# Operations

Scope: production deployment patterns, operational procedures, performance tuning, and troubleshooting for External Secrets Operator (ESO).
## Deployment

```bash
helm install external-secrets external-secrets/external-secrets --namespace external-secrets --create-namespace
```
## Provider Setup

### AWS Secrets Manager

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        # IRSA: ESO exchanges this ServiceAccount's projected token for AWS credentials
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
```
### HashiCorp Vault

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      auth:
        # Vault Kubernetes auth: the role must be bound to ESO's ServiceAccount
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
```
## ExternalSecret Definition

```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
  target:
    # name of the Kubernetes Secret ESO creates and keeps in sync
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: production/database
        property: password
```
## Common Issues

| Issue | Diagnosis | Fix |
|---|---|---|
| Secret not syncing | `kubectl describe externalsecret` | Check SecretStore connectivity |
| Auth failure | ESO pod logs | Verify IRSA/ServiceAccount setup |
| Refresh not working | Check `refreshInterval` | Ensure it is > 0, check provider limits |
## Commands & Recipes

### Installation

```bash
# Install via Helm
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace

# Verify
kubectl get pods -n external-secrets
```
### SecretStore (Vault)

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      # KV secrets engine version
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "myapp"
```
### ExternalSecret

```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: myapp-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: myapp-secret
    # Owner: the generated Secret is owned by this ExternalSecret and removed with it
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        key: secret/data/myapp/db
        property: password
    - secretKey: API_KEY
      remoteRef:
        key: secret/data/myapp/api
        property: key
```
### AWS Secrets Manager

```yaml
apiVersion: external-secrets.io/v1
# ClusterSecretStore: cluster-scoped, usable by ExternalSecrets in any namespace
kind: ClusterSecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            # a cluster-scoped store must say which namespace the ServiceAccount lives in
            namespace: external-secrets
```
### Debugging

```bash
# Check sync status
kubectl get externalsecret -A
kubectl describe externalsecret myapp-secret

# Check events
kubectl get events --field-selector involvedObject.kind=ExternalSecret
```
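The Common Issues table and the debugging commands above both come down to reading the `Ready` condition, the `refreshInterval`, and the `secretStoreRef` of each ExternalSecret. The following triage script is an added example, not part of ESO or of this page: it takes the JSON that `kubectl get externalsecret -A -o json` prints (a constructed sample is embedded so it runs offline) plus a constructed set of known store names, and maps every object onto the table's diagnosis and fix. The auth-failure pattern list and the `KNOWN_STORES` set are assumptions for the example, not ESO constants.

```python
"""Triage helper for ExternalSecret sync problems (added example, not ESO code).

Classifies each ExternalSecret from `kubectl get externalsecret -A -o json`
into the diagnosis categories of the troubleshooting table: missing store,
refreshInterval of 0, auth failure, or a generic sync error.
"""
import json
import re

# Constructed sample in the shape of `kubectl get externalsecret -A -o json`,
# trimmed to the fields the triage reads. Not captured from a real cluster.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "db-credentials", "namespace": "prod"},
            "spec": {"refreshInterval": "1h",
                     "secretStoreRef": {"name": "aws-secrets", "kind": "SecretStore"}},
            "status": {"conditions": [
                {"type": "Ready", "status": "True", "reason": "SecretSynced",
                 "message": "Secret was synced"}]},
        },
        {
            "metadata": {"name": "myapp-secret", "namespace": "prod"},
            "spec": {"refreshInterval": "1h",
                     "secretStoreRef": {"name": "vault-backend", "kind": "SecretStore"}},
            "status": {"conditions": [
                {"type": "Ready", "status": "False", "reason": "SecretSyncedError",
                 "message": "could not get secret data from provider: permission denied"}]},
        },
        {
            "metadata": {"name": "stale-secret", "namespace": "staging"},
            "spec": {"refreshInterval": "0",
                     "secretStoreRef": {"name": "missing-store", "kind": "SecretStore"}},
            "status": {"conditions": []},
        },
    ],
})

# Constructed: store names that exist in the cluster, as one would collect from
# `kubectl get secretstore,clustersecretstore -A`.
KNOWN_STORES = {"aws-secrets", "vault-backend"}

# Assumed message fragments that indicate a provider rejected ESO's identity.
AUTH_FAILURE = re.compile(r"permission denied|unauthori[sz]ed|forbidden|403|AccessDenied", re.I)


def interval_is_zero(value):
    """True when refreshInterval disables periodic refresh ("0", "0s", "0h")."""
    s = str(value if value is not None else "").strip()
    return s != "" and re.fullmatch(r"0+(ns|us|\u00b5s|ms|s|m|h)?", s) is not None


def ready_condition(item):
    """Return the Ready condition dict from .status, or None if not reconciled yet."""
    for cond in item.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def triage(item, known_stores):
    """Return a list of (issue, fix) pairs for one ExternalSecret object."""
    findings = []
    spec = item.get("spec", {})
    store = spec.get("secretStoreRef", {}).get("name")
    if store not in known_stores:
        findings.append(("secretStoreRef '%s' not found" % store,
                         "create the SecretStore/ClusterSecretStore or fix the name"))
    if interval_is_zero(spec.get("refreshInterval")):
        findings.append(("refreshInterval is 0, the secret is never refreshed",
                         "set refreshInterval > 0 (e.g. 1h) within provider rate limits"))
    cond = ready_condition(item)
    if cond is None:
        findings.append(("no Ready condition yet",
                         "controller has not reconciled it: check ESO pod logs and events"))
    elif cond.get("status") != "True":
        msg = cond.get("message", "")
        if AUTH_FAILURE.search(msg):
            findings.append(("auth failure: " + msg,
                             "verify IRSA/ServiceAccount setup and the provider role binding"))
        else:
            findings.append(("not synced (%s): %s" % (cond.get("reason"), msg),
                             "check SecretStore connectivity and the remoteRef key/property"))
    return findings


def triage_list(kubectl_json, known_stores):
    """Map 'namespace/name' to its findings; healthy objects are omitted."""
    report = {}
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        key = "%s/%s" % (meta.get("namespace", "default"), meta.get("name"))
        findings = triage(item, known_stores)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage_list(SAMPLE_LIST, KNOWN_STORES).items():
        print(name)
        for issue, fix in findings:
            print("  issue: %s\n  fix:   %s" % (issue, fix))
```

Against the embedded sample the healthy `prod/db-credentials` produces nothing, `prod/myapp-secret` is reported as an auth failure because its Ready message contains "permission denied", and `staging/stale-secret` collects all three findings (unknown store, zero interval, never reconciled). To run it on a live cluster, replace `SAMPLE_LIST` with the output of `kubectl get externalsecret -A -o json` and fill `KNOWN_STORES` from the store listing.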