Helm/External Secrets Operator: Difference between revisions

Latest revision as of 17:44, 24 January 2026

helm repo add external-secrets https://charts.external-secrets.io helm repo update && helm repo list kubectl config get-contexts

Helm » Context

export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install
helm show values external-secrets/external-secrets --version=1.2.0\|less helm show values external-secrets/external-secrets --version=1.2.1\|less
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" kubectl create ns external-secrets-operator-system \|\| true	kubectl get ns\|grep external-secrets-operator-system kubectl delete ns external-secrets-operator-system \|\| true
Install	Notes
cat <<'YML' \| \ helm -n=external-secrets-operator-system upgrade \ -i eso external-secrets/external-secrets --version=1.2.1 -f - --- installCRDs: true nameOverride: eso fullnameOverride: eso replicaCount: 1 revisionHistoryLimit: 5 image: repository: ghcr.io/external-secrets/external-secrets tag: v1.2.1 webhook: replicaCount: 1 revisionHistoryLimit: 5 image: repository: ghcr.io/external-secrets/external-secrets tag: v1.2.1 YML
Verify
helm -n=external-secrets-operator-system status eso helm -n=external-secrets-operator-system get manifest eso

Helm » Config

Helm » Config
Scale » Down	Scale » Up
kubectl -n=external-secrets-operator-system \ scale deploy/eso --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso --replicas=1
kubectl -n=external-secrets-operator-system \ scale deploy/eso-webhook --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso-webhook --replicas=1
kubectl -n=external-secrets-operator-system \ scale deploy/eso-cert-controller --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso-cert-controller --replicas=1

Helm » Debug

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

Helm » Uninstall

helm -n=external-secrets-operator-system status    vso
helm -n=external-secrets-operator-system get all   vso
helm -n=external-secrets-operator-system uninstall vso

kubectl -n=external-secrets-operator-system delete pvc --all
kubectl                                     delete ns  external-secrets-operator-system
kubectl                                     delete pv  vso-data-vso-0

Vault » Config

Context Namespace

export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info


kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'


kubectl get ns shahed-academia
kubectl     -n=shahed-academia get SecretStore    store-shahed-ab
kubectl     -n=shahed-academia get ExternalSecret academia-audit-ext

cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML

kubectl get namespace shahed-academia -o=yaml

Skipped » Find More 👉 Vault » Auth Skipped » Find More 👉 Vault » Engine » KV

Config » Approle

Vault » Policy Vault » Role

cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app

vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h

vault policy   read            policy-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app/role-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
 secret_id=26701c33-1362-e744-6b2a-c28250b3ee64

Approle » Init

SecretStore ExternalSecret » data

cat <<ENV | \
kubectl -n shahed-academia create secret generic store-shahed-ab-app \
 --from-env-file=/dev/stdin --dry-run=client -o=yaml | kubectl apply -f -
secret_id_accessor=cf764c1d-b3c6-5e15-2e57-ccbf5f982a0b
secret_id=b7c1390e-a6e4-de2c-7c75-ee54bf3032b6
ENV

kubectl -n=shahed-academia get    Secret         store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete Secret         store-shahed-ab-app

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab-app
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        appRole:
          path: approle
          roleId: ae4560db-53da-9610-64d5-efc2fda45bed
          secretRef:
            name: store-shahed-ab-app
            key: secret_id
YML

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab-app -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab-app

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso-app
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab-app
    kind: SecretStore

  target:
    name: academia-audit-eso-app
    template:
      engineVersion: v2
      templateFrom:
      - target: Data
        literal: |
          {{- range $k, $v := . }}
          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
          {{- end }}

  dataFrom:
  - extract:
      key: audit

YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso-app -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso-app -o=yaml

kubectl -n=shahed-academia delete Secret         academia-audit-eso-app
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app

Config » Kubernetes

Vault » Policy Vault » Role

cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso

Kubernetes » Init

SecretStore ExternalSecret » data

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        kubernetes:
          serviceAccountRef:
            name: default
            namespace: shahed-academia
          mountPath: kubernetes
          role: role-shahed-ab-eso

YML

kubectl get    clusterrolebinding|grep -i eso-
kubectl get    clusterrolebinding eso-controller      -o=yaml
kubectl get    clusterrolebinding eso-cert-controller -o=yaml

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
  dataFrom:
  - extract:
      key: audit
    rewrite:
    - regexp:
        source: "([a-z])([A-Z])|[-.]"
        target: "${1}_${2}"
YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso -o=yaml


kubectl -n=shahed-academia delete Secret         academia-audit-eso
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso

Kubernetes » Advance
ExternalSecret » `application.properties`	ExternalSecret » `.env`
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 data: application.properties: \| {{- range $k, $v := . }} {{ $k }}={{ $v }} {{- end }} dataFrom: - extract: key: audit YML	cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 data: .env: \| {{- range $k, $v := . }} {{ $k \| replace "-" "_" \| replace "." "_" \| upper }}={{ $v }} {{- end }} dataFrom: - extract: key: audit YML
ExternalSecret » `data`	ExternalSecret » Refresh
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 templateFrom: - target: Data literal: \| {{- range $k, $v := . }} {{ $k \| toString \| replace "-" "_" \| replace "." "_" \| upper }}: {{ $v \| quote }} {{- end }} dataFrom: - extract: key: audit YML	kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso \ force-sync=$(date +%s) --overwrite kubectl -n shahed-academia get ExternalSecret academia-audit-eso -w kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso

Playground

Playground
helm -n=external-secrets-operator-system install eso external-secrets/external-secrets --version=1.2.0 helm -n=external-secrets-operator-system upgrade -i eso external-secrets/external-secrets --version=1.2.1 helm show values external-secrets/external-secrets --version=1.2.1\|less
kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso -c external-secrets kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-cert-controller -c cert-controller kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-cert-controller kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-webhook kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook kubectl -n=external-secrets-operator-system get pods --show-labels
kubectl -n=external-secrets-operator-system delete all --all kubectl -n=external-secrets-operator-system delete ing --all kubectl -n=external-secrets-operator-system delete sts --all	kubectl delete pv vso-data-vso-0 kubectl -n=external-secrets-operator-system delete svc --all kubectl -n=external-secrets-operator-system delete pvc --all
kubectl -n=external-secrets-operator-system rollout history deploy/eso kubectl -n=external-secrets-operator-system rollout restart deploy/eso kubectl -n=external-secrets-operator-system rollout status deploy/eso
kubectl -n=external-secrets-operator-system exec -it svc/eso-webhook -c webhook -- ash kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook

References

References
Helm » External Secrets Operator Helm » Vault Secrets Operator Helm » Prometheus Stack Helm » Cert Manager Helm » Harbor Helm » Pi-Hole Helm » Vault Helm	Vault » Docs » Secrets management Vault » Docs » Build your CA Vault » Docs » Monitoring Vault » Docs » How Vault » Docs » Why Vault » Install Vault
K8s » Configure Service Accounts for Pods K8s » Restart Pods With Kubectl K8s » Interactive Pod K8s » Restart Pods Docker » Makefile Kubernetes Minikube Kubectl CURL K8s	K8s » `kubectl rollout` K8s » CSI Hostpath Driver Security » Password K8s » Storage K8s » Ingress K8s » Service K8s » Run MinIO CIDR UFW	Bind9 » Authoritative DNS Server Bind9 » Secondary DNS Server Minikube » Ingress DNS Minikube » Systemd Minikube » MetalLB Minikube » Registry Minikube » Tunnel Localtunnel ZA Proxy

Helm/External Secrets Operator: Difference between revisions

Latest revision as of 17:44, 24 January 2026

Contents

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

@@ Line 221: / Line 221: @@
 |valign='top'|
 |-
-!scope='col'| Vault » Policy
+|valign='top' colspan='2'|
-!scope='col'| Vault » Role
+{|class='wikitable mw-collapsible'
+!scope='col' style='text-align:left' colspan='2'|
+Config » Approle
+|-
+!scope='col' style='width:50%'| Vault » Policy
+!scope='col' style='width:50%'| Vault » Role
+|-
+|valign='top'|
+<syntaxhighlight lang='bash'>
+cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
+# Mount : shahed/academia/dev
+# Secret: audit
+path "shahed/academia/dev/data/audit" {
+  capabilities = ["read"]
+}
+INI
+vault policy read policy-shahed-ab-eso-app
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+vault write    auth/approle/role/role-shahed-ab-eso-app \
+    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang='bash'>
+vault policy   read            policy-shahed-ab-eso-app
+vault read     auth/approle/role/role-shahed-ab-eso-app
+vault read     auth/approle/role/role-shahed-ab-eso-app/role-id
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
+vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
+vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
+ secret_id=26701c33-1362-e744-6b2a-c28250b3ee64
+</syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='text-align:left' colspan='2'|
+Approle » Init
+|-
+!scope='col' style='width:50%'| SecretStore
+!scope='col' style='width:50%'| ExternalSecret » <code>data</code>
+|-
+|valign='top'|
+<syntaxhighlight lang='bash'>
+cat <<ENV | \
+kubectl -n shahed-academia create secret generic store-shahed-ab-app \
+ --from-env-file=/dev/stdin --dry-run=client -o=yaml | kubectl apply -f -
+secret_id_accessor=cf764c1d-b3c6-5e15-2e57-ccbf5f982a0b
+secret_id=b7c1390e-a6e4-de2c-7c75-ee54bf3032b6
+ENV
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia get    Secret         store-shahed-ab-app -o=yaml
+kubectl -n=shahed-academia delete Secret         store-shahed-ab-app
+</syntaxhighlight>
+<syntaxhighlight lang='yaml'>
+cat <<'YML' | \
+kubectl -n shahed-academia apply -f -
+---
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: store-shahed-ab-app
+  namespace: shahed-academia
+spec:
+  provider:
+    vault:
+      server: http://vault.vault.svc.cluster.local:8200
+      path: shahed/academia/dev
+      version: v2
+      auth:
+        appRole:
+          path: approle
+          roleId: ae4560db-53da-9610-64d5-efc2fda45bed
+          secretRef:
+            name: store-shahed-ab-app
+            key: secret_id
+YML
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia get    SecretStore    store-shahed-ab-app -o=yaml
+kubectl -n=shahed-academia delete SecretStore    store-shahed-ab-app
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang='yaml'>
+cat <<'YML' | \
+kubectl -n shahed-academia apply -f -
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: academia-audit-eso-app
+  namespace: shahed-academia
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: store-shahed-ab-app
+    kind: SecretStore
+  target:
+    name: academia-audit-eso-app
+    template:
+      engineVersion: v2
+      templateFrom:
+      - target: Data
+        literal: |
+          {{- range $k, $v := . }}
+          {{ $k | toString | replace "-" "_" | replace "." "_" | upper }}: {{ $v | quote }}
+          {{- end }}
+  dataFrom:
+  - extract:
+      key: audit
+YML
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia get    Secret         academia-audit-eso-app -o=yaml
+kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso-app -o=yaml
+</syntaxhighlight>
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia delete Secret         academia-audit-eso-app
+kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app
+</syntaxhighlight>
+|}
+|}
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='text-align:left' colspan='2'|
+Config » Kubernetes
+|-
+!scope='col' style='width:50%'| Vault » Policy
+!scope='col' style='width:50%'| Vault » Role
 |-
 |valign='top'|
@@ Line 250: / Line 395: @@
 </syntaxhighlight>
 |-
-!scope='col'| SecretStore
+|valign='top' colspan='2'|
-!scope='col'| ExternalSecret » <code>data</code>
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='text-align:left' colspan='2'|
+Kubernetes » Init
+|-
+!scope='col' style='width:50%'| SecretStore
+!scope='col' style='width:50%'| ExternalSecret » <code>data</code>
 |-
 |valign='top'|
@@ Line 276: / Line 426: @@
            mountPath: kubernetes
            role: role-shahed-ab-eso
 YML
 </syntaxhighlight>
@@ Line 281: / Line 432: @@
 <syntaxhighlight lang='bash'>
 kubectl get    clusterrolebinding|grep -i eso-
 kubectl get    clusterrolebinding eso-controller      -o=yaml
 kubectl get    clusterrolebinding eso-cert-controller -o=yaml
@@ Line 308: / Line 458: @@
    dataFrom:
    - extract:
-       key: shahed/academia/dev/audit
+       key: audit
      rewrite:
      - regexp:
@@ Line 324: / Line 474: @@
 kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso
 </syntaxhighlight>
+|}
+|-
+|valign='top' colspan='2'|
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='text-align:left' colspan='2'|
+Kubernetes » Advance
 |-
-!scope='col'| ExternalSecret » <code>application.properties</code>
+!scope='col' style='width:50%'| ExternalSecret » <code>application.properties</code>
-!scope='col'| ExternalSecret » <code>.env</code>
+!scope='col' style='width:50%'| ExternalSecret » <code>.env</code>
 |-
 |valign='top'|
@@ Line 439: / Line 595: @@
 kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso
 </syntaxhighlight>
+|}
+|}
 |}

Helm/External Secrets Operator: Difference between revisions

Latest revision as of 17:44, 24 January 2026

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

Search