External Secrets

Kubernetes operator that syncs secrets from external secret stores into Kubernetes Secrets.

External Secrets Operator reads values from external secret management systems (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, and others) and writes them as Kubernetes Secret objects. It is used in this cluster to pull secrets from a configured backend store, decoupling secret values from the Git repository and complementing the SOPS-based secret management already in use.

Alternatives considered

Self Hosted

| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Sealed Secrets | Yes | Yes | Encrypts secrets in Git; no external store needed |
| Vault Agent Injector | Yes | Yes | Requires HashiCorp Vault; sidecar injection model |
| SOPS + Flux | Yes | Yes | Git-native encryption; used alongside ESO in this cluster |

Installation

Architecture

HelmRelease external-secrets in namespace external-secrets, chart version 2.2.0 from https://charts.external-secrets.io. CRDs installed via installCRDs: true. Installs the operator (controller), webhook, and cert-controller components. Grafana dashboard enabled. Installs ExternalSecret, SecretStore, ClusterSecretStore, PushSecret, and related CRDs.

Security

Both the operator and webhook run with hardened securityContext: runAsNonRoot: true, runAsUser: 1000, allowPrivilegeEscalation: false, capabilities: drop: ALL, readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault. Pod-level securityContext enabled. RBAC is cluster-wide for ClusterSecretStore usage.

Updates

Managed by Renovate. Chart version is semver-pinned (2.2.0).

Administration

Usage

Operators create ClusterSecretStore resources to register a secret backend, then create ExternalSecret resources in application namespaces to pull specific values. The operator reconciles on a configurable interval and keeps Kubernetes Secrets up to date with the external source. Applications reference the resulting Secrets as they would any native Kubernetes Secret.
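The workflow above as a worked example, added here rather than taken from the cluster repository: a ClusterSecretStore that registers a backend once and is restricted to labelled namespaces, plus an ExternalSecret in an application namespace that pulls one key from it. The page does not name the backend, so the Vault provider, its address, the Kubernetes-auth role, the KV path, the label name and the application names are all assumptions.

```yaml
# ClusterSecretStore: registers the backend once, cluster-wide.
# Provider, server, role and paths are assumed, not taken from the cluster repo.
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  # Least privilege: the operator's RBAC is cluster-wide, so limit which
  # namespaces may reference this store (label name is constructed here).
  conditions:
    - namespaceSelector:
        matchLabels:
          eso-store: enabled
  provider:
    vault:
      server: https://vault.example.internal:8200   # assumed address
      path: secret                                   # KV mount
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets                     # assumed Vault role
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# ExternalSecret: lives in the application namespace and yields a native
# Secret that the workload mounts or references like any other.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: my-app          # assumed application namespace
spec:
  refreshInterval: 1h        # reconcile interval; the Secret tracks backend changes
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: app-db-credentials # Kubernetes Secret to create
    creationPolicy: Owner    # ESO owns it and removes it with the ExternalSecret
    deletionPolicy: Retain   # keep the Secret if the remote key disappears
  data:
    - secretKey: password    # key inside the generated Secret
      remoteRef:
        key: apps/my-app/db  # secret/data/apps/my-app/db in KV v2
        property: password   # one field of that remote secret
```

After applying, `kubectl get externalsecret -n my-app` should report the resource Ready; a Ready=False condition points at the store, its auth, or the remote key.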

Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/external-secrets/README.md.

Cluster Deployment

External Secrets — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/external-secrets.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/platform/external-secrets.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata
Rendered manifests (kustomize build)
```yaml
apiVersion: v1
data:
  values.yaml: |
    # yaml-language-server: $schema=https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/deploy/charts/external-secrets/values.schema.json

    installCRDs: true

    resources:
      requests:
        cpu: 10m
        memory: 32Mi

    grafanaDashboard:
      enabled: true

    image:

    podSecurityContext:
      enabled: true

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      enabled: true
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault

    webhook:
      podSecurityContext:
        enabled: true

      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        enabled: true
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
kind: ConfigMap
metadata:
  name: external-secrets-values-c8b9ft47c8
  namespace: external-secrets
```