Kubernetes Secrets Management: Level Up with External Secrets Operator
Managing secrets—such as API keys, passwords, and certificates—is essential for running secure Kubernetes environments. While Kubernetes provides built-in support for Secrets, these are limited when it comes to multi-cluster deployments or integrations with external secret management systems. This is where the External Secrets Operator (ESO) comes into play.
ESO allows you to synchronize secrets from external systems like AWS Secrets Manager directly into Kubernetes Secrets, improving security and streamlining operations.
Prerequisites
Before you begin, ensure you have the following in place:
- Kubernetes cluster (version 1.19 or later)
- kubectl configured for your cluster
- Helm 3 or later installed locally
- AWS account with access to Secrets Manager
Step 1: Installing External Secrets Operator
To get started, install the External Secrets Operator using Helm.
1.1 Add the External Secrets Helm Repository
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
1.2 Install External Secrets Operator
helm install external-secrets \
external-secrets/external-secrets \
--namespace external-secrets \
--create-namespace \
--set installCRDs=true
This command creates a dedicated namespace and installs the operator along with the necessary Custom Resource Definitions (CRDs).
Step 2: Configuring IAM for AWS Integration
2.1 Associate OIDC Provider
If you’re using EKS, associate your cluster with the OIDC provider:
eksctl utils associate-iam-oidc-provider --cluster=your-cluster-name --approve
2.2 Create an IAM Role
Go to the AWS IAM Console and create a role with the following:
- Trusted entity: Web identity
- Select OIDC provider: Your cluster’s OIDC
- Attach Secrets Manager access policies
Name the role, create it, and copy the role ARN.
Step 3: Create a Service Account for External Secrets Operator
Create a ServiceAccount in Kubernetes to connect the cluster to your IAM role.
Create a file called sa.yaml
:
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-operator
namespace: external-secrets
annotations:
eks.amazonaws.com/role-arn: your-iam-role-arn
Apply the configuration:
kubectl apply -f sa.yaml
Step 4: Set Up a SecretStore for AWS
Create a ss.yaml
file to define the SecretStore, which tells ESO how to interact with AWS Secrets Manager.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secrets-manager
namespace: external-secrets
spec:
provider:
aws:
service: SecretsManager
region: your-aws-region
auth:
jwt:
serviceAccountRef:
name: external-secrets-operator
Apply the configuration:
kubectl apply -f ss.yaml
Step 5: Create and Synchronize External Secrets
Define an ExternalSecret to fetch and synchronize a secret from AWS.
Create a file named secret.yaml
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: secret
namespace: external-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secrets-manager
kind: SecretStore
target:
name: secrets-manager-secret
creationPolicy: Owner
data:
- secretKey: aws-secretsmanager
remoteRef:
key: your-secret-name
property: your-secret-key
Apply the configuration:
kubectl apply -f secret.yaml
Verify the secret creation:
kubectl get secret secrets-manager-secret -n external-secrets
Step 6: Use External Secrets in Deployments
To utilize the managed secrets in your Kubernetes deployments, add the following block to your Deployment manifest:
- name: AWS_SECRET
valueFrom:
secretKeyRef:
name: secrets-manager-secret
key: aws-secretsmanager
This block pulls the AWS secret into your deployment, ensuring your application can access it securely.
Conclusion
The External Secrets Operator is a powerful tool for managing Kubernetes secrets by integrating with external systems like AWS Secrets Manager. It automates the synchronization of secrets, ensuring your applications always have the latest credentials. By centralizing secret management and automating updates, ESO enhances security and simplifies Kubernetes operations.
With ESO in place, your clusters remain secure, scalable, and easy to manage.