mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-15 17:51:01 +00:00
7416a84b2a
* added new crd-names flag to reconcile only installed CRDs in cert controller Signed-off-by: Steven Bressey <sbressey@bressey.me> * add guide to disable cluster features Signed-off-by: Steven Bressey <sbressey@bressey.me> * fix fmt Signed-off-by: Steven Bressey <sbressey@bressey.me> Co-authored-by: Steven Bressey <sbressey@bressey.me> |
||
|---|---|---|
| .. | ||
| ci | ||
| templates | ||
| .helmignore | ||
| Chart.yaml | ||
| README.md | ||
| README.md.gotmpl | ||
| values.yaml | ||
External Secrets
External secret management for Kubernetes
TL;DR
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets
Installing the Chart
To install the chart with the release name external-secrets:
helm install external-secrets external-secrets/external-secrets
Custom Resources
By default, the chart will install external-secrets CRDs, this can be controlled with installCRDs value.
Uninstalling the Chart
To uninstall the external-secrets deployment:
helm uninstall external-secrets
The command removes all the Kubernetes components associated with the chart and deletes the release.
Values
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | {} |
|
| certController.affinity | object | {} |
|
| certController.create | bool | true |
Specifies whether a certificate controller deployment be created. |
| certController.deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| certController.extraArgs | object | {} |
|
| certController.extraEnv | list | [] |
|
| certController.extraVolumeMounts | list | [] |
|
| certController.extraVolumes | list | [] |
|
| certController.fullnameOverride | string | "" |
|
| certController.image.pullPolicy | string | "IfNotPresent" |
|
| certController.image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| certController.image.tag | string | "" |
|
| certController.imagePullSecrets | list | [] |
|
| certController.metrics.service.annotations | object | {} |
Additional service annotations |
| certController.metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| certController.metrics.service.port | int | 8080 |
Metrics service port to scrape |
| certController.nameOverride | string | "" |
|
| certController.nodeSelector | object | {} |
|
| certController.podAnnotations | object | {} |
Annotations to add to Pod |
| certController.podDisruptionBudget | object | {"enabled":false,"minAvailable":1} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | {} |
|
| certController.podSecurityContext | object | {} |
|
| certController.priorityClassName | string | "" |
Pod priority class name. |
| certController.prometheus.enabled | bool | false |
deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| certController.prometheus.service.port | int | 8080 |
deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| certController.rbac.create | bool | true |
Specifies whether role and rolebinding resources should be created. |
| certController.replicaCount | int | 1 |
|
| certController.requeueInterval | string | "5m" |
|
| certController.resources | object | {} |
|
| certController.securityContext | object | {} |
|
| certController.serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| certController.serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| certController.serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| certController.serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.serviceMonitor.additionalLabels | object | {} |
Additional labels |
| certController.serviceMonitor.enabled | bool | false |
Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| certController.serviceMonitor.interval | string | "30s" |
Interval to scrape metrics |
| certController.serviceMonitor.scrapeTimeout | string | "25s" |
Timeout if metrics can't be retrieved in given time interval |
| certController.tolerations | list | [] |
|
| concurrent | int | 1 |
Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
| controllerClass | string | "" |
If set external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.createClusterExternalSecret | bool | true |
If true, create CRDs for Cluster External Secret. |
| crds.createClusterSecretStore | bool | true |
If true, create CRDs for Cluster Secret Store. |
| crds.createPushSecret | bool | true |
If true, create CRDs for Push Secret. |
| createOperator | bool | true |
Specifies whether an external secret operator deployment be created. |
| deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| dnsConfig | object | {} |
Specifies dnsOptions to deployment |
| extraArgs | object | {} |
|
| extraEnv | list | [] |
|
| extraVolumeMounts | list | [] |
|
| extraVolumes | list | [] |
|
| fullnameOverride | string | "" |
|
| image.pullPolicy | string | "IfNotPresent" |
|
| image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| image.tag | string | "" |
The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
| imagePullSecrets | list | [] |
|
| installCRDs | bool | true |
If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | false |
If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| metrics.service.annotations | object | {} |
Additional service annotations |
| metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| metrics.service.port | int | 8080 |
Metrics service port to scrape |
| nameOverride | string | "" |
|
| nodeSelector | object | {} |
|
| podAnnotations | object | {} |
Annotations to add to Pod |
| podDisruptionBudget | object | {"enabled":false,"minAvailable":1} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | {} |
|
| podSecurityContext | object | {} |
|
| priorityClassName | string | "" |
Pod priority class name. |
| processClusterExternalSecret | bool | true |
if true, the operator will process cluster external secret. Else, it will ignore them. |
| processClusterStore | bool | true |
if true, the operator will process cluster store. Else, it will ignore them. |
| prometheus.enabled | bool | false |
deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
| prometheus.service.port | int | 8080 |
deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
| rbac.create | bool | true |
Specifies whether role and rolebinding resources should be created. |
| replicaCount | int | 1 |
|
| resources | object | {} |
|
| scopedNamespace | string | "" |
If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | false |
Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext | object | {} |
|
| serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | {} |
Additional labels |
| serviceMonitor.enabled | bool | false |
Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| serviceMonitor.interval | string | "30s" |
Interval to scrape metrics |
| serviceMonitor.scrapeTimeout | string | "25s" |
Timeout if metrics can't be retrieved in given time interval |
| tolerations | list | [] |
|
| webhook.affinity | object | {} |
|
| webhook.certCheckInterval | string | "5m" |
Specifices the time to check if the cert is valid |
| webhook.certDir | string | "/tmp/certs" |
|
| webhook.create | bool | true |
Specifies whether a webhook deployment be created. |
| webhook.deploymentAnnotations | object | {} |
Annotations to add to Deployment |
| webhook.extraArgs | object | {} |
|
| webhook.extraEnv | list | [] |
|
| webhook.extraVolumeMounts | list | [] |
|
| webhook.extraVolumes | list | [] |
|
| webhook.failurePolicy | string | "Fail" |
specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | "" |
|
| webhook.hostNetwork | bool | false |
Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.pullPolicy | string | "IfNotPresent" |
|
| webhook.image.repository | string | "ghcr.io/external-secrets/external-secrets" |
|
| webhook.image.tag | string | "" |
The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | [] |
|
| webhook.lookaheadInterval | string | "" |
Specifices the lookaheadInterval for certificate validity |
| webhook.metrics.service.annotations | object | {} |
Additional service annotations |
| webhook.metrics.service.enabled | bool | false |
Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| webhook.metrics.service.port | int | 8080 |
Metrics service port to scrape |
| webhook.nameOverride | string | "" |
|
| webhook.nodeSelector | object | {} |
|
| webhook.podAnnotations | object | {} |
Annotations to add to Pod |
| webhook.podDisruptionBudget | object | {"enabled":false,"minAvailable":1} |
Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | {} |
|
| webhook.podSecurityContext | object | {} |
|
| webhook.port | int | 10250 |
The port the webhook will listen to |
| webhook.priorityClassName | string | "" |
Pod priority class name. |
| webhook.prometheus.enabled | bool | false |
deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| webhook.prometheus.service.port | int | 8080 |
deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| webhook.rbac.create | bool | true |
Specifies whether role and rolebinding resources should be created. |
| webhook.readinessProbe.address | string | "" |
Address for readiness probe |
| webhook.readinessProbe.port | int | 8081 |
ReadinessProbe port for kubelet |
| webhook.replicaCount | int | 1 |
|
| webhook.resources | object | {} |
|
| webhook.secretAnnotations | object | {} |
Annotations to add to Secret |
| webhook.securityContext | object | {} |
|
| webhook.serviceAccount.annotations | object | {} |
Annotations to add to the service account. |
| webhook.serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
| webhook.serviceAccount.extraLabels | object | {} |
Extra Labels to add to the service account. |
| webhook.serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.serviceMonitor.additionalLabels | object | {} |
Additional labels |
| webhook.serviceMonitor.enabled | bool | false |
Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| webhook.serviceMonitor.interval | string | "30s" |
Interval to scrape metrics |
| webhook.serviceMonitor.scrapeTimeout | string | "25s" |
Timeout if metrics can't be retrieved in given time interval |
| webhook.tolerations | list | [] |