| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902 |
- <!doctype html>
- <html lang="en" class="no-js">
- <head>
-
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width,initial-scale=1">
-
-
-
-
- <link rel="prev" href="../hashicorp-vault/">
-
-
- <link rel="next" href="../ibm-secrets-manager/">
-
-
- <link rel="icon" href="../../pictures/eso-round-logo.svg">
- <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.42">
-
-
-
- <title>Kubernetes - External Secrets Operator</title>
-
-
-
- <link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
-
-
- <link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
-
-
-
-
-
-
-
-
-
-
- <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
- <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
- <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
-
-
-
- <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
-
-
-
-
-
- <script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-QP38TD8K7V",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
-
- <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
-
-
-
-
- </head>
-
-
-
-
-
-
-
-
-
- <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
-
-
- <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
- <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
- <label class="md-overlay" for="__drawer"></label>
- <div data-md-component="skip">
-
-
- <a href="#external-secret-spec" class="md-skip">
- Skip to content
- </a>
-
- </div>
- <div data-md-component="announce">
-
- </div>
-
- <div data-md-color-scheme="default" data-md-component="outdated" hidden>
-
- <aside class="md-banner md-banner--warning">
- <div class="md-banner__inner md-grid md-typeset">
-
- You're not viewing the latest version.
- <a href="../../..">
- <strong>Click here to go to latest.</strong>
- </a>
- </div>
- <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
- </aside>
-
- </div>
-
-
-
- <header class="md-header" data-md-component="header">
- <nav class="md-header__inner md-grid" aria-label="Header">
- <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
-
- <img src="../../pictures/eso-round-logo.svg" alt="logo">
- </a>
- <label class="md-header__button md-icon" for="__drawer">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
- </label>
- <div class="md-header__title" data-md-component="header-title">
- <div class="md-header__ellipsis">
- <div class="md-header__topic">
- <span class="md-ellipsis">
- External Secrets Operator
- </span>
- </div>
- <div class="md-header__topic" data-md-component="header-topic">
- <span class="md-ellipsis">
-
- Kubernetes
-
- </span>
- </div>
- </div>
- </div>
-
-
- <form class="md-header__option" data-md-component="palette">
-
-
-
-
- <input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
-
- <label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
- </label>
-
-
-
-
-
- <input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
-
- <label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
- </label>
-
-
- </form>
-
-
-
- <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
-
-
-
- <label class="md-header__button md-icon" for="__search">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
- </label>
- <div class="md-search" data-md-component="search" role="dialog">
- <label class="md-search__overlay" for="__search"></label>
- <div class="md-search__inner" role="search">
- <form class="md-search__form" name="search">
- <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
- <label class="md-search__icon md-icon" for="__search">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
- </label>
- <nav class="md-search__options" aria-label="Search">
-
- <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
- </button>
- </nav>
-
- </form>
- <div class="md-search__output">
- <div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
- <div class="md-search-result" data-md-component="search-result">
- <div class="md-search-result__meta">
- Initializing search
- </div>
- <ol class="md-search-result__list" role="presentation"></ol>
- </div>
- </div>
- </div>
- </div>
- </div>
-
-
- <div class="md-header__source">
- <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
- <div class="md-source__icon md-icon">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
- </div>
- <div class="md-source__repository">
- External Secrets Operator
- </div>
- </a>
- </div>
-
- </nav>
-
- </header>
-
- <div class="md-container" data-md-component="container">
-
-
-
-
-
- <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
- <div class="md-grid">
- <ul class="md-tabs__list">
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../.." class="md-tabs__link">
-
-
-
-
- Introduction
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../api/components/" class="md-tabs__link">
-
-
-
-
- API
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../guides/introduction/" class="md-tabs__link">
-
-
-
-
- Guides
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item md-tabs__item--active">
- <a href="../aws-secrets-manager/" class="md-tabs__link">
-
-
-
-
- Provider
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
-
-
-
-
- Examples
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../contributing/devguide/" class="md-tabs__link">
-
-
-
-
- Community
- </a>
- </li>
-
-
-
-
-
- </ul>
- </div>
- </nav>
-
-
-
- <main class="md-main" data-md-component="main">
- <div class="md-main__inner md-grid">
-
-
-
- <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
-
- <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
- <label class="md-nav__title" for="__drawer">
- <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
-
- <img src="../../pictures/eso-round-logo.svg" alt="logo">
- </a>
- External Secrets Operator
- </label>
-
- <div class="md-nav__source">
- <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
- <div class="md-source__icon md-icon">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
- </div>
- <div class="md-source__repository">
- External Secrets Operator
- </div>
- </a>
- </div>
-
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
-
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../.." class="md-nav__link ">
-
-
- <span class="md-ellipsis">
- Introduction
- </span>
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_1">
- <span class="md-nav__icon md-icon"></span>
- Introduction
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/overview/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Overview
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/getting-started/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Getting started
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/faq/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- FAQ
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/stability-support/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Stability and Support
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/deprecation-policy/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Deprecation Policy
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
-
-
- <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- API
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2">
- <span class="md-nav__icon md-icon"></span>
- API
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/components/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Components
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
-
-
- <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Core Resources
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_2">
- <span class="md-nav__icon md-icon"></span>
- Core Resources
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/externalsecret/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- ExternalSecret
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/secretstore/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- SecretStore
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clustersecretstore/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- ClusterSecretStore
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clusterexternalsecret/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- ClusterExternalSecret
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/pushsecret/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- PushSecret
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
-
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../../api/generator/" class="md-nav__link ">
-
-
- <span class="md-ellipsis">
- Generators
- </span>
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_2_3" id="__nav_2_3_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_3">
- <span class="md-nav__icon md-icon"></span>
- Generators
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/acr/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Azure Container Registry
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/ecr/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- AWS Elastic Container Registry
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/gcr/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Google Container Registry
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/vault/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Vault Dynamic Secret
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/password/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Password
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/fake/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Fake
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/webhook/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Webhook
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/github/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Github
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/uuid/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- UUID
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
-
-
- <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Reference Docs
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_4">
- <span class="md-nav__icon md-icon"></span>
- Reference Docs
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/spec/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- API specification
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/controller-options/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Controller Options
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/metrics/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Metrics
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
-
-
- <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Guides
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3">
- <span class="md-nav__icon md-icon"></span>
- Guides
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/introduction/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Introduction
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
-
-
- <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- External Secrets
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_2">
- <span class="md-nav__icon md-icon"></span>
- External Secrets
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Extract structured data
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/getallsecrets/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Find Secrets by Name or Metadata
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Rewriting Keys
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
-
-
- <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Advanced Templating
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_2_4">
- <span class="md-nav__icon md-icon"></span>
- Advanced Templating
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/templating/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- v2
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/templating-v1/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- v1
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Kubernetes Secret Types
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Lifecycle: ownership & deletion
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/decoding-strategy/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Decoding Strategies
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/controller-class/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Controller Classes
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/generator/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Generators
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/pushsecrets/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Push Secrets
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_5" >
-
-
- <label class="md-nav__link" for="__nav_3_5" id="__nav_3_5_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Operations
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_5_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_5">
- <span class="md-nav__icon md-icon"></span>
- Operations
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/multi-tenancy/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Multi Tenancy
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/security-best-practices/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Security Best Practices
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/threat-model/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Threat Model
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/v1beta1/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Upgrading to v1beta1
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/using-latest-image/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Using Latest Image
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/disable-cluster-features/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Disable Cluster Features
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
-
-
-
- <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
-
-
- <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
-
-
- <span class="md-ellipsis">
- Provider
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
- <label class="md-nav__title" for="__nav_4">
- <span class="md-nav__icon md-icon"></span>
- Provider
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../aws-secrets-manager/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- AWS Secrets Manager
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../aws-parameter-store/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- AWS Parameter Store
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../azure-key-vault/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Azure Key Vault
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../beyondtrust/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- BeyondTrust
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../bitwarden-secrets-manager/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Bitwarden Secrets Manager
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../chef/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Chef
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../conjur/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- CyberArk Conjur
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../device42/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Device42
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../google-secrets-manager/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Google Cloud Secret Manager
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../hashicorp-vault/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- HashiCorp Vault
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active">
-
- <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
-
-
-
- <label class="md-nav__link md-nav__link--active" for="__toc">
-
-
- <span class="md-ellipsis">
- Kubernetes
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <a href="./" class="md-nav__link md-nav__link--active">
-
-
- <span class="md-ellipsis">
- Kubernetes
- </span>
-
- </a>
-
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#external-secret-spec" class="md-nav__link">
- <span class="md-ellipsis">
- External Secret Spec
- </span>
- </a>
-
- <nav class="md-nav" aria-label="External Secret Spec">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#find-by-tag-name" class="md-nav__link">
- <span class="md-ellipsis">
- find by tag & name
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#target-api-server-configuration" class="md-nav__link">
- <span class="md-ellipsis">
- Target API-Server Configuration
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authentication" class="md-nav__link">
- <span class="md-ellipsis">
- Authentication
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Authentication">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#authenticating-with-bearertoken" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with BearerToken
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-serviceaccount" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with ServiceAccount
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-client-certificates" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with Client Certificates
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#pushsecret" class="md-nav__link">
- <span class="md-ellipsis">
- PushSecret
- </span>
- </a>
-
- <nav class="md-nav" aria-label="PushSecret">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#pushsecret-metadata" class="md-nav__link">
- <span class="md-ellipsis">
- PushSecret Metadata
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#implementation-considerations" class="md-nav__link">
- <span class="md-ellipsis">
- Implementation Considerations
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../ibm-secrets-manager/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- IBM Secrets Manager
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../akeyless/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Akeyless
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../yandex-certificate-manager/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Yandex Certificate Manager
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../yandex-lockbox/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Yandex Lockbox
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../alibaba/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Alibaba Cloud
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../gitlab-variables/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- GitLab Variables
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../oracle-vault/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Oracle Vault
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../1password-automation/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- 1Password Secrets Automation
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../webhook/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Webhook
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../fake/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Fake
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../senhasegura-dsm/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- senhasegura DevOps Secrets Management (DSM)
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../doppler/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Doppler
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../keeper-security/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Keeper Security
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../cloak/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Cloak End 2 End Encrypted Secrets
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../scaleway/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Scaleway
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../delinea/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Delinea
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../secretserver/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Secret Server
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../passbolt/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Passbolt
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../pulumi/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Pulumi ESC
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../onboardbase/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Onboardbase
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider-passworddepot/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Password Depot
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../fortanix/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Fortanix
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../infisical/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Infisical
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../previder/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Previder
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
-
-
- <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Examples
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_5">
- <span class="md-nav__icon md-icon"></span>
- Examples
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- FluxCD
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Anchore Engine
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Jenkins
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/bitwarden/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- BitWarden
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
-
-
- <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Community
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6">
- <span class="md-nav__icon md-icon"></span>
- Community
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
-
-
- <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- Contributing
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_1">
- <span class="md-nav__icon md-icon"></span>
- Contributing
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/devguide/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Developer guide
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/process/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Contributing Process
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/release/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Release Process
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/coc/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Code of Conduct
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/roadmap/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Roadmap
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
-
-
- <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
-
-
- <span class="md-ellipsis">
- External Resources
- </span>
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_2">
- <span class="md-nav__icon md-icon"></span>
- External Resources
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-talks/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Talks
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-demos/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Demos
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-blogs/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Blogs
- </span>
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-tools/" class="md-nav__link">
-
-
- <span class="md-ellipsis">
- Tools
- </span>
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
- </ul>
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#external-secret-spec" class="md-nav__link">
- <span class="md-ellipsis">
- External Secret Spec
- </span>
- </a>
-
- <nav class="md-nav" aria-label="External Secret Spec">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#find-by-tag-name" class="md-nav__link">
- <span class="md-ellipsis">
- find by tag & name
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#target-api-server-configuration" class="md-nav__link">
- <span class="md-ellipsis">
- Target API-Server Configuration
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authentication" class="md-nav__link">
- <span class="md-ellipsis">
- Authentication
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Authentication">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#authenticating-with-bearertoken" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with BearerToken
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-serviceaccount" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with ServiceAccount
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-client-certificates" class="md-nav__link">
- <span class="md-ellipsis">
- Authenticating with Client Certificates
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#pushsecret" class="md-nav__link">
- <span class="md-ellipsis">
- PushSecret
- </span>
- </a>
-
- <nav class="md-nav" aria-label="PushSecret">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#pushsecret-metadata" class="md-nav__link">
- <span class="md-ellipsis">
- PushSecret Metadata
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#implementation-considerations" class="md-nav__link">
- <span class="md-ellipsis">
- Implementation Considerations
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-content" data-md-component="content">
- <article class="md-content__inner md-typeset">
-
-
-
-
- <h1>Kubernetes</h1>
- <p>External Secrets Operator allows to retrieve secrets from a Kubernetes Cluster - this can be either a remote cluster or the local one where the operator runs in.</p>
- <p>A <code>SecretStore</code> points to a <strong>specific namespace</strong> in the target Kubernetes Cluster. You are able to retrieve all secrets from that particular namespace given you have the correct set of RBAC permissions.</p>
- <p>The <code>SecretStore</code> reconciler checks if you have read access for secrets in that namespace using <code>SelfSubjectRulesReview</code>. See below on how to set that up properly.</p>
- <h3 id="external-secret-spec">External Secret Spec</h3>
- <p>This provider supports the use of the <code>Property</code> field. With it you point to the key of the remote secret. If you leave it empty it will json encode all key/value pairs.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store</span><span class="w"> </span><span class="c1"># name of the SecretStore (or kind specified)</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span><span class="w"> </span><span class="c1"># name of the k8s Secret to be created</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="c1"># metadataPolicy to fetch all the labels and annotations in JSON format</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tags</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="w"> </span><span class="c1"># metadataPolicy to fetch all the labels in JSON format</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels</span>
- <span class="w"> </span><span class="c1"># metadataPolicy to fetch a specific label (dev) from the source secret</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">developer</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels.dev</span>
- </code></pre></div>
- <h4 id="find-by-tag-name">find by tag & name</h4>
- <p>You can fetch secrets based on labels or names matching a regexp:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fetch-tls-and-nginx</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fetch-tls-and-nginx</span>
- <span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># match secret name with regexp</span>
- <span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="s">"tls-.*"</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">tags</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># fetch secrets based on label combination</span>
- <span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="s">"nginx"</span>
- </code></pre></div>
- <h3 id="target-api-server-configuration">Target API-Server Configuration</h3>
- <p>The servers <code>url</code> can be omitted and defaults to <code>kubernetes.default</code>. You <strong>have to</strong> provide a CA certificate in order to connect to the API Server securely.
- For your convenience, each namespace has a ConfigMap <code>kube-root-ca.crt</code> that contains the CA certificate of the internal API Server (see <code>RootCAConfigMap</code> <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/">feature gate</a>).
- Use that if you want to connect to the same API server.
- If you want to connect to a remote API Server you need to fetch it and store it inside the cluster as ConfigMap or Secret.
- You may also define it inline as base64 encoded value using the <code>caBundle</code> property.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-default-ns</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
- <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">"https://myapiserver.tld"</span>
- <span class="w"> </span><span class="nt">caProvider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kube-root-ca.crt</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ca.crt</span>
- </code></pre></div>
- <h3 id="authentication">Authentication</h3>
- <p>It's possible to authenticate against the Kubernetes API using client certificates, a bearer token or service account. The operator enforces that exactly one authentication method is used. You can not use the service account that is mounted inside the operator, this is by design to avoid reading secrets across namespaces.</p>
- <p><strong>NOTE:</strong> <code>SelfSubjectRulesReview</code> permission is required in order to validation work properly. Please use the following role as reference:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-role</span>
- <span class="nt">rules</span><span class="p">:</span>
- <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">""</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets</span>
- <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">get</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">list</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">watch</span>
- <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">authorization.k8s.io</span>
- <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsubjectrulesreviews</span>
- <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
- </code></pre></div>
- <h4 id="authenticating-with-bearertoken">Authenticating with BearerToken</h4>
- <p>Create a Kubernetes secret with a client token. There are many ways to acquire such a token, please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies">Kubernetes Authentication docs</a>.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-token</span>
- <span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="s">"...."</span>
- </code></pre></div>
- <p>Create a SecretStore: The <code>auth</code> section indicates that the type <code>token</code> will be used for authentication, it includes the path to fetch the token. Set <code>remoteNamespace</code> to the name of the namespace where your target secrets reside.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-token-auth</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
- <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">token</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">bearerToken</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-token</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
- </code></pre></div>
- <h4 id="authenticating-with-serviceaccount">Authenticating with ServiceAccount</h4>
- <p>Create a Kubernetes Service Account, please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens">Service Account Tokens Documentation</a> on how they work and how to create them.</p>
- <div class="highlight"><pre><span></span><code>$ kubectl create serviceaccount my-store
- </code></pre></div>
- <p>This Service Account needs permissions to read <code>Secret</code> and create <code>SelfSubjectRulesReview</code> resources. Please see the above role.</p>
- <div class="highlight"><pre><span></span><code>$ kubectl create rolebinding my-store --role=eso-store-role --serviceaccount=default:my-store
- </code></pre></div>
- <p>Create a SecretStore: the <code>auth</code> section indicates that the type <code>serviceAccount</code> will be used for authentication.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-sa-auth</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
- <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">serviceAccount</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"my-store"</span>
- </code></pre></div>
- <h4 id="authenticating-with-client-certificates">Authenticating with Client Certificates</h4>
- <p>Create a Kubernetes secret which contains the client key and certificate. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/certificates/">Generate Certificates Documentations</a> on how to create them.</p>
- <div class="highlight"><pre><span></span><code>$ kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
- </code></pre></div>
- <p>Reference the <code>tls-secret</code> in the SecretStore</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-cert-auth</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
- <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">cert</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">clientCert</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"tls-secret"</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">"tls.crt"</span>
- <span class="w"> </span><span class="nt">clientKey</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"tls-secret"</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">"tls.key"</span>
- </code></pre></div>
- <h3 id="pushsecret">PushSecret</h3>
- <p>The PushSecret functionality facilitates the replication of a Kubernetes Secret from one namespace or cluster to another. This feature proves useful in scenarios where you need to share sensitive information, such as credentials or configuration data, across different parts of your infrastructure.</p>
- <p>To configure the PushSecret resource, you need to specify the following parameters:</p>
- <ul>
- <li>
- <p><strong>Selector</strong>: Specify the selector that identifies the source Secret to be replicated. This selector allows you to target the specific Secret you want to share.</p>
- </li>
- <li>
- <p><strong>SecretKey</strong>: Set the SecretKey parameter to indicate the key within the source Secret that you want to replicate. This ensures that only the relevant information is shared.</p>
- </li>
- <li>
- <p><strong>RemoteRef.Property</strong>: In addition to the above parameters, the Kubernetes provider requires you to set the <code>remoteRef.property</code> field. This field specifies the key of the remote Secret resource where the replicated value should be stored.</p>
- </li>
- </ul>
- <p>Here's an example:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span>
- <span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-remote-ns</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote-best-pokemon</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span>
- </code></pre></div>
- <p>To utilize the PushSecret feature effectively, the referenced <code>SecretStore</code> requires specific permissions on the target cluster. In particular it requires <code>create</code>, <code>read</code>, <code>update</code> and <code>delete</code> permissions on the Secret resource:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-push-role</span>
- <span class="nt">rules</span><span class="p">:</span>
- <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">""</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets</span>
- <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">get</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">list</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">watch</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">update</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">patch</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">delete</span>
- <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">authorization.k8s.io</span>
- <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsubjectrulesreviews</span>
- <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
- </code></pre></div>
- <h4 id="pushsecret-metadata">PushSecret Metadata</h4>
- <p>The Kubernetes provider is able to manage both <code>metadata.labels</code> and <code>metadata.annotations</code> of the secret on the target cluster.</p>
- <p>Users have different preferences on what metadata should be pushed. ESO by default pushes both labels and annotations to the target secret and merges them with the existing metadata.</p>
- <p>You can specify the metadata in the <code>spec.template.metadata</code> section if you want to decouple it from the existing secret.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">app.kubernetes.io/part-of</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">mysql_connection_string</span><span class="p">:</span><span class="w"> </span><span class="s">"mysql://{{</span><span class="nv"> </span><span class="s">.hostname</span><span class="nv"> </span><span class="s">}}:3306/{{</span><span class="nv"> </span><span class="s">.database</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysql_connection_string</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">backend_secrets</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysql_connection_string</span>
- </code></pre></div>
- <p>Further, you can leverage the <code>.data[].metadata</code> section to fine-tine the behaviour of the metadata merge strategy. The metadata section is a versioned custom-resource <em>alike</em> structure, the behaviour is detailed below.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-1</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-remote-secret</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">url</span>
- <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.external-secrets.io/v1alpha1</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
- <span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">sourceMergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span><span class="w"> </span><span class="c1"># or Replace</span>
- <span class="w"> </span><span class="nt">targetMergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span><span class="w"> </span><span class="c1"># or Replace / Ignore</span>
- <span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">color</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">red</span>
- <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">yes</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">please</span>
- </code></pre></div>
- <table>
- <thead>
- <tr>
- <th>Field</th>
- <th>Type</th>
- <th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>sourceMergePolicy</td>
- <td>string: <code>Merge</code>, <code>Replace</code></td>
- <td>The sourceMergePolicy defines how the metadata of the source secret is merged. <code>Merge</code> will merge the metadata of the source secret with the metadata defined in <code>.data[].metadata</code>. With <code>Replace</code>, the metadata in <code>.data[].metadata</code> replaces the source metadata.</td>
- </tr>
- <tr>
- <td>targetMergePolicy</td>
- <td>string: <code>Merge</code>, <code>Replace</code>, <code>Ignore</code></td>
- <td>The targetMergePolicy defines how ESO merges the metadata produced by the sourceMergePolicy with the target secret. With <code>Merge</code>, the source metadata is merged with the existing metadata from the target secret. <code>Replace</code> will replace the target metadata with the metadata defined in the source. <code>Ignore</code> leaves the target metadata as is.</td>
- </tr>
- <tr>
- <td>labels</td>
- <td><code>map[string]string</code></td>
- <td>The labels.</td>
- </tr>
- <tr>
- <td>annotations</td>
- <td><code>map[string]string</code></td>
- <td>The annotations.</td>
- </tr>
- </tbody>
- </table>
- <h4 id="implementation-considerations">Implementation Considerations</h4>
- <p>When utilizing the PushSecret feature and configuring the permissions for the SecretStore, consider the following:</p>
- <ul>
- <li>
- <p><strong>RBAC Configuration</strong>: Ensure that the Role-Based Access Control (RBAC) configuration for the SecretStore grants the appropriate permissions for creating, reading, and updating resources in the target cluster.</p>
- </li>
- <li>
- <p><strong>Least Privilege Principle</strong>: Adhere to the principle of least privilege when assigning permissions to the SecretStore. Only provide the minimum required permissions to accomplish the desired synchronization between Secrets.</p>
- </li>
- <li>
- <p><strong>Namespace or Cluster Scope</strong>: Depending on your specific requirements, configure the SecretStore to operate at the desired scope, whether it is limited to a specific namespace or encompasses the entire cluster. Consider the security and access control implications of your chosen scope.</p>
- </li>
- </ul>
-
-
- </article>
- </div>
-
-
- <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
- </div>
-
- </main>
-
- <img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" />
-
- <footer class="md-footer">
-
- <div class="md-footer-meta md-typeset">
- <div class="md-footer-meta__inner md-grid">
- <div class="md-copyright">
-
- <div class="md-copyright__highlight">
- © 2024 The external-secrets Authors.<br/>
- © 2024 The Linux Foundation. All rights reserved.<br/><br/>
- The Linux Foundation has registered trademarks and uses trademarks.<br/>
- For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
- </div>
-
-
- Made with
- <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
- Material for MkDocs
- </a>
-
- </div>
-
- </div>
- </div>
- </footer>
-
- </div>
- <div class="md-dialog" data-md-component="dialog">
- <div class="md-dialog__inner md-typeset"></div>
- </div>
-
-
- <script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
-
-
- <script src="../../assets/javascripts/bundle.83f73b43.min.js"></script>
-
-
- </body>
- </html>
|