Advanced Templating

With the External Secrets Operator you can transform the data from the external secret provider before it is stored as a Kind=Secret. You do this with Spec.Target.Template: each data value is interpreted as a Go template, and the rendered result is written into the target Secret.

Examples

You can use templates to inject your secrets into a configuration file that you mount into your pod:

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: template
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    # this is what the Kind=Secret will look like
    template:
      # Opaque: a kubernetes.io/tls Secret must carry tls.crt and tls.key,
      # which this config-file example does not provide
      type: Opaque
      data:
        # multiline string
        config: |
          datasources:
          - name: Graphite
            type: graphite
            access: proxy
            url: http://localhost:8080
            password: "{{ .password | toString }}" # <-- convert []byte to string
            user: "{{ .user | toString }}"         # <-- convert []byte to string

  data:
  - secretKey: user
    remoteRef:
      key: /grafana/user
  - secretKey: password
    remoteRef:
      key: /grafana/password

You can also use pre-defined helper functions to extract data from your secrets. In this example the private key and certificate are extracted from a PKCS#12 archive and stored PEM-encoded in a kubernetes.io/tls Secret:

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: template
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    # this is what the Kind=Secret will look like
    template:
      type: kubernetes.io/tls
      data:
        tls.crt: "{{ .mysecret | pkcs12cert | pemCertificate }}"
        tls.key: "{{ .mysecret | pkcs12key | pemPrivateKey }}"

  data:
  # this is a pkcs12 archive that contains
  # a cert and a private key
  - secretKey: mysecret
    remoteRef:
      key: example

Helper functions

We provide a number of convenience functions that help you transform your secrets. Note that every secret value is a []byte, so most helpers take or return []byte and you need toString before a value can be rendered as text.

| Function | Description | Input | Output |
|---|---|---|---|
| pkcs12key | extracts the private key from a pkcs12 archive | []byte | []byte |
| pkcs12keyPass | extracts the private key from a pkcs12 archive using the provided password | password string, data []byte | []byte |
| pkcs12cert | extracts the certificate from a pkcs12 archive | []byte | []byte |
| pkcs12certPass | extracts the certificate from a pkcs12 archive using the provided password | password string, data []byte | []byte |
| pemPrivateKey | PEM encodes the provided bytes as private key | []byte | string |
| pemCertificate | PEM encodes the provided bytes as certificate | []byte | string |
| base64decode | decodes the provided bytes as base64 | []byte | []byte |
| base64encode | encodes the provided bytes as base64 | []byte | []byte |
| fromJSON | parses the bytes as JSON so you can access individual properties | []byte | interface{} |
| toJSON | encodes the provided object as a JSON string | interface{} | string |
| toString | converts bytes to string | []byte | string |
| toBytes | converts string to bytes | string | []byte |
| upper | converts all characters to their upper case | string | string |
| lower | converts all characters to their lower case | string | string |
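To see how the template mechanism and the helper table fit together, here is an added Go example (not the operator's own code) that re-implements a subset of the helpers as a text/template FuncMap and renders a single data value against a map of []byte secrets. It shows why toString is needed (a raw []byte renders as decimal byte values) and that a failing helper, such as base64decode on bad input, makes the whole render fail instead of producing a broken Secret. The secret values are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"text/template"
)

// funcMap re-implements a few helpers from the table above (added illustration,
// not the operator's code). Helpers take/return []byte where the table says so.
func funcMap() template.FuncMap {
	return template.FuncMap{
		"toString":     func(b []byte) string { return string(b) },
		"upper":        strings.ToUpper,
		"base64decode": func(b []byte) ([]byte, error) { return base64.StdEncoding.DecodeString(string(b)) },
		"fromJSON": func(b []byte) (interface{}, error) {
			var v interface{}
			err := json.Unmarshal(b, &v)
			return v, err
		},
		"pemCertificate": func(b []byte) string {
			return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: b}))
		},
	}
}

// Render evaluates one template data value against the fetched secrets, the way
// each Spec.Target.Template.Data entry is evaluated. Helper errors abort the render.
func Render(tpl string, secrets map[string][]byte) (string, error) {
	t, err := template.New("data").Funcs(funcMap()).Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, secrets); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample values standing in for what a provider would return.
	secrets := map[string][]byte{"user": []byte("admin"), "cfg": []byte(`{"host":"db.internal"}`)}
	out, _ := Render(`{{ .user }} / {{ .user | toString }}`, secrets)
	fmt.Println(out) // [97 100 109 105 110] / admin
	out, _ = Render(`{{ (.cfg | fromJSON).host | upper }}`, secrets)
	fmt.Println(out) // DB.INTERNAL
}
```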