geoffwilliams@home:~$

K8s External Secrets

Developed by GoDaddy and given back to the community, External Secrets fills the gap between K8s Secrets and a secure credential store: the values live in an external secrets manager, but workloads consume them as ordinary K8s Secrets.

External secrets are defined as K8s resources like this:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: dockerconfigjson
  namespace: someorg
spec:
  backendType: secretsManager
  template:
    type: kubernetes.io/dockerconfigjson
  dataFrom:
    - /someorg/dockerconfig_secret

In this case the controller contacts AWS Secrets Manager for the secret named /someorg/dockerconfig_secret and creates a K8s Secret called dockerconfigjson in the someorg namespace. dataFrom copies every key/value pair of the stored secret into the K8s Secret and the template sets its type, so here the stored value must carry a .dockerconfigjson key for the result to be a valid image-pull secret. K8s namespaces limit access to resources in the same namespace, so only subjects with access to someorg can read it.

External Secrets works by contacting the credential provider selected by backendType, e.g. AWS Secrets Manager, and then creating a regular K8s Secret if it can retrieve the value.

This gives transparent access to secrets from K8s while leaving the credential store as the point of truth for the secret value. Note that the value is still copied into a K8s Secret, so etcd encryption at rest and RBAC on Secrets matter as much as before, and the controller itself needs read access to the backend (IAM permissions, in the case of Secrets Manager).
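To make the sync described above concrete, here is an added example (my own illustrative model, not code from kubernetes-external-secrets) that takes the ExternalSecret from this post, looks the named secret up in a constructed stand-in for AWS Secrets Manager, and builds the plain Secret the controller would create. The in-memory FAKE_SECRETS_MANAGER dictionary, its contents, and the REQUIRED_KEYS check are assumptions for the example; the key/namespace behaviour (dataFrom expands the stored JSON keys into data, the Secret takes the ExternalSecret's name and namespace, the template supplies the type) is what the post describes.

```python
"""Illustrative model of an ExternalSecret sync (added example, not
kubernetes-external-secrets code): read the ExternalSecret spec, fetch the
named backend secret, and render the Kubernetes Secret the controller creates."""
import base64
import json

# Constructed stand-in for AWS Secrets Manager: secret name -> SecretString.
# A real controller would call the backend selected by spec.backendType.
FAKE_SECRETS_MANAGER = {
    "/someorg/dockerconfig_secret": json.dumps({
        ".dockerconfigjson": json.dumps({
            "auths": {
                "registry.example.com": {
                    "auth": base64.b64encode(b"user:pass").decode()
                }
            }
        })
    }),
}

# The ExternalSecret from the post, as a Python dict instead of YAML.
EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "dockerconfigjson", "namespace": "someorg"},
    "spec": {
        "backendType": "secretsManager",
        "template": {"type": "kubernetes.io/dockerconfigjson"},
        "dataFrom": ["/someorg/dockerconfig_secret"],
    },
}

# Keys Kubernetes requires for the well-known Secret type used in the post
# (assumed table for this example; extend it for other typed Secrets).
REQUIRED_KEYS = {"kubernetes.io/dockerconfigjson": {".dockerconfigjson"}}


def fetch_backend_secret(backend_type, name, store):
    """Return the stored secret as a dict of key/value pairs."""
    if backend_type != "secretsManager":
        raise ValueError(f"unsupported backendType: {backend_type}")
    if name not in store:
        raise KeyError(f"{name} not found in backend")
    # Secrets Manager returns a SecretString; dataFrom expects it to hold JSON.
    return json.loads(store[name])


def render_secret(external_secret, store):
    """Build the K8s Secret manifest for one ExternalSecret."""
    spec = external_secret["spec"]
    meta = external_secret["metadata"]
    data = {}
    # dataFrom: every key/value of each referenced backend secret becomes a
    # data entry in the resulting Secret, under the same key name.
    for name in spec.get("dataFrom", []):
        data.update(fetch_backend_secret(spec["backendType"], name, store))
    secret_type = spec.get("template", {}).get("type", "Opaque")
    # Fail before creating a Secret that a Pod could not use as an image-pull
    # secret: a typed Secret must carry the keys Kubernetes mandates for it.
    missing = REQUIRED_KEYS.get(secret_type, set()) - set(data)
    if missing:
        raise ValueError(f"type {secret_type} requires keys {sorted(missing)}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        # Same name and namespace as the ExternalSecret that produced it.
        "metadata": {"name": meta["name"], "namespace": meta["namespace"]},
        "type": secret_type,
        # Secret.data is base64-encoded, exactly as kubectl would show it.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def decoded(secret, key):
    """Decode one data entry back to text (what a Pod sees when it mounts it)."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    print(json.dumps(render_secret(EXTERNAL_SECRET, FAKE_SECRETS_MANAGER), indent=2))
```

Running it prints the Secret manifest the controller would apply; pointing the same ExternalSecret at a stored value that lacks the .dockerconfigjson key raises instead of producing an unusable typed Secret, which is the failure worth catching before a Pod's image pull starts failing.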
