PushSecret
external-secrets.io / v1alpha1
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
PushSecretSpec configures the behavior of the PushSecret.
data []object
Secret Data that should be pushed to providers
conversionStrategy
string
Used to define a conversion Strategy for the secret keys
enum:
None, ReverseUnicode
match object required
Match a given Secret Key to be pushed to the provider.
remoteRef object required
Remote Refs to push to providers.
property
string
Name of the property in the resulting secret
remoteKey
string required
Name of the resulting provider secret.
secretKey
string
Secret Key to be pushed
metadata
object
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
dataTo []object
DataTo defines bulk push rules that expand source Secret keys into provider entries.
conversionStrategy
string
Used to define a conversion Strategy for the secret keys
enum:
None, ReverseUnicode
match object
Match pattern for selecting keys from the source Secret.
If not specified, all keys are selected.
regexp
string
Regexp matches keys by regular expression.
If not specified, all keys are matched.
metadata
object
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
remoteKey
string
RemoteKey is the name of the single provider secret that will receive ALL
matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
When set, per-key expansion is skipped and a single push is performed.
The provider's store prefix (if any) is still prepended to this value.
When not set, each matched key is pushed as its own individual provider secret.
rewrite []object
Rewrite operations to transform keys before pushing to the provider.
Operations are applied sequentially.
regexp object
Used to rewrite with regular expressions.
source
string required
Used to define the regular expression of a re.Compiler.
target
string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
template
string required
Used to define the template to apply on the secret name.
`.value` will specify the secret name in the template.
storeRef object
StoreRef specifies which SecretStore to push to. Required.
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum:
SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
name
string
Optionally, sync to the SecretStore of the given name
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
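The dataTo rules above can be previewed offline before a PushSecret is applied, which matters because an omitted match selects every key of the source Secret. The sketch below is an added example, not External Secrets Operator code: the `DataTo` type and `Preview` function are hypothetical, the sample Secret is constructed, and it assumes an unanchored regexp match, that bundled JSON uses the rewritten names, and that two keys rewriting to the same name should be reported as an error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// DataTo is a hypothetical model of the dataTo fields documented above.
type DataTo struct {
	MatchRegexp string      // match.regexp; empty selects every key
	Rewrites    [][2]string // rewrite[].regexp as {source, target}, applied in order
	RemoteKey   string      // when set, matched keys become one JSON object
}

// Preview returns provider entry name -> value for one dataTo rule.
func Preview(rule DataTo, secret map[string]string) (map[string]string, error) {
	match, err := regexp.Compile(rule.MatchRegexp) // assumption: unanchored match
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for k, v := range secret {
		if !match.MatchString(k) {
			continue
		}
		name := k
		for _, rw := range rule.Rewrites {
			re, err := regexp.Compile(rw[0])
			if err != nil {
				return nil, err
			}
			name = re.ReplaceAllString(name, rw[1]) // target may reference $1
		}
		if _, dup := out[name]; dup {
			return nil, fmt.Errorf("rewrite collision: two keys map to %q", name)
		}
		out[name] = v
	}
	if rule.RemoteKey == "" {
		return out, nil // one provider secret per matched key
	}
	b, err := json.Marshal(out) // assumption: bundle uses the rewritten names
	return map[string]string{rule.RemoteKey: string(b)}, err
}

func main() {
	// Constructed sample Secret data; an empty rule selects all three keys.
	s := map[string]string{"DB_HOST": "db.internal", "DB_USER": "app", "TLS_KEY": "constructed"}
	fmt.Println(Preview(DataTo{}, s))
}
```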
deletionPolicy
string
Deletion Policy to handle Secrets in the provider.
enum:
Delete, None
refreshInterval
string
The interval at which External Secrets will try to push a secret definition
secretStoreRefs []object required
kind
string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum:
SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
name
string
Optionally, sync to the SecretStore of the given name
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
selector object required
The Secret Selector (k8s source) for the Push Secret
generatorRef object
Point to a generator to create a Secret.
apiVersion
string
Specify the apiVersion of the generator resource
kind
string required
Specify the Kind of the generator resource
enum:
ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name
string required
Specify the name of the generator resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
secret object
Select a Secret to Push.
name
string
Name of the Secret.
The Secret must exist in the same namespace as the PushSecret manifest.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
selector object
Selector chooses secrets using a labelSelector.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
template object
Template defines a blueprint for the created Secret resource.
data
object
engineVersion
string
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
v2
mergePolicy
string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum:
Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations
object
finalizers
[]string
labels
object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope specifies how the template keys should be interpreted.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
literal
string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key
string required
A key in the ConfigMap/Secret
pattern:
^[-._a-zA-Z0-9]+$
minLength:
1
maxLength:
253
templateAs
string
TemplateScope specifies how the template keys should be interpreted.
enum:
Values, KeysAndValues
name
string required
The name of the ConfigMap/Secret resource
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
target
string
Target specifies where to place the template result.
For Secret resources, common values are: "Data", "Annotations", "Labels".
For custom resources (when spec.target.manifest is set), this supports
nested paths like "spec.database.config" or "data".
type
string
updatePolicy
string
UpdatePolicy to handle Secrets in the provider.
enum:
Replace, IfNotExists
status object
PushSecretStatus indicates the history of the status of PushSecret.
conditions []object
lastTransitionTime
string
format:
date-time
message
string
reason
string
status
string required
type
string required
PushSecretConditionType indicates the condition of the PushSecret.
refreshTime
string
refreshTime is the time and date the external secret was fetched and
the target secret updated
format:
date-time
syncedPushSecrets
object
Synced PushSecrets, including secrets that already exist in provider.
Matches secret stores to PushSecretData that was stored to that secret store.
syncedResourceVersion
string
SyncedResourceVersion keeps track of the last synced version.