external-secrets
External Secrets operator installation and site-specific ESO configuration.
Deployment Scope
- Cluster scope: global or site
- Values keys:
global.external_secrets,site.external_secrets - ArgoCD Application template:
charts/argocd-understack/templates/application-external-secrets.yaml
How ArgoCD Builds It
- ArgoCD renders Kustomize path
operators/external-secrets. - The current template does not read a deploy-repo
values.yamlfor this component. - The current template does not apply a deploy-repo overlay directory for this component.
How to Enable
Enable this component by setting one or both options under the scope that matches your deployment model:
$CLUSTER_NAME/deploy.yaml
global:
external_secrets:
installApp: true
site:
external_secrets:
installApp: true
Options
| Key | Default | Description |
|---|---|---|
installApp |
false |
Deploy the External Secrets Operator from the understack repo |
installConfigs |
false |
Deploy site-specific ESO configs from the deploy repo |
To use an externally-managed ESO installation (e.g. the operator is already installed by another team) while still deploying your site's ESO resources:
Deployment Repo Content
Use any secret delivery mechanism you prefer. The contract that matters is the final Kubernetes Secret or manifest shape described below.
When installConfigs: true, the Application reads from:
Place any site-specific ESO resources here, for example:
ClusterSecretStoremanifests connecting to your secrets backendExternalSecretobjects for secrets that don't belong to a specific component
Required or commonly required items:
- None required. With
installApp: truethe operator manifests are deployed directly from the understack repo with no deploy-repo content needed.
Optional additions:
- Provider-specific
ClusterSecretStoreand authenticationSecretobjects in theexternal-secrets/deploy-repo path wheninstallConfigs: true.