adds docs for using different secrets managers in k8s

ChrisJBurns · ChrisJBurns · commit dd83ddf28f8e · 2025-09-09T17:14:15.000+01:00
Signed-off-by: ChrisJBurns &lt;29541485+ChrisJBurns@users.noreply.github.com&gt;
diff --git a/docs/toolhive/guides-k8s/run-mcp-k8s.mdx b/docs/toolhive/guides-k8s/run-mcp-k8s.mdx
@@ -253,10 +253,14 @@ process.
 
 ### Run a server with secrets
 
-For MCP servers that require authentication tokens or other secrets, add the
-`secrets` field to the `MCPServer` resource. This example shows how to use a
-Kubernetes secret to pass a GitHub personal access token to the `github` MCP
-server.
+For MCP servers that require authentication tokens or other secrets, you can use
+secrets from multiple secrets managers:
+
+<Tabs groupId='secret-manager' queryString='secret-manager'>
+<TabItem value='kubernetes-native' label='Kubernetes' default>
+
+This example shows how to use an existing Kubernetes secret to pass a GitHub
+personal access token to the `github` MCP server.
 
 ```yaml {13-16} title="my-mcpserver-with-secrets.yaml"
 apiVersion: toolhive.stacklok.dev/v1alpha1
@@ -291,6 +295,62 @@ Apply the MCPServer resource:
 kubectl apply -f my-mcpserver-with-secrets.yaml
 ```
 
+</TabItem>
+<TabItem value='eso' label='External Secrets Operator'>
+
+This example shows how to use an existing Kubernetes secret created by the
+[External Secrets Operator](https://external-secrets.io/) to pass a GitHub
+personal access token to the `github` MCP server.
+
+:::info[Important]
+
+Given the External Secrets Operator creates standard Kubernetes secrets based on
+external secrets, the MCP server definition will look the same as the Kubernetes
+example.
+
+:::
+
+```yaml {13-16} title="my-mcpserver-with-secrets-eso.yaml"
+apiVersion: toolhive.stacklok.dev/v1alpha1
+kind: MCPServer
+metadata:
+  name: github
+  namespace: production # Can be any namespace
+spec:
+  image: ghcr.io/github/github-mcp-server
+  transport: stdio
+  port: 8080
+  permissionProfile:
+    type: builtin
+    name: network
+  secrets:
+    - name: github-token
+      key: token
+      targetEnvName: GITHUB_PERSONAL_ACCESS_TOKEN
+```
+
+First, create the secret by using
+[External Secrets Operator](https://external-secrets.io/latest/api/externalsecret).
+Note that the secret must be created in the same namespace as the MCP server and
+the key must match the one specified in the `MCPServer` resource.
+
+Apply the MCPServer resource:
+
+```bash
+kubectl apply -f my-mcpserver-with-secrets-eso.yaml
+```
+
+</TabItem>
+<TabItem value='vault' label='Vault Secret Injection'>
+
+This example shows how to use [Vault](https://developer.hashicorp.com/vault) to
+inject secrets into the ToolHive containers for consumption.
+
+Chris to flesh out with Jakub
+
+</TabItem>
+</Tabs>
+
 ### Mount a volume
 
 You can mount volumes into the MCP server pod to provide persistent storage or
