Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
logic855
/
helm-external-secrets
zrkadlo https://github.com/external-secrets/external-secrets
1
0
Fork 0
Súbory Issues 0 Wiki
Branch: main
Branche Tagy
helm-external-s...
/
docs
/
snippets
/
full-pushsecret.yaml

full-pushsecret.yaml 2.3 KB
Permanentný odkaz História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. {% raw %}
    2. 

  2. ---
    3. 

  3. # The source secret that will be pushed to the destination secret by PushSecret.
    4. 

  4. apiVersion: v1
    5. 

  5. kind: Secret
    6. 

  6. metadata:
    7. 

  7.   name: pushsecret-example
    8. 

  8. stringData:
    9. 

  9.   best-pokemon-src: "Pikachu"
    10. 

  10. ---
    11. 

  11. apiVersion: external-secrets.io/v1alpha1
    12. 

  12. kind: PushSecret
    13. 

  13. metadata:
    14. 

  14.   name: pushsecret-example # Customisable
    15. 

  15.   namespace: default # Same of the SecretStores
    16. 

  16. spec:
    17. 

  17.   updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
    18. 

  18.   deletionPolicy: Delete # delete the provider secret when the PushSecret is deleted (default: None, which keeps it)
    19. 

  19.   refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
    20. 

  20.   secretStoreRefs: # A list of secret stores to push secrets to
    21. 

  21.     - name: aws-parameterstore
    22. 

  22.       kind: SecretStore
    23. 

  23.   # Exactly one of selector.secret or selector.generatorRef may be set.
    24. 

  24.   selector:
    25. 

  25.     secret:
    26. 

  26.       name: pokedex-credentials # Source Kubernetes secret to be pushed
    27. 

  27.     # Alternatively (mutually exclusive with secret), point to a generator
    28. 

  28.     # that produces the values to be pushed:
    29. 

  29.     # generatorRef:
    30. 

  30.     #   apiVersion: generators.external-secrets.io/v1alpha1
    31. 

  31.     #   kind: ECRAuthorizationToken
    32. 

  32.     #   name: prod-registry-credentials
    33. 

  33.   template:
    34. 

  34.     metadata:
    35. 

  35.       annotations: { }
    36. 

  36.       labels: { }
    37. 

  37.     data:
    38. 

  38.       # If the key source secret key has dashes, then it cannot be accessed directly,
    39. 

  39.       # and the "index" function should be used.
    40. 

  40.       best-pokemon: "{{ index . \"best-pokemon-src\" | toString | upper }} is the really best!"
    41. 

  41.     # Also, it's possible to use an existing template from configmap where Secret is fetched,
    42. 

  42.     # merged and templated within the referenced configMap data.
    43. 

  43.     # It does not update the configmap, it creates a secret with: data["config.yml"] = ...result...
    44. 

  44.     templateFrom:
    45. 

  45.       - configMap:
    46. 

  46.           name: application-config-tmpl
    47. 

  47.           items:
    48. 

  48.             - key: config.yml
    49. 

  49.   data:
    50. 

  50.     - conversionStrategy: None # Also supports the ReverseUnicode strategy
    51. 

  51.       match:
    52. 

  52.         # The secretKey is used within PushSecret (it should match key under spec.template.data)
    53. 

  53.         secretKey: best-pokemon
    54. 

  54.         remoteRef:
    55. 

  55.           remoteKey: destination-secret # The destination secret object name (where the secret is going to be pushed)
    56. 

  56.           property: best-pokemon-dst # The key within the destination secret object.
    57. 

  57. {% endraw %}
    58.