Kind
ClusterPushSecret
Group
external-secrets.io
Version
v1alpha1
apiVersion: external-secrets.io/v1alpha1
kind: ClusterPushSecret
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
namespaceSelectors []object
A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
pushSecretMetadata object
The metadata of the external secrets to be created
annotations object
labels object
pushSecretName string
The name of the push secrets to be created. Defaults to the name of the ClusterPushSecret
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
pushSecretSpec object required
PushSecretSpec defines what to do with the secrets.
data []object
Secret Data that should be pushed to providers
conversionStrategy string
Used to define a conversion Strategy for the secret keys
enum: None, ReverseUnicode
match object required
Match a given Secret Key to be pushed to the provider.
remoteRef object required
Remote Refs to push to providers.
property string
Name of the property in the resulting secret
remoteKey string required
Name of the resulting provider secret.
secretKey string
Secret Key to be pushed
metadata object
Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
dataTo []object
DataTo defines bulk push rules that expand source Secret keys into provider entries.
conversionStrategy string
Used to define a conversion Strategy for the secret keys
enum: None, ReverseUnicode
match object
Match pattern for selecting keys from the source Secret. If not specified, all keys are selected.
regexp string
Regexp matches keys by regular expression. If not specified, all keys are matched.
metadata object
Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
remoteKey string
RemoteKey is the name of the single provider secret that will receive ALL matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}). When set, per-key expansion is skipped and a single push is performed. The provider's store prefix (if any) is still prepended to this value. When not set, each matched key is pushed as its own individual provider secret.
rewrite []object
Rewrite operations to transform keys before pushing to the provider. Operations are applied sequentially.
regexp object
Used to rewrite with regular expressions.
source string required
Used to define the regular expression of a re.Compiler.
target string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
template string required
Used to define the template to apply on the secret name. `.value` will specify the secret name in the template.
storeRef object
StoreRef specifies which SecretStore to push to. Required.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum: SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
name string
Optionally, sync to the SecretStore of the given name
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
deletionPolicy string
Deletion Policy to handle Secrets in the provider.
enum: Delete, None
refreshInterval string
The interval at which External Secrets will try to push a secret definition
secretStoreRefs []object required
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum: SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
name string
Optionally, sync to the SecretStore of the given name
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
selector object required
The Secret Selector (k8s source) for the Push Secret
generatorRef object
Point to a generator to create a Secret.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
secret object
Select a Secret to Push.
name string
Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
selector object
Selector chooses secrets using a labelSelector.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
template object
Template defines a blueprint for the created Secret resource.
data object
engineVersion string
EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum: v2
mergePolicy string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum: Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations object
finalizers []string
labels object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
literal string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target string
Target specifies where to place the template result. For Secret resources, common values are: "Data", "Annotations", "Labels". For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data".
type string
updatePolicy string
UpdatePolicy to handle Secrets in the provider.
enum: Replace, IfNotExists
refreshTime string
The time in which the controller should reconcile its objects and recheck namespaces for labels.
status object
ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
conditions []object
lastTransitionTime string
format: date-time
message string
reason string
status string required
type string required
PushSecretConditionType indicates the condition of the PushSecret.
failedNamespaces []object
Failed namespaces are the namespaces that failed to apply a PushSecret
namespace string required
Namespace is the namespace that failed when trying to apply a PushSecret
reason string
Reason is why the PushSecret failed to apply to the namespace
provisionedNamespaces []string
ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
pushSecretName string
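Added example, not part of the original page or the External Secrets code base: a small Go model of the dataTo rules described above under pushSecretSpec (match.regexp, sequential rewrite[].regexp, and remoteKey bundling) that previews which provider secrets a rule would write before it is applied. The Rule type, the Expand function and the sample keys are constructed for illustration; the model assumes Go regexp semantics with unanchored matching and treats two source keys rewriting to the same provider name as an error.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule models one dataTo entry using fields named in the schema (hypothetical type).
type Rule struct {
	MatchRegexp string      // match.regexp; empty selects every key
	Rewrites    [][2]string // rewrite[].regexp {source, target}, applied in order
	RemoteKey   string      // remoteKey; when set, matched keys share one entry
}

// Expand maps each provider secret name to the source keys written to it.
func Expand(r Rule, keys []string) (map[string][]string, error) {
	match, err := regexp.Compile(r.MatchRegexp)
	if err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, k := range keys {
		if !match.MatchString(k) { // an empty pattern matches every key
			continue
		}
		if r.RemoteKey != "" { // bundle mode: per-key expansion is skipped
			out[r.RemoteKey] = append(out[r.RemoteKey], k)
			continue
		}
		name := k
		for _, rw := range r.Rewrites {
			re, err := regexp.Compile(rw[0])
			if err != nil {
				return nil, err
			}
			name = re.ReplaceAllString(name, rw[1])
		}
		if prev, dup := out[name]; dup { // two keys would overwrite each other
			return nil, fmt.Errorf("keys %q and %q both map to %q", prev[0], k, name)
		}
		out[name] = []string{k}
	}
	return out, nil
}

func main() {
	keys := []string{"db-host", "db-user", "api-token"} // constructed sample keys
	fmt.Println(Expand(Rule{MatchRegexp: "^db-", Rewrites: [][2]string{{"^db-", "myapp/db/"}}}, keys))
}
```

Running a rule with an empty MatchRegexp through the model shows every key in the source Secret being selected, which is the case to review before applying a ClusterPushSecret across many namespaces.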