The External Secrets Operator reads information from a third party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Multiple people and organizations are joining efforts to create a single External Secrets solution based on existing projects. If you are curious about the origins of this project, check out this issue and this PR.
- AWS Secrets Manager
- AWS Parameter Store
- Hashicorp Vault
- Google Cloud Secrets Manager
- Azure Key Vault (being implemented)
If you want to use Helm:

```sh
helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
   external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
  # --set installCRDs=true
```
If you want to run it locally against the active Kubernetes cluster context:

```sh
git clone https://github.com/external-secrets/external-secrets.git
make crds.install
make run
```
Create a secret containing your AWS credentials:

```sh
echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key
```
Create a secret inside AWS Secrets Manager with the name my-json-secret and the following data:

```json
{
  "name": {"first": "Tom", "last": "Anderson"},
  "friends": [
    {"first": "Dale", "last": "Murphy"},
    {"first": "Roger", "last": "Craig"},
    {"first": "Jane", "last": "Murphy"}
  ]
}
```
Apply the sample resources (the role and controller keys are omitted here; you should not omit them in production):

```yaml
# secretstore.yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-2
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
```

```yaml
# externalsecret.yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
  - secretKey: firstname
    remoteRef:
      key: my-json-secret
      property: name.first # Tom
  - secretKey: first_friend
    remoteRef:
      key: my-json-secret
      property: friends.1.first # Roger
```

```sh
kubectl apply -f secretstore.yaml
kubectl apply -f externalsecret.yaml
```
Running `kubectl get secret secret-to-be-created` should return a new secret created by the operator.

You can get one of its values with jsonpath (this should return `Roger`):

```sh
kubectl get secret secret-to-be-created -o jsonpath='{.data.first_friend}' | base64 -d
```
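To make the mapping from the ExternalSecret above to the resulting Kubernetes Secret concrete, here is an added Python example that is not part of the operator's code: it walks the `remoteRef.property` paths (`name.first`, `friends.1.first`) through the JSON stored in Secrets Manager and builds the base64-encoded `.data` map that `kubectl get secret` shows. The dotted-path walker is a simplified stand-in for the operator's real property lookup, and the remote secret contents are constructed inline from the README's sample.

```python
import base64
import json

# Constructed sample: what AWS Secrets Manager returns for "my-json-secret"
# (same JSON as in the README above), keyed by secret name.
REMOTE_SECRETS = {
    "my-json-secret": json.dumps({
        "name": {"first": "Tom", "last": "Anderson"},
        "friends": [
            {"first": "Dale", "last": "Murphy"},
            {"first": "Roger", "last": "Craig"},
            {"first": "Jane", "last": "Murphy"},
        ],
    })
}

# The spec.data section of externalsecret.yaml, as parsed from YAML.
EXTERNAL_SECRET_DATA = [
    {"secretKey": "firstname", "remoteRef": {"key": "my-json-secret", "property": "name.first"}},
    {"secretKey": "first_friend", "remoteRef": {"key": "my-json-secret", "property": "friends.1.first"}},
]

def resolve_property(payload: str, path: str) -> str:
    """Walk a dotted path through a JSON payload; numeric segments index lists (0-based),
    which is why 'friends.1.first' selects 'Roger'. Simplified stand-in for the operator's lookup."""
    node = json.loads(payload)
    for segment in path.split("."):
        if isinstance(node, list):
            node = node[int(segment)]
        elif isinstance(node, dict):
            node = node[segment]  # KeyError on a missing property: nothing is synced silently
        else:
            raise KeyError(f"cannot descend into {node!r} with segment {segment!r}")
    return node if isinstance(node, str) else json.dumps(node)

def render_secret_data(entries, remote) -> dict:
    """Build the .data map of the target Secret: each value base64-encoded, as stored in the API."""
    data = {}
    for entry in entries:
        ref = entry["remoteRef"]
        if ref["key"] not in remote:
            raise KeyError(f"remote secret {ref['key']!r} not found in the provider")
        value = remote[ref["key"]]
        if "property" in ref:  # without a property the whole payload becomes the value
            value = resolve_property(value, ref["property"])
        data[entry["secretKey"]] = base64.b64encode(value.encode()).decode()
    return data

def decode(data: dict, key: str) -> str:
    """Equivalent of: kubectl get secret ... -o jsonpath='{.data.<key>}' | base64 -d"""
    return base64.b64decode(data[key]).decode()
```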
We will add more documentation once we have the implementation for the different providers. You can find some here: https://external-secrets.io
We welcome and encourage contributions to this project! Please read the Developer and Contribution process guides. Also make sure to check the Code of Conduct and adhere to its guidelines.