Skip to content

ClusterExternalSecret

ClusterExternalSecret

The ClusterExternalSecret is a cluster scoped resource that can be used to manage ExternalSecret resources in specific namespaces.

With namespaceSelectors you can select namespaces in which the ExternalSecret should be created. If there is a conflict with an existing resource the controller will error out.

Example

Below is an example of the ClusterExternalSecret in use.

apiVersion: external-secrets.io/v1
kind: ClusterExternalSecret
metadata:
  name: "hello-world"
spec:
  # The name to be used on the ExternalSecrets
  externalSecretName: "hello-world-es"

  # This is a basic label selector to select the namespaces to deploy ExternalSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # Deprecated: Use namespaceSelectors instead.
  # namespaceSelector:
  #   matchLabels:
  #     cool: label

  # This is a list of basic label selector to select the namespaces to deploy ExternalSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
  # the ExternalSecret will be deployed to that namespace.
  namespaceSelectors:
  - matchLabels:
      cool: label

  # How often the ClusterExternalSecret should reconcile itself
  # This will decide how often to check and make sure that the ExternalSecrets exist in the matching namespaces
  refreshTime: "1m"

  # This is the spec of the ExternalSecrets to be created
  # The content of this was taken from our ExternalSecret example
  externalSecretSpec:
    secretStoreRef:
      name: secret-store-name
      kind: SecretStore

    # RefreshPolicy determines how the ExternalSecret should be refreshed:
    # - CreatedOnce: Creates the Secret only if it does not exist and does not update it afterward
    # - Periodic: (default) Synchronizes the Secret at intervals specified by refreshInterval
    # - OnChange: Only synchronizes when the ExternalSecret's metadata or specification changes
    refreshPolicy: Periodic

    refreshInterval: "1h"
    target:
      name: my-secret
      creationPolicy: 'Merge'
      template:
        type: kubernetes.io/dockerconfigjson

        metadata:
          annotations: {}
          labels: {}
        data:
          config.yml: |
            endpoints:
            - https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
        templateFrom:
        - configMap:
            name: alertmanager
            items:
            - key: alertmanager.yaml
    data:
      - secretKey: secret-key-to-be-managed
        remoteRef:
          key: provider-key
          version: provider-key-version
          property: provider-key-property
    dataFrom:
    - key: provider-key
      version: provider-key-version
      property: provider-key-property

status:
  # This will list any namespaces where the creation of the ExternalSecret failed
  # This will not list any issues with the ExternalSecrets, you will have to check the
  # ExternalSecrets to see any issues with them.
  failedNamespaces:
    - namespace: "matching-ns-1"
      # This is one of the possible messages, and likely the most common
      reason: "external secret already exists in namespace"

  # You can find all matching and successfully deployed namespaces here
  provisionedNamespaces:
    - "matching-ns-3"
    - "matching-ns-2"

  # The condition can be Ready, PartiallyReady, or NotReady
  # PartiallyReady would indicate an error in 1 or more namespaces
  # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
  conditions:
  - type: PartiallyReady
    status: "True"
    lastTransitionTime: "2022-01-12T12:33:02Z"

Synchronizing corresponding ExternalSecrets

Regular refreshes can be controlled using the refreshPolicy and refreshInterval fields. Adhoc synchronizations can be triggered by setting, updating or deleting the annotation external-secrets.io/force-sync on the ClusterExternalSecret:

kubectl annotate ces my-ces external-secrets.io/force-sync=$(date +%s) --overwrite

Changes to this annotation will be synchronized to all ExternalSecrets owned by the ClusterExternalSecret.

Deprecations

namespaceSelector

The field namespaceSelector has been deprecated in favor of namespaceSelectors and will be removed in a future version.