External Secrets Operator (noble)

Syncs secrets from external systems into Kubernetes Secret objects via ExternalSecret / ClusterExternalSecret CRDs.

  • Chart: external-secrets/external-secrets 2.2.0 (app v2.2.0)
  • Namespace: external-secrets
  • Helm release name: external-secrets (matches the operator ServiceAccount name external-secrets)

Install

helm repo add external-secrets https://charts.external-secrets.io
helm repo update
kubectl apply -f clusters/noble/bootstrap/external-secrets/namespace.yaml
helm upgrade --install external-secrets external-secrets/external-secrets -n external-secrets \
  --version 2.2.0 -f clusters/noble/bootstrap/external-secrets/values.yaml --wait

Verify:

kubectl -n external-secrets get deploy,pods
kubectl get crd | grep external-secrets

Vault ClusterSecretStore (after Vault is deployed)

The checklist expects a Vault-backed store. Install Vault first (talos/CLUSTER-BUILD.md Phase E — Vault on Longhorn + auto-unseal), then:

  1. Enable the KV v2 secrets engine and Kubernetes auth in Vault; create a role (e.g. external-secrets) that binds the cluster's external-secrets/external-secrets ServiceAccount (namespace/name) to a policy that can read only the paths you need.
  2. Copy examples/vault-cluster-secret-store.yaml and set spec.provider.vault.server to your Vault URL. This repo's Vault Helm values use plain HTTP on port 8200 (global.tlsDisable: true): http://vault.vault.svc.cluster.local:8200. Use https:// if you enable TLS on the Vault listener.
  3. If Vault uses a private TLS CA, configure caProvider or caBundle on the Vault provider — see the HashiCorp Vault provider documentation. Do not commit private CA material to public git unless intended.
  4. Apply: kubectl apply -f …/vault-cluster-secret-store.yaml
  5. Confirm the store is ready: kubectl describe clustersecretstore vault
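The Vault side of step 1 worked through as an added example (not a file from this repo): a read-only policy scoped to the KV v2 path the ExternalSecret below reads, and a Kubernetes auth role bound to exactly the operator ServiceAccount. The role/policy name, the "secret" mount and the "myapp" path are assumptions; VAULT_ADDR and VAULT_TOKEN must be exported before running eso_vault_setup.

```bash
#!/usr/bin/env bash
# Added example for step 1 above. Not part of this repo; names below are
# assumptions chosen to match the ExternalSecret example on this page.
set -eu

ESO_ROLE="external-secrets"   # Vault role and policy name (assumed)
ESO_SA="external-secrets"     # operator ServiceAccount (Helm release name)
ESO_NS="external-secrets"     # operator namespace
KV_MOUNT="secret"             # KV v2 mount; key "secret/data/myapp" below

# Render a least-privilege policy. KV v2 serves values under <mount>/data/<path>
# and metadata under <mount>/metadata/<path>; only "read" is granted, because
# the operator syncs secrets out of Vault and never needs to write or delete.
eso_policy_hcl() {
  mount="$1"; shift
  for p in "$@"; do
    printf 'path "%s/data/%s" {\n  capabilities = ["read"]\n}\n' "$mount" "$p"
    printf 'path "%s/metadata/%s" {\n  capabilities = ["read"]\n}\n' "$mount" "$p"
  done
}

# Configure Vault: enable KV v2 and Kubernetes auth (both idempotent), write the
# policy, then bind the role to one ServiceAccount in one namespace so a token
# presented by any other workload is rejected at login.
eso_vault_setup() {
  vault secrets enable -path="$KV_MOUNT" kv-v2 2>/dev/null || true
  vault auth enable kubernetes 2>/dev/null || true
  # Vault runs in-cluster here, so it can reach the API server directly.
  vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443"
  eso_policy_hcl "$KV_MOUNT" myapp | vault policy write "$ESO_ROLE" -
  vault write "auth/kubernetes/role/$ESO_ROLE" \
    bound_service_account_names="$ESO_SA" \
    bound_service_account_namespaces="$ESO_NS" \
    token_policies="$ESO_ROLE" \
    token_ttl=1h
}

# Run with: eso_vault_setup
```

After running it, `vault read auth/kubernetes/role/external-secrets` should show only the one bound ServiceAccount and namespace.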

Example ExternalSecret (after the store is healthy):

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: demo
  namespace: default
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: demo-synced
  data:
    - secretKey: password
      remoteRef:
        key: secret/data/myapp
        property: password

Upgrades

Pin the chart version in the values.yaml header comments; after reviewing the release notes, run the same helm upgrade --install command as above with the new --version.