@@ -2,6 +2,12 @@
With External Secrets Operator you can transform the data from the external secret provider before it is stored as `Kind=Secret`. You can do this with the `Spec.Target.Template`. Each data value is interpreted as a [golang template](https://golang.org/pkg/text/template/).
+!!! note
+
+ Consider using camelcase when defining **.'spec.data.secretkey'**, example: serviceAccountToken
+
+ If your secret keys contain **`-` (dashes)**, you will need to reference them using **`index`** </br>
+ Example: **`\{\{ index .data "service-account-token" \}\}`**
## Helm
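
Review bot: In the last added line, the example `\{\{ index .data "service-account-token" \}\}` sits inside a backtick code span, where Markdown does not process backslash escapes, so the backslashes will be rendered literally and a reader who copies the example gets something the template engine will not evaluate. If the escaping is there to get past the preprocessor that handles `{% include %}` further down this page, wrap the example in `{% raw %}` and `{% endraw %}` instead and check the built page. Smaller points in the same note: `</br>` is not a valid tag (the page uses `<br/>` elsewhere), `**.'spec.data.secretkey'**` has a stray leading dot and quotes and would read better as an inline-code field path, and "camelcase" should be "camelCase" with the example `serviceAccountToken` in backticks.
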
@@ -26,12 +32,13 @@ Another example with two keys in the same secret:
```
### MergePolicy
+
By default, the templating mechanism will not use any information available from the original `data` and `dataFrom` queries to the provider, and only keep the templated information. It is possible to change this behavior through the use of the `mergePolicy` field. `mergePolicy` currently accepts two values: `Replace` (the default) and `Merge`. When using `Merge`, `data` and `dataFrom` keys will also be embedded into the templated secret, having lower priority than the template outcome. See the example for more information:
```yaml
{% include 'merge-template-v2-external-secret.yaml' %}
-
```
+
### TemplateFrom
You do not have to define your templates inline in an ExternalSecret but you can pull `ConfigMaps` or other Secrets that contain a template. Consider the following example:
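
Review bot: Whitespace-only churn unrelated to the dashes note: the blank line added after `### MergePolicy`, the blank line removed after the include inside the yaml fence, and the blank line added before `### TemplateFrom` look like formatter output rather than intended edits. None of them changes the rendered page, so either move them to a separate formatting commit or mention them in the commit message so the content change stays easy to review.
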
@@ -113,17 +120,17 @@ In addition to that you can use over 200+ [sprig functions](http://masterminds.g
<br/>
-| Function | Description |
-| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| pkcs12key | Extracts all private keys from a PKCS#12 archive and encodes them in **PKCS#8 PEM** format. |
-| pkcs12keyPass | Same as `pkcs12key`. Uses the provided password to decrypt the PKCS#12 archive. |
-| pkcs12cert | Extracts all certificates from a PKCS#12 archive and orders them if possible. If disjunct or multiple leaf certs are provided they are returned as-is. <br/> Sort order: `leaf / intermediate(s) / root`. |
-| pkcs12certPass | Same as `pkcs12cert`. Uses the provided password to decrypt the PKCS#12 archive. |
-| filterPEM | Filters PEM blocks with a specific type from a list of PEM blocks. |
-| jwkPublicKeyPem | Takes an json-serialized JWK and returns an PEM block of type `PUBLIC KEY` that contains the public key. [See here](https://golang.org/pkg/crypto/x509/#MarshalPKIXPublicKey) for details. |
+| Function | Description |
+| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| pkcs12key | Extracts all private keys from a PKCS#12 archive and encodes them in **PKCS#8 PEM** format. |
+| pkcs12keyPass | Same as `pkcs12key`. Uses the provided password to decrypt the PKCS#12 archive. |
+| pkcs12cert | Extracts all certificates from a PKCS#12 archive and orders them if possible. If disjunct or multiple leaf certs are provided they are returned as-is. <br/> Sort order: `leaf / intermediate(s) / root`. |
+| pkcs12certPass | Same as `pkcs12cert`. Uses the provided password to decrypt the PKCS#12 archive. |
+| filterPEM | Filters PEM blocks with a specific type from a list of PEM blocks. |
+| jwkPublicKeyPem | Takes an json-serialized JWK and returns an PEM block of type `PUBLIC KEY` that contains the public key. [See here](https://golang.org/pkg/crypto/x509/#MarshalPKIXPublicKey) for details. |
| jwkPrivateKeyPem | Takes an json-serialized JWK as `string` and returns an PEM block of type `PRIVATE KEY` that contains the private key in PKCS #8 format. [See here](https://golang.org/pkg/crypto/x509/#MarshalPKCS8PrivateKey) for details. |
-| toYaml | Takes an interface, marshals it to yaml. It returns a string, even on marshal error (empty string). |
-| fromYaml | Function converts a YAML document into a map[string]interface{}. |
+| toYaml | Takes an interface, marshals it to yaml. It returns a string, even on marshal error (empty string). |
+| fromYaml | Function converts a YAML document into a map[string]interface{}. |
## Migrating from v1
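
Review bot: The function table is rewritten row by row only to re-pad the columns to the width of `jwkPrivateKeyPem`, and as far as the visible lines show no description text changes, which makes it hard for a reviewer to confirm that nothing was altered. Since every row is being touched anyway, fix the wording carried over in the `jwkPublicKeyPem` row ("Takes an json-serialized JWK and returns an PEM block" should read "a JSON-serialized JWK" and "a PEM block") and make the same fix in the unchanged `jwkPrivateKeyPem` row. The `toYaml` row also deserves a clearer caveat: it states that an empty string is returned on marshal error, so the docs should say plainly that a template using it can produce an empty secret value without the sync failing.
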