External Secrets Management Integration

While Kubernetes-native Secrets provide basic functionality, external secrets management systems offer enhanced security capabilities. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager provide features like dynamic secrets, automatic rotation, and detailed audit logging. Integration approaches vary from operator patterns to webhook injection.

The Secrets Store CSI Driver provides a standard interface for integrating external secret stores. This driver mounts secrets from external systems as volumes in pods, avoiding storage in Kubernetes Secrets. The CSI driver supports multiple providers through a plugin architecture, enabling organizations to choose appropriate secret stores for their needs.

# SecretProviderClass for Azure Key Vault integration
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault-secrets
  namespace: production
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"            # pod-bound identity; no static credential stored in the cluster
    keyvaultName: "production-keyvault"
    cloudName: "AzurePublicCloud"
    objects: |
      array:
        - |
          objectName: database-password
          objectType: secret
          objectAlias: DB_PASSWORD    # file name the object gets under the mount path
        - |
          objectName: api-key
          objectType: secret
          objectAlias: API_KEY
        - |
          objectName: app-certificate
          objectType: certificate
          objectAlias: TLS_CERT
    tenantId: "${AZURE_TENANT_ID}"    # placeholder, substituted before the manifest is applied
  # Optional sync: mirror the mounted DB_PASSWORD into a Kubernetes Secret so a
  # pod can consume it through secretKeyRef. Omit this block to keep secrets
  # mount-only and out of etcd.
  secretObjects:
  - secretName: database-secret
    type: Opaque
    data:
    - objectName: DB_PASSWORD
      key: password

---
# Pod using CSI driver for secrets
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
  namespace: production
spec:
  serviceAccountName: app-workload-identity
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: secrets-store
      mountPath: "/mnt/secrets"     # each object appears as a file named by its objectAlias
      readOnly: true
    env:
    # Resolves only if the SecretProviderClass syncs DB_PASSWORD into the
    # Kubernetes Secret "database-secret" (secretObjects); the sync happens
    # when this volume is mounted.
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: database-secret
          key: password
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: azure-keyvault-secrets
      # nodePublishSecretRef is only needed for service-principal auth; with
      # pod identity (usePodIdentity in the SecretProviderClass) no credential
      # Secret is referenced here.

---
# Vault integration using Agent Injector
apiVersion: v1
kind: Pod
metadata:
  name: vault-integrated-app
  namespace: production
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    # Vault Kubernetes-auth role; it must be bound to the pod's service account
    vault.hashicorp.com/role: "production-app"
    # Dynamic database credentials, rendered by the agent to /vault/secrets/database
    vault.hashicorp.com/agent-inject-secret-database: "database/creds/production"
    vault.hashicorp.com/agent-inject-template-database: |
      {{- with secret "database/creds/production" -}}
      export DB_USERNAME="{{ .Data.username }}"
      export DB_PASSWORD="{{ .Data.password }}"
      {{- end }}
spec:
  serviceAccountName: vault-auth
  containers:
  - name: app
    image: myapp:latest
    # POSIX sh has no "source"; use "." to read the rendered file, then exec the app
    command: ["sh", "-c"]
    args: [". /vault/secrets/database && exec myapp"]

The External Secrets Operator provides Kubernetes-native integration with external secret stores. The operator synchronizes secrets from external systems into Kubernetes Secrets, so existing consumption patterns (environment variables, volume mounts) keep working while authentication, rotation, and audit logging stay with the external store. It supports multiple providers and can template or transform secret values during synchronization.