
External Secrets

Another, more traditional, approach to secrets is based on the External Secrets controller. It is an application that runs on your cluster and creates Kubernetes Secret resources from secrets stored in the cloud-based secret manager of your choice, for example:

  • AWS Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • GCP Secret Manager

See the full list of supported backends

Concepts

The project augments the Kubernetes API by adding an ExternalSecret object via a Custom Resource Definition (CRD), together with a controller that implements the object's behavior.

An ExternalSecret declares how to fetch the secret data, while the controller converts every ExternalSecret into a Secret. The conversion is completely transparent to Pods, which read the resulting Secrets as usual.

  1. ExternalSecrets are added to the cluster (e.g., kubectl apply -f external-secret-example.yml)
  2. The controller fetches the ExternalSecrets using the Kubernetes API
  3. The controller uses each ExternalSecret to fetch the secret data from the external provider (e.g., AWS Secrets Manager)
  4. The controller upserts the Secrets (creating them if missing, updating them if they already exist)
  5. Pods can access the Secrets normally
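The following is an added example, not code from the External Secrets project: a simplified model of steps 3 and 4 in plain Python. It takes an ExternalSecret (constructed here in the shape of the kubernetes-external-secrets manifest: `backendType`, `data[].key`, `data[].name`; the field names are an assumption), looks each key up in a stand-in for the provider, and upserts a base64-encoded Secret into a dict standing in for the Kubernetes API. A missing provider key is treated as an error rather than producing an empty value, and the Secret carries an owner reference so it is garbage-collected together with its ExternalSecret.

```python
import base64
from typing import Dict

# Constructed ExternalSecret for this example; field names follow the
# kubernetes-external-secrets manifest shape (assumed, not taken from the page).
EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "hello-service", "namespace": "default"},
    "spec": {
        "backendType": "secretsManager",
        "data": [
            {"key": "hello-service/password", "name": "password"},
            {"key": "hello-service/api-token", "name": "api_token"},
        ],
    },
}

# Constructed stand-in for a cloud secret manager (values are invented).
FAKE_SECRETS_MANAGER = {
    "hello-service/password": "s3cr3t-pa55",
    "hello-service/api-token": "tok_constructed_123",
}


def fetch(backend: Dict[str, str], key: str) -> str:
    """Step 3: look the key up in the external provider. A missing key is an
    error, not an empty string, so a typo never yields a silently empty Secret."""
    try:
        return backend[key]
    except KeyError:
        raise LookupError(f"provider has no secret {key!r}") from None


def reconcile(external_secret: dict, backend: Dict[str, str], cluster: dict) -> dict:
    """Steps 3-4: build the Secret for one ExternalSecret and upsert it into
    `cluster` (a dict standing in for the Kubernetes API), keyed namespace/name."""
    meta, spec = external_secret["metadata"], external_secret["spec"]
    data = {}
    for entry in spec["data"]:
        plain = fetch(backend, entry["key"])
        # Secret.data values are base64 of the raw bytes, as kube-apiserver expects.
        data[entry["name"]] = base64.b64encode(plain.encode()).decode()
    secret = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {
            "name": meta["name"], "namespace": meta["namespace"],
            # Owner reference: deleting the ExternalSecret removes the Secret too.
            "ownerReferences": [{"apiVersion": external_secret["apiVersion"],
                                 "kind": external_secret["kind"], "name": meta["name"]}],
        },
        "data": data,
    }
    cluster[f"{meta['namespace']}/{meta['name']}"] = secret  # create or replace
    return secret
```

Running `reconcile` again after the provider value changes overwrites the same Secret object rather than creating a second one, which is what "upsert" means in step 4.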