Developed by GoDaddy and given back to the community, External Secrets fills the gap between K8s Secrets and secure credential storage.
External secrets are defined as K8s resources like this:
    apiVersion: 'kubernetes-client.io/v1'
    kind: ExternalSecret
    metadata:
      name: dockerconfigjson
      namespace: someorg
    spec:
      backendType: secretsManager
      template:
        type: kubernetes.io/dockerconfigjson
      dataFrom:
        - /someorg/dockerconfig_secret
In this case AWS Secrets Manager is contacted to fetch the
someorg/dockerconfig_secret secret. Because the resulting Secret is created in
the someorg namespace, and K8s namespaces limit access to resources in the same
namespace, only workloads in someorg can read it.
External Secrets works by contacting the credential provider selected by
backendType (e.g. AWS Secrets Manager) and then, if it can retrieve the value,
creating a regular K8s Secret from it.
This gives transparent access to secrets from K8s while leaving the credential store as the point-of-truth for the secret value.
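To make the reconciliation step concrete, the following is an added example (not code from the kubernetes-external-secrets project) that models what the controller does with the manifest above: it resolves each dataFrom key against a credential store, applies the template type, and emits the Secret that would be created in the ExternalSecret's namespace. The credential store is a constructed in-memory stand-in for AWS Secrets Manager, the manifest is the page's YAML expressed as a Python dict, and the `data` entry form (key/name/property) is modelled here as an assumption about the project's second addressing style, not something the page shows.

```python
"""Model of how an ExternalSecret is reconciled into a Kubernetes Secret (added example)."""
import base64
import json

# Constructed stand-in for AWS Secrets Manager: secret name -> SecretString (JSON text).
FAKE_SECRETS_MANAGER = {
    "/someorg/dockerconfig_secret": json.dumps({
        ".dockerconfigjson": json.dumps({
            "auths": {
                "registry.example.com": {  # constructed registry hostname
                    "username": "ci-bot",
                    "password": "not-a-real-password",
                    "auth": base64.b64encode(b"ci-bot:not-a-real-password").decode(),
                }
            }
        })
    }),
    "/someorg/db_credentials": json.dumps({"username": "app", "password": "s3cr3t"}),
}

# The page's manifest as a dict (so the example needs no YAML parser).
EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "dockerconfigjson", "namespace": "someorg"},
    "spec": {
        "backendType": "secretsManager",
        "template": {"type": "kubernetes.io/dockerconfigjson"},
        "dataFrom": ["/someorg/dockerconfig_secret"],
    },
}


class BackendError(Exception):
    """The credential store could not serve a request; no Secret is created."""


def fetch_raw(backend, key):
    """Return the stored SecretString for key, or fail loudly."""
    if key not in backend:
        raise BackendError(f"secret {key!r} not found in backend")
    return backend[key]


def fetch_json(backend, key):
    """Parse a SecretString as a JSON object (required for dataFrom)."""
    value = json.loads(fetch_raw(backend, key))
    if not isinstance(value, dict):
        raise BackendError(f"secret {key!r} is not a JSON object")
    return value


def render_secret(external_secret, backend):
    """Resolve the manifest against the backend and return the Secret that would be created."""
    spec = external_secret["spec"]
    if spec.get("backendType") != "secretsManager":
        raise BackendError(f"unsupported backendType {spec.get('backendType')!r}")

    plain = {}
    # dataFrom: every top-level key of each referenced JSON secret becomes a Secret key.
    for key in spec.get("dataFrom", []):
        plain.update(fetch_json(backend, key))
    # data: pick one property (or the whole string) and name it explicitly (assumed form).
    for entry in spec.get("data", []):
        prop = entry.get("property")
        if prop is None:
            plain[entry["name"]] = fetch_raw(backend, entry["key"])
        else:
            obj = fetch_json(backend, entry["key"])
            if prop not in obj:
                raise BackendError(f"property {prop!r} not found in {entry['key']!r}")
            plain[entry["name"]] = obj[prop]

    secret_type = spec.get("template", {}).get("type", "Opaque")
    # Kubernetes requires this key for dockerconfigjson Secrets; fail before creating a broken one.
    if secret_type == "kubernetes.io/dockerconfigjson" and ".dockerconfigjson" not in plain:
        raise BackendError("kubernetes.io/dockerconfigjson Secrets need a .dockerconfigjson key")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": external_secret["metadata"]["name"],
            # The Secret lands in the ExternalSecret's own namespace, so namespace
            # RBAC decides which workloads can mount or read it.
            "namespace": external_secret["metadata"]["namespace"],
        },
        "type": secret_type,
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in plain.items()},
    }


def decoded_value(secret, key):
    """Read one key of a rendered Secret back as plaintext (what a pod would see)."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    print(json.dumps(render_secret(EXTERNAL_SECRET, FAKE_SECRETS_MANAGER), indent=2))
```

Running the block prints the rendered Secret; the two points worth noticing are that the Secret inherits the ExternalSecret's namespace, and that a missing backend key or a missing `.dockerconfigjson` entry raises before any Secret is produced, which is the "if it can retrieve the value" behaviour the text describes.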