Secrets
This guide covers configuring the pgt-secrets Helm chart for managing external secrets in Kubernetes. The chart integrates with External Secrets Operator to sync secrets from cloud providers into Kubernetes Secrets.
Supported Providers
AWS
Secrets Manager
IAM Roles for Service Accounts (IRSA)
Azure
Key Vault
Workload Identity or Managed Identity
Prerequisites
Add the chart as a dependency in your Chart.yaml:

    apiVersion: v2
    name: my-secrets
    version: 0.0.1
    dependencies:
      - name: pgt-secrets
        version: 0.0.4
        repository: oci://public.ecr.aws/w9m9e0e9/pgt-helm-charts

After adding the dependency, run:

    helm dependency update

How It Works
The chart creates three types of resources:
ServiceAccount - Used for authenticating with the cloud provider via IRSA (AWS) or Workload Identity (Azure)
SecretStore - Configures the connection to your cloud provider's secret store
ExternalSecret - Defines which secrets to fetch and how to map them to Kubernetes Secrets
The External Secrets Operator watches ExternalSecret resources and automatically syncs the referenced secrets into Kubernetes Secrets, refreshing them every minute.
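To make the three resources concrete, the following is an added illustration of what a ServiceAccount, SecretStore and ExternalSecret look like in the External Secrets Operator API for the AWS case. It is not rendered from the pgt-secrets chart; the resource names, region, role ARN and secret path are placeholders, and the assumption that the chart emits exactly these fields is ours.

```yaml
# Added illustration of the resource types described above; not the chart's own
# templates. Names, region, account ID, role and secret path are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pgt-secrets                 # assumed ServiceAccount name
  annotations:
    # IRSA: the operator's pod token is exchanged for this role's credentials
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-SECRETS-ROLE
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: app-secrets-store
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: pgt-secrets       # authenticate as the ServiceAccount above
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1m               # the one-minute refresh described above
  secretStoreRef:
    name: app-secrets-store
    kind: SecretStore
  target:
    name: app-secrets               # the Kubernetes Secret that gets created
    creationPolicy: Owner           # the operator owns and updates the Secret
  data:
    - secretKey: DB_PASSWORD        # key inside the Kubernetes Secret
      remoteRef:
        key: prod/app/database      # secret name in Secrets Manager
        property: password          # field inside the JSON secret value
```

The ServiceAccount carries no credentials itself; the IAM role's trust policy decides which namespace and ServiceAccount may assume it, which is why a wrong or missing annotation shows up as a SecretStore that never becomes Ready.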
AWS Secrets Manager
Basic AWS Configuration
AWS IAM Role Requirements
The IAM role referenced in the ServiceAccount annotation must have:
A trust policy allowing the Kubernetes ServiceAccount to assume the role via IRSA
A policy granting secretsmanager:GetSecretValue and secretsmanager:DescribeSecret permissions
For detailed instructions on creating IAM roles, including Terraform examples, see AWS IAM Roles (IRSA).
Fetching Multiple Secrets (AWS)
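The following values.yaml is an added example covering both the basic AWS configuration and fetching multiple secrets; it is not taken from the chart's documentation. It uses only the keys listed in the Values Reference and assumes the parent chart places the subchart's values under a pgt-secrets key, as Helm does for dependencies. The account ID, role name, region and secret paths are placeholders, and the behaviour of omitting remoteRef.property (taking the whole secret value) is the External Secrets Operator's, assumed to be passed through by the chart.

```yaml
# values.yaml of the parent chart; added example, not from the chart docs.
# Subchart values live under the dependency name. All identifiers below are
# placeholders.
pgt-secrets:
  enabled: true
  organisationName: example-org

  serviceAccount:
    create: true
    name: pgt-secrets
    annotations:
      # IRSA binding: the role's trust policy must name this ServiceAccount
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-SECRETS-ROLE

  aws:
    enabled: true
    secretRegion: eu-west-1

  items:
    # Each entry yields its own SecretStore and Kubernetes Secret
    - secretStoreName: app-secrets-store
      kubernetesSecretName: app-secrets
      data:
        # Pull individual fields out of one JSON secret in Secrets Manager
        - secretKey: DB_USERNAME
          remoteRef:
            key: prod/app/database
            property: username
        - secretKey: DB_PASSWORD
          remoteRef:
            key: prod/app/database
            property: password

    - secretStoreName: api-keys-store
      kubernetesSecretName: api-keys
      data:
        # No property: the entire secret value becomes the key's value
        - secretKey: THIRD_PARTY_API_KEY
          remoteRef:
            key: prod/app/third-party-api-key
```

Scoping the IAM policy's Resource to the exact secret ARNs referenced under remoteRef.key keeps the role to least privilege; a wildcard resource lets any workload that can assume the role read every secret in the account.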
Azure Key Vault
Basic Azure Configuration (Workload Identity)
Azure Workload Identity Requirements
The User Assigned Managed Identity referenced in the ServiceAccount annotations must have:
A federated credential configured for the Kubernetes ServiceAccount
The Key Vault Secrets User role assignment on the Key Vault
For detailed instructions on creating managed identities, including Terraform examples, see Azure Workload Identity.
Azure Managed Identity (Legacy)
For clusters not using Workload Identity:
Fetching Multiple Secrets (Azure)
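The following values.yaml is an added example for the Azure configuration, covering the Workload Identity setup, the legacy Managed Identity toggle and fetching from multiple vaults; it is not from the chart's documentation. It uses only the keys in the Values Reference and the two ServiceAccount annotations named in the Troubleshooting section, assumes subchart values sit under a pgt-secrets key, and uses placeholder client and tenant IDs and vault URLs.

```yaml
# values.yaml of the parent chart; added example, not from the chart docs.
# Client ID, tenant ID and vault URLs are placeholders.
pgt-secrets:
  enabled: true
  organisationName: example-org

  serviceAccount:
    create: true
    name: pgt-secrets
    annotations:
      # Workload Identity: the managed identity's federated credential must
      # name this namespace and ServiceAccount
      azure.workload.identity/client-id: 00000000-0000-0000-0000-000000000000
      azure.workload.identity/tenant-id: 11111111-1111-1111-1111-111111111111

  azure:
    enabled: true
    managedIdentity:
      useWorkloadIdentity: true    # false selects the legacy Managed Identity path
      clientId: 00000000-0000-0000-0000-000000000000
      tenantId: 11111111-1111-1111-1111-111111111111

  items:
    # One SecretStore per vault; the identity needs Key Vault Secrets User on each
    - secretStoreName: app-kv-store
      kubernetesSecretName: app-secrets
      azure:
        vaultUrl: https://example-app-kv.vault.azure.net/
      data:
        - secretKey: DB_PASSWORD
          remoteRef:
            key: db-password         # Key Vault secret name; no property on Azure

    - secretStoreName: shared-kv-store
      kubernetesSecretName: shared-secrets
      azure:
        vaultUrl: https://example-shared-kv.vault.azure.net/
      data:
        - secretKey: SMTP_PASSWORD
          remoteRef:
            key: smtp-password
```

Because remoteRef.property is AWS only, each Key Vault secret maps to exactly one Kubernetes Secret key; store one value per Key Vault secret rather than packing JSON into it.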
Secret Templates
Use templates to customise the structure of the created Kubernetes Secret. This is useful for creating secrets in specific formats required by applications.
Creating a Docker Registry Secret
Creating a TLS Secret
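The following values.yaml is an added example for both template use cases above, creating a Docker registry secret and a TLS secret; it is not from the chart's documentation. It assumes items[].template is passed through to the External Secrets Operator's target template, where the Go template placeholders refer to the secretKey names fetched under data, and that the subchart values sit under a pgt-secrets key. Registry hostname, role ARN and secret paths are placeholders.

```yaml
# values.yaml of the parent chart; added example, not from the chart docs.
# Assumes items[].template maps onto the operator's target template, so
# {{ .name }} refers to a secretKey fetched below. Identifiers are placeholders.
pgt-secrets:
  enabled: true

  serviceAccount:
    create: true
    name: pgt-secrets
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-SECRETS-ROLE

  aws:
    enabled: true
    secretRegion: eu-west-1

  items:
    # Registry credentials rendered into the .dockerconfigjson layout that
    # imagePullSecrets expects
    - secretStoreName: registry-store
      kubernetesSecretName: registry-credentials
      template:
        type: kubernetes.io/dockerconfigjson
        data:
          .dockerconfigjson: |
            {"auths":{"registry.example.com":{"username":"{{ .username }}","password":"{{ .password }}"}}}
      data:
        - secretKey: username
          remoteRef:
            key: prod/registry
            property: username
        - secretKey: password
          remoteRef:
            key: prod/registry
            property: password

    # Certificate and private key in the layout Ingress controllers consume
    - secretStoreName: tls-store
      kubernetesSecretName: app-tls
      template:
        type: kubernetes.io/tls
        data:
          tls.crt: "{{ .cert }}"
          tls.key: "{{ .key }}"
      data:
        - secretKey: cert
          remoteRef:
            key: prod/app/tls
            property: certificate
        - secretKey: key
          remoteRef:
            key: prod/app/tls
            property: private_key
```

The template placeholders are quoted so YAML does not parse the braces as a flow mapping; the intermediate keys (username, password, cert, key) are only inputs to the template, and the resulting Secret carries the typed layout the consuming workload needs.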
Troubleshooting
Use Argo CD to investigate issues with external secrets. The application tree provides visibility into all resources and their status.
Secret Not Syncing
Navigate to your application in the Argo CD UI
Locate the ExternalSecret resource in the application tree
Click on the ExternalSecret to view its details
Check the Status section for sync conditions
Look for these common status conditions:
SecretSyncedError: The SecretStore cannot connect to the provider
SecretNotFound: The referenced secret doesn't exist in the provider
Select the Events tab to see detailed error messages from the External Secrets Operator.
SecretStore Connection Issues
In the Argo CD application tree, locate the SecretStore resource
Click on the SecretStore to view its details
Check the Status section - a healthy SecretStore shows Ready: True
Select the Events tab for connection error details
Common causes:
ServiceAccount doesn't have correct IAM role annotation
IAM role doesn't have permission to access secrets
Incorrect region or vault URL
ServiceAccount Issues
In the Argo CD application tree, locate the ServiceAccount resource
Click on the ServiceAccount to view its details
Check the Annotations section in the resource manifest
For AWS, verify the eks.amazonaws.com/role-arn annotation is present and correct. For Azure, verify both azure.workload.identity/client-id and azure.workload.identity/tenant-id annotations are present.
Viewing the Created Secret
Once an ExternalSecret syncs successfully, the Kubernetes Secret is created:
In the Argo CD application tree, locate the Secret resource
Click on the Secret to view its details
The Data section shows the secret keys (values are hidden by default)
Values Reference

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| enabled | bool | false | Enable the chart |
| organisationName | string | "" | Organisation name for labeling |
| serviceAccount.create | bool | false | Create a ServiceAccount |
| serviceAccount.name | string | "" | ServiceAccount name |
| serviceAccount.annotations | object | {} | ServiceAccount annotations (for IRSA/Workload Identity) |
| aws.enabled | bool | false | Use AWS Secrets Manager |
| aws.secretRegion | string | "" | AWS region for secrets |
| azure.enabled | bool | false | Use Azure Key Vault |
| azure.managedIdentity.useWorkloadIdentity | bool | true | Use Workload Identity (recommended) |
| azure.managedIdentity.clientId | string | "" | Azure client ID (for Managed Identity) |
| azure.managedIdentity.tenantId | string | "" | Azure tenant ID (for Managed Identity) |
| items | list | [] | List of secret configurations |
| items[].secretStoreName | string | "" | Name of the SecretStore to create |
| items[].kubernetesSecretName | string | "" | Name of the Kubernetes Secret to create |
| items[].azure.vaultUrl | string | "" | Azure Key Vault URL (Azure only) |
| items[].template | object | {} | Secret template configuration |
| items[].template.type | string | "" | Kubernetes Secret type |
| items[].template.data | object | {} | Template data mapping |
| items[].data | list | [] | List of secret key mappings |
| items[].data[].secretKey | string | "" | Key name in Kubernetes Secret |
| items[].data[].remoteRef.key | string | "" | Secret name/path in provider |
| items[].data[].remoteRef.property | string | "" | Property within the secret (AWS only) |