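global:
  nodeSelector: {}
  tolerations: []
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: ScheduleAnyway
  #   matchLabelKeys:
  #     - pod-template-hash
  # - maxSkew: 1
  #   topologyKey: kubernetes.io/hostname
  #   whenUnsatisfiable: DoNotSchedule
  #   matchLabelKeys:
  #     - pod-template-hash
  affinity: {}
  # -- Global hostAliases to be applied to all deployments
  hostAliases: []
  # -- Global pod labels to be applied to all deployments
  podLabels: {}
  # -- Global pod annotations to be applied to all deployments
  podAnnotations: {}
  # -- Global imagePullSecrets to be applied to all deployments
  imagePullSecrets: []
  # -- Global image repository to be applied to all deployments
  repository: ""
  compatibility:
    openshift:
      # -- Manages the securityContext properties to make them compatible with OpenShift.
      # Possible values:
      # auto - Apply configurations if it is detected that OpenShift is the target platform.
      # force - Always apply configurations.
      # disabled - No modification applied.
      adaptSecurityContext: auto
replicaCount: 1
bitwarden-sdk-server:
  enabled: false
  namespaceOverride: ""
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
  repository: cgr.dev/chainguard-private/external-secrets
  pullPolicy: IfNotPresent
  # The default below carries a digest: when both a tag and a digest are given,
  # the digest identifies the image that is pulled and the tag is informational.
  # -- The image tag to use. The default is the chart appVersion.
  tag: latest@sha256:d2c9181872c4cf603887deeb24ffd9e24e8faa21ed3d62b86073790395bb59e5
  # -- The flavour of tag you want to use
  # There are different image flavours available, like distroless and ubi.
  # Please see GitHub release notes for image tags for these flavors.
  # By default, the distroless image is used.
  flavour: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
crds:
  # -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
  createClusterExternalSecret: true
  # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
  createClusterSecretStore: true
  # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
  createSecretStore: true
  # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
  createClusterGenerator: true
  # -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
  createClusterPushSecret: true
  # -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
  createPushSecret: true
  annotations: {}
  conversion:
    # -- Conversion is disabled by default as we stopped supporting v1alpha1.
    enabled: false
  # -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
  # v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
  # Warning: This flag will be removed on 2026.05.01.
  unsafeServeV1Beta1: false
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
# -- Additional labels added to all helm chart resources.
commonLabels: {}
# Enable this when running more than one replica so that only one instance
# reconciles at a time.
# -- If true, external-secrets will perform leader election between instances to ensure no more
# than one instance of external-secrets operates at a time.
leaderElect: false
# -- ID of the lease object used for leader election.
# Leave empty to use the default ('external-secrets-controller').
# Set to a unique value when running multiple independent ESO deployments in the same namespace.
# @default -- "external-secrets-controller"
leaderElectionID: ""
# -- If set external secrets will filter matching
# Secret Stores with the appropriate controller values.
controllerClass: ""
# -- If true external secrets will use recommended kubernetes
# annotations as prometheus metric labels.
extendedMetricLabels: false
# -- If set external secrets are only reconciled in the
# provided namespace
scopedNamespace: ""
# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
# -- If true the OpenShift finalizer permissions will be added to RBAC
openshiftFinalizers: true
# system:auth-delegator allows the bound service account to create TokenReviews
# and SubjectAccessReviews; keep it disabled unless a feature requires it.
# -- If true the system:auth-delegator ClusterRole will be added to RBAC
systemAuthDelegator: false
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
# When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
# cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
processClusterExternalSecret: true
# -- if true, the operator will process cluster push secret. Else, it will ignore them.
processClusterPushSecret: true
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
# -- if true, the operator will process secret store. Else, it will ignore them.
processSecretStore: true
# -- if true, the operator will process cluster generator. Else, it will ignore them.
processClusterGenerator: true
# -- if true, the operator will process push secret. Else, it will ignore them.
processPushSecret: true
# -- Enable support for generic targets (ConfigMaps, Custom Resources).
# Warning: Using generic target. Make sure access policies and encryption are properly configured.
# When enabled, this grants the controller permissions to create/update/delete
# ConfigMaps and optionally other resource types specified in generic.resources.
genericTargets:
  # -- Enable generic target support
  enabled: false
  # -- List of additional resource types to grant permissions for.
  # Each entry should specify apiGroup, resources, and verbs.
  # Example:
  # resources:
  #   - apiGroup: "argoproj.io"
  #     resources: ["applications"]
  #     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  resources: []
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- if true, HTTP2 will be enabled for the services created by all controllers, currently metrics and webhook.
enableHTTP2: false
# -- Vault token cache configuration
vault:
  # -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
  enableTokenCache: false
  # -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
  tokenCacheSize: 262144
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
# -- Specifies Log Params to the External Secrets Operator
log:
  level: info
  timeEncoding: epoch
service:
  # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  ipFamilyPolicy: ""
  # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  ipFamilies: []
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Automounts the service account token in all containers of the pod
  automount: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- Extra Labels to add to the service account.
  extraLabels: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  name: ""
rbac:
  # -- Specifies whether role and rolebinding resources should be created.
  create: true
  servicebindings:
    # -- Specifies whether a clusterrole to give servicebindings read access should be created.
    create: true
  # -- Specifies whether permissions are aggregated to the view ClusterRole
  aggregateToView: true
  # -- Specifies whether permissions are aggregated to the edit ClusterRole
  aggregateToEdit: true
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra Kubernetes objects to deploy with the helm chart
extraObjects: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
## -- Extra init containers to add to the pod.
extraInitContainers: []
## -- Extra containers to add to the pod.
extraContainers: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Set deployment strategy
strategy: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
  enabled: true
  # fsGroup: 2000
# Hardened container defaults: non-root, no privilege escalation, all
# capabilities dropped, read-only root filesystem, RuntimeDefault seccomp.
# Relax individual fields only where a workload demonstrably needs it.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  enabled: true
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
resources: {}
  # requests:
  #   cpu: 10m
  #   memory: 32Mi

serviceMonitor:
  # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
  enabled: false
  # -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
  #
  # Possible values:
  # - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
  # - `failIfMissing`: Fail Helm install if CRD is not present.
  # - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.

  # @schema
  # enum:
  #   - skipIfMissing
  #   - failIfMissing
  #   - alwaysRender
  # @schema
  renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
  # -- namespace where you want to install ServiceMonitors
  namespace: ""
  # -- Additional labels
  additionalLabels: {}
  # -- Interval to scrape metrics
  interval: 30s
  # -- Timeout if metrics can't be retrieved in given time interval
  scrapeTimeout: 25s
  # -- Let prometheus add an exported_ prefix to conflicting labels
  honorLabels: false
  # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
  metricRelabelings: []
  # - action: replace
  #   regex: (.*)
  #   replacement: $1
  #   sourceLabels:
  #   - exported_namespace
  #   targetLabel: namespace

  # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
  relabelings: []
  # - sourceLabels: [__meta_kubernetes_pod_node_name]
  #   separator: ;
  #   regex: ^(.*)$
  #   targetLabel: nodename
  #   replacement: $1
  #   action: replace
metrics:
  listen:
    port: 8080
    secure:
      # When false the metrics listener serves plain HTTP. Enable TLS here or
      # restrict who can reach the port (e.g. with a NetworkPolicy).
      enabled: false
      # -- if those are not set or invalid, self-signed certs will be generated
      # -- TLS cert directory path
      certDir: /etc/tls
      # -- TLS cert file path
      certFile: /etc/tls/tls.crt
      # -- TLS key file path
      keyFile: /etc/tls/tls.key
  service:
    # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
    enabled: false
    # -- Metrics service port to scrape
    port: 8080
    # -- Additional service annotations
    annotations: {}
grafanaDashboard:
  # -- If true creates a Grafana dashboard.
  enabled: false
  # -- Label that ConfigMaps should have to be loaded as dashboards.
  sidecarLabel: "grafana_dashboard"
  # -- Label value that ConfigMaps should have to be loaded as dashboards.
  sidecarLabelValue: "1"
  # -- Annotations that ConfigMaps can have to get configured in Grafana,
  # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
  # https://github.com/grafana/helm-charts/tree/main/charts/grafana
  annotations: {}
  # -- Extra labels to add to the Grafana dashboard ConfigMap.
  extraLabels: {}
livenessProbe:
  # -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
  enabled: false
  # -- The body of the liveness probe settings.
  spec:
    # -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
    address: ""
    # -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
    port: 8082
    # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
    timeoutSeconds: 5
    # -- Number of consecutive probe failures that should occur before considering the probe as failed.
    failureThreshold: 5
    # -- Period in seconds for K8s to start performing probes.
    periodSeconds: 10
    # -- Number of successful probes to mark probe successful.
    successThreshold: 1
    # -- Delay in seconds for the container to start before performing the initial probe.
    initialDelaySeconds: 10
    # -- Handler for liveness probe.
    httpGet:
      # -- Set this value to 'live' (for named port) or an integer for liveness probes.
      # @schema type: [string, integer]
      port: live
      # -- Path for liveness probe.
      path: /healthz
readinessProbe:
  # -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
  enabled: false
  # -- The body of the readiness probe settings (standard Kubernetes probe spec).
  spec:
    # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
    timeoutSeconds: 5
    # -- Number of consecutive probe failures that should occur before considering the probe as failed.
    failureThreshold: 3
    # -- Period in seconds for K8s to start performing probes.
    periodSeconds: 10
    # -- Number of successful probes to mark probe successful.
    successThreshold: 1
    # -- Delay in seconds for the container to start before performing the initial probe.
    initialDelaySeconds: 10
    # -- Handler for readiness probe.
    httpGet:
      # -- Set this value to 'live' (for named port) or an integer for readiness probes.
      # @schema type: [string, integer]
      port: live
      # -- Path for readiness probe.
      path: /readyz
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
  enabled: false
  minAvailable: 1 # @schema type:[integer, string]
  nameOverride: ""
  # maxUnavailable: "50%"
# hostNetwork places the pod's listeners in the node's network namespace and
# bypasses pod-level network isolation; keep it false unless required.
# -- Run the controller on the host network
hostNetwork: false
# -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
# @schema type: [boolean, null]
hostUsers: null
webhook:
  # -- Annotations to place on validating webhook configuration.
  annotations: {}
  # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
  create: true
  # -- Specifies the time to check if the cert is valid
  certCheckInterval: "5m"
  # -- Specifies the lookaheadInterval for certificate validity
  lookaheadInterval: ""
  replicaCount: 1
  # -- Specifies Log Params to the Webhook
  log:
    level: info
    timeEncoding: epoch
  # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  revisionHistoryLimit: 10
  certDir: /tmp/certs
  # With Ignore the API server admits requests while the webhook is unreachable,
  # so validation becomes best-effort; Fail enforces it.
  # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
  failurePolicy: Fail
  # -- Specifies if webhook pod should use hostNetwork or not.
  hostNetwork: false
  # -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  # @schema type: [boolean, null]
  hostUsers: null
  image:
    repository: cgr.dev/chainguard-private/external-secrets
    pullPolicy: IfNotPresent
    # -- The image tag to use. The default is the chart appVersion.
    tag: latest@sha256:d2c9181872c4cf603887deeb24ffd9e24e8faa21ed3d62b86073790395bb59e5
    # -- The flavour of tag you want to use
    flavour: ""
  imagePullSecrets: []
  # -- The port the webhook will listen to
  port: 10250
  serviceAccount:
    # -- Specifies whether a service account should be created.
    create: true
    # -- Automounts the service account token in all containers of the pod
    automount: true
    # -- Annotations to add to the service account.
    annotations: {}
    # -- Extra Labels to add to the service account.
    extraLabels: {}
    # -- The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    name: ""
  nodeSelector: {}
  # -- Specifies `hostAliases` to webhook deployment
  hostAliases: []
  certManager:
    # -- Enabling cert-manager support will disable the built in secret and
    # switch to using cert-manager (installed separately) to automatically issue
    # and renew the webhook certificate. This chart does not install
    # cert-manager for you, See https://cert-manager.io/docs/
    enabled: false
    # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
    # webhooks and CRDs. As long as you have the cert-manager CA Injector
    # enabled, this will automatically setup your webhook's CA to the one used
    # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
    addInjectorAnnotations: true
    cert:
      # -- Create a certificate resource within this chart. See
      # https://cert-manager.io/docs/usage/certificate/
      create: true
      # -- For the Certificate created by this chart, setup the issuer. See
      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
      issuerRef:
        group: cert-manager.io
        kind: "Issuer"
        name: "my-issuer"
      # -- Set the requested duration (i.e. lifetime) of the Certificate. See
      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
      # One year by default.
      duration: "8760h0m0s"
      # -- Set the revisionHistoryLimit on the Certificate. See
      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
      # Defaults to 0 (ignored).
      revisionHistoryLimit: 0
      # -- How long before the currently issued certificate’s expiry
      # cert-manager should renew the certificate. See
      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
      # Note that renewBefore should be greater than .webhook.lookaheadInterval
      # since the webhook will check this far in advance that the certificate is
      # valid.
      renewBefore: ""
      # -- Specific settings on the privateKey and its generation
      privateKey: {}
      # rotationPolicy: Always
      # algorithm: RSA
      # size: 2048
      # -- Specific settings on the signatureAlgorithm used on the cert.
      # signatureAlgorithm is only valid for cert-manager v1.18.0+
      signatureAlgorithm: ""
      # -- Add extra annotations to the Certificate resource.
      annotations: {}
  tolerations: []
  topologySpreadConstraints: []
  affinity: {}
  # -- Set deployment strategy
  strategy: {}
  # -- Pod priority class name.
  priorityClassName: ""
  # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  podDisruptionBudget:
    enabled: false
    minAvailable: 1 # @schema type:[integer, string]
    nameOverride: ""
    # maxUnavailable: "50%"
  metrics:
    listen:
      port: 8080
    service:
      # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
      enabled: false
      # -- Metrics service port to scrape
      port: 8080
      # -- Additional service annotations
      annotations: {}
  livenessProbe:
    enabled: false
    # -- Set this value to 'live' (for named port) or an integer for liveness probes.
    # @schema type: [string, integer]
    port: 8081
    timeoutSeconds: 5
    failureThreshold: 5
    periodSeconds: 10
    successThreshold: 1
    initialDelaySeconds: 10
  readinessProbe:
    enabled: true
    address: ""
    # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
    # @schema type: [string, integer]
    port: 8081
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 5
    successThreshold: 1
    initialDelaySeconds: 20
  ## -- Extra environment variables to add to container.
  extraEnv: []
  ## -- Map of extra arguments to pass to container.
  extraArgs: {}
  ## -- Extra init containers to add to the pod.
  extraInitContainers: []
  ## -- Extra volumes to pass to pod.
  extraVolumes: []
  ## -- Extra volumes to mount to the container.
  extraVolumeMounts: []
  # -- Annotations to add to Secret
  secretAnnotations: {}
  # -- Annotations to add to Deployment
  deploymentAnnotations: {}
  # -- Annotations to add to Pod
  podAnnotations: {}
  podLabels: {}
  podSecurityContext:
    enabled: true
    # fsGroup: 2000
  # Same hardened container defaults as the controller's securityContext.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    enabled: true
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  resources: {}
    # requests:
    #   cpu: 10m
    #   memory: 32Mi

  # -- Manage the service through which the webhook is reached.
  service:
    # -- Whether the service object should be enabled or not (it is expected to exist).
    enabled: true
    # -- Custom annotations for the webhook service.
    annotations: {}
    # -- Custom labels for the webhook service.
    labels: {}
    # The API server reaches admission webhooks in-cluster; ClusterIP is
    # sufficient and avoids exposing the endpoint outside the cluster.
    # -- The service type of the webhook service.
    type: ClusterIP
    # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
    # Check the documentation of your load balancer provider to see if/how this should be used.
    loadBalancerIP: ""
certController:
  # -- Specifies whether a certificate controller deployment be created.
  create: true
  requeueInterval: "5m"
  replicaCount: 1
  # -- Specifies Log Params to the Certificate Controller
  log:
    level: info
    timeEncoding: epoch
  # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  revisionHistoryLimit: 10
  image:
    repository: cgr.dev/chainguard-private/external-secrets
    pullPolicy: IfNotPresent
    tag: latest@sha256:d2c9181872c4cf603887deeb24ffd9e24e8faa21ed3d62b86073790395bb59e5
    flavour: ""
  imagePullSecrets: []
  rbac:
    # -- Specifies whether role and rolebinding resources should be created.
    create: true
  serviceAccount:
    # -- Specifies whether a service account should be created.
    create: true
    # -- Automounts the service account token in all containers of the pod
    automount: true
    # -- Annotations to add to the service account.
    annotations: {}
    # -- Extra Labels to add to the service account.
    extraLabels: {}
    # -- The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    name: ""
  nodeSelector: {}
  # -- Specifies `hostAliases` to cert-controller deployment
  hostAliases: []
  tolerations: []
  topologySpreadConstraints: []
  affinity: {}
  # -- Set deployment strategy
  strategy: {}
  # -- Run the certController on the host network
  hostNetwork: false
  # -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
  # @schema type: [boolean, null]
  hostUsers: null
  # -- Pod priority class name.
  priorityClassName: ""
  # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  podDisruptionBudget:
    enabled: false
    minAvailable: 1 # @schema type:[integer, string]
    nameOverride: ""
    # maxUnavailable: "50%"
  metrics:
    listen:
      port: 8080
    service:
      # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
      enabled: false
      # -- Metrics service port to scrape
      port: 8080
      # -- Additional service annotations
      annotations: {}
  livenessProbe:
    enabled: false
    # -- Set this value to 'live' (for named port) or an integer for liveness probes.
    # @schema type: [string, integer]
    port: 8081
    timeoutSeconds: 5
    failureThreshold: 5
    periodSeconds: 10
    successThreshold: 1
    initialDelaySeconds: 10
  readinessProbe:
    enabled: true
    address: ""
    # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
    # @schema type: [string, integer]
    port: 8081
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 5
    successThreshold: 1
    initialDelaySeconds: 20
  startupProbe:
    # -- Enabled determines if the startup probe should be used or not. By default it's disabled.
    enabled: false
    # -- whether to use the readiness probe port for startup probe.
    useReadinessProbePort: true
    # -- Port for startup probe.
    port: ""
  ## -- Extra environment variables to add to container.
  extraEnv: []
  ## -- Map of extra arguments to pass to container.
  extraArgs: {}
  ## -- Extra init containers to add to the pod.
  extraInitContainers: []
  ## -- Extra volumes to pass to pod.
  extraVolumes: []
  ## -- Extra volumes to mount to the container.
  extraVolumeMounts: []
  # -- Annotations to add to Deployment
  deploymentAnnotations: {}
  # -- Annotations to add to Pod
  podAnnotations: {}
  podLabels: {}
  podSecurityContext:
    enabled: true
    # fsGroup: 2000
  # Same hardened container defaults as the controller's securityContext.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    enabled: true
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  resources: {}
    # requests:
    #   cpu: 10m
    #   memory: 32Mi
# -- Specifies `dnsPolicy` to deployment
dnsPolicy: ClusterFirst
# -- Specifies `dnsConfig` to deployment
dnsConfig: {}
# -- Specifies `hostAliases` to deployment
hostAliases: []
# -- Any extra pod spec on the deployment
podSpecExtra: {}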

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.