Quick Start: Copy to your repository
This file shows the minimal steps to get external-secrets working
in your application repository.
Step 1: Create the folder structure
mkdir -p k8s/secrets-<your-app-name>
cd k8s/secrets-<your-app-name>
Step 2: Copy template files
Copy the following template files to your secrets-<your-app-name>/ folder:
# Choose based on your secret backend:
# For Vault:
cp secretstore-vault.yaml ./
# For Kubernetes secrets:
cp secretstore-kubernetes.yaml ./
# Choose based on what you want to sync:
# For individual secret properties:
cp externalsecret-basic.yaml ./
# For entire secret objects:
cp externalsecret-extract.yaml ./
# For advanced templating:
cp externalsecret-advanced.yaml ./
Step 3: Customize the files
Edit each file and replace the CHANGE markers:
# Edit secretstore
vim secretstore-vault.yaml
# Edit externalsecret
vim externalsecret-basic.yaml
Key things to customize:
- Namespace (where your app runs)
- Vault server URL
- Vault secret paths
- Secret property names
- Refresh interval
Step 4: Apply to your cluster
kubectl apply -f k8s/secrets-<your-app-name>/
Step 5: Verify
# Check if the ExternalSecret synced successfully
kubectl get externalsecret -n <your-namespace>
# Check if the secret was created
kubectl get secret app-secrets -n <your-namespace>
# View the secret contents (values are base64-encoded, not encrypted; be careful with sensitive data!)
kubectl get secret app-secrets -n <your-namespace> -o jsonpath='{.data}' | jq .
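The checks in Step 5 can also be done without printing secret values to the terminal. The following is an added example, not part of the original template set: it reads the `-o json` output of the two `kubectl get` commands above, reports the ExternalSecret's `Ready` condition, and lists only key names and decoded value sizes. The sample JSON, the key names (`DB_USER`, `DB_PASSWORD`, `API_KEY`, `TLS_CERT`), the `demo` namespace and the `NoReadyCondition` label are constructed for illustration.

```python
import base64
import json

# Constructed sample of `kubectl get externalsecret app-secrets -o json` (trimmed).
SAMPLE_EXTERNALSECRET = json.dumps({
    "kind": "ExternalSecret",
    "metadata": {"name": "app-secrets", "namespace": "demo"},
    "status": {"conditions": [
        {"type": "Ready", "status": "True", "reason": "SecretSynced",
         "message": "Secret was synced"}]},
})

# Constructed sample of `kubectl get secret app-secrets -o json` (trimmed).
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "app-secrets", "namespace": "demo"},
    "data": {"DB_USER": base64.b64encode(b"app").decode(),
             "DB_PASSWORD": base64.b64encode(b"constructed-value").decode(),
             "API_KEY": ""},
})


def sync_state(externalsecret_json):
    """Return (ready, reason, message) from the ExternalSecret's Ready condition."""
    status = json.loads(externalsecret_json).get("status") or {}
    for cond in status.get("conditions") or []:
        if cond.get("type") == "Ready":
            return (cond.get("status") == "True",
                    cond.get("reason", ""), cond.get("message", ""))
    # "NoReadyCondition" is a label made up for this example, not an operator reason.
    return (False, "NoReadyCondition", "operator has not reported status yet")


def check_secret_keys(secret_json, expected_keys):
    """Report missing/empty keys and value sizes without ever returning values."""
    data = json.loads(secret_json).get("data") or {}
    sizes = {k: len(base64.b64decode(v or "")) for k, v in data.items()}
    return {
        "missing": sorted(set(expected_keys) - set(sizes)),
        "empty": sorted(k for k, n in sizes.items() if n == 0),
        "sizes": sizes,
    }


if __name__ == "__main__":
    print(sync_state(SAMPLE_EXTERNALSECRET))
    print(check_secret_keys(SAMPLE_SECRET, ["DB_USER", "DB_PASSWORD", "TLS_CERT"]))
```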
Step 6: Use in your Deployment
Reference the synced secret in your Deployment/StatefulSet/DaemonSet:
envFrom:
  - secretRef:
      name: app-secrets
See deployment-example.yaml for more usage patterns.
Troubleshooting
If the ExternalSecret doesn't sync:
# Check status
kubectl describe externalsecret app-secrets -n <your-namespace>
# Check operator logs
kubectl logs -n external-secrets deployment/external-secrets
# Verify SecretStore is reachable
kubectl describe secretstore vault-secretstore -n <your-namespace>
See USAGE.md in the external-secrets chart for detailed troubleshooting.