# External Secrets

<img src="assets/round_eso_logo.png" width="100">

----

The External Secrets Operator reads information from a third-party service like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) and automatically injects the values as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).

Multiple people and organizations are joining efforts to create a single External Secrets solution based on existing projects. If you are curious about the origins of this project, check out this [issue](https://github.com/external-secrets/kubernetes-external-secrets/issues/47) and this [PR](https://github.com/external-secrets/kubernetes-external-secrets/pull/477).

# Supported Backends

- [AWS Secrets Manager](https://external-secrets.io/provider-aws-secrets-manager/)
- [AWS Parameter Store](https://external-secrets.io/provider-aws-parameter-store/)
- [HashiCorp Vault](https://www.vaultproject.io/)
- [Google Cloud Secrets Manager](https://external-secrets.io/provider-google-secrets-manager/)
- [Azure Key Vault](https://external-secrets.io/provider-azure-key-vault/) (being implemented)

## ESO installation with an AWS example

If you want to use Helm:

```shell
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    # --set installCRDs=true
```

If you want to run it locally against the active Kubernetes cluster context:

```shell
git clone https://github.com/external-secrets/external-secrets.git
# The make targets live in the repository root
cd external-secrets
make crds.install
make run
```

Create a secret containing your AWS credentials:

```shell
echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key
```

Create a secret inside AWS Secrets Manager named `my-json-secret` with the following data:

```json
{
  "name": {"first": "Tom", "last": "Anderson"},
  "friends": [
    {"first": "Dale", "last": "Murphy"},
    {"first": "Roger", "last": "Craig"},
    {"first": "Jane", "last": "Murphy"}
  ]
}
```

Apply the sample resources (the role and controller keys are omitted here; you should not omit them in production):

```yaml
# secretstore.yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-2
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
```

```yaml
# externalsecret.yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
  - secretKey: firstname
    remoteRef:
      key: my-json-secret
      property: name.first # Tom
  - secretKey: first_friend
    remoteRef:
      key: my-json-secret
      property: friends.1.first # Roger
```

```shell
kubectl apply -f secretstore.yaml
kubectl apply -f externalsecret.yaml
```

Running `kubectl get secret secret-to-be-created` should return a new secret created by the operator.

You can get one of its values with jsonpath (this should return `Roger`):

```shell
kubectl get secret secret-to-be-created -o jsonpath='{.data.first_friend}' | base64 -d
```

We will add more documentation once we have the implementation for the different providers. You can find some here: https://external-secrets.io

## Contributing

We welcome and encourage contributions to this project! Please read the [Developer](https://www.external-secrets.io/contributing-devguide/) and [Contribution process](https://www.external-secrets.io/contributing-process/) guides. Also make sure to check the [Code of Conduct](https://www.external-secrets.io/contributing-coc/) and adhere to its guidelines.

## Kicked off by

![](assets/CS_logo_1.png)
![](assets/Godaddylogo_2020.png)