Helm/External Secrets Operator: Difference between revisions

Revision as of 07:27, 25 January 2026

helm repo add external-secrets https://charts.external-secrets.io helm repo update && helm repo list kubectl config get-contexts

Helm » Context

export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install
helm show values external-secrets/external-secrets --version=1.2.0\|less helm show values external-secrets/external-secrets --version=1.2.1\|less
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" kubectl create ns external-secrets-operator-system \|\| true	kubectl get ns\|grep external-secrets-operator-system kubectl delete ns external-secrets-operator-system \|\| true
Install	Notes
cat <<'YML' \| \ helm -n=external-secrets-operator-system upgrade \ -i eso external-secrets/external-secrets --version=1.2.1 -f - --- installCRDs: true nameOverride: eso fullnameOverride: eso replicaCount: 1 revisionHistoryLimit: 5 image: repository: ghcr.io/external-secrets/external-secrets tag: v1.2.1 webhook: replicaCount: 1 revisionHistoryLimit: 5 image: repository: ghcr.io/external-secrets/external-secrets tag: v1.2.1 YML
Verify
helm -n=external-secrets-operator-system status eso helm -n=external-secrets-operator-system get manifest eso

Helm » Config

Helm » Config
Scale » Down	Scale » Up
kubectl -n=external-secrets-operator-system \ scale deploy/eso --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso --replicas=1
kubectl -n=external-secrets-operator-system \ scale deploy/eso-webhook --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso-webhook --replicas=1
kubectl -n=external-secrets-operator-system \ scale deploy/eso-cert-controller --replicas=0	kubectl -n=external-secrets-operator-system \ scale deploy/eso-cert-controller --replicas=1

Helm » Debug

kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-cert-controller
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso-webhook
kubectl -n=external-secrets-operator-system logs -f  -l app.kubernetes.io/name=eso

kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook -c webhook
kubectl -n=external-secrets-operator-system logs -f  svc/eso-webhook

Helm » Uninstall

helm -n=external-secrets-operator-system status    vso
helm -n=external-secrets-operator-system get all   vso
helm -n=external-secrets-operator-system uninstall vso

kubectl -n=external-secrets-operator-system delete pvc --all
kubectl                                     delete ns  external-secrets-operator-system
kubectl                                     delete pv  vso-data-vso-0

Vault » Config

Context Namespace

export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info


kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'


kubectl get ns shahed-academia
kubectl     -n=shahed-academia get SecretStore    store-shahed-ab
kubectl     -n=shahed-academia get ExternalSecret academia-audit-eso

cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML

kubectl get namespace shahed-academia -o=yaml

Skipped » Find More 👉 Vault » Auth Skipped » Find More 👉 Vault » Engine » KV Skipped » Find More 👉 Vault » Config » Reloader

Config » Approle

Vault » Policy Vault » Role

cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app

vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h

vault policy   read            policy-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app/role-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
 secret_id=26701c33-1362-e744-6b2a-c28250b3ee64

Approle » Init
SecretStore	ExternalSecret » `data`
cat <<ENV \| \ kubectl -n shahed-academia create secret generic store-shahed-ab-app \ --from-env-file=/dev/stdin --dry-run=client -o=yaml \| kubectl apply -f - secret_id_accessor=cf764c1d-b3c6-5e15-2e57-ccbf5f982a0b secret_id=b7c1390e-a6e4-de2c-7c75-ee54bf3032b6 ENV kubectl -n=shahed-academia get Secret store-shahed-ab-app -o=yaml kubectl -n=shahed-academia delete Secret store-shahed-ab-app cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: SecretStore metadata: name: store-shahed-ab-app namespace: shahed-academia spec: provider: vault: server: http://vault.vault.svc.cluster.local:8200 path: shahed/academia/dev version: v2 auth: appRole: path: approle roleId: ae4560db-53da-9610-64d5-efc2fda45bed secretRef: name: store-shahed-ab-app key: secret_id YML kubectl -n=shahed-academia get SecretStore store-shahed-ab-app -o=yaml kubectl -n=shahed-academia delete SecretStore store-shahed-ab-app	cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso-app namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab-app kind: SecretStore target: name: academia-audit-eso-app template: engineVersion: v2 templateFrom: - target: Data literal: \| {{- range $k, $v := . }} {{ $k \| toString \| replace "-" "_" \| replace "." "_" \| upper }}: {{ $v \| quote }} {{- end }} dataFrom: - extract: key: audit YML kubectl -n=shahed-academia get Secret academia-audit-eso-app -o=yaml kubectl -n=shahed-academia get ExternalSecret academia-audit-eso-app -o=yaml kubectl -n=shahed-academia delete Secret academia-audit-eso-app kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app
Refresh	Watch
kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso-app kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso-app \ force-sync=$(date +%s) --overwrite	kubectl -n=shahed-academia get Secret academia-audit-eso-app -o=yaml kubectl -n shahed-academia get ExternalSecret academia-audit-eso-app -w kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso-app

Config » Kubernetes

Vault » Policy Vault » Role

cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso

Kubernetes » Init

SecretStore ExternalSecret » data

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: store-shahed-ab
  namespace: shahed-academia
spec:
  provider:
    vault:
      server: http://vault.vault.svc.cluster.local:8200
      path: shahed/academia/dev
      version: v2
      auth:
        kubernetes:
          serviceAccountRef:
            name: default
            namespace: shahed-academia
          mountPath: kubernetes
          role: role-shahed-ab-eso

YML

kubectl get    clusterrolebinding|grep -i eso-
kubectl get    clusterrolebinding eso-controller      -o=yaml
kubectl get    clusterrolebinding eso-cert-controller -o=yaml

kubectl -n=shahed-academia get    SecretStore    store-shahed-ab -o=yaml
kubectl -n=shahed-academia delete SecretStore    store-shahed-ab

cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: academia-audit-eso
  namespace: shahed-academia
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: store-shahed-ab
    kind: SecretStore
  target:
    name: academia-audit-eso
  dataFrom:
  - extract:
      key: audit
    rewrite:
    - regexp:
        source: "([a-z])([A-Z])|[-.]"
        target: "${1}_${2}"
YML

kubectl -n=shahed-academia get    Secret         academia-audit-eso -o=yaml
kubectl -n=shahed-academia get    ExternalSecret academia-audit-eso -o=yaml


kubectl -n=shahed-academia delete Secret         academia-audit-eso
kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso

Kubernetes » Advance
ExternalSecret » `application.properties`	ExternalSecret » `.env`
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 data: application.properties: \| {{- range $k, $v := . }} {{ $k }}={{ $v }} {{- end }} dataFrom: - extract: key: audit YML	cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 data: .env: \| {{- range $k, $v := . }} {{ $k \| replace "-" "_" \| replace "." "_" \| upper }}={{ $v }} {{- end }} dataFrom: - extract: key: audit YML
ExternalSecret » `data`	ExternalSecret » Refresh
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: academia-audit-eso namespace: shahed-academia spec: refreshInterval: 1h secretStoreRef: name: store-shahed-ab kind: SecretStore target: name: academia-audit-eso template: engineVersion: v2 templateFrom: - target: Data literal: \| {{- range $k, $v := . }} {{ $k \| toString \| replace "-" "_" \| replace "." "_" \| upper }}: {{ $v \| quote }} {{- end }} dataFrom: - extract: key: audit YML	kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso \ force-sync=$(date +%s) --overwrite kubectl -n shahed-academia get ExternalSecret academia-audit-eso -w kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso

Playground

Playground
helm -n=external-secrets-operator-system install eso external-secrets/external-secrets --version=1.2.0 helm -n=external-secrets-operator-system upgrade -i eso external-secrets/external-secrets --version=1.2.1 helm show values external-secrets/external-secrets --version=1.2.1\|less
kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso -c external-secrets kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-cert-controller -c cert-controller kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-cert-controller kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso-webhook kubectl -n=external-secrets-operator-system logs -f -l app.kubernetes.io/name=eso kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook kubectl -n=external-secrets-operator-system get pods --show-labels
kubectl -n=external-secrets-operator-system delete all --all kubectl -n=external-secrets-operator-system delete ing --all kubectl -n=external-secrets-operator-system delete sts --all	kubectl delete pv vso-data-vso-0 kubectl -n=external-secrets-operator-system delete svc --all kubectl -n=external-secrets-operator-system delete pvc --all
kubectl -n=external-secrets-operator-system rollout history deploy/eso kubectl -n=external-secrets-operator-system rollout restart deploy/eso kubectl -n=external-secrets-operator-system rollout status deploy/eso
kubectl -n=external-secrets-operator-system exec -it svc/eso-webhook -c webhook -- ash kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook -c webhook kubectl -n=external-secrets-operator-system logs -f svc/eso-webhook

References

References
Helm » External Secrets Operator Helm » Vault Secrets Operator Helm » Prometheus Stack Helm » Cert Manager Helm » Reloader Helm » Harbor Helm » Pi-Hole Helm » Vault Helm	Vault » Docs » Secrets management Vault » Docs » Build your CA Vault » Docs » Monitoring Vault » Docs » How Vault » Docs » Why Vault » Install Vault
K8s » Configure Service Accounts for Pods K8s » Restart Pods With Kubectl K8s » Interactive Pod K8s » Restart Pods Docker » Makefile Kubernetes Minikube Kubectl CURL K8s	K8s » `kubectl rollout` K8s » CSI Hostpath Driver Security » Password K8s » Storage K8s » Ingress K8s » Service K8s » Run MinIO CIDR UFW	Bind9 » Authoritative DNS Server Bind9 » Secondary DNS Server Minikube » Ingress DNS Minikube » Systemd Minikube » MetalLB Minikube » Registry Minikube » Tunnel Localtunnel ZA Proxy

@@ Line 192: / Line 192: @@
 kubectl get ns shahed-academia
 kubectl     -n=shahed-academia get SecretStore    store-shahed-ab
-kubectl     -n=shahed-academia get ExternalSecret academia-audit-ext
+kubectl     -n=shahed-academia get ExternalSecret academia-audit-eso
 </syntaxhighlight>
@@ Line 218: / Line 218: @@
 ----
 * [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]]
+----
+* [[Helm/Reloader#Reloader » Config|Skipped » Find More 👉 Vault » Config » Reloader]]
 |}
 |valign='top'|
 |-
 |valign='top' colspan='2'|
-{|class='wikitable mw-collapsible'
+{|class='wikitable mw-collapsible mw-collapsed'
 !scope='col' style='text-align:left' colspan='2'|
 Config » Approle
@@ Line 359: / Line 361: @@
 kubectl -n=shahed-academia delete Secret         academia-audit-eso-app
 kubectl -n=shahed-academia delete ExternalSecret academia-audit-eso-app
+</syntaxhighlight>
+|-
+!scope='col'| Refresh
+!scope='col'| Watch
+|-
+|valign='top'|
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso-app
+kubectl -n=shahed-academia annotate ExternalSecret academia-audit-eso-app \
+ force-sync=$(date +%s) --overwrite
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang='bash'>
+kubectl -n=shahed-academia get      Secret         academia-audit-eso-app -o=yaml
+kubectl -n shahed-academia get      ExternalSecret academia-audit-eso-app -w
+kubectl -n=shahed-academia describe ExternalSecret academia-audit-eso-app
 </syntaxhighlight>
 |}
@@ Line 665: / Line 684: @@
 * [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
 * [[Helm/Cert Manager|Helm » Cert Manager]]
+* [[Helm/Reloader|Helm » Reloader]]
 * [[Helm/Harbor|Helm » Harbor]]
 * [[Helm/Pi-Hole|Helm » Pi-Hole]]

Helm/External Secrets Operator: Difference between revisions

Revision as of 07:27, 25 January 2026

Contents

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

Helm/External Secrets Operator: Difference between revisions

Revision as of 07:27, 25 January 2026

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

Search