|
|
@@ -4,71 +4,131 @@
|
|
|
|
|
|
----
|
|
|
|
|
|
-The External Secrets Kubernetes operator reads information from a third party service
|
|
|
+The External Secrets Operator reads information from a third party service
|
|
|
like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) and automatically injects the values as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
|
|
|
|
|
|
Multiple people and organizations are joining efforts to create a single External Secrets solution based on existing projects. If you are curious about the origins of this project, check out this [issue](https://github.com/external-secrets/kubernetes-external-secrets/issues/47) and this [PR](https://github.com/external-secrets/kubernetes-external-secrets/pull/477).
|
|
|
|
|
|
-<a name="original-projects"></a>
|
|
|
+# Supported Backends
|
|
|
|
|
|
-# ⚠️ Please bear in mind
|
|
|
+- [AWS Secrets Manager](https://external-secrets.io/provider-aws-secrets-manager/)
|
|
|
+- [AWS Parameter Store](https://external-secrets.io/provider-aws-parameter-store/)
|
|
|
+- Hashicorp Vault
|
|
|
+- [Azure Key Vault](https://external-secrets.io/provider-azure-key-vault/) (being implemented)
|
|
|
+- [Google Cloud Secrets Manager](https://external-secrets.io/provider-google-secrets-manager/) (being implemented)
|
|
|
|
|
|
-While this project is not ready, you might consider using the following:
|
|
|
+## ESO installation with an AWS example
|
|
|
|
|
|
-- [Kubernetes External Secrets](https://github.com/external-secrets/kubernetes-external-secrets)
|
|
|
-- [Secrets Manager](https://github.com/itscontained/secret-manager)
|
|
|
-- [External Secrets Operator](https://github.com/ContainerSolutions/externalsecret-operator/)
|
|
|
|
|
|
-## Installation
|
|
|
-Clone this repository:
|
|
|
-```shell
|
|
|
-git clone https://github.com/external-secrets/external-secrets.git
|
|
|
-```
|
|
|
+If you want to use Helm:
|
|
|
|
|
|
-Install the Custom Resource Definitions:
|
|
|
```shell
|
|
|
-make install
|
|
|
+helm repo add external-secrets https://charts.external-secrets.io
|
|
|
+
|
|
|
+helm install external-secrets \
|
|
|
+ external-secrets/external-secrets \
|
|
|
+ -n external-secrets \
|
|
|
+ --create-namespace \
|
|
|
+ # --set installCRDs=true
|
|
|
```
|
|
|
|
|
|
-Run the controller against the active Kubernetes cluster context:
|
|
|
+If you want to run it locally against the active Kubernetes cluster context:
|
|
|
+
|
|
|
```shell
|
|
|
+git clone https://github.com/external-secrets/external-secrets.git
|
|
|
+make crds.install
|
|
|
make run
|
|
|
```
|
|
|
|
|
|
-Apply the sample resources:
|
|
|
+Create a secret containing your AWS credentials:
|
|
|
+
|
|
|
```shell
|
|
|
-kubectl apply -f config/samples/external-secrets_v1alpha1_secretstore.yaml
|
|
|
-kubectl apply -f config/samples/external-secrets_v1alpha1_externalsecret.yaml
|
|
|
+echo -n 'KEYID' > ./access-key
|
|
|
+echo -n 'SECRETKEY' > ./secret-access-key
|
|
|
+kubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key
|
|
|
```
|
|
|
|
|
|
-If you want to use helm:
|
|
|
+Create a secret inside AWS Secret Manager with name `my-json-secret` with the following data:
|
|
|
+
|
|
|
+```json
|
|
|
+{
|
|
|
+ "name": {"first": "Tom", "last": "Anderson"},
|
|
|
+ "friends": [
|
|
|
+ {"first": "Dale", "last": "Murphy"},
|
|
|
+ {"first": "Roger", "last": "Craig"},
|
|
|
+ {"first": "Jane", "last": "Murphy"}
|
|
|
+ ]
|
|
|
+}
|
|
|
+```
|
|
|
|
|
|
-```shell
|
|
|
-helm repo add external-secrets https://charts.external-secrets.io
|
|
|
-helm install RELEASE_NAME external-secrets/external-secrets
|
|
|
+Apply the sample resources (omitting role and controller keys here, you should not omit them in production):
|
|
|
+
|
|
|
+```yaml
|
|
|
+# secretstore.yaml
|
|
|
+apiVersion: external-secrets.io/v1alpha1
|
|
|
+kind: SecretStore
|
|
|
+metadata:
|
|
|
+ name: secretstore-sample
|
|
|
+spec:
|
|
|
+ provider:
|
|
|
+ aws:
|
|
|
+ service: SecretsManager
|
|
|
+ region: us-east-2
|
|
|
+ auth:
|
|
|
+ secretRef:
|
|
|
+ accessKeyIDSecretRef:
|
|
|
+ name: awssm-secret
|
|
|
+ key: access-key
|
|
|
+ secretAccessKeySecretRef:
|
|
|
+ name: awssm-secret
|
|
|
+ key: secret-access-key
|
|
|
```
|
|
|
|
|
|
-We will add more documentation once we have the implementation for the different providers. You can find some here: https://external-secrets.io
|
|
|
+```yaml
|
|
|
+# externalsecret.yaml
|
|
|
+apiVersion: external-secrets.io/v1alpha1
|
|
|
+kind: ExternalSecret
|
|
|
+metadata:
|
|
|
+ name: example
|
|
|
+spec:
|
|
|
+ refreshInterval: 1m
|
|
|
+ secretStoreRef:
|
|
|
+ name: secretstore-sample
|
|
|
+ kind: SecretStore
|
|
|
+ target:
|
|
|
+ name: secret-to-be-created
|
|
|
+ creationPolicy: Owner
|
|
|
+ data:
|
|
|
+ - secretKey: firstname
|
|
|
+ remoteRef:
|
|
|
+ key: my-json-secret
|
|
|
+ property: name.first # Tom
|
|
|
+ - secretKey: first_friend
|
|
|
+ remoteRef:
|
|
|
+ key: my-json-secret
|
|
|
+ property: friends.1.first # Roger
|
|
|
+```
|
|
|
+
|
|
|
+```shell
|
|
|
+kubectl apply -f secretstore.yaml
|
|
|
+kubectl apply -f externalsecret.yaml
|
|
|
+```
|
|
|
|
|
|
-<a name="features"></a>
|
|
|
+Running `kubectl get secret secret-to-be-created` should return a new secret created by the operator.
|
|
|
|
|
|
-## Features
|
|
|
+You can get one of its values with jsonpath (This should return `Roger`):
|
|
|
|
|
|
-- Support to multiple Provider stores (AWS Secret Manager, GCP Secret Manger, Vault and more) simultaneously.
|
|
|
-- Multiple External Secrets operator instances for different contexts/environments.
|
|
|
-- A custom refresh interval to sync the data from the Providers, syncing your Kubernetes Secrets up to date.
|
|
|
-- Select specific versions of the Provider data.
|
|
|
-- Advanced [templating](https://external-secrets.io/guides-templating/)
|
|
|
+```shell
|
|
|
+kubectl get secret secret-to-be-created -o jsonpath='{.data.first_friend}' | base64 -d
|
|
|
+```
|
|
|
|
|
|
+We will add more documentation once we have the implementation for the different providers. You can find some here: https://external-secrets.io
|
|
|
|
|
|
-<a name="contributing"></a>
|
|
|
|
|
|
## Contributing
|
|
|
|
|
|
We welcome and encourage contributions to this project! Please read the [Developer](https://www.external-secrets.io/contributing-devguide/) and [Contribution process](https://www.external-secrets.io/contributing-process/) guides. Also make sure to check the [Code of Conduct](https://www.external-secrets.io/contributing-coc/) and adhere to its guidelines.
|
|
|
|
|
|
-<a name="partners"></a>
|
|
|
-
|
|
|
## Kicked off by
|
|
|
|
|
|
|
Lucas Severo Alves