When working with Kubernetes, securely managing secrets is a crucial part of your infrastructure. Traditional approaches—like directly embedding secrets in manifests or manually managing Secret objects—can become cumbersome and less secure over time. Enter the External Secrets Operator (ESO), a powerful way to integrate external secret stores with Kubernetes. One such secret store is HashiCorp Vault, a proven solution for securely storing and accessing secrets.
In this post, we’ll walk through the key Custom Resource Definitions (CRDs) you need to set up in your cluster to fetch secrets from Vault and have them automatically synchronized as Kubernetes secrets.
Overview
ESO acts as a bridge between external secret stores (in this case, Vault) and Kubernetes Secret objects. To make this happen, you’ll define a store resource that tells ESO where and how to retrieve secrets. You’ll then define another resource that specifies which secrets to fetch and how to transform them into Kubernetes secrets.
In other words:
- SecretStore/ClusterSecretStore: Defines the external secret provider configuration
- ExternalSecret: Defines the specific secrets you want to pull from your chosen store and how to map them into Kubernetes secrets
Key Resources
1. SecretStore or ClusterSecretStore
The SecretStore or ClusterSecretStore resource provides information about your Vault instance, including:
- Endpoint: The URL of the Vault server
- Authentication method: How ESO should authenticate to Vault (e.g., using a Kubernetes Service Account token, Vault token, or another method)
- Paths and parameters: Details like which Vault mount paths and keys to read from
When to use SecretStore vs. ClusterSecretStore?
- SecretStore: Used when you want the configuration to be namespace-specific
- ClusterSecretStore: Used when you want a cluster-wide configuration accessible by multiple namespaces
Example:
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-backend
spec:
provider:
vault:
server: "https://vault.example.com"
path: "secret" # The path where secrets are stored in Vault
version: "v2"
auth:
tokenSecretRef:
name: vault-token
key: tokenThis ClusterSecretStore tells ESO how to communicate with a Vault server at vault.example.com, using a token stored in the vault-token Secret.
2. ExternalSecret
The ExternalSecret resource references the SecretStore or ClusterSecretStore and tells ESO which keys from Vault to sync and how to project them into a Kubernetes Secret.
Example:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: my-app-secret
namespace: default
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: my-app-k8s-secret
creationPolicy: Owner
data:
- secretKey: api-key # Key in the resulting K8s Secret
remoteRef:
key: my-app/api-key # Path/key in VaultIn this ExternalSecret:
secretStoreRefpoints to theClusterSecretStorenamedvault-backend- It requests a secret named
my-app/api-keyfrom Vault - It maps that key into a Kubernetes Secret named
my-app-k8s-secretunder theapi-keykey
How it Works
Define the Store: Set up a
ClusterSecretStoreorSecretStoreresource that points to your Vault instance and specifies authentication details.Request the Secret: Create an
ExternalSecretresource that references the store and specifies the exact secrets you need.ESO Synchronizes the Secret: The External Secrets Operator continuously reconciles resources. When it sees your
ExternalSecret, it connects to Vault (using the instructions from the store resource), fetches the requested secret, and creates or updates the corresponding Kubernetes Secret object in your cluster.
Analogies
- Think of the
ClusterSecretStoreas a “GPS coordinate” that tells ESO where to find the treasure (your secrets) in Vault. - The
ExternalSecretis your “shopping list,” telling ESO which items (specific keys/values) to bring back from that secret store and how to pack them into a Kubernetes Secret.
Pros and Cons
Pros:
- Separation of concerns: Store configuration is separate from secret retrieval specifications
- Reusability: You can reuse the same
ClusterSecretStorefor multipleExternalSecrets - Security: Keeps sensitive data in Vault, only syncing what’s necessary to Kubernetes
Cons:
- Initial complexity: Requires understanding CRDs and writing additional YAML manifests
- Extra components: Relies on running ESO and Vault integrations
Summary
By defining a SecretStore or ClusterSecretStore and one or more ExternalSecrets, you can seamlessly integrate HashiCorp Vault secrets into your Kubernetes cluster with the External Secrets Operator. This pattern centralizes and secures your secret management workflow, providing a more maintainable and secure approach than manually managing Secret objects.
Key Takeaways:
- Use
SecretStoreorClusterSecretStoreto define how to connect to Vault - Use
ExternalSecretto specify which secrets to pull from Vault - ESO automatically keeps your Kubernetes secrets in sync with Vault’s secrets