| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991 |
- <!doctype html>
- <html lang="en" class="no-js">
- <head>
-
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width,initial-scale=1">
-
-
-
-
- <link rel="prev" href="../datafrom-rewrite/">
-
-
- <link rel="next" href="../templating-v1/">
-
-
-
-
-
- <link rel="icon" href="../../pictures/eso-round-logo.svg">
- <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
-
-
-
- <title>v2 - External Secrets Operator</title>
-
-
-
- <link rel="stylesheet" href="../../assets/stylesheets/main.484c7ddc.min.css">
-
-
- <link rel="stylesheet" href="../../assets/stylesheets/palette.ab4e12ef.min.css">
-
-
-
-
-
-
-
-
-
-
- <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
- <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
- <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
-
-
-
- <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
-
-
-
-
-
- <script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-QP38TD8K7V",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
-
- <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
-
-
-
- </head>
-
-
-
-
-
-
-
-
-
- <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
-
-
- <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
- <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
- <label class="md-overlay" for="__drawer"></label>
- <div data-md-component="skip">
-
-
- <a href="#advanced-templating-v2" class="md-skip">
- Skip to content
- </a>
-
- </div>
- <div data-md-component="announce">
-
- </div>
-
- <div data-md-color-scheme="default" data-md-component="outdated" hidden>
-
- <aside class="md-banner md-banner--warning">
- <div class="md-banner__inner md-grid md-typeset">
-
- You're not viewing the latest version.
- <a href="../../..">
- <strong>Click here to go to latest.</strong>
- </a>
- </div>
- <script>var el=document.querySelector("[data-md-component=outdated]"),base=new URL("../.."),outdated=__md_get("__outdated",sessionStorage,base);!0===outdated&&el&&(el.hidden=!1)</script>
- </aside>
-
- </div>
-
-
-
- <header class="md-header" data-md-component="header">
- <nav class="md-header__inner md-grid" aria-label="Header">
- <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
-
- <img src="../../pictures/eso-round-logo.svg" alt="logo">
- </a>
- <label class="md-header__button md-icon" for="__drawer">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
- </label>
- <div class="md-header__title" data-md-component="header-title">
- <div class="md-header__ellipsis">
- <div class="md-header__topic">
- <span class="md-ellipsis">
- External Secrets Operator
- </span>
- </div>
- <div class="md-header__topic" data-md-component="header-topic">
- <span class="md-ellipsis">
-
- v2
-
- </span>
- </div>
- </div>
- </div>
-
-
- <form class="md-header__option" data-md-component="palette">
-
-
-
-
- <input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
-
- <label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
- </label>
-
-
-
-
-
- <input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
-
- <label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
- </label>
-
-
- </form>
-
-
-
- <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
-
-
-
-
-
- <label class="md-header__button md-icon" for="__search">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
- </label>
- <div class="md-search" data-md-component="search" role="dialog">
- <label class="md-search__overlay" for="__search"></label>
- <div class="md-search__inner" role="search">
- <form class="md-search__form" name="search">
- <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
- <label class="md-search__icon md-icon" for="__search">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
- </label>
- <nav class="md-search__options" aria-label="Search">
-
- <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
- </button>
- </nav>
-
- </form>
- <div class="md-search__output">
- <div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
- <div class="md-search-result" data-md-component="search-result">
- <div class="md-search-result__meta">
- Initializing search
- </div>
- <ol class="md-search-result__list" role="presentation"></ol>
- </div>
- </div>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-header__source">
- <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
- <div class="md-source__icon md-icon">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
- </div>
- <div class="md-source__repository">
- External Secrets Operator
- </div>
- </a>
- </div>
-
- </nav>
-
- </header>
-
- <div class="md-container" data-md-component="container">
-
-
-
-
-
- <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
- <div class="md-grid">
- <ul class="md-tabs__list">
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../.." class="md-tabs__link">
-
-
-
-
-
- Introduction
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../api/components/" class="md-tabs__link">
-
-
-
-
-
- API
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item md-tabs__item--active">
- <a href="../introduction/" class="md-tabs__link">
-
-
-
-
-
- Guides
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../provider/aws-secrets-manager/" class="md-tabs__link">
-
-
-
-
-
- Provider
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
-
-
-
-
-
- Examples
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../contributing/devguide/" class="md-tabs__link">
-
-
-
-
-
- Community
- </a>
- </li>
-
-
-
-
-
- </ul>
- </div>
- </nav>
-
-
-
- <main class="md-main" data-md-component="main">
- <div class="md-main__inner md-grid">
-
-
-
- <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
-
- <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
- <label class="md-nav__title" for="__drawer">
- <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
-
- <img src="../../pictures/eso-round-logo.svg" alt="logo">
- </a>
- External Secrets Operator
- </label>
-
- <div class="md-nav__source">
- <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
- <div class="md-source__icon md-icon">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
- </div>
- <div class="md-source__repository">
- External Secrets Operator
- </div>
- </a>
- </div>
-
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../.." class="md-nav__link ">
-
-
-
- <span class="md-ellipsis">
-
-
- Introduction
-
-
- </span>
-
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_1">
- <span class="md-nav__icon md-icon"></span>
-
-
- Introduction
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/overview/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Overview
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/glossary/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Glossary
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/prerequisites/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Prerequisites
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/getting-started/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Getting started
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/faq/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- FAQ
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/stability-support/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Stability and Support
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/deprecation-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Deprecation Policy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
-
-
- <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- API
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- API
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/components/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Components
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
-
-
- <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Core Resources
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- Core Resources
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/externalsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ExternalSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/secretstore/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- SecretStore
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clustersecretstore/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterSecretStore
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clusterexternalsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterExternalSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clusterpushsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterPushSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/pushsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- PushSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../../api/generator/" class="md-nav__link ">
-
-
-
- <span class="md-ellipsis">
-
-
- Generators
-
-
- </span>
-
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_2_3" id="__nav_2_3_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_3">
- <span class="md-nav__icon md-icon"></span>
-
-
- Generators
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/acr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Azure Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/ecr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Elastic Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/sts/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS STS Session Token
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/cloudsmith/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloudsmith
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/cluster/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cluster Generator
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/gcr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Google Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/grafana/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Grafana
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/quay/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Quay
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Vault Dynamic Secret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/password/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Password
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/fake/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fake
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/webhook/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Webhook
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/github/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Github
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/uuid/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- UUID
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/mfa/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- MFA
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/sshkey/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- SSHKey
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
-
-
- <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Reference Docs
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Reference Docs
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/spec/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- API specification
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/controller-options/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Controller Options
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/metrics/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Metrics
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/selectable-fields/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Selectable Fields
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
-
-
-
- <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" checked>
-
-
- <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="">
-
-
-
- <span class="md-ellipsis">
-
-
- Guides
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="true">
- <label class="md-nav__title" for="__nav_3">
- <span class="md-nav__icon md-icon"></span>
-
-
- Guides
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../introduction/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Introduction
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active md-nav__item--nested">
-
-
-
- <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_2" checked>
-
-
- <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- External Secrets
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="true">
- <label class="md-nav__title" for="__nav_3_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- External Secrets
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../all-keys-one-secret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Extract structured data
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../getallsecrets/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Find Secrets by Name or Metadata
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../datafrom-rewrite/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Rewriting Keys
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active md-nav__item--nested">
-
-
-
- <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_2_4" checked>
-
-
- <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Advanced Templating
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="true">
- <label class="md-nav__title" for="__nav_3_2_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Advanced Templating
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active">
-
- <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
-
-
-
-
-
- <label class="md-nav__link md-nav__link--active" for="__toc">
-
-
-
- <span class="md-ellipsis">
-
-
- v2
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <a href="./" class="md-nav__link md-nav__link--active">
-
-
-
- <span class="md-ellipsis">
-
-
- v2
-
-
- </span>
-
-
- </a>
-
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#helm" class="md-nav__link">
- <span class="md-ellipsis">
-
- Helm
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#examples" class="md-nav__link">
- <span class="md-ellipsis">
-
- Examples
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Examples">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#mergepolicy" class="md-nav__link">
- <span class="md-ellipsis">
-
- MergePolicy
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#templatefrom" class="md-nav__link">
- <span class="md-ellipsis">
-
- TemplateFrom
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="TemplateFrom">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#valuesdecodingstrategy-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- ValuesDecodingStrategy example
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#htpasswd-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- htpasswd example
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-keys-and-certificates-from-pkcs12-archive" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract Keys and Certificates from PKCS#12 Archive
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-from-jwk" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract from JWK
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#filter-pem-blocks" class="md-nav__link">
- <span class="md-ellipsis">
-
- Filter PEM blocks
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-subject-alternative-names-sans-from-certificate" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract Subject Alternative Names (SANs) from Certificate
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#rsa-decryption-data-from-provider" class="md-nav__link">
- <span class="md-ellipsis">
-
- RSA Decryption Data From Provider
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#templating-with-pushsecret" class="md-nav__link">
- <span class="md-ellipsis">
-
- Templating with PushSecret
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#helper-functions" class="md-nav__link">
- <span class="md-ellipsis">
-
- Helper functions
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#migrating-from-v1" class="md-nav__link">
- <span class="md-ellipsis">
-
- Migrating from v1
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Migrating from v1">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#functions-removedreplaced" class="md-nav__link">
- <span class="md-ellipsis">
-
- Functions removed/replaced
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../templating-v1/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- v1
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../common-k8s-secret-types/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Kubernetes Secret Types
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../ownership-deletion-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Lifecycle: ownership & deletion
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../decoding-strategy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Decoding Strategies
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../controller-class/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Controller Classes
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../targeting-custom-resources/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Targeting Custom Resources
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../generator/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Generators
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../pushsecrets/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Push Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_6" >
-
-
- <label class="md-nav__link" for="__nav_3_6" id="__nav_3_6_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Operations
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_6_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_6">
- <span class="md-nav__icon md-icon"></span>
-
-
- Operations
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../multi-tenancy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Multi Tenancy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../security-best-practices/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Security Best Practices
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../threat-model/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Threat Model
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../v1beta1/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Upgrading to v1beta1
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../using-latest-image/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Using Latest Image
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../disable-cluster-features/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Disable Cluster Features
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_7" >
-
-
- <label class="md-nav__link" for="__nav_3_7" id="__nav_3_7_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Tooling
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_7_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_7">
- <span class="md-nav__icon md-icon"></span>
-
-
- Tooling
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../using-esoctl-tool/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Using the esoctl tool
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
-
-
- <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Provider
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Provider
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/aws-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/aws-parameter-store/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Parameter Store
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/aws-access/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Access
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/azure-key-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Azure Key Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/barbican/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Barbican
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/beyondtrust/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- BeyondTrust
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/bitwarden-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Bitwarden Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/chef/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Chef
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/cloudru/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloud.ru Secret Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/conjur/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- CyberArk Conjur
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/google-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Google Cloud Secret Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/hashicorp-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- HashiCorp Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/kubernetes/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Kubernetes
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/ibm-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- IBM Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/akeyless/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Akeyless
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/yandex-certificate-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Yandex Certificate Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/yandex-lockbox/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Yandex Lockbox
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/gitlab-variables/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- GitLab Variables
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/github/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Github Actions Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/oracle-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Oracle Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/ovhcloud/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- OVHcloud
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/1password-automation/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- 1Password Connect Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/1password-sdk/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- 1Password SDK
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/webhook/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Webhook
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/fake/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fake
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/senhasegura-dsm/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- senhasegura DevOps Secrets Management (DSM)
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/doppler/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Doppler
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/keeper-security/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Keeper Security
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/cloak/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloak End 2 End Encrypted Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/scaleway/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Scaleway
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/delinea/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Delinea
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/secretserver/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Secret Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/passbolt/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Passbolt
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/pulumi/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Pulumi ESC
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/onboardbase/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Onboardbase
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider-passworddepot/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Password Depot
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/fortanix/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fortanix
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/infisical/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Infisical
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/previder/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Previder
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/openbao/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- OpenBao
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/volcengine/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Volcengine
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/ngrok/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ngrok
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/devolutions-server/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Devolutions Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider/nebius-mysterybox/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Nebius MysteryBox
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
-
-
- <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Examples
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_5">
- <span class="md-nav__icon md-icon"></span>
-
-
- Examples
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- FluxCD
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Anchore Engine
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Jenkins
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/bitwarden/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Bitwarden
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
-
-
- <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Community
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6">
- <span class="md-nav__icon md-icon"></span>
-
-
- Community
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
-
-
- <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Contributing
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_1">
- <span class="md-nav__icon md-icon"></span>
-
-
- Contributing
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/devguide/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Developer guide
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/process/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Contributing Process
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/release/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Release Process
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/coc/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Code of Conduct
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/calendar/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Community meetings calendar
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/roadmap/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Roadmap
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/burnout-mitigation/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Burnout Prevention
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/llm-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- LLM Policy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
-
-
- <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- External Resources
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- External Resources
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-talks/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Talks
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-demos/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Demos
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-blogs/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Blogs
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-tools/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Tools
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
- </ul>
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#helm" class="md-nav__link">
- <span class="md-ellipsis">
-
- Helm
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#examples" class="md-nav__link">
- <span class="md-ellipsis">
-
- Examples
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Examples">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#mergepolicy" class="md-nav__link">
- <span class="md-ellipsis">
-
- MergePolicy
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#templatefrom" class="md-nav__link">
- <span class="md-ellipsis">
-
- TemplateFrom
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="TemplateFrom">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#valuesdecodingstrategy-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- ValuesDecodingStrategy example
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#htpasswd-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- htpasswd example
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-keys-and-certificates-from-pkcs12-archive" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract Keys and Certificates from PKCS#12 Archive
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-from-jwk" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract from JWK
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#filter-pem-blocks" class="md-nav__link">
- <span class="md-ellipsis">
-
- Filter PEM blocks
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#extract-subject-alternative-names-sans-from-certificate" class="md-nav__link">
- <span class="md-ellipsis">
-
- Extract Subject Alternative Names (SANs) from Certificate
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#rsa-decryption-data-from-provider" class="md-nav__link">
- <span class="md-ellipsis">
-
- RSA Decryption Data From Provider
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#templating-with-pushsecret" class="md-nav__link">
- <span class="md-ellipsis">
-
- Templating with PushSecret
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#helper-functions" class="md-nav__link">
- <span class="md-ellipsis">
-
- Helper functions
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#migrating-from-v1" class="md-nav__link">
- <span class="md-ellipsis">
-
- Migrating from v1
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Migrating from v1">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#functions-removedreplaced" class="md-nav__link">
- <span class="md-ellipsis">
-
- Functions removed/replaced
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-content" data-md-component="content">
-
- <article class="md-content__inner md-typeset">
-
-
-
-
- <h1 id="advanced-templating-v2">Advanced Templating v2</h1>
- <p>With External Secrets Operator you can transform the data from the external secret provider before it is stored as <code>Kind=Secret</code>. You can do this with the <code>Spec.Target.Template</code>.</p>
- <p>Each data value is interpreted as a <a href="https://golang.org/pkg/text/template/">Go template</a>. Please note that referencing a non-existing key in the template will raise an error, instead of being suppressed.</p>
- <div class="admonition note">
- <p class="admonition-title">Note</p>
- <p>Consider using camelcase when defining <strong>.'spec.data.secretkey'</strong>, example: serviceAccountToken</p>
- <p>If your secret keys contain <strong><code>-</code> (dashes)</strong>, you will need to reference them using <strong><code>index</code></strong> </br>
- Example: <strong><code>{{ index .data "service-account-token" }}</code></strong></p>
- </div>
- <h2 id="helm">Helm</h2>
- <p>When installing ExternalSecrets via <code>helm</code>, the template must be escaped so that <code>helm</code> will not try to render it. The most straightforward way to accomplish this would be to use backticks (<a href="https://pkg.go.dev/text/template#hdr-Examples">raw string constants</a>):</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">admin</span>
- <span class="w"> </span><span class="c1"># password: "{{ .mysecret }}" # If you are using plain manifests or gitops tools</span>
- <span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">`{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">}}`</span><span class="nv"> </span><span class="s">}}"</span><span class="w"> </span><span class="c1"># If you are using helm</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials</span>
- </code></pre></div>
- <h2 id="examples">Examples</h2>
- <p>You can use templates to inject your secrets into a configuration file that you mount into your pod:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="c1"># this is how the Kind=Secret will look like</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># multiline string</span>
- <span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
- <span class="w"> </span><span class="no">datasources:</span>
- <span class="w"> </span><span class="no">- name: Graphite</span>
- <span class="w"> </span><span class="no">type: graphite</span>
- <span class="w"> </span><span class="no">access: proxy</span>
- <span class="w"> </span><span class="no">url: http://localhost:8080</span>
- <span class="w"> </span><span class="no">password: "{{ .password }}"</span>
- <span class="w"> </span><span class="no">user: "{{ .user }}"</span>
- <span class="w"> </span><span class="c1"># using replace function to rewrite secret</span>
- <span class="w"> </span><span class="nt">connection</span><span class="p">:</span><span class="w"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">.dburl</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">replace</span><span class="nv"> </span><span class="s">"postgres://"</span><span class="nv"> </span><span class="s">"postgresql://"</span><span class="nv"> </span><span class="s">}}'</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">user</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/user</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/password</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dburl</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/database/url</span>
- </code></pre></div>
- <p>Another example with two keys in the same secret:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">admin</span>
- <span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">}}"</span><span class="w"> </span><span class="c1"># If you are using plain manifests or gitops tools</span>
- <span class="w"> </span><span class="c1"># password: "{{ `{{ .mysecret }}` }}" # If you are using templated tools like helm</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials</span>
- </code></pre></div>
- <h3 id="mergepolicy">MergePolicy</h3>
- <p>By default, the templating mechanism will not use any information available from the original <code>data</code> and <code>dataFrom</code> queries to the provider, and only keep the templated information. It is possible to change this behavior through the use of the <code>mergePolicy</code> field. <code>mergePolicy</code> currently accepts two values: <code>Replace</code> (the default) and <code>Merge</code>. When using <code>Merge</code>, <code>data</code> and <code>dataFrom</code> keys will also be embedded into the templated secret, having lower priority than the template outcome. See the example for more information:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">mergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">admin</span>
- <span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">b64dec</span><span class="nv"> </span><span class="s">}}"</span><span class="w"> </span><span class="c1"># Overwrites the password from the data call and use this output</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials/password</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span><span class="w"> </span><span class="c1"># Preserves the username in the templated Secret</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials/username</span>
- </code></pre></div>
- <h3 id="templatefrom">TemplateFrom</h3>
- <p>You do not have to define your templates inline in an ExternalSecret but you can pull <code>ConfigMaps</code> or other Secrets that contain a template. Consider the following example:</p>
- <div class="highlight"><pre><span></span><code><span class="c1"># define your template in a config map</span>
- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">grafana-config-tpl</span>
- <span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">config.yaml</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
- <span class="w"> </span><span class="no">datasources:</span>
- <span class="w"> </span><span class="no">- name: Graphite</span>
- <span class="w"> </span><span class="no">type: graphite</span>
- <span class="w"> </span><span class="no">access: proxy</span>
- <span class="w"> </span><span class="no">url: "{{ .uri }}"</span>
- <span class="w"> </span><span class="no">password: "{{ .password }}"</span>
- <span class="w"> </span><span class="no">user: "{{ .user }}"</span>
- <span class="w"> </span><span class="nt">templated</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
- <span class="w"> </span><span class="no"># key and value templated</span>
- <span class="w"> </span><span class="no">my-application-{{ .user}}: {{ .password | b64enc }}</span>
- <span class="w"> </span><span class="no"># conditional keys</span>
- <span class="w"> </span><span class="no">{{- if hasPrefix "oci://" .uri }}</span>
- <span class="w"> </span><span class="no">enableOCI: true</span>
- <span class="w"> </span><span class="no">{{- else }}</span>
- <span class="w"> </span><span class="no">enableOCI: false</span>
- <span class="w"> </span><span class="no">{{- end }}</span>
- <span class="w"> </span><span class="no"># Fixed values</span>
- <span class="w"> </span><span class="no">application-type: grafana</span>
- <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
- <span class="w"> </span><span class="no">#dynamic timestamp generation</span>
- <span class="w"> </span><span class="no">last-synced-for-user/{{ .user }}: {{ now }}</span>
- <span class="nn">---</span>
- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-template-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">templateFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Data</span>
- <span class="w"> </span><span class="nt">configMap</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># name of the configmap to pull in</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">grafana-config-tpl</span>
- <span class="w"> </span><span class="c1"># here you define the keys that should be used as template</span>
- <span class="w"> </span><span class="nt">items</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config.yaml</span>
- <span class="w"> </span><span class="nt">templateAs</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Values</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">templated</span>
- <span class="w"> </span><span class="nt">templateAs</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">KeysAndValues</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Annotations</span>
- <span class="w"> </span><span class="nt">configMap</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># name of the configmap to pull in</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">grafana-config-tpl</span>
- <span class="w"> </span><span class="c1"># here you define the keys that should be used as template</span>
- <span class="w"> </span><span class="nt">items</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">annotations</span>
- <span class="w"> </span><span class="nt">templateAs</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">KeysAndValues</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">user</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/user</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/password</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">uri</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/uri</span>
- </code></pre></div>
- <p><code>TemplateFrom</code> also gives you the ability to Target your template to the Secret's Annotations, Labels or the Data block. It also allows you to render the templated information as <code>Values</code> or as <code>KeysAndValues</code> through the <code>templateAs</code> configuration:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-template-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">templateFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Annotations</span>
- <span class="w"> </span><span class="nt">literal</span><span class="p">:</span><span class="w"> </span><span class="s">"last-sync-for-user/{{</span><span class="nv"> </span><span class="s">.user</span><span class="nv"> </span><span class="s">}}:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">.now</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">user</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/user</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/grafana/password</span>
- </code></pre></div>
- <p>Lastly, <code>TemplateFrom</code> also supports adding <code>Literal</code> blocks for quick templating. These <code>Literal</code> blocks differ from <code>Template.Data</code> as they are rendered as a a <code>key:value</code> pair (while the <code>Template.Data</code>, you can only template the value).</p>
- <h4 id="valuesdecodingstrategy-example">ValuesDecodingStrategy example</h4>
- <p><code>TemplateFrom</code> entries can also decode rendered values with <code>ValuesDecodingStrategy</code>. This is useful when the template selects Base64-encoded values from structured provider data and the final Kubernetes Secret must contain the decoded bytes.</p>
- <p>For example, imagine several remote secrets matched by <code>dataFrom.find</code> contain JSON values like this:</p>
- <div class="highlight"><pre><span></span><code><span class="p">{</span>
- <span class="w"> </span><span class="nt">"cert"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg=="</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"certificate encoded as base64"</span>
- <span class="p">}</span>
- </code></pre></div>
- <p>And let's imagine an ExternalSecret definition as this one:</p>
- <p><div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-certs</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
- <span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">^productA/nginx/.*</span>
- <span class="w"> </span><span class="nt">rewrite</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">regexp</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">^productA/nginx/(.*)</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$1</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-certs</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">templateFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">literal</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
- <span class="w"> </span><span class="no">{{- range $key, $val := . }}</span>
- <span class="w"> </span><span class="no">{{- $json := $val | fromJson }}</span>
- <span class="w"> </span><span class="no">{{ $key }}: {{ $json.cert }}</span>
- <span class="w"> </span><span class="no">{{- end }}</span>
- </code></pre></div>
- Without <code>templateFrom[0].ValuesDecodingStrategy</code>, the template will select the <code>cert</code> property, and get the base64 text. The resulting Kubernetes Secret value will be stored as Base64 text.</p>
- <p>Alternatively, you can use the <code>templateFrom[0].valuesDecodingStrategy: Base64</code> as following:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-certs</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
- <span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">^productA/nginx/.*</span>
- <span class="w"> </span><span class="nt">rewrite</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">regexp</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">^productA/nginx/(.*)</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$1</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-certs</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">templateFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">valuesDecodingStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Base64</span>
- <span class="w"> </span><span class="nt">literal</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
- <span class="w"> </span><span class="no">{{- range $key, $val := . }}</span>
- <span class="w"> </span><span class="no">{{- $json := $val | fromJson }}</span>
- <span class="w"> </span><span class="no">{{ $key }}: {{ $json.cert }}</span>
- <span class="w"> </span><span class="no">{{- end }}</span>
- </code></pre></div>
- <p>This way, the template still renders safe Base64 text internally.
- ESO then decodes the value and writes the decoded bytes in the Kubernetes Secret's data.
- Only rendered values are decoded; rendered keys are left unchanged.</p>
- <p>In other words, use <code>valuesDecodingStrategy</code> to <code>None</code> when values are not encoded, and our usual strategies like <code>Base64</code>, <code>Base64URL</code> (or even <code>Auto</code>) when values may be either Base64/Base64URL encoded.</p>
- <div class="admonition note">
- <p class="admonition-title">Note</p>
- <p>This is safer for binary data than decoding inside the template with <code>{{ $json.cert | b64dec }}</code>, because <code>b64dec</code> injects raw bytes into the intermediate rendered YAML.</p>
- </div>
- <h4 id="htpasswd-example">htpasswd example</h4>
- <p>See an example, how to produce a <code>htpasswd</code> file that can be used by an ingress-controller (for example: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/) where the contents of the <code>htpasswd</code> file needs to be presented via the <code>auth</code> key. We use the <code>htpasswd</code> function to create a <code>bcrypted</code> hash of the password.</p>
- <p>Suppose you have multiple key-value pairs within your provider secret like</p>
- <div class="highlight"><pre><span></span><code><span class="p">{</span>
- <span class="w"> </span><span class="nt">"user1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password1"</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"user2"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password2"</span><span class="p">,</span>
- <span class="w"> </span><span class="err">...</span>
- <span class="p">}</span>
- </code></pre></div>
- <p>You may either pass <code>bcrypt</code>, to use that hashing algorithm, or <code>sha</code>, to use the <code>SHA-1</code> hashing algorithm, as an argument. <code>bcrypt</code> is considered more secure, but some applications may not support it.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-template-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">templateFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Data</span>
- <span class="w"> </span><span class="nt">literal</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
- <span class="w"> </span><span class="no">{{- $creds := list }}</span>
- <span class="w"> </span><span class="no">{{- range $user, $pw := . }}</span>
- <span class="w"> </span><span class="no">{{- $creds = append $creds (printf "%s" (htpasswd $user $pw "bcrypt")) }}</span>
- <span class="w"> </span><span class="no">{{- end }}</span>
- <span class="w"> </span><span class="no">auth: {{ $creds | join "\n" | quote }}</span>
- <span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/ingress-controller/valid-users</span>
- </code></pre></div>
- <h3 id="extract-keys-and-certificates-from-pkcs12-archive">Extract Keys and Certificates from PKCS#12 Archive</h3>
- <p>You can use pre-defined functions to extract data from your secrets. Here: extract keys and certificates from a PKCS#12 archive and store it as PEM.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12cert</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12key</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="c1"># if needed unlock the pkcs12 with the password</span>
- <span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12certPass</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">my-password" }}"</span>
- </code></pre></div>
- <h3 id="extract-from-jwk">Extract from JWK</h3>
- <p>You can extract the public or private key parts of a JWK and use them as <a href="https://pkg.go.dev/crypto/x509#ParsePKCS8PrivateKey">PKCS#8</a> private key or PEM-encoded <a href="https://pkg.go.dev/crypto/x509#MarshalPKIXPublicKey">PKIX</a> public key.</p>
- <p>A JWK looks similar to this:</p>
- <div class="highlight"><pre><span></span><code><span class="p">{</span>
- <span class="w"> </span><span class="nt">"kty"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RSA"</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"kid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cc34c0a0-bd5a-4a3c-a50d-a2a7db7643df"</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"use"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sig"</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"n"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pjdss..."</span><span class="p">,</span>
- <span class="w"> </span><span class="nt">"e"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AQAB"</span>
- <span class="w"> </span><span class="c1">// ...</span>
- <span class="p">}</span>
- </code></pre></div>
- <p>And what you want may be a PEM-encoded public or private key portion of it. Take a look at this example on how to transform it into the desired format:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># .myjwk is a json-encoded JWK string.</span>
- <span class="w"> </span><span class="c1">#</span>
- <span class="w"> </span><span class="c1"># this template will produce for jwk_pub a PEM encoded public key:</span>
- <span class="w"> </span><span class="c1"># -----BEGIN PUBLIC KEY-----</span>
- <span class="w"> </span><span class="c1"># MIIBI...</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="c1"># ...AQAB</span>
- <span class="w"> </span><span class="c1"># -----END PUBLIC KEY-----</span>
- <span class="w"> </span><span class="nt">jwk_pub</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.myjwk</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">jwkPublicKeyPem</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="c1"># private key is a pem-encoded PKCS#8 private key</span>
- <span class="w"> </span><span class="nt">jwk_priv</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.myjwk</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">jwkPrivateKeyPem</span><span class="nv"> </span><span class="s">}}"</span>
- </code></pre></div>
- <h3 id="filter-pem-blocks">Filter PEM blocks</h3>
- <p>Consider you have a secret that contains both a certificate and a private key encoded in PEM format and it is your goal to use only the certificate from that secret.</p>
- <div class="highlight"><pre><span></span><code>-----BEGIN PRIVATE KEY-----
- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvxGZOW4IXvGlh
- . . .
- m8JCpbJXDfSSVxKHgK1Siw4K6pnTsIA2e/Z+Ha2fvtocERjq7VQMAJFaIZSTKo9Q
- JwwY+vj0yxWjyzHUzZB33tg=
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
- MIIDMDCCAhigAwIBAgIQabPaXuZCQaCg+eQAVptGGDANBgkqhkiG9w0BAQsFADAV
- . . .
- NtFUGA95RGN9s+pl6XY0YARPHf5O76ErC1OZtDTR5RdyQfcM+94gYZsexsXl0aQO
- 9YD3Wg==
- -----END CERTIFICATE-----
- </code></pre></div>
- <p>You can achieve that by using the <code>filterPEM</code> function to extract a specific type of PEM block from that secret. If multiple blocks of that type (here: <code>CERTIFICATE</code>) exist, all of them are returned in the order specified. To extract a specific type of PEM block, pass the type as a string argument to the filterPEM function. Take a look at this example of how to transform a secret which contains a private key and a certificate into the desired format:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">CERTIFICATE" }}"</span>
- <span class="w"> </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">PRIVATE KEY" }}"</span>
- </code></pre></div>
- <p>In case you have a secret that contains a (partial) certificate chain you can extract the <code>leaf</code>, <code>intermediate</code> or <code>root</code> certificate(s) using the <code>filterCertChain</code> function. See the following example on how to use the <code>filterPEM</code> and <code>filterCertChain</code> functions together to split the certificate chain into a <code>tls.crt</code> part only containing the leaf certificate and a <code>ca.crt</code> part with all the intermediate certificates.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">ca.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">CERTIFICATE" | filterCertChain "intermediate" }}"</span>
- <span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">CERTIFICATE" | filterCertChain "leaf" }}"</span>
- <span class="w"> </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"</span><span class="l l-Scalar l-Scalar-Plain">PRIVATE KEY" }}"</span>
- </code></pre></div>
- <h3 id="extract-subject-alternative-names-sans-from-certificate">Extract Subject Alternative Names (SANs) from Certificate</h3>
- <p>You can use the <code>certSANs</code> function to extract Subject Alternative Names from a PEM-encoded certificate. It returns a list of all SANs including DNS names, IP addresses, email addresses, and URIs. This is useful when you need to know which domains or IPs a certificate covers.</p>
- <p>You can combine <code>certSANs</code> with <code>filterPEM</code> and <code>filterCertChain</code> to first extract the leaf certificate from a chain and then get its SANs:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cert-sans-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># Store all SANs as a comma-separated string</span>
- <span class="w"> </span><span class="nt">sans</span><span class="p">:</span><span class="w"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">.certificate</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"CERTIFICATE"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterCertChain</span><span class="nv"> </span><span class="s">"leaf"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">certSANs</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">join</span><span class="nv"> </span><span class="s">","</span><span class="nv"> </span><span class="s">}}'</span>
- <span class="w"> </span><span class="c1"># Store the first SAN (e.g. primary domain)</span>
- <span class="w"> </span><span class="nt">primary-domain</span><span class="p">:</span><span class="w"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">index</span><span class="nv"> </span><span class="s">(.certificate</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"CERTIFICATE"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterCertChain</span><span class="nv"> </span><span class="s">"leaf"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">certSANs)</span><span class="nv"> </span><span class="s">0</span><span class="nv"> </span><span class="s">}}'</span>
- <span class="w"> </span><span class="c1"># Store SANs as a JSON array</span>
- <span class="w"> </span><span class="nt">sans-json</span><span class="p">:</span><span class="w"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">.certificate</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">"CERTIFICATE"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterCertChain</span><span class="nv"> </span><span class="s">"leaf"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">certSANs</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">toJson</span><span class="nv"> </span><span class="s">}}'</span>
- </code></pre></div>
- <h3 id="rsa-decryption-data-from-provider">RSA Decryption Data From Provider</h3>
- <p>When a provider returns RSA-encrypted values, you can decrypt them directly in the template using the <code>rsaDecrypt</code> functions (engine v2).
- <code>rsaDecrypt</code> performs decryption with the private key passed through the pipeline: <code><privateKeyPEM | rsaDecrypt "<SCHEME>" "<HASH>" <ciphertext> ></code>. <code>SCHEME</code> and <code>HASH</code> are strings (for example, <code>"RSA-OAEP"</code> and <code>"SHA1"</code>). The third argument must be the ciphertext in binary form.</p>
- <p>Base64 handling: providers often return ciphertext as Base64. You can either:</p>
- <ul>
- <li>decode in the template with <code>b64dec</code> (for example: <code>(.password_encrypted_base64 | b64dec)</code>), or</li>
- <li>set <code>decodingStrategy: Base64</code> on the corresponding <code>spec.data.remoteRef</code> so the template receives binary data.</li>
- </ul>
- <p>Prerequisites</p>
- <ul>
- <li><code>spec.target.template.engineVersion: v2</code>.</li>
- <li>A valid RSA private key in PEM format without passphrase (from another reference in the same ExternalSecret).</li>
- <li>Ciphertext must match the key pair and the chosen algorithm/hash.</li>
- </ul>
- <p>Full example:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rsa-decrypt-template-v2</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># Decrypt a binary ciphertext using a private key stored in a Kubernetes Secret.</span>
- <span class="w"> </span><span class="c1"># rsaDecrypt("SCHEME", "HASH", ciphertext, privateKeyPEM) decrypts the ciphertext (binary).</span>
- <span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">rsaDecrypt</span><span class="nv"> </span><span class="s">"RSA-OAEP"</span><span class="nv"> </span><span class="s">"SHA1"</span><span class="nv"> </span><span class="s">.password_encrypted_binary</span><span class="nv"> </span><span class="s">.privatekey</span><span class="nv"> </span><span class="s">}}'</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privatekey</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">a-secretname-in-cluster</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privatekey</span>
- <span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">storeRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"> </span><span class="c1"># or ClusterSecretStore</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes</span><span class="w"> </span><span class="c1"># name of the k8s provider</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password_encrypted_binary</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials/password_encrypted_binary</span>
- <span class="w"> </span><span class="c1"># If ciphertext is Base64 encoded, either decode in-template (b64dec) or use decodingStrategy: Base64</span>
- <span class="w"> </span><span class="c1"># Example (decode here -> template receives binary):</span>
- <span class="w"> </span><span class="c1"># - secretKey: password_encrypted_base64</span>
- <span class="w"> </span><span class="c1"># remoteRef:</span>
- <span class="w"> </span><span class="c1"># key: /credentials/password_encrypted_base64</span>
- <span class="w"> </span><span class="c1"># decodingStrategy: Base64</span>
- <span class="w"> </span><span class="c1"># ...</span>
- </code></pre></div>
- <p>Useful variations (included as comments in the example):</p>
- <ul>
- <li>Base64 decode in the template with <code>b64dec</code> or via <code>decodingStrategy: Base64</code> on <code>spec.data</code>.</li>
- <li>Use a private key available in the same ExternalSecret (for example: <code>( .private_key | rsaDecrypt ... )</code>).</li>
- </ul>
- <p>Error notes</p>
- <ul>
- <li>Referencing a missing key in the template will fail rendering.</li>
- <li>If key/algorithm/hash do not match the ciphertext, decryption will fail and reconciliation will retry.</li>
- </ul>
- <h2 id="templating-with-pushsecret">Templating with PushSecret</h2>
- <p><code>PushSecret</code> templating is much like <code>ExternalSecrets</code> templating. In-fact under the hood, it's using the same data structure.
- Which means, anything described in the above should be possible with push secret as well resulting in a templated secret
- created at the provider.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.token</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">toString</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">upper</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">was</span><span class="nv"> </span><span class="s">templated"</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create-secret-name</span>
- <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
- </code></pre></div>
- <h2 id="helper-functions">Helper functions</h2>
- <div class="admonition info inline end">
- <p class="admonition-title">Info</p>
- <p>Note: we removed <code>env</code> and <code>expandenv</code> from sprig functions for security reasons.</p>
- </div>
- <p>We provide a couple of convenience functions that help you transform your secrets. This is useful when dealing with PKCS#12 archives or JSON Web Keys (JWK).</p>
- <p>In addition to that you can use over 200+ <a href="http://masterminds.github.io/sprig/">sprig functions</a>. If you feel a function is missing or might be valuable feel free to open an issue and submit a <a href="../../contributing/process/#submitting-a-pull-request">pull request</a>.</p>
- <p><br/></p>
- <table>
- <thead>
- <tr>
- <th>Function</th>
- <th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>pkcs12key</td>
- <td>Extracts all private keys from a PKCS#12 archive and encodes them in <strong>PKCS#8 PEM</strong> format.</td>
- </tr>
- <tr>
- <td>pkcs12keyPass</td>
- <td>Same as <code>pkcs12key</code>. Uses the provided password to decrypt the PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>pkcs12cert</td>
- <td>Extracts all certificates from a PKCS#12 archive and orders them if possible. If disjunct or multiple leaf certs are provided they are returned as-is. <br/> Sort order: <code>leaf / intermediate(s) / root</code>.</td>
- </tr>
- <tr>
- <td>pkcs12certPass</td>
- <td>Same as <code>pkcs12cert</code>. Uses the provided password to decrypt the PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>pemToPkcs12</td>
- <td>Takes a PEM encoded certificate and key and creates a base64 encoded PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>pemToPkcs12Pass</td>
- <td>Same as <code>pemToPkcs12</code>. Uses the provided password to encrypt the PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>fullPemToPkcs12</td>
- <td>Takes a PEM encoded certificates chain and key and creates a base64 encoded PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>fullPemToPkcs12Pass</td>
- <td>Same as <code>fullPemToPkcs12</code>. Uses the provided password to encrypt the PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>pemTruststoreToPKCS12</td>
- <td>Takes a PEM encoded certificates and creates a base64 encoded PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>pemTruststoreToPKCS12Pass</td>
- <td>Same as <code>pemTruststoreToPKCS12</code>. Uses the provided password to encrypt the PKCS#12 archive.</td>
- </tr>
- <tr>
- <td>filterPEM</td>
- <td>Filters PEM blocks with a specific type from a list of PEM blocks.</td>
- </tr>
- <tr>
- <td>filterCertChain</td>
- <td>Filters PEM block(s) with a specific certificate type (<code>leaf</code>, <code>intermediate</code> or <code>root</code>) from a certificate chain of PEM blocks (PEM blocks with type <code>CERTIFICATE</code>).</td>
- </tr>
- <tr>
- <td>certSANs</td>
- <td>Extracts Subject Alternative Names (SANs) from a PEM-encoded certificate and returns them as a list of strings. Includes DNS names, IP addresses, email addresses, and URIs.</td>
- </tr>
- <tr>
- <td>jwkPublicKeyPem</td>
- <td>Takes an json-serialized JWK and returns an PEM block of type <code>PUBLIC KEY</code> that contains the public key. <a href="https://golang.org/pkg/crypto/x509/#MarshalPKIXPublicKey">See here</a> for details.</td>
- </tr>
- <tr>
- <td>jwkPrivateKeyPem</td>
- <td>Takes an json-serialized JWK as <code>string</code> and returns an PEM block of type <code>PRIVATE KEY</code> that contains the private key in PKCS #8 format. <a href="https://golang.org/pkg/crypto/x509/#MarshalPKCS8PrivateKey">See here</a> for details.</td>
- </tr>
- <tr>
- <td>rsaDecrypt</td>
- <td>Decrypts RSA ciphertext using a PEM private key. Usage: <code><rsaDecrypt "SCHEME" "HASH" ciphertext privateKeyPEM></code> or <code><privateKeyPEM \| rsaDecrypt "SCHEME" "HASH" ciphertext></code>. <strong>SCHEME</strong>: supported values are <code>"None"</code> and <code>"RSA-OAEP"</code>. <strong>HASH</strong>: supported values are <code>"SHA1"</code> and <code>"SHA256"</code>. <strong>Ciphertext</strong> must be binary — use <code>b64dec</code> or <code>decodingStrategy: Base64</code> to convert Base64 payloads.</td>
- </tr>
- <tr>
- <td>toYaml</td>
- <td>Takes an interface, marshals it to yaml. It returns a string, even on marshal error (empty string).</td>
- </tr>
- <tr>
- <td>fromYaml</td>
- <td>Function converts a YAML document into a map[string]any.</td>
- </tr>
- <tr>
- <td>hexdec</td>
- <td>decodes hexadecimal values</td>
- </tr>
- </tbody>
- </table>
- <h2 id="migrating-from-v1">Migrating from v1</h2>
- <p>If you are still using <code>v1alpha1</code>, You have to opt-in to use the new engine version by specifying <code>template.engineVersion=v2</code>:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ...</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="c1"># ...</span>
- </code></pre></div>
- <p>The biggest change was that basically all function parameter types were changed from accepting/returning <code>[]byte</code> to <code>string</code>. This is relevant for you because now you don't need to specify <code>toString</code> all the time at the end of a template pipeline.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="c1"># ...</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># this used to be {{ .foobar | toString }}</span>
- <span class="w"> </span><span class="nt">egg</span><span class="p">:</span><span class="w"> </span><span class="s">"new:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">.foobar</span><span class="nv"> </span><span class="s">}}"</span>
- </code></pre></div>
- <h5 id="functions-removedreplaced">Functions removed/replaced</h5>
- <ul>
- <li><code>base64encode</code> was renamed to <code>b64enc</code>.</li>
- <li><code>base64decode</code> was renamed to <code>b64dec</code>. Any errors that occur during decoding are silenced.</li>
- <li><code>fromJSON</code> was renamed to <code>fromJson</code>. Any errors that occur during unmarshalling are silenced.</li>
- <li><code>toJSON</code> was renamed to <code>toJson</code>. Any errors that occur during marshalling are silenced.</li>
- <li><code>pkcs12key</code> and <code>pkcs12keyPass</code> encode the PKCS#8 key directly into PEM format. There is no need to call <code>pemPrivateKey</code> anymore. Also, these functions do extract all private keys from the PKCS#12 archive not just the first one.</li>
- <li><code>pkcs12cert</code> and <code>pkcs12certPass</code> encode the certs directly into PEM format. There is no need to call <code>pemCertificate</code> anymore. These functions now <strong>extract all certificates</strong> from the PKCS#12 archive not just the first one.</li>
- <li><code>toString</code> implementation was replaced by the <code>sprig</code> implementation and should be api-compatible.</li>
- <li><code>toBytes</code> was removed.</li>
- <li><code>pemPrivateKey</code> was removed. It's now implemented within the <code>pkcs12*</code> functions.</li>
- <li><code>pemCertificate</code> was removed. It's now implemented within the <code>pkcs12*</code> functions.</li>
- </ul>
-
-
- </article>
- </div>
-
-
- <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
- </div>
-
- </main>
-
- <img referrerpolicy="no-referrer-when-downgrade"
- src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" alt=""
- hidden />
-
- <footer class="md-footer">
-
- <div class="md-footer-meta md-typeset">
- <div class="md-footer-meta__inner md-grid">
- <div class="md-copyright">
-
- <div class="md-copyright__highlight">
- © 2025 The external-secrets Authors.<br/>
- © 2025 The Linux Foundation. All rights reserved.<br/><br/>
- The Linux Foundation has registered trademarks and uses trademarks.<br/>
- For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
- </div>
-
-
- Made with
- <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
- Material for MkDocs
- </a>
-
- </div>
-
- </div>
- </div>
- </footer>
-
- </div>
- <div class="md-dialog" data-md-component="dialog">
- <div class="md-dialog__inner md-typeset"></div>
- </div>
-
-
-
-
-
- <script id="__config" type="application/json">{"annotate": null, "base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
-
-
- <script src="../../assets/javascripts/bundle.79ae519e.min.js"></script>
-
-
- </body>
- </html>
|
