
Secret

Definition

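secrets:
  secret-full-metadata:
    # rendered into "my-namespace"; no secretRef is added to any workload
    # because the workloads live in a different namespace
    namespace: "my-namespace"
    labels:
      extra-label: "label value"
    annotations:
      extra-annotation: "annotation value"
    # NOTE(review): stringData is plaintext here and in the rendered manifest;
    # keep real credentials out of committed values files (the chart's
    # external secrets are the place for those)
    stringData:
      password: "passw0rd"
  secret-with-containers:
    # only the listed containers get a secretRef; batch workloads are
    # addressed as <collection>.<workload id>.<container id>
    containers:
      - application
      - cronjobs.cleanup.main
    stringData:
      password: "passw0rd"
  secret-without-containers:
    # no `containers` list: every container in the secret's namespace gets a
    # secretRef, init containers and cron job containers included
    stringData:
      token: "t0ken"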
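---
# Secret "secret-full-metadata": rendered into "my-namespace" (not the
# workload namespace cicd-test), so no workload on this page references it
apiVersion: v1
data: {}
kind: Secret
metadata:
  annotations:
    extra-annotation: annotation value
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: 1.0.0
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    exordis/product: Some Product
    exordis/subsystem: cicd
    extra-label: label value
    helm.sh/chart: cicd-subsystem-application-0.1.0
  name: cicd-sample-docs-secret-full-metadata
  namespace: my-namespace
# NOTE(review): stringData is plaintext in the rendered manifest, and Helm
# keeps rendered manifests with the release record; keep real credentials
# out of committed values
stringData:
  password: passw0rd
type: Opaque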
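---
# Secret "secret-with-containers": referenced only by the containers it
# lists (Deployment container "application" and CronJob container "main")
apiVersion: v1
data: {}
kind: Secret
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: 1.0.0
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
  name: cicd-sample-docs-secret-with-containers
  namespace: cicd-test
# NOTE(review): plaintext in the rendered manifest; do not commit real values
stringData:
  password: passw0rd
type: Opaque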
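---
# Secret "secret-without-containers": no `containers` list in values, so a
# secretRef is added to every container in cicd-test — the Deployment's
# application, jsreport and migration containers and both CronJob containers
apiVersion: v1
data: {}
kind: Secret
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: 1.0.0
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
  name: cicd-sample-docs-secret-without-containers
  namespace: cicd-test
# NOTE(review): plaintext in the rendered manifest; do not commit real values
stringData:
  token: t0ken
type: Opaque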
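---
# Deployment for the "docs" instance of cicd-sample
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: 1.0.0
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/application-workload: "true"
    exordis/environment: test
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
  name: cicd-sample-docs
  namespace: cicd-test
spec:
  replicas: 3
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      exordis/application: cicd-sample
      exordis/application-instance: docs
      exordis/application-workload: "true"
      exordis/environment: test
      exordis/subsystem: cicd
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # checksums of the referenced ConfigMaps/Secrets live on the pod
        # template so that a change to any of them rolls the pods.
        # NOTE(review): these hashes are visible to anyone who can read pods;
        # if a hash is taken over the secret's values, a low-entropy value
        # could be recovered by brute force — confirm what exactly is hashed
        checksum/configMap.config-map-with-containers: 48b7e320feb03b105aa89ed415344c030af90d34a34c66f56146d9f0fd2da3e3
        checksum/configMap.config-map-without-containers: 1dbfa263d171e565d412b904c69bdf60fc6bc8db2fcb31e13049242a8bbdecac
        checksum/configMap.envs: 7804c1a2bc6fb98bc7b87c036f6bdb678f897e534204c2e4efd7d881bf5b2924
        checksum/configMap.external-secret-template: f921d5d8c41b9909941321f0d31975eb7ca6d83cba279a6fa91b5f035c9c3f56
        checksum/secret.secret-with-containers: 8e0836f50407f40dc36bf200910416c00f82b8bf5284ab96e908b1d709eb65e3
        checksum/secret.secret-without-containers: 2e931d517cebd760f5460ea95663a82d8df2673e2c075918c21b33c96bfd6686
        custom-annotation: custom annotation
      labels:
        app.kubernetes.io/component: cicd-sample
        app.kubernetes.io/instance: docs
        app.kubernetes.io/managed-by: helm
        app.kubernetes.io/name: cicd-sample
        app.kubernetes.io/part-of: cicd
        app.kubernetes.io/version: 1.0.0
        custom-label: custom label
        exordis/application: cicd-sample
        exordis/application-instance: docs
        exordis/application-type: service
        exordis/application-workload: "true"
        exordis/environment: test
        exordis/product: Some Product
        exordis/subsystem: cicd
        helm.sh/chart: cicd-subsystem-application-0.1.0
    # NOTE(review): no pod- or container-level securityContext is rendered
    # (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) — confirm
    # whether the chart exposes a way to set one
    spec:
      containers:
        # "application": the only Deployment container listed in
        # secret-with-containers, so it gets all three secretRefs
        - envFrom:
            # NOTE(review): envFrom exposes secret values in the process
            # environment (inherited by child processes, readable via /proc);
            # a volume mount is the tighter option if the chart supports it
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - secretRef:
                name: cicd-sample-docs-secret-with-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
            - configMapRef:
                name: cicd-sample-docs-config-map-with-containers
          # NOTE(review): image pinned by mutable tag rather than digest
          image: registry.gitlab.com/cicd-unittests:1.0.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 80
            timeoutSeconds: 1
          name: application
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 80
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 64Mi
          startupProbe:
            failureThreshold: 30
            periodSeconds: 5
            successThreshold: 1
            tcpSocket:
              port: 80
            timeoutSeconds: 1
          volumeMounts:
            - mountPath: /some-data
              name: volume1
            - mountPath: /pvc-data
              name: mypvc
        # "jsreport": receives secret-without-containers only because that
        # secret lists no containers; set `containers` on the secret if this
        # sidecar does not need the token
        - envFrom:
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
          image: docker.io/jsreport/jsreport:4.7.0
          imagePullPolicy: IfNotPresent
          name: jsreport
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 64Mi
          volumeMounts:
            - mountPath: /some-another-data-but-same-as-for-application
              name: volume1
      initContainers:
        # "migration" init container: also gets secret-without-containers,
        # since init containers count as containers in the secret's namespace
        - envFrom:
            - secretRef:
                name: cicd-sample-docs-external-full
            - secretRef:
                name: cicd-sample-docs-secret-without-containers
            - configMapRef:
                name: cicd-sample-docs-envs
            - configMapRef:
                name: cicd-sample-docs-config-map-without-containers
          image: registry.gitlab.com/my-migration-image:1.0.0
          # pull policy differs from the IfNotPresent used by the other
          # containers of this pod
          imagePullPolicy: Always
          name: migration
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 64Mi
          volumeMounts: []
      # dedicated service account for the workload (contrast with the CronJob)
      serviceAccountName: cicd-sample-docs-workload
      terminationGracePeriodSeconds: 60
      volumes:
        - name: mypvc
          persistentVolumeClaim:
            claimName: cicd-sample-docs-mypvc
        - emptyDir:
            sizeLimit: 100Mi
          name: volume1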
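---
# CronJob "cleanup" for the "docs" instance of cicd-sample
apiVersion: batch/v1
kind: CronJob
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: cicd-sample
    app.kubernetes.io/instance: docs
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/name: cicd-sample
    app.kubernetes.io/part-of: cicd
    app.kubernetes.io/version: 1.0.0
    exordis/application: cicd-sample
    exordis/application-instance: docs
    exordis/application-type: service
    exordis/environment: test
    exordis/product: Some Product
    exordis/subsystem: cicd
    helm.sh/chart: cicd-subsystem-application-0.1.0
  name: cicd-sample-docs-cleanup
  namespace: cicd-test
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            custom-annotation: custom annotation
          labels:
            app.kubernetes.io/component: cicd-sample
            app.kubernetes.io/instance: docs
            app.kubernetes.io/managed-by: helm
            app.kubernetes.io/name: cicd-sample
            app.kubernetes.io/part-of: cicd
            app.kubernetes.io/version: 1.0.0
            custom-label: custom label
            exordis/application: cicd-sample
            exordis/application-instance: docs
            exordis/application-type: service
            exordis/environment: test
            exordis/product: Some Product
            exordis/subsystem: cicd
            helm.sh/chart: cicd-subsystem-application-0.1.0
        # NOTE(review): no securityContext rendered for this pod either — confirm
        # whether the chart exposes a way to set one
        spec:
          containers:
            # "main" is addressed as cronjobs.cleanup.main in
            # secret-with-containers, hence the third secretRef
            - args:
                - tag
                - delete
                - --registry
              envFrom:
                - secretRef:
                    name: cicd-sample-docs-external-full
                - secretRef:
                    name: cicd-sample-docs-secret-without-containers
                - secretRef:
                    name: cicd-sample-docs-secret-with-containers
                - configMapRef:
                    name: cicd-sample-docs-envs
                - configMapRef:
                    name: cicd-sample-docs-config-map-without-containers
              # NOTE(review): image pinned by mutable tag rather than digest
              image: registry.gitlab.com/cicd-unittests:1.0.0
              imagePullPolicy: IfNotPresent
              name: main
              resources:
                limits:
                  cpu: 200m
                  memory: 256Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
              volumeMounts:
                - mountPath: /some-data
                  name: volume2
          initContainers:
            # "cleanup-init" gets secret-without-containers because that
            # secret lists no containers
            - envFrom:
                - secretRef:
                    name: cicd-sample-docs-external-full
                - secretRef:
                    name: cicd-sample-docs-secret-without-containers
                - configMapRef:
                    name: cicd-sample-docs-envs
                - configMapRef:
                    name: cicd-sample-docs-config-map-without-containers
              image: registry.gitlab.com/cicd-sample/cleanup-init:1.0.0
              imagePullPolicy: IfNotPresent
              name: cleanup-init
              resources:
                limits:
                  cpu: 200m
                  memory: 256Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
              volumeMounts: []
          restartPolicy: Never
          # NOTE(review): runs as the namespace's default service account,
          # unlike the Deployment's dedicated cicd-sample-docs-workload
          # account; the default SA token is mounted into the pod unless
          # automount is disabled — confirm this is intended
          serviceAccountName: default
          volumes:
            - emptyDir:
                sizeLimit: 300Mi
              name: volume2
      ttlSecondsAfterFinished: 86400
  schedule: 0 6 * * *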
enabled

If set to `false`, the secret is excluded from rendering.

default: true

namespace

secret namespace

default: subsystem namespace generated by convention

labels

map of labels to add to the secret's metadata in addition to the common labels

default: empty dict

annotations

map of annotations to add to the secret's metadata (the chart adds no annotations of its own, so this is the complete set)

default: empty dict

containers

list of container ids that get a `secretRef` for this secret. If `containers` is not provided, a `secretRef` is added to every container in the secret's namespace — init containers and batch-workload containers included — so any process in any of those containers can read the secret from its environment; for least privilege, list only the containers that actually need it. Batch workloads are referenced as `[workload collection].[workload id].[container id]`, e.g. `cronjobs.cleanup.main`.

default: nil (add secretRef to all containers)

type

type to be added to secret manifest

default: Opaque

data

`data` map to be added to the Secret manifest. Per the Kubernetes Secret API the values must be base64-encoded; base64 is an encoding, not encryption, so the values remain readable by anyone who can read the Secret.

default: empty dict

stringData

`stringData` map to be added to the Secret manifest. The values are plaintext both in the values file and in the rendered manifest, so do not commit real credentials here; prefer the chart's external secrets (see Validations) for anything sensitive.

default: empty dict

Validations

  • Secret id is unique with respect to external secrets ids
  • Each item in containers references existing container
  • Each item in containers references container from the same namespace as secret

Overrides

name

name is generated from id by convention

Manifests Generation

  • common labels are added to metadata
  • secretRef is added to containers with ids listed in secret.containers (all if this field is not set)
  • an annotation with the checksum of the secret (`checksum/secret.<id>`) is added to a workload's pod template if at least one of its containers has the `secretRef` added, so that a change to the secret rolls the pods
  • one Secret manifest is generated per secret