4 topologySpreadConstraints: []
6 # topologyKey: topology.kubernetes.io/zone
7 # whenUnsatisfiable: ScheduleAnyway
11 # topologyKey: kubernetes.io/hostname
12 # whenUnsatisfiable: DoNotSchedule
16 # -- Global hostAliases to be applied to all deployments
18 # -- Global pod labels to be applied to all deployments
20 # -- Global pod annotations to be applied to all deployments
22 # -- Global imagePullSecrets to be applied to all deployments
24 # -- Global image repository to be applied to all deployments
28 # -- Manages the securityContext properties to make them compatible with OpenShift.
30 # auto - Apply configurations if it is detected that OpenShift is the target platform.
31 # force - Always apply configurations.
32 # disabled - No modification applied.
33 adaptSecurityContext: auto
38# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
39revisionHistoryLimit: 10
41 repository: cgr.dev/chainguard-private/external-secrets
42 pullPolicy: IfNotPresent
43 # -- The image tag to use. The default is the chart appVersion.
44 tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
45 # -- The flavour of tag you want to use
46 # There are different image flavours available, like distroless and ubi.
47 # Please see GitHub release notes for image tags for these flavors.
48 # By default, the distroless image is used.
50# -- If set, install and upgrade CRDs through helm chart.
53 # -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
54 createClusterExternalSecret: true
55 # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
56 createClusterSecretStore: true
57 # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
58 createSecretStore: true
59 # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
60 createClusterGenerator: true
61 # -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
62 createClusterPushSecret: true
63 # -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
64 createPushSecret: true
67 # -- Conversion is disabled by default as we stopped supporting v1alpha1.
69 # -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
70 # v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
71 # Warning: This flag will be removed on 2026.05.01.
72 unsafeServeV1Beta1: false
77# -- Additional labels added to all helm chart resources.
79# -- If true, external-secrets will perform leader election between instances to ensure no more
80# than one instance of external-secrets operates at a time.
82# -- ID of the lease object used for leader election.
83# Leave empty to use the default ('external-secrets-controller').
84# Set to a unique value when running multiple independent ESO deployments in the same namespace.
85# @default -- "external-secrets-controller"
87# -- If set external secrets will filter matching
88# Secret Stores with the appropriate controller values.
90# -- If true external secrets will use recommended kubernetes
91# annotations as prometheus metric labels.
92extendedMetricLabels: false
93# -- If set external secrets are only reconciled in the
96# -- If true, create scoped RBAC roles and implicitly disable cluster-scoped
97# controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace.
99# -- If true the OpenShift finalizer permissions will be added to RBAC
100openshiftFinalizers: true
101# -- If true the system:auth-delegator ClusterRole will be added to RBAC
102systemAuthDelegator: false
103# -- if true, the operator will process cluster external secret. Else, it will ignore them.
104# When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
105# cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
106processClusterExternalSecret: true
107# -- if true, the operator will process cluster push secret. Else, it will ignore them.
108processClusterPushSecret: true
109# -- if true, the operator will process cluster store. Else, it will ignore them.
110processClusterStore: true
111# -- if true, the operator will process secret store. Else, it will ignore them.
112processSecretStore: true
113# -- Default time duration between reconciling (Cluster)SecretStores.
114storeRequeueInterval: ""
115# -- if true, the operator will process cluster generator. Else, it will ignore them.
116processClusterGenerator: true
117# -- if true, the operator will process push secret. Else, it will ignore them.
118processPushSecret: true
119# -- Enable support for generic targets (ConfigMaps, Custom Resources).
120# Warning: Using generic target. Make sure access policies and encryption are properly configured.
121# When enabled, this grants the controller permissions to create/update/delete
122# ConfigMaps and optionally other resource types specified in generic.resources.
124 # -- Enable generic target support
126 # -- List of additional resource types to grant permissions for.
127 # Each entry should specify apiGroup, resources, and verbs.
130 # - apiGroup: "argoproj.io"
131 # resources: ["applications"]
132 # verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
134# -- Specifies whether an external secret operator deployment be created.
136# -- if true, HTTP2 will be enabled for the services created by all controllers, curently metrics and webhook.
138# -- Vault token cache configuration
140 # -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
141 enableTokenCache: false
142 # -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
143 tokenCacheSize: 262144
144# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
147# -- Specifies Log Params to the External Secrets Operator
152 # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
154 # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
157 # -- Specifies whether a service account should be created.
159 # -- Automounts the service account token in all containers of the pod
161 # -- Annotations to add to the service account.
163 # -- Extra Labels to add to the service account.
165 # -- The name of the service account to use.
166 # If not set and create is true, a name is generated using the fullname template.
169 # -- Specifies whether role and rolebinding resources should be created.
171 # -- Specifies whether the serviceaccounts/token create permission is included in the controller RBAC.
172 # When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint
173 # to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs.
174 serviceAccountTokenCreate: true
176 # -- Specifies whether a clusterrole to give servicebindings read access should be created.
178 # -- Specifies whether permissions are aggregated to the view ClusterRole
179 aggregateToView: true
180 # -- Specifies whether permissions are aggregated to the edit ClusterRole
181 aggregateToEdit: true
182## -- Extra environment variables to add to container.
184## -- Map of extra arguments to pass to container.
186## -- Extra volumes to pass to pod.
188## -- Extra Kubernetes objects to deploy with the helm chart
190## -- Extra volumes to mount to the container.
192## -- Extra init containers to add to the pod.
193extraInitContainers: []
194## -- Extra containers to add to the pod.
196# -- Annotations to add to Deployment
197deploymentAnnotations: {}
198# -- Set deployment strategy
200# -- Annotations to add to Pod
207 allowPrivilegeEscalation: false
212 readOnlyRootFilesystem: true
223 # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
225 # -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
228 # - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
229 # - `failIfMissing`: Fail Helm install if CRD is not present.
230 # - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.
238 renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
239 # -- namespace where you want to install ServiceMonitors
241 # -- Additional labels
243 # -- Interval to scrape metrics
245 # -- Timeout if metrics can't be retrieved in given time interval
247 # -- Let prometheus add an exported_ prefix to conflicting labels
249 # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
250 metricRelabelings: []
255 # - exported_namespace
256 # targetLabel: namespace
258 # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
260 # - sourceLabels: [__meta_kubernetes_pod_node_name]
263 # targetLabel: nodename
270 # -- Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false.
274 # -- if those are not set or invalid, self-signed certs will be generated
275 # -- TLS cert directory path
277 # -- TLS cert file path
278 certFile: /etc/tls/tls.crt
279 # -- TLS key file path
280 keyFile: /etc/tls/tls.key
282 # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
284 # -- Metrics service port to scrape
286 # -- Additional service annotations
289 # -- If true creates a Grafana dashboard.
291 # -- Label that ConfigMaps should have to be loaded as dashboards.
292 sidecarLabel: "grafana_dashboard"
293 # -- Label value that ConfigMaps should have to be loaded as dashboards.
294 sidecarLabelValue: "1"
295 # -- Annotations that ConfigMaps can have to get configured in Grafana,
296 # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
297 # https://github.com/grafana/helm-charts/tree/main/charts/grafana
299 # -- Extra labels to add to the Grafana dashboard ConfigMap.
302 # -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
304 # -- The body of the liveness probe settings.
306 # -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
308 # -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
310 # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
312 # -- Number of consecutive probe failures that should occur before considering the probe as failed.
314 # -- Period in seconds for K8s to start performing probes.
316 # -- Number of successful probes to mark probe successful.
318 # -- Delay in seconds for the container to start before performing the initial probe.
319 initialDelaySeconds: 10
320 # -- Handler for liveness probe.
322 # -- Set this value to 'live' (for named port) or an an integer for liveness probes.
323 # @schema type: [string, integer]
325 # -- Path for liveness probe.
328 # -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
330 # -- The body of the readiness probe settings (standard Kubernetes probe spec).
332 # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
334 # -- Number of consecutive probe failures that should occur before considering the probe as failed.
336 # -- Period in seconds for K8s to start performing probes.
338 # -- Number of successful probes to mark probe successful.
340 # -- Delay in seconds for the container to start before performing the initial probe.
341 initialDelaySeconds: 10
342 # -- Handler for readiness probe.
344 # -- Set this value to 'live' (for named port) or an integer for readiness probes.
345 # @schema type: [string, integer]
347 # -- Path for readiness probe.
351topologySpreadConstraints: []
353# -- Pod priority class name.
355# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
358 minAvailable: 1 # @schema type:[integer, string]
360 # maxUnavailable: "50%"
361# -- Run the controller on the host network
363# -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
364# @schema type: [boolean, null]
367 # -- Annotations to place on validating webhook configuration.
369 # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
371 # -- Specifies the time to check if the cert is valid
372 certCheckInterval: "5m"
373 # -- Specifies the lookaheadInterval for certificate validity
374 lookaheadInterval: ""
376 # -- Specifies Log Params to the Webhook
380 # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
381 revisionHistoryLimit: 10
383 # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
385 # -- Specifies if webhook pod should use hostNetwork or not.
387 # -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
388 # @schema type: [boolean, null]
391 repository: cgr.dev/chainguard-private/external-secrets
392 pullPolicy: IfNotPresent
393 # -- The image tag to use. The default is the chart appVersion.
394 tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
395 # -- The flavour of tag you want to use
398 # -- The port the webhook will listen to
401 # -- Specifies whether a service account should be created.
403 # -- Automounts the service account token in all containers of the pod
405 # -- Annotations to add to the service account.
407 # -- Extra Labels to add to the service account.
409 # -- The name of the service account to use.
410 # If not set and create is true, a name is generated using the fullname template.
413 # -- Specifies `hostAliases` to webhook deployment
416 # -- Enabling cert-manager support will disable the built in secret and
417 # switch to using cert-manager (installed separately) to automatically issue
418 # and renew the webhook certificate. This chart does not install
419 # cert-manager for you, See https://cert-manager.io/docs/
421 # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
422 # webhooks and CRDs. As long as you have the cert-manager CA Injector
423 # enabled, this will automatically setup your webhook's CA to the one used
424 # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
425 addInjectorAnnotations: true
427 # -- Create a certificate resource within this chart. See
428 # https://cert-manager.io/docs/usage/certificate/
430 # -- For the Certificate created by this chart, setup the issuer. See
431 # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
433 group: cert-manager.io
436 # -- Set the requested duration (i.e. lifetime) of the Certificate. See
437 # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
438 # One year by default.
439 duration: "8760h0m0s"
440 # -- Set the revisionHistoryLimit on the Certificate. See
441 # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
442 # Defaults to 0 (ignored).
443 revisionHistoryLimit: 0
444 # -- How long before the currently issued certificate’s expiry
445 # cert-manager should renew the certificate. See
446 # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
447 # Note that renewBefore should be greater than .webhook.lookaheadInterval
448 # since the webhook will check this far in advance that the certificate is
451 # -- Specific settings on the privateKey and its generation
453 # rotationPolicy: Always
456 # -- Specific settings on the signatureAlgorithm used on the cert.
457 # signatureAlgorithm is only valid for cert-manager v1.18.0+
458 signatureAlgorithm: ""
459 # -- Add extra annotations to the Certificate resource.
462 topologySpreadConstraints: []
464 # -- Set deployment strategy
466 # -- Pod priority class name.
467 priorityClassName: ""
468 # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
471 minAvailable: 1 # @schema type:[integer, string]
473 # maxUnavailable: "50%"
478 # -- Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false.
482 # -- if those are not set or invalid, self-signed certs will be generated
483 # -- TLS cert directory path
485 # -- TLS cert file path
486 certFile: /etc/tls/tls.crt
487 # -- TLS key file path
488 keyFile: /etc/tls/tls.key
490 # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
492 # -- Metrics service port to scrape
494 # -- Additional service annotations
498 # -- Set this value to 'live' (for named port) or an integer for liveness probes.
499 # @schema type: [string, integer]
505 initialDelaySeconds: 10
509 # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
510 # @schema type: [string, integer]
516 initialDelaySeconds: 20
517 ## -- Extra environment variables to add to container.
519 ## -- Map of extra arguments to pass to container.
521 ## -- Extra init containers to add to the pod.
522 extraInitContainers: []
523 ## -- Extra volumes to pass to pod.
525 ## -- Extra volumes to mount to the container.
526 extraVolumeMounts: []
527 # -- Annotations to add to Secret
528 secretAnnotations: {}
529 # -- Annotations to add to Deployment
530 deploymentAnnotations: {}
531 # -- Annotations to add to Pod
538 allowPrivilegeEscalation: false
543 readOnlyRootFilesystem: true
553 # -- Manage the service through which the webhook is reached.
555 # -- Whether the service object should be enabled or not (it is expected to exist).
557 # -- Custom annotations for the webhook service.
559 # -- Custom labels for the webhook service.
561 # -- The service type of the webhook service.
563 # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
564 # Check the documentation of your load balancer provider to see if/how this should be used.
567 # -- Specifies whether a certificate controller deployment be created.
569 requeueInterval: "5m"
571 # -- Specifies Log Params to the Certificate Controller
575 # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
576 revisionHistoryLimit: 10
578 repository: cgr.dev/chainguard-private/external-secrets
579 pullPolicy: IfNotPresent
580 tag: latest@sha256:910e8e24c4cf0f1fc09b2f6e2df6312745c5bc844a22e18ca8e7cc1124ef59a1
584 # -- Specifies whether role and rolebinding resources should be created.
587 # -- Specifies whether a service account should be created.
589 # -- Automounts the service account token in all containers of the pod
591 # -- Annotations to add to the service account.
593 # -- Extra Labels to add to the service account.
595 # -- The name of the service account to use.
596 # If not set and create is true, a name is generated using the fullname template.
599 # -- Specifies `hostAliases` to cert-controller deployment
602 topologySpreadConstraints: []
604 # -- Set deployment strategy
606 # -- Run the certController on the host network
608 # -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
609 # @schema type: [boolean, null]
611 # -- Pod priority class name.
612 priorityClassName: ""
613 # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
616 minAvailable: 1 # @schema type:[integer, string]
618 # maxUnavailable: "50%"
623 # -- Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false.
627 # -- if those are not set or invalid, self-signed certs will be generated
628 # -- TLS cert directory path
630 # -- TLS cert file path
631 certFile: /etc/tls/tls.crt
632 # -- TLS key file path
633 keyFile: /etc/tls/tls.key
635 # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
637 # -- Metrics service port to scrape
639 # -- Additional service annotations
643 # -- Set this value to 'live' (for named port) or an integer for liveness probes.
644 # @schema type: [string, integer]
650 initialDelaySeconds: 10
654 # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
655 # @schema type: [string, integer]
661 initialDelaySeconds: 20
663 # -- Enabled determines if the startup probe should be used or not. By default it's enabled
665 # -- whether to use the readiness probe port for startup probe.
666 useReadinessProbePort: true
667 # -- Port for startup probe.
669 ## -- Extra environment variables to add to container.
671 ## -- Map of extra arguments to pass to container.
673 ## -- Extra init containers to add to the pod.
674 extraInitContainers: []
675 ## -- Extra volumes to pass to pod.
677 ## -- Extra volumes to mount to the container.
678 extraVolumeMounts: []
679 # -- Annotations to add to Deployment
680 deploymentAnnotations: {}
681 # -- Annotations to add to Pod
688 allowPrivilegeEscalation: false
693 readOnlyRootFilesystem: true
702# -- Specifies `dnsPolicy` to deployment
703dnsPolicy: ClusterFirst
704# -- Specifies `dnsOptions` to deployment
706# -- Specifies `hostAliases` to deployment
708# -- Any extra pod spec on the deployment