External Secrets Operator (ESO)

Precondition

Cluster has to be deployed with the httpbin sample. Otherwise this demo wouldn't work.

OpenBao is automatically deployed with this example. If you already have a deployed OpenBao instance, this script will skip the installation.

Installation

You can install External Secrets Operator with the following startup command:

cd examples/external-secrets
bash setup.sh

The following components are installed with the setup.sh:

• All components described in this section
• Key/Value Store is configured on OpenBao server
  • An example secret is added to new KV secret store (hello/world)
• ESO is deployed via HELM Chart to new namespace external-secrets
• Connection to OpenBao is configured as ClusterSecretStore (clusterwide)
• Two ExternalSecret samples are deployed to namespace demo
  • example-secret - automatically creates a new K8s secret, named k8s-secret, from OpenBao to namespace demo
  • example-secret2 - automatically creates a new K8s secret, named k8s-secret2, from OpenBao to namespace demo

Test

You can test and watch the newly created K8s secrets with the following command:

BASE64_STRING=$(kubectl -n demo get secrets k8s-secret -o json | jq -r .data.helloKey)
echo $BASE64_STRING | base64 -d
# should return "world"

Troubleshooting

There could be some problems with existing filehandles, for example on the rootCA, installed into OpenBao. In this case please drop the namespaces and try again:

kubectl delete ns openbao
kubectl delete ns cert-manager
kubectl delete ns external-secrets