Version: v0.34 Stable

External Secrets Operator

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Prerequisites

External secrets version

By default, vCluster uses the same CRD version as the External Secrets Operator installed on your control plane cluster. The version field allows you to explicitly set which CRD version to use (e.g., v1beta1 or v1). Ensure your chosen version is supported by the External Secrets Operator on your control plane cluster.

External secrets integration

To enable the external secret integration, set the following fields:

integrations:
  externalSecrets:
    enabled: true
    version: v1 # Optional. If not specified, uses the same CRD version as your host cluster's External Secrets Operator
    sync:
      toHost:
        stores:
          enabled: true
      fromHost:
        clusterStores:
          enabled: true

This enables the integration and the sync for all three CRDs:

  • ExternalSecret: namespaced, synced from the tenant cluster into the control plane cluster and then bi-directionally
  • SecretStore: namespaced, synced from the tenant cluster into the control plane cluster
  • ClusterSecretStore: cluster scoped, synced from the control plane cluster into the tenant cluster

Once the tenant cluster is up and running, you can create a SecretStore inside the tenant cluster. This guide uses the fake store type, which prefills data instead of connecting to a remote secret store.

API Version Compatibility

External Secrets Operator v0.16.2 is the last version that supports the v1beta1 API. Versions v0.17.0 and later provide only v1.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: fake
spec:
  provider:
    fake:
      data:
      - key: "/foo/bar"
        value: "HELLO1"
        version: "v1"
      - key: "/foo/bar"
        value: "HELLO2"
        version: "v2"
      - key: "/foo/baz"
        value: '{"john": "doe"}'
        version: "v1"

Inside the tenant cluster, create the store with kubectl apply -f fake.yaml. This creates a corresponding store in the control plane cluster. You can then create an ExternalSecret in the tenant cluster, which references the SecretStore.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: fake
    kind: SecretStore
  target:
    name: secret-to-be-created
  data:
  - secretKey: foo_bar
    remoteRef:
      key: /foo/bar
      version: v1
  dataFrom:
  - extract:
      key: /foo/baz
      version: v1

After the ExternalSecret is created in the tenant cluster, the integration creates a corresponding resource inside the control plane cluster. The External Secrets Operator running in the control plane cluster then creates the corresponding Kubernetes Secret, which the integration imports into the tenant cluster. Running kubectl get secrets in the tenant cluster now lists secret-to-be-created in its output.

Config reference

externalSecrets (required, object)

ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.

  • ExternalSecrets will be synced from the virtual cluster to the host cluster.
  • SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
  • ClusterSecretStores will be synced from the host cluster to the virtual cluster.

  enabled (required, boolean, default: false)

  Enabled defines whether the external secret integration is enabled or not.

  version (required, string)

  Version defines the version of the external secrets operator to use. If empty, the storage version will be used.

  webhook (required, object)

  Webhook defines whether the host webhooks are reused or not.

    enabled (required, boolean, default: false)

    Enabled defines if this option should be enabled.

  sync (required, object)

  Sync defines the syncing behavior for the integration.

    toHost (required, object)

    ToHost defines what resources are synced from the virtual cluster to the host.

      externalSecrets (required, object)

      ExternalSecrets allows configuring whether only a subset of ExternalSecrets matching a label selector should get synced from the virtual cluster to the host cluster.

        selector (required, object)
          matchLabels (required, object, default: {})
          matchExpressions (required, object[])
            key (required, string)
            operator (required, string)
            values (required, string[])

      stores (required, object)

      Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.

        selector (required, object)
          matchLabels (required, object, default: {})
          matchExpressions (required, object[])
            key (required, string)
            operator (required, string)
            values (required, string[])
        enabled (required, boolean, default: false)

        Enabled defines if this option should be enabled.

    fromHost (required, object)

    FromHost defines what resources are synced from the host cluster to the virtual cluster.

      clusterStores (required, object)

      ClusterStores defines if cluster secret stores should get synced from the host cluster to the virtual cluster.

        selector (required, object)
          matchLabels (required, object, default: {})
          matchExpressions (required, object[])
            key (required, string)
            operator (required, string)
            values (required, string[])
        enabled (required, boolean, default: false)

        Enabled defines if this option should be enabled.
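The selector fields above (matchLabels plus matchExpressions with key, operator and values) decide which tenant ExternalSecrets the toHost sync hands to the host operator. The following is an added example, not code from vCluster: it evaluates such a selector with Kubernetes label-selector semantics against constructed tenant objects; the label key sync.example/to-host, the config values and the assumption that a missing selector syncs everything are all constructed for the example.

```python
# Added example, not vCluster code: applies the toHost.externalSecrets label selector
# (matchLabels AND every matchExpressions term, Kubernetes semantics) to tenant objects.

# Constructed integration config, the dict form of a vcluster.yaml block.
INTEGRATION = {"integrations": {"externalSecrets": {
    "enabled": True,
    "sync": {"toHost": {"externalSecrets": {"selector": {
        "matchLabels": {"sync.example/to-host": "true"},
        "matchExpressions": [
            {"key": "environment", "operator": "NotIn", "values": ["prod"]},
            {"key": "team", "operator": "Exists"},
        ],
    }}}},
}}}

_OPS = {
    "In": lambda labels, k, v: labels.get(k) in v,
    "NotIn": lambda labels, k, v: labels.get(k) not in v,  # absent key also matches
    "Exists": lambda labels, k, v: k in labels,
    "DoesNotExist": lambda labels, k, v: k not in labels,
}

def expression_matches(labels, expr):
    """One matchExpressions term; an unknown operator raises rather than syncing."""
    return _OPS[expr["operator"]](labels, expr["key"], expr.get("values", []))

def selector_matches(selector, labels):
    """All matchLabels pairs and all matchExpressions terms must hold."""
    if any(labels.get(k) != v for k, v in (selector.get("matchLabels") or {}).items()):
        return False
    return all(expression_matches(labels, e) for e in selector.get("matchExpressions") or [])

def synced_to_host(config, external_secrets):
    """Names of tenant ExternalSecrets the toHost sync would create on the host
    (assumption: with no selector configured, every ExternalSecret is synced)."""
    es = config["integrations"]["externalSecrets"]
    if not es.get("enabled"):
        return []
    selector = es.get("sync", {}).get("toHost", {}).get("externalSecrets", {}).get("selector")
    return [o["metadata"]["name"] for o in external_secrets
            if selector is None or selector_matches(selector, o["metadata"].get("labels", {}))]

# Constructed tenant-side ExternalSecret metadata (only name and labels matter here).
TENANT_EXTERNAL_SECRETS = [
    {"metadata": {"name": "example", "labels": {"sync.example/to-host": "true", "team": "payments"}}},
    {"metadata": {"name": "prod-db", "labels": {"sync.example/to-host": "true", "team": "payments", "environment": "prod"}}},
    {"metadata": {"name": "unlabeled", "labels": {}}},
    {"metadata": {"name": "no-team", "labels": {"sync.example/to-host": "true"}}},
]
```

With this selector only the "example" object reaches the host cluster; the prod-labelled, unlabelled and team-less objects stay inside the tenant, which is the narrowing a selector is meant to provide.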