External Secrets Operator — Operations
Scope
Production deployment patterns, operational procedures, performance tuning, and troubleshooting for External Secrets Operator.
Deployment

```bash
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace
```
Provider Setup

AWS Secrets Manager

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
```
HashiCorp Vault

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
```
ExternalSecret Definition

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: production/database
        property: password
```
Common Issues

| Issue | Diagnosis | Fix |
|---|---|---|
| Secret not syncing | `kubectl describe externalsecret` | Check SecretStore connectivity |
| Auth failure | ESO pod logs | Verify IRSA/ServiceAccount setup |
| Refresh not working | Check `refreshInterval` | Ensure > 0, check provider limits |
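
The first and third rows of the table can be checked across a whole cluster by reading each ExternalSecret's `Ready` condition, `refreshInterval` and `status.refreshTime`. The script below is an added example, not part of the ESO project; the sample objects, the `prod` namespace and the "older than twice the interval" staleness threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_interval(text):
    """Convert a Go-style duration ('1h', '90s', '1h30m') to a timedelta; '0' or junk gives zero."""
    parts = re.findall(r"(\d+)([hms])", text or "")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def triage(items, now):
    """Return (namespace/name, finding) pairs for ExternalSecrets that need attention."""
    findings = []
    for es in items:
        ref = f'{es["metadata"]["namespace"]}/{es["metadata"]["name"]}'
        status = es.get("status", {})
        ready = next((c for c in status.get("conditions", []) if c["type"] == "Ready"), None)
        interval = parse_interval(es["spec"].get("refreshInterval", "1h"))
        if ready is None or ready["status"] != "True":
            detail = ready.get("message", "") if ready else "no Ready condition yet"
            findings.append((ref, f"not syncing: {detail}"))
        elif interval == timedelta(0):
            findings.append((ref, "refresh disabled: refreshInterval is 0"))
        elif status.get("refreshTime"):
            last = datetime.fromisoformat(status["refreshTime"].replace("Z", "+00:00"))
            if now - last > 2 * interval:  # assumed threshold: two missed refresh cycles
                findings.append((ref, f"stale: last refresh {last.isoformat()}"))
    return findings

def _es(name, interval, ready, message, refreshed):
    return {"metadata": {"namespace": "prod", "name": name},
            "spec": {"refreshInterval": interval},
            "status": {"refreshTime": refreshed,
                       "conditions": [{"type": "Ready", "status": ready, "message": message}]}}

# Constructed sample shaped like the .items of `kubectl get externalsecrets -A -o json`.
SAMPLE = [
    _es("db-credentials", "1h", "True", "Secret was synced", "2024-05-01T11:30:00Z"),
    _es("api-key", "1h", "False", "could not get secret data from provider", "2024-05-01T08:00:00Z"),
    _es("tls-cert", "0", "True", "Secret was synced", "2024-04-01T00:00:00Z"),
    _es("queue-token", "15m", "True", "Secret was synced", "2024-05-01T09:00:00Z"),
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ref, finding in triage(SAMPLE, NOW):
        print(f"{ref}: {finding}")
```

Against a live cluster, load the JSON from `kubectl get externalsecrets -A -o json`, pass its `items` list with the current UTC time, and follow up each "not syncing" finding with `kubectl describe externalsecret` as in the table.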