Controller Classes

NOTE: this feature is experimental and has not been thoroughly tested.

Controller classes are a property set at deployment time that allows multiple controllers to work within the same group of workloads. It works by partitioning SecretStores among the controllers: each SecretStore is attributed to one controller class. A single-controller deployment needs no extra configuration.

Setting up Controller Class

To deploy the controller with a specific class, install the Helm chart with the controller class set, then create a SecretStore with the matching spec.controller value:

helm install custom-external-secrets external-secrets/external-secrets --set controllerClass=custom

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: controller-custom-example
spec:
  # Set the controller class to the value used in the deployment
  controller: custom
  # Configure the provider the same way as for any other SecretStore
  provider:
    vault:
      server: "http://vault.default:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "demo-role"

Now, any ExternalSecret bound to this secret store will be evaluated by the operator with the controllerClass custom.

Note: Any SecretStore without spec.controller set will be considered as valid by any operator, regardless of their respective controllerClasses.
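The note above means a store with no spec.controller is picked up by every operator in the cluster, and a store whose value matches no deployed class is picked up by none. The following audit is an added example, not code from the External Secrets project: it applies the matching rule as this page states it to the JSON produced by `kubectl get secretstores -A -o json`. The sample input, the namespaces, the store names other than controller-custom-example, and the second class name "platform" are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get secretstores -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "SecretStore",
  "metadata": {"namespace": "team-a", "name": "controller-custom-example"},
  "spec": {"controller": "custom"}},
 {"kind": "SecretStore",
  "metadata": {"namespace": "team-b", "name": "shared-store"},
  "spec": {}},
 {"kind": "SecretStore",
  "metadata": {"namespace": "team-c", "name": "typo-store"},
  "spec": {"controller": "custmo"}}
]}
""")


def claimed_by(store, operator_class):
    """Matching rule as the page states it: an unset spec.controller is valid
    for every operator; otherwise the value must equal the operator's class."""
    wanted = (store.get("spec") or {}).get("controller") or ""
    return wanted == "" or wanted == operator_class


def audit(store_list, deployed_classes):
    """Return {namespace/name: finding} for stores that break the separation."""
    findings = {}
    for store in store_list.get("items", []):
        meta = store.get("metadata", {})
        key = f'{meta.get("namespace", "")}/{meta.get("name", "")}'
        owners = sorted(c for c in deployed_classes if claimed_by(store, c))
        wanted = (store.get("spec") or {}).get("controller") or ""
        if wanted == "":
            # Every deployed operator will reconcile this store.
            findings[key] = "unscoped: reconciled by " + ", ".join(owners)
        elif not owners:
            # The value names a class that no deployed operator runs with.
            findings[key] = f"orphaned: no operator runs with class {wanted!r}"
    return findings


if __name__ == "__main__":
    # deployed_classes: the controllerClass values of the installed releases.
    for name, finding in audit(SAMPLE, {"custom", "platform"}).items():
        print(f"{name}: {finding}")
```

To run it against a live cluster, replace SAMPLE with the parsed kubectl output and pass the controllerClass values actually set on your Helm releases.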