
external-secrets values.yaml📜

openshift📜

Type: bool

Default value
false

global.nodeSelector📜

Type: object

Default value
{}

global.tolerations📜

Type: list

Default value
[]

global.topologySpreadConstraints📜

Type: list

Default value
[]

global.affinity📜

Type: object

Default value
{}

global.compatibility.openshift.adaptSecurityContext📜

Type: string

Default value
"auto"

Description: Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - apply the configurations if OpenShift is detected as the target platform; force - always apply the configurations; disabled - apply no modifications.

replicaCount📜

Type: int

Default value
1

bitwarden-sdk-server.enabled📜

Type: bool

Default value
false

revisionHistoryLimit📜

Type: int

Default value
10

Description: Specifies the number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)

image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"

image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

image.tag📜

Type: string

Default value
"v0.9.20"

Description: The image tag to use. The default is the chart appVersion.

image.flavour📜

Type: string

Default value
""

Description: The flavour of tag you want to use. There are different image flavours available, like distroless and ubi. Please see the GitHub release notes for the image tags of these flavours. By default, the distroless image is used.

installCRDs📜

Type: bool

Default value
false

Description: If set, install and upgrade CRDs through helm chart.

crds.createClusterExternalSecret📜

Type: bool

Default value
true

Description: If true, create CRDs for Cluster External Secret.

crds.createClusterSecretStore📜

Type: bool

Default value
true

Description: If true, create CRDs for Cluster Secret Store.

crds.createPushSecret📜

Type: bool

Default value
true

Description: If true, create CRDs for Push Secret.

crds.annotations📜

Type: object

Default value
{}

crds.conversion.enabled📜

Type: bool

Default value
true

imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

nameOverride📜

Type: string

Default value
""

fullnameOverride📜

Type: string

Default value
""

namespaceOverride📜

Type: string

Default value
""

commonLabels📜

Type: object

Default value
{}

Description: Additional labels added to all helm chart resources.

leaderElect📜

Type: bool

Default value
false

Description: If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time.

controllerClass📜

Type: string

Default value
""

Description: If set, external-secrets will filter matching Secret Stores with the appropriate controller values.

extendedMetricLabels📜

Type: bool

Default value
false

Description: If true, external-secrets will use the recommended Kubernetes annotations as Prometheus metric labels.

scopedNamespace📜

Type: string

Default value
""

Description: If set, external secrets are only reconciled in the provided namespace.

scopedRBAC📜

Type: bool

Default value
false

Description: Must be used with scopedNamespace. If true, creates scoped RBAC roles under the scoped namespace and implicitly disables cluster stores and cluster external secrets.

processClusterExternalSecret📜

Type: bool

Default value
true

Description: If true, the operator will process cluster external secrets. Otherwise, it will ignore them.

processClusterStore📜

Type: bool

Default value
true

Description: If true, the operator will process cluster stores. Otherwise, it will ignore them.

processPushSecret📜

Type: bool

Default value
true

Description: If true, the operator will process push secrets. Otherwise, it will ignore them.

createOperator📜

Type: bool

Default value
true

Description: Specifies whether an external secret operator deployment should be created.

concurrent📜

Type: int

Default value
1

Description: Specifies the number of concurrent ExternalSecret reconciles that external-secrets executes at a time.

log📜

Type: object

Default value
level: info
timeEncoding: epoch

Description: Specifies Log Params to the Webhook

service.ipFamilyPolicy📜

Type: string

Default value
""

Description: Sets the IP family policy used to configure dual-stack; see "Configure dual-stack".

service.ipFamilies📜

Type: list

Default value
[]

Description: Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.

serviceAccount.create📜

Type: bool

Default value
true

Description: Specifies whether a service account should be created.

serviceAccount.automount📜

Type: bool

Default value
true

Description: Automounts the service account token in all containers of the pod

serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations to add to the service account.

serviceAccount.extraLabels📜

Type: object

Default value
{}

Description: Extra Labels to add to the service account.

serviceAccount.name📜

Type: string

Default value
""

Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

rbac.create📜

Type: bool

Default value
true

Description: Specifies whether role and rolebinding resources should be created.

rbac.servicebindings.create📜

Type: bool

Default value
true

Description: Specifies whether a clusterrole to give servicebindings read access should be created.

extraEnv📜

Type: list

Default value
[]

extraArgs📜

Type: object

Default value
{}

extraVolumes📜

Type: list

Default value
[]

extraObjects📜

Type: list

Default value
[]

extraVolumeMounts📜

Type: list

Default value
[]

extraContainers📜

Type: list

Default value
[]

deploymentAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Deployment

podAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Pod

podLabels📜

Type: object

Default value
{}

podSecurityContext.enabled📜

Type: bool

Default value
true

securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

securityContext.enabled📜

Type: bool

Default value
true

securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

securityContext.runAsNonRoot📜

Type: bool

Default value
true

securityContext.runAsUser📜

Type: int

Default value
1000

securityContext.runAsGroup📜

Type: int

Default value
1000

securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

resources.requests.memory📜

Type: string

Default value
"256Mi"

resources.requests.cpu📜

Type: string

Default value
"100m"

resources.limits.cpu📜

Type: string

Default value
"100m"

resources.limits.memory📜

Type: string

Default value
"256Mi"

serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics

serviceMonitor.namespace📜

Type: string

Default value
""

Description: namespace where you want to install ServiceMonitors

serviceMonitor.additionalLabels📜

Type: object

Default value
{}

Description: Additional labels

serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in the given time interval

serviceMonitor.honorLabels📜

Type: bool

Default value
false

Description: Let prometheus add an exported_ prefix to conflicting labels

serviceMonitor.metricRelabelings📜

Type: list

Default value
[]

Description: Metric relabel configs to apply to samples before ingestion. See "Metric Relabeling".

serviceMonitor.relabelings📜

Type: list

Default value
[]

Description: Relabel configs to apply to samples before ingestion. See "Relabeling".

metrics.listen.port📜

Type: int

Default value
8080

metrics.service.enabled📜

Type: bool

Default value
false

Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics

metrics.service.port📜

Type: int

Default value
8080

Description: Metrics service port to scrape

metrics.service.annotations📜

Type: object

Default value
{}

Description: Additional service annotations

nodeSelector📜

Type: object

Default value
{}

tolerations📜

Type: list

Default value
[]

topologySpreadConstraints📜

Type: list

Default value
[]

affinity📜

Type: object

Default value
{}

priorityClassName📜

Type: string

Default value
""

Description: Pod priority class name.

podDisruptionBudget📜

Type: object

Default value
enabled: false
minAvailable: 1

Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

hostNetwork📜

Type: bool

Default value
false

Description: Run the controller on the host network

webhook.create📜

Type: bool

Default value
true

Description: Specifies whether a webhook deployment should be created.

webhook.certCheckInterval📜

Type: string

Default value
"5m"

Description: Specifies the interval at which to check whether the cert is valid

webhook.lookaheadInterval📜

Type: string

Default value
""

Description: Specifies the lookaheadInterval for certificate validity

webhook.replicaCount📜

Type: int

Default value
1

webhook.log📜

Type: object

Default value
level: info
timeEncoding: epoch

Description: Specifies Log Params to the Webhook

webhook.revisionHistoryLimit📜

Type: int

Default value
10

Description: Specifies the number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)

webhook.certDir📜

Type: string

Default value
"/tmp/certs"

webhook.failurePolicy📜

Type: string

Default value
"Fail"

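Description: Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore. With Fail, a request is rejected when the webhook cannot be reached; with Ignore, it is admitted without validation.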

webhook.hostNetwork📜

Type: bool

Default value
false

Description: Specifies if webhook pod should use hostNetwork or not.

webhook.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"

webhook.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

webhook.image.tag📜

Type: string

Default value
"v0.9.20"

Description: The image tag to use. The default is the chart appVersion.

webhook.image.flavour📜

Type: string

Default value
""

Description: The flavour of tag you want to use

webhook.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

webhook.nameOverride📜

Type: string

Default value
""

webhook.fullnameOverride📜

Type: string

Default value
""

webhook.port📜

Type: int

Default value
10250

Description: The port the webhook will listen to

webhook.rbac.create📜

Type: bool

Default value
true

Description: Specifies whether role and rolebinding resources should be created.

webhook.serviceAccount.create📜

Type: bool

Default value
true

Description: Specifies whether a service account should be created.

webhook.serviceAccount.automount📜

Type: bool

Default value
true

Description: Automounts the service account token in all containers of the pod

webhook.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations to add to the service account.

webhook.serviceAccount.extraLabels📜

Type: object

Default value
{}

Description: Extra Labels to add to the service account.

webhook.serviceAccount.name📜

Type: string

Default value
""

Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

webhook.nodeSelector📜

Type: object

Default value
{}

webhook.certManager.enabled📜

Type: bool

Default value
false

Description: Enabling cert-manager support will disable the built-in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you. See https://cert-manager.io/docs/

webhook.certManager.addInjectorAnnotations📜

Type: bool

Default value
true

Description: Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically set your webhook’s CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector

webhook.certManager.cert.create📜

Type: bool

Default value
true

Description: Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/

webhook.certManager.cert.issuerRef📜

Type: object

Default value
group: cert-manager.io
kind: Issuer
name: my-issuer

Description: Sets up the issuer for the Certificate created by this chart. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec

webhook.certManager.cert.duration📜

Type: string

Default value
"8760h"

Description: Set the requested duration (i.e. lifetime) of the Certificate; one year by default. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec

webhook.certManager.cert.renewBefore📜

Type: string

Default value
""

Description: How long before the currently issued certificate’s expiry cert-manager should renew the certificate (see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec). Note that renewBefore should be greater than .webhook.lookaheadInterval, since the webhook checks that far in advance that the certificate is valid.

webhook.certManager.cert.annotations📜

Type: object

Default value
{}

Description: Add extra annotations to the Certificate resource.

webhook.tolerations📜

Type: list

Default value
[]

webhook.topologySpreadConstraints📜

Type: list

Default value
[]

webhook.affinity📜

Type: object

Default value
{}

webhook.priorityClassName📜

Type: string

Default value
""

Description: Pod priority class name.

webhook.podDisruptionBudget📜

Type: object

Default value
enabled: false
minAvailable: 1

Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

webhook.metrics.listen.port📜

Type: int

Default value
8080

webhook.metrics.service.enabled📜

Type: bool

Default value
false

Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics

webhook.metrics.service.port📜

Type: int

Default value
8080

Description: Metrics service port to scrape

webhook.metrics.service.annotations📜

Type: object

Default value
{}

Description: Additional service annotations

webhook.readinessProbe.address📜

Type: string

Default value
""

Description: Address for readiness probe

webhook.readinessProbe.port📜

Type: int

Default value
8081

Description: ReadinessProbe port for kubelet

webhook.extraEnv📜

Type: list

Default value
[]

webhook.extraArgs📜

Type: object

Default value
{}

webhook.extraVolumes📜

Type: list

Default value
[]

webhook.extraVolumeMounts📜

Type: list

Default value
[]

webhook.secretAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Secret

webhook.deploymentAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Deployment

webhook.podAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Pod

webhook.podLabels."external-secrets.io/component"📜

Type: string

Default value
"webhook"

webhook.podSecurityContext.enabled📜

Type: bool

Default value
true

webhook.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

webhook.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

webhook.securityContext.enabled📜

Type: bool

Default value
true

webhook.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

webhook.securityContext.runAsNonRoot📜

Type: bool

Default value
true

webhook.securityContext.runAsUser📜

Type: int

Default value
1000

webhook.securityContext.runAsGroup📜

Type: int

Default value
1000

webhook.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

webhook.resources.requests.memory📜

Type: string

Default value
"256Mi"

webhook.resources.requests.cpu📜

Type: string

Default value
"100m"

webhook.resources.limits.cpu📜

Type: string

Default value
"100m"

webhook.resources.limits.memory📜

Type: string

Default value
"256Mi"

certController.create📜

Type: bool

Default value
true

Description: Specifies whether a certificate controller deployment should be created.

certController.requeueInterval📜

Type: string

Default value
"5m"

certController.replicaCount📜

Type: int

Default value
1

certController.log📜

Type: object

Default value
level: info
timeEncoding: epoch

Description: Specifies Log Params to the Webhook

certController.revisionHistoryLimit📜

Type: int

Default value
10

Description: Specifies the number of historic ReplicaSets Kubernetes should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)

certController.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"

certController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

certController.image.tag📜

Type: string

Default value
"v0.9.20"

certController.image.flavour📜

Type: string

Default value
""

certController.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

certController.nameOverride📜

Type: string

Default value
""

certController.fullnameOverride📜

Type: string

Default value
""

certController.rbac.create📜

Type: bool

Default value
true

Description: Specifies whether role and rolebinding resources should be created.

certController.serviceAccount.create📜

Type: bool

Default value
true

Description: Specifies whether a service account should be created.

certController.serviceAccount.automount📜

Type: bool

Default value
true

Description: Automounts the service account token in all containers of the pod

certController.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations to add to the service account.

certController.serviceAccount.extraLabels📜

Type: object

Default value
{}

Description: Extra Labels to add to the service account.

certController.serviceAccount.name📜

Type: string

Default value
""

Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

certController.nodeSelector📜

Type: object

Default value
{}

certController.tolerations📜

Type: list

Default value
[]

certController.topologySpreadConstraints📜

Type: list

Default value
[]

certController.affinity📜

Type: object

Default value
{}

certController.hostNetwork📜

Type: bool

Default value
false

Description: Run the certController on the host network

certController.priorityClassName📜

Type: string

Default value
""

Description: Pod priority class name.

certController.podDisruptionBudget📜

Type: object

Default value
enabled: false
minAvailable: 1

Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

certController.metrics.listen.port📜

Type: int

Default value
8080

certController.metrics.service.enabled📜

Type: bool

Default value
false

Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics

certController.metrics.service.port📜

Type: int

Default value
8080

Description: Metrics service port to scrape

certController.metrics.service.annotations📜

Type: object

Default value
{}

Description: Additional service annotations

certController.readinessProbe.address📜

Type: string

Default value
""

Description: Address for readiness probe

certController.readinessProbe.port📜

Type: int

Default value
8081

Description: ReadinessProbe port for kubelet

certController.extraEnv📜

Type: list

Default value
[]

certController.extraArgs📜

Type: object

Default value
{}

certController.extraVolumes📜

Type: list

Default value
[]

certController.extraVolumeMounts📜

Type: list

Default value
[]

certController.deploymentAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Deployment

certController.podAnnotations📜

Type: object

Default value
{}

Description: Annotations to add to Pod

certController.podLabels📜

Type: object

Default value
{}

certController.podSecurityContext.enabled📜

Type: bool

Default value
true

certController.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

certController.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

certController.securityContext.enabled📜

Type: bool

Default value
true

certController.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

certController.securityContext.runAsNonRoot📜

Type: bool

Default value
true

certController.securityContext.runAsUser📜

Type: int

Default value
1000

certController.securityContext.runAsGroup📜

Type: int

Default value
1000

certController.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

certController.resources.requests.memory📜

Type: string

Default value
"256Mi"

certController.resources.requests.cpu📜

Type: string

Default value
"100m"

certController.resources.limits.cpu📜

Type: string

Default value
"100m"

certController.resources.limits.memory📜

Type: string

Default value
"256Mi"

dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: Specifies the dnsPolicy for the deployment

dnsConfig📜

Type: object

Default value
{}

Description: Specifies the dnsOptions for the deployment

podSpecExtra📜

Type: object

Default value
{}

Description: Any extra pod spec on the deployment

domain📜

Type: string

Default value
"bigbang.dev"

istio.enabled📜

Type: bool

Default value
false

istio.hardened.enabled📜

Type: bool

Default value
false

istio.hardened.outboundTrafficPolicyMode📜

Type: string

Default value
"REGISTRY_ONLY"

istio.hardened.customServiceEntries📜

Type: list

Default value
[]

istio.hardened.customAuthorizationPolicies📜

Type: list

Default value
[]

istio.mtls.mode📜

Type: string

Default value
"STRICT"

Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic

istio.injection📜

Type: string

Default value
"disabled"

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.ingressLabels.app📜

Type: string

Default value
"istio-ingressgateway"

networkPolicies.ingressLabels.istio📜

Type: string

Default value
"ingressgateway"

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

networkPolicies.ingress[0].from[0].namespaceSelector📜

Type: object

Default value
{}

networkPolicies.ingress[0].ports[0].port📜

Type: int

Default value
10250

networkPolicies.ingress[0].ports[0].protocol📜

Type: string

Default value
"TCP"

networkPolicies.ingress[0].ports[1].port📜

Type: int

Default value
10250

networkPolicies.ingress[0].ports[1].protocol📜

Type: string

Default value
"TCP"

bbtests.enabled📜

Type: bool

Default value
false

bbtests.namespace📜

Type: string

Default value
"external-secrets"

bbtests.secretstore.name📜

Type: string

Default value
"external-secrets-test-store"

bbtests.serviceaccount.name📜

Type: string

Default value
"external-secrets-test"

bbtests.rolebinding.name📜

Type: string

Default value
"external-secrets-test-read-secrets"

bbtests.role.name📜

Type: string

Default value
"external-secrets-reader"

bbtests.role.rules[0].apiGroups[0]📜

Type: string

Default value
""

bbtests.role.rules[0].resources[0]📜

Type: string

Default value
"secrets"

bbtests.role.rules[0].verbs[0]📜

Type: string

Default value
"get"

bbtests.role.rules[0].verbs[1]📜

Type: string

Default value
"watch"

bbtests.role.rules[0].verbs[2]📜

Type: string

Default value
"list"

bbtests.role.rules[1].apiGroups[0]📜

Type: string

Default value
""

bbtests.role.rules[1].resources[0]📜

Type: string

Default value
"SelfSubjectRulesReview"

bbtests.role.rules[1].verbs[0]📜

Type: string

Default value
"create"

bbtests.secrets.testsecret.value📜

Type: string

Default value
"this is a magic value"