The External Secrets Enterprise product suite is a premium product.
It requires a specific subscription. Contact us for more information.
To use the Federation Generator, you must have the Enterprise Distribution of ESO available via ESI Agent or via our Helm chart bundle.

Introduction

The Federation Generator allows you to delegate secret generation to a remote ESO instance.
Instead of generating the secret locally, it proxies the request to a federated cluster that owns and maintains the generator logic.
This is ideal for scenarios where:
  • Secret generation must occur in a centralized or isolated environment.
  • One team or cluster owns and maintains generator logic, and others consume it.
  • Compliance or boundary requirements prevent running generators locally.

Output Keys and Values

Key      Description
<key>    The output keys returned by the federated generator (dynamic per target).

Parameters

Field                  Default    Description
server.url             -          URL of the remote federation server (usually another ESO instance).
generator.namespace    -          Namespace of the generator in the remote cluster.
generator.kind         -          Kind of the generator in the remote cluster (e.g., Password, MongoDB, SSH).
generator.name         -          Name of the generator object to call in the remote cluster.
auth.tokenSecretRef    -          Kubernetes secret reference containing a Bearer token used for authenticating with the federation server.
auth.caCertSecretRef   Optional   Kubernetes secret reference containing a CA certificate to validate TLS connections with the federation server.

Set up

Remote Generator Example (MongoDB in remote-cluster)

The following object exists in the remote ESO instance:
apiVersion: generators.external-secrets.io/v1alpha1
kind: MongoDB
metadata:
  name: mongodb-generator
  namespace: infra
spec:
  # generator spec...

Federation Auth Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: federation-auth
  namespace: default
type: Opaque
data:
  token: <base64-bearer-token>
  ca.crt: <base64-ca-cert> # optional

Federation Generator (local cluster)

apiVersion: generators.external-secrets.io/v1alpha1
kind: Federation
metadata:
  name: mongodb-via-federation
  namespace: default
spec:
  server:
    url: https://remote-eso.example.com
  generator:
    kind: MongoDB
    name: mongodb-generator
    namespace: infra
  auth:
    tokenSecretRef:
      name: federation-auth
      key: token
    caCertSecretRef:
      name: federation-auth
      key: ca.crt

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: federated-mongodb-creds
  namespace: default
spec:
  refreshInterval: 1h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Federation
          name: mongodb-via-federation

Notes and Considerations

  • Federation generators do not perform secret generation locally. They proxy the request to a remote ESO instance.
  • The auth.tokenSecretRef must contain a valid Bearer token accepted by the remote server.
  • The remote generator must exist and be functional.
  • The federation server is expected to expose an HTTP endpoint and respond with a JSON object containing key-value pairs at:
POST {server.url}/generators/{namespace}/{kind}/{name}
  • On cleanup, a DELETE request is issued to the same URL.
The federation server runs generators and returns their output to any caller that presents a valid Bearer token, so ensure it is protected and only reachable from trusted environments: restrict network access to it, validate its certificate against the CA you configure in auth.caCertSecretRef rather than relying on whatever the local cluster trusts by default, and treat the token in the auth secret as a credential to be stored and rotated like any other secret.
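The following Go program is an added example; it is not part of this page and not ESO's own code. It acts out the set-up above and the exchange described in these notes against a constructed, in-process federation server: the local side builds the documented URL, sends the Bearer token, decodes the JSON key/value object returned by the POST, issues the DELETE on cleanup, and trusts only the CA configured for the server (the auth.caCertSecretRef role). The server (FederationServer), the client functions (NewTLSClient, Federate, Exchange), the token, and the MongoDB generator's output values are all made up for illustration; nothing about the real remote ESO instance is assumed beyond the URL, methods, token header and JSON object documented here.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

type GeneratorRef struct{ Namespace, Kind, Name string } // the spec.generator fields of a Federation object

// FederationServer is a constructed stand-in for the remote ESO instance (not ESO's own code);
// Generators maps "namespace/kind/name" to the key/value output that generator would return.
type FederationServer struct {
	Token      string
	Generators map[string]map[string]string
	Deleted    []string // paths that received a cleanup DELETE
}

func (s *FederationServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if subtle.ConstantTimeCompare([]byte(got), []byte(s.Token)) != 1 { // authenticate before anything else
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // generators/{ns}/{kind}/{name}
	out, ok := s.Generators[path.Join(parts[1:]...)]
	if len(parts) != 4 || parts[0] != "generators" || !ok || (r.Method != http.MethodPost && r.Method != http.MethodDelete) {
		http.NotFound(w, r)
		return
	}
	if r.Method == http.MethodDelete { // cleanup
		s.Deleted = append(s.Deleted, r.URL.Path)
		w.WriteHeader(http.StatusNoContent)
		return
	}
	w.Header().Set("Content-Type", "application/json") // generate: answer with a JSON object of key/value pairs
	json.NewEncoder(w).Encode(out)
}

// NewTLSClient trusts only ca (the auth.caCertSecretRef analogue); a nil ca falls back to the system roots.
func NewTLSClient(ca *x509.Certificate) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if ca != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(ca)
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Federate is the local side: instead of generating, it calls {server.url}/generators/{namespace}/{kind}/{name}
// with the Bearer token. method is POST to generate (returns the decoded object) or DELETE to clean up (nil).
func Federate(client *http.Client, serverURL, token, method string, ref GeneratorRef) (map[string]string, error) {
	url := strings.TrimRight(serverURL, "/") + path.Join("/generators", ref.Namespace, ref.Kind, ref.Name)
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token) // auth.tokenSecretRef
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("%s %s: %s", method, req.URL.Path, resp.Status)
	}
	if method == http.MethodDelete {
		return nil, nil
	}
	var out map[string]string
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out, err
}

// Exchange runs the round trip against a constructed TLS server and returns the generated values, the server's
// cleanup record, the round-trip error, and the errors seen with a wrong token and with a client lacking the CA.
func Exchange() (secret map[string]string, deleted []string, err, badToken, noCA error) {
	out := map[string]string{"username": "app-7f3a", "password": "constructed-example"} // made-up output
	srv := &FederationServer{Token: "s3cr3t-token", Generators: map[string]map[string]string{"infra/MongoDB/mongodb-generator": out}}
	ts := httptest.NewTLSServer(srv)
	ref := GeneratorRef{Namespace: "infra", Kind: "MongoDB", Name: "mongodb-generator"}
	trusted := NewTLSClient(ts.Certificate())
	if secret, err = Federate(trusted, ts.URL, "s3cr3t-token", http.MethodPost, ref); err == nil {
		_, err = Federate(trusted, ts.URL, "s3cr3t-token", http.MethodDelete, ref) // cleanup
	}
	_, badToken = Federate(trusted, ts.URL, "wrong-token", http.MethodPost, ref)
	_, noCA = Federate(NewTLSClient(nil), ts.URL, "s3cr3t-token", http.MethodPost, ref)
	ts.Close() // waits for in-flight handlers, so srv.Deleted is settled
	return secret, srv.Deleted, err, badToken, noCA
}

func main() { fmt.Println(Exchange()) }
```

Run it with go run. The printed result shows the two key/value pairs the POST returned, the path the DELETE hit, a nil round-trip error, then two rejections worth noting: the wrong token is refused with 401 before the server even looks at the path, and the client built without the server's CA fails the TLS handshake instead of silently trusting the endpoint, which is the behaviour you want from auth.caCertSecretRef when the remote instance is reachable only through infrastructure you do not fully control.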