
Deployed 8fb0fec6 to main with MkDocs 1.6.0 and mike 1.2.0.dev0

moolen 2 лет назад
Родитель
Сommit
62cb2b0029

+ 168 - 79
main/provider/oracle-vault/index.html

@@ -2251,10 +2251,9 @@
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="Oracle Vault">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
+</li>
+      
+        <li class="md-nav__item">
   <a href="#authentication" class="md-nav__link">
     <span class="md-ellipsis">
       Authentication
@@ -2265,50 +2264,69 @@
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#service-account-key-authentication" class="md-nav__link">
+  <a href="#user-principal-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      Service account key authentication
+      User Principal Authentication
     </span>
   </a>
   
 </li>
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#instance-principal-authentication-oci" class="md-nav__link">
+    <span class="md-ellipsis">
+      Instance Principal Authentication (OCI)
+    </span>
+  </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#update-secret-store" class="md-nav__link">
+  <a href="#workload-identity-authentication-ocioke" class="md-nav__link">
     <span class="md-ellipsis">
-      Update secret store
+      Workload Identity Authentication (OCI/OKE)
     </span>
   </a>
   
 </li>
         
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#creating-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Creating an External Secret
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Creating an External Secret">
+      <ul class="md-nav__list">
+        
           <li class="md-nav__item">
-  <a href="#creating-external-secret" class="md-nav__link">
+  <a href="#external-secret-targeting-json-data" class="md-nav__link">
     <span class="md-ellipsis">
-      Creating external secret
+      External Secret targeting JSON data
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#getting-the-kubernetes-secret" class="md-nav__link">
+  <a href="#external-secret-targeting-plaintext-data" class="md-nav__link">
     <span class="md-ellipsis">
-      Getting the Kubernetes secret
+      External Secret targeting plaintext data
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+  <a href="#getting-the-kubernetes-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      PushSecrets and retrieving multiple secrets.
+      Getting the Kubernetes secret
     </span>
   </a>
   
@@ -2317,6 +2335,15 @@
       </ul>
     </nav>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+    <span class="md-ellipsis">
+      PushSecrets and retrieving multiple secrets.
+    </span>
+  </a>
+  
 </li>
       
     </ul>
@@ -3210,10 +3237,9 @@
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="Oracle Vault">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
+</li>
+      
+        <li class="md-nav__item">
   <a href="#authentication" class="md-nav__link">
     <span class="md-ellipsis">
       Authentication
@@ -3224,50 +3250,69 @@
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#service-account-key-authentication" class="md-nav__link">
+  <a href="#user-principal-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      Service account key authentication
+      User Principal Authentication
     </span>
   </a>
   
 </li>
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#instance-principal-authentication-oci" class="md-nav__link">
+    <span class="md-ellipsis">
+      Instance Principal Authentication (OCI)
+    </span>
+  </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#update-secret-store" class="md-nav__link">
+  <a href="#workload-identity-authentication-ocioke" class="md-nav__link">
     <span class="md-ellipsis">
-      Update secret store
+      Workload Identity Authentication (OCI/OKE)
     </span>
   </a>
   
 </li>
         
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#creating-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Creating an External Secret
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Creating an External Secret">
+      <ul class="md-nav__list">
+        
           <li class="md-nav__item">
-  <a href="#creating-external-secret" class="md-nav__link">
+  <a href="#external-secret-targeting-json-data" class="md-nav__link">
     <span class="md-ellipsis">
-      Creating external secret
+      External Secret targeting JSON data
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#getting-the-kubernetes-secret" class="md-nav__link">
+  <a href="#external-secret-targeting-plaintext-data" class="md-nav__link">
     <span class="md-ellipsis">
-      Getting the Kubernetes secret
+      External Secret targeting plaintext data
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+  <a href="#getting-the-kubernetes-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      PushSecrets and retrieving multiple secrets.
+      Getting the Kubernetes secret
     </span>
   </a>
   
@@ -3276,6 +3321,15 @@
       </ul>
     </nav>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+    <span class="md-ellipsis">
+      PushSecrets and retrieving multiple secrets.
+    </span>
+  </a>
+  
 </li>
       
     </ul>
@@ -3299,20 +3353,38 @@
   <h1>Oracle Vault</h1>
 
 <h2 id="oracle-vault">Oracle Vault</h2>
-<p>External Secrets Operator integrates with <a href="https://github.com/oracle/oci-go-sdk">OCI API</a> to sync secret on the Oracle Vault to secrets held on the Kubernetes cluster.</p>
-<h3 id="authentication">Authentication</h3>
-<p>Specify the authenticating principal with <code>principalType</code>, using <code>UserPrincipal</code>, <code>InstancePrincipal</code>, or <code>Workload</code> as values.
-If <code>principalType</code> or <code>auth</code> are not set, the operator defaults to instance principal for authentication.</p>
-<p>For user principal, userOCID, tenancyOCID, fingerprint and private key are required.
-The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.</p>
-<p>See url for what region you you are accessing.
+<p>External Secrets Operator integrates with the <a href="https://docs.oracle.com/en-us/iaas/api/">Oracle Cloud Infrastructure (OCI) REST API</a> to manage secrets in Oracle Vault. All secret operations exposed by External Secrets Operator are supported by the Oracle provider.</p>
+<p>For more information on managing OCI Vaults and OCI Vault Secrets, see the following documentation:</p>
+<ul>
+<li><a href="https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults.htm">Managing Vaults</a></li>
+<li><a href="https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm">Managing Vault Secrets</a></li>
+</ul>
+<h2 id="authentication">Authentication</h2>
+<p>External Secrets Operator may authenticate to OCI Vault using User Principal, <a href="https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals">Instance Principal</a>, or <a href="https://blogs.oracle.com/cloud-infrastructure/post/oke-workload-identity-greater-control-access">Workload Identity</a>.</p>
+<p>To specify the authenticating principal in a secret store, set the <code>spec.provider.oracle.principalType</code> value. Note that the value of <code>principalType</code> defaults <code>InstancePrincipal</code> if not set.</p>
+<p>apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: my-secret-store
+spec:
+  provider:
+    oracle:
+      # May be UserPrincipal, InstancePrincipal, or Workload
+      principalType: <Principal Type></p>
+<h3 id="user-principal-authentication">User Principal Authentication</h3>
+<p>For user principal authentication, region, user OCID, tenancy OCID, private key, and fingerprint are required.
+The private key and fingerprint must be supplied in a Kubernetes secret, while the user OCID, tenancy OCID, and region should be set in the secret store.</p>
+<p>To get your user principal information, find url for the OCI region you are accessing.
 <img alt="userOCID-details" src="../../pictures/screenshot_region.png" /></p>
-<p>Select tenancy in the top right to see your user OCID as shown below.
+<p>Select tenancy in the top right to see your tenancy OCID as shown below.
 <img alt="tenancyOCID-details" src="../../pictures/screenshot_tenancy_OCID.png" /></p>
 <p>Select your user in the top right to see your user OCID as shown below.
 <img alt="region-details" src="../../pictures/screenshot_user_OCID.png" /></p>
-<h4 id="service-account-key-authentication">Service account key authentication</h4>
-<p>Create a secret containing your private key and fingerprint:</p>
+<p>Your fingerprint will be attatched to your API key, once it has been generated. Private keys can be created or uploaded on the same page as the your user OCID.
+<img alt="fingerprint-details" src="../../pictures/screenshot_fingerprint.png" /></p>
+<p>Once you click "Add API Key" you will be shown the following, where you can download the key in the necessary PEM format for API requests. Creating a private key will automatically generate a fingerprint.
+<img alt="API-key-details" src="../../pictures/screenshot_API_key.png" /></p>
+<p>Next, create a secret containing your private key and fingerprint:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -3324,42 +3396,10 @@ The fingerprint and key file should be supplied in the secret with the rest bein
 <span class="w">  </span><span class="nt">privateKey</span><span class="p">:</span><span class="w"> </span>
 <span class="w">  </span><span class="nt">fingerprint</span><span class="p">:</span><span class="w"> </span>
 </code></pre></div>
-<p>Your fingerprint will be attatched to your API key, once it has been generated. Found on the same page as the user OCID.
-<img alt="fingerprint-details" src="../../pictures/screenshot_fingerprint.png" /></p>
-<p>Once you click "Add API Key" you will be shown the following, where you can download the RSA key in the necessary PEM format for API requests.
-This will automatically generate a fingerprint.
-<img alt="API-key-details" src="../../pictures/screenshot_API_key.png" /></p>
-<h3 id="update-secret-store">Update secret store</h3>
-<p>Be sure the <code>oracle</code> provider is listed in the <code>Kind=SecretStore</code>.</p>
+<p>After creating the credentials secret, the secret store can be configured:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-instance-principal</span>
-<span class="nt">spec</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
-<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
-<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault region</span>
-<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">InstancePrincipal</span>
-
-<span class="nn">---</span>
-
-<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
-<span class="nt">metadata</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-workload-identity</span>
-<span class="nt">spec</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
-<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
-<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault region</span>
-<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Workload</span>
-
-<span class="nn">---</span>
-
-<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
-<span class="nt">metadata</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-auth</span>
 <span class="nt">spec</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
@@ -3379,8 +3419,39 @@ This will automatically generate a fingerprint.
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fingerprint</span>
 </code></pre></div>
 <p><strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>privatekey</code> and <code>fingerprint</code> with the namespaces where the secrets reside.</p>
-<h3 id="creating-external-secret">Creating external secret</h3>
-<p>To create a kubernetes secret from the Oracle Cloud Interface secret a<code>Kind=ExternalSecret</code> is needed.</p>
+<h3 id="instance-principal-authentication-oci">Instance Principal Authentication (OCI)</h3>
+<p>Instance Principal uses a pod's instance principal to authenticate to OCI Vault. Ensure your cluster instances have the appropriate policies to use <a href="https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals">Instance Principal</a>.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret-store</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
+<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">InstancePrincipal</span>
+</code></pre></div>
+<h3 id="workload-identity-authentication-ocioke">Workload Identity Authentication (OCI/OKE)</h3>
+<p><a href="https://blogs.oracle.com/cloud-infrastructure/post/oke-workload-identity-greater-control-access">Workload Identity</a> can be used to grant the External Secrets Operator pod policy driven access to OCI Vault when running on Oracle Container Engine for Kubernetes (OKE).</p>
+<p>Note that if a service account is not provided in the secret store, the Oracle provider will authenticate using the service account token of the External Secrets Operator.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret-store</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
+<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Workload</span>
+<span class="w">      </span><span class="c1"># If serviceAccountRef is not specified, the Oracle provider will authenticate using the service account token of the External Secrets Operator.</span>
+<span class="w">      </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
+<span class="w">        </span><span class="c1"># If using a namespaced secret store, this service account must exist in the same namespace as the secret store.</span>
+<span class="w">        </span><span class="c1"># namespace: service account namespace. Required if using ClusterSecretStore, otherwise cannot be specified.</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="c1"># The service account name to use for authentication.</span>
+</code></pre></div>
+<h2 id="creating-an-external-secret">Creating an External Secret</h2>
+<p>To create a Kubernetes secret from an OCI Vault secret a <code>Kind=ExternalSecret</code> is needed. The External Secret will reference an OCI Vault instance containing secrets with either JSON or plaintext data.</p>
+<h4 id="external-secret-targeting-json-data">External Secret targeting JSON data</h4>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -3397,11 +3468,29 @@ This will automatically generate a fingerprint.
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">the-secret-name</span>
 </code></pre></div>
+<h4 id="external-secret-targeting-plaintext-data">External Secret targeting plaintext data</h4>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0.03m</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span><span class="w"> </span><span class="c1"># Must match SecretStore on the cluster</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span><span class="w"> </span><span class="c1"># Name for the secret on the cluster</span>
+<span class="w">    </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">key</span>
+<span class="w">      </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-eso-secret</span>
+</code></pre></div>
 <h3 id="getting-the-kubernetes-secret">Getting the Kubernetes secret</h3>
-<p>The operator will fetch the project variable and inject it as a <code>Kind=Secret</code>.
+<p>The operator will fetch the OCI Vault Secret and inject it as a <code>Kind=Secret</code>.
 <div class="highlight"><pre><span></span><code>kubectl get secret oracle-secret-to-create -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
 </code></pre></div></p>
-<h3 id="pushsecrets-and-retrieving-multiple-secrets">PushSecrets and retrieving multiple secrets.</h3>
+<h2 id="pushsecrets-and-retrieving-multiple-secrets">PushSecrets and retrieving multiple secrets.</h2>
 <p>When using <a href="https://external-secrets.io/latest/guides/pushsecrets/">PushSecrets</a>, the compartment OCID and encryption key OCID must be specified in the
 Oracle SecretStore. You can find your compartment and encrpytion key OCIDs in the OCI console.</p>
 <p>If <a href="https://external-secrets.io/latest/guides/getallsecrets/">retrieving multiple secrets</a> by tag or regex, only the compartment OCID must be specified.</p>
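Review bot: The principalType example at the top of the new Authentication section is emitted as a plain `<p>` (`apiVersion: external-secrets.io/v1beta1 … principalType: <Principal Type></p>`) rather than inside a `<div class="highlight"><pre>` block like every other snippet in this hunk, so the YAML loses its line structure and the `<Principal Type>` placeholder is read by the browser as an unknown tag and vanishes from the rendered text. This file is generated output; the likely cause is that the include of oracle-principal-type.yaml in the source markdown is not wrapped in a fenced yaml block, which is where the fix belongs. While editing that source, `defaults <code>InstancePrincipal</code>` is missing "to", and "attatched" and "encrpytion" are typos carried into the deployed page.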

+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 16 - 0
main/snippets/oracle-external-secret-plaintext.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: example
+spec:
+  refreshInterval: 0.03m
+  secretStoreRef:
+    kind: SecretStore
+    name: example # Must match SecretStore on the cluster
+  target:
+    name: secret-to-be-created # Name for the secret on the cluster
+    creationPolicy: Owner
+  data:
+    - secretKey: key
+      remoteRef:
+        key: my-eso-secret
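Review bot: `refreshInterval: 0.03m` makes every ExternalSecret copied from this example poll OCI Vault roughly every two seconds, which is an odd value for a documentation snippet and likely to run into API rate limits once used as-is. Unless the very short interval is deliberate for a demo, use a conventional value such as `refreshInterval: 1h`, and keep it consistent with the JSON example on the same page.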

+ 9 - 0
main/snippets/oracle-instance-principal.yaml

@@ -0,0 +1,9 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: my-secret-store
+spec:
+  provider:
+    oracle:
+      vault: # The vault OCID
+      principalType: InstancePrincipal
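Review bot: This snippet and oracle-workload-identity.yaml both drop the `region` field that the removed oracle-secret-store.yaml carried for its InstancePrincipal and Workload stores (`region: # The vault region`), leaving only `vault` and `principalType`. Unless region has become optional for these principal types, a store copied from this example will be rejected or unable to resolve the vault endpoint; if it is still required, restore `region: # The vault region` here and in the workload-identity snippet. Note also that `vault:` followed only by a comment parses as null, which is fine for a placeholder but worth saying in the comment (`vault: # REQUIRED: the vault OCID`) so the file is not applied unchanged.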

+ 9 - 0
main/snippets/oracle-principal-type.yaml

@@ -0,0 +1,9 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: my-secret-store
+spec:
+  provider:
+    oracle:
+      # May be UserPrincipal, InstancePrincipal, or Workload
+      principalType: <Principal Type>

+ 0 - 26
main/snippets/oracle-secret-store.yaml

@@ -1,29 +1,3 @@
-apiVersion: external-secrets.io/v1beta1
-kind: SecretStore
-metadata:
-  name: example-instance-principal
-spec:
-  provider:
-    oracle:
-      vault: # The vault OCID
-      region: # The vault region
-      principalType: InstancePrincipal
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: SecretStore
-metadata:
-  name: example-workload-identity
-spec:
-  provider:
-    oracle:
-      vault: # The vault OCID
-      region: # The vault region
-      principalType: Workload
-
----
-
 apiVersion: external-secrets.io/v1beta1
 kind: SecretStore
 metadata:

+ 14 - 0
main/snippets/oracle-workload-identity.yaml

@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: my-secret-store
+spec:
+  provider:
+    oracle:
+      vault: # The vault OCID
+      principalType: Workload
+      # If serviceAccountRef is not specified, the Oracle provider will authenticate using the service account token of the External Secrets Operator.
+      serviceAccountRef:
+        # If using a namespaced secret store, this service account must exist in the same namespace as the secret store.
+        # namespace: service account namespace. Required if using ClusterSecretStore, otherwise cannot be specified.
+        name: # The service account name to use for authentication.
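Review bot: The comment on `serviceAccountRef` documents the fallback to the operator's own service-account token but not its consequence: as written, any namespaced SecretStore that omits `serviceAccountRef` acts with whatever OCI policy the operator's identity carries, which is usually broader than a single namespace should receive. The example should steer readers toward a dedicated service account per store so that OCI policy can scope vault access to that workload, e.g. change the comment to `# Omitting serviceAccountRef falls back to the operator's own identity; prefer a dedicated service account per store so OCI policy can scope its vault access.`. Separately, `name:` with only a trailing comment parses as null, so the comment should say a real service account name must be filled in.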
