Infrastructure

SecretProvider

Wraps an ESO ClusterSecretStore provider configuration. The spec.provider field is passed through verbatim to ESO — you write native ESO provider YAML and Lattice manages the ClusterSecretStore lifecycle. Referenced by LatticeService resources with type: secret and by CloudProvider resources in ESO mode.

group: lattice.dev version: v1alpha1 scope: namespaced

When a SecretProvider is created, the controller creates a corresponding ESO ClusterSecretStore whose spec.provider is populated verbatim from spec.provider. Exactly one top-level key (the provider type) must be present.

Examples

vault.yaml

apiVersion: lattice.dev/v1alpha1
kind: SecretProvider
metadata:
  name: vault-prod
spec:
  provider:
    vault:
      server: https://vault.example.com
      path: secret
      version: v2
      auth:
        tokenSecretRef:
          name: vault-token
          namespace: lattice-system
          key: token

aws-secrets-manager.yaml

apiVersion: lattice.dev/v1alpha1
kind: SecretProvider
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-central-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key

webhook.yaml

apiVersion: lattice.dev/v1alpha1
kind: SecretProvider
metadata:
  name: webhook-local
spec:
  provider:
    webhook:
      url: "http://example.com/secret/{{ .remoteRef.key }}"
      method: GET
      result:
        jsonPath: "$"

Spec

SecretProvider spec fields
Field	Type	Description
`provider`	map<string, object>	ESO provider configuration. Must contain exactly one top-level key identifying the provider type. The value is passed through verbatim as `ClusterSecretStore.spec.provider`.

Built-in: lattice-local

Every cluster ships with a built-in provider called lattice-local. It makes Kubernetes Secrets from the lattice-secrets namespace available for use in LatticeService templates — no external secret store required.

How it works: The operator runs a webhook-backed ClusterSecretStore that serves secrets from the lattice-secrets namespace. Only secrets with the label lattice.dev/secret-source: "true" are exposed. Services reference it with provider: lattice-local and use the Secret name as the id.

local-secret.yaml

# Create a secret in the lattice-secrets namespace
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: lattice-secrets
  labels:
    lattice.dev/secret-source: "true"
type: Opaque
stringData:
  username: admin
  password: s3cret

service-using-local.yaml

apiVersion: lattice.dev/v1alpha1
kind: LatticeService
metadata:
  name: api
spec:
  workload:
    containers:
      main:
        image: myorg/api:v1
        variables:
          DB_PASS: ${resources.db-creds.password}
    resources:
      db-creds:
        type: secret
        id: db-creds              # Secret name in lattice-secrets namespace
        params:
          provider: lattice-local   # built-in local provider
          keys: [username, password]

Custom Providers

For external secret stores, create a SecretProvider resource. Any ESO-supported provider can be used. Common provider keys:

vault HashiCorp Vault. Supports token, Kubernetes, and AppRole auth.

aws AWS Secrets Manager or Parameter Store.

webhook HTTP webhook backend for custom APIs.

barbican OpenStack Barbican key manager.

Status

SecretProvider status fields
Field	Type	Description
`phase`	SecretProviderPhase	Current phase: `Pending`, `Ready`, or `Failed`.
`message`	string?	Human-readable status message.
`lastValidated`	string?	ISO 8601 timestamp of last successful connection validation.
`providerType`	string?	Detected provider type (first key of `spec.provider`, e.g. `"vault"`, `"aws"`).

Usage with LatticeService

Services reference a SecretProvider by name in their resource declarations. The controller creates ExternalSecret resources that sync secrets from the ClusterSecretStore into Kubernetes Secrets.

service-with-secrets.yaml

apiVersion: lattice.dev/v1alpha1
kind: LatticeService
metadata:
  name: api
spec:
  workload:
    containers:
      main:
        image: myorg/api:v1
        variables:
          DB_PASS: ${resources.db-creds.password}
    resources:
      db-creds:
        type: secret
        id: database/prod/creds    # path within the secret store
        params:
          provider: vault-prod        # SecretProvider name
          keys: [username, password]
          refreshInterval: 1h