External Secrets Operator
External Secrets Operator (ESO) syncs Google Secret Manager into Kubernetes Secrets.
Install
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set bitwarden-sdk-server.enabled=false
Prerequisites
As part of bighammer helm deployment, secretstore object will be created in bh-control-plane namespace using the k8s serviceAccountName external-secrets-operator. It uses workload identity to access the secrets in GCP secret manager. Thus following are the prerequisites:
- GCP SA
external-secrets-operator@<PROJECT>.iam.gserviceaccount.comwithroles/secretmanager.secretAccessor. - WI binding: K8s SA
bh-control-plane/external-secrets-operator→ GCP SA (Terraformwif_service_accounts). - Update the helm chart values file global.secretStore with relevant values as mentioned in
values.yaml. Example -
secretStore:
name: gcp-secret-store
projectId: <your-gcp-project>
serviceAccountName: external-secrets-operator #enable wif in tf
gcpServiceAccount: external-secrets-operator@<your-gcp-project>.iam.gserviceaccount.com
Verify
Once bighammer helm chart is deployed validate the below k8s object to ensure secret access is enabled and secrets synced.
kubectl describe secretstore gcp-secret-store -n bh-control-plane
kubectl get externalsecret -n bh-control-plane
Troubleshooting
| Symptom | Check |
|---|---|
| SecretStore invalid | WI annotation on K8s SA; GCP SA exists |
| ExternalSecret pending | GSM secret name matches global.remoteSecrets |
| Permission denied | secretAccessor on project or secret |
See Troubleshooting.