Kind: ExternalSecret
Group: external-secrets.io
Version: v1

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
ExternalSecretSpec defines the desired state of ExternalSecret.
data []object
Data defines the connection between the Kubernetes Secret keys and the Provider data
remoteRef object required
RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
key string required
Key is the key used in the Provider, mandatory
metadataPolicy string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum: None, Fetch
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this source.
enum: Ignore, Fail
property string
Used to select a specific property of the Provider value (if a map), if supported
version string
Used to select a specific version of the Provider value, if supported
secretKey string required
The key in the Kubernetes Secret to store the value.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
sourceRef object
SourceRef allows you to override the source from which the value will be pulled.
generatorRef object
GeneratorRef points to a generator custom resource. Deprecated: The generatorRef is not implemented in .data[]. This will be removed with v1.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
dataFrom []object
DataFrom is used to fetch all properties from a specific Provider data. If multiple entries are specified, the Secret keys are merged in the specified order.
extract object
Used to extract multiple key/value pairs from one secret. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
key string required
Key is the key used in the Provider, mandatory
metadataPolicy string
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum: None, Fetch
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this source.
enum: Ignore, Fail
property string
Used to select a specific property of the Provider value (if a map), if supported
version string
Used to select a specific version of the Provider value, if supported
find object
Used to find secrets based on tags or regular expressions. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
conversionStrategy string
Used to define a conversion Strategy
enum: Default, Unicode
decodingStrategy string
Used to define a decoding Strategy
enum: Auto, Base64, Base64URL, None
name object
Finds secrets based on the name.
regexp string
Finds secrets base
nullBytePolicy string
Controls how ESO handles fetched secret data containing NUL bytes for this find source.
enum: Ignore, Fail
path string
A root path to start the find operations.
tags object
Find secrets based on tags.
rewrite []object
Used to rewrite secret Keys after getting them from the secret Provider. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last).
merge object
Used to merge key/values in one single Secret. The resulting key will contain all values from the specified secrets.
conflictPolicy string
Used to define the policy to use in conflict resolution.
enum: Ignore, Error
into string
Used to define the target key of the merge operation. Required if strategy is JSON. Ignored otherwise.
priority []string
Used to define key priority in conflict resolution.
priorityPolicy string
Used to define the policy when a key in the priority list does not exist in the input.
enum: IgnoreNotFound, Strict
strategy string
Used to define the strategy to use in the merge operation.
enum: Extract, JSON
regexp object
Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
source string required
Used to define the regular expression of a re.Compiler.
target string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
template string required
Used to define the template to apply on the secret name. `.value` will specify the secret name in the template.
sourceRef object
SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find to pull values out of a specific SecretStore. When sourceRef points to a generator, Extract or Find is not supported. The generator returns a static map of values.
generatorRef object
GeneratorRef points to a generator custom resource.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
storeRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
refreshInterval string
RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example values: "1h0m0s", "2h30m0s", "10m0s". May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
refreshPolicy string
RefreshPolicy determines how the ExternalSecret should be refreshed:
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. No periodic updates occur if refreshInterval is 0.
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum: CreatedOnce, Periodic, OnChange
secretStoreRef object
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
enum: SecretStore, ClusterSecretStore
name string
Name of the SecretStore resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target object
ExternalSecretTarget defines the Kubernetes Secret to be created. There can be only one target per ExternalSecret.
creationPolicy string
CreationPolicy defines rules on how to create the resulting Secret. Defaults to "Owner"
enum: Owner, Orphan, Merge, None
deletionPolicy string
DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to "Retain"
enum: Delete, Merge, Retain
immutable boolean
Immutable defines if the final secret will be immutable
manifest object
Manifest defines a custom Kubernetes resource to create instead of a Secret. When specified, ExternalSecret will create the resource type defined here (e.g., ConfigMap, Custom Resource) instead of a Secret. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
apiVersion string required
APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
minLength: 1
kind string required
Kind of the target resource (e.g., "ConfigMap", "Application")
minLength: 1
name string
The name of the Secret resource to be managed. Defaults to the .metadata.name of the ExternalSecret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
template object
Template defines a blueprint for the created Secret resource.
data object
engineVersion string
EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum: v2
mergePolicy string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum: Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations object
finalizers []string
labels object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
literal string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target string
Target specifies where to place the template result. For Secret resources, common values are: "Data", "Annotations", "Labels". For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data".
type string
status object
ExternalSecretStatus defines the observed state of ExternalSecret.
binding object
Binding represents a servicebinding.io Provisioned Service reference to the secret
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
conditions []object
lastTransitionTime string
format: date-time
message string
reason string
status string required
type string required
ExternalSecretConditionType defines a value type for ExternalSecret conditions.
enum: Ready, Deleted
refreshTime string
refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
syncedResourceVersion string
SyncedResourceVersion keeps track of the last synced version