API Reference

Kubernetes CRDs

reloader.external-secrets.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the Reloader v1alpha1 API group.

Config

Config is the Schema for the Reloader Config API.

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| apiVersion | string | reloader.external-secrets.io/v1alpha1 | |
| kind | string | Config | |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | |
| spec | ConfigSpec | | |

Types

AWSSDKAuth

AWSSDKAuth contains authentication methods for AWS SDK.

Used by: AWSSQSConfig

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| authMethod | string | | |
| region | string | | |
| serviceAccountRef | ServiceAccountSelector | | |
| secretRef | AWSSDKSecretRef | | |

AWSSDKSecretRef

Used by: AWSSDKAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| accessKeyIdSecretRef | SecretKeySelector | | |
| secretAccessKeySecretRef | SecretKeySelector | | |

AWSSQSConfig

AWSSQSConfig contains configuration for AWS SDK.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| queueURL | string | QueueURL is the URL of the AWS SDK queue. | |
| auth | AWSSDKAuth | Authentication methods for AWS. | |
| numberOfMessages | integer | MaxNumberOfMessages specifies the maximum number of messages to retrieve from the SDK queue in a single request. | default: 10 |
| waitTimeSeconds | integer | WaitTimeSeconds specifies the duration (in seconds) to wait for messages in the SDK queue before returning. | default: 20 |
| visibilityTimeout | integer | VisibilityTimeout specifies the duration (in seconds) that a message received from the SDK queue is hidden from subsequent retrievals. | default: 30 |

AzureEventGridConfig

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| host | string | | |
| port | integer | | default: 8080 |
| subscriptions | string array | | |

BasicAuth

BasicAuth contains basic authentication credentials.

Used by: WebhookAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| usernameSecretRef | SecretKeySelector | UsernameSecretRef contains a secret reference for the username | |
| passwordSecretRef | SecretKeySelector | PasswordSecretRef contains a secret reference for the password | |

BearerToken

BearerToken contains the bearer token credentials.

Used by: WebhookAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| bearerTokenSecretRef | SecretKeySelector | BearerTokenSecretRef references a Kubernetes Secret containing the bearer token. | |

Condition

Used by: MatchStrategy

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| value | string | | |
| operation | ConditionOperation | | |

ConditionOperation (string)

Used by: Condition

| Field | Description |
| --- | --- |
| Equal | |
| NotEqual | |
| Contains | |
| NotContains | |
| RegularExpression | |

ConfigSpec

ConfigSpec defines the desired state of a Reloader Config.

Used by: Config

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| notificationSources | NotificationSource array | NotificationSources specifies the notification systems to listen to. | |
| destinationsToWatch | DestinationToWatch array | DestinationsToWatch specifies which secrets the controller should monitor. | |

DeploymentDestination

Defines a DeploymentDestination. Behavior is a pod template annotations patch.

  • Default UpdateStrategy is pod template annotations patch to trigger a new rollout.
  • Default MatchStrategy matches secret keys using:
    • spec.template.spec.containers[*].env[*].valueFrom.secretKeyRef.name
    • spec.template.spec.containers[*].envFrom.secretRef.name
  • Default WaitStrategy waits for rollout completion with a 3-minute grace period.

Used by: DestinationToWatch

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| namespaceSelectors | LabelSelector array | NamespaceSelectors selects namespaces based on labels. Manifest must be in a matching namespace. | |
| labelSelectors | LabelSelector | LabelSelectors selects resources by labels. Supports matchLabels and matchExpressions. | |
| names | string array | Names specifies resource names to watch. The resource must match one of the entries. | |

DestinationToWatch

DestinationToWatch specifies the criteria for monitoring secrets in the cluster.

Used by: ConfigSpec

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| type | enum[ExternalSecret, Deployment] | Type specifies the kind of destination to watch. | |
| externalSecret | ExternalSecretDestination | | |
| deployment | DeploymentDestination | | |
| updateStrategy | UpdateStrategy | If not specified, the default update strategy is used. | |
| matchStrategy | MatchStrategy | If not specified, the default match strategy is used. | |
| waitStrategy | WaitStrategy | If not specified, the default wait strategy is used. | |

ExternalSecretDestination

Defines an ExternalSecretDestination. Behavior is annotations patch.

  • Default UpdateStrategy: annotations patch triggers externalSecret reconcile.
  • Default MatchStrategy:
    • spec.data.remoteRef.key
    • spec.dataFrom.remoteRef.key
    • Regex match for spec.dataFrom.find.name.regexp

Used by: DestinationToWatch

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| namespaceSelectors | LabelSelector array | NamespaceSelectors selects namespaces based on labels. Manifest must be in a matching namespace. | |
| labelSelectors | LabelSelector | LabelSelectors selects resources by labels. Supports matchLabels and matchExpressions. | |
| names | string array | Names specifies resource names to watch. The resource must match one of the entries. | |

GCPSMAuthSecretRef

Used by: GooglePubSubAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| secretAccessKeySecretRef | SecretKeySelector | The SecretAccessKey is used for authentication | |

GCPWorkloadIdentity

Used by: GooglePubSubAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| serviceAccountRef | ServiceAccountSelector | | |
| clusterLocation | string | | |
| clusterName | string | | |
| clusterProjectID | string | | |

GooglePubSubAuth

GooglePubSubAuth contains authentication methods for Google Pub/Sub.

Used by: GooglePubSubConfig

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| secretRef | GCPSMAuthSecretRef | | |
| workloadIdentity | GCPWorkloadIdentity | | |

GooglePubSubConfig

GooglePubSubConfig contains configuration for Google Pub/Sub.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| subscriptionID | string | SubscriptionID is the ID of the Pub/Sub subscription. | |
| projectID | string | ProjectID is the GCP project ID where the subscription exists. | |
| auth | GooglePubSubAuth | Authentication methods for Google Pub/Sub. | |

HashicorpVaultConfig

HashicorpVault contains configuration for Hashicorp Vault notifications.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| host | string | Host is the hostname or IP address to listen on. | |
| port | integer | Port is the port number to listen on. | default: 8000 |

KubeConfigRef

Used by: KubernetesAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| secretRef | SecretKeySelector | | |

KubernetesAuth

Used by: KubernetesSecretConfig

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| kubeConfigRef | KubeConfigRef | | |
| caBundle | string | Defines a CABundle if either tokenRef or serviceAccountRef are used. | |
| tokenRef | TokenRef | | |
| serviceAccountRef | ServiceAccountSelector | | |

KubernetesSecretConfig

KubernetesSecretConfig contains configuration for Kubernetes notifications.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| serverURL | string | Server URL | |
| auth | KubernetesAuth | How to authenticate with Kubernetes. If not specified, default config is used. | |

MatchStrategy

Used by: DestinationToWatch

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| path | string | | |
| conditions | Condition array | | |

MockConfig

MockConfig represents configuration settings for mock notifications.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| emitInterval | integer | | |

NotificationSource

NotificationSource represents a notification system configuration.

Used by: ConfigSpec

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| type | enum[AwsSqs, AzureEventGrid, GooglePubSub, HashicorpVault, Webhook, TCPSocket, KubernetesSecret] | Type of the notification source. | |
| awsSqs | AWSSQSConfig | AwsSqs configuration (required if type is AwsSqs). | |
| azureEventGrid | AzureEventGridConfig | | |
| googlePubSub | GooglePubSubConfig | GooglePubSub configuration (required if type is GooglePubSub). | |
| webhook | WebhookConfig | Webhook configuration (required if type is Webhook). | |
| hashicorpVault | HashicorpVaultConfig | HashicorpVault configuration (required if type is HashicorpVault). | |
| kubernetesSecret | KubernetesSecretConfig | Kubernetes Secret configuration (required if type is KubernetesSecret). | |
| tcpSocket | TCPSocketConfig | TCPSocket configuration (required if type is TCPSocket). | |
| mock | MockConfig | Mock configuration (optional; useful for testing). | |

PatchOperationConfig

Used by: UpdateStrategy

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| path | string | | |
| template | string | | |

RetryPolicy

Used by: WebhookConfig

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| maxRetries | integer | MaxRetries is the maximum number of times to retry. Values over 10 are capped at 10. | |
| algorithm | string | Defines how retry timing evolves. Supports "linear" and "exponential" (default if value is invalid/null). | |

SecretKeySelector

SecretKeySelector references a specific key within a Kubernetes secret.

Used by: AWSSDKSecretRef, BasicAuth, BearerToken, GCPSMAuthSecretRef, KubeConfigRef, TokenRef

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Name of the referenced Kubernetes secret. | |
| key | string | Key within the referenced Kubernetes secret. | |
| namespace | string | Namespace where the secret resides. | |

ServiceAccountSelector

Used by: AWSSDKAuth, GCPWorkloadIdentity, KubernetesAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Name of the service account to select. | |
| namespace | string | Namespace of the service account. | |
| audiences | string array | Audiences for the service account token. Additional values added based on identity provider used. | |

TCPSocketConfig

TCPSocketConfig contains configuration for TCP Socket notifications.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| host | string | Host is the hostname or IP address to listen on. | |
| port | integer | Port is the port number to listen on. | default: 8000 |
| identifierPathOnPayload | string | Key in the payload used to identify the secret. Defaults to 0.data.ObjectName if not specified. | |

TokenRef

Used by: KubernetesAuth

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| secretRef | SecretKeySelector | | |

UpdateStrategy

Used by: DestinationToWatch

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| operation | UpdateStrategyOperation | | |
| patchOperationConfig | PatchOperationConfig | Required if operation == Patch. | |

UpdateStrategyOperation (string)

Used by: UpdateStrategy

| Field | Description |
| --- | --- |
| PatchStatus | |
| Patch | |
| Delete | |

WaitForCondition

Used by: WaitStrategy

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| retryTimeout | Duration | Period to wait before each retry. | |
| maxRetries | integer | Maximum number of retries for the condition. | |
| type | string | The name of the condition to wait for. | |
| message | string | Optional message to match. | |
| reason | string | Optional reason to match. | |
| transitionedAfter | Duration | Minimum time since last transition to accept the condition. | |
| updatedAfter | Duration | Minimum time since last update to accept the condition. | |

WaitStrategy

Used by: DestinationToWatch

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| time | Duration | Wait time between reconciliations. | |
| condition | WaitForCondition | Condition that must be satisfied before continuing. | |

WebhookAuth

WebhookAuth contains authentication methods for webhooks.

Used by: WebhookConfig

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| basicAuth | BasicAuth | Basic authentication credentials. | |
| bearerToken | BearerToken | Kubernetes secret containing the bearer token. | |

WebhookConfig

WebhookConfig contains configuration for Webhook notifications.

Used by: NotificationSource

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| path | string | Endpoint path (default: /webhook). Always expects a POST request. | |
| address | string | Address where the webhook is served. Defaults to :8090. | |
| identifierPathOnPayload | string | Key in the payload used to identify the secret. Defaults to 0.data.ObjectName if not set. | |
| webhookAuth | WebhookAuth | Authentication method for the webhook. | |
| retryPolicy | RetryPolicy | Policy to retry failed messages. If not set, 4xx will be returned and no retry will be attempted. | |
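
A Config manifest that combines the types documented above, added here as an illustration and not taken from the project's own documentation: a Webhook notification source that requires a bearer token read from a Secret, with Deployment and ExternalSecret destinations narrowed by namespace label and name. All resource names, namespaces, labels and Secret keys are constructed placeholders.

```yaml
apiVersion: reloader.external-secrets.io/v1alpha1
kind: Config
metadata:
  name: reloader-example                    # constructed name
spec:
  notificationSources:
    - type: Webhook
      webhook:
        path: /webhook                      # documented default; always expects POST
        address: ":8090"                    # documented default listen address
        webhookAuth:
          bearerToken:
            bearerTokenSecretRef:           # SecretKeySelector: name, key, namespace
              name: reloader-webhook-token  # constructed Secret name
              key: token                    # constructed key
              namespace: reloader-system    # constructed namespace
        retryPolicy:
          maxRetries: 5                     # values over 10 are capped at 10
          algorithm: exponential            # "linear" or "exponential"
  destinationsToWatch:
    - type: Deployment
      deployment:
        namespaceSelectors:                 # LabelSelector array
          - matchLabels:
              reloader: enabled             # constructed label
        names:                              # resource must match one entry
          - payments-api                    # constructed Deployment name
    - type: ExternalSecret
      externalSecret:
        namespaceSelectors:
          - matchLabels:
              reloader: enabled             # constructed label
        labelSelectors:                     # single LabelSelector
          matchLabels:
            app: payments-api               # constructed label
```

Because updateStrategy, matchStrategy and waitStrategy are omitted, each destination uses the defaults listed under DeploymentDestination and ExternalSecretDestination.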