External Secrets Operator — How It Works

Controller reconciliation loop, secret store authentication, and sync lifecycle.

Reconciliation Flow

sequenceDiagram
    participant K8sAPI as K8s API
    participant ESO_H as ESO Controller
    participant Store as SecretStore config
    participant Provider as External Provider (Vault/AWS/GCP)
    participant Secret_H as K8s Secret

    ESO_H->>K8sAPI: Watch ExternalSecret resources
    K8sAPI-->>ESO_H: ExternalSecret created/updated
    ESO_H->>Store: Read SecretStore connection config
    ESO_H->>Provider: Authenticate (SA/IAM/AppRole)
    ESO_H->>Provider: Fetch secret values
    Provider-->>ESO_H: Secret data
    ESO_H->>ESO_H: Apply template (if defined)
    ESO_H->>Secret_H: Create/Update K8s Secret
    Note over ESO_H: Re-sync every refreshInterval (e.g., 1h)
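The manifests below are an added example of the resources that drive the loop above; they are not taken from the original page or from the External Secrets project's documentation. A SecretStore carries the provider connection and authentication config the controller reads, and an ExternalSecret names the remote keys to fetch, the template to apply, and the refreshInterval at which the controller re-syncs. The Vault address, the Kubernetes auth role, the service account name, the remote key path and the namespace are assumed values for illustration.

```yaml
# Assumed values: vault.example.internal, role app-reader, SA eso-app-sa,
# namespace app, remote key app/db. Field names follow the ESO v1beta1 API.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: app
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"
      path: "secret"          # KV mount; ESO adds /data/ for KV v2
      version: "v2"
      auth:
        # Controller authenticates with the pod's service account token
        # against Vault's Kubernetes auth method (the "Authenticate" step).
        kubernetes:
          mountPath: "kubernetes"
          role: "app-reader"  # Vault role scoped to read-only on app/*
          serviceAccountRef:
            name: "eso-app-sa"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db
  namespace: app
spec:
  refreshInterval: 1h         # re-fetch cadence; bounds rotation lag
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: app-db              # the Kubernetes Secret the controller writes
    creationPolicy: Owner     # Secret is owned by (and deleted with) this ExternalSecret
    template:
      engineVersion: v2
      type: Opaque
      data:
        # "Apply template" step: render fetched values into the final key layout
        DATABASE_URL: "postgres://{{ .username }}:{{ .password }}@db.app.svc:5432/app"
  data:
    # "Fetch secret values" step: each entry maps one remote property to a key
    - secretKey: username
      remoteRef:
        key: app/db
        property: username
    - secretKey: password
      remoteRef:
        key: app/db
        property: password
```

With creationPolicy Owner, deleting the ExternalSecret garbage-collects the generated Secret, and the Vault role referenced in the SecretStore is where read access is scoped, so the controller never needs broader provider credentials than the paths the ExternalSecrets in that namespace actually reference.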

PushSecret Flow (Reverse Sync)

flowchart LR
    K8sS["K8s Secret"] -->|"PushSecret CRD"| ESO_PS["ESO Controller"]
    ESO_PS -->|"push"| Vault_PS["Vault / AWS SM / GCP SM"]

    style ESO_PS fill:#1565c0,color:#fff
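As an added example for the reverse flow (not from the original page or the ESO project docs), the PushSecret below selects an existing Kubernetes Secret and tells the controller which of its keys to push to which remote key in the referenced SecretStore. The Secret name, remote key and store name are assumed values.

```yaml
# Assumed values: source Secret app-tls, remote key app/tls, store vault-backend.
# Field names follow the ESO v1alpha1 PushSecret API.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-app-tls
  namespace: app
spec:
  refreshInterval: 1h          # how often the controller re-pushes the value
  secretStoreRefs:
    - name: vault-backend      # destination provider config (needs write access)
      kind: SecretStore
  selector:
    secret:
      name: app-tls            # the in-cluster Secret acting as the source
  data:
    # Push only the named keys, not the whole Secret
    - match:
        secretKey: tls.crt
        remoteRef:
          remoteKey: app/tls
          property: cert
    - match:
        secretKey: tls.key
        remoteRef:
          remoteKey: app/tls
          property: key
```

Because a PushSecret writes to the provider, the SecretStore it references needs a credential with write permission on the target path; keeping that store separate from the read-only store used by ExternalSecrets limits what a compromised reader credential can change.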

Sources