Kubernetes External Secrets

Kubernetes External Secrets lets you keep secrets in an external secret management system, such as AWS Secrets Manager or HashiCorp Vault, and have them synchronized into Kubernetes Secret resources instead of committing them to manifests.

We have installed External Secrets and configured it to use AWS Systems Manager (SSM) Parameter Store as a backend. This means we can store secrets in SSM and have the controller create a matching Kubernetes Secret resource that we can reference from our deployment manifests. The IAM identity the controller runs under needs ssm:GetParameter on the parameter path and, for SecureString parameters, kms:Decrypt on the KMS key used to encrypt them.

Example

Create an SSM parameter. Use the SecureString type so the value is encrypted at rest with KMS (keep in mind that a value passed on the command line also ends up in your shell history):

aws ssm put-parameter --name "/postgres/adminpass" --value "P@sSwW)rd" --type "SecureString"

Kubernetes External Secrets adds an ExternalSecret Custom Resource Definition (CRD). An ExternalSecret names the backend to read from (systemManager, i.e. AWS Systems Manager, in this case), the path of the parameter in SSM, and the key name the value should get in the resulting Secret.

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: postgres-config        # the Secret created by the controller gets this name
spec:
  backendType: systemManager   # AWS Systems Manager Parameter Store
  data:
    - key: /postgres/adminpass # parameter path in SSM
      name: admin_password     # key under data: in the resulting Secret

When this definition is applied to the cluster with

kubectl apply -f {secret.yaml} --namespace {your-namespace}

the controller will create a Kubernetes Secret with the same name in the same namespace. Note that the values under data are base64-encoded, not encrypted, so anyone who can read Secrets in that namespace can recover the password; keep RBAC on Secrets as tight as you keep IAM on the parameter.

apiVersion: v1
kind: Secret
metadata:
  name: postgres-config
type: Opaque
data:
  admin_password: ...

Inspect the ExternalSecret (its status tells you whether the last sync succeeded) and the Secret the controller created:

kubectl get externalsecret postgres-config --namespace {your-namespace}
kubectl get secrets --namespace {your-namespace}
kubectl describe secret postgres-config --namespace {your-namespace}

If you have a Postgres Deployment, add the following env configuration to its pod template so that the POSTGRES_PASSWORD environment variable is set from the Secret on startup (the Deployment needs to be in the same namespace as the Secret, since secretKeyRef cannot cross namespaces):

spec:
  containers:
  - image: your-docker-image:0.0.1
    name: application-name
    env:
      - name: POSTGRES_PASSWORD
        valueFrom:
          secretKeyRef:
            name: postgres-config
            key: admin_password
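As an added example (not part of this article or of the kubernetes-external-secrets project), the following POSIX shell script decodes the synced Secret and compares it with the value held in SSM. The offline part runs against a constructed sample of the Secret manifest shown above and demonstrates that the data field is only base64. The live part, enabled with KES_LIVE_CHECK=1, assumes the parameter path, secret name, key and namespace used in this article and needs aws and kubectl already configured for your account and cluster.

```shell
#!/bin/sh
# Added example for this article (not part of kubernetes-external-secrets):
# check that the Secret produced by the ExternalSecret above really carries
# the SSM value, and show that a Secret's `data` field is only base64-encoded.
set -eu

# Constructed sample of `kubectl get secret postgres-config -o yaml` output
# after a successful sync. "UEBzU3dXKXJk" is base64("P@sSwW)rd").
SAMPLE_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: postgres-config
type: Opaque
data:
  admin_password: UEBzU3dXKXJk
'

# Decode one key from the `data:` block of a Secret manifest read from stdin.
# Kubernetes Secrets are base64, not encrypted: anyone with `get` on secrets
# in the namespace can do exactly this.
secret_value() {
    key="$1"
    awk -v k="$key:" '$1 == k { print $2; exit }' | base64 -d
}

# Compare the value the controller wrote into the Secret with the value
# stored in SSM. Returns 0 when they match, 1 otherwise.
check_synced() {
    ssm_value="$1"
    k8s_value="$2"
    if [ "$ssm_value" = "$k8s_value" ]; then
        echo "OK: Secret matches SSM parameter"
        return 0
    fi
    echo "MISMATCH: Secret is stale or the sync failed" >&2
    return 1
}

# Live variant, run only when KES_LIVE_CHECK=1 (needs aws and kubectl).
# The parameter path, secret name and key are assumptions matching the
# article; adjust them to your cluster.
live_check() {
    ns="$1"
    # --with-decryption is required to read a SecureString in plain text.
    ssm_value=$(aws ssm get-parameter --name "/postgres/adminpass" \
        --with-decryption --query "Parameter.Value" --output text)
    k8s_value=$(kubectl get secret postgres-config --namespace "$ns" \
        -o jsonpath='{.data.admin_password}' | base64 -d)
    check_synced "$ssm_value" "$k8s_value"
}

# Offline demonstration on the constructed sample.
decoded=$(printf '%s' "$SAMPLE_SECRET_YAML" | secret_value admin_password)
check_synced "P@sSwW)rd" "$decoded"

if [ "${KES_LIVE_CHECK:-0}" = "1" ]; then
    live_check "${KES_NAMESPACE:-default}"
fi
```

Run it as-is to see the offline check, or with KES_LIVE_CHECK=1 KES_NAMESPACE={your-namespace} to compare the live Secret with SSM. The script deliberately reads the parameter with --with-decryption using your own credentials, so a mismatch tells you apart a stale Secret (the controller has not resynced yet) from a parameter the controller cannot decrypt.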

Conclusion

This article demonstrates how Kubernetes External Secrets can be used to synchronize secrets stored in AWS SSM Parameter Store into Kubernetes Secrets that your application consumes through ordinary secretKeyRef references.