External secrets management for Kubernetes
This package has no upstream release note links on file. Please add some to chart/Chart.yaml under annotations.bigbang.dev/upstreamReleaseNotesMarkdown.

Example:

```yaml
annotations:
  bigbang.dev/upstreamReleaseNotesMarkdown: |
    - [Find our upstream chart's CHANGELOG here](https://link-goes-here/CHANGELOG.md)
    - [and our upstream application release notes here](https://another-link-here/RELEASE_NOTES.md)
```

- Kubernetes Cluster deployed
- Kubernetes config installed in ~/.kube/config
- Helm installed
Kubernetes: >= 1.19.0-0
Install Helm: https://helm.sh/docs/intro/install/
- Clone down the repository
- cd into directory
```bash
helm install external-secrets chart/
```

| Key | Type | Default | Description |
|---|---|---|---|
| domain | string | "bigbang.dev" |  |
| istio.enabled | bool | false |  |
| istio.hardened.enabled | bool | false |  |
| istio.hardened.outboundTrafficPolicyMode | string | "REGISTRY_ONLY" |  |
| istio.hardened.customServiceEntries | list | [] |  |
| istio.hardened.customAuthorizationPolicies | list | [] |  |
| istio.mtls.mode | string | "STRICT" | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
| istio.injection | string | "disabled" |  |
| networkPolicies.enabled | bool | false |  |
| networkPolicies.ingressLabels.app | string | "istio-ingressgateway" |  |
| networkPolicies.ingressLabels.istio | string | "ingressgateway" |  |
| networkPolicies.additionalPolicies | list | [] |  |
| bbtests.enabled | bool | false |  |
| bbtests.namespace | string | "external-secrets" |  |
| bbtests.scripts.image | string | "registry1.dso.mil/ironbank/big-bang/base:2.1.0" |  |
| bbtests.secretstore.name | string | "external-secrets-test-store" |  |
| bbtests.serviceaccount.name | string | "external-secrets-external-secrets-script-sa" |  |
| bbtests.secrets.testsecret.value | string | "this is a magic value" |  |
| waitJob.enabled | bool | true |  |
| waitJob.permissions.apiGroups[0] | string | "external-secrets.io" |  |
| waitJob.permissions.apiGroups[1] | string | "generators.external-secrets.io" |  |
| waitJob.permissions.apiGroups[2] | string | "" |  |
| waitJob.permissions.resources[0] | string | "acraccesstokens" |  |
| waitJob.permissions.resources[1] | string | "clusterexternalsecrets" |  |
| waitJob.permissions.resources[2] | string | "clustersecretstores" |  |
| waitJob.permissions.resources[3] | string | "ecrauthorizationtokens" |  |
| waitJob.permissions.resources[4] | string | "externalsecrets" |  |
| waitJob.permissions.resources[5] | string | "fakes" |  |
| waitJob.permissions.resources[6] | string | "gcraccesstokens" |  |
| waitJob.permissions.resources[7] | string | "githubaccesstokens" |  |
| waitJob.permissions.resources[8] | string | "passwords" |  |
| waitJob.permissions.resources[9] | string | "pushsecrets" |  |
| waitJob.permissions.resources[10] | string | "secretstores" |  |
| waitJob.permissions.resources[11] | string | "vaultdynamicsecrets" |  |
| waitJob.permissions.resources[12] | string | "webhooks" |  |
| waitJob.permissions.resources[13] | string | "secrets" |  |
| waitJob.permissions.verbs[0] | string | "create" |  |
| waitJob.permissions.verbs[1] | string | "delete" |  |
| waitJob.permissions.verbs[2] | string | "get" |  |
| waitJob.permissions.verbs[3] | string | "list" |  |
| waitJob.permissions.verbs[4] | string | "watch" |  |
| env.EXTERNAL_SECRETS_NAMESPACE | string | "external-secrets" |  |
| clusterSecretStoreConfiguration.enabled | bool | false |  |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].name | string | "" |  |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].namespace | string | "" |  |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source | object | {"auth":{"accessKeyID":"","accessKeyName":"","authType":"","secretAccessKey":""},"provider":"aws","region":"us-gov-west-1","service":"SecretsManager"} | Defines the secret store backend and its type of authentication |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.provider | string | "aws" | AWS Secrets Manager only; other services can be added later |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.service | string | "SecretsManager" | Type of service, e.g. SecretsManager (default) |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.region | string | "us-gov-west-1" | AWS region, e.g. us-gov-west-1 (default) |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.auth.authType | string | "" | Required. Authentication type: identity, accesskey or serviceaccount |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.auth.accessKeyName | string | "" | Name of the accessKeyID and secretAccessKey pair |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.auth.accessKeyID | string | "" | AWS Access Key ID file |
| clusterSecretStoreConfiguration.clusterSecretStoreList[0].source.auth.secretAccessKey | string | "" | AWS Secret Access Key file |
| externalSecretsConfiguration.enabled | bool | false |  |
| externalSecretsConfiguration.refreshInterval | string | "1m" |  |
| externalSecretsConfiguration.secretList[0].name | string | "" |  |
| externalSecretsConfiguration.secretList[0].namespace | string | "" |  |
| externalSecretsConfiguration.secretList[0].secrets.targetName | string | "" |  |
| externalSecretsConfiguration.secretList[0].secrets.targetPolicy | string | "Owner" |  |
| upstream | object | Upstream chart values | Values to pass to the upstream external-secrets chart |
| upstream.serviceAccount.create | bool | true | Specifies whether a service account should be created. |
| upstream.serviceAccount.automount | bool | true | Automounts the service account token in all containers of the pod. |
| upstream.serviceAccount.annotations | object | {} | Annotations to add to the service account. |
| upstream.serviceAccount.extraLabels | object | {} | Extra labels to add to the service account. |
| upstream.serviceAccount.name | string | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| upstream.rbac.create | bool | true | Specifies whether role and rolebinding resources should be created. |
| upstream.rbac.servicebindings.create | bool | true | Specifies whether a clusterrole giving servicebindings read access should be created. |
| upstream.rbac.aggregateToView | bool | true | Specifies whether permissions are aggregated to the view ClusterRole. |
| upstream.rbac.aggregateToEdit | bool | true | Specifies whether permissions are aggregated to the edit ClusterRole. |
| upstream.concurrent | int | 1 | Number of concurrent ExternalSecret reconciles the operator executes at a time. |
| upstream.log | object | {"level":"info","timeEncoding":"epoch"} | Log parameters for the External Secrets Operator. |
| upstream.service.ipFamilyPolicy | string | "" | Sets the IP family policy to configure dual-stack (see the Kubernetes "Configure dual-stack" documentation). |
| upstream.service.ipFamilies | list | [] | Sets the IP families that should be supported and the order in which they are applied to the ClusterIP. Can be IPv4 and/or IPv6. |
| upstream.image.tag | string | "v0.20.4" | The image tag to use. The default is the chart appVersion. |
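The clusterSecretStoreConfiguration and externalSecretsConfiguration keys above are easiest to read as one values override. The following is an added example, not the chart's own defaults or documentation: it uses only keys that appear in the values table, and the store name, target namespace and secret names are assumed placeholders. It also assumes that authType identity means the operator uses the AWS IAM identity already attached to it (instance profile or IRSA), which the key name suggests but this README does not state.

```yaml
# Added example values override for this package (not part of the chart).
# Assumed placeholders: aws-secretsmanager, my-app, app-db-credentials.
clusterSecretStoreConfiguration:
  enabled: true
  clusterSecretStoreList:
    - name: aws-secretsmanager        # assumed name of the ClusterSecretStore
      namespace: external-secrets
      source:
        provider: aws
        service: SecretsManager
        region: us-gov-west-1
        auth:
          # "identity" assumed to use the operator's IAM identity, so no
          # static access key pair is written into the cluster.
          authType: identity
          accessKeyName: ""
          accessKeyID: ""
          secretAccessKey: ""

externalSecretsConfiguration:
  enabled: true
  refreshInterval: 1m
  secretList:
    - name: app-db-credentials        # assumed ExternalSecret name
      namespace: my-app               # assumed namespace that receives the Secret
      secrets:
        targetName: app-db-credentials
        targetPolicy: Owner

# Hardening toggles from the table. With REGISTRY_ONLY, outbound calls to the
# regional Secrets Manager endpoint must be covered by a ServiceEntry
# (istio.hardened.customServiceEntries); the shape of those entries is not
# documented here, so the list is left empty in this example.
istio:
  enabled: true
  injection: enabled
  mtls:
    mode: STRICT
  hardened:
    enabled: true
    outboundTrafficPolicyMode: REGISTRY_ONLY
    customServiceEntries: []
networkPolicies:
  enabled: true
```

Two things to check before using the accesskey or serviceaccount paths instead. authType accesskey means a long-lived AWS access key pair is stored in the cluster, so anything that can read Secrets in that namespace can then read from Secrets Manager directly; prefer identity or serviceaccount wherever the cluster can supply a workload identity. targetPolicy Owner, assuming it maps to the operator's creationPolicy, lets the operator create and overwrite the target Secret on every refreshInterval, so that Secret should not also be managed by another controller. Note also that the waitJob role grants create and delete on secrets in addition to the external-secrets.io resources, so keep waitJob.enabled scoped to installs that need it.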
Please see the contributing guide if you are interested in contributing.
This file is programmatically generated using helm-docs and some BigBang-specific templates. The gluon repository has instructions for regenerating package READMEs.