@@ -0,0 +1,324 @@
|
|
|
+apiVersion: apiextensions.k8s.io/v1
|
|
|
+kind: CustomResourceDefinition
|
|
|
+metadata:
|
|
|
+ annotations:
|
|
|
+ controller-gen.kubebuilder.io/version: v0.19.0
|
|
|
+ name: secretmanagers.provider.external-secrets.io
|
|
|
+spec:
|
|
|
+ group: provider.external-secrets.io
|
|
|
+ names:
|
|
|
+ categories:
|
|
|
+ - external-secrets
|
|
|
+ kind: SecretManager
|
|
|
+ listKind: SecretManagerList
|
|
|
+ plural: secretmanagers
|
|
|
+ shortNames:
|
|
|
+ - gcpsm
|
|
|
+ singular: secretmanager
|
|
|
+ scope: Namespaced
|
|
|
+ versions:
|
|
|
+ - name: v2alpha1
|
|
|
+ schema:
|
|
|
+ openAPIV3Schema:
|
|
|
+ description: SecretManager is the Schema for GCP Secret Manager provider configuration.
|
|
|
+ properties:
|
|
|
+ apiVersion:
|
|
|
+ description: |-
|
|
|
+ APIVersion defines the versioned schema of this representation of an object.
|
|
|
+ Servers should convert recognized schemas to the latest internal value, and
|
|
|
+ may reject unrecognized values.
|
|
|
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
|
+ type: string
|
|
|
+ kind:
|
|
|
+ description: |-
|
|
|
+ Kind is a string value representing the REST resource this object represents.
|
|
|
+ Servers may infer this from the endpoint the client submits requests to.
|
|
|
+ Cannot be updated.
|
|
|
+ In CamelCase.
|
|
|
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
|
+ type: string
|
|
|
+ metadata:
|
|
|
+ type: object
|
|
|
+ spec:
|
|
|
+ description: SecretManagerSpec defines the desired state of SecretManager.
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: GCPSMAuth defines the authentication methods for Google
|
|
|
+ Cloud Platform Secret Manager.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: GCPSMAuthSecretRef contains the secret references
|
|
|
+ for GCP Secret Manager authentication.
|
|
|
+ properties:
|
|
|
+ secretAccessKeySecretRef:
|
|
|
+ description: The SecretAccessKey is used for authentication
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred
|
|
|
+ to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ workloadIdentity:
|
|
|
+ description: GCPWorkloadIdentity defines configuration for workload
|
|
|
+ identity authentication to GCP.
|
|
|
+ properties:
|
|
|
+ clusterLocation:
|
|
|
+ description: |-
|
|
|
+ ClusterLocation is the location of the cluster
|
|
|
+ If not specified, it fetches information from the metadata server
|
|
|
+ type: string
|
|
|
+ clusterName:
|
|
|
+ description: |-
|
|
|
+ ClusterName is the name of the cluster
|
|
|
+ If not specified, it fetches information from the metadata server
|
|
|
+ type: string
|
|
|
+ clusterProjectID:
|
|
|
+ description: |-
|
|
|
+ ClusterProjectID is the project ID of the cluster
|
|
|
+ If not specified, it fetches information from the metadata server
|
|
|
+ type: string
|
|
|
+ serviceAccountRef:
|
|
|
+ description: ServiceAccountSelector is a reference to a ServiceAccount
|
|
|
+ resource.
|
|
|
+ properties:
|
|
|
+ audiences:
|
|
|
+ description: |-
|
|
|
+ Audience specifies the `aud` claim for the service account token
|
|
|
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
|
+ then this audiences will be appended to the list
|
|
|
+ items:
|
|
|
+ type: string
|
|
|
+ type: array
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource being
|
|
|
+ referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ Namespace of the resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - serviceAccountRef
|
|
|
+ type: object
|
|
|
+ workloadIdentityFederation:
|
|
|
+ description: GCPWorkloadIdentityFederation holds the configurations
|
|
|
+ required for generating federated access tokens.
|
|
|
+ properties:
|
|
|
+ audience:
|
|
|
+ description: |-
|
|
|
+ audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
|
|
|
+ If specified, Audience found in the external account credential config will be overridden with the configured value.
|
|
|
+ audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
|
|
|
+ type: string
|
|
|
+ awsSecurityCredentials:
|
|
|
+ description: |-
|
|
|
+ awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
|
|
|
+ when using the AWS metadata server is not an option.
|
|
|
+ properties:
|
|
|
+ awsCredentialsSecretRef:
|
|
|
+ description: |-
|
|
|
+ awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
|
|
|
+ Secret should be created with below names for keys
|
|
|
+ - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
|
|
|
+ - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
|
|
|
+ - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: name of the secret.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: namespace in which the secret exists.
|
|
|
+ If empty, secret will looked up in local namespace.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ region:
|
|
|
+ description: region is for configuring the AWS region
|
|
|
+ to be used.
|
|
|
+ example: ap-south-1
|
|
|
+ maxLength: 50
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9-]+$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - awsCredentialsSecretRef
|
|
|
+ - region
|
|
|
+ type: object
|
|
|
+ credConfig:
|
|
|
+ description: |-
|
|
|
+ credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
|
|
|
+ For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
|
|
|
+ serviceAccountRef must be used by providing operators service account details.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: key name holding the external account credential
|
|
|
+ config.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: name of the configmap.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: namespace in which the configmap exists.
|
|
|
+ If empty, configmap will looked up in local namespace.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - key
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ externalTokenEndpoint:
|
|
|
+ description: |-
|
|
|
+ externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
|
|
|
+ credential_source.url in the provided credConfig. This field is merely to double-check the external token source
|
|
|
+ URL is having the expected value.
|
|
|
+ type: string
|
|
|
+ serviceAccountRef:
|
|
|
+ description: |-
|
|
|
+ serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
|
|
|
+ when Kubernetes is configured as provider in workload identity pool.
|
|
|
+ properties:
|
|
|
+ audiences:
|
|
|
+ description: |-
|
|
|
+ Audience specifies the `aud` claim for the service account token
|
|
|
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
|
+ then this audiences will be appended to the list
|
|
|
+ items:
|
|
|
+ type: string
|
|
|
+ type: array
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource being
|
|
|
+ referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ Namespace of the resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ location:
|
|
|
+ type: string
|
|
|
+ projectID:
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ status:
|
|
|
+ description: SecretManagerStatus defines the observed state of SecretManager.
|
|
|
+ properties:
|
|
|
+ conditions:
|
|
|
+ description: Conditions represent the latest available observations
|
|
|
+ of the resource's state.
|
|
|
+ items:
|
|
|
+ description: Condition contains details for one aspect of the current
|
|
|
+ state of this API Resource.
|
|
|
+ properties:
|
|
|
+ lastTransitionTime:
|
|
|
+ description: |-
|
|
|
+ lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
|
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
|
+ format: date-time
|
|
|
+ type: string
|
|
|
+ message:
|
|
|
+ description: |-
|
|
|
+ message is a human readable message indicating details about the transition.
|
|
|
+ This may be an empty string.
|
|
|
+ maxLength: 32768
|
|
|
+ type: string
|
|
|
+ observedGeneration:
|
|
|
+ description: |-
|
|
|
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
|
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
|
+ with respect to the current state of the instance.
|
|
|
+ format: int64
|
|
|
+ minimum: 0
|
|
|
+ type: integer
|
|
|
+ reason:
|
|
|
+ description: |-
|
|
|
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
|
+ Producers of specific condition types may define expected values and meanings for this field,
|
|
|
+ and whether the values are considered a guaranteed API.
|
|
|
+ The value should be a CamelCase string.
|
|
|
+ This field may not be empty.
|
|
|
+ maxLength: 1024
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
|
+ type: string
|
|
|
+ status:
|
|
|
+ description: status of the condition, one of True, False, Unknown.
|
|
|
+ enum:
|
|
|
+ - "True"
|
|
|
+ - "False"
|
|
|
+ - Unknown
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
|
+ maxLength: 316
|
|
|
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - lastTransitionTime
|
|
|
+ - message
|
|
|
+ - reason
|
|
|
+ - status
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
+ type: array
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ served: true
|
|
|
+ storage: true
|
|
|
+ subresources:
|
|
|
+ status: {}