ESS version 1.5.0

Author: Jakob Nagel

ess/versions/1.7.0/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: ess
+description: External Secret Syncer for Control Plane
+type: application
+version: 1.7.0
+appVersion: v1.5.0
+
+dependencies:
+  - name: cpln-common
+    version: 1.0.0
+    repository: "oci://ghcr.io/controlplane-com/templates"
+
+annotations:
+  created: "2025-03-12"
+  lastModified: "2026-06-05"
+  category: "secrets"
+  createsGvc: false

ess/versions/1.7.0/README.md

@@ -0,0 +1,241 @@
+## External Secret Syncer (ESS)
+
+### Overview
+
+Creates an application that continuously syncs secrets from external providers into Control Plane secrets on a configurable schedule. Supported providers: **HashiCorp Vault**, **AWS Secrets Manager**, **AWS Parameter Store**, **Doppler**, **GCP Secret Manager**, **1Password**, **1Password Connect**, and **Infisical**.
+
+---
+
+### How It Works
+
+ESS runs as a workload on Control Plane. Your provider configuration and secrets list are stored in a Control Plane secret and mounted into the workload as `sync.yaml`. On startup, ESS schedules a polling loop for each configured secret. At each interval, it fetches the latest value from the external provider and creates or updates the corresponding Control Plane secret via the API.
+
+ESS tags every secret it manages with `syncer.cpln.io/source` (set to the workload path). This prevents two ESS instances from accidentally overwriting each other's secrets. An hourly cleanup job also deletes any Control Plane secrets that ESS owns but that have been removed from your `sync.yaml` config.
+
+---
+
+### Patch Notes
+
+This version of ESS fixes a bug preventing the cleanup from running
+
+### Configuring `values.yaml`
+
+#### Top-level fields
+
+| Field | Description |
+|---|---|
+| `image` | The ESS container image. Do not change unless upgrading. |
+| `resources.cpu` / `resources.memory` | Resource limits for the workload container. |
+| `port` | Port for the ESS HTTP admin API (default: `3004`). Used for health checks and manual sync triggers. |
+| `allowedIp` | List of CIDRs allowed to reach the ESS admin API externally. Replace the placeholder with your IP, or use `0.0.0.0/0` to allow all. |
+| `essConfig` | The full sync configuration — providers and secrets (see below). |
+
+---
+
+#### `essConfig.providers`
+
+Each provider entry requires a unique `name` and exactly one provider block. An optional `syncInterval` sets the default interval for all secrets using that provider.
+
+**Vault**
+```yaml
+- name: my-vault
+  vault:
+    address: https://my-vault.com:8200  # required
+    token: <TOKEN>                       # required
+  syncInterval: 1m                       # optional — overrides global default
+```
+
+**AWS Parameter Store**
+```yaml
+- name: my-aws-ssm
+  awsParameterStore:
+    region: us-east-1
+    accessKeyId: <ACCESS_KEY>       # optional if using an IAM-linked identity
+    secretAccessKey: <SECRET_KEY>   # optional if using an IAM-linked identity
+```
+
+**AWS Secrets Manager**
+```yaml
+- name: my-aws-secrets-manager
+  awsSecretsManager:
+    region: us-east-1
+    accessKeyId: <ACCESS_KEY>
+    secretAccessKey: <SECRET_KEY>
+```
+
+**Doppler**
+```yaml
+- name: my-doppler
+  doppler:
+    accessToken: <TOKEN>  # use a Doppler service token (dp.st....)
+```
+
+**GCP Secret Manager**
+```yaml
+- name: my-gcp
+  gcpSecretManager:
+    projectId: 123456789876
+    credentials:                    # optional — omit to use Application Default Credentials
+      clientEmail: <EMAIL>
+      privateKey: <PRIVATE_KEY>
+```
+
+**1Password**
+```yaml
+- name: my-1password
+  onePassword:
+    serviceAccountToken: <TOKEN>
+    integrationName: my-ess         # optional
+    integrationVersion: 1.0.0       # optional
+```
+
+**1Password Connect**
+```yaml
+- name: my-1password-connect
+  onePasswordConnect:
+    serverURL: https://my-connect-server.example.com  # required
+    token: <TOKEN>                                     # required
+```
+
+**Infisical**
+```yaml
+- name: my-infisical
+  infisical:
+    clientId: <CLIENT_ID>          # required — from an Infisical machine identity
+    clientSecret: <CLIENT_SECRET>  # required
+    projectId: <PROJECT_ID>        # required
+```
+
+---
+
+#### `essConfig.secrets`
+
+Each secret entry syncs one value (or a set of values) from a provider into a Control Plane secret.
+
+| Field | Description |
+|---|---|
+| `name` | Name of the Control Plane secret to create or update. |
+| `provider` | Must match a provider `name` defined above. |
+| `syncInterval` | Optional. Overrides the provider-level and global default for this specific secret. |
+
+Each secret must use exactly one of the following sync types:
+
+---
+
+##### `opaque` — Single value (stored as a Control Plane `opaque` secret)
+
+Shorthand (path only, no fallback):
+```yaml
+- name: my-secret
+  provider: my-vault
+  opaque: /v1/secret/data/myapp
+```
+
+With options:
+```yaml
+- name: my-secret
+  provider: my-vault
+  opaque:
+    path: /v1/secret/data/myapp    # path to fetch
+    parse: data.password           # optional — extract a key from a JSON/YAML response
+    default: fallback-value        # optional — used if fetch fails
+    encoding: base64               # optional — base64-decode the fetched value
+```
+
+> **Note:** If you use the shorthand form (`opaque: /some/path`) with no `default`, a fetch failure causes the sync to fail with no fallback.
+
+---
+
+##### `dictionary` — Multiple values (stored as a Control Plane `dictionary` secret)
+
+Each key in the dictionary is fetched independently:
+```yaml
+- name: my-secret
+  provider: my-vault
+  dictionary:
+    PORT:
+      path: /v1/secret/data/app
+      parse: data.port
+      default: 5432
+    PASSWORD:
+      path: /v1/secret/data/app
+      parse: data.password
+    USERNAME:
+      path: /v1/secret/data/app
+      parse: data.username
+      default: "no username"
+```
+
+Each key supports `path`, `parse`, `default`, and `encoding` — the same options as `opaque`. A failure on one key does not block others.
+
+---
+
+##### `dictionaryFromProject` — Sync an entire project (Doppler or GCP Secret Manager)
+
+Syncs all secrets from a provider project in one operation, stored as a Control Plane `dictionary` secret. The expected shape depends on the provider.
+
+**Doppler** — specify a `project/config` path:
+```yaml
+- name: my-doppler-config
+  provider: my-doppler
+  dictionaryFromProject:
+    path: my-project/dev    # format: "project/config" — exactly two segments
+```
+
+**GCP Secret Manager** — set to `true` to pull every accessible secret from the project configured on the provider:
+```yaml
+- name: my-gcp-config
+  provider: my-gcp
+  dictionaryFromProject: true
+```
+
+Each fetched secret's latest version becomes one key in the resulting dictionary. Secrets with no accessible latest version (no versions, disabled, or destroyed) are skipped.
+
+> **Note:** `dictionaryFromProject` is only valid with the Doppler or GCP Secret Manager providers. Doppler requires the `{ path: ... }` object form; GCP requires the `true` form. Mixing them (or using either with another provider) causes ESS to exit at startup.
+
+---
+
+#### Doppler Path Formats
+
+| Sync type | Path format | Example |
+|---|---|---|
+| `opaque` or `dictionary` key | `project/config/SECRET_NAME` | `my-app/production/DATABASE_URL` |
+| `dictionaryFromProject` | `project/config` | `my-app/production` |
+
+---
+
+#### Infisical Path Formats
+
+The Infisical project is set on the provider (`infisical.projectId`). Secret paths are scoped to an environment within that project.
+
+| Sync type | Path format | Example |
+|---|---|---|
+| `opaque` or `dictionary` key | `<environmentID>/<secret>` | `dev/DATABASE_URL` |
+
+---
+
+#### Sync Interval Format
+
+Intervals use the format `<hours>h<minutes>m<seconds>s`. All parts are optional but at least one is required.
+
+Examples: `10s`, `5m`, `1h`, `1h30m`, `1h30m10s`
+
+Priority (highest wins):
+1. Secret-level `syncInterval`
+2. Provider-level `syncInterval`
+3. Global default (`300s`)
+
+---
+
+### Important Notes
+
+- **Conflict protection:** If a Control Plane secret already exists and is managed by a different ESS instance, the sync for that secret will fail. Two ESS instances cannot manage the same secret.
+- **Secret type changes:** Changing a secret from `opaque` to `dictionary` (or vice versa) causes ESS to delete the existing secret and recreate it. There is a brief window where the secret does not exist.
+- **Cleanup:** ESS runs an hourly job that deletes Control Plane secrets it owns but that no longer appear in `sync.yaml`. Removing a secret from the config will eventually result in its deletion from Control Plane.
+- **Doppler `parse`:** The `parse` field only works when the Doppler secret's value is JSON or YAML. Using `parse` on a plain string secret throws an error.
+- **`sync.yaml` hot reload:** ESS watches its config file and automatically restarts when changes are detected (every ~5 seconds). No workload restart is needed after updating the config secret.
+
+### Resources
+
+- [ESS Documentation](https://docs.controlplane.com/template-catalog/templates/external-secret-syncer)
+- [Image Source Code](https://github.com/controlplane-com/external-secret-syncer)

ess/versions/1.7.0/templates/_helpers.tpl

@@ -0,0 +1,39 @@
+{{/* Resource Naming */}}
+
+{{/*
+ESS Workload Name
+*/}}
+{{- define "ess.name" -}}
+{{- printf "%s-ess" .Release.Name }}
+{{- end }}
+
+{{/*
+ESS Identity Name
+*/}}
+{{- define "ess.identity.name" -}}
+{{- printf "%s-ess-identity" .Release.Name }}
+{{- end }}
+
+{{/*
+ESS Policy Name
+*/}}
+{{- define "ess.policy.name" -}}
+{{- printf "%s-ess-policy" .Release.Name }}
+{{- end }}
+
+{{/*
+ESS Secret Config Name
+*/}}
+{{- define "ess.secret.name" -}}
+{{- printf "%s-ess-config" .Release.Name }}
+{{- end }}
+
+
+{{/* Labeling */}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ess.tags" -}}
+{{- include "cpln-common.tags" . }}
+{{- end }}

ess/versions/1.7.0/templates/identity.yaml

@@ -0,0 +1,5 @@
+kind: identity
+gvc: {{ .Values.global.cpln.gvc }}
+name: {{ include "ess.identity.name" . }}
+description: ESS identity
+tags: {{- include "ess.tags" . | nindent 4 }}

ess/versions/1.7.0/templates/policy.yaml

@@ -0,0 +1,10 @@
+kind: policy
+name: {{ include "ess.policy.name" . }}
+description: ESS policy
+bindings:
+  - permissions:
+      - manage
+    principalLinks:
+      - //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "ess.identity.name" . }}
+target: all
+targetKind: secret

ess/versions/1.7.0/templates/secret.yaml

@@ -0,0 +1,9 @@
+kind: secret
+name: {{ include "ess.secret.name" . }}
+description: ESS config
+tags: {{- include "ess.tags" . | nindent 4 }}
+type: opaque
+data:
+  encoding: plain
+  payload: |
+{{- toYaml .Values.essConfig | nindent 4 }}

ess/versions/1.7.0/templates/workload.yaml

@@ -0,0 +1,61 @@
+kind: workload
+name: {{ include "ess.name" . }}
+description: External Secret Syncer
+tags: {{- include "ess.tags" . | nindent 4 }}
+spec:
+  type: standard
+  containers:
+    - name: ess
+      cpu: {{ .Values.resources.cpu | quote }}
+      image: {{ .Values.image }}
+      inheritEnv: false
+      memory: {{ .Values.resources.memory | quote }}
+      ports:
+        - number: {{ .Values.port }}
+          protocol: http
+      readinessProbe:
+        failureThreshold: 3
+        httpGet:
+          httpHeaders: []
+          path: /about
+          port: {{ .Values.port }}
+          scheme: HTTP
+        initialDelaySeconds: 0
+        periodSeconds: 10
+        successThreshold: 1
+        timeoutSeconds: 1
+      volumes:
+        - path: /usr/src/app/sync.yaml
+          recoveryPolicy: retain
+          uri: cpln://secret/{{ include "ess.secret.name" . }}
+  defaultOptions:
+    autoscaling:
+      maxConcurrency: 0
+      maxScale: 3
+      metric: cpu
+      minScale: 1
+      scaleToZeroDelay: 300
+      target: 100
+    capacityAI: false
+    debug: false
+    suspend: false
+    timeoutSeconds: 5
+  firewallConfig:
+    external:
+      inboundAllowCIDR: 
+        {{- toYaml .Values.allowedIp | nindent 8 }}
+      inboundBlockedCIDR: []
+      outboundAllowCIDR:
+        - 0.0.0.0/0
+      outboundAllowHostname: []
+      outboundAllowPort: []
+      outboundBlockedCIDR: []
+    internal:
+      inboundAllowType: none
+      inboundAllowWorkload: []
+  identityLink: //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "ess.identity.name" . }}
+  loadBalancer:
+    direct:
+      enabled: false
+      ports: []
+  supportDynamicTags: false