Kind
PushSecret
Group
external-secrets.io
Version
v1alpha1
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
PushSecretSpec configures the behavior of the PushSecret.
data []object
Secret Data that should be pushed to providers
conversionStrategy string
Used to define a conversion Strategy for the secret keys
enum: None, ReverseUnicode
match object required
Match a given Secret Key to be pushed to the provider.
remoteRef object required
Remote Refs to push to providers.
property string
Name of the property in the resulting secret
remoteKey string required
Name of the resulting provider secret.
secretKey string
Secret Key to be pushed
metadata object
Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
dataTo []object
DataTo defines bulk push rules that expand source Secret keys into provider entries.
conversionStrategy string
Used to define a conversion Strategy for the secret keys
enum: None, ReverseUnicode
match object
Match pattern for selecting keys from the source Secret. If not specified, all keys are selected.
regexp string
Regexp matches keys by regular expression. If not specified, all keys are matched.
metadata object
Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
remoteKey string
RemoteKey is the name of the single provider secret that will receive ALL matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}). When set, per-key expansion is skipped and a single push is performed. The provider's store prefix (if any) is still prepended to this value. When not set, each matched key is pushed as its own individual provider secret.
rewrite []object
Rewrite operations to transform keys before pushing to the provider. Operations are applied sequentially.
regexp object
Used to rewrite with regular expressions.
source string required
Used to define the regular expression of a re.Compiler.
target string required
Used to define the target pattern of a ReplaceAll operation.
transform object
Used to apply string transformation on the secrets.
template string required
Used to define the template to apply on the secret name. `.value` will specify the secret name in the template.
storeRef object
StoreRef specifies which SecretStore to push to. Required.
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum: SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
name string
Optionally, sync to the SecretStore of the given name
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
deletionPolicy string
Deletion Policy to handle Secrets in the provider.
enum: Delete, None
refreshInterval string
The interval at which External Secrets will try to push a secret definition
secretStoreRefs []object required
kind string
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum: SecretStore, ClusterSecretStore
labelSelector object
Optionally, sync to secret stores with label selector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
name string
Optionally, sync to the SecretStore of the given name
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
selector object required
The Secret Selector (k8s source) for the Push Secret
generatorRef object
Point to a generator to create a Secret.
apiVersion string
Specify the apiVersion of the generator resource
kind string required
Specify the Kind of the generator resource
enum: ACRAccessToken, ClusterGenerator, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana, MFA
name string required
Specify the name of the generator resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
secret object
Select a Secret to Push.
name string
Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
selector object
Selector chooses secrets using a labelSelector.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
template object
Template defines a blueprint for the created Secret resource.
data object
engineVersion string
EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum: v2
mergePolicy string
TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
enum: Replace, Merge
metadata object
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
annotations object
finalizers []string
labels object
templateFrom []object
configMap object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
literal string
secret object
TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
items []object required
A list of keys in the ConfigMap/Secret to use as templates for Secret data
key string required
A key in the ConfigMap/Secret
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
templateAs string
TemplateScope specifies how the template keys should be interpreted.
enum: Values, KeysAndValues
name string required
The name of the ConfigMap/Secret resource
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
target string
Target specifies where to place the template result. For Secret resources, common values are: "Data", "Annotations", "Labels". For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data".
type string
updatePolicy string
UpdatePolicy to handle Secrets in the provider.
enum: Replace, IfNotExists
status object
PushSecretStatus indicates the history of the status of PushSecret.
conditions []object
lastTransitionTime string
format: date-time
message string
reason string
status string required
type string required
PushSecretConditionType indicates the condition of the PushSecret.
refreshTime string
refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
syncedPushSecrets object
Synced PushSecrets, including secrets that already exist in provider. Matches secret stores to PushSecretData that was stored to that secret store.
syncedResourceVersion string
SyncedResourceVersion keeps track of the last synced version.