|
|
@@ -4,7 +4,7 @@ should match snapshot of default values:
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
annotations:
|
|
|
- controller-gen.kubebuilder.io/version: v0.18.0
|
|
|
+ controller-gen.kubebuilder.io/version: v0.19.0
|
|
|
labels:
|
|
|
external-secrets.io/component: controller
|
|
|
name: secretstores.external-secrets.io
|
|
|
@@ -762,18 +762,44 @@ should match snapshot of default values:
|
|
|
- ManagedIdentity
|
|
|
- WorkloadIdentity
|
|
|
type: string
|
|
|
+ customCloudConfig:
|
|
|
+ description: |-
|
|
|
+ CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
|
|
|
+ Required when EnvironmentType is AzureStackCloud.
|
|
|
+ IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
|
|
|
+ configuration is not supported with the legacy go-autorest SDK.
|
|
|
+ properties:
|
|
|
+ activeDirectoryEndpoint:
|
|
|
+ description: |-
|
|
|
+ ActiveDirectoryEndpoint is the AAD endpoint for authentication
|
|
|
+ Required when using custom cloud configuration
|
|
|
+ type: string
|
|
|
+ keyVaultDNSSuffix:
|
|
|
+ description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
|
|
|
+ type: string
|
|
|
+ keyVaultEndpoint:
|
|
|
+ description: KeyVaultEndpoint is the Key Vault service endpoint
|
|
|
+ type: string
|
|
|
+ resourceManagerEndpoint:
|
|
|
+ description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - activeDirectoryEndpoint
|
|
|
+ type: object
|
|
|
environmentType:
|
|
|
default: PublicCloud
|
|
|
description: |-
|
|
|
EnvironmentType specifies the Azure cloud environment endpoints to use for
|
|
|
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
|
|
|
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
|
|
|
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
|
|
|
+ PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
|
|
|
+ Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
|
|
|
enum:
|
|
|
- PublicCloud
|
|
|
- USGovernmentCloud
|
|
|
- ChinaCloud
|
|
|
- GermanCloud
|
|
|
+ - AzureStackCloud
|
|
|
type: string
|
|
|
identityId:
|
|
|
description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
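Review bot: The three `*Endpoint` fields under `customCloudConfig` (`activeDirectoryEndpoint`, `keyVaultEndpoint`, `resourceManagerEndpoint`) are bare `type: string` with no scheme or format constraint, so a store author can point the token exchange and Key Vault traffic at any URL, including plain `http://`, and the credentials the controller holds for that store go wherever the CR says. Since this CRD is generated by controller-gen the fix belongs on the Go type as `// +kubebuilder:validation:Pattern=`^https://``, which lands here as `pattern: ^https://` under each endpoint field (not under `keyVaultDNSSuffix`, which is a suffix rather than a URL). The description's two preconditions, `Required when EnvironmentType is AzureStackCloud` and `REQUIRES UseAzureSDK to be set to true`, are not expressed in the schema, so a misconfigured store is only caught at reconcile time if the controller checks at all; both could be enforced on the enclosing auth object, which closes outside this hunk, with CEL rules such as `rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"` and `rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"`. The `environmentType` description also still links to go-autorest's environments.go even though AzureStackCloud is only usable with the new SDK, which is worth a sentence there.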
|
|
|
@@ -811,6 +837,12 @@ should match snapshot of default values:
|
|
|
tenantId:
|
|
|
description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
|
|
|
type: string
|
|
|
+ useAzureSDK:
|
|
|
+ default: false
|
|
|
+ description: |-
|
|
|
+ UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
|
|
|
+ This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
|
|
|
+ type: boolean
|
|
|
vaultUrl:
|
|
|
description: Vault Url from which the secrets to be fetched from.
|
|
|
type: string
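Review bot: `useAzureSDK` switches the whole authentication and Key Vault client path for a store, but its description says nothing about `customCloudConfig` even though the new `customCloudConfig` description in this CRD states it requires `true`, and a reader of this field alone cannot tell whether a store with `customCloudConfig` and the default `false` is rejected or silently falls back to the built-in cloud endpoints. That distinction matters because a silent fallback would send the store's credentials to a different AAD endpoint than the author configured. Suggested sentence appended to the description: `Must be true when customCloudConfig is set; custom cloud endpoints are not supported with the legacy SDK and such a store is rejected.` (adjust the last clause to the controller's actual behavior, which is not visible from this hunk). The parent object that could carry a CEL rule tying the two fields together also closes outside this hunk.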
|
|
|
@@ -1780,6 +1812,119 @@ should match snapshot of default values:
|
|
|
required:
|
|
|
- serviceAccountRef
|
|
|
type: object
|
|
|
+ workloadIdentityFederation:
|
|
|
+ description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
|
|
|
+ properties:
|
|
|
+ audience:
|
|
|
+ description: |-
|
|
|
+ audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
|
|
|
+ If specified, Audience found in the external account credential config will be overridden with the configured value.
|
|
|
+ audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
|
|
|
+ type: string
|
|
|
+ awsSecurityCredentials:
|
|
|
+ description: |-
|
|
|
+ awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
|
|
|
+ when using the AWS metadata server is not an option.
|
|
|
+ properties:
|
|
|
+ awsCredentialsSecretRef:
|
|
|
+ description: |-
|
|
|
+ awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
|
|
|
+ Secret should be created with below names for keys
|
|
|
+ - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
|
|
|
+ - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
|
|
|
+ - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
|
|
|
+ properties:
|
|
|
+ name:
|
|
|
+ description: name of the secret.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ region:
|
|
|
+ description: region is for configuring the AWS region to be used.
|
|
|
+ example: ap-south-1
|
|
|
+ maxLength: 50
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9-]+$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - awsCredentialsSecretRef
|
|
|
+ - region
|
|
|
+ type: object
|
|
|
+ credConfig:
|
|
|
+ description: |-
|
|
|
+ credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
|
|
|
+ For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
|
|
|
+ serviceAccountRef must be used by providing operators service account details.
|
|
|
+ properties:
|
|
|
+ key:
|
|
|
+ description: key name holding the external account credential config.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[-._a-zA-Z0-9]+$
|
|
|
+ type: string
|
|
|
+ name:
|
|
|
+ description: name of the configmap.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - key
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ externalTokenEndpoint:
|
|
|
+ description: |-
|
|
|
+ externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
|
|
|
+ credential_source.url in the provided credConfig. This field is merely to double-check the external token source
|
|
|
+ URL is having the expected value.
|
|
|
+ type: string
|
|
|
+ serviceAccountRef:
|
|
|
+ description: |-
|
|
|
+ serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
|
|
|
+ when Kubernetes is configured as provider in workload identity pool.
|
|
|
+ properties:
|
|
|
+ audiences:
|
|
|
+ description: |-
|
|
|
+ Audience specifies the `aud` claim for the service account token
|
|
|
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
|
+ then this audiences will be appended to the list
|
|
|
+ items:
|
|
|
+ type: string
|
|
|
+ type: array
|
|
|
+ name:
|
|
|
+ description: The name of the ServiceAccount resource being referred to.
|
|
|
+ maxLength: 253
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
+ type: string
|
|
|
+ namespace:
|
|
|
+ description: |-
|
|
|
+ Namespace of the resource being referred to.
|
|
|
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
|
|
|
+ maxLength: 63
|
|
|
+ minLength: 1
|
|
|
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
+ type: string
|
|
|
+ required:
|
|
|
+ - name
|
|
|
+ type: object
|
|
|
+ type: object
|
|
|
type: object
|
|
|
location:
|
|
|
description: Location optionally defines a location for a secret
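Review bot: `credConfig` accepts any external-account credential JSON from a ConfigMap, and its description does not say which `credential_source` kinds the controller honors; the Google external-account format also allows `file` and `executable` sources, which if passed through unfiltered would let a store author read files from or run a binary inside the controller pod. The description should state that only a `url` source is accepted, which is what the `externalTokenEndpoint` text implies by comparing against `credential_source.url`, or say what the controller does with other kinds; the controller code is outside this hunk, so confirm before wording it. Separately, `awsCredentialsSecretRef.namespace` and `credConfig.namespace` say `If empty, ... will looked up in local namespace` but, unlike `serviceAccountRef.namespace` with its `Ignored if referent is not cluster-scoped`, they do not say whether a cross-namespace reference is honored for a namespaced SecretStore; add the same sentence to both (and fix `will looked up` to `will be looked up`) so the reach of a namespaced store into other namespaces' Secrets is documented.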
|
|
|
@@ -3642,6 +3787,9 @@ should match snapshot of default values:
|
|
|
SecretServer configures this store to sync secrets using SecretServer provider
|
|
|
https://docs.delinea.com/online-help/secret-server/start.htm
|
|
|
properties:
|
|
|
+ domain:
|
|
|
+ description: Domain is the secret server domain.
|
|
|
+ type: string
|
|
|
password:
|
|
|
description: Password is the secret server account password.
|
|
|
properties:
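Review bot: The new `domain` description, `Domain is the secret server domain.`, does not say what the value is used for, so a reader cannot tell whether it is the Windows/Active Directory domain sent with the username for domain-account authentication or part of the server address; the sibling `password` description at least names the account it belongs to. Suggest `Domain is the Windows/Active Directory domain of the Secret Server account, sent alongside username and password for domain authentication; leave empty for local accounts.` if that is how the provider uses it, which should be confirmed against the provider code outside this hunk.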
|