🔑 Secret Types¶
The Secrets Injector supports a wide variety of secret types through a single, unified configuration interface. Each entry in the externalsecrets list in your values.yaml can produce a different type of Kubernetes Secret.
Supported Types¶
| Type | Key Field | Description |
|---|---|---|
| Multivalue | multivalue: true |
Extract all key-value pairs from a cloud secret |
| Single Value | (default) | Map one remote secret to one K8s secret key |
| TLS Certificate | type: "kubernetes.io/tls" |
Split cert and key from separate remote secrets |
| ArgoCD Cluster | argocd: true |
Register clusters in ArgoCD (cert or bearer token) |
| ArgoCD Repo Creds | argocdRepoCreds: true |
Repository credentials for ArgoCD |
| Grafana Contact Point | contactpoint: true |
Contact point config with grafana_alert label |
| Custom Labels & Types | type: / labels: |
Non-opaque types, custom labels |
How Types Are Determined¶
The template uses a priority-based decision tree:
- Custom type set (not TLS) → Non-opaque secret with template
- TLS type → Fetches separate
-crtand-keyremote secrets - Contact point → Grafana alert contact point
- ArgoCD repo creds → Repository credential secret
- ArgoCD cluster → Cluster registration secret (cert or bearer token)
- Multivalue →
dataFrom.extract— pulls all keys - Property set → Single key extraction from JSON
- Default → Single value mapping
Combine with Labels
Most secret types support the optional labels field to attach custom metadata to the generated Kubernetes Secret.