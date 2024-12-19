
1. Create an IBM Cloud Secrets Manager instance

Create an IBM Cloud Secrets Manager instance and a secret group to hold your secrets. A dedicated secret group lets you grant the cluster access to only the secrets it needs rather than to everything in the instance. Learn more about creating a Secrets Manager service instance:

# The Secrets Manager instance itself. Provisioning can take a while, hence the generous timeouts.
resource "ibm_resource_instance" "sm_instance" {
  name     = var.sm_instance_name
  service  = "secrets-manager"
  plan     = var.sm_instance_plan
  location = var.sm_instance_region

  timeouts {
    create = "60m"
    delete = "2h"
  }
}

# A secret group scoped to the Ingress use case. Note that instance_id takes the
# instance GUID, not its CRN.
resource "ibm_sm_secret_group" "sm_secret_group" {
  instance_id = ibm_resource_instance.sm_instance.guid
  region      = ibm_resource_instance.sm_instance.location
  name        = var.sm_secret_group_name
  description = var.sm_secret_group_description
}

2. Set up service-to-service authorization through IAM

The cluster (the containers-kubernetes service) needs an IAM service-to-service authorization on Secrets Manager before it can read or write secrets there. See more about the configuration that is needed to enable service-to-service communication:

# As written, this grants the Kubernetes service the Manager role on every Secrets Manager
# instance in the account. Add target_resource_instance_id (the instance GUID) to limit
# the grant to the one instance created above.
resource "ibm_iam_authorization_policy" "sm_auth" {
  source_service_name = "containers-kubernetes"
  target_service_name = "secrets-manager"
  roles               = ["Manager"]
}

3. Register the Secrets Manager instance to the IBM Cloud Kubernetes Service cluster

When you register a Secrets Manager instance to your cluster as the default, all new Ingress subdomain certificates are stored in that instance, in the secret group you specify:

# Registers the instance with the cluster. instance_crn expects the CRN, which is the
# .id attribute of ibm_resource_instance (the GUID is the .guid attribute).
resource "ibm_container_ingress_instance" "instance" {
  cluster         = var.cluster_name_or_id
  secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id
  instance_crn    = ibm_resource_instance.sm_instance.id
  is_default      = true
}

4. Create secrets in Secrets Manager and enable automatic rotation

Create an arbitrary secret and a username-password secret in Secrets Manager. The username-password secret is configured for automatic rotation so that Secrets Manager generates a new password on the chosen interval. Learn more about the different secret types:

# An arbitrary secret: an opaque payload that Secrets Manager stores but does not interpret.
# Pass the payload through a sensitive variable so it does not show up in plan output.
resource "ibm_sm_arbitrary_secret" "sm_arbitrary_secret" {
  instance_id     = ibm_resource_instance.sm_instance.guid
  region          = ibm_resource_instance.sm_instance.location
  endpoint_type   = var.sm_endpoint_type
  name            = var.sm_arbitrary_secret_name
  description     = var.sm_arbitrary_secret_description
  expiration_date = var.sm_arbitrary_secret_expiration_date
  labels          = var.sm_arbitrary_secret_labels
  secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id
  payload         = var.sm_arbitrary_secret_payload
}

# A username-password secret with daily automatic rotation. Only the password is rotated;
# the username stays as supplied.
resource "ibm_sm_username_password_secret" "sm_username_password_secret" {
  instance_id     = ibm_resource_instance.sm_instance.guid
  region          = ibm_resource_instance.sm_instance.location
  endpoint_type   = var.sm_endpoint_type
  name            = var.sm_username_password_secret_name
  description     = var.sm_username_password_secret_description
  expiration_date = var.sm_username_password_secret_expiration_date
  labels          = var.sm_username_password_secret_labels
  secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id

  rotation {
    auto_rotate = true
    interval    = 1
    unit        = "day"
  }

  username = var.sm_username_password_secret_username
  password = var.sm_username_password_secret_password
}

5. In the cluster, create a persistent Opaque secret that is backed by the CRN of the secrets in Secrets Manager

Create an Ingress Opaque secret in the cluster that references the CRNs of the Secrets Manager secrets. Whenever those secrets are updated in Secrets Manager, the cluster syncs the corresponding Kubernetes Opaque secret once a day. The persistence field ensures that if a user inadvertently deletes the secret from the cluster, it is re-created:
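The five steps above combined into one added, end-to-end Terraform configuration. This is example code, not from the original page or from IBM: the resource and variable names, the "standard" plan, and the attribute schema of ibm_container_ingress_secret_opaque (secret_name, secret_namespace, persistence, a fields block with a crn) are assumptions taken from the IBM Cloud provider documentation, so check them against your provider version. Compared with the page's snippets it scopes the IAM authorization to the single instance with target_resource_instance_id, makes the cluster registration and the Opaque secret depend on that authorization, and marks the password variable sensitive.

```hcl
# Added example, not the page's own code. Names, plan and the
# ibm_container_ingress_secret_opaque schema are assumptions.
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

provider "ibm" {
  region = var.region
}

variable "region" {
  type    = string
  default = "us-south"
}

variable "cluster_name_or_id" {
  type = string
}

variable "db_username" {
  type = string
}

variable "db_password" {
  type      = string
  sensitive = true # keeps the initial value out of plan/apply output
}

# 1. Secrets Manager instance and a dedicated secret group
resource "ibm_resource_instance" "sm" {
  name     = "sm-ingress-demo"
  service  = "secrets-manager"
  plan     = "standard" # assumption; use the plan your account allows
  location = var.region

  timeouts {
    create = "60m"
    delete = "2h"
  }
}

resource "ibm_sm_secret_group" "ingress" {
  instance_id = ibm_resource_instance.sm.guid
  region      = ibm_resource_instance.sm.location
  name        = "ingress"
  description = "Secrets consumed by the IKS Ingress controller"
}

# 2. Service-to-service authorization, limited to this one instance (least privilege)
resource "ibm_iam_authorization_policy" "iks_to_sm" {
  source_service_name         = "containers-kubernetes"
  target_service_name         = "secrets-manager"
  target_resource_instance_id = ibm_resource_instance.sm.guid
  roles                       = ["Manager"]
}

# 3. Register the instance as the cluster default; the authorization must exist first
resource "ibm_container_ingress_instance" "default" {
  cluster         = var.cluster_name_or_id
  instance_crn    = ibm_resource_instance.sm.id # .id of a resource instance is its CRN
  secret_group_id = ibm_sm_secret_group.ingress.secret_group_id
  is_default      = true
  depends_on      = [ibm_iam_authorization_policy.iks_to_sm]
}

# 4. Username-password secret that Secrets Manager rotates daily
resource "ibm_sm_username_password_secret" "db" {
  instance_id     = ibm_resource_instance.sm.guid
  region          = ibm_resource_instance.sm.location
  name            = "db-credentials"
  secret_group_id = ibm_sm_secret_group.ingress.secret_group_id
  username        = var.db_username
  password        = var.db_password

  rotation {
    auto_rotate = true
    interval    = 1
    unit        = "day"
  }
}

# 5. Persistent Opaque secret in the cluster, backed by the secret's CRN
resource "ibm_container_ingress_secret_opaque" "db" {
  cluster          = var.cluster_name_or_id
  secret_name      = "db-credentials"
  secret_namespace = "default"
  persistence      = true # re-created by the cluster if someone deletes it

  fields {
    crn = ibm_sm_username_password_secret.db.crn
  }

  depends_on = [ibm_container_ingress_instance.default]
}
```

Run terraform plan after writing this and confirm that the plan shows the password as (sensitive value) and that the authorization policy is created before ibm_container_ingress_instance.default; if the registration runs first it fails because the cluster cannot yet reach the instance.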