|
|
@@ -60,7 +60,7 @@ should match snapshot of default values:
|
|
|
description: SecretStoreSpec defines the desired state of SecretStore.
|
|
|
properties:
|
|
|
conditions:
|
|
|
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
|
|
|
+ description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
|
|
|
items:
|
|
|
description: |-
|
|
|
ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
|
|
|
@@ -354,96 +354,6 @@ should match snapshot of default values:
|
|
|
- akeylessGWApiURL
|
|
|
- authSecretRef
|
|
|
type: object
|
|
|
- alibaba:
|
|
|
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
|
|
|
- properties:
|
|
|
- auth:
|
|
|
- description: AlibabaAuth contains a secretRef for credentials.
|
|
|
- properties:
|
|
|
- rrsa:
|
|
|
- description: AlibabaRRSAAuth authenticates against Alibaba using RRSA.
|
|
|
- properties:
|
|
|
- oidcProviderArn:
|
|
|
- type: string
|
|
|
- oidcTokenFilePath:
|
|
|
- type: string
|
|
|
- roleArn:
|
|
|
- type: string
|
|
|
- sessionName:
|
|
|
- type: string
|
|
|
- required:
|
|
|
- - oidcProviderArn
|
|
|
- - oidcTokenFilePath
|
|
|
- - roleArn
|
|
|
- - sessionName
|
|
|
- type: object
|
|
|
- secretRef:
|
|
|
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
|
|
|
- properties:
|
|
|
- accessKeyIDSecretRef:
|
|
|
- description: The AccessKeyID is used for authentication
|
|
|
- properties:
|
|
|
- key:
|
|
|
- description: |-
|
|
|
- A key in the referenced Secret.
|
|
|
- Some instances of this field may be defaulted, in others it may be required.
|
|
|
- maxLength: 253
|
|
|
- minLength: 1
|
|
|
- pattern: ^[-._a-zA-Z0-9]+$
|
|
|
- type: string
|
|
|
- name:
|
|
|
- description: The name of the Secret resource being referred to.
|
|
|
- maxLength: 253
|
|
|
- minLength: 1
|
|
|
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
- type: string
|
|
|
- namespace:
|
|
|
- description: |-
|
|
|
- The namespace of the Secret resource being referred to.
|
|
|
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
- maxLength: 63
|
|
|
- minLength: 1
|
|
|
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
- type: string
|
|
|
- type: object
|
|
|
- accessKeySecretSecretRef:
|
|
|
- description: The AccessKeySecret is used for authentication
|
|
|
- properties:
|
|
|
- key:
|
|
|
- description: |-
|
|
|
- A key in the referenced Secret.
|
|
|
- Some instances of this field may be defaulted, in others it may be required.
|
|
|
- maxLength: 253
|
|
|
- minLength: 1
|
|
|
- pattern: ^[-._a-zA-Z0-9]+$
|
|
|
- type: string
|
|
|
- name:
|
|
|
- description: The name of the Secret resource being referred to.
|
|
|
- maxLength: 253
|
|
|
- minLength: 1
|
|
|
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
- type: string
|
|
|
- namespace:
|
|
|
- description: |-
|
|
|
- The namespace of the Secret resource being referred to.
|
|
|
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
- maxLength: 63
|
|
|
- minLength: 1
|
|
|
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
- type: string
|
|
|
- type: object
|
|
|
- required:
|
|
|
- - accessKeyIDSecretRef
|
|
|
- - accessKeySecretSecretRef
|
|
|
- type: object
|
|
|
- type: object
|
|
|
- regionID:
|
|
|
- description: Alibaba Region to be used for the provider
|
|
|
- type: string
|
|
|
- required:
|
|
|
- - auth
|
|
|
- - regionID
|
|
|
- type: object
|
|
|
aws:
|
|
|
description: AWS configures this store to sync secrets using AWS Secret Manager provider
|
|
|
properties:
|
|
|
@@ -608,7 +518,6 @@ should match snapshot of default values:
|
|
|
ForceDeleteWithoutRecovery in the same call. If you don't use either,
|
|
|
then by default Secrets Manager uses a 30-day recovery window.
|
|
|
see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
type: object
|
|
|
service:
|
|
|
@@ -767,8 +676,11 @@ should match snapshot of default values:
|
|
|
type: string
|
|
|
customCloudConfig:
|
|
|
description: |-
|
|
|
- CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
|
|
|
+ CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
|
|
|
Required when EnvironmentType is AzureStackCloud.
|
|
|
+ Optional for other environment types - useful for Azure China when using Workload Identity
|
|
|
+ with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
|
|
|
+ standard China Cloud endpoint (login.chinacloudapi.cn).
|
|
|
IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
|
|
|
configuration is not supported with the legacy go-autorest SDK.
|
|
|
properties:
|
|
|
@@ -852,6 +764,97 @@ should match snapshot of default values:
|
|
|
required:
|
|
|
- vaultUrl
|
|
|
type: object
|
|
|
+ barbican:
|
|
|
+ description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: BarbicanAuth contains the authentication information for Barbican.
|
|
|
+ properties:
|
|
|
+ password:
|
|
|
+ description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ username:
|
|
|
+ description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
|
|
|
+ maxProperties: 1
|
|
|
+ minProperties: 1
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ value:
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - password
|
|
|
+ - username
|
|
|
+ type: object
|
|
|
+ authURL:
|
|
|
+ type: string
|
|
|
+ domainName:
|
|
|
+ type: string
|
|
|
+ region:
|
|
|
+ type: string
|
|
|
+ tenantName:
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
beyondtrust:
|
|
|
description: Beyondtrust configures this store to sync secrets using Password Safe provider.
|
|
|
properties:
|
|
|
@@ -1034,6 +1037,10 @@ should match snapshot of default values:
|
|
|
clientTimeOutSeconds:
|
|
|
description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
|
|
|
type: integer
|
|
|
+ decrypt:
|
|
|
+ default: true
|
|
|
+ description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
|
|
|
+ type: boolean
|
|
|
retrievalType:
|
|
|
description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
|
|
|
type: string
|
|
|
@@ -1557,60 +1564,59 @@ should match snapshot of default values:
|
|
|
- clientSecret
|
|
|
- tenant
|
|
|
type: object
|
|
|
- device42:
|
|
|
- description: Device42 configures this store to sync secrets using the Device42 provider
|
|
|
+ doppler:
|
|
|
+ description: Doppler configures this store to sync secrets using the Doppler provider
|
|
|
properties:
|
|
|
auth:
|
|
|
- description: Auth configures how secret-manager authenticates with a Device42 instance.
|
|
|
+ description: Auth configures how the Operator authenticates with the Doppler API
|
|
|
properties:
|
|
|
- secretRef:
|
|
|
- description: Device42SecretRef contains the secret reference for accessing the Device42 instance.
|
|
|
+ oidcConfig:
|
|
|
+ description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
|
|
|
properties:
|
|
|
- credentials:
|
|
|
- description: Username / Password is used for authentication.
|
|
|
+ expirationSeconds:
|
|
|
+ default: 600
|
|
|
+ description: |-
|
|
|
+ ExpirationSeconds sets the ServiceAccount token validity duration.
|
|
|
+ Defaults to 10 minutes.
|
|
|
+ format: int64
|
|
|
+ type: integer
|
|
|
+ identity:
|
|
|
+ description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
|
|
|
+ type: string
|
|
|
+ serviceAccountRef:
|
|
|
+ description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
|
|
|
properties:
|
|
|
- key:
|
|
|
+ audiences:
|
|
|
description: |-
|
|
|
- A key in the referenced Secret.
|
|
|
- Some instances of this field may be defaulted, in others it may be required.
|
|
|
- maxLength: 253
|
|
|
- minLength: 1
|
|
|
- pattern: ^[-._a-zA-Z0-9]+$
|
|
|
- type: string
|
|
|
+ Audience specifies the `aud` claim for the service account token
|
|
|
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
|
+ then this audiences will be appended to the list
|
|
|
+ items:
|
|
|
+ type: string
|
|
|
+ type: array
|
|
|
name:
|
|
|
- description: The name of the Secret resource being referred to.
|
|
|
+ description: The name of the ServiceAccount resource being referred to.
|
|
|
maxLength: 253
|
|
|
minLength: 1
|
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
type: string
|
|
|
namespace:
|
|
|
description: |-
|
|
|
- The namespace of the Secret resource being referred to.
|
|
|
+ Namespace of the resource being referred to.
|
|
|
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
maxLength: 63
|
|
|
minLength: 1
|
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
type: object
|
|
|
+ required:
|
|
|
+ - identity
|
|
|
+ - serviceAccountRef
|
|
|
type: object
|
|
|
- required:
|
|
|
- - secretRef
|
|
|
- type: object
|
|
|
- host:
|
|
|
- description: URL configures the Device42 instance URL.
|
|
|
- type: string
|
|
|
- required:
|
|
|
- - auth
|
|
|
- - host
|
|
|
- type: object
|
|
|
- doppler:
|
|
|
- description: Doppler configures this store to sync secrets using the Doppler provider
|
|
|
- properties:
|
|
|
- auth:
|
|
|
- description: Auth configures how the Operator authenticates with the Doppler API
|
|
|
- properties:
|
|
|
secretRef:
|
|
|
- description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API.
|
|
|
+ description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
|
|
|
properties:
|
|
|
dopplerToken:
|
|
|
description: |-
|
|
|
@@ -1644,9 +1650,10 @@ should match snapshot of default values:
|
|
|
required:
|
|
|
- dopplerToken
|
|
|
type: object
|
|
|
- required:
|
|
|
- - secretRef
|
|
|
type: object
|
|
|
+ x-kubernetes-validations:
|
|
|
+ - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
|
|
|
+ rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
|
|
|
config:
|
|
|
description: Doppler config (required if not using a Service Token)
|
|
|
type: string
|
|
|
@@ -1675,6 +1682,87 @@ should match snapshot of default values:
|
|
|
required:
|
|
|
- auth
|
|
|
type: object
|
|
|
+ dvls:
|
|
|
+ description: DVLS configures this store to sync secrets using Devolutions Server provider
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Auth defines the authentication method to use.
|
|
|
+ properties:
|
|
|
+ secretRef:
|
|
|
+ description: SecretRef contains the Application ID and Application Secret for authentication.
|
|
|
+ properties:
|
|
|
+ appId:
|
|
|
+ description: AppID is the reference to the secret containing the Application ID.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ appSecret:
|
|
|
+ description: AppSecret is the reference to the secret containing the Application Secret.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - appId
|
|
|
+ - appSecret
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - secretRef
|
|
|
+ type: object
|
|
|
+ insecure:
|
|
|
+ description: |-
|
|
|
+ Insecure allows connecting to DVLS over plain HTTP.
|
|
|
+ This is NOT RECOMMENDED for production use.
|
|
|
+ Set to true only if you understand the security implications.
|
|
|
+ type: boolean
|
|
|
+ serverUrl:
|
|
|
+ description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ - serverUrl
|
|
|
+ type: object
|
|
|
fake:
|
|
|
description: Fake configures a store with static key/value pairs
|
|
|
properties:
|
|
|
@@ -1953,12 +2041,11 @@ should match snapshot of default values:
|
|
|
type: object
|
|
|
github:
|
|
|
description: |-
|
|
|
- Github configures this store to push GitHub Action secrets using GitHub API provider.
|
|
|
+ Github configures this store to push GitHub Actions secrets using the GitHub API provider.
|
|
|
Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
|
|
|
properties:
|
|
|
appID:
|
|
|
description: appID specifies the Github APP that will be used to authenticate the client
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
auth:
|
|
|
description: auth configures how secret-manager authenticates with a Github instance.
|
|
|
@@ -1999,8 +2086,17 @@ should match snapshot of default values:
|
|
|
type: string
|
|
|
installationID:
|
|
|
description: installationID specifies the Github APP installation that will be used to authenticate the client
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
+ orgSecretVisibility:
|
|
|
+ description: |-
|
|
|
+ orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
|
|
|
+ Valid values are "all" or "private".
|
|
|
+ When unset, new secrets are created with visibility "all" and existing secrets preserve
|
|
|
+ whatever visibility they already have in GitHub.
|
|
|
+ enum:
|
|
|
+ - all
|
|
|
+ - private
|
|
|
+ type: string
|
|
|
organization:
|
|
|
description: organization will be used to fetch secrets from the Github organization
|
|
|
type: string
|
|
|
@@ -2901,6 +2997,48 @@ should match snapshot of default values:
|
|
|
- clientSecret
|
|
|
type: object
|
|
|
type: object
|
|
|
+ caBundle:
|
|
|
+ description: |-
|
|
|
+ CABundle is a PEM-encoded CA certificate bundle used to validate
|
|
|
+ the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
|
|
|
+ format: byte
|
|
|
+ type: string
|
|
|
+ caProvider:
|
|
|
+ description: |-
|
|
|
+ CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
|
|
|
+ The certificate is used to validate the Infisical server's TLS certificate.
|
|
|
+ Mutually exclusive with CABundle.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the object located at the provider type.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace the Provider type is in.
|
|
|
+ Can only be defined when used in a ClusterSecretStore.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ description: The type of provider to use such as "Secret", or "ConfigMap".
|
|
|
+ enum:
|
|
|
+ - Secret
|
|
|
+ - ConfigMap
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
hostAPI:
|
|
|
default: https://app.infisical.com/api
|
|
|
description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
|
|
|
@@ -3179,6 +3317,120 @@ should match snapshot of default values:
|
|
|
type: string
|
|
|
type: object
|
|
|
type: object
|
|
|
+ nebiusmysterybox:
|
|
|
+ description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
|
|
|
+ properties:
|
|
|
+ apiDomain:
|
|
|
+ description: NebiusMysterybox API endpoint
|
|
|
+ type: string
|
|
|
+ auth:
|
|
|
+ description: Auth defines parameters to authenticate in MysteryBox
|
|
|
+ properties:
|
|
|
+ serviceAccountCredsSecretRef:
|
|
|
+ description: |-
|
|
|
+ ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
|
|
|
+ document with service account credentials used to get an IAM token.
|
|
|
+
|
|
|
+ Expected JSON structure:
|
|
|
+ {
|
|
|
+ "subject-credentials": {
|
|
|
+ "alg": "RS256",
|
|
|
+ "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
|
|
|
+ "kid": "<public-key-id>",
|
|
|
+ "iss": "<issuer-service-account-id>",
|
|
|
+ "sub": "<subject-service-account-id>"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ tokenSecretRef:
|
|
|
+ description: Token authenticates with Nebius Mysterybox by presenting a token.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ x-kubernetes-validations:
|
|
|
+ - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
|
|
|
+ rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
|
|
|
+ caProvider:
|
|
|
+ description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
|
|
|
+ properties:
|
|
|
+ certSecretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - apiDomain
|
|
|
+ - auth
|
|
|
+ type: object
|
|
|
ngrok:
|
|
|
description: Ngrok configures this store to sync secrets using the ngrok provider.
|
|
|
properties:
|
|
|
@@ -3406,6 +3658,28 @@ should match snapshot of default values:
|
|
|
required:
|
|
|
- serviceAccountSecretRef
|
|
|
type: object
|
|
|
+ cache:
|
|
|
+ description: |-
|
|
|
+ Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
|
|
|
+ When enabled, secrets are cached with the specified TTL.
|
|
|
+ Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
|
|
|
+ If omitted, caching is disabled (default).
|
|
|
+ cache: {} is a valid option to set.
|
|
|
+ properties:
|
|
|
+ maxSize:
|
|
|
+ default: 100
|
|
|
+ description: |-
|
|
|
+ MaxSize is the maximum number of secrets to cache.
|
|
|
+ When the cache is full, least-recently-used entries are evicted.
|
|
|
+ minimum: 1
|
|
|
+ type: integer
|
|
|
+ ttl:
|
|
|
+ default: 5m
|
|
|
+ description: |-
|
|
|
+ TTL is the time-to-live for cached secrets.
|
|
|
+ Format: duration string (e.g., "5m", "1h", "30s")
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
integrationInfo:
|
|
|
description: |-
|
|
|
IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
|
|
|
@@ -3566,6 +3840,168 @@ should match snapshot of default values:
|
|
|
- region
|
|
|
- vault
|
|
|
type: object
|
|
|
+ ovh:
|
|
|
+ description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
|
|
|
+ properties:
|
|
|
+ auth:
|
|
|
+ description: Authentication method (mtls or token).
|
|
|
+ properties:
|
|
|
+ mtls:
|
|
|
+ description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
|
|
|
+ properties:
|
|
|
+ caBundle:
|
|
|
+ format: byte
|
|
|
+ type: string
|
|
|
+ caProvider:
|
|
|
+ description: |-
|
|
|
+ CAProvider provides a custom certificate authority for accessing the provider's store.
|
|
|
+ The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the object located at the provider type.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace the Provider type is in.
|
|
|
+ Can only be defined when used in a ClusterSecretStore.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type:
|
|
|
+ description: The type of provider to use such as "Secret", or "ConfigMap".
|
|
|
+ enum:
|
|
|
+ - Secret
|
|
|
+ - ConfigMap
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ - type
|
|
|
+ type: object
|
|
|
+ certSecretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ keySecretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - certSecretRef
|
|
|
+ - keySecretRef
|
|
|
+ type: object
|
|
|
+ token:
|
|
|
+ description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
|
|
|
+ properties:
|
|
|
+ tokenSecretRef:
|
|
|
+ description: |-
|
|
|
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
|
|
|
+ In some instances, `key` is a required field.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: |-
|
|
|
+ A key in the referenced Secret.
|
|
|
+ Some instances of this field may be defaulted, in others it may be required.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: The name of the Secret resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ The namespace of the Secret resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ type: object
|
|
|
+ required:
|
|
|
+ - tokenSecretRef
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
+ casRequired:
|
|
|
+ description: 'Enables or disables check-and-set (CAS) (default: false).'
|
|
|
+ type: boolean
|
|
|
+ okmsTimeout:
|
|
|
+ default: 30
|
|
|
+ description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
|
|
|
+ format: int32
|
|
|
+ minimum: 1
|
|
|
+ type: integer
|
|
|
+ okmsid:
|
|
|
+ description: specifies the OKMS ID.
|
|
|
+ type: string
|
|
|
+ server:
|
|
|
+ description: specifies the OKMS server endpoint.
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - auth
|
|
|
+ - okmsid
|
|
|
+ - server
|
|
|
+ type: object
|
|
|
passbolt:
|
|
|
description: |-
|
|
|
PassboltProvider provides access to Passbolt secrets manager.
|
|
|
@@ -3794,7 +4230,7 @@ should match snapshot of default values:
|
|
|
- project
|
|
|
type: object
|
|
|
scaleway:
|
|
|
- description: Scaleway
|
|
|
+ description: Scaleway configures this store to sync secrets using the Scaleway provider.
|
|
|
properties:
|
|
|
accessKey:
|
|
|
description: AccessKey is the non-secret part of the api key.
|
|
|
@@ -4057,7 +4493,7 @@ should match snapshot of default values:
|
|
|
- url
|
|
|
type: object
|
|
|
vault:
|
|
|
- description: Vault configures this store to sync secrets using Hashi provider
|
|
|
+ description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
|
|
|
properties:
|
|
|
auth:
|
|
|
description: Auth configures how secret-manager authenticates with the Vault server.
|
|
|
@@ -4209,6 +4645,9 @@ should match snapshot of default values:
|
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
type: string
|
|
|
type: object
|
|
|
+ vaultRole:
|
|
|
+ description: VaultRole specifies the Vault role to use for TLS certificate authentication.
|
|
|
+ type: string
|
|
|
type: object
|
|
|
gcp:
|
|
|
description: |-
|
|
|
@@ -4496,6 +4935,7 @@ should match snapshot of default values:
|
|
|
Optional audiences field that will be used to request a temporary Kubernetes service
|
|
|
account token for the service account referenced by `serviceAccountRef`.
|
|
|
Defaults to a single audience `vault` it not specified.
|
|
|
+
|
|
|
Deprecated: use serviceAccountRef.Audiences instead
|
|
|
items:
|
|
|
type: string
|
|
|
@@ -4505,9 +4945,9 @@ should match snapshot of default values:
|
|
|
Optional expiration time in seconds that will be used to request a temporary
|
|
|
Kubernetes service account token for the service account referenced by
|
|
|
`serviceAccountRef`.
|
|
|
+
|
|
|
Deprecated: this will be removed in the future.
|
|
|
Defaults to 10 minutes.
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
serviceAccountRef:
|
|
|
description: Service account field containing the name of a kubernetes ServiceAccount.
|
|
|
@@ -5426,10 +5866,9 @@ should match snapshot of default values:
|
|
|
description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
|
|
|
type: integer
|
|
|
retrySettings:
|
|
|
- description: Used to configure http retries if failed
|
|
|
+ description: Used to configure HTTP retries on failures.
|
|
|
properties:
|
|
|
maxRetries:
|
|
|
- format: int32
|
|
|
type: integer
|
|
|
retryInterval:
|
|
|
type: string
|
|
|
@@ -5510,7 +5949,7 @@ should match snapshot of default values:
|
|
|
description: SecretStoreSpec defines the desired state of SecretStore.
|
|
|
properties:
|
|
|
conditions:
|
|
|
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
|
|
|
+ description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
|
|
|
items:
|
|
|
description: |-
|
|
|
ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
|
|
|
@@ -6058,7 +6497,6 @@ should match snapshot of default values:
|
|
|
ForceDeleteWithoutRecovery in the same call. If you don't use either,
|
|
|
then by default Secrets Manager uses a 30 day recovery window.
|
|
|
see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
type: object
|
|
|
service:
|
|
|
@@ -6450,6 +6888,10 @@ should match snapshot of default values:
|
|
|
clientTimeOutSeconds:
|
|
|
description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
|
|
|
type: integer
|
|
|
+ decrypt:
|
|
|
+ default: true
|
|
|
+ description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
|
|
|
+ type: boolean
|
|
|
retrievalType:
|
|
|
description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
|
|
|
type: string
|
|
|
@@ -7243,11 +7685,10 @@ should match snapshot of default values:
|
|
|
type: string
|
|
|
type: object
|
|
|
github:
|
|
|
- description: Github configures this store to push Github Action secrets using Github API provider
|
|
|
+ description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
|
|
|
properties:
|
|
|
appID:
|
|
|
description: appID specifies the Github APP that will be used to authenticate the client
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
auth:
|
|
|
description: auth configures how secret-manager authenticates with a Github instance.
|
|
|
@@ -7288,7 +7729,6 @@ should match snapshot of default values:
|
|
|
type: string
|
|
|
installationID:
|
|
|
description: installationID specifies the Github APP installation that will be used to authenticate the client
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
organization:
|
|
|
description: organization will be used to fetch secrets from the Github organization
|
|
|
@@ -8311,7 +8751,7 @@ should match snapshot of default values:
|
|
|
- project
|
|
|
type: object
|
|
|
scaleway:
|
|
|
- description: Scaleway
|
|
|
+ description: Scaleway configures this store to sync secrets using the Scaleway provider.
|
|
|
properties:
|
|
|
accessKey:
|
|
|
description: AccessKey is the non-secret part of the api key.
|
|
|
@@ -8531,7 +8971,7 @@ should match snapshot of default values:
|
|
|
- url
|
|
|
type: object
|
|
|
vault:
|
|
|
- description: Vault configures this store to sync secrets using Hashi provider
|
|
|
+ description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
|
|
|
properties:
|
|
|
auth:
|
|
|
description: Auth configures how secret-manager authenticates with the Vault server.
|
|
|
@@ -8836,6 +9276,7 @@ should match snapshot of default values:
|
|
|
Optional audiences field that will be used to request a temporary Kubernetes service
|
|
|
account token for the service account referenced by `serviceAccountRef`.
|
|
|
Defaults to a single audience `vault` it not specified.
|
|
|
+
|
|
|
Deprecated: use serviceAccountRef.Audiences instead
|
|
|
items:
|
|
|
type: string
|
|
|
@@ -8845,9 +9286,9 @@ should match snapshot of default values:
|
|
|
Optional expiration time in seconds that will be used to request a temporary
|
|
|
Kubernetes service account token for the service account referenced by
|
|
|
`serviceAccountRef`.
|
|
|
+
|
|
|
Deprecated: this will be removed in the future.
|
|
|
Defaults to 10 minutes.
|
|
|
- format: int64
|
|
|
type: integer
|
|
|
serviceAccountRef:
|
|
|
description: Service account field containing the name of a kubernetes ServiceAccount.
|
|
|
@@ -9617,7 +10058,7 @@ should match snapshot of default values:
|
|
|
description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
|
|
|
type: integer
|
|
|
retrySettings:
|
|
|
- description: Used to configure http retries if failed
|
|
|
+ description: Used to configure HTTP retries on failures.
|
|
|
properties:
|
|
|
maxRetries:
|
|
|
description: MaxRetries is the maximum number of retry attempts.
|
Moritz Johner