external-secrets values.yaml
openshiftπ
Type: bool
false
global.nodeSelectorπ
Type: object
{}
global.tolerationsπ
Type: list
[]
global.topologySpreadConstraintsπ
Type: list
[]
global.affinityπ
Type: object
{}
global.compatibility.openshift.adaptSecurityContextπ
Type: string
"auto"
Description: Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied.
replicaCountπ
Type: int
1
bitwarden-sdk-server.enabledπ
Type: bool
false
revisionHistoryLimitπ
Type: int
10
Description: Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
image.pullPolicyπ
Type: string
"IfNotPresent"
image.tagπ
Type: string
"v0.10.2"
Description: The image tag to use. The default is the chart appVersion.
image.flavourπ
Type: string
""
Description: The flavour of tag you want to use. There are different image flavours available, like distroless and ubi. Please see the GitHub release notes for the image tags of these flavours. By default, the distroless image is used.
installCRDsπ
Type: bool
false
Description: If set, install and upgrade CRDs through helm chart.
crds.createClusterExternalSecretπ
Type: bool
true
Description: If true, create CRDs for Cluster External Secret.
crds.createClusterSecretStoreπ
Type: bool
true
Description: If true, create CRDs for Cluster Secret Store.
crds.createPushSecretπ
Type: bool
true
Description: If true, create CRDs for Push Secret.
crds.annotationsπ
Type: object
{}
crds.conversion.enabledπ
Type: bool
true
imagePullSecrets[0].nameπ
Type: string
"private-registry"
nameOverrideπ
Type: string
""
fullnameOverrideπ
Type: string
""
namespaceOverrideπ
Type: string
""
commonLabelsπ
Type: object
{}
Description: Additional labels added to all helm chart resources.
leaderElectπ
Type: bool
false
Description: If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time.
controllerClassπ
Type: string
""
Description: If set external secrets will filter matching Secret Stores with the appropriate controller values.
extendedMetricLabelsπ
Type: bool
false
Description: If true external secrets will use recommended kubernetes annotations as prometheus metric labels.
scopedNamespaceπ
Type: string
""
Description: If set external secrets are only reconciled in the provided namespace
scopedRBACπ
Type: bool
false
Description: Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets
processClusterExternalSecretπ
Type: bool
true
Description: if true, the operator will process cluster external secret. Else, it will ignore them.
processClusterStoreπ
Type: bool
true
Description: if true, the operator will process cluster store. Else, it will ignore them.
processPushSecretπ
Type: bool
true
Description: if true, the operator will process push secret. Else, it will ignore them.
createOperatorπ
Type: bool
true
Description: Specifies whether an external secret operator deployment should be created.
concurrentπ
Type: int
1
Description: Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time.
logπ
Type: object
level: info
timeEncoding: epoch
Description: Specifies Log Params to the Webhook
service.ipFamilyPolicyπ
Type: string
""
Description: Set the IP family policy to configure dual-stack; see "Configure dual-stack".
service.ipFamiliesπ
Type: list
[]
Description: Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
serviceAccount.createπ
Type: bool
true
Description: Specifies whether a service account should be created.
serviceAccount.automountπ
Type: bool
true
Description: Automounts the service account token in all containers of the pod
serviceAccount.annotationsπ
Type: object
{}
Description: Annotations to add to the service account.
serviceAccount.extraLabelsπ
Type: object
{}
Description: Extra Labels to add to the service account.
serviceAccount.nameπ
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
rbac.createπ
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
rbac.servicebindings.createπ
Type: bool
true
Description: Specifies whether a clusterrole to give servicebindings read access should be created.
extraEnvπ
Type: list
[]
extraArgsπ
Type: object
{}
extraVolumesπ
Type: list
[]
extraObjectsπ
Type: list
[]
extraVolumeMountsπ
Type: list
[]
extraContainersπ
Type: list
[]
deploymentAnnotationsπ
Type: object
{}
Description: Annotations to add to Deployment
podAnnotationsπ
Type: object
{}
Description: Annotations to add to Pod
podLabelsπ
Type: object
{}
podSecurityContext.enabledπ
Type: bool
true
securityContext.allowPrivilegeEscalationπ
Type: bool
false
securityContext.capabilities.drop[0]π
Type: string
"ALL"
securityContext.enabledπ
Type: bool
true
securityContext.readOnlyRootFilesystemπ
Type: bool
true
securityContext.runAsNonRootπ
Type: bool
true
securityContext.runAsUserπ
Type: int
1000
securityContext.runAsGroupπ
Type: int
1000
securityContext.seccompProfile.typeπ
Type: string
"RuntimeDefault"
resources.requests.memoryπ
Type: string
"256Mi"
resources.requests.cpuπ
Type: string
"100m"
resources.limits.cpuπ
Type: string
"100m"
resources.limits.memoryπ
Type: string
"256Mi"
serviceMonitor.enabledπ
Type: bool
false
Description: Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
serviceMonitor.namespaceπ
Type: string
""
Description: namespace where you want to install ServiceMonitors
serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in given time interval
serviceMonitor.honorLabelsπ
Type: bool
false
Description: Let prometheus add an exported_ prefix to conflicting labels
serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: Metric relabel configs to apply to samples before ingestion. See "Metric Relabeling".
serviceMonitor.relabelingsπ
Type: list
[]
Description: Relabel configs to apply to samples before ingestion. See "Relabeling".
metrics.listen.portπ
Type: int
8080
metrics.service.enabledπ
Type: bool
false
Description: Enable if you use another monitoring tool than Prometheus to scrape the metrics
metrics.service.portπ
Type: int
8080
Description: Metrics service port to scrape
metrics.service.annotationsπ
Type: object
{}
Description: Additional service annotations
nodeSelectorπ
Type: object
{}
tolerationsπ
Type: list
[]
topologySpreadConstraintsπ
Type: list
[]
affinityπ
Type: object
{}
priorityClassNameπ
Type: string
""
Description: Pod priority class name.
podDisruptionBudgetπ
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
hostNetworkπ
Type: bool
false
Description: Run the controller on the host network
webhook.createπ
Type: bool
true
Description: Specifies whether a webhook deployment should be created.
webhook.certCheckIntervalπ
Type: string
"5m"
Description: Specifies the time to check if the cert is valid
webhook.lookaheadIntervalπ
Type: string
""
Description: Specifies the lookaheadInterval for certificate validity
webhook.replicaCountπ
Type: int
1
webhook.logπ
Type: object
level: info
timeEncoding: epoch
Description: Specifies Log Params to the Webhook
webhook.revisionHistoryLimitπ
Type: int
10
Description: Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
webhook.certDirπ
Type: string
"/tmp/certs"
webhook.failurePolicyπ
Type: string
"Fail"
Description: Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore. With Ignore, a request is admitted without validation whenever the webhook cannot be reached.
webhook.hostNetworkπ
Type: bool
false
Description: Specifies if webhook pod should use hostNetwork or not.
webhook.image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
webhook.image.pullPolicyπ
Type: string
"IfNotPresent"
webhook.image.tagπ
Type: string
"v0.10.2"
Description: The image tag to use. The default is the chart appVersion.
webhook.image.flavourπ
Type: string
""
Description: The flavour of tag you want to use
webhook.imagePullSecrets[0].nameπ
Type: string
"private-registry"
webhook.nameOverrideπ
Type: string
""
webhook.fullnameOverrideπ
Type: string
""
webhook.portπ
Type: int
10250
Description: The port the webhook will listen to
webhook.rbac.createπ
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
webhook.serviceAccount.createπ
Type: bool
true
Description: Specifies whether a service account should be created.
webhook.serviceAccount.automountπ
Type: bool
true
Description: Automounts the service account token in all containers of the pod
webhook.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations to add to the service account.
webhook.serviceAccount.extraLabelsπ
Type: object
{}
Description: Extra Labels to add to the service account.
webhook.serviceAccount.nameπ
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
webhook.nodeSelectorπ
Type: object
{}
webhook.certManager.enabledπ
Type: bool
false
Description: Enabling cert-manager support will disable the built-in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you; see https://cert-manager.io/docs/
webhook.certManager.addInjectorAnnotationsπ
Type: bool
true
Description: Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically set up your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
webhook.certManager.cert.createπ
Type: bool
true
Description: Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/
webhook.certManager.cert.issuerRefπ
Type: object
group: cert-manager.io
kind: Issuer
name: my-issuer
Description: For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
webhook.certManager.cert.durationπ
Type: string
"8760h"
Description: Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default.
webhook.certManager.cert.renewBeforeπ
Type: string
""
Description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid.
webhook.certManager.cert.annotationsπ
Type: object
{}
Description: Add extra annotations to the Certificate resource.
webhook.tolerationsπ
Type: list
[]
webhook.topologySpreadConstraintsπ
Type: list
[]
webhook.affinityπ
Type: object
{}
webhook.priorityClassNameπ
Type: string
""
Description: Pod priority class name.
webhook.podDisruptionBudgetπ
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
webhook.metrics.listen.portπ
Type: int
8080
webhook.metrics.service.enabledπ
Type: bool
false
Description: Enable if you use another monitoring tool than Prometheus to scrape the metrics
webhook.metrics.service.portπ
Type: int
8080
Description: Metrics service port to scrape
webhook.metrics.service.annotationsπ
Type: object
{}
Description: Additional service annotations
webhook.readinessProbe.addressπ
Type: string
""
Description: Address for readiness probe
webhook.readinessProbe.portπ
Type: int
8081
Description: ReadinessProbe port for kubelet
webhook.extraEnvπ
Type: list
[]
webhook.extraArgsπ
Type: object
{}
webhook.extraVolumesπ
Type: list
[]
webhook.extraVolumeMountsπ
Type: list
[]
webhook.secretAnnotationsπ
Type: object
{}
Description: Annotations to add to Secret
webhook.deploymentAnnotationsπ
Type: object
{}
Description: Annotations to add to Deployment
webhook.podAnnotationsπ
Type: object
{}
Description: Annotations to add to Pod
webhook.podLabels."external-secrets.io/component"
Type: string
"webhook"
webhook.podSecurityContext.enabledπ
Type: bool
true
webhook.securityContext.allowPrivilegeEscalationπ
Type: bool
false
webhook.securityContext.capabilities.drop[0]π
Type: string
"ALL"
webhook.securityContext.enabledπ
Type: bool
true
webhook.securityContext.readOnlyRootFilesystemπ
Type: bool
true
webhook.securityContext.runAsNonRootπ
Type: bool
true
webhook.securityContext.runAsUserπ
Type: int
1000
webhook.securityContext.runAsGroupπ
Type: int
1000
webhook.securityContext.seccompProfile.typeπ
Type: string
"RuntimeDefault"
webhook.resources.requests.memoryπ
Type: string
"256Mi"
webhook.resources.requests.cpuπ
Type: string
"100m"
webhook.resources.limits.cpuπ
Type: string
"100m"
webhook.resources.limits.memoryπ
Type: string
"256Mi"
certController.createπ
Type: bool
true
Description: Specifies whether a certificate controller deployment should be created.
certController.requeueIntervalπ
Type: string
"5m"
certController.replicaCountπ
Type: int
1
certController.logπ
Type: object
level: info
timeEncoding: epoch
Description: Specifies Log Params to the Webhook
certController.revisionHistoryLimitπ
Type: int
10
Description: Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
certController.image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
certController.image.pullPolicyπ
Type: string
"IfNotPresent"
certController.image.tagπ
Type: string
"v0.10.2"
certController.image.flavourπ
Type: string
""
certController.imagePullSecrets[0].nameπ
Type: string
"private-registry"
certController.nameOverrideπ
Type: string
""
certController.fullnameOverrideπ
Type: string
""
certController.rbac.createπ
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
certController.serviceAccount.createπ
Type: bool
true
Description: Specifies whether a service account should be created.
certController.serviceAccount.automountπ
Type: bool
true
Description: Automounts the service account token in all containers of the pod
certController.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations to add to the service account.
certController.serviceAccount.extraLabelsπ
Type: object
{}
Description: Extra Labels to add to the service account.
certController.serviceAccount.nameπ
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
certController.nodeSelectorπ
Type: object
{}
certController.tolerationsπ
Type: list
[]
certController.topologySpreadConstraintsπ
Type: list
[]
certController.affinityπ
Type: object
{}
certController.hostNetworkπ
Type: bool
false
Description: Run the certController on the host network
certController.priorityClassNameπ
Type: string
""
Description: Pod priority class name.
certController.podDisruptionBudgetπ
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
certController.metrics.listen.portπ
Type: int
8080
certController.metrics.service.enabledπ
Type: bool
false
Description: Enable if you use another monitoring tool than Prometheus to scrape the metrics
certController.metrics.service.portπ
Type: int
8080
Description: Metrics service port to scrape
certController.metrics.service.annotationsπ
Type: object
{}
Description: Additional service annotations
certController.readinessProbe.addressπ
Type: string
""
Description: Address for readiness probe
certController.readinessProbe.portπ
Type: int
8081
Description: ReadinessProbe port for kubelet
certController.extraEnvπ
Type: list
[]
certController.extraArgsπ
Type: object
{}
certController.extraVolumesπ
Type: list
[]
certController.extraVolumeMountsπ
Type: list
[]
certController.deploymentAnnotationsπ
Type: object
{}
Description: Annotations to add to Deployment
certController.podAnnotationsπ
Type: object
{}
Description: Annotations to add to Pod
certController.podLabelsπ
Type: object
{}
certController.podSecurityContext.enabledπ
Type: bool
true
certController.securityContext.allowPrivilegeEscalationπ
Type: bool
false
certController.securityContext.capabilities.drop[0]π
Type: string
"ALL"
certController.securityContext.enabledπ
Type: bool
true
certController.securityContext.readOnlyRootFilesystemπ
Type: bool
true
certController.securityContext.runAsNonRootπ
Type: bool
true
certController.securityContext.runAsUserπ
Type: int
1000
certController.securityContext.runAsGroupπ
Type: int
1000
certController.securityContext.seccompProfile.typeπ
Type: string
"RuntimeDefault"
certController.resources.requests.memoryπ
Type: string
"256Mi"
certController.resources.requests.cpuπ
Type: string
"100m"
certController.resources.limits.cpuπ
Type: string
"100m"
certController.resources.limits.memoryπ
Type: string
"256Mi"
dnsPolicyπ
Type: string
"ClusterFirst"
Description: Specifies dnsPolicy to deployment
dnsConfigπ
Type: object
{}
Description: Specifies dnsOptions to deployment
podSpecExtraπ
Type: object
{}
Description: Any extra pod spec on the deployment
domainπ
Type: string
"bigbang.dev"
istio.enabledπ
Type: bool
false
istio.hardened.enabledπ
Type: bool
false
istio.hardened.outboundTrafficPolicyModeπ
Type: string
"REGISTRY_ONLY"
istio.hardened.customServiceEntriesπ
Type: list
[]
istio.hardened.customAuthorizationPoliciesπ
Type: list
[]
istio.mtls.modeπ
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic
istio.injectionπ
Type: string
"disabled"
networkPolicies.enabledπ
Type: bool
false
networkPolicies.ingressLabels.appπ
Type: string
"istio-ingressgateway"
networkPolicies.ingressLabels.istioπ
Type: string
"ingressgateway"
networkPolicies.additionalPoliciesπ
Type: list
[]
networkPolicies.ingress[0].from[0].namespaceSelectorπ
Type: object
{}
networkPolicies.ingress[0].ports[0].portπ
Type: int
10250
networkPolicies.ingress[0].ports[0].protocolπ
Type: string
"TCP"
networkPolicies.ingress[0].ports[1].portπ
Type: int
10250
networkPolicies.ingress[0].ports[1].protocolπ
Type: string
"TCP"
bbtests.enabledπ
Type: bool
false
bbtests.namespaceπ
Type: string
"external-secrets"
bbtests.secretstore.nameπ
Type: string
"external-secrets-test-store"
bbtests.serviceaccount.nameπ
Type: string
"external-secrets-test"
bbtests.rolebinding.nameπ
Type: string
"external-secrets-test-read-secrets"
bbtests.role.nameπ
Type: string
"external-secrets-reader"
bbtests.role.rules[0].apiGroups[0]π
Type: string
""
bbtests.role.rules[0].resources[0]π
Type: string
"secrets"
bbtests.role.rules[0].verbs[0]π
Type: string
"get"
bbtests.role.rules[0].verbs[1]π
Type: string
"watch"
bbtests.role.rules[0].verbs[2]π
Type: string
"list"
bbtests.role.rules[1].apiGroups[0]π
Type: string
""
bbtests.role.rules[1].resources[0]π
Type: string
"SelfSubjectRulesReview"
bbtests.role.rules[1].verbs[0]π
Type: string
"create"
bbtests.secrets.testsecret.valueπ
Type: string
"this is a magic value"