Deckhouse Kubernetes Platform (DKP) supports native integration with several Yandex Cloud services. This allows for external monitoring, secure secret management, and automated data synchronization between the infrastructure and the cluster.

This section describes steps to configure the following integrations:

  • Yandex Lockbox via External Secrets Operator
  • Yandex Managed Service for Prometheus

Integration with Yandex Lockbox

DKP supports integration with Yandex Lockbox using the External Secrets Operator (ESO). This allows Kubernetes secrets in the cluster to be automatically synchronized with Lockbox secrets.

To set up the integration:

  1. Create a service account for External Secrets Operator:

    yc iam service-account create --name eso-service-account
    
  2. Create an authorized key for the service account and save it to a file:

    yc iam key create --service-account-name eso-service-account --output authorized-key.json
    
  3. Assign lockbox.editor, lockbox.payloadViewer, and kms.keys.encrypterDecrypter roles to the service account for accessing all secrets in the folder:

    folder_id=<folderID>
    yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.editor
    yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role lockbox.payloadViewer
    yc resource-manager folder add-access-binding --id=${folder_id} --service-account-name eso-service-account --role kms.keys.encrypterDecrypter
    

    For fine-grained access control, refer to the Yandex Lockbox access documentation.

  4. Install External Secrets Operator using the Helm chart as described in this guide.

    Note that you may need to specify additional parameters such as nodeSelector, tolerations, etc. To do this, use the ./external-secrets/values.yaml file after extracting the Helm chart.

    Download and extract the chart using the following command:

    helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/external-secrets/chart/external-secrets \
      --version 0.5.5 \
      --untar
    

    Install the chart:

    helm install -n external-secrets --create-namespace \
      --set-file auth.json=authorized-key.json \
      external-secrets ./external-secrets/
    

    Where:

    • authorized-key.json: The file created in step 2.
  5. Create a SecretStore resource containing the sa-creds secret:

    kubectl -n external-secrets apply -f - <<< '
    apiVersion: external-secrets.io/v1alpha1
    kind: SecretStore
    metadata:
      name: secret-store
    spec:
      provider:
        yandexlockbox:
          auth:
            authorizedKeySecretRef:
              name: sa-creds
              key: key'
    

    Where:

    • sa-creds: Name of the Secret containing the authorized key. The secret appears after the Helm chart is installed.
    • key: Name of the key in the .data field of the secret.
  6. Verify that External Secrets Operator is working:

    kubectl -n external-secrets get po
    

    Example output:

    NAME                                                READY   STATUS    RESTARTS   AGE
    external-secrets-55f78c44cf-dbf6q                   1/1     Running   0          77m
    external-secrets-cert-controller-78cbc7d9c8-rszhx   1/1     Running   0          77m
    external-secrets-webhook-6d7b66758-s7v9c            1/1     Running   0          77m
    

    Check the SecretStore status as well:

    kubectl -n external-secrets get secretstores.external-secrets.io 
    

    Example output:

    NAME           AGE   STATUS
    secret-store   69m   Valid
    
  7. Create a secret in Yandex Lockbox with the following parameters:

    • Name: lockbox-secret.
    • Key: Enter non-confidential ID password.
    • Value: Enter confidential data for storing p@$$w0rd.
  8. Create an ExternalSecret pointing to the lockbox-secret in the secret-store:

    kubectl -n external-secrets apply -f - <<< '
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: external-secret
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: secret-store
        kind: SecretStore
      target:
        name: k8s-secret
      data:
      - secretKey: password
        remoteRef:
          key: <SECRET_ID>
          property: password'
    

    Where:

    • target.name: Name of the new secret. External Secret Operator will create this secret in the DKP cluster and put the lockbox-secret Yandex Lockbox secret parameters into it.
    • data[].secretKey: Name of the key in the .data field of the secret created by External Secret Operator.
    • data[].remoteRef.key: ID of the lockbox-secret Yandex Lockbox secret created earlier (for example, e6q28nvfmhu539******).
    • data[].remoteRef.property: Key for the lockbox-secret Yandex Lockbox secret.
  9. Verify that the new k8s-secret key contains the lockbox-secret secret value:

    kubectl -n external-secrets get secret k8s-secret -ojson | jq -r '.data.password' | base64 -d
    

    The output will contain the password key value of the lockbox-secret secret created earlier:

    p@$$w0rd
    

Integration with Yandex Managed Service for Prometheus

This integration lets you use Yandex Managed Service for Prometheus as an external storage for metrics (for example, for long-term retention).

To configure PrometheusRemoteWrite, follow these steps:

  1. Create a service account with the monitoring.editor role.
  2. Create an API key for the service account.
  3. Create a PrometheusRemoteWrite resource:

    kubectl apply -f - <<EOF
       
    apiVersion: deckhouse.io/v1
    kind: PrometheusRemoteWrite
    metadata:
      name: yc-remote-write
    spec:
      url: <REMOTE_WRITE_URL>
      bearerToken: <API_KEY>
    EOF
    

    Where:

    • <REMOTE_WRITE_URL>: URL from the Yandex Monitoring -> Prometheus -> Remote write page.
    • <API_KEY>: API key from the previous step (for example, AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********).

    You can specify additional parameters as described in the prometheus module documentation.

For more details on writing metrics, refer to the Yandex Cloud documentation.

To read metrics in Grafana:

  1. Create a service account with the monitoring.viewer role.
  2. Create an API key for the service account.
  3. Create a GrafanaAdditionalDatasource resource:

    apiVersion: deckhouse.io/v1
    kind: GrafanaAdditionalDatasource
    metadata:
      name: managed-prometheus
    spec:
      type: prometheus
      access: Proxy
      url: <GRAFANA_READ_URL>
      basicAuth: false
      jsonData:
        timeInterval: 30s
        httpMethod: POST
        httpHeaderName1: Authorization
      secureJsonData:
        httpHeaderValue1: Bearer <API_KEY>
    

    Where:

    • <GRAFANA_READ_URL>: URL from the Yandex Monitoring -> Prometheus -> Reading Grafana metrics page.
    • <API_KEY>: API key from the previous step (for example, AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********).

    You can specify additional parameters as described in the prometheus module documentation.

For more details on reading metrics with Grafana, refer to the Yandex Cloud documentation.