Merged
190 changes: 188 additions & 2 deletions CLAUDE.md
Expand Up @@ -52,6 +52,35 @@ done
tk show tanka/environments/mop-edge | kubectl apply --dry-run=client -f -
```

### External Secrets Operator (ESO)
```bash
# Check ESO deployment status
kubectl get pods -n mop -l app.kubernetes.io/name=external-secrets

# View installed CRDs
kubectl get crds | grep external-secrets

# List SecretStores
kubectl get secretstores -n mop
kubectl get clustersecretstores

# List ExternalSecrets and their sync status
kubectl get externalsecrets -n mop
kubectl describe externalsecret <name> -n mop

# Check if secrets were created successfully
kubectl get secrets -n mop

# View ESO logs for troubleshooting
kubectl logs -n mop -l app.kubernetes.io/name=external-secrets --tail=100

# Apply example SecretStore
kubectl apply -f <(tk show . <<< 'import "examples/eso-secretstore.jsonnet"' | yq 'select(.kind == "SecretStore")')

# Apply example ExternalSecret
kubectl apply -f <(tk show . <<< 'import "examples/eso-externalsecret.jsonnet"' | yq 'select(.kind == "ExternalSecret")')
```

## Architecture and Structure

### Core Technologies
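Review bot: the two `kubectl apply` lines at the end of the ESO block pipe Jsonnet into `tk show .` via a here-string, but `tk show` takes an environment directory rather than Jsonnet on stdin, so please confirm these commands actually evaluate the example files; note also that `import "examples/eso-secretstore.jsonnet"` only resolves when the working directory is `tanka/`, since the tree in this same file places the examples under `tanka/examples/`. Two smaller points in the same block: `kubectl get secrets -n mop` under "Check if secrets were created successfully" lists every Secret in the namespace, while the sync result is recorded on the ExternalSecret itself (e.g. `kubectl get externalsecret <name> -n mop -o jsonpath='{.status.conditions}'`), and because this file is consumed by an automated agent, troubleshooting steps should avoid anything that dumps Secret data (`-o yaml` on a Secret) into its context. Finally, the selector `app.kubernetes.io/name=external-secrets` matches the controller pods only, so the "deployment status" check will miss the webhook and cert-controller pods, which the upstream chart labels separately.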
Expand All @@ -61,7 +90,7 @@ tk show tanka/environments/mop-edge | kubectl apply --dry-run=client -f -
- **Kubernetes**: Deployment platform (configured for minikube context)

### Observability Stack Components
The platform deploys: Prometheus, Grafana, Loki, Mimir, Tempo, Alloy/Alloy Operator, and optionally Backstage.
The platform deploys: Prometheus, Grafana, Loki, Mimir, Tempo, Alloy/Alloy Operator, External Secrets Operator, and optionally Backstage.

### Three-Tier Environment Model
- **mop-central**: Central management environment
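Review bot: External Secrets Operator is not an observability component, so adding it to the "Observability Stack Components" sentence is misleading; a separate one-line "Platform services" entry, or a pointer to the Secret Management section added later in this file, would be clearer. The sentence also leaves open whether ESO runs in all three environments or only some, and whether it is optional in the way Backstage is; the ESO command block above assumes it is deployed in the `mop` namespace, so please state that here.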
Expand All @@ -78,8 +107,13 @@ Each environment is a separate Tanka environment with its own:
tanka/
├── lib/ # Shared Jsonnet libraries
│ ├── common.libsonnet # Common configurations and defaults
│ ├── eso.libsonnet # External Secrets Operator helpers
│ ├── k.libsonnet # Kubernetes utilities
│ └── utils.libsonnet # Utility functions
├── examples/ # Example configurations and patterns
│ ├── eso-secretstore.jsonnet # SecretStore examples
│ ├── eso-externalsecret.jsonnet # ExternalSecret examples
│ └── eso-backstage-migration.jsonnet # Backstage ESO migration
├── environments/ # Environment-specific configurations
└── vendor/ # Vendored Jsonnet dependencies
```
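Review bot: the tree omits `tanka/examples/README.md`, which the Examples section later in this file lists as the detailed usage guide; either add it here or drop that reference. It would also help to note next to `eso-backstage-migration.jsonnet` whether any environment actually imports it or whether it is documentation only, so a reader does not mistake an example for live configuration.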
Expand All @@ -101,4 +135,156 @@ tanka/
- Environment-specific values are parameterized in `main.jsonnet`
- Common configurations are abstracted in `tanka/lib/common.libsonnet`
- Kubernetes utilities are available via `tanka/lib/k.libsonnet`
- All environments target minikube context by default
- All environments target minikube context by default

## Secret Management with External Secrets Operator

### ESO Architecture
External Secrets Operator (ESO) syncs secrets from external secret management systems (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, Kubernetes Secrets, etc.) into Kubernetes Secrets.

**Key Components:**
- **SecretStore**: Namespace-scoped configuration for secret backend
- **ClusterSecretStore**: Cluster-scoped configuration for secret backend (recommended for production)
- **ExternalSecret**: Defines which secrets to sync and how to map them

### Using ESO Library (tanka/lib/eso.libsonnet)

The ESO library provides helpers for common secret patterns:

```jsonnet
local eso = import 'eso.libsonnet';

{
// Create a SecretStore for Kubernetes backend (dev/testing)
secretStore: eso.secretStore.new('kubernetes-backend', namespace='mop'),

// Create a ClusterSecretStore for AWS Secrets Manager
awsStore: eso.clusterSecretStore.awsSecretsManager(
name='aws-backend',
region='us-east-1',
role='arn:aws:iam::123456789012:role/external-secrets'
),

// Create an API token secret
apiToken: eso.patterns.apiTokenSecret(
name='my-api-token',
namespace='mop',
secretStore='kubernetes-backend',
tokenKey='source-secret-name'
),

// Create database credentials
dbCreds: eso.patterns.databaseSecret(
name='postgres-creds',
namespace='mop',
secretStore='kubernetes-backend',
dbSecretKey='postgres-config'
),
}
```

### Backend Configurations

**Kubernetes Backend (Development):**
```jsonnet
local eso = import 'eso.libsonnet';
{
store: eso.secretStore.new('kubernetes-backend', 'mop'),
}
```

**AWS Secrets Manager:**
```jsonnet
local eso = import 'eso.libsonnet';
{
store: eso.clusterSecretStore.awsSecretsManager(
name='aws-backend',
region='us-east-1',
role='arn:aws:iam::ACCOUNT:role/external-secrets'
),
}
```

**GCP Secret Manager:**
```jsonnet
local eso = import 'eso.libsonnet';
{
store: eso.clusterSecretStore.gcpSecretManager(
name='gcp-backend',
projectID='my-project'
),
}
```

**HashiCorp Vault:**
```jsonnet
local eso = import 'eso.libsonnet';
{
store: eso.clusterSecretStore.vault(
name='vault-backend',
server='https://vault.example.com:8200',
path='secret'
),
}
```

### Creating ExternalSecrets

**Simple pattern:**
```jsonnet
local eso = import 'eso.libsonnet';
{
secret: eso.externalSecret.new(
name='my-secret',
namespace='mop',
secretStore='kubernetes-backend',
refreshInterval='1h'
) + eso.externalSecret.withData('key', 'remote-secret-name'),
}
```

**With property selection (for JSON secrets):**
```jsonnet
local eso = import 'eso.libsonnet';
{
secret: eso.externalSecret.new(
name='my-secret',
namespace='mop',
secretStore='kubernetes-backend'
) + eso.externalSecret.withDataProperty('password', 'db-config', 'password'),
}
```

**Using ClusterSecretStore:**
```jsonnet
local eso = import 'eso.libsonnet';
{
secret: eso.externalSecret.new(
name='my-secret',
namespace='mop',
secretStore='aws-backend'
) + eso.externalSecret.withClusterSecretStore('aws-backend')
+ eso.externalSecret.withData('token', '/prod/api/token'),
}
```

### Examples

See `tanka/examples/` for comprehensive examples:
- `eso-secretstore.jsonnet`: SecretStore and ClusterSecretStore examples for all backends
- `eso-externalsecret.jsonnet`: ExternalSecret patterns (API tokens, database creds, TLS certs)
- `eso-backstage-migration.jsonnet`: Real-world migration example for Backstage secrets
- `README.md`: Detailed usage guide with troubleshooting

### Migration Pattern

To migrate existing hardcoded secrets to ESO:

1. Create source secrets in your backend
2. Create a SecretStore/ClusterSecretStore
3. Create ExternalSecrets to sync from backend
4. Update application manifests to reference ESO-managed secrets
5. Verify secrets are syncing correctly
6. Remove hardcoded secrets

See `tanka/examples/eso-backstage-migration.jsonnet` for a complete example.
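Review bot: "ClusterSecretStore ... (recommended for production)" under ESO Architecture needs a qualifier: a ClusterSecretStore can be referenced by an ExternalSecret in any namespace, so unless the helper sets `spec.conditions` with a namespace selector the recommendation widens who can pull from the backend; either document that restriction or recommend a namespaced SecretStore per tenant. Related points in this hunk: the Kubernetes-backend SecretStore reads other Secrets through a service account that needs RBAC (at least `get` on secrets), after which any ExternalSecret in the namespace can copy whatever that account can read, so the "dev/testing" caveat in the code comment belongs in the Backend Configurations text as well; the `awsSecretsManager` and `vault` helpers show a role ARN, server and path but no authentication method (IRSA versus static keys, Vault auth mount) and no CA bundle for the Vault endpoint, which are exactly the settings a reviewer has to check; the "Using ClusterSecretStore" example passes `'aws-backend'` twice (`secretStore=` in `new` and again in `withClusterSecretStore`), so document which one sets `secretStoreRef.name` or let the helper take the kind as a parameter; and `withDataProperty('password', 'db-config', 'password')` should state its argument order (target key, remote key, property). Finally, migration step 6 should read "remove and rotate": values that were hard-coded in manifests remain in git history, so deleting the manifest alone does not revoke them.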