Secrets management
Overview
- Global secrets are stored in the
global-secrets
namespace. - Integrate with GitOps using External Secrets Operator.
- Secrets that can be generated are automatically generated and stored in the
global-secrets
namespace.
Info
Despite the name External Secrets Operator, global secrets are created in the same cluster and synced to other namespaces using the Kubernetes provider.
While not supported by default in this project, you can also use other external providers such as HashiCorp Vault, AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
flowchart TD
subgraph global-secrets-namespace[global-secrets namespace]
secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
end
subgraph app-namespace[application namespace]
ExternalSecret -- create --> Secret
App -- read --> Secret
end
ClusterSecretStore -- read --> source-secrets
ExternalSecret --- ClusterSecretStore
Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in global secrets.
# Gitea
- name: gitea.admin
data:
- key: password
length: 32
special: true
# Dex
- name: dex.grafana
data:
- key: client_secret
length: 32
special: false
- name: dex.gitea
data:
- key: client_secret
length: 32
special: false
# Registry
- name: registry.admin
data:
- key: password
length: 32
special: true
# Woodpecker
- name: woodpecker.agent
data:
- key: secret
length: 32
special: false
# Paperless
- name: paperless.admin
data:
- key: PAPERLESS_ADMIN_PASSWORD
length: 32
special: true
Extra third-party secrets
For third-party secrets that you don't control, add them to external/terraform.tfvars
under the extra_secrets
key,
then run make external
.
They will be available as a Secret named external
in the global-secrets
namespace.
You can use it with ExternalSecret
just like any other global secret.
How secrets are pulled from global secrets to other namespaces
When you apply an ExternalSecret
object, for example:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: gitea.admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
This will create a corresponding Kubernetes secret:
kubectl describe secrets -n gitea gitea-admin-secret
Name: gitea-admin-secret
Namespace: gitea
Labels: <none>
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
Type: Opaque
Data
====
password: 32 bytes
username: 11 bytes
Please see the official documentation for more information: