Install External Secrets Operator via its Helm chart into a dedicated namespace
Create a `SecretStore` (or `ClusterSecretStore`) resource that references your Vault address and authentication method (e.g., Kubernetes auth role)
Grant the ESO service account a Vault policy allowing `read` on the KV paths it needs to sync
Author an `ExternalSecret` resource specifying the SecretStore, the Vault path and key, and the target Kubernetes Secret name and key mapping
Apply the ExternalSecret; ESO fetches the value from Vault and creates or updates the Kubernetes Secret automatically
Set `spec.refreshInterval` on the ExternalSecret to control how often ESO re-fetches from Vault to pick up rotated secrets
Known gotchas
ESO creates a Kubernetes Secret containing the fetched value in plaintext — ensure RBAC restricts access to that Secret to only the pods that need it
If the Vault token or Kubernetes auth role expires, ESO will log sync errors but leave the existing Secret in place (potentially stale) rather than deleting it
ClusterSecretStore is cluster-scoped; a misconfigured policy can allow any namespace to read sensitive Vault paths — prefer namespace-scoped SecretStores in multi-tenant clusters
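The objects from the steps above, plus a Role for the access restriction noted in the gotchas, as an added example that is not part of the original page or ESO's own documentation: a namespace-scoped SecretStore using Vault's Kubernetes auth, an ExternalSecret with a refresh interval, and a Role limited to the single synced Secret. The namespace `payments`, the Vault address, the Vault role `eso-payments`, the service account `external-secrets-sa` and the KV path `payments/db` are assumptions; the Vault role is assumed to be bound to a policy granting `read` on `secret/data/payments/db`.

```yaml
# Added example, not from the page: namespace, Vault address, role name,
# service account and KV path are assumed values.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: payments          # namespace-scoped, not a ClusterSecretStore
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed address
      path: "secret"             # KV v2 mount
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "eso-payments"   # Vault role bound to a read-only policy
          serviceAccountRef:
            name: "external-secrets-sa"   # SA in the payments namespace
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h          # re-fetch hourly to pick up rotated values
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: payments-db-credentials   # Kubernetes Secret ESO creates/updates
    creationPolicy: Owner
  data:
    - secretKey: password           # key in the Kubernetes Secret
      remoteRef:
        key: payments/db            # KV path under the "secret" mount
        property: password          # field within that KV entry
---
# Limit API reads to the one synced Secret; bind only to the consuming workload's SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-payments-db-credentials
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["payments-db-credentials"]
    verbs: ["get"]
```

After applying, `kubectl -n payments get externalsecret payments-db` shows a `SecretSynced` condition when the fetch succeeded; a failed Vault auth surfaces there as an error status while any previously synced Secret is left untouched.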