ContainerSolutions / externalsecret-operator

An operator to fetch secrets from cloud services and inject them in Kubernetes
Apache License 2.0

External Secret Operator


This operator reads information from a third party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.

Disclaimer ⚠️

This project will not be maintained anymore, and we are trying to concentrate our efforts on this new collaboration:

external-secrets/external-secrets

Website: https://www.external-secrets.io/

Table of Contents

Features

Quick start

Using Kustomize

Install the operator CRDs:

make install

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager create-secret \
  --name=example-externalsecret-key \
  --secret-string='this string is a secret'

and the AWS credentials to be used, selected in config/credentials/kustomization.yaml and filled in with valid AWS credentials:

% cat config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml
% cat config/credentials/credentials-asm.yaml
...
credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": ""
    }

and a SecretStore resource definition like this one:

% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth: 
      secretRef: 
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2

and an ExternalSecret resource definition like this one:

% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef: 
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest

The operator fetches the secret from AWS Secrets Manager and injects it as a secret:

% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
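The reference chain above (ExternalSecret storeRef -> SecretStore -> auth secretRef -> backend -> generated Secret), modelled offline as an added example that is not code from the operator itself. It assumes a Kustomize namePrefix of externalsecret-operator- (consistent with the names shown above) and uses a constructed dictionary as a stand-in for AWS Secrets Manager.

```python
import base64

# Assumed Kustomize namePrefix; it matches the names shown on this page
# (secretstore-sample -> externalsecret-operator-secretstore-sample).
PREFIX = "externalsecret-operator-"

# Constructed stand-in for AWS Secrets Manager: (secret name, version) -> value.
ASM_BACKEND = {("example-externalsecret-key", "latest"): "this string is a secret"}

# The page's SecretStore and ExternalSecret samples, transcribed as dicts.
SECRET_STORE = {
    "kind": "SecretStore", "metadata": {"name": "secretstore-sample"},
    "spec": {"controller": "staging", "store": {
        "type": "asm",
        "auth": {"secretRef": {"name": "externalsecret-operator-credentials-asm"}},
        "parameters": {"region": "eu-west-2"}}}}
EXTERNAL_SECRET = {
    "kind": "ExternalSecret", "metadata": {"name": "externalsecret-sample"},
    "spec": {"storeRef": {"name": "externalsecret-operator-secretstore-sample"},
             "data": [{"key": "example-externalsecret-key", "version": "latest"}]}}
# Credentials Secret as it would exist in the cluster (constructed placeholder content).
CLUSTER_SECRETS = {"externalsecret-operator-credentials-asm": {"credentials.json": "{...}"}}


def reconcile(external_secret, stores, cluster_secrets, backends):
    """Follow storeRef -> SecretStore -> auth.secretRef, fetch every key from the store's
    backend, and return the Secret the operator would create; dangling refs raise LookupError."""
    spec = external_secret["spec"]
    store_name = spec["storeRef"]["name"]
    store = next((s for s in stores if PREFIX + s["metadata"]["name"] == store_name), None)
    if store is None:
        raise LookupError(f"SecretStore {store_name!r} not found")
    store_spec = store["spec"]["store"]
    auth_ref = store_spec["auth"]["secretRef"]["name"]
    if auth_ref not in cluster_secrets:
        raise LookupError(f"credentials Secret {auth_ref!r} not found")
    backend = backends[store_spec["type"]]  # a real client would be built from auth_ref here
    data = {}
    for item in spec["data"]:
        value = backend.get((item["key"], item.get("version", "latest")))
        if value is None:
            raise LookupError(f"{item['key']!r} not found in {store_spec['type']} backend")
        # Kubernetes Secret .data values are base64-encoded, hence the base64 -d above
        data[item["key"]] = base64.b64encode(value.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": PREFIX + external_secret["metadata"]["name"]}, "data": data}


def decoded_value(secret, key):
    # Mirror of the kubectl ... | base64 -d check from the page.
    return base64.b64decode(secret["data"][key]).decode()
```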

Architecture

In this article you can find more information about the architecture and design choices.

Here's a high-level diagram of how things are put together.

[architecture diagram]

Running tests

Requirements:

Then just:

make test

CRDs Spec

Other Supported Backends

We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are:

| Provider | Backend | Doc |
| --- | --- | --- |
| AWS Secrets Manager | Info | AWS Secrets Manager Backend Docs |
| Credstash | Info | Credstash (AWS KMS) Docs |
| GCP Secret Manager | Info | GCP Secret Manager Backend Docs |
| Gitlab CI/CD Variables | Info | Gitlab CI/CD Variables Backend Docs |
| Azure Key Vault | Info | Azure Key Vault Backend Docs |

Contributing

Yay! We welcome and encourage contributions to this project!

See our contributing document and Issues for planned improvements and additions.