projectsyn · schemen · Aug 6, 2025 · Aug 6, 2025
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -24,3 +24,5 @@ parameters:
     cluster_secret_stores: {}
     ecr_authorization_tokens: {}
     external_secrets: {}
+
+    secrets: {}
diff --git a/component/resources.jsonnet b/component/resources.jsonnet
@@ -1,5 +1,6 @@
 local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
 
 local eso = import 'lib/external-secrets-operator.libsonnet';
 
@@ -54,9 +55,12 @@ local ecr_authorization_tokens = com.generateResources(
     }
 );
 
+local secrets = com.generateResources(params.secrets, kube.Secret);
+
 {
   [if std.length(stores) > 0 then '20_secret_stores']: stores,
   [if std.length(clusterstores) > 0 then '20_cluster_secret_stores']: clusterstores,
   [if std.length(external_secrets) > 0 then '20_external_secrets']: external_secrets,
   [if std.length(ecr_authorization_tokens) > 0 then '20_ecr_authorization_tokens']: ecr_authorization_tokens,
+  [if std.length(params.secrets) > 0 then '99_secrets']: secrets,
 }
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -86,3 +86,7 @@ The key can be just a name, or `<namespace>/<name>`.
 If the key is just a name, the resulting `ExternalSecret` is deployed in the namespace in which the operator is deployed.
 The component sets `metadata.name` and `metadata.namespace` based on the object key.
 The value is used as is and setting `metadata.name` or `metadata.namespace` overrides the values parsed from the object key.
+
+== `secrets`
+A dict of secrets to create in the namespace.
+The key is the name of the secret, the value is the content of the secret.
diff --git a/tests/defaults.yml b/tests/defaults.yml
@@ -104,3 +104,13 @@ parameters:
                   apiVersion: generators.external-secrets.io/v1alpha1
                   kind: ClusterGenerator
                   name: "my-password-generator"
+
+    secrets:
+      my-secret:
+        stringData:
+          secret-key: '?{vaultkv:${cluster:tenant}/${cluster:name}/secret-value}'
+      my-other-secret:
+        metadata:
+          namespace: testing
+        stringData:
+          secret-key: '?{vaultkv:${cluster:tenant}/${cluster:name}/other-secret}'
diff --git a/tests/golden/defaults/external-secrets-operator/external-secrets-operator/99_secrets.yaml b/tests/golden/defaults/external-secrets-operator/external-secrets-operator/99_secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  annotations: {}
+  labels:
+    name: my-other-secret
+  name: my-other-secret
+  namespace: testing
+stringData:
+  secret-key: t-silent-test-1234/c-green-test-1234/other-secret
+type: Opaque
+---
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  annotations: {}
+  labels:
+    name: my-secret
+  name: my-secret
+stringData:
+  secret-key: t-silent-test-1234/c-green-test-1234/secret-value
+type: Opaque