Skip to main content

External Secrets Operator

External Secrets Operator (ESO) syncs Google Secret Manager into Kubernetes Secrets.

Install

helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set bitwarden-sdk-server.enabled=false

Prerequisites

As part of bighammer helm deployment, secretstore object will be created in bh-control-plane namespace using the k8s serviceAccountName external-secrets-operator. It uses workload identity to access the secrets in GCP secret manager. Thus following are the prerequisites:

  1. GCP SA external-secrets-operator@<PROJECT>.iam.gserviceaccount.com with roles/secretmanager.secretAccessor.
  2. WI binding: K8s SA bh-control-plane/external-secrets-operator → GCP SA (Terraform wif_service_accounts).
  3. Update the helm chart values file global.secretStore with relevant values as mentioned in values.yaml. Example -
secretStore:
name: gcp-secret-store
projectId: <your-gcp-project>
serviceAccountName: external-secrets-operator #enable wif in tf
gcpServiceAccount: external-secrets-operator@<your-gcp-project>.iam.gserviceaccount.com

Verify

Once bighammer helm chart is deployed validate the below k8s object to ensure secret access is enabled and secrets synced.

kubectl describe secretstore gcp-secret-store -n bh-control-plane
kubectl get externalsecret -n bh-control-plane

Troubleshooting

SymptomCheck
SecretStore invalidWI annotation on K8s SA; GCP SA exists
ExternalSecret pendingGSM secret name matches global.remoteSecrets
Permission deniedsecretAccessor on project or secret

See Troubleshooting.