apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: name: example spec: # Used to select the correct ESO controller (think: ingress.ingressClassName) # The ESO controller is instantiated with a specific controller name # and filters ES based on this property # Optional controller: dev # provider field contains the configuration to access the provider # which contains the secret exactly one provider must be configured. provider: # (1): AWS Secrets Manager # aws configures this store to sync secrets using AWS Secret Manager provider aws: service: SecretsManager # Role is a Role ARN which the SecretManager provider will assume role: iam-role # AWS Region to be used for the provider region: eu-central-1 # Auth defines the information necessary to authenticate against AWS auth: # Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret secretRef: accessKeyIDSecretRef: name: awssm-secret key: access-key secretAccessKeySecretRef: name: awssm-secret key: secret-access-key # IAM roles for service accounts # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html jwt: serviceAccountRef: name: my-serviceaccount namespace: sa-namespace vault: server: "https://vault.acme.org" # Path is the mount path of the Vault KV backend endpoint # Used as a path prefix for the external secret key path: "secret" # Version is the Vault KV secret engine version. # This can be either "v1" or "v2", defaults to "v2" version: "v2" # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces namespace: "a-team" # base64 encoded string of certificate caBundle: "..." # Instead of caBundle you can also specify a caProvider # this will retrieve the cert from a Secret or ConfigMap caProvider: # Can be Secret or ConfigMap type: "Secret" # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore namespace: "my-cert-secret-namespace" name: "my-cert-secret" key: "cert-key" auth: # static token: https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "my-secret" namespace: "secret-admin" key: "vault-token" # AppRole auth: https://www.vaultproject.io/docs/auth/approle appRole: path: "approle" # Instead of referencing the AppRole's ID from the secret, you can also specify it directly # roleId: "db02de05-fa39-4855-059b-67221c5c2f63" roleRef: name: "my-secret" namespace: "secret-admin" key: "vault-role-id" secretRef: name: "my-secret" namespace: "secret-admin" key: "vault-role-secret" # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes kubernetes: mountPath: "kubernetes" role: "demo" # Optional service account reference serviceAccountRef: name: "my-sa" namespace: "secret-admin" # Optional secret field containing a Kubernetes ServiceAccount JWT # used for authenticating with Vault secretRef: name: "my-secret" namespace: "secret-admin" key: "vault" # (2): GCP Secret Manager gcpsm: # Auth defines the information necessary to authenticate against GCP by getting # the credentials from an already created Kubernetes Secret. auth: secretRef: secretAccessKeySecretRef: name: gcpsm-secret key: secret-access-credentials namespace: example projectID: myproject # (3): Kubernetes provider kubernetes: server: url: "https://myapiserver.tld" caProvider: type: Secret name: my-cluster-secrets namespace: example key: ca.crt auth: serviceAccount: name: "example-sa" namespace: "example" # (4): Oracle provider oracle: # The vault OCID vault: ocid1.vault.oc1.eu-frankfurt-1.aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa # The vault region region: eu-frankfurt-1 auth: # The user OCID user: ocid1.user.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa # The tenancy OCID tenancy: ocid1.tenancy.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa secretRef: privatekey: # The secret that contains your privatekey name: oci-secret-name key: privateKey namespace: example-namespace fingerprint: # The secret that contains your fingerprint name: oci-secret-name key: fingerprint namespace: example-namespace # (TODO): add more provider examples here # Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets conditions: # Options are namespaceSelector, namespaces or namespacesRegex - namespaceSelector: matchLabels: my.namespace.io/some-label: "value" # Only namespaces with that label will work - namespaces: - "namespace-a" - "namespace-b" # Namespace regexes are useful for policy management or when external tools auto-generate namespaces with prefixes/suffixes - namespaceRegexes: - "namespace-a-.*" # All namespaces prefixed by namespace-a- will work - "namespace-b-.*" # All namespaces prefixed by namespace-b- will work # conditions needs only one of the conditions to meet for the CSS to be usable in the namespace. status: # Standard condition schema conditions: # SecretStore ready condition indicates the given store is in ready # state and able to referenced by ExternalSecrets # If the `status` of this condition is `False`, ExternalSecret controllers # should prevent attempts to fetch secrets - type: Ready status: "False" reason: "ConfigError" message: "SecretStore validation failed" lastTransitionTime: "2019-08-12T12:33:02Z"