⚠️ Important Notice (Scope & Support Disclaimer)
Use of an external secrets manager is outside the scope of Virtru-managed deployment support.
- Virtru does not own, manage, or maintain external secrets platforms (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, etc.)
- Configuration, access control, networking, and troubleshooting for these systems are the responsibility of your organization
- Support for provider-specific issues must be handled internally or through your cloud/provider support channels
This document is intended as a generic reference only.
⚠️ Due to variability across providers, environments, and authentication models, Virtru can provide limited guidance beyond this high-level process.
Overview
This is a high-level guide on how to integrate an external secrets manager with the Virtru Private Keystore for Virtru solutions deployed in Kubernetes.
Instead of embedding secrets in Helm:
- Store secrets in an external provider
- Sync them into Kubernetes using External Secrets Operator (ESO)
- Reference them in your Helm deployment
Reference: Supported Providers
External Secrets Operator supports a wide range of providers, including:
- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
- HashiCorp Vault
- Kubernetes (remote cluster)
- Many others
Full provider documentation:
https://external-secrets.io/latest/provider
According to the official docs, ESO integrates with external APIs and injects values into Kubernetes Secrets, acting as a bridge between your secret store and your workloads.
Prerequisites
- Kubernetes cluster
- kubectl configured
- Helm installed
- CKS Helm chart available
- External secrets provider configured
Step 1: Install External Secrets Operator
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace
Verify:
kubectl get pods -n external-secrets
Step 2: Configure Secret Store
Create a SecretStore or ClusterSecretStore to define how to connect to your provider.
Example (generic):
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: virtru-secret-store
spec:
  provider:
    # provider-specific configuration
Refer to provider-specific docs:
https://external-secrets.io
Step 3: Create External Secrets
Auth Token Example
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cks-auth
  namespace: virtru
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: virtru-secret-store
    kind: ClusterSecretStore
  target:
    name: virtru-auth
  data:
    - secretKey: authTokenJson
      remoteRef:
        key: virtru/cks/auth
        property: authTokenJson
RSA Keys Example
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cks-keys
  namespace: virtru
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: virtru-secret-store
    kind: ClusterSecretStore
  target:
    name: virtru-keys
  data:
    - secretKey: rsa001.pub
      remoteRef:
        key: virtru/cks/keys
        property: rsa001.pub
    - secretKey: rsa001.pem
      remoteRef:
        key: virtru/cks/keys
        property: rsa001.pem
Step 4: (Optional) TLS Secret via External Secrets
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cks-tls
  namespace: virtru
spec:
  secretStoreRef:
    name: virtru-secret-store
    kind: ClusterSecretStore
  target:
    name: cks-tls
    template:
      type: kubernetes.io/tls
      data:
        tls.crt: "{{ .fullchain }}"
        tls.key: "{{ .privkey }}"
  data:
    - secretKey: fullchain
      remoteRef:
        key: virtru/cks/tls
        property: fullchain.pem
    - secretKey: privkey
      remoteRef:
        key: virtru/cks/tls
        property: privkey.pem
Step 5: Verify Secrets
kubectl get externalsecret -n virtru
kubectl get secret -n virtru
Each ExternalSecret should report READY as True, and the target Secrets (virtru-auth, virtru-keys and, if used, cks-tls) should exist in the virtru namespace before you continue.
Step 6: Update Helm Values
externalAppSecrets:
  enabled: true
  auth:
    secretName: virtru-auth
    key: authTokenJson
  keys:
    secretName: virtru-keys
ingress:
  tls:
    - secretName: cks-tls
      hosts:
        - cks.example.com
Step 7: Deploy CKS
helm upgrade --install cks . \
  -n virtru \
  -f values.yaml \
  --create-namespace
Step 8: Validate
kubectl get pods -n virtru
kubectl get ingress -n virtru
curl https://cks.example.com/status
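The most common failure in this procedure is a mismatch between the three pieces of configuration: the Helm values reference a Secret name or key that no ExternalSecret produces, a template expression names a data entry that is never fetched, or an ExternalSecret points at a store other than the one created in Step 2. The pre-flight check below is an added example, not Virtru's or External Secrets Operator's own code. It represents the ClusterSecretStore, the three ExternalSecrets and the Helm values from Steps 2 to 6 as Python dicts constructed inline (so it runs offline without a cluster or a YAML library; in practice you would load the same manifests from the files you apply) and reports every reference that would not resolve once ESO has synced the Secrets.

```python
import re

# Constructed dict equivalents of the manifests in this guide (not read from a cluster).
STORE = {"kind": "ClusterSecretStore", "metadata": {"name": "virtru-secret-store"}}


def _es(name, target, data, template=None):
    """Build an ExternalSecret dict in the shape of the YAML documents above."""
    spec = {
        "refreshInterval": "1h",
        "secretStoreRef": {"name": "virtru-secret-store", "kind": "ClusterSecretStore"},
        "target": {"name": target},
        "data": [{"secretKey": k, "remoteRef": {"key": rk, "property": p}} for k, rk, p in data],
    }
    if template:
        spec["target"]["template"] = template
    return {"apiVersion": "external-secrets.io/v1", "kind": "ExternalSecret",
            "metadata": {"name": name, "namespace": "virtru"}, "spec": spec}


EXTERNAL_SECRETS = [
    _es("cks-auth", "virtru-auth", [("authTokenJson", "virtru/cks/auth", "authTokenJson")]),
    _es("cks-keys", "virtru-keys", [("rsa001.pub", "virtru/cks/keys", "rsa001.pub"),
                                    ("rsa001.pem", "virtru/cks/keys", "rsa001.pem")]),
    _es("cks-tls", "cks-tls", [("fullchain", "virtru/cks/tls", "fullchain.pem"),
                               ("privkey", "virtru/cks/tls", "privkey.pem")],
        template={"type": "kubernetes.io/tls",
                  "data": {"tls.crt": "{{ .fullchain }}", "tls.key": "{{ .privkey }}"}}),
]

HELM_VALUES = {
    "externalAppSecrets": {"enabled": True,
                           "auth": {"secretName": "virtru-auth", "key": "authTokenJson"},
                           "keys": {"secretName": "virtru-keys"}},
    "ingress": {"tls": [{"secretName": "cks-tls", "hosts": ["cks.example.com"]}]},
}

# Matches the "{{ .name }}" expressions used in target.template.data values.
TEMPLATE_REF = re.compile(r"\{\{\s*\.(\w[\w.-]*)\s*\}\}")


def synced_keys(es):
    """Keys the generated Kubernetes Secret will carry: the template's data keys
    when a template is set, otherwise each data[].secretKey."""
    template = es["spec"]["target"].get("template") or {}
    if "data" in template:
        return set(template["data"])
    return {d["secretKey"] for d in es["spec"].get("data", [])}


def check_wiring(values, external_secrets, store, namespace="virtru"):
    """Return a list of human-readable problems; an empty list means the Helm
    values, the ExternalSecrets and the secret store all agree."""
    problems = []
    by_target = {}
    for es in external_secrets:
        name = es["metadata"]["name"]
        ref = es["spec"]["secretStoreRef"]
        if (ref.get("name"), ref.get("kind")) != (store["metadata"]["name"], store["kind"]):
            problems.append(f"{name}: secretStoreRef does not point at "
                            f"{store['kind']}/{store['metadata']['name']}")
        if es["metadata"].get("namespace") != namespace:
            problems.append(f"{name}: not in namespace '{namespace}', the chart will not see its Secret")
        fetched = {d["secretKey"] for d in es["spec"].get("data", [])}
        template = es["spec"]["target"].get("template") or {}
        for key, expr in template.get("data", {}).items():
            for ref_name in TEMPLATE_REF.findall(expr):
                if ref_name not in fetched:  # ESO would render an empty value here
                    problems.append(f"{name}: template key '{key}' references .{ref_name}, "
                                    f"which no data[] entry fetches")
        by_target[es["spec"]["target"]["name"]] = es

    def require(secret_name, keys, where):
        es = by_target.get(secret_name)
        if es is None:
            problems.append(f"{where}: no ExternalSecret targets Secret '{secret_name}'")
            return None
        have = synced_keys(es)
        for k in keys:
            if k not in have:
                problems.append(f"{where}: Secret '{secret_name}' will not contain key '{k}' "
                                f"(has {sorted(have)})")
        return es

    app = values.get("externalAppSecrets", {})
    if app.get("enabled"):
        auth = app["auth"]
        require(auth["secretName"], [auth["key"]], "externalAppSecrets.auth")
        es = require(app["keys"]["secretName"], [], "externalAppSecrets.keys")
        if es is not None:
            have = synced_keys(es)
            pubs = {k[:-4] for k in have if k.endswith(".pub")}
            pems = {k[:-4] for k in have if k.endswith(".pem")}
            if not pubs:
                problems.append("externalAppSecrets.keys: no *.pub key is synced")
            for base in sorted(pubs ^ pems):  # every rsaNNN needs both halves
                problems.append(f"externalAppSecrets.keys: '{base}' has only one half of the .pub/.pem pair")
    for entry in values.get("ingress", {}).get("tls", []):
        es = require(entry["secretName"], ["tls.crt", "tls.key"], "ingress.tls")
        if es is not None:
            es_type = (es["spec"]["target"].get("template") or {}).get("type")
            if es_type != "kubernetes.io/tls":
                problems.append(f"ingress.tls: Secret '{entry['secretName']}' is not templated "
                                f"as type kubernetes.io/tls")
    return problems


if __name__ == "__main__":
    for line in check_wiring(HELM_VALUES, EXTERNAL_SECRETS, STORE) or ["wiring OK"]:
        print(line)
```

Run it before `helm upgrade`; an empty result means every Secret name and key the chart will look up is produced by some ExternalSecret bound to the store from Step 2. The template check matters because ESO does not refuse a template that references a data entry it never fetched, so a renamed `secretKey` would otherwise surface only as an empty `tls.key` at runtime.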