# Template ExternalSecret - Basic Configuration
#
# This template syncs secrets from Vault into a Kubernetes Secret.
# Copy this file to your `secrets-<repo-name>/` folder and customize.
#
# The secrets defined here will be synced into a Kubernetes Secret named "app-secrets"
# that your pods can mount or reference via environment variables.
#
# This file holds only references (Vault paths and property names), never
# secret values, so it is safe to commit. The resulting Kubernetes Secret does
# hold the values, and anyone with read access to Secrets in the target
# namespace can retrieve them; scope RBAC on that namespace accordingly.

# NOTE(review): newer External Secrets Operator releases serve
# `external-secrets.io/v1`; confirm which API version your cluster's CRDs serve.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  # Use the application's own namespace rather than `default`, so access to
  # the synced Secret follows that namespace's RBAC.
  namespace: default  # CHANGE: Your application's namespace
spec:
  # How often to sync secrets (shorter = more frequent updates).
  # A value rotated or revoked in Vault can take up to this long to reach the
  # Kubernetes Secret. Pods that read the Secret through environment variables
  # keep the old value until they are restarted.
  refreshInterval: 1h

  # Reference to the SecretStore (must be in the same namespace as this
  # ExternalSecret) or ClusterSecretStore (available cluster-wide).
  # A namespaced SecretStore keeps the Vault credentials scoped to one
  # namespace; prefer it unless a shared store is actually required.
  secretStoreRef:
    name: vault-secretstore  # CHANGE: Name of your SecretStore
    kind: SecretStore  # CHANGE: Use "ClusterSecretStore" if using cluster-wide store

  # Target: where to create the synced Kubernetes Secret
  target:
    name: app-secrets  # CHANGE: Name of the Secret to create
    # Owner: the operator creates the Secret and owns it, so the Secret is
    # removed when this ExternalSecret is deleted.
    creationPolicy: Owner
    template:
      engineVersion: v2
      # Template the secret data (optional transformation).
      # Each `{{ .name }}` refers to a `secretKey` from `spec.data` below.
      # With a template present, the Secret contains the keys listed here.
      data:
        DATABASE_URL: "{{ .db_url }}"
        API_KEY: "{{ .api_key }}"

  # Source: which secrets to fetch from the backend.
  # List only the paths this application needs, and make sure the Vault role
  # behind the SecretStore is limited to those paths.
  data:
    - secretKey: db_url  # Name used in template and Secret
      remoteRef:
        key: my-app/database  # CHANGE: Path in Vault
        property: url  # CHANGE: Property within that Vault key

    - secretKey: api_key  # Name used in template and Secret
      remoteRef:
        key: my-app/api  # CHANGE: Path in Vault
        property: token  # CHANGE: Property within that Vault key