Open Source on GitHub

The Kubernetes Smart Agent.

Extend our Identity-Driven, Zero-Persistence architecture directly into your clusters. A single Smart Agent maintains a persistent gRPC connection to push updates instantly. No polling delays, no sidecars.

~ kubectl get secrets
NAME                  TYPE       AGE
en-prod-secrets       Opaque     2s

~ kubectl get pods
NAME                  READY      STATUS
ennote-agent-7f8a9    1/1        Running

# Secret updated.
# Smart Agent triggered rollout restart.

  • Single Pod per Cluster
  • < 1s Sync Latency
  • Ed25519 Machine Identity
  • gRPC Outbound Stream

How it works

[Diagram: Ennote Cloud, Kubernetes Cluster, Smart Agent, Ed25519 (15m TTL), K8s Secret, App Pod. Status: Auto Rollout Active]
  1. Solving "Secret Zero"

     Deploy using a Bootstrap Token that expires in 2 hours. Upon startup, the Agent generates an Ed25519 keypair in memory, registers its public key with Ennote Cloud, and exchanges it for a 15-minute rotating access token. No long-lived credentials reside in your cluster.

  2. Real-Time Push

     The Agent maintains a persistent outbound gRPC connection via HTTP/2 (port 443). Updates are streamed instantly. No inbound firewall rules required.

  3. Smart Rollouts

     When a secret updates, the Agent updates the native Kubernetes Secret and automatically triggers a rolling restart for annotated Deployments, StatefulSets, and DaemonSets.

Zero-Trust Architecture & RBAC

Zero-Ingress Posture

Operates as a Headless Worker Pod with absolutely no listening network ports.

Memory Hygiene

Data Encryption Keys (DEKs) and raw JSON byte arrays are explicitly wiped from the JVM heap post-processing to defeat memory scraping attacks.

Ephemeral Cryptography

For every synchronization loop, the agent generates a new, ephemeral session KeyPair to request secrets. No long-lived encryption keys are held.

Collision Defense

The reconciliation loop checks labels before overwriting K8s secrets. If a secret wasn't created by Ennote, it gracefully skips it to prevent destroying user data.

Surgical Rollouts

The Workload Reloader safely executes a Strategic Merge Patch for annotated Deployments, StatefulSets, and DaemonSets.

LEAST PRIVILEGE

Strict Kubernetes RBAC

Strictly namespace-scoped. The agent explicitly lacks the update or delete verbs on workloads, ensuring a compromised agent cannot delete a database or rewrite an image.
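
The Collision Defense and Surgical Rollouts behaviour described above, sketched as an added Python example (not Ennote's code; the agent itself runs on the JVM). The managed-by label, the opt-in annotation `example.com/auto-rollout` and the sample objects are assumptions; `kubectl.kubernetes.io/restartedAt` is the annotation that `kubectl rollout restart` sets.

```python
from datetime import datetime, timezone

# Assumed names: the page does not give Ennote's real label or annotation keys.
MANAGED_BY = ("app.kubernetes.io/managed-by", "ennote-agent")
AUTO_ROLLOUT = "example.com/auto-rollout"
# Pod-template annotation that `kubectl rollout restart` sets.
RESTARTED_AT = "kubectl.kubernetes.io/restartedAt"


def reconcile_action(existing, desired_data):
    """Return create / update / noop / skip for one Secret object."""
    if existing is None:
        return "create"
    labels = existing.get("metadata", {}).get("labels") or {}
    if labels.get(MANAGED_BY[0]) != MANAGED_BY[1]:
        return "skip"  # foreign Secret with the same name: leave it untouched
    return "noop" if existing.get("data") == desired_data else "update"


def restart_patch(now):
    """Strategic merge patch that changes one pod-template annotation only.
    Sending it requires the `patch` verb on the workload resource."""
    stamp = now.astimezone(timezone.utc).isoformat(timespec="seconds")
    return {"spec": {"template": {"metadata": {"annotations": {RESTARTED_AT: stamp}}}}}


def workloads_to_restart(workloads, action):
    """Names of opted-in workloads; nothing restarts unless a Secret changed."""
    if action not in ("create", "update"):
        return []
    return [w["metadata"]["name"] for w in workloads
            if (w["metadata"].get("annotations") or {}).get(AUTO_ROLLOUT) == "true"]


# Constructed sample objects (not taken from a real cluster).
DESIRED = {"DB_PASSWORD": "bmV3LXZhbHVl"}
OURS = {"metadata": {"name": "en-prod-secrets", "labels": dict([MANAGED_BY])},
        "data": {"DB_PASSWORD": "b2xkLXZhbHVl"}}
USER_OWNED = {"metadata": {"name": "en-prod-secrets", "labels": {"team": "payments"}},
              "data": {"DB_PASSWORD": "dXNlci1zZXQ="}}
WORKLOADS = [{"kind": "Deployment", "metadata": {"name": "api", "annotations": {AUTO_ROLLOUT: "true"}}},
             {"kind": "StatefulSet", "metadata": {"name": "db"}}]

if __name__ == "__main__":
    for label, obj in (("missing", None), ("ours", OURS), ("user-owned", USER_OWNED)):
        action = reconcile_action(obj, DESIRED)
        print(label, action, workloads_to_restart(WORKLOADS, action))
    print(restart_patch(datetime.now(timezone.utc)))
```

A Secret that shares the name but lacks the managed-by label yields `skip`, so no write and no restart follows from it.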

Install in seconds via Helm

The Agent is available as a signed Helm chart. It features a self-healing architecture and works on any K8s distribution (EKS, GKE, AKS, OpenShift).

Developer Experience

Infrastructure as Code. Not "Infrastructure as Pain".

Forget sidecars that eat RAM or custom CRDs that confuse developers. Ennote syncs to native Kubernetes Secrets in <1s, so your existing Helm charts just work.

  1. Install Agent

     Deploy via Helm into your namespace. The agent establishes an outbound-only gRPC stream for real-time updates.

  2. Reference Secrets

     Use standard envFrom: secretRef. No proprietary SDKs inside your application code.

  3. Enable Auto-Rollout

     Add the restart annotation. When secrets change in the dashboard, the agent rotates the pods automatically.

Why Ennote is different

| Feature | Ennote Agent | External Secrets | Vault Sidecars |
| --- | --- | --- | --- |
| Sync Architecture | Push (Real-time) | Pull (Polling interval) | Inject on Pod Start |
| Secret Zero / Auth | Ed25519 (15m TTL) | Long-lived IAM/Token | K8s Auth Method |
| Update Latency | < 1s | Minutes (Default 1-5m) | Slows down startup |
| Auto-Rollout | Native Built-in | Requires "Reloader" | Manual Restart |
| Setup Complexity | 1 Helm Chart | CRDs + Store + Auth | Annotations Hell |
| Resource Efficiency | 1 Pod (Stateless) | Controller Manager | Sidecar per Pod (High RAM) |
