter confidential data for storing
p@$$w0rd
.
- Name:
-
Create an ExternalSecret pointing to the
lockbox-secret
in thesecret-store
:kubectl -n external-secrets apply -f - <<< ' apiVersion: external-secrets.io/v1alpha1 kind: ExternalSecret metadata: name: external-secret spec: refreshInterval: 1h secretStoreRef: name: secret-store kind: SecretStore target: name: k8s-secret data: - secretKey: password remoteRef: key: <SECRET_ID> property: password'
Where:
target.name
: Name of the new secret. External Secret Operator will create this secret in the DKP cluster and put thelockbox-secret
Yandex Lockbox secret parameters into it.data[].secretKey
: Name of the key in the.data
field of the secret created by External Secret Operator.data[].remoteRef.key
: ID of thelockbox-secret
Yandex Lockbox secret created earlier (for example,e6q28nvfmhu539******
).data[].remoteRef.property
: Key for thelockbox-secret
Yandex Lockbox secret.
-
Verify that the new
k8s-secret
key contains thelockbox-secret
secret value:kubectl -n external-secrets get secret k8s-secret -ojson | jq -r '.data.password' | base64 -d
The output will contain the
password
key value of thelockbox-secret
secret created earlier:p@$$w0rd
Integration with Yandex Managed Service for Prometheus
This integration lets you use Yandex Managed Service for Prometheus as an external storage for metrics (for example, for long-term retention).
To configure PrometheusRemoteWrite, follow these steps:
- Create a service account with the
monitoring.editor
role. - Create an API key for the service account.
-
Create a PrometheusRemoteWrite resource:
kubectl apply -f - <<EOF apiVersion: deckhouse.io/v1 kind: PrometheusRemoteWrite metadata: name: yc-remote-write spec: url: <REMOTE_WRITE_URL> bearerToken: <API_KEY> EOF
Where:
<REMOTE_WRITE_URL>
: URL from the Yandex Monitoring -> Prometheus -> Remote write page.<API_KEY>
: API key from the previous step (for example,AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********
).
You can specify additional parameters as described in the
prometheus
module documentation.
For more details on writing metrics, refer to the Yandex Cloud documentation.
To read metrics in Grafana:
- Create a service account with the
monitoring.viewer
role. - Create an API key for the service account.
-
Create a GrafanaAdditionalDatasource resource:
apiVersion: deckhouse.io/v1 kind: GrafanaAdditionalDatasource metadata: name: managed-prometheus spec: type: prometheus access: Proxy url: <GRAFANA_READ_URL> basicAuth: false jsonData: timeInterval: 30s httpMethod: POST httpHeaderName1: Authorization secureJsonData: httpHeaderValue1: Bearer <API_KEY>
Where:
<GRAFANA_READ_URL>
: URL from the Yandex Monitoring -> Prometheus -> Reading Grafana metrics page.<API_KEY>
: API key from the previous step (for example,AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********
).
You can specify additional parameters as described in the
prometheus
module documentation.
For more details on reading metrics with Grafana, refer to the Yandex Cloud documentation.