External Secrets Operator: Real Patterns for Vault, AWS, Azure
External Secrets Operator brought sanity to secret management on K8s. The patterns that work across Vault, AWS, and Azure.
External Secrets Operator (ESO) brought real sanity to secret management on Kubernetes. The core pattern: secrets live in external systems (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and others); ESO synchronizes them into Kubernetes Secrets that pods consume normally. This post walks through the patterns that work across providers.
What ESO solves
The problems ESO addresses:
Secrets in Git. The most common anti-pattern is secrets committed to repos. ESO eliminates it by referencing the external store instead.
Separate secret-management workflows. Duplicated work across application teams. ESO standardizes the workflow.
Rotation. Secrets change in the external store; ESO propagates the change into Kubernetes.
Access control. The external store enforces granular access; Kubernetes consumes through ESO.
Multi-cluster. The same secret-management setup is used across multiple clusters.
Audit. The external store logs every access.
The provider patterns
ESO supports multiple providers:
HashiCorp Vault. The enterprise standard. Mature integration, with dynamic secrets capability.
AWS Secrets Manager. AWS-native, for AWS-anchored deployments.
AWS Parameter Store. Cheaper than Secrets Manager; used for less-sensitive configuration.
Azure Key Vault. Azure-native.
GCP Secret Manager. GCP-native.
Kubernetes Secret backend for multi-cluster secret distribution.
1Password, Doppler, Akeyless, and others as commercial alternatives.
The deployment patterns
Several production patterns:
ClusterSecretStore. A cluster-wide secret store definition that multiple namespaces consume.
SecretStore per namespace for multi-tenant scenarios.
ExternalSecret custom resources that reference an external secret and create the Kubernetes Secret.
Templated secrets. Multiple external secrets combined into a single Kubernetes Secret.
Rotation. ESO refreshes secrets on an interval; applications consume the fresh values.
Reloader integration. Reloader or a similar tool restarts pods when a secret changes.
The authentication patterns
ESO needs to authenticate to the external stores. The patterns:
AWS IRSA. IAM Roles for Service Accounts; the cleanest AWS pattern.
Azure Workload Identity. The equivalent for Azure.
GKE Workload Identity. The equivalent for GCP.
Vault Kubernetes Auth. Kubernetes-native Vault authentication.
JWT/OIDC patterns for cloud-agnostic setups.
The choice of authentication pattern significantly affects operational complexity.
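As an added example (not the post's own manifests), here is the ClusterSecretStore plus templated ExternalSecret shape that the deployment and authentication sections describe, using AWS Secrets Manager with IRSA. The store name, namespaces, region and secret paths are assumed placeholders.

```yaml
# ClusterSecretStore: cluster-wide definition of the AWS Secrets Manager backend.
# IRSA: the referenced service account is assumed to carry the eks.amazonaws.com/role-arn annotation.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# ExternalSecret in an application namespace: pulls two backend entries and renders them
# into one Kubernetes Secret; refreshInterval controls how quickly rotated values propagate.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: payments-db          # Kubernetes Secret that pods mount or reference as env vars
    creationPolicy: Owner      # ESO owns the Secret; deleting the ExternalSecret removes it
    template:
      engineVersion: v2
      data:
        DATABASE_URL: "postgres://{{ .username }}:{{ .password }}@{{ .host }}:5432/payments"
  data:
    - secretKey: username
      remoteRef:
        key: prod/payments/db     # JSON secret in Secrets Manager (assumed name)
        property: username
    - secretKey: password
      remoteRef:
        key: prod/payments/db
        property: password
    - secretKey: host
      remoteRef:
        key: prod/payments/db-host   # plain-string secret (assumed name)
```

The consuming Deployment carries the `secret.reloader.stakater.com/reload: "payments-db"` annotation so Reloader restarts its pods when the rendered Secret changes; the IAM role's trust policy must allow only the named service account in the named namespace to assume it.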
The decision framework
For most teams in 2026:
Adopt ESO if you have Kubernetes deployments with external secret stores.
Pick Vault for cloud-agnostic, enterprise-grade secret management.
Pick cloud-native (Secrets Manager, Key Vault, Secret Manager) for cloud-anchored deployments where simplicity matters.
Combine: Vault as the primary store; cloud-native for specific use cases.
What we typically see at clients
Common patterns:
No external secret integration. Common at earlier-stage organizations, and a security gap.
ESO + cloud-native at cloud-anchored organizations.
ESO + Vault at multi-cloud or enterprise-anchored deployments.
Sealed Secrets or SOPS as alternatives where ESO doesn't fit.
Where pdpspectra fits
Our DevOps practice builds production Kubernetes platforms with an appropriate secret-management architecture.
Related reading: the K8s network policies post, the Vault production secrets post, and the Kubernetes secrets post.
External Secrets Operator is a table-stakes K8s pattern. Talk to our team about your secret-management strategy.