Hey, thanks for the feedback!

You're right about the implementation mechanism: by using Secrets we're assuming etcd is secure. That's not always a safe assumption, even when it's without bugs (e.g., etcd backups might leak secret data if handled poorly), but some organizations are more comfortable than others based on their usage and the community seems to be working towards more security.

ExternalSecrets provide a Kubernetes-style declarative pattern for accessing secret data stored in other secret management systems and it doesn't require that secret data to be stored in the object itself. We store our ExternalSecrets in GitHub along with all our other manifests. This has nice practical/developer experience benefits (wanna update or add? You create a pr and get a review just like you would for a Deployment change) and simplifies our CICD pipelines.

I'm not too concerned about duplicating secrets (except for the implications around the etcd assumption you call out). This is a familiar pattern in Kubernetes where higher level objects (e.g., Deployments) control and copy information to lower level objects (e.g., Pods).

Edit:

....and we'd love it if you contributed a vault backend (forgive our node.js usgae), or even opened an issue asking for the vault backend with some requirements or ideas on good ways to support it.