# Syncing with Yandex Lockbox secrets

[External Secrets Operator](https://external-secrets.io/latest/provider/yandex-lockbox/) enables you to set up syncing [secrets](../../lockbox/concepts/secret.md) in [Yandex Lockbox](../../lockbox/index.md) with [those](../concepts/encryption.md) in a [Yandex Managed Service for Kubernetes cluster](../concepts/index.md#kubernetes-cluster).

There are [various options for integrating](https://external-secrets.io/latest/guides/multi-tenancy/) Yandex Lockbox with Managed Service for Kubernetes. As an example, we will use [ESO as a Service](https://external-secrets.io/latest/guides/multi-tenancy/#eso-as-a-service):

![image](../../_assets/managed-kubernetes/mks-lockbox-eso.svg)

To set up secret syncing:
1. [Install the External Secrets Operator and set up Yandex Lockbox](#install-eso-lockbox).
1. [Configure the Managed Service for Kubernetes cluster](#configure-k8s).
1. [Create an External Secret](#create-es).

If you no longer need the resources you created, [delete them](#clear-out).

You can also deploy an infrastructure for syncing Yandex Lockbox secrets with Managed Service for Kubernetes cluster secrets via Terraform using a ready-made configuration file. For more information, see [Create an infrastructure](#deploy-infrastructure) on the Terraform tab.

## Getting started {#before-you-begin}

Sign up for Yandex Cloud and create a [billing account](../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../billing/quickstart/index.md) and [link](../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../resource-manager/concepts/resources-hierarchy.md).

### Required paid resources {#paid-resources}

The cost of resources for syncing secrets includes:
* Fee for using the [Managed Service for Kubernetes master](../concepts/index.md#master) (see [Managed Service for Kubernetes pricing](../pricing.md)).
* Fee for [Managed Service for Kubernetes node group's](../concepts/index.md#node-group) [computing resources](../../compute/concepts/vm-platforms.md) and [disks](../../compute/concepts/disk.md) (see [Yandex Compute Cloud pricing](../../compute/pricing.md)).

### Create the infrastructure {#deploy-infrastructure}

{% list tabs group=instructions %}

- Manually {#manual}

  1. If you do not have a [network](../../vpc/concepts/network.md#network) yet, [create one](../../vpc/operations/network-create.md).
  1. If you do not have any [subnets](../../vpc/concepts/network.md#subnet) yet, [create them](../../vpc/operations/subnet-create.md) in the [availability zones](../../overview/concepts/geo-scope.md) where the new Managed Service for Kubernetes cluster and node group will reside.
  1. [Create these service accounts](../../iam/operations/sa/create.md):
     * [Service account](../../iam/concepts/users/service-accounts.md) for the Kubernetes resources with the `k8s.clusters.agent` and `vpc.publicAdmin` [roles](../../iam/concepts/access-control/roles.md) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where the Managed Service for Kubernetes cluster is created.
     * Service account for Managed Service for Kubernetes nodes with the [container-registry.images.puller](../../container-registry/security/index.md#container-registry-images-puller) role for the folder containing the [Docker image](../../container-registry/concepts/docker-image.md) [registry](../../container-registry/concepts/registry.md). The Managed Service for Kubernetes nodes will use this account to pull the required Docker images from the registry.

     {% note tip %}

     You can use the same service account for all operations.

     {% endnote %}

  1. [Create security groups](../operations/connect/security-groups.md) for the Managed Service for Kubernetes cluster and its node groups.

     {% note warning %}

     The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.

     {% endnote %}

  1. [Create a Managed Service for Kubernetes cluster](../operations/kubernetes-cluster/kubernetes-cluster-create.md#kubernetes-cluster-create) and [node group](../operations/node-group/node-group-create.md). When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for resources and nodes, as well as the security groups.

  1. [Create a Yandex Lockbox secret](../../lockbox/operations/secret-create.md) with the following properties:
     * **Name**: `lockbox-secret`.
     * **Key**: `password`. This is the non-secret identifier of the value.
     * **Value**: `p@$$w0rd`. This is the confidential data to store.

     Save the ID of the secret. You will need it later.

- Terraform {#tf}

  1. If you do not have Terraform yet, [install it](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  1. [Get the authentication credentials](../../tutorials/infrastructure-management/terraform-quickstart.md#get-credentials). You can add them to environment variables or specify them later in the provider configuration file.
  1. [Configure and initialize a provider](../../tutorials/infrastructure-management/terraform-quickstart.md#configure-provider). There is no need to create a provider configuration file manually: you can [download it](https://github.com/yandex-cloud-examples/yc-terraform-provider-settings/blob/main/provider.tf).
  1. Place the configuration file in a separate working directory and [specify the parameter values](../../tutorials/infrastructure-management/terraform-quickstart.md#configure-provider). If you did not add the authentication credentials to environment variables, specify them in the configuration file.
  1. Download the [k8s-cluster-and-lockbox.tf](https://github.com/yandex-cloud-examples/yc-mk8s-lockbox/blob/main/k8s-cluster-and-lockbox.tf) configuration file of the Managed Service for Kubernetes cluster to the same working directory.

     This file describes:
     * [Network](../../vpc/concepts/network.md#network).
     * [Subnet](../../vpc/concepts/network.md#subnet).
     * Yandex Lockbox secret.
     * Managed Service for Kubernetes cluster.
     * [Service account](../../iam/concepts/users/service-accounts.md) for Managed Service for Kubernetes resources and nodes.
     * [Security groups](../../vpc/concepts/security-groups.md) which contain [rules](../operations/connect/security-groups.md) required for the Managed Service for Kubernetes cluster and its node groups.

     {% note warning %}

     The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.

     {% endnote %}

  1. Specify the following in the configuration file:
     * [Folder ID](../../resource-manager/operations/folder/get-id.md).
     * [Kubernetes version](../concepts/release-channels-and-updates.md) for the Managed Service for Kubernetes cluster and node groups.
     * Name of the service account for Managed Service for Kubernetes resources and nodes.
  1. Make sure the Terraform configuration files are correct using this command:

     ```bash
     terraform validate
     ```

     Terraform will display any configuration errors detected in your files.
  1. Create the required infrastructure:

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

     All the required resources will be created in the specified folder. You can check resource availability and their settings in the [management console](https://console.yandex.cloud).

  1. Save the ID of the created secret shown in the terminal output. You will need it later.

{% endlist %}

### Set up your environment {#environment-set-up}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. Install `jq`:

   ```bash
   sudo apt update && sudo apt install jq
   ```

1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../operations/connect/index.md#kubectl-connect).

## Install the External Secrets Operator and set up Yandex Lockbox {#install-eso-lockbox}

1. Install [External Secrets Operator](https://yandex.cloud/en/marketplace/products/yc/external-secrets) by following [this guide](../operations/applications/external-secrets-operator.md).
1. [Assign](../../lockbox/operations/secret-access.md) the `lockbox.payloadViewer` role for the [previously created](#deploy-infrastructure) `lockbox-secret` to the service account you created when installing the External Secrets Operator.

## Set up a Managed Service for Kubernetes cluster {#configure-k8s}

1. Create a `ns` [namespace](../concepts/index.md#namespace) to store External Secrets Operator objects in:

   ```bash
   kubectl create namespace ns
   ```

1. Create a `yc-auth` secret from the `sa-key.json` authorized key file you created when [installing](#install-eso-lockbox) the External Secrets Operator:

   ```bash
   kubectl --namespace ns create secret generic yc-auth \
     --from-file=authorized-key=sa-key.json
   ```

1. Create a [SecretStore](https://external-secrets.io/latest/api/secretstore/) containing the `yc-auth` secret:


   ```bash
   kubectl --namespace ns apply -f - <<< '
   apiVersion: external-secrets.io/v1beta1
   kind: SecretStore
   metadata:
     name: secret-store
   spec:
     provider:
       yandexlockbox:
         auth:
           authorizedKeySecretRef:
             name: yc-auth
             key: authorized-key'
   ```


## Create an External Secret {#create-es}

1. Create an object named [ExternalSecret](https://external-secrets.io/latest/api/externalsecret/) pointing to `lockbox-secret` in `secret-store`:

   ```bash
   kubectl --namespace ns apply -f - <<< '
   apiVersion: external-secrets.io/v1beta1
   kind: ExternalSecret
   metadata:
     name: external-secret
   spec:
     refreshInterval: 1h
     secretStoreRef:
       name: secret-store
       kind: SecretStore
     target:
       name: k8s-secret
     data:
     - secretKey: password
       remoteRef:
         key: <secret_ID>
         property: password'
   ```

   Where:
   * `remoteRef.key`: ID of the Yandex Lockbox `lockbox-secret` secret [you created](#deploy-infrastructure).
   * `remoteRef.property`: Key inside the Lockbox secret whose value is fetched, `password`.
   * `spec.target.name`: Name of the Kubernetes secret, `k8s-secret`. The External Secrets Operator will create this secret and place the `lockbox-secret` payload in it.
1. Make sure the new `k8s-secret` secret contains the value from `lockbox-secret`:

   ```bash
   kubectl --namespace ns get secret k8s-secret \
     --output=json | \
     jq --raw-output '."data"."password"' | \
     base64 --decode
   ```

   The command result will contain the value of the `password` key of `lockbox-secret`:

   ```text
   p@$$w0rd
   ```
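The SecretStore and `yc-auth` secret from the previous section and the ExternalSecret and `k8s-secret` from this one form a single chain, and when the `password` value does not show up it helps to know which link failed. The script below is an added example written for this tutorial; it is not code from the Yandex Cloud documentation or from the External Secrets Operator project. It reads the JSON that `kubectl --namespace ns get <kind> <name> --output=json` returns for each of the three objects (the inline samples are constructed to match the manifests on this page; the `<secret_ID>` placeholder, the `2024-01-01T00:00:00Z` refresh time and the condition messages are assumed values), checks the `Ready` condition on the store and on the ExternalSecret, confirms that every `secretKey` declared in `spec.data` landed in the target Secret, and compares the decoded value against a SHA-256 digest instead of echoing it.

```python
"""Offline health check for a Yandex Lockbox -> Kubernetes Secret sync managed
by External Secrets Operator (ESO).

Added example; not code from the Yandex Cloud documentation or the ESO project.
It consumes the JSON that `kubectl get ... --output=json` returns for the
SecretStore, the ExternalSecret and the target Secret and reports whether the
chain is healthy. The sample objects below are constructed by hand in that
shape; the status fields used (conditions[].type == "Ready", refreshTime,
reasons "SecretSynced" / "SecretSyncedError" / "Valid") follow the ESO API.
"""
import base64
import hashlib
import json
import subprocess

# --- Constructed samples, shaped like `kubectl --namespace ns get <kind> <name> -o json` ---
READY = {"type": "Ready", "status": "True", "reason": "SecretSynced", "message": "Secret was synced"}
FAILED = {"type": "Ready", "status": "False", "reason": "SecretSyncedError",
          "message": "could not get secret data from provider"}  # message text is assumed

SECRET_STORE_JSON = json.dumps({
    "apiVersion": "external-secrets.io/v1beta1", "kind": "SecretStore",
    "metadata": {"name": "secret-store", "namespace": "ns"},
    "spec": {"provider": {"yandexlockbox": {"auth": {"authorizedKeySecretRef": {
        "name": "yc-auth", "key": "authorized-key"}}}}},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Valid"}]},
})


def external_secret_json(condition):
    """ExternalSecret as on the page, carrying the given Ready condition (constructed)."""
    return json.dumps({
        "apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
        "metadata": {"name": "external-secret", "namespace": "ns"},
        "spec": {"refreshInterval": "1h",
                 "secretStoreRef": {"name": "secret-store", "kind": "SecretStore"},
                 "target": {"name": "k8s-secret"},
                 "data": [{"secretKey": "password",
                           "remoteRef": {"key": "<secret_ID>", "property": "password"}}]},
        "status": {"refreshTime": "2024-01-01T00:00:00Z", "conditions": [condition]},
    })


K8S_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "k8s-secret", "namespace": "ns"},
    "data": {"password": base64.b64encode(b"p@$$w0rd").decode()},
})


def fetch_json(kind, name, namespace="ns"):
    """Live variant: ask kubectl for the object. Not used by the offline checks below."""
    return subprocess.run(["kubectl", "--namespace", namespace, "get", kind, name,
                           "--output=json"], check=True, capture_output=True, text=True).stdout


def is_ready(obj):
    """True only when the object's status has a Ready condition set to "True"."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def sha256_hex(value):
    """Digest used to compare a synced value without printing the plaintext."""
    return hashlib.sha256(value.encode()).hexdigest()


def check_sync(store_json, es_json, secret_json, expected_sha256):
    """Walk SecretStore -> ExternalSecret -> Secret and collect findings.

    expected_sha256 maps a secretKey to the SHA-256 of the value it should hold,
    so the check never has to echo the secret itself.
    """
    store, es, secret = (json.loads(s) for s in (store_json, es_json, secret_json))
    findings = []
    if not is_ready(store):
        findings.append("SecretStore not Ready: check the yc-auth secret and the provider block")
    if not is_ready(es):
        reasons = [c.get("reason") for c in es.get("status", {}).get("conditions", [])]
        findings.append(f"ExternalSecret not Ready ({reasons}): check remoteRef.key and "
                        "the lockbox.payloadViewer role on the service account")
    if es["spec"]["target"]["name"] != secret["metadata"]["name"]:
        findings.append("spec.target.name does not match the inspected Secret")
    decoded = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    missing = sorted({d["secretKey"] for d in es["spec"]["data"]} - decoded.keys())
    if missing:
        findings.append(f"keys declared in spec.data but absent from the Secret: {missing}")
    for key, digest in expected_sha256.items():
        if sha256_hex(decoded.get(key, "")) != digest:
            findings.append(f"value of {key!r} differs from the expected Lockbox value")
    return {"ok": not findings, "findings": findings,
            "refresh_time": es.get("status", {}).get("refreshTime")}


if __name__ == "__main__":
    report = check_sync(SECRET_STORE_JSON, external_secret_json(READY), K8S_SECRET_JSON,
                        {"password": sha256_hex("p@$$w0rd")})
    print(json.dumps(report, indent=2))
```

Run it as a script to see the report over the constructed samples; against a live cluster, replace the three sample strings with the output of `fetch_json("secretstore", "secret-store")`, `fetch_json("externalsecret", "external-secret")` and `fetch_json("secret", "k8s-secret")`. In the report, an ExternalSecret whose Ready condition carries reason `SecretSyncedError` is where to look when `remoteRef.key` is wrong or the service account lacks `lockbox.payloadViewer` on `lockbox-secret`, while a SecretStore that is not Ready points at the `yc-auth` key or the `yandexlockbox` provider block.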

## Delete the resources you created {#clear-out}

Delete the resources you no longer need to avoid paying for them:

{% list tabs group=instructions %}

- Manually {#manual}

  1. [Delete the Managed Service for Kubernetes cluster](../operations/kubernetes-cluster/kubernetes-cluster-delete.md).
  1. [Delete](../../vpc/operations/address-delete.md) the Managed Service for Kubernetes cluster's [public static IP address](../../vpc/concepts/address.md#public-addresses) if you had reserved one.
  1. [Delete `lockbox-secret`](../../lockbox/operations/secret-delete.md).

- Terraform {#tf}

  1. In the terminal window, go to the directory containing the infrastructure plan.
  
      {% note warning %}
  
      Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
  
      {% endnote %}
  
  1. Delete resources:
  
      1. Run this command:
  
          ```bash
          terraform destroy
          ```
  
      1. Confirm deleting the resources and wait for the operation to complete.
  
      All the resources described in the Terraform manifests will be deleted.

{% endlist %}