
Service Provider External Secrets Operator

A service provider for managing External Secrets Operator within Open Control Plane environments.

Architecture Overview

Service Provider External Secrets runs on the platform cluster of an Open Control Plane installation. It reconciles ExternalSecretsOperator resources and installs the External Secrets Operator into the control plane of the requesting tenant (see Service Provider Deployment Model for more information).

```mermaid
flowchart LR

  subgraph PC[Platform Cluster]
      speso[Service Provider External-Secrets]
  end

  subgraph OC[Onboarding Cluster]
    spapi([ExternalSecretsOperator])
    mcpapi([ManagedControlPlane])

    spapi -- references --> mcpapi
  end

  subgraph mcp[ManagedControlPlane]
    esocontroller[External Secrets Controller]
    esocrd([External Secret CRDs])

    esocontroller -- reconciles --> esocrd
  end

  speso -- reconciles --> spapi
  speso -- installs --> esocontroller
  mcpapi -- represents --> mcp
```

API Reference

ExternalSecretsOperator

The ExternalSecretsOperator resource represents an External Secrets Operator installation for a ManagedControlPlane.

```yaml
apiVersion: external-secrets.services.open-control-plane.io/v1alpha1
kind: ExternalSecretsOperator
metadata:
  name: mcp-tenant-a
spec:
  version: "v2.2.0"
```

| Field | Type | Description |
|---|---|---|
| spec.version | string | The External Secrets Operator version to install. It must match the `version` of one of the items in the ProviderConfig, which maps it to a Helm chart version. |

Note that only versions defined in the ProviderConfig can be requested by users; a version that is not listed there is not available.

ProviderConfig

The ProviderConfig resource configures deployment settings for each version of External Secrets Operator that the service provider supports.

```yaml
apiVersion: external-secrets.services.open-control-plane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: externalsecretsoperator
spec:
  versions:
    - version: "v2.1.0"
      chartVersion: "2.1.0"
      chartURL: oci://ghcr.io/external-secrets/charts/external-secrets
      chartPullSecret: privateregcred
      helmValues:
        namespaceOverride: eso-system
        global:
          repository: ghcr.io/external-secrets/external-secrets
          imagePullSecrets:
            - name: privateregcred
    - version: "v2.2.0"
      chartVersion: "2.2.0"
      chartURL: oci://ghcr.io/external-secrets/charts/external-secrets
      helmValues:
        namespaceOverride: eso-system
        image:
          repository: ghcr.io/external-secrets/external-secrets
          # -- The image tag to use. The default is the chart appVersion.
          tag: "v2.2.0"
        webhook:
          image:
            repository: ghcr.io/external-secrets/external-secrets
            # -- The image tag to use. The default is the chart appVersion.
            tag: "v2.2.0"
        certController:
          image:
            repository: ghcr.io/external-secrets/external-secrets
            # -- The image tag to use. The default is the chart appVersion.
            tag: "v2.2.0"
```

| Field | Type | Description |
|---|---|---|
| spec.pollInterval | duration | Periodic reconcile interval that re-applies the managed resources in each MCP to prevent drift |
| spec.versions | array | The versions of External Secrets Operator that can be installed |

A version item is defined as follows:

| Field | Type | Description |
|---|---|---|
| version | string | The External Secrets Operator version that this item defines; this is the value a tenant puts into `spec.version` of an ExternalSecretsOperator |
| chartVersion | string | The External Secrets Operator Helm chart version to install |
| chartURL | string | OCI registry URL for the Helm chart |
| chartPullSecret | string | Name of the Secret used to authenticate against the chart registry |
| helmValues | object | Custom Helm values for the External Secrets Operator deployment |

For private and air-gapped environments, image locations and image pull secrets can be adjusted per version via `helmValues` (see the v2.1.0 item in the example above, which sets `global.imagePullSecrets`). Pull secrets are synced to each tenant control plane.
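The version lookup described above, as an added example that is not the project's code: a Go sketch of how a platform operator could validate a ProviderConfig before applying it and resolve a tenant's `spec.version` to the item that will be installed. The types mirror only the documented fields, exact string matching of `spec.version` against `versions[].version` is an assumption (so `"2.2.0"` and `"v2.2.0"` are different versions), the `pollInterval` value is made up, and the check that a `chartPullSecret` is accompanied by `imagePullSecrets` in `helmValues` is the editor's own rule, not one the service provider enforces.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// VersionItem and ProviderConfigSpec mirror only the documented fields; they are
// illustration types, not the project's generated API types.
type VersionItem struct {
	Version         string
	ChartVersion    string
	ChartURL        string
	ChartPullSecret string
	HelmValues      map[string]any
}

type ProviderConfigSpec struct {
	PollInterval string
	Versions     []VersionItem
}

// sampleConfig is constructed from the two version items in the README example.
var sampleConfig = ProviderConfigSpec{
	PollInterval: "10m", // assumed value; the README documents the field but no default
	Versions: []VersionItem{
		{
			Version: "v2.1.0", ChartVersion: "2.1.0",
			ChartURL:        "oci://ghcr.io/external-secrets/charts/external-secrets",
			ChartPullSecret: "privateregcred",
			HelmValues: map[string]any{
				"global": map[string]any{
					"imagePullSecrets": []any{map[string]any{"name": "privateregcred"}},
				},
			},
		},
		{
			Version: "v2.2.0", ChartVersion: "2.2.0",
			ChartURL:   "oci://ghcr.io/external-secrets/charts/external-secrets",
			HelmValues: map[string]any{"image": map[string]any{"tag": "v2.2.0"}},
		},
	},
}

// AvailableVersions lists the version keys a tenant may put into spec.version.
func AvailableVersions(cfg ProviderConfigSpec) []string {
	out := make([]string, 0, len(cfg.Versions))
	for _, v := range cfg.Versions {
		out = append(out, v.Version)
	}
	sort.Strings(out)
	return out
}

// ResolveVersion maps an ExternalSecretsOperator spec.version to the ProviderConfig
// item that would be installed. Matching is exact string comparison (assumption).
func ResolveVersion(cfg ProviderConfigSpec, requested string) (VersionItem, error) {
	for _, v := range cfg.Versions {
		if v.Version == requested {
			return v, nil
		}
	}
	return VersionItem{}, fmt.Errorf("version %q is not offered by the ProviderConfig (available: %s)",
		requested, strings.Join(AvailableVersions(cfg), ", "))
}

// ValidateProviderConfig catches mistakes that would otherwise surface only when a
// tenant selects the broken item: duplicate version keys, missing chart coordinates,
// and a chartPullSecret with no imagePullSecrets anywhere in helmValues (the chart
// would pull, but controller images in a private registry would not).
func ValidateProviderConfig(cfg ProviderConfigSpec) error {
	seen := map[string]bool{}
	var problems []string
	for i, v := range cfg.Versions {
		prefix := fmt.Sprintf("versions[%d] (%q)", i, v.Version)
		if v.Version == "" {
			problems = append(problems, prefix+": version is empty")
		} else if seen[v.Version] {
			problems = append(problems, prefix+": duplicate version")
		}
		seen[v.Version] = true
		if v.ChartVersion == "" {
			problems = append(problems, prefix+": chartVersion is empty")
		}
		if !strings.HasPrefix(v.ChartURL, "oci://") {
			problems = append(problems, prefix+": chartURL must be an oci:// reference")
		}
		if v.ChartPullSecret != "" && !hasKey(v.HelmValues, "imagePullSecrets") {
			problems = append(problems, prefix+": chartPullSecret set but helmValues define no imagePullSecrets")
		}
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// hasKey walks nested Helm values (maps and lists) looking for a key at any depth.
func hasKey(v any, key string) bool {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			if k == key || hasKey(child, key) {
				return true
			}
		}
	case []any:
		for _, child := range t {
			if hasKey(child, key) {
				return true
			}
		}
	}
	return false
}

func main() {
	if err := ValidateProviderConfig(sampleConfig); err != nil {
		fmt.Println("invalid ProviderConfig:", err)
		return
	}
	for _, want := range []string{"v2.2.0", "2.2.0"} {
		item, err := ResolveVersion(sampleConfig, want)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept %s -> chart %s@%s\n", want, item.ChartURL, item.ChartVersion)
	}
}
```

Running it accepts `v2.2.0` and rejects `2.2.0` with the list of offered versions, which is the message a tenant needs when their ExternalSecretsOperator does not reconcile.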

Development Tasks

| Command | Description |
|---|---|
| task build | Build the binary |
| task build:img:build-test | Build the container image |
| task test | Run unit tests |
| task test-e2e | Run end-to-end tests |
| task generate | Generate CRDs and code after API changes |
| task validate | Run linters and formatters |

Service Provider Runtime Flags

The generated service provider supports the following runtime flags:

  • --verbosity: Logging verbosity level (see controller-runtime logging)
  • --environment: Name of the environment (required for operation)
  • --provider-name: Name of the provider resource (required for operation)
  • --metrics-bind-address: Address for the metrics endpoint (default: 0, which disables the endpoint; use :8443 for HTTPS or :8080 for HTTP)
  • --health-probe-bind-address: Address for health probe endpoint (default: :8081)
  • --leader-elect: Enable leader election for controller manager (default: false)
  • --metrics-secure: Serve metrics endpoint securely via HTTPS (default: true)
  • --enable-http2: Enable HTTP/2 for metrics and webhook servers (default: false)

For a complete list of available flags, run the generated binary with -h or --help.

Additional Resources

Quality Criteria

Quality: Incubating

| Criterion | Status | Notes |
|---|---|---|
| Deletion behaviour | ⚠️ | A finalizer ensures that the resources managed by the service provider, such as Flux's OCIRepository and HelmRelease, are cleaned up. Deletion is not blocked while custom resources (e.g. ESO's ExternalSecret objects) still exist in a ControlPlane. |
| Status reporting & error messages | | |
| Operation annotations | ⚠️ | `openmcp.cloud/operation: ignore` is processed by opencontrolplane-runtime. `openmcp.cloud/operation: reconcile` is not processed. |
| API stability policy | | |
| Custom CA support | | Custom CA bundle propagation to ESO components is not implemented. |
| Release artifacts (image + OCM) | | |
| Testing | | |
| Ownership and maintenance docs | | |

See the OpenControlPlane Quality Criteria for definitions.
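Because the service provider does not block deletion while ESO objects remain in the tenant control plane, an operator has to check for them before deleting the ExternalSecretsOperator. Added example, not part of the project: a Go pre-delete guard written against a small lister interface. The in-memory fake lister and its constructed objects stand in for a client-go dynamic client against the tenant's kubeconfig (an assumption about how one would wire it up), and the set of kinds checked is the editor's list of the main ESO custom resources.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ResourceLister is the one operation the guard needs: the names of all objects
// of a kind in the tenant control plane. A production tool would implement it
// with a client-go dynamic client against the tenant's kubeconfig (assumption);
// fakeLister below lets the check run offline.
type ResourceLister interface {
	List(kind string) ([]string, error)
}

// esoKinds are the ESO custom resources checked before deletion. Removing the
// operator removes its CRDs, which garbage-collects these objects, and the
// Secrets they synced are then no longer refreshed.
var esoKinds = []string{
	"SecretStore", "ClusterSecretStore",
	"ExternalSecret", "ClusterExternalSecret", "PushSecret",
}

// Leftovers collects remaining ESO objects per kind, names sorted for stable output.
func Leftovers(l ResourceLister) (map[string][]string, error) {
	found := map[string][]string{}
	for _, kind := range esoKinds {
		names, err := l.List(kind)
		if err != nil {
			return nil, fmt.Errorf("listing %s: %w", kind, err)
		}
		if len(names) == 0 {
			continue
		}
		sorted := append([]string(nil), names...)
		sort.Strings(sorted)
		found[kind] = sorted
	}
	return found, nil
}

// PreDeleteCheck returns nil when the ExternalSecretsOperator can be deleted
// safely and otherwise an error naming every object that still depends on it.
func PreDeleteCheck(l ResourceLister) error {
	found, err := Leftovers(l)
	if err != nil {
		return err
	}
	if len(found) == 0 {
		return nil
	}
	var lines []string
	for _, kind := range esoKinds { // report in esoKinds order
		if names, ok := found[kind]; ok {
			lines = append(lines, fmt.Sprintf("%d %s (%s)", len(names), kind, strings.Join(names, ", ")))
		}
	}
	return errors.New("refusing to delete ExternalSecretsOperator; remove first: " + strings.Join(lines, "; "))
}

// fakeLister is an in-memory stand-in keyed by kind, holding constructed sample objects.
type fakeLister map[string][]string

func (f fakeLister) List(kind string) ([]string, error) { return f[kind], nil }

// sampleTenant is constructed data: a tenant that still has one SecretStore and
// two ExternalSecrets.
var sampleTenant = fakeLister{
	"SecretStore":    {"payments/vault"},
	"ExternalSecret": {"payments/db-creds", "payments/api-key"},
}

func main() {
	if err := PreDeleteCheck(sampleTenant); err != nil {
		fmt.Println(err)
	}
	if err := PreDeleteCheck(fakeLister{}); err == nil {
		fmt.Println("empty tenant: deletion is safe")
	}
}
```

Run the guard with the tenant's kubeconfig before `kubectl delete externalsecretsoperator`; if it reports leftovers, migrate or delete those objects first, otherwise the synced Secrets silently go stale once the controller is gone.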

Support, Feedback, Contributing

This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.

Security / Disclosure

If you find any bug that may be a security problem, please follow the instructions in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.

Code of Conduct

We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.

Licensing

Copyright OpenControlPlane contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.



OpenControlPlane is part of ApeiroRA, an EU Important Project of Common European Interest (IPCEI-CIS).

Copyright Linux Foundation Europe. For web site terms of use, trademark policy and other project policies please see https://linuxfoundation.eu/en/policies.
