apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 labels: external-secrets.io/component: controller name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - external-secrets - external-secrets-generators kind: BeyondtrustWorkloadCredentialsDynamicSecret listKind: BeyondtrustWorkloadCredentialsDynamicSecretList plural: beyondtrustworkloadcredentialsdynamicsecrets singular: beyondtrustworkloadcredentialsdynamicsecret scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: |- BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials (such as AWS STS credentials) each time an ExternalSecret is refreshed. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: |- BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api properties: controller: description: |- Controller selects the controller that should handle this generator. Leave empty to use the default controller. type: string provider: description: |- Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication, server connection details, and the folder path to the dynamic secret definition. The folderPath should point to a dynamic secret definition that has been created in BeyondTrust Workload Credentials (e.g., "production/aws-temp"). For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api properties: auth: description: |- Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. Currently supports API key authentication via Kubernetes secret reference. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication properties: apikey: description: |- APIKey configures API token authentication for BeyondTrust Workload Credentials. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. properties: token: description: |- Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication properties: key: description: |- A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required. maxLength: 253 minLength: 1 pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: The name of the Secret resource being referred to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string namespace: description: |- The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string type: object required: - token type: object required: - apikey type: object caBundle: description: |- CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. If not set, the system's trusted root certificates are used. format: byte type: string caProvider: description: |- CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. This is used to validate the BeyondTrust Workload Credentials API TLS certificate. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. maxLength: 253 minLength: 1 pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: The name of the object located at the provider type. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string namespace: description: |- The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". enum: - Secret - ConfigMap type: string required: - name - type type: object folderPath: description: |- FolderPath specifies the default folder path for secret retrieval. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. Example: "production/database" or "dev/api-keys" Leave empty to retrieve secrets from the root folder. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders type: string server: description: |- Server configures the BeyondTrust Workload Credentials server connection details. Includes the API URL and Site ID for your BeyondTrust instance. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api properties: apiUrl: description: |- APIURL is the base URL of your BeyondTrust Workload Credentials API server. This should be the full URL to your BeyondTrust instance. Example: https://api.beyondtrust.io/siie For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url type: string siteId: description: |- SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). This identifier is unique to your BeyondTrust Workload Credentials instance. You can find your Site ID in the BeyondTrust Workload Credentials admin console. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api type: string required: - apiUrl - siteId type: object required: - auth - server type: object retrySettings: description: |- RetrySettings configures exponential backoff for failed API requests. If not specified, uses the default retry settings. properties: maxRetries: format: int32 type: integer retryInterval: type: string type: object required: - provider type: object type: object served: true storage: true subresources: status: {}