External Secrets Operator
This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.
Prerequisites
This guide assumes you have the following prerequisites:
- kubectl installed
- external-secrets operator installed on your host cluster. See instructions at https://external-secrets.io/latest/
External Secrets integration
To enable the external secret integration, set the following fields:
integrations:
  externalSecrets:
    enabled: true
    sync:
      externalSecrets:
        enabled: true
      stores:
        enabled: true
      clusterStores:
        enabled: true
This enables the integration, imports cluster stores from the host cluster into the virtual cluster, and exports namespaced stores from the virtual cluster into the host cluster.
Once the virtual cluster is up and running, you can create a secret store inside the virtual cluster. For the purpose of this guide, we use the fake store type, which serves prefilled data instead of connecting to a remote secret store.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: fake
spec:
  provider:
    fake:
      data:
        - key: "/foo/bar"
          value: "HELLO1"
          version: "v1"
        - key: "/foo/bar"
          value: "HELLO2"
          version: "v2"
        - key: "/foo/baz"
          value: '{"john": "doe"}'
          version: "v1"
Inside the virtual cluster, create the store with kubectl apply -f fake.yaml. This should create a corresponding SecretStore in the host cluster. You can then create an ExternalSecret in the virtual cluster that references the SecretStore.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: fake
    kind: SecretStore
  target:
    name: secret-to-be-created
  data:
    - secretKey: foo_bar
      remoteRef:
        key: /foo/bar
        version: v1
  dataFrom:
    - extract:
        key: /foo/baz
        version: v1  # the fake store above only holds /foo/baz at version v1
Once the ExternalSecret is created in the virtual cluster, the integration creates a corresponding ExternalSecret inside the host cluster, the external secrets operator running in the host creates the corresponding Kubernetes Secret, and the integration imports that Secret back into the virtual cluster. Running kubectl get secrets in the virtual cluster should now list secret-to-be-created in its output.
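The walkthrough above depends on three switches lining up: the integration itself, the sync of ExternalSecrets to the host, and the sync of the store kind the ExternalSecret references. The following added check (example code written for this page, not part of vCluster or the external-secrets project) overlays a parsed vcluster.yaml onto the defaults from the Config Reference below and reports why an ExternalSecret would not yield a Secret in the virtual cluster; it also flags references to host-wide ClusterSecretStores, since those hand a tenant access to host-scoped stores. The manifests are embedded as constructed dicts, as a YAML parser would produce them.

```python
from copy import deepcopy

# Defaults taken from the Config Reference: only sync.externalSecrets is on by default.
DEFAULTS = {
    "enabled": False,
    "webhook": {"enabled": False},
    "sync": {
        "externalSecrets": {"enabled": True},
        "stores": {"enabled": False},
        "clusterStores": {"enabled": False},
    },
}


def _merge(base, override):
    """Recursively overlay override onto base without mutating either."""
    out = deepcopy(base)
    for key, value in (override or {}).items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _merge(out[key], value)
        else:
            out[key] = value
    return out


def effective_config(values):
    """Resolve integrations.externalSecrets from a parsed vcluster.yaml against the defaults."""
    return _merge(DEFAULTS, values.get("integrations", {}).get("externalSecrets", {}))


def check_external_secret(cfg, manifest):
    """Return findings for one parsed ExternalSecret; an empty list means it should resolve."""
    findings = []
    if not cfg["enabled"]:
        findings.append("integration disabled: nothing is exported to the host")
    elif not cfg["sync"]["externalSecrets"]["enabled"]:
        findings.append("sync.externalSecrets disabled: ExternalSecret stays in the virtual cluster")
    ref = manifest["spec"]["secretStoreRef"]
    kind = ref.get("kind", "SecretStore")  # ESO treats a missing kind as SecretStore
    if kind == "SecretStore" and not cfg["sync"]["stores"]["enabled"]:
        findings.append(f"SecretStore '{ref['name']}' is not exported: sync.stores is disabled")
    elif kind == "ClusterSecretStore" and not cfg["sync"]["clusterStores"]["enabled"]:
        findings.append(f"ClusterSecretStore '{ref['name']}' is not imported: sync.clusterStores is disabled")
    elif kind == "ClusterSecretStore":
        findings.append(f"reads host-wide ClusterSecretStore '{ref['name']}': tenant gets host-scoped secrets")
    return findings


# Constructed inputs: the vcluster.yaml and ExternalSecret from this guide, already parsed.
GUIDE_VALUES = {"integrations": {"externalSecrets": {"enabled": True, "sync": {
    "externalSecrets": {"enabled": True}, "stores": {"enabled": True}, "clusterStores": {"enabled": True}}}}}
GUIDE_ES = {"spec": {"secretStoreRef": {"name": "fake", "kind": "SecretStore"}}}

if __name__ == "__main__":
    result = check_external_secret(effective_config(GUIDE_VALUES), GUIDE_ES)
    print(result or ["ok: secret-to-be-created will appear in the virtual cluster"])
```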
Config Reference
externalSecrets (required, object, pro)
  ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.
  enabled (required, boolean, default false, pro)
    Enabled defines whether the external secret integration is enabled or not.
  webhook (required, object, pro)
    Webhook defines whether the host webhooks are reused or not.
    enabled (required, boolean, default false, pro)
      Enabled defines if this option should be enabled.
  sync (required, object, pro)
    Sync defines the syncing behavior for the integration.
    externalSecrets (required, object, pro)
      ExternalSecrets defines whether to sync external secrets or not.
      enabled (required, boolean, default true, pro)
        Enabled defines if this option should be enabled.
    stores (required, object, pro)
      Stores defines whether to sync stores or not.
      enabled (required, boolean, default false, pro)
        Enabled defines if this option should be enabled.
    clusterStores (required, object, pro)
      ClusterStores defines whether to sync cluster stores or not.