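apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: example
spec:
  # Used to select the correct ESO controller (think: ingress.ingressClassName)
  # The ESO controller is instantiated with a specific controller name
  # and filters ES based on this property
  # Optional
  controller: dev

  # provider field contains the configuration to access the provider
  # which contains the secret. Exactly one provider must be configured;
  # several are listed below only to illustrate the syntax of each one.
  provider:
    # (1): AWS Secrets Manager
    # aws configures this store to sync secrets using AWS Secret Manager provider
    aws:
      service: SecretsManager
      # Role is a Role ARN which the SecretManager provider will assume
      # (the value below is a placeholder, not a real ARN)
      role: iam-role
      # AWS Region to be used for the provider
      region: eu-central-1
      # Auth defines the information necessary to authenticate against AWS
      auth:
        # Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret
        # These are long-lived static credentials; prefer the jwt (IRSA) form below
        # where the cluster supports it, so no secret material has to be stored.
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
        # IAM roles for service accounts
        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
        jwt:
          serviceAccountRef:
            name: my-serviceaccount
            namespace: sa-namespace

    vault:
      server: "https://vault.acme.org"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "secret"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "a-team"
      # base64 encoded string of certificate (PEM CA bundle used to verify the server)
      caBundle: "..."
      # Instead of caBundle you can also specify a caProvider
      # this will retrieve the cert from a Secret or ConfigMap
      caProvider:
        # Can be Secret or ConfigMap
        type: "Secret"
        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
        namespace: "my-cert-secret-namespace"
        name: "my-cert-secret"
        key: "cert-key"
      # Only one auth method is needed; three are shown to illustrate their syntax.
      auth:
        # static token: https://www.vaultproject.io/docs/auth/token
        # A static token is the weakest option (long-lived, must be rotated by hand);
        # appRole or kubernetes auth below avoid storing a standing credential.
        tokenSecretRef:
          name: "my-secret"
          namespace: "secret-admin"
          key: "vault-token"
        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
        appRole:
          path: "approle"
          # Instead of referencing the AppRole's ID from the secret, you can also specify it directly
          # roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
          roleRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-id"
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-secret"
        # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
        kubernetes:
          mountPath: "kubernetes"
          role: "demo"
          # Optional service account reference
          serviceAccountRef:
            name: "my-sa"
            namespace: "secret-admin"
          # Optional secret field containing a Kubernetes ServiceAccount JWT
          # used for authenticating with Vault
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault"

    # (2): GCP Secret Manager
    gcpsm:
      # Auth defines the information necessary to authenticate against GCP by getting
      # the credentials from an already created Kubernetes Secret.
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret
            key: secret-access-credentials
            namespace: example
      projectID: myproject

    # (3): Kubernetes provider
    kubernetes:
      server:
        url: "https://myapiserver.tld"
        # CA used to verify the remote API server; taken from a Secret here
        caProvider:
          type: Secret
          name: my-cluster-secrets
          namespace: example
          key: ca.crt
      auth:
        serviceAccount:
          name: "example-sa"
          namespace: "example"

    # (4): Oracle provider
    oracle:
      # The vault OCID
      vault: ocid1.vault.oc1.eu-frankfurt-1.aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
      # The vault region
      region: eu-frankfurt-1
      auth:
        # The user OCID
        user: ocid1.user.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        # The tenancy OCID
        tenancy: ocid1.tenancy.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        secretRef:
          privatekey:
            # The secret that contains your privatekey
            name: oci-secret-name
            key: privateKey
            namespace: example-namespace
          fingerprint:
            # The secret that contains your fingerprint
            name: oci-secret-name
            key: fingerprint
            namespace: example-namespace
    # (TODO): add more provider examples here

  # Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets.
  # This is the least-privilege control for a cluster-scoped store: it limits which
  # namespaces may pull secrets through it (without conditions the store is presumably
  # usable from every namespace — confirm against the ESO version in use).
  conditions:
    # Options are namespaceSelector, namespaces or namespaceRegexes
    - namespaceSelector:
        matchLabels:
          my.namespace.io/some-label: "value"  # Only namespaces with that label will work
    - namespaces:
        - "namespace-a"
        - "namespace-b"
    # Namespace regexes are useful for policy management or when external tools auto-generate namespaces with prefixes/suffixes
    # NOTE(review): if the matcher is unanchored, "namespace-a-.*" also matches names that
    # merely contain "namespace-a-"; anchor with ^...$ when the intent is a strict prefix — confirm.
    - namespaceRegexes:
        - "namespace-a-.*"  # All namespaces prefixed by namespace-a- will work
        - "namespace-b-.*"  # All namespaces prefixed by namespace-b- will work
    # Only one of the listed conditions needs to match for the ClusterSecretStore (CSS) to be usable in a namespace.
status:
  # Standard condition schema
  conditions:
    # SecretStore ready condition indicates the given store is in ready
    # state and able to be referenced by ExternalSecrets
    # If the `status` of this condition is `False`, ExternalSecret controllers
    # should prevent attempts to fetch secrets
    - type: Ready
      # quoted on purpose: an unquoted False would be parsed as a YAML boolean
      status: "False"
      reason: "ConfigError"
      message: "SecretStore validation failed"
      lastTransitionTime: "2019-08-12T12:33:02Z"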