External Secret
Definition
# Helm values for the sample: one ConfigMap carrying an ESO template and one
# ExternalSecret ("external-full") that pulls two provider keys and renders them.
configMaps:
  external-secret-template:
    # Empty list: no configMapRef for this ConfigMap is injected into any
    # container (the rendered Deployment carries none for it).
    containers: []
    data:
      # Intended for the External Secrets Operator template engine; .LOGIN and
      # .PASSWORD are the target-secret keys declared under "keys" below.
      config.yml: |
        login: "{{ .LOGIN }}"
        password: "{{ .PASSWORD }}"

externalSecrets:
  external-full:
    labels:
      # NOTE(review): a space is not allowed in a Kubernetes label value, so
      # this renders but would be rejected on apply; fine for a rendering
      # fixture only.
      extra-label: 'label value'
    annotations:
      extra-annotation: 'annotation value'
    # Provider key -> key name in the target Secret (see spec.data in the
    # rendered manifest).
    keys:
      SITE_LOGIN: LOGIN
      SITE_PASSWORD: PASSWORD
    spec:
      target:
        template:
          metadata:
            labels:
              extra-secret-label: 'label value'
            annotations:
              extra-secret-annotation: 'annotation value'
          data:
            # Backticks keep the inner braces away from Helm; the rendered
            # manifest shows the value passed through unchanged — confirm ESO
            # expands it to the credentials rather than the literal placeholders.
            AUTH: '{{ `{{ .LOGIN }}:{{ .PASSWORD }}` }}'
          templateFrom:
            - configMap:
                # Chart id; expanded to the full ConfigMap name on rendering.
                name: external-secret-template
                items:
                  # NOTE(review): ESO's templateFrom items use the field "key";
                  # confirm "keys" is accepted by the CRD version in use.
                  - keys: config.yml
---
# Rendered ExternalSecret for the "external-full" definition.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cicd-sample-docs-external-full
  namespace: cicd-test
  annotations:
    extra-annotation: annotation value
    extra-secret-annotation: annotation value
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: '1.0.0'
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    # NOTE(review): values with spaces ("Some Product", "label value") are not
    # valid Kubernetes label values; the API server would reject this object.
    exordis/product: Some Product
    exordis/subsystem: cicd
    extra-label: label value
    extra-secret-label: label value
    helm.sh/chart: cicd-subsystem-application-0.1.0
spec:
  # One entry per "keys" item: provider key -> key in the target Secret.
  data:
    - secretKey: LOGIN
      remoteRef:
        key: SITE_LOGIN
    - secretKey: PASSWORD
      remoteRef:
        key: SITE_PASSWORD
  refreshInterval: 1m  # provider is re-read every minute
  secretStoreRef:
    kind: ClusterSecretStore
    name: cicd-test  # [subsystem name]-[environment], generated by convention
  target:
    name: cicd-sample-docs-external-full
    creationPolicy: Owner
    # Retain: the generated Secret (and the credentials in it) stays in the
    # namespace after this ExternalSecret is deleted; remove it separately.
    deletionPolicy: Retain
    template:
      # ESO-side templates. Every key here ends up in the target Secret, which
      # the Deployment and CronJob inject wholesale via envFrom.
      data:
        # Passed through from values with the Helm-escaping backticks intact;
        # confirm ESO expands this to the credentials, not the literal text.
        AUTH: '{{ `{{ .LOGIN }}:{{ .PASSWORD }}` }}'
        LOGIN: '{{ .LOGIN }}'
        PASSWORD: '{{ .PASSWORD }}'
      metadata:
        annotations:
          extra-annotation: annotation value
          extra-secret-annotation: annotation value
        labels:
          app.kubernetes.io/component: cicd-sample
          app.kubernetes.io/instance: docs
          app.kubernetes.io/managed-by: helm
          app.kubernetes.io/name: cicd-sample
          app.kubernetes.io/part-of: cicd
          app.kubernetes.io/version: '1.0.0'
          exordis/application: cicd-sample
          exordis/application-instance: docs
          exordis/application-type: service
          exordis/environment: test
          exordis/product: Some Product
          exordis/subsystem: cicd
          extra-label: label value
          extra-secret-label: label value
          helm.sh/chart: cicd-subsystem-application-0.1.0
      templateFrom:
        - configMap:
            # Chart id "external-secret-template" expanded to the full name.
            name: cicd-sample-docs-external-secret-template
            items:
              # NOTE(review): ESO's templateFrom items use the field "key";
              # confirm "keys" is accepted by the CRD version in use.
              - keys: config.yml
---
# Rendered Deployment. All three containers receive the ExternalSecret's target
# Secret through envFrom, so LOGIN/PASSWORD/AUTH are environment variables in
# each of them (including the third-party jsreport image).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cicd-sample-docs
  namespace: cicd-test
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: '1.0.0'
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/application-workload: 'true'
    exordis/environment: test
    # NOTE(review): a space is not a valid Kubernetes label value character;
    # this renders but would be rejected on apply.
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
spec:
  replicas: 3
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      exordis/application: cicd-sample
      exordis/application-instance: docs
      exordis/application-workload: 'true'
      exordis/environment: test
      exordis/subsystem: cicd
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Content hashes of the referenced ConfigMaps/Secrets, presumably so a
        # content change rolls the pods. Only the template ConfigMap of the
        # external secret is covered, not the values ESO writes into it.
        checksum/configMap.config-map-with-containers: 48b7e320feb03b105aa89ed415344c030af90d34a34c66f56146d9f0fd2da3e3
        checksum/configMap.config-map-without-containers: 1dbfa263d171e565d412b904c69bdf60fc6bc8db2fcb31e13049242a8bbdecac
        checksum/configMap.envs: 7804c1a2bc6fb98bc7b87c036f6bdb678f897e534204c2e4efd7d881bf5b2924
        checksum/configMap.external-secret-template: f921d5d8c41b9909941321f0d31975eb7ca6d83cba279a6fa91b5f035c9c3f56
        checksum/secret.secret-with-containers: 8e0836f50407f40dc36bf200910416c00f82b8bf5284ab96e908b1d709eb65e3
        checksum/secret.secret-without-containers: 2e931d517cebd760f5460ea95663a82d8df2673e2c075918c21b33c96bfd6686
        custom-annotation: custom annotation
      labels:
        app.kubernetes.io/component: cicd-sample
        app.kubernetes.io/instance: docs
        app.kubernetes.io/managed-by: helm
        app.kubernetes.io/name: cicd-sample
        app.kubernetes.io/part-of: cicd
        app.kubernetes.io/version: '1.0.0'
        custom-label: custom label
        exordis/application: cicd-sample
        exordis/application-instance: docs
        exordis/application-type: service
        exordis/application-workload: 'true'
        exordis/environment: test
        exordis/product: Some Product
        exordis/subsystem: cicd
        helm.sh/chart: cicd-subsystem-application-0.1.0
    spec:
      # NOTE(review): no pod- or container-level securityContext and no
      # automountServiceAccountToken setting appear in this rendering —
      # confirm whether the chart applies such defaults elsewhere.
      serviceAccountName: cicd-sample-docs-workload  # dedicated SA (the CronJob uses "default")
      terminationGracePeriodSeconds: 60
      initContainers:
        - name: migration
          image: registry.gitlab.com/my-migration-image:1.0.0
          imagePullPolicy: Always  # the only container re-pulled on every start
          envFrom:
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          volumeMounts: []
      containers:
        - name: application
          image: registry.gitlab.com/cicd-unittests:1.0.0
          imagePullPolicy: IfNotPresent
          # Whole-object injection: every key of each referenced Secret and
          # ConfigMap becomes an environment variable of this container.
          envFrom:
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - secretRef:
                name: cicd-sample-docs-secret-with-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
            - configMapRef:
                name: cicd-sample-docs-config-map-with-containers
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          # All three probes are plain TCP connects to port 80.
          startupProbe:
            tcpSocket:
              port: 80
            failureThreshold: 30
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          livenessProbe:
            tcpSocket:
              port: 80
            failureThreshold: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            tcpSocket:
              port: 80
            failureThreshold: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          volumeMounts:
            - name: volume1
              mountPath: /some-data
            - name: mypvc
              mountPath: /pvc-data
        - name: jsreport
          # Third-party image; it receives the same credential Secret as the
          # application container (external-full, secret-without-containers).
          image: docker.io/jsreport/jsreport:4.7.0
          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          volumeMounts:
            - name: volume1
              mountPath: /some-another-data-but-same-as-for-application
      volumes:
        - name: mypvc
          persistentVolumeClaim:
            claimName: cicd-sample-docs-mypvc
        - name: volume1
          emptyDir:
            sizeLimit: 100Mi
---
# Rendered CronJob "cleanup": runs "tag delete --registry" daily at 06:00.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cicd-sample-docs-cleanup
  namespace: cicd-test
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: '1.0.0'
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    # NOTE(review): a space is not a valid Kubernetes label value character;
    # this renders but would be rejected on apply.
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
spec:
  schedule: '0 6 * * *'  # quoted so the asterisks are never read as YAML syntax
  concurrencyPolicy: Forbid  # a still-running cleanup blocks the next run
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      # Finished Job pods stay inspectable for one day.
      ttlSecondsAfterFinished: 86400
      template:
        metadata:
          annotations:
            custom-annotation: custom annotation
          labels:
            app.kubernetes.io/component: cicd-sample
            app.kubernetes.io/instance: docs
            app.kubernetes.io/managed-by: helm
            app.kubernetes.io/name: cicd-sample
            app.kubernetes.io/part-of: cicd
            app.kubernetes.io/version: '1.0.0'
            custom-label: custom label
            exordis/application: cicd-sample
            exordis/application-instance: docs
            exordis/application-type: service
            exordis/environment: test
            exordis/product: Some Product
            exordis/subsystem: cicd
            helm.sh/chart: cicd-subsystem-application-0.1.0
        spec:
          restartPolicy: Never
          # NOTE(review): the Deployment runs under a dedicated workload SA,
          # but this Job uses the namespace "default" account — confirm that
          # is intended.
          serviceAccountName: default
          initContainers:
            - name: cleanup-init
              image: registry.gitlab.com/cicd-sample/cleanup-init:1.0.0
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: cicd-sample-docs-external-full
                - secretRef:
                    name: cicd-sample-docs-secret-without-containers
                - configMapRef:
                    name: cicd-sample-docs-envs
                - configMapRef:
                    name: cicd-sample-docs-config-map-without-containers
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  cpu: 200m
                  memory: 256Mi
              volumeMounts: []
          containers:
            - name: main
              image: registry.gitlab.com/cicd-unittests:1.0.0
              imagePullPolicy: IfNotPresent
              # "--registry" is the last argument with no value; presumably the
              # CLI takes it from the injected environment — confirm.
              args:
                - tag
                - delete
                - '--registry'
              # The credential Secret is injected here as well as into the
              # init container.
              envFrom:
                - secretRef:
                    name: cicd-sample-docs-external-full
                - secretRef:
                    name: cicd-sample-docs-secret-without-containers
                - secretRef:
                    name: cicd-sample-docs-secret-with-containers
                - configMapRef:
                    name: cicd-sample-docs-envs
                - configMapRef:
                    name: cicd-sample-docs-config-map-without-containers
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  cpu: 200m
                  memory: 256Mi
              volumeMounts:
                - name: volume2
                  mountPath: /some-data
          volumes:
            - name: volume2
              emptyDir:
                sizeLimit: 300Mi
enabled
-
If set to false, the external secret is excluded from rendering.
default: true
namespace
-
namespace of the external secret
default: subsystem namespace generated by convention
labels
-
map of labels to add to the external secret and the target secret, in addition to the common labels
default: empty dict
annotations
-
map of annotations to add to the external secret and the target secret, in addition to the common annotations
default: empty dict
containers
-
list of container ids to which a secretRef for the target secret is added. If containers is not provided, secretRef is added to all containers in the secret's namespace. Containers of batch workloads are referenced as [workload collection].[workload id].[container id], e.g. cronjobs.cleanup.main
default: nil (add secretRef to all containers)
keys
-
map of referenceKey -> sourceKey. A simple shortcut for the case where a list of external secret keys is to be passed to the target secret under the given key names. If sourceKey is nil, it defaults to the referenceKey value.
default: empty dict
spec
-
ExternalSecret manifest
spec
field value (see the External Secrets Operator documentation for more details).
default:
# Default spec applied when the definition gives none; the store name is a
# placeholder filled in by convention.
secretStoreRef:
  name: '[subsystem name]-[environment]'
  kind: ClusterSecretStore
refreshInterval: 1m
target:
  creationPolicy: Owner
  deletionPolicy: Retain  # the generated Secret outlives the ExternalSecret
data: []
Minimum Viable External Secret Definition
- Default metadata
- A single key DB_LOGIN from the external provider is passed through to the target secret, keeping its name
# Minimal definition: one provider key, no metadata overrides.
externalSecrets:
  simple:
    keys:
      # Explicit null: the target key name defaults to DB_LOGIN.
      DB_LOGIN: null
Validations
- External secret id is unique with respect to secret ids
- Each item in containers references an existing container
- Each item in containers references a container from the same namespace as the external secret
Overrides
name
-
name is generated from id by convention
spec
-
target.template.metadata.annotations - common annotations are added with override; external secret .annotations are added if the same annotation is not explicitly redefined.
target.template.metadata.labels - common labels are added with override; external secret .labels are added if the same label is not explicitly redefined.
target.name - is set to the secret name generated from the external secret id by convention.
secretStoreRef - generated to point to the subsystem ClusterSecretStore (its name is generated by convention).
target.template.templateFrom[].configMap.name - is expanded to the full ConfigMap name if it references the id of a ConfigMap defined in values.
Manifest Generation
- common labels are added to metadata
- an ExternalSecret manifest is generated for each defined external secret
- a secretRef for the target secret is added to the containers whose ids are listed in .containers (to all containers if this field is not set)