Skills2026年4月15日·1 分钟阅读

External Secrets Operator — Sync Secrets from Any Vault to Kubernetes

CNCF operator that pulls secrets from AWS Secrets Manager, Vault, GCP, Azure, 1Password, Doppler, and 25+ other backends into native Kubernetes Secret objects.

AI Open Source · Community

Agent 就绪

这个资产会安全暂存

这个资产会先安全暂存。复制的指令会要求 Agent 读取暂存文件，并在激活脚本、MCP 配置或全局配置前先确认。

Stage only · 29/100策略：需暂存

Agent 入口

任意 MCP/CLI Agent

类型

Skill

安装

Stage only

信任

信任等级：Established

入口

External Secrets — Vault to K8s Secret Sync

安全暂存命令

npx -y tokrepo@latest install 9db65ce5-3900-11f1-9bc6-00163e2b0d79 --target codex

先暂存文件；激活前需要读取暂存 README 和安装计划。

TL;DR

External Secrets Operator pulls secrets from external vaults into native Kubernetes Secrets automatically.

§01

What it is

External Secrets Operator (ESO) is a CNCF project that synchronizes secrets from external management systems into Kubernetes Secret objects. It supports over 25 backends including AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, and Doppler.

ESO targets platform engineers running Kubernetes clusters who need secrets from external vaults available as native Kubernetes Secrets. Instead of baking secrets into manifests or using init containers, ESO declares what secrets you need and keeps them synchronized.

§02

How it saves time or tokens

This workflow provides the Helm installation commands and a working ExternalSecret manifest. Instead of reading through ESO documentation to understand CRDs and provider configuration, you get a copy-paste setup that connects to your vault provider in minutes.

§03

How to use

Install ESO via Helm:

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace

Create a SecretStore that points to your vault provider:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-creds
            key: access-key-id
          secretAccessKeySecretRef:
            name: aws-creds
            key: secret-access-key

Create an ExternalSecret to sync a secret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
  target:
    name: my-app-secrets
  data:
    - secretKey: database-url
      remoteRef:
        key: prod/my-app/database-url

§04

Example

# ClusterSecretStore for org-wide Vault access
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-store
spec:
  provider:
    vault:
      server: 'https://vault.internal:8200'
      path: 'secret'
      version: 'v2'
      auth:
        kubernetes:
          mountPath: 'kubernetes'
          role: 'external-secrets'

§05

Related on TokRepo

Security tools -- Secret management and security scanning
DevOps tools -- Kubernetes and infrastructure automation

§06

Common pitfalls

Forgetting to set the refreshInterval means secrets are only fetched once. Set it to a reasonable value (e.g., 1h) so rotated secrets propagate to your cluster.
Using SecretStore instead of ClusterSecretStore when you need cross-namespace access. ClusterSecretStore is cluster-scoped and accessible from any namespace.
IAM permissions are the most common setup failure. Ensure your cloud credentials have read access to the specific secrets you reference.

常见问题

What secret providers does ESO support?+

ESO supports AWS Secrets Manager, AWS Parameter Store, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, Doppler, GitLab, IBM Secrets Manager, Oracle Vault, CyberArk, and over 25 additional backends.

How does secret rotation work?+

ESO periodically checks the external secret store based on the refreshInterval you configure. When a secret value changes in the external store, ESO updates the Kubernetes Secret automatically. Pods using the secret pick up the change on their next restart or via volume mount refresh.

What is the difference between SecretStore and ClusterSecretStore?+

SecretStore is namespace-scoped and can only be referenced by ExternalSecrets in the same namespace. ClusterSecretStore is cluster-scoped and accessible from any namespace. Use ClusterSecretStore for shared provider configurations.

Does ESO work with GitOps tools like ArgoCD?+

Yes. ESO CRDs (ExternalSecret, SecretStore) are standard Kubernetes resources that ArgoCD can manage. The actual Secret objects are created by ESO, not committed to Git, so sensitive values never appear in your repository.

Can I template the generated Secret?+

Yes. ESO supports templates in the target section of ExternalSecret. You can construct connection strings, config files, or any structured data by combining multiple remote secrets with Go template syntax.

引用来源 (3)

ESO GitHub— External Secrets Operator syncs secrets from 25+ backends to Kubernetes
ESO Documentation— CNCF project for secret management in Kubernetes
ESO Provider Docs— Supports AWS, Vault, GCP, Azure, 1Password providers

讨论

登录后参与讨论。

还没有评论，来写第一条吧。

External Secrets Operator — Sync Secrets from Any Vault to Kubernetes

这个资产会安全暂存

What it is

How it saves time or tokens

How to use

Example

Related on TokRepo

Common pitfalls

常见问题

引用来源 (3)

TokRepo 相关

讨论

相关资产

CloudNativePG — Production-Grade PostgreSQL Operator for Kubernetes

KubeBlocks — Unified Database Operator for Kubernetes

External-DNS — Automatic DNS Records for Kubernetes Services

Virtual Kubelet — Run Kubernetes Pods on Serverless and External Backends