# ClusterPushSecret

The `ClusterPushSecret` is a cluster-scoped resource that manages `PushSecret` resources across namespaces. It creates one `PushSecret`, named by `spec.pushSecretName`, in every namespace that matches `spec.namespaceSelectors`, and every created `PushSecret` gets the same spec from `spec.pushSecretSpec`.

`namespaceSelectors` is a list of label selectors; the entries are OR'd, so a namespace is selected as soon as any one of them matches it. Because selection is driven purely by namespace labels, whoever can label a namespace can bring it into scope, so treat the selecting label as a privileged one.

If a `PushSecret` with the configured name already exists in a selected namespace and was not created by this `ClusterPushSecret`, the controller does not overwrite it: the namespace is reported under `status.failedNamespaces`, and the resource becomes `PartiallyReady` (or `NotReady` if every selected namespace fails). Also note that all generated `PushSecret` resources reference the same source secret, `secretStoreRefs` and `remoteRef`, so the referenced store (a `SecretStore` is namespaced; use a `ClusterSecretStore` to share one) and the source secret must exist in every selected namespace, and each namespace pushes to the same remote key.

## Example

Below is an example of the `ClusterPushSecret` in use.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ClusterPushSecret
metadata:
  name: "hello-world"
spec:
  # The name to be used on the PushSecrets
  pushSecretName: "hello-world-ps"
  # This is a list of basic label selectors to select the namespaces to deploy PushSecrets to.
  # You can read more about them here: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
  # the PushSecret will be deployed to that namespace.
  namespaceSelectors:
  - matchLabels:
      cool: label
  # How often the ClusterPushSecret should reconcile itself.
  # This decides how often to check and make sure that the PushSecrets exist in the matching namespaces.
  refreshTime: "1m"
  # This is the spec of the PushSecrets to be created.
  # The content of this was taken from our PushSecret example.
  pushSecretSpec:
    updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
    deletionPolicy: Delete # the provider's secret will be deleted if the PushSecret is deleted
    refreshInterval: 1h # Refresh interval at which the PushSecret will reconcile
    secretStoreRefs: # A list of secret stores to push secrets to
    - name: aws-parameterstore
      kind: SecretStore # namespaced: must exist in every selected namespace (or use kind: ClusterSecretStore)
    selector:
      secret:
        name: pokedex-credentials # Source Kubernetes secret to be pushed
      # Alternatively (instead of `secret`), point to a generator that produces the values to be pushed
      generatorRef:
        apiVersion: external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: prod-registry-credentials
    template:
      metadata:
        annotations: { }
        labels: { }
      data:
        best-pokemon: "{{ .best-pokemon | toString | upper }} is the really best!"
      # Uses an existing template from a configmap.
      # The secret is fetched, merged and templated with the referenced configMap data.
      # It does not update the configmap; it renders data["config.yml"] = ...result... into the secret that is pushed
      templateFrom:
      - configMap:
          name: application-config-tmpl
          items:
          - key: config.yml
    data:
    - conversionStrategy: None # Also supports the ReverseUnicode strategy
      match:
        secretKey: best-pokemon # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: my-first-parameter # Remote reference (where the secret is going to be pushed)
status:
  # This will list any namespaces where the creation of the PushSecret failed.
  # It will not list any issues with the PushSecrets themselves; check the
  # individual PushSecrets to see any issues with them.
  failedNamespaces:
  - namespace: "matching-ns-1"
    # This is one of the possible messages, and likely the most common
    reason: "external secret already exists in namespace"
  # You can find all matching and successfully deployed namespaces here
  provisionedNamespaces:
  - "matching-ns-3"
  - "matching-ns-2"
  # The condition can be Ready, PartiallyReady, or NotReady.
  # PartiallyReady indicates an error in 1 or more namespaces.
  # NotReady indicates errors in all namespaces, meaning every PushSecret resulted in an error.
  conditions:
  - type: PartiallyReady
    status: "True"
    lastTransitionTime: "2022-01-12T12:33:02Z"
```
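Before applying a `ClusterPushSecret` it is useful to know which namespaces it will reach and where it will collide with an existing `PushSecret`. The following is an added example, not code from external-secrets-operator: a small dry-run planner that re-implements the Kubernetes label-selector semantics used by `namespaceSelectors` (`matchLabels` and `matchExpressions` are AND'd within an entry, entries are OR'd, and an empty `{}` entry matches every namespace) together with the conflict rule described above, producing the same `provisionedNamespaces` / `failedNamespaces` / condition split as the status block. The `owner` field on existing PushSecrets is this example's own stand-in for ownership tracking, and the namespaces and existing PushSecrets are constructed inline.

```python
"""Dry-run planner for a ClusterPushSecret (added example, not ESO code)."""

MATCH_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def expression_matches(labels, expr):
    """Evaluate one matchExpressions entry with Kubernetes semantics."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values") or []
    if op not in MATCH_OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"{op} must not carry values")
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"{op} needs at least one value")
    present = key in labels
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op == "In":
        return present and labels[key] in values
    return not present or labels[key] not in values  # NotIn also matches a missing key


def selector_matches(labels, selector):
    """matchLabels and matchExpressions are AND'd; an empty selector {} matches everything."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    return all(expression_matches(labels, e)
               for e in selector.get("matchExpressions") or [])


def namespace_selected(labels, namespace_selectors):
    """The namespaceSelectors list is OR'd: any matching entry selects the namespace."""
    return any(selector_matches(labels, s) for s in namespace_selectors)


def plan(cluster_push_secret, namespaces, existing_push_secrets):
    """Return (provisioned, failed, condition) mirroring the status block.

    namespaces: {name: labels}.  existing_push_secrets: {(namespace, name): {"owner": ...}}.
    The "owner" field is this example's assumption for how ownership is tracked.
    """
    spec = cluster_push_secret["spec"]
    ps_name = spec["pushSecretName"]
    owner = cluster_push_secret["metadata"]["name"]
    provisioned, failed = [], []
    for ns, labels in namespaces.items():
        if not namespace_selected(labels, spec["namespaceSelectors"]):
            continue
        existing = existing_push_secrets.get((ns, ps_name))
        if existing is not None and existing.get("owner") != owner:
            # Conflict: never overwrite a PushSecret we did not create.
            failed.append({"namespace": ns,
                           "reason": f"push secret {ps_name} already exists in namespace {ns}"})
        else:
            provisioned.append(ns)
    if failed and provisioned:
        condition = "PartiallyReady"
    elif failed:
        condition = "NotReady"
    else:
        condition = "Ready"  # assumption: also Ready when no namespace matched
    return sorted(provisioned), failed, condition


# Constructed sample input: the manifest's selection-relevant fields plus a few namespaces.
CLUSTER_PUSH_SECRET = {
    "apiVersion": "external-secrets.io/v1alpha1",
    "kind": "ClusterPushSecret",
    "metadata": {"name": "hello-world"},
    "spec": {
        "pushSecretName": "hello-world-ps",
        "namespaceSelectors": [{"matchLabels": {"cool": "label"}}],
        "refreshTime": "1m",
    },
}

NAMESPACES = {
    "matching-ns-1": {"cool": "label"},
    "matching-ns-2": {"cool": "label"},
    "matching-ns-3": {"cool": "label", "team": "b"},
    "other-ns": {"cool": "nope"},
    "kube-system": {},
}

# matching-ns-1 already holds a hand-made PushSecret with the target name;
# matching-ns-3 holds one created by this ClusterPushSecret on an earlier pass.
EXISTING_PUSH_SECRETS = {
    ("matching-ns-1", "hello-world-ps"): {"owner": "someone-else"},
    ("matching-ns-3", "hello-world-ps"): {"owner": "hello-world"},
}


def demo():
    return plan(CLUSTER_PUSH_SECRET, NAMESPACES, EXISTING_PUSH_SECRETS)


if __name__ == "__main__":
    provisioned, failed, condition = demo()
    print("provisionedNamespaces:", provisioned)
    print("failedNamespaces:", failed)
    print("condition:", condition)
```

Run it after editing the selectors to see how a `matchExpressions` entry or an accidental `- {}` changes the set of namespaces that will receive a `PushSecret`; the planner raises on malformed operators rather than silently matching nothing.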