Kubernetesdevops~30 mins

External secret management integration in Kubernetes - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

External Secret Management Integration in Kubernetes

📖 Scenario: You are managing a Kubernetes cluster for a small company. You want to keep sensitive information like database passwords outside of your cluster configuration files. To do this safely, you will use an external secret management tool and integrate it with Kubernetes.

🎯 Goal: Learn how to create a Kubernetes Secret that pulls data from an external secret manager using External Secrets Operator. You will create a secret definition, configure the external secret reference, and verify the secret is available inside the cluster.

📋 What You'll Learn

Create a Kubernetes Secret manifest referencing an external secret

Add configuration to specify the external secret provider and secret key

Apply the manifest to the cluster to create the external secret

Verify the secret data is available inside Kubernetes

💡 Why This Matters

🌍 Real World

Many companies keep sensitive data like passwords and API keys outside their Kubernetes manifests to improve security. External secret management tools help automate this securely.

💼 Career

DevOps engineers and Kubernetes administrators often integrate external secret managers to protect sensitive information and comply with security best practices.

Progress0 / 4 steps

Create ExternalSecret manifest skeleton

Create a YAML manifest named external-secret.yaml with kind ExternalSecret and apiVersion external-secrets.io/v1beta1. Set metadata name to my-db-secret and namespace to default. Add an empty spec section.

Kubernetes

# Create the ExternalSecret manifest skeleton with metadata and empty spec

Need a hint?

Start by defining the basic structure of the ExternalSecret resource with metadata and an empty spec.

Add external secret provider configuration

In the spec section of external-secret.yaml, add secretStoreRef with name: my-secret-store and kind: SecretStore. Then add target with name: my-db-secret and creationPolicy: Owner.

Kubernetes

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-db-secret
  namespace: default
spec:
  # Add secretStoreRef and target configuration here

Need a hint?

Configure which external secret store to use and how to create the Kubernetes secret.

Add data mapping for external secret keys

Inside the spec of external-secret.yaml, add a data list with one item. The item should have secretKey: password and remoteRef: key: db-password to map the external secret key db-password to the Kubernetes secret key password.

Kubernetes

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-db-secret
  namespace: default
spec:
  secretStoreRef:
    name: my-secret-store
    kind: SecretStore
  target:
    name: my-db-secret
    creationPolicy: Owner
  # Add data mapping here

Need a hint?

Map the external secret key to the Kubernetes secret key using the data list.

Apply manifest and verify secret

Run kubectl apply -f external-secret.yaml to create the ExternalSecret. Then run kubectl get secret my-db-secret -o jsonpath='{.data.password}' to verify the secret data is present (base64 encoded).

Kubernetes

# Run the commands below in your terminal
# kubectl apply -f external-secret.yaml
# kubectl get secret my-db-secret -o jsonpath='{.data.password}'

Need a hint?

The output should be the base64 encoded string of the password, for example cGFzc3dvcmQ= for 'password'.