An operator to fetch secrets from cloud services and inject them in Kubernetes
This operator reads secrets from a third-party service such as AWS Secrets Manager or AWS SSM and automatically injects the values into the cluster as Kubernetes Secrets.
```shell
make install
```
Given a secret defined in AWS Secrets Manager:

```shell
% aws secretsmanager create-secret \
    --name=example-externalsecret-key \
    --secret-string='this string is a secret'
```
and AWS credentials allowed to read it (the principal needs `secretsmanager:GetSecretValue` on that secret) placed under `config/credentials/`, with `kustomization.yaml` selecting the ASM credentials file:

```shell
% cat config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml
```

```shell
% cat config/credentials/credentials-asm.yaml
...
credentials.json: |-
  {
    "accessKeyID": "AKIA...",
    "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
    "sessionToken": ""
  }
```
and a SecretStore resource definition like this one:

```shell
% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth:
      secretRef:
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2
```
and an ExternalSecret resource definition like this one (note that `storeRef` uses the prefixed name the SecretStore gets once deployed, not the bare sample name):

```shell
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef:
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest
```
The operator fetches the secret from AWS Secrets Manager and injects it as a Kubernetes Secret (again note the `externalsecret-operator-` prefix on the generated Secret name):

```shell
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
    -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
```

Kubernetes Secrets are base64-encoded, not encrypted: any principal allowed to `get` Secrets in `externalsecret-operator-system` can read both the fetched value and the AWS credentials, so scope RBAC on that namespace accordingly and enable encryption at rest for Secrets in etcd.
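As an added example (not code from the externalsecret-operator project), the following Go program models the naming and data handling in the walkthrough above so the manifests can be sanity-checked offline before `make deploy`: it validates the shape of `credentials.json` and flags a long-lived access key (empty `sessionToken`), checks that an ExternalSecret's `storeRef` uses the prefixed SecretStore name (the prefix `externalsecret-operator-` is an assumption inferred from the sample names above), and decodes a Secret's `.data` entry the way the `kubectl ... | base64 -d` pipeline does. The Secret JSON and credentials it works on are constructed for the example.

```go
// Added example, not part of the externalsecret-operator project: offline
// sanity checks for the manifests and the resulting Secret in the walkthrough.
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// namePrefix is assumed: the sample names (secretstore-sample ->
// externalsecret-operator-secretstore-sample) imply this prefix is prepended
// to every deployed resource name.
const namePrefix = "externalsecret-operator-"

// ASMCredentials mirrors the keys of credentials.json in credentials-asm.yaml.
type ASMCredentials struct {
	AccessKeyID     string `json:"accessKeyID"`
	SecretAccessKey string `json:"secretAccessKey"`
	SessionToken    string `json:"sessionToken"`
}

// ValidateASMCredentials parses credentials.json and rejects incomplete
// credentials before they are committed to a Secret. It also reports whether
// the key is long-lived (no session token), the riskier credential to store.
func ValidateASMCredentials(raw []byte) (bool, error) {
	var c ASMCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, fmt.Errorf("credentials.json is not valid JSON: %w", err)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return false, errors.New("accessKeyID and secretAccessKey are required")
	}
	return c.SessionToken == "", nil
}

// PrefixedName returns the name a sample resource carries once deployed.
func PrefixedName(name string) string {
	if strings.HasPrefix(name, namePrefix) {
		return name
	}
	return namePrefix + name
}

// CheckStoreRef verifies that an ExternalSecret's storeRef points at the
// SecretStore as it will be named after deployment, not at the bare sample name.
func CheckStoreRef(storeRef, secretStoreName string) error {
	want := PrefixedName(secretStoreName)
	if storeRef != want {
		return fmt.Errorf("storeRef %q does not match deployed SecretStore %q", storeRef, want)
	}
	return nil
}

// DecodeSecretData does what the `kubectl ... | base64 -d` pipeline does: pull
// one key out of a Secret's .data and base64-decode it. This is encoding, not
// encryption: anyone allowed to read the Secret reads the plaintext.
func DecodeSecretData(secretJSON []byte, key string) (string, error) {
	var s struct {
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal(secretJSON, &s); err != nil {
		return "", fmt.Errorf("secret is not valid JSON: %w", err)
	}
	enc, ok := s.Data[key]
	if !ok {
		return "", fmt.Errorf("key %q not present in secret data", key)
	}
	b, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", fmt.Errorf("key %q is not valid base64: %w", key, err)
	}
	return string(b), nil
}

// Constructed sample: a trimmed `kubectl get secret ... -o json` document whose
// value is the base64 of "this string is a secret".
const sampleSecretJSON = `{"data":{"example-externalsecret-key":"dGhpcyBzdHJpbmcgaXMgYSBzZWNyZXQ="}}`

func main() {
	creds := []byte(`{"accessKeyID":"AKIA...","secretAccessKey":"cmFuZG9tS2VZb25Eb2Nz...","sessionToken":""}`)
	longLived, err := ValidateASMCredentials(creds)
	fmt.Println("credentials ok:", err == nil, "long-lived key:", longLived)
	fmt.Println("storeRef check:", CheckStoreRef("externalsecret-operator-secretstore-sample", "secretstore-sample"))
	v, err := DecodeSecretData([]byte(sampleSecretJSON), "example-externalsecret-key")
	fmt.Println("decoded:", v, err)
}
```

The `storeRef` check catches an easy mistake in hand-edited samples: referring to `secretstore-sample` where the deployed object is `externalsecret-operator-secretstore-sample`, which leaves the ExternalSecret pointing at a store that does not exist.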
This article has more information about the architecture and design choices.
Here's a high-level diagram of how things are put together.
Requirements:

- kubebuilder installed under `/usr/local/kubebuilder`

Then just:

```shell
make test
```
We would like to support as many backends as possible, and it should be fairly easy to write new ones. Currently supported backends are:

| Provider | Backend Doc |
|----------|-------------|
| AWS Secrets Manager Info | AWS Secrets Manager Backend Docs |
| Credstash Info | Credstash (AWS KMS) Docs |
| GCP Secret Manager Info | GCP Secret Manager Backend Docs |
| Gitlab CI/CD Variables Info | Gitlab CI/CD Variables Backend Docs |
| Azure Key Vault Info | Azure Key Vault Backend Docs |
Yay! We welcome and encourage contributions to this project!
See our contributing document and Issues for planned improvements and additions.