Overview

The External Secret Syncer is a marketplace application that can be used to continuously sync externally-stored secrets/parameters with Control Plane secrets. If you store your secrets externally, you can use this app to automatically keep Control Plane configuration options up to date.

Supported External Services

Setup

Prerequisites

  1. Have a secret/parameter set up in one of the supported external services
  2. Have an IAM account ready that grants read permission on the desired secret

Steps

  1. Click the ESS application in the Console marketplace
  2. Configure the options for your external secrets (see Configuration below)
  3. (optional) Grant cloud access to the workload's identity where available, instead of supplying access keys in the configuration

Configuration

providers:
  - name: my-vault # unique across all providers
    syncInterval: 20s # override the default interval of 30s
    vault:
      address: https://myvault.com:6443 # required for vault
      token: <my vault token> # required for vault
  - name: my-param-store
    awsParameterStore:
      region: us-west-2
      endpoint: <endpoint> # optional
      accessKeyId: <access key ID> # optional
      secretAccessKey: <secret access key> # optional
  - name: my-secret-manager
    awsSecretManager:
      region: us-west-2
      endpoint: <endpoint> # optional
      accessKeyId: <access key ID> # optional
      secretAccessKey: <secret access key> # optional
secrets:
  - name: hello # creates a dictionary secret named "hello" with these key-value pairs
    provider: my-vault
    syncInterval: 1m # override vault specific sync interval for this secret
    dictionary:
      PORT:
        path: /v1/secret/data/app
        parse: data.port
        default: 5432
      PASSWORD:
        path: /v1/secret/data/app
        parse: data.password
        default: 'no pass'
  - name: hello2 # creates an opaque secret named "hello2" containing the value of "user" key in /path/to/secret
    provider: my-secret-manager
    opaque:
      path: /path/to/secret
      parse: user
  - name: hello3 # creates an opaque secret named "hello3" containing the full /path/to/secret payload
    provider: my-secret-manager
    opaque: /path/to/secret # stores whole aws secret (potentially JSON) in opaque secret

Vault KV engine secrets look like:

{
  "data": {
    "PORT": "1234"
  },
  "metadata": {
    "created_time": "2025-03-11T20:05:41.865209462Z",
    "custom_metadata": null,
    "deletion_time": "",
    "destroyed": false,
    "version": 1
  }
}

If you use parse with a Vault secret, start the path with data (for example data.port) so that it reaches the secret content rather than the surrounding metadata.
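As an added illustration, not the ESS's own code, the following Python sketch resolves the hello, hello2 and hello3 definitions from the configuration above against a constructed in-memory backend: it shows how a dotted parse path walks the fetched payload, why Vault paths must start with data, and how a default fills in when a key is absent. The function names, the in-memory backend and the conversion of values to strings are assumptions.

```python
import json
from typing import Any, Callable, Dict, Optional

# Constructed stand-in for a provider backend: maps a secret path to the raw JSON it
# would return. The Vault entry mirrors the KV shape above: keys under "data" beside "metadata".
FAKE_BACKEND = {
    "/v1/secret/data/app": json.dumps({
        "data": {"port": "1234"},  # no "password" key, so the configured default applies
        "metadata": {"version": 1, "destroyed": False},
    }),
    "/path/to/secret": json.dumps({"user": "app_user", "pass": "x"}),
}

def fetch(path: str) -> str:
    """Return the raw payload stored at path (constructed data, not a real provider)."""
    return FAKE_BACKEND[path]

def lookup(payload: Any, parse: str) -> Optional[Any]:
    """Walk a dotted parse path such as 'data.port' through decoded JSON.
    Returns None when any segment is missing so the caller can apply a default."""
    node = payload
    for key in parse.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def resolve_entry(entry: Dict[str, Any], read: Callable[[str], str]) -> str:
    """Resolve one {path, parse, default} entry to the string stored in the secret."""
    value = lookup(json.loads(read(entry["path"])), entry["parse"])
    if value is None:
        if "default" not in entry:
            raise KeyError(f"{entry['parse']} not found at {entry['path']} and no default given")
        value = entry["default"]
    return str(value)  # assumption: dictionary values are stored as strings, as in the sample secret

def resolve_secret(spec: Dict[str, Any], read: Callable[[str], str]) -> Dict[str, Any]:
    """Turn one item of the config's secrets list into the secret ESS would create."""
    if "dictionary" in spec:
        data = {k: resolve_entry(v, read) for k, v in spec["dictionary"].items()}
        return {"name": spec["name"], "type": "dictionary", "data": data}
    opaque = spec["opaque"]
    if isinstance(opaque, str):  # bare path: store the whole payload, possibly JSON
        return {"name": spec["name"], "type": "opaque", "payload": read(opaque)}
    return {"name": spec["name"], "type": "opaque", "payload": resolve_entry(opaque, read)}

HELLO = {"name": "hello", "provider": "my-vault", "dictionary": {
    "PORT": {"path": "/v1/secret/data/app", "parse": "data.port", "default": 5432},
    "PASSWORD": {"path": "/v1/secret/data/app", "parse": "data.password", "default": "no pass"},
}}
```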

Secret

A secret generated by ESS will look like:

kind: secret
name: hello
description: hello
tags:
  syncer.cpln.io/lastError: '' # if ESS is experiencing an error, it will populate this tag
  syncer.cpln.io/source: //gvc/<gvc name>/workload/<name of ess workload>
type: dictionary
data:
  PORT: '1234'
  PASSWORD: 'no pass' # if PASSWORD was not found in the external secret, the configured default is used

API

The ESS exposes a helpful utility API:

# for liveness probe
GET /about

# json with sensitive data masked
GET /config

# lists providers
GET /provider

# delete all secrets ESS created
POST /admin/-cleanUp

# list of secrets for the provider, whether or not they can be fetched
POST /provider/{name}/-check

# sync all secrets for the provider; responds OK or not OK
POST /provider/{name}/-sync