externalsecret-operator
An operator to fetch secrets from cloud services and inject them in Kubernetes
External Secret Operator
This operator reads information from a third party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.
Disclaimer ⚠️
This project will not be maintained anymore, and we are trying to concentrate efforts on this new collaboration:
external-secrets/external-secrets
Website: https://www.external-secrets.io/
Table of Contents
- Features
- Quick start
- Kustomize
- What does it do?
- Architecture
- Running Tests
- Spec
- Other Supported Backends
- Contributing
Features
- Secrets are refreshed periodically, allowing you to rotate secrets in your providers and still keep everything up to date inside your k8s cluster.
- Change the refresh interval of the secrets to match your needs. You can even make it 10s if you need to debug something (beware of API rate limits).
- For the AWS backend we support both simple string secrets and binary files.
- You can get specific versions of the secrets or just get the latest versions of them.
- If you change something in your ExternalSecret CR, the operator will reconcile it (even if your refresh interval is big).
- AWS Secrets Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and Gitlab backends are supported currently!
Quick start
Using Kustomize
- Install the operator CRDs:

```shell
make install
```
What does it do?
Given a secret defined in AWS Secrets Manager:

```shell
% aws secretsmanager create-secret \
    --name=example-externalsecret-key \
    --secret-string='this string is a secret'
```

and the credentials resource selected in config/credentials/kustomization.yaml updated with valid AWS credentials:

```shell
% cat config/credentials/kustomization.yaml
resources:
  # - credentials-gsm.yaml
  - credentials-asm.yaml
  # - credentials-dummy.yaml
  # - credentials-gitlab.yaml
  # - credentials-akv.yaml

% cat config/credentials/credentials-asm.yaml
...
  credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": ""
    }
```
and a SecretStore resource definition like this one:

```shell
% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth:
      secretRef:
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2
```
and an ExternalSecret resource definition like this one:

```shell
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef:
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest
```
The operator fetches the secret from AWS Secrets Manager and injects it as a Kubernetes Secret:

```shell
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
    -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
```
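The whole flow above, simulated end to end as an added example (this is not code from the operator's own code base): the two sample manifests are transcribed as Python dicts, a constructed in-memory dictionary stands in for AWS Secrets Manager, and the kustomize name prefix `externalsecret-operator-` is an assumption taken from the resource names in the kubectl output above. It shows two things worth checking before `make deploy`: that the ExternalSecret's `storeRef` actually resolves to a SecretStore once the prefix is applied (a dangling reference otherwise only surfaces as a reconcile error in the operator logs), and what the injected Secret's `.data` looks like, namely base64, which is an encoding and not encryption, so access to the target namespace's Secrets is still the thing to control.

```python
import base64
from typing import Dict, List, Tuple

# The two sample manifests from the README, transcribed as Python dicts so the
# example needs no YAML parser and runs with the standard library only.
SECRET_STORE = {
    "apiVersion": "store.externalsecret-operator.container-solutions.com/v1alpha1",
    "kind": "SecretStore",
    "metadata": {"name": "secretstore-sample"},
    "spec": {
        "controller": "staging",
        "store": {
            "type": "asm",
            "auth": {"secretRef": {"name": "externalsecret-operator-credentials-asm"}},
            "parameters": {"region": "eu-west-2"},
        },
    },
}

EXTERNAL_SECRET = {
    "apiVersion": "secrets.externalsecret-operator.container-solutions.com/v1alpha1",
    "kind": "ExternalSecret",
    "metadata": {"name": "externalsecret-sample"},
    "spec": {
        "storeRef": {"name": "externalsecret-operator-secretstore-sample"},
        "data": [{"key": "example-externalsecret-key", "version": "latest"}],
    },
}

# Constructed stand-in for AWS Secrets Manager: (key, version) -> secret bytes.
# The real backend calls the provider API using the credentials named in the
# SecretStore's auth.secretRef; nothing here talks to the network.
FAKE_BACKEND: Dict[Tuple[str, str], bytes] = {
    ("example-externalsecret-key", "latest"): b"this string is a secret",
}

# Assumed kustomize namePrefix, inferred from the names in the README's
# kubectl output (externalsecret-operator-externalsecret-sample).
NAME_PREFIX = "externalsecret-operator-"


def resolve_store(external_secret: dict, stores: List[dict], name_prefix: str = "") -> dict:
    """Return the SecretStore that an ExternalSecret's spec.storeRef points at.

    The storeRef names the *deployed* object, so the kustomize prefix has to be
    applied to each SecretStore's metadata.name before comparing. Raises
    KeyError when nothing matches, so the dangling reference is caught locally.
    """
    wanted = external_secret["spec"]["storeRef"]["name"]
    for store in stores:
        if store.get("kind") != "SecretStore":
            continue
        if name_prefix + store["metadata"]["name"] == wanted:
            return store
    raise KeyError(f"storeRef {wanted!r} does not resolve to any SecretStore")


def render_secret(external_secret: dict, store: dict,
                  backend: Dict[Tuple[str, str], bytes], name_prefix: str = "") -> dict:
    """Build the Kubernetes Secret the operator injects for one ExternalSecret.

    Each spec.data entry is looked up as (key, version) and the value goes into
    .data[key] base64-encoded, which is exactly what the README's
    'kubectl get secret -o jsonpath | base64 -d' check decodes again.
    """
    if store["spec"]["store"]["type"] != "asm":
        raise ValueError("this example only models the asm backend")
    data = {}
    for entry in external_secret["spec"]["data"]:
        key, version = entry["key"], entry.get("version", "latest")
        if (key, version) not in backend:
            raise KeyError(f"{key}@{version} not found in backend")
        data[key] = base64.b64encode(backend[(key, version)]).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name_prefix + external_secret["metadata"]["name"]},
        "type": "Opaque",
        "data": data,
    }


def decoded_value(secret: dict, key: str) -> str:
    """Mirror of the README's 'jsonpath ... | base64 -d' verification step."""
    return base64.b64decode(secret["data"][key]).decode("utf-8")


if __name__ == "__main__":
    store = resolve_store(EXTERNAL_SECRET, [SECRET_STORE], NAME_PREFIX)
    secret = render_secret(EXTERNAL_SECRET, store, FAKE_BACKEND, NAME_PREFIX)
    print(secret["metadata"]["name"], decoded_value(secret, "example-externalsecret-key"))
```

Running it without the prefix argument makes `resolve_store` raise, which is the same mismatch you would hit if the SecretStore were applied outside the kustomization while the ExternalSecret kept the prefixed name.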
Architecture
In this article you can find more information about the architecture and design choices.
Here's a high-level diagram of how things are put together.
Running tests
Requirements:
- Golang 1.15 or later
- Kubebuilder installed at /usr/local/kubebuilder

Then just:

```shell
make test
```
CRDs Spec
- See the CRD spec:
  - ExternalSecret
  - SecretStore
Other Supported Backends
We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are:
| Provider | Backend Doc |
|---|---|
| AWS Secrets Manager Info | AWS Secrets Manager Backend Docs |
| Credstash Info | Credstash (AWS KMS) Docs |
| GCP Secret Manager Info | GCP Secret Manager Backend Docs |
| Gitlab CI/CD Variables Info | Gitlab CI/CD Variables Backend Docs |
| Azure Key Vault Info | Azure Key Vault Backend Docs |
Contributing
Yay! We welcome and encourage contributions to this project!
See our contributing document and Issues for planned improvements and additions.