Advanced Templating v1
Warning
Templating Engine v1 is deprecated and will be removed in the future. Please migrate to engine v2 and take a look at our upgrade guide for changes.
With External Secrets Operator you can transform the data from the external secret provider before it is stored as a Kind=Secret. You do this with Spec.Target.Template: each data value is interpreted as a Go template.
Examples
You can use templates to inject your secrets into a configuration file that you mount into your pod:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: template
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    # v1 is the default version
    engineVersion: v1
    # this is what the Kind=Secret will look like
    template:
      type: kubernetes.io/tls
      data:
        # multiline string
        config: |
          datasources:
          - name: Graphite
            type: graphite
            access: proxy
            url: http://localhost:8080
            password: "{{ .password | toString }}" # <-- convert []byte to string
            user: "{{ .user | toString }}"         # <-- convert []byte to string
  data:
  - secretKey: user
    remoteRef:
      key: /grafana/user
  - secretKey: password
    remoteRef:
      key: /grafana/password
```
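To make the `toString` conversion in the example above concrete, here is an added Go example (not the operator's own code) that re-implements a subset of the v1 helper functions as a `text/template` FuncMap and renders the same config value against a constructed secret map. The function names match the helper table below; their bodies, the `Render` helper and the sample values are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// helperFuncs re-implements part of the v1 helper table on top of text/template.
// Illustrative only; the operator's real implementations may differ.
func helperFuncs() template.FuncMap {
	return template.FuncMap{
		"toString": func(b []byte) string { return string(b) },
		"toBytes":  func(s string) []byte { return []byte(s) },
		"upper":    strings.ToUpper,
		"lower":    strings.ToLower,
		"base64encode": func(b []byte) []byte {
			return []byte(base64.StdEncoding.EncodeToString(b))
		},
		"base64decode": func(b []byte) ([]byte, error) {
			return base64.StdEncoding.DecodeString(string(b))
		},
		"fromJSON": func(b []byte) (interface{}, error) {
			var v interface{}
			err := json.Unmarshal(b, &v)
			return v, err
		},
		"toJSON": func(v interface{}) (string, error) {
			out, err := json.Marshal(v)
			return string(out), err
		},
	}
}

// Render executes one template value (one key under spec.target.template.data)
// against the secret map the operator fetched, where every value is a []byte.
func Render(tpl string, secret map[string][]byte) (string, error) {
	t, err := template.New("value").Funcs(helperFuncs()).Parse(tpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, secret); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample input standing in for the values fetched from /grafana/*.
	secret := map[string][]byte{"user": []byte("admin"), "password": []byte("s3cr3t")}
	config := `datasources:
- name: Graphite
  type: graphite
  access: proxy
  url: http://localhost:8080
  password: "{{ .password | toString }}"
  user: "{{ .user | toString }}"
`
	out, err := Render(config, secret)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	// Without toString, fmt prints the []byte as a list of numbers, which is
	// why the page's templates always convert first:
	raw, _ := Render(`{{ .password }}`, secret)
	fmt.Println(raw) // [115 51 99 114 51 116]
}
```

Because every fetched value is a `[]byte`, a pipeline that forgets `toString` silently writes the numeric slice representation into the Secret; the `upper`, `base64encode` and `fromJSON` helpers compose the same way, with `fromJSON` letting a pipeline such as `(.creds | fromJSON).username` pick a single field out of a JSON-valued secret.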
You can also use pre-defined functions to extract data from your secrets. The following example extracts the private key and certificate from a PKCS #12 archive and stores them PEM-encoded:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: template
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    # this is what the Kind=Secret will look like
    template:
      type: kubernetes.io/tls
      data:
        tls.crt: "{{ .mysecret | pkcs12cert | pemCertificate }}"
        tls.key: "{{ .mysecret | pkcs12key | pemPrivateKey }}"
  data:
  # this is a pkcs12 archive that contains
  # a cert and a private key
  - secretKey: mysecret
    remoteRef:
      key: example
```
TemplateFrom
You do not have to define your templates inline in an ExternalSecret; you can instead pull them from ConfigMaps or other Secrets that contain a template. Consider the following example:
```yaml
# define your template in a config map
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config-tpl
data:
  config.yaml: |
    datasources:
      - name: Graphite
        type: graphite
        access: proxy
        url: http://localhost:8080
        password: "{{ .password | toString }}" # <-- convert []byte to string
        user: "{{ .user | toString }}"         # <-- convert []byte to string
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-template-example
spec:
  # ...
  target:
    name: secret-to-be-created
    template:
      templateFrom:
      - configMap:
          # name of the configmap to pull in
          name: grafana-config-tpl
          # here you define the keys that should be used as template
          items:
          - key: config.yaml
  data:
  - secretKey: user
    remoteRef:
      key: /grafana/user
  - secretKey: password
    remoteRef:
      key: /grafana/password
```
Helper functions
We provide a number of convenience functions that help you transform your secrets. A secret value is always a []byte, so most pipelines start with a conversion such as toString.

| Function | Description | Input | Output |
|---|---|---|---|
| pkcs12key | extracts the private key from a PKCS #12 archive | []byte | []byte |
| pkcs12keyPass | extracts the private key from a PKCS #12 archive using the provided password | password string, data []byte | []byte |
| pkcs12cert | extracts the certificate from a PKCS #12 archive | []byte | []byte |
| pkcs12certPass | extracts the certificate from a PKCS #12 archive using the provided password | password string, data []byte | []byte |
| pemPrivateKey | PEM encodes the provided bytes as a private key | []byte | string |
| pemCertificate | PEM encodes the provided bytes as a certificate | []byte | string |
| jwkPublicKeyPem | takes a JSON-serialized JWK as []byte and returns a PEM block of type PUBLIC KEY that contains the public key (see here for details) | []byte | string |
| jwkPrivateKeyPem | takes a JSON-serialized JWK as []byte and returns a PEM block of type PRIVATE KEY that contains the private key in PKCS #8 format (see here for details) | []byte | string |
| base64decode | decodes the provided bytes as base64 | []byte | []byte |
| base64encode | encodes the provided bytes as base64 | []byte | []byte |
| fromJSON | parses the bytes as JSON so you can access individual properties | []byte | interface{} |
| toJSON | encodes the provided object as a JSON string | interface{} | string |
| toString | converts bytes to a string | []byte | string |
| toBytes | converts a string to bytes | string | []byte |
| upper | converts all characters to upper case | string | string |
| lower | converts all characters to lower case | string | string |
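The following added Go example (not the operator's code) shows what the PEM and JWK helpers in the table produce and how the `pkcs12cert | pemCertificate` chain from the earlier example fits together. Parsing a PKCS #12 archive needs a library outside the Go standard library, so `pkcs12key` and `pkcs12cert` are not re-implemented; a freshly generated self-signed key and certificate stand in for the DER bytes they would return. `jwkPublicKeyPem` here handles EC keys only, and the JWK it consumes is constructed from that same key so the round trip can be checked offline; all function bodies are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pemPrivateKey wraps DER-encoded private key bytes (PKCS #8 here) in a PRIVATE KEY block.
func pemPrivateKey(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

// pemCertificate wraps a DER-encoded X.509 certificate in a CERTIFICATE block.
func pemCertificate(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// ecJWK is the subset of RFC 7517/7518 fields needed for an EC public key.
type ecJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var curves = map[string]elliptic.Curve{
	"P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521(),
}

// jwkPublicKeyPem parses a JSON-serialized EC JWK and returns a PEM block of
// type PUBLIC KEY holding the PKIX (SubjectPublicKeyInfo) encoding.
// Assumed re-implementation; the operator's helper also covers other key types.
func jwkPublicKeyPem(raw []byte) (string, error) {
	var j ecJWK
	if err := json.Unmarshal(raw, &j); err != nil {
		return "", err
	}
	curve, ok := curves[j.Crv]
	if j.Kty != "EC" || !ok {
		return "", fmt.Errorf("unsupported JWK: kty=%q crv=%q", j.Kty, j.Crv)
	}
	x, err := base64.RawURLEncoding.DecodeString(j.X)
	if err != nil {
		return "", err
	}
	y, err := base64.RawURLEncoding.DecodeString(j.Y)
	if err != nil {
		return "", err
	}
	pub := &ecdsa.PublicKey{Curve: curve, X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	// MarshalPKIXPublicKey rejects points that are not on the curve, so a
	// malformed JWK fails here instead of yielding a valid-looking PEM.
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// jwkFromECDSA builds a constructed sample JWK of the kind a provider might
// store, so the conversion can be verified without network access.
func jwkFromECDSA(pub *ecdsa.PublicKey) []byte {
	size := (pub.Curve.Params().BitSize + 7) / 8
	enc := func(i *big.Int) string {
		return base64.RawURLEncoding.EncodeToString(i.FillBytes(make([]byte, size)))
	}
	b, _ := json.Marshal(ecJWK{Kty: "EC", Crv: pub.Curve.Params().Name, X: enc(pub.X), Y: enc(pub.Y)})
	return b
}

// selfSignedMaterial generates a throwaway key and certificate, standing in
// for the DER that pkcs12key / pkcs12cert would extract from a real archive.
func selfSignedMaterial() (keyDER, certDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if keyDER, err = x509.MarshalPKCS8PrivateKey(key); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return keyDER, certDER, err
}

func main() {
	keyDER, certDER, err := selfSignedMaterial()
	if err != nil {
		panic(err)
	}
	fmt.Print(pemPrivateKey(keyDER), pemCertificate(certDER))
	key, _ := x509.ParsePKCS8PrivateKey(keyDER)
	pemPub, err := jwkPublicKeyPem(jwkFromECDSA(&key.(*ecdsa.PrivateKey).PublicKey))
	if err != nil {
		panic(err)
	}
	fmt.Print(pemPub)
}
```

The PEM helpers only add the BEGIN/END framing and base64 body; they do not validate the DER they wrap, which is why the page's template pipes the output of `pkcs12key` or `pkcs12cert` into them rather than the raw archive bytes.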