Extend our Identity-Driven, Zero-Persistence architecture directly into your clusters. A single Smart Agent maintains a persistent gRPC connection to push updates instantly. No polling delays, no sidecars.
➜ ~ kubectl get secrets
NAME TYPE AGE
en-prod-secrets Opaque 2s
➜ ~ kubectl get pods
NAME READY STATUS
ennote-agent-7f8a9 1/1 Running
# Secret updated.
# Smart Agent triggered rollout restart.
Deploy using a Bootstrap Token that expires after 2 hours. On first startup, the Smart Agent generates a dedicated Ed25519 machine identity keypair and persists the identity state in a Secret in its own namespace, so the identity survives if the agent pod is restarted or evicted. The agent registers its public key with the Ennote Cloud, opens an outbound gRPC stream, and exchanges that identity for a short-lived access token that is rotated every 15 minutes. No static data credentials or long-lived master keys ever reside inside your cluster.
The Agent maintains a persistent outbound gRPC connection via HTTP/2 (port 443). Updates are streamed instantly. No inbound firewall rules required.
When a secret updates, the Agent updates the native K8s Secret and automatically triggers a Rolling Restart for annotated Deployments, StatefulSets and DaemonSets.
Operates as a Headless Worker Pod with absolutely no listening network ports.
Data Encryption Keys (DEKs) and raw JSON byte arrays are explicitly wiped from the JVM heap post-processing to defeat memory scraping attacks.
For every synchronization loop, the agent generates a new, ephemeral session key pair to request secrets. No long-lived encryption keys are held.
The reconciliation loop checks labels before overwriting K8s Secrets. If a Secret was not created by Ennote, the loop skips it rather than overwriting user-managed data.
The Workload Reloader executes a Strategic Merge Patch for annotated Deployments, StatefulSets and DaemonSets.
Strictly namespace-scoped. The agent explicitly lacks the update or delete verbs on workloads, ensuring a compromised agent cannot delete a database or rewrite an image.
The Agent is available as a signed Helm chart. It features a self-healing architecture and works on any K8s distribution (EKS, GKE, AKS, OpenShift).
Forget sidecars that eat RAM or custom CRDs that confuse developers. Ennote syncs to native Kubernetes Secrets in <1s, so your existing Helm charts just work.
Deploy via Helm into your namespace. The agent establishes an outbound-only gRPC stream for real-time updates.
Use standard envFrom: secretRef. No proprietary SDKs inside your application code.
Add the restart annotation. When secrets change in the dashboard, the agent rotates the pods automatically.
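The ownership check before overwriting a Secret, the annotation-gated rolling restart via a strategic merge patch, and an audit of the namespace Role's verbs, modelled together as an added example (not Ennote's agent code). The label and annotation keys are hypothetical placeholders; the `kubectl.kubernetes.io/restartedAt` annotation is the one `kubectl rollout restart` itself sets.

```python
import json
from datetime import datetime, timezone

# Hypothetical label/annotation keys; the page does not name the real ones.
OWNER_LABEL = "example.com/managed-by"
OWNER_VALUE = "secrets-agent"
RESTART_ANNOTATION = "example.com/restart-on-secret-change"

def owned_by_agent(secret: dict) -> bool:
    """True only when the existing Secret carries the agent's ownership label."""
    labels = secret.get("metadata", {}).get("labels") or {}
    return labels.get(OWNER_LABEL) == OWNER_VALUE

def reconcile_action(existing, desired_data: dict) -> str:
    """existing: the Secret currently in the cluster (dict) or None if absent."""
    if existing is None:
        return "create"
    if not owned_by_agent(existing):
        return "skip"          # never clobber a user-managed Secret
    return "noop" if existing.get("data") == desired_data else "update"

def wants_restart(workload: dict) -> bool:
    """Only workloads that opted in through the annotation get restarted."""
    annotations = workload.get("metadata", {}).get("annotations") or {}
    return annotations.get(RESTART_ANNOTATION) == "true"

def restart_patch(timestamp: str) -> str:
    """Strategic merge patch body: same mechanism as `kubectl rollout restart`.
    Bumping a pod-template annotation changes the template hash, so the
    controller rolls new pods; no other field of the workload is touched."""
    body = {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": timestamp}}}}}
    return json.dumps(body)  # send as application/strategic-merge-patch+json

WORKLOADS = {"deployments", "statefulsets", "daemonsets"}
FORBIDDEN_VERBS = {"update", "delete", "deletecollection"}

def role_is_least_privilege(role: dict) -> bool:
    """Audit the RBAC claim: patch on workloads is fine, update/delete are not."""
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if (resources & WORKLOADS or "*" in resources) and (verbs & FORBIDDEN_VERBS or "*" in verbs):
            return False
    return True

if __name__ == "__main__":
    foreign = {"metadata": {"name": "db-creds", "labels": {"app": "db"}}, "data": {"x": "MQ=="}}
    print(reconcile_action(foreign, {"x": "Mg=="}))  # constructed input: skipped, not overwritten
    print(restart_patch(datetime.now(timezone.utc).isoformat()))
```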