|
|
@@ -3001,14 +3001,15 @@
|
|
|
<h1>Push Secrets</h1>
|
|
|
|
|
|
<p>Contrary to what <code>ExternalSecret</code> does by pulling secrets from secret providers and creating <code>kind=Secret</code> in your cluster, <code>PushSecret</code> reads a local <code>kind=Secret</code> and pushes its content to a secret provider.</p>
|
|
|
-<p>If there's already a secret in the secrets provided with the intended name of the secret to be created by the <code>PushSecret</code> you'll see the <code>PushSecret</code> in Error state, and when described you'll see a message saying <code>secret not managed by external-secrets</code>.</p>
|
|
|
-<p>By default, the secret created in the secret provided will not be deleted even after deleting the <code>PushSecret</code>, unless you set <code>spec.deletionPolicy</code> to Delete. </p>
|
|
|
+<p>The update behavior of <code>PushSecret</code> is controlled by <code>spec.updatePolicy</code>. The default policy is <code>Replace</code>, such that secrets are overwritten in the provider, regardless of whether there already is a secret present in the provider at the given location. If you do not want <code>PushSecret</code> to overwrite existing secrets in the provider, you can set <code>spec.UpdatePolicy</code> to <code>IfNotExists</code>. With this policy, the provider becomes the source of truth. Please note that with using <code>spec.updatePolicy=IfNotExists</code> it is possible that the secret value referenced by the <code>PushSecret</code> within the cluster differs from the secret value at the given location in the provider.</p>
|
|
|
+<p>By default, the secret created in the secret provided will not be deleted even after deleting the <code>PushSecret</code>, unless you set <code>spec.deletionPolicy</code> to <code>Delete</code>. </p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
|
|
|
<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
|
|
|
<span class="nt">spec</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">updatePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Replace</span><span class="w"> </span><span class="c1"># Policy to overwrite existing secrets in the provider on sync</span>
|
|
|
<span class="w"> </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider' secret will be deleted if the PushSecret is deleted</span>
|
|
|
<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
|
|
|
<span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
|
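Review bot: The added updatePolicy paragraph spells the field "spec.UpdatePolicy" once ("you can set spec.UpdatePolicy to IfNotExists"), while the rest of the paragraph and the YAML example use "updatePolicy". YAML keys are case-sensitive, so use the lower-case form throughout to keep a copied key matching the example. The same paragraph makes Replace the default and says secrets are overwritten "regardless of whether there already is a secret present in the provider", and the hunk drops the paragraph describing the "secret not managed by external-secrets" error state. Please state whether that error can still occur under either policy, and say explicitly that the default will overwrite a provider secret that the PushSecret did not create, so operators who need the old protection know to choose IfNotExists. The re-added deletionPolicy paragraph still reads "the secret provided" where "the secret provider" appears to be meant. The comment on "updatePolicy: Replace" in the example could also name the alternative value IfNotExists.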