External secrets
This feature is only available when using the following worker node types:
- Host Nodes
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
Prerequisites
- kubectl installed
- external-secrets operator installed on your host cluster. See instructions at https://external-secrets.io/latest/
By default, vCluster uses the same CRD version as the External Secrets Operator installed on your host cluster.
The version field allows you to explicitly set which CRD version to use (e.g., v1beta1 or v1).
Ensure your chosen version is supported by the External Secrets Operator on your host cluster.
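The following is an added example, not part of the vCluster docs or code base: it resolves the version field against the API versions the host CRD actually serves, and encodes the v0.16.2 / v0.17.0 cut-off stated later on this page. The kubectl jsonpath query in the docstring is a standard way to list served CRD versions; the "prefer v1 when the host serves both" default is an assumption of this example, not vCluster's documented rule.

```python
import re
from typing import List, Optional

# Cut-off stated on this page: ESO v0.16.2 is the last release serving v1beta1;
# v0.17.0 and later serve v1 exclusively.
LAST_V1BETA1_RELEASE = (0, 16, 2)


def parse_eso_version(tag: str) -> tuple:
    """Turn an operator release tag such as 'v0.17.0' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised External Secrets Operator version: {tag!r}")
    return tuple(int(x) for x in m.groups())


def v1beta1_available(eso_tag: str) -> bool:
    """True when the given operator release still serves the v1beta1 API."""
    return parse_eso_version(eso_tag) <= LAST_V1BETA1_RELEASE


def check_crd_version(requested: Optional[str], host_served: List[str]) -> Optional[str]:
    """Return an error message, or None when the selection is valid.

    host_served: API versions the host CRD serves, e.g. the output of
      kubectl get crd externalsecrets.external-secrets.io \
        -o jsonpath='{.spec.versions[*].name}'
    requested:   integrations.externalSecrets.version from vcluster.yaml, or None
                 when the field is left out.
    """
    if not host_served:
        return "external-secrets CRDs not found on the host cluster (prerequisite missing)"
    if requested is not None and requested not in host_served:
        return f"version {requested} is not served by the host operator (serves: {host_served})"
    return None


def select_crd_version(requested: Optional[str], host_served: List[str]) -> str:
    """Resolve the CRD version the integration will use, raising on a bad choice."""
    err = check_crd_version(requested, host_served)
    if err:
        raise ValueError(err)
    if requested is not None:
        return requested
    # Default: follow the host. When the host serves both v1beta1 and v1 this
    # example (an assumption, not vCluster's documented rule) prefers v1.
    return "v1" if "v1" in host_served else host_served[0]
```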
External secrets integration
To enable the external secret integration, set the following fields:
```yaml
integrations:
  externalSecrets:
    enabled: true
    version: v1 # Optional. If not specified, uses the same CRD version as your host cluster's External Secrets Operator
    sync:
      toHost:
        stores:
          enabled: true
      fromHost:
        clusterStores:
          enabled: true
```
This enables the integration and syncing for all of the following CRDs:
- ExternalSecret: namespaced, synced from virtual cluster into host cluster and then bi-directionally
- SecretStore: namespaced, synced from virtual cluster into host cluster
- ClusterSecretStore: cluster scoped, synced from host cluster into virtual cluster
Once the virtual cluster is up and running, you can create a SecretStore inside the virtual cluster.
For this guide, you use the fake store type, which serves prefilled data instead of connecting to a remote secret store.
External Secrets Operator v0.16.2 is the last release supporting the v1beta1 API version.
Versions v0.17.0 and later provide only v1.
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: fake
spec:
  provider:
    fake:
      data:
      - key: "/foo/bar"
        value: "HELLO1"
        version: "v1"
      - key: "/foo/bar"
        value: "HELLO2"
        version: "v2"
      - key: "/foo/baz"
        value: '{"john": "doe"}'
        version: "v1"
```
Inside the virtual cluster, create the store with kubectl apply -f fake.yaml.
This creates a corresponding store in the host cluster.
You can then create an ExternalSecret in the virtual cluster, which references the SecretStore.
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: fake
    kind: SecretStore
  target:
    name: secret-to-be-created
  data:
  - secretKey: foo_bar
    remoteRef:
      key: /foo/bar
      version: v1
  dataFrom:
  - extract:
      key: /foo/baz
      version: v1
```
After the ExternalSecret is created in the virtual cluster, the integration creates a corresponding resource inside the host cluster.
The External Secrets Operator running in the host cluster then creates the corresponding Kubernetes Secret, which the integration imports into the virtual cluster.
Running kubectl get secrets in the virtual cluster now lists secret-to-be-created.
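To see what that imported Secret will contain before anything is applied, the following added example (not code from the vCluster project or the External Secrets Operator) renders the ExternalSecret above against the fake store's entries: the data entry pins /foo/bar to version v1, and dataFrom.extract unpacks the JSON object stored at /foo/baz into individual keys. The store entries and spec are constructed inline from the two manifests above.

```python
import json
from typing import Dict, List

# Entries of the fake SecretStore shown above (constructed inline, mirrors the manifest).
FAKE_STORE_DATA: List[dict] = [
    {"key": "/foo/bar", "value": "HELLO1", "version": "v1"},
    {"key": "/foo/bar", "value": "HELLO2", "version": "v2"},
    {"key": "/foo/baz", "value": '{"john": "doe"}', "version": "v1"},
]

# spec of the ExternalSecret shown above, as a plain dict.
EXTERNAL_SECRET_SPEC: dict = {
    "secretStoreRef": {"name": "fake", "kind": "SecretStore"},
    "target": {"name": "secret-to-be-created"},
    "data": [{"secretKey": "foo_bar", "remoteRef": {"key": "/foo/bar", "version": "v1"}}],
    "dataFrom": [{"extract": {"key": "/foo/baz", "version": "v1"}}],
}


def fake_get(store: List[dict], key: str, version: str) -> str:
    """Look up one (key, version) pair the way the fake provider does."""
    for entry in store:
        if entry["key"] == key and entry["version"] == version:
            return entry["value"]
    raise KeyError(f"{key} (version {version}) not found in fake store")


def render_secret(spec: dict, store: List[dict]) -> Dict[str, str]:
    """Compute the data of the Kubernetes Secret the operator would create."""
    out: Dict[str, str] = {}
    # dataFrom.extract fetches a JSON object and turns each field into a key.
    for item in spec.get("dataFrom", []):
        ref = item["extract"]
        obj = json.loads(fake_get(store, ref["key"], ref["version"]))
        if not isinstance(obj, dict):
            raise ValueError(f"{ref['key']}: extract needs a JSON object, got {type(obj).__name__}")
        out.update({k: str(v) for k, v in obj.items()})
    # Explicit data entries are applied last so they win over extracted keys,
    # mirroring ESO's documented rule that data takes precedence over dataFrom.
    for item in spec.get("data", []):
        ref = item["remoteRef"]
        out[item["secretKey"]] = fake_get(store, ref["key"], ref["version"])
    return out
```

Changing the remoteRef version to v2 yields HELLO2 instead, and a version the store does not hold fails the lookup rather than silently producing an empty key.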
Config Reference
- externalSecrets (required, object): ExternalSecrets reuses a host External Secrets Operator and makes certain CRDs from it available inside the vCluster.
  - ExternalSecrets will be synced from the virtual cluster to the host cluster.
  - SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
  - ClusterSecretStores will be synced from the host cluster to the virtual cluster.
  - enabled (required, boolean, default false): Enabled defines whether the external secret integration is enabled or not.
  - webhook (required, object): Webhook defines whether the host webhooks are reused or not.
    - enabled (required, boolean, default false): Enabled defines if this option should be enabled.
  - sync (required, object): Sync defines the syncing behavior for the integration.
    - toHost (required, object): ToHost defines what resources are synced from the virtual cluster to the host.
      - externalSecrets (required, object): ExternalSecrets allows configuring whether only a subset of ExternalSecrets matching a label selector should get synced from the virtual cluster to the host cluster.
      - stores (required, object): Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.
    - fromHost (required, object): FromHost defines what resources are synced from the host cluster to the virtual cluster.
      - clusterStores (required, object): ClusterStores defines if cluster secret stores should get synced from the host cluster to the virtual cluster.
    - externalSecrets (required, object): ExternalSecrets defines if external secrets should get synced from the virtual cluster to the host cluster.
      - enabled (required, boolean, default true): Enabled defines if this option should be enabled.
    - stores (required, object): Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally. Deprecated: Use Integrations.ExternalSecrets.Sync.ToHost.Stores instead.
      - enabled (required, boolean, default false): Enabled defines if this option should be enabled.
    - clusterStores (required, object): ClusterStores defines if cluster secret stores should get synced from the host cluster to the virtual cluster. Deprecated: Use Integrations.ExternalSecrets.Sync.FromHost.ClusterStores instead.