Setup ESO Enterprise
Weave GitOps Enterprise now supports managing secrets using External Secrets Operator from the UI. External Secrets Operator (ESO) is a Kubernetes operator that lets users consume secrets from external secrets management systems: it reads them through the provider's external API and injects their values into Kubernetes Secrets. To use this functionality, users need to configure their External Secrets Operator and SecretStores using one of the guides below.
You should have your SecretStore CRs defined in a git repository. Those CRs will be installed to your cluster in the following steps and used by the creation UI.
The ESO profile is packaged with the weaveworks-charts. If you have the usual profiles set up, you will not need to do anything extra. This profile installs the ESO controller, all the required CRDs, and the SecretStore CRs defined in the previous step.
There are several Kubernetes Secrets that need to exist on your management cluster for the whole flow to work.
If your SecretStores repository is private, you'll need a Secret containing the repo credentials so that the repository can be accessed. This is usually the Secret you created while bootstrapping Flux on the management cluster; it is copied to your leaf cluster during creation.
For each SecretStore CR, you'll need to add a Secret that follows the format expected by that CR, so that the operator can authenticate to the defined External Secret Store.
Follow this guide for bootstrapping those secrets on leaf clusters.
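A missing or misnamed authentication Secret is the most common reason a SecretStore never becomes Ready, and the failure only shows up in the operator's status after the cluster is created. The following pre-flight check is an added example, not code from Weave GitOps or the External Secrets project: it walks the JSON that `kubectl get secretstores,clustersecretstores -A -o json` and `kubectl get secrets -A -o json` would return, collects every `*SecretRef` object that names a Secret (the provider field names used in the constructed input, such as `accessKeyIDSecretRef` and `tokenSecretRef`, follow the ESO provider specs; treating any key ending in `SecretRef` as a reference is a heuristic of this example), and reports references that point at a Secret which does not exist. Because a ClusterSecretStore is not namespaced, its references must carry their own namespace, and the check flags those that do not. All input objects are constructed stand-ins for live cluster output.

```python
"""
Pre-flight check: does every Secret referenced by a SecretStore exist?

Added example (not part of Weave GitOps or ESO). Consumes the JSON shape of
`kubectl get secretstores,clustersecretstores -A -o json` and
`kubectl get secrets -A -o json`; the documents below are constructed stand-ins.
"""
import json

# Constructed: a namespaced store whose auth Secret exists, and a cluster-scoped
# store whose auth Secret is missing from the cluster.
SECRETSTORES_JSON = json.dumps({
    "items": [
        {
            "kind": "SecretStore",
            "metadata": {"name": "aws-store", "namespace": "apps"},
            "spec": {"provider": {"aws": {
                "service": "SecretsManager", "region": "eu-west-1",
                "auth": {"secretRef": {
                    "accessKeyIDSecretRef": {"name": "aws-creds", "key": "access-key"},
                    "secretAccessKeySecretRef": {"name": "aws-creds", "key": "secret-access-key"},
                }}}}},
        },
        {
            "kind": "ClusterSecretStore",
            "metadata": {"name": "vault-store"},
            "spec": {"provider": {"vault": {
                "server": "https://vault.example.internal", "path": "secret",
                "auth": {"tokenSecretRef": {"name": "vault-token", "namespace": "vault", "key": "token"}},
            }}},
        },
    ]
})

# Constructed: the Secrets that currently exist on the cluster.
SECRETS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "aws-creds", "namespace": "apps"}},
        {"metadata": {"name": "my-pat", "namespace": "flux-system"}},
    ]
})


def secret_refs(node, default_ns):
    """Recursively collect (namespace, name) for every object under a key ending in
    'SecretRef' that names a Secret. A missing namespace falls back to default_ns,
    which is None for cluster-scoped stores (heuristic of this example)."""
    refs = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower().endswith("secretref") and isinstance(value, dict) and "name" in value:
                refs.add((value.get("namespace") or default_ns, value["name"]))
            refs |= secret_refs(value, default_ns)  # nested refs, e.g. aws auth.secretRef.*
    elif isinstance(node, list):
        for item in node:
            refs |= secret_refs(item, default_ns)
    return refs


def check_secretstores(stores_json, secrets_json):
    """Return a list of human-readable problems; an empty list means every
    referenced Secret exists and every ClusterSecretStore reference is namespaced."""
    existing = {(s["metadata"]["namespace"], s["metadata"]["name"])
                for s in json.loads(secrets_json)["items"]}
    problems = []
    for store in json.loads(stores_json)["items"]:
        cluster_scoped = store["kind"] == "ClusterSecretStore"
        default_ns = None if cluster_scoped else store["metadata"]["namespace"]
        label = f'{store["kind"]}/{store["metadata"]["name"]}'
        for ns, name in sorted(secret_refs(store.get("spec", {}), default_ns), key=str):
            if ns is None:
                problems.append(f"{label}: secretRef {name!r} needs a namespace on a ClusterSecretStore")
            elif (ns, name) not in existing:
                problems.append(f"{label}: Secret {ns}/{name} does not exist")
    return problems


if __name__ == "__main__":
    for line in check_secretstores(SECRETSTORES_JSON, SECRETS_JSON) or ["all referenced Secrets exist"]:
        print(line)
```

Run it against real output by replacing the two constants with the files produced by the `kubectl` commands above; an empty result is the state you want before pointing the profile's values.yaml at the SecretStores repository.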
Install ESO on management cluster or existing leaf cluster
To install the ESO profile on an existing cluster, use Add an application from the Applications page and select weaveworks-charts. Check the Profile values section for more info about configuring the
Install ESO on leaf cluster
To bootstrap the ESO profile on a leaf cluster, select external-secrets from the profiles dropdown in the Create Cluster page. Check the Profile values section for more info about configuring the
You should then configure the values.yaml to install the SecretStores on the cluster from a
This is done by configuring the
Example that creates a new git source from a specific tag:

```yaml
url: ssh://email@example.com/github-owner/repo-name # url for the git repository that contains the SecretStores
path: ./ # could be a path to the secrets dir or a kustomization.yaml file for the SecretStore in the GitRepository
secretRef: my-pat # the name of the Secret containing the repo credentials for private repositories
```
Example that uses an existing git source:

```yaml
sourceRef: # Specify the name for an existing GitSource reference
```