ClusterPushSecret
external-secrets.io / v1alpha1
apiVersion: external-secrets.io/v1alpha1
kind: ClusterPushSecret
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
namespaceSelectors []object
A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
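The selector rules above (selectors ORed, requirements within one selector ANDed, matchLabels as shorthand for In) decide which namespaces a ClusterPushSecret fans out to. The following is an added example, not code from the External Secrets project, that previews that set; the namespace names and labels are constructed, and the NotIn behaviour for a missing key follows standard Kubernetes label-selector semantics.

```python
# Added example: models the selector semantics described above.
# Namespace names and labels are constructed sample data.

def requirement_matches(labels, key, operator, values):
    """Evaluate a single matchExpressions requirement against a label map."""
    if operator == "In":
        return key in labels and labels[key] in values
    if operator == "NotIn":
        # Kubernetes semantics: an object without the key also satisfies NotIn.
        return key not in labels or labels[key] not in values
    if operator == "Exists":
        return key in labels
    if operator == "DoesNotExist":
        return key not in labels
    raise ValueError(f"invalid operator: {operator!r}")

def selector_matches(labels, selector):
    """matchLabels pairs and matchExpressions requirements are all ANDed."""
    reqs = [{"key": k, "operator": "In", "values": [v]}
            for k, v in selector.get("matchLabels", {}).items()]
    reqs += selector.get("matchExpressions", [])
    for r in reqs:
        # In/NotIn need a non-empty values array; Exists/DoesNotExist an empty one.
        if (r["operator"] in ("In", "NotIn")) != bool(r.get("values")):
            raise ValueError(f"bad values array for {r['operator']} on {r['key']!r}")
    return all(requirement_matches(labels, r["key"], r["operator"], r.get("values", []))
               for r in reqs)

def selected_namespaces(namespaces, namespace_selectors):
    """namespaceSelectors are ORed: one matching selector selects the namespace."""
    return sorted(name for name, labels in namespaces.items()
                  if any(selector_matches(labels, s) for s in namespace_selectors))

NAMESPACES = {  # constructed
    "payments": {"team": "payments", "env": "prod"},
    "payments-dev": {"team": "payments", "env": "dev"},
    "sandbox": {},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
BROAD = [{"matchLabels": {"team": "payments", "env": "prod"}},
         {"matchExpressions": [{"key": "env", "operator": "NotIn", "values": ["dev"]}]}]
TIGHT = [{"matchExpressions": [{"key": "env", "operator": "Exists"},
                               {"key": "env", "operator": "NotIn", "values": ["dev"]}]}]

if __name__ == "__main__":
    print("broad:", selected_namespaces(NAMESPACES, BROAD))
    print("tight:", selected_namespaces(NAMESPACES, TIGHT))
```

The second selector in BROAD also selects namespaces that carry no env label at all; pairing NotIn with Exists, as TIGHT does, limits the fan-out to labelled namespaces.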
pushSecretMetadata object
The metadata of the external secrets to be created
annotations
object
labels
object
pushSecretName
string
The name of the push secrets to be created.
Defaults to the name of the ClusterPushSecret
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
pushSecretSpec object required
PushSecretSpec defines what to do with the secrets.
data []object
Secret Data that should be pushed to providers
conversionStrategy
string
Used to define a conversion Strategy for the secret keys
enum:
None, ReverseUnicode
match object required
Match a given Secret Key to be pushed to the provider.
remoteRef object required
Remote Refs to push to providers.
property
string
Name of the property in the resulting secret
remoteKey
string required
Name of the resulting provider secret.
secretKey
string
Secret Key to be pushed
metadata
object
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
dataTo []object
DataTo defines bulk push rules that expand source Secret keys into provider entries.
conversionStrategy
string
Used to define a conversion Strategy for the secret keys
enum:
None, ReverseUnicode
match object
Match pattern for selecting keys from the source Secret.
If not specified, all keys are selected.
regexp
string
Regexp matches keys by regular expression.
If not specified, all keys are matched.
metadata
object
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
remoteKey
string
RemoteKey is the name of the single provider secret that will receive ALL
matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
When set, per-key expansion is skipped and a single push is performed.
The provider's store prefix (if any) is still prepended to this value.
When not set, each matched key is pushed as its own individual provider secret.
rewrite []object
Rewrite operations to transform keys before pushing to the provider.
Operations are applied sequentially.
regexp object
Used to rewrite with regular expressions.
source
string required
Used to define the regular expression of a re.Compiler.
target
string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
template
string required
Used to define the template to apply on the secret name.
`.value` will specify the secret name in the template.
storeRef object
StoreRef specifies which SecretStore to push to. Required.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum:
SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
name
string
Optionally, sync to the SecretStore of the given name
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
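The dataTo fields above (match.regexp, sequential rewrite operations, and remoteKey bundling) determine which Secret keys reach the provider and under what names. The following is an added example, not the controller's own code, that previews the outcome of one dataTo rule; the Secret contents and rule values are constructed, and the modelling assumptions are listed in the docstring.

```python
import json
import re

def expand_data_to(secret_data, rule):
    """Return {provider secret name: value} for one dataTo rule.

    Assumptions of this sketch: Python `re` stands in for the controller's
    regexp engine, match.regexp is unanchored, only `regexp` rewrites are
    modelled (not `transform`), a bundle uses the rewritten key names, and
    two keys rewriting to the same name is treated as an error.
    """
    pattern = rule.get("match", {}).get("regexp")
    # Without match.regexp every key of the source Secret is selected.
    matched = {k: v for k, v in secret_data.items()
               if pattern is None or re.search(pattern, k)}
    out = {}
    for key, value in matched.items():
        for op in rule.get("rewrite", []):  # operations are applied sequentially
            if "regexp" in op:
                key = re.sub(op["regexp"]["source"], op["regexp"]["target"], key)
        if key in out:
            raise ValueError(f"two source keys rewrite to {key!r}")
        out[key] = value
    if rule.get("remoteKey"):
        # One provider secret receives all matched keys as a JSON object.
        return {rule["remoteKey"]: json.dumps(out, sort_keys=True)}
    return out  # otherwise each matched key becomes its own provider secret

SECRET = {  # constructed sample Secret data
    "DB_HOST": "db.internal.example",
    "DB_USER": "app",
    "API_TOKEN": "constructed-token",
    "tls.key": "constructed-key",
}
PER_KEY = {"match": {"regexp": "^DB_"},
           "rewrite": [{"regexp": {"source": "^DB_", "target": "prod/db/"}},
                       {"regexp": {"source": "HOST$", "target": "hostname"}}]}
BUNDLE = {"match": {"regexp": "^DB_"}, "remoteKey": "app-db"}
UNFILTERED = {}  # no match block: all four keys would be pushed

if __name__ == "__main__":
    for name, rule in (("per-key", PER_KEY), ("bundle", BUNDLE), ("unfiltered", UNFILTERED)):
        print(name, "->", sorted(expand_data_to(SECRET, rule)))
```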
deletionPolicy
string
Deletion Policy to handle Secrets in the provider.
enum:
Delete, None
refreshInterval
string
The interval at which External Secrets will try to push a secret definition
secretStoreRefs []object required
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum:
SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
name
string
Optionally, sync to the SecretStore of the given name
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
selector object required
The Secret Selector (k8s source) for the Push Secret
generatorRef object
Point to a generator to create a Secret.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
secret object
Select a Secret to Push.
name
string
Name of the Secret.
The Secret must exist in the same namespace as the PushSecret manifest.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
selector object
Selector chooses secrets using a labelSelector.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
template object
Template defines a blueprint for the created Secret resource.
data
object
engineVersion
string
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
v2
mergePolicy
string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum:
Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations
object
finalizers
[]string
labels
object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope specifies how the template keys should be interpreted.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
literal
string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope specifies how the template keys should be interpreted.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
target
string
Target specifies where to place the template result.
For Secret resources, common values are: "Data", "Annotations", "Labels".
For custom resources (when spec.target.manifest is set), this supports
nested paths like "spec.database.config" or "data".
type
string
updatePolicy
string
UpdatePolicy to handle Secrets in the provider.
enum:
Replace, IfNotExists
refreshTime
string
The time in which the controller should reconcile its objects and recheck namespaces for labels.
status object
ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
conditions []object
lastTransitionTime
string
format:
date-time
message
string
reason
string
status
string required
type
string required
PushSecretConditionType indicates the condition of the PushSecret.
failedNamespaces []object
Failed namespaces are the namespaces that failed to apply a PushSecret
namespace
string required
Namespace is the namespace that failed when trying to apply a PushSecret
reason
string
Reason is why the PushSecret failed to apply to the namespace
provisionedNamespaces
[]string
ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
pushSecretName
string