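---
# Example ClusterSecretStore for External Secrets Operator (ESO).
# Several providers are listed below for illustration only; a real store
# configures exactly one of them (see the note on `provider`).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: example
spec:
  # Used to select the correct ESO controller (think: ingress.ingressClassName)
  # The ESO controller is instantiated with a specific controller name
  # and filters ES based on this property
  # Optional
  controller: dev

  # provider field contains the configuration to access the provider
  # which contains the secret; exactly one provider must be configured.
  provider:
    # (1): AWS Secrets Manager
    # aws configures this store to sync secrets using AWS Secret Manager provider
    aws:
      service: SecretsManager
      # Role is a Role ARN which the SecretManager provider will assume
      role: iam-role
      # AWS Region to be used for the provider
      region: eu-central-1
      # Auth defines the information necessary to authenticate against AWS
      auth:
        # Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret
        # NOTE(review): the other Secret references in this cluster-scoped store name a
        # namespace; these two do not — confirm which namespace the controller resolves
        # them in before relying on this form.
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
        # IAM roles for service accounts (preferred over static access keys:
        # no long-lived credential has to be stored in the cluster)
        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
        jwt:
          serviceAccountRef:
            name: my-serviceaccount
            namespace: sa-namespace

    # HashiCorp Vault
    vault:
      # Vault API endpoint; keep this https so the token/secret exchange is not sent in clear
      server: "https://vault.acme.org"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "secret"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "a-team"
      # base64 encoded string of the CA certificate used to verify `server`
      # ("..." is a placeholder, not a valid value)
      caBundle: "..."
      # Instead of caBundle you can also specify a caProvider
      # this will retrieve the cert from a Secret or ConfigMap
      caProvider:
        # Can be Secret or ConfigMap
        type: "Secret"
        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
        namespace: "my-cert-secret-namespace"
        name: "my-cert-secret"
        key: "cert-key"
      # Exactly one auth method is expected; three are shown for illustration
      auth:
        # static token: https://www.vaultproject.io/docs/auth/token
        tokenSecretRef:
          name: "my-secret"
          namespace: "secret-admin"
          key: "vault-token"

        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
        appRole:
          path: "approle"
          # example value only
          roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-token"

        # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
        kubernetes:
          mountPath: "kubernetes"
          role: "demo"
          # Optional service account reference
          serviceAccountRef:
            name: "my-sa"
            namespace: "secret-admin"
          # Optional secret field containing a Kubernetes ServiceAccount JWT
          # used for authenticating with Vault
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault"

    # (2): GCP Secret Manager
    gcpsm:
      # Auth defines the information necessary to authenticate against GCP by getting
      # the credentials from an already created Kubernetes Secret.
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret
            key: secret-access-credentials
            namespace: example
      projectID: myproject

    # (3): Kubernetes provider
    kubernetes:
      server:
        url: "https://myapiserver.tld"
        # CA used to verify the target API server
        caProvider:
          type: "Secret"
          name: my-cluster-secrets
          namespace: example
          key: ca.crt
      auth:
        serviceAccount:
          name: "example-sa"
          namespace: "example"

    # (4): Oracle provider
    oracle:
      # The vault OCID
      vault: ocid1.vault.oc1.eu-frankfurt-1.aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
      # The vault region
      region: eu-frankfurt-1
      auth:
        # The user OCID
        user: ocid1.user.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        # The tenancy OCID
        tenancy: ocid1.tenancy.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        secretRef:
          privatekey:
            # The secret that contains your privatekey
            name: oci-secret-name
            key: privateKey
          fingerprint:
            # The secret that contains your fingerprint
            name: oci-secret-name
            key: fingerprint

    # (TODO): add more provider examples here

  # Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets.
  # This is the least-privilege boundary of a cluster-scoped store: it decides which
  # namespaces may pull secrets through the credentials configured above.
  conditions:
    # Options are namespaceSelector, or namespaces
    - namespaceSelector:
        matchLabels:
          my.namespace.io/some-label: "value" # Only namespaces with that label will work

    - namespaces:
        - "namespace-a"
        - "namespace-b"

  # conditions needs only one of the conditions to be met for the CSS to be usable in the namespace.

status:
  # Standard condition schema
  conditions:
    # SecretStore ready condition indicates the given store is in ready
    # state and able to be referenced by ExternalSecrets
    # If the `status` of this condition is `False`, ExternalSecret controllers
    # should prevent attempts to fetch secrets
    - type: Ready
      # quoted on purpose: the API expects the string "False", not a YAML boolean
      status: "False"
      reason: "ConfigError"
      message: "SecretStore validation failed"
      lastTransitionTime: "2019-08-12T12:33:02Z"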