External Secret Stores
External secret stores provide enterprise-grade secret management with features like automatic rotation, audit logging, and fine-grained access control. They integrate with Kubernetes through operators that fetch secrets from the store and sync them into Kubernetes Secret objects that workloads consume as usual.
Why External Secret Stores?
External secret stores offer:
- Automatic rotation - Secrets can be rotated on a schedule without redeploying workloads
- Audit logging - Every read and write of a secret is recorded, so access can be traced
- Centralized management - One source of truth shared across clusters and environments
- Access control - Fine-grained policies decide which identity may read which path
- Encryption - Secrets are encrypted at rest and in transit by the store itself
HashiCorp Vault
Vault is a popular secret management solution:
Install the Vault Secrets Operator
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault-secrets-operator hashicorp/vault-secrets-operator \
  --namespace vault-secrets-operator-system --create-namespace
Create Secret
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: database-credentials
spec:
  type: kv-v2
  mount: secret      # the KV v2 mount; the operator adds the /data/ segment itself
  path: database     # path below the mount, i.e. secret/data/database in the Vault API
  destination:
    create: true
    name: database-secret
    type: Opaque
External Secrets Operator
External Secrets Operator syncs secrets from external stores:
Install
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets --create-namespace
Create SecretStore
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
Create ExternalSecret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-secret
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: secret/data/database
        property: password
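The SecretStore and ExternalSecret above carry the settings that matter for least privilege: TLS to Vault, Kubernetes auth instead of a static token, a refresh interval so rotation reaches the cluster, an Owner creation policy, and a property selector so only one field is copied. The following guardrail, an added example that is not part of this page or of the External Secrets project, checks those settings on manifests given as Python dicts (the page's manifests and a constructed weak variant); the 24h ceiling and the rule messages are assumptions.

```python
import re
from datetime import timedelta

MAX_REFRESH = timedelta(hours=24)  # assumed ceiling; tune per environment

def parse_interval(s: str) -> timedelta:
    """Parse Go-style durations such as '1h', '90m', '1h30m' (h/m/s only)."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    return sum((timedelta(**{units[u]: int(n)}) for n, u in re.findall(r"(\d+)([hms])", s)), timedelta())

def check_secret_store(store: dict) -> list:
    """Rules for a SecretStore that uses the Vault provider."""
    findings = []
    vault = store.get("spec", {}).get("provider", {}).get("vault", {})
    if not vault.get("server", "").startswith("https://"):
        findings.append("SecretStore: Vault server must use https")
    auth = vault.get("auth", {})
    if "tokenSecretRef" in auth:
        findings.append("SecretStore: static Vault token in use; prefer kubernetes auth")
    if "kubernetes" not in auth:
        findings.append("SecretStore: kubernetes auth not configured")
    return findings

def check_external_secret(es: dict) -> list:
    """Rules for an ExternalSecret: rotation, ownership, narrow reads."""
    findings = []
    spec = es.get("spec", {})
    interval = spec.get("refreshInterval")
    if not interval or parse_interval(interval) == timedelta():
        findings.append("ExternalSecret: no refreshInterval, secret is synced once and never refreshed")
    elif parse_interval(interval) > MAX_REFRESH:
        findings.append("ExternalSecret: refreshInterval above 24h")
    if spec.get("target", {}).get("creationPolicy") != "Owner":
        findings.append("ExternalSecret: creationPolicy should be Owner so the Secret is garbage-collected")
    for item in spec.get("data", []):
        if "property" not in item.get("remoteRef", {}):
            findings.append(f"ExternalSecret: {item['secretKey']} copies the entire remote secret")
    return findings

# Constructed inputs: the page's manifests (good) and a deliberately weak variant.
GOOD_STORE = {"spec": {"provider": {"vault": {"server": "https://vault.example.com", "path": "secret",
              "version": "v2", "auth": {"kubernetes": {"mountPath": "kubernetes", "role": "external-secrets"}}}}}}
WEAK_STORE = {"spec": {"provider": {"vault": {"server": "http://vault.example.com",
              "auth": {"tokenSecretRef": {"name": "vault-token", "key": "token"}}}}}}
GOOD_ES = {"spec": {"refreshInterval": "1h", "target": {"name": "database-secret", "creationPolicy": "Owner"},
           "data": [{"secretKey": "password", "remoteRef": {"key": "secret/data/database", "property": "password"}}]}}
WEAK_ES = {"spec": {"refreshInterval": "0", "target": {"name": "database-secret"},
           "data": [{"secretKey": "password", "remoteRef": {"key": "secret/data/database"}}]}}
```

Run `check_secret_store(WEAK_STORE)` and `check_external_secret(WEAK_ES)` to see the three findings each; the page's own manifests produce none.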
Sealed Secrets
Sealed Secrets encrypts a Secret with the public key of a controller running in the cluster; the resulting SealedSecret can be committed to Git because only that controller holds the private key needed to decrypt it:
Install
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/controller.yaml
Create Sealed Secret
kubectl create secret generic my-secret \
  --from-literal=password=secret \
  --dry-run=client -o yaml | \
  kubeseal -o yaml > sealed-secret.yaml
Best Practices
- Use for production - Back production workloads with an external store rather than hand-managed Secrets
- Enable rotation - Automate rotation in the store and set a refresh interval so rotated values reach the cluster
- Monitor access - Review the store's audit log to see which identity read which secret
- Limit access - Combine Kubernetes RBAC on Secret objects with store-side policies scoped to the paths each role needs
See Also
- Secrets Management - Overview of secrets management
- Encryption at Rest - Encrypting Kubernetes secrets