External Secrets Integration

External Secrets Operator (ESO) is a Kubernetes controller that syncs secrets from external secret management systems (Vault, AWS Secrets Manager, Azure Key Vault) into Kubernetes Secret objects. Instead of storing database passwords, API keys, and certificates directly in K8s etcd (which is insecure), you store them in a purpose-built vault, and ESO automatically mirrors them into K8s. When the secret rotates (e.g., database password changes), ESO detects the change and updates the K8s Secret. Applications read from K8s Secrets as usual, but the underlying credential comes from an audited, encrypted vault.