What Is an External Secret?
An external secret references a secret stored in an external system, such as a cloud secret manager or vault, and an operator fetches it and creates or updates a native cluster secret to match. The authoritative value stays in the external store, and the cluster copy is refreshed automatically. Manifests reference the secret without ever containing the value.
Why it matters
External secrets centralize credential management in a dedicated store while still feeding workloads in the cluster. Rotations in the source store propagate without editing manifests.
Related guides
What Is a Sealed Secret?A sealed secret is an encrypted secret safe to store in Git, which only an in-cluster controller can decrypt…
What Is a Vault Agent Injector?A vault agent injector adds a sidecar to a pod that authenticates to Vault and writes fetched secrets into a…
What Is a Secret Rotation Policy?A secret rotation policy defines how often credentials are replaced and how the change propagates, limiting h…