Version: v0.27 Stable

External Secrets Operator

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

  • Host Nodes

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Prerequisites

External secrets version

This feature is currently only compatible with CRD version v1beta1 of the external-secrets operator.

External secrets integration

Configuration Changes

The sync configuration for this integration has been updated.

Configuration for each resource type is now defined under the relevant toHost or fromHost section. For more information, see the configuration reference.

Label selectors are now supported for all resources and follow the format used by the upstream Kubernetes API (matchLabels and matchExpressions, as in a standard LabelSelector).

The previous configuration keys are deprecated starting in version 0.27.0.

To enable the external secrets integration, set the following fields:

integrations:
  externalSecrets:
    enabled: true
    sync:
      toHost:
        stores:
          enabled: true
      fromHost:
        clusterStores:
          enabled: true

This enables the integration and the sync for all CRDs:

  • ExternalSecret: namespaced, synced from the virtual cluster into the host cluster
  • SecretStore: namespaced, synced from the virtual cluster into the host cluster and then bi-directionally
  • ClusterSecretStore: cluster scoped, synced from the host cluster into the virtual cluster
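The minimal configuration above syncs every ClusterSecretStore in the host cluster into the virtual cluster, which means a tenant can reference any store (and the credentials behind it) that the host operator can reach. The selector fields under each sync section narrow that set. The following script is an added example and not vCluster or external-secrets code: it re-implements the Kubernetes LabelSelector semantics that the selector fields follow, then applies two constructed vcluster.yaml fragments (expressed as Python dicts with the same key paths as the config reference) to a made-up list of host ClusterSecretStores. The store names and the label key example.com/share-with-vclusters are illustrative assumptions, not names the project defines.

```python
"""Which host ClusterSecretStores does a vCluster sync?  (added example, not vCluster code)

The external-secrets integration filters each synced resource type
(sync.toHost.externalSecrets, sync.toHost.stores, sync.fromHost.clusterStores)
through an optional `selector` shaped like a Kubernetes LabelSelector:
matchLabels plus matchExpressions with In / NotIn / Exists / DoesNotExist.
This script re-implements those semantics and compares an unscoped
fromHost.clusterStores block with a selector-scoped one.
"""
from typing import Dict, List, Mapping, Optional


def matches_selector(labels: Mapping[str, str], selector: Optional[dict]) -> bool:
    """Evaluate a Kubernetes-style LabelSelector against an object's labels.

    All matchLabels entries and all matchExpressions must hold (logical AND).
    A missing or empty selector matches every object.
    """
    if not selector:
        return True
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        present = key in labels
        if op == "In":
            if not (present and labels[key] in values):
                return False
        elif op == "NotIn":
            # An absent key satisfies NotIn, exactly as in Kubernetes.
            if present and labels[key] in values:
                return False
        elif op == "Exists":
            if not present:
                return False
        elif op == "DoesNotExist":
            if present:
                return False
        else:
            raise ValueError(f"unknown selector operator: {op}")
    return True


def synced_resources(section: dict, resources: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the names of resources a sync section lets through.

    `section` is one per-resource block from vcluster.yaml (e.g. the value of
    integrations.externalSecrets.sync.fromHost.clusterStores) holding `enabled`
    and an optional `selector`; `resources` maps object name to its labels.
    """
    if not section.get("enabled", False):
        return []
    selector = section.get("selector")
    return sorted(name for name, labels in resources.items() if matches_selector(labels, selector))


# Constructed host ClusterSecretStores; names and labels are made up for this example.
HOST_CLUSTER_SECRET_STORES: Dict[str, Dict[str, str]] = {
    "platform-vault-prod": {"env": "prod", "owner": "platform"},
    "tenant-a-vault":      {"env": "prod", "tenant": "a", "example.com/share-with-vclusters": "true"},
    "tenant-b-vault":      {"env": "prod", "tenant": "b"},
    "shared-fake-store":   {"env": "dev", "example.com/share-with-vclusters": "true"},
}

# Weak: mirrors the minimal enable block above; every host store becomes referenceable.
UNSCOPED_FROM_HOST = {"clusterStores": {"enabled": True}}

# Scoped: only stores explicitly labelled for sharing, and never tenant b's store.
SCOPED_FROM_HOST = {
    "clusterStores": {
        "enabled": True,
        "selector": {
            "matchLabels": {"example.com/share-with-vclusters": "true"},
            "matchExpressions": [
                {"key": "tenant", "operator": "NotIn", "values": ["b"]},
            ],
        },
    }
}


def compare_scoping() -> Dict[str, List[str]]:
    """Evaluate both fragments against the constructed host stores."""
    return {
        "unscoped": synced_resources(UNSCOPED_FROM_HOST["clusterStores"], HOST_CLUSTER_SECRET_STORES),
        "scoped": synced_resources(SCOPED_FROM_HOST["clusterStores"], HOST_CLUSTER_SECRET_STORES),
    }


if __name__ == "__main__":
    for mode, names in compare_scoping().items():
        print(f"{mode:>8}: {names}")
```

The unscoped fragment admits all four constructed stores; the scoped one admits only shared-fake-store and tenant-a-vault. Note that shared-fake-store passes the NotIn expression although it carries no tenant label at all, so a selector meant to exclude a tenant should usually be paired with a matchLabels opt-in, as here, rather than relying on NotIn alone.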

Once the virtual cluster is up and running, you can create a SecretStore inside the virtual cluster. This guide uses the fake store type, which serves pre-filled data instead of connecting to a remote secret store:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: fake
spec:
  provider:
    fake:
      data:
      - key: "/foo/bar"
        value: "HELLO1"
        version: "v1"
      - key: "/foo/bar"
        value: "HELLO2"
        version: "v2"
      - key: "/foo/baz"
        value: '{"john": "doe"}'
        version: "v1"

Inside the virtual cluster, create the store with kubectl apply -f fake.yaml. The integration creates a corresponding store in the host cluster. You can then create an ExternalSecret in the virtual cluster that references the SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: fake
    kind: SecretStore
  target:
    name: secret-to-be-created
  data:
  - secretKey: foo_bar
    remoteRef:
      key: /foo/bar
      version: v1
  dataFrom:
  - extract:
      key: /foo/baz
      version: v1

After the ExternalSecret is created in the virtual cluster, the integration creates a corresponding resource in the host cluster. The external-secrets operator running in the host reconciles it and creates the Kubernetes Secret, which the integration imports back into the virtual cluster. Running kubectl get secrets in the virtual cluster now lists secret-to-be-created; it holds the key foo_bar from the data entry and the key john extracted from the JSON value of /foo/baz.

Config reference

externalSecrets  (required, object)

  ExternalSecrets reuses a host external-secrets operator and makes certain CRDs from it available inside the vCluster.

  • ExternalSecrets will be synced from the virtual cluster to the host cluster.
  • SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
  • ClusterSecretStores will be synced from the host cluster to the virtual cluster.

  enabled  (required, boolean, default: false)

    Enabled defines whether the external secret integration is enabled or not.

  webhook  (required, object)

    Webhook defines whether the host webhooks are reused or not.

    enabled  (required, boolean, default: false)

      Enabled defines if this option should be enabled.

  sync  (required, object)

    Sync defines the syncing behavior for the integration.

    toHost  (required, object)

      ToHost defines what resources are synced from the virtual cluster to the host.

      externalSecrets  (required, object)

        ExternalSecrets allows restricting the sync to the subset of ExternalSecrets matching a label selector; only matching ExternalSecrets are synced from the virtual cluster to the host cluster.

        selector  (required, object)
          matchLabels  (required, object, default: {})
          matchExpressions  (required, object[])
            key  (required, string)
            operator  (required, string)
            values  (required, string[])

      stores  (required, object)

        Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.

        selector  (required, object)
          matchLabels  (required, object, default: {})
          matchExpressions  (required, object[])
            key  (required, string)
            operator  (required, string)
            values  (required, string[])

        enabled  (required, boolean, default: false)

          Enabled defines if this option should be enabled.

    fromHost  (required, object)

      FromHost defines what resources are synced from the host cluster to the virtual cluster.

      clusterStores  (required, object)

        ClusterStores defines if cluster secret stores should get synced from the host cluster to the virtual cluster.

        selector  (required, object)
          matchLabels  (required, object, default: {})
          matchExpressions  (required, object[])
            key  (required, string)
            operator  (required, string)
            values  (required, string[])

        enabled  (required, boolean, default: false)

          Enabled defines if this option should be enabled.

    externalSecrets  (required, object)

      ExternalSecrets defines if external secrets should get synced from the virtual cluster to the host cluster.

      enabled  (required, boolean, default: true)

        Enabled defines if this option should be enabled.

    stores  (required, object)

      Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally. Deprecated: use integrations.externalSecrets.sync.toHost.stores instead.

      enabled  (required, boolean, default: false)

        Enabled defines if this option should be enabled.

    clusterStores  (required, object)

      ClusterStores defines if cluster secret stores should get synced from the host cluster to the virtual cluster. Deprecated: use integrations.externalSecrets.sync.fromHost.clusterStores instead.

      enabled  (required, boolean, default: false)

        Enabled defines if this option should be enabled.

      selector  (required, object)

        Selector defines what cluster stores should be synced.

        labels  (required, object, default: {})

          Labels defines what labels should be looked for.