external-secrets values.yaml
openshift📜
Type: bool
false
global.nodeSelector📜
Type: object
{}
global.tolerations📜
Type: list
[]
global.topologySpreadConstraints📜
Type: list
[]
global.affinity📜
Type: object
{}
global.compatibility.openshift.adaptSecurityContext📜
Type: string
"auto"
Description: Manages the securityContext properties to make them compatible with OpenShift. Possible values: `auto` – apply the configurations if OpenShift is detected as the target platform; `force` – always apply the configurations; `disabled` – apply no modification.
replicaCount📜
Type: int
1
bitwarden-sdk-server.enabled📜
Type: bool
false
revisionHistoryLimit📜
Type: int
10
Description: Specifies the number of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy).
image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
image.pullPolicy📜
Type: string
"IfNotPresent"
image.tag📜
Type: string
"v0.12.1"
Description: The image tag to use. The default is the chart appVersion.
image.flavour📜
Type: string
""
Description: The flavour of tag you want to use. There are different image flavours available, like distroless and ubi. Please see the GitHub release notes for the image tags of these flavours. By default, the distroless image is used.
installCRDs📜
Type: bool
false
Description: If set, install and upgrade CRDs through helm chart.
crds.createClusterExternalSecret📜
Type: bool
true
Description: If true, create CRDs for Cluster External Secret.
crds.createClusterSecretStore📜
Type: bool
true
Description: If true, create CRDs for Cluster Secret Store.
crds.createClusterGenerator📜
Type: bool
true
Description: If true, create CRDs for Cluster Generator.
crds.createPushSecret📜
Type: bool
true
Description: If true, create CRDs for Push Secret.
crds.annotations📜
Type: object
{}
crds.conversion.enabled📜
Type: bool
false
Description: If webhook is set to false, this also needs to be set to false; otherwise the kube-apiserver will be hammered, because the conversion is looking for a webhook endpoint that does not exist.
imagePullSecrets[0].name📜
Type: string
"private-registry"
nameOverride📜
Type: string
""
fullnameOverride📜
Type: string
""
namespaceOverride📜
Type: string
""
commonLabels📜
Type: object
{}
Description: Additional labels added to all helm chart resources.
leaderElect📜
Type: bool
false
Description: If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time.
controllerClass📜
Type: string
""
Description: If set, external-secrets will only reconcile Secret Stores whose controller value matches this class.
extendedMetricLabels📜
Type: bool
false
Description: If true, external-secrets will use the recommended Kubernetes annotations as Prometheus metric labels.
scopedNamespace📜
Type: string
""
Description: If set, external secrets are only reconciled in the provided namespace.
scopedRBAC📜
Type: bool
false
Description: Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets.
processClusterExternalSecret📜
Type: bool
true
Description: If true, the operator will process ClusterExternalSecrets; otherwise it ignores them.
processClusterStore📜
Type: bool
true
Description: If true, the operator will process ClusterSecretStores; otherwise it ignores them.
processPushSecret📜
Type: bool
true
Description: If true, the operator will process PushSecrets; otherwise it ignores them.
createOperator📜
Type: bool
true
Description: Specifies whether an external-secrets operator deployment should be created.
concurrent📜
Type: int
1
Description: Specifies the number of ExternalSecret reconciles that external-secrets executes concurrently.
log📜
Type: object
level: info
timeEncoding: epoch
Description: Specifies log parameters for the webhook.
service.ipFamilyPolicy📜
Type: string
""
Description: Set the IP family policy to configure dual-stack; see "Configure dual-stack".
service.ipFamilies📜
Type: list
[]
Description: Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
serviceAccount.create📜
Type: bool
true
Description: Specifies whether a service account should be created.
serviceAccount.automount📜
Type: bool
true
Description: Automounts the service account token in all containers of the pod
serviceAccount.annotations📜
Type: object
{}
Description: Annotations to add to the service account.
serviceAccount.extraLabels📜
Type: object
{}
Description: Extra Labels to add to the service account.
serviceAccount.name📜
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
secretConfiguration.enabled📜
Type: bool
false
secretConfiguration.secretList[0].name📜
Type: string
"default"
secretConfiguration.secretList[0].namespace📜
Type: string
""
secretConfiguration.secretList[0].labels📜
Type: string
""
secretConfiguration.secretList[0].annotations📜
Type: string
""
secretConfiguration.secretList[0].source.provider📜
Type: string
"aws"
secretConfiguration.secretList[0].source.service📜
Type: string
"SecretsManager"
secretConfiguration.secretList[0].source.serviceName📜
Type: string
""
secretConfiguration.secretList[0].source.region📜
Type: string
"us-gov-west-1"
secretConfiguration.secretList[0].source.refreshInterval📜
Type: string
"1m"
secretConfiguration.secretList[0].source.auth.authType📜
Type: string
""
secretConfiguration.secretList[0].source.auth.role📜
Type: string
""
secretConfiguration.secretList[0].source.auth.accessKeyName📜
Type: string
""
secretConfiguration.secretList[0].source.auth.accessKeyID📜
Type: string
""
secretConfiguration.secretList[0].source.auth.secretAccessKey📜
Type: string
""
secretConfiguration.secretList[0].source.auth.serviceAccount📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.targetName📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.targetPolicy📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.secretKeyName.key📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.secretKeyName.version📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.secretKeyName.property📜
Type: string
""
secretConfiguration.secretList[0].source.secrets.secretKeyName.metadataPolicy📜
Type: string
""
rbac.create📜
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
rbac.servicebindings.create📜
Type: bool
true
Description: Specifies whether a clusterrole to give servicebindings read access should be created.
extraEnv📜
Type: list
[]
extraArgs📜
Type: object
{}
extraVolumes📜
Type: list
[]
extraObjects📜
Type: list
[]
extraVolumeMounts📜
Type: list
[]
extraContainers📜
Type: list
[]
deploymentAnnotations📜
Type: object
{}
Description: Annotations to add to Deployment
podAnnotations📜
Type: object
{}
Description: Annotations to add to Pod
podLabels📜
Type: object
{}
podSecurityContext.enabled📜
Type: bool
true
securityContext.allowPrivilegeEscalation📜
Type: bool
false
securityContext.capabilities.drop[0]📜
Type: string
"ALL"
securityContext.enabled📜
Type: bool
true
securityContext.readOnlyRootFilesystem📜
Type: bool
true
securityContext.runAsNonRoot📜
Type: bool
true
securityContext.runAsUser📜
Type: int
1000
securityContext.runAsGroup📜
Type: int
1000
securityContext.seccompProfile.type📜
Type: string
"RuntimeDefault"
resources.requests.memory📜
Type: string
"256Mi"
resources.requests.cpu📜
Type: string
"100m"
resources.limits.cpu📜
Type: string
"100m"
resources.limits.memory📜
Type: string
"256Mi"
serviceMonitor.enabled📜
Type: bool
false
Description: Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
serviceMonitor.namespace📜
Type: string
""
Description: Namespace in which to install the ServiceMonitors.
serviceMonitor.additionalLabels📜
Type: object
{}
Description: Additional labels
serviceMonitor.interval📜
Type: string
"30s"
Description: Interval to scrape metrics
serviceMonitor.scrapeTimeout📜
Type: string
"25s"
Description: Timeout if metrics can't be retrieved within the given interval.
serviceMonitor.honorLabels📜
Type: bool
false
Description: Let Prometheus add an `exported_` prefix to conflicting labels.
serviceMonitor.metricRelabelings📜
Type: list
[]
Description: Metric relabel configs to apply to samples before ingestion (see "Metric Relabeling").
serviceMonitor.relabelings📜
Type: list
[]
Description: Relabel configs to apply to samples before ingestion (see "Relabeling").
metrics.listen.port📜
Type: int
8080
metrics.service.enabled📜
Type: bool
false
Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics.
metrics.service.port📜
Type: int
8080
Description: Metrics service port to scrape
metrics.service.annotations📜
Type: object
{}
Description: Additional service annotations
nodeSelector📜
Type: object
{}
tolerations📜
Type: list
[]
topologySpreadConstraints📜
Type: list
[]
affinity📜
Type: object
{}
priorityClassName📜
Type: string
""
Description: Pod priority class name.
podDisruptionBudget📜
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
hostNetwork📜
Type: bool
false
Description: Run the controller on the host network
webhook.create📜
Type: bool
false
Description: Specifies whether a webhook deployment should be created. The default behavior of ESO in Big Bang at this time is to NOT deploy the validating webhook. There is a still-unresolved bug that causes the cert-controller and validating webhook to come up unhealthy more often than not. Beware that enabling these options may result in an unhealthy deployment.
webhook.certCheckInterval📜
Type: string
"5m"
Description: Specifies the interval at which to check that the cert is valid.
webhook.lookaheadInterval📜
Type: string
""
Description: Specifies the lookaheadInterval for certificate validity.
webhook.replicaCount📜
Type: int
1
webhook.log📜
Type: object
level: info
timeEncoding: epoch
Description: Specifies log parameters for the webhook.
webhook.revisionHistoryLimit📜
Type: int
10
Description: Specifies the number of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy).
webhook.certDir📜
Type: string
"/tmp/certs"
webhook.failurePolicy📜
Type: string
"Fail"
Description: Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
webhook.hostNetwork📜
Type: bool
false
Description: Specifies if webhook pod should use hostNetwork or not.
webhook.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
webhook.image.pullPolicy📜
Type: string
"IfNotPresent"
webhook.image.tag📜
Type: string
"v0.12.1"
Description: The image tag to use. The default is the chart appVersion.
webhook.image.flavour📜
Type: string
""
Description: The flavour of tag you want to use
webhook.imagePullSecrets[0].name📜
Type: string
"private-registry"
webhook.nameOverride📜
Type: string
""
webhook.fullnameOverride📜
Type: string
""
webhook.port📜
Type: int
10250
Description: The port the webhook will listen on.
webhook.rbac.create📜
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
webhook.serviceAccount.create📜
Type: bool
true
Description: Specifies whether a service account should be created.
webhook.serviceAccount.automount📜
Type: bool
true
Description: Automounts the service account token in all containers of the pod
webhook.serviceAccount.annotations📜
Type: object
{}
Description: Annotations to add to the service account.
webhook.serviceAccount.extraLabels📜
Type: object
{}
Description: Extra Labels to add to the service account.
webhook.serviceAccount.name📜
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
webhook.nodeSelector📜
Type: object
{}
webhook.certManager.enabled📜
Type: bool
false
Description: Enabling cert-manager support will disable the built-in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you; see https://cert-manager.io/docs/
webhook.certManager.addInjectorAnnotations📜
Type: bool
true
Description: Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically set up your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
webhook.certManager.cert.create📜
Type: bool
true
Description: Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/
webhook.certManager.cert.issuerRef📜
Type: object
group: cert-manager.io
kind: Issuer
name: my-issuer
Description: For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
webhook.certManager.cert.duration📜
Type: string
"8760h"
Description: Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default.
webhook.certManager.cert.renewBefore📜
Type: string
""
Description: How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid.
webhook.certManager.cert.annotations📜
Type: object
{}
Description: Add extra annotations to the Certificate resource.
webhook.tolerations📜
Type: list
[]
webhook.topologySpreadConstraints📜
Type: list
[]
webhook.affinity📜
Type: object
{}
webhook.priorityClassName📜
Type: string
""
Description: Pod priority class name.
webhook.podDisruptionBudget📜
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
webhook.metrics.listen.port📜
Type: int
8080
webhook.metrics.service.enabled📜
Type: bool
false
Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics.
webhook.metrics.service.port📜
Type: int
8080
Description: Metrics service port to scrape
webhook.metrics.service.annotations📜
Type: object
{}
Description: Additional service annotations
webhook.readinessProbe.address📜
Type: string
""
Description: Address for readiness probe
webhook.readinessProbe.port📜
Type: int
8081
Description: ReadinessProbe port for kubelet
webhook.extraEnv📜
Type: list
[]
webhook.extraArgs📜
Type: object
{}
webhook.extraVolumes📜
Type: list
[]
webhook.extraVolumeMounts📜
Type: list
[]
webhook.secretAnnotations📜
Type: object
{}
Description: Annotations to add to Secret
webhook.deploymentAnnotations📜
Type: object
{}
Description: Annotations to add to Deployment
webhook.podAnnotations📜
Type: object
{}
Description: Annotations to add to Pod
webhook.podLabels."external-secrets.io/component"📜
Type: string
"webhook"
webhook.podSecurityContext.enabled📜
Type: bool
true
webhook.securityContext.allowPrivilegeEscalation📜
Type: bool
false
webhook.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
webhook.securityContext.enabled📜
Type: bool
true
webhook.securityContext.readOnlyRootFilesystem📜
Type: bool
true
webhook.securityContext.runAsNonRoot📜
Type: bool
true
webhook.securityContext.runAsUser📜
Type: int
1000
webhook.securityContext.runAsGroup📜
Type: int
1000
webhook.securityContext.seccompProfile.type📜
Type: string
"RuntimeDefault"
webhook.resources.requests.memory📜
Type: string
"256Mi"
webhook.resources.requests.cpu📜
Type: string
"100m"
webhook.resources.limits.cpu📜
Type: string
"100m"
webhook.resources.limits.memory📜
Type: string
"256Mi"
certController.create📜
Type: bool
false
Description: Specifies whether a certificate controller deployment should be created. The default behavior of ESO in Big Bang at this time is to NOT create a cert controller. There is a still-unresolved bug that causes the cert-controller and validating webhook to come up unhealthy more often than not. Beware that enabling these options may result in an unhealthy deployment.
certController.requeueInterval📜
Type: string
"5m"
certController.replicaCount📜
Type: int
1
certController.log📜
Type: object
level: info
timeEncoding: epoch
Description: Specifies log parameters for the webhook.
certController.revisionHistoryLimit📜
Type: int
10
Description: Specifies the number of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy).
certController.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets"
certController.image.pullPolicy📜
Type: string
"IfNotPresent"
certController.image.tag📜
Type: string
"v0.12.1"
certController.image.flavour📜
Type: string
""
certController.imagePullSecrets[0].name📜
Type: string
"private-registry"
certController.nameOverride📜
Type: string
""
certController.fullnameOverride📜
Type: string
""
certController.rbac.create📜
Type: bool
true
Description: Specifies whether role and rolebinding resources should be created.
certController.serviceAccount.create📜
Type: bool
true
Description: Specifies whether a service account should be created.
certController.serviceAccount.automount📜
Type: bool
true
Description: Automounts the service account token in all containers of the pod
certController.serviceAccount.annotations📜
Type: object
{}
Description: Annotations to add to the service account.
certController.serviceAccount.extraLabels📜
Type: object
{}
Description: Extra Labels to add to the service account.
certController.serviceAccount.name📜
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
certController.nodeSelector📜
Type: object
{}
certController.tolerations📜
Type: list
[]
certController.topologySpreadConstraints📜
Type: list
[]
certController.affinity📜
Type: object
{}
certController.hostNetwork📜
Type: bool
false
Description: Run the certController on the host network. Upstream bug reports related to the ongoing cert-controller/validating webhook issue indicate that in some EKS and GCP deployments, using `hostNetwork: true` may resolve some issues.
certController.priorityClassName📜
Type: string
""
Description: Pod priority class name.
certController.podDisruptionBudget📜
Type: object
enabled: false
minAvailable: 1
Description: Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
certController.metrics.listen.port📜
Type: int
8080
certController.metrics.service.enabled📜
Type: bool
false
Description: Enable if you use a monitoring tool other than Prometheus to scrape the metrics.
certController.metrics.service.port📜
Type: int
8080
Description: Metrics service port to scrape
certController.metrics.service.annotations📜
Type: object
{}
Description: Additional service annotations
certController.readinessProbe.address📜
Type: string
""
Description: Address for readiness probe
certController.readinessProbe.port📜
Type: int
8081
Description: ReadinessProbe port for kubelet
certController.extraEnv📜
Type: list
[]
certController.extraArgs📜
Type: object
{}
certController.extraVolumes📜
Type: list
[]
certController.extraVolumeMounts📜
Type: list
[]
certController.deploymentAnnotations📜
Type: object
{}
Description: Annotations to add to Deployment
certController.podAnnotations📜
Type: object
{}
Description: Annotations to add to Pod
certController.podLabels📜
Type: object
{}
certController.podSecurityContext.enabled📜
Type: bool
true
certController.securityContext.allowPrivilegeEscalation📜
Type: bool
false
certController.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
certController.securityContext.enabled📜
Type: bool
true
certController.securityContext.readOnlyRootFilesystem📜
Type: bool
true
certController.securityContext.runAsNonRoot📜
Type: bool
true
certController.securityContext.runAsUser📜
Type: int
1000
certController.securityContext.runAsGroup📜
Type: int
1000
certController.securityContext.seccompProfile.type📜
Type: string
"RuntimeDefault"
certController.resources.requests.memory📜
Type: string
"256Mi"
certController.resources.requests.cpu📜
Type: string
"100m"
certController.resources.limits.cpu📜
Type: string
"100m"
certController.resources.limits.memory📜
Type: string
"256Mi"
dnsPolicy📜
Type: string
"ClusterFirst"
Description: Specifies the dnsPolicy applied to the deployment.
dnsConfig📜
Type: object
{}
Description: Specifies the dnsOptions applied to the deployment.
podSpecExtra📜
Type: object
{}
Description: Any extra pod spec on the deployment
domain📜
Type: string
"bigbang.dev"
istio.enabled📜
Type: bool
false
istio.hardened.enabled📜
Type: bool
false
istio.hardened.outboundTrafficPolicyMode📜
Type: string
"REGISTRY_ONLY"
istio.hardened.customServiceEntries📜
Type: list
[]
istio.hardened.customAuthorizationPolicies📜
Type: list
[]
istio.mtls.mode📜
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic
istio.injection📜
Type: string
"disabled"
networkPolicies.enabled📜
Type: bool
false
networkPolicies.ingressLabels.app📜
Type: string
"istio-ingressgateway"
networkPolicies.ingressLabels.istio📜
Type: string
"ingressgateway"
networkPolicies.additionalPolicies📜
Type: list
[]
bbtests.enabled📜
Type: bool
false
bbtests.namespace📜
Type: string
"external-secrets"
bbtests.secretstore.name📜
Type: string
"external-secrets-test-store"
bbtests.serviceaccount.name📜
Type: string
"external-secrets-test"
bbtests.rolebinding.name📜
Type: string
"external-secrets-test-read-secrets"
bbtests.role.name📜
Type: string
"external-secrets-reader"
bbtests.role.rules[0].apiGroups[0]📜
Type: string
""
bbtests.role.rules[0].resources[0]📜
Type: string
"secrets"
bbtests.role.rules[0].verbs[0]📜
Type: string
"get"
bbtests.role.rules[0].verbs[1]📜
Type: string
"watch"
bbtests.role.rules[0].verbs[2]📜
Type: string
"list"
bbtests.role.rules[1].apiGroups[0]📜
Type: string
""
bbtests.role.rules[1].resources[0]📜
Type: string
"SelfSubjectRulesReview"
bbtests.role.rules[1].verbs[0]📜
Type: string
"create"
bbtests.secrets.testsecret.value📜
Type: string
"this is a magic value"
waitJob.enabled📜
Type: bool
true
waitJob.scripts.image📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.8"
waitJob.permissions.apiGroups[0]📜
Type: string
"external-secrets.io"
waitJob.permissions.apiGroups[1]📜
Type: string
"generators.external-secrets.io"
waitJob.permissions.apiGroups[2]📜
Type: string
""
waitJob.permissions.resources[0]📜
Type: string
"acraccesstokens"
waitJob.permissions.resources[1]📜
Type: string
"clusterexternalsecrets"
waitJob.permissions.resources[2]📜
Type: string
"clustersecretstores"
waitJob.permissions.resources[3]📜
Type: string
"ecrauthorizationtokens"
waitJob.permissions.resources[4]📜
Type: string
"externalsecrets"
waitJob.permissions.resources[5]📜
Type: string
"fakes"
waitJob.permissions.resources[6]📜
Type: string
"gcraccesstokens"
waitJob.permissions.resources[7]📜
Type: string
"githubaccesstokens"
waitJob.permissions.resources[8]📜
Type: string
"passwords"
waitJob.permissions.resources[9]📜
Type: string
"pushsecrets"
waitJob.permissions.resources[10]📜
Type: string
"secretstores"
waitJob.permissions.resources[11]📜
Type: string
"vaultdynamicsecrets"
waitJob.permissions.resources[12]📜
Type: string
"webhooks"
waitJob.permissions.resources[13]📜
Type: string
"secrets"
waitJob.permissions.verbs[0]📜
Type: string
"create"
waitJob.permissions.verbs[1]📜
Type: string
"delete"
waitJob.permissions.verbs[2]📜
Type: string
"get"
waitJob.permissions.verbs[3]📜
Type: string
"list"
waitJob.permissions.verbs[4]📜
Type: string
"watch"
envVars.EXTERNAL_SECRETS_NAMESPACE📜
Type: string
"external-secrets"