external-secrets: replicaCount: 3 # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) revisionHistoryLimit: 10 image: repository: ghcr.io/external-secrets/external-secrets pullPolicy: Always # -- The image tag to use. The default is the chart appVersion. # There are different image flavours available, like distroless and ubi. # Please see GitHub release notes for image tags for these flavors. # By default the distroless image is used. tag: "" # -- If set, install and upgrade CRDs through helm chart. installCRDs: true crds: # -- If true, create CRDs for Cluster External Secret. createClusterExternalSecret: true # -- If true, create CRDs for Cluster Secret Store. createClusterSecretStore: true # -- If true, create CRDs for Push Secret. createPushSecret: true annotations: {} conversion: enabled: true imagePullSecrets: [] nameOverride: "" fullnameOverride: "" # -- If true, external-secrets will perform leader election between instances to ensure no more # than one instance of external-secrets operates at a time. leaderElect: true # -- If set external secrets will filter matching # Secret Stores with the appropriate controller values. controllerClass: "" # -- If true external secrets will use recommended kubernetes # annotations as prometheus metric labels. extendedMetricLabels: false # -- If set external secrets are only reconciled in the # provided namespace scopedNamespace: "" # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace # and implicitly disable cluster stores and cluster external secrets scopedRBAC: false # -- if true, the operator will process cluster external secret. Else, it will ignore them. processClusterExternalSecret: true # -- if true, the operator will process cluster store. Else, it will ignore them. processClusterStore: true # -- Specifies whether an external secret operator deployment be created. createOperator: true # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at # a time. concurrent: 1 serviceAccount: # -- Specifies whether a service account should be created. create: true # -- Automounts the service account token in all containers of the pod automount: true # -- Annotations to add to the service account. annotations: {} # -- Extra Labels to add to the service account. extraLabels: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template. name: "" rbac: # -- Specifies whether role and rolebinding resources should be created. create: true ## -- Extra environment variables to add to container. extraEnv: [] ## -- Map of extra arguments to pass to container. extraArgs: {} ## -- Extra volumes to pass to pod. extraVolumes: [] ## -- Extra volumes to mount to the container. extraVolumeMounts: [] ## -- Extra containers to add to the pod. extraContainers: [] # -- Annotations to add to Deployment deploymentAnnotations: {} # -- Annotations to add to Pod podAnnotations: {} podLabels: {} podSecurityContext: {} # fsGroup: 2000 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault resources: {} # requests: # cpu: 10m # memory: 32Mi prometheus: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. enabled: false service: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. port: 8080 serviceMonitor: # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics enabled: false # -- namespace where you want to install ServiceMonitors namespace: "" # -- Additional labels additionalLabels: {} # -- Interval to scrape metrics interval: 30s # -- Timeout if metrics can't be retrieved in given time interval scrapeTimeout: 25s # -- Let prometheus add an exported_ prefix to conflicting labels honorLabels: false # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) metricRelabelings: [] # - action: replace # regex: (.*) # replacement: $1 # sourceLabels: # - exported_namespace # targetLabel: namespace # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) relabelings: [] # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; # regex: ^(.*)$ # targetLabel: nodename # replacement: $1 # action: replace metrics: service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false # -- Metrics service port to scrape port: 8080 # -- Additional service annotations annotations: {} nodeSelector: {} tolerations: [] topologySpreadConstraints: [] affinity: {} # -- Pod priority class name. priorityClassName: "" # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false minAvailable: 1 # maxUnavailable: 1 # -- Run the controller on the host network hostNetwork: false webhook: # -- Specifies whether a webhook deployment be created. create: true # -- Specifices the time to check if the cert is valid certCheckInterval: "5m" # -- Specifices the lookaheadInterval for certificate validity lookaheadInterval: "" replicaCount: 1 # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) revisionHistoryLimit: 10 certDir: /tmp/certs # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore failurePolicy: Fail # -- Specifies if webhook pod should use hostNetwork or not. hostNetwork: false image: repository: ghcr.io/external-secrets/external-secrets pullPolicy: IfNotPresent # -- The image tag to use. The default is the chart appVersion. tag: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" # -- The port the webhook will listen to port: 10250 rbac: # -- Specifies whether role and rolebinding resources should be created. create: true serviceAccount: # -- Specifies whether a service account should be created. create: true # -- Automounts the service account token in all containers of the pod automount: true # -- Annotations to add to the service account. annotations: {} # -- Extra Labels to add to the service account. extraLabels: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template. name: "" nodeSelector: {} tolerations: [] topologySpreadConstraints: [] affinity: {} # -- Pod priority class name. priorityClassName: "" # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false minAvailable: 1 # maxUnavailable: 1 prometheus: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead enabled: false service: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead port: 8080 serviceMonitor: # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics enabled: false # -- Additional labels additionalLabels: {} # -- Interval to scrape metrics interval: 30s # -- Timeout if metrics can't be retrieved in given time interval scrapeTimeout: 25s metrics: service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false # -- Metrics service port to scrape port: 8080 # -- Additional service annotations annotations: {} readinessProbe: # -- Address for readiness probe address: "" # -- ReadinessProbe port for kubelet port: 8081 ## -- Extra environment variables to add to container. extraEnv: [] ## -- Map of extra arguments to pass to container. extraArgs: {} ## -- Extra volumes to pass to pod. extraVolumes: [] ## -- Extra volumes to mount to the container. extraVolumeMounts: [] # -- Annotations to add to Secret secretAnnotations: {} # -- Annotations to add to Deployment deploymentAnnotations: {} # -- Annotations to add to Pod podAnnotations: {} podLabels: {} podSecurityContext: {} # fsGroup: 2000 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault resources: {} # requests: # cpu: 10m # memory: 32Mi certController: # -- Specifies whether a certificate controller deployment be created. create: true requeueInterval: "5m" replicaCount: 1 # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) revisionHistoryLimit: 10 image: repository: ghcr.io/external-secrets/external-secrets pullPolicy: Always tag: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" rbac: # -- Specifies whether role and rolebinding resources should be created. create: true serviceAccount: # -- Specifies whether a service account should be created. create: true # -- Automounts the service account token in all containers of the pod automount: true # -- Annotations to add to the service account. annotations: {} # -- Extra Labels to add to the service account. extraLabels: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template. name: "" nodeSelector: {} tolerations: [] topologySpreadConstraints: [] affinity: {} # -- Run the certController on the host network hostNetwork: false # -- Pod priority class name. priorityClassName: "" # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false minAvailable: 1 # maxUnavailable: 1 prometheus: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead enabled: false service: # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead port: 8080 serviceMonitor: # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics enabled: false # -- Additional labels additionalLabels: {} # -- Interval to scrape metrics interval: 30s # -- Timeout if metrics can't be retrieved in given time interval scrapeTimeout: 25s metrics: service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false # -- Metrics service port to scrape port: 8080 # -- Additional service annotations annotations: {} ## -- Extra environment variables to add to container. extraEnv: [] ## -- Map of extra arguments to pass to container. extraArgs: {} ## -- Extra volumes to pass to pod. extraVolumes: [] ## -- Extra volumes to mount to the container. extraVolumeMounts: [] # -- Annotations to add to Deployment deploymentAnnotations: {} # -- Annotations to add to Pod podAnnotations: {} podLabels: {} podSecurityContext: {} # fsGroup: 2000 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault resources: {} # requests: # cpu: 10m # memory: 32Mi # -- Specifies `dnsOptions` to deployment dnsConfig: {}