BlogSecrets
External Secrets Operator: sync Vault into Kubernetes
Keep the source of truth in Vault and let the operator materialize Kubernetes Secrets your pods can mount.
External Secrets Operator (ESO) keeps the source of truth in Vault (or AWS/GCP/Azure) and materializes it as a native Kubernetes Secret your pods mount normally. You get one place to manage secrets and zero custom glue in your apps.
1
Vault
source of truth
2
SecretStore
how ESO connects
3
ExternalSecret
what to sync
4
K8s Secret
pod mounts it
Point ESO at Vault
secretstore.yaml
apiVersion: external-secrets.io/v1beta1kind: SecretStoremetadata: { name: vault, namespace: shop }spec:provider:vault:server: "https://vault.acme.internal:8200"path: "secret"auth:kubernetes:mountPath: "kubernetes"role: "payments"
Declare what to sync
externalsecret.yaml
apiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata: { name: db, namespace: shop }spec:refreshInterval: 1hsecretStoreRef: { name: vault, kind: SecretStore }target: { name: db-credentials }data:- secretKey: passwordremoteRef: { key: database/payments, property: password }
Rotation flows through automatically
Rotate the value in Vault and ESO refreshes the Kubernetes Secret on its interval. Pair with a reloader so pods pick up the change without a manual restart.