BlogSecrets

External Secrets Operator: sync Vault into Kubernetes

Keep the source of truth in Vault and let the operator materialize Kubernetes Secrets your pods can mount.

Jul 29, 2025·9 min readIntermediate

External Secrets Operator (ESO) keeps the source of truth in Vault (or AWS/GCP/Azure) and materializes it as a native Kubernetes Secret your pods mount normally. You get one place to manage secrets and zero custom glue in your apps.

The sync path
1
Vault
source of truth
2
SecretStore
how ESO connects
3
ExternalSecret
what to sync
4
K8s Secret
pod mounts it

Point ESO at Vault

secretstore.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: { name: vault, namespace: shop }
spec:
provider:
vault:
server: "https://vault.acme.internal:8200"
path: "secret"
auth:
kubernetes:
mountPath: "kubernetes"
role: "payments"

Declare what to sync

externalsecret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: db, namespace: shop }
spec:
refreshInterval: 1h
secretStoreRef: { name: vault, kind: SecretStore }
target: { name: db-credentials }
data:
- secretKey: password
remoteRef: { key: database/payments, property: password }
Rotation flows through automatically
Rotate the value in Vault and ESO refreshes the Kubernetes Secret on its interval. Pair with a reloader so pods pick up the change without a manual restart.
Go deeper in a courseVault from dev to productionAuth methods, dynamic secrets, and Kubernetes integration.View course

Related posts