126 changes: 126 additions & 0 deletions docs/enterprise/externalsecrets/generators/openai.mdx
@@ -0,0 +1,126 @@
---
title: 'OpenAI Generator'
description: 'Dynamically manage OpenAI Service Accounts and API Keys.'
---

<Note>
The External Secrets Enterprise product suite is a premium product.
It requires a specific subscription. Contact us for more information.
</Note>

<Tip>
To use the OpenAI Generator, you must have the Enterprise Distribution of ESO available via [ESI Agent](/docs/enterprise/externalsecrets/esi-agent/quickstart).
</Tip>

## Introduction

The OpenAI Generator allows automated management of **OpenAI Service Accounts** and their associated **API Keys** using the OpenAI Admin API. It simplifies the process of provisioning scoped credentials for different applications or environments, enabling secure, automated key rotation without manual intervention.

This approach reduces operational overhead and enhances security posture by providing each workload with its own unique, managed API key.

## Output Keys and Values

| Key | Description |
| --------- | ---------------------------------------- |
| `api_key` | The generated OpenAI API key (`sk-...`). |

## Parameters

| Key | Default | Description |
| -------------------------- | ------------------------------ | --------------------------------------------------------------------------------------------- |
| `projectId` | **Required** | The ID of the OpenAI project where the service account will be created. |
| `host` | `"https://api.openai.com/v1"` | Base URL for the OpenAI Admin API. Typically the default endpoint is sufficient. |
| `openAiAdminKey` | **Required** | Kubernetes secret reference holding the OpenAI Admin API Key used for authentication. |
| `serviceAccountNamePrefix` | Optional | Prefix for the generated service account name. |
| `serviceAccountNameSize` | `12` | Length of the randomly generated suffix for the service account name. |

## Set up

### Requirements

- An **OpenAI project** with **Admin API Key**.

### Authentication

The Admin API Key must be stored in a Kubernetes secret and referenced in the `openAiAdminKey` field.

Example secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: openai-admin-secret
namespace: default
type: Opaque
data:
api-key: <base64-admin-api-key>
```

### Generator Config
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: OpenAI
metadata:
name: openai-generator
namespace: default
spec:
projectId: my-openai-project-id
openAiAdminKey:
name: openai-admin-secret
key: api-key
host: https://api.openai.com/v1
serviceAccountNamePrefix: app
serviceAccountNameSize: 10
```

### ExternalSecret Config
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openai-credentials
namespace: default
spec:
refreshInterval: 1h
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: OpenAI
name: openai-generator
```

### Using the generated secret
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-container
image: my-image:latest
env:
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: openai-credentials
key: api_key
```

## Notes and Considerations

* Each time the secret rotates, a new service account and API key are created.
* Service accounts are deleted during cleanup, ensuring no orphaned resources remain.
* The generator strictly requires the OpenAI Admin API; standard API keys for model inference are not sufficient.
* serviceAccountNameSize controls only the suffix length after any optional prefix.
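Review bot: the "Using the generated secret" Deployment injects the key via `env: - name: OPENAI_API_KEY / valueFrom: / secretKeyRef:`, but Kubernetes never updates container environment variables after a Secret changes, so once the ExternalSecret rotates (every `refreshInterval: 1h` in the example) and the previous service account is removed per "Service accounts are deleted during cleanup", running pods keep a revoked key until they restart. Either switch the example to a volume mount, which does pick up Secret updates, or state explicitly that workloads must be restarted on rotation, and call out that `refreshInterval` here also sets how often a new OpenAI service account is created, so a one-hour interval means a new service account every hour. Related: the "Notes and Considerations" list should say when cleanup runs (on the next refresh, on ExternalSecret deletion, or both), since that defines the overlap window between the new key being written and the old one being revoked. Because the Admin API Key has far broader privilege than the per-workload keys it mints, the "Authentication" section should recommend restricting access to `openai-admin-secret` (dedicated namespace, RBAC) rather than showing it in `default`. Minor: `serviceAccountNameSize` in the last bullet lacks the backticks the rest of the page uses, and the `serviceAccountNamePrefix` row gives "Optional" where the other rows give a default value.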