Skip to content

ClusterPushSecret

The ClusterPushSecret is a cluster scoped resource that can be used to manage PushSecret resources in specific namespaces.

With namespaceSelectors you can select namespaces in which the PushSecret should be created. If there is a conflict with an existing resource the controller will error out.

Example

Below is an example of the ClusterPushSecret in use.

---
# The source secret that will be pushed to the destination secret by ClusterPushSecret.
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  best-pokemon-src: "Pikachu"
---
apiVersion: external-secrets.io/v1alpha1
kind: ClusterPushSecret
metadata:
  name: "hello-world"
spec:
  # The name to be used on the PushSecrets
  pushSecretName: "hello-world-ps"

  # This is a list of basic label selector to select the namespaces to deploy PushSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
  # the ExternalSecret will be deployed to that namespace.
  namespaceSelectors:
  - matchLabels:
      cool: label

  # How often the ClusterPushSecret should reconcile itself
  # This will decide how often to check and make sure that the PushSecrets exist in the matching namespaces
  refreshTime: "1m"

  # This is the spec of the PushSecrets to be created
  # The content of this was taken from our PushSecret example
  pushSecretSpec:
    updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
    deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted
    refreshInterval: 1h # Refresh interval for which push secret will reconcile
    secretStoreRefs: # A list of secret stores to push secrets to
      - name: aws-parameterstore
        kind: SecretStore
    selector:
      secret:
        name: source-secret # Source Kubernetes secret to be pushed
      # Alternatively, you can point to a generator that produces values to be pushed
      generatorRef:
        apiVersion: external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: prod-registry-credentials
    template:
      metadata:
        annotations: { }
        labels: { }
      data:
        # If the key source secret key has dashes, then it cannot be accessed directly,
        # and the "index" function should be used.
        best-pokemon: "{{ index . \"best-pokemon-src\" | toString | upper }} is the really best!"
      # Also, it's possible to use an existing template from configmap where Secret is fetched, 
      # merged and templated within the referenced configMap data.
      # It does not update the configmap, it creates a secret with: data["config.yml"] = ...result...
      templateFrom:
        - configMap:
            name: application-config-tmpl
            items:
              - key: config.yml
    data:
      - conversionStrategy: None # Also supports the ReverseUnicode strategy
        match:
          # The secretKey is used within ClusterPushSecret (it should match key under spec.pushSecretSpec.template.data)
          secretKey: best-pokemon
          remoteRef:
            remoteKey: destination-secret # The destination secret object name (where the secret is going to be pushed)
            property: best-pokemon-dst # The key within the destination secret object.
status:
  # This will list any namespaces where the creation of the ExternalSecret failed
  # This will not list any issues with the ExternalSecrets, you will have to check the
  # ExternalSecrets to see any issues with them.
  failedNamespaces:
    - namespace: "matching-ns-1"
      # This is one of the possible messages, and likely the most common
      reason: "external secret already exists in namespace"

  # You can find all matching and successfully deployed namespaces here
  provisionedNamespaces:
    - "matching-ns-3"
    - "matching-ns-2"

  # The condition can be Ready, PartiallyReady, or NotReady
  # PartiallyReady would indicate an error in 1 or more namespaces
  # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
  conditions:
  - type: PartiallyReady
    status: "True"
    lastTransitionTime: "2022-01-12T12:33:02Z"

The result of the created Secret object will look like:

# The destination secret that will be templated and pushed by ClusterPushSecret.
apiVersion: v1
kind: Secret
metadata:
  name: destination-secret
stringData:
  best-pokemon-dst: "PIKACHU is the really best!"