Skip to content

ClusterSecretStore

ClusterSecretStore

The ClusterSecretStore is a cluster scoped SecretStore that can be referenced by all ExternalSecrets from all namespaces. Use it to offer a central gateway to your secret backend.

Example

For a full list of supported fields see spec or dig into our guides.

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: example
spec:
  # Used to select the correct ESO controller (think: ingress.ingressClassName)
  # The ESO controller is instantiated with a specific controller name
  # and filters ES based on this property
  # Optional
  controller: dev

  # provider field contains the configuration to access the provider
  # which contains the secret exactly one provider must be configured.
  provider:
    # (1): AWS Secrets Manager
    # aws configures this store to sync secrets using AWS Secret Manager provider
    aws:
      service: SecretsManager
      # Role is a Role ARN which the SecretManager provider will assume
      role: iam-role
      # AWS Region to be used for the provider
      region: eu-central-1
      # Auth defines the information necessary to authenticate against AWS
      auth:
        # Getting the accessKeyID and secretAccessKey from an already created Kubernetes Secret
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
        # IAM roles for service accounts
        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
        jwt:
          serviceAccountRef:
            name: my-serviceaccount
            namespace: sa-namespace

    vault:
      server: "https://vault.acme.org"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "secret"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "a-team"
      # base64 encoded string of certificate
      caBundle: "..."
      # Instead of caBundle you can also specify a caProvider
      # this will retrieve the cert from a Secret or ConfigMap
      caProvider:
        # Can be Secret or ConfigMap
        type: "Secret"
        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
        namespace: "my-cert-secret-namespace"
        name: "my-cert-secret"
        key: "cert-key"
      auth:
        # static token: https://www.vaultproject.io/docs/auth/token
        tokenSecretRef:
          name: "my-secret"
          namespace: "secret-admin"
          key: "vault-token"

        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
        appRole:
          path: "approle"
          # Instead of referencing the AppRole's ID from the secret, you can also specify it directly
          # roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
          roleRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-id"
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault-role-secret"

        # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
        kubernetes:
          mountPath: "kubernetes"
          role: "demo"
          # Optional service account reference
          serviceAccountRef:
            name: "my-sa"
            namespace: "secret-admin"
          # Optional secret field containing a Kubernetes ServiceAccount JWT
          # used for authenticating with Vault
          secretRef:
            name: "my-secret"
            namespace: "secret-admin"
            key: "vault"

    # (2): GCP Secret Manager
    gcpsm:
      # Auth defines the information necessary to authenticate against GCP by getting
      # the credentials from an already created Kubernetes Secret.
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret
            key: secret-access-credentials
            namespace: example
      projectID: myproject

    # (3): Kubernetes provider
    kubernetes:
      server:
        url: "https://myapiserver.tld"
        caProvider:
          type: Secret
          name: my-cluster-secrets
          namespace: example
          key: ca.crt
      auth:
        serviceAccount:
          name: "example-sa"
          namespace: "example"

    # (4): Oracle provider
    oracle:
      # The vault OCID
      vault: ocid1.vault.oc1.eu-frankfurt-1.aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
      # The vault region
      region: eu-frankfurt-1
      auth:
        # The user OCID
        user: ocid1.user.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        # The tenancy OCID
        tenancy: ocid1.tenancy.oc1..aaa1aaaaaaaaa.aaaaaaaaaaaaaa1aaaaaaa111aaaaaaaaaaaaaaaa
        secretRef:
          privatekey:
            # The secret that contains your privatekey
            name: oci-secret-name
            key: privateKey
            namespace: example-namespace
          fingerprint:
            # The secret that contains your fingerprint
            name: oci-secret-name
            key: fingerprint
            namespace: example-namespace

    # (TODO): add more provider examples here

  # Conditions about namespaces in which the ClusterSecretStore is usable for ExternalSecrets
  conditions:
    # Options are namespaceSelector, namespaces or namespacesRegex
    - namespaceSelector:
        matchLabels:
          my.namespace.io/some-label: "value" # Only namespaces with that label will work

    - namespaces:
        - "namespace-a"
        - "namespace-b"

    # Namespace regexes are useful for policy management or when external tools auto-generate namespaces with prefixes/suffixes
    - namespaceRegexes:
        - "namespace-a-.*" # All namespaces prefixed by namespace-a- will work
        - "namespace-b-.*" # All namespaces prefixed by namespace-b- will work

    # conditions needs only one of the conditions to meet for the CSS to be usable in the namespace.

status:
  # Standard condition schema
  conditions:
    # SecretStore ready condition indicates the given store is in ready
    # state and able to referenced by ExternalSecrets
    # If the `status` of this condition is `False`, ExternalSecret controllers
    # should prevent attempts to fetch secrets
    - type: Ready
      status: "False"
      reason: "ConfigError"
      message: "SecretStore validation failed"
      lastTransitionTime: "2019-08-12T12:33:02Z"