
Github Actions Secrets

Github

External Secrets Operator integrates with Github to sync Kubernetes secrets with Github Actions secrets.

Configuring Github provider

The Github API requires the ESO Github App to be installed in your Github organisation before the Github provider features can be used.

Configuring the secret store

Verify that the github provider is listed under the Kind=SecretStore. The properties appID, installationID and organization are required to register the provider, and authentication must be provided as well.

Optionally, to target repository or environment secrets, the fields repository and environment must also be set (environment secrets require repository as well).

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: github
spec:
  provider:
    # provider type: github
    github:
      appID: "**app ID goes here**"
      # url: defaults to "https://github.com/"; for Github Enterprise instances uncomment and set your domain, e.g. "https://github.domain.com/"
      # uploadURL: defaults to "https://github.com"
      auth:
        privateKey:
          name: github-app-private-key
          key: privateKey.pem
      installationID: "**installation ID goes here**"
      organization: "Github **organization name goes here**"
      #repository: "Optional. set this for repository/environment secrets"
      #environment: "Optional. set this for environment secrets"

NOTE: In the case of a ClusterSecretStore, be sure to set the namespace field of the secret reference under auth (privateKey in the example above, or accessToken) to the namespace where that secret resides.
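The SecretStore above references a Kubernetes Secret named github-app-private-key with a key privateKey.pem but the page does not show it. The manifest below is an added example (not from the ESO project docs) of that Secret; the namespace external-secrets and the PEM body are placeholders, only the secret name and key are taken from the SecretStore example.

```yaml
# Added example: the Kubernetes Secret holding the Github App private key that
# spec.provider.github.auth.privateKey in the SecretStore refers to.
# Name and key match the SecretStore example; namespace and key content are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: github-app-private-key
  namespace: external-secrets # assumed namespace; for a ClusterSecretStore, auth.privateKey.namespace must be set to this value
type: Opaque
stringData:
  privateKey.pem: |
    -----BEGIN RSA PRIVATE KEY-----
    **paste the private key downloaded from the Github App settings here**
    -----END RSA PRIVATE KEY-----
```

Rather than writing the key into a manifest that may end up in version control, the same Secret can be created directly from the downloaded key file with `kubectl create secret generic github-app-private-key --from-file=privateKey.pem=./app.private-key.pem -n external-secrets`. This key grants the App's full installation permissions, so restrict RBAC read access to the namespace holding it to the ESO controller.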

Pushing to an external secret

To sync a Kubernetes secret to a Github Actions secret, create a PushSecret resource (Kind=PushSecret) that selects the source Kubernetes secret and names the remote secret to write.

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: github-push-secret-example
spec:
  deletionPolicy: Delete # Remove the Github Actions secret when this PushSecret is deleted
  refreshInterval: 10m # How often the PushSecret is reconciled
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: github # Must match the SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: extsecret # Source Kubernetes secret (same namespace as the PushSecret) whose data is pushed
  data:
    - match:
        secretKey: extsecret # Key in the source Kubernetes secret that holds the value
        remoteRef:
          remoteKey: EXTSECRET # Name of the Github Actions secret to create or update
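The PushSecret selects a source Kubernetes Secret by name and reads one key from it. The manifest below is an added example (not from the ESO project docs) of that source Secret: it assumes the Secret is named extsecret (selector.secret.name must match it, and Kubernetes requires a lowercase DNS-style name) and carries a data key extsecret, which data[].match.secretKey maps to the Actions secret EXTSECRET; the value is a constructed placeholder.

```yaml
# Added example: the source Kubernetes Secret that the PushSecret selects.
# The name must equal selector.secret.name and the data key must equal match.secretKey;
# ESO pushes the value under remoteRef.remoteKey (EXTSECRET) to Github Actions.
apiVersion: v1
kind: Secret
metadata:
  name: extsecret # assumed source secret name
type: Opaque
stringData:
  extsecret: "**value to publish as the EXTSECRET Github Actions secret**"
```

Once the PushSecret reconciles, `kubectl get pushsecret github-push-secret-example` shows whether the push succeeded in its status; Github Actions secrets are write-only through the API, so confirm the mapping from the PushSecret status and the repository or organisation secrets page rather than by reading the value back.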