The External Secrets Enterprise product suite is a premium product. It requires a specific subscription. Contact us for more information.

Overview

The ESI Pod Webhook is a Kubernetes admission webhook that seamlessly injects secrets managed by the External Secrets Operator (ESO) directly into your pods. This allows applications to consume secrets as environment variables or files without requiring any code changes or awareness of ESO. The webhook intercepts pod creation and update events. Based on specific annotations you add to your pods, it modifies the pod specification to include mechanisms for secret injection, primarily using the esi-cli tool.

Why Use ESI Pod Webhook?

  • Simplified Secret Consumption: Applications can access secrets as standard environment variables or files, without needing to integrate with ESO or specific secret backends.
  • No Application Code Changes: Inject secrets into existing applications without modifying their codebase.
  • Centralized Secret Management: Continue managing your secrets centrally with External Secrets Operator, while the webhook handles the delivery to pods.
  • Dynamic Injection: Secrets are fetched and injected when the pod starts.
  • Flexible Injection Methods: Choose between environment variable injection (via an init container) or file-based injection (via a sidecar container).

How It Works

The ESI Pod Webhook modifies pods during their admission (creation/update) process:
  1. Annotation-Driven: You annotate your pods to tell the webhook which ExternalSecret to use and how to inject the data.
  2. esi-cli Powered: The webhook injects either an init container or a sidecar container into your pod. These containers run esi-cli.
    • Init Container (for Environment Variables): esi-cli runs in init mode, fetches secrets, exports them as environment variables, and then executes your application’s main process.
    • Sidecar Container (for Files): esi-cli runs in daemon mode, fetches secrets, and writes them to a shared volume (e.g., /secrets/secrets.json). It can also watch for changes.
  3. Pod Modification: The webhook adds the necessary containers, volumes, and volume mounts to the pod specification.
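
As an added illustration of step 3 for the file-based (sidecar) path, and not code from External Secrets, the following shows how a mutating admission webhook can answer a pod admission request with a JSONPatch that adds a sidecar and a shared /secrets volume. The annotation keys, image reference, container name and the in-memory emptyDir are assumptions of this example; esi-cli arguments are left out because this page does not list them.

```python
import base64
import json

# Hypothetical annotation keys and image: the page does not name the real ones.
ANN_SECRET = "example.invalid/external-secret"
ANN_MODE = "example.invalid/inject-mode"  # assumed value "file" selects the sidecar
SIDECAR_IMAGE = "registry.example.invalid/esi-cli:PLACEHOLDER"
VOLUME, MOUNT_PATH = "esi-secrets", "/secrets"  # /secrets/secrets.json lives here

def sidecar_patch(pod):
    """Return JSONPatch ops that add a file-injection sidecar, or [] if not requested."""
    ann = pod.get("metadata", {}).get("annotations") or {}
    spec = pod["spec"]
    if ANN_SECRET not in ann or ann.get(ANN_MODE) != "file":
        return []
    if any(c["name"] == "esi-sidecar" for c in spec["containers"]):
        return []  # already mutated (e.g. an update event): stay idempotent
    mount = {"name": VOLUME, "mountPath": MOUNT_PATH}
    ops = []
    if "volumes" not in spec:  # appending with "/-" fails if the array is absent
        ops.append({"op": "add", "path": "/spec/volumes", "value": []})
    # tmpfs-backed volume (this example's choice) keeps secrets off the node's disk.
    ops.append({"op": "add", "path": "/spec/volumes/-",
                "value": {"name": VOLUME, "emptyDir": {"medium": "Memory"}}})
    for i, c in enumerate(spec["containers"]):
        if "volumeMounts" not in c:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts", "value": []})
        # Application containers only read the secrets file.
        ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts/-",
                    "value": dict(mount, readOnly=True)})
    # Only the sidecar gets a writable mount; esi-cli arguments are not shown here.
    ops.append({"op": "add", "path": "/spec/containers/-",
                "value": {"name": "esi-sidecar", "image": SIDECAR_IMAGE,
                          "volumeMounts": [mount]}})
    return ops

def admission_response(review):
    """Build the AdmissionReview v1 response for a pod admission request."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    ops = sidecar_patch(req["object"])
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample request (not captured from a cluster).
SAMPLE = {"request": {"uid": "constructed-uid-1", "object": {
    "metadata": {"annotations": {ANN_SECRET: "db-creds", ANN_MODE: "file"}},
    "spec": {"containers": [{"name": "app", "image": "app:constructed"}]}}}}
```

Decoding the patch returned by `admission_response(SAMPLE)` shows exactly which fields a webhook of this kind changes, which is also what to compare against when auditing mutated pods.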

Get Started

Ready to dive in? Explore the following sections to learn how to install, configure, and use the ESI Pod Webhook:

Next Steps

After familiarizing yourself with the ESI Pod Webhook, you might also be interested in: