Kubernetes Secrets Management: Level Up with External Secrets Operator


Overview :-

Kubernetes has become the standard platform for deploying and managing containerized applications. As applications grow, managing secrets such as API keys, passwords and certificates becomes a first-order concern. Kubernetes ships a built-in Secret resource, but it is only a base64-encoded object stored in etcd (encrypted at rest only if you configure it), it has no notion of rotation, and it offers no way to share secrets across clusters or to consume a secret that already lives in an external secret manager. The External Secrets Operator (ESO) addresses this: it is an open-source Kubernetes operator that reads secrets from external systems such as AWS Secrets Manager and keeps them synchronized into ordinary Kubernetes Secrets, so workloads need no change.

Prerequisites :-

Before you can start using the External Secrets Operator, you’ll need to have the following in place:

  • An Amazon EKS cluster running Kubernetes 1.19 or later (the IAM steps below rely on IAM Roles for Service Accounts, which is EKS-specific)
  • The kubectl command-line tool configured to communicate with your cluster
  • Helm (version 3 or later) and eksctl installed on your local machine
  • An AWS account with a secret already stored in AWS Secrets Manager, the external secret management system used in this guide (ESO supports others, such as HashiCorp Vault, GCP Secret Manager and Azure Key Vault, through different provider configurations)

Procedure :-

1. Setting Up External Secrets Operator

The first step in leveraging External Secrets in Kubernetes is installing the External Secrets Operator. Here’s how:

1.1 Add the External Secrets Repository

Execute the following command to add the External Secrets Operator repository:

helm repo add external-secrets https://charts.external-secrets.io

1.2 Install External Secrets Operator

Use Helm to install the operator:

helm install external-secrets \
external-secrets/external-secrets \
--namespace external-secrets \
--create-namespace \
--set installCRDs=true

This command creates a dedicated namespace and installs the operator together with its Custom Resource Definitions (CRDs); installCRDs=true is the chart default, so the flag only makes the intent explicit. For production, pin the chart with --version so that upgrades are deliberate rather than whatever the repository serves on the day you run the command.

2. Configuring IAM for External Secrets

2.1 Associate OIDC Provider

ESO authenticates to AWS with IAM Roles for Service Accounts (IRSA): a pod exchanges its projected service account token for temporary credentials of an IAM role through sts:AssumeRoleWithWebIdentity. For IAM to accept that token, it must trust the cluster's OIDC issuer, so before creating the role associate your EKS cluster with an OIDC provider (a one-time step per cluster; replace your-cluster-name):

eksctl utils associate-iam-oidc-provider --cluster=your-cluster-name --approve

2.2 Create IAM Role

Navigate to IAM in the AWS Console and create a role with the following settings:

  • Trusted entity type: Web identity
  • Identity provider: your cluster's OIDC provider; Audience: sts.amazonaws.com
  • After creation, edit the trust policy so that the <issuer>:sub condition equals system:serviceaccount:external-secrets:external-secrets-operator (the service account created in the next step). Without that condition, any pod in the cluster that can obtain a service account token could assume the role.
  • Permissions: attach a policy that allows only secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on the secrets ESO needs, rather than the broad SecretsManagerReadWrite managed policy.
  • Name the role, click Create role, and copy the role ARN; you need it in the next step.
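The same role created from the command line, as an added example that is not part of the original article. It renders the trust policy with the service account condition and a read-only permissions policy limited to one secret ARN, then creates the role with the AWS CLI. The cluster name, region, role name and secret ARN are placeholders you supply; ESO_APPLY=1 is a guard so the script makes no AWS calls unless asked.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): create the IRSA role for ESO
# with a trust policy pinned to one service account and a permissions policy
# scoped to one secret. CLUSTER, REGION, ROLE_NAME and SECRET_ARN are placeholders.
set -eu

CLUSTER="${CLUSTER:-your-cluster-name}"
REGION="${REGION:-us-east-1}"
ROLE_NAME="${ROLE_NAME:-external-secrets-operator}"
SA_NAMESPACE="external-secrets"
SA_NAME="external-secrets-operator"

# Trust policy: only the ESO service account's projected token may assume the
# role. The "sub" condition is what prevents every other pod from doing so.
render_trust_policy() {
  account_id="$1"; region="$2"; oidc_id="$3"
  issuer="oidc.eks.${region}.amazonaws.com/id/${oidc_id}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${issuer}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${issuer}:aud": "sts.amazonaws.com",
        "${issuer}:sub": "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
      }
    }
  }]
}
EOF
}

# Permissions policy: read-only, and only on the named secret. Secrets Manager
# ARNs end in a random suffix, so pass the full ARN or a prefix ending in "*".
render_secrets_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "$1"
  }]
}
EOF
}

# Look up the account id and the cluster's OIDC issuer id, create the role,
# attach the inline policy and print the role ARN for the service account step.
create_role() {
  secret_arn="$1"
  account_id=$(aws sts get-caller-identity --query Account --output text)
  oidc_id=$(aws eks describe-cluster --name "$CLUSTER" --region "$REGION" \
    --query 'cluster.identity.oidc.issuer' --output text | sed 's#.*/id/##')
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(render_trust_policy "$account_id" "$REGION" "$oidc_id")"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name eso-read-secret \
    --policy-document "$(render_secrets_policy "$secret_arn")"
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Only call AWS when explicitly asked, e.g.:
#   ESO_APPLY=1 SECRET_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-* ./eso-iam.sh
if [ "${ESO_APPLY:-0}" = "1" ]; then
  create_role "${SECRET_ARN:?set SECRET_ARN to the secret ARN or prefix}"
fi
```

Keep the role's permissions as narrow as the Resource line allows: if several applications share the cluster, give each its own role, service account and SecretStore rather than one role that can read every secret.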
3. Implementing a Service Account for External Secrets

A service account links Kubernetes to the IAM role. Create a file named sa.yaml with the content below and put the role ARN copied in step 2.2 into the eks.amazonaws.com/role-arn annotation; ESO reads that annotation on the referenced service account to decide which role to assume with the account's token.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-operator
  namespace: external-secrets
  annotations:
    eks.amazonaws.com/role-arn: your-iam-role-arn

Apply this configuration:

kubectl apply -f sa.yaml

4. Establishing a SecretStore

Create a file named ss.yaml containing a SecretStore, the object that tells ESO how to reach AWS Secrets Manager and which identity to use. Set region to the AWS region in which the secret exists; Secrets Manager is regional, so a wrong region produces a not-found error rather than an authentication error. The SecretStore is namespaced, so it can only be referenced by ExternalSecrets in the same namespace.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: external-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: your-aws-region
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-operator

Apply this configuration:

kubectl apply -f ss.yaml

5. Creating External Secrets

Next, create a file named secret.yaml that defines an ExternalSecret, the object that tells ESO which remote secret to fetch and which Kubernetes Secret to write. Replace your-secret-name with the name (or ARN) of the secret in Secrets Manager and your-secret-key with the JSON field to extract from it. The property field only applies when the secret value is a JSON document; for a plain-string secret omit it and the whole value is copied into the target key. refreshInterval: 1h means a rotated value takes up to an hour to reach the cluster, and pods that consume it as environment variables only see the new value after a restart. creationPolicy: Owner makes ESO the owner of the target Secret, so it is deleted together with the ExternalSecret.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secret
  namespace: external-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: secrets-manager-secret
    creationPolicy: Owner
  data:
    - secretKey: aws-secretsmanager
      remoteRef:
        key: your-secret-name
        property: your-secret-key

Apply this configuration:

kubectl apply -f secret.yaml

Run the following command to confirm that ESO has created the target Secret. It appears only after the first sync has succeeded; if it is missing, describe the ExternalSecret and read its Ready condition, whose message carries the AWS error (for example AccessDenied when the IAM policy is too narrow, or a not-found error when the name or region is wrong):

kubectl get secret secrets-manager-secret -n external-secrets

6. Utilizing External Secrets in Deployments

To consume the synced secret in a Deployment running in the same namespace as the Secret, add the following entry to the container's env list; it maps the Secret key aws-secretsmanager to the AWS_SECRET environment variable:

- name: AWS_SECRET
  valueFrom:
    secretKeyRef:
      name: secrets-manager-secret
      key: aws-secretsmanager
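The steps above put together for an application that lives in its own namespace, as an added example that is not code from the original article. It assumes the IRSA-annotated service account external-secrets-operator from step 3 exists in namespace external-secrets, that the Secrets Manager secret my-app/config (a placeholder) is a JSON document such as {"DB_USER":"app","DB_PASSWORD":"..."}, and that the application runs in namespace demo (also a placeholder). Because a SecretStore is namespaced, it uses a ClusterSecretStore so the ExternalSecret can sit next to the workload, copies every key of the JSON secret with dataFrom, consumes them with envFrom, and then waits for ESO's Ready condition instead of polling for the Secret.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Placeholders: REGION, APP_NS,
# REMOTE_SECRET. Requires the service account from step 3 and kubectl access.
set -eu

REGION="${REGION:-us-east-1}"
APP_NS="${APP_NS:-demo}"
REMOTE_SECRET="${REMOTE_SECRET:-my-app/config}"

# A SecretStore is namespaced, so an ExternalSecret in "demo" cannot use the one
# in "external-secrets". A ClusterSecretStore is cluster-scoped and names the
# service account (with namespace) whose token ESO exchanges for the IAM role.
render_cluster_secret_store() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: $1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-operator
            namespace: external-secrets
EOF
}

# dataFrom.extract turns every top-level key of the JSON secret into one entry
# of the target Secret, which is created in the ExternalSecret's own namespace.
render_external_secret() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-config
  namespace: $1
spec:
  refreshInterval: 15m
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: my-app-config
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: $2
EOF
}

# envFrom exposes each key as an environment variable. Anyone who can exec into
# the pod can read them; mount the Secret as a volume when that matters.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: $1
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: busybox:1.36
          command: ["sh", "-c", "sleep 3600"]
          envFrom:
            - secretRef:
                name: my-app-config
EOF
}

# Apply everything and block until ESO reports Ready=True; on failure the
# condition message carries the AWS error (AccessDenied, not found, ...).
apply_and_verify() {
  render_cluster_secret_store "$REGION" | kubectl apply -f -
  kubectl get namespace "$APP_NS" >/dev/null 2>&1 || kubectl create namespace "$APP_NS"
  render_external_secret "$APP_NS" "$REMOTE_SECRET" | kubectl apply -f -
  render_deployment "$APP_NS" | kubectl apply -f -
  kubectl wait --for=condition=Ready --timeout=120s externalsecret/my-app-config -n "$APP_NS"
  # List the synced key names without printing their values.
  kubectl get secret my-app-config -n "$APP_NS" \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Only touch the cluster when explicitly asked: ESO_APPLY=1 ./eso-app.sh
if [ "${ESO_APPLY:-0}" = "1" ]; then
  apply_and_verify
fi
```

The ClusterSecretStore reuses the name aws-secrets-manager; that does not clash with the namespaced SecretStore from step 4 because secretStoreRef.kind selects which one an ExternalSecret means. If rotation matters, lower refreshInterval and roll the Deployment (for example with a checksum annotation on the pod template) when the Secret changes, since environment variables are only read at container start.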

Conclusion :-

The External Secrets Operator lets Kubernetes workloads keep consuming plain Secrets while the source of truth, access control and audit trail stay in an external secret manager such as AWS Secrets Manager. With the IAM role scoped to one service account and to the specific secrets it needs, and with a refresh interval chosen to match your rotation policy, ESO centralizes secret management and automates synchronization without handing the cluster broad credentials.

Mahira Technology- Innovate. Transform. Thrive.