| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 |
- apiVersion: external-secrets.io/v1beta1
- kind: ClusterSecretStore
- metadata:
- name: example
- spec:
- # Used to select the correct ESO controller (think: ingress.ingressClassName)
- # The ESO controller is instantiated with a specific controller name
- # and filters ES based on this property
- # Optional
- controller: dev
- # provider field contains the configuration to access the provider
- # which contains the secret exactly one provider must be configured.
- provider:
- # (1): AWS Secrets Manager
- # aws configures this store to sync secrets using AWS Secret Manager provider
- aws:
- service: SecretsManager
- # Role is a Role ARN which the SecretManager provider will assume
- role: iam-role
- # AWS Region to be used for the provider
- region: eu-central-1
- # Auth defines the information necessary to authenticate against AWS
- auth:
- # Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret
- secretRef:
- accessKeyID:
- name: awssm-secret
- key: access-key
- secretAccessKey:
- name: awssm-secret
- key: secret-access-key
- # IAM roles for service accounts
- # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
- jwt:
- serviceAccountRef:
- name: my-serviceaccount
- namespace: sa-namespace
- vault:
- server: "https://vault.acme.org"
- # Path is the mount path of the Vault KV backend endpoint
- path: "secret"
- # Version is the Vault KV secret engine version.
- # This can be either "v1" or "v2", defaults to "v2"
- version: "v2"
- # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
- namespace: "a-team"
- # base64 encoded string of certificate
- caBundle: "..."
- # Instead of caBundle you can also specify a caProvider
- # this will retrieve the cert from a Secret or ConfigMap
- caProvider:
- # Can be Secret or ConfigMap
- type: "Secret"
- # This is mandatory for ClusterSecretStore and not relevant for SecretStore
- namespace: "my-cert-secret-namespace"
- name: "my-cert-secret"
- key: "cert-key"
- auth:
- # static token: https://www.vaultproject.io/docs/auth/token
- tokenSecretRef:
- name: "my-secret"
- namespace: "secret-admin"
- key: "vault-token"
- # AppRole auth: https://www.vaultproject.io/docs/auth/approle
- appRole:
- path: "approle"
- roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
- secretRef:
- name: "my-secret"
- namespace: "secret-admin"
- key: "vault-token"
- # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
- kubernetes:
- mountPath: "kubernetes"
- role: "demo"
- # Optional service account reference
- serviceAccountRef:
- name: "my-sa"
- namespace: "secret-admin"
- # Optional secret field containing a Kubernetes ServiceAccount JWT
- # used for authenticating with Vault
- secretRef:
- name: "my-secret"
- namespace: "secret-admin"
- key: "vault"
- # (2): GCP Secret Manager
- gcpsm:
- # Auth defines the information necessary to authenticate against GCP by getting
- # the credentials from an already created Kubernetes Secret.
- auth:
- secretRef:
- secretAccessKeySecretRef:
- name: gcpsm-secret
- key: secret-access-credentials
- namespace: example
- projectID: myproject
- # (TODO): add more provider examples here
- status:
- # Standard condition schema
- conditions:
- # SecretStore ready condition indicates the given store is in ready
- # state and able to referenced by ExternalSecrets
- # If the `status` of this condition is `False`, ExternalSecret controllers
- # should prevent attempts to fetch secrets
- - type: Ready
- status: "False"
- reason: "ConfigError"
- message: "SecretStore validation failed"
- lastTransitionTime: "2019-08-12T12:33:02Z"
|
