Skip to main content
Version: v0.26 Stable

External secrets

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Prerequisites​

External secrets integration

Configuration Changes

The sync configuration for this integration has been updated.

Configuration for each resource type is now defined under the relevant toHost or fromHost section.
For more information, see the configuration reference.

Label selectors are now supported for all resources and follow the format used by the upstream Kubernetes API.

Previous configuration keys are deprecated starting in version 0.27.0.

To enable the external secret integration, set the following fields:

integrations:
  externalSecrets:
    enabled: true
    sync:
      toHost:
        stores:
          enabled: true
      fromHost:
        clusterStores:
          enabled: true

This enables the integration and the sync for all CRDs:

  • ExternalSecret: namespaced, synced from virtual cluster into host cluster and then bi-directionally
  • SecretStore: namespaced, synced from virtual cluster into host cluster
  • ClusterSecretStore: cluster scoped, synced from host cluster into virtual cluster

Once the virtual cluster is up and running, you can create a SecretStore inside the virtual cluster. For this guide, you use the fake store type, which prefills data instead of connecting to a distant secret store.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: fake
spec:
  provider:
    fake:
      data:
      - key: "/foo/bar"
        value: "HELLO1"
        version: "v1"
      - key: "/foo/bar"
        value: "HELLO2"
        version: "v2"
      - key: "/foo/baz"
        value: '{"john": "doe"}'
        version: "v1"

Inside the virtual cluster, create the store with kubectl apply -f fake.yaml. This creates a corresponding store in the host cluster. You can then create an ExternalSecret in the virtual cluster, which references the SecretStore.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: fake
    kind: SecretStore
  target:
    name: secret-to-be-created
  data:
  - secretKey: foo_bar
    remoteRef:
      key: /foo/bar
      version: v1
  dataFrom:
  - extract:
      key: /foo/baz
      version: v1

After the ExternalSecret is created in the virtual cluster, the integration creates a corresponding resource inside the host cluster. The external secret operator running in the host creates the corresponding Kubernetes secret which the integration imports into the virtual cluster. Running kubectl get secrets in the virtual cluster includes the secret-to-be-created in its output.

Config Reference​

externalSecrets required object ​

ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.

  • ExternalSecrets will be synced from the virtual cluster to the host cluster.
  • SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
  • ClusterSecretStores will be synced from the host cluster to the virtual cluster.

enabled required boolean false ​

Enabled defines whether the external secret integration is enabled or not

webhook required object ​

Webhook defines whether the host webhooks are reused or not

enabled required boolean false ​

Enabled defines if this option should be enabled.

sync required object ​

Sync defines the syncing behavior for the integration

externalSecrets required object ​

ExternalSecrets defines if external secrets should get synced from the virtual cluster to the host cluster.

enabled required boolean true ​

Enabled defines if this option should be enabled.

stores required object ​

Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.

enabled required boolean false ​

Enabled defines if this option should be enabled.

clusterStores required object ​

ClusterStores defines if cluster secrets stores should get synced from the host cluster to the virtual cluster.

enabled required boolean false ​

Enabled defines if this option should be enabled.

selector required object ​

Selector defines what cluster stores should be synced

labels required object {} ​

Labels defines what labels should be looked for