How to Propagate Secrets Everywhere with External Secrets Operator (ESO) and Crossplane

Thanks for another great video! I'd like to explore databases as a service with your videos.
About secrets management with ESO, I use it all the time and I love it.
I still find copying secret directly between kubernetes clusters a useful option, especially when you have a control plane cluster managing other clusters and secrets are consumed in kubernetes.
This way you don't need to install (and secure) multiple ESO instances.
I think it would be also useful to see an example of secret rotation in action (meaning not waiting for the secret to update in kubernetes but rotating it transparently while applications are using it).

Hey Viktor, Thanks for the information! your videos help me get the bigger picture of how things are managed in a mature k8s environment at scale. I'm a beginner starting out with Kubernetes and related tools in general, although I understand these approaches oftentimes there's confusion on how and whether are these applicable in my practice environment. (on prem cluster). Would be great if you could recommend a somewhat advanced project in order to get better at Kubernetes and the related tools. Thank you for your time reading this long paragraph.

thanks, love this advanced use cases!! I use reflector, to clone secret between namespaces within the same cluster and or eso with kubernetes provider to share secrets between clusters

We use it in my job the ESO, but the big problem in crossplane is reading secrets in composition without using a status for retaining this information.

Read the title singing Lando's song... "Secrets up and down side to side like a roller coaster..." 😂

Plot twist: If you send your secret to a "secret manager" or an ESO, the secret is no longer "secret". Just because something works, it does not mean it works securely...

Not directly related but doesn't have Cross plane a depends on tree for delaying execution loops until requirements are met?
Been using vault webhook mutate and seems better for apps since injects secrets into running scope but it's harder to integrate

Hi Victor, firstly thank you for sharing your wisdom :) I have one small question - looking on the final diagram. (besides other) you have created "external secret" in order to pull "root password" from aws secrets manager. How that "root password" was created? How did you put the password there? Was it generated? Or does the aws rds have even the capability to create secrets manager secret after the creation of rds? thank you

Have you seen by any chance ESO constantly updating K8s secrets, even though the value hasn't changed? Currently when looking at Events, some "externalsecret" objects are sitting at 27k+ Count..

Is ESO now the preferred method of integrating secrets with an external store (thinking Azure KeyVault in my case) considering it supports both push and pull now? Also, does this mean Crossplane's ESS (External Secret Stores) alpha feature will be dropped, or do they serve slightly different purposes?

Isn't password rotation an issue here? There would clearly be an outage when the password is changed depending on how often the secretsmanager contents are synced.
The proper way to roll a password over without downtime would be to allow the old and new password during a certain time window but it seems to leak the entire "magic" of this setup when done

I'm confused about this external secrets operator in general; seems like we alreay need a secret to connect to the "external source of secrets". Doesn't that basically defeat the purpose? I mean the secret will be there if a bad actor gets access to the cluster, and they can use it to get the actual secrets, no?