
External secret management integration in Kubernetes - Commands & Configuration

Introduction
Managing sensitive data like passwords or API keys directly in Kubernetes can be risky. External secret management integration helps keep these secrets safe by storing them outside Kubernetes and injecting them securely when needed.
When you want to keep database passwords out of Kubernetes configuration files to reduce risk of leaks.
When multiple applications need access to the same secret stored centrally and updated automatically.
When you want to rotate secrets regularly without redeploying your Kubernetes workloads.
When compliance rules require secrets to be stored in a dedicated secure vault.
When you want to audit who accessed or changed secrets outside Kubernetes.
Config File - externalsecret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-database-secret
  namespace: default
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: my-vault
    kind: ClusterSecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: database/creds
      property: username
  - secretKey: password
    remoteRef:
      key: database/creds
      property: password

This file defines an ExternalSecret resource that tells Kubernetes to fetch secrets from an external vault.

apiVersion and kind specify the resource type.

metadata names the secret and sets the namespace.

spec contains the details: how often to refresh, which external secret store to use, and what keys to fetch.

target defines the Kubernetes Secret name to create with the fetched data.

data maps keys from the external vault to keys in the Kubernetes Secret.
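The secretStoreRef above points at a ClusterSecretStore named my-vault, which this page never shows. The following is an added example, not from the original page or from the External Secrets project, of what that resource could look like for a HashiCorp Vault backend. Only the name (my-vault) and kind (ClusterSecretStore) come from the page; the Vault address, KV mount path, auth mount, role and service account are assumptions.

```yaml
# Added example: the cluster-wide store that externalsecret.yaml references
# by name (my-vault) and kind (ClusterSecretStore). Everything except those
# two values is an assumption for illustration.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: my-vault
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed Vault address
      path: "secret"        # assumed KV mount; with version v2 the remoteRef
      version: "v2"         # key database/creds resolves to secret/data/database/creds
      auth:
        # Kubernetes auth: the operator's service account token is exchanged
        # for a short-lived Vault token bound to a role, so no long-lived
        # Vault token has to be stored inside the cluster.
        kubernetes:
          mountPath: "kubernetes"          # assumed Vault auth mount
          role: "external-secrets"         # assumed Vault role
          serviceAccountRef:
            name: "external-secrets"       # assumed operator service account
            namespace: "external-secrets"  # namespace is required on a ClusterSecretStore
```

Apply this before externalsecret.yaml. The Vault policy attached to the assumed role only needs read access to the paths the ExternalSecret maps (here database/creds), which keeps the blast radius small if the operator's identity is ever abused. kubectl describe clustersecretstore my-vault shows a Ready condition once the operator has validated the connection; if it is not Ready, the ExternalSecret that depends on it will not sync either.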

Commands
This command creates the ExternalSecret resource in Kubernetes, which starts the process of fetching secrets from the external vault and creating a Kubernetes Secret.
Terminal
kubectl apply -f externalsecret.yaml
Expected Output
externalsecret.external-secrets.io/my-database-secret created
This command checks that the Kubernetes Secret named 'database-credentials' was created and contains the data fetched from the external secret store.
Terminal
kubectl get secret database-credentials -o yaml
Expected Output
apiVersion: v1
data:
  password: cGFzc3dvcmQ=
  username: dXNlcg==
kind: Secret
metadata:
  name: database-credentials
  namespace: default
type: Opaque
-o yaml - Outputs the Secret in YAML format so you can inspect its contents; the values are base64 encoded, not encrypted, so anyone allowed to read the Secret can decode them.
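The database-credentials Secret is an ordinary Kubernetes Secret, so workloads consume it the usual way. The manifest below is an added example, not code from the original page, of a Deployment that reads the two keys the ExternalSecret created; the Deployment name, image and environment variable names are assumptions, while the Secret name and keys come from externalsecret.yaml.

```yaml
# Added example: a workload consuming the Secret that the ExternalSecret
# created. Only the Secret name and keys come from the page; the
# Deployment name, image and variable names are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: registry.example.internal/api:1.0   # assumed image
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: database-credentials   # target.name from externalsecret.yaml
              key: username                # secretKey from the data mapping
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: database-credentials
              key: password
```

Because the Secret is created asynchronously by the operator, run kubectl wait --for=condition=Ready externalsecret/my-database-secret --timeout=120s before applying this Deployment; otherwise the pod fails to start with a missing-secret error until the sync completes. One caveat for rotation: refreshInterval updates the Kubernetes Secret object, but environment variables are read once at container start, so rotated values only reach this pod after a restart. Mounting the Secret as a volume lets the kubelet refresh the files in place without a restart.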
This command shows details about the ExternalSecret resource, including status and any errors fetching secrets.
Terminal
kubectl describe externalsecret my-database-secret
Expected Output
Name:         my-database-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  external-secrets.io/v1beta1
Kind:         ExternalSecret
Metadata:
  Creation Timestamp:  2024-06-01T12:00:00Z
Spec:
  Refresh Interval:  1h
  Secret Store Ref:
    Kind:  ClusterSecretStore
    Name:  my-vault
  Target:
    Creation Policy:  Owner
    Name:             database-credentials
  Data:
    Secret Key:  username
    Remote Ref:
      Key:       database/creds
      Property:  username
    Secret Key:  password
    Remote Ref:
      Key:       database/creds
      Property:  password
Status:
  Conditions:
    Type:    Ready
    Status:  True
Key Concept

If you remember nothing else from this pattern, remember: External secrets keep sensitive data safe by fetching it securely from outside Kubernetes and injecting it only when needed.

Common Mistakes
Not creating or configuring the external secret store (like Vault) before applying the ExternalSecret resource.
The External Secrets controller cannot fetch secrets without a properly configured external secret store, so the ExternalSecret will fail and its Ready condition will not become True.
Set up and configure the external secret store and the ClusterSecretStore resource in Kubernetes before creating ExternalSecret resources.
Using incorrect keys or property names in the ExternalSecret data mapping.
If the keys do not match those in the external vault, the secret data will not be fetched correctly.
Verify the exact keys and properties in the external vault and use those names in the ExternalSecret spec.
Trying to access the Kubernetes Secret before the ExternalSecret controller has fetched and created it.
The Secret will not exist yet, causing errors in applications that depend on it.
Wait a few moments after applying the ExternalSecret and check its status before using the Kubernetes Secret.
Summary
Create an ExternalSecret resource to define which secrets to fetch from an external vault.
Apply the ExternalSecret with kubectl to start syncing secrets into Kubernetes.
Verify the Kubernetes Secret is created with the fetched data using kubectl get secret.
Use kubectl describe to check the ExternalSecret status and troubleshoot if needed.