# External Secrets

[//]: # (README.md generated by gotmpl. DO NOT EDIT.)

![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.2](https://img.shields.io/badge/Version-0.5.2-informational?style=flat-square)

External secret management for Kubernetes

## TL;DR

```bash
helm repo add external-secrets https://charts.external-secrets.io
# Helm 3 requires a release name (or --generate-name)
helm install external-secrets external-secrets/external-secrets
```

## Installing the Chart

To install the chart with the release name `external-secrets`:

```bash
helm install external-secrets external-secrets/external-secrets
```

### Custom Resources

By default, the chart installs the external-secrets CRDs; this can be controlled with the `installCRDs` value.

## Uninstalling the Chart

To uninstall the `external-secrets` deployment:

```bash
helm uninstall external-secrets
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` |  |
| certController.affinity | object | `{}` |  |
| certController.create | bool | `true` | Specifies whether a certificate controller deployment should be created. |
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| certController.extraArgs | object | `{}` |  |
| certController.extraEnv | list | `[]` |  |
| certController.fullnameOverride | string | `""` |  |
| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
| certController.image.tag | string | `""` |  |
| certController.imagePullSecrets | list | `[]` |  |
| certController.nameOverride | string | `""` |  |
| certController.nodeSelector | object | `{}` |  |
| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
| certController.podLabels | object | `{}` |  |
| certController.podSecurityContext | object | `{}` |  |
| certController.priorityClassName | string | `""` | Pod priority class name. |
| certController.prometheus.enabled | bool | `false` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| certController.prometheus.service.port | int | `8080` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| certController.requeueInterval | string | `"5m"` |  |
| certController.resources | object | `{}` |  |
| certController.securityContext | object | `{}` |  |
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| certController.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| certController.tolerations | list | `[]` |  |
| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret reconciles that external-secrets executes at a time. |
| controllerClass | string | `""` | If set, external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
| createOperator | bool | `true` | Specifies whether an external secret operator deployment should be created. |
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| extraArgs | object | `{}` |  |
| extraEnv | list | `[]` |  |
| fullnameOverride | string | `""` |  |
| image.pullPolicy | string | `"IfNotPresent"` |  |
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| imagePullSecrets | list | `[]` |  |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| nameOverride | string | `""` |  |
| nodeSelector | object | `{}` |  |
| podAnnotations | object | `{}` | Annotations to add to Pod |
| podLabels | object | `{}` |  |
| podSecurityContext | object | `{}` |  |
| priorityClassName | string | `""` | Pod priority class name. |
| processClusterExternalSecret | bool | `true` | If true, the operator will process cluster external secrets. Otherwise, it will ignore them. |
| processClusterStore | bool | `true` | If true, the operator will process cluster stores. Otherwise, it will ignore them. |
| prometheus.enabled | bool | `false` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| prometheus.service.port | int | `8080` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| replicaCount | int | `1` |  |
| resources | object | `{}` |  |
| scopedNamespace | string | `""` | If set, external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext | object | `{}` |  |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| tolerations | list | `[]` |  |
| webhook.affinity | object | `{}` |  |
| webhook.certCheckInterval | string | `"5m"` |  |
| webhook.certDir | string | `"/tmp/certs"` |  |
| webhook.create | bool | `true` | Specifies whether a webhook deployment should be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` |  |
| webhook.extraEnv | list | `[]` |  |
| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | `""` |  |
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | `[]` |  |
| webhook.nameOverride | string | `""` |  |
| webhook.nodeSelector | object | `{}` |  |
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podLabels | object | `{}` |  |
| webhook.podSecurityContext | object | `{}` |  |
| webhook.port | int | `10250` | The port the webhook will listen on |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.prometheus.enabled | bool | `false` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| webhook.prometheus.service.port | int | `8080` | Deprecated. Will be removed with 0.7.0; use serviceMonitor instead. |
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| webhook.replicaCount | int | `1` |  |
| webhook.resources | object | `{}` |  |
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
| webhook.securityContext | object | `{}` |  |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| webhook.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| webhook.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| webhook.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| webhook.tolerations | list | `[]` |  |
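
A namespace-scoped, least-privilege values file assembled from the keys in the Values table, shown as an added example that is not part of the chart's own README. The file name `values-scoped.yaml`, the namespace `team-a`, and the security context settings are assumptions to validate against your cluster and image.

```yaml
# values-scoped.yaml (hypothetical file name). Added example, not shipped with the chart.
# Every key appears in the Values table; the values are assumptions to adapt.

# Reconcile ExternalSecrets in a single namespace ("team-a" is a placeholder).
scopedNamespace: team-a
# Create namespaced RBAC roles instead of cluster-wide ones. Per the table this
# implicitly disables cluster stores and cluster external secrets.
scopedRBAC: true
# Stated explicitly so the restriction is visible when the file is reviewed.
processClusterStore: false
processClusterExternalSecret: false

# Container hardening, reused below through YAML anchors.
# Assumption: the image runs as a non-root user. With runAsNonRoot set, the
# kubelet refuses to start a container that would run as UID 0.
securityContext: &container
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
podSecurityContext: &pod
  seccompProfile:
    type: RuntimeDefault

webhook:
  # Chart default, pinned here: if the webhook is unreachable, the API server
  # rejects the request rather than admitting an unvalidated resource.
  failurePolicy: Fail
  # Chart default, pinned here: keep the webhook out of the node's network namespace.
  hostNetwork: false
  securityContext: *container
  podSecurityContext: *pod

certController:
  securityContext: *container
  podSecurityContext: *pod

# Install with:
#   helm install external-secrets external-secrets/external-secrets -f values-scoped.yaml
```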