External Secrets Operator
Sync BoltMCP's application Secrets from HashiCorp Vault (or a cloud secrets manager) using the External Secrets Operator.
This page expands on the Alternatives noted in Cluster Prep. It shows how to populate BoltMCP's three application Secrets (boltmcp-database, boltmcp-oidc, boltmcp-auth) from an external secrets manager instead of creating them manually with kubectl.
If your organisation already stores secrets in Vault (or AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, 1Password), the External Secrets Operator syncs them into Kubernetes Secret resources for the chart to read.
One-time cluster setup — install ESO and create a ClusterSecretStore pointing at your Vault:
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-backend
spec:
provider:
vault:
server: "https://vault.example.com:8200"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "boltmcp-eso"
serviceAccountRef:
name: "external-secrets"
namespace: "external-secrets"kubectl apply -f cluster-secret-store-vault.yamlPer-release setup — populate the three Vault entries (secret/boltmcp/database, secret/boltmcp/oidc, secret/boltmcp/auth) with the key names listed in Cluster Prep (secret/boltmcp/oidc carries all five client secrets), then apply three ExternalSecret resources. Here's the database one as a worked example:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: boltmcp-database
namespace: boltmcp
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: boltmcp-database
creationPolicy: Owner
data:
- secretKey: superuser-password
remoteRef: { key: boltmcp/database, property: superuser-password }
- secretKey: migrate-core-password
remoteRef: { key: boltmcp/database, property: migrate-core-password }
- secretKey: web-password
remoteRef: { key: boltmcp/database, property: web-password }
- secretKey: rest-api-password
remoteRef: { key: boltmcp/database, property: rest-api-password }
- secretKey: mcp-server-password
remoteRef: { key: boltmcp/database, property: mcp-server-password }
- secretKey: keycloak-password
remoteRef: { key: boltmcp/database, property: keycloak-password }
- secretKey: vault-password
remoteRef: { key: boltmcp/database, property: vault-password }Full manifests for all three Secrets (database, OIDC, auth) live at charts/boltmcp/examples/secrets/external-secrets-vault.yaml. Wait for kubectl get externalsecret -n boltmcp to show STATUS=SecretSynced for all three before installing the chart.
For AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault, swap only the provider block in the ClusterSecretStore — the ExternalSecret manifests stay the same.