External Secret Operator

This operator reads information from a third party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.

Table of Contents

• Features
• Quick start
• Kustomize
• What does it do?
• Architecture
• Running Tests
• Spec
• Other Supported Backends
• Contributing

Features

• Secrets are refreshed from time to time allowing you to rotate secrets in your providers and still keep everything up to date inside your k8s cluster.
• Change the refresh interval of the secrets to match your needs. You can even make it 10s if you need to debug something (beware of API rate limits).
• For the AWS Backend we support both simple secrets and binfiles.
• You can get speciffic versions of the secrets or just get latest versions of them.
• If you change something in your ExternalSecret CR, the operator will reconcile it (Even if your refresh interval is big).
• AWS Secret Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and Gitlab backends supported currently!

Quick start

Using Kustomize

Install the operator CRDs

• Install CRDs

make install

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager create-secret \
  --name=example-externalsecret-key \
  --secret-string='this string is a secret'

and updated aws credentials to be used in

config/credentials/kustomization.yaml

%cat config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml

%cat config/credentials/credentials-asm.yaml
...
credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": "" 
    }

and an

SecretStore

% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth: 
      secretRef: 
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2

and an

ExternalSecret

% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef: 
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest

The operator fetches the secret from AWS Secrets Manager and injects it as a secret:

% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret

Architecture

In this article you can find more information about the architecture and design choices.

Here's a high-level diagram of how things are put together.

Running tests

Requirements:

• Golang 1.15 or later
• Kubebuilder installed at

  /usr/local/kubebuilder

Then just:

make test

CRDs Spec

• See the CRD spec
  • ExternalSecret
  • SecretStore

Other Supported Backends

We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are: | Provider | Backend Doc | |--------------------------------------------------------------------|--------------------------------------------------------------------| |AWS Secrets Manager Info | AWS Secrets Manager Backend Docs | |Credstash Info | Credstash (AWS KMS) Docs | |GCP Secret Manager Info | GCP Secret Manager Backend Docs | |Gitlab CI/CD Variables Info | Gitlab CI/CD Variables Backend Docs | |Azure Key Vault Info | Azure Key Vault Backend Docs |

Contributing

Yay! We welcome and encourage contributions to this project!

See our contributing document and Issues for planned improvements and additions.