Developed by GoDaddy and given back to the community, External Secrets fills the gap between K8s Secrets and secure credential storage.

External secrets are defined as K8s resources like this:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: dockerconfigjson
  namespace: someorg
spec:
  backendType: secretsManager
  template:
    type: kubernetes.io/dockerconfigjson
  dataFrom:
    - /someorg/dockerconfig_secret

In this case we contact AWS Secrets Manager to get the /someorg/dockerconfig_secret secret. The resulting K8s Secret is created in the ExternalSecret's own namespace (someorg), so the K8s namespace limits access to resources in the same namespace.

External Secrets works by contacting the credential provider selected by backendType (e.g. AWS Secrets Manager) and then creating a regular K8s Secret if it can retrieve the value.

This gives transparent access to secrets from K8s while leaving the credential store as the single source of truth for the secret value.
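To make the sync step concrete, here is an added example (not code from the kubernetes-external-secrets project) that walks the ExternalSecret above through the same three moves the controller makes: pick the backend from backendType, fetch the named secret, and render a regular K8s Secret in the ExternalSecret's namespace. It assumes, as the project's dataFrom does, that the backend value is a JSON object whose keys become Secret data keys. The FAKE_SECRETS_MANAGER dict, the registry host, and the credential string are constructed stand-ins for AWS Secrets Manager, not real data; the missing-secret case shows that a retrieval failure yields no Secret at all.

```python
"""Offline simulation of an ExternalSecret -> Secret sync (added example, not project code)."""
import base64
import json

# Constructed stand-in for the docker config that would live in Secrets Manager.
DOCKER_CONFIG_JSON = json.dumps({
    "auths": {
        "registry.example.invalid": {  # constructed registry host
            "auth": base64.b64encode(b"ci-user:constructed-token").decode(),
        }
    }
})

# Constructed stand-in for the AWS Secrets Manager backend: secret name -> stored string.
# The real backend would call the GetSecretValue API instead of a dict lookup.
FAKE_SECRETS_MANAGER = {
    "/someorg/dockerconfig_secret": json.dumps({".dockerconfigjson": DOCKER_CONFIG_JSON}),
}

# Map of backendType values to providers; only the page's backend is wired up here.
BACKENDS = {"secretsManager": FAKE_SECRETS_MANAGER}

# The ExternalSecret from the page, as the dict a YAML loader would produce.
EXTERNAL_SECRET = {
    "apiVersion": "kubernetes-client.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "dockerconfigjson", "namespace": "someorg"},
    "spec": {
        "backendType": "secretsManager",
        "template": {"type": "kubernetes.io/dockerconfigjson"},
        "dataFrom": ["/someorg/dockerconfig_secret"],
    },
}


def fetch_secret(backend_type, name):
    """Return the raw string stored under `name` in the selected backend."""
    backend = BACKENDS.get(backend_type)
    if backend is None:
        raise ValueError(f"unsupported backendType: {backend_type!r}")
    if name not in backend:
        # Retrieval failure: the controller would log this and create no Secret.
        raise KeyError(f"secret {name!r} not found in backend {backend_type!r}")
    return backend[name]


def render_secret(external_secret):
    """Build the regular K8s Secret manifest the controller would apply."""
    meta = external_secret["metadata"]
    spec = external_secret["spec"]
    data = {}
    for name in spec.get("dataFrom", []):
        # Assumed dataFrom semantics: the stored value is a JSON object whose
        # keys become data keys; Secret.data must be base64-encoded.
        payload = json.loads(fetch_secret(spec["backendType"], name))
        for key, value in payload.items():
            data[key] = base64.b64encode(value.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        # Same name and namespace as the ExternalSecret: the Secret never
        # crosses a namespace boundary, which is what keeps access scoped.
        "metadata": {"name": meta["name"], "namespace": meta["namespace"]},
        "type": spec.get("template", {}).get("type", "Opaque"),
        "data": data,
    }


def decode_data(secret, key):
    """Helper for inspection: decode one base64 entry of Secret.data."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    try:
        print(json.dumps(render_secret(EXTERNAL_SECRET), indent=2))
    except (KeyError, ValueError) as exc:
        print(f"no Secret created: {exc}")
```

Running the block prints a Secret manifest of type kubernetes.io/dockerconfigjson in the someorg namespace whose `.dockerconfigjson` entry decodes back to the stored docker config; pointing dataFrom at a name the backend does not hold raises instead, so nothing is written to the cluster and the credential store stays the only place the value is authored.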