values.yaml 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819
  1. ---
  2. global:
  3. nodeSelector: {}
  4. tolerations: []
  5. topologySpreadConstraints: []
  6. # - maxSkew: 1
  7. # topologyKey: topology.kubernetes.io/zone
  8. # whenUnsatisfiable: ScheduleAnyway
  9. # matchLabelKeys:
  10. # - pod-template-hash
  11. # - maxSkew: 1
  12. # topologyKey: kubernetes.io/hostname
  13. # whenUnsatisfiable: DoNotSchedule
  14. # matchLabelKeys:
  15. # - pod-template-hash
  16. affinity: {}
  17. # -- Global hostAliases to be applied to all deployments
  18. hostAliases: []
  19. # -- Global pod labels to be applied to all deployments
  20. podLabels: {}
  21. # -- Global pod annotations to be applied to all deployments
  22. podAnnotations: {}
  23. # -- Global imagePullSecrets to be applied to all deployments
  24. imagePullSecrets: []
  25. # -- Global image repository to be applied to all deployments
  26. repository: ""
  27. compatibility:
  28. openshift:
  29. # -- Manages the securityContext properties to make them compatible with OpenShift.
  30. # Possible values:
  31. # auto - Apply configurations if it is detected that OpenShift is the target platform.
  32. # force - Always apply configurations.
  33. # disabled - No modification applied.
  34. adaptSecurityContext: auto
  35. replicaCount: 1
  36. bitwarden-sdk-server:
  37. enabled: false
  38. namespaceOverride: ""
  39. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  40. revisionHistoryLimit: 10
  41. image:
  42. repository: ghcr.io/external-secrets/external-secrets
  43. pullPolicy: IfNotPresent
  44. # -- The image tag to use. The default is the chart appVersion.
  45. tag: ""
  46. # -- The flavour of tag you want to use
  47. # There are different image flavours available, like distroless and ubi.
  48. # Please see GitHub release notes for image tags for these flavors.
  49. # By default, the distroless image is used.
  50. flavour: ""
  51. # -- If set, install and upgrade CRDs through helm chart.
  52. installCRDs: true
  53. crds:
  54. # -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
  55. createClusterExternalSecret: true
  56. # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
  57. createClusterSecretStore: true
  58. # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
  59. createSecretStore: true
  60. # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
  61. createClusterGenerator: true
  62. # -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
  63. createClusterPushSecret: true
  64. # -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
  65. createPushSecret: true
  66. annotations: {}
  67. conversion:
  68. # -- Conversion is disabled by default as we stopped supporting v1alpha1.
  69. enabled: false
  70. # -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
  71. # v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
  72. # Warning: This flag will be removed on 2026.05.01.
  73. unsafeServeV1Beta1: false
  74. imagePullSecrets: []
  75. nameOverride: ""
  76. fullnameOverride: ""
  77. namespaceOverride: ""
  78. # -- Additional labels added to all helm chart resources.
  79. commonLabels: {}
  80. # -- If true, external-secrets will perform leader election between instances to ensure no more
  81. # than one instance of external-secrets operates at a time.
  82. leaderElect: false
  83. # -- ID of the lease object used for leader election.
  84. # Leave empty to use the default ('external-secrets-controller').
  85. # Set to a unique value when running multiple independent ESO deployments in the same namespace.
  86. # @default -- "external-secrets-controller"
  87. leaderElectionID: ""
  88. # -- If set external secrets will filter matching
  89. # Secret Stores with the appropriate controller values.
  90. controllerClass: ""
  91. # -- If true external secrets will use recommended kubernetes
  92. # annotations as prometheus metric labels.
  93. extendedMetricLabels: false
  94. # -- If set external secrets are only reconciled in the
  95. # provided namespace
  96. scopedNamespace: ""
  97. # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
  98. # and implicitly disable cluster stores and cluster external secrets
  99. scopedRBAC: false
  100. # -- If true the OpenShift finalizer permissions will be added to RBAC
  101. openshiftFinalizers: true
  102. # -- If true the system:auth-delegator ClusterRole will be added to RBAC
  103. systemAuthDelegator: false
  104. # -- if true, the operator will process cluster external secret. Else, it will ignore them.
  105. # When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
  106. # cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
  107. processClusterExternalSecret: true
  108. # -- if true, the operator will process cluster push secret. Else, it will ignore them.
  109. processClusterPushSecret: true
  110. # -- if true, the operator will process cluster store. Else, it will ignore them.
  111. processClusterStore: true
  112. # -- if true, the operator will process secret store. Else, it will ignore them.
  113. processSecretStore: true
  114. # -- if true, the operator will process cluster generator. Else, it will ignore them.
  115. processClusterGenerator: true
  116. # -- if true, the operator will process push secret. Else, it will ignore them.
  117. processPushSecret: true
  118. # -- Enable support for generic targets (ConfigMaps, Custom Resources).
  119. # Warning: Using generic target. Make sure access policies and encryption are properly configured.
  120. # When enabled, this grants the controller permissions to create/update/delete
  121. # ConfigMaps and optionally other resource types specified in generic.resources.
  122. genericTargets:
  123. # -- Enable generic target support
  124. enabled: false
  125. # -- List of additional resource types to grant permissions for.
  126. # Each entry should specify apiGroup, resources, and verbs.
  127. # Example:
  128. # resources:
  129. # - apiGroup: "argoproj.io"
  130. # resources: ["applications"]
  131. # verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  132. resources: []
  133. # -- Specifies whether an external secret operator deployment be created.
  134. createOperator: true
  135. # -- if true, HTTP2 will be enabled for the services created by all controllers, curently metrics and webhook.
  136. enableHTTP2: false
  137. # -- Vault token cache configuration
  138. vault:
  139. # -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
  140. enableTokenCache: false
  141. # -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
  142. tokenCacheSize: 262144
  143. # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
  144. # a time.
  145. concurrent: 1
  146. # -- Specifies Log Params to the External Secrets Operator
  147. log:
  148. level: info
  149. timeEncoding: epoch
  150. service:
  151. # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  152. ipFamilyPolicy: ""
  153. # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  154. ipFamilies: []
  155. serviceAccount:
  156. # -- Specifies whether a service account should be created.
  157. create: true
  158. # -- Automounts the service account token in all containers of the pod
  159. automount: true
  160. # -- Annotations to add to the service account.
  161. annotations: {}
  162. # -- Extra Labels to add to the service account.
  163. extraLabels: {}
  164. # -- The name of the service account to use.
  165. # If not set and create is true, a name is generated using the fullname template.
  166. name: ""
  167. rbac:
  168. # -- Specifies whether role and rolebinding resources should be created.
  169. create: true
  170. # -- Specifies whether the serviceaccounts/token create permission is included in the controller RBAC.
  171. # When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint
  172. # to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs.
  173. serviceAccountTokenCreate: true
  174. servicebindings:
  175. # -- Specifies whether a clusterrole to give servicebindings read access should be created.
  176. create: true
  177. # -- Specifies whether permissions are aggregated to the view ClusterRole
  178. aggregateToView: true
  179. # -- Specifies whether permissions are aggregated to the edit ClusterRole
  180. aggregateToEdit: true
  181. ## -- Extra environment variables to add to container.
  182. extraEnv: []
  183. ## -- Map of extra arguments to pass to container.
  184. extraArgs: {}
  185. ## -- Extra volumes to pass to pod.
  186. extraVolumes: []
  187. ## -- Extra Kubernetes objects to deploy with the helm chart
  188. extraObjects: []
  189. ## -- Extra volumes to mount to the container.
  190. extraVolumeMounts: []
  191. ## -- Extra init containers to add to the pod.
  192. extraInitContainers: []
  193. ## -- Extra containers to add to the pod.
  194. extraContainers: []
  195. # -- Annotations to add to Deployment
  196. deploymentAnnotations: {}
  197. # -- Set deployment strategy
  198. strategy: {}
  199. # -- Annotations to add to Pod
  200. podAnnotations: {}
  201. podLabels: {}
  202. podSecurityContext:
  203. enabled: true
  204. # fsGroup: 2000
  205. securityContext:
  206. allowPrivilegeEscalation: false
  207. capabilities:
  208. drop:
  209. - ALL
  210. enabled: true
  211. readOnlyRootFilesystem: true
  212. runAsNonRoot: true
  213. runAsUser: 1000
  214. seccompProfile:
  215. type: RuntimeDefault
  216. resources: {}
  217. # requests:
  218. # cpu: 10m
  219. # memory: 32Mi
  220. serviceMonitor:
  221. # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
  222. enabled: false
  223. # -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
  224. #
  225. # Possible values:
  226. # - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
  227. # - `failIfMissing`: Fail Helm install if CRD is not present.
  228. # - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.
  229. # @schema
  230. # enum:
  231. # - skipIfMissing
  232. # - failIfMissing
  233. # - alwaysRender
  234. # @schema
  235. renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
  236. # -- namespace where you want to install ServiceMonitors
  237. namespace: ""
  238. # -- Additional labels
  239. additionalLabels: {}
  240. # -- Interval to scrape metrics
  241. interval: 30s
  242. # -- Timeout if metrics can't be retrieved in given time interval
  243. scrapeTimeout: 25s
  244. # -- Let prometheus add an exported_ prefix to conflicting labels
  245. honorLabels: false
  246. # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
  247. metricRelabelings: []
  248. # - action: replace
  249. # regex: (.*)
  250. # replacement: $1
  251. # sourceLabels:
  252. # - exported_namespace
  253. # targetLabel: namespace
  254. # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
  255. relabelings: []
  256. # - sourceLabels: [__meta_kubernetes_pod_node_name]
  257. # separator: ;
  258. # regex: ^(.*)$
  259. # targetLabel: nodename
  260. # replacement: $1
  261. # action: replace
  262. metrics:
  263. listen:
  264. port: 8080
  265. secure:
  266. enabled: false
  267. # -- if those are not set or invalid, self-signed certs will be generated
  268. # -- TLS cert directory path
  269. certDir: /etc/tls
  270. # -- TLS cert file path
  271. certFile: /etc/tls/tls.crt
  272. # -- TLS key file path
  273. keyFile: /etc/tls/tls.key
  274. service:
  275. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  276. enabled: false
  277. # -- Metrics service port to scrape
  278. port: 8080
  279. # -- Additional service annotations
  280. annotations: {}
  281. grafanaDashboard:
  282. # -- If true creates a Grafana dashboard.
  283. enabled: false
  284. # -- Label that ConfigMaps should have to be loaded as dashboards.
  285. sidecarLabel: "grafana_dashboard"
  286. # -- Label value that ConfigMaps should have to be loaded as dashboards.
  287. sidecarLabelValue: "1"
  288. # -- Annotations that ConfigMaps can have to get configured in Grafana,
  289. # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
  290. # https://github.com/grafana/helm-charts/tree/main/charts/grafana
  291. annotations: {}
  292. # -- Extra labels to add to the Grafana dashboard ConfigMap.
  293. extraLabels: {}
  294. livenessProbe:
  295. # -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
  296. enabled: false
  297. # -- The body of the liveness probe settings.
  298. spec:
  299. # -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
  300. address: ""
  301. # -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
  302. port: 8082
  303. # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
  304. timeoutSeconds: 5
  305. # -- Number of consecutive probe failures that should occur before considering the probe as failed.
  306. failureThreshold: 5
  307. # -- Period in seconds for K8s to start performing probes.
  308. periodSeconds: 10
  309. # -- Number of successful probes to mark probe successful.
  310. successThreshold: 1
  311. # -- Delay in seconds for the container to start before performing the initial probe.
  312. initialDelaySeconds: 10
  313. # -- Handler for liveness probe.
  314. httpGet:
  315. # -- Set this value to 'live' (for named port) or an an integer for liveness probes.
  316. # @schema type: [string, integer]
  317. port: live
  318. # -- Path for liveness probe.
  319. path: /healthz
  320. readinessProbe:
  321. # -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
  322. enabled: false
  323. # -- The body of the readiness probe settings (standard Kubernetes probe spec).
  324. spec:
  325. # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
  326. timeoutSeconds: 5
  327. # -- Number of consecutive probe failures that should occur before considering the probe as failed.
  328. failureThreshold: 3
  329. # -- Period in seconds for K8s to start performing probes.
  330. periodSeconds: 10
  331. # -- Number of successful probes to mark probe successful.
  332. successThreshold: 1
  333. # -- Delay in seconds for the container to start before performing the initial probe.
  334. initialDelaySeconds: 10
  335. # -- Handler for readiness probe.
  336. httpGet:
  337. # -- Set this value to 'live' (for named port) or an integer for readiness probes.
  338. # @schema type: [string, integer]
  339. port: live
  340. # -- Path for readiness probe.
  341. path: /readyz
  342. nodeSelector: {}
  343. tolerations: []
  344. topologySpreadConstraints: []
  345. affinity: {}
  346. # -- Pod priority class name.
  347. priorityClassName: ""
  348. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  349. podDisruptionBudget:
  350. enabled: false
  351. minAvailable: 1 # @schema type:[integer, string]
  352. nameOverride: ""
  353. # maxUnavailable: "50%"
  354. # -- Run the controller on the host network
  355. hostNetwork: false
  356. # -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  357. # @schema type: [boolean, null]
  358. hostUsers:
  359. webhook:
  360. # -- Annotations to place on validating webhook configuration.
  361. annotations: {}
  362. # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
  363. create: true
  364. # -- Specifies the time to check if the cert is valid
  365. certCheckInterval: "5m"
  366. # -- Specifies the lookaheadInterval for certificate validity
  367. lookaheadInterval: ""
  368. replicaCount: 1
  369. # -- Specifies Log Params to the Webhook
  370. log:
  371. level: info
  372. timeEncoding: epoch
  373. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  374. revisionHistoryLimit: 10
  375. certDir: /tmp/certs
  376. # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
  377. failurePolicy: Fail
  378. # -- Specifies if webhook pod should use hostNetwork or not.
  379. hostNetwork: false
  380. # -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  381. # @schema type: [boolean, null]
  382. hostUsers:
  383. image:
  384. repository: ghcr.io/external-secrets/external-secrets
  385. pullPolicy: IfNotPresent
  386. # -- The image tag to use. The default is the chart appVersion.
  387. tag: ""
  388. # -- The flavour of tag you want to use
  389. flavour: ""
  390. imagePullSecrets: []
  391. # -- The port the webhook will listen to
  392. port: 10250
  393. serviceAccount:
  394. # -- Specifies whether a service account should be created.
  395. create: true
  396. # -- Automounts the service account token in all containers of the pod
  397. automount: true
  398. # -- Annotations to add to the service account.
  399. annotations: {}
  400. # -- Extra Labels to add to the service account.
  401. extraLabels: {}
  402. # -- The name of the service account to use.
  403. # If not set and create is true, a name is generated using the fullname template.
  404. name: ""
  405. nodeSelector: {}
  406. # -- Specifies `hostAliases` to webhook deployment
  407. hostAliases: []
  408. certManager:
  409. # -- Enabling cert-manager support will disable the built in secret and
  410. # switch to using cert-manager (installed separately) to automatically issue
  411. # and renew the webhook certificate. This chart does not install
  412. # cert-manager for you, See https://cert-manager.io/docs/
  413. enabled: false
  414. # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
  415. # webhooks and CRDs. As long as you have the cert-manager CA Injector
  416. # enabled, this will automatically setup your webhook's CA to the one used
  417. # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
  418. addInjectorAnnotations: true
  419. cert:
  420. # -- Create a certificate resource within this chart. See
  421. # https://cert-manager.io/docs/usage/certificate/
  422. create: true
  423. # -- For the Certificate created by this chart, setup the issuer. See
  424. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
  425. issuerRef:
  426. group: cert-manager.io
  427. kind: "Issuer"
  428. name: "my-issuer"
  429. # -- Set the requested duration (i.e. lifetime) of the Certificate. See
  430. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  431. # One year by default.
  432. duration: "8760h0m0s"
  433. # -- Set the revisionHistoryLimit on the Certificate. See
  434. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  435. # Defaults to 0 (ignored).
  436. revisionHistoryLimit: 0
  437. # -- How long before the currently issued certificate’s expiry
  438. # cert-manager should renew the certificate. See
  439. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  440. # Note that renewBefore should be greater than .webhook.lookaheadInterval
  441. # since the webhook will check this far in advance that the certificate is
  442. # valid.
  443. renewBefore: ""
  444. # -- Specific settings on the privateKey and its generation
  445. privateKey: {}
  446. # rotationPolicy: Always
  447. # algorithm: RSA
  448. # size: 2048
  449. # -- Specific settings on the signatureAlgorithm used on the cert.
  450. # signatureAlgorithm is only valid for cert-manager v1.18.0+
  451. signatureAlgorithm: ""
  452. # -- Add extra annotations to the Certificate resource.
  453. annotations: {}
  454. tolerations: []
  455. topologySpreadConstraints: []
  456. affinity: {}
  457. # -- Set deployment strategy
  458. strategy: {}
  459. # -- Pod priority class name.
  460. priorityClassName: ""
  461. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  462. podDisruptionBudget:
  463. enabled: false
  464. minAvailable: 1 # @schema type:[integer, string]
  465. nameOverride: ""
  466. # maxUnavailable: "50%"
  467. metrics:
  468. listen:
  469. port: 8080
  470. service:
  471. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  472. enabled: false
  473. # -- Metrics service port to scrape
  474. port: 8080
  475. # -- Additional service annotations
  476. annotations: {}
  477. livenessProbe:
  478. enabled: false
  479. # -- Set this value to 'live' (for named port) or an integer for liveness probes.
  480. # @schema type: [string, integer]
  481. port: 8081
  482. timeoutSeconds: 5
  483. failureThreshold: 5
  484. periodSeconds: 10
  485. successThreshold: 1
  486. initialDelaySeconds: 10
  487. readinessProbe:
  488. enabled: true
  489. address: ""
  490. # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
  491. # @schema type: [string, integer]
  492. port: 8081
  493. timeoutSeconds: 5
  494. failureThreshold: 3
  495. periodSeconds: 5
  496. successThreshold: 1
  497. initialDelaySeconds: 20
  498. ## -- Extra environment variables to add to container.
  499. extraEnv: []
  500. ## -- Map of extra arguments to pass to container.
  501. extraArgs: {}
  502. ## -- Extra init containers to add to the pod.
  503. extraInitContainers: []
  504. ## -- Extra volumes to pass to pod.
  505. extraVolumes: []
  506. ## -- Extra volumes to mount to the container.
  507. extraVolumeMounts: []
  508. # -- Annotations to add to Secret
  509. secretAnnotations: {}
  510. # -- Annotations to add to Deployment
  511. deploymentAnnotations: {}
  512. # -- Annotations to add to Pod
  513. podAnnotations: {}
  514. podLabels: {}
  515. podSecurityContext:
  516. enabled: true
  517. # fsGroup: 2000
  518. securityContext:
  519. allowPrivilegeEscalation: false
  520. capabilities:
  521. drop:
  522. - ALL
  523. enabled: true
  524. readOnlyRootFilesystem: true
  525. runAsNonRoot: true
  526. runAsUser: 1000
  527. seccompProfile:
  528. type: RuntimeDefault
  529. resources: {}
  530. # requests:
  531. # cpu: 10m
  532. # memory: 32Mi
  533. # -- Manage the service through which the webhook is reached.
  534. service:
  535. # -- Whether the service object should be enabled or not (it is expected to exist).
  536. enabled: true
  537. # -- Custom annotations for the webhook service.
  538. annotations: {}
  539. # -- Custom labels for the webhook service.
  540. labels: {}
  541. # -- The service type of the webhook service.
  542. type: ClusterIP
  543. # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
  544. # Check the documentation of your load balancer provider to see if/how this should be used.
  545. loadBalancerIP: ""
  546. certController:
  547. # -- Specifies whether a certificate controller deployment be created.
  548. create: true
  549. requeueInterval: "5m"
  550. replicaCount: 1
  551. # -- Specifies Log Params to the Certificate Controller
  552. log:
  553. level: info
  554. timeEncoding: epoch
  555. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  556. revisionHistoryLimit: 10
  557. image:
  558. repository: ghcr.io/external-secrets/external-secrets
  559. pullPolicy: IfNotPresent
  560. tag: ""
  561. flavour: ""
  562. imagePullSecrets: []
  563. rbac:
  564. # -- Specifies whether role and rolebinding resources should be created.
  565. create: true
  566. serviceAccount:
  567. # -- Specifies whether a service account should be created.
  568. create: true
  569. # -- Automounts the service account token in all containers of the pod
  570. automount: true
  571. # -- Annotations to add to the service account.
  572. annotations: {}
  573. # -- Extra Labels to add to the service account.
  574. extraLabels: {}
  575. # -- The name of the service account to use.
  576. # If not set and create is true, a name is generated using the fullname template.
  577. name: ""
  578. nodeSelector: {}
  579. # -- Specifies `hostAliases` to cert-controller deployment
  580. hostAliases: []
  581. tolerations: []
  582. topologySpreadConstraints: []
  583. affinity: {}
  584. # -- Set deployment strategy
  585. strategy: {}
  586. # -- Run the certController on the host network
  587. hostNetwork: false
  588. # -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  589. # @schema type: [boolean, null]
  590. hostUsers:
  591. # -- Pod priority class name.
  592. priorityClassName: ""
  593. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  594. podDisruptionBudget:
  595. enabled: false
  596. minAvailable: 1 # @schema type:[integer, string]
  597. nameOverride: ""
  598. # maxUnavailable: "50%"
  599. metrics:
  600. listen:
  601. port: 8080
  602. service:
  603. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  604. enabled: false
  605. # -- Metrics service port to scrape
  606. port: 8080
  607. # -- Additional service annotations
  608. annotations: {}
  609. livenessProbe:
  610. enabled: false
  611. # -- Set this value to 'live' (for named port) or an integer for liveness probes.
  612. # @schema type: [string, integer]
  613. port: 8081
  614. timeoutSeconds: 5
  615. failureThreshold: 5
  616. periodSeconds: 10
  617. successThreshold: 1
  618. initialDelaySeconds: 10
  619. readinessProbe:
  620. enabled: true
  621. address: ""
  622. # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
  623. # @schema type: [string, integer]
  624. port: 8081
  625. timeoutSeconds: 5
  626. failureThreshold: 3
  627. periodSeconds: 5
  628. successThreshold: 1
  629. initialDelaySeconds: 20
  630. startupProbe:
  631. # -- Enabled determines if the startup probe should be used or not. By default it's enabled
  632. enabled: false
  633. # -- whether to use the readiness probe port for startup probe.
  634. useReadinessProbePort: true
  635. # -- Port for startup probe.
  636. port: ""
  637. ## -- Extra environment variables to add to container.
  638. extraEnv: []
  639. ## -- Map of extra arguments to pass to container.
  640. extraArgs: {}
  641. ## -- Extra init containers to add to the pod.
  642. extraInitContainers: []
  643. ## -- Extra volumes to pass to pod.
  644. extraVolumes: []
  645. ## -- Extra volumes to mount to the container.
  646. extraVolumeMounts: []
  647. # -- Annotations to add to Deployment
  648. deploymentAnnotations: {}
  649. # -- Annotations to add to Pod
  650. podAnnotations: {}
  651. podLabels: {}
  652. podSecurityContext:
  653. enabled: true
  654. # fsGroup: 2000
  655. securityContext:
  656. allowPrivilegeEscalation: false
  657. capabilities:
  658. drop:
  659. - ALL
  660. enabled: true
  661. readOnlyRootFilesystem: true
  662. runAsNonRoot: true
  663. runAsUser: 1000
  664. seccompProfile:
  665. type: RuntimeDefault
  666. resources: {}
  667. # requests:
  668. # cpu: 10m
  669. # memory: 32Mi
  670. # -- Specifies `dnsPolicy` to deployment
  671. dnsPolicy: ClusterFirst
  672. # -- Specifies `dnsOptions` to deployment
  673. dnsConfig: {}
  674. # -- Specifies `hostAliases` to deployment
  675. hostAliases: []
  676. # -- Any extra pod spec on the deployment
  677. podSpecExtra: {}