Kubernetes CRDs
reloader.external-secrets.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the Reloader v1alpha1 API group.
Config
Config is the Schema for the Reloader Config API.
| Field | Type | Description | Validation |
|---|---|---|---|
apiVersion | string | reloader.external-secrets.io/v1alpha1 | |
kind | string | Config | |
metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | |
spec | ConfigSpec |
Types
AWSSDKAuth
AWSSDKAuth contains authentication methods for AWS SDK.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
authMethod | string | ||
region | string | ||
serviceAccountRef | ServiceAccountSelector | ||
secretRef | AWSSDKSecretRef |
AWSSDKSecretRef
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
accessKeyIdSecretRef | SecretKeySelector | ||
secretAccessKeySecretRef | SecretKeySelector |
AWSSQSConfig
AWSSQSConfig contains configuration for AWS SDK.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
queueURL | string | QueueURL is the URL of the AWS SDK queue. | |
auth | AWSSDKAuth | Authentication methods for AWS. | |
numberOfMessages | integer | MaxNumberOfMessages specifies the maximum number of messages to retrieve from the SDK queue in a single request. | default: 10 |
waitTimeSeconds | integer | WaitTimeSeconds specifies the duration (in seconds) to wait for messages in the SDK queue before returning. | default: 20 |
visibilityTimeout | integer | VisibilityTimeout specifies the duration (in seconds) that a message received from the SDK queue is hidden from subsequent retrievals. | default: 30 |
AzureEventGridConfig
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
host | string | ||
port | integer | default: 8080 | |
subscriptions | string array |
BasicAuth
BasicAuth contains basic authentication credentials.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
usernameSecretRef | SecretKeySelector | UsernameSecretRef contains a secret reference for the username | |
passwordSecretRef | SecretKeySelector | PasswordSecretRef contains a secret reference for the password |
BearerToken
BearerToken contains the bearer token credentials.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
bearerTokenSecretRef | SecretKeySelector | BearerTokenSecretRef references a Kubernetes Secret containing the bearer token. |
Condition
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
value | string | ||
operation | ConditionOperation |
ConditionOperation (string)
Used by:
| Field | Description |
|---|---|
Equal | |
NotEqual | |
Contains | |
NotContains | |
RegularExpression |
ConfigSpec
ConfigSpec defines the desired state of a Reloader Config.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
notificationSources | NotificationSource array | NotificationSources specifies the notification systems to listen to. | |
destinationsToWatch | DestinationToWatch array | DestinationsToWatch specifies which secrets the controller should monitor. |
DeploymentDestination
Defines a DeploymentDestination. Behavior is a pod template annotations patch.
- Default UpdateStrategy is pod template annotations patch to trigger a new rollout.
- Default MatchStrategy matches secret keys using:
spec.template.spec.containers[*].env[*].valueFrom.secretKeyRef.namespec.template.spec.containers[*].envFrom.secretRef.name
- Default WaitStrategy waits for rollout completion with a 3-minute grace period.
| Field | Type | Description | Validation |
|---|---|---|---|
namespaceSelectors | LabelSelector array | NamespaceSelectors selects namespaces based on labels. Manifest must be in a matching namespace. | |
labelSelectors | LabelSelector | LabelSelectors selects resources by labels. Supports matchLabels and matchExpressions. | |
names | string array | Names specifies resource names to watch. The resource must match one of the entries. |
DestinationToWatch
DestinationToWatch specifies the criteria for monitoring secrets in the cluster.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
type | enum[ExternalSecret, Deployment] | Type specifies the kind of destination to watch. | |
externalSecret | ExternalSecretDestination | ||
deployment | DeploymentDestination | ||
updateStrategy | UpdateStrategy | If not specified, the default update strategy is used. | |
matchStrategy | MatchStrategy | If not specified, the default match strategy is used. | |
waitStrategy | WaitStrategy | If not specified, the default wait strategy is used. |
ExternalSecretDestination
Defines an ExternalSecretDestination. Behavior is annotations patch.
- Default UpdateStrategy: annotations patch triggers externalSecret reconcile.
- Default MatchStrategy:
spec.data.remoteRef.keyspec.dataFrom.remoteRef.key- Regex match for
spec.dataFrom.find.name.regexp
| Field | Type | Description | Validation |
|---|---|---|---|
namespaceSelectors | LabelSelector array | NamespaceSelectors selects namespaces based on labels. Manifest must be in a matching namespace. | |
labelSelectors | LabelSelector | LabelSelectors selects resources by labels. Supports matchLabels and matchExpressions. | |
names | string array | Names specifies resource names to watch. The resource must match one of the entries. |
GCPSMAuthSecretRef
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
secretAccessKeySecretRef | SecretKeySelector | The SecretAccessKey is used for authentication |
GCPWorkloadIdentity
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
serviceAccountRef | ServiceAccountSelector | ||
clusterLocation | string | ||
clusterName | string | ||
clusterProjectID | string |
GooglePubSubAuth
GooglePubSubAuth contains authentication methods for Google Pub/Sub.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
secretRef | GCPSMAuthSecretRef | ||
workloadIdentity | GCPWorkloadIdentity |
GooglePubSubConfig
GooglePubSubConfig contains configuration for Google Pub/Sub.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
subscriptionID | string | SubscriptionID is the ID of the Pub/Sub subscription. | |
projectID | string | ProjectID is the GCP project ID where the subscription exists. | |
auth | GooglePubSubAuth | Authentication methods for Google Pub/Sub. |
HashicorpVaultConfig
HashicorpVault contains configuration for Hashicorp Vault notifications.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
host | string | Host is the hostname or IP address to listen on. | |
port | integer | Port is the port number to listen on. | default: 8000 |
KubeConfigRef
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
secretRef | SecretKeySelector |
KubernetesAuth
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
kubeConfigRef | KubeConfigRef | ||
caBundle | string | Defines a CABundle if either tokenRef or serviceAccountRef are used. | |
tokenRef | TokenRef | ||
serviceAccountRef | ServiceAccountSelector |
KubernetesSecretConfig
KubernetesSecretConfig contains configuration for Kubernetes notifications.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
serverURL | string | Server URL | |
auth | KubernetesAuth | How to authenticate with Kubernetes. If not specified, default config is used. |
MatchStrategy
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
path | string | ||
conditions | Condition array |
MockConfig
MockConfig represents configuration settings for mock notifications.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
emitInterval | integer |
NotificationSource
NotificationSource represents a notification system configuration.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
type | enum[AwsSqs, AzureEventGrid, GooglePubSub, HashicorpVault, Webhook, TCPSocket, KubernetesSecret] | Type of the notification source. | |
awsSqs | AWSSQSConfig | AwsSqs configuration (required if type is AwsSqs). | |
azureEventGrid | AzureEventGridConfig | ||
googlePubSub | GooglePubSubConfig | GooglePubSub configuration (required if type is GooglePubSub). | |
webhook | WebhookConfig | Webhook configuration (required if type is Webhook). | |
hashicorpVault | HashicorpVaultConfig | HashicorpVault configuration (required if type is HashicorpVault). | |
kubernetesSecret | KubernetesSecretConfig | Kubernetes Secret configuration (required if type is KubernetesSecret). | |
tcpSocket | TCPSocketConfig | TCPSocket configuration (required if type is TCPSocket). | |
mock | MockConfig | Mock configuration (optional; useful for testing). |
PatchOperationConfig
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
path | string | ||
template | string |
RetryPolicy
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
maxRetries | integer | MaxRetries is the maximum number of times to retry. Values over 10 are capped at 10. | |
algorithm | string | Defines how retry timing evolves. Supports "linear" and "exponential" (default if value is invalid/null). |
SecretKeySelector
SecretKeySelector references a specific key within a Kubernetes secret.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
name | string | Name of the referenced Kubernetes secret. | |
key | string | Key within the referenced Kubernetes secret. | |
namespace | string | Namespace where the secret resides. |
ServiceAccountSelector
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
name | string | Name of the service account to select. | |
namespace | string | Namespace of the service account. | |
audiences | string array | Audiences for the service account token. Additional values added based on identity provider used. |
TCPSocketConfig
TCPSocketConfig contains configuration for TCP Socket notifications.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
host | string | Host is the hostname or IP address to listen on. | |
port | integer | Port is the port number to listen on. | default: 8000 |
identifierPathOnPayload | string | Key in the payload used to identify the secret. Defaults to 0.data.ObjectName if not specified. |
TokenRef
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
secretRef | SecretKeySelector |
UpdateStrategy
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
operation | UpdateStrategyOperation | ||
patchOperationConfig | PatchOperationConfig | Required if operation == Patch. |
UpdateStrategyOperation (string)
Used by:
| Field | Description |
|---|---|
PatchStatus | |
Patch | |
Delete |
WaitForCondition
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
retryTimeout | Duration | Period to wait before each retry. | |
maxRetries | integer | Maximum number of retries for the condition. | |
type | string | The name of the condition to wait for. | |
message | string | Optional message to match. | |
reason | string | Optional reason to match. | |
transitionedAfter | Duration | Minimum time since last transition to accept the condition. | |
updatedAfter | Duration | Minimum time since last update to accept the condition. |
WaitStrategy
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
time | Duration | Wait time between reconciliations. | |
condition | WaitForCondition | Condition that must be satisfied before continuing. |
WebhookAuth
WebhookAuth contains authentication methods for webhooks.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
basicAuth | BasicAuth | Basic authentication credentials. | |
bearerToken | BearerToken | Kubernetes secret containing the bearer token. |
WebhookConfig
WebhookConfig contains configuration for Webhook notifications.
Used by:
| Field | Type | Description | Validation |
|---|---|---|---|
path | string | Endpoint path (default: /webhook). Always expects a POST request. | |
address | string | Address where the webhook is served. Defaults to :8090. | |
identifierPathOnPayload | string | Key in the payload used to identify the secret. Defaults to 0.data.ObjectName if not set. | |
webhookAuth | WebhookAuth | Authentication method for the webhook. | |
retryPolicy | RetryPolicy | Policy to retry failed messages. If not set, 4xx will be returned and no retry will be attempted. |