Use ack-secret-manager to import secrets from KMS - Container Service for Kubernetes

ack-secret-manager allows you to import or synchronize secrets from Key Management Service (KMS) to Container Service for Kubernetes (ACK) clusters as Kubernetes Secrets, which are used to store sensitive information in the clusters. You can use this component to automate the synchronization of secrets from KMS to your ACK cluster. This way, applications in your cluster can use a file system to mount the specified Secrets in order to use the up-to-date KMS secrets. This helps improve the compatibility between your applications and Secrets Manager.

Security considerations

In most cases, information about the KMS secret is stored in files for applications to retrieve. This situation poses a compatibility issue with directly retrieving secrets from the KMS Secrets Manager. The ack-secret-manager component can resolve this compatibility issue. You can also use this component to synchronize secrets from KMS to Kubernetes Secrets in your ACK cluster. Then, you can mount and use the Kubernetes Secrets as environment variables. Before you use this component, assess the following security risks:

When secrets in your cluster are accessible through the file system, attackers can exploit Common Vulnerabilities and Exposures (CVE) vulnerabilities in applications to traverse the directories in the cluster. As a result, the secrets may be leaked.
Improper configuration of debug breakpoints or excessive log access permissions may expose secrets in your cluster. We recommend that you do not reference secrets through environment variables to avoid potential security risks.
When you enable secret synchronization, strictly follow the least privilege principle to limit access permissions.

If you do not need to persist secrets for your application, we recommend that you refer to Use RRSA to authorize different pods to access different cloud services to grant the least access permissions to pods. Then, obtain the secrets in the application by calling the GetSecretValue operations directly. This reduces the chances of exposing the secrets in the pod file system or Kubernetes Secrets.

Prerequisites

An ACK cluster is created in the same region as the KMS secret that you want to use. For more information, see Create an ACK managed cluster, Create ACK One registered clusters, and Create an ACK Serverless cluster.

Step 1: Install ack-secret-manager

Log on to the ACK console. In the navigation pane on the left, click Clusters.
On the Clusters page, find the cluster you want and click its name. In the left-side navigation pane, choose Applications > Helm.
On the Helm page, click Deploy. In the Chart section of the Deploy panel, find and select ack-secret-manager, use the default values for other parameters, and then click Next.
In the Confirm message, the displayed information indicates that the chart will be installed in the kube-system namespace by default and the default application name will be used. Click Yes. To use a custom application and a custom namespace, configure the Application Name and Namespace parameters in the Basic Information step.
In the Parameters step, select the latest chart version, configure other parameters, and then click OK.
- To enable Resource Access Management (RAM) Roles for Service Accounts (RRSA) for authentication, set the rrsa.enable parameter to true.
- To enable scheduled synchronization of secrets, configure the parameters shown in the following figure.
  - command.disablePolling: specifies whether to disable round-robin for secrets. A value of false enables round-robin for secrets.
  - command.pollingInterval: the synchronization frequency. A value of 120s specifies that the secrets are synchronized every 2 minutes. You can specify a custom value based on your business requirements.
- To throttle Secrets in clusters containing many ExternalSecrets, which are KMS secrets pending synchronization, improper configuration may trigger throttling on the KMS or RAM side. Therefore, set the following throttling parameter to avoid such issues:
  command.maxConcurrentKmsSecretPulls: The maximum number of KMS secrets that can be synchronized within one second. The default value is 10.
- To specify a KMS endpoint address, configure the kmsEndpoint parameter.
  command.kmsEndpoint: shared gateways and dedicated gateways for KMS. This parameter is a global configuration and currently also supports secret-level configuration.
After you install the component, you are redirected to the ack-secret-manager page. You can check whether the component is installed. If the resources shown in the following figure are created, the component is installed.

Step 2: Authorize ack-secret-manager to access KMS secrets

You need to create a SecretStore to authorize ack-secret-manager to access KMS secrets. Otherwise, ack-secret-manager cannot import or synchronize secrets from KMS to your ACK cluster. You can use the following methods to authorize ack-secret-manager to access KMS secrets:

Use RRSA to grant permissions: This method applies to ACK managed clusters and ACK Serverless clusters that run Kubernetes 1.22 or later.
Grant permissions to the worker RAM role of the cluster: This method applies to ACK managed clusters, ACK dedicated clusters, and registered clusters.
Specify an AccessKey pair used to assume a RAM role: This method applies to all types of ACK clusters.

Use RRSA to grant permissions

This method applies to ACK managed clusters and ACK Serverless clusters that run Kubernetes 1.22 or later. You can use the RRSA feature to implement pod-level permission control. RRSA can also prevent secret leaks because this method does not need AccessKey pairs.

Enable the RRSA feature for the ACK cluster in the ACK console. This allows you to create identity providers (IdPs) for your cluster. For more information, see Enable RRSA.

Create a RAM role whose trusted entity is identity provider for ack-secret-manager.

Set Principal Type to Identity Provider. The following table describes the key parameters of the RAM role. For more information, see Create a RAM role for an OIDC IdP.

Parameter	Description
Identity Provider Type	Select OIDC.
Identity Provider	Select ack-rrsa-<cluster_id>. <cluster_id> is the ID of your cluster.
Condition	oidc:iss: Keep the default settings. oidc:aud: Keep the default settings. oidc:sub: You must manually add this condition. Key: Select oidc:sub. Operator: Select StringEquals. Value: Enter system:serviceaccount:<namespace>:<serviceAccountName>. Replace `<namespace>` with the namespace of your application. Replace `<serviceAccountName>` with the name of the service account. In this example, `system:serviceaccount:kube-system:ack-secret-manager` is specified. Note If you install ack-secret-manager in a namespace other than `kube-system`, specify the actual namespace.

Create a custom RAM policy and attach the policy to the RAM role.
1. Create a custom RAM policy that authorizes ack-secret-manager to import KMS secrets. The following code block shows the content of the policy. For more information, see Create custom policies.
```
{
    "Action": [
       "kms:GetSecretValue",
       "kms:Decrypt"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}
```
2. Attach the policy to the RAM role. For more information, see Grant permissions to a RAM role.
Create a SecretStore to specify the authentication method.
1. Modify the following code block based on the following description. Then, create a file named secretstore-rrsa.yaml based on the modified code block.
  - {accountID}: Replace the value with the ID of the Alibaba Cloud account that is used to synchronize KMS secrets.
  - {clusterID}: Replace the value with the ID of your cluster.
  - {roleName}: Replace the value with the name of the RAM role you created in Step 2.
```
apiVersion: 'alibabacloud.com/v1alpha1'
kind: SecretStore
metadata:
  name: scdemo-rrsa
spec:
  KMS:
    KMSAuth:
      oidcProviderARN: "acs:ram::{accountID}:oidc-provider/ack-rrsa-{clusterID}"
      ramRoleARN: "acs:ram::{accountID}:role/{roleName}"	                     
```
2. Run the following command to create the SecretStore:
```
kubectl apply -f secretstore-rrsa.yaml
```

Grant permissions to the worker RAM role of the cluster

This method applies to ACK managed clusters, ACK dedicated clusters, and registered clusters. This method does not apply to ACK Serverless clusters because no worker RAM role is assigned to ACK Serverless clusters.

Create a custom RAM policy based on the following code block. For more information, see Create custom policies.

{
  "Action": [
    "kms:GetSecretValue",
    "kms:Decrypt"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Attach the custom policy to the worker RAM role of the cluster. For more information, see Grant permissions to the worker RAM role.

Specify an AccessKey pair used to assume a RAM role

This method applies to all types of ACK clusters.

Create a RAM role whose trusted entity is an Alibaba Cloud account for ack-secret-manager. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Note
When you specify the trusted Alibaba Cloud account, select Current Account.
Create a custom RAM policy and attach the policy to the RAM role you created in the previous step.
1. Create a custom RAM policy that provides the permissions to access KMS secrets. The following code block shows the content of the policy. For more information, see Create custom policies.
```
{
  "Action": [
    "kms:GetSecretValue",
    "kms:Decrypt"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}
```
2. Attach the policy to the RAM role you created in the previous step. For more information, see Grant permissions to a RAM role.
Create a custom RAM policy that provides the permissions to assume the RAM role you created and then attach the policy to the RAM user that you want to use.
1. Create a custom RAM policy that contains the permissions to assume the RAM role you created. The following code block shows the content of the policy. For more information, see Create custom policies.
```
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "acs:ram:*:<account-id>:role/<role-name>"  
        }
    ],
    "Version": "1"
}
```
  The Resource field in the preceding code block specifies the ARN of the RAM role. Replace <account-id> with the Alibaba Cloud account to which the RAM role you created belongs and <role-name> with the RAM role you created. For more information about how to obtain the ARN of a RAM role, see How do I view the ARN of a RAM role?
2. Attach the policy to the RAM user that you want to use. This way, the RAM user can assume the RAM role. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.
Create a Secret to store the AccessKey pair of the RAM user that you want to use.
1. Replace the AccessKey pair in the following code block with the actual AccessKey pair that is encoded in Base64. Then, create a file named ramuser.yaml based on the modified code block.
```
apiVersion: v1
data:
  accessKey: {AccessKey ID encoded in Base64}
  accessKeySecret: {AccessKey secret encoded in Base64}
kind: Secret
metadata:
  name: ramuser
  namespace: kube-system
type: Opaque
```
2. Run the following command to create the ramuser Secret:
```
kubectl apply -f ramuser.yaml
```
Create a SecretStore to specify the authentication method.
1. Modify the following code block based on the following description. Then, create a file named secretstore-ramrole.yaml based on the modified code block.
  - {accountID}: Replace the value with the ID of the Alibaba Cloud account that is used to synchronize KMS secrets.
  - {roleName}: Replace the value with the name of the RAM role you created in Step 1.
  - {secretName}: Replace the value with the name of the Secret that stores the AccessKey pair.
  - {secretNamespace}: Replace the value with the namespace of the Secret that stores the AccessKey pair.
  - {secretKey}: Replace the value with the key of the Secret that stores the AccessKey pair.
  - {roleSessionName}: Replace the value with the name of the role session. You can specify a custom string.
```
apiVersion: 'alibabacloud.com/v1alpha1'
kind: SecretStore
metadata:
  name: scdemo-ramrole
spec:
  KMS:
    KMSAuth:
      accessKey:
        name: {secretName}
        namespace: {secretNamespace}
        key: {secretKey}
      accessKeySecret:
        name: {secretName}
        namespace: {secretNamespace}
        key: {secretKey}
      ramRoleARN: "acs:ram::{accountID}:role/{roleName}"  
      ramRoleSessionName: {roleSessionName}
```
2. Run the following command to create the SecretStore:
```
kubectl apply -f secretstore-ramrole.yaml
```

Step 3: Specify synchronization details

After you authorize ack-secret-manager to access KMS secrets, you need to create an ExternalSecret to specify the details of the KMS secrets that you want to access. This way, you can import a secret from KMS to a Kubernetes Secret in your cluster.

Note

The namespace and name of the Kubernetes Secret must be the same as the namespace and name of the ExternalSecret.

Create an ExternalSecret.

Modify the following code block based on the following description. Then, create a file named external.yaml based on the modified code block.

Parameter	Description
`{KMS secret name}`	Required. Replace the value with the name of the KMS secret that you want to access.
`{Kubernetes secret key}`	Required. This is a collection of key-value pairs. The data of a KMS secret is stored as a key-value pair in a Kubernetes Secret. You must replace `{Kubernetes secret key}` with the key of the corresponding key-value pair.
`{KMS secret version stage}`	Optional. Replace the value with the stage label of the KMS secret instead of the version number of the KMS secret. Example: ACSCurrent. RDS secrets, PolarDB secrets, Redis/Tair secrets, RAM secrets, and ECS secrets can only retrieve the secret versions corresponding to the ACSPrevious and ACSCurrent parameters. To specify the version number of the KMS secret for synchronization, you can replace the `versionStage` field in the following template with `versionId`, and fill in the version number of the KMS secret. RDS secrets, PolarDB secrets, Redis/Tair secrets, RAM secrets, and ECS secrets do not support specifying the VersionId parameter. The setting of this parameter is ignored. For more information about the secret version and version status, see the secret versions in Secret elements.
`{KMS Service endpoint address}`	Optional. If you want to specify the KMS request endpoint, replace this parameter with the corresponding endpoint address. Shared gateways and dedicated gateways for KMS are supported and can be configured based on your business requirements. This parameter is a secret-level configuration, which allows you to configure the endpoint address specifically for KMS secrets. Global configuration is also supported. For more information about the configuration description, see Configure KMS endpoint addresses. After this parameter is set, the global configuration and default configuration are overridden, and the endpoint address for the secret request is the value of this parameter.
`{secret store name}`	Optional. Replace the value with the name of the `SecretStore` you created. The `SecretStore` is used to authorize ack-secret-manager to access the KMS secret. Note You can leave this parameter empty if the component is authorized by the worker RAM role.
`{secret store namespace}`	Optional. Replace the value with the namespace of the `SecretStore` you created. Note You can leave this parameter empty if the component is authorized by the worker RAM role.

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: esdemo
spec:
  provider: kms # By default, the type of Alibaba Cloud Services to be synchronized is KMS. When synchronizing KMS secrets, this field can be left empty or assigned the value kms.
  data: # No additional configurations are required for the data source. 
    - key: {KMS secret name}
      name: {Kubernetes secret key}
      versionStage: {KMS secret version stage}
      secretStoreRef: # This parameter is not required when the component is authorized through the worker RAM role.
        name: {secret store name}
        namespace: {secret store namespace}
            - key: {KMS secret name}
      name: {Kubernetes secret key}
      versionStage: {KMS secret version stage}
      kmsEndpoint: {KMS Service endpoint address}

Run the following command to create the ExternalSecret:
```
kubectl apply -f external.yaml
```

Run the following command to check whether a Kubernetes Secret exists:
```
kubectl get secret esdemo
```
If a Kubernetes Secret exists, the KMS secret is synchronized from KMS to your cluster.

Advanced ack-secret-manager configurations

Synchronize KMS secrets across Alibaba Cloud accounts

If the KMS instance that you want to access belongs to Alibaba Cloud Account A but the ACK cluster that you use belongs to Alibaba Cloud Account B, you need to use the ack-secret-manager component to synchronize the KMS secret to the cluster across Alibaba Cloud accounts. This section describes how to use the RRSA feature to enable ack-secret-manager to access the KMS instance in Alibaba Cloud Account A from the cluster in Alibaba Cloud Account B. The component can use an OIDC provider to assume a RAM role that belongs to Alibaba Cloud Account A. This way, the component can access the KMS instance in Alibaba Cloud Account A and import the KMS instance from Alibaba Cloud Account A to the cluster in Alibaba Cloud Account B.

Configure permissions for Alibaba Cloud Account A

Use Alibaba Cloud Account A to create a RAM role whose trusted entity is Alibaba Cloud Account B. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Important
When you select the trusted Alibaba Cloud account, select Other Account and then enter the ID of Alibaba Cloud Account B.
Create a custom RAM policy that provides the permissions to access KMS secrets.
The following code block shows the content of the policy. For more information, see Create custom policies.
```
{
    "Action": [
       "kms:GetSecretValue",
       "kms:Decrypt"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}
```
Attach the policy to the RAM role. For more information, see Grant permissions to a RAM role.

Configure permissions for Alibaba Cloud B

Enable the RRSA feature for the ACK cluster in the ACK console. This allows you to create IdPs for your cluster. For more information, see Enable RRSA.
Note
When you install ack-secret-manager, set the rrsa.enable parameter to true to enable RRSA.

Create a RAM role whose trusted entity is identity provider for ack-secret-manager.

Set Principal Type to Identity Provider. The following table describes the key parameters of the RAM role. For more information, see Create a RAM role for an OIDC IdP.

Parameter	Description
Identity Provider Type	Select OIDC.
Identity Provider	Select ack-rrsa-<cluster_id>. <cluster_id> is the ID of your cluster.
Condition	oidc:iss: Keep the default settings. oidc:aud: Keep the default settings. oidc:sub: You must manually add this condition. Key: Select oidc:sub. Operator: Select StringEquals. Value: Enter system:serviceaccount:<namespace>:<serviceAccountName>. Replace `<namespace>` with the namespace of your application. Replace `<serviceAccountName>` with the name of the service account. In this example, `system:serviceaccount:kube-system:ack-secret-manager` is specified. Note If you install ack-secret-manager in a namespace other than `kube-system`, specify the actual namespace.

Create a custom RAM policy and attach the policy to the RAM role you created by using Alibaba Cloud Account B in the previous step.
1. Create a custom RAM policy that authorizes ack-secret-manager to import KMS secrets. The following code block shows the content of the policy. For more information, see Create custom policies.
```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram:*:<account-id>:role/<role-name>" # The ARN of the RAM role you created by using Alibaba Cloud Account A.
    }
  ],
  "Version": "1"
}
```
  The Resource field in the preceding code block specifies the ARN of the RAM role. Replace <account-id> with the ID of Alibaba Cloud Account A and <role-name> with the RAM role you created by using Alibaba Cloud Account A. For more information about how to obtain the ARN of a RAM role, see How do I view the ARN of a RAM role?
2. Create a custom RAM policy and attach the policy to the RAM role you created by using Alibaba Cloud Account B in the previous step.
Create a SecretStore.
1. Modify the following code block based on the following description. Then, create a file named secretstore-ramrole.yaml based on the modified code block.
  - {ACK-accountID}: Replace the value with the ID of Alibaba Cloud Account B.
  - {clusterID}: Replace the value with the ID of your cluster.
  - {ACK-roleName}: Replace the value with the name of the RAM role you created by using Alibaba Cloud Account B.
  - {KMS-accountID}: Replace the value with the ID of Alibaba Cloud Account A.
  - {KMS-roleName}: Replace the value with the ID of Alibaba Cloud Account B.
  - {roleSessionName}: Replace the value with the name of the role session. You can specify a custom string.
```
apiVersion: 'alibabacloud.com/v1alpha1'
kind: SecretStore
metadata:
  name: scdemo-cross-account
spec:
  KMS:
    KMSAuth:
      oidcProviderARN: "acs:ram::{ACK-accountID}:oidc-provider/ack-rrsa-{clusterID}"
      ramRoleARN: "acs:ram::{ACK-accountID}:role/{ACK-roleName}"
      remoteRamRoleARN: "acs:ram::{KMS-accountID}:role/{KMS-roleName}"
      remoteRamRoleSessionName: {roleSessionName}
```
Specify synchronization details. For more information, see Step 3: Specify synchronization details.

KMS secret parsing and key replacement

The following section describes how to parse the specified keys in a JSON/YAML secret.

Parse encryption parameters in JSON format

Parse the specified keys in JSON

If you want to parse a KMS secret in JSON format and synchronize the specified key-value pairs from the KMS secret to a Kubernetes Secret, you can configure the jmesPath parameter. For example, the following JSON secret is stored in KMS Secrets Manager:

{"name":"tom","friends":[{"name":"lily"},{"name":"mark"}]}

Create an ExternalSecret based on the following sample code. You must specify the following fields in the jmesPath parameter:

path: parses the specified JSON fields based on the JMESPath specification. This parameter is required.
objectAlias: specifies the key of the key-value pair in the Kubernetes Secret that is synchronized based on the parsed field.

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: es-json-demo
spec:
  provider: kms
  data: 
    - key: {KMS secret name}
      versionStage: {KMS secret version stage}
      secretStoreRef:
        name: {secret store name}
        namespace: {secret store namespace}
      jmesPath: # Parse some json fields 
        - path: "name"
          objectAlias: "myname"
        - path: "friends[0].name"
          objectAlias: "friendname"

Automatic JSON secret parsing

If you do not know the data structure of a JSON secret but still need to parse the secret and store the parsed data in a Kubernetes Secret, you can configure the dataProcess.extract parameter to enable automatic JSON secret parsing. In addition, you can configure the dataProcess.replaceRule parameter to specify rules for replacing keys in the parsed data. This prevents Kubernetes Secret creation failures caused by irregular Secret data keys.

For example, the following JSON secret is stored in KMS Secrets Manager:

{"/name-invalid":"lily","name-invalid/":[{"name":"mark"}]}

Create an ExternalSecret based on the following sample code:

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: extract-secret
spec:
  provider: kms
  dataProcess:
    - extract:
        key: {KMS secret name}
        versionStage: ACSCurrent # The version of the KMS secret.
        secretStoreRef:
          name: {secret store name}
          namespace: {secret store namespace}
      replaceRule: # The rules for replacing keys. 
        - source: "^/.*d$" # Replace the keys that start with a forward slash (/) and end with a lowercase letter d with tom. 
          target: "tom"
        - source: "^n.*/$" # Replace the keys that start with a lowercase letter n and end with a forward slash (/) with mark. 
          target: "mark"

Parse encryption parameters in YAML format

Parse the specified keys in YAML

If you want to parse a KMS secret in YAML format and synchronize the specified key-value pairs from the KMS secret to a Kubernetes Secret, you can configure the jmesPath parameter. For example, the following YAML secret is stored in KMS Secrets Manager:

name: tom
friends:
  - name: lily
  - name: mark

Create an ExternalSecret based on the following sample code. You must specify the following fields in the jmesPath parameter:

path: parses the specified YAML fields based on the JMESPath specification. This parameter is required.
objectAlias: specifies the key of the key-value pair in the Kubernetes Secret that is synchronized based on the parsed field.

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: es-json-demo
spec:
  provider: kms
  data: 
    - key: {KMS secret name}
      versionStage: {KMS secret version stage}
      secretStoreRef:
        name: {secret store name}
        namespace: {secret store namespace}
      jmesPath: # Parse some fields in yaml string
        - path: "name"
          objectAlias: "myname"
        - path: "friends[0].name"
          objectAlias: "friendname"

Automatic YAML secret parsing

If you do not know the data structure of a YAML secret but still need to parse the secret and store the parsed data in a Kubernetes Secret, you can configure the dataProcess.extract parameter to enable automatic YAML secret parsing. In addition, you can configure the dataProcess.replaceRule parameter to specify rules for replacing keys in the parsed data. This prevents Kubernetes Secret creation failures caused by irregular Secret data keys.

For example, the following YAML secret is stored in KMS Secrets Manager:

/name-invalid: lily
name-invalid/:
  - name: mark

Create an ExternalSecret based on the following sample code:

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: extract-secret
spec:
  provider: kms
  dataProcess:
    - extract:
        key: {KMS secret name}
        versionStage: ACSCurrent # The version of the KMS secret.
        secretStoreRef:
          name: {secret store name}
          namespace: {secret store namespace}
      replaceRule: # The rules for replacing keys. 
        - source: "^/.*d$" # Replace the keys that start with a forward slash (/) and end with a lowercase letter d with tom. 
          target: "tom"
        - source: "^n.*/$" # Replace the keys that start with a lowercase letter n and end with a forward slash (/) with mark. 
          target: "mark"

Configure KMS endpoint addresses

You can access KMS to obtain secrets through the dedicated gateway or the shared gateway. The following table shows the requirements for endpoint configuration. For more information about the differences between dedicated gateway and shared gateways for accessing KMS, see Differences between shared and dedicated gateways for accessing KMS.

KMS endpoint priority rules

Type	Field	Purpose	Priority	Description
Secert-level configuration	`ExternalSecret.spec.data.kmsEndpoint`	Specify the endpoint address for each KMS secret that needs to be imported.	Highest	This configuration takes priority for individual secrets and overrides global and default configurations.
Global configuration	`command.kmsEndpoint` (startup parameter)	Used for all KMS requests.	Medium	This configuration provides the endpoint address used by other KMS secrets besides the secret-level configuration.
Default configuration	None	Used when the endpoint address is not configured.	Lowest	The default KMS endpoint address is `kms-vpc.{region}.aliyuncs.com`. Replace `{region}` with the region where the KMS secret is located.

apiVersion: "alibabacloud.com/v1alpha1"
kind: ExternalSecret
metadata:
  name: esdemo
spec:
  provider: kms
  data:
    - key: test-hangzhou # Actual endpoint address: Use the global configuration if it exists. Otherwise, use the default configuration: kms-vpc.{region}.aliyuncs.com
      name: hangzhou-vpc
      versionId: v1
    - key: test-hangzhou # Actual endpoint address: The endpoint specified by the kmsEndpoint field is kms.cn-hangzhou.aliyuncs.com
      name: hangzhou-public
      versionId: v1
      kmsEndpoint: kms.cn-hangzhou.aliyuncs.com

KMS endpoint configuration description

Gateway type	Domain type	Endpoint	Description
Dedicated gateway	KMS private domain	{kms-instance-id}.cryptoservice.kms.aliyuncs.com	The KMS secret instance and cluster are in the same region and the same virtual private cloud (VPC). Replace `{kms-instance-id}` with the ID of the KMS secret instance. The version of the KMS secret instance must be 3.0 or later.
Shared gateway	VPC domain	kms-vpc.{region}.aliyuncs.com	The KMS secret and cluster are in the same region. Replace `{region}` with the region where the KMS secret is located. This address can be used with the default configuration without additional setup.
Shared gateway	Public domain	kms.{region}.aliyuncs.com	Replace `{region}` with the region where the KMS secret is located. The cluster can access the public network.

References

To secure Kubernetes Secrets that are synchronized from KMS secrets and cached in ACK clusters, we recommend that you enable the Secret encryption feature. For more information, see Use KMS to encrypt Kubernetes Secrets.