External Secret Operator
A Kubernetes secret contains sensitive information decoupled from the application code and stored in key-value pairs. The Secret object provides a declarative API that makes it easy for application pods to access secret data. Kubernetes secrets however do not support storing or retrieving secret data from external secret management systems, such as HashiCorp Vault.
External Secrets solves this problem by providing access to secrets stored externally. It does this by adding an
ExternalSecret object to Kubernetes using a CustomResourceDefinition. Developers specify the secret management system as
backendType and the access properties in the manifest.
SAAP uses the External Secrets Operator to integrate HashiCorp Vault. The operator synchronizes secrets from external APIs into Kubernetes with the help of custom API resources:
A secret store defines how to fetch the data. It defines the provider, such as Vault, its server address, the path for secrets, and its authentication method, e.g. service account bound with Vault role and policy:
apiVersion: external-secrets.io/v1alpha1 kind: SecretStore metadata: name: tenant-vault-secret-store spec: provider: vault: server: "http://vault.stakater-vault:8200" path: "gabbar/kv" version: "v2" auth: kubernetes: mountPath: "kubernetes" role: "gabbar-dev" serviceAccountRef: name: "tenant-vault-access" namespace: "gabbar-dev"
An external secret declares what data to fetch. It has a reference to a SecretStore which knows how to access that data:
apiVersion: external-secrets.io/v1alpha1 kind: ExternalSecret metadata: name: example spec: refreshInterval: 1h secretStoreRef: name: tenant-vault-secret-store kind: SecretStore data: - secretKey: secret-key-to-be-managed remoteRef: key: provider-key property: provider-key-property dataFrom: - key: remote-key-in-the-provider
Cluster Secret Store
A cluster secret store is a global, cluster-wide
SecretStore that can be referenced from all namespaces. It is used for secrets that need to be distributed across all namespaces.