
deploy: 8c8064e0e155843d197e4e51564df4ffa16d387b

moolen vor 5 Jahren
Ursprung
Commit
72ff702bf7

+ 234 - 5
guides-templating/index.html

@@ -77,6 +77,10 @@
     <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
     <label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
     
+      <a href="#examples" tabindex="1" class="md-skip">
+        Skip to content
+      </a>
+    
     
       <header class="md-header" data-md-component="header">
   <nav class="md-header-nav md-grid">
@@ -345,10 +349,44 @@
     <input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
     
     
+      <label class="md-nav__link md-nav__link--active" for="__toc">
+        Advanced Templating
+      </label>
+    
     <a href="./" title="Advanced Templating" class="md-nav__link md-nav__link--active">
       Advanced Templating
     </a>
     
+      
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    Examples
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#helper-functions" class="md-nav__link">
+    Helper functions
+  </a>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+    
   </li>
 
         
@@ -640,6 +678,42 @@
               </div>
             
             
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    Examples
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#helper-functions" class="md-nav__link">
+    Helper functions
+  </a>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
           
           <div class="md-content">
             <article class="md-content__inner md-typeset">
@@ -650,11 +724,166 @@
                 
                   <h1>Advanced Templating</h1>
                 
-                <div class="admonition note">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not yet</strong> implemented. See <a href="https://github.com/external-secrets/external-secrets/issues/28">#28</a>
-for details. Feel free to contribute.</p>
-</div>
+                <p>With External Secrets Operator you can transform the data from the external secret provider before it is stored as <code>Kind=Secret</code>. You can do this with the <code>Spec.Target.Template</code>. Each data value is interpreted as a <a href="https://golang.org/pkg/text/template/">golang template</a>.</p>
+<h2 id="examples">Examples</h2>
+<p>You can use templates to inject your secrets into a configuration file that you mount into your pod:
+<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">template</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">refreshInterval</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1h</span>
+  <span class="nt">secretStoreRef</span><span class="p">:</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secretstore-sample</span>
+    <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+  <span class="nt">target</span><span class="p">:</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
+    <span class="c1"># this is how the Kind=Secret will look like</span>
+    <span class="nt">template</span><span class="p">:</span>
+      <span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
+      <span class="nt">data</span><span class="p">:</span>
+        <span class="c1"># multiline string</span>
+        <span class="nt">config</span><span class="p">:</span> <span class="p p-Indicator">|</span>
+          <span class="no">datasources:</span>
+          <span class="no">- name: Graphite</span>
+            <span class="no">type: graphite</span>
+            <span class="no">access: proxy</span>
+            <span class="no">url: http://localhost:8080</span>
+            <span class="no">password: &quot;{{ .password | toString }}&quot; # &lt;-- convert []byte to string</span>
+            <span class="no">user: &quot;{{ .user | toString }}&quot;         # &lt;-- convert []byte to string</span>
+
+  <span class="nt">data</span><span class="p">:</span>
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">user</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/grafana/user</span>
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">password</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/grafana/password</span>
+</pre></div></p>
+<p>You can also use pre-defined functions to extract data from your secrets. Here: extract key/cert from a pkcs12 archive and store it as PEM.
+<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">template</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">refreshInterval</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1h</span>
+  <span class="nt">secretStoreRef</span><span class="p">:</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secretstore-sample</span>
+    <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+  <span class="nt">target</span><span class="p">:</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
+    <span class="c1"># this is how the Kind=Secret will look like</span>
+    <span class="nt">template</span><span class="p">:</span>
+      <span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
+      <span class="nt">data</span><span class="p">:</span>
+        <span class="nt">tls.crt</span><span class="p">:</span> <span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12cert</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pemCertificate</span><span class="nv"> </span><span class="s">}}&quot;</span>
+        <span class="nt">tls.key</span><span class="p">:</span> <span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12key</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pemPrivateKey</span><span class="nv"> </span><span class="s">}}&quot;</span>
+
+  <span class="nt">data</span><span class="p">:</span>
+  <span class="c1"># this is a pkcs12 archive that contains</span>
+  <span class="c1"># a cert and a private key</span>
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mysecret</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+</pre></div></p>
+<h2 id="helper-functions">Helper functions</h2>
+<p>We provide a bunch of convenience functions that help you transform your secrets. A secret value is a <code>[]byte</code>.</p>
+<table>
+<thead>
+<tr>
+<th>Function</th>
+<th>Description</th>
+<th>Input</th>
+<th>Output</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>pkcs12key</td>
+<td>extracts the private key from a pkcs12 archive</td>
+<td><code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>pkcs12keyPass</td>
+<td>extracts the private key from a pkcs12 archive using the provided password</td>
+<td>password <code>string</code>, data <code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>pkcs12cert</td>
+<td>extracts the certificate from a pkcs12 archive</td>
+<td><code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>pkcs12certPass</td>
+<td>extracts the certificate from a pkcs12 archive using the provided password</td>
+<td>password <code>string</code>, data <code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>pemPrivateKey</td>
+<td>PEM encodes the provided bytes as private key</td>
+<td><code>[]byte</code></td>
+<td><code>string</code></td>
+</tr>
+<tr>
+<td>pemCertificate</td>
+<td>PEM encodes the provided bytes as certificate</td>
+<td><code>[]byte</code></td>
+<td><code>string</code></td>
+</tr>
+<tr>
+<td>base64decode</td>
+<td>decodes the provided bytes as base64</td>
+<td><code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>base64encode</td>
+<td>encodes the provided bytes as base64</td>
+<td><code>[]byte</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>fromJSON</td>
+<td>parses the bytes as JSON so you can access individual properties</td>
+<td><code>[]byte</code></td>
+<td><code>interface{}</code></td>
+</tr>
+<tr>
+<td>toJSON</td>
+<td>encodes the provided object as json string</td>
+<td><code>interface{}</code></td>
+<td><code>string</code></td>
+</tr>
+<tr>
+<td>toString</td>
+<td>converts bytes to string</td>
+<td><code>[]byte</code></td>
+<td><code>string</code></td>
+</tr>
+<tr>
+<td>toBytes</td>
+<td>converts string to bytes</td>
+<td><code>string</code></td>
+<td><code>[]byte</code></td>
+</tr>
+<tr>
+<td>upper</td>
+<td>converts all characters to their upper case</td>
+<td><code>string</code></td>
+<td><code>string</code></td>
+</tr>
+<tr>
+<td>lower</td>
+<td>converts all character to their lower case</td>
+<td><code>string</code></td>
+<td><code>string</code></td>
+</tr>
+</tbody>
+</table>
                 
                   
                 

Datei-Diff unterdrückt, da er zu groß ist
+ 0 - 0
search/search_index.json


+ 19 - 19
sitemap.xml

@@ -2,97 +2,97 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-04-22</lastmod>
+     <lastmod>2021-04-23</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>

BIN
sitemap.xml.gz


+ 34 - 0
snippets/multiline-template-external-secret.yaml

@@ -0,0 +1,34 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: template
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: secretstore-sample
+    kind: SecretStore
+  target:
+    name: secret-to-be-created
+    # this is how the Kind=Secret will look like
+    template:
+      type: kubernetes.io/tls
+      data:
+        # multiline string
+        config: |
+          datasources:
+          - name: Graphite
+            type: graphite
+            access: proxy
+            url: http://localhost:8080
+            password: "{{ .password | toString }}" # <-- convert []byte to string
+            user: "{{ .user | toString }}"         # <-- convert []byte to string
+
+  data:
+  - secretKey: user
+    remoteRef:
+      key: /grafana/user
+  - secretKey: password
+    remoteRef:
+      key: /grafana/password
+{% endraw %}
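Review bot: The template sets `type: kubernetes.io/tls` but renders only a `config` key. Kubernetes validates that Secret type and requires both `tls.crt` and `tls.key`, so the Secret from this example would most likely be rejected at creation; `type: Opaque` fits a rendered configuration file. Separately, `password: "{{ .password | toString }}"` places the raw provider value between double quotes, and Go's text/template does no escaping. A password containing `"` or `\` therefore produces a broken or silently altered datasource file. The line deserves a comment such as `# value is inserted verbatim; quotes and backslashes are not escaped`, or the value could go through the `toJSON` helper listed in the guide, provided it accepts a string, which this diff does not show.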

+ 26 - 0
snippets/pkcs12-template-external-secret.yaml

@@ -0,0 +1,26 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: template
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: secretstore-sample
+    kind: SecretStore
+  target:
+    name: secret-to-be-created
+    # this is how the Kind=Secret will look like
+    template:
+      type: kubernetes.io/tls
+      data:
+        tls.crt: "{{ .mysecret | pkcs12cert | pemCertificate }}"
+        tls.key: "{{ .mysecret | pkcs12key | pemPrivateKey }}"
+
+  data:
+  # this is a pkcs12 archive that contains
+  # a cert and a private key
+  - secretKey: mysecret
+    remoteRef:
+      key: example
+{% endraw %}
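Review bot: The `tls.crt` and `tls.key` lines call `pkcs12cert` and `pkcs12key`, which take no password, but the example never says what that implies for the archive stored under `key: example`. Presumably it must be exported with an empty password; that should be confirmed against the helper implementation, which is not in this diff. The data comment could read `# this is a pkcs12 archive (no password) that contains a cert and a private key; use pkcs12keyPass / pkcs12certPass for protected archives`. This manifest also reuses `metadata.name: template` and `target.name: secret-to-be-created` from the multiline example, so applying both in one namespace makes the second replace the first; distinct names would avoid that.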

+ 31 - 1
spec/index.html

@@ -1430,12 +1430,31 @@ ExternalSecretCreationPolicy
 Defaults to &lsquo;Owner&rsquo;</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>template</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.ExternalSecretTemplate">
+ExternalSecretTemplate
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Template defines a blueprint for the created Secret resource.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1alpha1.ExternalSecretTemplate">ExternalSecretTemplate
 </h3>
 <p>
-<p>ExternalSecretTemplate defines a blueprint for the created Secret resource.</p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.ExternalSecretTarget">ExternalSecretTarget</a>)
+</p>
+<p>
+<p>ExternalSecretTemplate defines a blueprint for the created Secret resource.
+we can not use native corev1.Secret, it will have empty ObjectMeta values: <a href="https://github.com/kubernetes-sigs/controller-tools/issues/448">https://github.com/kubernetes-sigs/controller-tools/issues/448</a></p>
 </p>
 <table>
 <thead>
@@ -1471,6 +1490,17 @@ ExternalSecretTemplateMetadata
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>data</code></br>
+<em>
+map[string][]byte
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1alpha1.ExternalSecretTemplateMetadata">ExternalSecretTemplateMetadata

Einige Dateien werden nicht angezeigt, da zu viele Dateien in diesem Diff geändert wurden.