Skip to content



Exernal Secrets comes with three components: Core Controller, Webhook and Cert Controller.

This is due to the need to implement conversion webhooks in order to convert custom resources between api versions and to provide a ValidatingWebhook for the ExternalSecret and SecretStore resources.

These features are optional but highly recommended. You can disable them with helm chart values certController.create=false and webhook.create=false.

Component Overview

TLS Bootstrap

Cert-controller is responsible for (1) generating TLS credentials which will be used by the webhook component and (2) injecting the certificate as caBundle into Kind=CustomResourceDefinition for conversion webhooks and Kind=ValidatingWebhookConfiguration for validating admission webhook. The TLS credentials are stored in a Kind=Secret which is consumed by the webhook.