The External Secrets Helm chart has been enhanced to support deploying one or multiple secret providers alongside the controller in a single, monolithic installation. This provides a unified deployment model where both the controller and providers are managed through a single Helm release.
New template files added:
templates/provider-deployment.yaml - Provider deployment with full configurationtemplates/provider-service.yaml - Provider gRPC servicetemplates/provider-serviceaccount.yaml - Provider service accounts with cloud IAM annotationstemplates/provider-poddisruptionbudget.yaml - Pod disruption budgets for HAtemplates/provider-hpa.yaml - Horizontal Pod Autoscalertemplates/provider-servicemonitor.yaml - Prometheus ServiceMonitorHelper templates in _helpers.tpl:
external-secrets.provider.fullname - Generate provider resource namesexternal-secrets.provider.labels - Generate provider labelsexternal-secrets.provider.selectorLabels - Generate selector labelsexternal-secrets.provider.serviceAccountName - Get service account nameexternal-secrets.provider.image - Construct provider image nameSet providers.enabled: true and define providers in the providers.list array:
providers:
enabled: true
list:
- name: aws-primary
type: aws
enabled: true
# ... configuration
Each provider supports:
Identity & Metadata:
name - Unique identifier for the provider instancetype - Provider type (aws, gcp, azure, vault, etc.)enabled - Enable/disable the providerContainer Configuration:
image.repository - Container image repositoryimage.pullPolicy - Pull policy (IfNotPresent, Always, Never)image.tag - Image tag (defaults to chart appVersion)imagePullSecrets - Pull secrets for private registriesreplicaCount - Number of replicas (default: 2)Service Account & Authentication:
serviceAccount.create - Create service accountserviceAccount.annotations - Annotations for cloud IAM (IRSA, Workload Identity, etc.)serviceAccount.name - Custom service account nameserviceAccount.automount - Automount service account tokenSecurity:
podSecurityContext - Pod-level security settingssecurityContext - Container-level security settingsNetworking:
service.type - Service type (ClusterIP, LoadBalancer, etc.)service.port - gRPC port (default: 8080)service.annotations - Service annotationsResources & Scaling:
resources.limits - CPU and memory limitsresources.requests - CPU and memory requestsautoscaling.enabled - Enable HPAautoscaling.minReplicas - Minimum replicasautoscaling.maxReplicas - Maximum replicasautoscaling.targetCPUUtilizationPercentage - CPU targetautoscaling.targetMemoryUtilizationPercentage - Memory targetHigh Availability:
podDisruptionBudget.enabled - Enable PDBpodDisruptionBudget.minAvailable - Minimum available podspodDisruptionBudget.maxUnavailable - Maximum unavailable podsaffinity - Pod affinity/anti-affinity rulestopologySpreadConstraints - Topology spread constraintstolerations - Node taints tolerationsnodeSelector - Node selection constraintspriorityClassName - Priority classTLS Configuration:
tls.enabled - Enable TLStls.certPath - Certificate mount pathtls.caSecretName - CA certificate secret nametls.mountCA - Mount CA certificateProvider-Specific Config:
config - Key-value map for provider settings
config.region: us-east-1 → REGION=us-east-1Logging:
logging.level - Log level (debug, info, warn, error)logging.format - Log format (json, console)logging.development - Development modeMetrics:
metrics.enabled - Enable metrics endpointmetrics.port - Metrics port (default: 8081)metrics.serviceMonitor.enabled - Create Prometheus ServiceMonitormetrics.serviceMonitor.namespace - ServiceMonitor namespacemetrics.serviceMonitor.interval - Scrape intervalmetrics.serviceMonitor.scrapeTimeout - Scrape timeoutmetrics.serviceMonitor.labels - Additional labelsHealth Checks:
health.port - Health check port (default: 8082)health.livenessProbe.enabled - Enable liveness probehealth.livenessProbe.* - Liveness probe settingshealth.readinessProbe.enabled - Enable readiness probehealth.readinessProbe.* - Readiness probe settingsExtra Configuration:
extraEnv - Additional environment variablesextraVolumes - Additional volumesextraVolumeMounts - Additional volume mountspodAnnotations - Pod annotationspodLabels - Pod labelsproviders:
enabled: true
list:
- name: aws
type: aws
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-aws
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-provider-aws
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
config:
region: us-east-1
authMethod: irsa
metrics:
enabled: true
serviceMonitor:
enabled: true
providers:
enabled: true
list:
# AWS Provider
- name: aws
type: aws
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-aws
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-aws
config:
region: us-east-1
# GCP Provider
- name: gcp
type: gcp
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-gcp
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: eso@project.iam.gserviceaccount.com
config:
projectID: my-project
# Azure Provider
- name: azure
type: azure
enabled: true
replicaCount: 2
image:
repository: oci.external-secrets.io/external-secrets/provider-azure
serviceAccount:
annotations:
azure.workload.identity/client-id: "client-id"
podLabels:
azure.workload.identity/use: "true"
helm install external-secrets ./deploy/charts/external-secrets \
-f values-with-providers.yaml
helm upgrade external-secrets ./deploy/charts/external-secrets \
-f values-with-providers.yaml
helm template test ./deploy/charts/external-secrets \
-f values-with-providers.yaml
deploy/charts/external-secrets/templates/provider-deployment.yamldeploy/charts/external-secrets/templates/provider-service.yamldeploy/charts/external-secrets/templates/provider-serviceaccount.yamldeploy/charts/external-secrets/templates/provider-poddisruptionbudget.yamldeploy/charts/external-secrets/templates/provider-hpa.yamldeploy/charts/external-secrets/templates/provider-servicemonitor.yamldeploy/charts/external-secrets/values-with-providers-example.yamldeploy/charts/external-secrets/values-test.yamldeploy/charts/external-secrets/PROVIDERS.mddeploy/charts/external-secrets/values.yaml - Added providers sectiondeploy/charts/external-secrets/templates/_helpers.tpl - Added provider helpersdeploy/charts/external-secrets/README.md - Added provider documentationResources are named using the pattern:
<release-name>-external-secrets-provider-<provider-name>
For example, with release name "test" and provider name "aws":
test-external-secrets-provider-awstest-external-secrets-provider-awstest-external-secrets-provider-awsAll provider resources include:
app.kubernetes.io/name: external-secrets-provider-<provider-name>app.kubernetes.io/instance: <release-name>app.kubernetes.io/component: providerexternal-secrets.io/provider: <provider-type>Test configuration rendering:
cd deploy/charts/external-secrets
helm template test . -f values-test.yaml
Validate against Kubernetes:
helm template test . -f values-test.yaml | kubectl apply --dry-run=client -f -
Possible future improvements:
If you're currently using separate provider Helm charts, you can migrate to this monolithic chart by:
providers.list array in the monolithic chartkubectl get deployments -l app.kubernetes.io/component=provider
kubectl get pods -l app.kubernetes.io/component=provider
kubectl logs -l external-secrets.io/provider=aws -f
kubectl port-forward svc/external-secrets-provider-aws 8081:8081
curl http://localhost:8081/metrics
kubectl describe sa external-secrets-provider-aws
kubectl get secrets -l app.kubernetes.io/component=provider