External Secrets Operator: Generate secrets using a template

Kubernetes ExternalSecret

2 min read | by Jordi Prats

We can use the External Secrets Operator to retrieve secrets from a backend and push them into a vanilla Kubernetes Secret, to be consumed as usual as key-value pairs. Not all applications consume secrets in the same way, so we might need to format the value so that the application can read it.

Let's take as an example the following ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  data:
  - secretKey: demo
    remoteRef:
      key: secret/demo
      property: secret

We'll get a Secret that contains the data retrieved under the data.demo key:

$ kubectl get secret vault-example -o jsonpath='{.data}'
{"demo":"czNjcjN0"}

We might need to use some other format under a different key name, for example:

somethingelse: "data retrieved from Vault is VALUE"

We can use spec.target.template for this:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example-with-template
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    template:
      data:
        somekey: |
          somethingelse: "data retrieved from Vault is {{ .demo }}"
  data:
  - secretKey: demo
    remoteRef:
      key: secret/demo
      property: secret

Applying this ExternalSecret we'll be able to see how it creates the Secret using the alternate key:

$ kubectl get secret vault-example-with-template -o jsonpath='{.data}'
{"somekey":"cHV0YSBFc3BhbnlhIGkgbGEgcHV0YSBtYXJlIHF1ZSBlbHMgdmEgcGFyaXIgYSB0b3RzCg=="}

With the format we have defined as a template:

$ kubectl get secret vault-example-with-template -o jsonpath='{.data.somekey}' | base64 -d
somethingelse: "data retrieved from Vault is s3cr3t"
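To check a templated Secret without piping its decoded value to the terminal, the following added example (not code from the original post or from the External Secrets Operator project) rebuilds the expected .data map and reports differences by key name only. The render function is a simplified stand-in that handles only {{ .key }} placeholders, not the operator's real template engine; the function names and the sample input are assumptions constructed from the values shown above.

```python
import base64
import json
import re

# Constructed sample: .data of the plain Secret, as printed by
# `kubectl get secret vault-example -o jsonpath='{.data}'` above.
PLAIN_DATA = '{"demo":"czNjcjN0"}'
# The template from spec.target.template.data.somekey. A YAML "|" block
# scalar keeps one trailing newline, hence the "\n".
TEMPLATE = 'somethingelse: "data retrieved from Vault is {{ .demo }}"\n'

PLACEHOLDER = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def decode_data(data_json):
    """Decode a Secret's .data map (base64 values) into plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in json.loads(data_json).items()}


def render(template, values):
    """Substitute {{ .key }} placeholders only (simplified stand-in)."""
    def lookup(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"template references {key!r}, not fetched in spec.data")
        return values[key]
    return PLACEHOLDER.sub(lookup, template)


def expected_secret_data(template_data, values):
    """Build the .data map the templated Secret should contain."""
    return {
        key: base64.b64encode(render(tpl, values).encode()).decode()
        for key, tpl in template_data.items()
    }


def check(actual_data_json, template_data, values):
    """Return a list of problems, naming keys only so no value is printed."""
    actual = json.loads(actual_data_json)
    expected = expected_secret_data(template_data, values)
    problems = [f"missing key {k}" for k in expected if k not in actual]
    problems += [f"unexpected key {k}" for k in actual if k not in expected]
    problems += [f"content mismatch in {k}" for k in expected
                 if k in actual and actual[k] != expected[k]]
    return problems
```

An empty list from check() means the Secret holds exactly the templated keys with the expected content; as in the output above, the raw demo key is not expected in the templated Secret.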

Posted on 08/11/2022