
Sync secrets from external sources to ngrok with Kubernetes External Secrets
The External Secrets Operator (ESO)—a Kubernetes controller for synchronizing secrets with external stores—now integrates with ngrok Vaults and Secrets for Traffic Policy.
If you manage secrets as part of your infrastructure today, chances are they already live in a platform like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager. With a one-time ESO setup, your existing store remains the source of truth and ESO mirrors the required keys into ngrok Vaults on a schedule.
This is how we run things inside of ngrok: We wire ESO once per cluster, map the keys we need, and let the controller reconcile changes so traffic policies always reference the most up-to-date values. Our ops team is happy because rotation, access, and audit live in one place—no parallel inventories or hand-copied values—while our security team gets clean, controlled propagation across environments without sprawl or consistency issues.
To get started, store your ngrok API key in a Kubernetes secret:
```bash
kubectl create secret generic ngrok-credentials \
  --from-literal=api-key=<YOUR_NGROK_API_KEY>
```
Create a SecretStore that connects to ngrok’s API:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: ngrok
spec:
  provider:
    ngrok:
      auth:
        apiKey:
          secretRef:
            name: ngrok-credentials
            key: api-key
      vault:
        name: my-vault # ngrok vault name for storing secrets
```
We suggest updating the vault.name to configure your SecretStore with a meaningful name for your environment.
To sync a Kubernetes secret with ngrok, create a PushSecret resource.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m # Reconciliation interval
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: ngrok # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
```
Optionally decorate your ngrok secrets with descriptions and custom metadata:
```yaml
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          description: "This is a secret for the API credentials"
          metadata:
            environment: production
            team: devops
```
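Because an empty secretKey pushes every key of the source secret, it helps to review what each PushSecret actually mirrors into the ngrok vault. The Python below is an added example, not code from ngrok or ESO: it inventories PushSecret objects shaped like `kubectl get pushsecret -o json` output and flags all-key pushes and two resources writing the same remote key. The sample objects and the names `api-creds`, `db-creds`, `token` and `upstream-token` are constructed, and stores are compared by name only.

```python
import json
from collections import defaultdict

# Constructed sample input, shaped like `kubectl get pushsecret -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "ngrok-push-secret-example"},
   "spec": {"secretStoreRefs": [{"name": "ngrok", "kind": "SecretStore"}],
            "selector": {"secret": {"name": "api-creds"}},
            "data": [{"match": {"secretKey": "token",
                                "remoteRef": {"remoteKey": "upstream-token"}}}]}},
  {"metadata": {"name": "push-everything"},
   "spec": {"secretStoreRefs": [{"name": "ngrok", "kind": "SecretStore"}],
            "selector": {"secret": {"name": "db-creds"}},
            "data": [{"match": {"secretKey": "",
                                "remoteRef": {"remoteKey": "upstream-token"}}}]}}
]}
""")

def audit(push_secrets):
    """Return (inventory, findings) for a list of PushSecret objects."""
    inventory, findings = [], []
    writers = defaultdict(list)  # (store, remoteKey) -> PushSecret names
    for ps in push_secrets:
        name = ps["metadata"]["name"]
        spec = ps.get("spec", {})
        source = spec.get("selector", {}).get("secret", {}).get("name", "?")
        stores = [s.get("name") for s in spec.get("secretStoreRefs", [])]
        for entry in spec.get("data", []):
            match = entry.get("match", {})
            key = match.get("secretKey") or "*"  # empty or missing means all keys
            remote = match.get("remoteRef", {}).get("remoteKey", "?")
            if key == "*":
                findings.append(f"{name}: pushes ALL keys of '{source}' as JSON to '{remote}'")
            for store in stores:
                inventory.append((source, key, store, remote))
                writers[(store, remote)].append(name)
    # Two PushSecrets reconciling the same remote key will overwrite each other.
    for (store, remote), names in writers.items():
        if len(names) > 1:
            findings.append(f"{store}/{remote}: written by {', '.join(names)}")
    return inventory, findings

if __name__ == "__main__":
    inv, issues = audit(SAMPLE["items"])
    for row in inv:
        print("%s[%s] -> %s/%s" % row)
    for issue in issues:
        print("FINDING:", issue)
```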
Get started
Check out the docs on Traffic Policy Secrets to learn how to create vaults, store secrets, and use them in your policies.
Plus other resources to help you get started: