K8s by Example: External Secrets

External Secrets Operator (ESO) syncs secrets from AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault and others into Kubernetes. The secrets stay in your vault and are synced into the cluster automatically. What lands in the cluster is an ordinary Kubernetes Secret, so etcd encryption at rest and RBAC on Secrets still matter: ESO removes the need to ship secrets through manifests and CI, not the need to protect them once synced.

external-secret.yaml

ExternalSecret defines which secrets to sync. refreshInterval controls how often the operator polls the provider (the default is 1h; a rotated value takes up to one interval to appear in the cluster). secretStoreRef points at the store that holds the provider connection. remoteRef names the remote secret (key) and, optionally, the JSON property to extract from it.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: my-app/database
        property: url
secret-store.yaml

ClusterSecretStore defines the connection to your secret provider. Typically one per cluster or environment. It is cluster-scoped, so by default an ExternalSecret in any namespace can use it and read anything the store's credentials can read; restrict it with spec.conditions, or use SecretStore, the namespace-scoped alternative, for per-team stores. Authenticate with IRSA (AWS) or Workload Identity (GCP/Azure) rather than long-lived keys. Because anyone who can create an ExternalSecret can pull secrets through the store, treat create/update on ExternalSecrets as the same privilege as read on Secrets.

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: team-vault
  namespace: my-team
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "my-team"
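The two pieces the AWS store above leaves implicit, as an added example that is not part of the original page: the ServiceAccount the store references, annotated for IRSA, and the store itself restricted to named namespaces with spec.conditions (available in recent ESO releases). The AWS account ID, role ARN and namespace names are placeholders.

```yaml
# Added example (not from the original page). Placeholders: account ID,
# role ARN, namespace names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets
  namespace: external-secrets
  annotations:
    # IRSA: the operator exchanges this ServiceAccount's projected token for
    # credentials of this IAM role, so no static access key exists anywhere
    # in the cluster. Scope the role's IAM policy to
    # secretsmanager:GetSecretValue on the specific secret ARNs it needs
    # (for example arn:aws:secretsmanager:us-west-2:123456789012:secret:my-app/*),
    # not to "*".
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  # Without conditions, an ExternalSecret in ANY namespace can use this store
  # and read whatever the IAM role can read. Limit it to the namespaces that
  # should have that access.
  conditions:
    - namespaces:
        - my-app
        - my-team
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
```

An ExternalSecret created in a namespace outside the list is rejected by the store and never reaches AWS, which turns the IAM policy plus the namespace list into the effective access-control boundary for every secret the role can read.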
external-secret-aws.yaml

AWS Secrets Manager provider. Store secrets as JSON and extract individual properties with remoteRef.property. Works with IRSA, so the operator needs no static access keys; scope the IAM role to secretsmanager:GetSecretValue on the secret ARNs it actually needs.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: my-app/prod
        property: db_url
    - secretKey: API_KEY
      remoteRef:
        key: my-app/prod
        property: api_key
external-secret-vault.yaml

HashiCorp Vault provider. Supports KV v1, KV v2 and other secret engines; set version to match the mount (with KV v2 the key is given relative to the mount and ESO inserts the /data/ segment itself). Use Kubernetes auth so the operator authenticates with a service account token against a Vault role and policy scoped to the paths it needs, rather than with a static Vault token.

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-secret
spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  data:
    - secretKey: password
      remoteRef:
        key: apps/my-app
        property: password
external-secret-datafrom.yaml

Sync every key of a remote secret with dataFrom.extract. Each property in the remote JSON becomes a key in the Kubernetes Secret. Useful for secrets with many keys, but it copies the whole remote secret, not just what the workload needs, so keep remote secrets scoped to a single application.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
  dataFrom:
    - extract:
        key: my-app/production
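An added example, not from the original page, that goes beyond extract: dataFrom.find pulls in every remote secret whose name matches a regexp, and rewrite renames the resulting keys. The secret names, prefix and namespace are assumptions.

```yaml
# Added example (not from the original page). Assumed: remote secrets named
# my-app/production/<name> in AWS Secrets Manager, namespace my-app.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: my-app
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
  dataFrom:
    # extract: one remote secret; every JSON property becomes a Secret key.
    - extract:
        key: my-app/production
    # find: every remote secret whose NAME matches the regexp; each becomes one
    # Secret key holding the whole remote value. The result is bounded only by
    # what the store's credentials can list and read, so keep the pattern
    # narrow. On AWS this also needs secretsmanager:ListSecrets in the IAM policy.
    - find:
        name:
          regexp: "^my-app/production/.*"
      # Remote names contain "/", which is not valid in a Secret data key
      # (keys must match [-._a-zA-Z0-9]+), so strip the prefix.
      rewrite:
        - regexp:
            source: "^my-app/production/(.*)$"
            target: "$1"
```

With a broad pattern such as ".*", find turns the ExternalSecret into a dump of everything the role can read into one namespace; the regexp should be as specific as the remote naming scheme allows, and the IAM policy (not the regexp) is what actually prevents reading other applications' secrets.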
external-secret-template.yaml

Target options control the Secret that is created. Set labels, annotations, type and creation policy. creationPolicy: Owner (the default) makes the Secret owned by the ExternalSecret, so it is garbage-collected when the ExternalSecret is deleted; Orphan leaves it in place. Use templates for transformations: every secretKey in data is available as a template variable. The example below builds a kubernetes.io/tls Secret, which requires both tls.crt and tls.key, from two separately stored remote secrets.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
      metadata:
        labels:
          app: my-app
        annotations:
          description: "Synced from AWS"
      data:
        tls.crt: "{{ .cert }}"
        tls.key: "{{ .key }}"
  data:
    - secretKey: cert
      remoteRef:
        key: my-app/tls-cert
    - secretKey: key
      remoteRef:
        key: my-app/tls-key
secret-store-cloud.yaml

GCP Secret Manager and Azure Key Vault providers. Use GKE Workload Identity (GCP) or Azure AD Workload Identity (Azure, authType WorkloadIdentity, which replaces the deprecated AAD Pod Identity) so that no service-account key or client secret is stored in the cluster.

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp-secrets
spec:
  provider:
    gcpsm:
      projectID: my-project-123
      auth:
        workloadIdentity:
          clusterLocation: us-central1
          clusterName: my-cluster
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: azure-keyvault
spec:
  provider:
    azurekv:
      vaultUrl: "https://my-vault.vault.azure.net"
      authType: WorkloadIdentity
      serviceAccountRef:
        name: external-secrets
        namespace: external-secrets
terminal

Check sync status and troubleshoot. ExternalSecret creates a regular Kubernetes Secret that Pods consume as usual (envFrom, secretKeyRef, volume). Force a sync by setting the force-sync annotation to a new value. Common problems: SecretStore auth failure (check the IAM role, Vault policy or Workload Identity binding on the referenced ServiceAccount), secret not found (check the remote key path and the region or mount), property not found (check the JSON structure of the remote value). Note that kubectl get secret -o yaml prints values base64-encoded, not encrypted; keep it out of shared sessions and CI logs.

$ kubectl get externalsecret
NAME          STORE                 REFRESH INTERVAL   STATUS         READY
app-secrets   aws-secrets-manager   1h                 SecretSynced   True

$ kubectl describe externalsecret app-secrets
Status:
  Conditions:
    Type:    Ready
    Status:  True
    Reason:  SecretSynced
  Refresh Time: 2024-01-15T10:30:00Z

$ kubectl get clustersecretstore aws-secrets-manager

$ kubectl get secret app-secrets -o yaml

$ kubectl annotate externalsecret app-secrets \
    force-sync=$(date +%s) --overwrite

$ kubectl logs -n external-secrets \
    -l app.kubernetes.io/name=external-secrets
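How a workload consumes the synced Secret, as an added example that is not code from the original page. The image reference, UID and namespace are placeholders; the Secret app-secrets is the one produced by the ExternalSecret above.

```yaml
# Added example (not from the original page). Placeholders: image, UID,
# namespace. Assumes the ExternalSecret has synced app-secrets into my-app.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-app
      # The app talks to the database, not to the Kubernetes API.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        # fsGroup gives the secret volume files group ownership 10001 so the
        # read-only 0440 mode below is readable by the non-root user.
        fsGroup: 10001
      containers:
        - name: app
          image: registry.example.com/my-app:1.0.0
          # File mount: kubelet rewrites the files when the Secret changes,
          # so a value rotated in the vault reaches the container after the
          # refreshInterval plus the kubelet sync delay (not with subPath mounts).
          volumeMounts:
            - name: app-secrets
              mountPath: /var/run/secrets/app
              readOnly: true
          # Env var: read once at container start; a rotated value needs a
          # Pod restart to take effect.
          env:
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: API_KEY
      volumes:
        - name: app-secrets
          secret:
            secretName: app-secrets
            defaultMode: 0440
```

Prefer the file mount for anything you expect to rotate, and have the application re-read the file (or watch it) rather than caching the value for the life of the process; otherwise the refreshInterval on the ExternalSecret buys nothing.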
