The External Secrets Enterprise is product suite is a premium product.
It requires a specific subscription. Contact us for more information.
Example 1: Basic Environment Variable Injection
Inject all key-value pairs from the my-app-db-config ExternalSecret as environment variables into the my-app-container.
apiVersion: v1
kind: Pod
metadata:
name: my-app-env-vars
namespace: default
annotations:
secretless.externalsecrets.com/externalsecret: "my-app-db-config" # Name of your ExternalSecret
secretless.externalsecrets.com/env-vars: "true" # Enable environment variable injection
# secretless.externalsecrets.com/image-pull-secrets: "my-registry-secret" # Optional: if esi-cli image is private
spec:
containers:
- name: my-app-container
image: myapplication:latest
command: ["/app/run.sh"]
# Environment variables from 'my-app-db-config' will be available here
# e.g., DB_USER, DB_PASSWORD (assuming keys in ExternalSecret are 'db-user', 'db-password')
- The webhook sees
env-vars: "true".
- It injects an init container running
esi-cli --mode=init.
esi-cli fetches data from the my-app-db-config ExternalSecret.- The application
my-app-container starts with these secrets as environment variables.
Example 2: Basic File-Based Secret Injection
Inject all key-value pairs from the my-app-tls-certs ExternalSecret into the /secrets/secrets.json file, accessible by my-secure-app-container.
apiVersion: v1
kind: Pod
metadata:
name: my-app-file-secrets
namespace: default
annotations:
secretless.externalsecrets.com/externalsecret: "my-app-tls-certs" # Name of your ExternalSecret
secretless.externalsecrets.com/file-secrets: "true" # Enable file-based injection
spec:
containers:
- name: my-secure-app-container
image: mysecureapp:latest
command: ["/app/server", "--config=/secrets/secrets.json"]
volumeMounts:
- name: secretless-secrets # This name is automatically assigned by the webhook
mountPath: /secrets
readOnly: true # Application should typically read only
# The application can now read /secrets/secrets.json
# This file will contain a JSON object of all secrets from 'my-app-tls-certs'.
- The webhook sees
file-secrets: "true".
- It injects a sidecar container running
esi-cli --mode=daemon.
- It also creates an
emptyDir volume (named secretless-secrets by default) and mounts it to both the sidecar and your application container(s) at /secrets.
esi-cli in the sidecar writes the fetched secrets to /secrets/secrets.json.- The sidecar continues running and can refresh
secrets.json if the ExternalSecret changes (application needs to support reloading).
Example 3: Environment Variables with esi-cli Federation
Fetch a specific secret (API_TOKEN) using esi-cli’s federation capabilities from a federated ESI server and inject it as an environment variable.
apiVersion: v1
kind: Pod
metadata:
name: my-federated-app
namespace: finance
annotations:
secretless.externalsecrets.com/externalsecret: "placeholder-es" # Still required, but actual source is federated
secretless.externalsecrets.com/env-vars: "true"
secretless.externalsecrets.com/federated-server-url: "https://esi-federation.corp.example.com"
secretless.externalsecrets.com/federated-store: "central-vault-prod"
# This uses esi-cli's --inject-on-env to map a specific federated secret key
secretless.externalsecrets.com/inject-on-env: "API_TOKEN=remote-secret-name.api-key"
spec:
serviceAccountName: finance-app-sa # Ensure this SA has a token esi-cli can use
containers:
- name: data-processor
image: dataproxy:v2.1
# The API_TOKEN environment variable will be available here
The secretless.externalsecrets.com/externalsecret annotation is still technically required by the webhook to trigger its logic, even if the primary secret source is federated. You can point it to a minimal or placeholder ExternalSecret in the pod’s namespace.
env-vars: "true" enables the init container with esi-cli.- The
federated-server-url and federated-store annotations configure esi-cli to talk to the federation server.
inject-on-env: "API_TOKEN=remote-secret-name.api-key" tells esi-cli to fetch api-key from remote-secret-name (via the federated store) and expose it as API_TOKEN.
Example 4: Both Environment and File Injection
While less common, you might want some secrets as environment variables and the full set as a file.
apiVersion: v1
kind: Pod
metadata:
name: my-flexible-app
namespace: default
annotations:
secretless.externalsecrets.com/externalsecret: "app-comprehensive-secrets"
secretless.externalsecrets.com/env-vars: "true" # Inject env vars via init container
secretless.externalsecrets.com/file-secrets: "true" # Inject files via sidecar
# Use esi-cli's --inject-on-env to pick specific env vars
secretless.externalsecrets.com/inject-on-env: "PRIMARY_DB_HOST=db.host,PRIMARY_DB_PORT=db.port"
spec:
containers:
- name: main-app
image: myflexibleapp:latest
# PRIMARY_DB_HOST and PRIMARY_DB_PORT will be available as env vars.
# The full set of secrets from 'app-comprehensive-secrets' will be in /secrets/secrets.json.
- The webhook will add an init container (for
env-vars and inject-on-env) AND a sidecar container (for file-secrets).
- The init container will use
esi-cli to set PRIMARY_DB_HOST and PRIMARY_DB_PORT.
- The sidecar will provide
/secrets/secrets.json with all data from app-comprehensive-secrets.
These examples cover common use cases. Remember to consult the Pod Annotations documentation for a full list of options and the esi-cli documentation for details on its specific flags and behaviors when using passthrough annotations.
