| .github | ||
| apis | ||
| assets | ||
| deploy | ||
| design | ||
| docs | ||
| e2e | ||
| hack | ||
| pkg | ||
| .editorconfig | ||
| .gitignore | ||
| .golangci.yaml | ||
| changelog.json | ||
| CNAME | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| Makefile | ||
| PROJECT | ||
| README.md | ||
| RELEASE.md | ||
| SECURITY.md | ||
| tools.go | ||
External Secrets
The External Secrets Operator reads information from a third party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Multiple people and organizations are joining efforts to create a single External Secrets solution based on existing projects. If you are curious about the origins of this project, check out this issue and this PR.
Supported Backends
- AWS Secrets Manager
- AWS Parameter Store
- Hashicorp Vault
- Azure Key Vault (being implemented)
- Google Cloud Secrets Manager (being implemented)
ESO installation with an AWS example
If you want to use Helm:
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
# --set installCRDs=true
If you want to run it locally against the active Kubernetes cluster context:
git clone https://github.com/external-secrets/external-secrets.git
make crds.install
make run
Create a secret containing your AWS credentials:
echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key
Create a secret inside AWS Secret Manager with name my-json-secret with the following data:
{
"name": {"first": "Tom", "last": "Anderson"},
"friends": [
{"first": "Dale", "last": "Murphy"},
{"first": "Roger", "last": "Craig"},
{"first": "Jane", "last": "Murphy"}
]
}
Apply the sample resources (omitting role and controller keys here, you should not omit them in production):
# secretstore.yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
provider:
aws:
service: SecretsManager
region: us-east-2
auth:
secretRef:
accessKeyIDSecretRef:
name: awssm-secret
key: access-key
secretAccessKeySecretRef:
name: awssm-secret
key: secret-access-key
# externalsecret.yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1m
secretStoreRef:
name: secretstore-sample
kind: SecretStore
target:
name: secret-to-be-created
creationPolicy: Owner
data:
- secretKey: firstname
remoteRef:
key: my-json-secret
property: name.first # Tom
- secretKey: first_friend
remoteRef:
key: my-json-secret
property: friends.1.first # Roger
kubectl apply -f secretstore.yaml
kubectl apply -f externalsecret.yaml
Running kubectl get secret secret-to-be-created should return a new secret created by the operator.
You can get one of its values with jsonpath (This should return Roger):
kubectl get secret secret-to-be-created -o jsonpath='{.data.first_friend}' | base64 -d
We will add more documentation once we have the implementation for the different providers. You can find some here: https://external-secrets.io
Contributing
We welcome and encourage contributions to this project! Please read the Developer and Contribution process guides. Also make sure to check the Code of Conduct and adhere to its guidelines.
Kicked off by
