
External Secrets

Availability
Stage
Experimental

External Secrets in Natron Managed Kubernetes Service allows you to securely manage and synchronize secrets from external secret management systems into your Kubernetes clusters. This chapter provides an overview of how to set up and use External Secrets to enhance the security and management of sensitive information within your Kubernetes environment.

Overview of External Secrets

External Secrets is a Kubernetes operator that integrates with various external secret management systems, such as HashiCorp Vault, AWS Secrets Manager, and others. It enables you to define Kubernetes secrets that are automatically populated and kept in sync with the external secret stores.

Setup with Azure Key Vault

This setup applies to on-premises Kubernetes clusters that need to read secrets from Azure Key Vault. For AKS clusters, consider using the direct integration via Workload Identity instead.

Key Vault Configuration

Ensure you are logged in via az login and have selected the correct subscription.

Create a Service Principal for the role assignment:

az ad sp create-for-rbac --name "natr-demo-002-kv-01-sp" --skip-assignment

Store the output credentials (appId becomes ClientID, password becomes ClientSecret) in a Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: natr-demo-001-kv-01-sp
type: Opaque
stringData:
  ClientID: <redacted>
  ClientSecret: <redacted>

Grant Permissions

Assign the Key Vault Secrets User role to the Service Principal.

Retrieve the Object ID of the Service Principal's Enterprise Application from the Azure Portal (App Registrations -> Select App -> Link to Enterprise Application -> Object ID).

az role assignment create --assignee <Object ID> --role "Key Vault Secrets User" --scope /subscriptions/<Subscription ID>/resourceGroups/<Resource Group>/providers/Microsoft.KeyVault/vaults/<key vault>

Define SecretStore

Configure the SecretStore CRD to use the Service Principal.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: natr-demo-001-kv-01
spec:
  provider:
    azurekv:
      tenantId: <Tenant ID>
      vaultUrl: "https://<key-vault-name>.vault.azure.net"
      authType: ServicePrincipal
      authSecretRef:
        clientId:
          name: natr-demo-001-kv-01-sp
          key: ClientID
        clientSecret:
          name: natr-demo-001-kv-01-sp
          key: ClientSecret
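Scripted version of the four steps above, added here as an example and not taken from the NatronTech docs. It assumes az and kubectl are already logged in, that the vault uses the Azure RBAC permission model (which the Key Vault Secrets User role requires), and that the az CLI reports the service principal's object ID under the id field; SP_NAME, K8S_SECRET and the RUN_SETUP guard are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the NatronTech docs: scripts the four steps above.
# Assumes az and kubectl are logged in, that the vault uses the Azure RBAC
# permission model (required for the "Key Vault Secrets User" role), and an
# az CLI new enough to return the service principal's object ID as "id".
set -eu
SP_NAME="${SP_NAME:-natr-demo-001-kv-01-sp}"      # placeholder names
K8S_SECRET="${K8S_SECRET:-natr-demo-001-kv-01-sp}"
ROLE="Key Vault Secrets User"

# Resource ID of one vault: the narrowest scope the role assignment can have.
kv_scope() {  # args: subscription-id resource-group vault-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}
# vaultUrl expected by spec.provider.azurekv in the SecretStore.
kv_url() { printf 'https://%s.vault.azure.net' "$1"; }
# Refuse anything that is not a GUID, so a pasted typo cannot scope the role to the wrong subscription.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

setup() {  # args: subscription-id resource-group vault-name
  sub="$1"; rg="$2"; vault="$3"
  is_guid "$sub" || { echo "subscription id must be a GUID" >&2; return 1; }
  scope="$(kv_scope "$sub" "$rg" "$vault")"
  # 1. Create the Service Principal; read appId/password/tenant from the command
  #    output so the client secret is never written to a file.
  creds="$(az ad sp create-for-rbac --name "$SP_NAME" --query '[appId,password,tenant]' -o tsv)"
  app_id="$(printf '%s' "$creds" | cut -f1)"
  password="$(printf '%s' "$creds" | cut -f2)"
  tenant="$(printf '%s' "$creds" | cut -f3)"
  # 2. Store them as the Secret the SecretStore's authSecretRef points at.
  kubectl create secret generic "$K8S_SECRET" \
    --from-literal=ClientID="$app_id" --from-literal=ClientSecret="$password" \
    --dry-run=client -o yaml | kubectl apply -f -
  # 3. Object ID of the Enterprise Application, looked up by appId instead of copied from the portal.
  object_id="$(az ad sp show --id "$app_id" --query id -o tsv)"
  # 4. Assign the role on this vault only; object ID plus principal type avoids an ambiguous lookup.
  az role assignment create --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$scope"
  echo "SecretStore values: tenantId=$tenant vaultUrl=$(kv_url "$vault")"
}

# Runs only when asked, e.g. RUN_SETUP=1 ./kv-setup.sh <subscription-id> <rg> <vault>
if [ "${RUN_SETUP:-0}" = "1" ]; then setup "$@"; fi
```

The final echo prints the tenantId and vaultUrl to paste into the SecretStore manifest above.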
