External Secret Descriptor reference
External Secret descriptor
An external secret allows an Akka service to source secrets from an external secret manager.
| Field | Type | Description |
|---|---|---|
azure |
Configuration for Azure KeyVault external secrets. |
|
gcp |
Configuration for GCP Secret Manager external secrets. |
AzureExternalSecret
Azure KeyVault external secret configuration.
| Field | Type | Description |
|---|---|---|
keyVaultName |
string required |
The name of the KeyVault. |
tenantID |
string required |
The ID of the tenant that the KeyVault is in. |
clientID |
string required |
The ID of the client that was created to access the KeyVault via federated workload identity. |
cloudName |
string |
If using a non default cloud, the name of the cloud. |
objects |
[]AzureExternalSecretObject required |
The secret objects to mount from the KeyVault. |
AzureExternalSecretObject
An Azure KeyVault object that should be mounted as part of the external secret.
| Field | Type | Description |
|---|---|---|
name |
string required |
The name of the object in the KeyVault. |
type |
string required |
The type of object, either |
alias |
string |
The alias for the object. This will be the filename of the object when mounted into the Akka service’s container. Defaults to the object name. |
version |
string |
The version of the object to mount. Defaults to the latest. |
versionHistory |
int |
If set and non zero, specifies that multiple versions of the history should be mounted. In such cases, the object name/alias will be a folder, and the top N (where N is the versionHistory) versions of the secret will be placed in that folder as files. The file name for each version will be an integer, starting with 0 for the latest version, 1 for the next most recent, and so on. |
encoding |
string |
The encoding of the object. Valid types are |
format |
string |
The format of the object. Supported types are |
filePermission |
int |
The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values being specified by using a leading 0. Meanwhile JSON requires decimal values. If not specified, the volume’s default mode will be used. |
GcpExternalSecret
GCP Secret Manager external secret configuration.
| Field | Type | Description |
|---|---|---|
projectId |
string required |
The GCP project ID that the secrets are in. |
location |
string |
If using regional secrets, the default location of the secrets. |
objects |
[]GcpExternalSecretObject required |
The secret objects to mount. |
GcpExternalSecretObject
A GCP Secret Manager object that should be mounted as part of the external secret.
| Field | Type | Description |
|---|---|---|
name |
string required |
The name of the secret in GCP Secret Manager. |
path |
string required |
The path that the object will be mounted at. |
version |
string |
The version of the secret to mount. Defaults to |
projectId |
string |
The project ID of the object, if different from the default project ID configured for the secret. |
location |
string |
If the object is a regional secret, the location of the object, if different from the default location configured for the secret. |
filePermission |
int |
The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values being specified by using a leading 0. Meanwhile JSON requires decimal values. If not specified, the volume’s default mode will be used. |