full-external-secret.yaml 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163
  1. {% raw %}
  2. apiVersion: external-secrets.io/v1
  3. kind: ExternalSecret
  4. metadata:
  5. name: "hello-world"
  6. # labels and annotations are copied over to the
  7. # secret that will be created
  8. labels:
  9. acme.org/owned-by: "q-team"
  10. annotations:
  11. acme.org/sha: 1234
  12. spec:
  13. # Optional, SecretStoreRef defines the default SecretStore to use when fetching the secret data.
  14. secretStoreRef:
  15. name: aws-store
  16. kind: SecretStore # or ClusterSecretStore
  17. # RefreshPolicy determines how the ExternalSecret should be refreshed.
  18. # - CreatedOnce: Creates the Secret only if it does not exist and does not update it afterward
  19. # - Periodic: (default) Synchronizes the Secret at intervals specified by refreshInterval
  20. # - OnChange: Only synchronizes when the ExternalSecret's metadata or specification changes
  21. refreshPolicy: Periodic
  22. # RefreshInterval is the amount of time before the values reading again from the SecretStore provider
  23. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" (from time.ParseDuration)
  24. # May be set to zero to fetch and create it once
  25. refreshInterval: "1h0m0s"
  26. # SyncWindows optionally restricts when periodic refreshes may occur (UTC, Periodic policy only).
  27. # kind: allow -- syncs are permitted only while at least one window is active.
  28. # kind: deny -- syncs are blocked while any window is active.
  29. # Each window entry uses a standard 5-field cron schedule and a duration.
  30. syncWindows:
  31. kind: allow
  32. windows:
  33. - schedule: "0 9 * * 1-5" # weekdays at 09:00 UTC
  34. duration: 8h # window open until 17:00 UTC
  35. # the target describes the secret that shall be created
  36. # there can only be one target per ExternalSecret
  37. target:
  38. # The secret name of the resource
  39. # Defaults to .metadata.name of the ExternalSecret
  40. # It is immutable
  41. name: application-config
  42. # Specifies the ExternalSecret ownership details in the created Secret. Options:
  43. # - Owner: (default) Creates the Secret and sets .metadata.ownerReferences. If the ExternalSecret is deleted, the Secret will also be deleted.
  44. # - Merge: Does not create the Secret but merges data fields into the existing Secret (expects the Secret to already exist).
  45. # - Orphan: Creates the Secret but does not set .metadata.ownerReferences. If the Secret already exists, it will be updated.
  46. # - None: Does not create or update the Secret (reserved for future use with injector).
  47. creationPolicy: Merge
  48. # Specifies what happens to the Secret when data fields are deleted from the provider (e.g., Vault, AWS Parameter Store). Options:
  49. # - Retain: (default) Retains the Secret if all Secret data fields have been deleted from the provider.
  50. # - Delete: Removes the Secret if all Secret data fields from the provider are deleted.
  51. # - Merge: Removes keys from the Secret but not the Secret itself.
  52. deletionPolicy: Retain
  53. # Specify a blueprint for the resulting Kind=Secret
  54. template:
  55. type: kubernetes.io/dockerconfigjson # or TLS...
  56. metadata:
  57. # Labels and annotations to set on the Secret.
  58. # When a template is defined, these replace the default behavior
  59. # of copying labels and annotations from the ExternalSecret.
  60. # Set to an empty map ({}) to prevent any labels or annotations from being copied.
  61. annotations: {}
  62. labels: {}
  63. # The finalizers will be added to the Secret.
  64. # It is expected that finalizers will be deleted with custom cleanup functionality.
  65. # This is required when another chart depends on the Secret, and it is needed to prevent the Secret from being deleted too early.
  66. finalizers: []
  67. # Use inline templates to construct your desired config file that contains your secret
  68. data:
  69. config.yml: |
  70. database:
  71. connection: postgres://{{ .username }}:{{ .password }}@{{ .database_host }}:5432/payments
  72. # Uses an existing template from configmap
  73. # Secret is fetched, merged and templated within the referenced configMap data
  74. # It does not update the configmap, it creates a secret with: data["alertmanager.yml"] = ...result...
  75. templateFrom:
  76. - configMap:
  77. name: application-config-tmpl
  78. items:
  79. - key: config.yml
  80. # Data defines the connection between the Kubernetes Secret keys and the Provider data
  81. data:
  82. - secretKey: username
  83. remoteRef:
  84. key: database-credentials
  85. version: v1
  86. property: username
  87. decodingStrategy: None # can be None, Base64, Base64URL or Auto
  88. # define the source of the secret. Can be a SecretStore or a Generator kind
  89. sourceRef:
  90. # point to a SecretStore that should be used to fetch a secret.
  91. # must be defined if no spec.secretStoreRef is defined.
  92. storeRef:
  93. name: aws-secretstore
  94. kind: ClusterSecretStore
  95. # Used to fetch all properties from the Provider key
  96. # If multiple dataFrom are specified, secrets are merged in the specified order
  97. # Can be defined using sourceRef.generatorRef or extract / find
  98. # Both use cases are exemplified below
  99. dataFrom:
  100. - sourceRef:
  101. generatorRef:
  102. apiVersion: generators.external-secrets.io/v1alpha1
  103. kind: ECRAuthorizationToken
  104. name: "my-ecr"
  105. #Or
  106. dataFrom:
  107. - extract:
  108. key: database-credentials
  109. version: v1
  110. property: data
  111. conversionStrategy: Default
  112. decodingStrategy: Auto
  113. rewrite:
  114. - regexp:
  115. source: "exp-(.*?)-ression"
  116. target: "rewriting-${1}-with-groups"
  117. - find:
  118. path: path-to-filter
  119. name:
  120. regexp: ".*foobar.*"
  121. tags:
  122. foo: bar
  123. conversionStrategy: Unicode
  124. decodingStrategy: Base64
  125. rewrite:
  126. - regexp:
  127. source: "foo"
  128. target: "bar"
  129. status:
  130. # refreshTime is the time and date the external secret was fetched and
  131. # the target secret updated
  132. refreshTime: "2019-08-12T12:33:02Z"
  133. # Standard condition schema
  134. conditions:
  135. # ExternalSecret ready condition indicates the secret is ready for use.
  136. # This is defined as:
  137. # - The target secret exists
  138. # - The target secret has been refreshed within the last refreshInterval
  139. # - The target secret content is up-to-date based on any target templates
  140. - type: Ready
  141. status: "True" # False if last refresh was not successful
  142. reason: "SecretSynced"
  143. message: "Secret was synced"
  144. lastTransitionTime: "2019-08-12T12:33:02Z"
  145. {% endraw %}