External Secrets Operator (ESO)

Use External Secrets in your Namespace

Overview

The External Secrets Operator (ESO) is now available in the Kube. It lets applications consume secrets securely: the secrets are stored in our Vault, and ESO synchronizes them into Kubernetes Secrets in your namespace, so they never have to be written into manifests or committed to a repository.

Enabling External Secrets Operator

To use ESO, set the following parameter when submitting your application request:

esoServiceAccount: true

What Gets Deployed

The following resources are automatically created in your namespace:

  • ServiceAccount - A dedicated service account for the External Secrets Operator, whose name ends with -eso.
  • SecretStore - A configuration object that defines how to connect to Vault.
  • Vault Engine - A corresponding Vault engine is provisioned at https://vault.uni-muenster.de.

Access Control

Namespace Admin Groups automatically get access to the corresponding Vault secrets. Regular namespace administrators do not! If you need to read or write the secrets in Vault, you must be a member of one of the Namespace Admin Groups.

Usage Example

Create an ExternalSecret resource to define which secrets you want to sync from Vault to Kubernetes. It references the SecretStore deployed in your namespace (the example below uses the name vault-backend; check the actual name with kubectl get secretstore -n <namespace>) and lists the Vault path and property for each key of the resulting Kubernetes Secret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secrets
  namespace: my-namespace
spec:
  refreshInterval: 1h            # how often ESO re-reads Vault and updates the Secret
  secretStoreRef:
    name: vault-backend          # the SecretStore deployed in your namespace
    kind: SecretStore
  target:
    name: my-app-secret          # name of the Kubernetes Secret that ESO creates
    creationPolicy: Owner        # the Secret is owned by (and deleted with) this ExternalSecret
  data:
    - secretKey: database-url    # key in the Kubernetes Secret
      remoteRef:
        key: secret/data/my-app  # path of the Vault secret
        property: DATABASE_URL   # field inside that Vault secret
    - secretKey: api-key
      remoteRef:
        key: secret/data/my-app
        property: API_KEY

It is also possible to use templating (spec.target.template) to render the values fetched from Vault into the keys of the resulting Kubernetes Secret, for example to build a configuration file or a connection URL from several Vault properties.
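The following ExternalSecret is an added example of templating; it is not taken from this page or from the ESO project documentation. It assumes, purely for illustration, that the SecretStore in the namespace is named vault-backend, that the Vault path secret/data/my-app holds the properties DB_HOST, DB_USER and DB_PASSWORD, and that the application reads its settings from a file named database.ini:

```yaml
# Added example, not part of the original page or the ESO project docs.
# Assumptions (illustrative, not taken from the page): the SecretStore in the
# namespace is named vault-backend, the Vault KV path secret/data/my-app holds
# the properties DB_HOST, DB_USER and DB_PASSWORD, and the application reads
# its settings from a single file named database.ini.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-db-config
  namespace: my-namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: my-app-db-config          # Kubernetes Secret that ESO creates
    creationPolicy: Owner           # deleted together with this ExternalSecret
    template:
      engineVersion: v2
      type: Opaque
      metadata:
        labels:
          app: my-app
      data:
        # The entries under spec.data are available as template variables
        # under their secretKey names; the rendered text becomes one Secret key.
        database.ini: |
          [database]
          host = {{ .db_host }}
          user = {{ .db_user }}
          password = {{ .db_password }}
        # A second key derived from the same values, for clients that expect a URL.
        DATABASE_URL: "postgresql://{{ .db_user }}:{{ .db_password }}@{{ .db_host }}/my-app"
  data:
    - secretKey: db_host
      remoteRef:
        key: secret/data/my-app
        property: DB_HOST
    - secretKey: db_user
      remoteRef:
        key: secret/data/my-app
        property: DB_USER
    - secretKey: db_password
      remoteRef:
        key: secret/data/my-app
        property: DB_PASSWORD
```

With a template in place, only the templated keys (database.ini and DATABASE_URL here) end up in the target Secret; the raw db_host, db_user and db_password entries are used for rendering but are not written out as separate keys unless you set template.mergePolicy: Merge. After applying the manifest, check that the ExternalSecret reports Ready with kubectl get externalsecret -n my-namespace before mounting the Secret into a Pod; a SecretSyncedError status usually means the Vault path, property name or SecretStore name is wrong.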

Additional Resources

For detailed ESO configuration and usage examples, please refer to the official External Secrets Operator Documentation.