Oct 21, 2025
The External Secrets Operator (ESO)—a Kubernetes controller for synchronizing secrets with external stores—now integrates with ngrok Vaults and Secrets for Traffic Policy.
If you manage secrets as part of your infrastructure today, chances are they already live in a platform like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager. With a one-time ESO setup, your existing store remains the source of truth and ESO mirrors the required keys into ngrok Vaults on a schedule.
This is how we run things inside of ngrok: We wire ESO once per cluster, map the keys we need, and let the controller reconcile changes so traffic policies always reference the most up-to-date values. Our ops team is happy because rotation, access, and audit live in one place—no parallel inventories or hand-copied values—while our security team gets clean, controlled propagation across environments without sprawl or consistency issues.
To get started, store your ngrok API key in a Kubernetes secret:
```bash
kubectl create secret generic ngrok-credentials \
  --from-literal=api-key=<YOUR_NGROK_API_KEY>
```
Create a SecretStore that connects to ngrok’s API:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: ngrok
spec:
  provider:
    ngrok:
      auth:
        apiKey:
          secretRef:
            name: ngrok-credentials
            key: api-key
      vault:
        name: my-vault # ngrok vault name for storing secrets
```
We suggest updating the vault.name to configure your SecretStore with a meaningful name for your environment.
To sync a Kubernetes secret with ngrok, create a PushSecret resource.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m # Reconciliation interval
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: ngrok # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
```
Optionally decorate your ngrok secrets with descriptions and custom metadata:
```yaml
data:
  - match:
      # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
      # secretKey: ""
      secretKey: MY_K8S_SECRET_KEY
      remoteRef:
        remoteKey: MY_NGROK_SECRET_NAME # The name of the secret in the ngrok vault
    metadata:
      apiVersion: kubernetes.external-secrets.io/v1alpha1
      kind: PushSecretMetadata
      spec:
        description: "This is a secret for the API credentials"
        metadata:
          environment: production
          team: devops
```
Check out the docs on Traffic Policy Secrets to learn how to create vaults, store secrets, and use them in your policies.
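The source-of-truth flow described at the top of this post, written out end to end as an added example (not ngrok's own manifests): an ExternalSecret pulls one key from an existing store into the cluster, and a PushSecret forwards only that key to the ngrok vault. The store name `source-of-truth`, the remote path, and the secret names are placeholders chosen for illustration.

```yaml
# Added example; every name below is a placeholder, not a value from the post.
# 1) Pull one key from the existing store into a Kubernetes Secret.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: upstream-api-token
spec:
  refreshInterval: 10m
  secretStoreRef:
    name: source-of-truth      # assumed: a SecretStore you already run for your existing store
    kind: SecretStore
  target:
    name: upstream-api-token   # Kubernetes Secret that ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: token         # key written into the Kubernetes Secret
      remoteRef:
        key: apps/upstream-api # assumed path/name in the source store
        property: token        # assumed field inside that entry
---
# 2) Push only that key to the ngrok vault through the SecretStore named "ngrok".
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: upstream-api-token-to-ngrok
spec:
  deletionPolicy: Delete
  refreshInterval: 10m
  secretStoreRefs:
    - name: ngrok              # the SecretStore defined earlier in this post
      kind: SecretStore
  selector:
    secret:
      name: upstream-api-token # the Secret produced by the ExternalSecret above
  data:
    - match:
        secretKey: token       # explicit key, so nothing else in the Secret is pushed
        remoteRef:
          remoteKey: upstream-api-token
```

Naming `secretKey` explicitly keeps the push scoped to one value; leaving it empty would send every key in the source Secret, JSON encoded, as the comment in the post's manifest notes.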
Plus other resources to help you get started: