← Back to index Esc
Kind
ClusterExternalSecret
Group
external-secrets.io
Version
v1
apiVersion: external-secrets.io/v1 kind: ClusterExternalSecret metadata: name: example
Tip: use .spec.externalSecretMetadata for path-only search
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
externalSecretMetadata object
The metadata of the external secrets to be created
annotations object
labels object
externalSecretName string
The name of the external secrets to be created. Defaults to the name of the ClusterExternalSecret
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
externalSecretSpec object required
The spec for the ExternalSecrets to be created
data []object
Data defines the connection between the Kubernetes Secret keys and the Provider data
remoteRef object required
RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
key string required
Key is the key used in the Provider, mandatory
metadataPolicy string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum: None, Fetch
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this source.
enum: Ignore, Fail
property string
Used to select a specific property of the Provider value (if a map), if supported
version string
Used to select a specific version of the Provider value, if supported
secretKey string required
The key in the Kubernetes Secret to store the value.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
sourceRef object
SourceRef allows you to override the source from which the value will be pulled.
generatorRef object
GeneratorRef points to a generator custom resource. Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken,... ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
dataFrom []object
DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
extract object
Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
key string required
Key is the key used in the Provider, mandatory
metadataPolicy string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum: None, Fetch
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this source.
enum: Ignore, Fail
property string
Used to select a specific property of the Provider value (if a map), if supported
version string
Used to select a specific version of the Provider value, if supported
find object
Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
name object
Finds secrets based on the name.
regexp string
Finds secrets base
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this find source.
enum: Ignore, Fail
path string
A root path to start the find operations.
tags object
Find secrets based on tags.
rewrite []object
Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
merge object
Used to merge key/values in one single Secret The resulting key will contain all values from the specified secrets
conflictPolicy string
Used to define the policy to use in conflict resolution.
enum: Ignore, Error
into string
Used to define the target key of the merge operation. Required if strategy is JSON. Ignored otherwise.
priority []string
Used to define key priority in conflict resolution.
priorityPolicy string
Used to define the policy when a key in the priority list does not exist in the input.
enum: IgnoreNotFound, Strict
strategy string
Used to define the strategy to use in the merge operation.
enum: Extract, JSON
regexp object
Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
source string required
Used to define the regular expression of a re.Compiler.
target string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
template string required
Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
sourceRef object
SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values
generatorRef object
GeneratorRef points to a generator custom resource.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken,... ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
refreshInterval string
RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" Example values: "1h0m0s", "2h30m0s", "10m0s" May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
refreshPolicy string
RefreshPolicy determines how the ExternalSecret should be refreshed: - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. No periodic updates occur if refreshInterval is 0. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum: CreatedOnce, Periodic, OnChange
secretStoreRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target object
ExternalSecretTarget defines the Kubernetes Secret to be created, there can be only one target per ExternalSecret.
creationPolicy string
CreationPolicy defines rules on how to create the resulting Secret. Defaults to "Owner"
enum: Owner, Orphan, Merge, None
deletionPolicy string
DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to "Retain"
enum: Delete, Merge, Retain
immutable boolean
Immutable defines if the final secret will be immutable
manifest object
Manifest defines a custom Kubernetes resource to create instead of a Secret. When specified, ExternalSecret will create the resource type defined here (e.g., ConfigMap, Custom Resource) instead of a Secret. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
apiVersion string required
APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
minLength: 1
kind string required
Kind of the target resource (e.g., "ConfigMap", "Application")
minLength: 1
name string
The name of the Secret resource to be managed. Defaults to the .metadata.name of the ExternalSecret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
template object
Template defines a blueprint for the created Secret resource.
data object
engineVersion string
EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum: v2
mergePolicy string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum: Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations object
finalizers []string
labels object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
literal string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target string
Target specifies where to place the template result. For Secret resources, common values are: "Data", "Annotations", "Labels". For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data".
type string
namespaceSelector object
The labels to select by to find the Namespaces to create the ExternalSecrets in. Deprecated: Use NamespaceSelectors instead.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelectors []object
A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. Deprecated: Use NamespaceSelectors instead.
refreshTime string
The time in which the controller should reconcile its objects and recheck namespaces for labels.
status object
ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
conditions []object
message string
status string required
type string required
ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
externalSecretName string
ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
failedNamespaces []object
Failed namespaces are the namespaces that failed to apply an ExternalSecret
namespace string required
Namespace is the namespace that failed when trying to apply an ExternalSecret
reason string
Reason is why the ExternalSecret failed to apply to the namespace
provisionedNamespaces []string
ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets

No matches. Try .spec.externalSecretMetadata for an exact path

Copied!