We have just begun to use ExternalSecrets in our company.
We set up a custom provider using the webhook provider.
In our R&D center, we have multiple teams, and each one is responsible for one project.
We are two DevOps engineers for all the teams.
All passwords are in our provider, and we (DevOps) manage them.
The teams have read access to the passwords.
What are the best practices to secure the link between ExternalSecrets and our password provider?
1- We (DevOps) deploy a global external-secrets Helm chart with all passwords in their respective namespaces for each team? But then we would need to know about, and be present in, each team in order to verify the secret entries and their mapping to the code.
2- Each team, in each project, is responsible for creating the resources for their project? Then we (DevOps) only create the externalSecretStore linked to our provider.
But I don't want team A to be able to create an ExternalSecret that retrieves a password from team B.
Thanks.
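As an added example (not part of the original post, and not taken from the External Secrets Operator project's own docs), here is one way to implement option 2 so that team A cannot read team B's passwords. It uses a ClusterSecretStore per team, owned by DevOps, whose `conditions` field restricts which namespaces may reference it, whose webhook URL template hard-codes the team's path prefix so the remote key can never escape it, and whose auth token lives in the `external-secrets` namespace where the teams have no read access. Each team then only creates ExternalSecret objects in its own namespace. The provider URL `https://secrets.example.internal`, the `/v1/team-a/` path layout, the `$.data.value` response shape, the bearer token and the namespace names are assumptions about your webhook backend; the ESO field names are the real `external-secrets.io/v1beta1` API.

```yaml
# Owned by DevOps. One store per team; the team cannot edit it.
# ASSUMPTION: the webhook backend exposes secrets at /v1/<team>/<key>
# and answers {"data": {"value": "..."}} with a per-team bearer token.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: team-a-store
spec:
  # Only ExternalSecrets in these namespaces may reference this store.
  # An ExternalSecret in team-b referencing team-a-store is rejected by ESO.
  conditions:
    - namespaces:
        - team-a
  provider:
    webhook:
      # The team prefix is fixed in the template; remoteRef.key can only
      # select keys below /v1/team-a/, never another team's path.
      url: "https://secrets.example.internal/v1/team-a/{{ .remoteRef.key }}"
      method: GET
      headers:
        Accept: application/json
        # .auth.token is read from the Secret declared under `secrets` below.
        Authorization: "Bearer {{ print .auth.token }}"
      result:
        jsonPath: "$.data.value"
      # Credentials stay in the external-secrets namespace: the ESO controller
      # can read them, the teams cannot (no RBAC on Secrets there).
      secrets:
        - name: auth
          secretRef:
            name: team-a-webhook-token   # issued on the provider side with
            namespace: external-secrets  # read scope limited to team-a/*
            key: token
      # Pin the provider's CA so a spoofed endpoint cannot harvest the token.
      caProvider:
        type: ConfigMap
        name: secrets-provider-ca
        namespace: external-secrets
        key: ca.crt
---
# Created by team A, in its own namespace. The team only needs RBAC to
# manage ExternalSecrets (and read the resulting Secret) in namespace team-a.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: team-a
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: team-a-store
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        # Resolves to https://secrets.example.internal/v1/team-a/db/password
        key: db/password
```

Three layers back each other up here: the `conditions` block stops team B from referencing team A's store at all; even if a store were mis-scoped, the URL template keeps `remoteRef.key` under the team's own prefix; and even if both failed, the token the provider issued for that store only has read rights on that team's paths. Keep the ESO controller in its own namespace, give teams no `get`/`list` on Secrets or ClusterSecretStores outside their namespace, and put the ClusterSecretStore manifests in a DevOps-owned repo so changes to the scoping go through your review rather than the teams'.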