
ClusterSecretStore

ClusterSecretStore

The ClusterSecretStore is a cluster-scoped SecretStore that can be referenced by ExternalSecrets in all namespaces. Use it to offer a central gateway to your secret backend.

Different Store Providers have different stability levels, maintenance status, and support. For the full list, please see Stability Support.

Unmaintained Stores generate events

Admission webhooks and controllers will emit warning events for providers without an explicit maintainer. To disable controller warning events, you can add the external-secrets.io/ignore-maintenance-checks: "true" annotation to the SecretStore. Admission webhook warnings cannot be disabled.

Example

For a full list of supported fields see spec or dig into our guides.

# ClusterSecretStore example. The resource is cluster scoped, so metadata carries
# no namespace and ExternalSecrets in any namespace may reference it unless
# `spec.conditions` (below) narrows that.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: example
  annotations:
    # Add this annotation to disable controller warning events for unmaintained stores.
    # NOTE(review): the text above names the annotation `ignore-maintenance-checks`
    # while this example uses `disable-maintenance-checks`; confirm the exact key
    # against the ESO version in use. Admission webhook warnings are not affected.
    external-secrets.io/disable-maintenance-checks: "true"
spec:
  # Used to select the correct ESO controller (think: ingress.ingressClassName).
  # The ESO controller is instantiated with a specific controller name
  # and filters ES based on this property.
  # Optional
  controller: dev

  # provider holds the configuration used to reach the backend that stores the
  # secrets. Exactly one provider must be configured; the entries below are
  # alternatives shown side by side, not a single combined configuration.
  provider:
    # (1): AWS Secrets Manager
    # aws configures this store to sync secrets using the AWS Secrets Manager provider
    aws:
      service: SecretsManager
      # Role is a Role ARN which the Secrets Manager provider will assume
      # (the value here is a placeholder, not a real ARN)
      role: iam-role
      # AWS Region to be used for the provider
      region: eu-central-1
      # Auth defines the information necessary to authenticate against AWS.
      # Two mechanisms are shown (secretRef and jwt); NOTE(review): presumably
      # only one is used for a given store -- confirm against the provider docs.
      auth:
        # Static credentials: accessKeyID and secretAccessKey are read from an
        # already created Kubernetes Secret
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
        # IAM roles for service accounts (no access-key Secret is referenced)
        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
        jwt:
          serviceAccountRef:
            name: my-serviceaccount
            namespace: sa-namespace

    vault:
      # Vault address; the example uses https, so the CA settings below apply
      server: "https://vault.acme.org"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "secret"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "a-team"
      # base64 encoded CA certificate bundle used when connecting to `server`
      # ("..." is a placeholder)
      caBundle: "..."
      # Instead of caBundle you can also specify a caProvider
      # this will retrieve the cert from a Secret or ConfigMap
      caProvider:
        # Can be Secret or ConfigMap
        type: "Secret"
        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
        namespace: "my-cert-secret-namespace"
        name: "my-cert-secret"
        key: "cert-key"
      # Three auth methods are shown (tokenSecretRef, appRole, kubernetes);
      # NOTE(review): presumably a store uses only one of them -- confirm.
      auth:
        # static token: https://www.vaultproject.io/docs/auth/token
        # The token is read from the named Secret; restrict access to that
        # Secret and namespace accordingly.
        tokenSecretRef:
          name: "my-secret"
          namespace: "secret-admin"
          key: "vault-token"

        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
        appRole:
          path: "approle"
          # Instead of referencing the AppRole's ID from the secret, you can also specify it directly
          # (the UUID below is an example value)
          # roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
          roleRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-id"
          # AppRole secret, paired with the role ID above, read from a Secret
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-secret"

        # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
        kubernetes:
          mountPath: "kubernetes"
          role: "demo"
          # Optional service account reference
          serviceAccountRef:
            name: "my-sa"
            namespace: "secret-admin"
          # Optional secret field containing a Kubernetes ServiceAccount JWT
          # used for authenticating with Vault
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault"

    # (2): GCP Secret Manager
    gcpsm:
      # Auth defines the information necessary to authenticate against GCP by getting
      # the credentials from an already created Kubernetes Secret.
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret
            key: secret-access-credentials
            # Secret refs in a ClusterSecretStore name the namespace explicitly,
            # since the store itself has none
            namespace: example
      projectID: myproject

    # (3): Kubernetes provider -- reads from the Kubernetes API server at `server.url`
    kubernetes:
      server:
        url: "https://myapiserver.tld"
        # CA used for the connection to `url`, taken from a Secret
        caProvider:
          type: Secret
          name: my-cluster-secrets
          namespace: example
          key: ca.crt
      auth:
        # Authenticate as this ServiceAccount
        serviceAccount:
          name: "example-sa"
          namespace: "example"

    # (4): Oracle provider
    oracle:
      # The vault OCID (all OCIDs in this example are placeholders)
      vault: ocid1.vault.oc1.eu-frankfurt-1.aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
      # The vault region
      region: eu-frankfurt-1
      auth:
        # The user OCID
        user: ocid1.user.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        # The tenancy OCID
        tenancy: ocid1.tenancy.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        # Private key and its fingerprint, both read from the same Secret
        secretRef:
          privatekey:
            # The secret that contains your privatekey
            name: oci-secret-name
            key: privateKey
            namespace: example-namespace
          fingerprint:
            # The secret that contains your fingerprint
            name: oci-secret-name
            key: fingerprint
            namespace: example-namespace

    # (TODO): add more provider examples here

  # Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets.
  # Without conditions, ExternalSecrets in every namespace may reference this store
  # (it is cluster scoped); use them to limit which namespaces can fetch through it.
  conditions:
    # Options are namespaceSelector, namespaces or namespaceRegexes
    - namespaceSelector:
        matchLabels:
          my.namespace.io/some-label: "value" # Only namespaces with that label will work

    # Explicit list of namespace names
    - namespaces:
        - "namespace-a"
        - "namespace-b"

    # Namespace regexes are useful for policy management or when external tools auto-generate namespaces with prefixes/suffixes.
    # NOTE(review): the example patterns are not anchored (^...$); whether matching is
    # full-match or substring search is not stated here -- confirm before relying on
    # prefix-only semantics.
    - namespaceRegexes:
        - "namespace-a-.*" # All namespaces prefixed by namespace-a- will work
        - "namespace-b-.*" # All namespaces prefixed by namespace-b- will work

    # Only one of the listed conditions needs to match for the CSS (ClusterSecretStore)
    # to be usable in a namespace.

status:
  # Standard condition schema
  conditions:
    # SecretStore ready condition indicates the given store is in ready
    # state and able to be referenced by ExternalSecrets.
    # If the `status` of this condition is `False`, ExternalSecret controllers
    # should prevent attempts to fetch secrets
    - type: Ready
      status: "False"
      reason: "ConfigError"
      message: "SecretStore validation failed"
      lastTransitionTime: "2019-08-12T12:33:02Z"