values.yaml 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852
  1. ---
  2. global:
  3. nodeSelector: {}
  4. tolerations: []
  5. topologySpreadConstraints: []
  6. # - maxSkew: 1
  7. # topologyKey: topology.kubernetes.io/zone
  8. # whenUnsatisfiable: ScheduleAnyway
  9. # matchLabelKeys:
  10. # - pod-template-hash
  11. # - maxSkew: 1
  12. # topologyKey: kubernetes.io/hostname
  13. # whenUnsatisfiable: DoNotSchedule
  14. # matchLabelKeys:
  15. # - pod-template-hash
  16. affinity: {}
  17. # -- Global hostAliases to be applied to all deployments
  18. hostAliases: []
  19. # -- Global pod labels to be applied to all deployments
  20. podLabels: {}
  21. # -- Global pod annotations to be applied to all deployments
  22. podAnnotations: {}
  23. # -- Global imagePullSecrets to be applied to all deployments
  24. imagePullSecrets: []
  25. # -- Global image repository to be applied to all deployments
  26. repository: ""
  27. compatibility:
  28. openshift:
  29. # -- Manages the securityContext properties to make them compatible with OpenShift.
  30. # Possible values:
  31. # auto - Apply configurations if it is detected that OpenShift is the target platform.
  32. # force - Always apply configurations.
  33. # disabled - No modification applied.
  34. adaptSecurityContext: auto
  35. replicaCount: 1
  36. bitwarden-sdk-server:
  37. enabled: false
  38. namespaceOverride: ""
  39. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  40. revisionHistoryLimit: 10
  41. image:
  42. repository: ghcr.io/external-secrets/external-secrets
  43. pullPolicy: IfNotPresent
  44. # -- The image tag to use. The default is the chart appVersion.
  45. tag: ""
  46. # -- The flavour of tag you want to use
  47. # There are different image flavours available, like distroless and ubi.
  48. # Please see GitHub release notes for image tags for these flavors.
  49. # By default, the distroless image is used.
  50. flavour: ""
  51. # -- If set, install and upgrade CRDs through helm chart.
  52. installCRDs: true
  53. crds:
  54. # -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
  55. createClusterExternalSecret: true
  56. # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
  57. createClusterSecretStore: true
  58. # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
  59. createSecretStore: true
  60. # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
  61. createClusterGenerator: true
  62. # -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
  63. createClusterPushSecret: true
  64. # -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
  65. createPushSecret: true
  66. annotations: {}
  67. conversion:
  68. # -- Conversion is disabled by default as we stopped supporting v1alpha1.
  69. enabled: false
  70. # -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
  71. # v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
  72. # Warning: This flag will be removed on 2026.05.01.
  73. unsafeServeV1Beta1: false
  74. imagePullSecrets: []
  75. nameOverride: ""
  76. fullnameOverride: ""
  77. namespaceOverride: ""
  78. # -- Additional labels added to all helm chart resources.
  79. commonLabels: {}
  80. # -- If true, external-secrets will perform leader election between instances to ensure no more
  81. # than one instance of external-secrets operates at a time.
  82. leaderElect: false
  83. # -- ID of the lease object used for leader election.
  84. # Leave empty to use the default ('external-secrets-controller').
  85. # Set to a unique value when running multiple independent ESO deployments in the same namespace.
  86. # @default -- "external-secrets-controller"
  87. leaderElectionID: ""
  88. # -- If set external secrets will filter matching
  89. # Secret Stores with the appropriate controller values.
  90. controllerClass: ""
  91. # -- If true external secrets will use recommended kubernetes
  92. # annotations as prometheus metric labels.
  93. extendedMetricLabels: false
  94. # -- If set external secrets are only reconciled in the
  95. # provided namespace
  96. scopedNamespace: ""
  97. # -- If true, create scoped RBAC roles and implicitly disable cluster-scoped
  98. # controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace.
  99. scopedRBAC: false
  100. # -- If true the OpenShift finalizer permissions will be added to RBAC
  101. openshiftFinalizers: true
  102. # -- If true the system:auth-delegator ClusterRole will be added to RBAC
  103. systemAuthDelegator: false
  104. # -- if true, the operator will process cluster external secret. Else, it will ignore them.
  105. # When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
  106. # cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
  107. processClusterExternalSecret: true
  108. # -- if true, the operator will process cluster push secret. Else, it will ignore them.
  109. processClusterPushSecret: true
  110. # -- if true, the operator will process cluster store. Else, it will ignore them.
  111. processClusterStore: true
  112. # -- if true, the operator will process secret store. Else, it will ignore them.
  113. processSecretStore: true
  114. # -- Default time duration between reconciling (Cluster)SecretStores.
  115. storeRequeueInterval: ""
  116. # -- if true, the operator will process cluster generator. Else, it will ignore them.
  117. processClusterGenerator: true
  118. # -- if true, the operator will process push secret. Else, it will ignore them.
  119. processPushSecret: true
  120. # -- Enable support for generic targets (ConfigMaps, Custom Resources).
  121. # Warning: Using generic target. Make sure access policies and encryption are properly configured.
  122. # When enabled, this grants the controller permissions to create/update/delete
  123. # ConfigMaps and optionally other resource types specified in generic.resources.
  124. genericTargets:
  125. # -- Enable generic target support
  126. enabled: false
  127. # -- List of additional resource types to grant permissions for.
  128. # Each entry should specify apiGroup, resources, and verbs.
  129. # Example:
  130. # resources:
  131. # - apiGroup: "argoproj.io"
  132. # resources: ["applications"]
  133. # verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  134. resources: []
  135. # -- Specifies whether an external secret operator deployment be created.
  136. createOperator: true
  137. # -- if true, HTTP2 will be enabled for the services created by all controllers, curently metrics and webhook.
  138. enableHTTP2: false
  139. # -- Vault token cache configuration
  140. vault:
  141. # -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
  142. enableTokenCache: false
  143. # -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
  144. tokenCacheSize: 262144
  145. # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
  146. # a time.
  147. concurrent: 1
  148. # -- Specifies Log Params to the External Secrets Operator
  149. log:
  150. level: info
  151. timeEncoding: epoch
  152. service:
  153. # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  154. ipFamilyPolicy: ""
  155. # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  156. ipFamilies: []
  157. serviceAccount:
  158. # -- Specifies whether a service account should be created.
  159. create: true
  160. # -- Automounts the service account token in all containers of the pod
  161. automount: true
  162. # -- Annotations to add to the service account.
  163. annotations: {}
  164. # -- Extra Labels to add to the service account.
  165. extraLabels: {}
  166. # -- The name of the service account to use.
  167. # If not set and create is true, a name is generated using the fullname template.
  168. name: ""
  169. rbac:
  170. # -- Specifies whether role and rolebinding resources should be created.
  171. create: true
  172. # -- Specifies whether the serviceaccounts/token create permission is included in the controller RBAC.
  173. # When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint
  174. # to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs.
  175. serviceAccountTokenCreate: true
  176. servicebindings:
  177. # -- Specifies whether a clusterrole to give servicebindings read access should be created.
  178. create: true
  179. # -- Specifies whether permissions are aggregated to the view ClusterRole
  180. aggregateToView: true
  181. # -- Specifies whether permissions are aggregated to the edit ClusterRole
  182. aggregateToEdit: true
  183. # -- Specifies whether permissions are aggregated to the admin ClusterRole
  184. aggregateToAdmin: true
  185. ## -- Extra environment variables to add to container.
  186. extraEnv: []
  187. ## -- Map of extra arguments to pass to container.
  188. extraArgs: {}
  189. ## -- Extra volumes to pass to pod.
  190. extraVolumes: []
  191. ## -- Extra Kubernetes objects to deploy with the helm chart
  192. extraObjects: []
  193. ## -- Extra volumes to mount to the container.
  194. extraVolumeMounts: []
  195. ## -- Extra init containers to add to the pod.
  196. extraInitContainers: []
  197. ## -- Extra containers to add to the pod.
  198. extraContainers: []
  199. # -- Annotations to add to Deployment
  200. deploymentAnnotations: {}
  201. # -- Set deployment strategy
  202. strategy: {}
  203. # -- Annotations to add to Pod
  204. podAnnotations: {}
  205. podLabels: {}
  206. podSecurityContext:
  207. enabled: true
  208. # fsGroup: 2000
  209. securityContext:
  210. allowPrivilegeEscalation: false
  211. capabilities:
  212. drop:
  213. - ALL
  214. enabled: true
  215. readOnlyRootFilesystem: true
  216. runAsNonRoot: true
  217. runAsUser: 1000
  218. seccompProfile:
  219. type: RuntimeDefault
  220. resources: {}
  221. # requests:
  222. # cpu: 10m
  223. # memory: 32Mi
  224. serviceMonitor:
  225. # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
  226. enabled: false
  227. # -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
  228. #
  229. # Possible values:
  230. # - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
  231. # - `failIfMissing`: Fail Helm install if CRD is not present.
  232. # - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.
  233. # @schema
  234. # enum:
  235. # - skipIfMissing
  236. # - failIfMissing
  237. # - alwaysRender
  238. # @schema
  239. renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
  240. # -- namespace where you want to install ServiceMonitors
  241. namespace: ""
  242. # -- Additional labels
  243. additionalLabels: {}
  244. # -- Interval to scrape metrics
  245. interval: 30s
  246. # -- Timeout if metrics can't be retrieved in given time interval
  247. scrapeTimeout: 25s
  248. # -- Let prometheus add an exported_ prefix to conflicting labels
  249. honorLabels: false
  250. # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
  251. metricRelabelings: []
  252. # - action: replace
  253. # regex: (.*)
  254. # replacement: $1
  255. # sourceLabels:
  256. # - exported_namespace
  257. # targetLabel: namespace
  258. # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
  259. relabelings: []
  260. # - sourceLabels: [__meta_kubernetes_pod_node_name]
  261. # separator: ;
  262. # regex: ^(.*)$
  263. # targetLabel: nodename
  264. # replacement: $1
  265. # action: replace
  266. metrics:
  267. listen:
  268. port: 8080
  269. auth:
  270. # -- Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false.
  271. enabled: false
  272. secure:
  273. enabled: false
  274. # -- if those are not set or invalid, self-signed certs will be generated
  275. # -- TLS cert directory path
  276. certDir: /etc/tls
  277. # -- TLS cert file path
  278. certFile: /etc/tls/tls.crt
  279. # -- TLS key file path
  280. keyFile: /etc/tls/tls.key
  281. service:
  282. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  283. enabled: false
  284. # -- Metrics service port to scrape
  285. port: 8080
  286. # -- Additional service annotations
  287. annotations: {}
  288. grafanaDashboard:
  289. # -- If true creates a Grafana dashboard.
  290. enabled: false
  291. # -- Label that ConfigMaps should have to be loaded as dashboards.
  292. sidecarLabel: "grafana_dashboard"
  293. # -- Label value that ConfigMaps should have to be loaded as dashboards.
  294. sidecarLabelValue: "1"
  295. # -- Annotations that ConfigMaps can have to get configured in Grafana,
  296. # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
  297. # https://github.com/grafana/helm-charts/tree/main/charts/grafana
  298. annotations: {}
  299. # -- Extra labels to add to the Grafana dashboard ConfigMap.
  300. extraLabels: {}
  301. livenessProbe:
  302. # -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
  303. enabled: false
  304. # -- The body of the liveness probe settings.
  305. spec:
  306. # -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
  307. address: ""
  308. # -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
  309. port: 8082
  310. # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
  311. timeoutSeconds: 5
  312. # -- Number of consecutive probe failures that should occur before considering the probe as failed.
  313. failureThreshold: 5
  314. # -- Period in seconds for K8s to start performing probes.
  315. periodSeconds: 10
  316. # -- Number of successful probes to mark probe successful.
  317. successThreshold: 1
  318. # -- Delay in seconds for the container to start before performing the initial probe.
  319. initialDelaySeconds: 10
  320. # -- Handler for liveness probe.
  321. httpGet:
  322. # -- Set this value to 'live' (for named port) or an an integer for liveness probes.
  323. # @schema type: [string, integer]
  324. port: live
  325. # -- Path for liveness probe.
  326. path: /healthz
  327. readinessProbe:
  328. # -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
  329. enabled: false
  330. # -- The body of the readiness probe settings (standard Kubernetes probe spec).
  331. spec:
  332. # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
  333. timeoutSeconds: 5
  334. # -- Number of consecutive probe failures that should occur before considering the probe as failed.
  335. failureThreshold: 3
  336. # -- Period in seconds for K8s to start performing probes.
  337. periodSeconds: 10
  338. # -- Number of successful probes to mark probe successful.
  339. successThreshold: 1
  340. # -- Delay in seconds for the container to start before performing the initial probe.
  341. initialDelaySeconds: 10
  342. # -- Handler for readiness probe.
  343. httpGet:
  344. # -- Set this value to 'live' (for named port) or an integer for readiness probes.
  345. # @schema type: [string, integer]
  346. port: live
  347. # -- Path for readiness probe.
  348. path: /readyz
  349. nodeSelector: {}
  350. tolerations: []
  351. topologySpreadConstraints: []
  352. affinity: {}
  353. # -- Pod priority class name.
  354. priorityClassName: ""
  355. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  356. podDisruptionBudget:
  357. enabled: false
  358. minAvailable: 1 # @schema type:[integer, string]
  359. nameOverride: ""
  360. # maxUnavailable: "50%"
  361. # -- Run the controller on the host network
  362. hostNetwork: false
  363. # -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  364. # @schema type: [boolean, null]
  365. hostUsers:
  366. webhook:
  367. # -- Annotations to place on validating webhook configuration.
  368. annotations: {}
  369. # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
  370. create: true
  371. # -- Specifies the time to check if the cert is valid
  372. certCheckInterval: "5m"
  373. # -- Specifies the lookaheadInterval for certificate validity
  374. lookaheadInterval: ""
  375. replicaCount: 1
  376. # -- Specifies Log Params to the Webhook
  377. log:
  378. level: info
  379. timeEncoding: epoch
  380. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  381. revisionHistoryLimit: 10
  382. certDir: /tmp/certs
  383. # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
  384. failurePolicy: Fail
  385. # -- Specifies if webhook pod should use hostNetwork or not.
  386. hostNetwork: false
  387. # -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  388. # @schema type: [boolean, null]
  389. hostUsers:
  390. image:
  391. repository: ghcr.io/external-secrets/external-secrets
  392. pullPolicy: IfNotPresent
  393. # -- The image tag to use. The default is the chart appVersion.
  394. tag: ""
  395. # -- The flavour of tag you want to use
  396. flavour: ""
  397. imagePullSecrets: []
  398. # -- The port the webhook will listen to
  399. port: 10250
  400. serviceAccount:
  401. # -- Specifies whether a service account should be created.
  402. create: true
  403. # -- Automounts the service account token in all containers of the pod
  404. automount: true
  405. # -- Annotations to add to the service account.
  406. annotations: {}
  407. # -- Extra Labels to add to the service account.
  408. extraLabels: {}
  409. # -- The name of the service account to use.
  410. # If not set and create is true, a name is generated using the fullname template.
  411. name: ""
  412. nodeSelector: {}
  413. # -- Specifies `hostAliases` to webhook deployment
  414. hostAliases: []
  415. certManager:
  416. # -- Enabling cert-manager support will disable the built in secret and
  417. # switch to using cert-manager (installed separately) to automatically issue
  418. # and renew the webhook certificate. This chart does not install
  419. # cert-manager for you, See https://cert-manager.io/docs/
  420. enabled: false
  421. # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
  422. # webhooks and CRDs. As long as you have the cert-manager CA Injector
  423. # enabled, this will automatically setup your webhook's CA to the one used
  424. # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
  425. addInjectorAnnotations: true
  426. cert:
  427. # -- Create a certificate resource within this chart. See
  428. # https://cert-manager.io/docs/usage/certificate/
  429. create: true
  430. # -- For the Certificate created by this chart, setup the issuer. See
  431. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
  432. issuerRef:
  433. group: cert-manager.io
  434. kind: "Issuer"
  435. name: "my-issuer"
  436. # -- Set the requested duration (i.e. lifetime) of the Certificate. See
  437. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  438. # One year by default.
  439. duration: "8760h0m0s"
  440. # -- Set the revisionHistoryLimit on the Certificate. See
  441. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  442. # Defaults to 0 (ignored).
  443. revisionHistoryLimit: 0
  444. # -- How long before the currently issued certificate’s expiry
  445. # cert-manager should renew the certificate. See
  446. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  447. # Note that renewBefore should be greater than .webhook.lookaheadInterval
  448. # since the webhook will check this far in advance that the certificate is
  449. # valid.
  450. renewBefore: ""
  451. # -- Specific settings on the privateKey and its generation
  452. privateKey: {}
  453. # rotationPolicy: Always
  454. # algorithm: RSA
  455. # size: 2048
  456. # -- Specific settings on the signatureAlgorithm used on the cert.
  457. # signatureAlgorithm is only valid for cert-manager v1.18.0+
  458. signatureAlgorithm: ""
  459. # -- Add extra annotations to the Certificate resource.
  460. annotations: {}
  461. tolerations: []
  462. topologySpreadConstraints: []
  463. affinity: {}
  464. # -- Set deployment strategy
  465. strategy: {}
  466. # -- Pod priority class name.
  467. priorityClassName: ""
  468. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  469. podDisruptionBudget:
  470. enabled: false
  471. minAvailable: 1 # @schema type:[integer, string]
  472. nameOverride: ""
  473. # maxUnavailable: "50%"
  474. metrics:
  475. listen:
  476. port: 8080
  477. auth:
  478. # -- Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false.
  479. enabled: false
  480. secure:
  481. enabled: false
  482. # -- if those are not set or invalid, self-signed certs will be generated
  483. # -- TLS cert directory path
  484. certDir: /etc/tls
  485. # -- TLS cert file path
  486. certFile: /etc/tls/tls.crt
  487. # -- TLS key file path
  488. keyFile: /etc/tls/tls.key
  489. service:
  490. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  491. enabled: false
  492. # -- Metrics service port to scrape
  493. port: 8080
  494. # -- Additional service annotations
  495. annotations: {}
  496. livenessProbe:
  497. enabled: false
  498. # -- Set this value to 'live' (for named port) or an integer for liveness probes.
  499. # @schema type: [string, integer]
  500. port: 8081
  501. timeoutSeconds: 5
  502. failureThreshold: 5
  503. periodSeconds: 10
  504. successThreshold: 1
  505. initialDelaySeconds: 10
  506. readinessProbe:
  507. enabled: true
  508. address: ""
  509. # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
  510. # @schema type: [string, integer]
  511. port: 8081
  512. timeoutSeconds: 5
  513. failureThreshold: 3
  514. periodSeconds: 5
  515. successThreshold: 1
  516. initialDelaySeconds: 20
  517. ## -- Extra environment variables to add to container.
  518. extraEnv: []
  519. ## -- Map of extra arguments to pass to container.
  520. extraArgs: {}
  521. ## -- Extra init containers to add to the pod.
  522. extraInitContainers: []
  523. ## -- Extra volumes to pass to pod.
  524. extraVolumes: []
  525. ## -- Extra volumes to mount to the container.
  526. extraVolumeMounts: []
  527. # -- Annotations to add to Secret
  528. secretAnnotations: {}
  529. # -- Annotations to add to Deployment
  530. deploymentAnnotations: {}
  531. # -- Annotations to add to Pod
  532. podAnnotations: {}
  533. podLabels: {}
  534. podSecurityContext:
  535. enabled: true
  536. # fsGroup: 2000
  537. securityContext:
  538. allowPrivilegeEscalation: false
  539. capabilities:
  540. drop:
  541. - ALL
  542. enabled: true
  543. readOnlyRootFilesystem: true
  544. runAsNonRoot: true
  545. runAsUser: 1000
  546. seccompProfile:
  547. type: RuntimeDefault
  548. resources: {}
  549. # requests:
  550. # cpu: 10m
  551. # memory: 32Mi
  552. # -- Manage the service through which the webhook is reached.
  553. service:
  554. # -- Whether the service object should be enabled or not (it is expected to exist).
  555. enabled: true
  556. # -- Custom annotations for the webhook service.
  557. annotations: {}
  558. # -- Custom labels for the webhook service.
  559. labels: {}
  560. # -- The service type of the webhook service.
  561. type: ClusterIP
  562. # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
  563. # Check the documentation of your load balancer provider to see if/how this should be used.
  564. loadBalancerIP: ""
  565. certController:
  566. # -- Specifies whether a certificate controller deployment be created.
  567. create: true
  568. requeueInterval: "5m"
  569. replicaCount: 1
  570. # -- Specifies Log Params to the Certificate Controller
  571. log:
  572. level: info
  573. timeEncoding: epoch
  574. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  575. revisionHistoryLimit: 10
  576. image:
  577. repository: ghcr.io/external-secrets/external-secrets
  578. pullPolicy: IfNotPresent
  579. tag: ""
  580. flavour: ""
  581. imagePullSecrets: []
  582. rbac:
  583. # -- Specifies whether role and rolebinding resources should be created.
  584. create: true
  585. serviceAccount:
  586. # -- Specifies whether a service account should be created.
  587. create: true
  588. # -- Automounts the service account token in all containers of the pod
  589. automount: true
  590. # -- Annotations to add to the service account.
  591. annotations: {}
  592. # -- Extra Labels to add to the service account.
  593. extraLabels: {}
  594. # -- The name of the service account to use.
  595. # If not set and create is true, a name is generated using the fullname template.
  596. name: ""
  597. nodeSelector: {}
  598. # -- Specifies `hostAliases` to cert-controller deployment
  599. hostAliases: []
  600. tolerations: []
  601. topologySpreadConstraints: []
  602. affinity: {}
  603. # -- Set deployment strategy
  604. strategy: {}
  605. # -- Run the certController on the host network
  606. hostNetwork: false
  607. # -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  608. # @schema type: [boolean, null]
  609. hostUsers:
  610. # -- Pod priority class name.
  611. priorityClassName: ""
  612. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  613. podDisruptionBudget:
  614. enabled: false
  615. minAvailable: 1 # @schema type:[integer, string]
  616. nameOverride: ""
  617. # maxUnavailable: "50%"
  618. metrics:
  619. listen:
  620. port: 8080
  621. auth:
  622. # -- Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false.
  623. enabled: false
  624. secure:
  625. enabled: false
  626. # -- if those are not set or invalid, self-signed certs will be generated
  627. # -- TLS cert directory path
  628. certDir: /etc/tls
  629. # -- TLS cert file path
  630. certFile: /etc/tls/tls.crt
  631. # -- TLS key file path
  632. keyFile: /etc/tls/tls.key
  633. service:
  634. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  635. enabled: false
  636. # -- Metrics service port to scrape
  637. port: 8080
  638. # -- Additional service annotations
  639. annotations: {}
  640. livenessProbe:
  641. enabled: false
  642. # -- Set this value to 'live' (for named port) or an integer for liveness probes.
  643. # @schema type: [string, integer]
  644. port: 8081
  645. timeoutSeconds: 5
  646. failureThreshold: 5
  647. periodSeconds: 10
  648. successThreshold: 1
  649. initialDelaySeconds: 10
  650. readinessProbe:
  651. enabled: true
  652. address: ""
  653. # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
  654. # @schema type: [string, integer]
  655. port: 8081
  656. timeoutSeconds: 5
  657. failureThreshold: 3
  658. periodSeconds: 5
  659. successThreshold: 1
  660. initialDelaySeconds: 20
  661. startupProbe:
  662. # -- Enabled determines if the startup probe should be used or not. By default it's enabled
  663. enabled: false
  664. # -- whether to use the readiness probe port for startup probe.
  665. useReadinessProbePort: true
  666. # -- Port for startup probe.
  667. port: ""
  668. ## -- Extra environment variables to add to container.
  669. extraEnv: []
  670. ## -- Map of extra arguments to pass to container.
  671. extraArgs: {}
  672. ## -- Extra init containers to add to the pod.
  673. extraInitContainers: []
  674. ## -- Extra volumes to pass to pod.
  675. extraVolumes: []
  676. ## -- Extra volumes to mount to the container.
  677. extraVolumeMounts: []
  678. # -- Annotations to add to Deployment
  679. deploymentAnnotations: {}
  680. # -- Annotations to add to Pod
  681. podAnnotations: {}
  682. podLabels: {}
  683. podSecurityContext:
  684. enabled: true
  685. # fsGroup: 2000
  686. securityContext:
  687. allowPrivilegeEscalation: false
  688. capabilities:
  689. drop:
  690. - ALL
  691. enabled: true
  692. readOnlyRootFilesystem: true
  693. runAsNonRoot: true
  694. runAsUser: 1000
  695. seccompProfile:
  696. type: RuntimeDefault
  697. resources: {}
  698. # requests:
  699. # cpu: 10m
  700. # memory: 32Mi
  701. # -- Specifies `dnsPolicy` to deployment
  702. dnsPolicy: ClusterFirst
  703. # -- Specifies `dnsOptions` to deployment
  704. dnsConfig: {}
  705. # -- Specifies `hostAliases` to deployment
  706. hostAliases: []
  707. # -- Any extra pod spec on the deployment
  708. podSpecExtra: {}