K8s External Secrets

Kubernetes (K8s) External Secrets



The Kubernetes External Secrets project has been deprecated.
It is recommended to use the External Secrets Operator (ESO) instead.
(see official Git: https://github.com/external-secrets/external-secrets)

Kubernetes External Secrets enable you to use external secret management systems, such as the Akeyless Platform, to securely add secrets in Kubernetes.



External Secrets Operator (ESO)
Check out Akeyless official Provider of External Secret project

Complete the following steps to allow Akeyless to add secrets in Kubernetes.

  1. Add the K8s external secrets repository:
helm repo add external-secrets https://external-secrets.github.io/kubernetes-external-secrets/
  1. Modify the access credential values in the charts/kubernetes-external-secrets/values.yaml file.
#Akeyless rest-v2 endpoint 
AKEYLESS_API_ENDPOINT: https://api.akeyless.io 
#AKEYLESS_ACCESS_TYPE can be one of the following: k8s/aws_iam/azure_ad/gcp/api_key
#AKEYLESS_ACCESS_TYPE_PARAM can be one of the following: gcp-audience/azure-obj-id/access-key



  • Ensure that an Access Role is defined in Akeyless for the credentials you specify, and that the Access Role is associated with an Authentication Method that allows access to the required secret.

  • If you use a customer fragment, define the value of AKEYLESS_API_ENDPOINT as the URL of your Akeyless Gateway in the following format: https:/your.akeyless.gw:8080/v2.

  • If you define the value of AKEYLESS_ACCESS_TYPE as api_key, define the
    value of AKEYLESS_ACCESS_TYPE_PARAM as your access key.

  1. Deploy the helm chart by running:
helm install <RELEASE NAME> external-secrets/kubernetes-external-secrets -f charts/kubernetes-external-secrets/values.yaml



Define the value of data.key as the path to the required secret in Akeyless.

  1. Create an ExternalSecret.yaml file using the following format:
apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
  name: hello-secret
  backendType: akeyless
    - key: </Path/To/Your/Secret>
      name: creds
  1. Apply the ExternalSecret.yaml resource by running:
kubectl apply -f ExternalSecret.yaml
  1. Retrieve your secret value by running:
kubectl get secret hello-secret -o=yaml