The External Secrets Enterprise Edition product suite is a premium product.
It requires a specific subscription. Contact us for more information.
esi-cli is configured through a variety of command-line flags. These flags control its operational mode, secret sources, injection targets, and behavior.
General Flags
These flags are applicable to core esi-cli functionality.
| Flag | Description | Default Value | Required By/Notes |
|---|---|---|---|
| --mode | Specifies the operation mode for esi-cli. | (none) | Required. Must be `init` or `daemon`. See Modes of Operation for details. |
| --namespace | The Kubernetes namespace where esi-cli should look for ExternalSecret resources. | Value of the `KUBERNETES_NAMESPACE` environment variable, or `"default"` if not set. | Relevant when not using federation. |
| --external-secrets | A comma-separated list of ExternalSecret names to process. esi-cli will fetch all data from the Kubernetes Secret resources managed by these ExternalSecrets. | `""` (empty string) | In `init` mode, this data is typically injected as environment variables. |
| --inject-on-env | A comma-separated list of specific environment variable injections. The format for each injection is `ENV_VAR_NAME=secretName.key`. | `""` | Primarily used in `init` mode. Allows precise mapping of secret keys to environment variable names. Overrides general env vars from `--external-secrets` if names conflict. |
| --inject-on-file | A comma-separated list of file injections. The format is `/path/to/target/file=secretName.key` or `/path/to/target/file=secretName`. | `""` | Used in both `init` and `daemon` modes. If `.key` is omitted (e.g., `/path/to/secret.yaml=mySecret`), the full secret data is written as a YAML file. esi-cli automatically creates parent directories if they don't exist. |
| --args | A comma-separated list of arguments to be passed to the application binary that esi-cli executes (specified by `--binary-path`). | `""` | Used only in `init` mode. Arguments should be provided as a single string, e.g., `"--config=/app/config.json,--verbose"`. |
| --binary-path | The absolute path to the application binary that esi-cli will execute after it has completed secret injection. | `""` | Required for `init` mode. esi-cli uses `syscall.Exec` to replace its own process with this binary. |
| --daemon-refresh-interval | The interval at which esi-cli in `daemon` mode will attempt to refresh secrets. | `2m` (2 minutes) | Used in `daemon` mode for periodic refreshes. This is the primary refresh mechanism in federation mode and a fallback/resync in local Kubernetes mode. |
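The `--inject-on-file` format and its omitted-key rule, worked through as an added example (my own Go reconstruction, not esi-cli's code): it parses the flag value and returns what each target file would contain. It assumes secret names contain no dot (the table does not say how a dotted name is disambiguated) and models Secret data as already base64-decoded.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SecretData is the decoded data of one Kubernetes Secret (key -> value).
type SecretData map[string]string

// FileInjection is one parsed --inject-on-file entry (empty Key = whole secret as YAML).
type FileInjection struct{ Path, Secret, Key string }

// parseInjectOnFile parses "/path=secretName.key,/other=secretName". Assumption (mine, not
// from the docs): the secret name has no dot, so the first dot after '=' splits name from key.
func parseInjectOnFile(flag string) ([]FileInjection, error) {
	var out []FileInjection
	for _, item := range strings.Split(flag, ",") {
		path, ref, ok := strings.Cut(strings.TrimSpace(item), "=")
		if !ok || path == "" || ref == "" {
			return nil, fmt.Errorf("malformed --inject-on-file entry %q", item)
		}
		name, key, _ := strings.Cut(ref, ".") // keys like "tls.crt" keep their own dots
		out = append(out, FileInjection{Path: path, Secret: name, Key: key})
	}
	return out, nil
}

// renderFile returns the content destined for inj.Path: one value, or every
// key of the secret as minimal `key: "value"` YAML when Key is empty.
func renderFile(inj FileInjection, secrets map[string]SecretData) (string, error) {
	data, ok := secrets[inj.Secret]
	if !ok {
		return "", fmt.Errorf("secret %q not found", inj.Secret)
	}
	if inj.Key != "" {
		v, ok := data[inj.Key]
		if !ok {
			return "", fmt.Errorf("key %q not in secret %q", inj.Key, inj.Secret)
		}
		return v, nil
	}
	lines := make([]string, 0, len(data))
	for k, v := range data {
		lines = append(lines, fmt.Sprintf("%s: %q", k, v)) // Go %q escaping is valid in YAML double quotes
	}
	sort.Strings(lines) // deterministic order so a daemon-mode refresh does not churn the file
	return strings.Join(lines, "\n") + "\n", nil
}
```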
Federation Flags
These flags are used when esi-cli is configured to fetch secrets from a central ESI Federation server, rather than directly from ExternalSecret resources in the local Kubernetes cluster.
Using `--federated-server-url` enables federation mode. When in federation mode, flags like `--namespace` and `--external-secrets` (referring to local Kubernetes resources) are typically not the primary source of secrets, though `--namespace` might still be used for resolving local service account tokens if paths are not absolute.
| Flag | Description | Default Value | Notes |
|---|---|---|---|
| --federated-server-url | The URL of the ESI Federation server from which to fetch secrets. | `""` (empty string) | Setting this flag activates federation mode. |
| --federated-generators | Specifies the name of a generator configuration to use on the federated ESI server. | `""` | Used to request specific types of generated secrets (e.g., dynamic credentials) from the federation server. |
| --federated-store | Specifies the name of a SecretStore (or ClusterSecretStore) to access on the federated ESI server. | `""` | This tells the federation server which backend secret store to use for fulfilling the secret request. |
| --federated-token | The file path to the Kubernetes service account token that esi-cli will use to authenticate with the federated ESI server. | `/var/run/secrets/kubernetes.io/serviceaccount/token` | The service account associated with this token must be authorized by the ESI Federation server. |
| --federated-ca-crt | The file path to the CA certificate bundle used to verify the TLS certificate of the federated ESI server. | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | Essential for secure communication if the federation server uses a custom CA or self-signed certificates. |
When using federation, either `--federated-store` or `--federated-generators` (or both, depending on the federation server's setup and the desired secrets) is typically required along with `--federated-server-url`.