external-secrets

Synchronizes secrets from external secret managers into Kubernetes Secrets.

What is external-secrets?

The external-secrets image packages External Secrets Operator, an open-source Kubernetes controller that integrates with external secret managers such as AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, and Azure Key Vault.

It watches for ExternalSecret custom resources in Kubernetes and fetches the specified values from the external provider, then creates or updates native Kubernetes Secrets with those values. This allows applications in the cluster to use Kubernetes-native secrets while ensuring the source of truth remains in a secure secret management system.

By bridging Kubernetes and enterprise-grade secret managers, external-secrets helps platform teams centralize secret management, improve security, and avoid duplicating sensitive credentials across environments.

How to use this image

The external-secrets image is usually deployed as a controller within a Kubernetes cluster.

Examples:

# Install External Secrets Operator with Helm
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace

# Create an ExternalSecret resource that pulls from AWS Secrets Manager
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: db-secret
  data:
    - secretKey: password
      remoteRef:
        key: prod/db
        property: password

This example keeps a Kubernetes Secret (db-secret) in sync with a password stored in AWS Secrets Manager.
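
The ExternalSecret above refers to a SecretStore named aws-secrets that this page does not show. The manifest below is an added example, not taken from the original page or the project, of what that store could look like on EKS with IAM roles for service accounts. The namespace, service account name, region and role ARN are assumed placeholders.

```yaml
# Added example. Placeholder values: namespace, service account name,
# region and role ARN are assumptions, not values from the page.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-aws-reader              # hypothetical name
  namespace: my-app                 # must be the ExternalSecret's namespace
  annotations:
    # IRSA binding to an IAM role. Scope that role's policy to read
    # access on the prod/db secret only, not the whole account.
    eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore                   # namespaced, unlike ClusterSecretStore
metadata:
  name: aws-secrets                 # matches secretStoreRef.name above
  namespace: my-app
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1             # placeholder region
      auth:
        jwt:
          # The operator requests a token for this service account and
          # exchanges it for temporary AWS credentials.
          serviceAccountRef:
            name: eso-aws-reader
```

Authenticating through the service account token means no long-lived AWS access key has to be stored in the cluster.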

Image variants

The external-secrets image is generally released under ghcr.io/external-secrets/external-secrets and published in these forms:

external-secrets:<version>

Version-pinned images (e.g., external-secrets:v0.9.11) are recommended for production deployments.

external-secrets:latest

Tracks the most recent stable release. Useful for evaluation but not ideal for production clusters.

external-secrets:canary / dev

Built from the development branch. Intended for contributors or teams testing upcoming features.
