global:
  nodeSelector: {}
  tolerations: []
  topologySpreadConstraints: []
  # Example: spread across zones first (soft), then across nodes (hard).
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: ScheduleAnyway
  #   matchLabelKeys:
  #     - pod-template-hash
  # - maxSkew: 1
  #   topologyKey: kubernetes.io/hostname
  #   whenUnsatisfiable: DoNotSchedule
  #   matchLabelKeys:
  #     - pod-template-hash
  affinity: {}
  # -- hostAliases applied to every deployment in the chart
  hostAliases: []
  # -- Pod labels applied to every deployment in the chart
  podLabels: {}
  # -- Pod annotations applied to every deployment in the chart
  podAnnotations: {}
  # -- imagePullSecrets applied to every deployment in the chart
  imagePullSecrets: []
  # -- Image repository applied to every deployment in the chart
  repository: ""
  compatibility:
    openshift:
      # -- Controls whether securityContext fields are adapted for OpenShift.
      # Possible values:
      # auto - adapt only when OpenShift is detected as the target platform.
      # force - always adapt.
      # disabled - never modify the securityContext.
      adaptSecurityContext: auto
replicaCount: 1
# bitwarden-sdk-server settings; disabled by default.
bitwarden-sdk-server:
  enabled: false
  namespaceOverride: ""
# -- Number of old ReplicaSets kept for rollback (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
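image:
  repository: cgr.dev/chainguard-private/external-secrets
  pullPolicy: IfNotPresent
  # -- The image tag to use. This default pins the image by digest: the `latest`
  # tag portion is informational only, the sha256 digest is what the runtime
  # resolves, so a re-push of `latest` upstream cannot change which image runs.
  tag: latest@sha256:1872bc5bfb723e6eecd769130272533a9cc70dfd35a288d5ce3d82f766b4a407
  # -- The flavour of tag you want to use
  # There are different image flavours available, like distroless and ubi.
  # Please see GitHub release notes for image tags for these flavors.
  # By default, the distroless image is used.
  flavour: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
crds:
  # -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
  createClusterExternalSecret: true
  # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
  createClusterSecretStore: true
  # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
  createSecretStore: true
  # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
  createClusterGenerator: true
  # -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
  createClusterPushSecret: true
  # -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
  createPushSecret: true
  annotations: {}
  conversion:
    # -- Conversion is disabled by default as we stopped supporting v1alpha1.
    enabled: false
  # -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
  # v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
  # Warning: This flag will be removed on 2026.05.01.
  unsafeServeV1Beta1: false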
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
# -- Extra labels attached to every resource rendered by the chart.
commonLabels: {}
# -- When true, external-secrets instances perform leader election so that
# at most one instance is active at any time.
leaderElect: false
# -- Name of the lease object used for leader election.
# Empty selects the default ('external-secrets-controller').
# Use a distinct value per deployment when several independent ESO installs share a namespace.
# @default -- "external-secrets-controller"
leaderElectionID: ""
# -- When set, only Secret Stores whose controller value matches this
# one are reconciled.
controllerClass: ""
# -- When true, the recommended kubernetes annotations are exposed as
# prometheus metric labels.
extendedMetricLabels: false
# -- When set, external secrets are reconciled only in this
# namespace.
scopedNamespace: ""
# -- When true, RBAC roles are namespace-scoped and cluster-scoped controllers are
# implicitly disabled. Scoped to scopedNamespace if set, otherwise to .Release.Namespace.
scopedRBAC: false
# -- When true, the OpenShift finalizer permissions are added to RBAC.
openshiftFinalizers: true
# -- When true, the system:auth-delegator ClusterRole is added to RBAC.
systemAuthDelegator: false
# -- When true, the operator reconciles cluster external secrets; otherwise they are ignored.
# Enabling this also grants update/patch on namespaces, which the operator needs to handle
# finalizers so that cleanup during namespace deletion does not race with ExternalSecrets.
processClusterExternalSecret: true
# -- When true, the operator reconciles cluster push secrets; otherwise they are ignored.
processClusterPushSecret: true
# -- When true, the operator reconciles cluster stores; otherwise they are ignored.
processClusterStore: true
# -- When true, the operator reconciles secret stores; otherwise they are ignored.
processSecretStore: true
# -- When true, the operator reconciles cluster generators; otherwise they are ignored.
processClusterGenerator: true
# -- When true, the operator reconciles push secrets; otherwise they are ignored.
processPushSecret: true
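# -- Enable support for generic targets (ConfigMaps, Custom Resources).
# Warning: Using generic target. Make sure access policies and encryption are properly configured.
# When enabled, this grants the controller permissions to create/update/delete
# ConfigMaps and optionally other resource types specified in genericTargets.resources.
genericTargets:
  # -- Enable generic target support
  enabled: false
  # -- List of additional resource types to grant permissions for.
  # Each entry should specify apiGroup, resources, and verbs.
  # Every entry widens the controller's RBAC, so keep verbs to the minimum the
  # target actually needs.
  # Example:
  # resources:
  #   - apiGroup: "argoproj.io"
  #     resources: ["applications"]
  #     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  resources: []
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- if true, HTTP2 will be enabled for the services created by all controllers, currently metrics and webhook.
enableHTTP2: false
# -- Vault token cache configuration
vault:
  # -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
  enableTokenCache: false
  # -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
  tokenCacheSize: 262144
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
# -- Specifies Log Params to the External Secrets Operator
log:
  level: info
  timeEncoding: epoch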
service:
  # -- ipFamilyPolicy for dual-stack clusters, see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  ipFamilyPolicy: ""
  # -- Address families to support, in order of preference, applied to the ClusterIP as well. Accepts IPv4 and/or IPv6.
  ipFamilies: []
serviceAccount:
  # -- Whether the chart creates a service account.
  create: true
  # -- Whether the service account token is automounted into every container of the pod.
  automount: true
  # -- Annotations set on the service account.
  annotations: {}
  # -- Extra labels set on the service account.
  extraLabels: {}
  # -- Service account name to use.
  # Left empty with create: true, the name comes from the fullname template.
  name: ""
rbac:
  # -- Whether role and rolebinding resources are created.
  create: true
  # -- Whether the controller RBAC includes the serviceaccounts/token create permission.
  # With false, you must create per-ServiceAccount Role/RoleBinding objects (constrained by resourceNames)
  # that grant ESO token creation for the specific ServiceAccounts referenced in SecretStore specs.
  serviceAccountTokenCreate: true
  servicebindings:
    # -- Whether a clusterrole granting read access to servicebindings is created.
    create: true
    # -- Whether those permissions are aggregated into the view ClusterRole.
    aggregateToView: true
    # -- Whether those permissions are aggregated into the edit ClusterRole.
    aggregateToEdit: true
## -- Additional environment variables for the container.
extraEnv: []
## -- Map of additional arguments passed to the container.
extraArgs: {}
## -- Additional volumes added to the pod.
extraVolumes: []
## -- Additional Kubernetes objects rendered alongside the chart.
extraObjects: []
## -- Additional volume mounts for the container.
extraVolumeMounts: []
## -- Additional init containers for the pod.
extraInitContainers: []
## -- Additional containers for the pod.
extraContainers: []
# -- Annotations set on the Deployment
deploymentAnnotations: {}
# -- Deployment strategy
strategy: {}
# -- Annotations set on the Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
  enabled: true
  # fsGroup: 2000
# Container security context. The defaults are restrictive: no privilege
# escalation, every capability dropped, read-only root filesystem, non-root
# UID 1000 and the RuntimeDefault seccomp profile.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  enabled: true
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
resources: {}
  # requests:
  #   cpu: 10m
  #   memory: 32Mi

serviceMonitor:
  # -- Create a ServiceMonitor resource so Prometheus scrapes the metrics
  enabled: false
  # -- What to do when the CRD "`monitoring.coreos.com/v1/ServiceMonitor`" is absent
  #
  # Possible values:
  # - `skipIfMissing`: render ServiceMonitor resources only when the CRD is present, otherwise skip them.
  # - `failIfMissing`: fail the Helm install when the CRD is absent.
  # - `alwaysRender` : render ServiceMonitor resources without checking for the CRD.

  # @schema
  # enum:
  #   - skipIfMissing
  #   - failIfMissing
  #   - alwaysRender
  # @schema
  renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
  # -- Namespace the ServiceMonitors are installed into
  namespace: ""
  # -- Extra labels
  additionalLabels: {}
  # -- Scrape interval
  interval: 30s
  # -- Timeout when metrics cannot be retrieved within the scrape interval
  scrapeTimeout: 25s
  # -- Let prometheus add an exported_ prefix to conflicting labels
  honorLabels: false
  # -- Metric relabel configs applied to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
  metricRelabelings: []
  # - action: replace
  #   regex: (.*)
  #   replacement: $1
  #   sourceLabels:
  #     - exported_namespace
  #   targetLabel: namespace

  # -- Relabel configs applied to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
  relabelings: []
  # - sourceLabels: [__meta_kubernetes_pod_node_name]
  #   separator: ;
  #   regex: ^(.*)$
  #   targetLabel: nodename
  #   replacement: $1
  #   action: replace
metrics:
265
listen:
266
port: 8080
267
auth:
268
# -- Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false.
269
enabled: false
270
secure:
271
enabled: false
272
# -- if those are not set or invalid, self-signed certs will be generated
273
# -- TLS cert directory path
274
certDir: /etc/tls
275
# -- TLS cert file path
276
certFile: /etc/tls/tls.crt
277
# -- TLS key file path
278
keyFile: /etc/tls/tls.key
279
service:
280
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
281
enabled: false
282
# -- Metrics service port to scrape
283
port: 8080
284
# -- Additional service annotations
285
annotations: {}
286
grafanaDashboard:
287
# -- If true creates a Grafana dashboard.
288
enabled: false
289
# -- Label that ConfigMaps should have to be loaded as dashboards.
290
sidecarLabel: "grafana_dashboard"
291
# -- Label value that ConfigMaps should have to be loaded as dashboards.
292
sidecarLabelValue: "1"
293
# -- Annotations that ConfigMaps can have to get configured in Grafana,
294
# See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
295
# https://github.com/grafana/helm-charts/tree/main/charts/grafana
296
annotations: {}
297
# -- Extra labels to add to the Grafana dashboard ConfigMap.
298
extraLabels: {}
299
livenessProbe:
300
# -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
301
enabled: false
302
# -- The body of the liveness probe settings.
303
spec:
304
# -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
305
address: ""
306
# -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
307
port: 8082
308
# -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
309
timeoutSeconds: 5
310
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
311
failureThreshold: 5
312
# -- Period in seconds for K8s to start performing probes.
313
periodSeconds: 10
314
# -- Number of successful probes to mark probe successful.
315
successThreshold: 1
316
# -- Delay in seconds for the container to start before performing the initial probe.
317
initialDelaySeconds: 10
318
# -- Handler for liveness probe.
319
httpGet:
320
# -- Set this value to 'live' (for named port) or an an integer for liveness probes.
321
# @schema type: [string, integer]
322
port: live
323
# -- Path for liveness probe.
324
path: /healthz
325
readinessProbe:
326
# -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
327
enabled: false
328
# -- The body of the readiness probe settings (standard Kubernetes probe spec).
329
spec:
330
# -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
331
timeoutSeconds: 5
332
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
333
failureThreshold: 3
334
# -- Period in seconds for K8s to start performing probes.
335
periodSeconds: 10
336
# -- Number of successful probes to mark probe successful.
337
successThreshold: 1
338
# -- Delay in seconds for the container to start before performing the initial probe.
339
initialDelaySeconds: 10
340
# -- Handler for readiness probe.
341
httpGet:
342
# -- Set this value to 'live' (for named port) or an integer for readiness probes.
343
# @schema type: [string, integer]
344
port: live
345
# -- Path for readiness probe.
346
path: /readyz
347
nodeSelector: {}
348
tolerations: []
349
topologySpreadConstraints: []
350
affinity: {}
351
# -- Pod priority class name.
352
priorityClassName: ""
353
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
354
podDisruptionBudget:
355
enabled: false
356
minAvailable: 1 # @schema type:[integer, string]
357
nameOverride: ""
358
# maxUnavailable: "50%"
359
# -- Run the controller on the host network
360
hostNetwork: false
361
# -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
362
# @schema type: [boolean, null]
363
hostUsers:
364
webhook:
365
# -- Annotations to place on validating webhook configuration.
366
annotations: {}
367
# -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
368
create: true
369
# -- Specifies the time to check if the cert is valid
370
certCheckInterval: "5m"
371
# -- Specifies the lookaheadInterval for certificate validity
372
lookaheadInterval: ""
373
replicaCount: 1
374
# -- Specifies Log Params to the Webhook
375
log:
376
level: info
377
timeEncoding: epoch
378
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
379
revisionHistoryLimit: 10
380
certDir: /tmp/certs
381
# -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
382
failurePolicy: Fail
383
# -- Specifies if webhook pod should use hostNetwork or not.
384
hostNetwork: false
385
# -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
386
# @schema type: [boolean, null]
387
hostUsers:
388
image:
389
repository: cgr.dev/chainguard-private/external-secrets
390
pullPolicy: IfNotPresent
391
# -- The image tag to use. The default is the chart appVersion.
392
tag: latest@sha256:1872bc5bfb723e6eecd769130272533a9cc70dfd35a288d5ce3d82f766b4a407
393
# -- The flavour of tag you want to use
394
flavour: ""
395
imagePullSecrets: []
396
# -- The port the webhook will listen to
397
port: 10250
398
serviceAccount:
399
# -- Specifies whether a service account should be created.
400
create: true
401
# -- Automounts the service account token in all containers of the pod
402
automount: true
403
# -- Annotations to add to the service account.
404
annotations: {}
405
# -- Extra Labels to add to the service account.
406
extraLabels: {}
407
# -- The name of the service account to use.
408
# If not set and create is true, a name is generated using the fullname template.
409
name: ""
410
nodeSelector: {}
411
# -- Specifies `hostAliases` to webhook deployment
412
hostAliases: []
413
certManager:
414
# -- Enabling cert-manager support will disable the built in secret and
415
# switch to using cert-manager (installed separately) to automatically issue
416
# and renew the webhook certificate. This chart does not install
417
# cert-manager for you, See https://cert-manager.io/docs/
418
enabled: false
419
# -- Automatically add the cert-manager.io/inject-ca-from annotation to the
420
# webhooks and CRDs. As long as you have the cert-manager CA Injector
421
# enabled, this will automatically setup your webhook's CA to the one used
422
# by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
423
addInjectorAnnotations: true
424
cert:
425
# -- Create a certificate resource within this chart. See
426
# https://cert-manager.io/docs/usage/certificate/
427
create: true
428
# -- For the Certificate created by this chart, setup the issuer. See
429
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
430
issuerRef:
431
group: cert-manager.io
432
kind: "Issuer"
433
name: "my-issuer"
434
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
435
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
436
# One year by default.
437
duration: "8760h0m0s"
438
# -- Set the revisionHistoryLimit on the Certificate. See
439
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
440
# Defaults to 0 (ignored).
441
revisionHistoryLimit: 0
442
# -- How long before the currently issued certificate’s expiry
443
# cert-manager should renew the certificate. See
444
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
445
# Note that renewBefore should be greater than .webhook.lookaheadInterval
446
# since the webhook will check this far in advance that the certificate is
447
# valid.
448
renewBefore: ""
449
# -- Specific settings on the privateKey and its generation
450
privateKey: {}
451
# rotationPolicy: Always
452
# algorithm: RSA
453
# size: 2048
454
# -- Specific settings on the signatureAlgorithm used on the cert.
455
# signatureAlgorithm is only valid for cert-manager v1.18.0+
456
signatureAlgorithm: ""
457
# -- Add extra annotations to the Certificate resource.
458
annotations: {}
459
tolerations: []
460
topologySpreadConstraints: []
461
affinity: {}
462
# -- Set deployment strategy
463
strategy: {}
464
# -- Pod priority class name.
465
priorityClassName: ""
466
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
467
podDisruptionBudget:
468
enabled: false
469
minAvailable: 1 # @schema type:[integer, string]
470
nameOverride: ""
471
# maxUnavailable: "50%"
472
metrics:
473
listen:
474
port: 8080
475
auth:
476
# -- Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false.
477
enabled: false
478
secure:
479
enabled: false
480
# -- if those are not set or invalid, self-signed certs will be generated
481
# -- TLS cert directory path
482
certDir: /etc/tls
483
# -- TLS cert file path
484
certFile: /etc/tls/tls.crt
485
# -- TLS key file path
486
keyFile: /etc/tls/tls.key
487
service:
488
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
489
enabled: false
490
# -- Metrics service port to scrape
491
port: 8080
492
# -- Additional service annotations
493
annotations: {}
494
livenessProbe:
495
enabled: false
496
# -- Set this value to 'live' (for named port) or an integer for liveness probes.
497
# @schema type: [string, integer]
498
port: 8081
499
timeoutSeconds: 5
500
failureThreshold: 5
501
periodSeconds: 10
502
successThreshold: 1
503
initialDelaySeconds: 10
504
readinessProbe:
505
enabled: true
506
address: ""
507
# -- Set this value to 'ready' (for named port) or an integer for readiness probes.
508
# @schema type: [string, integer]
509
port: 8081
510
timeoutSeconds: 5
511
failureThreshold: 3
512
periodSeconds: 5
513
successThreshold: 1
514
initialDelaySeconds: 20
515
## -- Extra environment variables to add to container.
516
extraEnv: []
517
## -- Map of extra arguments to pass to container.
518
extraArgs: {}
519
## -- Extra init containers to add to the pod.
520
extraInitContainers: []
521
## -- Extra volumes to pass to pod.
522
extraVolumes: []
523
## -- Extra volumes to mount to the container.
524
extraVolumeMounts: []
525
# -- Annotations to add to Secret
526
secretAnnotations: {}
527
# -- Annotations to add to Deployment
528
deploymentAnnotations: {}
529
# -- Annotations to add to Pod
530
podAnnotations: {}
531
podLabels: {}
532
podSecurityContext:
533
enabled: true
534
# fsGroup: 2000
535
securityContext:
536
allowPrivilegeEscalation: false
537
capabilities:
538
drop:
539
- ALL
540
enabled: true
541
readOnlyRootFilesystem: true
542
runAsNonRoot: true
543
runAsUser: 1000
544
seccompProfile:
545
type: RuntimeDefault
546
resources: {}
547
# requests:
548
# cpu: 10m
549
# memory: 32Mi
550
551
# -- Manage the service through which the webhook is reached.
552
service:
553
# -- Whether the service object should be enabled or not (it is expected to exist).
554
enabled: true
555
# -- Custom annotations for the webhook service.
556
annotations: {}
557
# -- Custom labels for the webhook service.
558
labels: {}
559
# -- The service type of the webhook service.
560
type: ClusterIP
561
# -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
562
# Check the documentation of your load balancer provider to see if/how this should be used.
563
loadBalancerIP: ""
564
certController:
565
# -- Specifies whether a certificate controller deployment be created.
566
create: true
567
requeueInterval: "5m"
568
replicaCount: 1
569
# -- Specifies Log Params to the Certificate Controller
570
log:
571
level: info
572
timeEncoding: epoch
573
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
574
revisionHistoryLimit: 10
575
image:
576
repository: cgr.dev/chainguard-private/external-secrets
577
pullPolicy: IfNotPresent
578
tag: latest@sha256:1872bc5bfb723e6eecd769130272533a9cc70dfd35a288d5ce3d82f766b4a407
579
flavour: ""
580
imagePullSecrets: []
581
rbac:
582
# -- Specifies whether role and rolebinding resources should be created.
583
create: true
584
serviceAccount:
585
# -- Specifies whether a service account should be created.
586
create: true
587
# -- Automounts the service account token in all containers of the pod
588
automount: true
589
# -- Annotations to add to the service account.
590
annotations: {}
591
# -- Extra Labels to add to the service account.
592
extraLabels: {}
593
# -- The name of the service account to use.
594
# If not set and create is true, a name is generated using the fullname template.
595
name: ""
596
nodeSelector: {}
597
# -- Specifies `hostAliases` to cert-controller deployment
598
hostAliases: []
599
tolerations: []
600
topologySpreadConstraints: []
601
affinity: {}
602
# -- Set deployment strategy
603
strategy: {}
604
# -- Run the certController on the host network
605
hostNetwork: false
606
# -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
607
# @schema type: [boolean, null]
608
hostUsers:
609
# -- Pod priority class name.
610
priorityClassName: ""
611
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
612
podDisruptionBudget:
613
enabled: false
614
minAvailable: 1 # @schema type:[integer, string]
615
nameOverride: ""
616
# maxUnavailable: "50%"
617
metrics:
618
listen:
619
port: 8080
620
auth:
621
# -- Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false.
622
enabled: false
623
secure:
624
enabled: false
625
# -- if those are not set or invalid, self-signed certs will be generated
626
# -- TLS cert directory path
627
certDir: /etc/tls
628
# -- TLS cert file path
629
certFile: /etc/tls/tls.crt
630
# -- TLS key file path
631
keyFile: /etc/tls/tls.key
632
service:
633
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
634
enabled: false
635
# -- Metrics service port to scrape
636
port: 8080
637
# -- Additional service annotations
638
annotations: {}
639
livenessProbe:
640
enabled: false
641
# -- Set this value to 'live' (for named port) or an integer for liveness probes.
642
# @schema type: [string, integer]
643
port: 8081
644
timeoutSeconds: 5
645
failureThreshold: 5
646
periodSeconds: 10
647
successThreshold: 1
648
initialDelaySeconds: 10
649
readinessProbe:
650
enabled: true
651
address: ""
652
# -- Set this value to 'ready' (for named port) or an integer for readiness probes.
653
# @schema type: [string, integer]
654
port: 8081
655
timeoutSeconds: 5
656
failureThreshold: 3
657
periodSeconds: 5
658
successThreshold: 1
659
initialDelaySeconds: 20
660
startupProbe:
661
# -- Enabled determines if the startup probe should be used or not. By default it's enabled
662
enabled: false
663
# -- whether to use the readiness probe port for startup probe.
664
useReadinessProbePort: true
665
# -- Port for startup probe.
666
port: ""
667
## -- Extra environment variables to add to container.
668
extraEnv: []
669
## -- Map of extra arguments to pass to container.
670
extraArgs: {}
671
## -- Extra init containers to add to the pod.
672
extraInitContainers: []
673
## -- Extra volumes to pass to pod.
674
extraVolumes: []
675
## -- Extra volumes to mount to the container.
676
extraVolumeMounts: []
677
# -- Annotations to add to Deployment
678
deploymentAnnotations: {}
679
# -- Annotations to add to Pod
680
podAnnotations: {}
681
podLabels: {}
682
podSecurityContext:
683
enabled: true
684
# fsGroup: 2000
685
securityContext:
686
allowPrivilegeEscalation: false
687
capabilities:
688
drop:
689
- ALL
690
enabled: true
691
readOnlyRootFilesystem: true
692
runAsNonRoot: true
693
runAsUser: 1000
694
seccompProfile:
695
type: RuntimeDefault
696
resources: {}
697
# requests:
698
# cpu: 10m
699
# memory: 32Mi
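# -- Specifies `dnsPolicy` to deployment
dnsPolicy: ClusterFirst
# -- Specifies `dnsConfig` to deployment
dnsConfig: {}
# -- Specifies `hostAliases` to deployment
hostAliases: []
# -- Any extra pod spec on the deployment
podSpecExtra: {}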