
External Secrets Operator -- Architecture Overview

External Secrets Operator (ESO) v2.4.0 runs in the external-secrets namespace and bridges Infisical secrets into native Kubernetes Secret objects: each ExternalSecret names the Infisical keys it needs, and ESO fetches them on the configured refreshInterval and writes them into the target Secret. Workloads consume standard Secret resources and never hold Infisical credentials; only ESO authenticates to Infisical.

Decision

See ADR-0042 for the rationale for ESO over the native Infisical Kubernetes Operator.

Architecture

Infisical (REDACTED:[REDACTED])
  |
  | Universal Auth (Machine Identity: eso-archon-platform)
  |
ESO ClusterSecretStore (infisical-archon-platform)
  |
  | ExternalSecret CRD (per workload namespace)
  |
Kubernetes Secret (consumed by pods/Helm)

Components

Component                                     | Namespace        | Purpose
external-secrets (Deployment)                 | external-secrets | Core controller; reconciles ExternalSecret objects and writes the target Secrets
external-secrets-cert-controller (Deployment) | external-secrets | Issues and rotates the TLS certificate used by the webhook
external-secrets-webhook (Deployment)         | external-secrets | Validating admission webhook for ESO custom resources (ExternalSecret, SecretStore, ClusterSecretStore)
ClusterSecretStore/infisical-archon-platform  | cluster-scoped   | Infisical backend configuration: Universal Auth credentials, project/environment/path scope, TLS trust
ConfigMap/infisical-ca                        | external-secrets | Infisical self-signed CA certificate for TLS trust

Secret Scoping

The ClusterSecretStore is cluster-scoped and reads from:

  • Project: archon-platform (slug: archon-platform-pzxu)
  • Environment: prod
  • Path: / (root)

Workloads in any namespace can reference the ClusterSecretStore by name. Because the store is cluster-scoped and reads the entire prod root path, any principal allowed to create an ExternalSecret in any namespace can materialize any secret in that scope into that namespace; RBAC on the ExternalSecret resource is therefore the effective access boundary and should be granted per namespace deliberately rather than cluster-wide.

Creating an ExternalSecret

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-secret
  namespace: my-namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: infisical-archon-platform
    kind: ClusterSecretStore
  target:
    name: my-secret
  data:
    - secretKey: api-key          # key inside the resulting Kubernetes Secret
      remoteRef:
        key: MY_SECRET_NAME       # secret name in Infisical

After applying, verify sync:

kubectl get externalsecret my-secret -n my-namespace
kubectl get secret my-secret -n my-namespace
# Block until the first sync completes (exits non-zero after the timeout if it does not):
kubectl wait --for=condition=Ready externalsecret/my-secret -n my-namespace --timeout=60s

The ExternalSecret shows READY True and STATUS SecretSynced when healthy. A STATUS of SecretSyncedError means the fetch from Infisical or the write of the Secret failed; run kubectl describe externalsecret my-secret -n my-namespace and read the message on the Ready condition. A certificate verification error there means the CA in the infisical-ca ConfigMap does not match the certificate Infisical is serving.
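The minimal manifest above is enough for a single key, but most workloads also need to decide who owns the resulting Secret, what happens when a remote key disappears, and what Secret type the pod expects. The manifest below is an added example, not one from this repository; it shows the target options a practitioner usually wants, using a basic-auth credential pair of the kind listed under Future Scope (Group 5). The Infisical key names APP_BASIC_AUTH_USERNAME and APP_BASIC_AUTH_PASSWORD, the namespace and the Secret name are assumptions.

```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-basic-auth          # assumed name
  namespace: my-namespace       # assumed namespace
spec:
  # Shorter than the 1h default above: credential rotations in Infisical
  # reach the cluster within 15 minutes at the cost of more API calls.
  refreshInterval: 15m
  secretStoreRef:
    name: infisical-archon-platform
    kind: ClusterSecretStore
  target:
    name: app-basic-auth
    # Owner: ESO sets an ownerReference, so deleting this ExternalSecret
    # garbage-collects the Secret instead of leaving a stale copy behind.
    creationPolicy: Owner
    # Retain: if the remote key is removed from Infisical, keep the last
    # good Secret rather than deleting it out from under running pods.
    deletionPolicy: Retain
    template:
      engineVersion: v2
      # Typed Secret so consumers (ingress basic-auth, clients) can validate it.
      type: kubernetes.io/basic-auth
      metadata:
        labels:
          app.kubernetes.io/managed-by: external-secrets
      # With a template, only the keys rendered here end up in the Secret;
      # the entries under spec.data are inputs to the template, not outputs.
      data:
        username: "{{ .username }}"
        password: "{{ .password }}"
  data:
    - secretKey: username
      remoteRef:
        key: APP_BASIC_AUTH_USERNAME   # assumed Infisical secret name
    - secretKey: password
      remoteRef:
        key: APP_BASIC_AUTH_PASSWORD   # assumed Infisical secret name
```

The same template pattern covers the Group 4 item: a single data entry rendered into the key that the cert-manager issuer's apiTokenSecretRef names, in the namespace where cert-manager looks for it. Note that deletionPolicy: Retain is the safer default for credentials a workload depends on, while deletionPolicy: Delete is appropriate when a removed key in Infisical is meant to revoke access in the cluster.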

TLS Note

Infisical at REDACTED:8443 uses a self-signed certificate (CN=REDACTED, valid until 2036-03-28). ESO is configured with caProvider pointing to the infisical-ca ConfigMap in the external-secrets namespace. The ConfigMap must carry exactly the certificate ESO should trust: if the self-signed certificate is ever regenerated, the ConfigMap has to be updated in the same change, or every ExternalSecret will fail with a certificate verification error on its next refresh. When Infisical receives a CA-signed certificate (WI-248 scope), remove the caProvider block from the ClusterSecretStore and delete the ConfigMap, but only if the issuer is a publicly trusted CA; if the new issuer is an internal CA, keep caProvider and replace the ConfigMap contents with the internal CA certificate instead.
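The Secret Scoping section and the TLS note above both describe settings that live on the ClusterSecretStore, but the page does not reproduce the object. The manifest below is an added illustration of its shape, not the cluster's actual object: the hostAPI value, the name of the Secret holding the Universal Auth client ID and secret, the ConfigMap key and the namespace label are assumptions. The conditions block is an optional tightening not described on the page; it limits which namespaces may reference the store, which matters because the store exposes the whole prod root path.

```yaml
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: infisical-archon-platform
spec:
  # Optional allow-list. Without it every namespace in the cluster can
  # create an ExternalSecret against this store and read any prod secret.
  conditions:
    - namespaceSelector:
        matchLabels:
          archon.example/infisical-consumer: "true"   # assumed label key
  provider:
    infisical:
      hostAPI: https://infisical.example.internal:8443  # assumed; the page redacts the host
      auth:
        # Machine Identity eso-archon-platform, Universal Auth. The client
        # ID/secret live in a Secret that only ESO's service account can read.
        universalAuthCredentials:
          clientId:
            name: infisical-universal-auth    # assumed Secret name
            namespace: external-secrets
            key: clientId
          clientSecret:
            name: infisical-universal-auth    # assumed Secret name
            namespace: external-secrets
            key: clientSecret
      secretsScope:
        projectSlug: archon-platform-pzxu
        environmentSlug: prod
        secretsPath: /
        recursive: false
      # Self-signed Infisical certificate: trust it via the CA ConfigMap.
      # Remove this block and the ConfigMap once Infisical serves a
      # publicly trusted certificate; for an internal CA, keep it and
      # replace the ConfigMap contents instead.
      caProvider:
        type: ConfigMap
        name: infisical-ca
        namespace: external-secrets
        key: ca.crt                           # assumed key name in the ConfigMap
```

After applying, kubectl get clustersecretstore infisical-archon-platform should show READY True and STATUS Valid; a store that cannot authenticate or cannot verify the Infisical certificate reports an error there before any ExternalSecret is involved, which makes it the first thing to check when every ExternalSecret in the cluster fails at once.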

Future Scope

  • Group 4: cert-manager Cloudflare DNS token via ExternalSecret
  • Group 5: workload basicAuth credentials via ExternalSecret
  • Multi-backend: If a second secrets backend is added (Azure KV, GCP SM), add a second ClusterSecretStore without changing workload manifests that target infisical-archon-platform.