Secret Injection - Details

← Back to Secret Injection Tutorial

This document provides comprehensive information about secret injection, cloud integration, security best practices, and advanced features.

Detailed Documentation

Setup

We have a focused guide for creating secrets in your preferred cloud provider, check it out here.

Multiple Secrets

You can reference multiple secrets:

secrets:
  - name: demo-http-echo-api-keys
  - name: demo-http-echo-database-creds
  - name: shared-service-secrets

All secrets are merged and injected as environment variables, so be mindful of naming conflicts.

Secret Rotation

The External Secrets Operator automatically syncs secrets from the cloud:

Default sync interval: 1 minute
On update: Kubernetes secret is updated
Pod restart: Required to pick up new values

ArgoCD
kubectl

ArgoCD has a useful Resource Action that triggers the Manual Refreshes flow for External Secrets.

ArgoCD view of an external secret's menu, which has the items 'Details ', 'Delete' and 'Refresh'

To force immediate sync, you can create/update an annotation on the ExternalSecret, for more information check out their documentation on Manual Refreshes here

kubectl annotate externalsecret demo-http-echo-super-secret-data -n demo-http-echo force-sync="$(date +%s)" --overwrite

To pick up new secret values, restart the deployment, this might be triggered automatically depending on your setup, but you can also do it manually:

kubectl rollout restart deployment -n demo-http-echo

External Secrets Operator - ESO documentation
AWS Secrets Manager - AWS secret management
Azure Key Vault - Azure secret management
Kubernetes Secrets - Understanding Secrets

Detailed Documentation​

Setup​

Multiple Secrets​

Secret Rotation​

Related Documentation​

Detailed Documentation

Setup

Multiple Secrets

Secret Rotation

Related Documentation