logic855/helm-external-secrets @ ab51970242521c6a7fb10ab2f236505bf56ac249

Träd: ab51970242

IdanAdar-patch-1

Switch-UBI-to-go-toolset-as-base-image

aws-iam-anywhere

aws-metadata

beach-team

beach-team-fix/beach-team-pipeline

beach/fix-fake-provider

beach/keyvault-set-secret

bh.ss

broken-link

bump/0.8.13

bunp-helm-chart

chart/certcontroller-partial-cache

chore/bump-0.9.2-branch

chore/bump-controller-runtime

chore/refactor-aws-auth

chore/standardize-vault-auth-paths

chore/update-readme-with-vision

cleanup-keys-when-using-template

coderabbitai/docstrings/17d3e22

conversion-webhook-debug

copilot/fix-code-scanning-alerts

copilot/fix-license-header-typographical-errors

copilot/sub-pr-6021

dependabot/docker/ubi9/ubi-8942b73866f8434571d6fc4c10cbebd48982995d2249c39302e4d71e7df3afd9

dependabot/github_actions/aws-actions/configure-aws-credentials-6.2.0

dependabot/github_actions/docker/setup-qemu-action-4.1.0

dependabot/go_modules/github.com/onsi/ginkgo-1.15.1

dependabot/go_modules/sigs.k8s.io/controller-runtime-0.8.3

dependabot/pip/hack/api-docs/idna-3.17

dependabot/pip/hack/api-docs/platformdirs-4.10.0

design/decoding-strategy

dev/jsauvain/plugin_ovh_provider

docs/demo-of-devops-toolkit

e2e-test-run

feat/add-log-values-to-helm-chart

feature/aws-getallsecrets

feature/aws-getallsecrets-trim-root-path

feature/configure-promethues-target-port

feature/custom-cert-secret

feature/gcp-referent-auth

feature/keyvault-deletion-policy

feature/new-provider-structure

fix-infisical-404

fix-test

fix/e2e

fix/gcp-issues

fix/kubernetes-access-review-strategy

fix/vault-lint

fix/vault-not-handling-json-values

gc-feat-sts-session-token-generator-attempt-2

gc-fix-update-readme

gc/design/gen-secretstore-v2

gc/fix/ibm

gc/fix/v015.1

gc/rollback-0.15.1

gh-pages

gh-pages-dev

gitlab-validation-refactors

gusfcarvalho-patch-1

main

mj-add-generator

mj-aws-v2-parameterstore-e2e

mj-bump-ubiimg

mj-bumps

mj-design-oopp

mj-e2e-managed-aws-tf

mj-expose-admission-warnings

mj-fix-aws-genereator-auth-cache

mj-fix-dashboard

mj-fix-reko

mj-fix-vault-ref-spec

mj-go-mod

mj-provider-mod

mj-pushsecret-generator-state

mj-test-gcp-m

mj-test-mgmt

mj-v2-poc

mj-v2-poc-2

mj-v2-poc-api-crds

mj-v2-poc-build-targets

mj-v2-poc-charts

mj-v2-poc-ci-licensing

mj-v2-poc-compat-clientmanager

mj-v2-poc-core-wiring

mj-v2-poc-e2e-framework

mj-v2-poc-e2e-generator-suites

mj-v2-poc-e2e-provider-aws

mj-v2-poc-e2e-provider-common

mj-v2-poc-e2e-provider-fake-kubernetes

mj-v2-poc-e2e-provider-gcp

mj-v2-poc-e2e-provider-legacy

mj-v2-poc-final-cleanup

mj-v2-poc-generator-registry

mj-v2-poc-misc-cleanups

mj-v2-poc-module-refresh

mj-v2-poc-provider-adapters

mj-v2-poc-provider-aws

mj-v2-poc-provider-certs

mj-v2-poc-provider-fake

mj-v2-poc-provider-hack

mj-v2-poc-provider-interface

mj-v2-poc-provider-kubernetes

mj-v2-poc-provider-schemes

mj-v2-poc-pushsecret-v2

mj-v2-poc-rebased

mj-v2-poc-runtime-contract

mj-v2-poc-runtime-webhook

mj-v2-poc-store-requeue

poc-workflow

pr-5527

predicate-watch-fix

promote-chart-0.9.11

release-0.10.3-helm-charts

release-0.10.4-helm-charts

release-0.6

release-0.7

release-0.8

release-0.9

release-branch-test-1

release-chart-v0.10.5

release-chart-v0.15.0

release-chart-v0.15.0-2

release-chart-v0.15.0-3

release-helm-2.2.0

release-helm-chart-v0.10.5

release-helm-chart-v0.16.1

release-helm-chart-v0.16.2

release-helm-chart-v0.17.0

release-helm-chart-v0.18.1

release-helm-chart-v0.18.2

release-helm-chart-v0.19.0

release-helm-chart-v0.19.1

release-helm-chart-v0.20.1

release-helm-chart-v0.20.1-2

release-helm-chart-v0.20.1-3

release-helm-chart-v0.20.2

release-helm-chart-v0.20.3

release-helm-chart-v0.20.3-2

release-helm-chart-v0.20.4

release-helm-chart-v1.0.0

release-helm-chart-v1.1.0

release-notes-0.18.0

release-v0.10.6-helm-chart

release-v0.10.6-helm-chart-docs

release-v0.10.7

release-v0.11.0-charts

release-v0.12.1-charts

release-v0.13.0-charts

release-v0.13.0-charts-2

release-v0.14.0-charts

release-v0.14.2-charts

release-v0.14.3-charts

release-v0.14.3-charts-2

release-v0.14.4

revert-662-revert-613-getall-Secrets

sonar-dispatch

test-ca-cert-trouble

test-e2e-no-fork-2

test-e2e-run

test-infra

test-non-fork-e2e-test

update-deps-1679516143

update-deps-1679516914

update-deps-1679517123

update-deps-1679518009

update-deps-1679519068

update-deps-1679520715

update-deps-1679521323

update-deps-1679522475

update-deps-1679524823

update-deps-1679526149

update-deps-1679526150

update-deps-1684144987

update-deps-1684144991

update-deps-1684749783

update-deps-1684749784

update-deps-1685354595

update-deps-1685354598

update-deps-1685959386

update-deps-1685959389

update-deps-1686564186

update-deps-1686564187

update-deps-1687168984

update-deps-1688983412

update-deps-1689588212

update-deps-1689588216

update-deps-1689588218

update-deps-1690192998

update-deps-1690192999

update-deps-1690193006

update-deps-1690797787

update-deps-1690797790

update-deps-1690797793

update-deps-1691402717

update-deps-1692612193

update-deps-1692612200

update-deps-1698660199

update-deps-1699265013

update-deps-1699869789

update-deps-1702893806

update-deps-1703498593

update-deps-1704103390

update-deps-1705313002

update-deps-1705313003

update-deps-1707127435

update-deps-1708337007

update-deps-1708941785

update-deps-1709548582

update-deps-1711361006

update-deps-1728295726

update-deps-1728900214

update-deps-1729505043

update-deps-1730714625

update-deps-1731319410

update-deps-1731924224

update-deps-1733738623

update-deps-1734343423

update-deps-1734948213

update-deps-1735553019

update-deps-1735553021

update-deps-1736157834

update-deps-1736762637

update-deps-1737367411

update-deps-1737367413

update-deps-1737972215

update-deps-1738577008

update-deps-1739181819

update-deps-1739786702

update-deps-1740391424

update-deps-1740996509

update-deps-1741601012

update-deps-1742205840

update-deps-1742810656

update-deps-1744021399

update-deps-1745229858

update-deps-1745836636

update-deps-1746439470

update-deps-1747044270

update-deps-1747649082

update-deps-1748254077

update-deps-1748858663

update-deps-1749463460

update-deps-1750068277

update-deps-1750673073

update-deps-1751277848

update-deps-1751882658

update-deps-1752487463

update-deps-1753092271

update-deps-1753697066

update-deps-1754301928

update-deps-1754906674

update-deps-1755511479

update-deps-1755511483

update-deps-1756116259

update-deps-1762164298

update-deps-1770632590

update-deps-1774261326

update-helm-chart-v0.14.2

update-ibm-docs

update-vault-api

validate-secret-store-gitlab

validate-store-oracle

Hashicorp Vault

External Secrets Operator integrates with HashiCorp Vault for secret management. Vault itself implements lots of different secret engines, as of now we only support the KV Secrets Engine.

Authentication

We support three different modes for authentication: token-based, appRole and kubernetes-native, each one comes with it's own trade-offs. Depending on the authentication method you need to adapt your environment.

Token-based authentication

A static token is stored in a Kind=Secret and is used to authenticate with vault.

{% include 'vault-token-store.yaml' %}

AppRole authentication example

AppRole authentication reads the secret id from a Kind=Secret and uses the specified roleId to aquire a temporary token to fetch secrets.

{% include 'vault-approle-store.yaml' %}

Kubernetes authentication

Kubernetes-native authentication has three options of optaining credentials for vault:

by using a service account jwt referenced in serviceAccountRef
by using the jwt from a Kind=Secret referenced by the secretRef
by using transient credentials from the mounted service account token within the external-secrets operator

{% include 'vault-kubernetes-store.yaml' %}

provider-hashicorp-vault.md 1.6 KB Historik Rå

Hashicorp Vault

Authentication

Token-based authentication

AppRole authentication example

Kubernetes authentication

provider-hashicorp-vault.md 1.6 KB

Historik Rå