Gergely Bräutigam 6a1373e338 chore: release helm chart for v2.3.0 (#6204) 4 days ago
ci 8ef07f515d feat(chart): Enable partial cache for certcontroller when installCRDs=true (#3589) 1 year ago
files d172fcf6db fix(helm): grafana dashboard: add widget for sum of not ready secrets (#5086) 8 months ago
templates e325bced50 feat: move experimental-enable-vault-token-cache out of experimental and add expiry to validation (#5397) 6 days ago
tests 6a1373e338 chore: release helm chart for v2.3.0 (#6204) 4 days ago
.helmignore e929a6e330 Update .helmignore (#3472) 1 year ago
Chart.lock 825e0959f6 chore: bump bitwarden helm chart version to v0.6.0 (#6118) 2 weeks ago
Chart.yaml 6a1373e338 chore: release helm chart for v2.3.0 (#6204) 4 days ago
README.md 6a1373e338 chore: release helm chart for v2.3.0 (#6204) 4 days ago
README.md.gotmpl 37ea19b831 issue/3231 - updated helm.tests with latest crds changes for JWT authentication (#3232) 2 years ago
values.schema.json e325bced50 feat: move experimental-enable-vault-token-cache out of experimental and add expiry to validation (#5397) 6 days ago
values.yaml e325bced50 feat: move experimental-enable-vault-token-cache out of experimental and add expiry to validation (#5397) 6 days ago


External Secrets

external-secrets

External secrets management for Kubernetes

TL;DR

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets

Installing the Chart

To install the chart with the release name external-secrets:

helm install external-secrets external-secrets/external-secrets

Custom Resources

By default the chart installs the external-secrets CRDs; this is controlled with the installCRDs value. When installCRDs is true the CRDs are rendered as ordinary templated resources, so they are upgraded (and removed) together with the release.
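A values file for a namespace-scoped, least-privilege install, added here as a worked example; it is not part of the chart's own documentation. The namespace `team-a` and the file name are assumptions; every key comes from the Values table below, and the comments spell out the cross-key constraints the table states only row by row (scopedRBAC needs scopedNamespace, a disabled cluster CRD needs its matching process* flag, a second release cannot adopt CRDs another release owns).

```yaml
# values-scoped.yaml (added example; "team-a" is an assumed namespace)
# Install with:
#   helm install external-secrets external-secrets/external-secrets \
#     --namespace team-a --create-namespace -f values-scoped.yaml

# Reconcile only in this namespace and create Roles there instead of
# ClusterRoles. scopedRBAC must be combined with scopedNamespace; it
# implicitly disables cluster stores and cluster external secrets.
scopedNamespace: team-a
scopedRBAC: true

# Make that implicit behaviour explicit so a later change to scopedRBAC
# does not silently re-enable cluster-scoped resources.
processClusterStore: false
processClusterExternalSecret: false
processClusterPushSecret: false
processClusterGenerator: false

# Do not widen the controller's RBAC to ConfigMaps or other kinds.
genericTargets:
  enabled: false
  resources: []

# Keep the deprecated v1beta1 API off; enable it only to migrate existing
# objects, and keep conversion off because v1alpha1 is no longer supported.
crds:
  unsafeServeV1Beta1: false
  conversion:
    enabled: false

# CRDs are cluster-scoped. If another release already owns them, set this
# to false, otherwise Helm refuses to adopt resources it does not own.
installCRDs: true

# Reject admission requests while the validating webhook is unreachable
# instead of admitting unvalidated SecretStore/ExternalSecret objects;
# run two replicas behind a PDB so that outage window stays short.
webhook:
  failurePolicy: Fail
  replicaCount: 2
  podDisruptionBudget:
    enabled: true
    minAvailable: 1

# Decide who may create ExternalSecrets/SecretStores. With aggregation off,
# only explicit RoleBindings grant those verbs rather than every holder of
# the built-in edit/view ClusterRoles.
rbac:
  create: true
  aggregateToEdit: false
  aggregateToView: false
  servicebindings:
    create: false

# One controller instance; turn on leaderElect before raising replicaCount.
replicaCount: 1
leaderElect: false

# The chart's container defaults are already restrictive; restate them so a
# values merge cannot loosen them, and keep host network/user namespaces off.
hostNetwork: false
securityContext:
  enabled: true
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: RuntimeDefault
```

Render it with `helm template ... -f values-scoped.yaml` before installing and confirm that only Role/RoleBinding objects (no ClusterRole) are produced for the controller, which is the observable effect of scopedRBAC.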

Uninstalling the Chart

To uninstall the external-secrets deployment:

helm uninstall external-secrets

The command removes all the Kubernetes components associated with the chart and deletes the release. Because the CRDs are part of the chart when installCRDs is true, they are removed as well, and with them every ExternalSecret, SecretStore and related object in the cluster; Secrets synced with the default creationPolicy Owner carry an owner reference to their ExternalSecret and are garbage-collected with it. Back those objects up before uninstalling if you intend to reinstall.

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `affinity` | object | `{}` | |
| `bitwarden-sdk-server.enabled` | bool | `false` | |
| `bitwarden-sdk-server.namespaceOverride` | string | `""` | |
| `certController.affinity` | object | `{}` | |
| `certController.create` | bool | `true` | Specifies whether a certificate controller deployment should be created. |
| `certController.deploymentAnnotations` | object | `{}` | Annotations to add to the Deployment. |
| `certController.extraArgs` | object | `{}` | |
| `certController.extraEnv` | list | `[]` | |
| `certController.extraInitContainers` | list | `[]` | |
| `certController.extraVolumeMounts` | list | `[]` | |
| `certController.extraVolumes` | list | `[]` | |
| `certController.hostAliases` | list | `[]` | hostAliases for the cert-controller deployment. |
| `certController.hostNetwork` | bool | `false` | Run the certController on the host network. |
| `certController.hostUsers` | bool | `nil` | Whether the certController pod should use hostUsers. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33. |
| `certController.image.flavour` | string | `""` | |
| `certController.image.pullPolicy` | string | `"IfNotPresent"` | |
| `certController.image.repository` | string | `"ghcr.io/external-secrets/external-secrets"` | |
| `certController.image.tag` | string | `""` | |
| `certController.imagePullSecrets` | list | `[]` | |
| `certController.log` | object | `{"level":"info","timeEncoding":"epoch"}` | Log parameters for the certificate controller. |
| `certController.metrics.listen.port` | int | `8080` | |
| `certController.metrics.service.annotations` | object | `{}` | Additional service annotations. |
| `certController.metrics.service.enabled` | bool | `false` | Enable if you use a monitoring tool other than Prometheus to scrape the metrics. |
| `certController.metrics.service.port` | int | `8080` | Metrics service port to scrape. |
| `certController.nodeSelector` | object | `{}` | |
| `certController.podAnnotations` | object | `{}` | Annotations to add to the Pod. |
| `certController.podDisruptionBudget` | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| `certController.podLabels` | object | `{}` | |
| `certController.podSecurityContext.enabled` | bool | `true` | |
| `certController.priorityClassName` | string | `""` | Pod priority class name. |
| `certController.rbac.create` | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| `certController.readinessProbe.address` | string | `""` | Address for the readiness probe. |
| `certController.readinessProbe.port` | int | `8081` | Readiness probe port for the kubelet. |
| `certController.replicaCount` | int | `1` | |
| `certController.requeueInterval` | string | `"5m"` | |
| `certController.resources` | object | `{}` | |
| `certController.revisionHistoryLimit` | int | `10` | Number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy). |
| `certController.securityContext.allowPrivilegeEscalation` | bool | `false` | |
| `certController.securityContext.capabilities.drop[0]` | string | `"ALL"` | |
| `certController.securityContext.enabled` | bool | `true` | |
| `certController.securityContext.readOnlyRootFilesystem` | bool | `true` | |
| `certController.securityContext.runAsNonRoot` | bool | `true` | |
| `certController.securityContext.runAsUser` | int | `1000` | |
| `certController.securityContext.seccompProfile.type` | string | `"RuntimeDefault"` | |
| `certController.serviceAccount.annotations` | object | `{}` | Annotations to add to the service account. |
| `certController.serviceAccount.automount` | bool | `true` | Automount the service account token in all containers of the pod. |
| `certController.serviceAccount.create` | bool | `true` | Specifies whether a service account should be created. |
| `certController.serviceAccount.extraLabels` | object | `{}` | Extra labels to add to the service account. |
| `certController.serviceAccount.name` | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| `certController.startupProbe.enabled` | bool | `false` | Whether the startup probe should be used. Disabled by default. |
| `certController.startupProbe.port` | string | `""` | Port for the startup probe. |
| `certController.startupProbe.useReadinessProbePort` | bool | `true` | Whether to use the readiness probe port for the startup probe. |
| `certController.strategy` | object | `{}` | Set the deployment strategy. |
| `certController.tolerations` | list | `[]` | |
| `certController.topologySpreadConstraints` | list | `[]` | |
| `commonLabels` | object | `{}` | Additional labels added to all chart resources. |
| `concurrent` | int | `1` | Number of ExternalSecret reconciles external-secrets executes concurrently. |
| `controllerClass` | string | `""` | If set, external-secrets only reconciles SecretStores whose controller value matches. |
| `crds.annotations` | object | `{}` | |
| `crds.conversion.enabled` | bool | `false` | Conversion is disabled by default because v1alpha1 is no longer supported. |
| `crds.createClusterExternalSecret` | bool | `true` | If true, create the CRD for ClusterExternalSecret. If set to false you must also set processClusterExternalSecret: false. |
| `crds.createClusterGenerator` | bool | `true` | If true, create the CRD for ClusterGenerator. If set to false you must also set processClusterGenerator: false. |
| `crds.createClusterPushSecret` | bool | `true` | If true, create the CRD for ClusterPushSecret. If set to false you must also set processClusterPushSecret: false. |
| `crds.createClusterSecretStore` | bool | `true` | If true, create the CRD for ClusterSecretStore. If set to false you must also set processClusterStore: false. |
| `crds.createPushSecret` | bool | `true` | If true, create the CRD for PushSecret. If set to false you must also set processPushSecret: false. |
| `crds.createSecretStore` | bool | `true` | If true, create the CRD for SecretStore. If set to false you must also set processSecretStore: false. |
| `crds.unsafeServeV1Beta1` | bool | `false` | If true, serve the v1beta1 API version for the ExternalSecret, ClusterExternalSecret, SecretStore and ClusterSecretStore CRDs. v1beta1 is deprecated; only enable this for backward compatibility if you have existing v1beta1 resources. Warning: this flag will be removed on 2026-05-01. |
| `createOperator` | bool | `true` | Specifies whether the external-secrets operator deployment should be created. |
| `deploymentAnnotations` | object | `{}` | Annotations to add to the Deployment. |
| `dnsConfig` | object | `{}` | dnsConfig (DNS options) for the deployment. |
| `dnsPolicy` | string | `"ClusterFirst"` | dnsPolicy for the deployment. |
| `enableHTTP2` | bool | `false` | If true, HTTP/2 is enabled for the services created by all controllers, currently metrics and webhook. |
| `extendedMetricLabels` | bool | `false` | If true, external-secrets uses the recommended Kubernetes annotations as Prometheus metric labels. |
| `extraArgs` | object | `{}` | |
| `extraContainers` | list | `[]` | |
| `extraEnv` | list | `[]` | |
| `extraInitContainers` | list | `[]` | |
| `extraObjects` | list | `[]` | |
| `extraVolumeMounts` | list | `[]` | |
| `extraVolumes` | list | `[]` | |
| `fullnameOverride` | string | `""` | |
| `genericTargets` | object | `{"enabled":false,"resources":[]}` | Enable support for generic targets (ConfigMaps, custom resources). Warning: make sure access policies and encryption are properly configured before using generic targets. When enabled, this grants the controller permission to create/update/delete ConfigMaps and, optionally, the other resource types listed in genericTargets.resources. |
| `genericTargets.enabled` | bool | `false` | Enable generic target support. |
| `genericTargets.resources` | list | `[]` | Additional resource types to grant permissions for. Each entry specifies apiGroup, resources and verbs, for example `- apiGroup: "argoproj.io"` with `resources: ["applications"]` and `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`. |
| `global.affinity` | object | `{}` | |
| `global.compatibility.openshift.adaptSecurityContext` | string | `"auto"` | Adjusts the securityContext properties to be compatible with OpenShift. Possible values: `auto` (apply if OpenShift is detected as the target platform), `force` (always apply), `disabled` (no modification). |
| `global.hostAliases` | list | `[]` | Global hostAliases applied to all deployments. |
| `global.imagePullSecrets` | list | `[]` | Global imagePullSecrets applied to all deployments. |
| `global.nodeSelector` | object | `{}` | |
| `global.podAnnotations` | object | `{}` | Global pod annotations applied to all deployments. |
| `global.podLabels` | object | `{}` | Global pod labels applied to all deployments. |
| `global.repository` | string | `""` | Global image repository applied to all deployments. |
| `global.tolerations` | list | `[]` | |
| `global.topologySpreadConstraints` | list | `[]` | |
| `grafanaDashboard.annotations` | object | `{}` | Annotations on the dashboard ConfigMap so Grafana picks it up; see sidecar.dashboards.folderAnnotation for specifying the dashboard folder: https://github.com/grafana/helm-charts/tree/main/charts/grafana |
| `grafanaDashboard.enabled` | bool | `false` | If true, creates a Grafana dashboard. |
| `grafanaDashboard.extraLabels` | object | `{}` | Extra labels to add to the Grafana dashboard ConfigMap. |
| `grafanaDashboard.sidecarLabel` | string | `"grafana_dashboard"` | Label that ConfigMaps must have to be loaded as dashboards. |
| `grafanaDashboard.sidecarLabelValue` | string | `"1"` | Label value that ConfigMaps must have to be loaded as dashboards. |
| `hostAliases` | list | `[]` | hostAliases for the deployment. |
| `hostNetwork` | bool | `false` | Run the controller on the host network. |
| `hostUsers` | bool | `nil` | Whether the controller pod should use hostUsers. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33. |
| `image.flavour` | string | `""` | The image flavour to use. Different flavours such as distroless and ubi are available; see the GitHub release notes for their tags. By default the distroless image is used. |
| `image.pullPolicy` | string | `"IfNotPresent"` | |
| `image.repository` | string | `"ghcr.io/external-secrets/external-secrets"` | |
| `image.tag` | string | `""` | The image tag to use. Defaults to the chart appVersion. |
| `imagePullSecrets` | list | `[]` | |
| `installCRDs` | bool | `true` | If set, install and upgrade the CRDs through the Helm chart. |
| `leaderElect` | bool | `false` | If true, external-secrets performs leader election between instances so that no more than one instance operates at a time. |
| `livenessProbe.enabled` | bool | `false` | Whether the liveness probe is used. Disabled by default. |
| `livenessProbe.spec` | object | `{"address":"","failureThreshold":5,"httpGet":{"path":"/healthz","port":"live"},"initialDelaySeconds":10,"periodSeconds":10,"port":8082,"successThreshold":1,"timeoutSeconds":5}` | The liveness probe settings. |
| `livenessProbe.spec.address` | string | `""` | Bind address of the health server used by both liveness and readiness probes (--live-addr flag). |
| `livenessProbe.spec.failureThreshold` | int | `5` | Number of consecutive probe failures before the probe is considered failed. |
| `livenessProbe.spec.httpGet` | object | `{"path":"/healthz","port":"live"}` | Handler for the liveness probe. |
| `livenessProbe.spec.httpGet.path` | string | `"/healthz"` | Path for the liveness probe. |
| `livenessProbe.spec.httpGet.port` | string | `"live"` | Set this to `live` (the named port) or to an integer port for the liveness probe. |
| `livenessProbe.spec.initialDelaySeconds` | int | `10` | Delay in seconds after container start before the first probe. |
| `livenessProbe.spec.periodSeconds` | int | `10` | Period in seconds between probes. |
| `livenessProbe.spec.port` | int | `8082` | Port of the health server used by both liveness and readiness probes (--live-addr flag). |
| `livenessProbe.spec.successThreshold` | int | `1` | Number of successful probes required to mark the probe successful. |
| `livenessProbe.spec.timeoutSeconds` | int | `5` | Maximum time to wait for a probe response before it is considered failed. |
| `log` | object | `{"level":"info","timeEncoding":"epoch"}` | Log parameters for the External Secrets operator. |
| `metrics.listen.port` | int | `8080` | |
| `metrics.listen.secure.certDir` | string | `"/etc/tls"` | TLS certificate directory. |
| `metrics.listen.secure.certFile` | string | `"/etc/tls/tls.crt"` | TLS certificate file path. |
| `metrics.listen.secure.enabled` | bool | `false` | Serve the metrics endpoint over TLS using the certificate and key below. |
| `metrics.listen.secure.keyFile` | string | `"/etc/tls/tls.key"` | TLS key file path. |
| `metrics.service.annotations` | object | `{}` | Additional service annotations. |
| `metrics.service.enabled` | bool | `false` | Enable if you use a monitoring tool other than Prometheus to scrape the metrics. |
| `metrics.service.port` | int | `8080` | Metrics service port to scrape. |
| `nameOverride` | string | `""` | |
| `namespaceOverride` | string | `""` | |
| `nodeSelector` | object | `{}` | |
| `openshiftFinalizers` | bool | `true` | If true, the OpenShift finalizer permissions are added to RBAC. |
| `podAnnotations` | object | `{}` | Annotations to add to the Pod. |
| `podDisruptionBudget` | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| `podLabels` | object | `{}` | |
| `podSecurityContext.enabled` | bool | `true` | |
| `podSpecExtra` | object | `{}` | Any extra pod spec fields for the deployment. |
| `priorityClassName` | string | `""` | Pod priority class name. |
| `processClusterExternalSecret` | bool | `true` | If true, the operator processes ClusterExternalSecrets; otherwise it ignores them. When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper cleanup during namespace deletion, preventing race conditions with ExternalSecrets. |
| `processClusterGenerator` | bool | `true` | If true, the operator processes ClusterGenerators; otherwise it ignores them. |
| `processClusterPushSecret` | bool | `true` | If true, the operator processes ClusterPushSecrets; otherwise it ignores them. |
| `processClusterStore` | bool | `true` | If true, the operator processes ClusterSecretStores; otherwise it ignores them. |
| `processPushSecret` | bool | `true` | If true, the operator processes PushSecrets; otherwise it ignores them. |
| `processSecretStore` | bool | `true` | If true, the operator processes SecretStores; otherwise it ignores them. |
| `rbac.aggregateToEdit` | bool | `true` | Whether permissions are aggregated into the built-in edit ClusterRole. |
| `rbac.aggregateToView` | bool | `true` | Whether permissions are aggregated into the built-in view ClusterRole. |
| `rbac.create` | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| `rbac.servicebindings.create` | bool | `true` | Whether a ClusterRole granting read access to servicebindings should be created. |
| `readinessProbe.enabled` | bool | `false` | Whether the readiness probe is enabled. Disabled by default. Enabling it auto-starts the health server (--live-addr) even if livenessProbe is disabled; the health server address and port are configured via livenessProbe.spec.address and livenessProbe.spec.port. |
| `readinessProbe.spec` | object | `{"failureThreshold":3,"httpGet":{"path":"/readyz","port":"live"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | The readiness probe settings (standard Kubernetes probe spec). |
| `readinessProbe.spec.failureThreshold` | int | `3` | Number of consecutive probe failures before the probe is considered failed. |
| `readinessProbe.spec.httpGet` | object | `{"path":"/readyz","port":"live"}` | Handler for the readiness probe. |
| `readinessProbe.spec.httpGet.path` | string | `"/readyz"` | Path for the readiness probe. |
| `readinessProbe.spec.httpGet.port` | string | `"live"` | Set this to `live` (the named port) or to an integer port for the readiness probe. |
| `readinessProbe.spec.initialDelaySeconds` | int | `10` | Delay in seconds after container start before the first probe. |
| `readinessProbe.spec.periodSeconds` | int | `10` | Period in seconds between probes. |
| `readinessProbe.spec.successThreshold` | int | `1` | Number of successful probes required to mark the probe successful. |
| `readinessProbe.spec.timeoutSeconds` | int | `5` | Maximum time to wait for a probe response before it is considered failed. |
| `replicaCount` | int | `1` | |
| `resources` | object | `{}` | |
| `revisionHistoryLimit` | int | `10` | Number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy). |
| `scopedNamespace` | string | `""` | If set, external secrets are only reconciled in the provided namespace. |
| `scopedRBAC` | bool | `false` | Must be used together with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets. |
| `securityContext.allowPrivilegeEscalation` | bool | `false` | |
| `securityContext.capabilities.drop[0]` | string | `"ALL"` | |
| `securityContext.enabled` | bool | `true` | |
| `securityContext.readOnlyRootFilesystem` | bool | `true` | |
| `securityContext.runAsNonRoot` | bool | `true` | |
| `securityContext.runAsUser` | int | `1000` | |
| `securityContext.seccompProfile.type` | string | `"RuntimeDefault"` | |
| `service.ipFamilies` | list | `[]` | IP families the ClusterIP service should support, in order of preference. Can be IPv4 and/or IPv6. |
| `service.ipFamilyPolicy` | string | `""` | IP family policy for dual-stack; see the Kubernetes dual-stack documentation. |
| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account. |
| `serviceAccount.automount` | bool | `true` | Automount the service account token in all containers of the pod. |
| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created. |
| `serviceAccount.extraLabels` | object | `{}` | Extra labels to add to the service account. |
| `serviceAccount.name` | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| `serviceMonitor.additionalLabels` | object | `{}` | Additional labels. |
| `serviceMonitor.enabled` | bool | `false` | Whether to create a ServiceMonitor resource for collecting Prometheus metrics. |
| `serviceMonitor.honorLabels` | bool | `false` | Let Prometheus add an exported_ prefix to conflicting labels. |
| `serviceMonitor.interval` | string | `"30s"` | Scrape interval. |
| `serviceMonitor.metricRelabelings` | list | `[]` | Metric relabel configs applied to samples before ingestion. |
| `serviceMonitor.namespace` | string | `""` | Namespace in which to install the ServiceMonitor. |
| `serviceMonitor.relabelings` | list | `[]` | Relabel configs applied to samples before ingestion. |
| `serviceMonitor.renderMode` | string | `"skipIfMissing"` | How to react to a missing monitoring.coreos.com/v1 ServiceMonitor CRD: `skipIfMissing` (only render the ServiceMonitor if the CRD is present), `failIfMissing` (fail the Helm install if the CRD is absent), `alwaysRender` (always render, without checking for the CRD). |
| `serviceMonitor.scrapeTimeout` | string | `"25s"` | Timeout if metrics can't be retrieved within the scrape interval. |
| `strategy` | object | `{}` | Set the deployment strategy. |
| `systemAuthDelegator` | bool | `false` | If true, the system:auth-delegator ClusterRole is added to RBAC. |
| `tolerations` | list | `[]` | |
| `topologySpreadConstraints` | list | `[]` | |
| `vault` | object | `{"enableTokenCache":false,"tokenCacheSize":262144}` | Vault token cache configuration. |
| `vault.enableTokenCache` | bool | `false` | Enable the Vault token cache. External-secrets reuses the Vault token instead of creating a new one on each request. |
| `vault.tokenCacheSize` | int | `262144` | Maximum size of the Vault token cache. Only used if enableTokenCache is true. |
| `webhook.affinity` | object | `{}` | |
| `webhook.annotations` | object | `{}` | Annotations to place on the validating webhook configuration. |
| `webhook.certCheckInterval` | string | `"5m"` | How often the webhook checks that its certificate is valid. |
| `webhook.certDir` | string | `"/tmp/certs"` | |
| `webhook.certManager.addInjectorAnnotations` | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as the cert-manager CA injector is enabled, this sets the webhook CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| `webhook.certManager.cert.annotations` | object | `{}` | Extra annotations for the Certificate resource. |
| `webhook.certManager.cert.create` | bool | `true` | Create a Certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
| `webhook.certManager.cert.duration` | string | `"8760h0m0s"` | Requested duration (lifetime) of the Certificate; one year by default. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec |
| `webhook.certManager.cert.issuerRef` | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | Issuer for the Certificate created by this chart. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| `webhook.certManager.cert.privateKey` | object | `{}` | Settings for the private key and its generation. |
| `webhook.certManager.cert.renewBefore` | string | `""` | How long before expiry of the currently issued certificate cert-manager should renew it. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than webhook.lookaheadInterval, since the webhook checks that far in advance that the certificate is valid. |
| `webhook.certManager.cert.revisionHistoryLimit` | int | `0` | revisionHistoryLimit on the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Defaults to 0 (ignored). |
| `webhook.certManager.cert.signatureAlgorithm` | string | `""` | signatureAlgorithm used for the certificate. Only valid for cert-manager v1.18.0+. |
| `webhook.certManager.enabled` | bool | `false` | Enabling cert-manager support disables the built-in Secret and switches to cert-manager (installed separately) to issue and renew the webhook certificate automatically. This chart does not install cert-manager for you; see https://cert-manager.io/docs/ |
| `webhook.create` | bool | `true` | Whether a webhook deployment should be created. If set to false, crds.conversion.enabled should also be false; otherwise the API server is hammered with conversion requests looking for a webhook endpoint. |
| `webhook.deploymentAnnotations` | object | `{}` | Annotations to add to the Deployment. |
| `webhook.extraArgs` | object | `{}` | |
| `webhook.extraEnv` | list | `[]` | |
| `webhook.extraInitContainers` | list | `[]` | |
| `webhook.extraVolumeMounts` | list | `[]` | |
| `webhook.extraVolumes` | list | `[]` | |
| `webhook.failurePolicy` | string | `"Fail"` | Whether the validating webhooks are created with failurePolicy Fail or Ignore. |
| `webhook.hostAliases` | list | `[]` | hostAliases for the webhook deployment. |
| `webhook.hostNetwork` | bool | `false` | Whether the webhook pod should use hostNetwork. |
| `webhook.hostUsers` | bool | `nil` | Whether the webhook pod should use hostUsers. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33. |
| `webhook.image.flavour` | string | `""` | The image flavour to use. |
| `webhook.image.pullPolicy` | string | `"IfNotPresent"` | |
| `webhook.image.repository` | string | `"ghcr.io/external-secrets/external-secrets"` | |
| `webhook.image.tag` | string | `""` | The image tag to use. Defaults to the chart appVersion. |
| `webhook.imagePullSecrets` | list | `[]` | |
| `webhook.log` | object | `{"level":"info","timeEncoding":"epoch"}` | Log parameters for the webhook. |
| `webhook.lookaheadInterval` | string | `""` | How far ahead of expiry the webhook treats its certificate as invalid. |
| `webhook.metrics.listen.port` | int | `8080` | |
| `webhook.metrics.service.annotations` | object | `{}` | Additional service annotations. |
| `webhook.metrics.service.enabled` | bool | `false` | Enable if you use a monitoring tool other than Prometheus to scrape the metrics. |
| `webhook.metrics.service.port` | int | `8080` | Metrics service port to scrape. |
| `webhook.nodeSelector` | object | `{}` | |
| `webhook.podAnnotations` | object | `{}` | Annotations to add to the Pod. |
| `webhook.podDisruptionBudget` | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| `webhook.podLabels` | object | `{}` | |
| `webhook.podSecurityContext.enabled` | bool | `true` | |
| `webhook.port` | int | `10250` | The port the webhook listens on. |
| `webhook.priorityClassName` | string | `""` | Pod priority class name. |
| `webhook.readinessProbe.address` | string | `""` | Address for the readiness probe. |
| `webhook.readinessProbe.port` | int | `8081` | Readiness probe port for the kubelet. |
| `webhook.replicaCount` | int | `1` | |
| `webhook.resources` | object | `{}` | |
| `webhook.revisionHistoryLimit` | int | `10` | Number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy). |
| `webhook.secretAnnotations` | object | `{}` | Annotations to add to the Secret. |
| `webhook.securityContext.allowPrivilegeEscalation` | bool | `false` | |
| `webhook.securityContext.capabilities.drop[0]` | string | `"ALL"` | |
| `webhook.securityContext.enabled` | bool | `true` | |
| `webhook.securityContext.readOnlyRootFilesystem` | bool | `true` | |
| `webhook.securityContext.runAsNonRoot` | bool | `true` | |
| `webhook.securityContext.runAsUser` | int | `1000` | |
| `webhook.securityContext.seccompProfile.type` | string | `"RuntimeDefault"` | |
| `webhook.service` | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","type":"ClusterIP"}` | Manage the Service through which the webhook is reached. |
| `webhook.service.annotations` | object | `{}` | Custom annotations for the webhook Service. |
| `webhook.service.enabled` | bool | `true` | Whether the Service object should be created (it is expected to exist). |
| `webhook.service.labels` | object | `{}` | Custom labels for the webhook Service. |
| `webhook.service.loadBalancerIP` | string | `""` | If the webhook Service type is LoadBalancer, a specific load balancer IP can be assigned here. Check your load balancer provider's documentation to see if/how this should be used. |
| `webhook.service.type` | string | `"ClusterIP"` | The type of the webhook Service. |
| `webhook.serviceAccount.annotations` | object | `{}` | Annotations to add to the service account. |
| `webhook.serviceAccount.automount` | bool | `true` | Automount the service account token in all containers of the pod. |
| `webhook.serviceAccount.create` | bool | `true` | Specifies whether a service account should be created. |
| `webhook.serviceAccount.extraLabels` | object | `{}` | Extra labels to add to the service account. |
| `webhook.serviceAccount.name` | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| `webhook.strategy` | object | `{}` | Set the deployment strategy. |
| `webhook.tolerations` | list | `[]` | |
| `webhook.topologySpreadConstraints` | list | `[]` | |
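The webhook.certManager.*, webhook.lookaheadInterval and metrics.listen.secure.* rows above interact, and the table can only state the constraints one row at a time. The following values file is an added example (not the chart's own documentation) that wires them together: the webhook certificate comes from cert-manager instead of the chart's self-managed Secret, and the controller's metrics endpoint is served over TLS from a mounted key pair. It assumes cert-manager with its CA injector is installed, a ClusterIssuer named `internal-ca`, and a pre-existing TLS Secret `external-secrets-metrics-tls` containing `tls.crt` and `tls.key`; all three names are assumptions.

```yaml
# values-webhook-tls.yaml (added example; assumed names: ClusterIssuer
# "internal-ca", Secret "external-secrets-metrics-tls" with tls.crt/tls.key)
# Install with:
#   helm install external-secrets external-secrets/external-secrets \
#     --namespace external-secrets --create-namespace -f values-webhook-tls.yaml

webhook:
  certManager:
    enabled: true                 # disables the chart's built-in webhook cert Secret
    addInjectorAnnotations: true  # CA injector fills caBundle on the webhook and CRDs
    cert:
      create: true
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: internal-ca
      duration: 2160h0m0s      # 90 days instead of the one-year default
      renewBefore: 720h0m0s    # 30 days; must be greater than lookaheadInterval below
      privateKey:
        algorithm: ECDSA
        size: 256
        rotationPolicy: Always  # new key on every renewal, not only a new cert
  # The webhook re-checks its certificate every certCheckInterval and treats it
  # as invalid lookaheadInterval before expiry. With renewBefore (30d) larger
  # than lookaheadInterval (15d), cert-manager has rotated the certificate
  # before the webhook would start refusing to serve with it.
  certCheckInterval: 5m
  lookaheadInterval: 360h
  failurePolicy: Fail

# The cert controller exists to manage the chart's self-signed certificate;
# it is not needed once cert-manager issues the webhook certificate.
certController:
  create: false

# Serve controller metrics over TLS from a key pair mounted from a Secret.
# The chart only knows the file paths; the volume and mount are supplied here.
metrics:
  listen:
    port: 8080
    secure:
      enabled: true
      certDir: /etc/tls
      certFile: /etc/tls/tls.crt
      keyFile: /etc/tls/tls.key
extraVolumes:
  - name: metrics-tls
    secret:
      secretName: external-secrets-metrics-tls
extraVolumeMounts:
  - name: metrics-tls
    mountPath: /etc/tls
    readOnly: true
```

Two checks are worth running after install. First, `kubectl get certificate -n external-secrets` should show the webhook Certificate as Ready and `kubectl get validatingwebhookconfiguration -o yaml` should show a non-empty caBundle, which proves the injector annotation took effect; with failurePolicy Fail, a missing caBundle blocks every SecretStore and ExternalSecret write. Second, if you also enable serviceMonitor, confirm with `helm template` that the rendered ServiceMonitor scrapes the now-TLS metrics port with an https scheme, since the serviceMonitor values carry no scheme field of their own.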