{"id":16939,"date":"2024-01-23T12:38:39","date_gmt":"2024-01-23T07:08:39","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=16939"},"modified":"2024-01-23T12:42:35","modified_gmt":"2024-01-23T07:12:35","slug":"implementation-of-eso-external-secret-operator-with-google-secret-manager","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2024\/01\/23\/implementation-of-eso-external-secret-operator-with-google-secret-manager\/","title":{"rendered":"Implementation of ESO (External Secret Operator) with Google Secret Manager\u200a"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"330\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-10.png\" alt=\"\" class=\"wp-image-17103\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-10.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-300x124.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-768x317.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/www.kubecost.com\/images\/kubernetes-devops-tools\/kubernetes-external-secrets-1.png\" rel=\"noreferrer noopener\" target=\"_blank\">ESO IMAGE<\/a><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/opstree.com\/blog\/\/2023\/08\/08\/introduction-to-external-secret-operator\/\" rel=\"noreferrer noopener\" target=\"_blank\">In the previous blog<\/a>, we discussed the significant role that ESO (External Secret Operator) plays within a Kubernetes cluster in handling sensitive information, and how it bridges the gap between the external secret manager and the Kubernetes cluster.<\/p>\n\n\n\n<p>Today I\u2019m going to discuss one of the problems that we faced on our client side in terms of managing secrets in Kubernetes. 
Kubernetes only applies basic <a href=\"https:\/\/www.base64encoder.io\/learn\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Base64<\/strong><\/a> encoding to Secrets, which is not encryption, so anyone who has access to the Kubernetes cluster can easily read those secrets and they can get compromised. To overcome this problem we found a solution called <a href=\"https:\/\/external-secrets.io\/latest\/introduction\/getting-started\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ESO<\/strong><\/a>.<\/p>\n\n\n\n<p>In this blog, I will walk you through how we implemented <strong>ESO<\/strong> in the <strong>GKE Kubernetes Cluster<\/strong> while making use of <strong>Google Secret Manager<\/strong>.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h4 class=\"wp-block-heading\">PREREQUISITES:<\/h4>\n\n\n\n<p>To follow the steps in this blog, you will need the following setup:<\/p>\n\n\n\n<ul>\n<li>A Kubernetes cluster is up &amp; running with version 1.24+.<\/li>\n\n\n\n<li>Kubectl CLI is installed and configured to talk to your Kubernetes cluster.<\/li>\n\n\n\n<li>Google Account for storing secrets in <strong>Google Secret Manager<\/strong> service.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">STEP1: Installing ESO using&nbsp;Helm<\/h4>\n\n\n\n<p>Let\u2019s go ahead with the installation of the External Secret Operator using the <a href=\"https:\/\/artifacthub.io\/packages\/helm\/external-secrets-operator\/external-secrets\" rel=\"noreferrer noopener\" target=\"_blank\">official Helm Repo<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">helm repo add external-secrets https:\/\/charts.external-secrets.io<br>helm install external-secrets \\<br>  external-secrets\/external-secrets \\<br>    --namespace external-secrets \\<br>    --create-namespace \\<br>    --set installCRDs=true<\/pre>\n\n\n\n<p>Once the External Secret Operator is successfully deployed, you will see the below message.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" 
decoding=\"async\" width=\"800\" height=\"224\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-17.png\" alt=\"\" class=\"wp-image-17110\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-17.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-17-300x84.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-17-768x215.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">ESO Deployed<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">STEP2: Creating a Secret in Google Secret&nbsp;Manager<\/h4>\n\n\n\n<p>Now we will store the database secret in Google Secret Manager; later ESO will fetch it and expose it inside our deployment.<\/p>\n\n\n\n<p>You can create 2 types of secrets in Google Secret Manager:<\/p>\n\n\n\n<ol>\n<li>A secret with a single key-value pair, as shown in the image below.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"736\" height=\"341\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-15.png\" alt=\"\" class=\"wp-image-17108\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-15.png 736w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-15-300x139.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">Figure 1.0<\/figcaption><\/figure>\n\n\n\n<p>2. 
A secret with multiple values; for this type of secret we have to make sure that the values are JSON formatted.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"307\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-20.png\" alt=\"\" class=\"wp-image-17113\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-20.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-20-300x115.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-20-768x295.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">Figure 1.1<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">STEP3: Creating IAM role and Service&nbsp;Account<\/h4>\n\n\n\n<p>Once the secrets are created in GCP Secret Manager, we have to create a service account that the SecretStore will use later, and through which ESO will access Secret Manager to fetch secrets.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"38\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-11.png\" alt=\"\" class=\"wp-image-17104\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-11.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-300x14.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-768x36.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/figure>\n\n\n\n<p>Attach the below role to the service account so that it can access Secret Manager.<\/p>\n\n\n\n<ul>\n<li><strong>roles\/secretmanager.secretAccessor<\/strong><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>STEP4: Create <\/strong>a Kubernetes Secret Using 
Service Account Authentication Credentials<\/h4>\n\n\n\n<p>Once the role is attached to the service account, download the JSON key file of the service account and create a Secret in Kubernetes to store the GCP authentication credentials, which will be used by the SecretStore.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apiVersion: v1<br>kind: Secret<br>metadata:<br>  name: gcpsm-secret<br>  labels:<br>    type: gcpsm<br>type: Opaque<br>stringData:<br>  secret-access-credentials: |-<br>    {<br>        \"type\": \"service_account\",<br>        \"project_id\": \"test-dev\",<br>        \"private_key_id\": \"46066dab6a694b0bcf655c30a50956356fefd624\",<br>        \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3EarE3p4lYj\/s\\n\/JnrfUrdCsQnDdjvVLjLPz56wlDxDrG9X9GT8\/8fNWJODDFqtlUqbh0+TC+YmlF8dn+yNmbwgIhVll+E8q4\/IMcn2fFDnBNOrBCIouAxEwrl5\\nngJqJacs+TdVDEwYJxrsadNcCmDTa\/ruJ6tAjv44DYuNRhWEcr19aL51bntlHZfO\\nBjdy2faDI3Gkcixm\/LNHz3A=\\n-----END PRIVATE KEY-----\\n\",<br>        \"client_email\": \"secret@test-dev.iam.gserviceaccount.com\",<br>        \"client_id\": \"*************\",<br>        \"auth_uri\": \"https:\/\/accounts.google.com\/o\/oauth2\/auth\",<br>        \"token_uri\": \"https:\/\/oauth2.googleapis.com\/token\",<br>        \"auth_provider_x509_cert_url\": \"https:\/\/www.googleapis.com\/oauth2\/v1\/certs\",<br>        \"client_x509_cert_url\": \"https:\/\/www.googleapis.com\/robot\/v1\/metadata\/x509\/secret%40test-dev.iam.gserviceaccount.com\",<br>        \"universe_domain\": \"googleapis.com\"<br>    }<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>NOTE: Make sure you replace the above JSON content with the content of your own JSON file that you downloaded in the previous step.<\/p>\n<\/blockquote>\n\n\n\n<p>Now create the secret in Kubernetes by applying the above manifest.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kubectl apply -f 
gcp-secret.yaml<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">STEP5: Creating a SecretStore<\/h4>\n\n\n\n<p>Once GCP serviceaccount credentials are stored in Kubernetes secrets we can call these credentials inside the Secret Store.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apiVersion: external-secrets.io\/v1beta1<br>kind: SecretStore<br>metadata:<br>  name: gcp-store<br>spec:<br>  provider:<br>    gcpsm:        # gcpsm provider                         <br>      auth:<br>        secretRef:<br>          secretAccessKeySecretRef:   <br>            name: gcpsm-secret       # secret name containing SA key          <br>            key: secret-access-credentials  # key name containing SA key<br>      projectID: test-dev         # name of Google Cloud project<\/pre>\n\n\n\n<p>Now create the SecretStore by applying the manifest.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kubectl apply -f secret-store.yaml<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"63\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-21.png\" alt=\"\" class=\"wp-image-17114\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-21.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-21-300x24.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-21-768x60.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">SecretStore<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">STEP6: Creating External&nbsp;Secret<\/h4>\n\n\n\n<p>Now finally create an external secret that will fetch the secrets from Google Secret Manager using the authentication credential from the secretstore that we created in the above step.<\/p>\n\n\n\n<ol>\n<li>First, we will fetch a secret from the GCP Secret Manager, which contains a secret with 
a singular key-value pair.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">apiVersion: external-secrets.io\/v1alpha1<br>kind: ExternalSecret<br>metadata:<br>  name: db-password  <br>spec:<br>  refreshInterval: 1h           <br>  secretStoreRef:<br>    kind: SecretStore<br>    name: gcp-store           # name of the SecretStore (or kind specified)<br>  target:<br>    name: mysql-password  # name of the k8s Secret to be created<br>    creationPolicy: Owner<br>  data:<br>  - secretKey: MYSQL_ROOT_PASSWORD<br>    remoteRef:<br>      key: Password # name of the GCPSM secret key<\/pre>\n\n\n\n<p>The above ExternalSecret will create the Kubernetes Secret in the same key-value format in which it was created in GCP Secret Manager.<\/p>\n\n\n\n<p>Now create the ExternalSecret by applying the manifest.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kubectl apply -f mysql-secret.yaml<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"766\" height=\"64\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-19.png\" alt=\"\" class=\"wp-image-17112\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-19.png 766w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-19-300x25.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">External Secret<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"729\" height=\"62\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-18.png\" alt=\"\" class=\"wp-image-17111\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-18.png 729w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-18-300x26.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption 
class=\"wp-element-caption\">Secret create by External&nbsp;Secret<\/figcaption><\/figure>\n\n\n\n<p>2. Next, to access a secret from the GCP Secret Manager that consists of multiple values, we will make use of the below manifest.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apiVersion: external-secrets.io\/v1alpha1<br>kind: ExternalSecret<br>metadata:<br>  name: test-dev  <br>spec:<br>  refreshInterval: 1h           # rate SecretManager pulls GCPSM<br>  secretStoreRef:<br>    kind: SecretStore<br>    name: gcp-store              # name of the SecretStore (or kind specified)<br>  target:<br>    name: test-api              # name of the k8s Secret to be created<br>    creationPolicy: Owner<br>  dataFrom:<br>  - key: test-api-dev<\/pre>\n\n\n\n<p>Now create the external secret by applying these YAML manifests.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kubectl apply -f external-secret.yaml<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"685\" height=\"64\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-12.png\" alt=\"\" class=\"wp-image-17105\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-12.png 685w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-12-300x28.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">ES with multiple&nbsp;values<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"676\" height=\"63\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-13.png\" alt=\"\" class=\"wp-image-17106\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-13.png 676w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-13-300x28.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, 
(max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">Secret create by&nbsp;ES<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">STEP7: Database Deployment<\/h4>\n\n\n\n<p>Now we will create a dummy database deployment to use the secrets that are created by ESO.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apiVersion: apps\/v1<br>kind: Deployment<br>metadata:<br>  name: mysql<br>spec:<br>  replicas: 1<br>  selector:<br>    matchLabels:<br>      app: mysql<br>  template:<br>    metadata:<br>      labels:<br>        app: mysql<br>    spec:<br>      terminationGracePeriodSeconds: 10<br>      containers:<br>        - name: mysql<br>          image: mysql:5.7<br>          ports:<br>            - name: tcp<br>              protocol: TCP<br>              containerPort: 3306<br>          envFrom:<br>            - secretRef:<br>                name: \"mysql-password\"<\/pre>\n\n\n\n<p>Now create the resources by applying these YAML manifests.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kubectl apply -f deployment.yaml<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"688\" height=\"114\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-14.png\" alt=\"\" class=\"wp-image-17107\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-14.png 688w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-300x50.png 300w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">DB Deployment<\/figcaption><\/figure>\n\n\n\n<p>Once deployment is done you can check the value of the secret which is created by ESO inside the deployment as shown below<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"31\" 
src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2024\/01\/image-16.png\" alt=\"\" class=\"wp-image-17109\" srcset=\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-16.png 800w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-16-300x12.png 300w, https:\/\/opstree.com\/blog\/wp-content\/uploads\/2024\/01\/image-16-768x30.png 768w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><figcaption class=\"wp-element-caption\">ENV<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Conclusion:<\/h4>\n\n\n\n<p>Implementing the External Secret Operator (ESO) with Google Secret Manager in a GKE Kubernetes cluster provides a robust and secure solution for managing sensitive data. This integration not only enhances security by centralizing secret management but also streamlines operations, reducing the complexity involved in handling secrets within Kubernetes. This step-by-step guide demonstrates the practicality and efficiency of the ESO, showcasing its ability to effectively bridge Kubernetes with external secret management systems.\u00a0<\/p>\n\n\n\n<p>It\u2019s important to note that while this scenario specifically demonstrates the use of ESO with GKE, ESO is compatible with all major cloud providers\u2019 managed vault services. Whether you\u2019re working with <strong>AWS Secret Manager<\/strong>, <strong>Azure Key Vault<\/strong>, or other cloud platforms, ESO offers a versatile solution to meet the unique needs of different environments. 
For more details about <strong>ESO &amp; <\/strong>its integration with different cloud providers, you can refer to the below links.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">REFERENCES:<\/h4>\n\n\n\n<ul>\n<li><a href=\"https:\/\/external-secrets.io\/latest\/introduction\/getting-started\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/external-secrets.io\/latest\/introduction\/getting-started\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/external-secrets.io\/latest\/provider\/azure-key-vault\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/external-secrets.io\/latest\/provider\/azure-key-vault\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/external-secrets.io\/latest\/provider\/aws-secrets-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/external-secrets.io\/latest\/provider\/aws-secrets-manager\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/external-secrets.io\/latest\/provider\/google-secrets-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/external-secrets.io\/latest\/provider\/google-secrets-manager\/<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Blog Pundits: &nbsp;<a href=\"https:\/\/opstree.com\/blog\/\/author\/shwetatyagiot\/\" target=\"_blank\" rel=\"noreferrer noopener\">Shweta Tyagi<\/a> and <a href=\"https:\/\/opstree.com\/blog\/\/author\/sandeep7c51ad81ba\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sandeep Rawat<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the Previous Blog, we discussed the significant role that ESO(External Secret Operator) plays within in Kubernetes cluster in handling sensitive information. How it is bridging the gap between the external secret manager and Kubernetes cluster. 
Today I\u2019m going to discuss one of the problems that we faced on our client side in terms of &hellip; <a href=\"https:\/\/opstree.com\/blog\/2024\/01\/23\/implementation-of-eso-external-secret-operator-with-google-secret-manager\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Implementation of ESO (External Secret Operator) with Google Secret Manager\u200a&#8221;<\/span><\/a><\/p>\n","protected":false},"author":237666321,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-4pd","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16939"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/237666321"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=16939"}],"version-history":[{"count":10,"href":"h
ttps:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16939\/revisions"}],"predecessor-version":[{"id":17117,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16939\/revisions\/17117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=16939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=16939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=16939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}