index.html 129 KB

  1. <!doctype html>
  2. <html lang="en" class="no-js">
  3. <head>
     <!-- Document head of the generated docs page: metadata, prev/next links, theme
          stylesheets, web fonts, storage helpers and the analytics bootstrap. -->
  4. <meta charset="utf-8">
  5. <meta name="viewport" content="width=device-width,initial-scale=1">
  6. <link rel="prev" href="../hashicorp-vault/">
  7. <link rel="next" href="../ibm-secrets-manager/">
  8. <link rel="icon" href="../../pictures/eso-round-logo.svg">
     <!-- The generator tag publishes the exact mkdocs and mkdocs-material versions
          used to build the site. -->
  9. <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
  10. <title>Kubernetes - External Secrets Operator</title>
  11. <link rel="stylesheet" href="../../assets/stylesheets/main.484c7ddc.min.css">
  12. <link rel="stylesheet" href="../../assets/stylesheets/palette.ab4e12ef.min.css">
     <!-- Third-party font loading: every page view requests CSS from
          fonts.googleapis.com and preconnects to fonts.gstatic.com. A
          Content-Security-Policy for this site has to allow both origins;
          self-hosting the fonts would remove the external request. -->
  13. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  14. <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
  15. <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
     <!-- Inline helpers: __md_scope is "../.." resolved against the current location;
          __md_hash folds a string into an integer; __md_get / __md_set read and write
          JSON values in localStorage (by default) under the key scope pathname + "." +
          name. __md_set silently ignores storage errors. -->
  16. <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
     <!-- Analytics bootstrap: pushes events to window.dataLayer for measurement ID
          G-QP38TD8K7V. It reports the text typed into the search field when the field
          loses focus (event "search"), feedback-button clicks with the page path, and
          the path on each location change. It then injects an async script from
          www.googletagmanager.com after this element. The injected script carries no
          integrity attribute, and a CSP would need to permit both this inline script
          and that origin. -->
  17. <script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-QP38TD8K7V",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
     <!-- Runs the analytics bootstrap as soon as the head is parsed; no consent
          check is visible in this block. NOTE(review): confirm whether a consent
          gate exists elsewhere in the page. -->
  18. <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
  19. </head>
  20. <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
  21. <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
  22. <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
  23. <label class="md-overlay" for="__drawer"></label>
  24. <div data-md-component="skip">
  25. <a href="#external-secret-spec" class="md-skip">
  26. Skip to content
  27. </a>
  28. </div>
  29. <div data-md-component="announce">
  30. </div>
  31. <div data-md-color-scheme="default" data-md-component="outdated" hidden>
  32. <aside class="md-banner md-banner--warning">
  33. <div class="md-banner__inner md-grid md-typeset">
  34. You're not viewing the latest version.
  35. <a href="../../..">
  36. <strong>Click here to go to latest.</strong>
  37. </a>
  38. </div>
  39. <script>var el=document.querySelector("[data-md-component=outdated]"),base=new URL("../.."),outdated=__md_get("__outdated",sessionStorage,base);!0===outdated&&el&&(el.hidden=!1)</script>
  40. </aside>
  41. </div>
  42. <header class="md-header" data-md-component="header">
  43. <nav class="md-header__inner md-grid" aria-label="Header">
  44. <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  45. <img src="../../pictures/eso-round-logo.svg" alt="logo">
  46. </a>
  47. <label class="md-header__button md-icon" for="__drawer">
  48. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
  49. </label>
  50. <div class="md-header__title" data-md-component="header-title">
  51. <div class="md-header__ellipsis">
  52. <div class="md-header__topic">
  53. <span class="md-ellipsis">
  54. External Secrets Operator
  55. </span>
  56. </div>
  57. <div class="md-header__topic" data-md-component="header-topic">
  58. <span class="md-ellipsis">
  59. Kubernetes
  60. </span>
  61. </div>
  62. </div>
  63. </div>
  64. <form class="md-header__option" data-md-component="palette">
  65. <input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
  66. <label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
  67. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
  68. </label>
  69. <input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
  70. <label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
  71. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
  72. </label>
  73. </form>
  74. <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
  75. <label class="md-header__button md-icon" for="__search">
  76. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
  77. </label>
  78. <div class="md-search" data-md-component="search" role="dialog">
  79. <label class="md-search__overlay" for="__search"></label>
  80. <div class="md-search__inner" role="search">
  81. <form class="md-search__form" name="search">
  82. <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
  83. <label class="md-search__icon md-icon" for="__search">
  84. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
  85. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
  86. </label>
  87. <nav class="md-search__options" aria-label="Search">
  88. <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
  89. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
  90. </button>
  91. </nav>
  92. </form>
  93. <div class="md-search__output">
  94. <div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
  95. <div class="md-search-result" data-md-component="search-result">
  96. <div class="md-search-result__meta">
  97. Initializing search
  98. </div>
  99. <ol class="md-search-result__list" role="presentation"></ol>
  100. </div>
  101. </div>
  102. </div>
  103. </div>
  104. </div>
  105. <div class="md-header__source">
  106. <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  107. <div class="md-source__icon md-icon">
  108. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
  109. </div>
  110. <div class="md-source__repository">
  111. External Secrets Operator
  112. </div>
  113. </a>
  114. </div>
  115. </nav>
  116. </header>
  117. <div class="md-container" data-md-component="container">
  118. <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
  119. <div class="md-grid">
  120. <ul class="md-tabs__list">
  121. <li class="md-tabs__item">
  122. <a href="../.." class="md-tabs__link">
  123. Introduction
  124. </a>
  125. </li>
  126. <li class="md-tabs__item">
  127. <a href="../../api/components/" class="md-tabs__link">
  128. API
  129. </a>
  130. </li>
  131. <li class="md-tabs__item">
  132. <a href="../../guides/introduction/" class="md-tabs__link">
  133. Guides
  134. </a>
  135. </li>
  136. <li class="md-tabs__item md-tabs__item--active">
  137. <a href="../aws-secrets-manager/" class="md-tabs__link">
  138. Provider
  139. </a>
  140. </li>
  141. <li class="md-tabs__item">
  142. <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
  143. Examples
  144. </a>
  145. </li>
  146. <li class="md-tabs__item">
  147. <a href="../../contributing/devguide/" class="md-tabs__link">
  148. Community
  149. </a>
  150. </li>
  151. </ul>
  152. </div>
  153. </nav>
  154. <main class="md-main" data-md-component="main">
  155. <div class="md-main__inner md-grid">
  156. <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
  157. <div class="md-sidebar__scrollwrap">
  158. <div class="md-sidebar__inner">
  159. <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
  160. <label class="md-nav__title" for="__drawer">
  161. <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  162. <img src="../../pictures/eso-round-logo.svg" alt="logo">
  163. </a>
  164. External Secrets Operator
  165. </label>
  166. <div class="md-nav__source">
  167. <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  168. <div class="md-source__icon md-icon">
  169. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
  170. </div>
  171. <div class="md-source__repository">
  172. External Secrets Operator
  173. </div>
  174. </a>
  175. </div>
  176. <ul class="md-nav__list" data-md-scrollfix>
  177. <li class="md-nav__item md-nav__item--nested">
  178. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
  179. <div class="md-nav__link md-nav__container">
  180. <a href="../.." class="md-nav__link ">
  181. <span class="md-ellipsis">
  182. Introduction
  183. </span>
  184. </a>
  185. <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
  186. <span class="md-nav__icon md-icon"></span>
  187. </label>
  188. </div>
  189. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
  190. <label class="md-nav__title" for="__nav_1">
  191. <span class="md-nav__icon md-icon"></span>
  192. Introduction
  193. </label>
  194. <ul class="md-nav__list" data-md-scrollfix>
  195. <li class="md-nav__item">
  196. <a href="../../introduction/overview/" class="md-nav__link">
  197. <span class="md-ellipsis">
  198. Overview
  199. </span>
  200. </a>
  201. </li>
  202. <li class="md-nav__item">
  203. <a href="../../introduction/glossary/" class="md-nav__link">
  204. <span class="md-ellipsis">
  205. Glossary
  206. </span>
  207. </a>
  208. </li>
  209. <li class="md-nav__item">
  210. <a href="../../introduction/prerequisites/" class="md-nav__link">
  211. <span class="md-ellipsis">
  212. Prerequisites
  213. </span>
  214. </a>
  215. </li>
  216. <li class="md-nav__item">
  217. <a href="../../introduction/getting-started/" class="md-nav__link">
  218. <span class="md-ellipsis">
  219. Getting started
  220. </span>
  221. </a>
  222. </li>
  223. <li class="md-nav__item">
  224. <a href="../../introduction/faq/" class="md-nav__link">
  225. <span class="md-ellipsis">
  226. FAQ
  227. </span>
  228. </a>
  229. </li>
  230. <li class="md-nav__item">
  231. <a href="../../introduction/stability-support/" class="md-nav__link">
  232. <span class="md-ellipsis">
  233. Stability and Support
  234. </span>
  235. </a>
  236. </li>
  237. <li class="md-nav__item">
  238. <a href="../../introduction/deprecation-policy/" class="md-nav__link">
  239. <span class="md-ellipsis">
  240. Deprecation Policy
  241. </span>
  242. </a>
  243. </li>
  244. </ul>
  245. </nav>
  246. </li>
  247. <li class="md-nav__item md-nav__item--nested">
  248. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
  249. <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
  250. <span class="md-ellipsis">
  251. API
  252. </span>
  253. <span class="md-nav__icon md-icon"></span>
  254. </label>
  255. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
  256. <label class="md-nav__title" for="__nav_2">
  257. <span class="md-nav__icon md-icon"></span>
  258. API
  259. </label>
  260. <ul class="md-nav__list" data-md-scrollfix>
  261. <li class="md-nav__item">
  262. <a href="../../api/components/" class="md-nav__link">
  263. <span class="md-ellipsis">
  264. Components
  265. </span>
  266. </a>
  267. </li>
  268. <li class="md-nav__item md-nav__item--nested">
  269. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
  270. <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
  271. <span class="md-ellipsis">
  272. Core Resources
  273. </span>
  274. <span class="md-nav__icon md-icon"></span>
  275. </label>
  276. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
  277. <label class="md-nav__title" for="__nav_2_2">
  278. <span class="md-nav__icon md-icon"></span>
  279. Core Resources
  280. </label>
  281. <ul class="md-nav__list" data-md-scrollfix>
  282. <li class="md-nav__item">
  283. <a href="../../api/externalsecret/" class="md-nav__link">
  284. <span class="md-ellipsis">
  285. ExternalSecret
  286. </span>
  287. </a>
  288. </li>
  289. <li class="md-nav__item">
  290. <a href="../../api/secretstore/" class="md-nav__link">
  291. <span class="md-ellipsis">
  292. SecretStore
  293. </span>
  294. </a>
  295. </li>
  296. <li class="md-nav__item">
  297. <a href="../../api/clustersecretstore/" class="md-nav__link">
  298. <span class="md-ellipsis">
  299. ClusterSecretStore
  300. </span>
  301. </a>
  302. </li>
  303. <li class="md-nav__item">
  304. <a href="../../api/clusterexternalsecret/" class="md-nav__link">
  305. <span class="md-ellipsis">
  306. ClusterExternalSecret
  307. </span>
  308. </a>
  309. </li>
  310. <li class="md-nav__item">
  311. <a href="../../api/clusterpushsecret/" class="md-nav__link">
  312. <span class="md-ellipsis">
  313. ClusterPushSecret
  314. </span>
  315. </a>
  316. </li>
  317. <li class="md-nav__item">
  318. <a href="../../api/pushsecret/" class="md-nav__link">
  319. <span class="md-ellipsis">
  320. PushSecret
  321. </span>
  322. </a>
  323. </li>
  324. </ul>
  325. </nav>
  326. </li>
  327. <li class="md-nav__item md-nav__item--nested">
  328. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
  329. <div class="md-nav__link md-nav__container">
  330. <a href="../../api/generator/" class="md-nav__link ">
  331. <span class="md-ellipsis">
  332. Generators
  333. </span>
  334. </a>
  335. <label class="md-nav__link " for="__nav_2_3" id="__nav_2_3_label" tabindex="0">
  336. <span class="md-nav__icon md-icon"></span>
  337. </label>
  338. </div>
  339. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
  340. <label class="md-nav__title" for="__nav_2_3">
  341. <span class="md-nav__icon md-icon"></span>
  342. Generators
  343. </label>
  344. <ul class="md-nav__list" data-md-scrollfix>
  345. <li class="md-nav__item">
  346. <a href="../../api/generator/acr/" class="md-nav__link">
  347. <span class="md-ellipsis">
  348. Azure Container Registry
  349. </span>
  350. </a>
  351. </li>
  352. <li class="md-nav__item">
  353. <a href="../../api/generator/ecr/" class="md-nav__link">
  354. <span class="md-ellipsis">
  355. AWS Elastic Container Registry
  356. </span>
  357. </a>
  358. </li>
  359. <li class="md-nav__item">
  360. <a href="../../api/generator/sts/" class="md-nav__link">
  361. <span class="md-ellipsis">
  362. AWS STS Session Token
  363. </span>
  364. </a>
  365. </li>
  366. <li class="md-nav__item">
  367. <a href="../../api/generator/cloudsmith/" class="md-nav__link">
  368. <span class="md-ellipsis">
  369. Cloudsmith
  370. </span>
  371. </a>
  372. </li>
  373. <li class="md-nav__item">
  374. <a href="../../api/generator/cluster/" class="md-nav__link">
  375. <span class="md-ellipsis">
  376. Cluster Generator
  377. </span>
  378. </a>
  379. </li>
  380. <li class="md-nav__item">
  381. <a href="../../api/generator/gcr/" class="md-nav__link">
  382. <span class="md-ellipsis">
  383. Google Container Registry
  384. </span>
  385. </a>
  386. </li>
  387. <li class="md-nav__item">
  388. <a href="../../api/generator/grafana/" class="md-nav__link">
  389. <span class="md-ellipsis">
  390. Grafana
  391. </span>
  392. </a>
  393. </li>
  394. <li class="md-nav__item">
  395. <a href="../../api/generator/quay/" class="md-nav__link">
  396. <span class="md-ellipsis">
  397. Quay
  398. </span>
  399. </a>
  400. </li>
  401. <li class="md-nav__item">
  402. <a href="../../api/generator/vault/" class="md-nav__link">
  403. <span class="md-ellipsis">
  404. Vault Dynamic Secret
  405. </span>
  406. </a>
  407. </li>
  408. <li class="md-nav__item">
  409. <a href="../../api/generator/beyondtrustworkloadcredentials/" class="md-nav__link">
  410. <span class="md-ellipsis">
  411. BeyondTrust Workload Credentials
  412. </span>
  413. </a>
  414. </li>
  415. <li class="md-nav__item">
  416. <a href="../../api/generator/password/" class="md-nav__link">
  417. <span class="md-ellipsis">
  418. Password
  419. </span>
  420. </a>
  421. </li>
  422. <li class="md-nav__item">
  423. <a href="../../api/generator/fake/" class="md-nav__link">
  424. <span class="md-ellipsis">
  425. Fake
  426. </span>
  427. </a>
  428. </li>
  429. <li class="md-nav__item">
  430. <a href="../../api/generator/webhook/" class="md-nav__link">
  431. <span class="md-ellipsis">
  432. Webhook
  433. </span>
  434. </a>
  435. </li>
  436. <li class="md-nav__item">
  437. <a href="../../api/generator/github/" class="md-nav__link">
  438. <span class="md-ellipsis">
  439. Github
  440. </span>
  441. </a>
  442. </li>
  443. <li class="md-nav__item">
  444. <a href="../../api/generator/gitlab/" class="md-nav__link">
  445. <span class="md-ellipsis">
  446. Gitlab
  447. </span>
  448. </a>
  449. </li>
  450. <li class="md-nav__item">
  451. <a href="../../api/generator/uuid/" class="md-nav__link">
  452. <span class="md-ellipsis">
  453. UUID
  454. </span>
  455. </a>
  456. </li>
  457. <li class="md-nav__item">
  458. <a href="../../api/generator/mfa/" class="md-nav__link">
  459. <span class="md-ellipsis">
  460. MFA
  461. </span>
  462. </a>
  463. </li>
  464. <li class="md-nav__item">
  465. <a href="../../api/generator/sshkey/" class="md-nav__link">
  466. <span class="md-ellipsis">
  467. SSHKey
  468. </span>
  469. </a>
  470. </li>
  471. </ul>
  472. </nav>
  473. </li>
  474. <li class="md-nav__item md-nav__item--nested">
  475. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
  476. <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
  477. <span class="md-ellipsis">
  478. Reference Docs
  479. </span>
  480. <span class="md-nav__icon md-icon"></span>
  481. </label>
  482. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
  483. <label class="md-nav__title" for="__nav_2_4">
  484. <span class="md-nav__icon md-icon"></span>
  485. Reference Docs
  486. </label>
  487. <ul class="md-nav__list" data-md-scrollfix>
  488. <li class="md-nav__item">
  489. <a href="../../api/spec/" class="md-nav__link">
  490. <span class="md-ellipsis">
  491. API specification
  492. </span>
  493. </a>
  494. </li>
  495. <li class="md-nav__item">
  496. <a href="../../api/controller-options/" class="md-nav__link">
  497. <span class="md-ellipsis">
  498. Controller Options
  499. </span>
  500. </a>
  501. </li>
  502. <li class="md-nav__item">
  503. <a href="../../api/metrics/" class="md-nav__link">
  504. <span class="md-ellipsis">
  505. Metrics
  506. </span>
  507. </a>
  508. </li>
  509. <li class="md-nav__item">
  510. <a href="../../api/selectable-fields/" class="md-nav__link">
  511. <span class="md-ellipsis">
  512. Selectable Fields
  513. </span>
  514. </a>
  515. </li>
  516. </ul>
  517. </nav>
  518. </li>
  519. </ul>
  520. </nav>
  521. </li>
  522. <li class="md-nav__item md-nav__item--nested">
  523. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
  524. <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
  525. <span class="md-ellipsis">
  526. Guides
  527. </span>
  528. <span class="md-nav__icon md-icon"></span>
  529. </label>
  530. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
  531. <label class="md-nav__title" for="__nav_3">
  532. <span class="md-nav__icon md-icon"></span>
  533. Guides
  534. </label>
  535. <ul class="md-nav__list" data-md-scrollfix>
  536. <li class="md-nav__item">
  537. <a href="../../guides/introduction/" class="md-nav__link">
  538. <span class="md-ellipsis">
  539. Introduction
  540. </span>
  541. </a>
  542. </li>
  543. <li class="md-nav__item md-nav__item--nested">
  544. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
  545. <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
  546. <span class="md-ellipsis">
  547. External Secrets
  548. </span>
  549. <span class="md-nav__icon md-icon"></span>
  550. </label>
  551. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
  552. <label class="md-nav__title" for="__nav_3_2">
  553. <span class="md-nav__icon md-icon"></span>
  554. External Secrets
  555. </label>
  556. <ul class="md-nav__list" data-md-scrollfix>
  557. <li class="md-nav__item">
  558. <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
  559. <span class="md-ellipsis">
  560. Extract structured data
  561. </span>
  562. </a>
  563. </li>
  564. <li class="md-nav__item">
  565. <a href="../../guides/getallsecrets/" class="md-nav__link">
  566. <span class="md-ellipsis">
  567. Find Secrets by Name or Metadata
  568. </span>
  569. </a>
  570. </li>
  571. <li class="md-nav__item">
  572. <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
  573. <span class="md-ellipsis">
  574. Rewriting Keys
  575. </span>
  576. </a>
  577. </li>
  578. <li class="md-nav__item md-nav__item--nested">
  579. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
  580. <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
  581. <span class="md-ellipsis">
  582. Advanced Templating
  583. </span>
  584. <span class="md-nav__icon md-icon"></span>
  585. </label>
  586. <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
  587. <label class="md-nav__title" for="__nav_3_2_4">
  588. <span class="md-nav__icon md-icon"></span>
  589. Advanced Templating
  590. </label>
  591. <ul class="md-nav__list" data-md-scrollfix>
  592. <li class="md-nav__item">
  593. <a href="../../guides/templating/" class="md-nav__link">
  594. <span class="md-ellipsis">
  595. v2
  596. </span>
  597. </a>
  598. </li>
  599. <li class="md-nav__item">
  600. <a href="../../guides/templating-v1/" class="md-nav__link">
  601. <span class="md-ellipsis">
  602. v1
  603. </span>
  604. </a>
  605. </li>
  606. </ul>
  607. </nav>
  608. </li>
  609. <li class="md-nav__item">
  610. <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
  611. <span class="md-ellipsis">
  612. Kubernetes Secret Types
  613. </span>
  614. </a>
  615. </li>
  616. <li class="md-nav__item">
  617. <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
  618. <span class="md-ellipsis">
  619. Lifecycle: ownership & deletion
  620. </span>
  621. </a>
  622. </li>
  623. <li class="md-nav__item">
  624. <a href="../../guides/decoding-strategy/" class="md-nav__link">
  625. <span class="md-ellipsis">
  626. Decoding Strategies
  627. </span>
  628. </a>
  629. </li>
  630. <li class="md-nav__item">
  631. <a href="../../guides/controller-class/" class="md-nav__link">
  632. <span class="md-ellipsis">
  633. Controller Classes
  634. </span>
  635. </a>
  636. </li>
  637. </ul>
  638. </nav>
  639. </li>
  640. <li class="md-nav__item">
  641. <a href="../../guides/targeting-custom-resources/" class="md-nav__link">
  642. <span class="md-ellipsis">
  643. Targeting Custom Resources
  644. </span>
  645. </a>
  646. </li>
  647. <li class="md-nav__item">
  648. <a href="../../guides/generator/" class="md-nav__link">
  649. <span class="md-ellipsis">
  650. Generators
  651. </span>
  652. </a>
  653. </li>
  654. <li class="md-nav__item">
  655. <a href="../../guides/pushsecrets/" class="md-nav__link">
  656. <span class="md-ellipsis">
  657. Push Secrets
  658. </span>
  659. </a>
  660. </li>
  661. <li class="md-nav__item md-nav__item--nested">
  662. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_6" >
  663. <label class="md-nav__link" for="__nav_3_6" id="__nav_3_6_label" tabindex="0">
  664. <span class="md-ellipsis">
  665. Operations
  666. </span>
  667. <span class="md-nav__icon md-icon"></span>
  668. </label>
  669. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_6_label" aria-expanded="false">
  670. <label class="md-nav__title" for="__nav_3_6">
  671. <span class="md-nav__icon md-icon"></span>
  672. Operations
  673. </label>
  674. <ul class="md-nav__list" data-md-scrollfix>
  675. <li class="md-nav__item">
  676. <a href="../../guides/multi-tenancy/" class="md-nav__link">
  677. <span class="md-ellipsis">
  678. Multi Tenancy
  679. </span>
  680. </a>
  681. </li>
  682. <li class="md-nav__item">
  683. <a href="../../guides/security-best-practices/" class="md-nav__link">
  684. <span class="md-ellipsis">
  685. Security Best Practices
  686. </span>
  687. </a>
  688. </li>
  689. <li class="md-nav__item">
  690. <a href="../../guides/threat-model/" class="md-nav__link">
  691. <span class="md-ellipsis">
  692. Threat Model
  693. </span>
  694. </a>
  695. </li>
  696. <li class="md-nav__item">
  697. <a href="../../guides/v1beta1/" class="md-nav__link">
  698. <span class="md-ellipsis">
  699. Upgrading to v1beta1
  700. </span>
  701. </a>
  702. </li>
  703. <li class="md-nav__item">
  704. <a href="../../guides/using-latest-image/" class="md-nav__link">
  705. <span class="md-ellipsis">
  706. Using Latest Image
  707. </span>
  708. </a>
  709. </li>
  710. <li class="md-nav__item">
  711. <a href="../../guides/disable-cluster-features/" class="md-nav__link">
  712. <span class="md-ellipsis">
  713. Disable Cluster Features
  714. </span>
  715. </a>
  716. </li>
  717. </ul>
  718. </nav>
  719. </li>
  720. <li class="md-nav__item md-nav__item--nested">
  721. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_7" >
  722. <label class="md-nav__link" for="__nav_3_7" id="__nav_3_7_label" tabindex="0">
  723. <span class="md-ellipsis">
  724. Tooling
  725. </span>
  726. <span class="md-nav__icon md-icon"></span>
  727. </label>
  728. <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_7_label" aria-expanded="false">
  729. <label class="md-nav__title" for="__nav_3_7">
  730. <span class="md-nav__icon md-icon"></span>
  731. Tooling
  732. </label>
  733. <ul class="md-nav__list" data-md-scrollfix>
  734. <li class="md-nav__item">
  735. <a href="../../guides/using-esoctl-tool/" class="md-nav__link">
  736. <span class="md-ellipsis">
  737. Using the esoctl tool
  738. </span>
  739. </a>
  740. </li>
  741. </ul>
  742. </nav>
  743. </li>
  744. </ul>
  745. </nav>
  746. </li>
  747. <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
  748. <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
  749. <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
  750. <span class="md-ellipsis">
  751. Provider
  752. </span>
  753. <span class="md-nav__icon md-icon"></span>
  754. </label>
  755. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
  756. <label class="md-nav__title" for="__nav_4">
  757. <span class="md-nav__icon md-icon"></span>
  758. Provider
  759. </label>
  760. <ul class="md-nav__list" data-md-scrollfix>
  761. <li class="md-nav__item">
  762. <a href="../aws-secrets-manager/" class="md-nav__link">
  763. <span class="md-ellipsis">
  764. AWS Secrets Manager
  765. </span>
  766. </a>
  767. </li>
  768. <li class="md-nav__item">
  769. <a href="../aws-parameter-store/" class="md-nav__link">
  770. <span class="md-ellipsis">
  771. AWS Parameter Store
  772. </span>
  773. </a>
  774. </li>
  775. <li class="md-nav__item">
  776. <a href="../aws-access/" class="md-nav__link">
  777. <span class="md-ellipsis">
  778. AWS Access
  779. </span>
  780. </a>
  781. </li>
  782. <li class="md-nav__item">
  783. <a href="../azure-key-vault/" class="md-nav__link">
  784. <span class="md-ellipsis">
  785. Azure Key Vault
  786. </span>
  787. </a>
  788. </li>
  789. <li class="md-nav__item">
  790. <a href="../barbican/" class="md-nav__link">
  791. <span class="md-ellipsis">
  792. Barbican
  793. </span>
  794. </a>
  795. </li>
  796. <li class="md-nav__item">
  797. <a href="../beyondtrust/" class="md-nav__link">
  798. <span class="md-ellipsis">
  799. BeyondTrust
  800. </span>
  801. </a>
  802. </li>
  803. <li class="md-nav__item">
  804. <a href="../beyondtrustworkloadcredentials/" class="md-nav__link">
  805. <span class="md-ellipsis">
  806. BeyondTrust Workload Credentials
  807. </span>
  808. </a>
  809. </li>
  810. <li class="md-nav__item">
  811. <a href="../bitwarden-secrets-manager/" class="md-nav__link">
  812. <span class="md-ellipsis">
  813. Bitwarden Secrets Manager
  814. </span>
  815. </a>
  816. </li>
  817. <li class="md-nav__item">
  818. <a href="../chef/" class="md-nav__link">
  819. <span class="md-ellipsis">
  820. Chef
  821. </span>
  822. </a>
  823. </li>
  824. <li class="md-nav__item">
  825. <a href="../cloudru/" class="md-nav__link">
  826. <span class="md-ellipsis">
  827. Cloud.ru Secret Manager
  828. </span>
  829. </a>
  830. </li>
  831. <li class="md-nav__item">
  832. <a href="../conjur/" class="md-nav__link">
  833. <span class="md-ellipsis">
  834. CyberArk Conjur
  835. </span>
  836. </a>
  837. </li>
  838. <li class="md-nav__item">
  839. <a href="../google-secrets-manager/" class="md-nav__link">
  840. <span class="md-ellipsis">
  841. Google Cloud Secret Manager
  842. </span>
  843. </a>
  844. </li>
  845. <li class="md-nav__item">
  846. <a href="../hashicorp-vault/" class="md-nav__link">
  847. <span class="md-ellipsis">
  848. HashiCorp Vault
  849. </span>
  850. </a>
  851. </li>
  852. <li class="md-nav__item md-nav__item--active">
  853. <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
  854. <label class="md-nav__link md-nav__link--active" for="__toc">
  855. <span class="md-ellipsis">
  856. Kubernetes
  857. </span>
  858. <span class="md-nav__icon md-icon"></span>
  859. </label>
  860. <a href="./" class="md-nav__link md-nav__link--active">
  861. <span class="md-ellipsis">
  862. Kubernetes
  863. </span>
  864. </a>
  865. <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  866. <label class="md-nav__title" for="__toc">
  867. <span class="md-nav__icon md-icon"></span>
  868. Table of contents
  869. </label>
  870. <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
  871. <li class="md-nav__item">
  872. <a href="#external-secret-spec" class="md-nav__link">
  873. <span class="md-ellipsis">
  874. External Secret Spec
  875. </span>
  876. </a>
  877. <nav class="md-nav" aria-label="External Secret Spec">
  878. <ul class="md-nav__list">
  879. <li class="md-nav__item">
  880. <a href="#find-by-tag-name" class="md-nav__link">
  881. <span class="md-ellipsis">
  882. find by tag &amp; name
  883. </span>
  884. </a>
  885. </li>
  886. </ul>
  887. </nav>
  888. </li>
  889. <li class="md-nav__item">
  890. <a href="#target-api-server-configuration" class="md-nav__link">
  891. <span class="md-ellipsis">
  892. Target API-Server Configuration
  893. </span>
  894. </a>
  895. </li>
  896. <li class="md-nav__item">
  897. <a href="#authentication" class="md-nav__link">
  898. <span class="md-ellipsis">
  899. Authentication
  900. </span>
  901. </a>
  902. <nav class="md-nav" aria-label="Authentication">
  903. <ul class="md-nav__list">
  904. <li class="md-nav__item">
  905. <a href="#authenticating-with-bearertoken" class="md-nav__link">
  906. <span class="md-ellipsis">
  907. Authenticating with BearerToken
  908. </span>
  909. </a>
  910. </li>
  911. <li class="md-nav__item">
  912. <a href="#authenticating-with-serviceaccount" class="md-nav__link">
  913. <span class="md-ellipsis">
  914. Authenticating with ServiceAccount
  915. </span>
  916. </a>
  917. </li>
  918. <li class="md-nav__item">
  919. <a href="#authenticating-with-client-certificates" class="md-nav__link">
  920. <span class="md-ellipsis">
  921. Authenticating with Client Certificates
  922. </span>
  923. </a>
  924. </li>
  925. </ul>
  926. </nav>
  927. </li>
  928. <li class="md-nav__item">
  929. <a href="#access-from-different-namespace-in-same-cluster" class="md-nav__link">
  930. <span class="md-ellipsis">
  931. Access from different namespace in same cluster
  932. </span>
  933. </a>
  934. </li>
  935. <li class="md-nav__item">
  936. <a href="#pushsecret" class="md-nav__link">
  937. <span class="md-ellipsis">
  938. PushSecret
  939. </span>
  940. </a>
  941. <nav class="md-nav" aria-label="PushSecret">
  942. <ul class="md-nav__list">
  943. <li class="md-nav__item">
  944. <a href="#pushsecret-metadata" class="md-nav__link">
  945. <span class="md-ellipsis">
  946. PushSecret Metadata
  947. </span>
  948. </a>
  949. </li>
  950. <li class="md-nav__item">
  951. <a href="#implementation-considerations" class="md-nav__link">
  952. <span class="md-ellipsis">
  953. Implementation Considerations
  954. </span>
  955. </a>
  956. </li>
  957. </ul>
  958. </nav>
  959. </li>
  960. </ul>
  961. </nav>
  962. </li>
  963. <li class="md-nav__item">
  964. <a href="../ibm-secrets-manager/" class="md-nav__link">
  965. <span class="md-ellipsis">
  966. IBM Secrets Manager
  967. </span>
  968. </a>
  969. </li>
  970. <li class="md-nav__item">
  971. <a href="../akeyless/" class="md-nav__link">
  972. <span class="md-ellipsis">
  973. Akeyless
  974. </span>
  975. </a>
  976. </li>
  977. <li class="md-nav__item">
  978. <a href="../yandex-certificate-manager/" class="md-nav__link">
  979. <span class="md-ellipsis">
  980. Yandex Certificate Manager
  981. </span>
  982. </a>
  983. </li>
  984. <li class="md-nav__item">
  985. <a href="../yandex-lockbox/" class="md-nav__link">
  986. <span class="md-ellipsis">
  987. Yandex Lockbox
  988. </span>
  989. </a>
  990. </li>
  991. <li class="md-nav__item">
  992. <a href="../gitlab-variables/" class="md-nav__link">
  993. <span class="md-ellipsis">
  994. GitLab Variables
  995. </span>
  996. </a>
  997. </li>
  998. <li class="md-nav__item">
  999. <a href="../github/" class="md-nav__link">
  1000. <span class="md-ellipsis">
  1001. Github Actions Secrets
  1002. </span>
  1003. </a>
  1004. </li>
  1005. <li class="md-nav__item">
  1006. <a href="../oracle-vault/" class="md-nav__link">
  1007. <span class="md-ellipsis">
  1008. Oracle Vault
  1009. </span>
  1010. </a>
  1011. </li>
  1012. <li class="md-nav__item">
  1013. <a href="../ovhcloud/" class="md-nav__link">
  1014. <span class="md-ellipsis">
  1015. OVHcloud
  1016. </span>
  1017. </a>
  1018. </li>
  1019. <li class="md-nav__item">
  1020. <a href="../1password-automation/" class="md-nav__link">
  1021. <span class="md-ellipsis">
  1022. 1Password Connect Server
  1023. </span>
  1024. </a>
  1025. </li>
  1026. <li class="md-nav__item">
  1471. <div class="md-content" data-md-component="content">
  1472. <article class="md-content__inner md-typeset">
  1473. <h1>Kubernetes</h1>
  1474. <p>External Secrets Operator allows you to retrieve secrets from a Kubernetes cluster. This can be either a remote cluster or the local one in which the operator runs.</p>
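  1475. <p>A <code>SecretStore</code> points to a <strong>specific namespace</strong> in the target Kubernetes cluster. You can retrieve all secrets from that namespace, provided the credentials the store authenticates with have the required RBAC permissions. An <code>ExternalSecret</code> that references the store can pull any secret those credentials can read, so grant the store only the access it needs.</p>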
  1476. <p>The <code>SecretStore</code> reconciler checks whether you have read access to secrets in that namespace using <code>SelfSubjectRulesReview</code>, and falls back to <code>SelfSubjectAccessReview</code> when that fails. See below for how to set this up properly.</p>
  1477. <h3 id="external-secret-spec">External Secret Spec</h3>
  1478. <p>This provider supports the <code>Property</code> field, which points to a key of the remote secret. If you leave it empty, all key/value pairs are returned JSON-encoded.</p>
  1479. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1480. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1481. <span class="nt">metadata</span><span class="p">:</span>
  1482. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1483. <span class="nt">spec</span><span class="p">:</span>
  1484. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
  1485. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1486. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1487. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store</span><span class="w"> </span><span class="c1"># name of the SecretStore (or kind specified)</span>
  1488. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1489. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span><span class="w"> </span><span class="c1"># name of the k8s Secret to be created</span>
  1490. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1491. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
  1492. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1493. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1494. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
  1495. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
  1496. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1497. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1498. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
  1499. <span class="w"> </span><span class="c1"># metadataPolicy to fetch all the labels and annotations in JSON format</span>
  1500. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tags</span>
  1501. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1502. <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
  1503. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1504. <span class="w"> </span><span class="c1"># metadataPolicy to fetch all the labels in JSON format</span>
  1505. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels</span>
  1506. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1507. <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
  1508. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1509. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels</span>
  1510. <span class="w"> </span><span class="c1"># metadataPolicy to fetch a specific label (dev) from the source secret</span>
  1511. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">developer</span>
  1512. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1513. <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
  1514. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1515. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">labels.dev</span>
  1516. </code></pre></div>
  1517. <h4 id="find-by-tag-name">find by tag &amp; name</h4>
  1518. <p>You can fetch secrets based on labels or names matching a regexp:</p>
  1519. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1520. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1521. <span class="nt">metadata</span><span class="p">:</span>
  1522. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fetch-tls-and-nginx</span>
  1523. <span class="nt">spec</span><span class="p">:</span>
  1524. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
  1525. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1526. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1527. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store</span>
  1528. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1529. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fetch-tls-and-nginx</span>
  1530. <span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
  1531. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
  1532. <span class="w"> </span><span class="nt">name</span><span class="p">:</span>
  1533. <span class="w"> </span><span class="c1"># match secret name with regexp</span>
  1534. <span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls-.*&quot;</span>
  1535. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
  1536. <span class="w"> </span><span class="nt">tags</span><span class="p">:</span>
  1537. <span class="w"> </span><span class="c1"># fetch secrets based on label combination</span>
  1538. <span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;nginx&quot;</span>
  1539. </code></pre></div>
  1540. <h3 id="target-api-server-configuration">Target API-Server Configuration</h3>
  1541. <p>The server's <code>url</code> can be omitted and defaults to <code>kubernetes.default</code>. If no <code>caBundle</code> or <code>caProvider</code> is specified, the operator uses the system certificate roots from the container image. Both the default (<code>distroless/static</code>) and UBI images include standard CA certificates, so connections to servers using well-known CAs (e.g., Let's Encrypt) work without explicit CA configuration.
  1542. For your convenience, each namespace has a ConfigMap <code>kube-root-ca.crt</code> that contains the CA certificate of the internal API Server (see <code>RootCAConfigMap</code> <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/">feature gate</a>).
  1543. Use that if you want to connect to the same API server.
  1544. If you want to connect to a remote API Server, you need to fetch that server's CA certificate, through a channel you trust, and store it inside the cluster as a ConfigMap or Secret.
  1545. You may also define it inline as a base64-encoded value using the <code>caBundle</code> property.</p>
  1546. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1547. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1548. <span class="nt">metadata</span><span class="p">:</span>
  1549. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-default-ns</span>
  1550. <span class="nt">spec</span><span class="p">:</span>
  1551. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1552. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1553. <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
  1554. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1555. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1556. <span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://myapiserver.tld&quot;</span>
  1557. <span class="w"> </span><span class="nt">caProvider</span><span class="p">:</span>
  1558. <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
  1559. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kube-root-ca.crt</span>
  1560. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ca.crt</span>
  1561. </code></pre></div>
  1562. <div class="admonition note">
  1563. <p class="admonition-title">Note</p>
  1564. <p>System CA roots only cover certificates signed by well-known CAs. Internal Kubernetes API servers typically use self-signed or cluster-internal CAs — for those you still need to provide an explicit <code>caBundle</code> or <code>caProvider</code>.</p>
  1565. </div>
  1566. <p>If the remote server uses a certificate from a well-known CA, you can omit CA configuration entirely:</p>
  1567. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1568. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1569. <span class="nt">metadata</span><span class="p">:</span>
  1570. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-system-ca</span>
  1571. <span class="nt">spec</span><span class="p">:</span>
  1572. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1573. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1574. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1575. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1576. <span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://my-proxy.example.com&quot;</span>
  1577. <span class="w"> </span><span class="c1"># No caBundle or caProvider — uses system CA roots</span>
  1578. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1579. <span class="w"> </span><span class="nt">token</span><span class="p">:</span>
  1580. <span class="w"> </span><span class="nt">bearerToken</span><span class="p">:</span>
  1581. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-token</span>
  1582. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
  1583. </code></pre></div>
  1584. <h3 id="authentication">Authentication</h3>
  1585. <p>It's possible to authenticate against the Kubernetes API using client certificates, a bearer token or a service account. The operator enforces that exactly one authentication method is used. You cannot use the service account that is mounted inside the operator; this is by design, to avoid reading secrets across namespaces.</p>
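  1586. <p><strong>NOTE:</strong> The <code>SelfSubjectRulesReview</code> permission is required for store validation to work properly. Please use the following role as a reference. It grants <code>get</code>, <code>list</code> and <code>watch</code> on every Secret in its namespace, so bind it only to the identity the store authenticates as:</p>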
  1587. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
  1588. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
  1589. <span class="nt">metadata</span><span class="p">:</span>
  1590. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1591. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-role</span>
  1592. <span class="nt">rules</span><span class="p">:</span>
  1593. <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span>
  1594. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1595. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets</span>
  1596. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1597. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">get</span>
  1598. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">list</span>
  1599. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">watch</span>
  1600. <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span>
  1601. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">authorization.k8s.io</span>
  1602. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1603. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsubjectrulesreviews</span>
  1604. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1605. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
  1606. </code></pre></div>
  1607. <h4 id="authenticating-with-bearertoken">Authenticating with BearerToken</h4>
  1608. <p>Create a Kubernetes secret with a client token. There are many ways to acquire such a token; please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies">Kubernetes Authentication docs</a>. Because the example below uses the <code>data</code> field, the token value must be base64-encoded.</p>
  1609. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
  1610. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
  1611. <span class="nt">metadata</span><span class="p">:</span>
  1612. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-token</span>
  1613. <span class="nt">data</span><span class="p">:</span>
  1614. <span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;....&quot;</span>
  1615. </code></pre></div>
  1616. <p>Create a SecretStore. The <code>auth</code> section indicates that the type <code>token</code> will be used for authentication; it includes the name and key of the Secret from which the token is fetched. Set <code>remoteNamespace</code> to the name of the namespace where your target secrets reside.</p>
  1617. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1618. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1619. <span class="nt">metadata</span><span class="p">:</span>
  1620. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-token-auth</span>
  1621. <span class="nt">spec</span><span class="p">:</span>
  1622. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1623. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1624. <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
  1625. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1626. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1627. <span class="w"> </span><span class="c1"># ...</span>
  1628. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1629. <span class="w"> </span><span class="nt">token</span><span class="p">:</span>
  1630. <span class="w"> </span><span class="nt">bearerToken</span><span class="p">:</span>
  1631. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-token</span>
  1632. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
  1633. </code></pre></div>
  1634. <h4 id="authenticating-with-serviceaccount">Authenticating with ServiceAccount</h4>
  1635. <p>Create a Kubernetes Service Account. Please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens">Service Account Tokens Documentation</a> for how they work and how to create them.</p>
  1636. <div class="highlight"><pre><span></span><code>$ kubectl create serviceaccount my-store
  1637. </code></pre></div>
  1638. <p>This Service Account needs permissions to read <code>Secret</code> and create <code>SelfSubjectRulesReview</code> resources. Please see the above role.</p>
  1639. <div class="highlight"><pre><span></span><code>$ kubectl create rolebinding my-store --role=eso-store-role --serviceaccount=default:my-store
  1640. </code></pre></div>
  1641. <p>Create a SecretStore: the <code>auth</code> section indicates that the type <code>serviceAccount</code> will be used for authentication.</p>
  1642. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1643. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1644. <span class="nt">metadata</span><span class="p">:</span>
  1645. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-sa-auth</span>
  1646. <span class="nt">spec</span><span class="p">:</span>
  1647. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1648. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1649. <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
  1650. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1651. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1652. <span class="w"> </span><span class="c1"># ...</span>
  1653. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1654. <span class="w"> </span><span class="nt">serviceAccount</span><span class="p">:</span>
  1655. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-store&quot;</span>
  1656. </code></pre></div>
  1657. <h4 id="authenticating-with-client-certificates">Authenticating with Client Certificates</h4>
  1658. <p>Create a Kubernetes secret that contains the client key and certificate. See the <a href="https://kubernetes.io/docs/tasks/administer-cluster/certificates/">Generate Certificates Documentation</a> on how to create them.</p>
  1659. <div class="highlight"><pre><span></span><code>$ kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
  1660. </code></pre></div>
  1661. <p>Reference the <code>tls-secret</code> in the SecretStore:</p>
  1662. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1663. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1664. <span class="nt">metadata</span><span class="p">:</span>
  1665. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-cert-auth</span>
  1666. <span class="nt">spec</span><span class="p">:</span>
  1667. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1668. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1669. <span class="w"> </span><span class="c1"># with this, the store is able to pull only from `default` namespace</span>
  1670. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1671. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1672. <span class="w"> </span><span class="c1"># ...</span>
  1673. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1674. <span class="w"> </span><span class="nt">cert</span><span class="p">:</span>
  1675. <span class="w"> </span><span class="nt">clientCert</span><span class="p">:</span>
  1676. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls-secret&quot;</span>
  1677. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.crt&quot;</span>
  1678. <span class="w"> </span><span class="nt">clientKey</span><span class="p">:</span>
  1679. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls-secret&quot;</span>
  1680. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.key&quot;</span>
  1681. </code></pre></div>
  1682. <h3 id="access-from-different-namespace-in-same-cluster">Access from different namespace in same cluster</h3>
  1683. <p>If you don't have cluster-wide access to create a <code>ClusterExternalSecret</code>, you can still access a secret from a dedicated namespace by using a bearer token for a service account within that namespace:</p>
  1684. <div class="highlight"><pre><span></span><code><span class="c1"># shared-secrets.yaml</span>
  1685. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
  1686. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
  1687. <span class="nt">metadata</span><span class="p">:</span>
  1688. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">user-credentials</span>
  1689. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1690. <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span>
  1691. <span class="nt">stringData</span><span class="p">:</span>
  1692. <span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">peter</span>
  1693. <span class="nn">---</span>
  1694. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
  1695. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
  1696. <span class="nt">metadata</span><span class="p">:</span>
  1697. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-role</span>
  1698. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1699. <span class="nt">rules</span><span class="p">:</span>
  1700. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span>
  1701. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1702. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets</span>
  1703. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1704. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">get</span>
  1705. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">list</span>
  1706. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">watch</span>
  1707. <span class="w"> </span><span class="c1"># This will allow the role `eso-store-role` to perform **permission reviews** for itself within the defined namespace:</span>
  1708. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span>
  1709. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">authorization.k8s.io</span>
  1710. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1711. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsubjectrulesreviews</span><span class="w"> </span><span class="c1"># used to review or fetch the list of permissions a user or service account currently has.</span>
  1712. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1713. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span><span class="w"> </span><span class="c1"># `create` allows creating a `selfsubjectrulesreviews` request.</span>
  1714. <span class="nn">---</span>
  1715. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
  1716. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
  1717. <span class="nt">metadata</span><span class="p">:</span>
  1718. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-service-account</span>
  1719. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1720. <span class="nn">---</span>
  1721. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
  1722. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">RoleBinding</span>
  1723. <span class="nt">metadata</span><span class="p">:</span>
  1724. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bind-eso-store-role-to-eso-service-account</span>
  1725. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1726. <span class="nt">subjects</span><span class="p">:</span>
  1727. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
  1728. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-service-account</span>
  1729. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1730. <span class="nt">roleRef</span><span class="p">:</span>
  1731. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
  1732. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-role</span>
  1733. <span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io</span>
  1734. </code></pre></div>
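  1735. <p>After <code>kubectl apply -f shared-secrets.yaml</code>, create a bearer token for the service account with <code>kubectl create token eso-service-account</code> (the service account lives in the <code>shared-secrets</code> namespace, so run the command against that namespace). Tokens issued this way are time-limited, so the stored token must be replaced before it expires or the store will stop authenticating. Then use that bearer token to access the <code>remoteNamespace</code> via a secret in the target namespace:</p>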
  1736. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
  1737. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
  1738. <span class="nt">metadata</span><span class="p">:</span>
  1739. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-token</span>
  1740. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-namespace</span>
  1741. <span class="nt">stringData</span><span class="p">:</span>
  1742. <span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;paste-bearer-token-here&gt;&quot;</span>
  1743. <span class="nn">---</span>
  1744. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1745. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1746. <span class="nt">metadata</span><span class="p">:</span>
  1747. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes-secret-store</span>
  1748. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-namespace</span>
  1749. <span class="nt">spec</span><span class="p">:</span>
  1750. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1751. <span class="w"> </span><span class="nt">kubernetes</span><span class="p">:</span>
  1752. <span class="w"> </span><span class="nt">remoteNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">shared-secrets</span>
  1753. <span class="w"> </span><span class="nt">server</span><span class="p">:</span>
  1754. <span class="w"> </span><span class="c1"># Skip url cause we are in the same cluster</span>
  1755. <span class="w"> </span><span class="nt">caProvider</span><span class="p">:</span>
  1756. <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
  1757. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kube-root-ca.crt</span>
  1758. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ca.crt</span>
  1759. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1760. <span class="w"> </span><span class="nt">token</span><span class="p">:</span>
  1761. <span class="w"> </span><span class="nt">bearerToken</span><span class="p">:</span>
  1762. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-token</span>
  1763. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
  1764. <span class="nn">---</span>
  1765. <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
  1766. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1767. <span class="nt">metadata</span><span class="p">:</span>
  1768. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-kubernetes-secret</span>
  1769. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">target-namespace</span>
  1770. <span class="nt">spec</span><span class="p">:</span>
  1771. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1772. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1773. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes-secret-store</span>
  1774. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1775. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-kubernetes-secret</span>
  1776. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1777. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
  1778. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1779. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">user-credentials</span>
  1780. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
  1781. </code></pre></div>
  1782. <h3 id="pushsecret">PushSecret</h3>
  1783. <p>The PushSecret functionality facilitates the replication of a Kubernetes Secret from one namespace or cluster to another. This feature proves useful in scenarios where you need to share sensitive information, such as credentials or configuration data, across different parts of your infrastructure.</p>
  1784. <p>To configure the PushSecret resource, you need to specify the following parameters:</p>
  1785. <ul>
  1786. <li>
  1787. <p><strong>Selector</strong>: Specify the selector that identifies the source Secret to be replicated. This selector allows you to target the specific Secret you want to share.</p>
  1788. </li>
  1789. <li>
  1790. <p><strong>SecretKey</strong>: Set the SecretKey parameter to indicate the key within the source Secret that you want to replicate. This ensures that only the relevant information is shared.</p>
  1791. </li>
  1792. <li>
  1793. <p><strong>RemoteRef.Property</strong>: In addition to the above parameters, the Kubernetes provider requires you to set the <code>remoteRef.property</code> field. This field specifies the key of the remote Secret resource where the replicated value should be stored.</p>
  1794. </li>
  1795. </ul>
  1796. <p>Here's an example:</p>
  1797. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
  1798. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
  1799. <span class="nt">metadata</span><span class="p">:</span>
  1800. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
  1801. <span class="nt">spec</span><span class="p">:</span>
  1802. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
  1803. <span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
  1804. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-remote-ns</span>
  1805. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1806. <span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
  1807. <span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
  1808. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span>
  1809. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1810. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
  1811. <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span>
  1812. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1813. <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote-best-pokemon</span>
  1814. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span>
  1815. </code></pre></div>
  1816. <p>To use the PushSecret feature effectively, the referenced <code>SecretStore</code> requires specific permissions on the target cluster. In particular, it requires <code>create</code>, <code>read</code>, <code>update</code> and <code>delete</code> permissions on the Secret resource. Because these permissions apply to every Secret in the Role's namespace, create the Role only in the namespace that should receive pushed secrets:</p>
  1817. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
  1818. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Role</span>
  1819. <span class="nt">metadata</span><span class="p">:</span>
  1820. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote</span>
  1821. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eso-store-push-role</span>
  1822. <span class="nt">rules</span><span class="p">:</span>
  1823. <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span>
  1824. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1825. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secrets</span>
  1826. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1827. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">get</span>
  1828. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">list</span>
  1829. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">watch</span>
  1830. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
  1831. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">update</span>
  1832. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">patch</span>
  1833. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">delete</span>
  1834. <span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span>
  1835. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">authorization.k8s.io</span>
  1836. <span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
  1837. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">selfsubjectrulesreviews</span>
  1838. <span class="w"> </span><span class="nt">verbs</span><span class="p">:</span>
  1839. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">create</span>
  1840. </code></pre></div>
  1841. <p>It is possible to override the target secret type with the <code>.template.type</code> property. By default the secret type is copied from the source secret. If none is specified, the default type <code>Opaque</code> will be used. The type can be set to any valid Kubernetes secret type, such as <code>kubernetes.io/dockerconfigjson</code>, <code>kubernetes.io/tls</code>, etc.</p>
  1842. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
  1843. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
  1844. <span class="nt">metadata</span><span class="p">:</span>
  1845. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
  1846. <span class="nt">spec</span><span class="p">:</span>
  1847. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
  1848. <span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
  1849. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s-store-remote-ns</span>
  1850. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1851. <span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
  1852. <span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
  1853. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span>
  1854. <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
  1855. <span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/dockerconfigjson</span>
  1856. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1857. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
  1858. <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dockerconfigjson</span>
  1859. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1860. <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote-dockerconfigjson</span>
  1861. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;.dockerconfigjson&quot;</span>
  1862. </code></pre></div>
  1863. <h4 id="pushsecret-metadata">PushSecret Metadata</h4>
  1864. <p>The Kubernetes provider is able to manage both <code>metadata.labels</code> and <code>metadata.annotations</code> of the secret on the target cluster.</p>
  1865. <p>Users have different preferences on what metadata should be pushed. ESO, by default, pushes both labels and annotations to the target secret and merges them with the existing metadata.</p>
  1866. <p>You can specify the metadata in the <code>spec.template.metadata</code> section if you want to decouple it from the existing secret.</p>
  1867. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
  1868. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
  1869. <span class="nt">metadata</span><span class="p">:</span>
  1870. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
  1871. <span class="nt">spec</span><span class="p">:</span>
  1872. <span class="w"> </span><span class="c1"># ...</span>
  1873. <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
  1874. <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
  1875. <span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
  1876. <span class="w"> </span><span class="nt">app.kubernetes.io/part-of</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">argocd</span>
  1877. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1878. <span class="w"> </span><span class="nt">mysql_connection_string</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;mysql://{{</span><span class="nv"> </span><span class="s">.hostname</span><span class="nv"> </span><span class="s">}}:3306/{{</span><span class="nv"> </span><span class="s">.database</span><span class="nv"> </span><span class="s">}}&quot;</span>
  1879. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1880. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
  1881. <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysql_connection_string</span>
  1882. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1883. <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">backend_secrets</span>
  1884. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysql_connection_string</span>
  1885. </code></pre></div>
  1886. <p>Further, you can leverage the <code>.data[].metadata</code> section to fine-tune the behavior of the metadata merge strategy. The metadata section is structured <em>similarly</em> to a versioned custom resource; its behavior is detailed below.</p>
  1887. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
  1888. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
  1889. <span class="nt">metadata</span><span class="p">:</span>
  1890. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
  1891. <span class="nt">spec</span><span class="p">:</span>
  1892. <span class="w"> </span><span class="c1"># ...</span>
  1893. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1894. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
  1895. <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-1</span>
  1896. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1897. <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-remote-secret</span>
  1898. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">url</span>
  1899. <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
  1900. <span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.external-secrets.io/v1alpha1</span>
  1901. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
  1902. <span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
  1903. <span class="w"> </span><span class="nt">sourceMergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span><span class="w"> </span><span class="c1"># or Replace</span>
  1904. <span class="w"> </span><span class="nt">targetMergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span><span class="w"> </span><span class="c1"># or Replace / Ignore</span>
  1905. <span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
  1906. <span class="w"> </span><span class="nt">color</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">red</span>
  1907. <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
  1908. <span class="w"> </span><span class="nt">yes</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">please</span>
  1909. </code></pre></div>
  1910. <table>
  1911. <thead>
  1912. <tr>
  1913. <th>Field</th>
  1914. <th>Type</th>
  1915. <th>Description</th>
  1916. </tr>
  1917. </thead>
  1918. <tbody>
  1919. <tr>
  1920. <td>sourceMergePolicy</td>
  1921. <td>string: <code>Merge</code>, <code>Replace</code></td>
  1922. <td>The sourceMergePolicy defines how the metadata of the source secret is merged. <code>Merge</code> will merge the metadata of the source secret with the metadata defined in <code>.data[].metadata</code>. With <code>Replace</code>, the metadata in <code>.data[].metadata</code> replaces the source metadata.</td>
  1923. </tr>
  1924. <tr>
  1925. <td>targetMergePolicy</td>
  1926. <td>string: <code>Merge</code>, <code>Replace</code>, <code>Ignore</code></td>
  1927. <td>The targetMergePolicy defines how ESO merges the metadata produced by the sourceMergePolicy with the target secret. With <code>Merge</code>, the source metadata is merged with the existing metadata from the target secret. <code>Replace</code> will replace the target metadata with the metadata defined in the source. <code>Ignore</code> leaves the target metadata as is.</td>
  1928. </tr>
  1929. <tr>
  1930. <td>labels</td>
  1931. <td><code>map[string]string</code></td>
  1932. <td>The labels.</td>
  1933. </tr>
  1934. <tr>
  1935. <td>annotations</td>
  1936. <td><code>map[string]string</code></td>
  1937. <td>The annotations.</td>
  1938. </tr>
  1939. <tr>
  1940. <td>remoteNamespace</td>
  1941. <td>string</td>
  1942. <td>The Namespace in which the remote Secret will be created, if defined.</td>
  1943. </tr>
  1944. </tbody>
  1945. </table>
  1946. <h4 id="implementation-considerations">Implementation Considerations</h4>
  1947. <p>When using the PushSecret feature and configuring the permissions for the SecretStore, consider the following:</p>
  1948. <ul>
  1949. <li>
  1950. <p><strong>RBAC Configuration</strong>: Ensure that the Role-Based Access Control (RBAC) configuration for the SecretStore grants the appropriate permissions for creating, reading, and updating resources in the target cluster.</p>
  1951. </li>
  1952. <li>
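  1953. <p><strong>Least Privilege Principle</strong>: Adhere to the principle of least privilege when assigning permissions to the SecretStore. Only provide the minimum required permissions to accomplish the desired synchronization between Secrets. For example, when secrets are pushed into a single namespace, bind the SecretStore's credentials to a namespaced Role on <code>secrets</code> in that namespace rather than to a ClusterRole.</p>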
  1954. </li>
  1955. <li>
  1956. <p><strong>Namespace or Cluster Scope</strong>: Depending on your specific requirements, configure the SecretStore to operate at the desired scope, whether it is limited to a specific namespace or encompasses the entire cluster. Consider the security and access control implications of your chosen scope.</p>
  1957. </li>
  1958. </ul>
  1959. </article>
  1960. </div>
  1961. <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
  1962. </div>
  1963. </main>
  1964. <img referrerpolicy="no-referrer-when-downgrade"
  1965. src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" alt=""
  1966. hidden />
  1967. <footer class="md-footer">
  1968. <div class="md-footer-meta md-typeset">
  1969. <div class="md-footer-meta__inner md-grid">
  1970. <div class="md-copyright">
  1971. <div class="md-copyright__highlight">
  1972. &copy; 2025 The external-secrets Authors.<br/>
  1973. &copy; 2025 The Linux Foundation. All rights reserved.<br/><br/>
  1974. The Linux Foundation has registered trademarks and uses trademarks.<br/>
  1975. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
  1976. </div>
  1977. Made with
  1978. <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
  1979. Material for MkDocs
  1980. </a>
  1981. </div>
  1982. </div>
  1983. </div>
  1984. </footer>
  1985. </div>
  1986. <div class="md-dialog" data-md-component="dialog">
  1987. <div class="md-dialog__inner md-typeset"></div>
  1988. </div>
  1989. <script id="__config" type="application/json">{"annotate": null, "base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
  1990. <script src="../../assets/javascripts/bundle.79ae519e.min.js"></script>
  1991. </body>
  1992. </html>