Skip to main content

External Secrets Operator


Pro Feature

This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.

Prerequisites​

This guide assumes you have the following prerequisites:

External Secrets integration

To enable the external secret integration, set the following fields as shown below:

integrations:
externalSecrets:
enabled: true
sync:
externalSecrets:
enabled: true
stores:
enabled: true
clusterStores:
enabled: true

This will enable the integration, import cluster stores from the host cluster into the virtual cluster and export namespaced stores from the virtual cluster into the host cluster.

Once that the virtual cluster is up and running, you can create a secret store inside the virtual cluster. For the purpose of this guide, we will use the fake store type, which prefills data instead of connecting to a distant secret store.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: fake
spec:
provider:
fake:
data:
- key: "/foo/bar"
value: "HELLO1"
version: "v1"
- key: "/foo/bar"
value: "HELLO2"
version: "v2"
- key: "/foo/baz"
value: '{"john": "doe"}'
version: "v1"

Inside the virtual cluster, create the store with kubectl apply -f fake.yaml. This should create a corresponding store in the host cluster. You can then create an ExternalSecret in the virtual cluster, which references the SecretStore.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
name: fake
kind: SecretStore
target:
name: secret-to-be-created
data:
- secretKey: foo_bar
remoteRef:
key: /foo/bar
version: v1
dataFrom:
- extract:
key: /foo/baz
version: v1beta1

Once that external secret is created in the virtual cluster, the integration will take care or creating a corresponding external secret inside the host cluster, the external secret operator running in the host will take care of creating the corresponding Kubernetes secret, and the integration will import this Kubernetes secret into the virtual cluster. Running kubectl get secrets in the virtual cluster should now include the secret-to-be-created in its output.

Config Reference​

externalSecrets required object pro​

ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster

enabled required boolean false pro​

Enabled defines whether the external secret integration is enabled or not

webhook required object pro​

Webhook defines whether the host webhooks are reused or not

enabled required boolean false pro​

Enabled defines if this option should be enabled.

sync required object pro​

Sync defines the syncing behavior for the integration

externalSecrets required object pro​

ExternalSecrets defines whether to sync external secrets or not

enabled required boolean true pro​

Enabled defines if this option should be enabled.

stores required object pro​

Stores defines whether to sync stores or not

enabled required boolean false pro​

Enabled defines if this option should be enabled.

clusterStores required object pro​

ClusterStores defines whether to sync cluster stores or not

enabled required boolean false pro​

Enabled defines if this option should be enabled.

selector required object pro​

Selector defines what cluster stores should be synced

labels required object {} pro​

Labels defines what labels should be looked for