PushSecret
Normally, ESO pulls secrets from the external provider (e.g., AWS Secrets Manager) to create or update Secrets in Kubernetes.
PushSecret is the reverse path: you create or update a Secret in Kubernetes and ESO pushes its data to the external provider (AWS, Vault, etc.), so changes made in the cluster flow out to the backend.
- You can manage secrets in Kubernetes and automatically synchronize/update the external provider.
- Useful in workflows where Kubernetes is the source of truth, and you want to keep the external provider updated.
- Avoids having to access the backend manually to update secrets.
PushSecret watches one specific Secret in Kubernetes and, on every refresh interval, pushes its data to the chosen backend.
- Not all providers support push.
- Not all ESO versions support push (it's a newer feature).
- Configure permissions properly so ESO has write access to the backend. We already discussed this in SecretStore; for AWS Secrets Manager that means the store's credentials need write actions such as secretsmanager:CreateSecret and secretsmanager:PutSecretValue (and secretsmanager:DeleteSecret if you rely on deletionPolicy: Delete), ideally scoped to the secrets ESO is supposed to manage rather than to the whole account.
You can also use it to synchronize secrets between clouds: an ExternalSecret pulls from one provider into a Kubernetes Secret, and a PushSecret pushes that Secret to another provider.
- AWS → GCP
- Vault → AWS
- Kubernetes (locally generated) → any supported provider
Let's go through a quick example. We'll take the secret below and push it to AWS Secrets Manager.
❯ k get secrets
NAME               TYPE                       DATA   AGE
app-auth           kubernetes.io/basic-auth   2      154m   # This one, for example
minha-secret       Opaque                     1      86m
minha-secret-k8s   Opaque                     4      178m
Note that app-auth itself was created by an ExternalSecret, so pushing it back creates a second AWS secret and ESO ends up keeping two AWS secrets in sync: the one it pulls from and the one it pushes to. Make sure the remoteKey you push to differs from the key the ExternalSecret pulls from, otherwise the pull and the push would fight over the same entry.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-secret-aws
  namespace: default
spec:
  deletionPolicy: Delete   # Pay attention to this: ESO deletes the remote secret when the PushSecret goes away (see below).
  refreshInterval: 1m
  secretStoreRefs:
    - name: aws-secrets-manager
      kind: ClusterSecretStore
  selector:                # Selects a Secret in the same namespace as the PushSecret.
    secret:
      name: app-auth
  data:
    - match:
        secretKey: ""      # Empty (or omitted): push the whole Secret, all keys serialized as one JSON object.
        remoteRef:
          remoteKey: dev-app-test1   # Name of the secret that will be created in AWS Secrets Manager.
      metadata:            # Provider-specific push options; the apiVersion/kind accepted here depend on the provider and ESO version, so check the docs for yours.
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          secretPushFormat: string   # Store the value as SecretString rather than SecretBinary.
          description: "Full app-auth secret as JSON"
  updatePolicy: Replace    # Replace (the default) overwrites the remote value on every refresh; IfNotExists only creates the remote secret when it is missing and never updates it afterwards.
PushSecret is a newer feature and its deletion behaviour deserves attention. With deletionPolicy: Delete, removing the PushSecret (or dropping a key from it) makes ESO delete the remote secret. AWS Secrets Manager does not remove it immediately: it schedules the secret for deletion with a recovery window (30 days by default), and while it is in that state you cannot create a new secret with the same name, so the key is only reusable once the deletion actually completes (or once you cancel it with aws secretsmanager restore-secret).
For now, I recommend not using PushSecret in production, but if necessary, setting deletionPolicy: None
is a way to partially solve the problem. ESO then never deletes the remote secret, so AWS never schedules it for deletion and you can keep reusing it by overwriting it; the trade-off is that cleaning up secrets on the AWS side becomes a manual step.
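As an added example (it is not from the original post nor from the ESO project's own docs), here is the same PushSecret with the two settings a practitioner would change before relying on it: deletionPolicy: None so ESO never schedules the AWS secret for deletion, and a per-key match that pushes only the password instead of the whole Secret as JSON, which keeps the remote blast radius to the one value the consumer actually needs. The resource name and remoteKey are placeholders, the key name password is assumed from the kubernetes.io/basic-auth type of app-auth, and the provider-specific metadata block is left out because its apiVersion depends on provider and ESO version.

```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-secret-aws-safe        # placeholder name, not from the original post
  namespace: default
spec:
  # None: deleting this PushSecret (or removing a key from it) leaves the
  # AWS secret in place instead of scheduling it for deletion, so the name
  # is never blocked by a pending deletion.
  deletionPolicy: None
  # Replace (the default) overwrites the remote value on every refresh so the
  # cluster stays the source of truth; IfNotExists would create but never update.
  updatePolicy: Replace
  refreshInterval: 1m
  secretStoreRefs:
    - name: aws-secrets-manager       # the ClusterSecretStore from the original example
      kind: ClusterSecretStore
  selector:
    secret:
      name: app-auth                  # kubernetes.io/basic-auth: keys username and password
  data:
    # Push a single key rather than the whole Secret serialized as JSON:
    # the remote secret then holds only the password string, and username
    # never leaves the cluster.
    - match:
        secretKey: password           # assumed key name for a basic-auth Secret
        remoteRef:
          remoteKey: dev-app-test1-password   # placeholder remote name
```

With deletionPolicy: None, removing the PushSecret leaves dev-app-test1-password behind in AWS Secrets Manager, so clean-up is something you do yourself on the AWS side; that is the price for never hitting the 30-day recovery window described above. If you do want ESO to tear the remote secret down on removal, keep Delete and accept that the name stays unavailable until the scheduled deletion completes.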