README.md 25 KB
External Secrets
External secrets management for Kubernetes
TL;DR
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets
Installing the Chart
To install the chart with the release name external-secrets:
helm install external-secrets external-secrets/external-secrets
Custom Resources
By default, the chart will install external-secrets CRDs, this can be controlled with installCRDs value.
Uninstalling the Chart
To uninstall the external-secrets deployment:
helm uninstall external-secrets
The command removes all the Kubernetes components associated with the chart and deletes the release.
Values
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | {} |
|
| bitwarden-sdk-server.enabled | bool | false |
|
| bitwarden-sdk-server.namespaceOverride | string | "" |
|
| certController.affinity | object | {} |
|
| certController.create | bool | true |
Specifies whether a certificate controller deployment be created. |
| certController.deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| certController.extraArgs | object | {} |
|
| certController.extraEnv | list | [] |
|
| certController.extraInitContainers | list | [] |
|
| certController.extraVolumeMounts | list | [] |
|
| certController.extraVolumes | list | [] |
|
| certController.hostNetwork | bool | false |
Run the certController on the host network |
| certController.image.flavour | string | "" |
|
| certController.image.pullPolicy | string | "IfNotPresent" |
|
| certController.image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| certController.image.tag | string | "" |
|
| certController.imagePullSecrets | list | [] |
|
| certController.log | object | {"level":"info","timeEncoding":"epoch"} |
Specifies Log Params to the Certificate Controller |
| certController.metrics.listen.port | int | 8080 |
|
| certController.metrics.service.annotations | object | {} |
Additional service annotations |
| certController.metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| certController.metrics.service.port | int | 8080 |
Metrics service port to scrape |
| certController.nodeSelector | object | {} |
|
| certController.podAnnotations | object | {} |
Annotations to add to Pod |
| certController.podDisruptionBudget | object | {"enabled":false,"minAvailable":1,"nameOverride":""} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | {} |
|
| certController.podSecurityContext.enabled | bool | true |
|
| certController.priorityClassName | string | "" |
Pod priority class name. |
| certController.rbac.create | bool | true |
Specifies whether role and rolebinding resources should be created. |
| certController.readinessProbe.address | string | "" |
Address for readiness probe |
| certController.readinessProbe.port | int | 8081 |
ReadinessProbe port for kubelet |
| certController.replicaCount | int | 1 |
|
| certController.requeueInterval | string | "5m" |
|
| certController.resources | object | {} |
|
| certController.revisionHistoryLimit | int | 10 |
Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| certController.securityContext.allowPrivilegeEscalation | bool | false |
|
| certController.securityContext.capabilities.drop[0] | string | "ALL" |
|
| certController.securityContext.enabled | bool | true |
|
| certController.securityContext.readOnlyRootFilesystem | bool | true |
|
| certController.securityContext.runAsNonRoot | bool | true |
|
| certController.securityContext.runAsUser | int | 1000 |
|
| certController.securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
| certController.serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| certController.serviceAccount.automount | bool | true |
Automounts the service account token in all containers of the pod |
| certController.serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| certController.serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| certController.serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.startupProbe.enabled | bool | false |
Enabled determines if the startup probe should be used or not. By default it's enabled |
| certController.startupProbe.port | string | "" |
Port for startup probe. |
| certController.startupProbe.useReadinessProbePort | bool | true |
whether to use the readiness probe port for startup probe. |
| certController.strategy | object | {} |
Set deployment strategy |
| certController.tolerations | list | [] |
|
| certController.topologySpreadConstraints | list | [] |
|
| commonLabels | object | {} |
Additional labels added to all helm chart resources. |
| concurrent | int | 1 |
Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
| controllerClass | string | "" |
If set external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.annotations | object | {} |
|
| crds.conversion.enabled | bool | false |
Conversion is disabled by default as we stopped supporting v1alpha1. |
| crds.createClusterExternalSecret | bool | true |
If true, create CRDs for Cluster External Secret. |
| crds.createClusterGenerator | bool | true |
If true, create CRDs for Cluster Generator. |
| crds.createClusterPushSecret | bool | true |
If true, create CRDs for Cluster Push Secret. |
| crds.createClusterSecretStore | bool | true |
If true, create CRDs for Cluster Secret Store. |
| crds.createPushSecret | bool | true |
If true, create CRDs for Push Secret. |
| createOperator | bool | true |
Specifies whether an external secret operator deployment be created. |
| deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| dnsConfig | object | {} |
Specifies dnsOptions to deployment |
| dnsPolicy | string | "ClusterFirst" |
Specifies dnsPolicy to deployment |
| enableHTTP2 | bool | false |
if true, HTTP2 will be enabled for the services created by all controllers, curently metrics and webhook. |
| extendedMetricLabels | bool | false |
If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
| extraArgs | object | {} |
|
| extraContainers | list | [] |
|
| extraEnv | list | [] |
|
| extraInitContainers | list | [] |
|
| extraObjects | list | [] |
|
| extraVolumeMounts | list | [] |
|
| extraVolumes | list | [] |
|
| fullnameOverride | string | "" |
|
| genericTargets | object | {"enabled":false,"resources":[]} |
Enable support for generic targets (ConfigMaps, Custom Resources). Warning: Using generic target. Make sure access policies and encryption are properly configured. When enabled, this grants the controller permissions to create/update/delete ConfigMaps and optionally other resource types specified in generic.resources. |
| genericTargets.enabled | bool | false |
Enable generic target support |
| genericTargets.resources | list | [] |
List of additional resource types to grant permissions for. Each entry should specify apiGroup, resources, and verbs. Example: resources: - apiGroup: "argoproj.io" resources: ["applications"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] |
| global.affinity | object | {} |
|
| global.compatibility.openshift.adaptSecurityContext | string | "auto" |
Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
| global.nodeSelector | object | {} |
|
| global.tolerations | list | [] |
|
| global.topologySpreadConstraints | list | [] |
|
| grafanaDashboard.annotations | object | {} |
Annotations that ConfigMaps can have to get configured in Grafana, See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder. https://github.com/grafana/helm-charts/tree/main/charts/grafana |
| grafanaDashboard.enabled | bool | false |
If true creates a Grafana dashboard. |
| grafanaDashboard.extraLabels | object | {} |
Extra labels to add to the Grafana dashboard ConfigMap. |
| grafanaDashboard.sidecarLabel | string | "grafana_dashboard" |
Label that ConfigMaps should have to be loaded as dashboards. |
| grafanaDashboard.sidecarLabelValue | string | "1" |
Label value that ConfigMaps should have to be loaded as dashboards. |
| hostNetwork | bool | false |
Run the controller on the host network |
| image.flavour | string | "" |
The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
| image.pullPolicy | string | "IfNotPresent" |
|
| image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| image.tag | string | "" |
The image tag to use. The default is the chart appVersion. |
| imagePullSecrets | list | [] |
|
| installCRDs | bool | true |
If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | false |
If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| livenessProbe.enabled | bool | false |
Enabled determines if the liveness probe should be used or not. By default it's disabled. |
| livenessProbe.spec | object | {"address":"","failureThreshold":5,"httpGet":{"path":"/healthz","port":8082},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
The body of the liveness probe settings. |
| livenessProbe.spec.address | string | "" |
Address for liveness probe. |
| livenessProbe.spec.failureThreshold | int | 5 |
Number of consecutive probe failures that should occur before considering the probe as failed. |
| livenessProbe.spec.httpGet | object | {"path":"/healthz","port":8082} |
Handler for liveness probe. |
| livenessProbe.spec.httpGet.path | string | "/healthz" |
Path for liveness probe. |
| livenessProbe.spec.httpGet.port | int | 8082 |
Set this value to 8082 to active liveness probes. @schema type: [string, integer] |
| livenessProbe.spec.initialDelaySeconds | int | 10 |
Delay in seconds for the container to start before performing the initial probe. |
| livenessProbe.spec.periodSeconds | int | 10 |
Period in seconds for K8s to start performing probes. |
| livenessProbe.spec.successThreshold | int | 1 |
Number of successful probes to mark probe successful. |
| livenessProbe.spec.timeoutSeconds | int | 5 |
Specify the maximum amount of time to wait for a probe to respond before considering it fails. |
| log | object | {"level":"info","timeEncoding":"epoch"} |
Specifies Log Params to the External Secrets Operator |
| metrics.listen.port | int | 8080 |
|
| metrics.listen.secure.certDir | string | "/etc/tls" |
TLS cert directory path |
| metrics.listen.secure.certFile | string | "/etc/tls/tls.crt" |
TLS cert file path |
| metrics.listen.secure.enabled | bool | false |
|
| metrics.listen.secure.keyFile | string | "/etc/tls/tls.key" |
TLS key file path |
| metrics.service.annotations | object | {} |
Additional service annotations |
| metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| metrics.service.port | int | 8080 |
Metrics service port to scrape |
| nameOverride | string | "" |
|
| namespaceOverride | string | "" |
|
| nodeSelector | object | {} |
|
| openshiftFinalizers | bool | true |
If true the OpenShift finalizer permissions will be added to RBAC |
| podAnnotations | object | {} |
Annotations to add to Pod |
| podDisruptionBudget | object | {"enabled":false,"minAvailable":1,"nameOverride":""} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | {} |
|
| podSecurityContext.enabled | bool | true |
|
| podSpecExtra | object | {} |
Any extra pod spec on the deployment |
| priorityClassName | string | "" |
Pod priority class name. |
| processClusterExternalSecret | bool | true |
if true, the operator will process cluster external secret. Else, it will ignore them. When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper cleanup during namespace deletion, preventing race conditions with ExternalSecrets. |
| processClusterGenerator | bool | true |
if true, the operator will process cluster generator. Else, it will ignore them. |
| processClusterPushSecret | bool | true |
if true, the operator will process cluster push secret. Else, it will ignore them. |
| processClusterStore | bool | true |
if true, the operator will process cluster store. Else, it will ignore them. |
| processPushSecret | bool | true |
if true, the operator will process push secret. Else, it will ignore them. |
| rbac.aggregateToEdit | bool | true |
Specifies whether permissions are aggregated to the edit ClusterRole |
| rbac.aggregateToView | bool | true |
Specifies whether permissions are aggregated to the view ClusterRole |
| rbac.create | bool | true |
Specifies whether role and rolebinding resources should be created. |
| rbac.servicebindings.create | bool | true |
Specifies whether a clusterrole to give servicebindings read access should be created. |
| replicaCount | int | 1 |
|
| resources | object | {} |
|
| revisionHistoryLimit | int | 10 |
Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| scopedNamespace | string | "" |
If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | false |
Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext.allowPrivilegeEscalation | bool | false |
|
| securityContext.capabilities.drop[0] | string | "ALL" |
|
| securityContext.enabled | bool | true |
|
| securityContext.readOnlyRootFilesystem | bool | true |
|
| securityContext.runAsNonRoot | bool | true |
|
| securityContext.runAsUser | int | 1000 |
|
| securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
| service.ipFamilies | list | [] |
Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
| service.ipFamilyPolicy | string | "" |
Set the ip family policy to configure dual-stack see Configure dual-stack |
| serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| serviceAccount.automount | bool | true |
Automounts the service account token in all containers of the pod |
| serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | {} |
Additional labels |
| serviceMonitor.enabled | bool | false |
Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| serviceMonitor.honorLabels | bool | false |
Let prometheus add an exported_ prefix to conflicting labels |
| serviceMonitor.interval | string | "30s" |
Interval to scrape metrics |
| serviceMonitor.metricRelabelings | list | [] |
Metric relabel configs to apply to samples before ingestion. Metric Relabeling |
| serviceMonitor.namespace | string | "" |
namespace where you want to install ServiceMonitors |
| serviceMonitor.relabelings | list | [] |
Relabel configs to apply to samples before ingestion. Relabeling |
| serviceMonitor.renderMode | string | "skipIfMissing" |
How should we react to missing CRD "monitoring.coreos.com/v1/ServiceMonitor" Possible values: - skipIfMissing: Only render ServiceMonitor resources if CRD is present, skip if missing. - failIfMissing: Fail Helm install if CRD is not present. - alwaysRender : Always render ServiceMonitor resources, do not check for CRD. @schema enum: - skipIfMissing - failIfMissing - alwaysRender @schema |
| serviceMonitor.scrapeTimeout | string | "25s" |
Timeout if metrics can't be retrieved in given time interval |
| strategy | object | {} |
Set deployment strategy |
| systemAuthDelegator | bool | false |
If true the system:auth-delegator ClusterRole will be added to RBAC |
| tolerations | list | [] |
|
| topologySpreadConstraints | list | [] |
|
| webhook.affinity | object | {} |
|
| webhook.annotations | object | {} |
Annotations to place on validating webhook configuration. |
| webhook.certCheckInterval | string | "5m" |
Specifies the time to check if the cert is valid |
| webhook.certDir | string | "/tmp/certs" |
|
| webhook.certManager.addInjectorAnnotations | bool | true |
Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.cert.annotations | object | {} |
Add extra annotations to the Certificate resource. |
| webhook.certManager.cert.create | bool | true |
Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
| webhook.certManager.cert.duration | string | "8760h0m0s" |
Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
| webhook.certManager.cert.issuerRef | object | {"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"} |
For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.renewBefore | string | "" |
How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
| webhook.certManager.cert.revisionHistoryLimit | int | 0 |
Set the revisionHistoryLimit on the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Defaults to 0 (ignored). |
| webhook.certManager.enabled | bool | false |
Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
| webhook.create | bool | true |
Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
| webhook.deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| webhook.extraArgs | object | {} |
|
| webhook.extraEnv | list | [] |
|
| webhook.extraInitContainers | list | [] |
|
| webhook.extraVolumeMounts | list | [] |
|
| webhook.extraVolumes | list | [] |
|
| webhook.failurePolicy | string | "Fail" |
Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.hostNetwork | bool | false |
Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.flavour | string | "" |
The flavour of tag you want to use |
| webhook.image.pullPolicy | string | "IfNotPresent" |
|
| webhook.image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| webhook.image.tag | string | "" |
The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | [] |
|
| webhook.log | object | {"level":"info","timeEncoding":"epoch"} |
Specifies Log Params to the Webhook |
| webhook.lookaheadInterval | string | "" |
Specifies the lookaheadInterval for certificate validity |
| webhook.metrics.listen.port | int | 8080 |
|
| webhook.metrics.service.annotations | object | {} |
Additional service annotations |
| webhook.metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| webhook.metrics.service.port | int | 8080 |
Metrics service port to scrape |
| webhook.nodeSelector | object | {} |
|
| webhook.podAnnotations | object | {} |
Annotations to add to Pod |
| webhook.podDisruptionBudget | object | {"enabled":false,"minAvailable":1,"nameOverride":""} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | {} |
|
| webhook.podSecurityContext.enabled | bool | true |
|
| webhook.port | int | 10250 |
The port the webhook will listen to |
| webhook.priorityClassName | string | "" |
Pod priority class name. |
| webhook.readinessProbe.address | string | "" |
Address for readiness probe |
| webhook.readinessProbe.port | int | 8081 |
ReadinessProbe port for kubelet |
| webhook.replicaCount | int | 1 |
|
| webhook.resources | object | {} |
|
| webhook.revisionHistoryLimit | int | 10 |
Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| webhook.secretAnnotations | object | {} |
Annotations to add to Secret |
| webhook.securityContext.allowPrivilegeEscalation | bool | false |
|
| webhook.securityContext.capabilities.drop[0] | string | "ALL" |
|
| webhook.securityContext.enabled | bool | true |
|
| webhook.securityContext.readOnlyRootFilesystem | bool | true |
|
| webhook.securityContext.runAsNonRoot | bool | true |
|
| webhook.securityContext.runAsUser | int | 1000 |
|
| webhook.securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
| webhook.service | object | {"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","type":"ClusterIP"} |
Manage the service through which the webhook is reached. |
| webhook.service.annotations | object | {} |
Custom annotations for the webhook service. |
| webhook.service.enabled | bool | true |
Whether the service object should be enabled or not (it is expected to exist). |
| webhook.service.labels | object | {} |
Custom labels for the webhook service. |
| webhook.service.loadBalancerIP | string | "" |
If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here. Check the documentation of your load balancer provider to see if/how this should be used. |
| webhook.service.type | string | "ClusterIP" |
The service type of the webhook service. |
| webhook.serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| webhook.serviceAccount.automount | bool | true |
Automounts the service account token in all containers of the pod |
| webhook.serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| webhook.serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| webhook.serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.strategy | object | {} |
Set deployment strategy |
| webhook.tolerations | list | [] |
|
| webhook.topologySpreadConstraints | list | [] |