logic855
/
helm-external-secrets
огледало от https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238
							# Example values.yaml demonstrating provider deployment
# This shows how to deploy External Secrets with multiple providers

# Deploy the External Secrets controller
replicaCount: 1

image:
  repository: oci.external-secrets.io/external-secrets/external-secrets
  pullPolicy: IfNotPresent
  tag: ""

# Install CRDs
installCRDs: true
v2:
  enabled: true
crds:
  createClusterProviderClass: true
  createProviderStore: true
  createClusterProviderStore: true

# Enable provider deployments
providers:
  enabled: true
  
  list:
    # AWS Provider Example
    - name: aws-primary
      type: aws
      enabled: true
      replicaCount: 2
      
      image:
        repository: oci.external-secrets.io/external-secrets/provider-aws
        pullPolicy: IfNotPresent
        tag: ""
      
      serviceAccount:
        create: true
        annotations:
          # Example: Use IRSA for AWS authentication
          eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-provider-aws
        automount: true
      
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        runAsUser: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault
      
      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        capabilities:
          drop:
          - ALL
      
      service:
        type: ClusterIP
        port: 8080
      
      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi
      
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/component: provider
                  external-secrets.io/provider: aws
              topologyKey: kubernetes.io/hostname
      
      podDisruptionBudget:
        enabled: true
        minAvailable: 1
      
      tls:
        enabled: true
        certPath: /etc/provider/certs
        caSecretName: external-secrets-v2-ca
        mountCA: true
      
      config:
        region: us-east-1
        authMethod: irsa
      
      logging:
        level: info
        format: json
      
      metrics:
        enabled: true
        port: 8081
        serviceMonitor:
          enabled: true
          interval: 30s
          scrapeTimeout: 10s
      
      health:
        port: 8082
        livenessProbe:
          enabled: true
          initialDelaySeconds: 10
          periodSeconds: 20
        readinessProbe:
          enabled: true
          initialDelaySeconds: 5
          periodSeconds: 10
    
    # GCP Provider Example (disabled by default)
    - name: gcp
      type: gcp
      enabled: false
      replicaCount: 2
      
      image:
        repository: oci.external-secrets.io/external-secrets/provider-gcp
        pullPolicy: IfNotPresent
      
      serviceAccount:
        create: true
        annotations:
          # Example: Use Workload Identity for GCP authentication
          iam.gke.io/gcp-service-account: eso-provider@project-id.iam.gserviceaccount.com
      
      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi
      
      config:
        projectID: my-project-id
      
      logging:
        level: info
      
      metrics:
        enabled: true
    
    # Azure Provider Example (disabled by default)
    - name: azure
      type: azure
      enabled: false
      replicaCount: 2
      
      image:
        repository: oci.external-secrets.io/external-secrets/provider-azure
        pullPolicy: IfNotPresent
      
      serviceAccount:
        create: true
        annotations:
          # Example: Use Azure Workload Identity
          azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
      
      podLabels:
        azure.workload.identity/use: "true"
      
      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi
      
      config:
        vaultURL: https://my-keyvault.vault.azure.net
        tenantID: "00000000-0000-0000-0000-000000000000"
      
      logging:
        level: info
      
      metrics:
        enabled: true
    
    # Vault Provider Example (disabled by default)
    - name: vault
      type: vault
      enabled: false
      replicaCount: 2
      
      image:
        repository: oci.external-secrets.io/external-secrets/provider-vault
        pullPolicy: IfNotPresent
      
      serviceAccount:
        create: true
      
      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 64Mi
      
      config:
        vaultAddr: https://vault.example.com
        authMethod: kubernetes
      
      extraEnv:
      - name: VAULT_SKIP_VERIFY
        value: "false"
      
      logging:
        level: info
      
      metrics:
        enabled: true

# Standard controller configuration continues...
serviceAccount:
  create: true
  annotations: {}

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi