index.html 31 KB

  1. <!doctype html>
  2. <html lang="en" class="no-js">
  3. <head>
  4. <meta charset="utf-8">
  5. <meta name="viewport" content="width=device-width,initial-scale=1">
  6. <link rel="icon" href="../assets/images/favicon.png">
  7. <meta name="generator" content="mkdocs-1.1, mkdocs-material-7.1.8">
  8. <title>Multi Tenancy - External Secrets Operator</title>
  9. <link rel="stylesheet" href="../assets/stylesheets/main.ca7ac06f.min.css">
  10. <link rel="stylesheet" href="../assets/stylesheets/palette.f1a3b89f.min.css">
  11. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  12. <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
  13. <style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
  14. <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){"undefined"!=typeof location$&&location$.subscribe(function(t){gtag("config","G-QP38TD8K7V",{page_path:t.pathname})})})</script>
  15. <script async src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V"></script>
  16. </head>
  17. <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
  18. <script>function __prefix(e){return new URL("..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
  19. <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
  20. <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
  21. <label class="md-overlay" for="__drawer"></label>
  22. <div data-md-component="skip">
  23. <a href="#shared-clustersecretstore" class="md-skip">
  24. Skip to content
  25. </a>
  26. </div>
  27. <div data-md-component="announce">
  28. </div>
  29. <header class="md-header" data-md-component="header">
  30. <nav class="md-header__inner md-grid" aria-label="Header">
  31. <a href=".." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  32. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
  33. </a>
  34. <label class="md-header__button md-icon" for="__drawer">
  35. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
  36. </label>
  37. <div class="md-header__title" data-md-component="header-title">
  38. <div class="md-header__ellipsis">
  39. <div class="md-header__topic">
  40. <span class="md-ellipsis">
  41. External Secrets Operator
  42. </span>
  43. </div>
  44. <div class="md-header__topic" data-md-component="header-topic">
  45. <span class="md-ellipsis">
  46. Multi Tenancy
  47. </span>
  48. </div>
  49. </div>
  50. </div>
  51. <label class="md-header__button md-icon" for="__search">
  52. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
  53. </label>
  54. <div class="md-search" data-md-component="search" role="dialog">
  55. <label class="md-search__overlay" for="__search"></label>
  56. <div class="md-search__inner" role="search">
  57. <form class="md-search__form" name="search">
  58. <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active" required>
  59. <label class="md-search__icon md-icon" for="__search">
  60. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
  61. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
  62. </label>
  63. <button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
  64. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
  65. </button>
  66. </form>
  67. <div class="md-search__output">
  68. <div class="md-search__scrollwrap" data-md-scrollfix>
  69. <div class="md-search-result" data-md-component="search-result">
  70. <div class="md-search-result__meta">
  71. Initializing search
  72. </div>
  73. <ol class="md-search-result__list"></ol>
  74. </div>
  75. </div>
  76. </div>
  77. </div>
  78. </div>
  79. <div class="md-header__source">
  80. <a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  81. <div class="md-source__icon md-icon">
  82. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  83. </div>
  84. <div class="md-source__repository">
  85. External Secrets Operator
  86. </div>
  87. </a>
  88. </div>
  89. </nav>
  90. </header>
  91. <div class="md-container" data-md-component="container">
  92. <main class="md-main" data-md-component="main">
  93. <div class="md-main__inner md-grid">
  94. <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
  95. <div class="md-sidebar__scrollwrap">
  96. <div class="md-sidebar__inner">
  97. <nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
  98. <label class="md-nav__title" for="__drawer">
  99. <a href=".." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  100. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
  101. </a>
  102. External Secrets Operator
  103. </label>
  104. <div class="md-nav__source">
  105. <a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  106. <div class="md-source__icon md-icon">
  107. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  108. </div>
  109. <div class="md-source__repository">
  110. External Secrets Operator
  111. </div>
  112. </a>
  113. </div>
  114. <ul class="md-nav__list" data-md-scrollfix>
  115. <li class="md-nav__item">
  116. <a href=".." class="md-nav__link">
  117. Introduction
  118. </a>
  119. </li>
  120. <li class="md-nav__item">
  121. <a href="../api-overview/" class="md-nav__link">
  122. Overview
  123. </a>
  124. </li>
  125. <li class="md-nav__item md-nav__item--nested">
  126. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
  127. <label class="md-nav__link" for="__nav_3">
  128. API Types
  129. <span class="md-nav__icon md-icon"></span>
  130. </label>
  131. <nav class="md-nav" aria-label="API Types" data-md-level="1">
  132. <label class="md-nav__title" for="__nav_3">
  133. <span class="md-nav__icon md-icon"></span>
  134. API Types
  135. </label>
  136. <ul class="md-nav__list" data-md-scrollfix>
  137. <li class="md-nav__item">
  138. <a href="../api-externalsecret/" class="md-nav__link">
  139. ExternalSecret
  140. </a>
  141. </li>
  142. <li class="md-nav__item">
  143. <a href="../api-secretstore/" class="md-nav__link">
  144. SecretStore
  145. </a>
  146. </li>
  147. <li class="md-nav__item">
  148. <a href="../api-clustersecretstore/" class="md-nav__link">
  149. ClusterSecretStore
  150. </a>
  151. </li>
  152. </ul>
  153. </nav>
  154. </li>
  155. <li class="md-nav__item md-nav__item--active md-nav__item--nested">
  156. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
  157. <label class="md-nav__link" for="__nav_4">
  158. Guides
  159. <span class="md-nav__icon md-icon"></span>
  160. </label>
  161. <nav class="md-nav" aria-label="Guides" data-md-level="1">
  162. <label class="md-nav__title" for="__nav_4">
  163. <span class="md-nav__icon md-icon"></span>
  164. Guides
  165. </label>
  166. <ul class="md-nav__list" data-md-scrollfix>
  167. <li class="md-nav__item">
  168. <a href="../guides-introduction/" class="md-nav__link">
  169. Introduction
  170. </a>
  171. </li>
  172. <li class="md-nav__item">
  173. <a href="../guides-getting-started/" class="md-nav__link">
  174. Getting started
  175. </a>
  176. </li>
  177. <li class="md-nav__item">
  178. <a href="../guides-templating/" class="md-nav__link">
  179. Advanced Templating
  180. </a>
  181. </li>
  182. <li class="md-nav__item">
  183. <a href="../guides-controller-class/" class="md-nav__link">
  184. Controller Classes
  185. </a>
  186. </li>
  187. <li class="md-nav__item">
  188. <a href="../guides-all-keys-one-secret/" class="md-nav__link">
  189. All keys, One secret
  190. </a>
  191. </li>
  192. <li class="md-nav__item">
  193. <a href="../guides-common-k8s-secret-types/" class="md-nav__link">
  194. Common K8S Secret Types
  195. </a>
  196. </li>
  197. <li class="md-nav__item md-nav__item--active">
  198. <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
  199. <label class="md-nav__link md-nav__link--active" for="__toc">
  200. Multi Tenancy
  201. <span class="md-nav__icon md-icon"></span>
  202. </label>
  203. <a href="./" class="md-nav__link md-nav__link--active">
  204. Multi Tenancy
  205. </a>
  206. <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  207. <label class="md-nav__title" for="__toc">
  208. <span class="md-nav__icon md-icon"></span>
  209. Table of contents
  210. </label>
  211. <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
  212. <li class="md-nav__item">
  213. <a href="#shared-clustersecretstore" class="md-nav__link">
  214. Shared ClusterSecretStore
  215. </a>
  216. </li>
  217. <li class="md-nav__item">
  218. <a href="#managed-secretstore-per-namespace" class="md-nav__link">
  219. Managed SecretStore per Namespace
  220. </a>
  221. </li>
  222. <li class="md-nav__item">
  223. <a href="#eso-as-a-service" class="md-nav__link">
  224. ESO as a Service
  225. </a>
  226. </li>
  227. </ul>
  228. </nav>
  229. </li>
  230. <li class="md-nav__item">
  231. <a href="../guides-metrics/" class="md-nav__link">
  232. Metrics
  233. </a>
  234. </li>
  235. <li class="md-nav__item">
  236. <a href="../guides-using-latest-image/" class="md-nav__link">
  237. Using Latest Image
  238. </a>
  239. </li>
  240. <li class="md-nav__item">
  241. <a href="../guides-gitops-using-fluxcd/" class="md-nav__link">
  242. GitOps using FluxCD
  243. </a>
  244. </li>
  245. </ul>
  246. </nav>
  247. </li>
  248. <li class="md-nav__item md-nav__item--nested">
  249. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
  250. <label class="md-nav__link" for="__nav_5">
  251. Provider
  252. <span class="md-nav__icon md-icon"></span>
  253. </label>
  254. <nav class="md-nav" aria-label="Provider" data-md-level="1">
  255. <label class="md-nav__title" for="__nav_5">
  256. <span class="md-nav__icon md-icon"></span>
  257. Provider
  258. </label>
  259. <ul class="md-nav__list" data-md-scrollfix>
  260. <li class="md-nav__item md-nav__item--nested">
  261. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_1" type="checkbox" id="__nav_5_1" >
  262. <label class="md-nav__link" for="__nav_5_1">
  263. AWS
  264. <span class="md-nav__icon md-icon"></span>
  265. </label>
  266. <nav class="md-nav" aria-label="AWS" data-md-level="2">
  267. <label class="md-nav__title" for="__nav_5_1">
  268. <span class="md-nav__icon md-icon"></span>
  269. AWS
  270. </label>
  271. <ul class="md-nav__list" data-md-scrollfix>
  272. <li class="md-nav__item">
  273. <a href="../provider-aws-secrets-manager/" class="md-nav__link">
  274. Secrets Manager
  275. </a>
  276. </li>
  277. <li class="md-nav__item">
  278. <a href="../provider-aws-parameter-store/" class="md-nav__link">
  279. Parameter Store
  280. </a>
  281. </li>
  282. </ul>
  283. </nav>
  284. </li>
  285. <li class="md-nav__item md-nav__item--nested">
  286. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_2" type="checkbox" id="__nav_5_2" >
  287. <label class="md-nav__link" for="__nav_5_2">
  288. Azure
  289. <span class="md-nav__icon md-icon"></span>
  290. </label>
  291. <nav class="md-nav" aria-label="Azure" data-md-level="2">
  292. <label class="md-nav__title" for="__nav_5_2">
  293. <span class="md-nav__icon md-icon"></span>
  294. Azure
  295. </label>
  296. <ul class="md-nav__list" data-md-scrollfix>
  297. <li class="md-nav__item">
  298. <a href="../provider-azure-key-vault/" class="md-nav__link">
  299. Key Vault
  300. </a>
  301. </li>
  302. </ul>
  303. </nav>
  304. </li>
  305. <li class="md-nav__item md-nav__item--nested">
  306. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_3" type="checkbox" id="__nav_5_3" >
  307. <label class="md-nav__link" for="__nav_5_3">
  308. Google
  309. <span class="md-nav__icon md-icon"></span>
  310. </label>
  311. <nav class="md-nav" aria-label="Google" data-md-level="2">
  312. <label class="md-nav__title" for="__nav_5_3">
  313. <span class="md-nav__icon md-icon"></span>
  314. Google
  315. </label>
  316. <ul class="md-nav__list" data-md-scrollfix>
  317. <li class="md-nav__item">
  318. <a href="../provider-google-secrets-manager/" class="md-nav__link">
  319. Secrets Manager
  320. </a>
  321. </li>
  322. </ul>
  323. </nav>
  324. </li>
  325. <li class="md-nav__item md-nav__item--nested">
  326. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_4" type="checkbox" id="__nav_5_4" >
  327. <label class="md-nav__link" for="__nav_5_4">
  328. IBM
  329. <span class="md-nav__icon md-icon"></span>
  330. </label>
  331. <nav class="md-nav" aria-label="IBM" data-md-level="2">
  332. <label class="md-nav__title" for="__nav_5_4">
  333. <span class="md-nav__icon md-icon"></span>
  334. IBM
  335. </label>
  336. <ul class="md-nav__list" data-md-scrollfix>
  337. <li class="md-nav__item">
  338. <a href="../provider-ibm-secrets-manager/" class="md-nav__link">
  339. Secrets Manager
  340. </a>
  341. </li>
  342. </ul>
  343. </nav>
  344. </li>
  345. <li class="md-nav__item">
  346. <a href="../provider-akeyless/" class="md-nav__link">
  347. Akeyless
  348. </a>
  349. </li>
  350. <li class="md-nav__item">
  351. <a href="../provider-hashicorp-vault/" class="md-nav__link">
  352. HashiCorp Vault
  353. </a>
  354. </li>
  355. <li class="md-nav__item md-nav__item--nested">
  356. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_7" type="checkbox" id="__nav_5_7" >
  357. <label class="md-nav__link" for="__nav_5_7">
  358. Yandex
  359. <span class="md-nav__icon md-icon"></span>
  360. </label>
  361. <nav class="md-nav" aria-label="Yandex" data-md-level="2">
  362. <label class="md-nav__title" for="__nav_5_7">
  363. <span class="md-nav__icon md-icon"></span>
  364. Yandex
  365. </label>
  366. <ul class="md-nav__list" data-md-scrollfix>
  367. <li class="md-nav__item">
  368. <a href="../provider-yandex-lockbox/" class="md-nav__link">
  369. Lockbox
  370. </a>
  371. </li>
  372. </ul>
  373. </nav>
  374. </li>
  375. <li class="md-nav__item md-nav__item--nested">
  376. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_8" type="checkbox" id="__nav_5_8" >
  377. <label class="md-nav__link" for="__nav_5_8">
  378. Gitlab
  379. <span class="md-nav__icon md-icon"></span>
  380. </label>
  381. <nav class="md-nav" aria-label="Gitlab" data-md-level="2">
  382. <label class="md-nav__title" for="__nav_5_8">
  383. <span class="md-nav__icon md-icon"></span>
  384. Gitlab
  385. </label>
  386. <ul class="md-nav__list" data-md-scrollfix>
  387. <li class="md-nav__item">
  388. <a href="../provider-gitlab-project-variables/" class="md-nav__link">
  389. Gitlab Project Variables
  390. </a>
  391. </li>
  392. </ul>
  393. </nav>
  394. </li>
  395. <li class="md-nav__item md-nav__item--nested">
  396. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_9" type="checkbox" id="__nav_5_9" >
  397. <label class="md-nav__link" for="__nav_5_9">
  398. Oracle
  399. <span class="md-nav__icon md-icon"></span>
  400. </label>
  401. <nav class="md-nav" aria-label="Oracle" data-md-level="2">
  402. <label class="md-nav__title" for="__nav_5_9">
  403. <span class="md-nav__icon md-icon"></span>
  404. Oracle
  405. </label>
  406. <ul class="md-nav__list" data-md-scrollfix>
  407. <li class="md-nav__item">
  408. <a href="../provider-oracle-vault/" class="md-nav__link">
  409. Oracle Vault
  410. </a>
  411. </li>
  412. </ul>
  413. </nav>
  414. </li>
  415. <li class="md-nav__item">
  416. <a href="../provider-webhook/" class="md-nav__link">
  417. Webhook
  418. </a>
  419. </li>
  420. </ul>
  421. </nav>
  422. </li>
  423. <li class="md-nav__item md-nav__item--nested">
  424. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
  425. <label class="md-nav__link" for="__nav_6">
  426. References
  427. <span class="md-nav__icon md-icon"></span>
  428. </label>
  429. <nav class="md-nav" aria-label="References" data-md-level="1">
  430. <label class="md-nav__title" for="__nav_6">
  431. <span class="md-nav__icon md-icon"></span>
  432. References
  433. </label>
  434. <ul class="md-nav__list" data-md-scrollfix>
  435. <li class="md-nav__item">
  436. <a href="../spec/" class="md-nav__link">
  437. API specification
  438. </a>
  439. </li>
  440. </ul>
  441. </nav>
  442. </li>
  443. <li class="md-nav__item md-nav__item--nested">
  444. <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
  445. <label class="md-nav__link" for="__nav_7">
  446. Contributing
  447. <span class="md-nav__icon md-icon"></span>
  448. </label>
  449. <nav class="md-nav" aria-label="Contributing" data-md-level="1">
  450. <label class="md-nav__title" for="__nav_7">
  451. <span class="md-nav__icon md-icon"></span>
  452. Contributing
  453. </label>
  454. <ul class="md-nav__list" data-md-scrollfix>
  455. <li class="md-nav__item">
  456. <a href="../contributing-devguide/" class="md-nav__link">
  457. Developer guide
  458. </a>
  459. </li>
  460. <li class="md-nav__item">
  461. <a href="../contributing-process/" class="md-nav__link">
  462. Contributing Process
  463. </a>
  464. </li>
  465. <li class="md-nav__item">
  466. <a href="../contributing-coc/" class="md-nav__link">
  467. Code of Conduct
  468. </a>
  469. </li>
  470. </ul>
  471. </nav>
  472. </li>
  473. <li class="md-nav__item">
  474. <a href="../deprecation-policy/" class="md-nav__link">
  475. Deprecation Policy
  476. </a>
  477. </li>
  478. </ul>
  479. </nav>
  480. </div>
  481. </div>
  482. </div>
  483. <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
  484. <div class="md-sidebar__scrollwrap">
  485. <div class="md-sidebar__inner">
  486. <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  487. <label class="md-nav__title" for="__toc">
  488. <span class="md-nav__icon md-icon"></span>
  489. Table of contents
  490. </label>
  491. <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
  492. <li class="md-nav__item">
  493. <a href="#shared-clustersecretstore" class="md-nav__link">
  494. Shared ClusterSecretStore
  495. </a>
  496. </li>
  497. <li class="md-nav__item">
  498. <a href="#managed-secretstore-per-namespace" class="md-nav__link">
  499. Managed SecretStore per Namespace
  500. </a>
  501. </li>
  502. <li class="md-nav__item">
  503. <a href="#eso-as-a-service" class="md-nav__link">
  504. ESO as a Service
  505. </a>
  506. </li>
  507. </ul>
  508. </nav>
  509. </div>
  510. </div>
  511. </div>
  512. <div class="md-content" data-md-component="content">
  513. <article class="md-content__inner md-typeset">
  514. <a href="https://github.com/external-secrets/external-secrets/edit/master/docs/guides-multi-tenancy.md" title="Edit this page" class="md-content__button md-icon">
  515. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
  516. </a>
  517. <h1>Multi Tenancy</h1>
  518. <p>External Secrets Operator provides different modes of operation to fulfill
  519. organizational needs. This guide outlines the flexibility of ESO and should give
  520. you a first impression of how you can employ this operator in your organization.</p>
  521. <p>For a multi-tenant deployment you should first examine your organizational
  522. structure:</p>
  523. <ol>
  524. <li>what roles (i.e. <em>Application Developers</em>, <em>Cluster Admins</em>, ...) do you have
  525. in your organization,</li>
  526. <li>what responsibilities do they have and</li>
  527. <li>how does that map to Kubernetes RBAC roles.</li>
  528. </ol>
  529. <p>Further, you should examine how your external API provider manages access
  530. control for your secrets. Can you limit access by secret names (e.g.
  531. <code>db/dev/*</code>)? Or only on a bucket level? Please keep in mind that not all
  532. external APIs provide fine-grained access management for secrets.</p>
  533. <p><strong>Note:</strong> The following examples should <strong>not</strong> be considered best practice
  534. but rather examples that show how to combine different mechanisms and
  535. techniques for tenant isolation.</p>
  536. <h3 id="shared-clustersecretstore">Shared ClusterSecretStore</h3>
  537. <p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-shared.png" /></p>
  538. <p>A Cluster Administrator deploys a <code>ClusterSecretStore</code> (CSS) and manages access
  539. to the external API. The CSS is shared by all tenants within the cluster.
  540. Application Developers reference it in an <code>ExternalSecret</code> but cannot create
  541. ClusterSecretStores or SecretStores on their own. Because every tenant references
  542. the same store, all application developers now have access to all the secrets. You
  543. probably want to limit access to certain keys or prefixes that should be used. ESO
  544. does not provide a mechanism to limit access to certain keys per namespace. More
  545. advanced validation should be done with an Admission Webhook (e.g. with
  546. <a href="https://kyverno.io/">Kyverno</a> or <a href="https://www.openpolicyagent.org/">Open Policy Agent</a>).</p>
  547. <p>This setup is well suited if you have one central bucket that contains all of your
  548. secrets and your Cluster Administrators should manage access to it. This setup
  549. is very simple but does not scale very well.</p>
  550. <h3 id="managed-secretstore-per-namespace">Managed SecretStore per Namespace</h3>
  551. <p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-managed-store.png" /></p>
  552. <p>Cluster Administrators manage one or multiple <code>SecretStores</code> per Namespace. Each
  553. SecretStore uses its own <em>role</em> that limits access to a small set of keys. The
  554. peculiarity of this approach is that <strong>access is actually managed by the
  555. external API</strong>, which provides the roles. The Cluster Administrator just does the
  556. wiring. This approach may be desirable if you have an external entity - let's
  557. call it <strong>Secret Administrator</strong> - that manages access and lifecycle of the
  558. secrets.</p>
  559. <h3 id="eso-as-a-service">ESO as a Service</h3>
  560. <p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-self-service.png" /></p>
  561. <p>Every namespace is self-contained. Application developers manage <code>SecretStore</code>,
  562. <code>ExternalSecret</code> and secret infrastructure on their own. Cluster Administrators
  563. <em>just</em> provide the External Secrets Operator as a service.</p>
  564. <p>This makes sense if application developers should be completely autonomous while
  565. a central team provides common services.</p>
  566. </article>
  567. </div>
  568. </div>
  569. </main>
  570. <footer class="md-footer">
  571. <nav class="md-footer__inner md-grid" aria-label="Footer">
  572. <a href="../guides-common-k8s-secret-types/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Common K8S Secret Types" rel="prev">
  573. <div class="md-footer__button md-icon">
  574. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
  575. </div>
  576. <div class="md-footer__title">
  577. <div class="md-ellipsis">
  578. <span class="md-footer__direction">
  579. Previous
  580. </span>
  581. Common K8S Secret Types
  582. </div>
  583. </div>
  584. </a>
  585. <a href="../guides-metrics/" class="md-footer__link md-footer__link--next" aria-label="Next: Metrics" rel="next">
  586. <div class="md-footer__title">
  587. <div class="md-ellipsis">
  588. <span class="md-footer__direction">
  589. Next
  590. </span>
  591. Metrics
  592. </div>
  593. </div>
  594. <div class="md-footer__button md-icon">
  595. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
  596. </div>
  597. </a>
  598. </nav>
  599. <div class="md-footer-meta md-typeset">
  600. <div class="md-footer-meta__inner md-grid">
  601. <div class="md-footer-copyright">
  602. Made with
  603. <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
  604. Material for MkDocs
  605. </a>
  606. </div>
  607. </div>
  608. </div>
  609. </footer>
  610. </div>
  611. <div class="md-dialog" data-md-component="dialog">
  612. <div class="md-dialog__inner md-typeset"></div>
  613. </div>
  614. <script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.b0710199.min.js", "version": {"provider": "mike"}}</script>
  615. <script src="../assets/javascripts/bundle.76f349be.min.js"></script>
  616. </body>
  617. </html>