Kubernetes Secrets: Install External Secrets Operator


2 min read | by Jordi Prats

Kubernetes External Secrets (KES) has evolved into an operator: the External Secrets Operator (ESO). What does it bring to the table?

The goal of both KES and the External Secrets Operator is to synchronize secrets from external APIs into Kubernetes Secrets, from backends such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, ...

With the External Secrets Operator it becomes much easier to configure where secrets are fetched from, and since that configuration is expressed as namespaced Kubernetes objects, you no longer need to rely on a single global configuration for the whole cluster.

The key objects that we can use are:

  • SecretStore: Object that contains the configuration needed to reach the secret source (Vault, AWS Secrets Manager...), including how to authenticate against it.
  • ExternalSecret: Definition of which secret to fetch through a SecretStore and how to transform it into a Kubernetes Secret.

And the global equivalents (not namespaced):

  • ClusterSecretStore: Equivalent to SecretStore, but intended to be referenced by ExternalSecrets from all namespaces. Use it to offer a central gateway to your secret backend.
  • ClusterExternalSecret: Equivalent to ExternalSecret, intended to push an ExternalSecret into specific namespaces.

For the non-namespaced objects you can use a namespaceSelector to choose namespaces: any namespace matching the selector will have the object applied to it.
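As an added example (not from the original post), the following manifests show the four objects described above working together: a namespaced SecretStore for AWS Secrets Manager authenticated through a service account (IRSA), an ExternalSecret that turns one remote secret into a Kubernetes Secret, and a ClusterSecretStore plus a ClusterExternalSecret that uses a namespaceSelector to push the same kind of Secret into every namespace labelled team=payments. All names, the region, the remote secret keys and the labels are placeholders; the `conditions` block on the ClusterSecretStore, which restricts which namespaces may reference the central store, assumes a recent ESO release.

```yaml
# Added example, not part of the post. Placeholder names and keys throughout.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        # IRSA: ESO assumes the IAM role bound to this service account, so no
        # long-lived AWS access keys need to be stored in the cluster.
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h            # re-sync so backend rotations propagate
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: payments-db            # the Kubernetes Secret ESO will create
    creationPolicy: Owner        # ESO owns and garbage-collects that Secret
  data:
    - secretKey: password        # key inside the Kubernetes Secret
      remoteRef:
        key: prod/payments/db    # placeholder secret name in Secrets Manager
        property: password       # JSON field inside that remote secret
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-shared
spec:
  # Only namespaces carrying this label may reference the central store.
  conditions:
    - namespaceSelector:
        matchLabels:
          team: payments
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets   # required for cluster-scoped stores
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: registry-pull
spec:
  namespaceSelector:             # every matching namespace gets the ExternalSecret
    matchLabels:
      team: payments
  externalSecretName: registry-pull
  refreshTime: 1h
  externalSecretSpec:
    refreshInterval: 1h
    secretStoreRef:
      name: aws-shared
      kind: ClusterSecretStore
    target:
      name: registry-pull
      creationPolicy: Owner
    data:
      - secretKey: token
        remoteRef:
          key: prod/shared/registry   # placeholder remote secret name
```

After applying these with kubectl, `kubectl get externalsecret -n payments` shows whether each ExternalSecret reached the SecretSynced condition; a failed sync (wrong IAM permissions, missing remote key) stays visible there instead of silently producing an empty Secret. Keeping the IAM role behind the service account scoped to the exact secret paths the store needs is what limits the blast radius of a compromised namespace.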

To install ESO we can use its Helm chart. Unlike with KES, since all the configuration can be pushed as Kubernetes objects afterwards, there is not much to configure in the chart itself.

We can add the following source:

helm repo add external-secrets https://charts.external-secrets.io

And then install External Secrets Operator as follows:

helm install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    --set installCRDs=true

Posted on 05/09/2022