Introduction to External Secret Operator


In today’s digital world, the protection of sensitive information has become paramount. When working with a microservices orchestrator such as Kubernetes, it is important to handle secrets such as usernames and passwords, database passwords, and API keys securely. Kubernetes has a built-in resource for this called Secrets. The downside of Secrets is that they do not support storing or retrieving secrets from external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, and many more.

Moreover, external secret management systems provide encryption at rest, secret rotation policies, and more. So in this blog, we will talk about the open-source solution GoDaddy came up with: the External Secrets Operator.

What is External Secret Operator?

External Secrets Operator is a tool or component that extends the functionality of Kubernetes to manage external secrets in a more secure and efficient manner. It acts as a bridge between Kubernetes and external secret management systems, allowing you to securely store and retrieve secrets from external sources. It integrates with external secret providers such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or other similar systems. This enables Kubernetes applications to access and utilize secrets stored in these external systems without exposing them directly within the cluster.

Architecture of External Secret Operator:

[Figure: External Secrets Operator architecture]

The ESO controller is installed in a Kubernetes cluster and is a cluster-wide component. To communicate with the various secret managers, the SecretStore / ClusterSecretStore API resource is deployed within a namespace or at cluster scope and is responsible for authenticating against the external API.

Components of External Secrets Operator:

[Figure: ESO components working together]

External Secrets comes with three components: Core Controller, Webhook, and Cert Controller.

  1. Core Controller: The core controller is the central component of an external secret operator. It manages the lifecycle of secrets, including their creation, retrieval, deletion, and rotation. The core controller interacts with the underlying secret storage system and ensures that secrets are securely managed and accessible to authorized entities.
  2. Webhook: A webhook is a mechanism used for event-driven communication between systems. In the context of an external secret operator, a webhook may be used to trigger actions or updates based on specific events related to secrets. For example, a webhook could be used to notify external systems when a secret is created or updated, allowing them to take appropriate actions.
  3. Cert Controller: A certificate controller, or cert controller, is a component of an external secret operator that specifically deals with the management of TLS certificates. It automates the process of obtaining, renewing, and distributing TLS certificates for secure communication within a Kubernetes cluster. The cert controller may integrate with a certificate authority (CA) or certificate management system to handle certificate operations.

Core Resources of External Secret Operator:

1. SecretStore: 

SecretStore is a namespace-scoped resource that contains the authentication details for the external secret manager we want to access, i.e. the credentials ESO uses to make the external API calls.

If you want to design cross-namespace SecretStores, you must use ClusterSecretStores.

2. ClusterSecretStore:

[Figure: ClusterSecretStore]

ClusterSecretStore is a cluster-scoped SecretStore that can be referenced by ExternalSecrets in all namespaces.

3. External Secret:

An ExternalSecret describes what data is to be fetched, how it should be transformed, and how it should be saved as a Kubernetes Secret. It holds a reference to a SecretStore or ClusterSecretStore, which knows how to access the external secret manager's data.

4. ClusterExternalSecret:

[Figure: ClusterExternalSecret]

ClusterExternalSecret is a cluster-scoped resource that can be used to manage ExternalSecret resources in specific namespaces.
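As an added example (not from the original post), here is a namespace-scoped SecretStore for HashiCorp Vault paired with an ExternalSecret that syncs one Vault field into a Kubernetes Secret. The namespace, resource names, service account, Vault address, role and path are placeholders; the Vault Kubernetes auth method is used so that no static Vault token needs to live in the cluster.

```yaml
# SecretStore: namespace-scoped, only ExternalSecrets in "payments" can use it.
# A ClusterSecretStore has the same spec with kind: ClusterSecretStore and no namespace.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend            # placeholder name
  namespace: payments            # placeholder namespace
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder Vault address
      path: "secret"             # KV mount
      version: "v2"
      auth:
        # Kubernetes auth: ESO presents the service account's token to Vault,
        # so the Vault role (not a long-lived token) decides what it may read.
        kubernetes:
          mountPath: "kubernetes"
          role: "payments-reader"          # placeholder Vault role
          serviceAccountRef:
            name: "eso-payments"           # placeholder service account
---
# ExternalSecret: what to fetch and how to write it into the cluster.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: payments
spec:
  refreshInterval: 1h            # re-read Vault hourly, so rotations propagate
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials         # resulting Kubernetes Secret
    creationPolicy: Owner        # ESO owns and garbage-collects the Secret
  data:
    - secretKey: DB_PASSWORD     # key inside the Kubernetes Secret
      remoteRef:
        key: payments/db         # placeholder path under the KV mount
        property: password       # single field of that Vault secret
```

After applying, `kubectl get externalsecret -n payments` shows the sync status, and the `db-credentials` Secret contains only the `DB_PASSWORD` field, not the whole Vault entry.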

Benefits of External Secret Operator:

  1. Enhanced Security: The External Secrets Operator allows you to securely store and retrieve sensitive information from external secret management systems such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault. These external systems provide advanced security features like encryption at rest, secret rotation policies, and access controls, ensuring the confidentiality and integrity of your secrets.
  2. Seamless Integration: External Secrets Operator seamlessly integrates with Kubernetes, allowing applications running in the cluster to access and utilize secrets stored in external systems without exposing them directly.
  3. Open-Source Community Support: The External Secrets Operator is an open-source solution developed by GoDaddy. This means it benefits from active community support, regular updates, and contributions from developers worldwide. The open-source nature of the operator fosters innovation, encourages collaboration, and ensures the availability of ongoing improvements and new features.
  4. Flexibility and Scalability: External Secrets Operator works with a wide range of external secret management systems, giving you the flexibility to choose the one that best suits your requirements.

Conclusion:

External Secrets Operator is a valuable tool for securely managing secrets in Kubernetes by bridging the gap between the platform and external secret management systems. By integrating with popular providers like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault, it allows for the secure storage and retrieval of sensitive information without exposing it directly within the cluster.

In this blog, we have covered an introduction to External Secrets Operator. In the next blog, we will cover a real-world implementation of External Secrets Operator on GKE using Google Secret Manager.

Blog Pundits:  Deepak Gupta and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.
