| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 |
- {% raw %}
- ---
- # The source secret that will be pushed to the destination secret by ClusterPushSecret.
- apiVersion: v1
- kind: Secret
- metadata:
- name: source-secret
- stringData:
- best-pokemon-src: "Pikachu"
- ---
- apiVersion: external-secrets.io/v1alpha1
- kind: ClusterPushSecret
- metadata:
- name: "hello-world"
- spec:
- # The name to be used on the PushSecrets
- pushSecretName: "hello-world-ps"
- # This is a list of basic label selector to select the namespaces to deploy PushSecrets to.
- # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
- # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
- # the ExternalSecret will be deployed to that namespace.
- namespaceSelectors:
- - matchLabels:
- cool: label
- # How often the ClusterPushSecret should reconcile itself
- # This will decide how often to check and make sure that the PushSecrets exist in the matching namespaces
- refreshTime: "1m"
- # This is the spec of the PushSecrets to be created
- # The content of this was taken from our PushSecret example
- pushSecretSpec:
- updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
- deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted
- refreshInterval: 1h # Refresh interval for which push secret will reconcile
- secretStoreRefs: # A list of secret stores to push secrets to
- - name: aws-parameterstore
- kind: SecretStore
- selector:
- secret:
- name: source-secret # Source Kubernetes secret to be pushed
- # Alternatively, you can point to a generator that produces values to be pushed
- generatorRef:
- apiVersion: external-secrets.io/v1alpha1
- kind: ECRAuthorizationToken
- name: prod-registry-credentials
- template:
- metadata:
- annotations: { }
- labels: { }
- data:
- # If the key source secret key has dashes, then it cannot be accessed directly,
- # and the "index" function should be used.
- best-pokemon: "{{ index . \"best-pokemon-src\" | toString | upper }} is the really best!"
- # Also, it's possible to use an existing template from configmap where Secret is fetched,
- # merged and templated within the referenced configMap data.
- # It does not update the configmap, it creates a secret with: data["config.yml"] = ...result...
- templateFrom:
- - configMap:
- name: application-config-tmpl
- items:
- - key: config.yml
- data:
- - conversionStrategy: None # Also supports the ReverseUnicode strategy
- match:
- # The secretKey is used within ClusterPushSecret (it should match key under spec.pushSecretSpec.template.data)
- secretKey: best-pokemon
- remoteRef:
- remoteKey: destination-secret # The destination secret object name (where the secret is going to be pushed)
- property: best-pokemon-dst # The key within the destination secret object.
- status:
- # This will list any namespaces where the creation of the ExternalSecret failed
- # This will not list any issues with the ExternalSecrets, you will have to check the
- # ExternalSecrets to see any issues with them.
- failedNamespaces:
- - namespace: "matching-ns-1"
- # This is one of the possible messages, and likely the most common
- reason: "external secret already exists in namespace"
- # You can find all matching and successfully deployed namespaces here
- provisionedNamespaces:
- - "matching-ns-3"
- - "matching-ns-2"
- # The condition can be Ready, PartiallyReady, or NotReady
- # PartiallyReady would indicate an error in 1 or more namespaces
- # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
- conditions:
- - type: PartiallyReady
- status: "True"
- lastTransitionTime: "2022-01-12T12:33:02Z"
- {% endraw %}
|
