Controller Classes
NOTE: this feature is experimental and not highly tested
Controller classes are a property set at deployment time that allows multiple controllers to run side by side, each handling its own group of workloads. They work by separating which SecretStores are attributed to which controller. When running a single controller, no extra configuration is needed.
Setting up Controller Class
To deploy the controller with a specific class, install the Helm chart with the controller class specified, and create a SecretStore with the matching spec.controller value:

    helm install custom-external-secrets external-secrets/external-secrets --set controllerClass=custom

    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: controller-custom-example
    spec:
      # define the controller label to the matching value of the deployment
      controller: custom
      # configure provider the same way
      provider:
        vault:
          server: "http://vault.default:8200"
          path: "secret"
          version: "v2"
          auth:
            kubernetes:
              mountPath: "kubernetes"
              role: "demo-role"

Now, any ExternalSecret bound to this SecretStore will be evaluated by the operator with the controllerClass custom.
Note: Any SecretStore without spec.controller set will be considered valid by any operator, regardless of that operator's controllerClass.
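
The following audit sketch is an added example, not part of the External Secrets project: it applies the two rules above to a SecretStore listing and reports which stores are pinned to one class, which are shared by every operator because spec.controller is unset, and which name a class that no deployment carries. The sample listing, the second class name "platform" and the status labels are constructed for illustration; treating a non-matching class as evaluated by no operator is an inference from the matching rule.

```python
import json

# Constructed sample in the shape of `kubectl get secretstores -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "team-a", "name": "controller-custom-example"},
     "spec": {"controller": "custom", "provider": {"vault": {}}}},
    {"metadata": {"namespace": "team-b", "name": "legacy-store"},
     "spec": {"provider": {"vault": {}}}},            # spec.controller unset
    {"metadata": {"namespace": "team-c", "name": "typo-store"},
     "spec": {"controller": "custm", "provider": {"vault": {}}}},  # no such class
]})


def audit_stores(store_list_json, deployed_classes):
    """Return (namespace/name, status, evaluating classes) for each SecretStore."""
    deployed = sorted(set(deployed_classes))
    report = []
    for item in json.loads(store_list_json).get("items", []):
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        cls = (item.get("spec") or {}).get("controller") or ""
        if not cls:
            # Unset: considered valid by any operator, whatever its class.
            report.append((ident, "shared", deployed))
        elif cls in deployed:
            # Set and matching: evaluated only by the operator with that class.
            report.append((ident, "pinned", [cls]))
        else:
            # Set but matching no deployed class (assumed: nobody evaluates it).
            report.append((ident, "orphaned", []))
    return report


def unpinned(report):
    """Stores that are not isolated to exactly one controller class."""
    return [ident for ident, status, _ in report if status != "pinned"]


if __name__ == "__main__":
    # "platform" is a hypothetical second controllerClass.
    for ident, status, classes in audit_stores(SAMPLE, ["custom", "platform"]):
        print(f"{status:9} {ident:36} evaluated by: {', '.join(classes) or '-'}")
```
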