Use XtraSecurity as a secrets provider in Kubernetes clusters.
# Register the External Secrets Operator chart repository and refresh the index.
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

# Install the operator into its own namespace, separate from application workloads.
# For production installs, consider adding --version to pin a reviewed chart
# release so that operator upgrades happen deliberately.
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets-system \
  --create-namespace
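# Store the XtraSecurity API key as a Kubernetes Secret for the SecretStore to
# reference. The production namespace must already exist.
#
# The key is read from a silent prompt and piped to kubectl instead of being
# passed with --from-literal, so it does not end up in shell history or in the
# process list. printf is a shell builtin and writes no trailing newline.
# (`read -s` needs bash or zsh; /dev/stdin needs Linux or macOS.)
# Paste the key and press Enter:
read -rs XTRA_API_KEY
printf '%s' "$XTRA_API_KEY" | kubectl create secret generic xtra-api-key \
  -n production \
  --from-file=apiKey=/dev/stdin
unset XTRA_API_KEY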
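# SecretStore: tells the External Secrets Operator how to authenticate to
# XtraSecurity. A SecretStore is namespaced, so only ExternalSecrets in the
# production namespace can use it, and the apiKey reference below resolves to a
# Secret in that same namespace.
# NOTE(review): newer operator releases serve external-secrets.io/v1; check
# `kubectl api-versions` against the installed operator before applying, and
# confirm that the operator build in the cluster supports this provider block.
# NOTE(review): nesting restored from a flattened listing; projectId and auth
# are assumed to be siblings under the provider. Verify against the provider
# reference.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: xtrasecurity
  namespace: production
spec:
  provider:
    xtrasecurity:
      # proj_xxx is a placeholder for the XtraSecurity project ID.
      projectId: proj_xxx
      auth:
        secretRef:
          # Anyone able to read Secrets in this namespace can read this API
          # key; scope RBAC on Secrets in production accordingly.
          apiKey:
            name: xtra-api-key
            key: apiKey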
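# ExternalSecret: asks the operator to copy selected XtraSecurity values into
# the Kubernetes Secret "app-secrets" in the production namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: production
spec:
  # How often the operator re-reads the remote values. This is also the longest
  # a rotated or revoked value can remain in the cluster copy, so choose it with
  # the rotation policy in mind.
  refreshInterval: 3600s
  secretStoreRef:
    name: xtrasecurity
    kind: SecretStore
  target:
    name: app-secrets
    # Owner: the operator creates the Secret and sets itself as owner, so the
    # Secret is removed when this ExternalSecret is deleted.
    creationPolicy: Owner
  data:
    # secretKey is the key written into the Kubernetes Secret;
    # remoteRef.key is the name of the secret in XtraSecurity.
    - secretKey: database_url
      remoteRef:
        key: db_url
    - secretKey: stripe_key
      remoteRef:
        key: stripe_api_key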
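# Deployment that consumes the synced Secret as environment variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: production
spec:
  # apps/v1 rejects a Deployment without a selector that matches the pod
  # template labels; the "app: myapp" label is a constructed example value.
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: app
          # ":latest" is a mutable tag; in production pin a specific version or
          # image digest so the running image is the one that was reviewed.
          image: myapp:latest
          # envFrom exposes every key of the Secret as an environment variable.
          # Values are read once at container start, so a refreshed Secret only
          # reaches the app after the pod is restarted. Environment variables
          # are also inherited by child processes; mount the Secret as a volume
          # instead if that exposure matters.
          envFrom:
            - secretRef:
                name: app-secrets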
---
# Namespace holding the API-key Secret, the SecretStore and the ExternalSecret
# defined in the documents that follow.
apiVersion: v1
kind: Namespace
metadata:
  name: production
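---
# Bootstrap credential the SecretStore uses to authenticate to XtraSecurity.
# sk_live_prod_xxx is a placeholder. A manifest carrying the real key must not
# be committed to version control: create this Secret out-of-band (for example
# with kubectl) or keep the manifest encrypted at rest.
# stringData accepts plain text; the API server stores it base64-encoded under
# "data", which is an encoding and not encryption.
apiVersion: v1
kind: Secret
metadata:
  name: xtra-api-key
  namespace: production
stringData:
  apiKey: sk_live_prod_xxx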
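---
# SecretStore: connection and credentials the operator uses to read from the
# XtraSecurity project. It is namespaced, so the apiKey reference resolves to
# the Secret "xtra-api-key" in the production namespace.
# NOTE(review): newer operator releases serve external-secrets.io/v1; check
# `kubectl api-versions` against the installed operator before applying.
# NOTE(review): nesting restored from a flattened listing; projectId and auth
# are assumed to be siblings under the provider. Verify against the provider
# reference.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: xtrasecurity
  namespace: production
spec:
  provider:
    xtrasecurity:
      # proj_prod is a placeholder project ID.
      projectId: proj_prod
      auth:
        secretRef:
          apiKey:
            name: xtra-api-key
            key: apiKey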
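---
# ExternalSecret: syncs two XtraSecurity values into the Kubernetes Secret
# "app-config" in the production namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-config
  namespace: production
spec:
  # Re-read interval; also the longest a rotated or revoked value can remain in
  # the cluster copy.
  refreshInterval: 1h
  secretStoreRef:
    name: xtrasecurity
    # Stated explicitly so the reference cannot be read as a ClusterSecretStore.
    kind: SecretStore
  target:
    name: app-config
  data:
    # NOTE(review): the local key is named databaseUrl but the remote key is
    # postgres_password; confirm which remote secret is intended so the app
    # does not receive a bare password where it expects a connection URL.
    - secretKey: databaseUrl
      remoteRef:
        key: postgres_password
    - secretKey: stripeKey
      remoteRef:
        key: stripe_live_key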
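# Check ExternalSecret status (sync conditions and recent events)
kubectl describe externalsecret app-secrets -n production

# View operator logs
kubectl logs -n external-secrets-system deployment/external-secrets

# Verify the secret was created. `describe` lists key names and value sizes
# only; `-o yaml` would print every value base64-encoded, which is trivially
# decodable, into the terminal and its scrollback.
kubectl describe secret app-secrets -n production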
Complete guide to integrating XtraSecurity with GitHub Actions. Secure your CI/CD pipeline by fetching secrets from XtraSecurity in GitHub workflows.
Integrate XtraSecurity with Docker and Docker Compose. Securely manage container secrets without hardcoding in Dockerfile.
Integrate XtraSecurity secrets with Jenkins pipelines. Secure your Jenkins CI/CD with declarative and scripted pipelines.