
Cloud-native patterns: Why you should use External Secrets Operator with ArgoCD

ArgoCD is a great tool for managing deployments and keeping your applications up to date. However, one of the challenges with using ArgoCD is secrets management. ArgoCD does not natively manage secrets, so you need a complementary tool for them. In this blog post, we'll show you why you should use the External Secrets Operator with ArgoCD.

External Secrets Operator

The External Secrets Operator is a Kubernetes operator that gives you the ability to manage secrets outside of ArgoCD. This means that you can use your existing secrets management solution with ArgoCD. The External Secrets Operator provides a way to synchronize secrets from an external secrets management system into Kubernetes.

External Secrets Operator (ESO) works with secret backends such as AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault and many more, pulling the credentials, keys and other secrets that ArgoCD-managed applications need in a GitOps fashion. It gives you a secure, automated way to populate secrets in Kubernetes while keeping the secret values themselves out of Git, and with ArgoCD those secret definitions can be synchronised across clusters and applications.

Why use External Secrets Operator with ArgoCD?

1. Security

The External Secrets Operator provides a secure way to manage secrets. It allows you to store secrets in an external secrets management system and synchronize them into Kubernetes. This means that plaintext secrets never have to be committed to your Git repository, where anyone with read access to the repository or its history could recover them.

2. Scalability

The External Secrets Operator is designed to scale. It can handle a large number of secrets and can be used across multiple clusters. This makes it a great choice for large organizations that need to manage secrets across multiple environments.

3. Flexibility

The External Secrets Operator is flexible. It supports a wide range of external secrets management systems, including AWS Secrets Manager, GCP Secret Manager, and HashiCorp Vault. This means that you can use your existing secrets management solution with ArgoCD.

How to use External Secrets Operator with ArgoCD

To use the External Secrets Operator with ArgoCD, you need to install the External Secrets Operator on your Kubernetes cluster and configure it to synchronize secrets from your external secrets management system.

Here's an example of how to configure the External Secrets Operator to synchronize secrets from AWS Secrets Manager:

# SecretStore: how ESO reaches AWS Secrets Manager from this namespace
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      # IAM role ESO assumes for this store. It belongs directly under `aws`,
      # not under `auth`. With no `auth` block, the controller's own identity
      # (for example IRSA on the ESO pod) is used to assume the role.
      role: arn:aws:iam::123456789012:role/external-secrets-role
---
# ExternalSecret: which remote value to pull and which Kubernetes Secret to write
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-secret
spec:
  refreshInterval: 1h          # re-read the backend hourly so rotations propagate
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: example-secret       # Kubernetes Secret that ESO creates
    creationPolicy: Owner      # ESO owns the Secret; it is removed with the ExternalSecret
  data:
  - secretKey: password        # key inside the generated Kubernetes Secret
    remoteRef:
      key: /path/to/secret     # name of the secret in AWS Secrets Manager
      property: password       # JSON property inside that secret

This configuration creates a SecretStore that connects to AWS Secrets Manager and an ExternalSecret that synchronizes a secret from AWS Secrets Manager into a Kubernetes secret.
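As an added example (not part of the original post or the ESO project), here is a pre-merge policy check that enforces the principle above on a GitOps repository: it rejects plain Kubernetes Secrets that carry secret data and verifies that each ExternalSecret points at a SecretStore defined in the same manifest set. It works on manifests after YAML parsing (for example with yaml.safe_load_all), so the post's two objects are embedded below as constructed dict literals to keep the script dependency-free.

```python
from typing import Any, Dict, List

Manifest = Dict[str, Any]


def check_manifests(docs: List[Manifest]) -> List[str]:
    """Return policy findings for parsed manifests (empty list = pass).
    Rule 1: a plain `kind: Secret` carrying data/stringData is plaintext secret material in Git.
    Rule 2: each ExternalSecret must reference a SecretStore/ClusterSecretStore defined in
            the same set and declare at least one data/dataFrom entry.
    """
    findings: List[str] = []
    stores = {(d["kind"], d["metadata"]["name"]) for d in docs
              if d.get("kind") in ("SecretStore", "ClusterSecretStore")}
    for d in docs:
        kind, name = d.get("kind"), d.get("metadata", {}).get("name", "<unnamed>")
        if kind == "Secret" and (d.get("data") or d.get("stringData")):
            findings.append(f"Secret/{name}: plaintext secret data committed to Git; "
                            "use an ExternalSecret instead")
        elif kind == "ExternalSecret":
            spec = d.get("spec", {})
            ref = spec.get("secretStoreRef", {})
            ref_kind = ref.get("kind", "SecretStore")  # ESO defaults a missing kind to SecretStore
            if (ref_kind, ref.get("name")) not in stores:
                findings.append(f"ExternalSecret/{name}: secretStoreRef {ref_kind}/{ref.get('name')} "
                                "not defined in this manifest set")
            if not spec.get("data") and not spec.get("dataFrom"):
                findings.append(f"ExternalSecret/{name}: no data or dataFrom entries, nothing would be synced")
    return findings


# Constructed sample: the post's SecretStore and ExternalSecret in parsed form, plus a
# plaintext Secret of the kind this check is meant to keep out of the repository.
SAMPLE_DOCS: List[Manifest] = [
    {"apiVersion": "external-secrets.io/v1beta1", "kind": "SecretStore",
     "metadata": {"name": "aws-secrets-manager"},
     "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "us-east-1"}}}},
    {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
     "metadata": {"name": "example-secret"},
     "spec": {"refreshInterval": "1h",
              "secretStoreRef": {"name": "aws-secrets-manager", "kind": "SecretStore"},
              "target": {"name": "example-secret", "creationPolicy": "Owner"},
              "data": [{"secretKey": "password",
                        "remoteRef": {"key": "/path/to/secret", "property": "password"}}]}},
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "leaked-db-creds"},
     "stringData": {"password": "placeholder-not-a-real-secret"}},  # constructed bad case
]

if __name__ == "__main__":
    for line in check_manifests(SAMPLE_DOCS) or ["OK: no findings"]:
        print(line)
```

Run it as a CI step over the rendered manifests of each pull request; a non-empty result should fail the pipeline before ArgoCD ever sees the commit.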

Conclusion

The External Secrets Operator is a great tool for managing secrets with ArgoCD. It provides a secure, scalable, and flexible way to synchronize secrets from external secrets management systems into Kubernetes. By using the External Secrets Operator with ArgoCD, you can improve the security of your applications and simplify the management of secrets across multiple environments.

If you're using ArgoCD and need to manage secrets, we highly recommend using the External Secrets Operator. It's a best practice that will help you build more secure and scalable applications.