DirectorySecurity AdvisoriesPricing
Sign in
Directory
external-secrets logoHELM

external-secrets

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
global:
2
nodeSelector: {}
3
tolerations: []
4
topologySpreadConstraints: []
5
# - maxSkew: 1
6
# topologyKey: topology.kubernetes.io/zone
7
# whenUnsatisfiable: ScheduleAnyway
8
# matchLabelKeys:
9
# - pod-template-hash
10
# - maxSkew: 1
11
# topologyKey: kubernetes.io/hostname
12
# whenUnsatisfiable: DoNotSchedule
13
# matchLabelKeys:
14
# - pod-template-hash
15
affinity: {}
16
# -- Global hostAliases to be applied to all deployments
17
hostAliases: []
18
# -- Global pod labels to be applied to all deployments
19
podLabels: {}
20
# -- Global pod annotations to be applied to all deployments
21
podAnnotations: {}
22
# -- Global imagePullSecrets to be applied to all deployments
23
imagePullSecrets: []
24
# -- Global image repository to be applied to all deployments
25
repository: ""
26
compatibility:
27
openshift:
28
# -- Manages the securityContext properties to make them compatible with OpenShift.
29
# Possible values:
30
# auto - Apply configurations if it is detected that OpenShift is the target platform.
31
# force - Always apply configurations.
32
# disabled - No modification applied.
33
adaptSecurityContext: auto
34
replicaCount: 1
35
bitwarden-sdk-server:
36
enabled: false
37
namespaceOverride: ""
38
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
39
revisionHistoryLimit: 10
40
image:
41
repository: cgr.dev/chainguard-private/external-secrets
42
pullPolicy: IfNotPresent
43
# -- The image tag to use. The default is the chart appVersion.
44
tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
45
# -- The flavour of tag you want to use
46
# There are different image flavours available, like distroless and ubi.
47
# Please see GitHub release notes for image tags for these flavors.
48
# By default, the distroless image is used.
49
flavour: ""
50
# -- If set, install and upgrade CRDs through helm chart.
51
installCRDs: true
52
crds:
53
# -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
54
createClusterExternalSecret: true
55
# -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
56
createClusterSecretStore: true
57
# -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
58
createSecretStore: true
59
# -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
60
createClusterGenerator: true
61
# -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
62
createClusterPushSecret: true
63
# -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
64
createPushSecret: true
65
annotations: {}
66
conversion:
67
# -- Conversion is disabled by default as we stopped supporting v1alpha1.
68
enabled: false
69
# -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
70
# v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
71
# Warning: This flag will be removed on 2026.05.01.
72
unsafeServeV1Beta1: false
73
imagePullSecrets: []
74
nameOverride: ""
75
fullnameOverride: ""
76
namespaceOverride: ""
77
# -- Additional labels added to all helm chart resources.
78
commonLabels: {}
79
# -- If true, external-secrets will perform leader election between instances to ensure no more
80
# than one instance of external-secrets operates at a time.
81
leaderElect: false
82
# -- ID of the lease object used for leader election.
83
# Leave empty to use the default ('external-secrets-controller').
84
# Set to a unique value when running multiple independent ESO deployments in the same namespace.
85
# @default -- "external-secrets-controller"
86
leaderElectionID: ""
87
# -- If set external secrets will filter matching
88
# Secret Stores with the appropriate controller values.
89
controllerClass: ""
90
# -- If true external secrets will use recommended kubernetes
91
# annotations as prometheus metric labels.
92
extendedMetricLabels: false
93
# -- If set external secrets are only reconciled in the
94
# provided namespace
95
scopedNamespace: ""
96
# -- If true, create scoped RBAC roles and implicitly disable cluster-scoped
97
# controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace.
98
scopedRBAC: false
99
# -- If true the OpenShift finalizer permissions will be added to RBAC
100
openshiftFinalizers: true
101
# -- If true the system:auth-delegator ClusterRole will be added to RBAC
102
systemAuthDelegator: false
103
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
104
# When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
105
# cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
106
processClusterExternalSecret: true
107
# -- if true, the operator will process cluster push secret. Else, it will ignore them.
108
processClusterPushSecret: true
109
# -- if true, the operator will process cluster store. Else, it will ignore them.
110
processClusterStore: true
111
# -- if true, the operator will process secret store. Else, it will ignore them.
112
processSecretStore: true
113
# -- Default time duration between reconciling (Cluster)SecretStores.
114
storeRequeueInterval: ""
115
# -- if true, the operator will process cluster generator. Else, it will ignore them.
116
processClusterGenerator: true
117
# -- if true, the operator will process push secret. Else, it will ignore them.
118
processPushSecret: true
119
# -- Enable support for generic targets (ConfigMaps, Custom Resources).
120
# Warning: Using generic target. Make sure access policies and encryption are properly configured.
121
# When enabled, this grants the controller permissions to create/update/delete
122
# ConfigMaps and optionally other resource types specified in generic.resources.
123
genericTargets:
124
# -- Enable generic target support
125
enabled: false
126
# -- List of additional resource types to grant permissions for.
127
# Each entry should specify apiGroup, resources, and verbs.
128
# Example:
129
# resources:
130
# - apiGroup: "argoproj.io"
131
# resources: ["applications"]
132
# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
133
resources: []
134
# -- Specifies whether an external secret operator deployment be created.
135
createOperator: true
136
# -- if true, HTTP2 will be enabled for the services created by all controllers, curently metrics and webhook.
137
enableHTTP2: false
138
# -- Vault token cache configuration
139
vault:
140
# -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
141
enableTokenCache: false
142
# -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
143
tokenCacheSize: 262144
144
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
145
# a time.
146
concurrent: 1
147
# -- Specifies Log Params to the External Secrets Operator
148
log:
149
level: info
150
timeEncoding: epoch
151
service:
152
# -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
153
ipFamilyPolicy: ""
154
# -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
155
ipFamilies: []
156
serviceAccount:
157
# -- Specifies whether a service account should be created.
158
create: true
159
# -- Automounts the service account token in all containers of the pod
160
automount: true
161
# -- Annotations to add to the service account.
162
annotations: {}
163
# -- Extra Labels to add to the service account.
164
extraLabels: {}
165
# -- The name of the service account to use.
166
# If not set and create is true, a name is generated using the fullname template.
167
name: ""
168
rbac:
169
# -- Specifies whether role and rolebinding resources should be created.
170
create: true
171
# -- Specifies whether the serviceaccounts/token create permission is included in the controller RBAC.
172
# When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint
173
# to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs.
174
serviceAccountTokenCreate: true
175
servicebindings:
176
# -- Specifies whether a clusterrole to give servicebindings read access should be created.
177
create: true
178
# -- Specifies whether permissions are aggregated to the view ClusterRole
179
aggregateToView: true
180
# -- Specifies whether permissions are aggregated to the edit ClusterRole
181
aggregateToEdit: true
182
## -- Extra environment variables to add to container.
183
extraEnv: []
184
## -- Map of extra arguments to pass to container.
185
extraArgs: {}
186
## -- Extra volumes to pass to pod.
187
extraVolumes: []
188
## -- Extra Kubernetes objects to deploy with the helm chart
189
extraObjects: []
190
## -- Extra volumes to mount to the container.
191
extraVolumeMounts: []
192
## -- Extra init containers to add to the pod.
193
extraInitContainers: []
194
## -- Extra containers to add to the pod.
195
extraContainers: []
196
# -- Annotations to add to Deployment
197
deploymentAnnotations: {}
198
# -- Set deployment strategy
199
strategy: {}
200
# -- Annotations to add to Pod
201
podAnnotations: {}
202
podLabels: {}
203
podSecurityContext:
204
enabled: true
205
# fsGroup: 2000
206
securityContext:
207
allowPrivilegeEscalation: false
208
capabilities:
209
drop:
210
- ALL
211
enabled: true
212
readOnlyRootFilesystem: true
213
runAsNonRoot: true
214
runAsUser: 1000
215
seccompProfile:
216
type: RuntimeDefault
217
resources: {}
218
# requests:
219
# cpu: 10m
220
# memory: 32Mi
221
222
serviceMonitor:
223
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
224
enabled: false
225
# -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
226
#
227
# Possible values:
228
# - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
229
# - `failIfMissing`: Fail Helm install if CRD is not present.
230
# - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.
231
232
# @schema
233
# enum:
234
# - skipIfMissing
235
# - failIfMissing
236
# - alwaysRender
237
# @schema
238
renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
239
# -- namespace where you want to install ServiceMonitors
240
namespace: ""
241
# -- Additional labels
242
additionalLabels: {}
243
# -- Interval to scrape metrics
244
interval: 30s
245
# -- Timeout if metrics can't be retrieved in given time interval
246
scrapeTimeout: 25s
247
# -- Let prometheus add an exported_ prefix to conflicting labels
248
honorLabels: false
249
# -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
250
metricRelabelings: []
251
# - action: replace
252
# regex: (.*)
253
# replacement: $1
254
# sourceLabels:
255
# - exported_namespace
256
# targetLabel: namespace
257
258
# -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
259
relabelings: []
260
# - sourceLabels: [__meta_kubernetes_pod_node_name]
261
# separator: ;
262
# regex: ^(.*)$
263
# targetLabel: nodename
264
# replacement: $1
265
# action: replace
266
metrics:
267
listen:
268
port: 8080
269
auth:
270
# -- Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false.
271
enabled: false
272
secure:
273
enabled: false
274
# -- if those are not set or invalid, self-signed certs will be generated
275
# -- TLS cert directory path
276
certDir: /etc/tls
277
# -- TLS cert file path
278
certFile: /etc/tls/tls.crt
279
# -- TLS key file path
280
keyFile: /etc/tls/tls.key
281
service:
282
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
283
enabled: false
284
# -- Metrics service port to scrape
285
port: 8080
286
# -- Additional service annotations
287
annotations: {}
288
grafanaDashboard:
289
# -- If true creates a Grafana dashboard.
290
enabled: false
291
# -- Label that ConfigMaps should have to be loaded as dashboards.
292
sidecarLabel: "grafana_dashboard"
293
# -- Label value that ConfigMaps should have to be loaded as dashboards.
294
sidecarLabelValue: "1"
295
# -- Annotations that ConfigMaps can have to get configured in Grafana,
296
# See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
297
# https://github.com/grafana/helm-charts/tree/main/charts/grafana
298
annotations: {}
299
# -- Extra labels to add to the Grafana dashboard ConfigMap.
300
extraLabels: {}
301
livenessProbe:
302
# -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
303
enabled: false
304
# -- The body of the liveness probe settings.
305
spec:
306
# -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
307
address: ""
308
# -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
309
port: 8082
310
# -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
311
timeoutSeconds: 5
312
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
313
failureThreshold: 5
314
# -- Period in seconds for K8s to start performing probes.
315
periodSeconds: 10
316
# -- Number of successful probes to mark probe successful.
317
successThreshold: 1
318
# -- Delay in seconds for the container to start before performing the initial probe.
319
initialDelaySeconds: 10
320
# -- Handler for liveness probe.
321
httpGet:
322
# -- Set this value to 'live' (for named port) or an an integer for liveness probes.
323
# @schema type: [string, integer]
324
port: live
325
# -- Path for liveness probe.
326
path: /healthz
327
readinessProbe:
328
# -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
329
enabled: false
330
# -- The body of the readiness probe settings (standard Kubernetes probe spec).
331
spec:
332
# -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
333
timeoutSeconds: 5
334
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
335
failureThreshold: 3
336
# -- Period in seconds for K8s to start performing probes.
337
periodSeconds: 10
338
# -- Number of successful probes to mark probe successful.
339
successThreshold: 1
340
# -- Delay in seconds for the container to start before performing the initial probe.
341
initialDelaySeconds: 10
342
# -- Handler for readiness probe.
343
httpGet:
344
# -- Set this value to 'live' (for named port) or an integer for readiness probes.
345
# @schema type: [string, integer]
346
port: live
347
# -- Path for readiness probe.
348
path: /readyz
349
nodeSelector: {}
350
tolerations: []
351
topologySpreadConstraints: []
352
affinity: {}
353
# -- Pod priority class name.
354
priorityClassName: ""
355
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
356
podDisruptionBudget:
357
enabled: false
358
minAvailable: 1 # @schema type:[integer, string]
359
nameOverride: ""
360
# maxUnavailable: "50%"
361
# -- Run the controller on the host network
362
hostNetwork: false
363
# -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
364
# @schema type: [boolean, null]
365
hostUsers:
366
webhook:
367
# -- Annotations to place on validating webhook configuration.
368
annotations: {}
369
# -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
370
create: true
371
# -- Specifies the time to check if the cert is valid
372
certCheckInterval: "5m"
373
# -- Specifies the lookaheadInterval for certificate validity
374
lookaheadInterval: ""
375
replicaCount: 1
376
# -- Specifies Log Params to the Webhook
377
log:
378
level: info
379
timeEncoding: epoch
380
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
381
revisionHistoryLimit: 10
382
certDir: /tmp/certs
383
# -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
384
failurePolicy: Fail
385
# -- Specifies if webhook pod should use hostNetwork or not.
386
hostNetwork: false
387
# -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
388
# @schema type: [boolean, null]
389
hostUsers:
390
image:
391
repository: cgr.dev/chainguard-private/external-secrets
392
pullPolicy: IfNotPresent
393
# -- The image tag to use. The default is the chart appVersion.
394
tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
395
# -- The flavour of tag you want to use
396
flavour: ""
397
imagePullSecrets: []
398
# -- The port the webhook will listen to
399
port: 10250
400
serviceAccount:
401
# -- Specifies whether a service account should be created.
402
create: true
403
# -- Automounts the service account token in all containers of the pod
404
automount: true
405
# -- Annotations to add to the service account.
406
annotations: {}
407
# -- Extra Labels to add to the service account.
408
extraLabels: {}
409
# -- The name of the service account to use.
410
# If not set and create is true, a name is generated using the fullname template.
411
name: ""
412
nodeSelector: {}
413
# -- Specifies `hostAliases` to webhook deployment
414
hostAliases: []
415
certManager:
416
# -- Enabling cert-manager support will disable the built in secret and
417
# switch to using cert-manager (installed separately) to automatically issue
418
# and renew the webhook certificate. This chart does not install
419
# cert-manager for you, See https://cert-manager.io/docs/
420
enabled: false
421
# -- Automatically add the cert-manager.io/inject-ca-from annotation to the
422
# webhooks and CRDs. As long as you have the cert-manager CA Injector
423
# enabled, this will automatically setup your webhook's CA to the one used
424
# by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
425
addInjectorAnnotations: true
426
cert:
427
# -- Create a certificate resource within this chart. See
428
# https://cert-manager.io/docs/usage/certificate/
429
create: true
430
# -- For the Certificate created by this chart, setup the issuer. See
431
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
432
issuerRef:
433
group: cert-manager.io
434
kind: "Issuer"
435
name: "my-issuer"
436
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
437
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
438
# One year by default.
439
duration: "8760h0m0s"
440
# -- Set the revisionHistoryLimit on the Certificate. See
441
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
442
# Defaults to 0 (ignored).
443
revisionHistoryLimit: 0
444
# -- How long before the currently issued certificate’s expiry
445
# cert-manager should renew the certificate. See
446
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
447
# Note that renewBefore should be greater than .webhook.lookaheadInterval
448
# since the webhook will check this far in advance that the certificate is
449
# valid.
450
renewBefore: ""
451
# -- Specific settings on the privateKey and its generation
452
privateKey: {}
453
# rotationPolicy: Always
454
# algorithm: RSA
455
# size: 2048
456
# -- Specific settings on the signatureAlgorithm used on the cert.
457
# signatureAlgorithm is only valid for cert-manager v1.18.0+
458
signatureAlgorithm: ""
459
# -- Add extra annotations to the Certificate resource.
460
annotations: {}
461
tolerations: []
462
topologySpreadConstraints: []
463
affinity: {}
464
# -- Set deployment strategy
465
strategy: {}
466
# -- Pod priority class name.
467
priorityClassName: ""
468
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
469
podDisruptionBudget:
470
enabled: false
471
minAvailable: 1 # @schema type:[integer, string]
472
nameOverride: ""
473
# maxUnavailable: "50%"
474
metrics:
475
listen:
476
port: 8080
477
auth:
478
# -- Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false.
479
enabled: false
480
secure:
481
enabled: false
482
# -- if those are not set or invalid, self-signed certs will be generated
483
# -- TLS cert directory path
484
certDir: /etc/tls
485
# -- TLS cert file path
486
certFile: /etc/tls/tls.crt
487
# -- TLS key file path
488
keyFile: /etc/tls/tls.key
489
service:
490
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
491
enabled: false
492
# -- Metrics service port to scrape
493
port: 8080
494
# -- Additional service annotations
495
annotations: {}
496
livenessProbe:
497
enabled: false
498
# -- Set this value to 'live' (for named port) or an integer for liveness probes.
499
# @schema type: [string, integer]
500
port: 8081
501
timeoutSeconds: 5
502
failureThreshold: 5
503
periodSeconds: 10
504
successThreshold: 1
505
initialDelaySeconds: 10
506
readinessProbe:
507
enabled: true
508
address: ""
509
# -- Set this value to 'ready' (for named port) or an integer for readiness probes.
510
# @schema type: [string, integer]
511
port: 8081
512
timeoutSeconds: 5
513
failureThreshold: 3
514
periodSeconds: 5
515
successThreshold: 1
516
initialDelaySeconds: 20
517
## -- Extra environment variables to add to container.
518
extraEnv: []
519
## -- Map of extra arguments to pass to container.
520
extraArgs: {}
521
## -- Extra init containers to add to the pod.
522
extraInitContainers: []
523
## -- Extra volumes to pass to pod.
524
extraVolumes: []
525
## -- Extra volumes to mount to the container.
526
extraVolumeMounts: []
527
# -- Annotations to add to Secret
528
secretAnnotations: {}
529
# -- Annotations to add to Deployment
530
deploymentAnnotations: {}
531
# -- Annotations to add to Pod
532
podAnnotations: {}
533
podLabels: {}
534
podSecurityContext:
535
enabled: true
536
# fsGroup: 2000
537
securityContext:
538
allowPrivilegeEscalation: false
539
capabilities:
540
drop:
541
- ALL
542
enabled: true
543
readOnlyRootFilesystem: true
544
runAsNonRoot: true
545
runAsUser: 1000
546
seccompProfile:
547
type: RuntimeDefault
548
resources: {}
549
# requests:
550
# cpu: 10m
551
# memory: 32Mi
552
553
# -- Manage the service through which the webhook is reached.
554
service:
555
# -- Whether the service object should be enabled or not (it is expected to exist).
556
enabled: true
557
# -- Custom annotations for the webhook service.
558
annotations: {}
559
# -- Custom labels for the webhook service.
560
labels: {}
561
# -- The service type of the webhook service.
562
type: ClusterIP
563
# -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
564
# Check the documentation of your load balancer provider to see if/how this should be used.
565
loadBalancerIP: ""
566
certController:
567
# -- Specifies whether a certificate controller deployment be created.
568
create: true
569
requeueInterval: "5m"
570
replicaCount: 1
571
# -- Specifies Log Params to the Certificate Controller
572
log:
573
level: info
574
timeEncoding: epoch
575
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
576
revisionHistoryLimit: 10
577
image:
578
repository: cgr.dev/chainguard-private/external-secrets
579
pullPolicy: IfNotPresent
580
tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
581
flavour: ""
582
imagePullSecrets: []
583
rbac:
584
# -- Specifies whether role and rolebinding resources should be created.
585
create: true
586
serviceAccount:
587
# -- Specifies whether a service account should be created.
588
create: true
589
# -- Automounts the service account token in all containers of the pod
590
automount: true
591
# -- Annotations to add to the service account.
592
annotations: {}
593
# -- Extra Labels to add to the service account.
594
extraLabels: {}
595
# -- The name of the service account to use.
596
# If not set and create is true, a name is generated using the fullname template.
597
name: ""
598
nodeSelector: {}
599
# -- Specifies `hostAliases` to cert-controller deployment
600
hostAliases: []
601
tolerations: []
602
topologySpreadConstraints: []
603
affinity: {}
604
# -- Set deployment strategy
605
strategy: {}
606
# -- Run the certController on the host network
607
hostNetwork: false
608
# -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
609
# @schema type: [boolean, null]
610
hostUsers:
611
# -- Pod priority class name.
612
priorityClassName: ""
613
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
614
podDisruptionBudget:
615
enabled: false
616
minAvailable: 1 # @schema type:[integer, string]
617
nameOverride: ""
618
# maxUnavailable: "50%"
619
metrics:
620
listen:
621
port: 8080
622
auth:
623
# -- Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false.
624
enabled: false
625
secure:
626
enabled: false
627
# -- if those are not set or invalid, self-signed certs will be generated
628
# -- TLS cert directory path
629
certDir: /etc/tls
630
# -- TLS cert file path
631
certFile: /etc/tls/tls.crt
632
# -- TLS key file path
633
keyFile: /etc/tls/tls.key
634
service:
635
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
636
enabled: false
637
# -- Metrics service port to scrape
638
port: 8080
639
# -- Additional service annotations
640
annotations: {}
641
livenessProbe:
642
enabled: false
643
# -- Set this value to 'live' (for named port) or an integer for liveness probes.
644
# @schema type: [string, integer]
645
port: 8081
646
timeoutSeconds: 5
647
failureThreshold: 5
648
periodSeconds: 10
649
successThreshold: 1
650
initialDelaySeconds: 10
651
readinessProbe:
652
enabled: true
653
address: ""
654
# -- Set this value to 'ready' (for named port) or an integer for readiness probes.
655
# @schema type: [string, integer]
656
port: 8081
657
timeoutSeconds: 5
658
failureThreshold: 3
659
periodSeconds: 5
660
successThreshold: 1
661
initialDelaySeconds: 20
662
startupProbe:
663
# -- Enabled determines if the startup probe should be used or not. By default it's enabled
664
enabled: false
665
# -- whether to use the readiness probe port for startup probe.
666
useReadinessProbePort: true
667
# -- Port for startup probe.
668
port: ""
669
## -- Extra environment variables to add to container.
670
extraEnv: []
671
## -- Map of extra arguments to pass to container.
672
extraArgs: {}
673
## -- Extra init containers to add to the pod.
674
extraInitContainers: []
675
## -- Extra volumes to pass to pod.
676
extraVolumes: []
677
## -- Extra volumes to mount to the container.
678
extraVolumeMounts: []
679
# -- Annotations to add to Deployment
680
deploymentAnnotations: {}
681
# -- Annotations to add to Pod
682
podAnnotations: {}
683
podLabels: {}
684
podSecurityContext:
685
enabled: true
686
# fsGroup: 2000
687
securityContext:
688
allowPrivilegeEscalation: false
689
capabilities:
690
drop:
691
- ALL
692
enabled: true
693
readOnlyRootFilesystem: true
694
runAsNonRoot: true
695
runAsUser: 1000
696
seccompProfile:
697
type: RuntimeDefault
698
resources: {}
699
# requests:
700
# cpu: 10m
701
# memory: 32Mi
702
# -- Specifies `dnsPolicy` to deployment
703
dnsPolicy: ClusterFirst
704
# -- Specifies `dnsOptions` to deployment
705
dnsConfig: {}
706
# -- Specifies `hostAliases` to deployment
707
hostAliases: []
708
# -- Any extra pod spec on the deployment
709
podSpecExtra: {}
710

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.