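# Example values.yaml demonstrating provider deployment.
# Shows how to deploy External Secrets with several providers side by side.
# Only the aws-primary entry is enabled; the gcp, azure and vault entries are
# templates that stay off until their placeholder identities are filled in.

# Deploy the External Secrets controller
replicaCount: 1

image:
  repository: oci.external-secrets.io/external-secrets/external-secrets
  pullPolicy: IfNotPresent
  # An empty tag falls back to the chart's default image tag. Pin an explicit
  # tag (or digest) in production so upgrades are deliberate and reproducible.
  tag: ""

# Install CRDs
installCRDs: true

v2:
  enabled: true
  crds:
    createProvider: true
    createClusterProvider: true

# Enable provider deployments
providers:
  enabled: true

  list:
    # AWS Provider Example
    - name: aws-primary
      type: aws
      enabled: true
      replicaCount: 2

      image:
        repository: oci.external-secrets.io/external-secrets/provider-aws
        pullPolicy: IfNotPresent
        tag: ""

      serviceAccount:
        create: true
        annotations:
          # Example: Use IRSA for AWS authentication. Account ID and role name
          # are placeholders. Scope the role's trust policy to this exact
          # namespace/service-account pair and its permissions to the secrets
          # this provider must read.
          eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-provider-aws
        # Mounts the Kubernetes SA token into the provider pod. Leave on only
        # if the provider needs in-cluster API access -- confirm against the
        # chart before changing.
        automount: true

      # Pod-level hardening: non-root UID, RuntimeDefault seccomp.
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        runAsUser: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault

      # Container-level hardening: no privilege escalation, read-only root
      # filesystem, all Linux capabilities dropped.
      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        capabilities:
          drop:
            - ALL

      service:
        type: ClusterIP
        port: 8080

      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi

      # Spread the two replicas across nodes where possible (soft rule).
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/component: provider
                    external-secrets.io/provider: aws
                topologyKey: kubernetes.io/hostname

      podDisruptionBudget:
        enabled: true
        minAvailable: 1

      # TLS between the controller and this provider. The CA is read from
      # the named secret and mounted alongside the provider certificate.
      tls:
        enabled: true
        certPath: /etc/provider/certs
        caSecretName: external-secrets-v2-ca
        mountCA: true

      config:
        region: us-east-1
        authMethod: irsa

      logging:
        level: info
        format: json

      metrics:
        enabled: true
        port: 8081
        # ServiceMonitor objects need the Prometheus Operator CRDs installed;
        # disable this if the cluster does not have them.
        serviceMonitor:
          enabled: true
          interval: 30s
          scrapeTimeout: 10s

      # Health endpoint is on its own port so it never shares the gRPC
      # service port (8080) or the metrics port (8081).
      health:
        port: 8082
        livenessProbe:
          enabled: true
          initialDelaySeconds: 10
          periodSeconds: 20
        readinessProbe:
          enabled: true
          initialDelaySeconds: 5
          periodSeconds: 10

    # GCP Provider Example (disabled by default)
    - name: gcp
      type: gcp
      enabled: false
      replicaCount: 2

      image:
        repository: oci.external-secrets.io/external-secrets/provider-gcp
        pullPolicy: IfNotPresent

      serviceAccount:
        create: true
        annotations:
          # Example: Use Workload Identity for GCP authentication
          # (placeholder GSA; bind it to this KSA and grant it only
          # secretmanager access for the secrets it must read).
          iam.gke.io/gcp-service-account: eso-provider@project-id.iam.gserviceaccount.com

      # Same hardening as aws-primary so enabling this entry does not
      # silently run a less restricted pod.
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        runAsUser: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault

      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        capabilities:
          drop:
            - ALL

      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi

      config:
        # Placeholder; replace with the real project ID.
        projectID: my-project-id

      logging:
        level: info

      metrics:
        enabled: true

    # Azure Provider Example (disabled by default)
    - name: azure
      type: azure
      enabled: false
      replicaCount: 2

      image:
        repository: oci.external-secrets.io/external-secrets/provider-azure
        pullPolicy: IfNotPresent

      serviceAccount:
        create: true
        annotations:
          # Example: Use Azure Workload Identity (placeholder client ID).
          azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"

      # Label values must be strings, hence the quoted "true".
      podLabels:
        azure.workload.identity/use: "true"

      # Same hardening as aws-primary.
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        runAsUser: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault

      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        capabilities:
          drop:
            - ALL

      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi

      config:
        # Placeholders; replace with the real Key Vault URL and tenant ID.
        vaultURL: https://my-keyvault.vault.azure.net
        tenantID: "00000000-0000-0000-0000-000000000000"

      logging:
        level: info

      metrics:
        enabled: true

    # Vault Provider Example (disabled by default)
    - name: vault
      type: vault
      enabled: false
      replicaCount: 2

      image:
        repository: oci.external-secrets.io/external-secrets/provider-vault
        pullPolicy: IfNotPresent

      serviceAccount:
        create: true

      # Same hardening as aws-primary.
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        runAsUser: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault

      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        capabilities:
          drop:
            - ALL

      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi

      config:
        # Placeholder address; use the https:// endpoint of the real Vault.
        vaultAddr: https://vault.example.com
        authMethod: kubernetes

      extraEnv:
        # Keep TLS verification on. Setting this to "true" disables
        # certificate checks against Vault and must never reach production;
        # use a trusted CA bundle for self-signed deployments instead.
        # Env values are strings, so the boolean is quoted.
        - name: VAULT_SKIP_VERIFY
          value: "false"

      logging:
        level: info

      metrics:
        enabled: true

# Standard controller configuration continues...
serviceAccount:
  create: true
  annotations: {}

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi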