If I have ExternalSecretsOperator running in the management cluster, can Sveltos take secrets created in the management cluster by ESO and deploy those to managed cluster? #572
-
External Secrets Operator bridges the gap between external secret stores (like HashiCorp Vault) and Kubernetes. It automatically synchronizes secrets from these external systems into Kubernetes Secrets. However, the question remains: If the External Secrets Operator is only deployed in the management cluster, can Sveltos leverage those secrets and deploy them to the managed clusters? This question was asked on the Projectsveltos slack channel. Reporting it with an answer as it is a pretty common use case.
-
Short answer is yes. Let's say this is the secret External Secrets Operator created in the management cluster

```yaml
apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
kind: Secret
metadata:
  creationTimestamp: "2024-05-27T13:51:00Z"
  name: external-secret-operator
  namespace: default
  resourceVersion: "28731"
  uid: 99411506-8f5e-4846-9628-58f82b3d01be
type: Opaque
```

we can create a ConfigMap whose data section is a template

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: replicate-external-secret-operator-secret
  namespace: default
  annotations:
    projectsveltos.io/template: "true" # add annotation to indicate Sveltos content is a template
data:
  secret.yaml: |
    # ESOSecret now references the Secret default/external-secret-operator
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ (index .MgmtResources "ESOSecret").metadata.name }}
      namespace: {{ (index .MgmtResources "ESOSecret").metadata.namespace }}
    data:
    {{ range $key, $value := (index .MgmtResources "ESOSecret").data }}
      {{ $key }}: {{ $value }}
    {{ end }}
```

Then have a ClusterProfile that collects the secret created by External Secrets Operator (using the templateResourceRefs section) and references the ConfigMap created above

```yaml
apiVersion: config.projectsveltos.io/v1alpha1
kind: ClusterProfile
metadata:
  name: replicate-external-secret-operator-secret
spec:
  clusterSelector: env=fv
  templateResourceRefs:
  - resource:
      apiVersion: v1
      kind: Secret
      name: external-secret-operator
      namespace: default
    identifier: ESOSecret
  policyRefs:
  - kind: ConfigMap
    name: replicate-external-secret-operator-secret
    namespace: default
```

The result is that the secret External Secrets Operator created in the management cluster will be replicated by Sveltos in any managed cluster matching the above selector. This is also covered in the documentation.