Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Installing the External Secrets Operator with Yandex Lockbox support

Written by
Improved by
Updated at May 5, 2025

External Secrets Operator is a Kubernetes operator integrating external secret management systems, such as Yandex Lockbox, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, Google Secrets Manager, and more. The operator reads external APIs and automatically inserts values into a Kubernetes secret.

The External Secrets Operator with Yandex Lockbox support enables you to configure syncing Yandex Lockbox secrets with Managed Service for Kubernetes cluster secrets.

Getting started

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Create a service account for the External Secrets Operator.

  3. Assign the required role to the service account:

  4. Create an authorized key for the service account and save it to the sa-key.json file:

    yc iam key create \
  --service-account-name <service_account_name> \
  --output sa-key.json

  5. Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

Installing the External Secrets Operator through Yandex Cloud Marketplace

  1. Navigate to the folder dashboard and select Managed Service for Kubernetes.
  2. Click the name of the Managed Service for Kubernetes cluster you need and select the Marketplace tab.
  3. Under Application available for installation, select External Secrets Operator with Yandex Lockbox support and click Go to install.
  4. Configure the application:
    • Namespace: Create a new namespace, e.g., external-secrets-operator-space. If you leave the default namespace, External Secrets Operator may work incorrectly.
    • Application name: Specify the application name.
    • Service account key: Paste the contents of sa-key.json.
  5. Click Install.
  6. Wait for the application to change its status to Deployed.

Installation using a Helm chart

  1. Install Helm v3.8.0 or higher.

  2. Install kubect and configure it to work with the new cluster.

  3. To install a Helm chart with the External Secrets Operator, run the following command:

    helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/external-secrets/chart/external-secrets \
  --version 0.10.5 \
  --untar && \
helm install \
  --namespace <namespace> \
  --create-namespace \
  --set-file auth.json=<path_to_sa-key.json> \
  external-secrets ./external-secrets/

    This command creates a new namespace required for using the External Secrets Operator.

    If you set namespace to the default namespace, External Secrets Operator may work incorrectly. We recommend you to specify a value different from all existing namespaces (e.g., external-secrets-operator-space).

    Note

    If you are using a Helm version below 3.8.0, append the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.

Use cases

See also

Previous
Installing Crossplane
Next
Installing ExternalDNS with a plugin for Cloud DNS