mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity
external-secrets/docs/snippets/full-cluster-secret-store.yaml
Yannay Hammer 14f5ddf198
Added namespace condition to ClusterSecretStore (#1635) 
* Added namespace condition to ClusterSecretStore

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added the new conditions field to the docs

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added tests to ClusterSecretStore namespace conditions

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added some comments to explain tests better

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed a testcase

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Increased golangci timeout to 10m

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed test to use fakeProvider correctly

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Removed hardcoded timeout from make lint

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Improved error message on non matching namespace

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Modified testCase to use GenericStore interface

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Attempt at generalizing the testcase and reducing code duplication

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Reduced some diff

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* fix: tidy e2e mod

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Yannay Hammer <yannayha@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Docs <docs@external-secrets.io>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-10-17 16:40:18 +02:00

141 lines
4.9 KiB
YAML
Raw Blame History

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: example
spec:
# Used to select the correct ESO controller (think: ingress.ingressClassName)
# The ESO controller is instantiated with a specific controller name
# and filters ES based on this property
# Optional
controller: dev
# provider field contains the configuration to access the provider
# which contains the secret exactly one provider must be configured.
provider:
# (1): AWS Secrets Manager
# aws configures this store to sync secrets using AWS Secret Manager provider
aws:
service: SecretsManager
# Role is a Role ARN which the SecretManager provider will assume
role: iam-role
# AWS Region to be used for the provider
region: eu-central-1
# Auth defines the information necessary to authenticate against AWS
auth:
# Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret
secretRef:
accessKeyIDSecretRef:
name: awssm-secret
key: access-key
secretAccessKeySecretRef:
name: awssm-secret
key: secret-access-key
# IAM roles for service accounts
# https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
jwt:
serviceAccountRef:
name: my-serviceaccount
namespace: sa-namespace
vault:
server: "https://vault.acme.org"
# Path is the mount path of the Vault KV backend endpoint
path: "secret"
# Version is the Vault KV secret engine version.
# This can be either "v1" or "v2", defaults to "v2"
version: "v2"
# vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
namespace: "a-team"
# base64 encoded string of certificate
caBundle: "..."
# Instead of caBundle you can also specify a caProvider
# this will retrieve the cert from a Secret or ConfigMap
caProvider:
# Can be Secret or ConfigMap
type: "Secret"
# This is mandatory for ClusterSecretStore and not relevant for SecretStore
namespace: "my-cert-secret-namespace"
name: "my-cert-secret"
key: "cert-key"
auth:
# static token: https://www.vaultproject.io/docs/auth/token
tokenSecretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault-token"
# AppRole auth: https://www.vaultproject.io/docs/auth/approle
appRole:
path: "approle"
roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault-token"
# Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
kubernetes:
mountPath: "kubernetes"
role: "demo"
# Optional service account reference
serviceAccountRef:
name: "my-sa"
namespace: "secret-admin"
# Optional secret field containing a Kubernetes ServiceAccount JWT
# used for authenticating with Vault
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault"
# (2): GCP Secret Manager
gcpsm:
# Auth defines the information necessary to authenticate against GCP by getting
# the credentials from an already created Kubernetes Secret.
auth:
secretRef:
secretAccessKeySecretRef:
name: gcpsm-secret
key: secret-access-credentials
namespace: example
projectID: myproject
# (3): Kubernetes provider
kubernetes:
server:
url: "https://myapiserver.tld"
caProvider:
type: Secret
name: my-cluster-secrets
namespace: example
key: ca.crt
auth:
serviceAccount:
name: "example-sa"
namespace: "example"
# (TODO): add more provider examples here
# Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets
conditions:
# Options are namespaceSelector, or namespaces
- namespaceSelector:
matchLabels:
my.namespace.io/some-label: "value" # Only namespaces with that label will work
- namespaces:
- "namespace-a"
- "namespace-b"
# conditions needs only one of the conditions to meet for the CSS to be usable in the namespace.
status:
# Standard condition schema
conditions:
# SecretStore ready condition indicates the given store is in ready
# state and able to referenced by ExternalSecrets
# If the `status` of this condition is `False`, ExternalSecret controllers
# should prevent attempts to fetch secrets
- type: Ready
status: "False"
reason: "ConfigError"
message: "SecretStore validation failed"
lastTransitionTime: "2019-08-12T12:33:02Z"
View git blame Copy permalink