External Secrets Operator 0.9: Kubernetes Secret Management

Introduction
External Secrets Operator 0.9, released on August 22, 2022, continues to evolve as the leading solution for integrating external secret management systems with Kubernetes. This release improves provider support, enhances security features, and delivers better reliability for secret synchronization in cloud-native environments.
Security features matter most when you’re trying to enforce guardrails without blocking delivery. This release is useful if you’re tightening policy, improving visibility, or hardening defaults across Kubernetes workloads.
Provider Support Expansion
- Cloud provider integrations expand support for AWS Secrets Manager, Azure Key Vault, Google Secret Manager, and HashiCorp Vault.
- Secret store improvements enhance compatibility with additional secret management systems.
- Multi-provider support enables managing secrets from multiple external systems.
- Provider-specific features leverage unique capabilities of each secret store.
Security Enhancements
- Secret rotation support enables automatic synchronization of rotated secrets from external stores.
- Encryption improvements ensure secrets are encrypted at rest and in transit.
- RBAC integration provides fine-grained access control for secret management.
- Audit logging tracks all secret access and synchronization events.
Kubernetes Integration
- CRD support enables managing secrets as Kubernetes-native resources.
- Secret synchronization automatically keeps Kubernetes secrets in sync with external stores.
- Namespace isolation ensures secrets are scoped to appropriate namespaces.
- Label selectors enable flexible secret management based on resource labels.
Advanced Features
- Secret templating enables dynamic secret generation based on templates.
- Multi-secret support allows combining multiple external secrets into single Kubernetes secrets.
- Health checks monitor secret store connectivity and synchronization status.
- Metrics integration exposes secret synchronization metrics for Prometheus.
Getting Started
```bash
kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.0/deploy/crds/bundle.yaml
kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.0/deploy/charts/external-secrets/templates/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.0/deploy/charts/external-secrets/templates/deployment.yaml
```
Create a SecretStore:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
```
Create an ExternalSecret:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: my-kubernetes-secret
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: my-secret-key
      property: password
```
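To make the two manifests above concrete, here is an added simulation (not code from the External Secrets project) of what one reconcile of that ExternalSecret does: it resolves `remoteRef.key` plus `remoteRef.property` against a constructed in-memory stand-in for AWS Secrets Manager, renders the resulting Kubernetes Secret with the ownerReference that `creationPolicy: Owner` implies, and shows how the next refresh detects a rotated upstream value. It assumes the manifest lives in the `default` namespace and that the remote value is a JSON document, the common Secrets Manager layout.

```python
import base64
import json
# Constructed stand-in for the AWS Secrets Manager store behind the page's SecretStore.
# Secrets Manager often holds JSON; ESO's remoteRef.property selects one field of it.
REMOTE_STORE = {
    "my-secret-key": json.dumps({"username": "app", "password": "s3cr3t-v1"}),
}
# The page's ExternalSecret manifest as Python data (namespace assumed: default).
EXTERNAL_SECRET = {
    "metadata": {"name": "my-secret", "namespace": "default"},
    "spec": {
        "refreshInterval": "1h",
        "secretStoreRef": {"name": "aws-secrets-manager", "kind": "SecretStore"},
        "target": {"name": "my-kubernetes-secret", "creationPolicy": "Owner"},
        "data": [{"secretKey": "password",
                  "remoteRef": {"key": "my-secret-key", "property": "password"}}],
    },
}

def resolve(remote_ref, store):
    """Fetch remoteRef.key; when property is set, select that field from the JSON value."""
    raw = store[remote_ref["key"]]
    prop = remote_ref.get("property")
    if prop is None:
        return raw
    doc = json.loads(raw)
    if prop not in doc:
        raise KeyError(f"property {prop!r} missing in remote secret {remote_ref['key']!r}")
    return str(doc[prop])

def render_secret(es, store):
    """Build the Kubernetes Secret that one sync of this ExternalSecret would produce."""
    spec = es["spec"]
    data = {d["secretKey"]: base64.b64encode(resolve(d["remoteRef"], store).encode()).decode()
            for d in spec["data"]}
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "data": data,
              "metadata": {"name": spec["target"]["name"], "namespace": es["metadata"]["namespace"]}}
    if spec["target"].get("creationPolicy") == "Owner":
        # Owner: the Secret is owned by the ExternalSecret and garbage-collected with it.
        secret["metadata"]["ownerReferences"] = [{"apiVersion": "external-secrets.io/v1beta1",
                                                  "kind": "ExternalSecret", "name": es["metadata"]["name"]}]
    return secret

def secret_value(secret, key):
    """Decode one entry of a rendered Secret (Secret data is base64, not encryption)."""
    return base64.b64decode(secret["data"][key]).decode()

def needs_update(existing, desired):
    """True when the next refreshInterval tick would rewrite the Secret, e.g. after rotation."""
    return existing is None or existing["data"] != desired["data"]
```

Note that the rendered Secret holds only base64: protecting it at rest is the cluster's etcd encryption and RBAC on `secrets`, not the operator.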
Summary
| Aspect | Details |
|---|---|
| Release Date | August 22, 2022 |
| Headline Features | Enhanced provider support, improved security, better Kubernetes integration |
| Why it Matters | Integrates external secret management systems with Kubernetes, providing secure, automated secret synchronization |
External Secrets Operator 0.9 continues to evolve as the standard solution for secret management in Kubernetes, providing teams with secure integration with external secret stores.