The External Secrets Inc. Agent product suite is a premium product.
It requires a specific subscription. Contact us for more information.
Agent Overview
External Secrets Inc. Agent is a component that helps you manage the installation and upgrades of External Secrets Operator deployments.
It is also the easiest way to install External Secrets Inc. distribution of External Secrets Operator.
The Agent’s main features include:
- Deployment of any number of External Secrets Operators across namespaces
- Management of ClusterRoles/Roles and ClusterRoleBindings/RoleBindings as needed
- Coordination of CRD upgrades according to ExternalSecrets versions
- Image updates with nightly builds
Architecture Overview
External Secrets Inc. Agent
The Agent works by managing any new External Secrets Operator via the ESODeployment Custom Resource.
When you install one, the Agent automatically deploys everything needed to make External Secrets Operator work.
The Agent supports installing multiple Deployments at once, for complex tenant-based scenarios.
It supports both cluster scoped and namespaced deployments of External Secrets Operator.
Lastly, the Agent communicates back to External Secrets Inc. infrastructure for licensing reasons.
Network Flows
| URL | Port | Direction | Description |
|---|---|---|---|
| api.externalsecrets.com | 443 | Outbound | License Validation |
Cluster Permissions
The Agent needs the following cluster permissions to operate:
| Resource | Verbs | Description |
|---|---|---|
| namespaces | get list watch | Monitor namespaces for installation |
| secrets | create update patch | Distribute ImagePullSecrets across Namespaces |
| serviceaccounts | create get list watch | Create ServiceAccounts for deployments |
| serviceaccounts/external-secrets | create delete patch update | Management of external-secrets service account |
| customresourcedefinitions | create delete get list patch update watch | Install ESO CRDs |
| deployments | create get list watch | Install deployment |
| deployments/external-secrets | create delete patch update | Management of external-secrets deployment |
| leases | create get patch update | Leader election |
| esodeployments | create delete get list patch update | Manage ESODeployments |
| esodeployments/finalizers | update | Manage ESODeployments |
| esodeployments/status | get patch update | Manage ESODeployments |
| clusterrolebindings | create get list watch | Manage RBAC for ESO Deployments |
| rolebindings | create get list watch | Manage RBAC for ESO Deployments |
| clusterroles | create get list watch | Manage RBAC for ESO Deployments |
| roles | create get list watch | Manage RBAC for ESO Deployments |
| clusterrolebindings/external-secrets | delete patch update | Manage RBAC for ESO Deployments |
| rolebindings/external-secrets | delete patch update | Manage RBAC for ESO Deployments |
| clusterroles/external-secrets | bind delete elevate patch update | Manage RBAC for ESO Deployments |
| roles/external-secrets | bind delete elevate patch update | Manage RBAC for ESO Deployments |
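
An added example (not External Secrets Inc. code) for a least-privilege check: it compares RBAC rules against the permission table above and reports every grant the table does not list, such as read access to secrets or wildcard rules. How the `resource/name` rows are interpreted is an assumption stated in the comments, and `SAMPLE_RULES` is constructed.

```python
# Permission table from this page; rows with identical verbs are grouped.
# Assumption: "resource/name" rows are resourceNames restrictions, while
# "/status" and "/finalizers" are subresources. API groups are not compared.
DOCUMENTED_TABLE = """
namespaces: get list watch
secrets: create update patch
serviceaccounts deployments clusterrolebindings rolebindings clusterroles roles: create get list watch
serviceaccounts/external-secrets deployments/external-secrets: create delete patch update
customresourcedefinitions: create delete get list patch update watch
leases: create get patch update
esodeployments: create delete get list patch update
esodeployments/finalizers: update
esodeployments/status: get patch update
clusterrolebindings/external-secrets rolebindings/external-secrets: delete patch update
clusterroles/external-secrets roles/external-secrets: bind delete elevate patch update
"""

def load_documented(table=DOCUMENTED_TABLE):
    """Map each documented resource key to its set of allowed verbs."""
    allowed = {}
    for line in table.strip().splitlines():
        resources, verbs = line.split(":")
        for res in resources.split():
            allowed[res] = set(verbs.split())
    return allowed

def excess_permissions(rules):
    """Return sorted (resource, verb) pairs granted by rules but not documented."""
    allowed, excess = load_documented(), set()
    for rule in rules:
        for res in rule.get("resources", []):
            for name in rule.get("resourceNames") or [None]:
                key = f"{res}/{name}" if name else res
                # A named grant is also covered by the unnamed row for that resource.
                ok = allowed.get(key, set()) | allowed.get(res, set())
                excess.update((key, v) for v in rule.get("verbs", []) if v not in ok)
    return sorted(excess)

# Constructed sample, shaped like .rules from `kubectl get clusterrole <name> -o json`.
SAMPLE_RULES = [
    {"resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"resources": ["secrets"], "verbs": ["create", "update", "patch", "get", "list"]},
    {"resources": ["deployments"], "resourceNames": ["external-secrets"], "verbs": ["get", "delete"]},
    {"resources": ["*"], "verbs": ["*"]},
]

if __name__ == "__main__":
    for resource, verb in excess_permissions(SAMPLE_RULES):
        print(f"not in documented table: {verb} on {resource}")
```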