@@ -1,3 +1,4 @@
|
|
|
+---
|
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
@@ -1137,7 +1138,1129 @@ spec:
|
|
|
type: object
|
|
|
type: object
|
|
|
served: true
|
|
|
- storage: true
|
|
|
+ storage: false
|
|
|
+ subresources:
|
|
|
+ status: {}
|
|
|
+ - additionalPrinterColumns:
|
|
|
+ - jsonPath: .metadata.creationTimestamp
|
|
|
+ name: AGE
|
|
|
+ type: date
|
|
|
+ name: v1alpha2
|
|
|
+ schema:
|
|
|
+ openAPIV3Schema:
|
|
|
+ description: ClusterSecretStore represents a secure external location for
|
|
|
+ storing secrets, which can be referenced as part of `storeRef` fields.
|
|
|
+ properties:
|
|
|
+ apiVersion:
|
|
|
+ description: 'APIVersion defines the versioned schema of this representation
|
|
|
+ of an object. Servers should convert recognized schemas to the latest
|
|
|
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
+ type: string
|
|
|
+ kind:
|
|
|
+ description: 'Kind is a string value representing the REST resource this
|
|
|
+ object represents. Servers may infer this from the endpoint the client
|
|
|
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
+ type: string
|
|
|
+ metadata:
|
|
|
+ type: object
|
|
|
+ spec:
|
|
|
+ description: SecretStoreSpec defines the desired state of SecretStore.
|
|
|
+ properties:
|
|
|
+ controller:
|
|
|
+ description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
|
|
|
+ The KES controller is instantiated with a specific controller name
|
|
|
+ and filters ES based on this property'
|
|
|
+ type: string
|
|
|
+ provider:
|
|
|
+ description: Used to configure the provider. Only one provider may
|
|
|
+ be set
|
|
|
+ maxProperties: 1
|
|
|
+ minProperties: 1
|
|
|
+ properties:
|
|
|
+ akeyless:
|
|
|
+ description: Akeyless configures this store to sync secrets using
|
|
|
+ Akeyless Vault provider
|
|
|
+ properties:
|
|
|
+ akeylessGWApiURL:
|
|
|
+ description: Akeyless GW API Url from which the secrets to
|
|
|
+ be fetched from.
|
|
|
+ type: string
|
|
|
+ authSecretRef:
|
|
|
+ description: Auth configures how the operator authenticates
|
|
|
+ with Akeyless.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
|
|
|
+ AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
|
|
|
+ properties:
|
|
|
+ accessID:
|
|
|
+ description: The SecretAccessID is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ accessType:
|
|
|
+ description: A reference to a specific 'key' within
|
|
|
+ a Secret resource, In some instances, `key` is a
|
|
|
+ required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ accessTypeParam:
|
|
|
+ description: A reference to a specific 'key' within
|
|
|
+ a Secret resource, In some instances, `key` is a
|
|
|
+ required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - akeylessGWApiURL
|
|
|
+ - authSecretRef
|
|
|
+ type: object
|
|
|
+ alibaba:
|
|
|
+ description: Alibaba configures this store to sync secrets using
|
|
|
+ Alibaba Cloud provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: AlibabaAuth contains a secretRef for credentials.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: AlibabaAuthSecretRef holds secret references
|
|
|
+ for Alibaba credentials.
|
|
|
+ properties:
|
|
|
+ accessKeyIDSecretRef:
|
|
|
+ description: The AccessKeyID is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ accessKeySecretSecretRef:
|
|
|
+ description: The AccessKeySecret is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - accessKeyIDSecretRef
|
|
|
+ - accessKeySecretSecretRef
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ endpoint:
|
|
|
+ type: string
|
|
|
+ regionID:
|
|
|
+ description: Alibaba Region to be used for the provider
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ - regionID
|
|
|
+ type: object
|
|
|
+ aws:
|
|
|
+ description: AWS configures this store to sync secrets using AWS
|
|
|
+ Secret Manager provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: 'Auth defines the information necessary to authenticate
|
|
|
+ against AWS if not set aws sdk will infer credentials from
|
|
|
+ your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
+ properties:
|
|
|
+ jwt:
|
|
|
+ description: Authenticate against AWS using service account
|
|
|
+ tokens.
|
|
|
+ properties:
|
|
|
+ serviceAccountRef:
|
|
|
+ description: A reference to a ServiceAccount resource.
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource
|
|
|
+ being referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ secretRef:
|
|
|
+ description: AWSAuthSecretRef holds secret references
|
|
|
+ for AWS credentials both AccessKeyID and SecretAccessKey
|
|
|
+ must be defined in order to properly authenticate.
|
|
|
+ properties:
|
|
|
+ accessKeyIDSecretRef:
|
|
|
+ description: The AccessKeyID is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ secretAccessKeySecretRef:
|
|
|
+ description: The SecretAccessKey is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ region:
|
|
|
+ description: AWS Region to be used for the provider
|
|
|
+ type: string
|
|
|
+ role:
|
|
|
+ description: Role is a Role ARN which the SecretManager provider
|
|
|
+ will assume
|
|
|
+ type: string
|
|
|
+ service:
|
|
|
+ description: Service defines which service should be used
|
|
|
+ to fetch the secrets
|
|
|
+ enum:
|
|
|
+ - SecretsManager
|
|
|
+ - ParameterStore
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - region
|
|
|
+ - service
|
|
|
+ type: object
|
|
|
+ azurekv:
|
|
|
+ description: AzureKV configures this store to sync secrets using
|
|
|
+ Azure Key Vault provider
|
|
|
+ properties:
|
|
|
+ authSecretRef:
|
|
|
+ description: Auth configures how the operator authenticates
|
|
|
+ with Azure. Required for ServicePrincipal auth type.
|
|
|
+ properties:
|
|
|
+ clientId:
|
|
|
+ description: The Azure clientId of the service principle
|
|
|
+ used for authentication.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret resource's
|
|
|
+ `data` field to be used. Some instances of this
|
|
|
+ field may be defaulted, in others it may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
|
+ defaults to the namespace of the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ clientSecret:
|
|
|
+ description: The Azure ClientSecret of the service principle
|
|
|
+ used for authentication.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret resource's
|
|
|
+ `data` field to be used. Some instances of this
|
|
|
+ field may be defaulted, in others it may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
|
+ defaults to the namespace of the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - clientId
|
|
|
+ - clientSecret
|
|
|
+ type: object
|
|
|
+ authType:
|
|
|
+ default: ServicePrincipal
|
|
|
+ description: 'Auth type defines how to authenticate to the
|
|
|
+ keyvault service. Valid values are: - "ServicePrincipal"
|
|
|
+ (default): Using a service principal (tenantId, clientId,
|
|
|
+ clientSecret) - "ManagedIdentity": Using Managed Identity
|
|
|
+ assigned to the pod (see aad-pod-identity)'
|
|
|
+ enum:
|
|
|
+ - ServicePrincipal
|
|
|
+ - ManagedIdentity
|
|
|
+ type: string
|
|
|
+ identityId:
|
|
|
+ description: If multiple Managed Identity is assigned to the
|
|
|
+ pod, you can select the one to be used
|
|
|
+ type: string
|
|
|
+ tenantId:
|
|
|
+ description: TenantID configures the Azure Tenant to send
|
|
|
+ requests to. Required for ServicePrincipal auth type.
|
|
|
+ type: string
|
|
|
+ vaultUrl:
|
|
|
+ description: Vault Url from which the secrets to be fetched
|
|
|
+ from.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - vaultUrl
|
|
|
+ type: object
|
|
|
+ gcpsm:
|
|
|
+ description: GCPSM configures this store to sync secrets using
|
|
|
+ Google Cloud Platform Secret Manager provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth defines the information necessary to authenticate
|
|
|
+ against GCP
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ properties:
|
|
|
+ secretAccessKeySecretRef:
|
|
|
+ description: The SecretAccessKey is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ workloadIdentity:
|
|
|
+ properties:
|
|
|
+ clusterLocation:
|
|
|
+ type: string
|
|
|
+ clusterName:
|
|
|
+ type: string
|
|
|
+ serviceAccountRef:
|
|
|
+ description: A reference to a ServiceAccount resource.
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource
|
|
|
+ being referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - clusterLocation
|
|
|
+ - clusterName
|
|
|
+ - serviceAccountRef
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ projectID:
|
|
|
+ description: ProjectID project where secret is located
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ gitlab:
|
|
|
+ description: GItlab configures this store to sync secrets using
|
|
|
+ Gitlab Variables provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth configures how secret-manager authenticates
|
|
|
+ with a GitLab instance.
|
|
|
+ properties:
|
|
|
+ SecretRef:
|
|
|
+ properties:
|
|
|
+ accessToken:
|
|
|
+ description: AccessToken is used for authentication.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - SecretRef
|
|
|
+ type: object
|
|
|
+ projectID:
|
|
|
+ description: ProjectID specifies a project where secrets are
|
|
|
+ located.
|
|
|
+ type: string
|
|
|
+ url:
|
|
|
+ description: URL configures the GitLab instance URL. Defaults
|
|
|
+ to https://gitlab.com/.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
+ ibm:
|
|
|
+ description: IBM configures this store to sync secrets using IBM
|
|
|
+ Cloud provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth configures how secret-manager authenticates
|
|
|
+ with the IBM secrets manager.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ properties:
|
|
|
+ secretApiKeySecretRef:
|
|
|
+ description: The SecretAccessKey is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ serviceUrl:
|
|
|
+ description: ServiceURL is the Endpoint URL that is specific
|
|
|
+ to the Secrets Manager service instance
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
+ oracle:
|
|
|
+ description: Oracle configures this store to sync secrets using
|
|
|
+ Oracle Vault provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth configures how secret-manager authenticates
|
|
|
+ with the Oracle Vault.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: SecretRef to pass through sensitive information.
|
|
|
+ properties:
|
|
|
+ fingerprint:
|
|
|
+ description: Fingerprint is the fingerprint of the
|
|
|
+ API private key.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ privatekey:
|
|
|
+ description: PrivateKey is the user's API Signing
|
|
|
+ Key in PEM format, used for authentication.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ region:
|
|
|
+ description: Region is the region where secret is located.
|
|
|
+ type: string
|
|
|
+ tenancy:
|
|
|
+ description: Tenancy is the tenancy OCID where secret is located.
|
|
|
+ type: string
|
|
|
+ user:
|
|
|
+ description: User is an access OCID specific to the account.
|
|
|
+ type: string
|
|
|
+ vault:
|
|
|
+ description: Vault is the vault's OCID of the specific vault
|
|
|
+ where secret is located.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
+ vault:
|
|
|
+ description: Vault configures this store to sync secrets using
|
|
|
+ Hashi provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth configures how secret-manager authenticates
|
|
|
+ with the Vault server.
|
|
|
+ properties:
|
|
|
+ appRole:
|
|
|
+ description: AppRole authenticates with Vault using the
|
|
|
+ App Role auth mechanism, with the role and secret stored
|
|
|
+ in a Kubernetes Secret resource.
|
|
|
+ properties:
|
|
|
+ path:
|
|
|
+ default: approle
|
|
|
+ description: 'Path where the App Role authentication
|
|
|
+ backend is mounted in Vault, e.g: "approle"'
|
|
|
+ type: string
|
|
|
+ roleId:
|
|
|
+ description: RoleID configured in the App Role authentication
|
|
|
+ backend when setting up the authentication backend
|
|
|
+ in Vault.
|
|
|
+ type: string
|
|
|
+ secretRef:
|
|
|
+ description: Reference to a key in a Secret that contains
|
|
|
+ the App Role secret used to authenticate with Vault.
|
|
|
+ The `key` field must be specified and denotes which
|
|
|
+ entry within the Secret resource is used as the
|
|
|
+ app role secret.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - path
|
|
|
+ - roleId
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ cert:
|
|
|
+ description: Cert authenticates with TLS Certificates
|
|
|
+ by passing client certificate, private key and ca certificate
|
|
|
+ Cert authentication method
|
|
|
+ properties:
|
|
|
+ clientCert:
|
|
|
+ description: ClientCert is a certificate to authenticate
|
|
|
+ using the Cert Vault authentication method
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ secretRef:
|
|
|
+ description: SecretRef to a key in a Secret resource
|
|
|
+ containing client private key to authenticate with
|
|
|
+ Vault using the Cert authentication method
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ jwt:
|
|
|
+ description: Jwt authenticates with Vault by passing role
|
|
|
+ and JWT token using the JWT/OIDC authentication method
|
|
|
+ properties:
|
|
|
+ path:
|
|
|
+ default: jwt
|
|
|
+ description: 'Path where the JWT authentication backend
|
|
|
+ is mounted in Vault, e.g: "jwt"'
|
|
|
+ type: string
|
|
|
+ role:
|
|
|
+ description: Role is a JWT role to authenticate using
|
|
|
+ the JWT/OIDC Vault authentication method
|
|
|
+ type: string
|
|
|
+ secretRef:
|
|
|
+ description: SecretRef to a key in a Secret resource
|
|
|
+ containing JWT token to authenticate with Vault
|
|
|
+ using the JWT/OIDC authentication method
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - path
|
|
|
+ type: object
|
|
|
+ kubernetes:
|
|
|
+ description: Kubernetes authenticates with Vault by passing
|
|
|
+ the ServiceAccount token stored in the named Secret
|
|
|
+ resource to the Vault server.
|
|
|
+ properties:
|
|
|
+ mountPath:
|
|
|
+ default: kubernetes
|
|
|
+ description: 'Path where the Kubernetes authentication
|
|
|
+ backend is mounted in Vault, e.g: "kubernetes"'
|
|
|
+ type: string
|
|
|
+ role:
|
|
|
+ description: A required field containing the Vault
|
|
|
+ Role to assume. A Role binds a Kubernetes ServiceAccount
|
|
|
+ with a set of Vault policies.
|
|
|
+ type: string
|
|
|
+ secretRef:
|
|
|
+ description: Optional secret field containing a Kubernetes
|
|
|
+ ServiceAccount JWT used for authenticating with
|
|
|
+ Vault. If a name is specified without a key, `token`
|
|
|
+ is the default. If one is not specified, the one
|
|
|
+ bound to the controller will be used.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ serviceAccountRef:
|
|
|
+ description: Optional service account field containing
|
|
|
+ the name of a kubernetes ServiceAccount. If the
|
|
|
+ service account is specified, the service account
|
|
|
+ secret token JWT will be used for authenticating
|
|
|
+ with Vault. If the service account selector is not
|
|
|
+ supplied, the secretRef will be used instead.
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource
|
|
|
+ being referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - mountPath
|
|
|
+ - role
|
|
|
+ type: object
|
|
|
+ ldap:
|
|
|
+ description: Ldap authenticates with Vault by passing
|
|
|
+ username/password pair using the LDAP authentication
|
|
|
+ method
|
|
|
+ properties:
|
|
|
+ path:
|
|
|
+ default: ldap
|
|
|
+ description: 'Path where the LDAP authentication backend
|
|
|
+ is mounted in Vault, e.g: "ldap"'
|
|
|
+ type: string
|
|
|
+ secretRef:
|
|
|
+ description: SecretRef to a key in a Secret resource
|
|
|
+ containing password for the LDAP user used to authenticate
|
|
|
+ with Vault using the LDAP authentication method
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it
|
|
|
+ may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of
|
|
|
+ the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ username:
|
|
|
+ description: Username is a LDAP user name used to
|
|
|
+ authenticate using the LDAP Vault authentication
|
|
|
+ method
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - path
|
|
|
+ - username
|
|
|
+ type: object
|
|
|
+ tokenSecretRef:
|
|
|
+ description: TokenSecretRef authenticates with Vault by
|
|
|
+ presenting a token.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret resource's
|
|
|
+ `data` field to be used. Some instances of this
|
|
|
+ field may be defaulted, in others it may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
|
+ defaults to the namespace of the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ caBundle:
|
|
|
+ description: PEM encoded CA bundle used to validate Vault
|
|
|
+ server certificate. Only used if the Server URL is using
|
|
|
+ HTTPS protocol. This parameter is ignored for plain HTTP
|
|
|
+ protocol connection. If not set the system root certificates
|
|
|
+ are used to validate the TLS connection.
|
|
|
+ format: byte
|
|
|
+ type: string
|
|
|
+ caProvider:
|
|
|
+ description: The provider for the CA bundle to use to validate
|
|
|
+ Vault server certificate.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key the value inside of the provider
|
|
|
+ type to use, only used with "Secret" type
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the object located at the provider
|
|
|
+ type.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: The namespace the Provider type is in.
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ description: The type of provider to use such as "Secret",
|
|
|
+ or "ConfigMap".
|
|
|
+ enum:
|
|
|
+ - Secret
|
|
|
+ - ConfigMap
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
+ forwardInconsistent:
|
|
|
+ description: ForwardInconsistent tells Vault to forward read-after-write
|
|
|
+ requests to the Vault leader instead of simply retrying
|
|
|
+ within a loop. This can increase performance if the option
|
|
|
+ is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
|
|
|
+ type: boolean
|
|
|
+ namespace:
|
|
|
+ description: 'Name of the vault namespace. Namespaces is a
|
|
|
+ set of features within Vault Enterprise that allows Vault
|
|
|
+ environments to support Secure Multi-tenancy. e.g: "ns1".
|
|
|
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
|
+ type: string
|
|
|
+ path:
|
|
|
+ description: 'Path is the mount path of the Vault KV backend
|
|
|
+ endpoint, e.g: "secret". The v2 KV secret engine version
|
|
|
+ specific "/data" path suffix for fetching secrets from Vault
|
|
|
+ is optional and will be appended if not present in specified
|
|
|
+ path.'
|
|
|
+ type: string
|
|
|
+ readYourWrites:
|
|
|
+ description: ReadYourWrites ensures isolated read-after-write
|
|
|
+ semantics by providing discovered cluster replication states
|
|
|
+ in each request. More information about eventual consistency
|
|
|
+ in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
|
|
|
+ type: boolean
|
|
|
+ server:
|
|
|
+ description: 'Server is the connection address for the Vault
|
|
|
+ server, e.g: "https://vault.example.com:8200".'
|
|
|
+ type: string
|
|
|
+ version:
|
|
|
+ default: v2
|
|
|
+ description: Version is the Vault KV secret engine version.
|
|
|
+ This can be either "v1" or "v2". Version defaults to "v2".
|
|
|
+ enum:
|
|
|
+ - v1
|
|
|
+ - v2
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ - server
|
|
|
+ type: object
|
|
|
+ webhook:
|
|
|
+ description: Webhook configures this store to sync secrets using
|
|
|
+ a generic templated webhook
|
|
|
+ properties:
|
|
|
+ body:
|
|
|
+ description: Body
|
|
|
+ type: string
|
|
|
+ caBundle:
|
|
|
+ description: PEM encoded CA bundle used to validate webhook
|
|
|
+ server certificate. Only used if the Server URL is using
|
|
|
+ HTTPS protocol. This parameter is ignored for plain HTTP
|
|
|
+ protocol connection. If not set the system root certificates
|
|
|
+ are used to validate the TLS connection.
|
|
|
+ format: byte
|
|
|
+ type: string
|
|
|
+ caProvider:
|
|
|
+ description: The provider for the CA bundle to use to validate
|
|
|
+ webhook server certificate.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key the value inside of the provider
|
|
|
+ type to use, only used with "Secret" type
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the object located at the provider
|
|
|
+ type.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: The namespace the Provider type is in.
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ description: The type of provider to use such as "Secret",
|
|
|
+ or "ConfigMap".
|
|
|
+ enum:
|
|
|
+ - Secret
|
|
|
+ - ConfigMap
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
+ headers:
|
|
|
+ additionalProperties:
|
|
|
+ type: string
|
|
|
+ description: Headers
|
|
|
+ type: object
|
|
|
+ method:
|
|
|
+ description: Webhook Method
|
|
|
+ type: string
|
|
|
+ result:
|
|
|
+ description: Result formatting
|
|
|
+ properties:
|
|
|
+ jsonPath:
|
|
|
+ description: Json path of return value
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ secrets:
|
|
|
+ description: Secrets to fill in templates These secrets will
|
|
|
+ be passed to the templating function as key value pairs
|
|
|
+ under the given name
|
|
|
+ items:
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: Name of this secret in templates
|
|
|
+ type: string
|
|
|
+ secretRef:
|
|
|
+ description: Secret ref to fill in credentials
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret
|
|
|
+ resource's `data` field to be used. Some instances
|
|
|
+ of this field may be defaulted, in others it may
|
|
|
+ be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped.
|
|
|
+ cluster-scoped defaults to the namespace of the
|
|
|
+ referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ type: array
|
|
|
+ timeout:
|
|
|
+ description: Timeout
|
|
|
+ type: string
|
|
|
+ url:
|
|
|
+ description: Webhook url to call
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - result
|
|
|
+ - url
|
|
|
+ type: object
|
|
|
+ yandexlockbox:
|
|
|
+ description: YandexLockbox configures this store to sync secrets
|
|
|
+ using Yandex Lockbox provider
|
|
|
+ properties:
|
|
|
+ apiEndpoint:
|
|
|
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
|
|
|
+ type: string
|
|
|
+ auth:
|
|
|
+ description: Auth defines the information necessary to authenticate
|
|
|
+ against Yandex Lockbox
|
|
|
+ properties:
|
|
|
+ authorizedKeySecretRef:
|
|
|
+ description: The authorized key used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret resource's
|
|
|
+ `data` field to be used. Some instances of this
|
|
|
+ field may be defaulted, in others it may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
|
+ defaults to the namespace of the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ caProvider:
|
|
|
+ description: The provider for the CA bundle to use to validate
|
|
|
+ Yandex.Cloud server certificate.
|
|
|
+ properties:
|
|
|
+ certSecretRef:
|
|
|
+ description: A reference to a specific 'key' within a
|
|
|
+ Secret resource, In some instances, `key` is a required
|
|
|
+ field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key of the entry in the Secret resource's
|
|
|
+ `data` field to be used. Some instances of this
|
|
|
+ field may be defaulted, in others it may be required.
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being
|
|
|
+ referred to.
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: Namespace of the resource being referred
|
|
|
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
|
+ defaults to the namespace of the referent.
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ retrySettings:
|
|
|
+ description: Used to configure http retries if failed
|
|
|
+ properties:
|
|
|
+ maxRetries:
|
|
|
+ format: int32
|
|
|
+ type: integer
|
|
|
+ retryInterval:
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - provider
|
|
|
+ type: object
|
|
|
+ status:
|
|
|
+ description: SecretStoreStatus defines the observed state of the SecretStore.
|
|
|
+ properties:
|
|
|
+ conditions:
|
|
|
+ items:
|
|
|
+ properties:
|
|
|
+ lastTransitionTime:
|
|
|
+ format: date-time
|
|
|
+ type: string
|
|
|
+ message:
|
|
|
+ type: string
|
|
|
+ reason:
|
|
|
+ type: string
|
|
|
+ status:
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - status
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
+ type: array
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ served: true
|
|
|
+ storage: false
|
|
|
subresources:
|
|
|
status: {}
|
|
|
status:
|