How to Propagate Secrets Everywhere with External Secrets Operator (ESO) and Crossplane

We look at how External Secrets Operator (ESO) and Crossplane work together to manage and propagate secrets across Kubernetes clusters, databases, and secrets managers. Learn how to integrate with cloud providers' secret management systems using ESO's push and pull capabilities, and see how Crossplane's infrastructure-as-code approach ensures the secrets it creates (for example database credentials) end up wherever they are needed.

#ExternalSecretsOperator #Crossplane #KubernetesSecrets #ESO

▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction
01:09 The Problem
05:51 Secrets Between Kubernetes Clusters
14:48 Pushing and Pulling PostgreSQL Database Secrets
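The two flows named in the timecodes (sharing secrets between clusters, and pushing a database credential out to a secrets manager so other clusters can pull it) can be expressed with ESO manifests alone. The following is an added example, not the manifests from the video or from the ESO or Crossplane projects: it assumes a Crossplane claim in cluster A has written its connection details into a Kubernetes Secret named db-conn (the standard writeConnectionSecretToRef behaviour), and the store names, namespaces, region, remote key and cluster URL are all placeholders chosen for this illustration.

```yaml
# --- Cluster A: where Crossplane provisions PostgreSQL ---
# All names (aws-secrets-manager, infra, db-conn, prod/postgres-root/password,
# cluster-a.example.com) are assumptions for this example.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          # Workload-identity (IRSA) bound service account: no long-lived AWS
          # access keys have to live in the cluster to reach the store.
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# Push the password Crossplane wrote into db-conn up to Secrets Manager.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgres-root-push
  namespace: infra
spec:
  refreshInterval: 1h
  secretStoreRefs:
    - name: aws-secrets-manager
      kind: ClusterSecretStore
  updatePolicy: Replace        # overwrite the remote value when db-conn changes
  deletionPolicy: Delete       # remove the remote secret when this object goes away
  selector:
    secret:
      name: db-conn            # Secret written by the Crossplane claim
  data:
    - match:
        secretKey: password
        remoteRef:
          remoteKey: prod/postgres-root/password
---
# --- Cluster B: where the application runs ---
# The same aws-secrets-manager ClusterSecretStore is installed here (omitted).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgres-root
  namespace: app
spec:
  refreshInterval: 5m          # upper bound on how stale a rotated value can be
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: postgres-root        # Kubernetes Secret that Pods mount or reference
    creationPolicy: Owner      # ESO owns and reconciles this Secret
  data:
    - secretKey: password
      remoteRef:
        key: prod/postgres-root/password
---
# --- Alternative for cluster-to-cluster only: ESO's Kubernetes provider ---
# Cluster B reads db-conn straight out of cluster A, with no secrets manager
# in between. The CA bundle and bearer token for cluster A are assumed to be
# stored in Secrets in the external-secrets namespace of cluster B.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: cluster-a
spec:
  provider:
    kubernetes:
      remoteNamespace: infra
      server:
        url: https://cluster-a.example.com:6443
        caProvider:
          type: Secret
          name: cluster-a-ca
          key: ca.crt
          namespace: external-secrets
      auth:
        token:
          bearerToken:
            name: cluster-a-token
            key: token
            namespace: external-secrets
```

The hub-and-spoke shape (push once, pull from any number of clusters) keeps only one cluster writing to the store, so the IAM policy for the pushing identity can allow PutSecretValue while every consuming cluster gets GetSecretValue only. The Kubernetes-provider variant avoids the external store entirely but means cluster B holds a token for cluster A, which must be scoped with RBAC to read only the intended namespace. Either way, a rotated value reaches consumers no faster than refreshInterval, so an application that cannot tolerate a stale password for that window needs the old and new credential to overlap on the database side.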
Comments

Thanks for another great video! I'd like to explore databases as a service with your videos.
About secrets management with ESO, I use it all the time and I love it.
I still find copying secrets directly between Kubernetes clusters a useful option, especially when you have a control plane cluster managing other clusters and secrets are consumed in Kubernetes.
This way you don't need to install (and secure) multiple ESO instances.
I think it would also be useful to see an example of secret rotation in action (meaning not waiting for the secret to update in Kubernetes but rotating it transparently while applications are using it).

IvanRizzante

Thanks, love these advanced use cases!! I use Reflector to clone secrets between namespaces within the same cluster, and/or ESO with the Kubernetes provider to share secrets between clusters.

javisartdesign

Plot twist: If you send your secret to a "secret manager" or an ESO, the secret is no longer "secret". Just because something works, it does not mean it works securely...

clauzone

Hey Viktor, thanks for the information! Your videos help me get the bigger picture of how things are managed in a mature k8s environment at scale. I'm a beginner starting out with Kubernetes and related tools in general; although I understand these approaches, oftentimes there's confusion on how and whether these are applicable in my practice environment (on-prem cluster). It would be great if you could recommend a somewhat advanced project in order to get better at Kubernetes and the related tools. Thank you for your time reading this long paragraph.

aditya-iqcp

We use ESO at my job, but the big problem in Crossplane is reading secrets in a composition without using a status for retaining this information.

JesherHelielRodrigues

Read the title singing Lando's song... "Secrets up and down side to side like a roller coaster..." 😂

DanielPradoBurgos

Hi Viktor, firstly thank you for sharing your wisdom :) I have one small question. Looking at the final diagram, (besides others) you have created an "external secret" in order to pull the "root password" from AWS Secrets Manager. How was that "root password" created? How did you put the password there? Was it generated? Or does AWS RDS even have the capability to create a Secrets Manager secret after the creation of the RDS instance? Thank you.

ML

Is ESO now the preferred method of integrating secrets with an external store (thinking Azure KeyVault in my case) considering it supports both push and pull now? Also, does this mean Crossplane's ESS (External Secret Stores) alpha feature will be dropped, or do they serve slightly different purposes?

phillipsma

Not directly related, but doesn't Crossplane have a depends-on tree for delaying execution loops until requirements are met?
I've been using the Vault mutating webhook, and it seems better for apps since it injects secrets into the running scope, but it's harder to integrate.

juanitoMint

Is it generally a bad practice for a namespaced claim (and consequently the composition) to refer (via k8s Secret object observing) to a secret created by another claim's composition in a different namespace? Or should the latter's claim composition push to a common cluster secret store so that the former can pull it using ESO? Not thinking about cluster resources here, just something simpler that requires secret knowledge across namespaced resource claims.

phillipsma

Have you seen, by any chance, ESO constantly updating K8s secrets even though the value hasn't changed? Currently, when looking at Events, some "externalsecret" objects are sitting at a 27k+ count...

simonkp

Isn't password rotation an issue here? There would clearly be an outage when the password is changed, depending on how often the Secrets Manager contents are synced.
The proper way to roll a password over without downtime would be to allow the old and new password during a certain time window, but it seems to leak the entire "magic" of this setup when done.

rlstrength

I'm confused about this External Secrets Operator in general; it seems like we already need a secret to connect to the "external source of secrets". Doesn't that basically defeat the purpose? I mean, the secret will be there if a bad actor gets access to the cluster, and they can use it to get the actual secrets, no?

farzadmf