// the find
external-secrets/kubernetes-external-secrets
Integrate external secret management systems with Kubernetes
A Kubernetes operator (originally from GoDaddy) that syncs secrets from AWS Secrets Manager, SSM Parameter Store, HashiCorp Vault, Azure Key Vault, GCP Secret Manager, and others into native Kubernetes Secrets. The README opens with 'Deprecated' — this project has been dead since 2022, replaced by the External Secrets Operator (external-secrets/external-secrets). Anyone landing here should go there instead.
The CRD design is clean: ExternalSecret declaratively describes what to fetch and where, and the controller handles the sync loop — that pattern was genuinely ahead of its time. Backend coverage was broad, including AWS, GCP, Azure, Vault, Akeyless, Alibaba, and IBM, with each having its own pluggable module. The lodash-based templating for generating complex Secret shapes (combining multiple backend keys into one Secret with computed labels) is a practical feature that's hard to retrofit later. E2E tests run against real localstack and kind clusters, which is the right call for something this close to infrastructure.
It is deprecated and has had no commits since May 2022 — there is no path forward here, only migration. It's written in JavaScript/Node, which is an unusual choice for a Kubernetes controller that has to handle long-running watch loops and RBAC correctly; the Go-based ESO rewrite fixed real reliability issues. The 'Secrets are written as plaintext Kubernetes Secrets' model means the actual sensitive data still lands in etcd unless you've separately configured KMS encryption — the docs acknowledge this but bury it. The `WATCHED_NAMESPACES` and `INSTANCE_ID` scoping mechanisms provide only logical separation with no actual security enforcement, which the docs also admit but is a footgun in multi-tenant clusters.