ngrok

External Secrets Operator integrates with ngrok to sync Kubernetes secrets with ngrok Secrets for Traffic Policy. Currently, only pushing secrets is supported.

Configuring ngrok Provider

Verify that the ngrok provider is listed in the Kind=SecretStore. The vault and auth properties are required. The apiURL property is optional and defaults to https://api.ngrok.com.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: ngrok
spec:
  provider:
    ngrok:
      # apiURL: defaults to "https://api.ngrok.com". For enterprise ngrok instances, uncomment this and set your API URL.
      auth:
        apiKey:
          secretRef:
            name: ngrok-credentials
            key: api-key
      vault:
        name: my-vault # Name of the ngrok vault to use for storing secrets

Pushing secrets to ngrok

To sync a Kubernetes secret with an external ngrok secret, create a resource of Kind=PushSecret.

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: ngrok # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
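
The SecretStore and PushSecret above both reference Kubernetes Secrets that this page does not show. The manifests below are an added example, not taken from the External Secrets Operator or ngrok documentation; the name my-app-secret (standing in for SECRET_NAME) and all values are constructed placeholders.

```yaml
# Added example with constructed placeholder values.
#
# 1) Credential Secret read by the SecretStore through
#    spec.provider.ngrok.auth.apiKey.secretRef (name: ngrok-credentials, key: api-key).
#    It must be in the same namespace as the SecretStore.
apiVersion: v1
kind: Secret
metadata:
  name: ngrok-credentials
type: Opaque
stringData:
  # Placeholder only. Create the real Secret out of band instead of
  # committing an ngrok API key to version control.
  api-key: "<NGROK_API_KEY_PLACEHOLDER>"
---
# 2) Source Secret selected by the PushSecret through spec.selector.secret.name.
#    It must be in the same namespace as the PushSecret.
#    "my-app-secret" is a hypothetical name replacing SECRET_NAME, since
#    Kubernetes object names must be lowercase.
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secret
type: Opaque
stringData:
  # Matches data[].match.secretKey in the PushSecret; its value is what gets
  # stored in the ngrok vault under remoteRef.remoteKey (MY_NGROK_SECRET_NAME).
  MY_K8S_SECRET_KEY: "<VALUE_TO_PUSH_PLACEHOLDER>"
```

With these in place, the PushSecret's selector.secret.name would be set to my-app-secret.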

PushSecret Metadata

Additionally, you can control the description and metadata of the secret in ngrok like so:

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: ngrok # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          # See https://ngrok.com/docs/api/resources/secrets/#parameters
          # We currently support customizing the description and metadata for the secret.
          description: "This is a secret for the API credentials"
          # Metadata for the secret in the ngrok vault. This will be merged with auto-generated metadata.
          metadata:
            environment: production
            team: devops