Skip to main content
Version: 0.22.0

Setup ESO Enterprise

Weave GitOps Enterprise now supports managing secrets using External Secrets Operator from the UI. External Secrets Operator is a Kubernetes operator that allows users to use secrets from external secrets management systems by reading their information using external APIs and injecting their values into Kubernetes secrets. To be able to use this functionality, users need to configure their External Secrets Operator and SecretStores using one of the guides below.



You should have your SecretStore CRs defined in a git repository. Those CRs will be installed to your cluster in the following steps and used by the creation UI.

ESO Profile

The ESO profile is packaged with the weaveworks-charts. If you have the usual profiles setup, you will not need to do anything extra. This profile installs the ESO controller, all the required CRDs, and the SecretStore CRs defined in the previous step.


There are several Kubernetes Secrets that need to exist on your management cluster for the whole flow to work.

If your SecretStores repository is private then you'll need a Secret, that contains the repo credentials, to access the repository. This is usually the Secret you created while bootstrapping flux on the management cluster and is copied to your leaf cluster during creation.

For each SecretStore CR, you'll need to add a Secret, that follows the format expected by this CR, to allow the operator to access the defined External Secret Store.

Follow this guide for bootstraping those secrets on leaf clusters.

Installation Steps

Install ESO on management cluster or existing leaf cluster

To install the ESO profile on an exisitng cluster, use Add an application from the Applications page and select external-secrets from weaveworks-charts. Check the Profile values section for more info about configuring the values.yaml.

Install ESO on leaf cluster

To bootstrap the ESO profile on a leaf cluster, select external-secrets from the profiles dropdown in the Create Cluster page. Check the Profile values section for more info about configuring the values.yaml.

Profile values

You should then configure the values.yaml to install the SecretStores on the cluster from a GitRepository. This is done by configuring the secretStores section.

Expand to see an example that creates a new git source from a specific tag
enabled: true
url: ssh:// # url for the git repository that contains the SecretStores
tag: v1.0.0
path: ./ # could be a path to the secrets dir or a kustomization.yaml file for the SecretStore in the GitRepository
secretRef: my-pat # the name of the Secret containing the repo credentials for private repositories
Expand to see an example that uses an existing git source
enabled: true
sourceRef: # Specify the name for an existing GitSource reference
kind: GitRepository
name: flux-system
namespace: flux-system