Background
Kubernetes Secrets are the built-in mechanism for storing sensitive data, but they have security weaknesses: their content is static and long-lived, so a value that leaks keeps working until someone rotates it by hand, and nothing in the cluster ties the Secret to the system of record that issued the credential.
How external-secrets addresses this
The values that external-secrets manages come from an external secret store (AWS Secrets Manager, HashiCorp Vault, etc.), configured as a SecretStore.
external-secrets creates the Kubernetes Secret from an ExternalSecret resource; if refreshPolicy is Periodic and refreshInterval is greater than 0, the value is fetched again from the store on that interval and the Secret is rewritten.
A running pod does not act on the rotated value by itself (environment variables are fixed at container start, and a mounted file only changes on disk), so this has to be combined with the application hot-reloading the secret, or with https://github.com/stakater/Reloader to roll the pods.
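How an application can hot-reload a secret that external-secrets has refreshed in a mounted Secret volume, as an added example that is not from the page or the external-secrets project. It simulates in a temporary directory how kubelet publishes a new Secret version (a fresh `..<timestamp>` directory and an atomic swap of the `..data` symlink), then shows a loader that re-reads the file only when that symlink target changes. `SecretFileLoader` and `write_secret_version` are hypothetical names chosen here; the token values are constructed.

```python
import os
import tempfile

# Added example (not from the page or the external-secrets project): an application-
# side loader that notices when kubelet publishes a refreshed Secret into a volume.
# kubelet writes each new version into a fresh "..<timestamp>" directory next to the
# mounted files and atomically re-points the "..data" symlink at it; the visible file
# names are symlinks through "..data". A process that caches its first read, or keeps
# the original file descriptor open, therefore keeps using the old, possibly leaked
# value. This loader re-reads whenever the resolved symlink target changes.
# "SecretFileLoader" and "write_secret_version" are hypothetical names used here.


class SecretFileLoader:
    def __init__(self, path):
        self.path = path
        self.value = None
        self.reloads = 0
        self._target = None
        self.reload()

    def _current_target(self):
        # Resolve the symlink chain (file -> ..data/file -> ..<timestamp>/file).
        return os.path.realpath(self.path)

    def reload(self):
        # Open the path fresh instead of reusing a file descriptor: an old fd would
        # still point into the previous version directory.
        with open(self.path, "rb") as f:
            self.value = f.read()
        self._target = self._current_target()
        self.reloads += 1

    def get(self):
        # Cheap check on each use; only re-read after kubelet swapped the symlink.
        if self._current_target() != self._target:
            self.reload()
        return self.value


def write_secret_version(mount_dir, key, value, version_tag):
    """Simulate kubelet publishing one Secret version into a volume mount."""
    versioned = os.path.join(mount_dir, ".." + version_tag)
    os.mkdir(versioned)
    with open(os.path.join(versioned, key), "wb") as f:
        f.write(value)
    # Create the new link under a temporary name, then rename it over "..data":
    # rename(2) replaces the link atomically, so readers see old or new, never neither.
    tmp_link = os.path.join(mount_dir, "..data_tmp")
    os.symlink(os.path.basename(versioned), tmp_link)
    os.replace(tmp_link, os.path.join(mount_dir, "..data"))
    key_link = os.path.join(mount_dir, key)
    if not os.path.lexists(key_link):
        os.symlink(os.path.join("..data", key), key_link)


def demo():
    """Publish two versions of a constructed secret and show the loader following them."""
    mount = tempfile.mkdtemp(prefix="secret-vol-")
    write_secret_version(mount, "api-token", b"token-v1", "2024_01_01_00_00_00")
    loader = SecretFileLoader(os.path.join(mount, "api-token"))
    first = loader.get()   # read once at startup
    write_secret_version(mount, "api-token", b"token-v2", "2024_01_01_01_00_00")
    second = loader.get()  # symlink swap detected, file re-read
    return first, second, loader.reloads


if __name__ == "__main__":
    print(demo())
```

Two cases this loader cannot help with: a secret injected as an environment variable is fixed for the container's lifetime, and a volume mounted with `subPath` is not updated by kubelet at all. In both, only a pod restart (which is what Reloader triggers) picks up the refreshed value.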
Usage
Taken from the docs: https://external-secrets.io/main/introduction/getting-started/
Install
kubectl apply -f "https://raw.githubusercontent.com/external-secrets/external-secrets/v0.17.0/deploy/crds/bundle.yaml"
(The bundle is a plain manifest rather than a kustomization, so it is applied with -f. It installs only the CRDs; the controller itself is installed separately, which the linked docs do with the Helm chart.)
Demo
Create a SecretStore
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
Create an ExternalSecret
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
  - secretKey: secret-key-to-be-managed
    remoteRef:
      key: provider-key
      version: provider-key-version
      property: provider-key-property
  dataFrom:
  - extract:
      key: remote-key-in-the-provider
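What the controller produces from the `data` and `dataFrom` sections of the ExternalSecret above, as an added example that is neither the page's nor the external-secrets project's code. It is a simplified simulation: `REMOTE_STORE` is a constructed stand-in for the provider (the remote keys match the manifest, the stored values are made up), `EXAMPLE_SPEC` is the manifest's spec as a dict, and `render_secret_data`, `to_k8s_secret` and `decode_secret_value` are hypothetical names. It assumes that keys from explicit `data` entries override same-named keys produced by `dataFrom`, and it surfaces the failure mode of a `property` that does not exist in the remote value instead of writing an empty secret.

```python
import base64
import json

# Added example (not from the page or the external-secrets project): a simplified
# simulation of how the "data" and "dataFrom" sections of an ExternalSecret turn
# into the keys of the target Kubernetes Secret. REMOTE_STORE stands in for the
# provider (constructed values); "version" is accepted but not modelled.
# Assumption: explicit "data" entries override same-named keys from "dataFrom".

REMOTE_STORE = {
    # "property" selects one field of a JSON-encoded secret value
    "provider-key": json.dumps({"provider-key-property": "s3cr3t-value", "unused": "ignored"}),
    # "dataFrom.extract" pulls every field of a JSON-encoded value as its own key
    "remote-key-in-the-provider": json.dumps({"username": "svc-user", "password": "p@ss"}),
}

# The page's ExternalSecret spec, written as a dict.
EXAMPLE_SPEC = {
    "refreshInterval": "1h",
    "secretStoreRef": {"name": "secretstore-sample", "kind": "SecretStore"},
    "target": {"name": "secret-to-be-created", "creationPolicy": "Owner"},
    "data": [
        {
            "secretKey": "secret-key-to-be-managed",
            "remoteRef": {
                "key": "provider-key",
                "version": "provider-key-version",
                "property": "provider-key-property",
            },
        }
    ],
    "dataFrom": [{"extract": {"key": "remote-key-in-the-provider"}}],
}


def fetch_remote(key, version=None):
    """Stand-in for a provider client; raises if the remote key does not exist."""
    if key not in REMOTE_STORE:
        raise KeyError(f"remote key {key!r} not found in store")
    return REMOTE_STORE[key]


def render_secret_data(spec, fetch=fetch_remote):
    """Return the plain-text key/value map the target Secret would hold."""
    out = {}
    for entry in spec.get("dataFrom", []):
        extract = entry.get("extract")
        if extract is None:
            continue  # "find" and "sourceRef" variants are not modelled here
        doc = json.loads(fetch(extract["key"], extract.get("version")))
        for k, v in doc.items():
            out[k] = v if isinstance(v, str) else json.dumps(v)
    for entry in spec.get("data", []):
        ref = entry["remoteRef"]
        raw = fetch(ref["key"], ref.get("version"))
        if "property" in ref:
            doc = json.loads(raw)
            if ref["property"] not in doc:
                # A typo in "property" must fail loudly, not yield an empty value.
                raise KeyError(f"property {ref['property']!r} not in remote key {ref['key']!r}")
            value = doc[ref["property"]]
            if not isinstance(value, str):
                value = json.dumps(value)
        else:
            value = raw  # the whole remote value becomes the secret value
        out[entry["secretKey"]] = value
    return out


def to_k8s_secret(spec, data):
    """Wrap the rendered map in the Secret manifest shape (values base64-encoded)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": spec["target"]["name"]},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def decode_secret_value(secret, key):
    """Read one value back out of a Secret manifest."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    rendered = render_secret_data(EXAMPLE_SPEC)
    print(json.dumps(to_k8s_secret(EXAMPLE_SPEC, rendered), indent=2))
```

Running it prints a Secret named `secret-to-be-created` with three keys: `secret-key-to-be-managed` from the `data` entry, and `username` and `password` from the `dataFrom.extract` entry. The `unused` field of `provider-key` never reaches the cluster, which is the point of `property`: expose only the field the workload needs. The point of `creationPolicy: Owner` is the counterpart on the Kubernetes side: the Secret is owned by the ExternalSecret, so deleting the ExternalSecret also removes the materialised copy.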