Reloader
Secrets in External Store
Hi, this is a useful tool for any DevOps/SRE teams managing K8S clusters and apps. One question though: will this be able to detect changes to Secrets stored in an external store like the GoDaddy one or HashiCorp Vault? Thanks, KK
No, currently reloader doesn't support this; reloader can only detect secrets within the cluster. But this sounds like a really good thing to have. Would you like to open a PR for this :)
I am not a Golang developer, else I would have tried a few things. But I would think this should not be too difficult, since the kube api server can still provide info regarding the secrets, as it will have knowledge about them. Only the data store is external. You could probably grab some event from the kube api server to achieve this.
@consult-kk we are planning to add support for Hashicorp Vault!
Hey 👋 I'm happy to have a go at this as we have a requirement for this and we already use reloader (great tool btw!). Do you have any ideas on a rough implementation?
For people interested in this, unless you're married to the Vault API, either https://github.com/external-secrets/kubernetes-external-secrets or https://github.com/kubernetes-sigs/secrets-store-csi-driver + https://www.vaultproject.io/docs/platform/k8s/csi might be a more robust solution that doesn't add potentially fragile/unmaintained code.
Agreed with @RichiCoder1. Wonder if there's any plan to support the Secret store CSI driver, such as the Azure KeyVault implementation?
Support for the Secret store CSI driver is indeed a good addition and we are planning to add similar in the future. We also welcome community contributions via Pull Requests.
Totally agree with @RichiCoder1 to have some support for https://github.com/kubernetes-sigs/secrets-store-csi-driver, as the secrets-store-csi-driver, when implemented with the secrets sync functionality, syncs using a CRD like below:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: nginx-deployment-aws-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "MySecret"
        objectType: "secretsmanager"
```

Hence using Reloader we have no way to tag/annotate the specific secret. So, in addition to ConfigMaps and Secrets, if you could add `SecretProviderClass` it'll be of massive help.
We use https://github.com/external-secrets/kubernetes-external-secrets and it works great
Hi, has this been implemented yet?
Hi folks,

I am using https://external-secrets.io/v0.5.7/ and it is updating my `Secret` resources when the underlying AWS SecretsManager secret values are updated.

I am attempting to integrate this with Reloader. I have added the `reloader.stakater.com/auto: "true"` annotation to my `Deployment`, and when External Secrets updates my `Secret` the `Deployment` pods are not restarting (as expected).

Am I missing something here?

Cheers
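The two mechanisms under discussion in this thread (the observation above that the kube api server still emits Secret events even when the backing store is external, and the question of why an auto-annotated Deployment does or does not roll) can be shown with a small, self-contained model of what a Reloader-style controller does. This is an added example and not Reloader's own code: it consumes watch events in the shape the Kubernetes API returns them (`type` plus `object`), hashes each Secret's `data`, ignores metadata-only updates, and lists the Deployments that should be rolled because they reference the changed Secret (either via the `reloader.stakater.com/auto: "true"` annotation, or via the explicit `secret.reloader.stakater.com/reload` list). The sample Secrets, Deployments and events are constructed inline; the `reload-example.invalid/...` annotation used to force a rollout is a hypothetical key chosen for this example, not Reloader's.

```python
import base64
import hashlib
import json

# Annotations Reloader honours on a Deployment (values as documented by the project).
RELOADER_AUTO = "reloader.stakater.com/auto"
RELOADER_SECRET = "secret.reloader.stakater.com/reload"
# Hypothetical pod-template annotation used here to trigger a rolling update (not Reloader's).
ROLLOUT_ANNOTATION_PREFIX = "reload-example.invalid/"


def secret_data_hash(secret):
    """Digest of a Secret's data map only, so metadata-only updates do not count as changes."""
    data = secret.get("data") or {}
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def referenced_secrets(deployment):
    """Secrets a Deployment's pod template consumes via volumes, envFrom or env valueFrom."""
    names = set()
    pod = deployment["spec"]["template"]["spec"]
    for vol in pod.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
    return names


def wants_reload(deployment, secret_name):
    """Auto mode: any referenced Secret. Explicit mode: only names listed in the annotation."""
    ann = deployment["metadata"].get("annotations", {})
    if ann.get(RELOADER_AUTO) == "true" and secret_name in referenced_secrets(deployment):
        return True
    listed = {n.strip() for n in ann.get(RELOADER_SECRET, "").split(",") if n.strip()}
    return secret_name in listed


def rollout_patch(secret_name, digest):
    """Strategic-merge patch: changing the pod template annotation makes the Deployment roll."""
    key = ROLLOUT_ANNOTATION_PREFIX + secret_name
    return {"spec": {"template": {"metadata": {"annotations": {key: digest}}}}}


def process_events(events, deployments, seen=None):
    """Feed watch events in order; return (deployment, secret) pairs that should be rolled.

    ADDED records a baseline hash (initial list/watch sync), DELETED forgets it, and
    MODIFIED only triggers when the data digest differs from the last one seen. An external
    operator rewriting the Secret with identical data therefore causes no restart.
    """
    seen = {} if seen is None else seen
    restarts = []
    for ev in events:
        obj = ev["object"]
        key = (obj["metadata"]["namespace"], obj["metadata"]["name"])
        if ev["type"] == "DELETED":
            seen.pop(key, None)
            continue
        digest = secret_data_hash(obj)
        if ev["type"] == "ADDED" or seen.get(key) == digest:
            seen[key] = digest
            continue
        seen[key] = digest
        for d in deployments:
            if d["metadata"]["namespace"] == key[0] and wants_reload(d, key[1]):
                restarts.append((d["metadata"]["name"], key[1]))
    return restarts


# ---- constructed sample input (not from any real cluster) ----
def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _secret(ns, name, data, rv):
    return {"metadata": {"namespace": ns, "name": name, "resourceVersion": rv}, "data": data}


SAMPLE_DEPLOYMENTS = [
    {"metadata": {"namespace": "prod", "name": "api", "annotations": {RELOADER_AUTO: "true"}},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "envFrom": [{"secretRef": {"name": "db-creds"}}]}]}}}},
    {"metadata": {"namespace": "prod", "name": "worker", "annotations": {RELOADER_SECRET: "db-creds, other"}},
     "spec": {"template": {"spec": {"containers": [{"name": "worker"}]}}}},
    {"metadata": {"namespace": "prod", "name": "web", "annotations": {RELOADER_AUTO: "true"}},
     "spec": {"template": {"spec": {"volumes": [{"name": "tls", "secret": {"secretName": "tls-cert"}}],
                                    "containers": [{"name": "web"}]}}}},
]

SAMPLE_EVENTS = [
    {"type": "ADDED", "object": _secret("prod", "db-creds", {"password": _b64("old")}, "1")},
    {"type": "MODIFIED", "object": _secret("prod", "db-creds", {"password": _b64("old")}, "2")},  # metadata only
    {"type": "MODIFIED", "object": _secret("prod", "db-creds", {"password": _b64("new")}, "3")},  # real change
    {"type": "ADDED", "object": _secret("prod", "unused", {"token": _b64("a")}, "4")},
    {"type": "MODIFIED", "object": _secret("prod", "unused", {"token": _b64("b")}, "5")},  # nobody references it
]

if __name__ == "__main__":
    for name, secret in process_events(SAMPLE_EVENTS, SAMPLE_DEPLOYMENTS):
        print(name, "<-", secret, json.dumps(rollout_patch(secret, "digest-placeholder")))
```

The practical consequence for the question above: the Deployment only rolls when the Secret object in the API server actually changes its data, so with an external-secrets operator the restart can be delayed by however long that operator waits before rewriting the Secret (its refresh interval), and an update that leaves the data identical produces no restart at all.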
@ericmeadows Can you explain how it is working for you? Are you using `reloader.stakater.com/auto: "true"` on `Deployment` resources?
We don't use Stakater, but we use 2 charts: ExternalSecrets and deployments. I found it relevant to this thread to mention using ExternalSecrets as an alternative solution to the issue.
@ericmeadows yeah ExternalSecrets is great. I would like to get it working with Reloader if possible. I suspect the way that ExternalSecrets is updating the secrets is not triggering an event in Reloader.
Thanks anyway
Scratch that, it seems that Reloader is working with ExternalSecrets, perhaps it just has a delay. 👍
I have tried reloader with external secret today and it worked => https://gist.github.com/sapher/ed2eabb7820973caa19dd4753e69955b; here is the gist if someone wants to try.
Marking it as stale and closing it. Please reopen if required.
Is it available now? I am using external secret; the secret is stored in AWS Secrets Manager. Tried the auto annotation, but it is not working.