Kubernetes Secrets Management: Level Up with External Secrets Operator
Overview :-
Kubernetes has become a popular platform for deploying and managing containerized applications. As applications grow in complexity, managing secrets such as API keys, passwords, and certificates becomes increasingly important. While Kubernetes provides a built-in Secrets resource, it has limitations when it comes to managing secrets across multiple clusters or integrating with external secret management systems. This is where the External Secrets Operator (ESO) comes into play. ESO is an open-source Kubernetes operator that allows you to manage secrets from external secret management systems and synchronize them as Kubernetes Secrets.
Prerequisites :-
Before you can start using the External Secrets Operator, you’ll need to have the following in place:
A Kubernetes cluster (version 1.19 or later)
kubectl command-line tool configured to communicate with your cluster
Helm (version 3 or later) installed on your local machine
AWS Account to Access to a supported external secret management system(Secrets Manager).
Procedure :-
1 .Setting Up External Secrets Operator
The first step in leveraging External Secrets in Kubernetes is installing the External Secrets Operator. Here’s how:
1.1 Add the External Secrets Repository
Execute the following command to add the External Secrets Operator repository:
helm repo add external-secrets https://charts.external-secrets.io
1.2 Install External Secrets Operator
Use Helm to install the operator:
helm install external-secrets \
external-secrets/external-secrets \
--namespace external-secrets \
--create-namespace \
--set installCRDs=true
This command creates a dedicated namespace and installs the operator with necessary Custom Resource Definitions (CRDs).
Configuring IAM for External Secrets
2.1 Associate OIDC Provider
Before creating an IAM role, associate your EKS cluster with an OIDC provider:
eksctl utils associate-iam-oidc-provider --cluster=your-cluster-name --approve
2.2 Create IAM Role
Navigate to IAM in AWS Console and create a role with the following specifications:
Trusted entity type: Web identity
Select your cluster’s OIDC provider
Attach policies for Secrets Manager access
- Name the role and click on create role and copy the role arn.
- Implementing Service Account for External Secrets
A service account to link Kubernetes with your IAM role: Create a file named (sa.yaml) to create a service account. Specify the above created Iam role arn in the below service account.
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-operator
namespace: external-secrets
annotations:
eks.amazonaws.com/role-arn: your-iam-role-arn
Apply this configuration:
kubectl apply -f sa.yml
Establishing a SecretStore
Create a file(ss.yaml) to Set up a SecretStore to define how External Secrets interacts with AWS Secrets Manager. Don’t forget to add your aws region, in which the secret exists in your aws account.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secrets-manager
namespace: external-secrets
spec:
provider:
aws:
service: SecretsManager
region: your-aws-region
auth:
jwt:
serviceAccountRef:
name: external-secrets-operator
Apply this configuration:
kubectl apply -f ss.yml
Creating External Secrets
Next create a file(secret.yaml) to define an ExternalSecret to fetch and manage secrets. Specify the your-secret-name and the your-key-name values in the below secret.yaml file
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: secret
namespace: external-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secrets-manager
kind: SecretStore
target:
name: secrets-manager-secret
creationPolicy: Owner
data:
- secretKey: aws-secretsmanager
remoteRef:
key: your-secret-name
property: your-secret-key
Apply this configuration:
kubectl apply -f secret.yml
Utilizing External Secrets in Deployments
To use the managed secrets in your deployments, add the following block:
- name: AWS_SECRET
valueFrom:
secretKeyRef:
name: secrets-manager-secret
key: aws-secretsmanager
Conclusion :-
The External Secrets Operator provides a powerful way to manage secrets in Kubernetes while leveraging the security and features of external secret management systems. By centralizing secret management and automating the synchronization process, ESO helps improve security and simplify operations for Kubernetes applications.