Secrets management

Info

Despite the name External Secrets Operator, our Vault is deployed on the same cluster. HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.

flowchart TD
  subgraph vault-namespace[vault namespace]
    bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)]
    random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]
  end

  subgraph app-namespace[application namespace]
    ExternalSecret -. generate .-> Secret
    App -- read --> Secret
  end

  ClusterSecretStore --> vault
  ClusterSecretStore --> ExternalSecret

Generate random secret

This is useful when you want to generate random secrets, such as an admin password, and store them in Vault without ever committing the value to Git.

./platform/vault/files/generate-secrets/config.yaml
# Gitea
- path: gitea/admin
  data:
    - key: password
      length: 32
      special: true

# Dex
- path: dex/grafana
  data:
    - key: client_secret
      length: 32
      special: false

# Trow
- path: trow/admin
  data:
    - key: password
      length: 32
      special: true
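The following is an added example of what the "Random secrets CronJob" in the diagram has to do for each entry of this config: draw the value from a CSPRNG and write it to Vault only if the path does not exist yet, so a rerun never rotates a password that running applications already consume. It is not the project's own CronJob code. It assumes a KV v2 engine mounted at `secret` (the page does not show the mount), a punctuation subset for `special: true` (the page does not define the set), and it mirrors the three `config.yaml` entries above as a Python literal so it runs stand-alone without PyYAML; the `FakeVault` class is an in-memory stand-in used only so the example runs offline.

```python
"""Added example: ensure random secrets exist in Vault KV v2 (idempotent)."""
import json
import secrets
import string
import urllib.error
import urllib.request

# Constructed copy of the config.yaml entries shown above.
CONFIG = [
    {"path": "gitea/admin", "data": [{"key": "password", "length": 32, "special": True}]},
    {"path": "dex/grafana", "data": [{"key": "client_secret", "length": 32, "special": False}]},
    {"path": "trow/admin", "data": [{"key": "password", "length": 32, "special": True}]},
]

# Assumption: "special: true" adds this punctuation subset (kept shell/YAML friendly).
SPECIAL = "!#$%&*+-=?@^_"


def generate_secret(length: int, special: bool) -> str:
    """Random string from the `secrets` CSPRNG (never `random`)."""
    alphabet = string.ascii_letters + string.digits + (SPECIAL if special else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class VaultKV:
    """Minimal KV v2 client. Assumption: engine mounted at `mount` (default "secret")."""

    def __init__(self, addr: str, token: str, mount: str = "secret"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _request(self, method: str, path: str, body=None):
        url = f"{self.addr}/v1/{self.mount}/data/{path.strip('/')}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            url, data=data, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")

    def exists(self, path: str) -> bool:
        try:
            self._request("GET", path)
            return True
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return False
            raise

    def create(self, path: str, data: dict) -> None:
        # cas=0 makes Vault refuse the write if any version already exists, which closes
        # the check-then-write race between two overlapping CronJob runs.
        self._request("POST", path, {"data": data, "options": {"cas": 0}})


class FakeVault:
    """In-memory stand-in with the same two methods, so this example runs offline."""

    def __init__(self):
        self.store = {}

    def exists(self, path: str) -> bool:
        return path in self.store

    def create(self, path: str, data: dict) -> None:
        if path in self.store:  # emulate Vault's check-and-set rejection
            raise RuntimeError(f"check-and-set failed: {path} already exists")
        self.store[path] = dict(data)


def ensure_secrets(config, vault) -> list:
    """Create every missing path from config; return the paths created this run."""
    created = []
    for entry in config:
        path = entry["path"]
        if vault.exists(path):
            continue  # keep the existing value; ExternalSecret consumers depend on it
        data = {item["key"]: generate_secret(item["length"], item["special"])
                for item in entry["data"]}
        vault.create(path, data)
        created.append(path)
    return created


if __name__ == "__main__":
    fake = FakeVault()
    print("first run created:", ensure_secrets(CONFIG, fake))
    print("second run created:", ensure_secrets(CONFIG, fake))  # [] : nothing rotated
```

Against a real server you would construct `VaultKV("http://vault.vault:8200", token)` in place of `FakeVault()`; the `cas: 0` option is the part worth keeping, because an `exists` check alone still leaves a window in which two runs could both decide to write.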

Pulling secrets from Vault to Kubernetes

Commit and push an ExternalSecret object, for example:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin-secret
  namespace: gitea
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      key: /gitea/admin
      property: password
    secretKey: password
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        password: '{{ .password }}'
        username: gitea_admin
      engineVersion: v2

This will create a corresponding Kubernetes secret:

kubectl describe secrets -n gitea gitea-admin-secret

Name:         gitea-admin-secret
Namespace:    gitea
Labels:       <none>
Annotations:  reconcile.external-secrets.io/data-hash: <REDACTED>

Type:  Opaque

Data
====
password:  32 bytes
username:  11 bytes

Please see the official documentation for more information: