External Secret Operator
This operator reads information from a third party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.
Disclaimer ⚠️
This project is no longer maintained; development effort is now concentrated on this new collaboration:
external-secrets/external-secrets
Website: https://www.external-secrets.io/
Table of Contents
- Features
- Quick start
- Kustomize
- What does it do?
- Architecture
- Running Tests
- Spec
- Other Supported Backends
- Contributing
<a name="features"></a>
Features
- Secrets are refreshed periodically, so you can rotate secrets in your provider and still keep everything up to date inside your Kubernetes cluster.
- The refresh interval is configurable to match your needs. You can even set it to 10s while debugging (beware of provider API rate limits).
- For the AWS backend both plain string secrets and binary secrets are supported.
- You can fetch a specific version of a secret or simply track the latest version.
- If you change anything in your ExternalSecret CR, the operator reconciles it immediately (even if your refresh interval is long).
- AWS Secrets Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and GitLab backends are currently supported.
<a name="quick-start"></a>
Quick start
<a name="kustomize"></a>
Using Kustomize
Install the operator CRDs:

```shell
make install
```
<a name="what-does-it-do"></a>
What does it do?
Given a secret defined in AWS Secrets Manager:

```shell
% aws secretsmanager create-secret \
    --name=example-externalsecret-key \
    --secret-string='this string is a secret'
```

valid AWS credentials for the operator, placed in `config/credentials/credentials-asm.yaml` and enabled in `config/credentials/kustomization.yaml`:

```shell
% cat config/credentials/kustomization.yaml
resources:
  # - credentials-gsm.yaml
  - credentials-asm.yaml
  # - credentials-dummy.yaml
  # - credentials-gitlab.yaml
  # - credentials-akv.yaml

% cat config/credentials/credentials-asm.yaml
...
  credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": ""
    }
```

These keys end up in a Kubernetes Secret in the operator's namespace, so the IAM identity behind them should carry only the read permission the operator needs (at minimum `secretsmanager:GetSecretValue`, scoped to the secrets this cluster is meant to see); anyone who can read that Secret can use the keys directly.
a SecretStore resource definition like this one:

```shell
% cat config/samples/store_v1alpha1_secretstore.yaml
```

```yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth:
      secretRef:
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2
```
and an ExternalSecret resource definition like this one (`storeRef.name` refers to the deployed name of the SecretStore, which carries the `externalsecret-operator-` prefix, just like the Secret name in the `kubectl get secret` command below):

```shell
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
```

```yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef:
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest
```
the operator fetches the secret from AWS Secrets Manager and injects it as a Kubernetes Secret:

```shell
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
    -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
```
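To make the refresh behaviour concrete, here is an added Go example; it is not the operator's own code. It models a store backend, renders the `spec.data` entries of the ExternalSecret sample above into the data map a Kubernetes Secret would carry, and runs one reconcile tick before and after the secret is rotated in the provider. The `Backend` interface, `DataRef`, the in-memory store and its `v1`/`v2` version ids are assumptions made for this example; only the key name and value come from the walkthrough above.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Backend is the minimal store interface this example assumes; it is not the
// operator's own abstraction. version is "latest" or an explicit version id.
type Backend interface {
	Get(key, version string) ([]byte, error)
}

// DataRef mirrors one entry of spec.data in the ExternalSecret sample.
type DataRef struct {
	Key     string
	Version string
}

type entry struct {
	id    string
	value []byte
}

// memoryBackend is a constructed stand-in for AWS Secrets Manager:
// per key, a list of versions, oldest first.
type memoryBackend struct {
	store map[string][]entry
}

func (m *memoryBackend) put(key, id string, value []byte) {
	m.store[key] = append(m.store[key], entry{id, value})
}

func (m *memoryBackend) Get(key, version string) ([]byte, error) {
	vs := m.store[key]
	if len(vs) == 0 {
		return nil, fmt.Errorf("secret %q not found", key)
	}
	if version == "" || version == "latest" {
		return vs[len(vs)-1].value, nil
	}
	for _, e := range vs {
		if e.id == version {
			return e.value, nil
		}
	}
	return nil, fmt.Errorf("secret %q has no version %q", key, version)
}

// Render fetches every referenced key and returns the data map a Kubernetes
// Secret would carry. It fails closed: one missing key aborts the whole
// render, so a stale-but-complete Secret is never replaced by a partial one.
func Render(b Backend, refs []DataRef) (map[string][]byte, error) {
	data := make(map[string][]byte, len(refs))
	for _, r := range refs {
		v, err := b.Get(r.Key, r.Version)
		if err != nil {
			return nil, err
		}
		data[r.Key] = v
	}
	return data, nil
}

// Fingerprint digests a data map over sorted keys; log this instead of values.
func Fingerprint(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		h.Write([]byte(k))
		h.Write([]byte{0})
		h.Write(data[k])
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))[:16]
}

// Reconcile is one tick of the refresh loop: it re-renders the secret and
// reports whether the in-cluster copy must be rewritten. On error the
// current data is returned unchanged.
func Reconcile(b Backend, refs []DataRef, current map[string][]byte) (map[string][]byte, bool, error) {
	desired, err := Render(b, refs)
	if err != nil {
		return current, false, err
	}
	return desired, !equal(current, desired), nil
}

func equal(a, b map[string][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if w, ok := b[k]; !ok || !bytes.Equal(v, w) {
			return false
		}
	}
	return true
}

// newSampleBackend seeds the constructed store with the walkthrough's secret.
func newSampleBackend() *memoryBackend {
	b := &memoryBackend{store: map[string][]entry{}}
	b.put("example-externalsecret-key", "v1", []byte("this string is a secret"))
	return b
}

func main() {
	b := newSampleBackend()
	latest := []DataRef{{Key: "example-externalsecret-key", Version: "latest"}}
	pinned := []DataRef{{Key: "example-externalsecret-key", Version: "v1"}}

	cur, changed, _ := Reconcile(b, latest, nil)
	fmt.Println("first sync changed:", changed, "fingerprint:", Fingerprint(cur))

	// Rotate the secret in the "provider"; only the latest-tracking ref moves.
	b.put("example-externalsecret-key", "v2", []byte("rotated value"))
	_, changed, _ = Reconcile(b, latest, cur)
	fmt.Println("latest after rotation changed:", changed)
	_, changed, _ = Reconcile(b, pinned, cur)
	fmt.Println("pinned after rotation changed:", changed)

	// A missing key fails closed: current data is kept, nothing partial is written.
	_, _, err := Reconcile(b, []DataRef{{Key: "does-not-exist", Version: "latest"}}, cur)
	fmt.Println("missing key:", err)
}
```

Two points the example makes explicit: `version: latest` is what lets a rotation in the provider propagate on the next refresh, while a pinned version deliberately does not move; and a fetch failure must not produce a half-populated Secret or log the values it did fetch, which is why the reconcile keeps the previous data and only a digest is ever printed.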
<a name="architecture"></a>
Architecture
In this article you can find more information about the architecture and design choices.
Here's a high-level diagram of how things are put together.
<a name="running-tests"></a>
Running tests
Requirements:
- Go 1.15 or later
- Kubebuilder installed at
/usr/local/kubebuilder
Then just:

```shell
make test
```
<a name="spec"></a>
CRDs Spec
- See the CRD spec
<a name="secrets-backends"></a>
Other Supported Backends
We would like to support as many backends as possible, and writing a new one should be fairly easy. Currently supported backends are:
- AWS Secrets Manager
- Credstash (AWS KMS)
- Azure Key Vault
- Google Secret Manager
- GitLab
<a name="contributing"></a>
Contributing
Yay! We welcome and encourage contributions to this project!
See our contributing document and Issues for planned improvements and additions.