# External Secrets

<p align="left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" /></p>

[//]: # (README.md generated by gotmpl. DO NOT EDIT.)

![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square)

External secret management for Kubernetes

## TL;DR

```bash
# Add the chart repository, then install with the release name "external-secrets"
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets
```

## Installing the Chart

To install the chart with the release name `external-secrets`:

```bash
helm install external-secrets external-secrets/external-secrets
```

### Custom Resources

By default, the chart installs the external-secrets CRDs; this can be controlled with the `installCRDs` value.

|
## Uninstalling the Chart

To uninstall the `external-secrets` deployment:

```bash
helm uninstall external-secrets
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Values

|
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| certController.affinity | object | `{}` | |
| certController.create | bool | `true` | Specifies whether a certificate controller deployment should be created. |
| certController.deploymentAnnotations | object | `{}` | Annotations to add to the Deployment. |
| certController.extraArgs | object | `{}` | |
| certController.extraEnv | list | `[]` | |
| certController.fullnameOverride | string | `""` | |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| certController.image.tag | string | `""` | |
| certController.imagePullSecrets | list | `[]` | |
| certController.nameOverride | string | `""` | |
| certController.nodeSelector | object | `{}` | |
| certController.podAnnotations | object | `{}` | Annotations to add to the Pod. |
| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | `{}` | |
| certController.podSecurityContext | object | `{}` | |
| certController.priorityClassName | string | `""` | Pod priority class name. |
| certController.prometheus.enabled | bool | `false` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| certController.prometheus.service.port | int | `8080` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| certController.replicaCount | int | `1` | |
| certController.requeueInterval | string | `"5m"` | |
| certController.resources | object | `{}` | |
| certController.securityContext | object | `{}` | |
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.serviceMonitor.additionalLabels | object | `{}` | Additional labels. |
| certController.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics. |
| certController.serviceMonitor.interval | string | `"30s"` | Interval at which to scrape metrics. |
| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved within the given interval. |
| certController.tolerations | list | `[]` | |
| concurrent | int | `1` | Specifies the number of ExternalSecret reconciles that external-secrets executes concurrently. |
| controllerClass | string | `""` | If set, external-secrets only processes Secret Stores whose controller value matches. |
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
| createOperator | bool | `true` | Specifies whether an external secret operator deployment should be created. |
| deploymentAnnotations | object | `{}` | Annotations to add to the Deployment. |
| extraArgs | object | `{}` | |
| extraEnv | list | `[]` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through the Helm chart. |
| leaderElect | bool | `false` | If true, external-secrets performs leader election between instances to ensure that no more than one instance operates at a time. |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | Annotations to add to the Pod. |
| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | |
| podSecurityContext | object | `{}` | |
| priorityClassName | string | `""` | Pod priority class name. |
| processClusterExternalSecret | bool | `true` | If true, the operator processes cluster external secrets; otherwise it ignores them. |
| processClusterStore | bool | `true` | If true, the operator processes cluster stores; otherwise it ignores them. |
| prometheus.enabled | bool | `false` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| prometheus.service.port | int | `8080` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| scopedNamespace | string | `""` | If set, external secrets are only reconciled in the provided namespace. |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets. |
| securityContext | object | `{}` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | `{}` | Additional labels. |
| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics. |
| serviceMonitor.interval | string | `"30s"` | Interval at which to scrape metrics. |
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved within the given interval. |
| tolerations | list | `[]` | |
| webhook.affinity | object | `{}` | |
| webhook.certCheckInterval | string | `"5m"` | |
| webhook.certDir | string | `"/tmp/certs"` | |
| webhook.create | bool | `true` | Specifies whether a webhook deployment should be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to the Deployment. |
| webhook.extraArgs | object | `{}` | |
| webhook.extraEnv | list | `[]` | |
| webhook.failurePolicy | string | `"Fail"` | Specifies whether the validating webhooks are created with `failurePolicy: Fail` or `Ignore`. |
| webhook.fullnameOverride | string | `""` | |
| webhook.hostNetwork | bool | `false` | Specifies whether the webhook pod should use hostNetwork. |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | `[]` | |
| webhook.nameOverride | string | `""` | |
| webhook.nodeSelector | object | `{}` | |
| webhook.podAnnotations | object | `{}` | Annotations to add to the Pod. |
| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget; for details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | `{}` | |
| webhook.podSecurityContext | object | `{}` | |
| webhook.port | int | `10250` | The port the webhook listens on. |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.prometheus.enabled | bool | `false` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| webhook.prometheus.service.port | int | `8080` | Deprecated; will be removed in 0.7.0. Use serviceMonitor instead. |
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| webhook.replicaCount | int | `1` | |
| webhook.resources | object | `{}` | |
| webhook.secretAnnotations | object | `{}` | Annotations to add to the Secret. |
| webhook.securityContext | object | `{}` | |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.serviceMonitor.additionalLabels | object | `{}` | Additional labels. |
| webhook.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics. |
| webhook.serviceMonitor.interval | string | `"30s"` | Interval at which to scrape metrics. |
| webhook.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved within the given interval. |
| webhook.tolerations | list | `[]` | |
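The table above ships `podSecurityContext` and `securityContext` as empty objects and grants cluster-wide RBAC by default. The following `values.yaml` is an added example, not part of the generated README or the chart's own defaults: it fills those objects for all three deployments and confines the operator to one namespace with `scopedNamespace` and `scopedRBAC`. It assumes the chart renders the `podSecurityContext` and `securityContext` values verbatim into the pod and container specs; the key names are taken from the table, the namespace name is constructed, and the image tag is a placeholder.

```yaml
# Hardened values for the external-secrets chart (added example; assumes
# podSecurityContext / securityContext are rendered verbatim into the
# pod and container specs).

# Least privilege: reconcile a single namespace with namespaced Roles
# instead of cluster-wide ClusterRoles. Per the values table, scopedRBAC
# implicitly disables ClusterSecretStore and ClusterExternalSecret handling.
scopedNamespace: "payments"   # constructed example namespace
scopedRBAC: true

# Shared hardening for the operator, webhook and cert-controller pods.
# Standard Kubernetes securityContext fields; reused below via YAML anchors.
podSecurityContext: &podSec
  runAsNonRoot: true          # add runAsUser if your image has no numeric USER
  seccompProfile:
    type: RuntimeDefault
securityContext: &ctrSec
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true  # mount an emptyDir for any path that must be writable
  capabilities:
    drop: ["ALL"]

webhook:
  podSecurityContext: *podSec
  securityContext: *ctrSec
  # Keep the default: if the webhook is unreachable, reject admission rather
  # than silently admitting unvalidated ExternalSecret/SecretStore objects.
  failurePolicy: Fail
  # Do not share the node network namespace; the default is already false.
  hostNetwork: false

certController:
  podSecurityContext: *podSec
  securityContext: *ctrSec

# Pin the image explicitly instead of relying on the chart appVersion so
# upgrades are deliberate and auditable.
image:
  tag: "PINNED_TAG_PLACEHOLDER"   # placeholder: set to the tag you have verified
```

Render the chart with `helm template external-secrets external-secrets/external-secrets -f values.yaml` before installing and confirm that only namespaced `Role`/`RoleBinding` objects appear for the scoped deployment.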