External Secrets Operator

License: Apache 2.0

We use the External Secrets Operator (ESO) to synchronize Kubernetes secrets whose data is extracted from third-party secret managers, such as AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault.

A popular integration for the Common Platform is HashiCorp Vault, and a setup guide is available here: Sync Secrets from Vault. The guide explains how ESO's custom resource definitions (ExternalSecret, SecretStore and ClusterSecretStore) provide an interface to Vault, and how to create a role and policy that allow ESO to synchronize Vault-managed secret data.
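
As an added illustration (not taken from the setup guide or from the ESO project), the manifests below show how a SecretStore and an ExternalSecret fit together for Vault with Kubernetes auth. The Vault address, namespace, role, service account, mount and secret path are all assumed placeholders.

```yaml
# Added example. Every name, namespace, path and the Vault address is an assumed placeholder.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: demo-app              # a SecretStore is namespace-scoped; ClusterSecretStore is cluster-wide
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder address
      path: "secret"               # assumed KV mount
      version: "v2"                # KV secrets engine version 2
      auth:
        kubernetes:
          mountPath: "kubernetes"  # assumed Vault Kubernetes auth mount
          role: "eso-demo-app"     # assumed Vault role bound to the service account below
          serviceAccountRef:
            name: "eso-vault-auth" # assumed service account in demo-app
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: demo-app
spec:
  refreshInterval: "1h"            # how often ESO re-reads the value from Vault
  secretStoreRef:
    kind: SecretStore
    name: vault-backend
  target:
    name: db-credentials           # Kubernetes Secret that ESO creates and keeps in sync
    creationPolicy: Owner          # the Secret is owned by, and deleted with, the ExternalSecret
  data:
    - secretKey: password          # key written into the Kubernetes Secret
      remoteRef:
        key: demo-app/db           # assumed path under the KV mount
        property: password         # field inside the Vault secret
```

With a KV v2 mount, the Vault policy attached to the role only needs `read` on the matching `secret/data/demo-app/*` path. Binding the role to a single service account and namespace keeps the store from reading other teams' secrets.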

Update Concerns

External Secrets Operator is currently in v1beta1. Before upgrading to v1, make sure to check the online documentation for an upgrade guide.