diff --git a/argocd/manifests/external-secrets/kustomization.yaml b/argocd/manifests/external-secrets/kustomization.yaml
index 574aaa7..c25a7d5 100644
--- a/argocd/manifests/external-secrets/kustomization.yaml
+++ b/argocd/manifests/external-secrets/kustomization.yaml
@@ -12,4 +12,5 @@ resources:
 
 images:
   - name: ghcr.io/external-secrets/external-secrets
-    newTag: v2.2.0
+    newName: registry.ops.eblu.me/blumeops/external-secrets
+    newTag: v2.2.0-2985007
diff --git a/containers/external-secrets/container.py b/containers/external-secrets/container.py
new file mode 100644
index 0000000..6be5765
--- /dev/null
+++ b/containers/external-secrets/container.py
@@ -0,0 +1,51 @@
+"""External Secrets Operator — native Dagger build.
+
+Two-stage build: Go binary (all providers), Alpine runtime.
+Source cloned from forge mirror.
+
+A single binary serves as the controller, webhook, and cert-controller; the
+Deployments select the role via a subcommand passed in `args:`, so the image
+ENTRYPOINT must be the binary itself (matching upstream's distroless image).
+"""
+
+import dagger
+
+from blumeops.containers import (
+    alpine_runtime,
+    clone_from_forge,
+    go_build,
+    oci_labels,
+)
+
+VERSION = "v2.2.0"
+
+
+async def build(src: dagger.Directory) -> dagger.Container:
+    source = clone_from_forge("external-secrets", VERSION)
+
+    # Upstream `make build` compiles every secret provider into a single
+    # static binary (`-tags all_providers`, CGO disabled). Mirror that so the
+    # local image is functionally identical to ghcr.io/.../external-secrets.
+    backend = go_build(
+        source,
+        "/external-secrets",
+        tags="all_providers",
+    )
+
+    runtime = alpine_runtime(
+        extra_apk=["ca-certificates"],
+        create_user=False,
+    )
+    runtime = oci_labels(
+        runtime,
+        title="External Secrets Operator",
+        description=(
+            "Kubernetes operator that integrates external secret management systems"
+        ),
+        version=VERSION,
+    )
+    return (
+        runtime.with_file("/bin/external-secrets", backend.file("/external-secrets"))
+        .with_user("65534")
+        .with_entrypoint(["/bin/external-secrets"])
+    )
diff --git a/docs/changelog.d/local-external-secrets.infra.md b/docs/changelog.d/local-external-secrets.infra.md
new file mode 100644
index 0000000..13cbb05
--- /dev/null
+++ b/docs/changelog.d/local-external-secrets.infra.md
@@ -0,0 +1 @@
+Localized the external-secrets controller image. It now builds from the forge mirror via a native Dagger `container.py` (single `all_providers` static Go binary, faithful to upstream's `make build`) and is served from `registry.ops.eblu.me/blumeops/external-secrets` instead of `ghcr.io`, bringing another platform component under local supply-chain control.
diff --git a/service-versions.yaml b/service-versions.yaml
index 11ec9f9..cc9dc9e 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -159,10 +159,13 @@ services:
 
   - name: external-secrets
     type: argocd
-    last-reviewed: 2026-03-25
+    last-reviewed: 2026-06-04
     current-version: "v2.2.0"
     upstream-source: https://github.com/external-secrets/external-secrets/releases
-    notes: Static kustomize manifests rendered from upstream Helm chart
+    notes: >-
+      Static kustomize manifests rendered from upstream Helm chart. Controller
+      image is locally built from the forge mirror via containers/external-secrets/container.py
+      (single all_providers static Go binary).
 
   - name: 1password-connect
     type: argocd