This operator reads information from a third party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.
This project will not be maintained anymore, and we are trying to concentrate afforts on this new colaboration:
external-secrets/external-secrets
Website: https://www.external-secrets.io/
- Features
- Quick start
- Kustomize
- What does it do?
- Architecture
- Running Tests
- Spec
- Other Supported Backends
- Contributing
- Secrets are refreshed from time to time allowing you to rotate secrets in your providers and still keep everything up to date inside your k8s cluster.
- Change the refresh interval of the secrets to match your needs. You can even make it 10s if you need to debug something (beware of API rate limits).
- For the AWS Backend we support both simple secrets and binfiles.
- You can get speciffic versions of the secrets or just get latest versions of them.
- If you change something in your ExternalSecret CR, the operator will reconcile it (Even if your refresh interval is big).
- AWS Secret Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and Gitlab backends supported currently!
- Install CRDs
make install
Given a secret defined in AWS Secrets Manager:
% aws secretsmanager create-secret \
--name=example-externalsecret-key \
--secret-string='this string is a secret'
and updated aws credentials to be used in config/credentials/kustomization.yaml
with valid AWS credentials:
�t config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml
�t config/credentials/credentials-asm.yaml
...
credentials.json: |-
{
"accessKeyID": "AKIA...",
"secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
"sessionToken": ""
}
and an SecretStore
resource definition like this one:
% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
controller: staging
store:
type: asm
auth:
secretRef:
name: externalsecret-operator-credentials-asm
parameters:
region: eu-west-2
and an ExternalSecret
resource definition like this one:
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
name: externalsecret-sample
spec:
storeRef:
name: externalsecret-operator-secretstore-sample
data:
- key: example-externalsecret-key
version: latest
The operator fetches the secret from AWS Secrets Manager and injects it as a secret:
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
-o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
In this article you can find more information about the architecture and design choices.
Here's a high-level diagram of how things are put together.
Requirements:
- Golang 1.15 or later
- Kubebuilder installed at
/usr/local/kubebuilder
Then just:
make test
- See the CRD spec
We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are:
Yay! We welcome and encourage contributions to this project!
See our contributing document and Issues for planned improvements and additions.