ClusterExternalSecret
external-secrets.io / v1beta1
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
externalSecretMetadata object
The metadata of the external secrets to be created
annotations
object
labels
object
externalSecretName
string
The name of the external secrets to be created.
Defaults to the name of the ClusterExternalSecret
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
externalSecretSpec object required
The spec for the ExternalSecrets to be created
data []object
Data defines the connection between the Kubernetes Secret keys and the Provider data
remoteRef object required
RemoteRef points to the remote secret and defines
which secret (version/property/..) to fetch.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
key
string required
Key is the key used in the Provider, mandatory
metadataPolicy
string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
None, Fetch
property
string
Used to select a specific property of the Provider value (if a map), if supported
version
string
Used to select a specific version of the Provider value, if supported
secretKey
string required
The key in the Kubernetes Secret to store the value.
pattern:
^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
sourceRef object
SourceRef allows you to override the source
from which the value will be pulled.
generatorRef object
GeneratorRef points to a generator custom resource.
Deprecated: The generatorRef is not implemented in .data[].
This will be removed with v1.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
dataFrom []object
DataFrom is used to fetch all properties from a specific Provider data
If multiple entries are specified, the Secret keys are merged in the specified order
extract object
Used to extract multiple key/value pairs from one secret
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
key
string required
Key is the key used in the Provider, mandatory
metadataPolicy
string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
None, Fetch
property
string
Used to select a specific property of the Provider value (if a map), if supported
version
string
Used to select a specific version of the Provider value, if supported
find object
Used to find secrets based on tags or regular expressions
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
name object
Finds secrets based on the name.
regexp
string
Finds secrets base
path
string
A root path to start the find operations.
tags
object
Find secrets based on tags.
rewrite []object
Used to rewrite secret Keys after getting them from the secret Provider
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
regexp object
Used to rewrite with regular expressions.
The resulting key will be the output of a regexp.ReplaceAll operation.
source
string required
Used to define the regular expression of a re.Compiler.
target
string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
The resulting key will be the output of the template applied by the operation.
template
string required
Used to define the template to apply on the secret name.
`.value` will specify the secret name in the template.
sourceRef object
SourceRef points to a store or generator
which contains secret values ready to use.
Use this in combination with Extract or Find to pull values out of
a specific SecretStore.
When sourceRef points to a generator Extract or Find is not supported.
The generator returns a static map of values
generatorRef object
GeneratorRef points to a generator custom resource.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
refreshInterval
string
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
specified as Golang Duration strings.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
Example values: "1h0m0s", "2h30m0s", "10m0s"
May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
refreshPolicy
string
RefreshPolicy determines how the ExternalSecret should be refreshed:
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
No periodic updates occur if refreshInterval is 0.
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum:
CreatedOnce, Periodic, OnChange
secretStoreRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target object
ExternalSecretTarget defines the Kubernetes Secret to be created
There can be only one target per ExternalSecret.
creationPolicy
string
CreationPolicy defines rules on how to create the resulting Secret.
Defaults to "Owner"
enum:
Owner, Orphan, Merge, None
deletionPolicy
string
DeletionPolicy defines rules on how to delete the resulting Secret.
Defaults to "Retain"
enum:
Delete, Merge, Retain
immutable
boolean
Immutable defines if the final secret will be immutable
name
string
The name of the Secret resource to be managed.
Defaults to the .metadata.name of the ExternalSecret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
template object
Template defines a blueprint for the created Secret resource.
data
object
engineVersion
string
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
v2
mergePolicy
string
TemplateMergePolicy defines how template values should be merged when generating a secret.
enum:
Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations
object
labels
object
templateFrom []object
configMap object
TemplateRef defines a reference to a template source in a ConfigMap or Secret.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs
string
TemplateScope defines the scope of the template when processing template data.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
literal
string
secret object
TemplateRef defines a reference to a template source in a ConfigMap or Secret.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs
string
TemplateScope defines the scope of the template when processing template data.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target
string
TemplateTarget defines the target field where the template result will be stored.
enum:
Data, Annotations, Labels
type
string
namespaceSelector object
The labels to select by to find the Namespaces to create the ExternalSecrets in
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelectors []object
A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces
[]string
Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
Deprecated: Use NamespaceSelectors instead.
refreshTime
string
The time in which the controller should reconcile its objects and recheck namespaces for labels.
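As an added example (not part of this reference or of the external-secrets project), the following Python models the namespace-selection rules described above for namespaceSelector, namespaceSelectors and the deprecated namespaces field, so the set of namespaces a ClusterExternalSecret would push a Secret into can be estimated before it is applied. It assumes standard Kubernetes label-selector behaviour, including that an empty selector matches every namespace; the cluster namespaces, their labels and the spec fragment are constructed sample data.

```python
from typing import Dict, List

# Constructed sample cluster: namespace name -> its labels.
CLUSTER_NAMESPACES = {
    "payments-prod": {"env": "prod", "team": "payments"},
    "payments-dev": {"env": "dev", "team": "payments"},
    "shared-tools": {"env": "prod", "team": "platform"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

# Constructed .spec fragment using the CRD's namespaceSelectors and namespaces fields.
SPEC = {
    "namespaceSelectors": [
        {"matchLabels": {"team": "payments"},
         "matchExpressions": [{"key": "env", "operator": "In", "values": ["prod"]}]},
    ],
    "namespaces": ["shared-tools"],  # deprecated, but still ORed with the selectors
}

def expression_matches(expr: Dict, labels: Dict[str, str]) -> bool:
    """Evaluate one matchExpressions entry, enforcing the values-array rules."""
    op, key, values = expr["operator"], expr["key"], expr.get("values") or []
    if op in ("In", "NotIn"):
        if not values:
            raise ValueError(f"{op} requires a non-empty values array")
        present = labels.get(key) in values  # a missing key never matches In
        return present if op == "In" else not present
    if op in ("Exists", "DoesNotExist"):
        if values:
            raise ValueError(f"{op} requires an empty values array")
        return (key in labels) == (op == "Exists")
    raise ValueError(f"invalid operator {op!r}")

def selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """matchLabels become In expressions; every requirement must hold (ANDed).
    Assumption: an empty selector ({}) matches all namespaces, as in Kubernetes."""
    exprs = [{"key": k, "operator": "In", "values": [v]}
             for k, v in selector.get("matchLabels", {}).items()]
    exprs += selector.get("matchExpressions", [])
    return all(expression_matches(e, labels) for e in exprs)

def target_namespaces(spec: Dict, namespaces: Dict[str, Dict[str, str]]) -> List[str]:
    """namespaceSelector, each namespaceSelectors entry and the namespaces list are ORed."""
    selectors = list(spec.get("namespaceSelectors", []))
    if "namespaceSelector" in spec:
        selectors.append(spec["namespaceSelector"])
    explicit = set(spec.get("namespaces", []))
    return sorted(ns for ns, labels in namespaces.items()
                  if ns in explicit or any(selector_matches(s, labels) for s in selectors))
```

Running `target_namespaces(SPEC, CLUSTER_NAMESPACES)` on the sample data returns only payments-prod and shared-tools; a selector entry of `{}` would instead return every namespace, which is the case to watch for in review.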
status object
ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
conditions []object
message
string
status
string required
type
string required
ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
externalSecretName
string
ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
failedNamespaces []object
Failed namespaces are the namespaces that failed to apply an ExternalSecret
namespace
string required
Namespace is the namespace that failed when trying to apply an ExternalSecret
reason
string
Reason is why the ExternalSecret failed to apply to the namespace
provisionedNamespaces
[]string
ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets