{"id":40742,"date":"2023-10-02T19:56:09","date_gmt":"2023-10-02T19:56:09","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=40742"},"modified":"2023-10-02T19:56:10","modified_gmt":"2023-10-02T19:56:10","slug":"external-secrets-operator-difference-between-clustersecretstore-and-secretstore","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/external-secrets-operator-difference-between-clustersecretstore-and-secretstore\/","title":{"rendered":"External Secrets Operator: Difference between ClusterSecretStore and SecretStore?"},"content":{"rendered":"\n

The main difference between a ClusterSecretStore and a SecretStore is that a ClusterSecretStore is a cluster-wide SecretStore that can be referenced from all namespaces, while a SecretStore is a namespaced SecretStore that can only be referenced from a single namespace.<\/p>\n\n\n\n

Another difference is that a ClusterSecretStore can be used to store secrets that are shared across multiple namespaces, such as a database password or an API key. A SecretStore can only be used to store secrets that are specific to a single namespace, such as a database password for a specific application.<\/p>\n\n\n\n

Here is a table that summarizes the key differences between ClusterSecretStores and SecretStores:<\/p>\n\n\n\n

Feature<\/th>ClusterSecretStore<\/th>SecretStore<\/th><\/tr>
Scope<\/td>Cluster-wide<\/td>Namespaced<\/td><\/tr>
Use cases<\/td>Shared secrets across multiple namespaces<\/td>Namespace-specific secrets<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Here are some examples of when you might use a ClusterSecretStore:<\/p>\n\n\n\n

    \n
  • To store a database password that is shared across all of your applications.<\/li>\n\n\n\n
  • To store an API key that is used by multiple applications.<\/li>\n\n\n\n
  • To store a certificate that is used by multiple applications.<\/li>\n<\/ul>\n\n\n\n

    Here are some examples of when you might use a SecretStore:<\/p>\n\n\n\n

      \n
    • To store a database password for a specific application.<\/li>\n\n\n\n
    • To store an API key for a specific application.<\/li>\n\n\n\n
    • To store a certificate for a specific application.<\/li>\n<\/ul>\n\n\n\n

      SecretStore:<\/strong><\/h3>\n\n\n\n
        \n
      • SecretStore<\/code> is namespace-scoped. This means a SecretStore<\/code> resource is created within a specific namespace and can only be referenced by ExternalSecret<\/code> resources within the same namespace.<\/li>\n\n\n\n
      • This allows for more fine-grained access control and isolation between different namespaces, making it suitable for multi-tenant environments where different teams or applications have their isolated namespaces.<\/li>\n<\/ul>\n\n\n\n
        \n\n\n
        apiVersion: external-secrets.io\/v1alpha1\r\nkind: SecretStore\r\nmetadata:\r\n  name: my-secret-store\r\n  namespace<\/span>: my<\/span>-namespace<\/span>\r\nspec<\/span>:\r\n  provider<\/span>:\r\n    aws<\/span>:\r\n      service<\/span>: SecretsManager<\/span>\r\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
        \n\n\n\n
        ClusterSecretStore:<\/strong><\/h3>\n\n\n\n
          \n
        • ClusterSecretStore<\/code>, on the other hand, is cluster-scoped. This means it is not confined to a specific namespace and can be referenced by ExternalSecret<\/code> resources across all namespaces in the cluster.<\/li>\n\n\n\n
        • It is suitable for secrets that are shared and needed by applications residing in different namespaces across the cluster.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n
          apiVersion: external-secrets.io\/v1alpha1\r\nkind: ClusterSecretStore\r\nmetadata:\r\n  name: my-cluster-secret-store\r\nspec:\r\n  provider:\r\n    aws:\r\n      service: SecretsManager\r\n<\/code><\/span><\/pre>\n\n\n
          \n","protected":false},"excerpt":{"rendered":"
          The main difference between a ClusterSecretStore and a SecretStore is that a ClusterSecretStore is a cluster-wide SecretStore that can be referenced from all namespaces, while a SecretStore is a namespaced… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-40742","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/40742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=40742"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/40742\/revisions"}],"predecessor-version":[{"id":40743,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/40742\/revisions\/40743"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=40742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=40742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=40742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}