https://github.com/hops-ops/aws-secret-stack
Crossplane XRD: external-secrets Helm release with AWS Pod Identity for Secrets Manager and SSM Parameter Store access
aws crossplane crossplane-xrd external-secrets helm kubernetes pod-identity
Last synced: 18 days ago
- Host: GitHub
- URL: https://github.com/hops-ops/aws-secret-stack
- Owner: hops-ops
- Created: 2026-02-01T00:00:24.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-03-24T13:38:15.000Z (3 months ago)
- Last Synced: 2026-03-25T06:38:41.506Z (3 months ago)
- Topics: aws, crossplane, crossplane-xrd, external-secrets, helm, kubernetes, pod-identity
- Language: KCL
- Size: 41 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
# aws-secret-stack
Installs external-secrets with AWS Pod Identity for Secrets Manager and SSM Parameter Store access. Optionally creates a SecretStore.
## Overview
Composes a `helm.m.crossplane.io/Release` for external-secrets with `aws.hops.ops.com.ai/PodIdentity`.
Automatically provisions an IAM role and an EKS Pod Identity association for the external-secrets service account, so the controller gets AWS credentials without any static keys in the cluster.
Additionally:
- Creates a **SecretStore** (namespaced by default) or **ClusterSecretStore** (opt-in) pointing to AWS Secrets Manager, so ExternalSecrets can pull secrets immediately. Note that a ClusterSecretStore can be referenced by ExternalSecrets in every namespace, so the namespaced default is the least-privilege choice unless cluster-wide access is intended.
## Usage
Minimal — installs ESO, PodIdentity, and SecretStore:
```yaml
apiVersion: aws.hops.ops.com.ai/v1alpha1
kind: SecretStack
metadata:
  name: external-secrets
  namespace: default
spec:
  clusterName: my-cluster
  aws:
    region: us-east-1
```
With custom values and role prefix:
```yaml
apiVersion: aws.hops.ops.com.ai/v1alpha1
kind: SecretStack
metadata:
  name: external-secrets
  namespace: default
spec:
  clusterName: production-cluster
  namespace: external-secrets
  values:
    serviceAccount:
      create: true
  aws:
    region: us-west-2
    rolePrefix: prod-
    tags:
      environment: production
```
ClusterSecretStore (cluster-wide access; ExternalSecrets in any namespace can reference it):
```yaml
apiVersion: aws.hops.ops.com.ai/v1alpha1
kind: SecretStack
metadata:
  name: external-secrets
  namespace: default
spec:
  clusterName: my-cluster
  secretStore:
    scope: Cluster
  aws:
    region: us-east-1
```
ESO only — no SecretStore:
```yaml
apiVersion: aws.hops.ops.com.ai/v1alpha1
kind: SecretStack
metadata:
  name: external-secrets
  namespace: default
spec:
  clusterName: my-cluster
  secretStore:
    enabled: false
  aws:
    region: us-east-1
```
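Consuming the store the stack creates, as an added example that is not part of this repository: with the minimal SecretStack above applied, the stack leaves a `SecretStore` named `default` in the `default` namespace, and an ordinary external-secrets `ExternalSecret` can reference it by name. The `external-secrets.io/v1` API version, the Secrets Manager secret name `prod/app/db`, the JSON property `password`, and the refresh interval are assumptions for illustration; if the stack was deployed with `secretStore.scope: Cluster`, change `kind` to `ClusterSecretStore`.

```yaml
# Added example: an ExternalSecret that pulls one field of an AWS Secrets Manager
# secret through the SecretStore created by SecretStack (assumed name "default").
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-db
  namespace: default          # must match the namespace of the SecretStore
spec:
  refreshInterval: 1h         # assumed; how often ESO re-reads Secrets Manager
  secretStoreRef:
    name: default             # secretStore.name default from the stack
    kind: SecretStore         # use ClusterSecretStore when secretStore.scope: Cluster
  target:
    name: app-db              # Kubernetes Secret that ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: password     # key inside the Kubernetes Secret
      remoteRef:
        key: prod/app/db      # assumed Secrets Manager secret name
        property: password    # assumed JSON field inside that secret
```

The IAM role the stack attaches via Pod Identity is what authorizes this read, so if the ExternalSecret stays in a `SecretSyncedError` state with an AccessDenied message, check the role's Secrets Manager and KMS permissions for that secret rather than the ExternalSecret itself.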
## What Gets Created
| Resource | Condition | Description |
|----------|-----------|-------------|
| `helm.m.crossplane.io/Release` | Always | external-secrets Helm release (chart v2.2.0) |
| `aws.hops.ops.com.ai/PodIdentity` | Always | IAM role + Pod Identity with Secrets Manager, SSM, and KMS permissions |
| `kubernetes.m.crossplane.io/Object` (SecretStore) | `secretStore.enabled` (default true) | ClusterSecretStore or SecretStore wired to AWS Secrets Manager via PodIdentity JWT auth |
## SecretStore Options
| Field | Default | Description |
|-------|---------|-------------|
| `secretStore.enabled` | `true` | Create a SecretStore resource |
| `secretStore.scope` | `Namespaced` | `Namespaced` for SecretStore, `Cluster` for ClusterSecretStore |
| `secretStore.name` | `default` | Name of the SecretStore resource |
## Status
| Field | Description |
|-------|-------------|
| `ready` | Overall stack readiness |
## Development
```bash
make render # render all examples
make validate # validate rendered output
make test # run KCL unit tests
make e2e # run E2E tests (requires AWS credentials)
```