Kubernetes External Secrets
Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes. Read more about the design and motivation for Kubernetes External Secrets on the GoDaddy Engineering Blog.
The community and maintainers of this project and related Kubernetes secret management projects use
channel on the Kubernetes slack for discussion and brainstorming.
How it works
The project extends the Kubernetes API by adding an
using Custom Resource Definition
and a controller to implement the behavior of the object itself.
ExternalSecret declares how to fetch the secret data, while the controller converts all
Secrets. The conversion is completely transparent to
Pods that can access
Secrets are not encrypted at rest and are open to attack, either via the etcd server or via backups of etcd
data. To mitigate this risk, use an
external secret management system with a KMS plugin
Secrets stored in etcd.
See https://github.com/external-secrets/kubernetes-external-secrets/blob/master/README.md for the usage of the different backends