The external-secrets binary includes three components: core controller, certcontroller and webook.
Core Controller Flags
The core controller is invoked without a subcommand and can be configured with the following flags:
Name
Type
Default
Descripton
--client-burst
int
uses rest client default (10)
Maximum Burst allowed to be passed to rest.Client
--client-qps
float32
uses rest client default (5)
QPS configuration to be passed to rest.Client
--concurrent
int
1
The number of concurrent ExternalSecret reconciles.
--controller-class
string
default
The controller is instantiated with a specific controller name and filters ES based on this property
--enable-cluster-external-secret-reconciler
boolean
true
Enables the cluster external secret reconciler.
--enable-cluster-store-reconciler
boolean
true
Enables the cluster store reconciler.
--enable-secrets-caching
boolean
false
Enables the secrets caching for external-secrets pod.
--enable-configmaps-caching
boolean
false
Enables the ConfigMap caching for external-secrets pod.
--enable-flood-gate
boolean
true
Enable flood gate. External secret will be reconciled only if the ClusterStore or Store have an healthy or unknown state.
--enable-leader-election
boolean
false
Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
--experimental-enable-aws-session-cache
boolean
false
Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request.
--help
help for external-secrets
--loglevel
string
info
loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal
--metrics-addr
string
:8080
The address the metric endpoint binds to.
--namespace
string
-
watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces
--store-requeue-interval
duration
5m0s
Default Time duration between reconciling (Cluster)SecretStores
Cert Controller Flags
Name
Type
Default
Descripton
--crd-requeue-interval
duration
5m0s
Time duration between reconciling CRDs for new certs
--enable-leader-election
boolean
false
Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
--healthz-addr
string
:8081
The address the health endpoint binds to.
--help
help for certcontroller
--loglevel
string
info
loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal
--metrics-addr
string
:8080
The address the metric endpoint binds to.
--secret-name
string
external-secrets-webhook
Secret to store certs for webhook
--secret-namespace
string
default
namespace of the secret to store certs
--service-name
string
external-secrets-webhook
Webhook service name
--service-namespace
string
default
Webhook service namespace
Webhook Flags
Name
Type
Default
Descripton
--cert-dir
string
/tmp/k8s-webhook-server/serving-certs
path to check for certs
--check-interval
duration
5m0s
certificate check interval
--dns-name
string
localhost
DNS name to validate certificates with
--healthz-addr
string
:8081
The address the health endpoint binds to.
--help
help for webhook
--loglevel
string
info
loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal
--lookahead-interval
duration
2160h0m0s (90d)
certificate check interval
--metrics-addr
string
:8080
The address the metric endpoint binds to.
--port
number
10250
Port number that the webhook server will serve.
--tls-ciphers
string
comma separated list of tls ciphers allowed. This does not apply to TLS 1.3 as the ciphers are selected automatically. The order of this list does not give preference to the ciphers, the ordering is done automatically. Full lists of available ciphers can be found at https://pkg.go.dev/crypto/tls#pkg-constants. E.g. 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'