ExternalSecret
external-secrets.io / v1beta1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ExternalSecretSpec defines the desired state of ExternalSecret.
data []object
Data defines the connection between the Kubernetes Secret keys and the Provider data
remoteRef object required
RemoteRef points to the remote secret and defines
which secret (version/property/..) to fetch.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
key
string required
Key is the key used in the Provider, mandatory
metadataPolicy
string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
None, Fetch
property
string
Used to select a specific property of the Provider value (if a map), if supported
version
string
Used to select a specific version of the Provider value, if supported
secretKey
string required
The key in the Kubernetes Secret to store the value.
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
sourceRef object
SourceRef allows you to override the source
from which the value will be pulled.
generatorRef object
GeneratorRef points to a generator custom resource.
Deprecated: The generatorRef is not implemented in .data[].
This will be removed with v1.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
dataFrom []object
DataFrom is used to fetch all properties from a specific Provider data
If multiple entries are specified, the Secret keys are merged in the specified order
extract object
Used to extract multiple key/value pairs from one secret
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
key
string required
Key is the key used in the Provider, mandatory
metadataPolicy
string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
None, Fetch
property
string
Used to select a specific property of the Provider value (if a map), if supported
version
string
Used to select a specific version of the Provider value, if supported
find object
Used to find secrets based on tags or regular expressions
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy
string
Used to define a conversion Strategy
enum:
Default, Unicode
decodingStrategy
string
Used to define a decoding Strategy
enum:
Auto, Base64, Base64URL, None
name object
Finds secrets based on the name.
regexp
string
Finds secrets base
path
string
A root path to start the find operations.
tags
object
Find secrets based on tags.
rewrite []object
Used to rewrite secret Keys after getting them from the secret Provider
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
regexp object
Used to rewrite with regular expressions.
The resulting key will be the output of a regexp.ReplaceAll operation.
source
string required
Used to define the regular expression of a re.Compiler.
target
string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
The resulting key will be the output of the template applied by the operation.
template
string required
Used to define the template to apply on the secret name.
`.value` will specify the secret name in the template.
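The layered rewrite order described above, modelled in Go as an added example (it is not the external-secrets controller's code): each provider key passes through the regexp rules first to last, and the result is checked against the `secretKey` pattern this page lists. The `Rewrite` type, the `RewriteKeys` function, the collision check and the sample key names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rewrite models one dataFrom[].rewrite[].regexp entry (source, target).
type Rewrite struct{ Source, Target string }

// keyPattern is the pattern this page lists for secretKey.
var keyPattern = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// RewriteKeys applies the rules to each provider key in order (first to last).
// It returns rewritten key -> provider key, plus findings for invalid or colliding keys.
func RewriteKeys(keys []string, rules []Rewrite) (map[string]string, []string, error) {
	res := make([]*regexp.Regexp, len(rules))
	for i, r := range rules {
		re, err := regexp.Compile(r.Source)
		if err != nil {
			return nil, nil, fmt.Errorf("rewrite[%d].regexp.source: %w", i, err)
		}
		res[i] = re
	}
	out := map[string]string{}
	var findings []string
	for _, name := range keys {
		key := name
		for i, re := range res {
			key = re.ReplaceAllString(key, rules[i].Target) // output feeds the next rule
		}
		switch prev, dup := out[key]; {
		case !keyPattern.MatchString(key):
			findings = append(findings, fmt.Sprintf("invalid key %q (from %q)", key, name))
		case dup:
			findings = append(findings, fmt.Sprintf("collision on %q: %q and %q", key, prev, name))
		default:
			out[key] = name
		}
	}
	return out, findings, nil
}

func main() {
	// Constructed provider key names, not taken from any real store.
	keys := []string{"/prod/api/token", "/prod/api_token", "/prod/db/user name"}
	out, findings, err := RewriteKeys(keys, []Rewrite{{`^/prod/`, ""}, {`/`, "_"}})
	fmt.Println(out, findings, err)
}
```

Swapping the two rules leaves the `/prod/` prefix in place as `_prod_`, because the anchored source no longer matches once every `/` has been replaced.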
sourceRef object
SourceRef points to a store or generator
which contains secret values ready to use.
Use this in combination with Extract or Find to pull values out of
a specific SecretStore.
When sourceRef points to a generator, Extract or Find is not supported.
The generator returns a static map of values.
generatorRef object
GeneratorRef points to a generator custom resource.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
refreshInterval
string
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
specified as Golang Duration strings.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
Example values: "1h0m0s", "2h30m0s", "10m0s"
May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
refreshPolicy
string
RefreshPolicy determines how the ExternalSecret should be refreshed:
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
No periodic updates occur if refreshInterval is 0.
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum:
CreatedOnce, Periodic, OnChange
secretStoreRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
enum:
SecretStore, ClusterSecretStore
name
string
Name of the SecretStore resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
target object
ExternalSecretTarget defines the Kubernetes Secret to be created
There can be only one target per ExternalSecret.
creationPolicy
string
CreationPolicy defines rules on how to create the resulting Secret.
Defaults to "Owner"
enum:
Owner, Orphan, Merge, None
deletionPolicy
string
DeletionPolicy defines rules on how to delete the resulting Secret.
Defaults to "Retain"
enum:
Delete, Merge, Retain
immutable
boolean
Immutable defines if the final secret will be immutable
name
string
The name of the Secret resource to be managed.
Defaults to the .metadata.name of the ExternalSecret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
template object
Template defines a blueprint for the created Secret resource.
data
object
engineVersion
string
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
v2
mergePolicy
string
TemplateMergePolicy defines how template values should be merged when generating a secret.
enum:
Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations
object
labels
object
templateFrom []object
configMap object
TemplateRef defines a reference to a template source in a ConfigMap or Secret.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope defines the scope of the template when processing template data.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
literal
string
secret object
TemplateRef defines a reference to a template source in a ConfigMap or Secret.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope defines the scope of the template when processing template data.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
target
string
TemplateTarget defines the target field where the template result will be stored.
enum:
Data, Annotations, Labels
type
string
status object
ExternalSecretStatus defines the observed state of ExternalSecret.
binding object
Binding represents a servicebinding.io Provisioned Service reference to the secret
name
string
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
conditions []object
lastTransitionTime
string
format:
date-time
message
string
reason
string
status
string required
type
string required
ExternalSecretConditionType defines the condition type for an ExternalSecret.
refreshTime
string
refreshTime is the time and date the external secret was fetched and
the target secret updated
format:
date-time
syncedResourceVersion
string
SyncedResourceVersion keeps track of the last synced version