
External Secrets Operator

External Secrets Operator (ESO) syncs secrets from external providers (e.g., Azure Key Vault) into Kubernetes Secrets. This keeps credentials out of Git and lets you rotate secrets in Key Vault without redeploying.

Install ESO

helm repo add external-secrets https://charts.external-secrets.io
helm repo update

helm install external-secrets external-secrets/external-secrets \
--namespace external-secrets-system \
--create-namespace

Azure Key Vault with Workload Identity

Create a SecretStore that uses Workload Identity:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-keyvault-secret-store
  namespace: your-namespace
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://<your-keyvault-name>.vault.azure.net"
      serviceAccountRef:
        name: external-secrets-operator
        namespace: external-secrets-system

The ESO service account (external-secrets-operator in external-secrets-system) must carry the Workload Identity annotations that bind it to a Managed Identity holding the Key Vault Secrets User role on the vault; without that binding the SecretStore never becomes Ready.

Create an ExternalSecret

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-secret
  namespace: your-namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: azure-keyvault-secret-store
    kind: SecretStore
  target:
    name: my-kubernetes-secret
  data:
    - secretKey: password
      remoteRef:
        key: my-secret-name

ClusterSecretStore

Use ClusterSecretStore to share Key Vault access across namespaces:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: azure-keyvault-cluster-store
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://<your-keyvault-name>.vault.azure.net"
      serviceAccountRef:
        name: external-secrets-operator
        namespace: external-secrets-system

ExternalSecrets in any namespace can reference the ClusterSecretStore:

spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-keyvault-cluster-store

Key Vault RBAC

If your Key Vault uses RBAC (not access policies):

  • The ESO runtime identity needs Key Vault Secrets User (read)
  • Bootstrap users need Key Vault Secrets Officer (write) to create secrets

RBAC propagation for Key Vault can take 60–120 seconds.

Verify Installation

# Check CRDs
kubectl get crd | grep externalsecrets

# Check operator
kubectl get pods -n external-secrets-system

# Check SecretStore status
kubectl get secretstore -n your-namespace
kubectl describe secretstore azure-keyvault-secret-store -n your-namespace
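The following pre-flight check is an added example, not code from the ESO project: it takes SecretStore/ClusterSecretStore and ExternalSecret objects in the shape `kubectl get ... -o json` returns them and flags the mistakes the sections above guard against (a placeholder still in vaultUrl, a non-HTTPS or non-Key-Vault host, an auth type other than WorkloadIdentity, a secretStoreRef that does not resolve from the ExternalSecret's namespace, and objects that are not Ready). It assumes ESO's Ready condition under status.conditions and runs on constructed sample objects embedded below.

```python
from urllib.parse import urlparse

def _ready(obj):
    """True when status.conditions carries Ready=True (the condition ESO sets)."""
    return any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in obj.get("status", {}).get("conditions", []))

def check_store(store):
    """Findings for a SecretStore/ClusterSecretStore using the azurekv provider."""
    findings = []
    azkv = store.get("spec", {}).get("provider", {}).get("azurekv", {})
    url = azkv.get("vaultUrl", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not (parsed.hostname or "").endswith(".vault.azure.net"):
        findings.append(f"vaultUrl is not an https://*.vault.azure.net URL: {url!r}")
    if "<" in url:
        findings.append("vaultUrl still contains a template placeholder")
    if azkv.get("authType") != "WorkloadIdentity":
        findings.append(f"authType {azkv.get('authType')!r} is not WorkloadIdentity")
    if not _ready(store):
        findings.append("store is not Ready; run kubectl describe on it for the reason")
    return findings

def check_external_secret(es, stores):
    """Findings for an ExternalSecret, given the store objects it could reference."""
    findings = []
    ref = es.get("spec", {}).get("secretStoreRef", {})
    kind = ref.get("kind", "SecretStore")  # ESO defaults the kind to SecretStore
    ns = es.get("metadata", {}).get("namespace")
    # A SecretStore must live in the ExternalSecret's namespace; a ClusterSecretStore is global.
    if not any(s.get("kind") == kind and s["metadata"].get("name") == ref.get("name")
               and (kind == "ClusterSecretStore" or s["metadata"].get("namespace") == ns)
               for s in stores):
        findings.append(f"secretStoreRef {kind}/{ref.get('name')} not found for namespace {ns}")
    if not _ready(es):
        findings.append("ExternalSecret is not Ready: the target Secret has not been synced")
    return findings

# Constructed samples shaped like items from `kubectl get secretstore,externalsecret -o json`.
SAMPLE_STORE = {"kind": "SecretStore",
    "metadata": {"name": "azure-keyvault-secret-store", "namespace": "your-namespace"},
    "spec": {"provider": {"azurekv": {"authType": "WorkloadIdentity",
        "vaultUrl": "https://<your-keyvault-name>.vault.azure.net",  # placeholder left in
        "serviceAccountRef": {"name": "external-secrets-operator", "namespace": "external-secrets-system"}}}},
    "status": {"conditions": [{"type": "Ready", "status": "False"}]}}
SAMPLE_ES = {"kind": "ExternalSecret", "metadata": {"name": "my-secret", "namespace": "your-namespace"},
    "spec": {"secretStoreRef": {"name": "azure-keyvault-secret-store", "kind": "SecretStore"}},
    "status": {"conditions": [{"type": "Ready", "status": "False"}]}}
```

In a live cluster, feed the `items` array of `kubectl get secretstore,clustersecretstore,externalsecret -A -o json` into these two functions; an empty findings list for every object means the chain from Key Vault to the target Secret is wired up and synced.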

References