2 min read | by Jordi Prats
We can use the External Secrets Operator (ESO) to retrieve secrets from a backend such as Vault and write them into a vanilla Kubernetes Secret, where applications consume them as plain key-value pairs. Not every application expects the same layout, so we might need to reshape the data (different key names, a config-file snippet, a connection string) into a format the application can consume directly.
Let's take as an example the following ExternalSecret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  data:
    - secretKey: demo
      remoteRef:
        key: secret/demo
        property: secret
We'll get a Secret whose data.demo key holds the value retrieved from Vault. Keep in mind that the values shown by kubectl are only base64-encoded, not encrypted, so anyone allowed to read the Secret can read the Vault value:
$ kubectl get secret vault-example -o jsonpath='{.data}'
{"demo":"czNjcjN0"}
We might need to present the value in a different format and under a different key name, for example as a YAML fragment:
somethingelse: "data retrieved from Vault is VALUE"
We can use spec.target.template for this. Each entry under template.data is a Go template rendered against the values fetched by the data section, referenced by their secretKey (here {{ .demo }}):
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example-with-template
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    template:
      data:
        somekey: |
          somethingelse: "data retrieved from Vault is {{ .demo }}"
  data:
    - secretKey: demo
      remoteRef:
        key: secret/demo
        property: secret
Applying this ExternalSecret we'll be able to see how it creates the Secret using the alternate key. Note that the resulting Secret contains only the templated key (somekey); the raw demo key fetched from Vault is not written alongside it:
$ kubectl get secret vault-example-with-template -o jsonpath='{.data}'
{"somekey":"c29tZXRoaW5nZWxzZTogImRhdGEgcmV0cmlldmVkIGZyb20gVmF1bHQgaXMgczNjcjN0Igo="}
Decoding it shows the value in the format we defined in the template:
$ kubectl get secret vault-example-with-template -o jsonpath='{.data.somekey}' | base64 -d
somethingelse: "data retrieved from Vault is s3cr3t"
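One thing worth checking before relying on a template like the one above: the secret value is substituted verbatim into a double-quoted YAML scalar, so a Vault value containing a double quote (or a newline) will produce a file the application cannot parse, or one with extra keys. The following Go program is an added example, not code from the original post or from the External Secrets Operator project. It renders the page's template and a safer variant with Go's text/template, the engine ESO uses, and checks whether the value survives a round trip through a minimal parser of one `key: "..."` line. The `quote` function is assumed to behave like sprig's `quote` (which ESO exposes); here it is implemented with strconv.Quote. The hostile sample value is constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Template bodies as they would appear under spec.target.template.data.somekey.
// Unquoted is the one used on this page; Quoted wraps the whole rendered value
// with "quote" so the secret cannot terminate the YAML string early.
const (
	Unquoted = `somethingelse: "data retrieved from Vault is {{ .demo }}"`
	Quoted   = `somethingelse: {{ printf "data retrieved from Vault is %s" .demo | quote }}`
)

// Render executes one template value the way ESO does: a Go text/template run
// against the map of fetched values, keyed by secretKey. The "quote" entry is a
// stand-in for sprig's quote (assumption: ESO registers the full sprig set, not
// this one-entry map); strconv.Quote produces the same output for plain strings.
func Render(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("somekey").Funcs(template.FuncMap{"quote": strconv.Quote}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ParseScalar is a deliberately minimal consumer of the rendered line: it splits
// off the key and decodes the remainder as a double-quoted scalar. strconv.Unquote
// rejects anything after the closing quote, which is what a real YAML parser
// would also refuse (or, worse, interpret as additional keys).
func ParseScalar(line string) (string, error) {
	parts := strings.SplitN(line, ": ", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("no key/value separator in %q", line)
	}
	return strconv.Unquote(parts[1])
}

// RoundTrips reports whether a backend value survives templating and parsing
// unchanged, with the literal prefix the template adds.
func RoundTrips(tmpl, secret string) bool {
	rendered, err := Render(tmpl, map[string]string{"demo": secret})
	if err != nil {
		return false
	}
	got, err := ParseScalar(rendered)
	return err == nil && got == "data retrieved from Vault is "+secret
}

func main() {
	// Constructed sample values: the benign one from the page and a hostile one
	// containing a double quote, which a Vault value is free to contain.
	for _, secret := range []string{"s3cr3t", `s3cr3t" evil: "x`} {
		for name, tmpl := range map[string]string{"unquoted": Unquoted, "quoted": Quoted} {
			rendered, err := Render(tmpl, map[string]string{"demo": secret})
			fmt.Printf("%-8s ok=%-5v err=%v\n  %s\n", name, RoundTrips(tmpl, secret), err, rendered)
		}
	}
}
```

With the benign value both templates render `somethingelse: "data retrieved from Vault is s3cr3t"`. With the hostile value the page's template yields a line that a parser rejects, while the quoted variant escapes the embedded quote and the value is recovered intact. The same reasoning applies to any structured format you template a secret into (JSON, INI, connection strings): escape the value for that format rather than interpolating it raw.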
Posted on 08/11/2022