Cette page est affichée en anglais. Une traduction française est en cours.

SkillsApr 15, 2026·3 min de lecture

External Secrets Operator — Sync Secrets from Any Vault to Kubernetes

CNCF operator that pulls secrets from AWS Secrets Manager, Vault, GCP, Azure, 1Password, Doppler, and 25+ other backends into native Kubernetes Secret objects.

AI Open Source · Community

Prêt pour agents

Staging sûr pour cet actif

Cet actif est d'abord staged. Le prompt copié demande à l'agent d'inspecter les fichiers staged avant d'activer scripts, config MCP ou config globale.

Stage only · 29/100Policy : staging

Surface agent

Tout agent MCP/CLI

Type

Skill

Installation

Stage only

Confiance

Confiance : Established

Point d'entrée

External Secrets — Vault to K8s Secret Sync

Commande de staging sûr

npx -y tokrepo@latest install 9db65ce5-3900-11f1-9bc6-00163e2b0d79 --target codex

Stage les fichiers d'abord; l'activation exige la revue du README et du plan staged.

TL;DR

External Secrets Operator pulls secrets from external vaults into native Kubernetes Secrets automatically.

§01

What it is

External Secrets Operator (ESO) is a CNCF project that synchronizes secrets from external management systems into Kubernetes Secret objects. It supports over 25 backends including AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, and Doppler.

ESO targets platform engineers running Kubernetes clusters who need secrets from external vaults available as native Kubernetes Secrets. Instead of baking secrets into manifests or using init containers, ESO declares what secrets you need and keeps them synchronized.

§02

How it saves time or tokens

This workflow provides the Helm installation commands and a working ExternalSecret manifest. Instead of reading through ESO documentation to understand CRDs and provider configuration, you get a copy-paste setup that connects to your vault provider in minutes.

§03

How to use

Install ESO via Helm:

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace

Create a SecretStore that points to your vault provider:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-creds
            key: access-key-id
          secretAccessKeySecretRef:
            name: aws-creds
            key: secret-access-key

Create an ExternalSecret to sync a secret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
  target:
    name: my-app-secrets
  data:
    - secretKey: database-url
      remoteRef:
        key: prod/my-app/database-url

§04

Example

# ClusterSecretStore for org-wide Vault access
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-store
spec:
  provider:
    vault:
      server: 'https://vault.internal:8200'
      path: 'secret'
      version: 'v2'
      auth:
        kubernetes:
          mountPath: 'kubernetes'
          role: 'external-secrets'

§05

Related on TokRepo

Security tools -- Secret management and security scanning
DevOps tools -- Kubernetes and infrastructure automation

§06

Common pitfalls

Forgetting to set the refreshInterval means secrets are only fetched once. Set it to a reasonable value (e.g., 1h) so rotated secrets propagate to your cluster.
Using SecretStore instead of ClusterSecretStore when you need cross-namespace access. ClusterSecretStore is cluster-scoped and accessible from any namespace.
IAM permissions are the most common setup failure. Ensure your cloud credentials have read access to the specific secrets you reference.

Questions fréquentes

What secret providers does ESO support?+

ESO supports AWS Secrets Manager, AWS Parameter Store, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, Doppler, GitLab, IBM Secrets Manager, Oracle Vault, CyberArk, and over 25 additional backends.

How does secret rotation work?+

ESO periodically checks the external secret store based on the refreshInterval you configure. When a secret value changes in the external store, ESO updates the Kubernetes Secret automatically. Pods using the secret pick up the change on their next restart or via volume mount refresh.

What is the difference between SecretStore and ClusterSecretStore?+

SecretStore is namespace-scoped and can only be referenced by ExternalSecrets in the same namespace. ClusterSecretStore is cluster-scoped and accessible from any namespace. Use ClusterSecretStore for shared provider configurations.

Does ESO work with GitOps tools like ArgoCD?+

Yes. ESO CRDs (ExternalSecret, SecretStore) are standard Kubernetes resources that ArgoCD can manage. The actual Secret objects are created by ESO, not committed to Git, so sensitive values never appear in your repository.

Can I template the generated Secret?+

Yes. ESO supports templates in the target section of ExternalSecret. You can construct connection strings, config files, or any structured data by combining multiple remote secrets with Go template syntax.

Sources citées (3)

ESO GitHub— External Secrets Operator syncs secrets from 25+ backends to Kubernetes
ESO Documentation— CNCF project for secret management in Kubernetes
ESO Provider Docs— Supports AWS, Vault, GCP, Azure, 1Password providers

En lien sur TokRepo

Security tools DevOps tools Featured workflows

Fil de discussion

Connectez-vous pour rejoindre la discussion.

Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires

CloudNativePG — Production-Grade PostgreSQL Operator for Kubernetes

CloudNativePG is a Level V Kubernetes operator that manages PostgreSQL clusters with streaming replication, online backups, point-in-time recovery and rolling upgrades — without any external pgBouncer-like layer.

Skills

AI Open Source

KubeBlocks — Unified Database Operator for Kubernetes

KubeBlocks is a Kubernetes operator that manages the full lifecycle of multiple database engines including MySQL, PostgreSQL, MongoDB, Redis, and Kafka on any Kubernetes cluster.

Skills

AI Open Source

External-DNS — Automatic DNS Records for Kubernetes Services

External-DNS watches Kubernetes Services and Ingresses and automatically creates, updates, and deletes DNS records in providers like Route53, Cloudflare, and Google Cloud DNS to keep DNS in sync with your cluster.

Skills

AI Open Source

Virtual Kubelet — Run Kubernetes Pods on Serverless and External Backends

Virtual Kubelet implements the Kubernetes kubelet interface as a pluggable provider, allowing pods to be scheduled onto serverless platforms, IoT edge nodes, or any non-traditional compute backend.

Skills

AI Open Source