logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101
							{% raw %}
---
# The source secret that will be pushed to the destination secret by ClusterPushSecret.
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  best-pokemon-src: "Pikachu"
---
apiVersion: external-secrets.io/v1alpha1
kind: ClusterPushSecret
metadata:
  name: "hello-world"
spec:
  # The name to be used on the PushSecrets.
  # Defaults to the name of the ClusterPushSecret when omitted.
  pushSecretName: "hello-world-ps"

  # Optional labels and annotations to set on every created PushSecret.
  pushSecretMetadata:
    labels: {}
    annotations: {}

  # This is a list of basic label selector to select the namespaces to deploy PushSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
  # the ExternalSecret will be deployed to that namespace.
  namespaceSelectors:
  - matchLabels:
      cool: label

  # How often the ClusterPushSecret should reconcile itself
  # This will decide how often to check and make sure that the PushSecrets exist in the matching namespaces
  # If omitted, the controller's default requeue interval is used.
  refreshTime: "1m"

  # This is the spec of the PushSecrets to be created
  # The content of this was taken from our PushSecret example
  pushSecretSpec:
    updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
    deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted
    refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
    secretStoreRefs: # A list of secret stores to push secrets to
      - name: aws-parameterstore
        kind: SecretStore
    selector:
      secret:
        name: source-secret # Source Kubernetes secret to be pushed
      # Alternatively, you can point to a generator that produces values to be pushed
      generatorRef:
        apiVersion: external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: prod-registry-credentials
    template:
      metadata:
        annotations: { }
        labels: { }
      data:
        # If the key source secret key has dashes, then it cannot be accessed directly,
        # and the "index" function should be used.
        best-pokemon: "{{ index . \"best-pokemon-src\" | toString | upper }} is the really best!"
      # Also, it's possible to use an existing template from configmap where Secret is fetched,
      # merged and templated within the referenced configMap data.
      # It does not update the configmap, it creates a secret with: data["config.yml"] = ...result...
      templateFrom:
        - configMap:
            name: application-config-tmpl
            items:
              - key: config.yml
    data:
      - conversionStrategy: None # Also supports the ReverseUnicode strategy
        match:
          # The secretKey is used within ClusterPushSecret (it should match key under spec.pushSecretSpec.template.data)
          secretKey: best-pokemon
          remoteRef:
            remoteKey: destination-secret # The destination secret object name (where the secret is going to be pushed)
            property: best-pokemon-dst # The key within the destination secret object.
status:
  # This will list any namespaces where the creation of the ExternalSecret failed
  # This will not list any issues with the ExternalSecrets, you will have to check the
  # ExternalSecrets to see any issues with them.
  failedNamespaces:
    - namespace: "matching-ns-1"
      # This is one of the possible messages, and likely the most common
      reason: "push secret already exists in namespace"

  # You can find all matching and successfully deployed namespaces here
  provisionedNamespaces:
    - "matching-ns-3"
    - "matching-ns-2"

  # The only condition type is Ready. status is "True" when all matching
  # namespaces synced, and "False" if one or more namespaces failed (the failed
  # ones are listed under failedNamespaces above).
  conditions:
  - type: Ready
    status: "False"
    message: "one or more namespaces failed"
    lastTransitionTime: "2022-01-12T12:33:02Z"
{% endraw %}