|
@@ -6,39 +6,76 @@ It's possible to authenticate against the Kubernetes API using client certificat
|
|
|
|
|
|
|
|
## Example
|
|
## Example
|
|
|
|
|
|
|
|
-### SecretStore
|
|
|
|
|
|
|
+### K8s Cluster Secret
|
|
|
|
|
|
|
|
-The `Server` section specifies the url of the Kubernetes API and the location to fetch the CA. The `auth` section indicates the type of authentication to use, `cert`, `token` or `serviceAccount` and includes the path to fetch the certificates or the token.
|
|
|
|
|
|
|
|
|
|
|
|
+```
|
|
|
|
|
+apiVersion: v1
|
|
|
|
|
+kind: Secret
|
|
|
|
|
+metadata:
|
|
|
|
|
+ name: cluster-secrets
|
|
|
|
|
+data:
|
|
|
|
|
+ # Fill with your encoded base64 CA
|
|
|
|
|
+ ca: Cg==
|
|
|
|
|
+ # Fill with your encoded base64 Certificate
|
|
|
|
|
+ certificate: Cg==
|
|
|
|
|
+ # Fill with your encoded base64 Key
|
|
|
|
|
+ key: Cg==
|
|
|
|
|
+stringData:
|
|
|
|
|
+ # Fill with your a string Token
|
|
|
|
|
+ bearerToken: "my-token"
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+## SecretStore
|
|
|
|
|
+
|
|
|
|
|
+The `Server` section specifies the url of the Kubernetes API and the location to fetch the CA. The `auth` section indicates the type of authentication to use, `cert`, `token` or `serviceAccount` and includes the path to fetch the certificates or the token.
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-apiVersion: external-secrets.io/v1alpha1
|
|
|
|
|
|
|
+apiVersion: external-secrets.io/v1beta1
|
|
|
kind: SecretStore
|
|
kind: SecretStore
|
|
|
metadata:
|
|
metadata:
|
|
|
name: example
|
|
name: example
|
|
|
spec:
|
|
spec:
|
|
|
provider:
|
|
provider:
|
|
|
- kubernetes:
|
|
|
|
|
|
|
+ kubernetes:
|
|
|
|
|
+ # If not remoteNamesapce is provided, default namespace is used
|
|
|
|
|
+ remoteNamespace: default
|
|
|
server:
|
|
server:
|
|
|
url: https://127.0.0.1:36473
|
|
url: https://127.0.0.1:36473
|
|
|
|
|
+ # Add your encoded base64 to caBundle or a referenced caProvider
|
|
|
|
|
+ # if both are provided caProvider will be ignored
|
|
|
|
|
+ caBundle: Cg==
|
|
|
caProvider:
|
|
caProvider:
|
|
|
type: Secret
|
|
type: Secret
|
|
|
- name : kind-cluster-secrets
|
|
|
|
|
|
|
+ name : cluster-secrets
|
|
|
key: ca
|
|
key: ca
|
|
|
auth:
|
|
auth:
|
|
|
|
|
+ # Add a referenced bearerToken or client certificates,
|
|
|
|
|
+ # if both are provided client certificates will be ignored
|
|
|
|
|
+ token:
|
|
|
|
|
+ bearerToken:
|
|
|
|
|
+ name: cluster-secrets
|
|
|
|
|
+ key: bearerToken
|
|
|
cert:
|
|
cert:
|
|
|
clientCert:
|
|
clientCert:
|
|
|
- name: kind-cluster-secrets
|
|
|
|
|
|
|
+ name: cluster-secrets
|
|
|
key: certificate
|
|
key: certificate
|
|
|
clientKey:
|
|
clientKey:
|
|
|
- name: kind-cluster-secrets
|
|
|
|
|
|
|
+ name: cluster-secrets
|
|
|
key: key
|
|
key: key
|
|
|
|
|
+---
|
|
|
|
|
+apiVersion: v1
|
|
|
|
|
+kind: Secret
|
|
|
|
|
+metadata:
|
|
|
|
|
+ name: secret-example
|
|
|
|
|
+data:
|
|
|
|
|
+ extra: YmFyCg==
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
### ExternalSecret
|
|
### ExternalSecret
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-apiVersion: external-secrets.io/v1alpha1
|
|
|
|
|
|
|
+apiVersion: external-secrets.io/v1beta1
|
|
|
kind: ExternalSecret
|
|
kind: ExternalSecret
|
|
|
metadata:
|
|
metadata:
|
|
|
name: example
|
|
name: example
|
|
@@ -51,7 +88,7 @@ spec:
|
|
|
name: secret-to-be-created # name of the k8s Secret to be created
|
|
name: secret-to-be-created # name of the k8s Secret to be created
|
|
|
creationPolicy: Owner
|
|
creationPolicy: Owner
|
|
|
data:
|
|
data:
|
|
|
- - secretKey: extra #
|
|
|
|
|
|
|
+ - secretKey: extra
|
|
|
remoteRef:
|
|
remoteRef:
|
|
|
key: secret-example
|
|
key: secret-example
|
|
|
property: extra
|
|
property: extra
|
Docs