QUICKSTART.md 9.5 KB
Quick Start: Deploy External Secrets with Providers
This guide will help you quickly deploy External Secrets with provider support.
Prerequisites
- Kubernetes cluster (1.19+)
- Helm 3.x
- kubectl configured
Quick Start
1. Add Helm Repository (if not already added)
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
2. Basic Installation with Single Provider
Create a values.yaml file:
# Basic controller configuration
installCRDs: true
replicaCount: 1
# Enable provider deployments
providers:
enabled: true
list:
- name: aws
type: aws
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-aws
serviceAccount:
create: true
# Add your cloud IAM annotations here
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::YOUR-ACCOUNT:role/YOUR-ROLE
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
config:
region: us-east-1
3. Install
helm install external-secrets external-secrets/external-secrets -f values.yaml
4. Verify Installation
# Check controller
kubectl get pods -l app.kubernetes.io/name=external-secrets
# Check provider
kubectl get pods -l app.kubernetes.io/component=provider
# Check all resources
kubectl get all -l app.kubernetes.io/instance=external-secrets
Provider-Specific Examples
AWS with IRSA
providers:
enabled: true
list:
- name: aws
type: aws
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-aws
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-secrets-provider
config:
region: us-east-1
authMethod: irsa
Required AWS IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "*"
}
]
}
GCP with Workload Identity
providers:
enabled: true
list:
- name: gcp
type: gcp
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-gcp
serviceAccount:
create: true
annotations:
iam.gke.io/gcp-service-account: external-secrets@PROJECT-ID.iam.gserviceaccount.com
config:
projectID: PROJECT-ID
Required GCP IAM Role:
gcloud projects add-iam-policy-binding PROJECT-ID \
--member="serviceAccount:external-secrets@PROJECT-ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
Azure with Workload Identity
providers:
enabled: true
list:
- name: azure
type: azure
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-azure
serviceAccount:
create: true
annotations:
azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
podLabels:
azure.workload.identity/use: "true"
config:
vaultURL: https://my-keyvault.vault.azure.net
tenantID: "00000000-0000-0000-0000-000000000000"
HashiCorp Vault
providers:
enabled: true
list:
- name: vault
type: vault
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-vault
serviceAccount:
create: true
config:
vaultAddr: https://vault.example.com
authMethod: kubernetes
extraEnv:
- name: VAULT_NAMESPACE
value: "admin"
Multiple Providers Example
providers:
enabled: true
list:
# AWS Provider
- name: aws-prod
type: aws
enabled: true
replicaCount: 3
image:
repository: oci.external-secrets.io/external-secrets/provider-aws
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-aws
config:
region: us-east-1
# GCP Provider
- name: gcp-prod
type: gcp
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-gcp
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: eso@project.iam.gserviceaccount.com
config:
projectID: my-project
Common Configurations
Enable Auto-Scaling
providers:
list:
- name: aws
# ...other config...
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 10
targetCPUUtilizationPercentage: 80
Enable Metrics & Monitoring
providers:
list:
- name: aws
# ...other config...
metrics:
enabled: true
port: 8081
serviceMonitor:
enabled: true
interval: 30s
High Availability Configuration
providers:
list:
- name: aws
replicaCount: 3
podDisruptionBudget:
enabled: true
minAvailable: 2
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
external-secrets.io/provider: aws
topologyKey: kubernetes.io/hostname
topologySpreadConstraints:
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
external-secrets.io/provider: aws
Verification Commands
# Check all resources
kubectl get all -l app.kubernetes.io/instance=external-secrets
# Check provider deployments
kubectl get deployment -l app.kubernetes.io/component=provider
# Check provider pods
kubectl get pods -l app.kubernetes.io/component=provider
# Check provider services
kubectl get svc -l app.kubernetes.io/component=provider
# View provider logs
kubectl logs -l external-secrets.io/provider=aws -f
# Check metrics
kubectl port-forward svc/external-secrets-provider-aws 8081:8081 &
curl http://localhost:8081/metrics
# Check health
kubectl port-forward svc/external-secrets-provider-aws 8082:8082 &
curl http://localhost:8082/healthz
curl http://localhost:8082/readyz
Troubleshooting
Provider Pod Not Starting
# Check pod status
kubectl describe pod -l external-secrets.io/provider=aws
# Check logs
kubectl logs -l external-secrets.io/provider=aws --tail=50
# Check events
kubectl get events --sort-by='.lastTimestamp' | grep provider
Authentication Issues
AWS IRSA:
# Check service account annotations
kubectl describe sa external-secrets-provider-aws
# Check if role is properly configured
aws sts get-caller-identity
# Check if pod has the right environment variables
kubectl exec -it deployment/external-secrets-provider-aws -- env | grep AWS
GCP Workload Identity:
# Check service account annotations
kubectl describe sa external-secrets-provider-gcp
# Verify workload identity binding
gcloud iam service-accounts get-iam-policy \
external-secrets@PROJECT-ID.iam.gserviceaccount.com
Check Connectivity
# Check if provider service is accessible
kubectl get svc -l app.kubernetes.io/component=provider
# Test connectivity from controller to provider
kubectl exec -it deployment/external-secrets -- \
nc -zv external-secrets-provider-aws 8080
Next Steps
Create a SecretStore pointing to your provider:
apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: aws-secrets spec: provider: aws: service: SecretsManager region: us-east-1Create an ExternalSecret to sync secrets:
apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: my-secret spec: refreshInterval: 1h secretStoreRef: name: aws-secrets kind: SecretStore target: name: my-k8s-secret data: - secretKey: password remoteRef: key: my-secret-nameVerify the secret was created:
kubectl get externalsecret kubectl get secret my-k8s-secret
Additional Resources
- Provider Deployment Guide - Comprehensive provider configuration reference
- Official Documentation
- GitHub Repository
- Example Values Files
Common Helm Commands
# Install
helm install external-secrets external-secrets/external-secrets -f values.yaml
# Upgrade
helm upgrade external-secrets external-secrets/external-secrets -f values.yaml
# Uninstall
helm uninstall external-secrets
# Dry-run (test without installing)
helm install external-secrets external-secrets/external-secrets -f values.yaml --dry-run
# Template (see generated manifests)
helm template external-secrets external-secrets/external-secrets -f values.yaml
# Get values
helm get values external-secrets
# Get all information
helm status external-secrets