Developed by GoDaddy and given back to the community, External Secrets fills the gap between K8s secrets and secure credential storage.

External secrets are defined as K8s resources like this:

apiVersion: ''
kind: ExternalSecret
metadata:
  name: dockerconfigjson
  namespace: someorg
spec:
  backendType: secretsManager
  dataFrom:
    - /someorg/dockerconfig_secret

In this case, AWS Secrets Manager is contacted to get the /someorg/dockerconfig_secret secret. K8s namespaces limit access to resources in the same namespace.

External Secrets works by contacting the credential provider selected by backendType, e.g. AWS Secrets Manager, and then creating a regular K8s secret if it can retrieve the value.

This gives transparent access to secrets from K8s while leaving the credential store as the point-of-truth for the secret value.
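The flow described above, as an added Python sketch that is not part of the original page or the External Secrets project's code: it resolves the manifest's backendType and key against a provider and builds the regular K8s Secret only when the value can be retrieved. The in-memory provider, the function and variable names, the registry hostname and the stored value are constructed, and it assumes the stored value is a JSON object whose properties become the Secret's keys.

```python
import base64
import json

# Constructed stand-in for AWS Secrets Manager (assumption: the stored
# value is a JSON object; hostname and credential are sample values).
FAKE_SECRETS_MANAGER = {
    "/someorg/dockerconfig_secret": json.dumps(
        {".dockerconfigjson": '{"auths":{"registry.example.com":{"auth":"Y29uc3RydWN0ZWQ="}}}'}
    ),
}
# Hypothetical provider registry: backendType -> lookup function.
BACKENDS = {"secretsManager": FAKE_SECRETS_MANAGER.__getitem__}


def reconcile(external_secret):
    """Return the Secret manifest to create, or None if any lookup fails."""
    meta, spec = external_secret["metadata"], external_secret["spec"]
    fetch = BACKENDS.get(spec["backendType"])
    if fetch is None:
        return None  # unknown provider: nothing is created
    data = {}
    for key in spec.get("dataFrom", []):
        try:
            properties = json.loads(fetch(key))
        except (KeyError, ValueError):
            return None  # value not retrievable: no partial Secret
        if not isinstance(properties, dict):
            return None
        for name, value in properties.items():
            # Secret.data is base64-encoded, not encrypted.
            data[name] = base64.b64encode(str(value).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        # The Secret lands in the ExternalSecret's own namespace.
        "metadata": {"name": meta["name"], "namespace": meta["namespace"]},
        "data": data,
    }


EXTERNAL_SECRET = {
    "kind": "ExternalSecret",
    "metadata": {"name": "dockerconfigjson", "namespace": "someorg"},
    "spec": {"backendType": "secretsManager", "dataFrom": ["/someorg/dockerconfig_secret"]},
}

if __name__ == "__main__":
    print(json.dumps(reconcile(EXTERNAL_SECRET), indent=2))
```

Because the generated Secret holds the value base64-encoded only, anyone who can read Secrets in the someorg namespace can recover it, so RBAC on that namespace still matters.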