Installation
Bundle
Installing the External Secrets Enterprise Bundle
This document provides instructions for installing the External Secrets Enterprise bundle, which includes both the External Secrets Operator and the Enterprise UI.What’s Included
The bundle installs the following components:- External Secrets Enterprise: The core component for managing secrets and enterprise edition of External Secrets Operator.
- Enterprise UI: A graphical user interface for managing secrets.
- Enterprise Backend components: handling authentication, authorization, and other enterprise features.
- Ingress Controller: Traefik is installed as an Ingress controller to expose the UI.
Installation Commands
Install the External Secrets Enterprise bundle using our Helm chart. This chart includes all the necessary components, including the web UI.
The Helm installation will wait until everything is up and running.
This can take up to 10 minutes due to image downloads.You can disable this behavior by setting
global.waitForReady=false.Helm Values
| Key | Type | Default | Description |
|---|---|---|---|
| audit-listener.enabled | bool | false | |
| audit-listener.fullnameOverride | string | "audit-listener" | |
| audit-listener.host | string | "grpc.prod.externalsecrets.com" | |
| audit-listener.image.pullPolicy | string | "IfNotPresent" | |
| audit-listener.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/audit-listener" | |
| audit-listener.listenerId | string | "test-listener" | |
| audit-listener.namespaceOverride | string | "audit-listener" | |
| audit-listener.port | int | 443 | |
| audit-listener.pullSecret.create | bool | true | |
| audit-listener.pullSecret.email | string | "" | |
| audit-listener.pullSecret.name | string | "esi-registry-credentials" | |
| audit-listener.pullSecret.value | string | "" | |
| audit-listener.tenantId | string | "test-tenant" | |
| audit-poc-backend.affinity | object | {} | |
| audit-poc-backend.autoscaling.enabled | bool | false | |
| audit-poc-backend.database.enabled | bool | true | |
| audit-poc-backend.database.type | string | "postgresql" | |
| audit-poc-backend.db.adminDB.value | string | "admin" | |
| audit-poc-backend.db.database.value | string | "admin" | |
| audit-poc-backend.db.enabled | bool | true | |
| audit-poc-backend.db.host.value | string | "mongodb" | |
| audit-poc-backend.db.password.value | string | "audit_poc" | |
| audit-poc-backend.db.port.value | int | 27017 | |
| audit-poc-backend.db.user.value | string | "audit_poc" | |
| audit-poc-backend.enabled | bool | true | |
| audit-poc-backend.fullnameOverride | string | "audit-backend" | |
| audit-poc-backend.image.pullPolicy | string | "IfNotPresent" | |
| audit-poc-backend.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/audit-poc-backend" | |
| audit-poc-backend.livenessProbe | object | {} | |
| audit-poc-backend.metrics.enabled | bool | false | |
| audit-poc-backend.namespaceOverride | string | "audit-backend" | |
| audit-poc-backend.nodeSelector | object | {} | |
| audit-poc-backend.podMonitor.enabled | bool | false | |
| audit-poc-backend.readinessProbe | object | {} | |
| audit-poc-backend.resources | object | {} | |
| audit-poc-backend.tolerations | list | [] | |
| audit-poc-backend.volumeMounts | list | [] | |
| audit-poc-backend.volumes | list | [] | |
| eso-server.enabled | bool | true | |
| eso-server.fullnameOverride | string | "eso-server" | |
| eso-server.image.pullPolicy | string | "IfNotPresent" | |
| eso-server.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/eso-server" | |
| eso-server.namespaceOverride | string | "eso-server" | |
| eso-server.podMonitor.enabled | bool | false | |
| eso-server.service.port | int | 8080 | |
| eso-server.service.type | string | "ClusterIP" | |
| eso-server.tenantManager.url | string | "http://tenant-manager.tenant-manager:8080" | |
| external-secrets.certController.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/external-secrets" | |
| external-secrets.controller.replicas | int | 1 | |
| external-secrets.enabled | bool | true | |
| external-secrets.fullnameOverride | string | "external-secrets" | |
| external-secrets.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/external-secrets" | |
| external-secrets.namespaceOverride | string | "external-secrets" | |
| external-secrets.podMonitor.enabled | bool | false | |
| external-secrets.serviceMonitor.enabled | bool | false | |
| external-secrets.webhook.enabled | bool | true | |
| external-secrets.webhook.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/external-secrets" | |
| global.certificate.enabled | bool | false | |
| global.certificate.issuerRef.kind | string | "Issuer" | |
| global.certificate.issuerRef.name | string | "you-issuer-name" | |
| global.certificate.issuerRef.namespace | string | "your-issuer-namespace" | |
| global.certificate.secretName | string | "ingress-tls" | |
| global.createNamespaces | bool | true | |
| global.domains.auditBackend | string | "audit-backend.external-secrets.127.0.0.1.sslip.io" | |
| global.domains.esoServer | string | "eso-server.external-secrets.127.0.0.1.sslip.io" | |
| global.domains.tenantManager | string | "tenant-manager.external-secrets.127.0.0.1.sslip.io" | |
| global.domains.webUi | string | "ui.external-secrets.127.0.0.1.sslip.io" | |
| global.ingress.enabled | bool | true | |
| global.ingressPort | int | 8080 | |
| global.ingressSecurePort | int | 8443 | |
| global.licenseFile | string | "# your-enterprise-license-goes-here\n" | |
| global.namespace | string | "esi" | |
| global.namespaces.externalSecrets.createNamespace | bool | true | |
| global.licenseAccepted | bool | false | |
| global.waitForReady | bool | false | |
| mongodb.auth.database | string | "admin" | |
| mongodb.auth.enabled | bool | true | |
| mongodb.auth.password | string | "audit_poc" | |
| mongodb.auth.rootPassword | string | "admin123" | |
| mongodb.auth.rootUser | string | "admin" | |
| mongodb.auth.username | string | "audit_poc" | |
| mongodb.enabled | bool | true | |
| mongodb.external.adminDatabase | string | "admin" | |
| mongodb.external.database | string | "admin" | |
| mongodb.external.host | string | "localhost" | |
| mongodb.external.password | string | "audit_poc" | |
| mongodb.external.port | int | 27017 | |
| mongodb.external.username | string | "audit_poc" | |
| mongodb.fullnameOverride | string | "mongodb" | |
| mongodb.global.fullnameOverride | string | "mongodb" | |
| mongodb.global.namespaceOverride | string | "audit-backend" | |
| mongodb.namespaceOverride | string | "audit-backend" | |
| mongodb.persistence.enabled | bool | true | |
| mongodb.persistence.size | string | "8Gi" | |
| mongodb.service.ports.mongodb | int | 27017 | |
| mongodb.service.type | string | "ClusterIP" | |
| postgresql.auth.database | string | "tenant_manager" | |
| postgresql.auth.enablePostgresUser | bool | true | |
| postgresql.auth.password | string | "tenant_manager" | |
| postgresql.auth.postgresPassword | string | "postgres123" | |
| postgresql.auth.username | string | "tenant_manager" | |
| postgresql.enabled | bool | true | |
| postgresql.external.database | string | "tenant_manager" | |
| postgresql.external.host | string | "localhost" | |
| postgresql.external.password | string | "tenant_manager" | |
| postgresql.external.port | int | 5432 | |
| postgresql.external.username | string | "tenant_manager" | |
| postgresql.fullnameOverride | string | "postgresql" | |
| postgresql.global.fullnameOverride | string | "postgresql" | |
| postgresql.global.namespaceOverride | string | "tenant-manager" | |
| postgresql.namespaceOverride | string | "tenant-manager" | |
| postgresql.primary.persistence.enabled | bool | true | |
| postgresql.primary.persistence.size | string | "8Gi" | |
| postgresql.primary.service.ports.postgresql | int | 5432 | |
| postgresql.primary.service.type | string | "ClusterIP" | |
| reloader.enabled | bool | true | |
| reloader.fullnameOverride | string | "reloader" | |
| reloader.image.repository | string | "ghcr.io/external-secrets-inc/reloader" | |
| reloader.namespaceOverride | string | "reloader" | |
| reloader.podMonitor.enabled | bool | false | |
| tenant-manager.affinity | object | {} | |
| tenant-manager.bootstrap.roles.created_user.policies[0].action | string | "read" | |
| tenant-manager.bootstrap.roles.created_user.policies[0].attr | string | "*" | |
| tenant-manager.bootstrap.roles.created_user.policies[0].rego | string | "package authz\nallow = true\n" | |
| tenant-manager.bootstrap.roles.created_user.policies[0].resource | string | "*" | |
| tenant-manager.bootstrap.roles.created_user.policies[0].role | string | "created_user_reader" | |
| tenant-manager.bootstrap.roles.created_user.policies[1].action | string | "GET" | |
| tenant-manager.bootstrap.roles.created_user.policies[1].attr | string | "*" | |
| tenant-manager.bootstrap.roles.created_user.policies[1].rego | string | "package authz\nallow = true\n" | |
| tenant-manager.bootstrap.roles.created_user.policies[1].resource | string | "*" | |
| tenant-manager.bootstrap.roles.created_user.policies[1].role | string | "created_user_getter" | |
| tenant-manager.bootstrap.roles.created_user.policies[2].action | string | "POST" | |
| tenant-manager.bootstrap.roles.created_user.policies[2].attr | string | "*" | |
| tenant-manager.bootstrap.roles.created_user.policies[2].rego | string | "package authz\nallow = true\n" | |
| tenant-manager.bootstrap.roles.created_user.policies[2].resource | string | "/api/authz/check" | |
| tenant-manager.bootstrap.roles.created_user.policies[2].role | string | "check_authz" | |
| tenant-manager.bootstrap.roles.signup_user.policies[0].action | string | "*" | |
| tenant-manager.bootstrap.roles.signup_user.policies[0].attr | string | "*" | |
| tenant-manager.bootstrap.roles.signup_user.policies[0].rego | string | "package authz\nallow = true\n" | |
| tenant-manager.bootstrap.roles.signup_user.policies[0].resource | string | "*" | |
| tenant-manager.bootstrap.roles.signup_user.policies[0].role | string | "signup_user_admin" | |
| tenant-manager.enabled | bool | true | |
| tenant-manager.fullnameOverride | string | "tenant-manager" | |
| tenant-manager.image.pullPolicy | string | "IfNotPresent" | |
| tenant-manager.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/tenant-manager" | |
| tenant-manager.livenessProbe | object | {} | |
| tenant-manager.metrics.enabled | bool | false | |
| tenant-manager.namespaceOverride | string | "tenant-manager" | |
| tenant-manager.nodeSelector | object | {} | |
| tenant-manager.podMonitor.enabled | bool | false | |
| tenant-manager.readinessProbe | object | {} | |
| tenant-manager.resources | object | {} | |
| tenant-manager.sql.enabled | bool | true | |
| tenant-manager.sql.host.value | string | "postgresql" | |
| tenant-manager.sqlProxy.enabled | bool | false | |
| tenant-manager.tolerations | list | [] | |
| tenant-manager.volumeMounts | list | [] | |
| tenant-manager.volumes | list | [] | |
| traefik.enabled | bool | false | |
| traefik.fullnameOverride | string | "traefik" | |
| traefik.namespaceOverride | string | "traefik" | |
| traefik.service.type | string | "LoadBalancer" | |
| web-ui.enabled | bool | true | |
| web-ui.fullnameOverride | string | "web-ui" | |
| web-ui.image.pullPolicy | string | "IfNotPresent" | |
| web-ui.image.repository | string | "us-central1-docker.pkg.dev/external-secrets-inc-registry/public/web-ui" | |
| web-ui.namespaceOverride | string | "web-ui" | |
| web-ui.podMonitor.enabled | bool | false |