{% raw %} --- # The source secret that will be pushed to the destination secret by PushSecret. apiVersion: v1 kind: Secret metadata: name: pushsecret-example stringData: best-pokemon-src: "Pikachu" --- apiVersion: external-secrets.io/v1alpha1 kind: PushSecret metadata: name: pushsecret-example # Customisable namespace: default # Same of the SecretStores spec: updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile secretStoreRefs: # A list of secret stores to push secrets to - name: aws-parameterstore kind: SecretStore selector: secret: name: pokedex-credentials # Source Kubernetes secret to be pushed # Alternatively, you can point to a generator that produces values to be pushed generatorRef: apiVersion: generators.external-secrets.io/v1alpha1 kind: ECRAuthorizationToken name: prod-registry-credentials template: metadata: annotations: { } labels: { } data: # If the key source secret key has dashes, then it cannot be accessed directly, # and the "index" function should be used. best-pokemon: "{{ index . \"best-pokemon-src\" | toString | upper }} is the really best!" # Also, it's possible to use an existing template from configmap where Secret is fetched, # merged and templated within the referenced configMap data. # It does not update the configmap, it creates a secret with: data["config.yml"] = ...result... templateFrom: - configMap: name: application-config-tmpl items: - key: config.yml data: - conversionStrategy: None # Also supports the ReverseUnicode strategy match: # The secretKey is used within PushSecret (it should match key under spec.template.data) secretKey: best-pokemon remoteRef: remoteKey: destination-secret # The destination secret object name (where the secret is going to be pushed) property: best-pokemon-dst # The key within the destination secret object. {% endraw %}