External Secrets Operator

Capsule Integration with External Secrets Operator

With External Secrets Operator it’s possible to delegate Secrets Management to an external system (a key vault or secrets manager) while the Secret objects that workloads consume are still created and managed inside Kubernetes. This guide provides a simple automation example with External Secrets Operator. Before starting, you might want to explore the existing documentation regarding multi-tenancy:

Secure ClusterSecretStores

If you have ClusterSecretStores that are not intended to be used by Tenants, you must make sure Tenants cannot reference them. A ClusterSecretStore is cluster-scoped, so any namespace can reference it unless its conditions restrict that. You can exclude all Tenant Namespaces with a namespaceSelector that requires the Capsule tenant label to be absent, like so:

---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: platform-vault
spec:
  conditions:
    - namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant  # Forbid the use of this platform keyvault by tenants
            operator: DoesNotExist
  provider:
    azurekv:
      tenantId: {TENANT}
      vaultUrl: {VAULT}
      authSecretRef:
        clientId:
          name: external-secrets-secret
          key: azure.clientID
          namespace: external-secrets
        clientSecret:
          name: external-secrets-secret
          key: azure.clientSecret
          namespace: external-secrets

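The selector above is only a safe default if the conditions really exclude every tenant namespace. The following added example (not code from the Capsule or External Secrets Operator projects) models ESO's condition evaluation against a set of constructed namespaces so the platform team can check which namespaces a ClusterSecretStore would admit; it generalises beyond the page's DoesNotExist case to the other label-selector operators, and the sample namespace names and labels are assumptions.

```python
# Added example, not Capsule's or ESO's own code: audit which namespaces a
# ClusterSecretStore's spec.conditions admit, using Kubernetes label-selector
# semantics (matchLabels; matchExpressions In/NotIn/Exists/DoesNotExist).
# Conditions are modelled as OR-ed: a namespace matching any condition is admitted.
TENANT_LABEL = "capsule.clastix.io/tenant"  # label Capsule sets on tenant namespaces

# The condition from the platform-vault ClusterSecretStore above.
PLATFORM_VAULT_CONDITIONS = [{"namespaceSelector": {"matchExpressions": [
    {"key": TENANT_LABEL, "operator": "DoesNotExist"}]}}]

# Constructed sample namespaces (name -> labels); oil-dev and gas-prod belong to tenants.
SAMPLE_NAMESPACES = {
    "external-secrets": {"kubernetes.io/metadata.name": "external-secrets"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "oil-dev": {TENANT_LABEL: "oil"},
    "gas-prod": {TENANT_LABEL: "gas"},
}

def expression_matches(labels, expr):
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    present = key in labels
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values
    raise ValueError(f"unknown operator {op}")

def selector_matches(labels, selector):
    # Caveat: an empty selector ({}) matches EVERY namespace, tenants included.
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(expression_matches(labels, e) for e in selector.get("matchExpressions", []))

def store_admits(conditions, labels):
    if not conditions:  # no conditions at all: the store is usable from any namespace
        return True
    return any(selector_matches(labels, c["namespaceSelector"])
               for c in conditions if "namespaceSelector" in c)

def admitted_namespaces(conditions, namespaces):
    return sorted(n for n, l in namespaces.items() if store_admits(conditions, l))

def tenant_leakage(conditions, namespaces):
    """Tenant namespaces that could still reference the store; should be empty."""
    return [n for n in admitted_namespaces(conditions, namespaces)
            if TENANT_LABEL in namespaces[n]]
```

Running `tenant_leakage` against each ClusterSecretStore's conditions and the real namespace list from the cluster gives a quick regression check that no tenant namespace can reach a platform-only store.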

Last modified February 20, 2026: feat: add events (48d9110)