External Secrets Operator — Commands & Recipes
Installation
# Install via Helm
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
-n external-secrets --create-namespace
# Verify
kubectl get pods -n external-secrets
SecretStore (Vault)
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vault-backend
spec:
provider:
vault:
server: "https://vault.example.com:8200"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "myapp"
ExternalSecret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: myapp-secret
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: SecretStore
target:
name: myapp-secret
creationPolicy: Owner
data:
- secretKey: DB_PASSWORD
remoteRef:
key: secret/data/myapp/db
property: password
- secretKey: API_KEY
remoteRef:
key: secret/data/myapp/api
property: key
AWS Secrets Manager
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: aws-secrets
spec:
provider:
aws:
service: SecretsManager
region: us-east-1
auth:
jwt:
serviceAccountRef:
name: external-secrets-sa
namespace: external-secrets
Debugging
# Check sync status
kubectl get externalsecret -A
kubectl describe externalsecret myapp-secret
# Check events
kubectl get events --field-selector involvedObject.kind=ExternalSecret
Sources