We’re excited to introduce the Humanitec Operator, a powerful addition to the Humanitec ecosystem. This Kubernetes operator controls deployments made with Humanitec, opening the door to enhanced security scenarios. With the Humanitec Operator, you gain full flexibility in managing secrets, controlling cluster access, and enabling deployment models such as GitOps for your development teams.
Curious to explore what the Humanitec Operator is all about and how it works? This article serves as an introductory guide, offering insights into its capabilities and contextualizing its role within your workflow.
Your secrets, your way
The Humanitec Operator is driven by the need for increased flexibility in managing secrets within your Internal Developer Platform (IDP). There are many ways in which secrets can be used with the Humanitec Platform Orchestrator, for example as shared values and secrets in your apps, for certain types of Resource Definitions, or when configuring Drivers. By default, Humanitec stores and retrieves these secrets from its internal secrets store. Since this approach might not align with your organization’s preferred secrets management practices, the Humanitec Operator introduces a new deployment model. This model enables you to manage secrets within your own infrastructure, granting you full control over where they are stored and who can access them.
Humanitec’s spectrum of security
When assessing whether the Humanitec Operator could be beneficial for your use case, it's valuable to understand where you position yourself on Humanitec’s security spectrum. Apart from hosting secrets, you might consider self-hosting other components of your IDP, like Humanitec’s Resource Drivers or the Platform Orchestrator. Humanitec’s security spectrum is defined by four different modes:
- Full SaaS (default): Your secrets are stored in Humanitec’s internal secret store, and the Platform Orchestrator has full access to that store. Operating in this default mode, known as direct cluster mode, doesn’t require the Humanitec Operator.
- Secrets stored by the customer but usable outside the customer’s network: Your secrets are stored in a secret store within your own infrastructure. In this mode, the Humanitec Operator runs inside your cluster. It is responsible for retrieving and injecting secrets as necessary to generate Kubernetes manifests and facilitate resource provisioning for your deployment. Optionally, users of the Platform Orchestrator can still be permitted to write secrets to the secret store, just as in direct cluster mode.
- Secrets stored by the customer that do not leave the customer’s network: This is similar to the above method, but with an added layer of control. The Drivers, responsible for Resource provisioning, are hosted within your infrastructure. In this mode, the Operator transfers secrets exclusively through your internal network.
- Self-hosted: All data remains within your network. You internally host both the Platform Orchestrator and Drivers, with optional use of the Operator.
These options offer increasing levels of control and security, allowing you to select the mode that best aligns with your organization's preferences and security requirements.
Activating Operator mode
When you’re ready to dive in and start mapping out your desired architecture with the Humanitec Operator, our documentation is your go-to resource. It provides a guide covering various usage scenarios, installation steps, and testing options. In this section, we’ll present a brief TL;DR outlining the inner workings of the Operator.
Humanitec Operator mode
Starting with default mode, the Platform Orchestrator stores secrets in its internal secrets store. When you deploy an app, it pulls those secrets from there to do its magic, such as creating Kubernetes manifests and provisioning Resources in the target cluster. Now, if you use your own secret store over Humanitec’s, the Platform Orchestrator can’t access it to retrieve secret values needed to complete the deployment.
This is where the Humanitec Operator comes into play. Once it is installed in your cluster, Humanitec switches gears into “Operator mode”. This means the Platform Orchestrator now renders Kubernetes manifests only partially — as far as it can without access to secrets — and generates a set of instructions outlining how to complete the rendering procedure. The Operator picks these instructions up to complete the job: it obtains the secrets from your secret store, calls the Drivers, and finally creates the required Kubernetes manifests.
Learn more about this mode over at the Humanitec Operator article.
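The two-stage rendering described above, as an added toy model that is not Humanitec's own code or custom resource format: the placeholder syntax `${secret:...}`, the `Instructions` type and the sample manifest are all assumed for illustration. The point it demonstrates is the security property of Operator mode, namely that the stage-1 output leaving the orchestrator contains secret references but never secret values, and that only the in-cluster stage resolves them from the customer's store.

```python
# Constructed toy model of the two-stage rendering in Operator mode.
# Not Humanitec's code or CRD format; placeholder syntax and names are assumed.
import re
from dataclasses import dataclass, field

SECRET_REF = re.compile(r"\$\{secret:([A-Za-z0-9_./-]+)\}")

@dataclass
class Instructions:
    """Stage-1 output: a partially rendered manifest plus the refs still unresolved."""
    manifest: dict
    secret_refs: set = field(default_factory=set)

def _walk(value, on_str):
    """Apply on_str to every string inside a nested dict/list structure."""
    if isinstance(value, dict):
        return {k: _walk(v, on_str) for k, v in value.items()}
    if isinstance(value, list):
        return [_walk(v, on_str) for v in value]
    return on_str(value) if isinstance(value, str) else value

def orchestrator_render(template: dict) -> Instructions:
    """Stage 1, outside the customer network: record secret refs but never resolve them."""
    refs = set()
    def note(s):
        refs.update(SECRET_REF.findall(s))
        return s
    return Instructions(manifest=_walk(template, note), secret_refs=refs)

def operator_complete(instr: Instructions, store: dict) -> dict:
    """Stage 2, inside the cluster: fill placeholders from the customer's own store."""
    missing = instr.secret_refs - set(store)
    if missing:
        raise KeyError(f"unresolved secret refs: {sorted(missing)}")
    return _walk(instr.manifest, lambda s: SECRET_REF.sub(lambda m: store[m.group(1)], s))

def leaks_secret(instr: Instructions, store: dict) -> bool:
    """Property to check: no plaintext secret value appears in the stage-1 output."""
    blob = repr(instr.manifest)
    return any(v in blob for v in store.values())

# Constructed sample input: a Secret manifest template and an in-cluster store.
TEMPLATE = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds"},
            "stringData": {"url": "postgres://app:${secret:db/password}@db:5432/app"}}
STORE = {"db/password": "pw-constructed-123"}

def demo() -> dict:
    instr = orchestrator_render(TEMPLATE)
    assert instr.secret_refs == {"db/password"} and not leaks_secret(instr, STORE)
    return operator_complete(instr, STORE)
```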
If you’re following a GitOps deployment approach, you can direct the Platform Orchestrator to send its instructions straight to a repository. A GitOps operator such as ArgoCD or Flux then pulls those instructions into your cluster, and the Humanitec Operator executes the instructions represented by those Kubernetes custom resources just as it does without GitOps.
Learn more about this mode here.
Get started now
We hope you enjoy exploring the new feature and if you have questions or need any help, please get in touch. Our team is always here to make sure you have the best experience.