bundle.yaml 1.8 MB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483648464856486648764886489649064916492649364946495649664976498649965006501650265036504650565066507650865096510651165126513651465156516651765186519652065216522652365246525652665276528652965306531653265336534653565366537653865396540654165426543654465456546654765486549655065516552655365546555655665576558655965606561656265636564656565666567656865696570657165726573657465756576657765786579658065816582658365846585658665876588658965906591659265936594659565966597659865996600660166026603660466056606660766086609661066116612661366146615661666176618661966206621662266236624662566266627662866296630663166326633663466356636663766386639664066416642664366446645664666476648664966506651665266536654665566566657665866596660666166626663666466656666666766686669667066716672667366746675667666776678667966806681668266836684668566866687668866896690669166926693669466956696669766986699670067016702670367046705670667076708670967106711671267136714671567166717671867196720672167226723672467256726672767286729673067316732673367346735673667376738673967406741674267436744674567466747674867496750675167526753675467556756675767586759676067616762676367646765676667676768676967706771677267736774677567766777677867796780678167826783678467856786678767886789679067916792679367946795679667976798679968006801680268036804680568066807680868096810681168126813681468156816681768186819682068216822682368246825682668276828682968306831683268336834683568366837683868396840684168426843684468456846684768486849685068516852685368546855685668576858685968606861686268636864686568666867686868696870687168726873687468756876687768786879688068816882688368846885688668876888688968906891689268936894689568966897689868996900690169026903690469056906690769086909691069116912691369146915691669176918691969206921692269236924692569266927692869296930693169326933693469356936693769386939694069416942694369446945694669476948694969506951695269536954695569566957695869596960696169626963696469656966696769686969697069716972697369746975697669776978697969806981698269836984698569866987698869896990699169926993699469956996699769986999700070017002700370047005700670077008700970107011701270137014701570167017701870197020702170227023702470257026702770287029703070317032703370347035703670377038703970407041704270437044704570467047704870497050705170527053705470557056705770587059706070617062706370647065706670677068706970707071707270737074707570767077707870797080708170827083708470857086708770887089709070917092709370947095709670977098709971007101710271037104710571067107710871097110711171127113711471157116711771187119712071217122712371247125712671277128712971307131713271337134713571367137713871397140714171427143714471457146714771487149715071517152715371547155715671577158715971607161716271637164716571667167716871697170717171727173717471757176717771787179718071817182718371847185718671877188718971907191719271937194719571967197719871997200720172027203720472057206720772087209721072117212721372147215721672177218721972207221722272237224722572267227722872297230723172327233723472357236723772387239724072417242724372447245724672477248724972507251725272537254725572567257725872597260726172627263726472657266726772687269727072717272727372747275727672777278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777777787779778077817782778377847785778677877788778977907791779277937794779577967797779877997800780178027803780478057806780778087809781078117812781378147815781678177818781978207821782278237824782578267827782878297830783178327833783478357836783778387839784078417842784378447845784678477848784978507851785278537854785578567857785878597860786178627863786478657866786778687869787078717872787378747875787678777878787978807881788278837884788578867887788878897890789178927893789478957896789778987899790079017902790379047905790679077908790979107911791279137914791579167917791879197920792179227923792479257926792779287929793079317932793379347935793679377938793979407941794279437944794579467947794879497950795179527953795479557956795779587959796079617962796379647965796679677968796979707971797279737974797579767977797879797980798179827983798479857986798779887989799079917992799379947995799679977998799980008001800280038004800580068007800880098010801180128013801480158016801780188019802080218022802380248025802680278028802980308031803280338034803580368037803880398040804180428043804480458046804780488049805080518052805380548055805680578058805980608061806280638064806580668067806880698070807180728073807480758076807780788079808080818082808380848085808680878088808980908091809280938094809580968097809880998100810181028103810481058106810781088109811081118112811381148115811681178118811981208121812281238124812581268127812881298130813181328133813481358136813781388139814081418142814381448145814681478148814981508151815281538154815581568157815881598160816181628163816481658166816781688169817081718172817381748175817681778178817981808181818281838184818581868187818881898190819181928193819481958196819781988199820082018202820382048205820682078208820982108211821282138214821582168217821882198220822182228223822482258226822782288229823082318232823382348235823682378238823982408241824282438244824582468247824882498250825182528253825482558256825782588259826082618262826382648265826682678268826982708271827282738274827582768277827882798280828182828283828482858286828782888289829082918292829382948295829682978298829983008301830283038304830583068307830883098310831183128313831483158316831783188319832083218322832383248325832683278328832983308331833283338334833583368337833883398340834183428343834483458346834783488349835083518352835383548355835683578358835983608361836283638364836583668367836883698370837183728373837483758376837783788379838083818382838383848385838683878388838983908391839283938394839583968397839883998400840184028403840484058406840784088409841084118412841384148415841684178418841984208421842284238424842584268427842884298430843184328433843484358436843784388439844084418442844384448445844684478448844984508451845284538454845584568457845884598460846184628463846484658466846784688469847084718472847384748475847684778478847984808481848284838484848584868487848884898490849184928493849484958496849784988499850085018502850385048505850685078508850985108511851285138514851585168517851885198520852185228523852485258526852785288529853085318532853385348535853685378538853985408541854285438544854585468547854885498550855185528553855485558556855785588559856085618562856385648565856685678568856985708571857285738574857585768577857885798580858185828583858485858586858785888589859085918592859385948595859685978598859986008601860286038604860586068607860886098610861186128613861486158616861786188619862086218622862386248625862686278628862986308631863286338634863586368637863886398640864186428643864486458646864786488649865086518652865386548655865686578658865986608661866286638664866586668667866886698670867186728673867486758676867786788679868086818682868386848685868686878688868986908691869286938694869586968697869886998700870187028703870487058706870787088709871087118712871387148715871687178718871987208721872287238724872587268727872887298730873187328733873487358736873787388739874087418742874387448745874687478748874987508751875287538754875587568757875887598760876187628763876487658766876787688769877087718772877387748775877687778778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927792789279928092819282928392849285928692879288928992909291929292939294929592969297929892999300930193029303930493059306930793089309931093119312931393149315931693179318931993209321932293239324932593269327932893299330933193329333933493359336933793389339934093419342934393449345934693479348934993509351935293539354935593569357935893599360936193629363936493659366936793689369937093719372937393749375937693779378937993809381938293839384938593869387938893899390939193929393939493959396939793989399940094019402940394049405940694079408940994109411941294139414941594169417941894199420942194229423942494259426942794289429943094319432943394349435943694379438943994409441944294439444944594469447944894499450945194529453945494559456945794589459946094619462946394649465946694679468946994709471947294739474947594769477947894799480948194829483948494859486948794889489949094919492949394949495949694979498949995009501950295039504950595069507950895099510951195129513951495159516951795189519952095219522952395249525952695279528952995309531953295339534953595369537953895399540954195429543954495459546954795489549955095519552955395549555955695579558955995609561956295639564956595669567956895699570957195729573957495759576957795789579958095819582958395849585958695879588958995909591959295939594959595969597959895999600960196029603960496059606960796089609961096119612961396149615961696179618961996209621962296239624962596269627962896299630963196329633963496359636963796389639964096419642964396449645964696479648964996509651965296539654965596569657965896599660966196629663966496659666966796689669967096719672967396749675967696779678967996809681968296839684968596869687968896899690969196929693969496959696969796989699970097019702970397049705970697079708970997109711971297139714971597169717971897199720972197229723972497259726972797289729973097319732973397349735973697379738973997409741974297439744974597469747974897499750975197529753975497559756975797589759976097619762976397649765976697679768976997709771977297739774977597769777977897799780978197829783978497859786978797889789979097919792979397949795979697979798979998009801980298039804980598069807980898099810981198129813981498159816981798189819982098219822982398249825982698279828982998309831983298339834983598369837983898399840984198429843984498459846984798489849985098519852985398549855985698579858985998609861986298639864986598669867986898699870987198729873987498759876987798789879988098819882988398849885988698879888988998909891989298939894989598969897989898999900990199029903990499059906990799089909991099119912991399149915991699179918991999209921992299239924992599269927992899299930993199329933993499359936993799389939994099419942994399449945994699479948994999509951995299539954995599569957995899599960996199629963996499659966996799689969997099719972997399749975997699779978997999809981998299839984998599869987998899899990999199929993999499959996999799989999100001000110002100031000410005100061000710008100091001010011100121001310014100151001610017100181001910020100211002210023100241002510026100271002810029100301003110032100331003410035100361003710038100391004010041100421004310044100451004610047100481004910050100511005210053100541005510056100571005810059100601006110062100631006410065100661006710068100691007010071100721007310074100751007610077100781007910080100811008210083100841008510086100871008810089100901009110092100931009410095100961009710098100991010010101101021010310104101051010610107101081010910110101111011210113101141011510116101171011810119101201012110122101231012410125101261012710128101291013010131101321013310134101351013610137101381013910140101411014210143101441014510146101471014810149101501015110152101531015410155101561015710158101591016010161101621016310164101651016610167101681016910170101711017210173101741017510176101771017810179101801018110182101831018410185101861018710188101891019010191101921019310194101951019610197101981019910200102011020210203102041020510206102071020810209102101021110212102131021410215102161021710218102191022010221102221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211062210623106241062510626106271062810629106301063110632106331063410635106361063710638106391064010641106421064310644106451064610647106481064910650106511065210653106541065510656106571065810659106601066110662106631066410665106661066710668106691067010671106721067310674106751067610677106781067910680106811068210683106841068510686106871068810689106901069110692106931069410695106961069710698106991070010701107021070310704107051070610707107081070910710107111071210713107141071510716107171071810719107201072110722107231072410725107261072710728107291073010731107321073310734107351073610737107381073910740107411074210743107441074510746107471074810749107501075110752107531075410755107561075710758107591076010761107621076310764107651076610767107681076910770107711077210773107741077510776107771077810779107801078110782107831078410785107861078710788107891079010791107921079310794107951079610797107981079910800108011080210803108041080510806108071080810809108101081110812108131081410815108161081710818108191082010821108221082310824108251082610827108281082910830108311083210833108341083510836108371083810839108401084110842108431084410845108461084710848108491085010851108521085310854108551085610857108581085910860108611086210863108641086510866108671086810869108701087110872108731087410875108761087710878108791088010881108821088310884108851088610887108881088910890108911089210893108941089510896108971089810899109001090110902109031090410905109061090710908109091091010911109121091310914109151091610917109181091910920109211092210923109241092510926109271092810929109301093110932109331093410935109361093710938109391094010941109421094310944109451094610947109481094910950109511095210953109541095510956109571095810959109601096110962109631096410965109661096710968109691097010971109721097310974109751097610977109781097910980109811098210983109841098510986109871098810989109901099110992109931099410995109961099710998109991100011001110021100311004110051100611007110081100911010110111101211013110141101511016110171101811019110201102111022110231102411025110261102711028110291103011031110321103311034110351103611037110381103911040110411104211043110441104511046110471104811049110501105111052110531105411055110561105711058110591106011061110621106311064110651106611067110681106911070110711107211073110741107511076110771107811079110801108111082110831108411085110861108711088110891109011091110921109311094110951109611097110981109911100111011110211103111041110511106111071110811109111101111111112111131111411115111161111711118111191112011121111221112311124111251112611127111281112911130111311113211133111341113511136111371113811139111401114111142111431114411145111461114711148111491115011151111521115311154111551115611157111581115911160111611116211163111641116511166111671116811169111701117111172111731117411175111761117711178111791118011181111821118311184111851118611187111881118911190111911119211193111941119511196111971119811199112001120111202112031120411205112061120711208112091121011211112121121311214112151121611217112181121911220112211122211223112241122511226112271122811229112301123111232112331123411235112361123711238112391124011241112421124311244112451124611247112481124911250112511125211253112541125511256112571125811259112601126111262112631126411265112661126711268112691127011271112721127311274112751127611277112781127911280112811128211283112841128511286112871128811289112901129111292112931129411295112961129711298112991130011301113021130311304113051130611307113081130911310113111131211313113141131511316113171131811319113201132111322113231132411325113261132711328113291133011331113321133311334113351133611337113381133911340113411134211343113441134511346113471134811349113501135111352113531135411355113561135711358113591136011361113621136311364113651136611367113681136911370113711137211373113741137511376113771137811379113801138111382113831138411385113861138711388113891139011391113921139311394113951139611397113981139911400114011140211403114041140511406114071140811409114101141111412114131141411415114161141711418114191142011421114221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211182211823118241182511826118271182811829118301183111832118331183411835118361183711838118391184011841118421184311844118451184611847118481184911850118511185211853118541185511856118571185811859118601186111862118631186411865118661186711868118691187011871118721187311874118751187611877118781187911880118811188211883118841188511886118871188811889118901189111892118931189411895118961189711898118991190011901119021190311904119051190611907119081190911910119111191211913119141191511916119171191811919119201192111922119231192411925119261192711928119291193011931119321193311934119351193611937119381193911940119411194211943119441194511946119471194811949119501195111952119531195411955119561195711958119591196011961119621196311964119651196611967119681196911970119711197211973119741197511976119771197811979119801198111982119831198411985119861198711988119891199011991119921199311994119951199611997119981199912000120011200212003120041200512006120071200812009120101201112012120131201412015120161201712018120191202012021120221202312024120251202612027120281202912030120311203212033120341203512036120371203812039120401204112042120431204412045120461204712048120491205012051120521205312054120551205612057120581205912060120611206212063120641206512066120671206812069120701207112072120731207412075120761207712078120791208012081120821208312084120851208612087120881208912090120911209212093120941209512096120971209812099121001210112102121031210412105121061210712108121091211012111121121211312114121151211612117121181211912120121211212212123121241212512126121271212812129121301213112132121331213412135121361213712138121391214012141121421214312144121451214612147121481214912150121511215212153121541215512156121571215812159121601216112162121631216412165121661216712168121691217012171121721217312174121751217612177121781217912180121811218212183121841218512186121871218812189121901219112192121931219412195121961219712198121991220012201122021220312204122051220612207122081220912210122111221212213122141221512216122171221812219122201222112222122231222412225122261222712228122291223012231122321223312234122351223612237122381223912240122411224212243122441224512246122471224812249122501225112252122531225412255122561225712258122591226012261122621226312264122651226612267122681226912270122711227212273122741227512276122771227812279122801228112282122831228412285122861228712288122891229012291122921229312294122951229612297122981229912300123011230212303123041230512306123071230812309123101231112312123131231412315123161231712318123191232012321123221232312324123251232612327123281232912330123311233212333123341233512336123371233812339123401234112342123431234412345123461234712348123491235012351123521235312354123551235612357123581235912360123611236212363123641236512366123671236812369123701237112372123731237412375123761237712378123791238012381123821238312384123851238612387123881238912390123911239212393123941239512396123971239812399124001240112402124031240412405124061240712408124091241012411124121241312414124151241612417124181241912420124211242212423124241242512426124271242812429124301243112432124331243412435124361243712438124391244012441124421244312444124451244612447124481244912450124511245212453124541245512456124571245812459124601246112462124631246412465124661246712468124691247012471124721247312474124751247612477124781247912480124811248212483124841248512486124871248812489124901249112492124931249412495124961249712498124991250012501125021250312504125051250612507125081250912510125111251212513125141251512516125171251812519125201252112522125231252412525125261252712528125291253012531125321253312534125351253612537125381253912540125411254212543125441254512546125471254812549125501255112552125531255412555125561255712558125591256012561125621256312564125651256612567125681256912570125711257212573125741257512576125771257812579125801258112582125831258412585125861258712588125891259012591125921259312594125951259612597125981259912600126011260212603126041260512606126071260812609126101261112612126131261412615126161261712618126191262012621126221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211302213023130241302513026130271302813029130301303113032130331303413035130361303713038130391304013041130421304313044130451304613047130481304913050130511305213053130541305513056130571305813059130601306113062130631306413065130661306713068130691307013071130721307313074130751307613077130781307913080130811308213083130841308513086130871308813089130901309113092130931309413095130961309713098130991310013101131021310313104131051310613107131081310913110131111311213113131141311513116131171311813119131201312113122131231312413125131261312713128131291313013131131321313313134131351313613137131381313913140131411314213143131441314513146131471314813149131501315113152131531315413155131561315713158131591316013161131621316313164131651316613167131681316913170131711317213173131741317513176131771317813179131801318113182131831318413185131861318713188131891319013191131921319313194131951319613197131981319913200132011320213203132041320513206132071320813209132101321113212132131321413215132161321713218132191322013221132221322313224132251322613227132281322913230132311323213233132341323513236132371323813239132401324113242132431324413245132461324713248132491325013251132521325313254132551325613257132581325913260132611326213263132641326513266132671326813269132701327113272132731327413275132761327713278132791328013281132821328313284132851328613287132881328913290132911329213293132941329513296132971329813299133001330113302133031330413305133061330713308133091331013311133121331313314133151331613317133181331913320133211332213323133241332513326133271332813329133301333113332133331333413335133361333713338133391334013341133421334313344133451334613347133481334913350133511335213353133541335513356133571335813359133601336113362133631336413365133661336713368133691337013371133721337313374133751337613377133781337913380133811338213383133841338513386133871338813389133901339113392133931339413395133961339713398133991340013401134021340313404134051340613407134081340913410134111341213413134141341513416134171341813419134201342113422134231342413425134261342713428134291343013431134321343313434134351343613437134381343913440134411344213443134441344513446134471344813449134501345113452134531345413455134561345713458134591346013461134621346313464134651346613467134681346913470134711347213473134741347513476134771347813479134801348113482134831348413485134861348713488134891349013491134921349313494134951349613497134981349913500135011350213503135041350513506135071350813509135101351113512135131351413515135161351713518135191352013521135221352313524135251352613527135281352913530135311353213533135341353513536135371353813539135401354113542135431354413545135461354713548135491355013551135521355313554135551355613557135581355913560135611356213563135641356513566135671356813569135701357113572135731357413575135761357713578135791358013581135821358313584135851358613587135881358913590135911359213593135941359513596135971359813599136001360113602136031360413605136061360713608136091361013611136121361313614136151361613617136181361913620136211362213623136241362513626136271362813629136301363113632136331363413635136361363713638136391364013641136421364313644136451364613647136481364913650136511365213653136541365513656136571365813659136601366113662136631366413665136661366713668136691367013671136721367313674136751367613677136781367913680136811368213683136841368513686136871368813689136901369113692136931369413695136961369713698136991370013701137021370313704137051370613707137081370913710137111371213713137141371513716137171371813719137201372113722137231372413725137261372713728137291373013731137321373313734137351373613737137381373913740137411374213743137441374513746137471374813749137501375113752137531375413755137561375713758137591376013761137621376313764137651376613767137681376913770137711377213773137741377513776137771377813779137801378113782137831378413785137861378713788137891379013791137921379313794137951379613797137981379913800138011380213803138041380513806138071380813809138101381113812138131381413815138161381713818138191382013821138221382313824138251382613827138281382913830138311383213833138341383513836138371383813839138401384113842138431384413845138461384713848138491385013851138521385313854138551385613857138581385913860138611386213863138641386513866138671386813869138701387113872138731387413875138761387713878138791388013881138821388313884138851388613887138881388913890138911389213893138941389513896138971389813899139001390113902139031390413905139061390713908139091391013911139121391313914139151391613917139181391913920139211392213923139241392513926139271392813929139301393113932139331393413935139361393713938139391394013941139421394313944139451394613947139481394913950139511395213953139541395513956139571395813959139601396113962139631396413965139661396713968139691397013971139721397313974139751397613977139781397913980139811398213983139841398513986139871398813989139901399113992139931399413995139961399713998139991400014001140021400314004140051400614007140081400914010140111401214013140141401514016140171401814019140201402114022140231402414025140261402714028140291403014031140321403314034140351403614037140381403914040140411404214043140441404514046140471404814049140501405114052140531405414055140561405714058140591406014061140621406314064140651406614067140681406914070140711407214073140741407514076140771407814079140801408114082140831408414085140861408714088140891409014091140921409314094140951409614097140981409914100141011410214103141041410514106141071410814109141101411114112141131411414115141161411714118141191412014121141221412314124141251412614127141281412914130141311413214133141341413514136141371413814139141401414114142141431414414145141461414714148141491415014151141521415314154141551415614157141581415914160141611416214163141641416514166141671416814169141701417114172141731417414175141761417714178141791418014181141821418314184141851418614187141881418914190141911419214193141941419514196141971419814199142001420114202142031420414205142061420714208142091421014211142121421314214142151421614217142181421914220142211422214223142241422514226142271422814229142301423114232142331423414235142361423714238142391424014241142421424314244142451424614247142481424914250142511425214253142541425514256142571425814259142601426114262142631426414265142661426714268142691427014271142721427314274142751427614277142781427914280142811428214283142841428514286142871428814289142901429114292142931429414295142961429714298142991430014301143021430314304143051430614307143081430914310143111431214313143141431514316143171431814319143201432114322143231432414325143261432714328143291433014331143321433314334143351433614337143381433914340143411434214343143441434514346143471434814349143501435114352143531435414355143561435714358143591436014361143621436314364143651436614367143681436914370143711437214373143741437514376143771437814379143801438114382143831438414385143861438714388143891439014391143921439314394143951439614397143981439914400144011440214403144041440514406144071440814409144101441114412144131441414415144161441714418144191442014421144221442314424144251442614427144281442914430144311443214433144341443514436144371443814439144401444114442144431444414445144461444714448144491445014451144521445314454144551445614457144581445914460144611446214463144641446514466144671446814469144701447114472144731447414475144761447714478144791448014481144821448314484144851448614487144881448914490144911449214493144941449514496144971449814499145001450114502145031450414505145061450714508145091451014511145121451314514145151451614517145181451914520145211452214523145241452514526145271452814529145301453114532145331453414535145361453714538145391454014541145421454314544145451454614547145481454914550145511455214553145541455514556145571455814559145601456114562145631456414565145661456714568145691457014571145721457314574145751457614577145781457914580145811458214583145841458514586145871458814589145901459114592145931459414595145961459714598145991460014601146021460314604146051460614607146081460914610146111461214613146141461514616146171461814619146201462114622146231462414625146261462714628146291463014631146321463314634146351463614637146381463914640146411464214643146441464514646146471464814649146501465114652146531465414655146561465714658146591466014661146621466314664146651466614667146681466914670146711467214673146741467514676146771467814679146801468114682146831468414685146861468714688146891469014691146921469314694146951469614697146981469914700147011470214703147041470514706147071470814709147101471114712147131471414715147161471714718147191472014721147221472314724147251472614727147281472914730147311473214733147341473514736147371473814739147401474114742147431474414745147461474714748147491475014751147521475314754147551475614757147581475914760147611476214763147641476514766147671476814769147701477114772147731477414775147761477714778147791478014781147821478314784147851478614787147881478914790147911479214793147941479514796147971479814799148001480114802148031480414805148061480714808148091481014811148121481314814148151481614817148181481914820148211482214823148241482514826148271482814829148301483114832148331483414835148361483714838148391484014841148421484314844148451484614847148481484914850148511485214853148541485514856148571485814859148601486114862148631486414865148661486714868148691487014871148721487314874148751487614877148781487914880148811488214883148841488514886148871488814889148901489114892148931489414895148961489714898148991490014901149021490314904149051490614907149081490914910149111491214913149141491514916149171491814919149201492114922149231492414925149261492714928149291493014931149321493314934149351493614937149381493914940149411494214943149441494514946149471494814949149501495114952149531495414955149561495714958149591496014961149621496314964149651496614967149681496914970149711497214973149741497514976149771497814979149801498114982149831498414985149861498714988149891499014991149921499314994149951499614997149981499915000150011500215003150041500515006150071500815009150101501115012150131501415015150161501715018150191502015021150221502315024150251502615027150281502915030150311503215033150341503515036150371503815039150401504115042150431504415045150461504715048150491505015051150521505315054150551505615057150581505915060150611506215063150641506515066150671506815069150701507115072150731507415075150761507715078150791508015081150821508315084150851508615087150881508915090150911509215093150941509515096150971509815099151001510115102151031510415105151061510715108151091511015111151121511315114151151511615117151181511915120151211512215123151241512515126151271512815129151301513115132151331513415135151361513715138151391514015141151421514315144151451514615147151481514915150151511515215153151541515515156151571515815159151601516115162151631516415165151661516715168151691517015171151721517315174151751517615177151781517915180151811518215183151841518515186151871518815189151901519115192151931519415195151961519715198151991520015201152021520315204152051520615207152081520915210152111521215213152141521515216152171521815219152201522115222152231522415225152261522715228152291523015231152321523315234152351523615237152381523915240152411524215243152441524515246152471524815249152501525115252152531525415255152561525715258152591526015261152621526315264152651526615267152681526915270152711527215273152741527515276152771527815279152801528115282152831528415285152861528715288152891529015291152921529315294152951529615297152981529915300153011530215303153041530515306153071530815309153101531115312153131531415315153161531715318153191532015321153221532315324153251532615327153281532915330153311533215333153341533515336153371533815339153401534115342153431534415345153461534715348153491535015351153521535315354153551535615357153581535915360153611536215363153641536515366153671536815369153701537115372153731537415375153761537715378153791538015381153821538315384153851538615387153881538915390153911539215393153941539515396153971539815399154001540115402154031540415405154061540715408154091541015411154121541315414154151541615417154181541915420154211542215423154241542515426154271542815429154301543115432154331543415435154361543715438154391544015441154421544315444154451544615447154481544915450154511545215453154541545515456154571545815459154601546115462154631546415465154661546715468154691547015471154721547315474154751547615477154781547915480154811548215483154841548515486154871548815489154901549115492154931549415495154961549715498154991550015501155021550315504155051550615507155081550915510155111551215513155141551515516155171551815519155201552115522155231552415525155261552715528155291553015531155321553315534155351553615537155381553915540155411554215543155441554515546155471554815549155501555115552155531555415555155561555715558155591556015561155621556315564155651556615567155681556915570155711557215573155741557515576155771557815579155801558115582155831558415585155861558715588155891559015591155921559315594155951559615597155981559915600156011560215603156041560515606156071560815609156101561115612156131561415615156161561715618156191562015621156221562315624156251562615627156281562915630156311563215633156341563515636156371563815639156401564115642156431564415645156461564715648156491565015651156521565315654156551565615657156581565915660156611566215663156641566515666156671566815669156701567115672156731567415675156761567715678156791568015681156821568315684156851568615687156881568915690156911569215693156941569515696156971569815699157001570115702157031570415705157061570715708157091571015711157121571315714157151571615717157181571915720157211572215723157241572515726157271572815729157301573115732157331573415735157361573715738157391574015741157421574315744157451574615747157481574915750157511575215753157541575515756157571575815759157601576115762157631576415765157661576715768157691577015771157721577315774157751577615777157781577915780157811578215783157841578515786157871578815789157901579115792157931579415795157961579715798157991580015801158021580315804158051580615807158081580915810158111581215813158141581515816158171581815819158201582115822158231582415825158261582715828158291583015831158321583315834158351583615837158381583915840158411584215843158441584515846158471584815849158501585115852158531585415855158561585715858158591586015861158621586315864158651586615867158681586915870158711587215873158741587515876158771587815879158801588115882158831588415885158861588715888158891589015891158921589315894158951589615897158981589915900159011590215903159041590515906159071590815909159101591115912159131591415915159161591715918159191592015921159221592315924159251592615927159281592915930159311593215933159341593515936159371593815939159401594115942159431594415945159461594715948159491595015951159521595315954159551595615957159581595915960159611596215963159641596515966159671596815969159701597115972159731597415975159761597715978159791598015981159821598315984159851598615987159881598915990159911599215993159941599515996159971599815999160001600116002160031600416005160061600716008160091601016011160121601316014160151601616017160181601916020160211602216023160241602516026160271602816029160301603116032160331603416035160361603716038160391604016041160421604316044160451604616047160481604916050160511605216053160541605516056160571605816059160601606116062160631606416065160661606716068160691607016071160721607316074160751607616077160781607916080160811608216083160841608516086160871608816089160901609116092160931609416095160961609716098160991610016101161021610316104161051610616107161081610916110161111611216113161141611516116161171611816119161201612116122161231612416125161261612716128161291613016131161321613316134161351613616137161381613916140161411614216143161441614516146161471614816149161501615116152161531615416155161561615716158161591616016161161621616316164161651616616167161681616916170161711617216173161741617516176161771617816179161801618116182161831618416185161861618716188161891619016191161921619316194161951619616197161981619916200162011620216203162041620516206162071620816209162101621116212162131621416215162161621716218162191622016221162221622316224162251622616227162281622916230162311623216233162341623516236162371623816239162401624116242162431624416245162461624716248162491625016251162521625316254162551625616257162581625916260162611626216263162641626516266162671626816269162701627116272162731627416275162761627716278162791628016281162821628316284162851628616287162881628916290162911629216293162941629516296162971629816299163001630116302163031630416305163061630716308163091631016311163121631316314163151631616317163181631916320163211632216323163241632516326163271632816329163301633116332163331633416335163361633716338163391634016341163421634316344163451634616347163481634916350163511635216353163541635516356163571635816359163601636116362163631636416365163661636716368163691637016371163721637316374163751637616377163781637916380163811638216383163841638516386163871638816389163901639116392163931639416395163961639716398163991640016401164021640316404164051640616407164081640916410164111641216413164141641516416164171641816419164201642116422164231642416425164261642716428164291643016431164321643316434164351643616437164381643916440164411644216443164441644516446164471644816449164501645116452164531645416455164561645716458164591646016461164621646316464164651646616467164681646916470164711647216473164741647516476164771647816479164801648116482164831648416485164861648716488164891649016491164921649316494164951649616497164981649916500165011650216503165041650516506165071650816509165101651116512165131651416515165161651716518165191652016521165221652316524165251652616527165281652916530165311653216533165341653516536165371653816539165401654116542165431654416545165461654716548165491655016551165521655316554165551655616557165581655916560165611656216563165641656516566165671656816569165701657116572165731657416575165761657716578165791658016581165821658316584165851658616587165881658916590165911659216593165941659516596165971659816599166001660116602166031660416605166061660716608166091661016611166121661316614166151661616617166181661916620166211662216623166241662516626166271662816629166301663116632166331663416635166361663716638166391664016641166421664316644166451664616647166481664916650166511665216653166541665516656166571665816659166601666116662166631666416665166661666716668166691667016671166721667316674166751667616677166781667916680166811668216683166841668516686166871668816689166901669116692166931669416695166961669716698166991670016701167021670316704167051670616707167081670916710167111671216713167141671516716167171671816719167201672116722167231672416725167261672716728167291673016731167321673316734167351673616737167381673916740167411674216743167441674516746167471674816749167501675116752167531675416755167561675716758167591676016761167621676316764167651676616767167681676916770167711677216773167741677516776167771677816779167801678116782167831678416785167861678716788167891679016791167921679316794167951679616797167981679916800168011680216803168041680516806168071680816809168101681116812168131681416815168161681716818168191682016821168221682316824168251682616827168281682916830168311683216833168341683516836168371683816839168401684116842168431684416845168461684716848168491685016851168521685316854168551685616857168581685916860168611686216863168641686516866168671686816869168701687116872168731687416875168761687716878168791688016881168821688316884168851688616887168881688916890168911689216893168941689516896168971689816899169001690116902169031690416905169061690716908169091691016911169121691316914169151691616917169181691916920169211692216923169241692516926169271692816929169301693116932169331693416935169361693716938169391694016941169421694316944169451694616947169481694916950169511695216953169541695516956169571695816959169601696116962169631696416965169661696716968169691697016971169721697316974169751697616977169781697916980169811698216983169841698516986169871698816989169901699116992169931699416995169961699716998169991700017001170021700317004170051700617007170081700917010170111701217013170141701517016170171701817019170201702117022170231702417025170261702717028170291703017031170321703317034170351703617037170381703917040170411704217043170441704517046170471704817049170501705117052170531705417055170561705717058170591706017061170621706317064170651706617067170681706917070170711707217073170741707517076170771707817079170801708117082170831708417085170861708717088170891709017091170921709317094170951709617097170981709917100171011710217103171041710517106171071710817109171101711117112171131711417115171161711717118171191712017121171221712317124171251712617127171281712917130171311713217133171341713517136171371713817139171401714117142171431714417145171461714717148171491715017151171521715317154171551715617157171581715917160171611716217163171641716517166171671716817169171701717117172171731717417175171761717717178171791718017181171821718317184171851718617187171881718917190171911719217193171941719517196171971719817199172001720117202172031720417205172061720717208172091721017211172121721317214172151721617217172181721917220172211722217223172241722517226172271722817229172301723117232172331723417235172361723717238172391724017241172421724317244172451724617247172481724917250172511725217253172541725517256172571725817259172601726117262172631726417265172661726717268172691727017271172721727317274172751727617277172781727917280172811728217283172841728517286172871728817289172901729117292172931729417295172961729717298172991730017301173021730317304173051730617307173081730917310173111731217313173141731517316173171731817319173201732117322173231732417325173261732717328173291733017331173321733317334173351733617337173381733917340173411734217343173441734517346173471734817349173501735117352173531735417355173561735717358173591736017361173621736317364173651736617367173681736917370173711737217373173741737517376173771737817379173801738117382173831738417385173861738717388173891739017391173921739317394173951739617397173981739917400174011740217403174041740517406174071740817409174101741117412174131741417415174161741717418174191742017421174221742317424174251742617427174281742917430174311743217433174341743517436174371743817439174401744117442174431744417445174461744717448174491745017451174521745317454174551745617457174581745917460174611746217463174641746517466174671746817469174701747117472174731747417475174761747717478174791748017481174821748317484174851748617487174881748917490174911749217493174941749517496174971749817499175001750117502175031750417505175061750717508175091751017511175121751317514175151751617517175181751917520175211752217523175241752517526175271752817529175301753117532175331753417535175361753717538175391754017541175421754317544175451754617547175481754917550175511755217553175541755517556175571755817559175601756117562175631756417565175661756717568175691757017571175721757317574175751757617577175781757917580175811758217583175841758517586175871758817589175901759117592175931759417595175961759717598175991760017601176021760317604176051760617607176081760917610176111761217613176141761517616176171761817619176201762117622176231762417625176261762717628176291763017631176321763317634176351763617637176381763917640176411764217643176441764517646176471764817649176501765117652176531765417655176561765717658176591766017661176621766317664176651766617667176681766917670176711767217673176741767517676176771767817679176801768117682176831768417685176861768717688176891769017691176921769317694176951769617697176981769917700177011770217703177041770517706177071770817709177101771117712177131771417715177161771717718177191772017721177221772317724177251772617727177281772917730177311773217733177341773517736177371773817739177401774117742177431774417745177461774717748177491775017751177521775317754177551775617757177581775917760177611776217763177641776517766177671776817769177701777117772177731777417775177761777717778177791778017781177821778317784177851778617787177881778917790177911779217793177941779517796177971779817799178001780117802178031780417805178061780717808178091781017811178121781317814178151781617817178181781917820178211782217823178241782517826178271782817829178301783117832178331783417835178361783717838178391784017841178421784317844178451784617847178481784917850178511785217853178541785517856178571785817859178601786117862178631786417865178661786717868178691787017871178721787317874178751787617877178781787917880178811788217883178841788517886178871788817889178901789117892178931789417895178961789717898178991790017901179021790317904179051790617907179081790917910179111791217913179141791517916179171791817919179201792117922179231792417925179261792717928179291793017931179321793317934179351793617937179381793917940179411794217943179441794517946179471794817949179501795117952179531795417955179561795717958179591796017961179621796317964179651796617967179681796917970179711797217973179741797517976179771797817979179801798117982179831798417985179861798717988179891799017991179921799317994179951799617997179981799918000180011800218003180041800518006180071800818009180101801118012180131801418015180161801718018180191802018021180221802318024180251802618027180281802918030180311803218033180341803518036180371803818039180401804118042180431804418045180461804718048180491805018051180521805318054180551805618057180581805918060180611806218063180641806518066180671806818069180701807118072180731807418075180761807718078180791808018081180821808318084180851808618087180881808918090180911809218093180941809518096180971809818099181001810118102181031810418105181061810718108181091811018111181121811318114181151811618117181181811918120181211812218123181241812518126181271812818129181301813118132181331813418135181361813718138181391814018141181421814318144181451814618147181481814918150181511815218153181541815518156181571815818159181601816118162181631816418165181661816718168181691817018171181721817318174181751817618177181781817918180181811818218183181841818518186181871818818189181901819118192181931819418195181961819718198181991820018201182021820318204182051820618207182081820918210182111821218213182141821518216182171821818219182201822118222182231822418225182261822718228182291823018231182321823318234182351823618237182381823918240182411824218243182441824518246182471824818249182501825118252182531825418255182561825718258182591826018261182621826318264182651826618267182681826918270182711827218273182741827518276182771827818279182801828118282182831828418285182861828718288182891829018291182921829318294182951829618297182981829918300183011830218303183041830518306183071830818309183101831118312183131831418315183161831718318183191832018321183221832318324183251832618327183281832918330183311833218333183341833518336183371833818339183401834118342183431834418345183461834718348183491835018351183521835318354183551835618357183581835918360183611836218363183641836518366183671836818369183701837118372183731837418375183761837718378183791838018381183821838318384183851838618387183881838918390183911839218393183941839518396183971839818399184001840118402184031840418405184061840718408184091841018411184121841318414184151841618417184181841918420184211842218423184241842518426184271842818429184301843118432184331843418435184361843718438184391844018441184421844318444184451844618447184481844918450184511845218453184541845518456184571845818459184601846118462184631846418465184661846718468184691847018471184721847318474184751847618477184781847918480184811848218483184841848518486184871848818489184901849118492184931849418495184961849718498184991850018501185021850318504185051850618507185081850918510185111851218513185141851518516185171851818519185201852118522185231852418525185261852718528185291853018531185321853318534185351853618537185381853918540185411854218543185441854518546185471854818549185501855118552185531855418555185561855718558185591856018561185621856318564185651856618567185681856918570185711857218573185741857518576185771857818579185801858118582185831858418585185861858718588185891859018591185921859318594185951859618597185981859918600186011860218603186041860518606186071860818609186101861118612186131861418615186161861718618186191862018621186221862318624186251862618627186281862918630186311863218633186341863518636186371863818639186401864118642186431864418645186461864718648186491865018651186521865318654186551865618657186581865918660186611866218663186641866518666186671866818669186701867118672186731867418675186761867718678186791868018681186821868318684186851868618687186881868918690186911869218693186941869518696186971869818699187001870118702187031870418705187061870718708187091871018711187121871318714187151871618717187181871918720187211872218723187241872518726187271872818729187301873118732187331873418735187361873718738187391874018741187421874318744187451874618747187481874918750187511875218753187541875518756187571875818759187601876118762187631876418765187661876718768187691877018771187721877318774187751877618777187781877918780187811878218783187841878518786187871878818789187901879118792187931879418795187961879718798187991880018801188021880318804188051880618807188081880918810188111881218813188141881518816188171881818819188201882118822188231882418825188261882718828188291883018831188321883318834188351883618837188381883918840188411884218843188441884518846188471884818849188501885118852188531885418855188561885718858188591886018861188621886318864188651886618867188681886918870188711887218873188741887518876188771887818879188801888118882188831888418885188861888718888188891889018891188921889318894188951889618897188981889918900189011890218903189041890518906189071890818909189101891118912189131891418915189161891718918189191892018921189221892318924189251892618927189281892918930189311893218933189341893518936189371893818939189401894118942189431894418945189461894718948189491895018951189521895318954189551895618957189581895918960189611896218963189641896518966189671896818969189701897118972189731897418975189761897718978189791898018981189821898318984189851898618987189881898918990189911899218993189941899518996189971899818999190001900119002190031900419005190061900719008190091901019011190121901319014190151901619017190181901919020190211902219023190241902519026190271902819029190301903119032190331903419035190361903719038190391904019041190421904319044190451904619047190481904919050190511905219053190541905519056190571905819059190601906119062190631906419065190661906719068190691907019071190721907319074190751907619077190781907919080190811908219083190841908519086190871908819089190901909119092190931909419095190961909719098190991910019101191021910319104191051910619107191081910919110191111911219113191141911519116191171911819119191201912119122191231912419125191261912719128191291913019131191321913319134191351913619137191381913919140191411914219143191441914519146191471914819149191501915119152191531915419155191561915719158191591916019161191621916319164191651916619167191681916919170191711917219173191741917519176191771917819179191801918119182191831918419185191861918719188191891919019191191921919319194191951919619197191981919919200192011920219203192041920519206192071920819209192101921119212192131921419215192161921719218192191922019221192221922319224192251922619227192281922919230192311923219233192341923519236192371923819239192401924119242192431924419245192461924719248192491925019251192521925319254192551925619257192581925919260192611926219263192641926519266192671926819269192701927119272192731927419275192761927719278192791928019281192821928319284192851928619287192881928919290192911929219293192941929519296192971929819299193001930119302193031930419305193061930719308193091931019311193121931319314193151931619317193181931919320193211932219323193241932519326193271932819329193301933119332193331933419335193361933719338193391934019341193421934319344193451934619347193481934919350193511935219353193541935519356193571935819359193601936119362193631936419365193661936719368193691937019371193721937319374193751937619377193781937919380193811938219383193841938519386193871938819389193901939119392193931939419395193961939719398193991940019401194021940319404194051940619407194081940919410194111941219413194141941519416194171941819419194201942119422194231942419425194261942719428194291943019431194321943319434194351943619437194381943919440194411944219443194441944519446194471944819449194501945119452194531945419455194561945719458194591946019461194621946319464194651946619467194681946919470194711947219473194741947519476194771947819479194801948119482194831948419485194861948719488194891949019491194921949319494194951949619497194981949919500195011950219503195041950519506195071950819509195101951119512195131951419515195161951719518195191952019521195221952319524195251952619527195281952919530195311953219533195341953519536195371953819539195401954119542195431954419545195461954719548195491955019551195521955319554195551955619557195581955919560195611956219563195641956519566195671956819569195701957119572195731957419575195761957719578195791958019581195821958319584195851958619587195881958919590195911959219593195941959519596195971959819599196001960119602196031960419605196061960719608196091961019611196121961319614196151961619617196181961919620196211962219623196241962519626196271962819629196301963119632196331963419635196361963719638196391964019641196421964319644196451964619647196481964919650196511965219653196541965519656196571965819659196601966119662196631966419665196661966719668196691967019671196721967319674196751967619677196781967919680196811968219683196841968519686196871968819689196901969119692196931969419695196961969719698196991970019701197021970319704197051970619707197081970919710197111971219713197141971519716197171971819719197201972119722197231972419725197261972719728197291973019731197321973319734197351973619737197381973919740197411974219743197441974519746197471974819749197501975119752197531975419755197561975719758197591976019761197621976319764197651976619767197681976919770197711977219773197741977519776197771977819779197801978119782197831978419785197861978719788197891979019791197921979319794197951979619797197981979919800198011980219803198041980519806198071980819809198101981119812198131981419815198161981719818198191982019821198221982319824198251982619827198281982919830198311983219833198341983519836198371983819839198401984119842198431984419845198461984719848198491985019851198521985319854198551985619857198581985919860198611986219863198641986519866198671986819869198701987119872198731987419875198761987719878198791988019881198821988319884198851988619887198881988919890198911989219893198941989519896198971989819899199001990119902199031990419905199061990719908199091991019911199121991319914199151991619917199181991919920199211992219923199241992519926199271992819929199301993119932199331993419935199361993719938199391994019941199421994319944199451994619947199481994919950199511995219953199541995519956199571995819959199601996119962199631996419965199661996719968199691997019971199721997319974199751997619977199781997919980199811998219983199841998519986199871998819989199901999119992199931999419995199961999719998199992000020001200022000320004200052000620007200082000920010200112001220013200142001520016200172001820019200202002120022200232002420025200262002720028200292003020031200322003320034200352003620037200382003920040200412004220043200442004520046200472004820049200502005120052200532005420055200562005720058200592006020061200622006320064200652006620067200682006920070200712007220073200742007520076200772007820079200802008120082200832008420085200862008720088200892009020091200922009320094200952009620097200982009920100201012010220103201042010520106201072010820109201102011120112201132011420115201162011720118201192012020121201222012320124201252012620127201282012920130201312013220133201342013520136201372013820139201402014120142201432014420145201462014720148201492015020151201522015320154201552015620157201582015920160201612016220163201642016520166201672016820169201702017120172201732017420175201762017720178201792018020181201822018320184201852018620187201882018920190201912019220193201942019520196201972019820199202002020120202202032020420205202062020720208202092021020211202122021320214202152021620217202182021920220202212022220223202242022520226202272022820229202302023120232202332023420235202362023720238202392024020241202422024320244202452024620247202482024920250202512025220253202542025520256202572025820259202602026120262202632026420265202662026720268202692027020271202722027320274202752027620277202782027920280202812028220283202842028520286202872028820289202902029120292202932029420295202962029720298202992030020301203022030320304203052030620307203082030920310203112031220313203142031520316203172031820319203202032120322203232032420325203262032720328203292033020331203322033320334203352033620337203382033920340203412034220343203442034520346203472034820349203502035120352203532035420355203562035720358203592036020361203622036320364203652036620367203682036920370203712037220373203742037520376203772037820379203802038120382203832038420385203862038720388203892039020391203922039320394203952039620397203982039920400204012040220403204042040520406204072040820409204102041120412204132041420415204162041720418204192042020421204222042320424204252042620427204282042920430204312043220433204342043520436204372043820439204402044120442204432044420445204462044720448204492045020451204522045320454204552045620457204582045920460204612046220463204642046520466204672046820469204702047120472204732047420475204762047720478204792048020481204822048320484204852048620487204882048920490204912049220493204942049520496204972049820499205002050120502205032050420505205062050720508205092051020511205122051320514205152051620517205182051920520205212052220523205242052520526205272052820529205302053120532205332053420535205362053720538205392054020541205422054320544205452054620547205482054920550205512055220553205542055520556205572055820559205602056120562205632056420565205662056720568205692057020571205722057320574205752057620577205782057920580205812058220583205842058520586205872058820589205902059120592205932059420595205962059720598205992060020601206022060320604206052060620607206082060920610206112061220613206142061520616206172061820619206202062120622206232062420625206262062720628206292063020631206322063320634206352063620637206382063920640206412064220643206442064520646206472064820649206502065120652206532065420655206562065720658206592066020661206622066320664206652066620667206682066920670206712067220673206742067520676206772067820679206802068120682206832068420685206862068720688206892069020691206922069320694206952069620697206982069920700207012070220703207042070520706207072070820709207102071120712207132071420715207162071720718207192072020721207222072320724207252072620727207282072920730207312073220733207342073520736207372073820739207402074120742207432074420745207462074720748207492075020751207522075320754207552075620757207582075920760207612076220763207642076520766207672076820769207702077120772207732077420775207762077720778207792078020781207822078320784207852078620787207882078920790207912079220793207942079520796207972079820799208002080120802208032080420805208062080720808208092081020811208122081320814208152081620817208182081920820208212082220823208242082520826208272082820829208302083120832208332083420835208362083720838208392084020841208422084320844208452084620847208482084920850208512085220853208542085520856208572085820859208602086120862208632086420865208662086720868208692087020871208722087320874208752087620877208782087920880208812088220883208842088520886208872088820889208902089120892208932089420895208962089720898208992090020901209022090320904209052090620907209082090920910209112091220913209142091520916209172091820919209202092120922209232092420925209262092720928209292093020931209322093320934209352093620937209382093920940209412094220943209442094520946209472094820949209502095120952209532095420955209562095720958209592096020961209622096320964209652096620967209682096920970209712097220973209742097520976209772097820979209802098120982209832098420985209862098720988209892099020991209922099320994209952099620997209982099921000210012100221003210042100521006210072100821009210102101121012210132101421015210162101721018210192102021021210222102321024210252102621027210282102921030210312103221033210342103521036210372103821039210402104121042210432104421045210462104721048210492105021051210522105321054210552105621057210582105921060210612106221063210642106521066210672106821069210702107121072210732107421075210762107721078210792108021081210822108321084210852108621087210882108921090210912109221093210942109521096210972109821099211002110121102211032110421105211062110721108211092111021111211122111321114211152111621117211182111921120211212112221123211242112521126211272112821129211302113121132211332113421135211362113721138211392114021141211422114321144211452114621147211482114921150211512115221153211542115521156211572115821159211602116121162211632116421165211662116721168211692117021171211722117321174211752117621177211782117921180211812118221183211842118521186211872118821189211902119121192211932119421195211962119721198211992120021201212022120321204212052120621207212082120921210212112121221213212142121521216212172121821219212202122121222212232122421225212262122721228212292123021231212322123321234212352123621237212382123921240212412124221243212442124521246212472124821249212502125121252212532125421255212562125721258212592126021261212622126321264212652126621267212682126921270212712127221273212742127521276212772127821279212802128121282212832128421285212862128721288212892129021291212922129321294212952129621297212982129921300213012130221303213042130521306213072130821309213102131121312213132131421315213162131721318213192132021321213222132321324213252132621327213282132921330213312133221333213342133521336213372133821339213402134121342213432134421345213462134721348213492135021351213522135321354213552135621357213582135921360213612136221363213642136521366213672136821369213702137121372213732137421375213762137721378213792138021381213822138321384213852138621387213882138921390213912139221393213942139521396213972139821399214002140121402214032140421405214062140721408214092141021411214122141321414214152141621417214182141921420214212142221423214242142521426214272142821429214302143121432214332143421435214362143721438214392144021441214422144321444214452144621447214482144921450214512145221453214542145521456214572145821459214602146121462214632146421465214662146721468214692147021471214722147321474214752147621477214782147921480214812148221483214842148521486214872148821489214902149121492214932149421495214962149721498214992150021501215022150321504215052150621507215082150921510215112151221513215142151521516215172151821519215202152121522215232152421525215262152721528215292153021531215322153321534215352153621537215382153921540215412154221543215442154521546215472154821549215502155121552215532155421555215562155721558215592156021561215622156321564215652156621567215682156921570215712157221573215742157521576215772157821579215802158121582215832158421585215862158721588215892159021591215922159321594215952159621597215982159921600216012160221603216042160521606216072160821609216102161121612216132161421615216162161721618216192162021621216222162321624216252162621627216282162921630216312163221633216342163521636216372163821639216402164121642216432164421645216462164721648216492165021651216522165321654216552165621657216582165921660216612166221663216642166521666216672166821669216702167121672216732167421675216762167721678216792168021681216822168321684216852168621687216882168921690216912169221693216942169521696216972169821699217002170121702217032170421705217062170721708217092171021711217122171321714217152171621717217182171921720217212172221723217242172521726217272172821729217302173121732217332173421735217362173721738217392174021741217422174321744217452174621747217482174921750217512175221753217542175521756217572175821759217602176121762217632176421765217662176721768217692177021771217722177321774217752177621777217782177921780217812178221783217842178521786217872178821789217902179121792217932179421795217962179721798217992180021801218022180321804218052180621807218082180921810218112181221813218142181521816218172181821819218202182121822218232182421825218262182721828218292183021831218322183321834218352183621837218382183921840218412184221843218442184521846218472184821849218502185121852218532185421855218562185721858218592186021861218622186321864218652186621867218682186921870218712187221873218742187521876218772187821879218802188121882218832188421885218862188721888218892189021891218922189321894218952189621897218982189921900219012190221903219042190521906219072190821909219102191121912219132191421915219162191721918219192192021921219222192321924219252192621927219282192921930219312193221933219342193521936219372193821939219402194121942219432194421945219462194721948219492195021951219522195321954219552195621957219582195921960219612196221963219642196521966219672196821969219702197121972219732197421975219762197721978219792198021981219822198321984219852198621987219882198921990219912199221993219942199521996219972199821999220002200122002220032200422005220062200722008220092201022011220122201322014220152201622017220182201922020220212202222023220242202522026220272202822029220302203122032220332203422035220362203722038220392204022041220422204322044220452204622047220482204922050220512205222053220542205522056220572205822059220602206122062220632206422065220662206722068220692207022071220722207322074220752207622077220782207922080220812208222083220842208522086220872208822089220902209122092220932209422095220962209722098220992210022101221022210322104221052210622107221082210922110221112211222113221142211522116221172211822119221202212122122221232212422125221262212722128221292213022131221322213322134221352213622137221382213922140221412214222143221442214522146221472214822149221502215122152221532215422155221562215722158221592216022161221622216322164221652216622167221682216922170221712217222173221742217522176221772217822179221802218122182221832218422185221862218722188221892219022191221922219322194221952219622197221982219922200222012220222203222042220522206222072220822209222102221122212222132221422215222162221722218222192222022221222222222322224222252222622227222282222922230222312223222233222342223522236222372223822239222402224122242222432224422245222462224722248222492225022251222522225322254222552225622257222582225922260222612226222263222642226522266222672226822269222702227122272222732227422275222762227722278222792228022281222822228322284222852228622287222882228922290222912229222293222942229522296222972229822299223002230122302223032230422305223062230722308223092231022311223122231322314223152231622317223182231922320223212232222323223242232522326223272232822329223302233122332223332233422335223362233722338223392234022341223422234322344223452234622347223482234922350223512235222353223542235522356223572235822359223602236122362223632236422365223662236722368223692237022371223722237322374223752237622377223782237922380223812238222383223842238522386223872238822389223902239122392223932239422395223962239722398223992240022401224022240322404224052240622407224082240922410224112241222413224142241522416224172241822419224202242122422224232242422425224262242722428224292243022431224322243322434224352243622437224382243922440224412244222443224442244522446224472244822449224502245122452224532245422455224562245722458224592246022461224622246322464224652246622467224682246922470224712247222473224742247522476224772247822479224802248122482224832248422485224862248722488224892249022491224922249322494224952249622497224982249922500225012250222503225042250522506225072250822509225102251122512225132251422515225162251722518225192252022521225222252322524225252252622527225282252922530225312253222533225342253522536225372253822539225402254122542225432254422545225462254722548225492255022551225522255322554225552255622557225582255922560225612256222563225642256522566225672256822569225702257122572225732257422575225762257722578225792258022581225822258322584225852258622587225882258922590225912259222593225942259522596225972259822599226002260122602226032260422605226062260722608226092261022611226122261322614226152261622617226182261922620226212262222623226242262522626226272262822629226302263122632226332263422635226362263722638226392264022641226422264322644226452264622647226482264922650226512265222653226542265522656226572265822659226602266122662226632266422665226662266722668226692267022671226722267322674226752267622677226782267922680226812268222683226842268522686226872268822689226902269122692226932269422695226962269722698226992270022701227022270322704227052270622707227082270922710227112271222713227142271522716227172271822719227202272122722227232272422725227262272722728227292273022731227322273322734227352273622737227382273922740227412274222743227442274522746227472274822749227502275122752227532275422755227562275722758227592276022761227622276322764227652276622767227682276922770227712277222773227742277522776227772277822779227802278122782227832278422785227862278722788227892279022791227922279322794227952279622797227982279922800228012280222803228042280522806228072280822809228102281122812228132281422815228162281722818228192282022821228222282322824228252282622827228282282922830228312283222833228342283522836228372283822839228402284122842228432284422845228462284722848228492285022851228522285322854228552285622857228582285922860228612286222863228642286522866228672286822869228702287122872228732287422875228762287722878228792288022881228822288322884228852288622887228882288922890228912289222893228942289522896228972289822899229002290122902229032290422905229062290722908229092291022911229122291322914229152291622917229182291922920229212292222923229242292522926229272292822929229302293122932229332293422935229362293722938229392294022941229422294322944229452294622947229482294922950229512295222953229542295522956229572295822959229602296122962229632296422965229662296722968229692297022971229722297322974229752297622977229782297922980229812298222983229842298522986229872298822989229902299122992229932299422995229962299722998229992300023001230022300323004230052300623007230082300923010230112301223013230142301523016230172301823019230202302123022230232302423025230262302723028230292303023031230322303323034230352303623037230382303923040230412304223043230442304523046230472304823049230502305123052230532305423055230562305723058230592306023061230622306323064230652306623067230682306923070230712307223073230742307523076230772307823079230802308123082230832308423085230862308723088230892309023091230922309323094230952309623097230982309923100231012310223103231042310523106231072310823109231102311123112231132311423115231162311723118231192312023121231222312323124231252312623127231282312923130231312313223133231342313523136231372313823139231402314123142231432314423145231462314723148231492315023151231522315323154231552315623157231582315923160231612316223163231642316523166231672316823169231702317123172231732317423175231762317723178231792318023181231822318323184231852318623187231882318923190231912319223193231942319523196231972319823199232002320123202232032320423205232062320723208232092321023211232122321323214232152321623217232182321923220232212322223223232242322523226232272322823229232302323123232232332323423235232362323723238232392324023241232422324323244232452324623247232482324923250232512325223253232542325523256232572325823259232602326123262232632326423265232662326723268232692327023271232722327323274232752327623277232782327923280232812328223283232842328523286232872328823289232902329123292232932329423295232962329723298232992330023301233022330323304233052330623307233082330923310233112331223313233142331523316233172331823319233202332123322233232332423325233262332723328233292333023331233322333323334233352333623337233382333923340233412334223343233442334523346233472334823349233502335123352233532335423355233562335723358233592336023361233622336323364233652336623367233682336923370233712337223373233742337523376233772337823379233802338123382233832338423385233862338723388233892339023391233922339323394233952339623397233982339923400234012340223403234042340523406234072340823409234102341123412234132341423415234162341723418234192342023421234222342323424234252342623427234282342923430234312343223433234342343523436234372343823439234402344123442234432344423445234462344723448234492345023451234522345323454234552345623457234582345923460234612346223463234642346523466234672346823469234702347123472234732347423475234762347723478234792348023481234822348323484234852348623487234882348923490234912349223493234942349523496234972349823499235002350123502235032350423505235062350723508235092351023511235122351323514235152351623517235182351923520235212352223523235242352523526235272352823529235302353123532235332353423535235362353723538235392354023541235422354323544235452354623547235482354923550235512355223553235542355523556235572355823559235602356123562235632356423565235662356723568235692357023571235722357323574235752357623577235782357923580235812358223583235842358523586235872358823589235902359123592235932359423595235962359723598235992360023601236022360323604236052360623607236082360923610236112361223613236142361523616236172361823619236202362123622236232362423625236262362723628236292363023631236322363323634236352363623637236382363923640236412364223643236442364523646236472364823649236502365123652236532365423655236562365723658236592366023661236622366323664236652366623667236682366923670236712367223673236742367523676236772367823679236802368123682236832368423685236862368723688236892369023691236922369323694236952369623697236982369923700237012370223703237042370523706237072370823709237102371123712237132371423715237162371723718237192372023721237222372323724237252372623727237282372923730237312373223733237342373523736237372373823739237402374123742237432374423745237462374723748237492375023751237522375323754237552375623757237582375923760237612376223763237642376523766237672376823769237702377123772237732377423775237762377723778237792378023781237822378323784237852378623787237882378923790237912379223793237942379523796237972379823799238002380123802238032380423805238062380723808238092381023811238122381323814238152381623817238182381923820238212382223823238242382523826238272382823829238302383123832238332383423835238362383723838238392384023841238422384323844238452384623847238482384923850238512385223853238542385523856238572385823859238602386123862238632386423865238662386723868238692387023871238722387323874238752387623877238782387923880238812388223883238842388523886238872388823889238902389123892238932389423895238962389723898238992390023901239022390323904239052390623907239082390923910239112391223913239142391523916239172391823919239202392123922239232392423925239262392723928239292393023931239322393323934239352393623937239382393923940239412394223943239442394523946239472394823949239502395123952239532395423955239562395723958239592396023961239622396323964239652396623967239682396923970239712397223973239742397523976239772397823979239802398123982239832398423985239862398723988239892399023991239922399323994239952399623997239982399924000240012400224003240042400524006240072400824009240102401124012240132401424015240162401724018240192402024021240222402324024240252402624027240282402924030240312403224033240342403524036240372403824039240402404124042240432404424045240462404724048240492405024051240522405324054240552405624057240582405924060240612406224063240642406524066240672406824069240702407124072240732407424075240762407724078240792408024081240822408324084240852408624087240882408924090240912409224093240942409524096240972409824099241002410124102241032410424105241062410724108241092411024111241122411324114241152411624117241182411924120241212412224123241242412524126241272412824129241302413124132241332413424135241362413724138241392414024141241422414324144241452414624147241482414924150241512415224153241542415524156241572415824159241602416124162241632416424165241662416724168241692417024171241722417324174241752417624177241782417924180241812418224183241842418524186241872418824189241902419124192241932419424195241962419724198241992420024201242022420324204242052420624207242082420924210242112421224213242142421524216242172421824219242202422124222242232422424225242262422724228242292423024231242322423324234242352423624237242382423924240242412424224243242442424524246242472424824249242502425124252242532425424255242562425724258242592426024261242622426324264242652426624267242682426924270242712427224273242742427524276242772427824279242802428124282242832428424285242862428724288242892429024291242922429324294242952429624297242982429924300243012430224303243042430524306243072430824309243102431124312243132431424315243162431724318243192432024321243222432324324243252432624327243282432924330243312433224333243342433524336243372433824339243402434124342243432434424345243462434724348243492435024351243522435324354243552435624357243582435924360243612436224363243642436524366243672436824369243702437124372243732437424375243762437724378243792438024381243822438324384243852438624387243882438924390243912439224393243942439524396243972439824399244002440124402244032440424405244062440724408244092441024411244122441324414244152441624417244182441924420244212442224423244242442524426244272442824429244302443124432244332443424435244362443724438244392444024441244422444324444244452444624447244482444924450244512445224453244542445524456244572445824459244602446124462244632446424465244662446724468244692447024471244722447324474244752447624477244782447924480244812448224483244842448524486244872448824489244902449124492244932449424495244962449724498244992450024501245022450324504245052450624507245082450924510245112451224513245142451524516245172451824519245202452124522245232452424525245262452724528245292453024531245322453324534245352453624537245382453924540245412454224543245442454524546245472454824549245502455124552245532455424555245562455724558245592456024561245622456324564245652456624567245682456924570245712457224573245742457524576245772457824579245802458124582245832458424585245862458724588245892459024591245922459324594245952459624597245982459924600246012460224603246042460524606246072460824609246102461124612246132461424615246162461724618246192462024621246222462324624246252462624627246282462924630246312463224633246342463524636246372463824639246402464124642246432464424645246462464724648246492465024651246522465324654246552465624657246582465924660246612466224663246642466524666246672466824669246702467124672246732467424675246762467724678246792468024681246822468324684246852468624687246882468924690246912469224693246942469524696246972469824699247002470124702247032470424705247062470724708247092471024711247122471324714247152471624717247182471924720247212472224723247242472524726247272472824729247302473124732247332473424735247362473724738247392474024741247422474324744247452474624747247482474924750247512475224753247542475524756247572475824759247602476124762247632476424765247662476724768247692477024771247722477324774247752477624777247782477924780247812478224783247842478524786247872478824789247902479124792247932479424795247962479724798247992480024801248022480324804248052480624807248082480924810248112481224813248142481524816248172481824819248202482124822248232482424825248262482724828248292483024831248322483324834248352483624837248382483924840248412484224843248442484524846248472484824849248502485124852248532485424855248562485724858248592486024861248622486324864248652486624867248682486924870248712487224873248742487524876248772487824879248802488124882248832488424885248862488724888248892489024891248922489324894248952489624897248982489924900249012490224903249042490524906249072490824909249102491124912249132491424915249162491724918249192492024921249222492324924249252492624927249282492924930249312493224933249342493524936249372493824939249402494124942249432494424945249462494724948249492495024951249522495324954249552495624957249582495924960249612496224963249642496524966249672496824969249702497124972249732497424975249762497724978249792498024981249822498324984249852498624987249882498924990249912499224993249942499524996249972499824999250002500125002250032500425005250062500725008250092501025011250122501325014250152501625017250182501925020250212502225023250242502525026250272502825029250302503125032250332503425035250362503725038250392504025041250422504325044250452504625047250482504925050250512505225053250542505525056250572505825059250602506125062250632506425065250662506725068250692507025071250722507325074250752507625077250782507925080250812508225083250842508525086250872508825089250902509125092250932509425095250962509725098250992510025101251022510325104251052510625107251082510925110251112511225113251142511525116251172511825119251202512125122251232512425125251262512725128251292513025131251322513325134251352513625137251382513925140251412514225143251442514525146251472514825149251502515125152251532515425155251562515725158251592516025161251622516325164251652516625167251682516925170251712517225173251742517525176251772517825179251802518125182251832518425185251862518725188251892519025191251922519325194251952519625197251982519925200252012520225203252042520525206252072520825209252102521125212252132521425215252162521725218252192522025221252222522325224252252522625227252282522925230252312523225233252342523525236252372523825239252402524125242252432524425245252462524725248252492525025251252522525325254252552525625257252582525925260252612526225263252642526525266252672526825269252702527125272252732527425275252762527725278252792528025281252822528325284252852528625287252882528925290252912529225293252942529525296252972529825299253002530125302253032530425305253062530725308253092531025311253122531325314253152531625317253182531925320253212532225323253242532525326253272532825329253302533125332253332533425335253362533725338253392534025341253422534325344253452534625347253482534925350253512535225353253542535525356253572535825359253602536125362253632536425365253662536725368253692537025371253722537325374253752537625377253782537925380253812538225383253842538525386253872538825389253902539125392253932539425395253962539725398253992540025401254022540325404254052540625407254082540925410254112541225413254142541525416254172541825419254202542125422254232542425425254262542725428254292543025431254322543325434254352543625437254382543925440254412544225443254442544525446254472544825449254502545125452254532545425455254562545725458254592546025461254622546325464254652546625467254682546925470254712547225473254742547525476254772547825479254802548125482254832548425485254862548725488254892549025491254922549325494254952549625497254982549925500255012550225503255042550525506255072550825509255102551125512255132551425515255162551725518255192552025521255222552325524255252552625527255282552925530255312553225533255342553525536255372553825539255402554125542255432554425545255462554725548255492555025551255522555325554255552555625557255582555925560255612556225563255642556525566255672556825569255702557125572255732557425575255762557725578255792558025581255822558325584255852558625587255882558925590255912559225593255942559525596255972559825599256002560125602256032560425605256062560725608256092561025611256122561325614256152561625617256182561925620256212562225623256242562525626256272562825629256302563125632256332563425635256362563725638256392564025641256422564325644256452564625647256482564925650256512565225653256542565525656256572565825659256602566125662256632566425665256662566725668256692567025671256722567325674256752567625677256782567925680256812568225683256842568525686256872568825689256902569125692256932569425695256962569725698256992570025701257022570325704257052570625707257082570925710257112571225713257142571525716257172571825719257202572125722257232572425725257262572725728257292573025731257322573325734257352573625737257382573925740257412574225743257442574525746257472574825749257502575125752257532575425755257562575725758257592576025761257622576325764257652576625767257682576925770257712577225773257742577525776257772577825779257802578125782257832578425785257862578725788257892579025791257922579325794257952579625797257982579925800258012580225803258042580525806258072580825809258102581125812258132581425815258162581725818258192582025821258222582325824258252582625827258282582925830258312583225833258342583525836258372583825839258402584125842258432584425845258462584725848258492585025851258522585325854258552585625857258582585925860258612586225863258642586525866258672586825869258702587125872258732587425875258762587725878258792588025881258822588325884258852588625887258882588925890258912589225893258942589525896258972589825899259002590125902259032590425905259062590725908259092591025911259122591325914259152591625917259182591925920259212592225923259242592525926259272592825929259302593125932259332593425935259362593725938259392594025941259422594325944259452594625947259482594925950259512595225953259542595525956259572595825959259602596125962259632596425965259662596725968259692597025971259722597325974259752597625977259782597925980259812598225983259842598525986259872598825989259902599125992259932599425995259962599725998259992600026001260022600326004260052600626007260082600926010260112601226013260142601526016260172601826019260202602126022260232602426025260262602726028260292603026031260322603326034260352603626037260382603926040260412604226043260442604526046260472604826049260502605126052260532605426055260562605726058260592606026061260622606326064260652606626067260682606926070260712607226073260742607526076260772607826079260802608126082260832608426085260862608726088260892609026091260922609326094260952609626097260982609926100261012610226103261042610526106261072610826109261102611126112261132611426115261162611726118261192612026121261222612326124261252612626127261282612926130261312613226133261342613526136261372613826139261402614126142261432614426145261462614726148261492615026151261522615326154261552615626157261582615926160261612616226163261642616526166261672616826169261702617126172261732617426175261762617726178261792618026181261822618326184261852618626187261882618926190261912619226193261942619526196261972619826199262002620126202262032620426205262062620726208262092621026211262122621326214262152621626217262182621926220262212622226223262242622526226262272622826229262302623126232262332623426235262362623726238262392624026241262422624326244262452624626247262482624926250262512625226253262542625526256262572625826259262602626126262262632626426265262662626726268262692627026271262722627326274262752627626277262782627926280262812628226283262842628526286262872628826289262902629126292262932629426295262962629726298262992630026301263022630326304263052630626307263082630926310263112631226313263142631526316263172631826319263202632126322263232632426325263262632726328263292633026331263322633326334263352633626337263382633926340263412634226343263442634526346263472634826349263502635126352263532635426355263562635726358263592636026361263622636326364263652636626367263682636926370263712637226373263742637526376263772637826379263802638126382263832638426385263862638726388263892639026391263922639326394263952639626397263982639926400264012640226403264042640526406264072640826409264102641126412264132641426415264162641726418264192642026421264222642326424264252642626427264282642926430264312643226433264342643526436264372643826439264402644126442264432644426445264462644726448264492645026451264522645326454264552645626457264582645926460264612646226463264642646526466264672646826469264702647126472264732647426475264762647726478264792648026481264822648326484264852648626487264882648926490264912649226493264942649526496264972649826499265002650126502265032650426505265062650726508265092651026511265122651326514265152651626517265182651926520265212652226523265242652526526265272652826529265302653126532265332653426535265362653726538265392654026541265422654326544265452654626547265482654926550265512655226553265542655526556265572655826559265602656126562265632656426565265662656726568265692657026571265722657326574265752657626577265782657926580265812658226583265842658526586265872658826589265902659126592265932659426595265962659726598265992660026601266022660326604266052660626607266082660926610266112661226613266142661526616266172661826619266202662126622266232662426625266262662726628266292663026631266322663326634266352663626637266382663926640266412664226643266442664526646266472664826649266502665126652266532665426655266562665726658266592666026661266622666326664266652666626667266682666926670266712667226673266742667526676266772667826679266802668126682266832668426685266862668726688266892669026691266922669326694266952669626697266982669926700267012670226703267042670526706267072670826709267102671126712267132671426715267162671726718267192672026721267222672326724267252672626727267282672926730267312673226733267342673526736267372673826739267402674126742267432674426745267462674726748267492675026751267522675326754267552675626757267582675926760267612676226763267642676526766267672676826769267702677126772267732677426775267762677726778267792678026781267822678326784267852678626787267882678926790267912679226793267942679526796267972679826799268002680126802268032680426805268062680726808268092681026811268122681326814268152681626817268182681926820268212682226823268242682526826268272682826829268302683126832268332683426835268362683726838268392684026841268422684326844268452684626847268482684926850268512685226853268542685526856268572685826859268602686126862268632686426865268662686726868268692687026871268722687326874268752687626877268782687926880268812688226883268842688526886268872688826889268902689126892268932689426895268962689726898268992690026901269022690326904269052690626907269082690926910269112691226913269142691526916269172691826919269202692126922269232692426925269262692726928269292693026931269322693326934269352693626937269382693926940269412694226943269442694526946269472694826949269502695126952269532695426955269562695726958269592696026961269622696326964269652696626967269682696926970269712697226973269742697526976269772697826979269802698126982269832698426985269862698726988269892699026991269922699326994269952699626997269982699927000270012700227003270042700527006270072700827009270102701127012270132701427015270162701727018270192702027021270222702327024270252702627027270282702927030270312703227033270342703527036270372703827039270402704127042270432704427045270462704727048270492705027051270522705327054270552705627057270582705927060270612706227063270642706527066270672706827069270702707127072270732707427075270762707727078270792708027081270822708327084270852708627087270882708927090270912709227093270942709527096270972709827099271002710127102271032710427105271062710727108271092711027111271122711327114271152711627117271182711927120271212712227123271242712527126271272712827129271302713127132271332713427135271362713727138271392714027141271422714327144271452714627147271482714927150271512715227153271542715527156271572715827159271602716127162271632716427165271662716727168271692717027171271722717327174271752717627177271782717927180271812718227183271842718527186271872718827189271902719127192271932719427195271962719727198271992720027201272022720327204272052720627207272082720927210272112721227213272142721527216272172721827219272202722127222272232722427225272262722727228272292723027231272322723327234272352723627237272382723927240272412724227243272442724527246272472724827249272502725127252272532725427255272562725727258272592726027261272622726327264272652726627267272682726927270272712727227273272742727527276272772727827279272802728127282272832728427285272862728727288272892729027291272922729327294272952729627297272982729927300273012730227303273042730527306273072730827309273102731127312273132731427315273162731727318273192732027321273222732327324273252732627327273282732927330273312733227333273342733527336273372733827339273402734127342273432734427345273462734727348273492735027351273522735327354273552735627357273582735927360273612736227363273642736527366273672736827369273702737127372273732737427375273762737727378273792738027381273822738327384273852738627387273882738927390273912739227393273942739527396273972739827399274002740127402274032740427405274062740727408274092741027411274122741327414274152741627417274182741927420274212742227423274242742527426274272742827429274302743127432274332743427435274362743727438274392744027441274422744327444274452744627447274482744927450274512745227453274542745527456274572745827459274602746127462274632746427465274662746727468274692747027471274722747327474274752747627477274782747927480274812748227483274842748527486274872748827489274902749127492274932749427495274962749727498274992750027501275022750327504275052750627507275082750927510275112751227513275142751527516275172751827519275202752127522275232752427525275262752727528275292753027531275322753327534275352753627537275382753927540275412754227543275442754527546275472754827549275502755127552275532755427555275562755727558275592756027561275622756327564275652756627567275682756927570275712757227573275742757527576275772757827579275802758127582275832758427585275862758727588275892759027591275922759327594275952759627597275982759927600276012760227603276042760527606276072760827609276102761127612276132761427615276162761727618276192762027621276222762327624276252762627627276282762927630276312763227633276342763527636276372763827639276402764127642276432764427645276462764727648276492765027651276522765327654276552765627657276582765927660276612766227663276642766527666276672766827669276702767127672276732767427675276762767727678276792768027681276822768327684276852768627687276882768927690276912769227693276942769527696276972769827699277002770127702277032770427705277062770727708277092771027711277122771327714277152771627717277182771927720277212772227723277242772527726277272772827729277302773127732277332773427735277362773727738277392774027741277422774327744277452774627747277482774927750277512775227753277542775527756277572775827759277602776127762277632776427765277662776727768277692777027771277722777327774277752777627777277782777927780277812778227783277842778527786277872778827789277902779127792277932779427795277962779727798277992780027801278022780327804278052780627807278082780927810278112781227813278142781527816278172781827819278202782127822278232782427825278262782727828278292783027831278322783327834278352783627837278382783927840278412784227843278442784527846278472784827849278502785127852278532785427855278562785727858278592786027861278622786327864278652786627867278682786927870278712787227873278742787527876278772787827879278802788127882278832788427885278862788727888278892789027891278922789327894278952789627897278982789927900279012790227903279042790527906279072790827909279102791127912279132791427915279162791727918279192792027921279222792327924279252792627927279282792927930279312793227933279342793527936279372793827939279402794127942279432794427945279462794727948279492795027951279522795327954279552795627957279582795927960279612796227963279642796527966279672796827969279702797127972279732797427975279762797727978279792798027981279822798327984279852798627987279882798927990279912799227993279942799527996279972799827999280002800128002280032800428005280062800728008280092801028011280122801328014280152801628017280182801928020280212802228023280242802528026280272802828029280302803128032280332803428035280362803728038280392804028041280422804328044280452804628047280482804928050280512805228053280542805528056280572805828059280602806128062280632806428065280662806728068280692807028071280722807328074280752807628077280782807928080280812808228083280842808528086280872808828089280902809128092280932809428095280962809728098280992810028101281022810328104281052810628107281082810928110281112811228113281142811528116281172811828119281202812128122281232812428125281262812728128281292813028131281322813328134281352813628137281382813928140281412814228143281442814528146281472814828149281502815128152281532815428155281562815728158281592816028161281622816328164281652816628167281682816928170281712817228173281742817528176281772817828179281802818128182281832818428185281862818728188281892819028191281922819328194281952819628197281982819928200282012820228203282042820528206282072820828209282102821128212282132821428215282162821728218282192822028221282222822328224282252822628227282282822928230282312823228233282342823528236282372823828239282402824128242282432824428245282462824728248282492825028251282522825328254282552825628257282582825928260282612826228263282642826528266282672826828269282702827128272282732827428275282762827728278282792828028281282822828328284282852828628287282882828928290282912829228293282942829528296282972829828299283002830128302283032830428305283062830728308283092831028311283122831328314283152831628317283182831928320283212832228323283242832528326283272832828329283302833128332283332833428335283362833728338283392834028341283422834328344283452834628347283482834928350283512835228353283542835528356283572835828359283602836128362283632836428365283662836728368283692837028371283722837328374283752837628377283782837928380283812838228383283842838528386283872838828389283902839128392283932839428395283962839728398283992840028401284022840328404284052840628407284082840928410284112841228413284142841528416284172841828419284202842128422284232842428425284262842728428284292843028431284322843328434284352843628437284382843928440284412844228443284442844528446284472844828449284502845128452284532845428455284562845728458284592846028461284622846328464284652846628467284682846928470284712847228473284742847528476284772847828479284802848128482284832848428485284862848728488284892849028491284922849328494284952849628497284982849928500285012850228503285042850528506285072850828509285102851128512285132851428515285162851728518285192852028521285222852328524285252852628527285282852928530285312853228533285342853528536285372853828539285402854128542285432854428545285462854728548285492855028551285522855328554285552855628557285582855928560285612856228563285642856528566285672856828569285702857128572285732857428575285762857728578285792858028581285822858328584285852858628587285882858928590285912859228593285942859528596285972859828599286002860128602286032860428605286062860728608286092861028611286122861328614286152861628617286182861928620286212862228623286242862528626286272862828629286302863128632286332863428635286362863728638286392864028641286422864328644286452864628647286482864928650286512865228653286542865528656286572865828659286602866128662286632866428665286662866728668286692867028671286722867328674286752867628677286782867928680286812868228683286842868528686286872868828689286902869128692286932869428695286962869728698286992870028701287022870328704287052870628707287082870928710287112871228713287142871528716287172871828719287202872128722287232872428725287262872728728287292873028731287322873328734287352873628737287382873928740287412874228743287442874528746287472874828749287502875128752287532875428755287562875728758287592876028761287622876328764287652876628767287682876928770287712877228773287742877528776287772877828779287802878128782287832878428785287862878728788287892879028791287922879328794287952879628797287982879928800288012880228803288042880528806288072880828809288102881128812288132881428815288162881728818288192882028821288222882328824288252882628827288282882928830288312883228833288342883528836288372883828839288402884128842288432884428845288462884728848288492885028851288522885328854288552885628857288582885928860288612886228863288642886528866288672886828869288702887128872288732887428875288762887728878288792888028881288822888328884288852888628887288882888928890288912889228893288942889528896288972889828899289002890128902289032890428905289062890728908289092891028911289122891328914289152891628917289182891928920289212892228923289242892528926289272892828929289302893128932289332893428935289362893728938289392894028941289422894328944289452894628947289482894928950289512895228953289542895528956289572895828959289602896128962289632896428965289662896728968289692897028971289722897328974289752897628977289782897928980289812898228983289842898528986289872898828989289902899128992289932899428995289962899728998289992900029001290022900329004290052900629007290082900929010290112901229013290142901529016290172901829019290202902129022290232902429025290262902729028290292903029031290322903329034290352903629037290382903929040290412904229043290442904529046290472904829049290502905129052290532905429055290562905729058290592906029061290622906329064290652906629067290682906929070290712907229073290742907529076290772907829079290802908129082290832908429085290862908729088290892909029091290922909329094290952909629097290982909929100291012910229103291042910529106291072910829109291102911129112291132911429115291162911729118291192912029121291222912329124291252912629127291282912929130291312913229133291342913529136291372913829139291402914129142291432914429145291462914729148291492915029151291522915329154291552915629157291582915929160291612916229163291642916529166291672916829169291702917129172291732917429175291762917729178291792918029181291822918329184291852918629187291882918929190291912919229193291942919529196291972919829199292002920129202292032920429205292062920729208292092921029211292122921329214292152921629217292182921929220292212922229223292242922529226292272922829229292302923129232292332923429235292362923729238292392924029241292422924329244292452924629247292482924929250292512925229253292542925529256292572925829259292602926129262292632926429265292662926729268292692927029271292722927329274292752927629277292782927929280292812928229283292842928529286292872928829289292902929129292292932929429295292962929729298292992930029301293022930329304293052930629307293082930929310293112931229313293142931529316293172931829319293202932129322293232932429325293262932729328293292933029331293322933329334293352933629337293382933929340293412934229343293442934529346293472934829349293502935129352293532935429355293562935729358293592936029361293622936329364293652936629367293682936929370293712937229373293742937529376293772937829379293802938129382293832938429385293862938729388293892939029391293922939329394293952939629397293982939929400294012940229403294042940529406294072940829409294102941129412294132941429415294162941729418294192942029421294222942329424294252942629427294282942929430294312943229433294342943529436294372943829439294402944129442294432944429445294462944729448294492945029451294522945329454294552945629457294582945929460294612946229463294642946529466294672946829469294702947129472294732947429475294762947729478294792948029481294822948329484294852948629487294882948929490294912949229493294942949529496294972949829499295002950129502295032950429505295062950729508295092951029511295122951329514295152951629517295182951929520295212952229523295242952529526295272952829529295302953129532295332953429535295362953729538295392954029541295422954329544295452954629547295482954929550295512955229553295542955529556295572955829559295602956129562295632956429565295662956729568295692957029571295722957329574295752957629577295782957929580295812958229583295842958529586295872958829589295902959129592295932959429595295962959729598295992960029601296022960329604296052960629607296082960929610296112961229613296142961529616296172961829619296202962129622296232962429625296262962729628296292963029631296322963329634296352963629637296382963929640296412964229643296442964529646296472964829649296502965129652296532965429655296562965729658296592966029661296622966329664296652966629667296682966929670296712967229673296742967529676296772967829679296802968129682296832968429685296862968729688296892969029691296922969329694296952969629697296982969929700297012970229703297042970529706297072970829709297102971129712297132971429715297162971729718297192972029721297222972329724297252972629727297282972929730297312973229733297342973529736297372973829739297402974129742297432974429745297462974729748297492975029751297522975329754297552975629757297582975929760297612976229763297642976529766297672976829769297702977129772297732977429775297762977729778297792978029781297822978329784297852978629787297882978929790297912979229793297942979529796297972979829799298002980129802298032980429805298062980729808298092981029811298122981329814298152981629817298182981929820298212982229823298242982529826298272982829829298302983129832298332983429835298362983729838298392984029841298422984329844298452984629847298482984929850298512985229853298542985529856298572985829859298602986129862298632986429865298662986729868298692987029871298722987329874298752987629877298782987929880298812988229883298842988529886298872988829889298902989129892298932989429895298962989729898298992990029901299022990329904299052990629907299082990929910299112991229913299142991529916299172991829919299202992129922299232992429925299262992729928299292993029931299322993329934299352993629937299382993929940299412994229943299442994529946299472994829949299502995129952299532995429955299562995729958299592996029961299622996329964299652996629967299682996929970299712997229973299742997529976299772997829979299802998129982299832998429985299862998729988299892999029991299922999329994299952999629997299982999930000300013000230003300043000530006300073000830009300103001130012300133001430015300163001730018300193002030021300223002330024300253002630027300283002930030300313003230033300343003530036300373003830039300403004130042300433004430045300463004730048300493005030051300523005330054300553005630057300583005930060300613006230063300643006530066300673006830069300703007130072300733007430075300763007730078300793008030081300823008330084300853008630087300883008930090300913009230093300943009530096300973009830099301003010130102301033010430105301063010730108301093011030111301123011330114301153011630117301183011930120301213012230123301243012530126301273012830129301303013130132301333013430135301363013730138301393014030141301423014330144301453014630147301483014930150301513015230153301543015530156301573015830159301603016130162301633016430165301663016730168301693017030171301723017330174301753017630177301783017930180301813018230183301843018530186301873018830189301903019130192301933019430195301963019730198301993020030201302023020330204302053020630207302083020930210302113021230213302143021530216302173021830219302203022130222302233022430225302263022730228302293023030231302323023330234302353023630237302383023930240302413024230243302443024530246302473024830249302503025130252302533025430255302563025730258302593026030261302623026330264302653026630267302683026930270302713027230273302743027530276302773027830279302803028130282302833028430285302863028730288302893029030291302923029330294302953029630297302983029930300303013030230303303043030530306303073030830309303103031130312303133031430315303163031730318303193032030321303223032330324303253032630327303283032930330303313033230333303343033530336303373033830339303403034130342303433034430345303463034730348303493035030351303523035330354303553035630357303583035930360303613036230363303643036530366303673036830369303703037130372303733037430375303763037730378303793038030381303823038330384303853038630387303883038930390303913039230393303943039530396303973039830399304003040130402304033040430405304063040730408304093041030411304123041330414304153041630417304183041930420304213042230423304243042530426304273042830429304303043130432304333043430435304363043730438304393044030441304423044330444304453044630447304483044930450304513045230453304543045530456304573045830459304603046130462304633046430465304663046730468304693047030471304723047330474304753047630477304783047930480304813048230483304843048530486304873048830489304903049130492304933049430495304963049730498304993050030501305023050330504305053050630507305083050930510305113051230513305143051530516305173051830519305203052130522305233052430525305263052730528305293053030531305323053330534305353053630537305383053930540305413054230543305443054530546305473054830549305503055130552305533055430555305563055730558305593056030561305623056330564305653056630567305683056930570305713057230573305743057530576305773057830579305803058130582305833058430585305863058730588305893059030591305923059330594305953059630597305983059930600306013060230603306043060530606306073060830609306103061130612306133061430615306163061730618306193062030621306223062330624306253062630627306283062930630306313063230633306343063530636306373063830639306403064130642306433064430645306463064730648306493065030651306523065330654306553065630657306583065930660306613066230663306643066530666306673066830669306703067130672306733067430675306763067730678306793068030681306823068330684306853068630687306883068930690306913069230693306943069530696306973069830699307003070130702307033070430705307063070730708307093071030711307123071330714307153071630717307183071930720307213072230723307243072530726307273072830729307303073130732307333073430735307363073730738307393074030741307423074330744307453074630747307483074930750307513075230753307543075530756307573075830759307603076130762307633076430765307663076730768307693077030771307723077330774307753077630777307783077930780307813078230783307843078530786307873078830789307903079130792307933079430795307963079730798307993080030801308023080330804308053080630807308083080930810308113081230813308143081530816308173081830819308203082130822308233082430825308263082730828308293083030831308323083330834308353083630837308383083930840308413084230843308443084530846308473084830849308503085130852308533085430855308563085730858308593086030861308623086330864308653086630867308683086930870308713087230873308743087530876308773087830879308803088130882
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. default: Ignore
  118. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  119. enum:
  120. - Ignore
  121. - Fail
  122. type: string
  123. property:
  124. description: Used to select a specific property of the Provider value (if a map), if supported
  125. type: string
  126. version:
  127. description: Used to select a specific version of the Provider value, if supported
  128. type: string
  129. required:
  130. - key
  131. type: object
  132. secretKey:
  133. description: The key in the Kubernetes Secret to store the value.
  134. maxLength: 253
  135. minLength: 1
  136. pattern: ^[-._a-zA-Z0-9]+$
  137. type: string
  138. sourceRef:
  139. description: |-
  140. SourceRef allows you to override the source
  141. from which the value will be pulled.
  142. maxProperties: 1
  143. minProperties: 1
  144. properties:
  145. generatorRef:
  146. description: |-
  147. GeneratorRef points to a generator custom resource.
  148. Deprecated: The generatorRef is not implemented in .data[].
  149. this will be removed with v1.
  150. properties:
  151. apiVersion:
  152. default: generators.external-secrets.io/v1alpha1
  153. description: Specify the apiVersion of the generator resource
  154. type: string
  155. kind:
  156. description: Specify the Kind of the generator resource
  157. enum:
  158. - ACRAccessToken
  159. - BeyondtrustWorkloadCredentialsDynamicSecret
  160. - ClusterGenerator
  161. - CloudsmithAccessToken
  162. - ECRAuthorizationToken
  163. - Fake
  164. - GCRAccessToken
  165. - GithubAccessToken
  166. - QuayAccessToken
  167. - Password
  168. - SSHKey
  169. - STSSessionToken
  170. - UUID
  171. - VaultDynamicSecret
  172. - Webhook
  173. - Grafana
  174. - MFA
  175. type: string
  176. name:
  177. description: Specify the name of the generator resource
  178. maxLength: 253
  179. minLength: 1
  180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  181. type: string
  182. required:
  183. - kind
  184. - name
  185. type: object
  186. storeRef:
  187. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  188. properties:
  189. kind:
  190. description: |-
  191. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  192. Defaults to `SecretStore`
  193. enum:
  194. - SecretStore
  195. - ClusterSecretStore
  196. type: string
  197. name:
  198. description: Name of the SecretStore resource
  199. maxLength: 253
  200. minLength: 1
  201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  202. type: string
  203. type: object
  204. type: object
  205. required:
  206. - remoteRef
  207. - secretKey
  208. type: object
  209. type: array
  210. dataFrom:
  211. description: |-
  212. DataFrom is used to fetch all properties from a specific Provider data
  213. If multiple entries are specified, the Secret keys are merged in the specified order
  214. items:
  215. description: |-
  216. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  217. when using DataFrom to fetch multiple values from a Provider.
  218. properties:
  219. extract:
  220. description: |-
  221. Used to extract multiple key/value pairs from one secret
  222. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  223. properties:
  224. conversionStrategy:
  225. default: Default
  226. description: Used to define a conversion Strategy
  227. enum:
  228. - Default
  229. - Unicode
  230. type: string
  231. decodingStrategy:
  232. default: None
  233. description: Used to define a decoding Strategy
  234. enum:
  235. - Auto
  236. - Base64
  237. - Base64URL
  238. - None
  239. type: string
  240. key:
  241. description: Key is the key used in the Provider, mandatory
  242. type: string
  243. metadataPolicy:
  244. default: None
  245. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  246. enum:
  247. - None
  248. - Fetch
  249. type: string
  250. nullBytePolicy:
  251. default: Ignore
  252. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  253. enum:
  254. - Ignore
  255. - Fail
  256. type: string
  257. property:
  258. description: Used to select a specific property of the Provider value (if a map), if supported
  259. type: string
  260. version:
  261. description: Used to select a specific version of the Provider value, if supported
  262. type: string
  263. required:
  264. - key
  265. type: object
  266. find:
  267. description: |-
  268. Used to find secrets based on tags or regular expressions
  269. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  270. properties:
  271. conversionStrategy:
  272. default: Default
  273. description: Used to define a conversion Strategy
  274. enum:
  275. - Default
  276. - Unicode
  277. type: string
  278. decodingStrategy:
  279. default: None
  280. description: Used to define a decoding Strategy
  281. enum:
  282. - Auto
  283. - Base64
  284. - Base64URL
  285. - None
  286. type: string
  287. name:
  288. description: Finds secrets based on the name.
  289. properties:
  290. regexp:
  291. description: Finds secrets base
  292. type: string
  293. type: object
  294. nullBytePolicy:
  295. default: Ignore
  296. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  297. enum:
  298. - Ignore
  299. - Fail
  300. type: string
  301. path:
  302. description: A root path to start the find operations.
  303. type: string
  304. tags:
  305. additionalProperties:
  306. type: string
  307. description: Find secrets based on tags.
  308. type: object
  309. type: object
  310. rewrite:
  311. description: |-
  312. Used to rewrite secret Keys after getting them from the secret Provider
  313. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  314. items:
  315. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  316. maxProperties: 1
  317. minProperties: 1
  318. properties:
  319. merge:
  320. description: |-
  321. Used to merge key/values in one single Secret
  322. The resulting key will contain all values from the specified secrets
  323. properties:
  324. conflictPolicy:
  325. default: Error
  326. description: Used to define the policy to use in conflict resolution.
  327. enum:
  328. - Ignore
  329. - Error
  330. type: string
  331. into:
  332. default: ""
  333. description: |-
  334. Used to define the target key of the merge operation.
  335. Required if strategy is JSON. Ignored otherwise.
  336. type: string
  337. priority:
  338. description: Used to define key priority in conflict resolution.
  339. items:
  340. type: string
  341. type: array
  342. priorityPolicy:
  343. default: Strict
  344. description: Used to define the policy when a key in the priority list does not exist in the input.
  345. enum:
  346. - IgnoreNotFound
  347. - Strict
  348. type: string
  349. strategy:
  350. default: Extract
  351. description: Used to define the strategy to use in the merge operation.
  352. enum:
  353. - Extract
  354. - JSON
  355. type: string
  356. type: object
  357. regexp:
  358. description: |-
  359. Used to rewrite with regular expressions.
  360. The resulting key will be the output of a regexp.ReplaceAll operation.
  361. properties:
  362. source:
  363. description: Used to define the regular expression of a re.Compiler.
  364. type: string
  365. target:
  366. description: Used to define the target pattern of a ReplaceAll operation.
  367. type: string
  368. required:
  369. - source
  370. - target
  371. type: object
  372. transform:
  373. description: |-
  374. Used to apply string transformation on the secrets.
  375. The resulting key will be the output of the template applied by the operation.
  376. properties:
  377. template:
  378. description: |-
  379. Used to define the template to apply on the secret name.
  380. `.value ` will specify the secret name in the template.
  381. type: string
  382. required:
  383. - template
  384. type: object
  385. type: object
  386. type: array
  387. sourceRef:
  388. description: |-
  389. SourceRef points to a store or generator
  390. which contains secret values ready to use.
  391. Use this in combination with Extract or Find pull values out of
  392. a specific SecretStore.
  393. When sourceRef points to a generator Extract or Find is not supported.
  394. The generator returns a static map of values
  395. maxProperties: 1
  396. minProperties: 1
  397. properties:
  398. generatorRef:
  399. description: GeneratorRef points to a generator custom resource.
  400. properties:
  401. apiVersion:
  402. default: generators.external-secrets.io/v1alpha1
  403. description: Specify the apiVersion of the generator resource
  404. type: string
  405. kind:
  406. description: Specify the Kind of the generator resource
  407. enum:
  408. - ACRAccessToken
  409. - BeyondtrustWorkloadCredentialsDynamicSecret
  410. - ClusterGenerator
  411. - CloudsmithAccessToken
  412. - ECRAuthorizationToken
  413. - Fake
  414. - GCRAccessToken
  415. - GithubAccessToken
  416. - QuayAccessToken
  417. - Password
  418. - SSHKey
  419. - STSSessionToken
  420. - UUID
  421. - VaultDynamicSecret
  422. - Webhook
  423. - Grafana
  424. - MFA
  425. type: string
  426. name:
  427. description: Specify the name of the generator resource
  428. maxLength: 253
  429. minLength: 1
  430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  431. type: string
  432. required:
  433. - kind
  434. - name
  435. type: object
  436. storeRef:
  437. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  438. properties:
  439. kind:
  440. description: |-
  441. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  442. Defaults to `SecretStore`
  443. enum:
  444. - SecretStore
  445. - ClusterSecretStore
  446. type: string
  447. name:
  448. description: Name of the SecretStore resource
  449. maxLength: 253
  450. minLength: 1
  451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  452. type: string
  453. type: object
  454. type: object
  455. type: object
  456. type: array
  457. refreshInterval:
  458. default: 1h0m0s
  459. description: |-
  460. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  461. specified as Golang Duration strings.
  462. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  463. Example values: "1h0m0s", "2h30m0s", "10m0s"
  464. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  465. type: string
  466. refreshPolicy:
  467. description: |-
  468. RefreshPolicy determines how the ExternalSecret should be refreshed:
  469. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  470. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  471. No periodic updates occur if refreshInterval is 0.
  472. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  473. enum:
  474. - CreatedOnce
  475. - Periodic
  476. - OnChange
  477. type: string
  478. secretStoreRef:
  479. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  480. properties:
  481. kind:
  482. description: |-
  483. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  484. Defaults to `SecretStore`
  485. enum:
  486. - SecretStore
  487. - ClusterSecretStore
  488. type: string
  489. name:
  490. description: Name of the SecretStore resource
  491. maxLength: 253
  492. minLength: 1
  493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  494. type: string
  495. type: object
  496. target:
  497. default:
  498. creationPolicy: Owner
  499. deletionPolicy: Retain
  500. description: |-
  501. ExternalSecretTarget defines the Kubernetes Secret to be created,
  502. there can be only one target per ExternalSecret.
  503. properties:
  504. creationPolicy:
  505. default: Owner
  506. description: |-
  507. CreationPolicy defines rules on how to create the resulting Secret.
  508. Defaults to "Owner"
  509. enum:
  510. - Owner
  511. - Orphan
  512. - Merge
  513. - None
  514. type: string
  515. deletionPolicy:
  516. default: Retain
  517. description: |-
  518. DeletionPolicy defines rules on how to delete the resulting Secret.
  519. Defaults to "Retain"
  520. enum:
  521. - Delete
  522. - Merge
  523. - Retain
  524. type: string
  525. immutable:
  526. description: Immutable defines if the final secret will be immutable
  527. type: boolean
  528. manifest:
  529. description: |-
  530. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  531. When specified, ExternalSecret will create the resource type defined here
  532. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  533. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  534. properties:
  535. apiVersion:
  536. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  537. minLength: 1
  538. type: string
  539. kind:
  540. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  541. minLength: 1
  542. type: string
  543. required:
  544. - apiVersion
  545. - kind
  546. type: object
  547. name:
  548. description: |-
  549. The name of the Secret resource to be managed.
  550. Defaults to the .metadata.name of the ExternalSecret resource
  551. maxLength: 253
  552. minLength: 1
  553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  554. type: string
  555. template:
  556. description: Template defines a blueprint for the created Secret resource.
  557. properties:
  558. data:
  559. additionalProperties:
  560. type: string
  561. type: object
  562. engineVersion:
  563. default: v2
  564. description: |-
  565. EngineVersion specifies the template engine version
  566. that should be used to compile/execute the
  567. template specified in .data and .templateFrom[].
  568. enum:
  569. - v2
  570. type: string
  571. mergePolicy:
  572. default: Replace
  573. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  574. enum:
  575. - Replace
  576. - Merge
  577. type: string
  578. metadata:
  579. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  580. properties:
  581. annotations:
  582. additionalProperties:
  583. type: string
  584. type: object
  585. finalizers:
  586. items:
  587. type: string
  588. type: array
  589. labels:
  590. additionalProperties:
  591. type: string
  592. type: object
  593. type: object
  594. templateFrom:
  595. items:
  596. description: |-
  597. TemplateFrom specifies a source for templates.
  598. Each item in the list can either reference a ConfigMap or a Secret resource.
  599. properties:
  600. configMap:
  601. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  602. properties:
  603. items:
  604. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  605. items:
  606. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  607. properties:
  608. key:
  609. description: A key in the ConfigMap/Secret
  610. maxLength: 253
  611. minLength: 1
  612. pattern: ^[-._a-zA-Z0-9]+$
  613. type: string
  614. templateAs:
  615. default: Values
  616. description: TemplateScope specifies how the template keys should be interpreted.
  617. enum:
  618. - Values
  619. - KeysAndValues
  620. type: string
  621. required:
  622. - key
  623. type: object
  624. type: array
  625. name:
  626. description: The name of the ConfigMap/Secret resource
  627. maxLength: 253
  628. minLength: 1
  629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  630. type: string
  631. required:
  632. - items
  633. - name
  634. type: object
  635. literal:
  636. type: string
  637. secret:
  638. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  639. properties:
  640. items:
  641. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  642. items:
  643. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  644. properties:
  645. key:
  646. description: A key in the ConfigMap/Secret
  647. maxLength: 253
  648. minLength: 1
  649. pattern: ^[-._a-zA-Z0-9]+$
  650. type: string
  651. templateAs:
  652. default: Values
  653. description: TemplateScope specifies how the template keys should be interpreted.
  654. enum:
  655. - Values
  656. - KeysAndValues
  657. type: string
  658. required:
  659. - key
  660. type: object
  661. type: array
  662. name:
  663. description: The name of the ConfigMap/Secret resource
  664. maxLength: 253
  665. minLength: 1
  666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  667. type: string
  668. required:
  669. - items
  670. - name
  671. type: object
  672. target:
  673. default: Data
  674. description: |-
  675. Target specifies where to place the template result.
  676. For Secret resources, common values are: "Data", "Annotations", "Labels".
  677. For custom resources (when spec.target.manifest is set), this supports
  678. nested paths like "spec.database.config" or "data".
  679. type: string
  680. type: object
  681. type: array
  682. type:
  683. type: string
  684. type: object
  685. type: object
  686. type: object
  687. namespaceSelector:
  688. description: |-
  689. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  690. Deprecated: Use NamespaceSelectors instead.
  691. properties:
  692. matchExpressions:
  693. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  694. items:
  695. description: |-
  696. A label selector requirement is a selector that contains values, a key, and an operator that
  697. relates the key and values.
  698. properties:
  699. key:
  700. description: key is the label key that the selector applies to.
  701. type: string
  702. operator:
  703. description: |-
  704. operator represents a key's relationship to a set of values.
  705. Valid operators are In, NotIn, Exists and DoesNotExist.
  706. type: string
  707. values:
  708. description: |-
  709. values is an array of string values. If the operator is In or NotIn,
  710. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  711. the values array must be empty. This array is replaced during a strategic
  712. merge patch.
  713. items:
  714. type: string
  715. type: array
  716. x-kubernetes-list-type: atomic
  717. required:
  718. - key
  719. - operator
  720. type: object
  721. type: array
  722. x-kubernetes-list-type: atomic
  723. matchLabels:
  724. additionalProperties:
  725. type: string
  726. description: |-
  727. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  728. map is equivalent to an element of matchExpressions, whose key field is "key", the
  729. operator is "In", and the values array contains only "value". The requirements are ANDed.
  730. type: object
  731. type: object
  732. x-kubernetes-map-type: atomic
  733. namespaceSelectors:
  734. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  735. items:
  736. description: |-
  737. A label selector is a label query over a set of resources. The result of matchLabels and
  738. matchExpressions are ANDed. An empty label selector matches all objects. A null
  739. label selector matches no objects.
  740. properties:
  741. matchExpressions:
  742. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  743. items:
  744. description: |-
  745. A label selector requirement is a selector that contains values, a key, and an operator that
  746. relates the key and values.
  747. properties:
  748. key:
  749. description: key is the label key that the selector applies to.
  750. type: string
  751. operator:
  752. description: |-
  753. operator represents a key's relationship to a set of values.
  754. Valid operators are In, NotIn, Exists and DoesNotExist.
  755. type: string
  756. values:
  757. description: |-
  758. values is an array of string values. If the operator is In or NotIn,
  759. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  760. the values array must be empty. This array is replaced during a strategic
  761. merge patch.
  762. items:
  763. type: string
  764. type: array
  765. x-kubernetes-list-type: atomic
  766. required:
  767. - key
  768. - operator
  769. type: object
  770. type: array
  771. x-kubernetes-list-type: atomic
  772. matchLabels:
  773. additionalProperties:
  774. type: string
  775. description: |-
  776. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  777. map is equivalent to an element of matchExpressions, whose key field is "key", the
  778. operator is "In", and the values array contains only "value". The requirements are ANDed.
  779. type: object
  780. type: object
  781. x-kubernetes-map-type: atomic
  782. type: array
  783. namespaces:
  784. description: |-
  785. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  786. Deprecated: Use NamespaceSelectors instead.
  787. items:
  788. maxLength: 63
  789. minLength: 1
  790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  791. type: string
  792. type: array
  793. refreshTime:
  794. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  795. type: string
  796. required:
  797. - externalSecretSpec
  798. type: object
  799. status:
  800. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  801. properties:
  802. conditions:
  803. items:
  804. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  805. properties:
  806. message:
  807. type: string
  808. status:
  809. type: string
  810. type:
  811. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  812. type: string
  813. required:
  814. - status
  815. - type
  816. type: object
  817. type: array
  818. externalSecretName:
  819. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  820. type: string
  821. failedNamespaces:
  822. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  823. items:
  824. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  825. properties:
  826. namespace:
  827. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  828. type: string
  829. reason:
  830. description: Reason is why the ExternalSecret failed to apply to the namespace
  831. type: string
  832. required:
  833. - namespace
  834. type: object
  835. type: array
  836. provisionedNamespaces:
  837. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  838. items:
  839. type: string
  840. type: array
  841. type: object
  842. type: object
  843. served: true
  844. storage: true
  845. subresources:
  846. status: {}
  847. - additionalPrinterColumns:
  848. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  849. name: Store
  850. type: string
  851. - jsonPath: .spec.refreshTime
  852. name: Refresh Interval
  853. type: string
  854. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  855. name: Ready
  856. type: string
  857. deprecated: true
  858. name: v1beta1
  859. schema:
  860. openAPIV3Schema:
  861. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  862. properties:
  863. apiVersion:
  864. description: |-
  865. APIVersion defines the versioned schema of this representation of an object.
  866. Servers should convert recognized schemas to the latest internal value, and
  867. may reject unrecognized values.
  868. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  869. type: string
  870. kind:
  871. description: |-
  872. Kind is a string value representing the REST resource this object represents.
  873. Servers may infer this from the endpoint the client submits requests to.
  874. Cannot be updated.
  875. In CamelCase.
  876. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  877. type: string
  878. metadata:
  879. type: object
  880. spec:
  881. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  882. properties:
  883. externalSecretMetadata:
  884. description: The metadata of the external secrets to be created
  885. properties:
  886. annotations:
  887. additionalProperties:
  888. type: string
  889. type: object
  890. labels:
  891. additionalProperties:
  892. type: string
  893. type: object
  894. type: object
  895. externalSecretName:
  896. description: |-
  897. The name of the external secrets to be created.
  898. Defaults to the name of the ClusterExternalSecret
  899. maxLength: 253
  900. minLength: 1
  901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  902. type: string
  903. externalSecretSpec:
  904. description: The spec for the ExternalSecrets to be created
  905. properties:
  906. data:
  907. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  908. items:
  909. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  910. properties:
  911. remoteRef:
  912. description: |-
  913. RemoteRef points to the remote secret and defines
  914. which secret (version/property/..) to fetch.
  915. properties:
  916. conversionStrategy:
  917. default: Default
  918. description: Used to define a conversion Strategy
  919. enum:
  920. - Default
  921. - Unicode
  922. type: string
  923. decodingStrategy:
  924. default: None
  925. description: Used to define a decoding Strategy
  926. enum:
  927. - Auto
  928. - Base64
  929. - Base64URL
  930. - None
  931. type: string
  932. key:
  933. description: Key is the key used in the Provider, mandatory
  934. type: string
  935. metadataPolicy:
  936. default: None
  937. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  938. enum:
  939. - None
  940. - Fetch
  941. type: string
  942. property:
  943. description: Used to select a specific property of the Provider value (if a map), if supported
  944. type: string
  945. version:
  946. description: Used to select a specific version of the Provider value, if supported
  947. type: string
  948. required:
  949. - key
  950. type: object
  951. secretKey:
  952. description: The key in the Kubernetes Secret to store the value.
  953. maxLength: 253
  954. minLength: 1
  955. pattern: ^[-._a-zA-Z0-9]+$
  956. type: string
  957. sourceRef:
  958. description: |-
  959. SourceRef allows you to override the source
  960. from which the value will be pulled.
  961. maxProperties: 1
  962. minProperties: 1
  963. properties:
  964. generatorRef:
  965. description: |-
  966. GeneratorRef points to a generator custom resource.
  967. Deprecated: The generatorRef is not implemented in .data[].
  968. this will be removed with v1.
  969. properties:
  970. apiVersion:
  971. default: generators.external-secrets.io/v1alpha1
  972. description: Specify the apiVersion of the generator resource
  973. type: string
  974. kind:
  975. description: Specify the Kind of the generator resource
  976. enum:
  977. - ACRAccessToken
  978. - ClusterGenerator
  979. - ECRAuthorizationToken
  980. - Fake
  981. - GCRAccessToken
  982. - GithubAccessToken
  983. - QuayAccessToken
  984. - Password
  985. - SSHKey
  986. - STSSessionToken
  987. - UUID
  988. - VaultDynamicSecret
  989. - Webhook
  990. - Grafana
  991. type: string
  992. name:
  993. description: Specify the name of the generator resource
  994. maxLength: 253
  995. minLength: 1
  996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  997. type: string
  998. required:
  999. - kind
  1000. - name
  1001. type: object
  1002. storeRef:
  1003. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1004. properties:
  1005. kind:
  1006. description: |-
  1007. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1008. Defaults to `SecretStore`
  1009. enum:
  1010. - SecretStore
  1011. - ClusterSecretStore
  1012. type: string
  1013. name:
  1014. description: Name of the SecretStore resource
  1015. maxLength: 253
  1016. minLength: 1
  1017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1018. type: string
  1019. type: object
  1020. type: object
  1021. required:
  1022. - remoteRef
  1023. - secretKey
  1024. type: object
  1025. type: array
  1026. dataFrom:
  1027. description: |-
  1028. DataFrom is used to fetch all properties from a specific Provider data
  1029. If multiple entries are specified, the Secret keys are merged in the specified order
  1030. items:
  1031. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1032. properties:
  1033. extract:
  1034. description: |-
  1035. Used to extract multiple key/value pairs from one secret
  1036. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1037. properties:
  1038. conversionStrategy:
  1039. default: Default
  1040. description: Used to define a conversion Strategy
  1041. enum:
  1042. - Default
  1043. - Unicode
  1044. type: string
  1045. decodingStrategy:
  1046. default: None
  1047. description: Used to define a decoding Strategy
  1048. enum:
  1049. - Auto
  1050. - Base64
  1051. - Base64URL
  1052. - None
  1053. type: string
  1054. key:
  1055. description: Key is the key used in the Provider, mandatory
  1056. type: string
  1057. metadataPolicy:
  1058. default: None
  1059. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1060. enum:
  1061. - None
  1062. - Fetch
  1063. type: string
  1064. property:
  1065. description: Used to select a specific property of the Provider value (if a map), if supported
  1066. type: string
  1067. version:
  1068. description: Used to select a specific version of the Provider value, if supported
  1069. type: string
  1070. required:
  1071. - key
  1072. type: object
  1073. find:
  1074. description: |-
  1075. Used to find secrets based on tags or regular expressions
  1076. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1077. properties:
  1078. conversionStrategy:
  1079. default: Default
  1080. description: Used to define a conversion Strategy
  1081. enum:
  1082. - Default
  1083. - Unicode
  1084. type: string
  1085. decodingStrategy:
  1086. default: None
  1087. description: Used to define a decoding Strategy
  1088. enum:
  1089. - Auto
  1090. - Base64
  1091. - Base64URL
  1092. - None
  1093. type: string
  1094. name:
  1095. description: Finds secrets based on the name.
  1096. properties:
  1097. regexp:
  1098. description: Finds secrets base
  1099. type: string
  1100. type: object
  1101. path:
  1102. description: A root path to start the find operations.
  1103. type: string
  1104. tags:
  1105. additionalProperties:
  1106. type: string
  1107. description: Find secrets based on tags.
  1108. type: object
  1109. type: object
  1110. rewrite:
  1111. description: |-
  1112. Used to rewrite secret Keys after getting them from the secret Provider
  1113. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1114. items:
  1115. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1116. maxProperties: 1
  1117. minProperties: 1
  1118. properties:
  1119. regexp:
  1120. description: |-
  1121. Used to rewrite with regular expressions.
  1122. The resulting key will be the output of a regexp.ReplaceAll operation.
  1123. properties:
  1124. source:
  1125. description: Used to define the regular expression of a re.Compiler.
  1126. type: string
  1127. target:
  1128. description: Used to define the target pattern of a ReplaceAll operation.
  1129. type: string
  1130. required:
  1131. - source
  1132. - target
  1133. type: object
  1134. transform:
  1135. description: |-
  1136. Used to apply string transformation on the secrets.
  1137. The resulting key will be the output of the template applied by the operation.
  1138. properties:
  1139. template:
  1140. description: |-
  1141. Used to define the template to apply on the secret name.
  1142. `.value ` will specify the secret name in the template.
  1143. type: string
  1144. required:
  1145. - template
  1146. type: object
  1147. type: object
  1148. type: array
  1149. sourceRef:
  1150. description: |-
  1151. SourceRef points to a store or generator
  1152. which contains secret values ready to use.
  1153. Use this in combination with Extract or Find pull values out of
  1154. a specific SecretStore.
  1155. When sourceRef points to a generator Extract or Find is not supported.
  1156. The generator returns a static map of values
  1157. maxProperties: 1
  1158. minProperties: 1
  1159. properties:
  1160. generatorRef:
  1161. description: GeneratorRef points to a generator custom resource.
  1162. properties:
  1163. apiVersion:
  1164. default: generators.external-secrets.io/v1alpha1
  1165. description: Specify the apiVersion of the generator resource
  1166. type: string
  1167. kind:
  1168. description: Specify the Kind of the generator resource
  1169. enum:
  1170. - ACRAccessToken
  1171. - ClusterGenerator
  1172. - ECRAuthorizationToken
  1173. - Fake
  1174. - GCRAccessToken
  1175. - GithubAccessToken
  1176. - QuayAccessToken
  1177. - Password
  1178. - SSHKey
  1179. - STSSessionToken
  1180. - UUID
  1181. - VaultDynamicSecret
  1182. - Webhook
  1183. - Grafana
  1184. type: string
  1185. name:
  1186. description: Specify the name of the generator resource
  1187. maxLength: 253
  1188. minLength: 1
  1189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1190. type: string
  1191. required:
  1192. - kind
  1193. - name
  1194. type: object
  1195. storeRef:
  1196. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1197. properties:
  1198. kind:
  1199. description: |-
  1200. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1201. Defaults to `SecretStore`
  1202. enum:
  1203. - SecretStore
  1204. - ClusterSecretStore
  1205. type: string
  1206. name:
  1207. description: Name of the SecretStore resource
  1208. maxLength: 253
  1209. minLength: 1
  1210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1211. type: string
  1212. type: object
  1213. type: object
  1214. type: object
  1215. type: array
  1216. refreshInterval:
  1217. default: 1h0m0s
  1218. description: |-
  1219. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1220. specified as Golang Duration strings.
  1221. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1222. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1223. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1224. type: string
  1225. refreshPolicy:
  1226. description: |-
  1227. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1228. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1229. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1230. No periodic updates occur if refreshInterval is 0.
  1231. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1232. enum:
  1233. - CreatedOnce
  1234. - Periodic
  1235. - OnChange
  1236. type: string
  1237. secretStoreRef:
  1238. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1239. properties:
  1240. kind:
  1241. description: |-
  1242. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1243. Defaults to `SecretStore`
  1244. enum:
  1245. - SecretStore
  1246. - ClusterSecretStore
  1247. type: string
  1248. name:
  1249. description: Name of the SecretStore resource
  1250. maxLength: 253
  1251. minLength: 1
  1252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1253. type: string
  1254. type: object
  1255. target:
  1256. default:
  1257. creationPolicy: Owner
  1258. deletionPolicy: Retain
  1259. description: |-
  1260. ExternalSecretTarget defines the Kubernetes Secret to be created
  1261. There can be only one target per ExternalSecret.
  1262. properties:
  1263. creationPolicy:
  1264. default: Owner
  1265. description: |-
  1266. CreationPolicy defines rules on how to create the resulting Secret.
  1267. Defaults to "Owner"
  1268. enum:
  1269. - Owner
  1270. - Orphan
  1271. - Merge
  1272. - None
  1273. type: string
  1274. deletionPolicy:
  1275. default: Retain
  1276. description: |-
  1277. DeletionPolicy defines rules on how to delete the resulting Secret.
  1278. Defaults to "Retain"
  1279. enum:
  1280. - Delete
  1281. - Merge
  1282. - Retain
  1283. type: string
  1284. immutable:
  1285. description: Immutable defines if the final secret will be immutable
  1286. type: boolean
  1287. name:
  1288. description: |-
  1289. The name of the Secret resource to be managed.
  1290. Defaults to the .metadata.name of the ExternalSecret resource
  1291. maxLength: 253
  1292. minLength: 1
  1293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1294. type: string
  1295. template:
  1296. description: Template defines a blueprint for the created Secret resource.
  1297. properties:
  1298. data:
  1299. additionalProperties:
  1300. type: string
  1301. type: object
  1302. engineVersion:
  1303. default: v2
  1304. description: |-
  1305. EngineVersion specifies the template engine version
  1306. that should be used to compile/execute the
  1307. template specified in .data and .templateFrom[].
  1308. enum:
  1309. - v2
  1310. type: string
  1311. mergePolicy:
  1312. default: Replace
  1313. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1314. enum:
  1315. - Replace
  1316. - Merge
  1317. type: string
  1318. metadata:
  1319. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1320. properties:
  1321. annotations:
  1322. additionalProperties:
  1323. type: string
  1324. type: object
  1325. labels:
  1326. additionalProperties:
  1327. type: string
  1328. type: object
  1329. type: object
  1330. templateFrom:
  1331. items:
  1332. description: TemplateFrom defines a source for template data.
  1333. properties:
  1334. configMap:
  1335. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1336. properties:
  1337. items:
  1338. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1339. items:
  1340. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1341. properties:
  1342. key:
  1343. description: A key in the ConfigMap/Secret
  1344. maxLength: 253
  1345. minLength: 1
  1346. pattern: ^[-._a-zA-Z0-9]+$
  1347. type: string
  1348. templateAs:
  1349. default: Values
  1350. description: TemplateScope defines the scope of the template when processing template data.
  1351. enum:
  1352. - Values
  1353. - KeysAndValues
  1354. type: string
  1355. required:
  1356. - key
  1357. type: object
  1358. type: array
  1359. name:
  1360. description: The name of the ConfigMap/Secret resource
  1361. maxLength: 253
  1362. minLength: 1
  1363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1364. type: string
  1365. required:
  1366. - items
  1367. - name
  1368. type: object
  1369. literal:
  1370. type: string
  1371. secret:
  1372. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1373. properties:
  1374. items:
  1375. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1376. items:
  1377. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1378. properties:
  1379. key:
  1380. description: A key in the ConfigMap/Secret
  1381. maxLength: 253
  1382. minLength: 1
  1383. pattern: ^[-._a-zA-Z0-9]+$
  1384. type: string
  1385. templateAs:
  1386. default: Values
  1387. description: TemplateScope defines the scope of the template when processing template data.
  1388. enum:
  1389. - Values
  1390. - KeysAndValues
  1391. type: string
  1392. required:
  1393. - key
  1394. type: object
  1395. type: array
  1396. name:
  1397. description: The name of the ConfigMap/Secret resource
  1398. maxLength: 253
  1399. minLength: 1
  1400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1401. type: string
  1402. required:
  1403. - items
  1404. - name
  1405. type: object
  1406. target:
  1407. default: Data
  1408. description: TemplateTarget defines the target field where the template result will be stored.
  1409. enum:
  1410. - Data
  1411. - Annotations
  1412. - Labels
  1413. type: string
  1414. type: object
  1415. type: array
  1416. type:
  1417. type: string
  1418. type: object
  1419. type: object
  1420. type: object
  1421. namespaceSelector:
  1422. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1423. properties:
  1424. matchExpressions:
  1425. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1426. items:
  1427. description: |-
  1428. A label selector requirement is a selector that contains values, a key, and an operator that
  1429. relates the key and values.
  1430. properties:
  1431. key:
  1432. description: key is the label key that the selector applies to.
  1433. type: string
  1434. operator:
  1435. description: |-
  1436. operator represents a key's relationship to a set of values.
  1437. Valid operators are In, NotIn, Exists and DoesNotExist.
  1438. type: string
  1439. values:
  1440. description: |-
  1441. values is an array of string values. If the operator is In or NotIn,
  1442. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1443. the values array must be empty. This array is replaced during a strategic
  1444. merge patch.
  1445. items:
  1446. type: string
  1447. type: array
  1448. x-kubernetes-list-type: atomic
  1449. required:
  1450. - key
  1451. - operator
  1452. type: object
  1453. type: array
  1454. x-kubernetes-list-type: atomic
  1455. matchLabels:
  1456. additionalProperties:
  1457. type: string
  1458. description: |-
  1459. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1460. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1461. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1462. type: object
  1463. type: object
  1464. x-kubernetes-map-type: atomic
  1465. namespaceSelectors:
  1466. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1467. items:
  1468. description: |-
  1469. A label selector is a label query over a set of resources. The result of matchLabels and
  1470. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1471. label selector matches no objects.
  1472. properties:
  1473. matchExpressions:
  1474. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1475. items:
  1476. description: |-
  1477. A label selector requirement is a selector that contains values, a key, and an operator that
  1478. relates the key and values.
  1479. properties:
  1480. key:
  1481. description: key is the label key that the selector applies to.
  1482. type: string
  1483. operator:
  1484. description: |-
  1485. operator represents a key's relationship to a set of values.
  1486. Valid operators are In, NotIn, Exists and DoesNotExist.
  1487. type: string
  1488. values:
  1489. description: |-
  1490. values is an array of string values. If the operator is In or NotIn,
  1491. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1492. the values array must be empty. This array is replaced during a strategic
  1493. merge patch.
  1494. items:
  1495. type: string
  1496. type: array
  1497. x-kubernetes-list-type: atomic
  1498. required:
  1499. - key
  1500. - operator
  1501. type: object
  1502. type: array
  1503. x-kubernetes-list-type: atomic
  1504. matchLabels:
  1505. additionalProperties:
  1506. type: string
  1507. description: |-
  1508. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1509. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1510. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1511. type: object
  1512. type: object
  1513. x-kubernetes-map-type: atomic
  1514. type: array
  1515. namespaces:
  1516. description: |-
  1517. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1518. Deprecated: Use NamespaceSelectors instead.
  1519. items:
  1520. maxLength: 63
  1521. minLength: 1
  1522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1523. type: string
  1524. type: array
  1525. refreshTime:
  1526. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1527. type: string
  1528. required:
  1529. - externalSecretSpec
  1530. type: object
  1531. status:
  1532. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1533. properties:
  1534. conditions:
  1535. items:
  1536. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1537. properties:
  1538. message:
  1539. type: string
  1540. status:
  1541. type: string
  1542. type:
  1543. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1544. type: string
  1545. required:
  1546. - status
  1547. - type
  1548. type: object
  1549. type: array
  1550. externalSecretName:
  1551. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1552. type: string
  1553. failedNamespaces:
  1554. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1555. items:
  1556. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1557. properties:
  1558. namespace:
  1559. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1560. type: string
  1561. reason:
  1562. description: Reason is why the ExternalSecret failed to apply to the namespace
  1563. type: string
  1564. required:
  1565. - namespace
  1566. type: object
  1567. type: array
  1568. provisionedNamespaces:
  1569. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1570. items:
  1571. type: string
  1572. type: array
  1573. type: object
  1574. type: object
  1575. served: false
  1576. storage: false
  1577. subresources:
  1578. status: {}
  1579. ---
  1580. apiVersion: apiextensions.k8s.io/v1
  1581. kind: CustomResourceDefinition
  1582. metadata:
  1583. annotations:
  1584. controller-gen.kubebuilder.io/version: v0.19.0
  1585. labels:
  1586. external-secrets.io/component: controller
  1587. name: clusterpushsecrets.external-secrets.io
  1588. spec:
  1589. group: external-secrets.io
  1590. names:
  1591. categories:
  1592. - external-secrets
  1593. kind: ClusterPushSecret
  1594. listKind: ClusterPushSecretList
  1595. plural: clusterpushsecrets
  1596. singular: clusterpushsecret
  1597. scope: Cluster
  1598. versions:
  1599. - additionalPrinterColumns:
  1600. - jsonPath: .metadata.creationTimestamp
  1601. name: AGE
  1602. type: date
  1603. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1604. name: Status
  1605. type: string
  1606. name: v1alpha1
  1607. schema:
  1608. openAPIV3Schema:
  1609. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1610. properties:
  1611. apiVersion:
  1612. description: |-
  1613. APIVersion defines the versioned schema of this representation of an object.
  1614. Servers should convert recognized schemas to the latest internal value, and
  1615. may reject unrecognized values.
  1616. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1617. type: string
  1618. kind:
  1619. description: |-
  1620. Kind is a string value representing the REST resource this object represents.
  1621. Servers may infer this from the endpoint the client submits requests to.
  1622. Cannot be updated.
  1623. In CamelCase.
  1624. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1625. type: string
  1626. metadata:
  1627. type: object
  1628. spec:
  1629. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1630. properties:
  1631. namespaceSelectors:
  1632. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1633. items:
  1634. description: |-
  1635. A label selector is a label query over a set of resources. The result of matchLabels and
  1636. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1637. label selector matches no objects.
  1638. properties:
  1639. matchExpressions:
  1640. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1641. items:
  1642. description: |-
  1643. A label selector requirement is a selector that contains values, a key, and an operator that
  1644. relates the key and values.
  1645. properties:
  1646. key:
  1647. description: key is the label key that the selector applies to.
  1648. type: string
  1649. operator:
  1650. description: |-
  1651. operator represents a key's relationship to a set of values.
  1652. Valid operators are In, NotIn, Exists and DoesNotExist.
  1653. type: string
  1654. values:
  1655. description: |-
  1656. values is an array of string values. If the operator is In or NotIn,
  1657. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1658. the values array must be empty. This array is replaced during a strategic
  1659. merge patch.
  1660. items:
  1661. type: string
  1662. type: array
  1663. x-kubernetes-list-type: atomic
  1664. required:
  1665. - key
  1666. - operator
  1667. type: object
  1668. type: array
  1669. x-kubernetes-list-type: atomic
  1670. matchLabels:
  1671. additionalProperties:
  1672. type: string
  1673. description: |-
  1674. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1675. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1676. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1677. type: object
  1678. type: object
  1679. x-kubernetes-map-type: atomic
  1680. type: array
  1681. pushSecretMetadata:
  1682. description: The metadata of the external secrets to be created
  1683. properties:
  1684. annotations:
  1685. additionalProperties:
  1686. type: string
  1687. type: object
  1688. labels:
  1689. additionalProperties:
  1690. type: string
  1691. type: object
  1692. type: object
  1693. pushSecretName:
  1694. description: |-
  1695. The name of the push secrets to be created.
  1696. Defaults to the name of the ClusterPushSecret
  1697. maxLength: 253
  1698. minLength: 1
  1699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1700. type: string
  1701. pushSecretSpec:
  1702. description: PushSecretSpec defines what to do with the secrets.
  1703. properties:
  1704. data:
  1705. description: Secret Data that should be pushed to providers
  1706. items:
  1707. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1708. properties:
  1709. conversionStrategy:
  1710. default: None
  1711. description: Used to define a conversion Strategy for the secret keys
  1712. enum:
  1713. - None
  1714. - ReverseUnicode
  1715. type: string
  1716. match:
  1717. description: Match a given Secret Key to be pushed to the provider.
  1718. properties:
  1719. remoteRef:
  1720. description: Remote Refs to push to providers.
  1721. properties:
  1722. property:
  1723. description: Name of the property in the resulting secret
  1724. type: string
  1725. remoteKey:
  1726. description: Name of the resulting provider secret.
  1727. type: string
  1728. required:
  1729. - remoteKey
  1730. type: object
  1731. secretKey:
  1732. description: Secret Key to be pushed
  1733. type: string
  1734. required:
  1735. - remoteRef
  1736. type: object
  1737. metadata:
  1738. description: |-
  1739. Metadata is metadata attached to the secret.
  1740. The structure of metadata is provider specific, please look it up in the provider documentation.
  1741. x-kubernetes-preserve-unknown-fields: true
  1742. required:
  1743. - match
  1744. type: object
  1745. type: array
  1746. dataTo:
  1747. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1748. items:
  1749. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1750. properties:
  1751. conversionStrategy:
  1752. default: None
  1753. description: Used to define a conversion Strategy for the secret keys
  1754. enum:
  1755. - None
  1756. - ReverseUnicode
  1757. type: string
  1758. match:
  1759. description: |-
  1760. Match pattern for selecting keys from the source Secret.
  1761. If not specified, all keys are selected.
  1762. properties:
  1763. regexp:
  1764. description: |-
  1765. Regexp matches keys by regular expression.
  1766. If not specified, all keys are matched.
  1767. type: string
  1768. type: object
  1769. metadata:
  1770. description: |-
  1771. Metadata is metadata attached to the secret.
  1772. The structure of metadata is provider specific, please look it up in the provider documentation.
  1773. x-kubernetes-preserve-unknown-fields: true
  1774. remoteKey:
  1775. description: |-
  1776. RemoteKey is the name of the single provider secret that will receive ALL
  1777. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1778. When set, per-key expansion is skipped and a single push is performed.
  1779. The provider's store prefix (if any) is still prepended to this value.
  1780. When not set, each matched key is pushed as its own individual provider secret.
  1781. type: string
  1782. rewrite:
  1783. description: |-
  1784. Rewrite operations to transform keys before pushing to the provider.
  1785. Operations are applied sequentially.
  1786. items:
  1787. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1788. properties:
  1789. regexp:
  1790. description: Used to rewrite with regular expressions.
  1791. properties:
  1792. source:
  1793. description: Used to define the regular expression of a re.Compiler.
  1794. type: string
  1795. target:
  1796. description: Used to define the target pattern of a ReplaceAll operation.
  1797. type: string
  1798. required:
  1799. - source
  1800. - target
  1801. type: object
  1802. transform:
  1803. description: Used to apply string transformation on the secrets.
  1804. properties:
  1805. template:
  1806. description: |-
  1807. Used to define the template to apply on the secret name.
  1808. `.value ` will specify the secret name in the template.
  1809. type: string
  1810. required:
  1811. - template
  1812. type: object
  1813. type: object
  1814. x-kubernetes-validations:
  1815. - message: exactly one of regexp or transform must be set
  1816. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1817. type: array
  1818. storeRef:
  1819. description: StoreRef specifies which SecretStore to push to. Required.
  1820. properties:
  1821. kind:
  1822. default: SecretStore
  1823. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1824. enum:
  1825. - SecretStore
  1826. - ClusterSecretStore
  1827. type: string
  1828. labelSelector:
  1829. description: Optionally, sync to secret stores with label selector
  1830. properties:
  1831. matchExpressions:
  1832. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1833. items:
  1834. description: |-
  1835. A label selector requirement is a selector that contains values, a key, and an operator that
  1836. relates the key and values.
  1837. properties:
  1838. key:
  1839. description: key is the label key that the selector applies to.
  1840. type: string
  1841. operator:
  1842. description: |-
  1843. operator represents a key's relationship to a set of values.
  1844. Valid operators are In, NotIn, Exists and DoesNotExist.
  1845. type: string
  1846. values:
  1847. description: |-
  1848. values is an array of string values. If the operator is In or NotIn,
  1849. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1850. the values array must be empty. This array is replaced during a strategic
  1851. merge patch.
  1852. items:
  1853. type: string
  1854. type: array
  1855. x-kubernetes-list-type: atomic
  1856. required:
  1857. - key
  1858. - operator
  1859. type: object
  1860. type: array
  1861. x-kubernetes-list-type: atomic
  1862. matchLabels:
  1863. additionalProperties:
  1864. type: string
  1865. description: |-
  1866. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1867. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1868. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1869. type: object
  1870. type: object
  1871. x-kubernetes-map-type: atomic
  1872. name:
  1873. description: Optionally, sync to the SecretStore of the given name
  1874. maxLength: 253
  1875. minLength: 1
  1876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1877. type: string
  1878. type: object
  1879. type: object
  1880. x-kubernetes-validations:
  1881. - message: storeRef must specify either name or labelSelector
  1882. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1883. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1884. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1885. type: array
  1886. deletionPolicy:
  1887. default: None
  1888. description: Deletion Policy to handle Secrets in the provider.
  1889. enum:
  1890. - Delete
  1891. - None
  1892. type: string
  1893. refreshInterval:
  1894. default: 1h0m0s
  1895. description: The Interval to which External Secrets will try to push a secret definition
  1896. type: string
  1897. secretStoreRefs:
  1898. items:
  1899. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1900. properties:
  1901. kind:
  1902. default: SecretStore
  1903. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1904. enum:
  1905. - SecretStore
  1906. - ClusterSecretStore
  1907. type: string
  1908. labelSelector:
  1909. description: Optionally, sync to secret stores with label selector
  1910. properties:
  1911. matchExpressions:
  1912. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1913. items:
  1914. description: |-
  1915. A label selector requirement is a selector that contains values, a key, and an operator that
  1916. relates the key and values.
  1917. properties:
  1918. key:
  1919. description: key is the label key that the selector applies to.
  1920. type: string
  1921. operator:
  1922. description: |-
  1923. operator represents a key's relationship to a set of values.
  1924. Valid operators are In, NotIn, Exists and DoesNotExist.
  1925. type: string
  1926. values:
  1927. description: |-
  1928. values is an array of string values. If the operator is In or NotIn,
  1929. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1930. the values array must be empty. This array is replaced during a strategic
  1931. merge patch.
  1932. items:
  1933. type: string
  1934. type: array
  1935. x-kubernetes-list-type: atomic
  1936. required:
  1937. - key
  1938. - operator
  1939. type: object
  1940. type: array
  1941. x-kubernetes-list-type: atomic
  1942. matchLabels:
  1943. additionalProperties:
  1944. type: string
  1945. description: |-
  1946. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1947. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1948. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1949. type: object
  1950. type: object
  1951. x-kubernetes-map-type: atomic
  1952. name:
  1953. description: Optionally, sync to the SecretStore of the given name
  1954. maxLength: 253
  1955. minLength: 1
  1956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1957. type: string
  1958. type: object
  1959. type: array
  1960. selector:
  1961. description: The Secret Selector (k8s source) for the Push Secret
  1962. maxProperties: 1
  1963. minProperties: 1
  1964. properties:
  1965. generatorRef:
  1966. description: Point to a generator to create a Secret.
  1967. properties:
  1968. apiVersion:
  1969. default: generators.external-secrets.io/v1alpha1
  1970. description: Specify the apiVersion of the generator resource
  1971. type: string
  1972. kind:
  1973. description: Specify the Kind of the generator resource
  1974. enum:
  1975. - ACRAccessToken
  1976. - BeyondtrustWorkloadCredentialsDynamicSecret
  1977. - ClusterGenerator
  1978. - CloudsmithAccessToken
  1979. - ECRAuthorizationToken
  1980. - Fake
  1981. - GCRAccessToken
  1982. - GithubAccessToken
  1983. - QuayAccessToken
  1984. - Password
  1985. - SSHKey
  1986. - STSSessionToken
  1987. - UUID
  1988. - VaultDynamicSecret
  1989. - Webhook
  1990. - Grafana
  1991. - MFA
  1992. type: string
  1993. name:
  1994. description: Specify the name of the generator resource
  1995. maxLength: 253
  1996. minLength: 1
  1997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1998. type: string
  1999. required:
  2000. - kind
  2001. - name
  2002. type: object
  2003. secret:
  2004. description: Select a Secret to Push.
  2005. properties:
  2006. name:
  2007. description: |-
  2008. Name of the Secret.
  2009. The Secret must exist in the same namespace as the PushSecret manifest.
  2010. maxLength: 253
  2011. minLength: 1
  2012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2013. type: string
  2014. selector:
  2015. description: Selector chooses secrets using a labelSelector.
  2016. properties:
  2017. matchExpressions:
  2018. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2019. items:
  2020. description: |-
  2021. A label selector requirement is a selector that contains values, a key, and an operator that
  2022. relates the key and values.
  2023. properties:
  2024. key:
  2025. description: key is the label key that the selector applies to.
  2026. type: string
  2027. operator:
  2028. description: |-
  2029. operator represents a key's relationship to a set of values.
  2030. Valid operators are In, NotIn, Exists and DoesNotExist.
  2031. type: string
  2032. values:
  2033. description: |-
  2034. values is an array of string values. If the operator is In or NotIn,
  2035. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2036. the values array must be empty. This array is replaced during a strategic
  2037. merge patch.
  2038. items:
  2039. type: string
  2040. type: array
  2041. x-kubernetes-list-type: atomic
  2042. required:
  2043. - key
  2044. - operator
  2045. type: object
  2046. type: array
  2047. x-kubernetes-list-type: atomic
  2048. matchLabels:
  2049. additionalProperties:
  2050. type: string
  2051. description: |-
  2052. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2053. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2054. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2055. type: object
  2056. type: object
  2057. x-kubernetes-map-type: atomic
  2058. type: object
  2059. type: object
  2060. template:
  2061. description: Template defines a blueprint for the created Secret resource.
  2062. properties:
  2063. data:
  2064. additionalProperties:
  2065. type: string
  2066. type: object
  2067. engineVersion:
  2068. default: v2
  2069. description: |-
  2070. EngineVersion specifies the template engine version
  2071. that should be used to compile/execute the
  2072. template specified in .data and .templateFrom[].
  2073. enum:
  2074. - v2
  2075. type: string
  2076. mergePolicy:
  2077. default: Replace
  2078. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2079. enum:
  2080. - Replace
  2081. - Merge
  2082. type: string
  2083. metadata:
  2084. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2085. properties:
  2086. annotations:
  2087. additionalProperties:
  2088. type: string
  2089. type: object
  2090. finalizers:
  2091. items:
  2092. type: string
  2093. type: array
  2094. labels:
  2095. additionalProperties:
  2096. type: string
  2097. type: object
  2098. type: object
  2099. templateFrom:
  2100. items:
  2101. description: |-
  2102. TemplateFrom specifies a source for templates.
  2103. Each item in the list can either reference a ConfigMap or a Secret resource.
  2104. properties:
  2105. configMap:
  2106. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2107. properties:
  2108. items:
  2109. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2110. items:
  2111. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2112. properties:
  2113. key:
  2114. description: A key in the ConfigMap/Secret
  2115. maxLength: 253
  2116. minLength: 1
  2117. pattern: ^[-._a-zA-Z0-9]+$
  2118. type: string
  2119. templateAs:
  2120. default: Values
  2121. description: TemplateScope specifies how the template keys should be interpreted.
  2122. enum:
  2123. - Values
  2124. - KeysAndValues
  2125. type: string
  2126. required:
  2127. - key
  2128. type: object
  2129. type: array
  2130. name:
  2131. description: The name of the ConfigMap/Secret resource
  2132. maxLength: 253
  2133. minLength: 1
  2134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2135. type: string
  2136. required:
  2137. - items
  2138. - name
  2139. type: object
  2140. literal:
  2141. type: string
  2142. secret:
  2143. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2144. properties:
  2145. items:
  2146. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2147. items:
  2148. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2149. properties:
  2150. key:
  2151. description: A key in the ConfigMap/Secret
  2152. maxLength: 253
  2153. minLength: 1
  2154. pattern: ^[-._a-zA-Z0-9]+$
  2155. type: string
  2156. templateAs:
  2157. default: Values
  2158. description: TemplateScope specifies how the template keys should be interpreted.
  2159. enum:
  2160. - Values
  2161. - KeysAndValues
  2162. type: string
  2163. required:
  2164. - key
  2165. type: object
  2166. type: array
  2167. name:
  2168. description: The name of the ConfigMap/Secret resource
  2169. maxLength: 253
  2170. minLength: 1
  2171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2172. type: string
  2173. required:
  2174. - items
  2175. - name
  2176. type: object
  2177. target:
  2178. default: Data
  2179. description: |-
  2180. Target specifies where to place the template result.
  2181. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2182. For custom resources (when spec.target.manifest is set), this supports
  2183. nested paths like "spec.database.config" or "data".
  2184. type: string
  2185. type: object
  2186. type: array
  2187. type:
  2188. type: string
  2189. type: object
  2190. updatePolicy:
  2191. default: Replace
  2192. description: UpdatePolicy to handle Secrets in the provider.
  2193. enum:
  2194. - Replace
  2195. - IfNotExists
  2196. type: string
  2197. required:
  2198. - secretStoreRefs
  2199. - selector
  2200. type: object
  2201. refreshTime:
  2202. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2203. type: string
  2204. required:
  2205. - pushSecretSpec
  2206. type: object
  2207. status:
  2208. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2209. properties:
  2210. conditions:
  2211. items:
  2212. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2213. properties:
  2214. lastTransitionTime:
  2215. format: date-time
  2216. type: string
  2217. message:
  2218. type: string
  2219. reason:
  2220. type: string
  2221. status:
  2222. type: string
  2223. type:
  2224. description: PushSecretConditionType indicates the condition of the PushSecret.
  2225. type: string
  2226. required:
  2227. - status
  2228. - type
  2229. type: object
  2230. type: array
  2231. failedNamespaces:
  2232. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  2233. items:
  2234. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  2235. properties:
  2236. namespace:
  2237. description: Namespace is the namespace that failed when trying to apply an PushSecret
  2238. type: string
  2239. reason:
  2240. description: Reason is why the PushSecret failed to apply to the namespace
  2241. type: string
  2242. required:
  2243. - namespace
  2244. type: object
  2245. type: array
  2246. provisionedNamespaces:
  2247. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2248. items:
  2249. type: string
  2250. type: array
  2251. pushSecretName:
  2252. type: string
  2253. type: object
  2254. type: object
  2255. served: true
  2256. storage: true
  2257. subresources:
  2258. status: {}
  2259. ---
  2260. apiVersion: apiextensions.k8s.io/v1
  2261. kind: CustomResourceDefinition
  2262. metadata:
  2263. annotations:
  2264. controller-gen.kubebuilder.io/version: v0.19.0
  2265. labels:
  2266. external-secrets.io/component: controller
  2267. name: clustersecretstores.external-secrets.io
  2268. spec:
  2269. group: external-secrets.io
  2270. names:
  2271. categories:
  2272. - external-secrets
  2273. kind: ClusterSecretStore
  2274. listKind: ClusterSecretStoreList
  2275. plural: clustersecretstores
  2276. shortNames:
  2277. - css
  2278. singular: clustersecretstore
  2279. scope: Cluster
  2280. versions:
  2281. - additionalPrinterColumns:
  2282. - jsonPath: .metadata.creationTimestamp
  2283. name: AGE
  2284. type: date
  2285. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2286. name: Status
  2287. type: string
  2288. - jsonPath: .status.capabilities
  2289. name: Capabilities
  2290. type: string
  2291. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2292. name: Ready
  2293. type: string
  2294. name: v1
  2295. schema:
  2296. openAPIV3Schema:
  2297. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2298. properties:
  2299. apiVersion:
  2300. description: |-
  2301. APIVersion defines the versioned schema of this representation of an object.
  2302. Servers should convert recognized schemas to the latest internal value, and
  2303. may reject unrecognized values.
  2304. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2305. type: string
  2306. kind:
  2307. description: |-
  2308. Kind is a string value representing the REST resource this object represents.
  2309. Servers may infer this from the endpoint the client submits requests to.
  2310. Cannot be updated.
  2311. In CamelCase.
  2312. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2313. type: string
  2314. metadata:
  2315. type: object
  2316. spec:
  2317. description: SecretStoreSpec defines the desired state of SecretStore.
  2318. properties:
  2319. conditions:
  2320. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2321. items:
  2322. description: |-
  2323. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2324. for a ClusterSecretStore instance.
  2325. properties:
  2326. namespaceRegexes:
  2327. description: Choose namespaces by using regex matching
  2328. items:
  2329. type: string
  2330. type: array
  2331. namespaceSelector:
  2332. description: Choose namespace using a labelSelector
  2333. properties:
  2334. matchExpressions:
  2335. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2336. items:
  2337. description: |-
  2338. A label selector requirement is a selector that contains values, a key, and an operator that
  2339. relates the key and values.
  2340. properties:
  2341. key:
  2342. description: key is the label key that the selector applies to.
  2343. type: string
  2344. operator:
  2345. description: |-
  2346. operator represents a key's relationship to a set of values.
  2347. Valid operators are In, NotIn, Exists and DoesNotExist.
  2348. type: string
  2349. values:
  2350. description: |-
  2351. values is an array of string values. If the operator is In or NotIn,
  2352. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2353. the values array must be empty. This array is replaced during a strategic
  2354. merge patch.
  2355. items:
  2356. type: string
  2357. type: array
  2358. x-kubernetes-list-type: atomic
  2359. required:
  2360. - key
  2361. - operator
  2362. type: object
  2363. type: array
  2364. x-kubernetes-list-type: atomic
  2365. matchLabels:
  2366. additionalProperties:
  2367. type: string
  2368. description: |-
  2369. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2370. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2371. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2372. type: object
  2373. type: object
  2374. x-kubernetes-map-type: atomic
  2375. namespaces:
  2376. description: Choose namespaces by name
  2377. items:
  2378. maxLength: 63
  2379. minLength: 1
  2380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2381. type: string
  2382. type: array
  2383. type: object
  2384. type: array
  2385. controller:
  2386. description: |-
  2387. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2388. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2389. type: string
  2390. provider:
  2391. description: Used to configure the provider. Only one provider may be set
  2392. maxProperties: 1
  2393. minProperties: 1
  2394. properties:
  2395. akeyless:
  2396. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2397. properties:
  2398. akeylessGWApiURL:
  2399. description: Akeyless GW API Url from which the secrets to be fetched from.
  2400. type: string
  2401. authSecretRef:
  2402. description: Auth configures how the operator authenticates with Akeyless.
  2403. properties:
  2404. kubernetesAuth:
  2405. description: |-
  2406. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2407. token stored in the named Secret resource.
  2408. properties:
  2409. accessID:
  2410. description: the Akeyless Kubernetes auth-method access-id
  2411. type: string
  2412. k8sConfName:
  2413. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2414. type: string
  2415. secretRef:
  2416. description: |-
  2417. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2418. for authenticating with Akeyless. If a name is specified without a key,
  2419. `token` is the default. If one is not specified, the one bound to
  2420. the controller will be used.
  2421. properties:
  2422. key:
  2423. description: |-
  2424. A key in the referenced Secret.
  2425. Some instances of this field may be defaulted, in others it may be required.
  2426. maxLength: 253
  2427. minLength: 1
  2428. pattern: ^[-._a-zA-Z0-9]+$
  2429. type: string
  2430. name:
  2431. description: The name of the Secret resource being referred to.
  2432. maxLength: 253
  2433. minLength: 1
  2434. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2435. type: string
  2436. namespace:
  2437. description: |-
  2438. The namespace of the Secret resource being referred to.
  2439. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2440. maxLength: 63
  2441. minLength: 1
  2442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2443. type: string
  2444. type: object
  2445. serviceAccountRef:
  2446. description: |-
  2447. Optional service account field containing the name of a kubernetes ServiceAccount.
  2448. If the service account is specified, the service account secret token JWT will be used
  2449. for authenticating with Akeyless. If the service account selector is not supplied,
  2450. the secretRef will be used instead.
  2451. properties:
  2452. audiences:
  2453. description: |-
  2454. Audience specifies the `aud` claim for the service account token
  2455. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2456. then this audiences will be appended to the list
  2457. items:
  2458. type: string
  2459. type: array
  2460. name:
  2461. description: The name of the ServiceAccount resource being referred to.
  2462. maxLength: 253
  2463. minLength: 1
  2464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2465. type: string
  2466. namespace:
  2467. description: |-
  2468. Namespace of the resource being referred to.
  2469. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2470. maxLength: 63
  2471. minLength: 1
  2472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2473. type: string
  2474. required:
  2475. - name
  2476. type: object
  2477. required:
  2478. - accessID
  2479. - k8sConfName
  2480. type: object
  2481. secretRef:
  2482. description: |-
  2483. Reference to a Secret that contains the details
  2484. to authenticate with Akeyless.
  2485. properties:
  2486. accessID:
  2487. description: The SecretAccessID is used for authentication
  2488. properties:
  2489. key:
  2490. description: |-
  2491. A key in the referenced Secret.
  2492. Some instances of this field may be defaulted, in others it may be required.
  2493. maxLength: 253
  2494. minLength: 1
  2495. pattern: ^[-._a-zA-Z0-9]+$
  2496. type: string
  2497. name:
  2498. description: The name of the Secret resource being referred to.
  2499. maxLength: 253
  2500. minLength: 1
  2501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2502. type: string
  2503. namespace:
  2504. description: |-
  2505. The namespace of the Secret resource being referred to.
  2506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2507. maxLength: 63
  2508. minLength: 1
  2509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2510. type: string
  2511. type: object
  2512. accessType:
  2513. description: |-
  2514. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2515. In some instances, `key` is a required field.
  2516. properties:
  2517. key:
  2518. description: |-
  2519. A key in the referenced Secret.
  2520. Some instances of this field may be defaulted, in others it may be required.
  2521. maxLength: 253
  2522. minLength: 1
  2523. pattern: ^[-._a-zA-Z0-9]+$
  2524. type: string
  2525. name:
  2526. description: The name of the Secret resource being referred to.
  2527. maxLength: 253
  2528. minLength: 1
  2529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2530. type: string
  2531. namespace:
  2532. description: |-
  2533. The namespace of the Secret resource being referred to.
  2534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2535. maxLength: 63
  2536. minLength: 1
  2537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2538. type: string
  2539. type: object
  2540. accessTypeParam:
  2541. description: |-
  2542. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2543. In some instances, `key` is a required field.
  2544. properties:
  2545. key:
  2546. description: |-
  2547. A key in the referenced Secret.
  2548. Some instances of this field may be defaulted, in others it may be required.
  2549. maxLength: 253
  2550. minLength: 1
  2551. pattern: ^[-._a-zA-Z0-9]+$
  2552. type: string
  2553. name:
  2554. description: The name of the Secret resource being referred to.
  2555. maxLength: 253
  2556. minLength: 1
  2557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2558. type: string
  2559. namespace:
  2560. description: |-
  2561. The namespace of the Secret resource being referred to.
  2562. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2563. maxLength: 63
  2564. minLength: 1
  2565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2566. type: string
  2567. type: object
  2568. type: object
  2569. type: object
  2570. caBundle:
  2571. description: |-
  2572. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2573. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2574. are used to validate the TLS connection.
  2575. format: byte
  2576. type: string
  2577. caProvider:
  2578. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2579. properties:
  2580. key:
  2581. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2582. maxLength: 253
  2583. minLength: 1
  2584. pattern: ^[-._a-zA-Z0-9]+$
  2585. type: string
  2586. name:
  2587. description: The name of the object located at the provider type.
  2588. maxLength: 253
  2589. minLength: 1
  2590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2591. type: string
  2592. namespace:
  2593. description: |-
  2594. The namespace the Provider type is in.
  2595. Can only be defined when used in a ClusterSecretStore.
  2596. maxLength: 63
  2597. minLength: 1
  2598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2599. type: string
  2600. type:
  2601. description: The type of provider to use such as "Secret", or "ConfigMap".
  2602. enum:
  2603. - Secret
  2604. - ConfigMap
  2605. type: string
  2606. required:
  2607. - name
  2608. - type
  2609. type: object
  2610. required:
  2611. - akeylessGWApiURL
  2612. - authSecretRef
  2613. type: object
  2614. aws:
  2615. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2616. properties:
  2617. additionalRoles:
  2618. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2619. items:
  2620. type: string
  2621. type: array
  2622. auth:
  2623. description: |-
  2624. Auth defines the information necessary to authenticate against AWS
  2625. if not set aws sdk will infer credentials from your environment
  2626. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2627. properties:
  2628. jwt:
  2629. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  2630. properties:
  2631. serviceAccountRef:
  2632. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2633. properties:
  2634. audiences:
  2635. description: |-
  2636. Audience specifies the `aud` claim for the service account token
  2637. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2638. then this audiences will be appended to the list
  2639. items:
  2640. type: string
  2641. type: array
  2642. name:
  2643. description: The name of the ServiceAccount resource being referred to.
  2644. maxLength: 253
  2645. minLength: 1
  2646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2647. type: string
  2648. namespace:
  2649. description: |-
  2650. Namespace of the resource being referred to.
  2651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2652. maxLength: 63
  2653. minLength: 1
  2654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2655. type: string
  2656. required:
  2657. - name
  2658. type: object
  2659. type: object
  2660. secretRef:
  2661. description: |-
  2662. AWSAuthSecretRef holds secret references for AWS credentials
  2663. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2664. properties:
  2665. accessKeyIDSecretRef:
  2666. description: The AccessKeyID is used for authentication
  2667. properties:
  2668. key:
  2669. description: |-
  2670. A key in the referenced Secret.
  2671. Some instances of this field may be defaulted, in others it may be required.
  2672. maxLength: 253
  2673. minLength: 1
  2674. pattern: ^[-._a-zA-Z0-9]+$
  2675. type: string
  2676. name:
  2677. description: The name of the Secret resource being referred to.
  2678. maxLength: 253
  2679. minLength: 1
  2680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2681. type: string
  2682. namespace:
  2683. description: |-
  2684. The namespace of the Secret resource being referred to.
  2685. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2686. maxLength: 63
  2687. minLength: 1
  2688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2689. type: string
  2690. type: object
  2691. secretAccessKeySecretRef:
  2692. description: The SecretAccessKey is used for authentication
  2693. properties:
  2694. key:
  2695. description: |-
  2696. A key in the referenced Secret.
  2697. Some instances of this field may be defaulted, in others it may be required.
  2698. maxLength: 253
  2699. minLength: 1
  2700. pattern: ^[-._a-zA-Z0-9]+$
  2701. type: string
  2702. name:
  2703. description: The name of the Secret resource being referred to.
  2704. maxLength: 253
  2705. minLength: 1
  2706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2707. type: string
  2708. namespace:
  2709. description: |-
  2710. The namespace of the Secret resource being referred to.
  2711. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2712. maxLength: 63
  2713. minLength: 1
  2714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2715. type: string
  2716. type: object
  2717. sessionTokenSecretRef:
  2718. description: |-
  2719. The SessionToken used for authentication
  2720. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2721. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2722. properties:
  2723. key:
  2724. description: |-
  2725. A key in the referenced Secret.
  2726. Some instances of this field may be defaulted, in others it may be required.
  2727. maxLength: 253
  2728. minLength: 1
  2729. pattern: ^[-._a-zA-Z0-9]+$
  2730. type: string
  2731. name:
  2732. description: The name of the Secret resource being referred to.
  2733. maxLength: 253
  2734. minLength: 1
  2735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2736. type: string
  2737. namespace:
  2738. description: |-
  2739. The namespace of the Secret resource being referred to.
  2740. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2741. maxLength: 63
  2742. minLength: 1
  2743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2744. type: string
  2745. type: object
  2746. type: object
  2747. type: object
  2748. customSessionTags:
  2749. additionalProperties:
  2750. type: string
  2751. description: |-
  2752. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2753. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2754. type: object
  2755. x-kubernetes-validations:
  2756. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2757. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2758. externalID:
  2759. description: AWS External ID set on assumed IAM roles
  2760. type: string
  2761. prefix:
  2762. description: Prefix adds a prefix to all retrieved values.
  2763. type: string
  2764. region:
  2765. description: AWS Region to be used for the provider
  2766. type: string
  2767. role:
  2768. description: Role is a Role ARN which the provider will assume
  2769. type: string
  2770. secretsManager:
  2771. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2772. properties:
  2773. forceDeleteWithoutRecovery:
  2774. description: |-
  2775. Specifies whether to delete the secret without any recovery window. You
  2776. can't use both this parameter and RecoveryWindowInDays in the same call.
  2777. If you don't use either, then by default Secrets Manager uses a 30 day
  2778. recovery window.
  2779. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2780. type: boolean
  2781. recoveryWindowInDays:
  2782. description: |-
  2783. The number of days from 7 to 30 that Secrets Manager waits before
  2784. permanently deleting the secret. You can't use both this parameter and
  2785. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2786. then by default Secrets Manager uses a 30-day recovery window.
  2787. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2788. format: int64
  2789. type: integer
  2790. type: object
  2791. service:
  2792. description: Service defines which service should be used to fetch the secrets
  2793. enum:
  2794. - SecretsManager
  2795. - ParameterStore
  2796. type: string
  2797. sessionTags:
  2798. description: AWS STS assume role session tags
  2799. items:
  2800. description: |-
  2801. Tag is a key-value pair that can be attached to an AWS resource.
  2802. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2803. properties:
  2804. key:
  2805. type: string
  2806. value:
  2807. type: string
  2808. required:
  2809. - key
  2810. - value
  2811. type: object
  2812. type: array
  2813. sessionTagsPolicy:
  2814. default: None
  2815. description: |-
  2816. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2817. None (default): no tags are added.
  2818. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2819. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2820. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2821. enum:
  2822. - None
  2823. - Simple
  2824. - Custom
  2825. type: string
  2826. transitiveTagKeys:
  2827. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2828. items:
  2829. type: string
  2830. type: array
  2831. required:
  2832. - region
  2833. - service
  2834. type: object
  2835. azurekv:
  2836. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2837. properties:
  2838. authSecretRef:
  2839. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2840. properties:
  2841. clientCertificate:
  2842. description: The Azure ClientCertificate of the service principle used for authentication.
  2843. properties:
  2844. key:
  2845. description: |-
  2846. A key in the referenced Secret.
  2847. Some instances of this field may be defaulted, in others it may be required.
  2848. maxLength: 253
  2849. minLength: 1
  2850. pattern: ^[-._a-zA-Z0-9]+$
  2851. type: string
  2852. name:
  2853. description: The name of the Secret resource being referred to.
  2854. maxLength: 253
  2855. minLength: 1
  2856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2857. type: string
  2858. namespace:
  2859. description: |-
  2860. The namespace of the Secret resource being referred to.
  2861. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2862. maxLength: 63
  2863. minLength: 1
  2864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2865. type: string
  2866. type: object
  2867. clientId:
  2868. description: The Azure clientId of the service principle or managed identity used for authentication.
  2869. properties:
  2870. key:
  2871. description: |-
  2872. A key in the referenced Secret.
  2873. Some instances of this field may be defaulted, in others it may be required.
  2874. maxLength: 253
  2875. minLength: 1
  2876. pattern: ^[-._a-zA-Z0-9]+$
  2877. type: string
  2878. name:
  2879. description: The name of the Secret resource being referred to.
  2880. maxLength: 253
  2881. minLength: 1
  2882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2883. type: string
  2884. namespace:
  2885. description: |-
  2886. The namespace of the Secret resource being referred to.
  2887. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2888. maxLength: 63
  2889. minLength: 1
  2890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2891. type: string
  2892. type: object
  2893. clientSecret:
  2894. description: The Azure ClientSecret of the service principle used for authentication.
  2895. properties:
  2896. key:
  2897. description: |-
  2898. A key in the referenced Secret.
  2899. Some instances of this field may be defaulted, in others it may be required.
  2900. maxLength: 253
  2901. minLength: 1
  2902. pattern: ^[-._a-zA-Z0-9]+$
  2903. type: string
  2904. name:
  2905. description: The name of the Secret resource being referred to.
  2906. maxLength: 253
  2907. minLength: 1
  2908. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2909. type: string
  2910. namespace:
  2911. description: |-
  2912. The namespace of the Secret resource being referred to.
  2913. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2914. maxLength: 63
  2915. minLength: 1
  2916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2917. type: string
  2918. type: object
  2919. tenantId:
  2920. description: The Azure tenantId of the managed identity used for authentication.
  2921. properties:
  2922. key:
  2923. description: |-
  2924. A key in the referenced Secret.
  2925. Some instances of this field may be defaulted, in others it may be required.
  2926. maxLength: 253
  2927. minLength: 1
  2928. pattern: ^[-._a-zA-Z0-9]+$
  2929. type: string
  2930. name:
  2931. description: The name of the Secret resource being referred to.
  2932. maxLength: 253
  2933. minLength: 1
  2934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2935. type: string
  2936. namespace:
  2937. description: |-
  2938. The namespace of the Secret resource being referred to.
  2939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2940. maxLength: 63
  2941. minLength: 1
  2942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2943. type: string
  2944. type: object
  2945. type: object
  2946. authType:
  2947. default: ServicePrincipal
  2948. description: |-
  2949. Auth type defines how to authenticate to the keyvault service.
  2950. Valid values are:
  2951. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2952. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2953. enum:
  2954. - ServicePrincipal
  2955. - ManagedIdentity
  2956. - WorkloadIdentity
  2957. type: string
  2958. customCloudConfig:
  2959. description: |-
  2960. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  2961. Required when EnvironmentType is AzureStackCloud.
  2962. Optional for other environment types - useful for Azure China when using Workload Identity
  2963. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  2964. standard China Cloud endpoint (login.chinacloudapi.cn).
  2965. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  2966. configuration is not supported with the legacy go-autorest SDK.
  2967. properties:
  2968. activeDirectoryEndpoint:
  2969. description: |-
  2970. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  2971. Required when using custom cloud configuration
  2972. type: string
  2973. keyVaultDNSSuffix:
  2974. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  2975. type: string
  2976. keyVaultEndpoint:
  2977. description: KeyVaultEndpoint is the Key Vault service endpoint
  2978. type: string
  2979. resourceManagerEndpoint:
  2980. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  2981. type: string
  2982. required:
  2983. - activeDirectoryEndpoint
  2984. type: object
  2985. environmentType:
  2986. default: PublicCloud
  2987. description: |-
  2988. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2989. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2990. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2991. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  2992. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  2993. enum:
  2994. - PublicCloud
  2995. - USGovernmentCloud
  2996. - ChinaCloud
  2997. - GermanCloud
  2998. - AzureStackCloud
  2999. type: string
  3000. identityId:
  3001. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3002. type: string
  3003. serviceAccountRef:
  3004. description: |-
  3005. ServiceAccountRef specified the service account
  3006. that should be used when authenticating with WorkloadIdentity.
  3007. properties:
  3008. audiences:
  3009. description: |-
  3010. Audience specifies the `aud` claim for the service account token
  3011. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3012. then this audiences will be appended to the list
  3013. items:
  3014. type: string
  3015. type: array
  3016. name:
  3017. description: The name of the ServiceAccount resource being referred to.
  3018. maxLength: 253
  3019. minLength: 1
  3020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3021. type: string
  3022. namespace:
  3023. description: |-
  3024. Namespace of the resource being referred to.
  3025. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3026. maxLength: 63
  3027. minLength: 1
  3028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3029. type: string
  3030. required:
  3031. - name
  3032. type: object
  3033. tenantId:
  3034. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3035. type: string
  3036. useAzureSDK:
  3037. default: false
  3038. description: |-
  3039. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3040. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3041. type: boolean
  3042. vaultUrl:
  3043. description: Vault Url from which the secrets to be fetched from.
  3044. type: string
  3045. required:
  3046. - vaultUrl
  3047. type: object
  3048. barbican:
  3049. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3050. properties:
  3051. auth:
  3052. description: BarbicanAuth contains the authentication information for Barbican.
  3053. properties:
  3054. password:
  3055. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3056. properties:
  3057. secretRef:
  3058. description: |-
  3059. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3060. In some instances, `key` is a required field.
  3061. properties:
  3062. key:
  3063. description: |-
  3064. A key in the referenced Secret.
  3065. Some instances of this field may be defaulted, in others it may be required.
  3066. maxLength: 253
  3067. minLength: 1
  3068. pattern: ^[-._a-zA-Z0-9]+$
  3069. type: string
  3070. name:
  3071. description: The name of the Secret resource being referred to.
  3072. maxLength: 253
  3073. minLength: 1
  3074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3075. type: string
  3076. namespace:
  3077. description: |-
  3078. The namespace of the Secret resource being referred to.
  3079. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3080. maxLength: 63
  3081. minLength: 1
  3082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3083. type: string
  3084. type: object
  3085. required:
  3086. - secretRef
  3087. type: object
  3088. username:
  3089. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3090. maxProperties: 1
  3091. minProperties: 1
  3092. properties:
  3093. secretRef:
  3094. description: |-
  3095. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3096. In some instances, `key` is a required field.
  3097. properties:
  3098. key:
  3099. description: |-
  3100. A key in the referenced Secret.
  3101. Some instances of this field may be defaulted, in others it may be required.
  3102. maxLength: 253
  3103. minLength: 1
  3104. pattern: ^[-._a-zA-Z0-9]+$
  3105. type: string
  3106. name:
  3107. description: The name of the Secret resource being referred to.
  3108. maxLength: 253
  3109. minLength: 1
  3110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3111. type: string
  3112. namespace:
  3113. description: |-
  3114. The namespace of the Secret resource being referred to.
  3115. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3116. maxLength: 63
  3117. minLength: 1
  3118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3119. type: string
  3120. type: object
  3121. value:
  3122. type: string
  3123. type: object
  3124. required:
  3125. - password
  3126. - username
  3127. type: object
  3128. authURL:
  3129. type: string
  3130. domainName:
  3131. type: string
  3132. region:
  3133. type: string
  3134. tenantName:
  3135. type: string
  3136. required:
  3137. - auth
  3138. type: object
  3139. beyondtrust:
  3140. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3141. properties:
  3142. auth:
  3143. description: Auth configures how the operator authenticates with Beyondtrust.
  3144. properties:
  3145. apiKey:
  3146. description: APIKey If not provided then ClientID/ClientSecret become required.
  3147. properties:
  3148. secretRef:
  3149. description: SecretRef references a key in a secret that will be used as value.
  3150. properties:
  3151. key:
  3152. description: |-
  3153. A key in the referenced Secret.
  3154. Some instances of this field may be defaulted, in others it may be required.
  3155. maxLength: 253
  3156. minLength: 1
  3157. pattern: ^[-._a-zA-Z0-9]+$
  3158. type: string
  3159. name:
  3160. description: The name of the Secret resource being referred to.
  3161. maxLength: 253
  3162. minLength: 1
  3163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3164. type: string
  3165. namespace:
  3166. description: |-
  3167. The namespace of the Secret resource being referred to.
  3168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3169. maxLength: 63
  3170. minLength: 1
  3171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3172. type: string
  3173. type: object
  3174. value:
  3175. description: Value can be specified directly to set a value without using a secret.
  3176. type: string
  3177. type: object
  3178. certificate:
  3179. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3180. properties:
  3181. secretRef:
  3182. description: SecretRef references a key in a secret that will be used as value.
  3183. properties:
  3184. key:
  3185. description: |-
  3186. A key in the referenced Secret.
  3187. Some instances of this field may be defaulted, in others it may be required.
  3188. maxLength: 253
  3189. minLength: 1
  3190. pattern: ^[-._a-zA-Z0-9]+$
  3191. type: string
  3192. name:
  3193. description: The name of the Secret resource being referred to.
  3194. maxLength: 253
  3195. minLength: 1
  3196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3197. type: string
  3198. namespace:
  3199. description: |-
  3200. The namespace of the Secret resource being referred to.
  3201. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3202. maxLength: 63
  3203. minLength: 1
  3204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3205. type: string
  3206. type: object
  3207. value:
  3208. description: Value can be specified directly to set a value without using a secret.
  3209. type: string
  3210. type: object
  3211. certificateKey:
  3212. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3213. properties:
  3214. secretRef:
  3215. description: SecretRef references a key in a secret that will be used as value.
  3216. properties:
  3217. key:
  3218. description: |-
  3219. A key in the referenced Secret.
  3220. Some instances of this field may be defaulted, in others it may be required.
  3221. maxLength: 253
  3222. minLength: 1
  3223. pattern: ^[-._a-zA-Z0-9]+$
  3224. type: string
  3225. name:
  3226. description: The name of the Secret resource being referred to.
  3227. maxLength: 253
  3228. minLength: 1
  3229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3230. type: string
  3231. namespace:
  3232. description: |-
  3233. The namespace of the Secret resource being referred to.
  3234. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3235. maxLength: 63
  3236. minLength: 1
  3237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3238. type: string
  3239. type: object
  3240. value:
  3241. description: Value can be specified directly to set a value without using a secret.
  3242. type: string
  3243. type: object
  3244. clientId:
  3245. description: ClientID is the API OAuth Client ID.
  3246. properties:
  3247. secretRef:
  3248. description: SecretRef references a key in a secret that will be used as value.
  3249. properties:
  3250. key:
  3251. description: |-
  3252. A key in the referenced Secret.
  3253. Some instances of this field may be defaulted, in others it may be required.
  3254. maxLength: 253
  3255. minLength: 1
  3256. pattern: ^[-._a-zA-Z0-9]+$
  3257. type: string
  3258. name:
  3259. description: The name of the Secret resource being referred to.
  3260. maxLength: 253
  3261. minLength: 1
  3262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3263. type: string
  3264. namespace:
  3265. description: |-
  3266. The namespace of the Secret resource being referred to.
  3267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3268. maxLength: 63
  3269. minLength: 1
  3270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3271. type: string
  3272. type: object
  3273. value:
  3274. description: Value can be specified directly to set a value without using a secret.
  3275. type: string
  3276. type: object
  3277. clientSecret:
  3278. description: ClientSecret is the API OAuth Client Secret.
  3279. properties:
  3280. secretRef:
  3281. description: SecretRef references a key in a secret that will be used as value.
  3282. properties:
  3283. key:
  3284. description: |-
  3285. A key in the referenced Secret.
  3286. Some instances of this field may be defaulted, in others it may be required.
  3287. maxLength: 253
  3288. minLength: 1
  3289. pattern: ^[-._a-zA-Z0-9]+$
  3290. type: string
  3291. name:
  3292. description: The name of the Secret resource being referred to.
  3293. maxLength: 253
  3294. minLength: 1
  3295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3296. type: string
  3297. namespace:
  3298. description: |-
  3299. The namespace of the Secret resource being referred to.
  3300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3301. maxLength: 63
  3302. minLength: 1
  3303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3304. type: string
  3305. type: object
  3306. value:
  3307. description: Value can be specified directly to set a value without using a secret.
  3308. type: string
  3309. type: object
  3310. type: object
  3311. server:
  3312. description: Auth configures how API server works.
  3313. properties:
  3314. apiUrl:
  3315. type: string
  3316. apiVersion:
  3317. type: string
  3318. clientTimeOutSeconds:
  3319. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3320. type: integer
  3321. decrypt:
  3322. default: true
  3323. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3324. type: boolean
  3325. retrievalType:
  3326. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3327. type: string
  3328. separator:
  3329. description: A character that separates the folder names.
  3330. type: string
  3331. verifyCA:
  3332. type: boolean
  3333. required:
  3334. - apiUrl
  3335. - verifyCA
  3336. type: object
  3337. required:
  3338. - auth
  3339. - server
  3340. type: object
  3341. beyondtrustworkloadcredentials:
  3342. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3343. properties:
  3344. auth:
  3345. description: |-
  3346. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3347. Currently supports API key authentication via Kubernetes secret reference.
  3348. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3349. properties:
  3350. apikey:
  3351. description: |-
  3352. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3353. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3354. properties:
  3355. token:
  3356. description: |-
  3357. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3358. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3359. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3360. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3361. properties:
  3362. key:
  3363. description: |-
  3364. A key in the referenced Secret.
  3365. Some instances of this field may be defaulted, in others it may be required.
  3366. maxLength: 253
  3367. minLength: 1
  3368. pattern: ^[-._a-zA-Z0-9]+$
  3369. type: string
  3370. name:
  3371. description: The name of the Secret resource being referred to.
  3372. maxLength: 253
  3373. minLength: 1
  3374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3375. type: string
  3376. namespace:
  3377. description: |-
  3378. The namespace of the Secret resource being referred to.
  3379. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3380. maxLength: 63
  3381. minLength: 1
  3382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3383. type: string
  3384. type: object
  3385. required:
  3386. - token
  3387. type: object
  3388. required:
  3389. - apikey
  3390. type: object
  3391. caBundle:
  3392. description: |-
  3393. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3394. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3395. If not set, the system's trusted root certificates are used.
  3396. format: byte
  3397. type: string
  3398. caProvider:
  3399. description: |-
  3400. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3401. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3402. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3403. properties:
  3404. key:
  3405. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3406. maxLength: 253
  3407. minLength: 1
  3408. pattern: ^[-._a-zA-Z0-9]+$
  3409. type: string
  3410. name:
  3411. description: The name of the object located at the provider type.
  3412. maxLength: 253
  3413. minLength: 1
  3414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3415. type: string
  3416. namespace:
  3417. description: |-
  3418. The namespace the Provider type is in.
  3419. Can only be defined when used in a ClusterSecretStore.
  3420. maxLength: 63
  3421. minLength: 1
  3422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3423. type: string
  3424. type:
  3425. description: The type of provider to use such as "Secret", or "ConfigMap".
  3426. enum:
  3427. - Secret
  3428. - ConfigMap
  3429. type: string
  3430. required:
  3431. - name
  3432. - type
  3433. type: object
  3434. folderPath:
  3435. description: |-
  3436. FolderPath specifies the default folder path for secret retrieval.
  3437. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3438. Example: "production/database" or "dev/api-keys"
  3439. Leave empty to retrieve secrets from the root folder.
  3440. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3441. type: string
  3442. server:
  3443. description: |-
  3444. Server configures the BeyondTrust Workload Credentials server connection details.
  3445. Includes the API URL and Site ID for your BeyondTrust instance.
  3446. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3447. properties:
  3448. apiUrl:
  3449. description: |-
  3450. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3451. This should be the full URL to your BeyondTrust instance.
  3452. Example: https://api.beyondtrust.io/siie
  3453. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3454. type: string
  3455. siteId:
  3456. description: |-
  3457. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3458. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3459. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3460. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3461. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3462. type: string
  3463. required:
  3464. - apiUrl
  3465. - siteId
  3466. type: object
  3467. required:
  3468. - auth
  3469. - server
  3470. type: object
  3471. bitwardensecretsmanager:
  3472. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3473. properties:
  3474. apiURL:
  3475. type: string
  3476. auth:
  3477. description: |-
  3478. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3479. Make sure that the token being used has permissions on the given secret.
  3480. properties:
  3481. secretRef:
  3482. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3483. properties:
  3484. credentials:
  3485. description: AccessToken used for the bitwarden instance.
  3486. properties:
  3487. key:
  3488. description: |-
  3489. A key in the referenced Secret.
  3490. Some instances of this field may be defaulted, in others it may be required.
  3491. maxLength: 253
  3492. minLength: 1
  3493. pattern: ^[-._a-zA-Z0-9]+$
  3494. type: string
  3495. name:
  3496. description: The name of the Secret resource being referred to.
  3497. maxLength: 253
  3498. minLength: 1
  3499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3500. type: string
  3501. namespace:
  3502. description: |-
  3503. The namespace of the Secret resource being referred to.
  3504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3505. maxLength: 63
  3506. minLength: 1
  3507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3508. type: string
  3509. type: object
  3510. required:
  3511. - credentials
  3512. type: object
  3513. required:
  3514. - secretRef
  3515. type: object
  3516. bitwardenServerSDKURL:
  3517. type: string
  3518. caBundle:
  3519. description: |-
  3520. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3521. can be performed.
  3522. type: string
  3523. caProvider:
  3524. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3525. properties:
  3526. key:
  3527. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3528. maxLength: 253
  3529. minLength: 1
  3530. pattern: ^[-._a-zA-Z0-9]+$
  3531. type: string
  3532. name:
  3533. description: The name of the object located at the provider type.
  3534. maxLength: 253
  3535. minLength: 1
  3536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3537. type: string
  3538. namespace:
  3539. description: |-
  3540. The namespace the Provider type is in.
  3541. Can only be defined when used in a ClusterSecretStore.
  3542. maxLength: 63
  3543. minLength: 1
  3544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3545. type: string
  3546. type:
  3547. description: The type of provider to use such as "Secret", or "ConfigMap".
  3548. enum:
  3549. - Secret
  3550. - ConfigMap
  3551. type: string
  3552. required:
  3553. - name
  3554. - type
  3555. type: object
  3556. identityURL:
  3557. type: string
  3558. organizationID:
  3559. description: OrganizationID determines which organization this secret store manages.
  3560. type: string
  3561. projectID:
  3562. description: ProjectID determines which project this secret store manages.
  3563. type: string
  3564. required:
  3565. - auth
  3566. - organizationID
  3567. - projectID
  3568. type: object
  3569. chef:
  3570. description: Chef configures this store to sync secrets with chef server
  3571. properties:
  3572. auth:
  3573. description: Auth defines the information necessary to authenticate against chef Server
  3574. properties:
  3575. secretRef:
  3576. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3577. properties:
  3578. privateKeySecretRef:
  3579. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3580. properties:
  3581. key:
  3582. description: |-
  3583. A key in the referenced Secret.
  3584. Some instances of this field may be defaulted, in others it may be required.
  3585. maxLength: 253
  3586. minLength: 1
  3587. pattern: ^[-._a-zA-Z0-9]+$
  3588. type: string
  3589. name:
  3590. description: The name of the Secret resource being referred to.
  3591. maxLength: 253
  3592. minLength: 1
  3593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3594. type: string
  3595. namespace:
  3596. description: |-
  3597. The namespace of the Secret resource being referred to.
  3598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3599. maxLength: 63
  3600. minLength: 1
  3601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3602. type: string
  3603. type: object
  3604. required:
  3605. - privateKeySecretRef
  3606. type: object
  3607. required:
  3608. - secretRef
  3609. type: object
  3610. serverUrl:
  3611. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3612. type: string
  3613. username:
  3614. description: UserName should be the user ID on the chef server
  3615. type: string
  3616. required:
  3617. - auth
  3618. - serverUrl
  3619. - username
  3620. type: object
  3621. cloudrusm:
  3622. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3623. properties:
  3624. auth:
  3625. description: CSMAuth contains a secretRef for credentials.
  3626. properties:
  3627. secretRef:
  3628. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3629. properties:
  3630. accessKeyIDSecretRef:
  3631. description: The AccessKeyID is used for authentication
  3632. properties:
  3633. key:
  3634. description: |-
  3635. A key in the referenced Secret.
  3636. Some instances of this field may be defaulted, in others it may be required.
  3637. maxLength: 253
  3638. minLength: 1
  3639. pattern: ^[-._a-zA-Z0-9]+$
  3640. type: string
  3641. name:
  3642. description: The name of the Secret resource being referred to.
  3643. maxLength: 253
  3644. minLength: 1
  3645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3646. type: string
  3647. namespace:
  3648. description: |-
  3649. The namespace of the Secret resource being referred to.
  3650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3651. maxLength: 63
  3652. minLength: 1
  3653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3654. type: string
  3655. type: object
  3656. accessKeySecretSecretRef:
  3657. description: The AccessKeySecret is used for authentication
  3658. properties:
  3659. key:
  3660. description: |-
  3661. A key in the referenced Secret.
  3662. Some instances of this field may be defaulted, in others it may be required.
  3663. maxLength: 253
  3664. minLength: 1
  3665. pattern: ^[-._a-zA-Z0-9]+$
  3666. type: string
  3667. name:
  3668. description: The name of the Secret resource being referred to.
  3669. maxLength: 253
  3670. minLength: 1
  3671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3672. type: string
  3673. namespace:
  3674. description: |-
  3675. The namespace of the Secret resource being referred to.
  3676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3677. maxLength: 63
  3678. minLength: 1
  3679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3680. type: string
  3681. type: object
  3682. required:
  3683. - accessKeyIDSecretRef
  3684. - accessKeySecretSecretRef
  3685. type: object
  3686. type: object
  3687. projectID:
  3688. description: ProjectID is the project, which the secrets are stored in.
  3689. type: string
  3690. required:
  3691. - auth
  3692. type: object
  3693. conjur:
  3694. description: Conjur configures this store to sync secrets using conjur provider
  3695. properties:
  3696. auth:
  3697. description: Defines authentication settings for connecting to Conjur.
  3698. properties:
  3699. apikey:
  3700. description: Authenticates with Conjur using an API key.
  3701. properties:
  3702. account:
  3703. description: Account is the Conjur organization account name.
  3704. type: string
  3705. apiKeyRef:
  3706. description: |-
  3707. A reference to a specific 'key' containing the Conjur API key
  3708. within a Secret resource. In some instances, `key` is a required field.
  3709. properties:
  3710. key:
  3711. description: |-
  3712. A key in the referenced Secret.
  3713. Some instances of this field may be defaulted, in others it may be required.
  3714. maxLength: 253
  3715. minLength: 1
  3716. pattern: ^[-._a-zA-Z0-9]+$
  3717. type: string
  3718. name:
  3719. description: The name of the Secret resource being referred to.
  3720. maxLength: 253
  3721. minLength: 1
  3722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3723. type: string
  3724. namespace:
  3725. description: |-
  3726. The namespace of the Secret resource being referred to.
  3727. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3728. maxLength: 63
  3729. minLength: 1
  3730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3731. type: string
  3732. type: object
  3733. userRef:
  3734. description: |-
  3735. A reference to a specific 'key' containing the Conjur username
  3736. within a Secret resource. In some instances, `key` is a required field.
  3737. properties:
  3738. key:
  3739. description: |-
  3740. A key in the referenced Secret.
  3741. Some instances of this field may be defaulted, in others it may be required.
  3742. maxLength: 253
  3743. minLength: 1
  3744. pattern: ^[-._a-zA-Z0-9]+$
  3745. type: string
  3746. name:
  3747. description: The name of the Secret resource being referred to.
  3748. maxLength: 253
  3749. minLength: 1
  3750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3751. type: string
  3752. namespace:
  3753. description: |-
  3754. The namespace of the Secret resource being referred to.
  3755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3756. maxLength: 63
  3757. minLength: 1
  3758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3759. type: string
  3760. type: object
  3761. required:
  3762. - account
  3763. - apiKeyRef
  3764. - userRef
  3765. type: object
  3766. jwt:
  3767. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3768. properties:
  3769. account:
  3770. description: Account is the Conjur organization account name.
  3771. type: string
  3772. hostId:
  3773. description: |-
  3774. Optional HostID for JWT authentication. This may be used depending
  3775. on how the Conjur JWT authenticator policy is configured.
  3776. type: string
  3777. secretRef:
  3778. description: |-
  3779. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3780. authenticate with Conjur using the JWT authentication method.
  3781. properties:
  3782. key:
  3783. description: |-
  3784. A key in the referenced Secret.
  3785. Some instances of this field may be defaulted, in others it may be required.
  3786. maxLength: 253
  3787. minLength: 1
  3788. pattern: ^[-._a-zA-Z0-9]+$
  3789. type: string
  3790. name:
  3791. description: The name of the Secret resource being referred to.
  3792. maxLength: 253
  3793. minLength: 1
  3794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3795. type: string
  3796. namespace:
  3797. description: |-
  3798. The namespace of the Secret resource being referred to.
  3799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3800. maxLength: 63
  3801. minLength: 1
  3802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3803. type: string
  3804. type: object
  3805. serviceAccountRef:
  3806. description: |-
  3807. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3808. a token for with the `TokenRequest` API.
  3809. properties:
  3810. audiences:
  3811. description: |-
  3812. Audience specifies the `aud` claim for the service account token
  3813. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3814. then this audiences will be appended to the list
  3815. items:
  3816. type: string
  3817. type: array
  3818. name:
  3819. description: The name of the ServiceAccount resource being referred to.
  3820. maxLength: 253
  3821. minLength: 1
  3822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3823. type: string
  3824. namespace:
  3825. description: |-
  3826. Namespace of the resource being referred to.
  3827. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3828. maxLength: 63
  3829. minLength: 1
  3830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3831. type: string
  3832. required:
  3833. - name
  3834. type: object
  3835. serviceID:
  3836. description: The conjur authn jwt webservice id
  3837. type: string
  3838. required:
  3839. - account
  3840. - serviceID
  3841. type: object
  3842. type: object
  3843. caBundle:
  3844. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3845. type: string
  3846. caProvider:
  3847. description: |-
  3848. Used to provide custom certificate authority (CA) certificates
  3849. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3850. that contains a PEM-encoded certificate.
  3851. properties:
  3852. key:
  3853. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3854. maxLength: 253
  3855. minLength: 1
  3856. pattern: ^[-._a-zA-Z0-9]+$
  3857. type: string
  3858. name:
  3859. description: The name of the object located at the provider type.
  3860. maxLength: 253
  3861. minLength: 1
  3862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3863. type: string
  3864. namespace:
  3865. description: |-
  3866. The namespace the Provider type is in.
  3867. Can only be defined when used in a ClusterSecretStore.
  3868. maxLength: 63
  3869. minLength: 1
  3870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3871. type: string
  3872. type:
  3873. description: The type of provider to use such as "Secret", or "ConfigMap".
  3874. enum:
  3875. - Secret
  3876. - ConfigMap
  3877. type: string
  3878. required:
  3879. - name
  3880. - type
  3881. type: object
  3882. url:
  3883. description: URL is the endpoint of the Conjur instance.
  3884. type: string
  3885. required:
  3886. - auth
  3887. - url
  3888. type: object
  3889. delinea:
  3890. description: |-
  3891. Delinea DevOps Secrets Vault
  3892. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3893. properties:
  3894. clientId:
  3895. description: ClientID is the non-secret part of the credential.
  3896. properties:
  3897. secretRef:
  3898. description: SecretRef references a key in a secret that will be used as value.
  3899. properties:
  3900. key:
  3901. description: |-
  3902. A key in the referenced Secret.
  3903. Some instances of this field may be defaulted, in others it may be required.
  3904. maxLength: 253
  3905. minLength: 1
  3906. pattern: ^[-._a-zA-Z0-9]+$
  3907. type: string
  3908. name:
  3909. description: The name of the Secret resource being referred to.
  3910. maxLength: 253
  3911. minLength: 1
  3912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3913. type: string
  3914. namespace:
  3915. description: |-
  3916. The namespace of the Secret resource being referred to.
  3917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3918. maxLength: 63
  3919. minLength: 1
  3920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3921. type: string
  3922. type: object
  3923. value:
  3924. description: Value can be specified directly to set a value without using a secret.
  3925. type: string
  3926. type: object
  3927. clientSecret:
  3928. description: ClientSecret is the secret part of the credential.
  3929. properties:
  3930. secretRef:
  3931. description: SecretRef references a key in a secret that will be used as value.
  3932. properties:
  3933. key:
  3934. description: |-
  3935. A key in the referenced Secret.
  3936. Some instances of this field may be defaulted, in others it may be required.
  3937. maxLength: 253
  3938. minLength: 1
  3939. pattern: ^[-._a-zA-Z0-9]+$
  3940. type: string
  3941. name:
  3942. description: The name of the Secret resource being referred to.
  3943. maxLength: 253
  3944. minLength: 1
  3945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3946. type: string
  3947. namespace:
  3948. description: |-
  3949. The namespace of the Secret resource being referred to.
  3950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3951. maxLength: 63
  3952. minLength: 1
  3953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3954. type: string
  3955. type: object
  3956. value:
  3957. description: Value can be specified directly to set a value without using a secret.
  3958. type: string
  3959. type: object
  3960. tenant:
  3961. description: Tenant is the chosen hostname / site name.
  3962. type: string
  3963. tld:
  3964. description: |-
  3965. TLD is based on the server location that was chosen during provisioning.
  3966. If unset, defaults to "com".
  3967. type: string
  3968. urlTemplate:
  3969. description: |-
  3970. URLTemplate
  3971. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3972. type: string
  3973. required:
  3974. - clientId
  3975. - clientSecret
  3976. - tenant
  3977. type: object
  3978. doppler:
  3979. description: Doppler configures this store to sync secrets using the Doppler provider
  3980. properties:
  3981. auth:
  3982. description: Auth configures how the Operator authenticates with the Doppler API
  3983. properties:
  3984. oidcConfig:
  3985. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  3986. properties:
  3987. expirationSeconds:
  3988. default: 600
  3989. description: |-
  3990. ExpirationSeconds sets the ServiceAccount token validity duration.
  3991. Defaults to 10 minutes.
  3992. format: int64
  3993. type: integer
  3994. identity:
  3995. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  3996. type: string
  3997. serviceAccountRef:
  3998. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  3999. properties:
  4000. audiences:
  4001. description: |-
  4002. Audience specifies the `aud` claim for the service account token
  4003. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4004. then this audiences will be appended to the list
  4005. items:
  4006. type: string
  4007. type: array
  4008. name:
  4009. description: The name of the ServiceAccount resource being referred to.
  4010. maxLength: 253
  4011. minLength: 1
  4012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4013. type: string
  4014. namespace:
  4015. description: |-
  4016. Namespace of the resource being referred to.
  4017. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4018. maxLength: 63
  4019. minLength: 1
  4020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4021. type: string
  4022. required:
  4023. - name
  4024. type: object
  4025. required:
  4026. - identity
  4027. - serviceAccountRef
  4028. type: object
  4029. secretRef:
  4030. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4031. properties:
  4032. dopplerToken:
  4033. description: |-
  4034. The DopplerToken is used for authentication.
  4035. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4036. The Key attribute defaults to dopplerToken if not specified.
  4037. properties:
  4038. key:
  4039. description: |-
  4040. A key in the referenced Secret.
  4041. Some instances of this field may be defaulted, in others it may be required.
  4042. maxLength: 253
  4043. minLength: 1
  4044. pattern: ^[-._a-zA-Z0-9]+$
  4045. type: string
  4046. name:
  4047. description: The name of the Secret resource being referred to.
  4048. maxLength: 253
  4049. minLength: 1
  4050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4051. type: string
  4052. namespace:
  4053. description: |-
  4054. The namespace of the Secret resource being referred to.
  4055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4056. maxLength: 63
  4057. minLength: 1
  4058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4059. type: string
  4060. type: object
  4061. required:
  4062. - dopplerToken
  4063. type: object
  4064. type: object
  4065. x-kubernetes-validations:
  4066. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4067. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4068. config:
  4069. description: Doppler config (required if not using a Service Token)
  4070. type: string
  4071. format:
  4072. description: Format enables the downloading of secrets as a file (string)
  4073. enum:
  4074. - json
  4075. - dotnet-json
  4076. - env
  4077. - yaml
  4078. - docker
  4079. type: string
  4080. nameTransformer:
  4081. description: Environment variable compatible name transforms that change secret names to a different format
  4082. enum:
  4083. - upper-camel
  4084. - camel
  4085. - lower-snake
  4086. - tf-var
  4087. - dotnet-env
  4088. - lower-kebab
  4089. type: string
  4090. project:
  4091. description: Doppler project (required if not using a Service Token)
  4092. type: string
  4093. required:
  4094. - auth
  4095. type: object
  4096. dvls:
  4097. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4098. properties:
  4099. auth:
  4100. description: Auth defines the authentication method to use.
  4101. properties:
  4102. secretRef:
  4103. description: SecretRef contains the Application ID and Application Secret for authentication.
  4104. properties:
  4105. appId:
  4106. description: AppID is the reference to the secret containing the Application ID.
  4107. properties:
  4108. key:
  4109. description: |-
  4110. A key in the referenced Secret.
  4111. Some instances of this field may be defaulted, in others it may be required.
  4112. maxLength: 253
  4113. minLength: 1
  4114. pattern: ^[-._a-zA-Z0-9]+$
  4115. type: string
  4116. name:
  4117. description: The name of the Secret resource being referred to.
  4118. maxLength: 253
  4119. minLength: 1
  4120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4121. type: string
  4122. namespace:
  4123. description: |-
  4124. The namespace of the Secret resource being referred to.
  4125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4126. maxLength: 63
  4127. minLength: 1
  4128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4129. type: string
  4130. type: object
  4131. appSecret:
  4132. description: AppSecret is the reference to the secret containing the Application Secret.
  4133. properties:
  4134. key:
  4135. description: |-
  4136. A key in the referenced Secret.
  4137. Some instances of this field may be defaulted, in others it may be required.
  4138. maxLength: 253
  4139. minLength: 1
  4140. pattern: ^[-._a-zA-Z0-9]+$
  4141. type: string
  4142. name:
  4143. description: The name of the Secret resource being referred to.
  4144. maxLength: 253
  4145. minLength: 1
  4146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4147. type: string
  4148. namespace:
  4149. description: |-
  4150. The namespace of the Secret resource being referred to.
  4151. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4152. maxLength: 63
  4153. minLength: 1
  4154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4155. type: string
  4156. type: object
  4157. required:
  4158. - appId
  4159. - appSecret
  4160. type: object
  4161. required:
  4162. - secretRef
  4163. type: object
  4164. insecure:
  4165. description: |-
  4166. Insecure allows connecting to DVLS over plain HTTP.
  4167. This is NOT RECOMMENDED for production use.
  4168. Set to true only if you understand the security implications.
  4169. type: boolean
  4170. serverUrl:
  4171. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4172. type: string
  4173. vault:
  4174. description: |-
  4175. Vault is the name or UUID of the vault to fetch secrets from.
  4176. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4177. type: string
  4178. required:
  4179. - auth
  4180. - serverUrl
  4181. type: object
  4182. fake:
  4183. description: Fake configures a store with static key/value pairs
  4184. properties:
  4185. data:
  4186. items:
  4187. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4188. properties:
  4189. key:
  4190. type: string
  4191. value:
  4192. type: string
  4193. version:
  4194. type: string
  4195. required:
  4196. - key
  4197. - value
  4198. type: object
  4199. type: array
  4200. validationResult:
  4201. description: ValidationResult is defined type for the number of validation results.
  4202. type: integer
  4203. required:
  4204. - data
  4205. type: object
  4206. fortanix:
  4207. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4208. properties:
  4209. apiKey:
  4210. description: APIKey is the API token to access SDKMS Applications.
  4211. properties:
  4212. secretRef:
  4213. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4214. properties:
  4215. key:
  4216. description: |-
  4217. A key in the referenced Secret.
  4218. Some instances of this field may be defaulted, in others it may be required.
  4219. maxLength: 253
  4220. minLength: 1
  4221. pattern: ^[-._a-zA-Z0-9]+$
  4222. type: string
  4223. name:
  4224. description: The name of the Secret resource being referred to.
  4225. maxLength: 253
  4226. minLength: 1
  4227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4228. type: string
  4229. namespace:
  4230. description: |-
  4231. The namespace of the Secret resource being referred to.
  4232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4233. maxLength: 63
  4234. minLength: 1
  4235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4236. type: string
  4237. type: object
  4238. type: object
  4239. apiUrl:
  4240. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4241. type: string
  4242. type: object
  4243. gcpsm:
  4244. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4245. properties:
  4246. auth:
  4247. description: Auth defines the information necessary to authenticate against GCP
  4248. properties:
  4249. secretRef:
  4250. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4251. properties:
  4252. secretAccessKeySecretRef:
  4253. description: The SecretAccessKey is used for authentication
  4254. properties:
  4255. key:
  4256. description: |-
  4257. A key in the referenced Secret.
  4258. Some instances of this field may be defaulted, in others it may be required.
  4259. maxLength: 253
  4260. minLength: 1
  4261. pattern: ^[-._a-zA-Z0-9]+$
  4262. type: string
  4263. name:
  4264. description: The name of the Secret resource being referred to.
  4265. maxLength: 253
  4266. minLength: 1
  4267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4268. type: string
  4269. namespace:
  4270. description: |-
  4271. The namespace of the Secret resource being referred to.
  4272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4273. maxLength: 63
  4274. minLength: 1
  4275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4276. type: string
  4277. type: object
  4278. type: object
  4279. workloadIdentity:
  4280. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4281. properties:
  4282. clusterLocation:
  4283. description: |-
  4284. ClusterLocation is the location of the cluster
  4285. If not specified, it fetches information from the metadata server
  4286. type: string
  4287. clusterName:
  4288. description: |-
  4289. ClusterName is the name of the cluster
  4290. If not specified, it fetches information from the metadata server
  4291. type: string
  4292. clusterProjectID:
  4293. description: |-
  4294. ClusterProjectID is the project ID of the cluster
  4295. If not specified, it fetches information from the metadata server
  4296. type: string
  4297. serviceAccountRef:
  4298. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4299. properties:
  4300. audiences:
  4301. description: |-
  4302. Audience specifies the `aud` claim for the service account token
  4303. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4304. then this audiences will be appended to the list
  4305. items:
  4306. type: string
  4307. type: array
  4308. name:
  4309. description: The name of the ServiceAccount resource being referred to.
  4310. maxLength: 253
  4311. minLength: 1
  4312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4313. type: string
  4314. namespace:
  4315. description: |-
  4316. Namespace of the resource being referred to.
  4317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4318. maxLength: 63
  4319. minLength: 1
  4320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4321. type: string
  4322. required:
  4323. - name
  4324. type: object
  4325. required:
  4326. - serviceAccountRef
  4327. type: object
  4328. workloadIdentityFederation:
  4329. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4330. properties:
  4331. audience:
  4332. description: |-
  4333. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4334. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4335. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4336. type: string
  4337. awsSecurityCredentials:
  4338. description: |-
  4339. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4340. when using the AWS metadata server is not an option.
  4341. properties:
  4342. awsCredentialsSecretRef:
  4343. description: |-
  4344. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4345. Secret should be created with below names for keys
  4346. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4347. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4348. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4349. properties:
  4350. name:
  4351. description: name of the secret.
  4352. maxLength: 253
  4353. minLength: 1
  4354. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4355. type: string
  4356. namespace:
  4357. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  4358. maxLength: 63
  4359. minLength: 1
  4360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4361. type: string
  4362. required:
  4363. - name
  4364. type: object
  4365. region:
  4366. description: region is for configuring the AWS region to be used.
  4367. example: ap-south-1
  4368. maxLength: 50
  4369. minLength: 1
  4370. pattern: ^[a-z0-9-]+$
  4371. type: string
  4372. required:
  4373. - awsCredentialsSecretRef
  4374. - region
  4375. type: object
  4376. credConfig:
  4377. description: |-
  4378. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4379. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  4380. serviceAccountRef must be used by providing operators service account details.
  4381. properties:
  4382. key:
  4383. description: key name holding the external account credential config.
  4384. maxLength: 253
  4385. minLength: 1
  4386. pattern: ^[-._a-zA-Z0-9]+$
  4387. type: string
  4388. name:
  4389. description: name of the configmap.
  4390. maxLength: 253
  4391. minLength: 1
  4392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4393. type: string
  4394. namespace:
  4395. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  4396. maxLength: 63
  4397. minLength: 1
  4398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4399. type: string
  4400. required:
  4401. - key
  4402. - name
  4403. type: object
  4404. externalTokenEndpoint:
  4405. description: |-
  4406. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4407. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  4408. URL is having the expected value.
  4409. type: string
  4410. gcpServiceAccountEmail:
  4411. description: |-
  4412. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4413. after Workload Identity Federation. Use this to grant access through the service account's
  4414. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4415. service_account_impersonation_url in the external account JSON from credConfig;
  4416. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4417. on that ServiceAccount.
  4418. example: my-gsa@my-project.iam.gserviceaccount.com
  4419. minLength: 1
  4420. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4421. type: string
  4422. serviceAccountRef:
  4423. description: |-
  4424. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4425. when Kubernetes is configured as provider in workload identity pool.
  4426. properties:
  4427. audiences:
  4428. description: |-
  4429. Audience specifies the `aud` claim for the service account token
  4430. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4431. then this audiences will be appended to the list
  4432. items:
  4433. type: string
  4434. type: array
  4435. name:
  4436. description: The name of the ServiceAccount resource being referred to.
  4437. maxLength: 253
  4438. minLength: 1
  4439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4440. type: string
  4441. namespace:
  4442. description: |-
  4443. Namespace of the resource being referred to.
  4444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4445. maxLength: 63
  4446. minLength: 1
  4447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4448. type: string
  4449. required:
  4450. - name
  4451. type: object
  4452. type: object
  4453. type: object
  4454. location:
  4455. description: Location optionally defines a location for a secret
  4456. type: string
  4457. projectID:
  4458. description: ProjectID project where secret is located
  4459. type: string
  4460. secretVersionSelectionPolicy:
  4461. default: LatestOrFail
  4462. description: |-
  4463. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4464. when "latest" is disabled or destroyed.
  4465. Possible values are:
  4466. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4467. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4468. type: string
  4469. type: object
  4470. github:
  4471. description: |-
  4472. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4473. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4474. properties:
  4475. appID:
  4476. description: appID specifies the Github APP that will be used to authenticate the client
  4477. format: int64
  4478. type: integer
  4479. auth:
  4480. description: auth configures how secret-manager authenticates with a Github instance.
  4481. properties:
  4482. privateKey:
  4483. description: |-
  4484. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4485. In some instances, `key` is a required field.
  4486. properties:
  4487. key:
  4488. description: |-
  4489. A key in the referenced Secret.
  4490. Some instances of this field may be defaulted, in others it may be required.
  4491. maxLength: 253
  4492. minLength: 1
  4493. pattern: ^[-._a-zA-Z0-9]+$
  4494. type: string
  4495. name:
  4496. description: The name of the Secret resource being referred to.
  4497. maxLength: 253
  4498. minLength: 1
  4499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4500. type: string
  4501. namespace:
  4502. description: |-
  4503. The namespace of the Secret resource being referred to.
  4504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4505. maxLength: 63
  4506. minLength: 1
  4507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4508. type: string
  4509. type: object
  4510. required:
  4511. - privateKey
  4512. type: object
  4513. environment:
  4514. description: environment will be used to fetch secrets from a particular environment within a github repository
  4515. type: string
  4516. installationID:
  4517. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4518. format: int64
  4519. type: integer
  4520. orgSecretVisibility:
  4521. description: |-
  4522. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4523. Valid values are "all" or "private".
  4524. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4525. whatever visibility they already have in GitHub.
  4526. enum:
  4527. - all
  4528. - private
  4529. type: string
  4530. organization:
  4531. description: organization will be used to fetch secrets from the Github organization
  4532. type: string
  4533. repository:
  4534. description: repository will be used to fetch secrets from the Github repository within an organization
  4535. type: string
  4536. uploadURL:
  4537. description: Upload URL for enterprise instances. Default to URL.
  4538. type: string
  4539. url:
  4540. default: https://github.com/
  4541. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4542. type: string
  4543. required:
  4544. - appID
  4545. - auth
  4546. - installationID
  4547. - organization
  4548. type: object
  4549. gitlab:
  4550. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4551. properties:
  4552. auth:
  4553. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4554. properties:
  4555. SecretRef:
  4556. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4557. properties:
  4558. accessToken:
  4559. description: AccessToken is used for authentication.
  4560. properties:
  4561. key:
  4562. description: |-
  4563. A key in the referenced Secret.
  4564. Some instances of this field may be defaulted, in others it may be required.
  4565. maxLength: 253
  4566. minLength: 1
  4567. pattern: ^[-._a-zA-Z0-9]+$
  4568. type: string
  4569. name:
  4570. description: The name of the Secret resource being referred to.
  4571. maxLength: 253
  4572. minLength: 1
  4573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4574. type: string
  4575. namespace:
  4576. description: |-
  4577. The namespace of the Secret resource being referred to.
  4578. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4579. maxLength: 63
  4580. minLength: 1
  4581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4582. type: string
  4583. type: object
  4584. type: object
  4585. required:
  4586. - SecretRef
  4587. type: object
  4588. caBundle:
  4589. description: |-
  4590. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  4591. can be performed.
  4592. format: byte
  4593. type: string
  4594. caProvider:
  4595. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4596. properties:
  4597. key:
  4598. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4599. maxLength: 253
  4600. minLength: 1
  4601. pattern: ^[-._a-zA-Z0-9]+$
  4602. type: string
  4603. name:
  4604. description: The name of the object located at the provider type.
  4605. maxLength: 253
  4606. minLength: 1
  4607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4608. type: string
  4609. namespace:
  4610. description: |-
  4611. The namespace the Provider type is in.
  4612. Can only be defined when used in a ClusterSecretStore.
  4613. maxLength: 63
  4614. minLength: 1
  4615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4616. type: string
  4617. type:
  4618. description: The type of provider to use such as "Secret", or "ConfigMap".
  4619. enum:
  4620. - Secret
  4621. - ConfigMap
  4622. type: string
  4623. required:
  4624. - name
  4625. - type
  4626. type: object
  4627. environment:
  4628. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4629. type: string
  4630. groupIDs:
  4631. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  4632. items:
  4633. type: string
  4634. type: array
  4635. inheritFromGroups:
  4636. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4637. type: boolean
  4638. projectID:
  4639. description: ProjectID specifies a project where secrets are located.
  4640. type: string
  4641. url:
  4642. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4643. type: string
  4644. required:
  4645. - auth
  4646. type: object
  4647. ibm:
  4648. description: IBM configures this store to sync secrets using IBM Cloud provider
  4649. properties:
  4650. auth:
  4651. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4652. maxProperties: 1
  4653. minProperties: 1
  4654. properties:
  4655. containerAuth:
  4656. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4657. properties:
  4658. iamEndpoint:
  4659. type: string
  4660. profile:
  4661. description: the IBM Trusted Profile
  4662. type: string
  4663. tokenLocation:
  4664. description: Location the token is mounted on the pod
  4665. type: string
  4666. required:
  4667. - profile
  4668. type: object
  4669. secretRef:
  4670. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4671. properties:
  4672. iamEndpoint:
  4673. description: The IAM endpoint used to obain a token
  4674. type: string
  4675. secretApiKeySecretRef:
  4676. description: The SecretAccessKey is used for authentication
  4677. properties:
  4678. key:
  4679. description: |-
  4680. A key in the referenced Secret.
  4681. Some instances of this field may be defaulted, in others it may be required.
  4682. maxLength: 253
  4683. minLength: 1
  4684. pattern: ^[-._a-zA-Z0-9]+$
  4685. type: string
  4686. name:
  4687. description: The name of the Secret resource being referred to.
  4688. maxLength: 253
  4689. minLength: 1
  4690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4691. type: string
  4692. namespace:
  4693. description: |-
  4694. The namespace of the Secret resource being referred to.
  4695. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4696. maxLength: 63
  4697. minLength: 1
  4698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4699. type: string
  4700. type: object
  4701. type: object
  4702. type: object
  4703. serviceUrl:
  4704. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4705. type: string
  4706. required:
  4707. - auth
  4708. type: object
  4709. infisical:
  4710. description: Infisical configures this store to sync secrets using the Infisical provider
  4711. properties:
  4712. auth:
  4713. description: Auth configures how the Operator authenticates with the Infisical API
  4714. properties:
  4715. awsAuthCredentials:
  4716. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4717. properties:
  4718. identityId:
  4719. description: |-
  4720. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4721. In some instances, `key` is a required field.
  4722. properties:
  4723. key:
  4724. description: |-
  4725. A key in the referenced Secret.
  4726. Some instances of this field may be defaulted, in others it may be required.
  4727. maxLength: 253
  4728. minLength: 1
  4729. pattern: ^[-._a-zA-Z0-9]+$
  4730. type: string
  4731. name:
  4732. description: The name of the Secret resource being referred to.
  4733. maxLength: 253
  4734. minLength: 1
  4735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4736. type: string
  4737. namespace:
  4738. description: |-
  4739. The namespace of the Secret resource being referred to.
  4740. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4741. maxLength: 63
  4742. minLength: 1
  4743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4744. type: string
  4745. type: object
  4746. required:
  4747. - identityId
  4748. type: object
  4749. azureAuthCredentials:
  4750. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4751. properties:
  4752. identityId:
  4753. description: |-
  4754. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4755. In some instances, `key` is a required field.
  4756. properties:
  4757. key:
  4758. description: |-
  4759. A key in the referenced Secret.
  4760. Some instances of this field may be defaulted, in others it may be required.
  4761. maxLength: 253
  4762. minLength: 1
  4763. pattern: ^[-._a-zA-Z0-9]+$
  4764. type: string
  4765. name:
  4766. description: The name of the Secret resource being referred to.
  4767. maxLength: 253
  4768. minLength: 1
  4769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4770. type: string
  4771. namespace:
  4772. description: |-
  4773. The namespace of the Secret resource being referred to.
  4774. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4775. maxLength: 63
  4776. minLength: 1
  4777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4778. type: string
  4779. type: object
  4780. resource:
  4781. description: |-
  4782. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4783. In some instances, `key` is a required field.
  4784. properties:
  4785. key:
  4786. description: |-
  4787. A key in the referenced Secret.
  4788. Some instances of this field may be defaulted, in others it may be required.
  4789. maxLength: 253
  4790. minLength: 1
  4791. pattern: ^[-._a-zA-Z0-9]+$
  4792. type: string
  4793. name:
  4794. description: The name of the Secret resource being referred to.
  4795. maxLength: 253
  4796. minLength: 1
  4797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4798. type: string
  4799. namespace:
  4800. description: |-
  4801. The namespace of the Secret resource being referred to.
  4802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4803. maxLength: 63
  4804. minLength: 1
  4805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4806. type: string
  4807. type: object
  4808. required:
  4809. - identityId
  4810. type: object
  4811. gcpIamAuthCredentials:
  4812. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4813. properties:
  4814. identityId:
  4815. description: |-
  4816. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4817. In some instances, `key` is a required field.
  4818. properties:
  4819. key:
  4820. description: |-
  4821. A key in the referenced Secret.
  4822. Some instances of this field may be defaulted, in others it may be required.
  4823. maxLength: 253
  4824. minLength: 1
  4825. pattern: ^[-._a-zA-Z0-9]+$
  4826. type: string
  4827. name:
  4828. description: The name of the Secret resource being referred to.
  4829. maxLength: 253
  4830. minLength: 1
  4831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4832. type: string
  4833. namespace:
  4834. description: |-
  4835. The namespace of the Secret resource being referred to.
  4836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4837. maxLength: 63
  4838. minLength: 1
  4839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4840. type: string
  4841. type: object
  4842. serviceAccountKeyFilePath:
  4843. description: |-
  4844. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4845. In some instances, `key` is a required field.
  4846. properties:
  4847. key:
  4848. description: |-
  4849. A key in the referenced Secret.
  4850. Some instances of this field may be defaulted, in others it may be required.
  4851. maxLength: 253
  4852. minLength: 1
  4853. pattern: ^[-._a-zA-Z0-9]+$
  4854. type: string
  4855. name:
  4856. description: The name of the Secret resource being referred to.
  4857. maxLength: 253
  4858. minLength: 1
  4859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4860. type: string
  4861. namespace:
  4862. description: |-
  4863. The namespace of the Secret resource being referred to.
  4864. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4865. maxLength: 63
  4866. minLength: 1
  4867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4868. type: string
  4869. type: object
  4870. required:
  4871. - identityId
  4872. - serviceAccountKeyFilePath
  4873. type: object
  4874. gcpIdTokenAuthCredentials:
  4875. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4876. properties:
  4877. identityId:
  4878. description: |-
  4879. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4880. In some instances, `key` is a required field.
  4881. properties:
  4882. key:
  4883. description: |-
  4884. A key in the referenced Secret.
  4885. Some instances of this field may be defaulted, in others it may be required.
  4886. maxLength: 253
  4887. minLength: 1
  4888. pattern: ^[-._a-zA-Z0-9]+$
  4889. type: string
  4890. name:
  4891. description: The name of the Secret resource being referred to.
  4892. maxLength: 253
  4893. minLength: 1
  4894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4895. type: string
  4896. namespace:
  4897. description: |-
  4898. The namespace of the Secret resource being referred to.
  4899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4900. maxLength: 63
  4901. minLength: 1
  4902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4903. type: string
  4904. type: object
  4905. required:
  4906. - identityId
  4907. type: object
  4908. jwtAuthCredentials:
  4909. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4910. properties:
  4911. identityId:
  4912. description: |-
  4913. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4914. In some instances, `key` is a required field.
  4915. properties:
  4916. key:
  4917. description: |-
  4918. A key in the referenced Secret.
  4919. Some instances of this field may be defaulted, in others it may be required.
  4920. maxLength: 253
  4921. minLength: 1
  4922. pattern: ^[-._a-zA-Z0-9]+$
  4923. type: string
  4924. name:
  4925. description: The name of the Secret resource being referred to.
  4926. maxLength: 253
  4927. minLength: 1
  4928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4929. type: string
  4930. namespace:
  4931. description: |-
  4932. The namespace of the Secret resource being referred to.
  4933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4934. maxLength: 63
  4935. minLength: 1
  4936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4937. type: string
  4938. type: object
  4939. jwt:
  4940. description: |-
  4941. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4942. In some instances, `key` is a required field.
  4943. properties:
  4944. key:
  4945. description: |-
  4946. A key in the referenced Secret.
  4947. Some instances of this field may be defaulted, in others it may be required.
  4948. maxLength: 253
  4949. minLength: 1
  4950. pattern: ^[-._a-zA-Z0-9]+$
  4951. type: string
  4952. name:
  4953. description: The name of the Secret resource being referred to.
  4954. maxLength: 253
  4955. minLength: 1
  4956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4957. type: string
  4958. namespace:
  4959. description: |-
  4960. The namespace of the Secret resource being referred to.
  4961. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4962. maxLength: 63
  4963. minLength: 1
  4964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4965. type: string
  4966. type: object
  4967. required:
  4968. - identityId
  4969. - jwt
  4970. type: object
  4971. kubernetesAuthCredentials:
  4972. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  4973. properties:
  4974. identityId:
  4975. description: |-
  4976. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4977. In some instances, `key` is a required field.
  4978. properties:
  4979. key:
  4980. description: |-
  4981. A key in the referenced Secret.
  4982. Some instances of this field may be defaulted, in others it may be required.
  4983. maxLength: 253
  4984. minLength: 1
  4985. pattern: ^[-._a-zA-Z0-9]+$
  4986. type: string
  4987. name:
  4988. description: The name of the Secret resource being referred to.
  4989. maxLength: 253
  4990. minLength: 1
  4991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4992. type: string
  4993. namespace:
  4994. description: |-
  4995. The namespace of the Secret resource being referred to.
  4996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4997. maxLength: 63
  4998. minLength: 1
  4999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5000. type: string
  5001. type: object
  5002. serviceAccountTokenPath:
  5003. description: |-
  5004. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5005. In some instances, `key` is a required field.
  5006. properties:
  5007. key:
  5008. description: |-
  5009. A key in the referenced Secret.
  5010. Some instances of this field may be defaulted, in others it may be required.
  5011. maxLength: 253
  5012. minLength: 1
  5013. pattern: ^[-._a-zA-Z0-9]+$
  5014. type: string
  5015. name:
  5016. description: The name of the Secret resource being referred to.
  5017. maxLength: 253
  5018. minLength: 1
  5019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5020. type: string
  5021. namespace:
  5022. description: |-
  5023. The namespace of the Secret resource being referred to.
  5024. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5025. maxLength: 63
  5026. minLength: 1
  5027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5028. type: string
  5029. type: object
  5030. required:
  5031. - identityId
  5032. type: object
  5033. ldapAuthCredentials:
  5034. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5035. properties:
  5036. identityId:
  5037. description: |-
  5038. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5039. In some instances, `key` is a required field.
  5040. properties:
  5041. key:
  5042. description: |-
  5043. A key in the referenced Secret.
  5044. Some instances of this field may be defaulted, in others it may be required.
  5045. maxLength: 253
  5046. minLength: 1
  5047. pattern: ^[-._a-zA-Z0-9]+$
  5048. type: string
  5049. name:
  5050. description: The name of the Secret resource being referred to.
  5051. maxLength: 253
  5052. minLength: 1
  5053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5054. type: string
  5055. namespace:
  5056. description: |-
  5057. The namespace of the Secret resource being referred to.
  5058. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5059. maxLength: 63
  5060. minLength: 1
  5061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5062. type: string
  5063. type: object
  5064. ldapPassword:
  5065. description: |-
  5066. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5067. In some instances, `key` is a required field.
  5068. properties:
  5069. key:
  5070. description: |-
  5071. A key in the referenced Secret.
  5072. Some instances of this field may be defaulted, in others it may be required.
  5073. maxLength: 253
  5074. minLength: 1
  5075. pattern: ^[-._a-zA-Z0-9]+$
  5076. type: string
  5077. name:
  5078. description: The name of the Secret resource being referred to.
  5079. maxLength: 253
  5080. minLength: 1
  5081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5082. type: string
  5083. namespace:
  5084. description: |-
  5085. The namespace of the Secret resource being referred to.
  5086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5087. maxLength: 63
  5088. minLength: 1
  5089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5090. type: string
  5091. type: object
  5092. ldapUsername:
  5093. description: |-
  5094. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5095. In some instances, `key` is a required field.
  5096. properties:
  5097. key:
  5098. description: |-
  5099. A key in the referenced Secret.
  5100. Some instances of this field may be defaulted, in others it may be required.
  5101. maxLength: 253
  5102. minLength: 1
  5103. pattern: ^[-._a-zA-Z0-9]+$
  5104. type: string
  5105. name:
  5106. description: The name of the Secret resource being referred to.
  5107. maxLength: 253
  5108. minLength: 1
  5109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5110. type: string
  5111. namespace:
  5112. description: |-
  5113. The namespace of the Secret resource being referred to.
  5114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5115. maxLength: 63
  5116. minLength: 1
  5117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5118. type: string
  5119. type: object
  5120. required:
  5121. - identityId
  5122. - ldapPassword
  5123. - ldapUsername
  5124. type: object
  5125. ociAuthCredentials:
  5126. description: OciAuthCredentials represents the credentials for OCI authentication.
  5127. properties:
  5128. fingerprint:
  5129. description: |-
  5130. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5131. In some instances, `key` is a required field.
  5132. properties:
  5133. key:
  5134. description: |-
  5135. A key in the referenced Secret.
  5136. Some instances of this field may be defaulted, in others it may be required.
  5137. maxLength: 253
  5138. minLength: 1
  5139. pattern: ^[-._a-zA-Z0-9]+$
  5140. type: string
  5141. name:
  5142. description: The name of the Secret resource being referred to.
  5143. maxLength: 253
  5144. minLength: 1
  5145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5146. type: string
  5147. namespace:
  5148. description: |-
  5149. The namespace of the Secret resource being referred to.
  5150. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5151. maxLength: 63
  5152. minLength: 1
  5153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5154. type: string
  5155. type: object
  5156. identityId:
  5157. description: |-
  5158. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5159. In some instances, `key` is a required field.
  5160. properties:
  5161. key:
  5162. description: |-
  5163. A key in the referenced Secret.
  5164. Some instances of this field may be defaulted, in others it may be required.
  5165. maxLength: 253
  5166. minLength: 1
  5167. pattern: ^[-._a-zA-Z0-9]+$
  5168. type: string
  5169. name:
  5170. description: The name of the Secret resource being referred to.
  5171. maxLength: 253
  5172. minLength: 1
  5173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5174. type: string
  5175. namespace:
  5176. description: |-
  5177. The namespace of the Secret resource being referred to.
  5178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5179. maxLength: 63
  5180. minLength: 1
  5181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5182. type: string
  5183. type: object
  5184. privateKey:
  5185. description: |-
  5186. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5187. In some instances, `key` is a required field.
  5188. properties:
  5189. key:
  5190. description: |-
  5191. A key in the referenced Secret.
  5192. Some instances of this field may be defaulted, in others it may be required.
  5193. maxLength: 253
  5194. minLength: 1
  5195. pattern: ^[-._a-zA-Z0-9]+$
  5196. type: string
  5197. name:
  5198. description: The name of the Secret resource being referred to.
  5199. maxLength: 253
  5200. minLength: 1
  5201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5202. type: string
  5203. namespace:
  5204. description: |-
  5205. The namespace of the Secret resource being referred to.
  5206. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5207. maxLength: 63
  5208. minLength: 1
  5209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5210. type: string
  5211. type: object
  5212. privateKeyPassphrase:
  5213. description: |-
  5214. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5215. In some instances, `key` is a required field.
  5216. properties:
  5217. key:
  5218. description: |-
  5219. A key in the referenced Secret.
  5220. Some instances of this field may be defaulted, in others it may be required.
  5221. maxLength: 253
  5222. minLength: 1
  5223. pattern: ^[-._a-zA-Z0-9]+$
  5224. type: string
  5225. name:
  5226. description: The name of the Secret resource being referred to.
  5227. maxLength: 253
  5228. minLength: 1
  5229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5230. type: string
  5231. namespace:
  5232. description: |-
  5233. The namespace of the Secret resource being referred to.
  5234. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5235. maxLength: 63
  5236. minLength: 1
  5237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5238. type: string
  5239. type: object
  5240. region:
  5241. description: |-
  5242. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5243. In some instances, `key` is a required field.
  5244. properties:
  5245. key:
  5246. description: |-
  5247. A key in the referenced Secret.
  5248. Some instances of this field may be defaulted, in others it may be required.
  5249. maxLength: 253
  5250. minLength: 1
  5251. pattern: ^[-._a-zA-Z0-9]+$
  5252. type: string
  5253. name:
  5254. description: The name of the Secret resource being referred to.
  5255. maxLength: 253
  5256. minLength: 1
  5257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5258. type: string
  5259. namespace:
  5260. description: |-
  5261. The namespace of the Secret resource being referred to.
  5262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5263. maxLength: 63
  5264. minLength: 1
  5265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5266. type: string
  5267. type: object
  5268. tenancyId:
  5269. description: |-
  5270. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5271. In some instances, `key` is a required field.
  5272. properties:
  5273. key:
  5274. description: |-
  5275. A key in the referenced Secret.
  5276. Some instances of this field may be defaulted, in others it may be required.
  5277. maxLength: 253
  5278. minLength: 1
  5279. pattern: ^[-._a-zA-Z0-9]+$
  5280. type: string
  5281. name:
  5282. description: The name of the Secret resource being referred to.
  5283. maxLength: 253
  5284. minLength: 1
  5285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5286. type: string
  5287. namespace:
  5288. description: |-
  5289. The namespace of the Secret resource being referred to.
  5290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5291. maxLength: 63
  5292. minLength: 1
  5293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5294. type: string
  5295. type: object
  5296. userId:
  5297. description: |-
  5298. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5299. In some instances, `key` is a required field.
  5300. properties:
  5301. key:
  5302. description: |-
  5303. A key in the referenced Secret.
  5304. Some instances of this field may be defaulted, in others it may be required.
  5305. maxLength: 253
  5306. minLength: 1
  5307. pattern: ^[-._a-zA-Z0-9]+$
  5308. type: string
  5309. name:
  5310. description: The name of the Secret resource being referred to.
  5311. maxLength: 253
  5312. minLength: 1
  5313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5314. type: string
  5315. namespace:
  5316. description: |-
  5317. The namespace of the Secret resource being referred to.
  5318. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5319. maxLength: 63
  5320. minLength: 1
  5321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5322. type: string
  5323. type: object
  5324. required:
  5325. - fingerprint
  5326. - identityId
  5327. - privateKey
  5328. - region
  5329. - tenancyId
  5330. - userId
  5331. type: object
  5332. tokenAuthCredentials:
  5333. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5334. properties:
  5335. accessToken:
  5336. description: |-
  5337. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5338. In some instances, `key` is a required field.
  5339. properties:
  5340. key:
  5341. description: |-
  5342. A key in the referenced Secret.
  5343. Some instances of this field may be defaulted, in others it may be required.
  5344. maxLength: 253
  5345. minLength: 1
  5346. pattern: ^[-._a-zA-Z0-9]+$
  5347. type: string
  5348. name:
  5349. description: The name of the Secret resource being referred to.
  5350. maxLength: 253
  5351. minLength: 1
  5352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5353. type: string
  5354. namespace:
  5355. description: |-
  5356. The namespace of the Secret resource being referred to.
  5357. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5358. maxLength: 63
  5359. minLength: 1
  5360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5361. type: string
  5362. type: object
  5363. required:
  5364. - accessToken
  5365. type: object
  5366. universalAuthCredentials:
  5367. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5368. properties:
  5369. clientId:
  5370. description: |-
  5371. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5372. In some instances, `key` is a required field.
  5373. properties:
  5374. key:
  5375. description: |-
  5376. A key in the referenced Secret.
  5377. Some instances of this field may be defaulted, in others it may be required.
  5378. maxLength: 253
  5379. minLength: 1
  5380. pattern: ^[-._a-zA-Z0-9]+$
  5381. type: string
  5382. name:
  5383. description: The name of the Secret resource being referred to.
  5384. maxLength: 253
  5385. minLength: 1
  5386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5387. type: string
  5388. namespace:
  5389. description: |-
  5390. The namespace of the Secret resource being referred to.
  5391. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5392. maxLength: 63
  5393. minLength: 1
  5394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5395. type: string
  5396. type: object
  5397. clientSecret:
  5398. description: |-
  5399. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5400. In some instances, `key` is a required field.
  5401. properties:
  5402. key:
  5403. description: |-
  5404. A key in the referenced Secret.
  5405. Some instances of this field may be defaulted, in others it may be required.
  5406. maxLength: 253
  5407. minLength: 1
  5408. pattern: ^[-._a-zA-Z0-9]+$
  5409. type: string
  5410. name:
  5411. description: The name of the Secret resource being referred to.
  5412. maxLength: 253
  5413. minLength: 1
  5414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5415. type: string
  5416. namespace:
  5417. description: |-
  5418. The namespace of the Secret resource being referred to.
  5419. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5420. maxLength: 63
  5421. minLength: 1
  5422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5423. type: string
  5424. type: object
  5425. required:
  5426. - clientId
  5427. - clientSecret
  5428. type: object
  5429. type: object
  5430. caBundle:
  5431. description: |-
  5432. CABundle is a PEM-encoded CA certificate bundle used to validate
  5433. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5434. format: byte
  5435. type: string
  5436. caProvider:
  5437. description: |-
  5438. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5439. The certificate is used to validate the Infisical server's TLS certificate.
  5440. Mutually exclusive with CABundle.
  5441. properties:
  5442. key:
  5443. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5444. maxLength: 253
  5445. minLength: 1
  5446. pattern: ^[-._a-zA-Z0-9]+$
  5447. type: string
  5448. name:
  5449. description: The name of the object located at the provider type.
  5450. maxLength: 253
  5451. minLength: 1
  5452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5453. type: string
  5454. namespace:
  5455. description: |-
  5456. The namespace the Provider type is in.
  5457. Can only be defined when used in a ClusterSecretStore.
  5458. maxLength: 63
  5459. minLength: 1
  5460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5461. type: string
  5462. type:
  5463. description: The type of provider to use such as "Secret", or "ConfigMap".
  5464. enum:
  5465. - Secret
  5466. - ConfigMap
  5467. type: string
  5468. required:
  5469. - name
  5470. - type
  5471. type: object
  5472. hostAPI:
  5473. default: https://app.infisical.com/api
  5474. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5475. type: string
  5476. secretsScope:
  5477. description: SecretsScope defines the scope of the secrets within the workspace
  5478. properties:
  5479. environmentSlug:
  5480. description: EnvironmentSlug is the required slug identifier for the environment.
  5481. type: string
  5482. expandSecretReferences:
  5483. default: true
  5484. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5485. type: boolean
  5486. projectSlug:
  5487. description: ProjectSlug is the required slug identifier for the project.
  5488. type: string
  5489. recursive:
  5490. default: false
  5491. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5492. type: boolean
  5493. secretsPath:
  5494. default: /
  5495. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5496. type: string
  5497. required:
  5498. - environmentSlug
  5499. - projectSlug
  5500. type: object
  5501. required:
  5502. - auth
  5503. - secretsScope
  5504. type: object
  5505. keepersecurity:
  5506. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5507. properties:
  5508. authRef:
  5509. description: |-
  5510. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5511. In some instances, `key` is a required field.
  5512. properties:
  5513. key:
  5514. description: |-
  5515. A key in the referenced Secret.
  5516. Some instances of this field may be defaulted, in others it may be required.
  5517. maxLength: 253
  5518. minLength: 1
  5519. pattern: ^[-._a-zA-Z0-9]+$
  5520. type: string
  5521. name:
  5522. description: The name of the Secret resource being referred to.
  5523. maxLength: 253
  5524. minLength: 1
  5525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5526. type: string
  5527. namespace:
  5528. description: |-
  5529. The namespace of the Secret resource being referred to.
  5530. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5531. maxLength: 63
  5532. minLength: 1
  5533. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5534. type: string
  5535. type: object
  5536. folderID:
  5537. type: string
  5538. getByTitleFallback:
  5539. type: boolean
  5540. required:
  5541. - authRef
  5542. - folderID
  5543. type: object
  5544. kubernetes:
  5545. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5546. properties:
  5547. auth:
  5548. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5549. maxProperties: 1
  5550. minProperties: 1
  5551. properties:
  5552. cert:
  5553. description: has both clientCert and clientKey as secretKeySelector
  5554. properties:
  5555. clientCert:
  5556. description: |-
  5557. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5558. In some instances, `key` is a required field.
  5559. properties:
  5560. key:
  5561. description: |-
  5562. A key in the referenced Secret.
  5563. Some instances of this field may be defaulted, in others it may be required.
  5564. maxLength: 253
  5565. minLength: 1
  5566. pattern: ^[-._a-zA-Z0-9]+$
  5567. type: string
  5568. name:
  5569. description: The name of the Secret resource being referred to.
  5570. maxLength: 253
  5571. minLength: 1
  5572. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5573. type: string
  5574. namespace:
  5575. description: |-
  5576. The namespace of the Secret resource being referred to.
  5577. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5578. maxLength: 63
  5579. minLength: 1
  5580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5581. type: string
  5582. type: object
  5583. clientKey:
  5584. description: |-
  5585. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5586. In some instances, `key` is a required field.
  5587. properties:
  5588. key:
  5589. description: |-
  5590. A key in the referenced Secret.
  5591. Some instances of this field may be defaulted, in others it may be required.
  5592. maxLength: 253
  5593. minLength: 1
  5594. pattern: ^[-._a-zA-Z0-9]+$
  5595. type: string
  5596. name:
  5597. description: The name of the Secret resource being referred to.
  5598. maxLength: 253
  5599. minLength: 1
  5600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5601. type: string
  5602. namespace:
  5603. description: |-
  5604. The namespace of the Secret resource being referred to.
  5605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5606. maxLength: 63
  5607. minLength: 1
  5608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5609. type: string
  5610. type: object
  5611. type: object
  5612. serviceAccount:
  5613. description: points to a service account that should be used for authentication
  5614. properties:
  5615. audiences:
  5616. description: |-
  5617. Audience specifies the `aud` claim for the service account token
  5618. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5619. then this audiences will be appended to the list
  5620. items:
  5621. type: string
  5622. type: array
  5623. name:
  5624. description: The name of the ServiceAccount resource being referred to.
  5625. maxLength: 253
  5626. minLength: 1
  5627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5628. type: string
  5629. namespace:
  5630. description: |-
  5631. Namespace of the resource being referred to.
  5632. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5633. maxLength: 63
  5634. minLength: 1
  5635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5636. type: string
  5637. required:
  5638. - name
  5639. type: object
  5640. token:
  5641. description: use static token to authenticate with
  5642. properties:
  5643. bearerToken:
  5644. description: |-
  5645. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5646. In some instances, `key` is a required field.
  5647. properties:
  5648. key:
  5649. description: |-
  5650. A key in the referenced Secret.
  5651. Some instances of this field may be defaulted, in others it may be required.
  5652. maxLength: 253
  5653. minLength: 1
  5654. pattern: ^[-._a-zA-Z0-9]+$
  5655. type: string
  5656. name:
  5657. description: The name of the Secret resource being referred to.
  5658. maxLength: 253
  5659. minLength: 1
  5660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5661. type: string
  5662. namespace:
  5663. description: |-
  5664. The namespace of the Secret resource being referred to.
  5665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5666. maxLength: 63
  5667. minLength: 1
  5668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5669. type: string
  5670. type: object
  5671. type: object
  5672. type: object
  5673. authRef:
  5674. description: A reference to a secret that contains the auth information.
  5675. properties:
  5676. key:
  5677. description: |-
  5678. A key in the referenced Secret.
  5679. Some instances of this field may be defaulted, in others it may be required.
  5680. maxLength: 253
  5681. minLength: 1
  5682. pattern: ^[-._a-zA-Z0-9]+$
  5683. type: string
  5684. name:
  5685. description: The name of the Secret resource being referred to.
  5686. maxLength: 253
  5687. minLength: 1
  5688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5689. type: string
  5690. namespace:
  5691. description: |-
  5692. The namespace of the Secret resource being referred to.
  5693. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5694. maxLength: 63
  5695. minLength: 1
  5696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5697. type: string
  5698. type: object
  5699. remoteNamespace:
  5700. default: default
  5701. description: Remote namespace to fetch the secrets from
  5702. maxLength: 63
  5703. minLength: 1
  5704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5705. type: string
  5706. server:
  5707. description: configures the Kubernetes server Address.
  5708. properties:
  5709. caBundle:
  5710. description: CABundle is a base64-encoded CA certificate
  5711. format: byte
  5712. type: string
  5713. caProvider:
  5714. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5715. properties:
  5716. key:
  5717. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5718. maxLength: 253
  5719. minLength: 1
  5720. pattern: ^[-._a-zA-Z0-9]+$
  5721. type: string
  5722. name:
  5723. description: The name of the object located at the provider type.
  5724. maxLength: 253
  5725. minLength: 1
  5726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5727. type: string
  5728. namespace:
  5729. description: |-
  5730. The namespace the Provider type is in.
  5731. Can only be defined when used in a ClusterSecretStore.
  5732. maxLength: 63
  5733. minLength: 1
  5734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5735. type: string
  5736. type:
  5737. description: The type of provider to use such as "Secret", or "ConfigMap".
  5738. enum:
  5739. - Secret
  5740. - ConfigMap
  5741. type: string
  5742. required:
  5743. - name
  5744. - type
  5745. type: object
  5746. url:
  5747. default: kubernetes.default
  5748. description: configures the Kubernetes server Address.
  5749. type: string
  5750. type: object
  5751. type: object
  5752. nebiusmysterybox:
  5753. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5754. properties:
  5755. apiDomain:
  5756. description: NebiusMysterybox API endpoint
  5757. type: string
  5758. auth:
  5759. description: Auth defines parameters to authenticate in MysteryBox
  5760. properties:
  5761. serviceAccountCredsSecretRef:
  5762. description: |-
  5763. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5764. document with service account credentials used to get an IAM token.
  5765. Expected JSON structure:
  5766. {
  5767. "subject-credentials": {
  5768. "alg": "RS256",
  5769. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5770. "kid": "<public-key-id>",
  5771. "iss": "<issuer-service-account-id>",
  5772. "sub": "<subject-service-account-id>"
  5773. }
  5774. }
  5775. properties:
  5776. key:
  5777. description: |-
  5778. A key in the referenced Secret.
  5779. Some instances of this field may be defaulted, in others it may be required.
  5780. maxLength: 253
  5781. minLength: 1
  5782. pattern: ^[-._a-zA-Z0-9]+$
  5783. type: string
  5784. name:
  5785. description: The name of the Secret resource being referred to.
  5786. maxLength: 253
  5787. minLength: 1
  5788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5789. type: string
  5790. namespace:
  5791. description: |-
  5792. The namespace of the Secret resource being referred to.
  5793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5794. maxLength: 63
  5795. minLength: 1
  5796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5797. type: string
  5798. type: object
  5799. tokenSecretRef:
  5800. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5801. properties:
  5802. key:
  5803. description: |-
  5804. A key in the referenced Secret.
  5805. Some instances of this field may be defaulted, in others it may be required.
  5806. maxLength: 253
  5807. minLength: 1
  5808. pattern: ^[-._a-zA-Z0-9]+$
  5809. type: string
  5810. name:
  5811. description: The name of the Secret resource being referred to.
  5812. maxLength: 253
  5813. minLength: 1
  5814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5815. type: string
  5816. namespace:
  5817. description: |-
  5818. The namespace of the Secret resource being referred to.
  5819. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5820. maxLength: 63
  5821. minLength: 1
  5822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5823. type: string
  5824. type: object
  5825. type: object
  5826. x-kubernetes-validations:
  5827. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5828. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5829. caProvider:
  5830. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5831. properties:
  5832. certSecretRef:
  5833. description: |-
  5834. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5835. In some instances, `key` is a required field.
  5836. properties:
  5837. key:
  5838. description: |-
  5839. A key in the referenced Secret.
  5840. Some instances of this field may be defaulted, in others it may be required.
  5841. maxLength: 253
  5842. minLength: 1
  5843. pattern: ^[-._a-zA-Z0-9]+$
  5844. type: string
  5845. name:
  5846. description: The name of the Secret resource being referred to.
  5847. maxLength: 253
  5848. minLength: 1
  5849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5850. type: string
  5851. namespace:
  5852. description: |-
  5853. The namespace of the Secret resource being referred to.
  5854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5855. maxLength: 63
  5856. minLength: 1
  5857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5858. type: string
  5859. type: object
  5860. type: object
  5861. required:
  5862. - apiDomain
  5863. - auth
  5864. type: object
  5865. ngrok:
  5866. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5867. properties:
  5868. apiUrl:
  5869. default: https://api.ngrok.com
  5870. description: APIURL is the URL of the ngrok API.
  5871. type: string
  5872. auth:
  5873. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5874. maxProperties: 1
  5875. minProperties: 1
  5876. properties:
  5877. apiKey:
  5878. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5879. properties:
  5880. secretRef:
  5881. description: SecretRef is a reference to a secret containing the ngrok API key.
  5882. properties:
  5883. key:
  5884. description: |-
  5885. A key in the referenced Secret.
  5886. Some instances of this field may be defaulted, in others it may be required.
  5887. maxLength: 253
  5888. minLength: 1
  5889. pattern: ^[-._a-zA-Z0-9]+$
  5890. type: string
  5891. name:
  5892. description: The name of the Secret resource being referred to.
  5893. maxLength: 253
  5894. minLength: 1
  5895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5896. type: string
  5897. namespace:
  5898. description: |-
  5899. The namespace of the Secret resource being referred to.
  5900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5901. maxLength: 63
  5902. minLength: 1
  5903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5904. type: string
  5905. type: object
  5906. type: object
  5907. type: object
  5908. vault:
  5909. description: Vault configures the ngrok vault to sync secrets with.
  5910. properties:
  5911. name:
  5912. description: Name is the name of the ngrok vault to sync secrets with.
  5913. type: string
  5914. required:
  5915. - name
  5916. type: object
  5917. required:
  5918. - auth
  5919. - vault
  5920. type: object
  5921. onboardbase:
  5922. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5923. properties:
  5924. apiHost:
  5925. default: https://public.onboardbase.com/api/v1/
  5926. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  5927. type: string
  5928. auth:
  5929. description: Auth configures how the Operator authenticates with the Onboardbase API
  5930. properties:
  5931. apiKeyRef:
  5932. description: |-
  5933. OnboardbaseAPIKey is the APIKey generated by an admin account.
  5934. It is used to recognize and authorize access to a project and environment within onboardbase
  5935. properties:
  5936. key:
  5937. description: |-
  5938. A key in the referenced Secret.
  5939. Some instances of this field may be defaulted, in others it may be required.
  5940. maxLength: 253
  5941. minLength: 1
  5942. pattern: ^[-._a-zA-Z0-9]+$
  5943. type: string
  5944. name:
  5945. description: The name of the Secret resource being referred to.
  5946. maxLength: 253
  5947. minLength: 1
  5948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5949. type: string
  5950. namespace:
  5951. description: |-
  5952. The namespace of the Secret resource being referred to.
  5953. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5954. maxLength: 63
  5955. minLength: 1
  5956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5957. type: string
  5958. type: object
  5959. passcodeRef:
  5960. description: OnboardbasePasscode is the passcode attached to the API Key
  5961. properties:
  5962. key:
  5963. description: |-
  5964. A key in the referenced Secret.
  5965. Some instances of this field may be defaulted, in others it may be required.
  5966. maxLength: 253
  5967. minLength: 1
  5968. pattern: ^[-._a-zA-Z0-9]+$
  5969. type: string
  5970. name:
  5971. description: The name of the Secret resource being referred to.
  5972. maxLength: 253
  5973. minLength: 1
  5974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5975. type: string
  5976. namespace:
  5977. description: |-
  5978. The namespace of the Secret resource being referred to.
  5979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5980. maxLength: 63
  5981. minLength: 1
  5982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5983. type: string
  5984. type: object
  5985. required:
  5986. - apiKeyRef
  5987. - passcodeRef
  5988. type: object
  5989. environment:
  5990. default: development
  5991. description: Environment is the name of an environmnent within a project to pull the secrets from
  5992. type: string
  5993. project:
  5994. default: development
  5995. description: Project is an onboardbase project that the secrets should be pulled from
  5996. type: string
  5997. required:
  5998. - apiHost
  5999. - auth
  6000. - environment
  6001. - project
  6002. type: object
  6003. onepassword:
  6004. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6005. properties:
  6006. auth:
  6007. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6008. properties:
  6009. secretRef:
  6010. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6011. properties:
  6012. connectTokenSecretRef:
  6013. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6014. properties:
  6015. key:
  6016. description: |-
  6017. A key in the referenced Secret.
  6018. Some instances of this field may be defaulted, in others it may be required.
  6019. maxLength: 253
  6020. minLength: 1
  6021. pattern: ^[-._a-zA-Z0-9]+$
  6022. type: string
  6023. name:
  6024. description: The name of the Secret resource being referred to.
  6025. maxLength: 253
  6026. minLength: 1
  6027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6028. type: string
  6029. namespace:
  6030. description: |-
  6031. The namespace of the Secret resource being referred to.
  6032. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6033. maxLength: 63
  6034. minLength: 1
  6035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6036. type: string
  6037. type: object
  6038. required:
  6039. - connectTokenSecretRef
  6040. type: object
  6041. required:
  6042. - secretRef
  6043. type: object
  6044. connectHost:
  6045. description: ConnectHost defines the OnePassword Connect Server to connect to
  6046. type: string
  6047. vaults:
  6048. additionalProperties:
  6049. type: integer
  6050. description: Vaults defines which OnePassword vaults to search in which order
  6051. type: object
  6052. required:
  6053. - auth
  6054. - connectHost
  6055. - vaults
  6056. type: object
  6057. onepasswordSDK:
  6058. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6059. properties:
  6060. auth:
  6061. description: Auth defines the information necessary to authenticate against OnePassword API.
  6062. properties:
  6063. serviceAccountSecretRef:
  6064. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6065. properties:
  6066. key:
  6067. description: |-
  6068. A key in the referenced Secret.
  6069. Some instances of this field may be defaulted, in others it may be required.
  6070. maxLength: 253
  6071. minLength: 1
  6072. pattern: ^[-._a-zA-Z0-9]+$
  6073. type: string
  6074. name:
  6075. description: The name of the Secret resource being referred to.
  6076. maxLength: 253
  6077. minLength: 1
  6078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6079. type: string
  6080. namespace:
  6081. description: |-
  6082. The namespace of the Secret resource being referred to.
  6083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6084. maxLength: 63
  6085. minLength: 1
  6086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6087. type: string
  6088. type: object
  6089. required:
  6090. - serviceAccountSecretRef
  6091. type: object
  6092. cache:
  6093. description: |-
  6094. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6095. When enabled, secrets are cached with the specified TTL.
  6096. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6097. If omitted, caching is disabled (default).
  6098. cache: {} is a valid option to set.
  6099. properties:
  6100. maxSize:
  6101. default: 100
  6102. description: |-
  6103. MaxSize is the maximum number of secrets to cache.
  6104. When the cache is full, least-recently-used entries are evicted.
  6105. minimum: 1
  6106. type: integer
  6107. ttl:
  6108. default: 5m
  6109. description: |-
  6110. TTL is the time-to-live for cached secrets.
  6111. Format: duration string (e.g., "5m", "1h", "30s")
  6112. type: string
  6113. type: object
  6114. integrationInfo:
  6115. description: |-
  6116. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6117. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6118. properties:
  6119. name:
  6120. default: 1Password SDK
  6121. description: Name defaults to "1Password SDK".
  6122. type: string
  6123. version:
  6124. default: v1.0.0
  6125. description: Version defaults to "v1.0.0".
  6126. type: string
  6127. type: object
  6128. vault:
  6129. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6130. type: string
  6131. required:
  6132. - auth
  6133. - vault
  6134. type: object
  6135. openBao:
  6136. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6137. properties:
  6138. auth:
  6139. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6140. properties:
  6141. tokenSecretRef:
  6142. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6143. properties:
  6144. key:
  6145. description: |-
  6146. A key in the referenced Secret.
  6147. Some instances of this field may be defaulted, in others it may be required.
  6148. maxLength: 253
  6149. minLength: 1
  6150. pattern: ^[-._a-zA-Z0-9]+$
  6151. type: string
  6152. name:
  6153. description: The name of the Secret resource being referred to.
  6154. maxLength: 253
  6155. minLength: 1
  6156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6157. type: string
  6158. namespace:
  6159. description: |-
  6160. The namespace of the Secret resource being referred to.
  6161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6162. maxLength: 63
  6163. minLength: 1
  6164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6165. type: string
  6166. type: object
  6167. type: object
  6168. path:
  6169. description: |-
  6170. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6171. "secret". The v2 KV secret engine version specific "/data" path suffix
  6172. for fetching secrets from OpenBao is optional and will be appended
  6173. if not present in specified path.
  6174. type: string
  6175. server:
  6176. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6177. type: string
  6178. version:
  6179. default: v2
  6180. description: |-
  6181. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6182. "v2". Version defaults to "v2".
  6183. enum:
  6184. - v1
  6185. - v2
  6186. type: string
  6187. required:
  6188. - server
  6189. type: object
  6190. oracle:
  6191. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6192. properties:
  6193. auth:
  6194. description: |-
  6195. Auth configures how secret-manager authenticates with the Oracle Vault.
  6196. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6197. properties:
  6198. secretRef:
  6199. description: SecretRef to pass through sensitive information.
  6200. properties:
  6201. fingerprint:
  6202. description: Fingerprint is the fingerprint of the API private key.
  6203. properties:
  6204. key:
  6205. description: |-
  6206. A key in the referenced Secret.
  6207. Some instances of this field may be defaulted, in others it may be required.
  6208. maxLength: 253
  6209. minLength: 1
  6210. pattern: ^[-._a-zA-Z0-9]+$
  6211. type: string
  6212. name:
  6213. description: The name of the Secret resource being referred to.
  6214. maxLength: 253
  6215. minLength: 1
  6216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6217. type: string
  6218. namespace:
  6219. description: |-
  6220. The namespace of the Secret resource being referred to.
  6221. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6222. maxLength: 63
  6223. minLength: 1
  6224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6225. type: string
  6226. type: object
  6227. privatekey:
  6228. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6229. properties:
  6230. key:
  6231. description: |-
  6232. A key in the referenced Secret.
  6233. Some instances of this field may be defaulted, in others it may be required.
  6234. maxLength: 253
  6235. minLength: 1
  6236. pattern: ^[-._a-zA-Z0-9]+$
  6237. type: string
  6238. name:
  6239. description: The name of the Secret resource being referred to.
  6240. maxLength: 253
  6241. minLength: 1
  6242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6243. type: string
  6244. namespace:
  6245. description: |-
  6246. The namespace of the Secret resource being referred to.
  6247. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6248. maxLength: 63
  6249. minLength: 1
  6250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6251. type: string
  6252. type: object
  6253. required:
  6254. - fingerprint
  6255. - privatekey
  6256. type: object
  6257. tenancy:
  6258. description: Tenancy is the tenancy OCID where user is located.
  6259. type: string
  6260. user:
  6261. description: User is an access OCID specific to the account.
  6262. type: string
  6263. required:
  6264. - secretRef
  6265. - tenancy
  6266. - user
  6267. type: object
  6268. compartment:
  6269. description: |-
  6270. Compartment is the vault compartment OCID.
  6271. Required for PushSecret
  6272. type: string
  6273. encryptionKey:
  6274. description: |-
  6275. EncryptionKey is the OCID of the encryption key within the vault.
  6276. Required for PushSecret
  6277. type: string
  6278. principalType:
  6279. description: |-
  6280. The type of principal to use for authentication. If left blank, the Auth struct will
  6281. determine the principal type. This optional field must be specified if using
  6282. workload identity.
  6283. enum:
  6284. - ""
  6285. - UserPrincipal
  6286. - InstancePrincipal
  6287. - Workload
  6288. type: string
  6289. region:
  6290. description: Region is the region where vault is located.
  6291. type: string
  6292. serviceAccountRef:
  6293. description: |-
  6294. ServiceAccountRef specified the service account
  6295. that should be used when authenticating with WorkloadIdentity.
  6296. properties:
  6297. audiences:
  6298. description: |-
  6299. Audience specifies the `aud` claim for the service account token
  6300. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6301. then this audiences will be appended to the list
  6302. items:
  6303. type: string
  6304. type: array
  6305. name:
  6306. description: The name of the ServiceAccount resource being referred to.
  6307. maxLength: 253
  6308. minLength: 1
  6309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6310. type: string
  6311. namespace:
  6312. description: |-
  6313. Namespace of the resource being referred to.
  6314. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6315. maxLength: 63
  6316. minLength: 1
  6317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6318. type: string
  6319. required:
  6320. - name
  6321. type: object
  6322. vault:
  6323. description: Vault is the vault's OCID of the specific vault where secret is located.
  6324. type: string
  6325. required:
  6326. - region
  6327. - vault
  6328. type: object
  6329. ovh:
  6330. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6331. properties:
  6332. auth:
  6333. description: Authentication method (mtls or token).
  6334. properties:
  6335. mtls:
  6336. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6337. properties:
  6338. caBundle:
  6339. format: byte
  6340. type: string
  6341. caProvider:
  6342. description: |-
  6343. CAProvider provides a custom certificate authority for accessing the provider's store.
  6344. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6345. properties:
  6346. key:
  6347. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6348. maxLength: 253
  6349. minLength: 1
  6350. pattern: ^[-._a-zA-Z0-9]+$
  6351. type: string
  6352. name:
  6353. description: The name of the object located at the provider type.
  6354. maxLength: 253
  6355. minLength: 1
  6356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6357. type: string
  6358. namespace:
  6359. description: |-
  6360. The namespace the Provider type is in.
  6361. Can only be defined when used in a ClusterSecretStore.
  6362. maxLength: 63
  6363. minLength: 1
  6364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6365. type: string
  6366. type:
  6367. description: The type of provider to use such as "Secret", or "ConfigMap".
  6368. enum:
  6369. - Secret
  6370. - ConfigMap
  6371. type: string
  6372. required:
  6373. - name
  6374. - type
  6375. type: object
  6376. certSecretRef:
  6377. description: |-
  6378. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6379. In some instances, `key` is a required field.
  6380. properties:
  6381. key:
  6382. description: |-
  6383. A key in the referenced Secret.
  6384. Some instances of this field may be defaulted, in others it may be required.
  6385. maxLength: 253
  6386. minLength: 1
  6387. pattern: ^[-._a-zA-Z0-9]+$
  6388. type: string
  6389. name:
  6390. description: The name of the Secret resource being referred to.
  6391. maxLength: 253
  6392. minLength: 1
  6393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6394. type: string
  6395. namespace:
  6396. description: |-
  6397. The namespace of the Secret resource being referred to.
  6398. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6399. maxLength: 63
  6400. minLength: 1
  6401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6402. type: string
  6403. type: object
  6404. keySecretRef:
  6405. description: |-
  6406. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6407. In some instances, `key` is a required field.
  6408. properties:
  6409. key:
  6410. description: |-
  6411. A key in the referenced Secret.
  6412. Some instances of this field may be defaulted, in others it may be required.
  6413. maxLength: 253
  6414. minLength: 1
  6415. pattern: ^[-._a-zA-Z0-9]+$
  6416. type: string
  6417. name:
  6418. description: The name of the Secret resource being referred to.
  6419. maxLength: 253
  6420. minLength: 1
  6421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6422. type: string
  6423. namespace:
  6424. description: |-
  6425. The namespace of the Secret resource being referred to.
  6426. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6427. maxLength: 63
  6428. minLength: 1
  6429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6430. type: string
  6431. type: object
  6432. required:
  6433. - certSecretRef
  6434. - keySecretRef
  6435. type: object
  6436. token:
  6437. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6438. properties:
  6439. tokenSecretRef:
  6440. description: |-
  6441. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6442. In some instances, `key` is a required field.
  6443. properties:
  6444. key:
  6445. description: |-
  6446. A key in the referenced Secret.
  6447. Some instances of this field may be defaulted, in others it may be required.
  6448. maxLength: 253
  6449. minLength: 1
  6450. pattern: ^[-._a-zA-Z0-9]+$
  6451. type: string
  6452. name:
  6453. description: The name of the Secret resource being referred to.
  6454. maxLength: 253
  6455. minLength: 1
  6456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6457. type: string
  6458. namespace:
  6459. description: |-
  6460. The namespace of the Secret resource being referred to.
  6461. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6462. maxLength: 63
  6463. minLength: 1
  6464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6465. type: string
  6466. type: object
  6467. required:
  6468. - tokenSecretRef
  6469. type: object
  6470. type: object
  6471. casRequired:
  6472. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6473. type: boolean
  6474. okmsTimeout:
  6475. default: 30
  6476. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  6477. format: int32
  6478. minimum: 1
  6479. type: integer
  6480. okmsid:
  6481. description: specifies the OKMS ID.
  6482. type: string
  6483. server:
  6484. description: specifies the OKMS server endpoint.
  6485. type: string
  6486. required:
  6487. - auth
  6488. - okmsid
  6489. - server
  6490. type: object
  6491. passbolt:
  6492. description: |-
  6493. PassboltProvider provides access to Passbolt secrets manager.
  6494. See: https://www.passbolt.com.
  6495. properties:
  6496. auth:
  6497. description: Auth defines the information necessary to authenticate against Passbolt Server
  6498. properties:
  6499. passwordSecretRef:
  6500. description: |-
  6501. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6502. In some instances, `key` is a required field.
  6503. properties:
  6504. key:
  6505. description: |-
  6506. A key in the referenced Secret.
  6507. Some instances of this field may be defaulted, in others it may be required.
  6508. maxLength: 253
  6509. minLength: 1
  6510. pattern: ^[-._a-zA-Z0-9]+$
  6511. type: string
  6512. name:
  6513. description: The name of the Secret resource being referred to.
  6514. maxLength: 253
  6515. minLength: 1
  6516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6517. type: string
  6518. namespace:
  6519. description: |-
  6520. The namespace of the Secret resource being referred to.
  6521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6522. maxLength: 63
  6523. minLength: 1
  6524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6525. type: string
  6526. type: object
  6527. privateKeySecretRef:
  6528. description: |-
  6529. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6530. In some instances, `key` is a required field.
  6531. properties:
  6532. key:
  6533. description: |-
  6534. A key in the referenced Secret.
  6535. Some instances of this field may be defaulted, in others it may be required.
  6536. maxLength: 253
  6537. minLength: 1
  6538. pattern: ^[-._a-zA-Z0-9]+$
  6539. type: string
  6540. name:
  6541. description: The name of the Secret resource being referred to.
  6542. maxLength: 253
  6543. minLength: 1
  6544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6545. type: string
  6546. namespace:
  6547. description: |-
  6548. The namespace of the Secret resource being referred to.
  6549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6550. maxLength: 63
  6551. minLength: 1
  6552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6553. type: string
  6554. type: object
  6555. required:
  6556. - passwordSecretRef
  6557. - privateKeySecretRef
  6558. type: object
  6559. caBundle:
  6560. description: |-
  6561. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6562. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6563. are used to validate the TLS connection.
  6564. format: byte
  6565. type: string
  6566. caProvider:
  6567. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6568. properties:
  6569. key:
  6570. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6571. maxLength: 253
  6572. minLength: 1
  6573. pattern: ^[-._a-zA-Z0-9]+$
  6574. type: string
  6575. name:
  6576. description: The name of the object located at the provider type.
  6577. maxLength: 253
  6578. minLength: 1
  6579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6580. type: string
  6581. namespace:
  6582. description: |-
  6583. The namespace the Provider type is in.
  6584. Can only be defined when used in a ClusterSecretStore.
  6585. maxLength: 63
  6586. minLength: 1
  6587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6588. type: string
  6589. type:
  6590. description: The type of provider to use such as "Secret", or "ConfigMap".
  6591. enum:
  6592. - Secret
  6593. - ConfigMap
  6594. type: string
  6595. required:
  6596. - name
  6597. - type
  6598. type: object
  6599. host:
  6600. description: Host defines the Passbolt Server to connect to
  6601. type: string
  6602. required:
  6603. - auth
  6604. - host
  6605. type: object
  6606. passworddepot:
  6607. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6608. properties:
  6609. auth:
  6610. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6611. properties:
  6612. secretRef:
  6613. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6614. properties:
  6615. credentials:
  6616. description: Username / Password is used for authentication.
  6617. properties:
  6618. key:
  6619. description: |-
  6620. A key in the referenced Secret.
  6621. Some instances of this field may be defaulted, in others it may be required.
  6622. maxLength: 253
  6623. minLength: 1
  6624. pattern: ^[-._a-zA-Z0-9]+$
  6625. type: string
  6626. name:
  6627. description: The name of the Secret resource being referred to.
  6628. maxLength: 253
  6629. minLength: 1
  6630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6631. type: string
  6632. namespace:
  6633. description: |-
  6634. The namespace of the Secret resource being referred to.
  6635. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6636. maxLength: 63
  6637. minLength: 1
  6638. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6639. type: string
  6640. type: object
  6641. type: object
  6642. required:
  6643. - secretRef
  6644. type: object
  6645. database:
  6646. description: Database to use as source
  6647. type: string
  6648. host:
  6649. description: URL configures the Password Depot instance URL.
  6650. type: string
  6651. required:
  6652. - auth
  6653. - database
  6654. - host
  6655. type: object
  6656. previder:
  6657. description: Previder configures this store to sync secrets using the Previder provider
  6658. properties:
  6659. auth:
  6660. description: PreviderAuth contains a secretRef for credentials.
  6661. properties:
  6662. secretRef:
  6663. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6664. properties:
  6665. accessToken:
  6666. description: The AccessToken is used for authentication
  6667. properties:
  6668. key:
  6669. description: |-
  6670. A key in the referenced Secret.
  6671. Some instances of this field may be defaulted, in others it may be required.
  6672. maxLength: 253
  6673. minLength: 1
  6674. pattern: ^[-._a-zA-Z0-9]+$
  6675. type: string
  6676. name:
  6677. description: The name of the Secret resource being referred to.
  6678. maxLength: 253
  6679. minLength: 1
  6680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6681. type: string
  6682. namespace:
  6683. description: |-
  6684. The namespace of the Secret resource being referred to.
  6685. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6686. maxLength: 63
  6687. minLength: 1
  6688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6689. type: string
  6690. type: object
  6691. required:
  6692. - accessToken
  6693. type: object
  6694. type: object
  6695. baseUri:
  6696. type: string
  6697. required:
  6698. - auth
  6699. type: object
  6700. pulumi:
  6701. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6702. properties:
  6703. accessToken:
  6704. description: |-
  6705. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  6706. Deprecated: Use auth.accessToken instead.
  6707. properties:
  6708. secretRef:
  6709. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6710. properties:
  6711. key:
  6712. description: |-
  6713. A key in the referenced Secret.
  6714. Some instances of this field may be defaulted, in others it may be required.
  6715. maxLength: 253
  6716. minLength: 1
  6717. pattern: ^[-._a-zA-Z0-9]+$
  6718. type: string
  6719. name:
  6720. description: The name of the Secret resource being referred to.
  6721. maxLength: 253
  6722. minLength: 1
  6723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6724. type: string
  6725. namespace:
  6726. description: |-
  6727. The namespace of the Secret resource being referred to.
  6728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6729. maxLength: 63
  6730. minLength: 1
  6731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6732. type: string
  6733. type: object
  6734. type: object
  6735. apiUrl:
  6736. default: https://api.pulumi.com/api/esc
  6737. description: APIURL is the URL of the Pulumi API.
  6738. type: string
  6739. auth:
  6740. description: |-
  6741. Auth configures how the Operator authenticates with the Pulumi API.
  6742. Either auth or the deprecated accessToken field must be specified.
  6743. properties:
  6744. accessToken:
  6745. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  6746. properties:
  6747. secretRef:
  6748. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6749. properties:
  6750. key:
  6751. description: |-
  6752. A key in the referenced Secret.
  6753. Some instances of this field may be defaulted, in others it may be required.
  6754. maxLength: 253
  6755. minLength: 1
  6756. pattern: ^[-._a-zA-Z0-9]+$
  6757. type: string
  6758. name:
  6759. description: The name of the Secret resource being referred to.
  6760. maxLength: 253
  6761. minLength: 1
  6762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6763. type: string
  6764. namespace:
  6765. description: |-
  6766. The namespace of the Secret resource being referred to.
  6767. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6768. maxLength: 63
  6769. minLength: 1
  6770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6771. type: string
  6772. type: object
  6773. type: object
  6774. oidcConfig:
  6775. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  6776. properties:
  6777. expirationSeconds:
  6778. default: 600
  6779. description: |-
  6780. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  6781. Defaults to 10 minutes.
  6782. format: int64
  6783. minimum: 600
  6784. type: integer
  6785. organization:
  6786. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  6787. type: string
  6788. serviceAccountRef:
  6789. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  6790. properties:
  6791. audiences:
  6792. description: |-
  6793. Audience specifies the `aud` claim for the service account token
  6794. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6795. then this audiences will be appended to the list
  6796. items:
  6797. type: string
  6798. type: array
  6799. name:
  6800. description: The name of the ServiceAccount resource being referred to.
  6801. maxLength: 253
  6802. minLength: 1
  6803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6804. type: string
  6805. namespace:
  6806. description: |-
  6807. Namespace of the resource being referred to.
  6808. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6809. maxLength: 63
  6810. minLength: 1
  6811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6812. type: string
  6813. required:
  6814. - name
  6815. type: object
  6816. required:
  6817. - organization
  6818. - serviceAccountRef
  6819. type: object
  6820. type: object
  6821. x-kubernetes-validations:
  6822. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  6823. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  6824. environment:
  6825. description: |-
  6826. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  6827. dynamically retrieved values from supported providers including all major clouds,
  6828. and other Pulumi ESC environments.
  6829. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  6830. type: string
  6831. organization:
  6832. description: |-
  6833. Organization are a space to collaborate on shared projects and stacks.
  6834. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  6835. type: string
  6836. project:
  6837. description: Project is the name of the Pulumi ESC project the environment belongs to.
  6838. type: string
  6839. required:
  6840. - environment
  6841. - organization
  6842. - project
  6843. type: object
  6844. x-kubernetes-validations:
  6845. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  6846. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  6847. scaleway:
  6848. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  6849. properties:
  6850. accessKey:
  6851. description: AccessKey is the non-secret part of the api key.
  6852. properties:
  6853. secretRef:
  6854. description: SecretRef references a key in a secret that will be used as value.
  6855. properties:
  6856. key:
  6857. description: |-
  6858. A key in the referenced Secret.
  6859. Some instances of this field may be defaulted, in others it may be required.
  6860. maxLength: 253
  6861. minLength: 1
  6862. pattern: ^[-._a-zA-Z0-9]+$
  6863. type: string
  6864. name:
  6865. description: The name of the Secret resource being referred to.
  6866. maxLength: 253
  6867. minLength: 1
  6868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6869. type: string
  6870. namespace:
  6871. description: |-
  6872. The namespace of the Secret resource being referred to.
  6873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6874. maxLength: 63
  6875. minLength: 1
  6876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6877. type: string
  6878. type: object
  6879. value:
  6880. description: Value can be specified directly to set a value without using a secret.
  6881. type: string
  6882. type: object
  6883. apiUrl:
  6884. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  6885. type: string
  6886. projectId:
  6887. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  6888. type: string
  6889. region:
  6890. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  6891. type: string
  6892. secretKey:
  6893. description: SecretKey is the non-secret part of the api key.
  6894. properties:
  6895. secretRef:
  6896. description: SecretRef references a key in a secret that will be used as value.
  6897. properties:
  6898. key:
  6899. description: |-
  6900. A key in the referenced Secret.
  6901. Some instances of this field may be defaulted, in others it may be required.
  6902. maxLength: 253
  6903. minLength: 1
  6904. pattern: ^[-._a-zA-Z0-9]+$
  6905. type: string
  6906. name:
  6907. description: The name of the Secret resource being referred to.
  6908. maxLength: 253
  6909. minLength: 1
  6910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6911. type: string
  6912. namespace:
  6913. description: |-
  6914. The namespace of the Secret resource being referred to.
  6915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6916. maxLength: 63
  6917. minLength: 1
  6918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6919. type: string
  6920. type: object
  6921. value:
  6922. description: Value can be specified directly to set a value without using a secret.
  6923. type: string
  6924. type: object
  6925. required:
  6926. - accessKey
  6927. - projectId
  6928. - region
  6929. - secretKey
  6930. type: object
  6931. secretserver:
  6932. description: |-
  6933. SecretServer configures this store to sync secrets using SecretServer provider
  6934. https://docs.delinea.com/online-help/secret-server/start.htm
  6935. properties:
  6936. caBundle:
  6937. description: |-
  6938. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  6939. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  6940. are used to validate the TLS connection.
  6941. format: byte
  6942. type: string
  6943. caProvider:
  6944. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  6945. properties:
  6946. key:
  6947. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6948. maxLength: 253
  6949. minLength: 1
  6950. pattern: ^[-._a-zA-Z0-9]+$
  6951. type: string
  6952. name:
  6953. description: The name of the object located at the provider type.
  6954. maxLength: 253
  6955. minLength: 1
  6956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6957. type: string
  6958. namespace:
  6959. description: |-
  6960. The namespace the Provider type is in.
  6961. Can only be defined when used in a ClusterSecretStore.
  6962. maxLength: 63
  6963. minLength: 1
  6964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6965. type: string
  6966. type:
  6967. description: The type of provider to use such as "Secret", or "ConfigMap".
  6968. enum:
  6969. - Secret
  6970. - ConfigMap
  6971. type: string
  6972. required:
  6973. - name
  6974. - type
  6975. type: object
  6976. domain:
  6977. description: Domain is the secret server domain.
  6978. type: string
  6979. password:
  6980. description: Password is the secret server account password.
  6981. properties:
  6982. secretRef:
  6983. description: SecretRef references a key in a secret that will be used as value.
  6984. properties:
  6985. key:
  6986. description: |-
  6987. A key in the referenced Secret.
  6988. Some instances of this field may be defaulted, in others it may be required.
  6989. maxLength: 253
  6990. minLength: 1
  6991. pattern: ^[-._a-zA-Z0-9]+$
  6992. type: string
  6993. name:
  6994. description: The name of the Secret resource being referred to.
  6995. maxLength: 253
  6996. minLength: 1
  6997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6998. type: string
  6999. namespace:
  7000. description: |-
  7001. The namespace of the Secret resource being referred to.
  7002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7003. maxLength: 63
  7004. minLength: 1
  7005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7006. type: string
  7007. type: object
  7008. value:
  7009. description: Value can be specified directly to set a value without using a secret.
  7010. type: string
  7011. type: object
  7012. serverURL:
  7013. description: |-
  7014. ServerURL
  7015. URL to your secret server installation
  7016. type: string
  7017. username:
  7018. description: Username is the secret server account username.
  7019. properties:
  7020. secretRef:
  7021. description: SecretRef references a key in a secret that will be used as value.
  7022. properties:
  7023. key:
  7024. description: |-
  7025. A key in the referenced Secret.
  7026. Some instances of this field may be defaulted, in others it may be required.
  7027. maxLength: 253
  7028. minLength: 1
  7029. pattern: ^[-._a-zA-Z0-9]+$
  7030. type: string
  7031. name:
  7032. description: The name of the Secret resource being referred to.
  7033. maxLength: 253
  7034. minLength: 1
  7035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7036. type: string
  7037. namespace:
  7038. description: |-
  7039. The namespace of the Secret resource being referred to.
  7040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7041. maxLength: 63
  7042. minLength: 1
  7043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7044. type: string
  7045. type: object
  7046. value:
  7047. description: Value can be specified directly to set a value without using a secret.
  7048. type: string
  7049. type: object
  7050. required:
  7051. - password
  7052. - serverURL
  7053. - username
  7054. type: object
  7055. senhasegura:
  7056. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7057. properties:
  7058. auth:
  7059. description: Auth defines parameters to authenticate in senhasegura
  7060. properties:
  7061. clientId:
  7062. type: string
  7063. clientSecretSecretRef:
  7064. description: |-
  7065. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7066. In some instances, `key` is a required field.
  7067. properties:
  7068. key:
  7069. description: |-
  7070. A key in the referenced Secret.
  7071. Some instances of this field may be defaulted, in others it may be required.
  7072. maxLength: 253
  7073. minLength: 1
  7074. pattern: ^[-._a-zA-Z0-9]+$
  7075. type: string
  7076. name:
  7077. description: The name of the Secret resource being referred to.
  7078. maxLength: 253
  7079. minLength: 1
  7080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7081. type: string
  7082. namespace:
  7083. description: |-
  7084. The namespace of the Secret resource being referred to.
  7085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7086. maxLength: 63
  7087. minLength: 1
  7088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7089. type: string
  7090. type: object
  7091. required:
  7092. - clientId
  7093. - clientSecretSecretRef
  7094. type: object
  7095. ignoreSslCertificate:
  7096. default: false
  7097. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  7098. type: boolean
  7099. module:
  7100. description: Module defines which senhasegura module should be used to get secrets
  7101. type: string
  7102. url:
  7103. description: URL of senhasegura
  7104. type: string
  7105. required:
  7106. - auth
  7107. - module
  7108. - url
  7109. type: object
  7110. vault:
  7111. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7112. properties:
  7113. auth:
  7114. description: Auth configures how secret-manager authenticates with the Vault server.
  7115. properties:
  7116. appRole:
  7117. description: |-
  7118. AppRole authenticates with Vault using the App Role auth mechanism,
  7119. with the role and secret stored in a Kubernetes Secret resource.
  7120. properties:
  7121. path:
  7122. default: approle
  7123. description: |-
  7124. Path where the App Role authentication backend is mounted
  7125. in Vault, e.g: "approle"
  7126. type: string
  7127. roleId:
  7128. description: |-
  7129. RoleID configured in the App Role authentication backend when setting
  7130. up the authentication backend in Vault.
  7131. type: string
  7132. roleRef:
  7133. description: |-
  7134. Reference to a key in a Secret that contains the App Role ID used
  7135. to authenticate with Vault.
  7136. The `key` field must be specified and denotes which entry within the Secret
  7137. resource is used as the app role id.
  7138. properties:
  7139. key:
  7140. description: |-
  7141. A key in the referenced Secret.
  7142. Some instances of this field may be defaulted, in others it may be required.
  7143. maxLength: 253
  7144. minLength: 1
  7145. pattern: ^[-._a-zA-Z0-9]+$
  7146. type: string
  7147. name:
  7148. description: The name of the Secret resource being referred to.
  7149. maxLength: 253
  7150. minLength: 1
  7151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7152. type: string
  7153. namespace:
  7154. description: |-
  7155. The namespace of the Secret resource being referred to.
  7156. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7157. maxLength: 63
  7158. minLength: 1
  7159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7160. type: string
  7161. type: object
  7162. secretRef:
  7163. description: |-
  7164. Reference to a key in a Secret that contains the App Role secret used
  7165. to authenticate with Vault.
  7166. The `key` field must be specified and denotes which entry within the Secret
  7167. resource is used as the app role secret.
  7168. properties:
  7169. key:
  7170. description: |-
  7171. A key in the referenced Secret.
  7172. Some instances of this field may be defaulted, in others it may be required.
  7173. maxLength: 253
  7174. minLength: 1
  7175. pattern: ^[-._a-zA-Z0-9]+$
  7176. type: string
  7177. name:
  7178. description: The name of the Secret resource being referred to.
  7179. maxLength: 253
  7180. minLength: 1
  7181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7182. type: string
  7183. namespace:
  7184. description: |-
  7185. The namespace of the Secret resource being referred to.
  7186. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7187. maxLength: 63
  7188. minLength: 1
  7189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7190. type: string
  7191. type: object
  7192. required:
  7193. - path
  7194. - secretRef
  7195. type: object
  7196. cert:
  7197. description: |-
  7198. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7199. Cert authentication method
  7200. properties:
  7201. clientCert:
  7202. description: |-
  7203. ClientCert is a certificate to authenticate using the Cert Vault
  7204. authentication method
  7205. properties:
  7206. key:
  7207. description: |-
  7208. A key in the referenced Secret.
  7209. Some instances of this field may be defaulted, in others it may be required.
  7210. maxLength: 253
  7211. minLength: 1
  7212. pattern: ^[-._a-zA-Z0-9]+$
  7213. type: string
  7214. name:
  7215. description: The name of the Secret resource being referred to.
  7216. maxLength: 253
  7217. minLength: 1
  7218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7219. type: string
  7220. namespace:
  7221. description: |-
  7222. The namespace of the Secret resource being referred to.
  7223. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7224. maxLength: 63
  7225. minLength: 1
  7226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7227. type: string
  7228. type: object
  7229. path:
  7230. default: cert
  7231. description: |-
  7232. Path where the Certificate authentication backend is mounted
  7233. in Vault, e.g: "cert"
  7234. type: string
  7235. secretRef:
  7236. description: |-
  7237. SecretRef to a key in a Secret resource containing client private key to
  7238. authenticate with Vault using the Cert authentication method
  7239. properties:
  7240. key:
  7241. description: |-
  7242. A key in the referenced Secret.
  7243. Some instances of this field may be defaulted, in others it may be required.
  7244. maxLength: 253
  7245. minLength: 1
  7246. pattern: ^[-._a-zA-Z0-9]+$
  7247. type: string
  7248. name:
  7249. description: The name of the Secret resource being referred to.
  7250. maxLength: 253
  7251. minLength: 1
  7252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7253. type: string
  7254. namespace:
  7255. description: |-
  7256. The namespace of the Secret resource being referred to.
  7257. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7258. maxLength: 63
  7259. minLength: 1
  7260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7261. type: string
  7262. type: object
  7263. vaultRole:
  7264. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7265. type: string
  7266. type: object
  7267. gcp:
  7268. description: |-
  7269. Gcp authenticates with Vault using Google Cloud Platform authentication method
  7270. GCP authentication method
  7271. properties:
  7272. location:
  7273. description: Location optionally defines a location/region for the secret
  7274. type: string
  7275. path:
  7276. default: gcp
  7277. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7278. type: string
  7279. projectID:
  7280. description: Project ID of the Google Cloud Platform project
  7281. type: string
  7282. role:
  7283. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7284. type: string
  7285. secretRef:
  7286. description: Specify credentials in a Secret object
  7287. properties:
  7288. secretAccessKeySecretRef:
  7289. description: The SecretAccessKey is used for authentication
  7290. properties:
  7291. key:
  7292. description: |-
  7293. A key in the referenced Secret.
  7294. Some instances of this field may be defaulted, in others it may be required.
  7295. maxLength: 253
  7296. minLength: 1
  7297. pattern: ^[-._a-zA-Z0-9]+$
  7298. type: string
  7299. name:
  7300. description: The name of the Secret resource being referred to.
  7301. maxLength: 253
  7302. minLength: 1
  7303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7304. type: string
  7305. namespace:
  7306. description: |-
  7307. The namespace of the Secret resource being referred to.
  7308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7309. maxLength: 63
  7310. minLength: 1
  7311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7312. type: string
  7313. type: object
  7314. type: object
  7315. serviceAccountRef:
  7316. description: ServiceAccountRef to a service account for impersonation
  7317. properties:
  7318. audiences:
  7319. description: |-
  7320. Audience specifies the `aud` claim for the service account token
  7321. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7322. then this audiences will be appended to the list
  7323. items:
  7324. type: string
  7325. type: array
  7326. name:
  7327. description: The name of the ServiceAccount resource being referred to.
  7328. maxLength: 253
  7329. minLength: 1
  7330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7331. type: string
  7332. namespace:
  7333. description: |-
  7334. Namespace of the resource being referred to.
  7335. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7336. maxLength: 63
  7337. minLength: 1
  7338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7339. type: string
  7340. required:
  7341. - name
  7342. type: object
  7343. workloadIdentity:
  7344. description: Specify a service account with Workload Identity
  7345. properties:
  7346. clusterLocation:
  7347. description: |-
  7348. ClusterLocation is the location of the cluster
  7349. If not specified, it fetches information from the metadata server
  7350. type: string
  7351. clusterName:
  7352. description: |-
  7353. ClusterName is the name of the cluster
  7354. If not specified, it fetches information from the metadata server
  7355. type: string
  7356. clusterProjectID:
  7357. description: |-
  7358. ClusterProjectID is the project ID of the cluster
  7359. If not specified, it fetches information from the metadata server
  7360. type: string
  7361. serviceAccountRef:
  7362. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7363. properties:
  7364. audiences:
  7365. description: |-
  7366. Audience specifies the `aud` claim for the service account token
  7367. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7368. then this audiences will be appended to the list
  7369. items:
  7370. type: string
  7371. type: array
  7372. name:
  7373. description: The name of the ServiceAccount resource being referred to.
  7374. maxLength: 253
  7375. minLength: 1
  7376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7377. type: string
  7378. namespace:
  7379. description: |-
  7380. Namespace of the resource being referred to.
  7381. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7382. maxLength: 63
  7383. minLength: 1
  7384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7385. type: string
  7386. required:
  7387. - name
  7388. type: object
  7389. required:
  7390. - serviceAccountRef
  7391. type: object
  7392. required:
  7393. - role
  7394. type: object
  7395. iam:
  7396. description: |-
  7397. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  7398. AWS IAM authentication method
  7399. properties:
  7400. externalID:
  7401. description: AWS External ID set on assumed IAM roles
  7402. type: string
  7403. jwt:
  7404. description: Specify a service account with IRSA enabled
  7405. properties:
  7406. serviceAccountRef:
  7407. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7408. properties:
  7409. audiences:
  7410. description: |-
  7411. Audience specifies the `aud` claim for the service account token
  7412. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7413. then this audiences will be appended to the list
  7414. items:
  7415. type: string
  7416. type: array
  7417. name:
  7418. description: The name of the ServiceAccount resource being referred to.
  7419. maxLength: 253
  7420. minLength: 1
  7421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7422. type: string
  7423. namespace:
  7424. description: |-
  7425. Namespace of the resource being referred to.
  7426. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7427. maxLength: 63
  7428. minLength: 1
  7429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7430. type: string
  7431. required:
  7432. - name
  7433. type: object
  7434. type: object
  7435. path:
  7436. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7437. type: string
  7438. region:
  7439. description: AWS region
  7440. type: string
  7441. role:
  7442. description: This is the AWS role to be assumed before talking to vault
  7443. type: string
  7444. secretRef:
  7445. description: Specify credentials in a Secret object
  7446. properties:
  7447. accessKeyIDSecretRef:
  7448. description: The AccessKeyID is used for authentication
  7449. properties:
  7450. key:
  7451. description: |-
  7452. A key in the referenced Secret.
  7453. Some instances of this field may be defaulted, in others it may be required.
  7454. maxLength: 253
  7455. minLength: 1
  7456. pattern: ^[-._a-zA-Z0-9]+$
  7457. type: string
  7458. name:
  7459. description: The name of the Secret resource being referred to.
  7460. maxLength: 253
  7461. minLength: 1
  7462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7463. type: string
  7464. namespace:
  7465. description: |-
  7466. The namespace of the Secret resource being referred to.
  7467. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7468. maxLength: 63
  7469. minLength: 1
  7470. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7471. type: string
  7472. type: object
  7473. secretAccessKeySecretRef:
  7474. description: The SecretAccessKey is used for authentication
  7475. properties:
  7476. key:
  7477. description: |-
  7478. A key in the referenced Secret.
  7479. Some instances of this field may be defaulted, in others it may be required.
  7480. maxLength: 253
  7481. minLength: 1
  7482. pattern: ^[-._a-zA-Z0-9]+$
  7483. type: string
  7484. name:
  7485. description: The name of the Secret resource being referred to.
  7486. maxLength: 253
  7487. minLength: 1
  7488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7489. type: string
  7490. namespace:
  7491. description: |-
  7492. The namespace of the Secret resource being referred to.
  7493. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7494. maxLength: 63
  7495. minLength: 1
  7496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7497. type: string
  7498. type: object
  7499. sessionTokenSecretRef:
  7500. description: |-
  7501. The SessionToken used for authentication
  7502. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7503. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7504. properties:
  7505. key:
  7506. description: |-
  7507. A key in the referenced Secret.
  7508. Some instances of this field may be defaulted, in others it may be required.
  7509. maxLength: 253
  7510. minLength: 1
  7511. pattern: ^[-._a-zA-Z0-9]+$
  7512. type: string
  7513. name:
  7514. description: The name of the Secret resource being referred to.
  7515. maxLength: 253
  7516. minLength: 1
  7517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7518. type: string
  7519. namespace:
  7520. description: |-
  7521. The namespace of the Secret resource being referred to.
  7522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7523. maxLength: 63
  7524. minLength: 1
  7525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7526. type: string
  7527. type: object
  7528. type: object
  7529. vaultAwsIamServerID:
  7530. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7531. type: string
  7532. vaultRole:
  7533. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7534. type: string
  7535. required:
  7536. - vaultRole
  7537. type: object
  7538. jwt:
  7539. description: |-
  7540. Jwt authenticates with Vault by passing role and JWT token using the
  7541. JWT/OIDC authentication method
  7542. properties:
  7543. kubernetesServiceAccountToken:
  7544. description: |-
  7545. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7546. a token for with the `TokenRequest` API.
  7547. properties:
  7548. audiences:
  7549. description: |-
  7550. Optional audiences field that will be used to request a temporary Kubernetes service
  7551. account token for the service account referenced by `serviceAccountRef`.
  7552. Defaults to a single audience `vault` it not specified.
  7553. Deprecated: use serviceAccountRef.Audiences instead
  7554. items:
  7555. type: string
  7556. type: array
  7557. expirationSeconds:
  7558. description: |-
  7559. Optional expiration time in seconds that will be used to request a temporary
  7560. Kubernetes service account token for the service account referenced by
  7561. `serviceAccountRef`.
  7562. Deprecated: this will be removed in the future.
  7563. Defaults to 10 minutes.
  7564. format: int64
  7565. type: integer
  7566. serviceAccountRef:
  7567. description: Service account field containing the name of a kubernetes ServiceAccount.
  7568. properties:
  7569. audiences:
  7570. description: |-
  7571. Audience specifies the `aud` claim for the service account token
  7572. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7573. then this audiences will be appended to the list
  7574. items:
  7575. type: string
  7576. type: array
  7577. name:
  7578. description: The name of the ServiceAccount resource being referred to.
  7579. maxLength: 253
  7580. minLength: 1
  7581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7582. type: string
  7583. namespace:
  7584. description: |-
  7585. Namespace of the resource being referred to.
  7586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7587. maxLength: 63
  7588. minLength: 1
  7589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7590. type: string
  7591. required:
  7592. - name
  7593. type: object
  7594. required:
  7595. - serviceAccountRef
  7596. type: object
  7597. path:
  7598. default: jwt
  7599. description: |-
  7600. Path where the JWT authentication backend is mounted
  7601. in Vault, e.g: "jwt"
  7602. type: string
  7603. role:
  7604. description: |-
  7605. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7606. authentication method
  7607. type: string
  7608. secretRef:
  7609. description: |-
  7610. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7611. authenticate with Vault using the JWT/OIDC authentication method.
  7612. properties:
  7613. key:
  7614. description: |-
  7615. A key in the referenced Secret.
  7616. Some instances of this field may be defaulted, in others it may be required.
  7617. maxLength: 253
  7618. minLength: 1
  7619. pattern: ^[-._a-zA-Z0-9]+$
  7620. type: string
  7621. name:
  7622. description: The name of the Secret resource being referred to.
  7623. maxLength: 253
  7624. minLength: 1
  7625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7626. type: string
  7627. namespace:
  7628. description: |-
  7629. The namespace of the Secret resource being referred to.
  7630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7631. maxLength: 63
  7632. minLength: 1
  7633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7634. type: string
  7635. type: object
  7636. required:
  7637. - path
  7638. type: object
  7639. kubernetes:
  7640. description: |-
  7641. Kubernetes authenticates with Vault by passing the ServiceAccount
  7642. token stored in the named Secret resource to the Vault server.
  7643. properties:
  7644. mountPath:
  7645. default: kubernetes
  7646. description: |-
  7647. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7648. "kubernetes"
  7649. type: string
  7650. role:
  7651. description: |-
  7652. A required field containing the Vault Role to assume. A Role binds a
  7653. Kubernetes ServiceAccount with a set of Vault policies.
  7654. type: string
  7655. secretRef:
  7656. description: |-
  7657. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7658. for authenticating with Vault. If a name is specified without a key,
  7659. `token` is the default. If one is not specified, the one bound to
  7660. the controller will be used.
  7661. properties:
  7662. key:
  7663. description: |-
  7664. A key in the referenced Secret.
  7665. Some instances of this field may be defaulted, in others it may be required.
  7666. maxLength: 253
  7667. minLength: 1
  7668. pattern: ^[-._a-zA-Z0-9]+$
  7669. type: string
  7670. name:
  7671. description: The name of the Secret resource being referred to.
  7672. maxLength: 253
  7673. minLength: 1
  7674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7675. type: string
  7676. namespace:
  7677. description: |-
  7678. The namespace of the Secret resource being referred to.
  7679. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7680. maxLength: 63
  7681. minLength: 1
  7682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7683. type: string
  7684. type: object
  7685. serviceAccountRef:
  7686. description: |-
  7687. Optional service account field containing the name of a kubernetes ServiceAccount.
  7688. If the service account is specified, the service account secret token JWT will be used
  7689. for authenticating with Vault. If the service account selector is not supplied,
  7690. the secretRef will be used instead.
  7691. properties:
  7692. audiences:
  7693. description: |-
  7694. Audience specifies the `aud` claim for the service account token
  7695. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7696. then this audiences will be appended to the list
  7697. items:
  7698. type: string
  7699. type: array
  7700. name:
  7701. description: The name of the ServiceAccount resource being referred to.
  7702. maxLength: 253
  7703. minLength: 1
  7704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7705. type: string
  7706. namespace:
  7707. description: |-
  7708. Namespace of the resource being referred to.
  7709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7710. maxLength: 63
  7711. minLength: 1
  7712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7713. type: string
  7714. required:
  7715. - name
  7716. type: object
  7717. required:
  7718. - mountPath
  7719. - role
  7720. type: object
  7721. ldap:
  7722. description: |-
  7723. Ldap authenticates with Vault by passing username/password pair using
  7724. the LDAP authentication method
  7725. properties:
  7726. path:
  7727. default: ldap
  7728. description: |-
  7729. Path where the LDAP authentication backend is mounted
  7730. in Vault, e.g: "ldap"
  7731. type: string
  7732. secretRef:
  7733. description: |-
  7734. SecretRef to a key in a Secret resource containing password for the LDAP
  7735. user used to authenticate with Vault using the LDAP authentication
  7736. method
  7737. properties:
  7738. key:
  7739. description: |-
  7740. A key in the referenced Secret.
  7741. Some instances of this field may be defaulted, in others it may be required.
  7742. maxLength: 253
  7743. minLength: 1
  7744. pattern: ^[-._a-zA-Z0-9]+$
  7745. type: string
  7746. name:
  7747. description: The name of the Secret resource being referred to.
  7748. maxLength: 253
  7749. minLength: 1
  7750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7751. type: string
  7752. namespace:
  7753. description: |-
  7754. The namespace of the Secret resource being referred to.
  7755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7756. maxLength: 63
  7757. minLength: 1
  7758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7759. type: string
  7760. type: object
  7761. username:
  7762. description: |-
  7763. Username is an LDAP username used to authenticate using the LDAP Vault
  7764. authentication method
  7765. type: string
  7766. required:
  7767. - path
  7768. - username
  7769. type: object
  7770. namespace:
  7771. description: |-
  7772. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  7773. Namespaces is a set of features within Vault Enterprise that allows
  7774. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7775. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7776. This will default to Vault.Namespace field if set, or empty otherwise
  7777. type: string
  7778. tokenSecretRef:
  7779. description: TokenSecretRef authenticates with Vault by presenting a token.
  7780. properties:
  7781. key:
  7782. description: |-
  7783. A key in the referenced Secret.
  7784. Some instances of this field may be defaulted, in others it may be required.
  7785. maxLength: 253
  7786. minLength: 1
  7787. pattern: ^[-._a-zA-Z0-9]+$
  7788. type: string
  7789. name:
  7790. description: The name of the Secret resource being referred to.
  7791. maxLength: 253
  7792. minLength: 1
  7793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7794. type: string
  7795. namespace:
  7796. description: |-
  7797. The namespace of the Secret resource being referred to.
  7798. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7799. maxLength: 63
  7800. minLength: 1
  7801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7802. type: string
  7803. type: object
  7804. userPass:
  7805. description: UserPass authenticates with Vault by passing username/password pair
  7806. properties:
  7807. path:
  7808. default: userpass
  7809. description: |-
  7810. Path where the UserPassword authentication backend is mounted
  7811. in Vault, e.g: "userpass"
  7812. type: string
  7813. secretRef:
  7814. description: |-
  7815. SecretRef to a key in a Secret resource containing password for the
  7816. user used to authenticate with Vault using the UserPass authentication
  7817. method
  7818. properties:
  7819. key:
  7820. description: |-
  7821. A key in the referenced Secret.
  7822. Some instances of this field may be defaulted, in others it may be required.
  7823. maxLength: 253
  7824. minLength: 1
  7825. pattern: ^[-._a-zA-Z0-9]+$
  7826. type: string
  7827. name:
  7828. description: The name of the Secret resource being referred to.
  7829. maxLength: 253
  7830. minLength: 1
  7831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7832. type: string
  7833. namespace:
  7834. description: |-
  7835. The namespace of the Secret resource being referred to.
  7836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7837. maxLength: 63
  7838. minLength: 1
  7839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7840. type: string
  7841. type: object
  7842. username:
  7843. description: |-
  7844. Username is a username used to authenticate using the UserPass Vault
  7845. authentication method
  7846. type: string
  7847. required:
  7848. - path
  7849. - username
  7850. type: object
  7851. type: object
  7852. caBundle:
  7853. description: |-
  7854. PEM encoded CA bundle used to validate Vault server certificate. Only used
  7855. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7856. plain HTTP protocol connection. If not set the system root certificates
  7857. are used to validate the TLS connection.
  7858. format: byte
  7859. type: string
  7860. caProvider:
  7861. description: The provider for the CA bundle to use to validate Vault server certificate.
  7862. properties:
  7863. key:
  7864. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7865. maxLength: 253
  7866. minLength: 1
  7867. pattern: ^[-._a-zA-Z0-9]+$
  7868. type: string
  7869. name:
  7870. description: The name of the object located at the provider type.
  7871. maxLength: 253
  7872. minLength: 1
  7873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7874. type: string
  7875. namespace:
  7876. description: |-
  7877. The namespace the Provider type is in.
  7878. Can only be defined when used in a ClusterSecretStore.
  7879. maxLength: 63
  7880. minLength: 1
  7881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7882. type: string
  7883. type:
  7884. description: The type of provider to use such as "Secret", or "ConfigMap".
  7885. enum:
  7886. - Secret
  7887. - ConfigMap
  7888. type: string
  7889. required:
  7890. - name
  7891. - type
  7892. type: object
  7893. checkAndSet:
  7894. description: |-
  7895. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  7896. Only applies to Vault KV v2 stores. When enabled, write operations must include
  7897. the current version of the secret to prevent unintentional overwrites.
  7898. properties:
  7899. required:
  7900. description: |-
  7901. Required when true, all write operations must include a check-and-set parameter.
  7902. This helps prevent unintentional overwrites of secrets.
  7903. type: boolean
  7904. type: object
  7905. forwardInconsistent:
  7906. description: |-
  7907. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7908. leader instead of simply retrying within a loop. This can increase performance if
  7909. the option is enabled serverside.
  7910. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7911. type: boolean
  7912. headers:
  7913. additionalProperties:
  7914. type: string
  7915. description: Headers to be added in Vault request
  7916. type: object
  7917. namespace:
  7918. description: |-
  7919. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  7920. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7921. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7922. type: string
  7923. path:
  7924. description: |-
  7925. Path is the mount path of the Vault KV backend endpoint, e.g:
  7926. "secret". The v2 KV secret engine version specific "/data" path suffix
  7927. for fetching secrets from Vault is optional and will be appended
  7928. if not present in specified path.
  7929. type: string
  7930. readYourWrites:
  7931. description: |-
  7932. ReadYourWrites ensures isolated read-after-write semantics by
  7933. providing discovered cluster replication states in each request.
  7934. More information about eventual consistency in Vault can be found here
  7935. https://www.vaultproject.io/docs/enterprise/consistency
  7936. type: boolean
  7937. server:
  7938. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7939. type: string
  7940. tls:
  7941. description: |-
  7942. The configuration used for client side related TLS communication, when the Vault server
  7943. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  7944. This parameter is ignored for plain HTTP protocol connection.
  7945. It's worth noting this configuration is different from the "TLS certificates auth method",
  7946. which is available under the `auth.cert` section.
  7947. properties:
  7948. certSecretRef:
  7949. description: |-
  7950. CertSecretRef is a certificate added to the transport layer
  7951. when communicating with the Vault server.
  7952. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  7953. properties:
  7954. key:
  7955. description: |-
  7956. A key in the referenced Secret.
  7957. Some instances of this field may be defaulted, in others it may be required.
  7958. maxLength: 253
  7959. minLength: 1
  7960. pattern: ^[-._a-zA-Z0-9]+$
  7961. type: string
  7962. name:
  7963. description: The name of the Secret resource being referred to.
  7964. maxLength: 253
  7965. minLength: 1
  7966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7967. type: string
  7968. namespace:
  7969. description: |-
  7970. The namespace of the Secret resource being referred to.
  7971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7972. maxLength: 63
  7973. minLength: 1
  7974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7975. type: string
  7976. type: object
  7977. keySecretRef:
  7978. description: |-
  7979. KeySecretRef to a key in a Secret resource containing client private key
  7980. added to the transport layer when communicating with the Vault server.
  7981. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  7982. properties:
  7983. key:
  7984. description: |-
  7985. A key in the referenced Secret.
  7986. Some instances of this field may be defaulted, in others it may be required.
  7987. maxLength: 253
  7988. minLength: 1
  7989. pattern: ^[-._a-zA-Z0-9]+$
  7990. type: string
  7991. name:
  7992. description: The name of the Secret resource being referred to.
  7993. maxLength: 253
  7994. minLength: 1
  7995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7996. type: string
  7997. namespace:
  7998. description: |-
  7999. The namespace of the Secret resource being referred to.
  8000. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8001. maxLength: 63
  8002. minLength: 1
  8003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8004. type: string
  8005. type: object
  8006. type: object
  8007. version:
  8008. default: v2
  8009. description: |-
  8010. Version is the Vault KV secret engine version. This can be either "v1" or
  8011. "v2". Version defaults to "v2".
  8012. enum:
  8013. - v1
  8014. - v2
  8015. type: string
  8016. required:
  8017. - server
  8018. type: object
  8019. volcengine:
  8020. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8021. properties:
  8022. auth:
  8023. description: |-
  8024. Auth defines the authentication method to use.
  8025. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8026. properties:
  8027. secretRef:
  8028. description: |-
  8029. SecretRef defines the static credentials to use for authentication.
  8030. If not set, IRSA is used.
  8031. properties:
  8032. accessKeyID:
  8033. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8034. properties:
  8035. key:
  8036. description: |-
  8037. A key in the referenced Secret.
  8038. Some instances of this field may be defaulted, in others it may be required.
  8039. maxLength: 253
  8040. minLength: 1
  8041. pattern: ^[-._a-zA-Z0-9]+$
  8042. type: string
  8043. name:
  8044. description: The name of the Secret resource being referred to.
  8045. maxLength: 253
  8046. minLength: 1
  8047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8048. type: string
  8049. namespace:
  8050. description: |-
  8051. The namespace of the Secret resource being referred to.
  8052. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8053. maxLength: 63
  8054. minLength: 1
  8055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8056. type: string
  8057. type: object
  8058. secretAccessKey:
  8059. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8060. properties:
  8061. key:
  8062. description: |-
  8063. A key in the referenced Secret.
  8064. Some instances of this field may be defaulted, in others it may be required.
  8065. maxLength: 253
  8066. minLength: 1
  8067. pattern: ^[-._a-zA-Z0-9]+$
  8068. type: string
  8069. name:
  8070. description: The name of the Secret resource being referred to.
  8071. maxLength: 253
  8072. minLength: 1
  8073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8074. type: string
  8075. namespace:
  8076. description: |-
  8077. The namespace of the Secret resource being referred to.
  8078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8079. maxLength: 63
  8080. minLength: 1
  8081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8082. type: string
  8083. type: object
  8084. token:
  8085. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8086. properties:
  8087. key:
  8088. description: |-
  8089. A key in the referenced Secret.
  8090. Some instances of this field may be defaulted, in others it may be required.
  8091. maxLength: 253
  8092. minLength: 1
  8093. pattern: ^[-._a-zA-Z0-9]+$
  8094. type: string
  8095. name:
  8096. description: The name of the Secret resource being referred to.
  8097. maxLength: 253
  8098. minLength: 1
  8099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8100. type: string
  8101. namespace:
  8102. description: |-
  8103. The namespace of the Secret resource being referred to.
  8104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8105. maxLength: 63
  8106. minLength: 1
  8107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8108. type: string
  8109. type: object
  8110. required:
  8111. - accessKeyID
  8112. - secretAccessKey
  8113. type: object
  8114. type: object
  8115. region:
  8116. description: Region specifies the Volcengine region to connect to.
  8117. type: string
  8118. required:
  8119. - region
  8120. type: object
  8121. webhook:
  8122. description: Webhook configures this store to sync secrets using a generic templated webhook
  8123. properties:
  8124. auth:
  8125. description: Auth specifies a authorization protocol. Only one protocol may be set.
  8126. maxProperties: 1
  8127. minProperties: 1
  8128. properties:
  8129. ntlm:
  8130. description: NTLMProtocol configures the store to use NTLM for auth
  8131. properties:
  8132. passwordSecret:
  8133. description: |-
  8134. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8135. In some instances, `key` is a required field.
  8136. properties:
  8137. key:
  8138. description: |-
  8139. A key in the referenced Secret.
  8140. Some instances of this field may be defaulted, in others it may be required.
  8141. maxLength: 253
  8142. minLength: 1
  8143. pattern: ^[-._a-zA-Z0-9]+$
  8144. type: string
  8145. name:
  8146. description: The name of the Secret resource being referred to.
  8147. maxLength: 253
  8148. minLength: 1
  8149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8150. type: string
  8151. namespace:
  8152. description: |-
  8153. The namespace of the Secret resource being referred to.
  8154. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8155. maxLength: 63
  8156. minLength: 1
  8157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8158. type: string
  8159. type: object
  8160. usernameSecret:
  8161. description: |-
  8162. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8163. In some instances, `key` is a required field.
  8164. properties:
  8165. key:
  8166. description: |-
  8167. A key in the referenced Secret.
  8168. Some instances of this field may be defaulted, in others it may be required.
  8169. maxLength: 253
  8170. minLength: 1
  8171. pattern: ^[-._a-zA-Z0-9]+$
  8172. type: string
  8173. name:
  8174. description: The name of the Secret resource being referred to.
  8175. maxLength: 253
  8176. minLength: 1
  8177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8178. type: string
  8179. namespace:
  8180. description: |-
  8181. The namespace of the Secret resource being referred to.
  8182. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8183. maxLength: 63
  8184. minLength: 1
  8185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8186. type: string
  8187. type: object
  8188. required:
  8189. - passwordSecret
  8190. - usernameSecret
  8191. type: object
  8192. type: object
  8193. body:
  8194. description: Body
  8195. type: string
  8196. caBundle:
  8197. description: |-
  8198. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8199. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8200. plain HTTP protocol connection. If not set the system root certificates
  8201. are used to validate the TLS connection.
  8202. format: byte
  8203. type: string
  8204. caProvider:
  8205. description: The provider for the CA bundle to use to validate webhook server certificate.
  8206. properties:
  8207. key:
  8208. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8209. maxLength: 253
  8210. minLength: 1
  8211. pattern: ^[-._a-zA-Z0-9]+$
  8212. type: string
  8213. name:
  8214. description: The name of the object located at the provider type.
  8215. maxLength: 253
  8216. minLength: 1
  8217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8218. type: string
  8219. namespace:
  8220. description: The namespace the Provider type is in.
  8221. maxLength: 63
  8222. minLength: 1
  8223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8224. type: string
  8225. type:
  8226. description: The type of provider to use such as "Secret", or "ConfigMap".
  8227. enum:
  8228. - Secret
  8229. - ConfigMap
  8230. type: string
  8231. required:
  8232. - name
  8233. - type
  8234. type: object
  8235. headers:
  8236. additionalProperties:
  8237. type: string
  8238. description: Headers
  8239. type: object
  8240. method:
  8241. description: Webhook Method
  8242. type: string
  8243. result:
  8244. description: Result formatting
  8245. properties:
  8246. jsonPath:
  8247. description: Json path of return value
  8248. type: string
  8249. type: object
  8250. secrets:
  8251. description: |-
  8252. Secrets to fill in templates
  8253. These secrets will be passed to the templating function as key value pairs under the given name
  8254. items:
  8255. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8256. properties:
  8257. name:
  8258. description: Name of this secret in templates
  8259. type: string
  8260. secretRef:
  8261. description: Secret ref to fill in credentials
  8262. properties:
  8263. key:
  8264. description: |-
  8265. A key in the referenced Secret.
  8266. Some instances of this field may be defaulted, in others it may be required.
  8267. maxLength: 253
  8268. minLength: 1
  8269. pattern: ^[-._a-zA-Z0-9]+$
  8270. type: string
  8271. name:
  8272. description: The name of the Secret resource being referred to.
  8273. maxLength: 253
  8274. minLength: 1
  8275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8276. type: string
  8277. namespace:
  8278. description: |-
  8279. The namespace of the Secret resource being referred to.
  8280. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8281. maxLength: 63
  8282. minLength: 1
  8283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8284. type: string
  8285. type: object
  8286. required:
  8287. - name
  8288. - secretRef
  8289. type: object
  8290. type: array
  8291. timeout:
  8292. description: Timeout
  8293. type: string
  8294. url:
  8295. description: Webhook url to call
  8296. type: string
  8297. required:
  8298. - url
  8299. type: object
  8300. yandexcertificatemanager:
  8301. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8302. properties:
  8303. apiEndpoint:
  8304. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8305. type: string
  8306. auth:
  8307. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8308. properties:
  8309. authorizedKeySecretRef:
  8310. description: The authorized key used for authentication
  8311. properties:
  8312. key:
  8313. description: |-
  8314. A key in the referenced Secret.
  8315. Some instances of this field may be defaulted, in others it may be required.
  8316. maxLength: 253
  8317. minLength: 1
  8318. pattern: ^[-._a-zA-Z0-9]+$
  8319. type: string
  8320. name:
  8321. description: The name of the Secret resource being referred to.
  8322. maxLength: 253
  8323. minLength: 1
  8324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8325. type: string
  8326. namespace:
  8327. description: |-
  8328. The namespace of the Secret resource being referred to.
  8329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8330. maxLength: 63
  8331. minLength: 1
  8332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8333. type: string
  8334. type: object
  8335. type: object
  8336. caProvider:
  8337. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8338. properties:
  8339. certSecretRef:
  8340. description: |-
  8341. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8342. In some instances, `key` is a required field.
  8343. properties:
  8344. key:
  8345. description: |-
  8346. A key in the referenced Secret.
  8347. Some instances of this field may be defaulted, in others it may be required.
  8348. maxLength: 253
  8349. minLength: 1
  8350. pattern: ^[-._a-zA-Z0-9]+$
  8351. type: string
  8352. name:
  8353. description: The name of the Secret resource being referred to.
  8354. maxLength: 253
  8355. minLength: 1
  8356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8357. type: string
  8358. namespace:
  8359. description: |-
  8360. The namespace of the Secret resource being referred to.
  8361. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8362. maxLength: 63
  8363. minLength: 1
  8364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8365. type: string
  8366. type: object
  8367. type: object
  8368. fetching:
  8369. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8370. maxProperties: 1
  8371. minProperties: 1
  8372. properties:
  8373. byID:
  8374. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8375. type: object
  8376. byName:
  8377. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8378. properties:
  8379. folderID:
  8380. description: The folder to fetch secrets from
  8381. type: string
  8382. required:
  8383. - folderID
  8384. type: object
  8385. type: object
  8386. required:
  8387. - auth
  8388. type: object
  8389. yandexlockbox:
  8390. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8391. properties:
  8392. apiEndpoint:
  8393. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8394. type: string
  8395. auth:
  8396. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8397. properties:
  8398. authorizedKeySecretRef:
  8399. description: The authorized key used for authentication
  8400. properties:
  8401. key:
  8402. description: |-
  8403. A key in the referenced Secret.
  8404. Some instances of this field may be defaulted, in others it may be required.
  8405. maxLength: 253
  8406. minLength: 1
  8407. pattern: ^[-._a-zA-Z0-9]+$
  8408. type: string
  8409. name:
  8410. description: The name of the Secret resource being referred to.
  8411. maxLength: 253
  8412. minLength: 1
  8413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8414. type: string
  8415. namespace:
  8416. description: |-
  8417. The namespace of the Secret resource being referred to.
  8418. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8419. maxLength: 63
  8420. minLength: 1
  8421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8422. type: string
  8423. type: object
  8424. type: object
  8425. caProvider:
  8426. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8427. properties:
  8428. certSecretRef:
  8429. description: |-
  8430. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8431. In some instances, `key` is a required field.
  8432. properties:
  8433. key:
  8434. description: |-
  8435. A key in the referenced Secret.
  8436. Some instances of this field may be defaulted, in others it may be required.
  8437. maxLength: 253
  8438. minLength: 1
  8439. pattern: ^[-._a-zA-Z0-9]+$
  8440. type: string
  8441. name:
  8442. description: The name of the Secret resource being referred to.
  8443. maxLength: 253
  8444. minLength: 1
  8445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8446. type: string
  8447. namespace:
  8448. description: |-
  8449. The namespace of the Secret resource being referred to.
  8450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8451. maxLength: 63
  8452. minLength: 1
  8453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8454. type: string
  8455. type: object
  8456. type: object
  8457. fetching:
  8458. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8459. maxProperties: 1
  8460. minProperties: 1
  8461. properties:
  8462. byID:
  8463. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8464. type: object
  8465. byName:
  8466. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8467. properties:
  8468. folderID:
  8469. description: The folder to fetch secrets from
  8470. type: string
  8471. required:
  8472. - folderID
  8473. type: object
  8474. type: object
  8475. required:
  8476. - auth
  8477. type: object
  8478. type: object
  8479. refreshInterval:
  8480. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8481. type: integer
  8482. retrySettings:
  8483. description: Used to configure HTTP retries on failures.
  8484. properties:
  8485. maxRetries:
  8486. format: int32
  8487. type: integer
  8488. retryInterval:
  8489. type: string
  8490. type: object
  8491. required:
  8492. - provider
  8493. type: object
  8494. status:
  8495. description: SecretStoreStatus defines the observed state of the SecretStore.
  8496. properties:
  8497. capabilities:
  8498. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8499. type: string
  8500. conditions:
  8501. items:
  8502. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8503. properties:
  8504. lastTransitionTime:
  8505. format: date-time
  8506. type: string
  8507. message:
  8508. type: string
  8509. reason:
  8510. type: string
  8511. status:
  8512. type: string
  8513. type:
  8514. description: SecretStoreConditionType represents the condition of the SecretStore.
  8515. type: string
  8516. required:
  8517. - status
  8518. - type
  8519. type: object
  8520. type: array
  8521. type: object
  8522. type: object
  8523. served: true
  8524. storage: true
  8525. subresources:
  8526. status: {}
  8527. - additionalPrinterColumns:
  8528. - jsonPath: .metadata.creationTimestamp
  8529. name: AGE
  8530. type: date
  8531. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8532. name: Status
  8533. type: string
  8534. - jsonPath: .status.capabilities
  8535. name: Capabilities
  8536. type: string
  8537. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8538. name: Ready
  8539. type: string
  8540. deprecated: true
  8541. name: v1beta1
  8542. schema:
  8543. openAPIV3Schema:
  8544. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8545. properties:
  8546. apiVersion:
  8547. description: |-
  8548. APIVersion defines the versioned schema of this representation of an object.
  8549. Servers should convert recognized schemas to the latest internal value, and
  8550. may reject unrecognized values.
  8551. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8552. type: string
  8553. kind:
  8554. description: |-
  8555. Kind is a string value representing the REST resource this object represents.
  8556. Servers may infer this from the endpoint the client submits requests to.
  8557. Cannot be updated.
  8558. In CamelCase.
  8559. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8560. type: string
  8561. metadata:
  8562. type: object
  8563. spec:
  8564. description: SecretStoreSpec defines the desired state of SecretStore.
  8565. properties:
  8566. conditions:
  8567. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8568. items:
  8569. description: |-
  8570. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8571. for a ClusterSecretStore instance.
  8572. properties:
  8573. namespaceRegexes:
  8574. description: Choose namespaces by using regex matching
  8575. items:
  8576. type: string
  8577. type: array
  8578. namespaceSelector:
  8579. description: Choose namespace using a labelSelector
  8580. properties:
  8581. matchExpressions:
  8582. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8583. items:
  8584. description: |-
  8585. A label selector requirement is a selector that contains values, a key, and an operator that
  8586. relates the key and values.
  8587. properties:
  8588. key:
  8589. description: key is the label key that the selector applies to.
  8590. type: string
  8591. operator:
  8592. description: |-
  8593. operator represents a key's relationship to a set of values.
  8594. Valid operators are In, NotIn, Exists and DoesNotExist.
  8595. type: string
  8596. values:
  8597. description: |-
  8598. values is an array of string values. If the operator is In or NotIn,
  8599. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8600. the values array must be empty. This array is replaced during a strategic
  8601. merge patch.
  8602. items:
  8603. type: string
  8604. type: array
  8605. x-kubernetes-list-type: atomic
  8606. required:
  8607. - key
  8608. - operator
  8609. type: object
  8610. type: array
  8611. x-kubernetes-list-type: atomic
  8612. matchLabels:
  8613. additionalProperties:
  8614. type: string
  8615. description: |-
  8616. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8617. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8618. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8619. type: object
  8620. type: object
  8621. x-kubernetes-map-type: atomic
  8622. namespaces:
  8623. description: Choose namespaces by name
  8624. items:
  8625. maxLength: 63
  8626. minLength: 1
  8627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8628. type: string
  8629. type: array
  8630. type: object
  8631. type: array
  8632. controller:
  8633. description: |-
  8634. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8635. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8636. type: string
  8637. provider:
  8638. description: Used to configure the provider. Only one provider may be set
  8639. maxProperties: 1
  8640. minProperties: 1
  8641. properties:
  8642. akeyless:
  8643. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8644. properties:
  8645. akeylessGWApiURL:
  8646. description: Akeyless GW API Url from which the secrets to be fetched from.
  8647. type: string
  8648. authSecretRef:
  8649. description: Auth configures how the operator authenticates with Akeyless.
  8650. properties:
  8651. kubernetesAuth:
  8652. description: |-
  8653. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8654. token stored in the named Secret resource.
  8655. properties:
  8656. accessID:
  8657. description: the Akeyless Kubernetes auth-method access-id
  8658. type: string
  8659. k8sConfName:
  8660. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8661. type: string
  8662. secretRef:
  8663. description: |-
  8664. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8665. for authenticating with Akeyless. If a name is specified without a key,
  8666. `token` is the default. If one is not specified, the one bound to
  8667. the controller will be used.
  8668. properties:
  8669. key:
  8670. description: |-
  8671. A key in the referenced Secret.
  8672. Some instances of this field may be defaulted, in others it may be required.
  8673. maxLength: 253
  8674. minLength: 1
  8675. pattern: ^[-._a-zA-Z0-9]+$
  8676. type: string
  8677. name:
  8678. description: The name of the Secret resource being referred to.
  8679. maxLength: 253
  8680. minLength: 1
  8681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8682. type: string
  8683. namespace:
  8684. description: |-
  8685. The namespace of the Secret resource being referred to.
  8686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8687. maxLength: 63
  8688. minLength: 1
  8689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8690. type: string
  8691. type: object
  8692. serviceAccountRef:
  8693. description: |-
  8694. Optional service account field containing the name of a kubernetes ServiceAccount.
  8695. If the service account is specified, the service account secret token JWT will be used
  8696. for authenticating with Akeyless. If the service account selector is not supplied,
  8697. the secretRef will be used instead.
  8698. properties:
  8699. audiences:
  8700. description: |-
  8701. Audience specifies the `aud` claim for the service account token
  8702. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8703. then this audiences will be appended to the list
  8704. items:
  8705. type: string
  8706. type: array
  8707. name:
  8708. description: The name of the ServiceAccount resource being referred to.
  8709. maxLength: 253
  8710. minLength: 1
  8711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8712. type: string
  8713. namespace:
  8714. description: |-
  8715. Namespace of the resource being referred to.
  8716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8717. maxLength: 63
  8718. minLength: 1
  8719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8720. type: string
  8721. required:
  8722. - name
  8723. type: object
  8724. required:
  8725. - accessID
  8726. - k8sConfName
  8727. type: object
  8728. secretRef:
  8729. description: |-
  8730. Reference to a Secret that contains the details
  8731. to authenticate with Akeyless.
  8732. properties:
  8733. accessID:
  8734. description: The SecretAccessID is used for authentication
  8735. properties:
  8736. key:
  8737. description: |-
  8738. A key in the referenced Secret.
  8739. Some instances of this field may be defaulted, in others it may be required.
  8740. maxLength: 253
  8741. minLength: 1
  8742. pattern: ^[-._a-zA-Z0-9]+$
  8743. type: string
  8744. name:
  8745. description: The name of the Secret resource being referred to.
  8746. maxLength: 253
  8747. minLength: 1
  8748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8749. type: string
  8750. namespace:
  8751. description: |-
  8752. The namespace of the Secret resource being referred to.
  8753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8754. maxLength: 63
  8755. minLength: 1
  8756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8757. type: string
  8758. type: object
  8759. accessType:
  8760. description: |-
  8761. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8762. In some instances, `key` is a required field.
  8763. properties:
  8764. key:
  8765. description: |-
  8766. A key in the referenced Secret.
  8767. Some instances of this field may be defaulted, in others it may be required.
  8768. maxLength: 253
  8769. minLength: 1
  8770. pattern: ^[-._a-zA-Z0-9]+$
  8771. type: string
  8772. name:
  8773. description: The name of the Secret resource being referred to.
  8774. maxLength: 253
  8775. minLength: 1
  8776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8777. type: string
  8778. namespace:
  8779. description: |-
  8780. The namespace of the Secret resource being referred to.
  8781. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8782. maxLength: 63
  8783. minLength: 1
  8784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8785. type: string
  8786. type: object
  8787. accessTypeParam:
  8788. description: |-
  8789. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8790. In some instances, `key` is a required field.
  8791. properties:
  8792. key:
  8793. description: |-
  8794. A key in the referenced Secret.
  8795. Some instances of this field may be defaulted, in others it may be required.
  8796. maxLength: 253
  8797. minLength: 1
  8798. pattern: ^[-._a-zA-Z0-9]+$
  8799. type: string
  8800. name:
  8801. description: The name of the Secret resource being referred to.
  8802. maxLength: 253
  8803. minLength: 1
  8804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8805. type: string
  8806. namespace:
  8807. description: |-
  8808. The namespace of the Secret resource being referred to.
  8809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8810. maxLength: 63
  8811. minLength: 1
  8812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8813. type: string
  8814. type: object
  8815. type: object
  8816. type: object
  8817. caBundle:
  8818. description: |-
  8819. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  8820. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  8821. are used to validate the TLS connection.
  8822. format: byte
  8823. type: string
  8824. caProvider:
  8825. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  8826. properties:
  8827. key:
  8828. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8829. maxLength: 253
  8830. minLength: 1
  8831. pattern: ^[-._a-zA-Z0-9]+$
  8832. type: string
  8833. name:
  8834. description: The name of the object located at the provider type.
  8835. maxLength: 253
  8836. minLength: 1
  8837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8838. type: string
  8839. namespace:
  8840. description: |-
  8841. The namespace the Provider type is in.
  8842. Can only be defined when used in a ClusterSecretStore.
  8843. maxLength: 63
  8844. minLength: 1
  8845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8846. type: string
  8847. type:
  8848. description: The type of provider to use such as "Secret", or "ConfigMap".
  8849. enum:
  8850. - Secret
  8851. - ConfigMap
  8852. type: string
  8853. required:
  8854. - name
  8855. - type
  8856. type: object
  8857. required:
  8858. - akeylessGWApiURL
  8859. - authSecretRef
  8860. type: object
  8861. alibaba:
  8862. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  8863. properties:
  8864. auth:
  8865. description: AlibabaAuth contains a secretRef for credentials.
  8866. properties:
  8867. rrsa:
  8868. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  8869. properties:
  8870. oidcProviderArn:
  8871. type: string
  8872. oidcTokenFilePath:
  8873. type: string
  8874. roleArn:
  8875. type: string
  8876. sessionName:
  8877. type: string
  8878. required:
  8879. - oidcProviderArn
  8880. - oidcTokenFilePath
  8881. - roleArn
  8882. - sessionName
  8883. type: object
  8884. secretRef:
  8885. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  8886. properties:
  8887. accessKeyIDSecretRef:
  8888. description: The AccessKeyID is used for authentication
  8889. properties:
  8890. key:
  8891. description: |-
  8892. A key in the referenced Secret.
  8893. Some instances of this field may be defaulted, in others it may be required.
  8894. maxLength: 253
  8895. minLength: 1
  8896. pattern: ^[-._a-zA-Z0-9]+$
  8897. type: string
  8898. name:
  8899. description: The name of the Secret resource being referred to.
  8900. maxLength: 253
  8901. minLength: 1
  8902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8903. type: string
  8904. namespace:
  8905. description: |-
  8906. The namespace of the Secret resource being referred to.
  8907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8908. maxLength: 63
  8909. minLength: 1
  8910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8911. type: string
  8912. type: object
  8913. accessKeySecretSecretRef:
  8914. description: The AccessKeySecret is used for authentication
  8915. properties:
  8916. key:
  8917. description: |-
  8918. A key in the referenced Secret.
  8919. Some instances of this field may be defaulted, in others it may be required.
  8920. maxLength: 253
  8921. minLength: 1
  8922. pattern: ^[-._a-zA-Z0-9]+$
  8923. type: string
  8924. name:
  8925. description: The name of the Secret resource being referred to.
  8926. maxLength: 253
  8927. minLength: 1
  8928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8929. type: string
  8930. namespace:
  8931. description: |-
  8932. The namespace of the Secret resource being referred to.
  8933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8934. maxLength: 63
  8935. minLength: 1
  8936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8937. type: string
  8938. type: object
  8939. required:
  8940. - accessKeyIDSecretRef
  8941. - accessKeySecretSecretRef
  8942. type: object
  8943. type: object
  8944. regionID:
  8945. description: Alibaba Region to be used for the provider
  8946. type: string
  8947. required:
  8948. - auth
  8949. - regionID
  8950. type: object
  8951. aws:
  8952. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  8953. properties:
  8954. additionalRoles:
  8955. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  8956. items:
  8957. type: string
  8958. type: array
  8959. auth:
  8960. description: |-
  8961. Auth defines the information necessary to authenticate against AWS
  8962. if not set aws sdk will infer credentials from your environment
  8963. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  8964. properties:
  8965. jwt:
  8966. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  8967. properties:
  8968. serviceAccountRef:
  8969. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  8970. properties:
  8971. audiences:
  8972. description: |-
  8973. Audience specifies the `aud` claim for the service account token
  8974. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8975. then this audiences will be appended to the list
  8976. items:
  8977. type: string
  8978. type: array
  8979. name:
  8980. description: The name of the ServiceAccount resource being referred to.
  8981. maxLength: 253
  8982. minLength: 1
  8983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8984. type: string
  8985. namespace:
  8986. description: |-
  8987. Namespace of the resource being referred to.
  8988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8989. maxLength: 63
  8990. minLength: 1
  8991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8992. type: string
  8993. required:
  8994. - name
  8995. type: object
  8996. type: object
  8997. secretRef:
  8998. description: |-
  8999. AWSAuthSecretRef holds secret references for AWS credentials
  9000. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9001. properties:
  9002. accessKeyIDSecretRef:
  9003. description: The AccessKeyID is used for authentication
  9004. properties:
  9005. key:
  9006. description: |-
  9007. A key in the referenced Secret.
  9008. Some instances of this field may be defaulted, in others it may be required.
  9009. maxLength: 253
  9010. minLength: 1
  9011. pattern: ^[-._a-zA-Z0-9]+$
  9012. type: string
  9013. name:
  9014. description: The name of the Secret resource being referred to.
  9015. maxLength: 253
  9016. minLength: 1
  9017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9018. type: string
  9019. namespace:
  9020. description: |-
  9021. The namespace of the Secret resource being referred to.
  9022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9023. maxLength: 63
  9024. minLength: 1
  9025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9026. type: string
  9027. type: object
  9028. secretAccessKeySecretRef:
  9029. description: The SecretAccessKey is used for authentication
  9030. properties:
  9031. key:
  9032. description: |-
  9033. A key in the referenced Secret.
  9034. Some instances of this field may be defaulted, in others it may be required.
  9035. maxLength: 253
  9036. minLength: 1
  9037. pattern: ^[-._a-zA-Z0-9]+$
  9038. type: string
  9039. name:
  9040. description: The name of the Secret resource being referred to.
  9041. maxLength: 253
  9042. minLength: 1
  9043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9044. type: string
  9045. namespace:
  9046. description: |-
  9047. The namespace of the Secret resource being referred to.
  9048. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9049. maxLength: 63
  9050. minLength: 1
  9051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9052. type: string
  9053. type: object
  9054. sessionTokenSecretRef:
  9055. description: |-
  9056. The SessionToken used for authentication
  9057. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9058. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9059. properties:
  9060. key:
  9061. description: |-
  9062. A key in the referenced Secret.
  9063. Some instances of this field may be defaulted, in others it may be required.
  9064. maxLength: 253
  9065. minLength: 1
  9066. pattern: ^[-._a-zA-Z0-9]+$
  9067. type: string
  9068. name:
  9069. description: The name of the Secret resource being referred to.
  9070. maxLength: 253
  9071. minLength: 1
  9072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9073. type: string
  9074. namespace:
  9075. description: |-
  9076. The namespace of the Secret resource being referred to.
  9077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9078. maxLength: 63
  9079. minLength: 1
  9080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9081. type: string
  9082. type: object
  9083. type: object
  9084. type: object
  9085. externalID:
  9086. description: AWS External ID set on assumed IAM roles
  9087. type: string
  9088. prefix:
  9089. description: Prefix adds a prefix to all retrieved values.
  9090. type: string
  9091. region:
  9092. description: AWS Region to be used for the provider
  9093. type: string
  9094. role:
  9095. description: Role is a Role ARN which the provider will assume
  9096. type: string
  9097. secretsManager:
  9098. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9099. properties:
  9100. forceDeleteWithoutRecovery:
  9101. description: |-
  9102. Specifies whether to delete the secret without any recovery window. You
  9103. can't use both this parameter and RecoveryWindowInDays in the same call.
  9104. If you don't use either, then by default Secrets Manager uses a 30 day
  9105. recovery window.
  9106. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9107. type: boolean
  9108. recoveryWindowInDays:
  9109. description: |-
  9110. The number of days from 7 to 30 that Secrets Manager waits before
  9111. permanently deleting the secret. You can't use both this parameter and
  9112. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9113. then by default Secrets Manager uses a 30 day recovery window.
  9114. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9115. format: int64
  9116. type: integer
  9117. type: object
  9118. service:
  9119. description: Service defines which service should be used to fetch the secrets
  9120. enum:
  9121. - SecretsManager
  9122. - ParameterStore
  9123. type: string
  9124. sessionTags:
  9125. description: AWS STS assume role session tags
  9126. items:
  9127. description: Tag defines a tag key and value for AWS resources.
  9128. properties:
  9129. key:
  9130. type: string
  9131. value:
  9132. type: string
  9133. required:
  9134. - key
  9135. - value
  9136. type: object
  9137. type: array
  9138. transitiveTagKeys:
  9139. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9140. items:
  9141. type: string
  9142. type: array
  9143. required:
  9144. - region
  9145. - service
  9146. type: object
  9147. azurekv:
  9148. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9149. properties:
  9150. authSecretRef:
  9151. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9152. properties:
  9153. clientCertificate:
  9154. description: The Azure ClientCertificate of the service principle used for authentication.
  9155. properties:
  9156. key:
  9157. description: |-
  9158. A key in the referenced Secret.
  9159. Some instances of this field may be defaulted, in others it may be required.
  9160. maxLength: 253
  9161. minLength: 1
  9162. pattern: ^[-._a-zA-Z0-9]+$
  9163. type: string
  9164. name:
  9165. description: The name of the Secret resource being referred to.
  9166. maxLength: 253
  9167. minLength: 1
  9168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9169. type: string
  9170. namespace:
  9171. description: |-
  9172. The namespace of the Secret resource being referred to.
  9173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9174. maxLength: 63
  9175. minLength: 1
  9176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9177. type: string
  9178. type: object
  9179. clientId:
  9180. description: The Azure clientId of the service principle or managed identity used for authentication.
  9181. properties:
  9182. key:
  9183. description: |-
  9184. A key in the referenced Secret.
  9185. Some instances of this field may be defaulted, in others it may be required.
  9186. maxLength: 253
  9187. minLength: 1
  9188. pattern: ^[-._a-zA-Z0-9]+$
  9189. type: string
  9190. name:
  9191. description: The name of the Secret resource being referred to.
  9192. maxLength: 253
  9193. minLength: 1
  9194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9195. type: string
  9196. namespace:
  9197. description: |-
  9198. The namespace of the Secret resource being referred to.
  9199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9200. maxLength: 63
  9201. minLength: 1
  9202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9203. type: string
  9204. type: object
  9205. clientSecret:
  9206. description: The Azure ClientSecret of the service principle used for authentication.
  9207. properties:
  9208. key:
  9209. description: |-
  9210. A key in the referenced Secret.
  9211. Some instances of this field may be defaulted, in others it may be required.
  9212. maxLength: 253
  9213. minLength: 1
  9214. pattern: ^[-._a-zA-Z0-9]+$
  9215. type: string
  9216. name:
  9217. description: The name of the Secret resource being referred to.
  9218. maxLength: 253
  9219. minLength: 1
  9220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9221. type: string
  9222. namespace:
  9223. description: |-
  9224. The namespace of the Secret resource being referred to.
  9225. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9226. maxLength: 63
  9227. minLength: 1
  9228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9229. type: string
  9230. type: object
  9231. tenantId:
  9232. description: The Azure tenantId of the managed identity used for authentication.
  9233. properties:
  9234. key:
  9235. description: |-
  9236. A key in the referenced Secret.
  9237. Some instances of this field may be defaulted, in others it may be required.
  9238. maxLength: 253
  9239. minLength: 1
  9240. pattern: ^[-._a-zA-Z0-9]+$
  9241. type: string
  9242. name:
  9243. description: The name of the Secret resource being referred to.
  9244. maxLength: 253
  9245. minLength: 1
  9246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9247. type: string
  9248. namespace:
  9249. description: |-
  9250. The namespace of the Secret resource being referred to.
  9251. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9252. maxLength: 63
  9253. minLength: 1
  9254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9255. type: string
  9256. type: object
  9257. type: object
  9258. authType:
  9259. default: ServicePrincipal
  9260. description: |-
  9261. Auth type defines how to authenticate to the keyvault service.
  9262. Valid values are:
  9263. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9264. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9265. enum:
  9266. - ServicePrincipal
  9267. - ManagedIdentity
  9268. - WorkloadIdentity
  9269. type: string
  9270. environmentType:
  9271. default: PublicCloud
  9272. description: |-
  9273. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9274. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9275. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9276. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9277. enum:
  9278. - PublicCloud
  9279. - USGovernmentCloud
  9280. - ChinaCloud
  9281. - GermanCloud
  9282. type: string
  9283. identityId:
  9284. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  9285. type: string
  9286. serviceAccountRef:
  9287. description: |-
  9288. ServiceAccountRef specified the service account
  9289. that should be used when authenticating with WorkloadIdentity.
  9290. properties:
  9291. audiences:
  9292. description: |-
  9293. Audience specifies the `aud` claim for the service account token
  9294. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9295. then this audiences will be appended to the list
  9296. items:
  9297. type: string
  9298. type: array
  9299. name:
  9300. description: The name of the ServiceAccount resource being referred to.
  9301. maxLength: 253
  9302. minLength: 1
  9303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9304. type: string
  9305. namespace:
  9306. description: |-
  9307. Namespace of the resource being referred to.
  9308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9309. maxLength: 63
  9310. minLength: 1
  9311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9312. type: string
  9313. required:
  9314. - name
  9315. type: object
  9316. tenantId:
  9317. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9318. type: string
  9319. vaultUrl:
  9320. description: Vault Url from which the secrets to be fetched from.
  9321. type: string
  9322. required:
  9323. - vaultUrl
  9324. type: object
  9325. beyondtrust:
  9326. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9327. properties:
  9328. auth:
  9329. description: Auth configures how the operator authenticates with Beyondtrust.
  9330. properties:
  9331. apiKey:
  9332. description: APIKey If not provided then ClientID/ClientSecret become required.
  9333. properties:
  9334. secretRef:
  9335. description: SecretRef references a key in a secret that will be used as value.
  9336. properties:
  9337. key:
  9338. description: |-
  9339. A key in the referenced Secret.
  9340. Some instances of this field may be defaulted, in others it may be required.
  9341. maxLength: 253
  9342. minLength: 1
  9343. pattern: ^[-._a-zA-Z0-9]+$
  9344. type: string
  9345. name:
  9346. description: The name of the Secret resource being referred to.
  9347. maxLength: 253
  9348. minLength: 1
  9349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9350. type: string
  9351. namespace:
  9352. description: |-
  9353. The namespace of the Secret resource being referred to.
  9354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9355. maxLength: 63
  9356. minLength: 1
  9357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9358. type: string
  9359. type: object
  9360. value:
  9361. description: Value can be specified directly to set a value without using a secret.
  9362. type: string
  9363. type: object
  9364. certificate:
  9365. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9366. properties:
  9367. secretRef:
  9368. description: SecretRef references a key in a secret that will be used as value.
  9369. properties:
  9370. key:
  9371. description: |-
  9372. A key in the referenced Secret.
  9373. Some instances of this field may be defaulted, in others it may be required.
  9374. maxLength: 253
  9375. minLength: 1
  9376. pattern: ^[-._a-zA-Z0-9]+$
  9377. type: string
  9378. name:
  9379. description: The name of the Secret resource being referred to.
  9380. maxLength: 253
  9381. minLength: 1
  9382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9383. type: string
  9384. namespace:
  9385. description: |-
  9386. The namespace of the Secret resource being referred to.
  9387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9388. maxLength: 63
  9389. minLength: 1
  9390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9391. type: string
  9392. type: object
  9393. value:
  9394. description: Value can be specified directly to set a value without using a secret.
  9395. type: string
  9396. type: object
  9397. certificateKey:
  9398. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  9399. properties:
  9400. secretRef:
  9401. description: SecretRef references a key in a secret that will be used as value.
  9402. properties:
  9403. key:
  9404. description: |-
  9405. A key in the referenced Secret.
  9406. Some instances of this field may be defaulted, in others it may be required.
  9407. maxLength: 253
  9408. minLength: 1
  9409. pattern: ^[-._a-zA-Z0-9]+$
  9410. type: string
  9411. name:
  9412. description: The name of the Secret resource being referred to.
  9413. maxLength: 253
  9414. minLength: 1
  9415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9416. type: string
  9417. namespace:
  9418. description: |-
  9419. The namespace of the Secret resource being referred to.
  9420. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9421. maxLength: 63
  9422. minLength: 1
  9423. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9424. type: string
  9425. type: object
  9426. value:
  9427. description: Value can be specified directly to set a value without using a secret.
  9428. type: string
  9429. type: object
  9430. clientId:
  9431. description: ClientID is the API OAuth Client ID.
  9432. properties:
  9433. secretRef:
  9434. description: SecretRef references a key in a secret that will be used as value.
  9435. properties:
  9436. key:
  9437. description: |-
  9438. A key in the referenced Secret.
  9439. Some instances of this field may be defaulted, in others it may be required.
  9440. maxLength: 253
  9441. minLength: 1
  9442. pattern: ^[-._a-zA-Z0-9]+$
  9443. type: string
  9444. name:
  9445. description: The name of the Secret resource being referred to.
  9446. maxLength: 253
  9447. minLength: 1
  9448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9449. type: string
  9450. namespace:
  9451. description: |-
  9452. The namespace of the Secret resource being referred to.
  9453. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9454. maxLength: 63
  9455. minLength: 1
  9456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9457. type: string
  9458. type: object
  9459. value:
  9460. description: Value can be specified directly to set a value without using a secret.
  9461. type: string
  9462. type: object
  9463. clientSecret:
  9464. description: ClientSecret is the API OAuth Client Secret.
  9465. properties:
  9466. secretRef:
  9467. description: SecretRef references a key in a secret that will be used as value.
  9468. properties:
  9469. key:
  9470. description: |-
  9471. A key in the referenced Secret.
  9472. Some instances of this field may be defaulted, in others it may be required.
  9473. maxLength: 253
  9474. minLength: 1
  9475. pattern: ^[-._a-zA-Z0-9]+$
  9476. type: string
  9477. name:
  9478. description: The name of the Secret resource being referred to.
  9479. maxLength: 253
  9480. minLength: 1
  9481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9482. type: string
  9483. namespace:
  9484. description: |-
  9485. The namespace of the Secret resource being referred to.
  9486. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9487. maxLength: 63
  9488. minLength: 1
  9489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9490. type: string
  9491. type: object
  9492. value:
  9493. description: Value can be specified directly to set a value without using a secret.
  9494. type: string
  9495. type: object
  9496. type: object
  9497. server:
  9498. description: Auth configures how API server works.
  9499. properties:
  9500. apiUrl:
  9501. type: string
  9502. apiVersion:
  9503. type: string
  9504. clientTimeOutSeconds:
  9505. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9506. type: integer
  9507. decrypt:
  9508. default: true
  9509. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9510. type: boolean
  9511. retrievalType:
  9512. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9513. type: string
  9514. separator:
  9515. description: A character that separates the folder names.
  9516. type: string
  9517. verifyCA:
  9518. type: boolean
  9519. required:
  9520. - apiUrl
  9521. - verifyCA
  9522. type: object
  9523. required:
  9524. - auth
  9525. - server
  9526. type: object
  9527. bitwardensecretsmanager:
  9528. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9529. properties:
  9530. apiURL:
  9531. type: string
  9532. auth:
  9533. description: |-
  9534. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9535. Make sure that the token being used has permissions on the given secret.
  9536. properties:
  9537. secretRef:
  9538. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9539. properties:
  9540. credentials:
  9541. description: AccessToken used for the bitwarden instance.
  9542. properties:
  9543. key:
  9544. description: |-
  9545. A key in the referenced Secret.
  9546. Some instances of this field may be defaulted, in others it may be required.
  9547. maxLength: 253
  9548. minLength: 1
  9549. pattern: ^[-._a-zA-Z0-9]+$
  9550. type: string
  9551. name:
  9552. description: The name of the Secret resource being referred to.
  9553. maxLength: 253
  9554. minLength: 1
  9555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9556. type: string
  9557. namespace:
  9558. description: |-
  9559. The namespace of the Secret resource being referred to.
  9560. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9561. maxLength: 63
  9562. minLength: 1
  9563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9564. type: string
  9565. type: object
  9566. required:
  9567. - credentials
  9568. type: object
  9569. required:
  9570. - secretRef
  9571. type: object
  9572. bitwardenServerSDKURL:
  9573. type: string
  9574. caBundle:
  9575. description: |-
  9576. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9577. can be performed.
  9578. type: string
  9579. caProvider:
  9580. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9581. properties:
  9582. key:
  9583. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9584. maxLength: 253
  9585. minLength: 1
  9586. pattern: ^[-._a-zA-Z0-9]+$
  9587. type: string
  9588. name:
  9589. description: The name of the object located at the provider type.
  9590. maxLength: 253
  9591. minLength: 1
  9592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9593. type: string
  9594. namespace:
  9595. description: |-
  9596. The namespace the Provider type is in.
  9597. Can only be defined when used in a ClusterSecretStore.
  9598. maxLength: 63
  9599. minLength: 1
  9600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9601. type: string
  9602. type:
  9603. description: The type of provider to use such as "Secret", or "ConfigMap".
  9604. enum:
  9605. - Secret
  9606. - ConfigMap
  9607. type: string
  9608. required:
  9609. - name
  9610. - type
  9611. type: object
  9612. identityURL:
  9613. type: string
  9614. organizationID:
  9615. description: OrganizationID determines which organization this secret store manages.
  9616. type: string
  9617. projectID:
  9618. description: ProjectID determines which project this secret store manages.
  9619. type: string
  9620. required:
  9621. - auth
  9622. - organizationID
  9623. - projectID
  9624. type: object
  9625. chef:
  9626. description: Chef configures this store to sync secrets with chef server
  9627. properties:
  9628. auth:
  9629. description: Auth defines the information necessary to authenticate against chef Server
  9630. properties:
  9631. secretRef:
  9632. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9633. properties:
  9634. privateKeySecretRef:
  9635. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9636. properties:
  9637. key:
  9638. description: |-
  9639. A key in the referenced Secret.
  9640. Some instances of this field may be defaulted, in others it may be required.
  9641. maxLength: 253
  9642. minLength: 1
  9643. pattern: ^[-._a-zA-Z0-9]+$
  9644. type: string
  9645. name:
  9646. description: The name of the Secret resource being referred to.
  9647. maxLength: 253
  9648. minLength: 1
  9649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9650. type: string
  9651. namespace:
  9652. description: |-
  9653. The namespace of the Secret resource being referred to.
  9654. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9655. maxLength: 63
  9656. minLength: 1
  9657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9658. type: string
  9659. type: object
  9660. required:
  9661. - privateKeySecretRef
  9662. type: object
  9663. required:
  9664. - secretRef
  9665. type: object
  9666. serverUrl:
  9667. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9668. type: string
  9669. username:
  9670. description: UserName should be the user ID on the chef server
  9671. type: string
  9672. required:
  9673. - auth
  9674. - serverUrl
  9675. - username
  9676. type: object
  9677. cloudrusm:
  9678. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9679. properties:
  9680. auth:
  9681. description: CSMAuth contains a secretRef for credentials.
  9682. properties:
  9683. secretRef:
  9684. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9685. properties:
  9686. accessKeyIDSecretRef:
  9687. description: The AccessKeyID is used for authentication
  9688. properties:
  9689. key:
  9690. description: |-
  9691. A key in the referenced Secret.
  9692. Some instances of this field may be defaulted, in others it may be required.
  9693. maxLength: 253
  9694. minLength: 1
  9695. pattern: ^[-._a-zA-Z0-9]+$
  9696. type: string
  9697. name:
  9698. description: The name of the Secret resource being referred to.
  9699. maxLength: 253
  9700. minLength: 1
  9701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9702. type: string
  9703. namespace:
  9704. description: |-
  9705. The namespace of the Secret resource being referred to.
  9706. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9707. maxLength: 63
  9708. minLength: 1
  9709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9710. type: string
  9711. type: object
  9712. accessKeySecretSecretRef:
  9713. description: The AccessKeySecret is used for authentication
  9714. properties:
  9715. key:
  9716. description: |-
  9717. A key in the referenced Secret.
  9718. Some instances of this field may be defaulted, in others it may be required.
  9719. maxLength: 253
  9720. minLength: 1
  9721. pattern: ^[-._a-zA-Z0-9]+$
  9722. type: string
  9723. name:
  9724. description: The name of the Secret resource being referred to.
  9725. maxLength: 253
  9726. minLength: 1
  9727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9728. type: string
  9729. namespace:
  9730. description: |-
  9731. The namespace of the Secret resource being referred to.
  9732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9733. maxLength: 63
  9734. minLength: 1
  9735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9736. type: string
  9737. type: object
  9738. required:
  9739. - accessKeyIDSecretRef
  9740. - accessKeySecretSecretRef
  9741. type: object
  9742. type: object
  9743. projectID:
  9744. description: ProjectID is the project, which the secrets are stored in.
  9745. type: string
  9746. required:
  9747. - auth
  9748. type: object
  9749. conjur:
  9750. description: Conjur configures this store to sync secrets using conjur provider
  9751. properties:
  9752. auth:
  9753. description: Defines authentication settings for connecting to Conjur.
  9754. properties:
  9755. apikey:
  9756. description: Authenticates with Conjur using an API key.
  9757. properties:
  9758. account:
  9759. description: Account is the Conjur organization account name.
  9760. type: string
  9761. apiKeyRef:
  9762. description: |-
  9763. A reference to a specific 'key' containing the Conjur API key
  9764. within a Secret resource. In some instances, `key` is a required field.
  9765. properties:
  9766. key:
  9767. description: |-
  9768. A key in the referenced Secret.
  9769. Some instances of this field may be defaulted, in others it may be required.
  9770. maxLength: 253
  9771. minLength: 1
  9772. pattern: ^[-._a-zA-Z0-9]+$
  9773. type: string
  9774. name:
  9775. description: The name of the Secret resource being referred to.
  9776. maxLength: 253
  9777. minLength: 1
  9778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9779. type: string
  9780. namespace:
  9781. description: |-
  9782. The namespace of the Secret resource being referred to.
  9783. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9784. maxLength: 63
  9785. minLength: 1
  9786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9787. type: string
  9788. type: object
  9789. userRef:
  9790. description: |-
  9791. A reference to a specific 'key' containing the Conjur username
  9792. within a Secret resource. In some instances, `key` is a required field.
  9793. properties:
  9794. key:
  9795. description: |-
  9796. A key in the referenced Secret.
  9797. Some instances of this field may be defaulted, in others it may be required.
  9798. maxLength: 253
  9799. minLength: 1
  9800. pattern: ^[-._a-zA-Z0-9]+$
  9801. type: string
  9802. name:
  9803. description: The name of the Secret resource being referred to.
  9804. maxLength: 253
  9805. minLength: 1
  9806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9807. type: string
  9808. namespace:
  9809. description: |-
  9810. The namespace of the Secret resource being referred to.
  9811. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9812. maxLength: 63
  9813. minLength: 1
  9814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9815. type: string
  9816. type: object
  9817. required:
  9818. - account
  9819. - apiKeyRef
  9820. - userRef
  9821. type: object
  9822. jwt:
  9823. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  9824. properties:
  9825. account:
  9826. description: Account is the Conjur organization account name.
  9827. type: string
  9828. hostId:
  9829. description: |-
  9830. Optional HostID for JWT authentication. This may be used depending
  9831. on how the Conjur JWT authenticator policy is configured.
  9832. type: string
  9833. secretRef:
  9834. description: |-
  9835. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9836. authenticate with Conjur using the JWT authentication method.
  9837. properties:
  9838. key:
  9839. description: |-
  9840. A key in the referenced Secret.
  9841. Some instances of this field may be defaulted, in others it may be required.
  9842. maxLength: 253
  9843. minLength: 1
  9844. pattern: ^[-._a-zA-Z0-9]+$
  9845. type: string
  9846. name:
  9847. description: The name of the Secret resource being referred to.
  9848. maxLength: 253
  9849. minLength: 1
  9850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9851. type: string
  9852. namespace:
  9853. description: |-
  9854. The namespace of the Secret resource being referred to.
  9855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9856. maxLength: 63
  9857. minLength: 1
  9858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9859. type: string
  9860. type: object
  9861. serviceAccountRef:
  9862. description: |-
  9863. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  9864. a token for with the `TokenRequest` API.
  9865. properties:
  9866. audiences:
  9867. description: |-
  9868. Audience specifies the `aud` claim for the service account token
  9869. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9870. then this audiences will be appended to the list
  9871. items:
  9872. type: string
  9873. type: array
  9874. name:
  9875. description: The name of the ServiceAccount resource being referred to.
  9876. maxLength: 253
  9877. minLength: 1
  9878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9879. type: string
  9880. namespace:
  9881. description: |-
  9882. Namespace of the resource being referred to.
  9883. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9884. maxLength: 63
  9885. minLength: 1
  9886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9887. type: string
  9888. required:
  9889. - name
  9890. type: object
  9891. serviceID:
  9892. description: The conjur authn jwt webservice id
  9893. type: string
  9894. required:
  9895. - account
  9896. - serviceID
  9897. type: object
  9898. type: object
  9899. caBundle:
  9900. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  9901. type: string
  9902. caProvider:
  9903. description: |-
  9904. Used to provide custom certificate authority (CA) certificates
  9905. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  9906. that contains a PEM-encoded certificate.
  9907. properties:
  9908. key:
  9909. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9910. maxLength: 253
  9911. minLength: 1
  9912. pattern: ^[-._a-zA-Z0-9]+$
  9913. type: string
  9914. name:
  9915. description: The name of the object located at the provider type.
  9916. maxLength: 253
  9917. minLength: 1
  9918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9919. type: string
  9920. namespace:
  9921. description: |-
  9922. The namespace the Provider type is in.
  9923. Can only be defined when used in a ClusterSecretStore.
  9924. maxLength: 63
  9925. minLength: 1
  9926. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9927. type: string
  9928. type:
  9929. description: The type of provider to use such as "Secret", or "ConfigMap".
  9930. enum:
  9931. - Secret
  9932. - ConfigMap
  9933. type: string
  9934. required:
  9935. - name
  9936. - type
  9937. type: object
  9938. url:
  9939. description: URL is the endpoint of the Conjur instance.
  9940. type: string
  9941. required:
  9942. - auth
  9943. - url
  9944. type: object
  9945. delinea:
  9946. description: |-
  9947. Delinea DevOps Secrets Vault
  9948. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  9949. properties:
  9950. clientId:
  9951. description: ClientID is the non-secret part of the credential.
  9952. properties:
  9953. secretRef:
  9954. description: SecretRef references a key in a secret that will be used as value.
  9955. properties:
  9956. key:
  9957. description: |-
  9958. A key in the referenced Secret.
  9959. Some instances of this field may be defaulted, in others it may be required.
  9960. maxLength: 253
  9961. minLength: 1
  9962. pattern: ^[-._a-zA-Z0-9]+$
  9963. type: string
  9964. name:
  9965. description: The name of the Secret resource being referred to.
  9966. maxLength: 253
  9967. minLength: 1
  9968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9969. type: string
  9970. namespace:
  9971. description: |-
  9972. The namespace of the Secret resource being referred to.
  9973. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9974. maxLength: 63
  9975. minLength: 1
  9976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9977. type: string
  9978. type: object
  9979. value:
  9980. description: Value can be specified directly to set a value without using a secret.
  9981. type: string
  9982. type: object
  9983. clientSecret:
  9984. description: ClientSecret is the secret part of the credential.
  9985. properties:
  9986. secretRef:
  9987. description: SecretRef references a key in a secret that will be used as value.
  9988. properties:
  9989. key:
  9990. description: |-
  9991. A key in the referenced Secret.
  9992. Some instances of this field may be defaulted, in others it may be required.
  9993. maxLength: 253
  9994. minLength: 1
  9995. pattern: ^[-._a-zA-Z0-9]+$
  9996. type: string
  9997. name:
  9998. description: The name of the Secret resource being referred to.
  9999. maxLength: 253
  10000. minLength: 1
  10001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10002. type: string
  10003. namespace:
  10004. description: |-
  10005. The namespace of the Secret resource being referred to.
  10006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10007. maxLength: 63
  10008. minLength: 1
  10009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10010. type: string
  10011. type: object
  10012. value:
  10013. description: Value can be specified directly to set a value without using a secret.
  10014. type: string
  10015. type: object
  10016. tenant:
  10017. description: Tenant is the chosen hostname / site name.
  10018. type: string
  10019. tld:
  10020. description: |-
  10021. TLD is based on the server location that was chosen during provisioning.
  10022. If unset, defaults to "com".
  10023. type: string
  10024. urlTemplate:
  10025. description: |-
  10026. URLTemplate
  10027. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10028. type: string
  10029. required:
  10030. - clientId
  10031. - clientSecret
  10032. - tenant
  10033. type: object
  10034. device42:
  10035. description: Device42 configures this store to sync secrets using the Device42 provider
  10036. properties:
  10037. auth:
  10038. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10039. properties:
  10040. secretRef:
  10041. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10042. properties:
  10043. credentials:
  10044. description: Username / Password is used for authentication.
  10045. properties:
  10046. key:
  10047. description: |-
  10048. A key in the referenced Secret.
  10049. Some instances of this field may be defaulted, in others it may be required.
  10050. maxLength: 253
  10051. minLength: 1
  10052. pattern: ^[-._a-zA-Z0-9]+$
  10053. type: string
  10054. name:
  10055. description: The name of the Secret resource being referred to.
  10056. maxLength: 253
  10057. minLength: 1
  10058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10059. type: string
  10060. namespace:
  10061. description: |-
  10062. The namespace of the Secret resource being referred to.
  10063. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10064. maxLength: 63
  10065. minLength: 1
  10066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10067. type: string
  10068. type: object
  10069. type: object
  10070. required:
  10071. - secretRef
  10072. type: object
  10073. host:
  10074. description: URL configures the Device42 instance URL.
  10075. type: string
  10076. required:
  10077. - auth
  10078. - host
  10079. type: object
  10080. doppler:
  10081. description: Doppler configures this store to sync secrets using the Doppler provider
  10082. properties:
  10083. auth:
  10084. description: Auth configures how the Operator authenticates with the Doppler API
  10085. properties:
  10086. secretRef:
  10087. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10088. properties:
  10089. dopplerToken:
  10090. description: |-
  10091. The DopplerToken is used for authentication.
  10092. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10093. The Key attribute defaults to dopplerToken if not specified.
  10094. properties:
  10095. key:
  10096. description: |-
  10097. A key in the referenced Secret.
  10098. Some instances of this field may be defaulted, in others it may be required.
  10099. maxLength: 253
  10100. minLength: 1
  10101. pattern: ^[-._a-zA-Z0-9]+$
  10102. type: string
  10103. name:
  10104. description: The name of the Secret resource being referred to.
  10105. maxLength: 253
  10106. minLength: 1
  10107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10108. type: string
  10109. namespace:
  10110. description: |-
  10111. The namespace of the Secret resource being referred to.
  10112. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10113. maxLength: 63
  10114. minLength: 1
  10115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10116. type: string
  10117. type: object
  10118. required:
  10119. - dopplerToken
  10120. type: object
  10121. required:
  10122. - secretRef
  10123. type: object
  10124. config:
  10125. description: Doppler config (required if not using a Service Token)
  10126. type: string
  10127. format:
  10128. description: Format enables the downloading of secrets as a file (string)
  10129. enum:
  10130. - json
  10131. - dotnet-json
  10132. - env
  10133. - yaml
  10134. - docker
  10135. type: string
  10136. nameTransformer:
  10137. description: Environment variable compatible name transforms that change secret names to a different format
  10138. enum:
  10139. - upper-camel
  10140. - camel
  10141. - lower-snake
  10142. - tf-var
  10143. - dotnet-env
  10144. - lower-kebab
  10145. type: string
  10146. project:
  10147. description: Doppler project (required if not using a Service Token)
  10148. type: string
  10149. required:
  10150. - auth
  10151. type: object
  10152. fake:
  10153. description: Fake configures a store with static key/value pairs
  10154. properties:
  10155. data:
  10156. items:
  10157. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10158. properties:
  10159. key:
  10160. type: string
  10161. value:
  10162. type: string
  10163. version:
  10164. type: string
  10165. required:
  10166. - key
  10167. - value
  10168. type: object
  10169. type: array
  10170. required:
  10171. - data
  10172. type: object
  10173. fortanix:
  10174. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10175. properties:
  10176. apiKey:
  10177. description: APIKey is the API token to access SDKMS Applications.
  10178. properties:
  10179. secretRef:
  10180. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10181. properties:
  10182. key:
  10183. description: |-
  10184. A key in the referenced Secret.
  10185. Some instances of this field may be defaulted, in others it may be required.
  10186. maxLength: 253
  10187. minLength: 1
  10188. pattern: ^[-._a-zA-Z0-9]+$
  10189. type: string
  10190. name:
  10191. description: The name of the Secret resource being referred to.
  10192. maxLength: 253
  10193. minLength: 1
  10194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10195. type: string
  10196. namespace:
  10197. description: |-
  10198. The namespace of the Secret resource being referred to.
  10199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10200. maxLength: 63
  10201. minLength: 1
  10202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10203. type: string
  10204. type: object
  10205. type: object
  10206. apiUrl:
  10207. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10208. type: string
  10209. type: object
  10210. gcpsm:
  10211. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10212. properties:
  10213. auth:
  10214. description: Auth defines the information necessary to authenticate against GCP
  10215. properties:
  10216. secretRef:
  10217. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10218. properties:
  10219. secretAccessKeySecretRef:
  10220. description: The SecretAccessKey is used for authentication
  10221. properties:
  10222. key:
  10223. description: |-
  10224. A key in the referenced Secret.
  10225. Some instances of this field may be defaulted, in others it may be required.
  10226. maxLength: 253
  10227. minLength: 1
  10228. pattern: ^[-._a-zA-Z0-9]+$
  10229. type: string
  10230. name:
  10231. description: The name of the Secret resource being referred to.
  10232. maxLength: 253
  10233. minLength: 1
  10234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10235. type: string
  10236. namespace:
  10237. description: |-
  10238. The namespace of the Secret resource being referred to.
  10239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10240. maxLength: 63
  10241. minLength: 1
  10242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10243. type: string
  10244. type: object
  10245. type: object
  10246. workloadIdentity:
  10247. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10248. properties:
  10249. clusterLocation:
  10250. description: |-
  10251. ClusterLocation is the location of the cluster
  10252. If not specified, it fetches information from the metadata server
  10253. type: string
  10254. clusterName:
  10255. description: |-
  10256. ClusterName is the name of the cluster
  10257. If not specified, it fetches information from the metadata server
  10258. type: string
  10259. clusterProjectID:
  10260. description: |-
  10261. ClusterProjectID is the project ID of the cluster
  10262. If not specified, it fetches information from the metadata server
  10263. type: string
  10264. serviceAccountRef:
  10265. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10266. properties:
  10267. audiences:
  10268. description: |-
  10269. Audience specifies the `aud` claim for the service account token
  10270. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10271. then this audiences will be appended to the list
  10272. items:
  10273. type: string
  10274. type: array
  10275. name:
  10276. description: The name of the ServiceAccount resource being referred to.
  10277. maxLength: 253
  10278. minLength: 1
  10279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10280. type: string
  10281. namespace:
  10282. description: |-
  10283. Namespace of the resource being referred to.
  10284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10285. maxLength: 63
  10286. minLength: 1
  10287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10288. type: string
  10289. required:
  10290. - name
  10291. type: object
  10292. required:
  10293. - serviceAccountRef
  10294. type: object
  10295. type: object
  10296. location:
  10297. description: Location optionally defines a location for a secret
  10298. type: string
  10299. projectID:
  10300. description: ProjectID project where secret is located
  10301. type: string
  10302. type: object
  10303. github:
  10304. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10305. properties:
  10306. appID:
  10307. description: appID specifies the Github APP that will be used to authenticate the client
  10308. format: int64
  10309. type: integer
  10310. auth:
  10311. description: auth configures how secret-manager authenticates with a Github instance.
  10312. properties:
  10313. privateKey:
  10314. description: |-
  10315. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10316. In some instances, `key` is a required field.
  10317. properties:
  10318. key:
  10319. description: |-
  10320. A key in the referenced Secret.
  10321. Some instances of this field may be defaulted, in others it may be required.
  10322. maxLength: 253
  10323. minLength: 1
  10324. pattern: ^[-._a-zA-Z0-9]+$
  10325. type: string
  10326. name:
  10327. description: The name of the Secret resource being referred to.
  10328. maxLength: 253
  10329. minLength: 1
  10330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10331. type: string
  10332. namespace:
  10333. description: |-
  10334. The namespace of the Secret resource being referred to.
  10335. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10336. maxLength: 63
  10337. minLength: 1
  10338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10339. type: string
  10340. type: object
  10341. required:
  10342. - privateKey
  10343. type: object
  10344. environment:
  10345. description: environment will be used to fetch secrets from a particular environment within a github repository
  10346. type: string
  10347. installationID:
  10348. description: installationID specifies the Github APP installation that will be used to authenticate the client
  10349. format: int64
  10350. type: integer
  10351. organization:
  10352. description: organization will be used to fetch secrets from the Github organization
  10353. type: string
  10354. repository:
  10355. description: repository will be used to fetch secrets from the Github repository within an organization
  10356. type: string
  10357. uploadURL:
  10358. description: Upload URL for enterprise instances. Default to URL.
  10359. type: string
  10360. url:
  10361. default: https://github.com/
  10362. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10363. type: string
  10364. required:
  10365. - appID
  10366. - auth
  10367. - installationID
  10368. - organization
  10369. type: object
  10370. gitlab:
  10371. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10372. properties:
  10373. auth:
  10374. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10375. properties:
  10376. SecretRef:
  10377. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10378. properties:
  10379. accessToken:
  10380. description: AccessToken is used for authentication.
  10381. properties:
  10382. key:
  10383. description: |-
  10384. A key in the referenced Secret.
  10385. Some instances of this field may be defaulted, in others it may be required.
  10386. maxLength: 253
  10387. minLength: 1
  10388. pattern: ^[-._a-zA-Z0-9]+$
  10389. type: string
  10390. name:
  10391. description: The name of the Secret resource being referred to.
  10392. maxLength: 253
  10393. minLength: 1
  10394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10395. type: string
  10396. namespace:
  10397. description: |-
  10398. The namespace of the Secret resource being referred to.
  10399. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10400. maxLength: 63
  10401. minLength: 1
  10402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10403. type: string
  10404. type: object
  10405. type: object
  10406. required:
  10407. - SecretRef
  10408. type: object
  10409. caBundle:
  10410. description: |-
  10411. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  10412. can be performed.
  10413. format: byte
  10414. type: string
  10415. caProvider:
  10416. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10417. properties:
  10418. key:
  10419. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10420. maxLength: 253
  10421. minLength: 1
  10422. pattern: ^[-._a-zA-Z0-9]+$
  10423. type: string
  10424. name:
  10425. description: The name of the object located at the provider type.
  10426. maxLength: 253
  10427. minLength: 1
  10428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10429. type: string
  10430. namespace:
  10431. description: |-
  10432. The namespace the Provider type is in.
  10433. Can only be defined when used in a ClusterSecretStore.
  10434. maxLength: 63
  10435. minLength: 1
  10436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10437. type: string
  10438. type:
  10439. description: The type of provider to use such as "Secret", or "ConfigMap".
  10440. enum:
  10441. - Secret
  10442. - ConfigMap
  10443. type: string
  10444. required:
  10445. - name
  10446. - type
  10447. type: object
  10448. environment:
  10449. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10450. type: string
  10451. groupIDs:
  10452. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  10453. items:
  10454. type: string
  10455. type: array
  10456. inheritFromGroups:
  10457. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10458. type: boolean
  10459. projectID:
  10460. description: ProjectID specifies a project where secrets are located.
  10461. type: string
  10462. url:
  10463. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10464. type: string
  10465. required:
  10466. - auth
  10467. type: object
  10468. ibm:
  10469. description: IBM configures this store to sync secrets using IBM Cloud provider
  10470. properties:
  10471. auth:
  10472. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10473. maxProperties: 1
  10474. minProperties: 1
  10475. properties:
  10476. containerAuth:
  10477. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10478. properties:
  10479. iamEndpoint:
  10480. type: string
  10481. profile:
  10482. description: the IBM Trusted Profile
  10483. type: string
  10484. tokenLocation:
  10485. description: Location the token is mounted on the pod
  10486. type: string
  10487. required:
  10488. - profile
  10489. type: object
  10490. secretRef:
  10491. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10492. properties:
  10493. secretApiKeySecretRef:
  10494. description: The SecretAccessKey is used for authentication
  10495. properties:
  10496. key:
  10497. description: |-
  10498. A key in the referenced Secret.
  10499. Some instances of this field may be defaulted, in others it may be required.
  10500. maxLength: 253
  10501. minLength: 1
  10502. pattern: ^[-._a-zA-Z0-9]+$
  10503. type: string
  10504. name:
  10505. description: The name of the Secret resource being referred to.
  10506. maxLength: 253
  10507. minLength: 1
  10508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10509. type: string
  10510. namespace:
  10511. description: |-
  10512. The namespace of the Secret resource being referred to.
  10513. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10514. maxLength: 63
  10515. minLength: 1
  10516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10517. type: string
  10518. type: object
  10519. type: object
  10520. type: object
  10521. serviceUrl:
  10522. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10523. type: string
  10524. required:
  10525. - auth
  10526. type: object
  10527. infisical:
  10528. description: Infisical configures this store to sync secrets using the Infisical provider
  10529. properties:
  10530. auth:
  10531. description: Auth configures how the Operator authenticates with the Infisical API
  10532. properties:
  10533. universalAuthCredentials:
  10534. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10535. properties:
  10536. clientId:
  10537. description: |-
  10538. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10539. In some instances, `key` is a required field.
  10540. properties:
  10541. key:
  10542. description: |-
  10543. A key in the referenced Secret.
  10544. Some instances of this field may be defaulted, in others it may be required.
  10545. maxLength: 253
  10546. minLength: 1
  10547. pattern: ^[-._a-zA-Z0-9]+$
  10548. type: string
  10549. name:
  10550. description: The name of the Secret resource being referred to.
  10551. maxLength: 253
  10552. minLength: 1
  10553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10554. type: string
  10555. namespace:
  10556. description: |-
  10557. The namespace of the Secret resource being referred to.
  10558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10559. maxLength: 63
  10560. minLength: 1
  10561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10562. type: string
  10563. type: object
  10564. clientSecret:
  10565. description: |-
  10566. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10567. In some instances, `key` is a required field.
  10568. properties:
  10569. key:
  10570. description: |-
  10571. A key in the referenced Secret.
  10572. Some instances of this field may be defaulted, in others it may be required.
  10573. maxLength: 253
  10574. minLength: 1
  10575. pattern: ^[-._a-zA-Z0-9]+$
  10576. type: string
  10577. name:
  10578. description: The name of the Secret resource being referred to.
  10579. maxLength: 253
  10580. minLength: 1
  10581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10582. type: string
  10583. namespace:
  10584. description: |-
  10585. The namespace of the Secret resource being referred to.
  10586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10587. maxLength: 63
  10588. minLength: 1
  10589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10590. type: string
  10591. type: object
  10592. required:
  10593. - clientId
  10594. - clientSecret
  10595. type: object
  10596. type: object
  10597. hostAPI:
  10598. default: https://app.infisical.com/api
  10599. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10600. type: string
  10601. secretsScope:
  10602. description: SecretsScope defines the scope of the secrets within the workspace
  10603. properties:
  10604. environmentSlug:
  10605. description: EnvironmentSlug is the required slug identifier for the environment.
  10606. type: string
  10607. expandSecretReferences:
  10608. default: true
  10609. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10610. type: boolean
  10611. projectSlug:
  10612. description: ProjectSlug is the required slug identifier for the project.
  10613. type: string
  10614. recursive:
  10615. default: false
  10616. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10617. type: boolean
  10618. secretsPath:
  10619. default: /
  10620. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10621. type: string
  10622. required:
  10623. - environmentSlug
  10624. - projectSlug
  10625. type: object
  10626. required:
  10627. - auth
  10628. - secretsScope
  10629. type: object
  10630. keepersecurity:
  10631. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10632. properties:
  10633. authRef:
  10634. description: |-
  10635. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10636. In some instances, `key` is a required field.
  10637. properties:
  10638. key:
  10639. description: |-
  10640. A key in the referenced Secret.
  10641. Some instances of this field may be defaulted, in others it may be required.
  10642. maxLength: 253
  10643. minLength: 1
  10644. pattern: ^[-._a-zA-Z0-9]+$
  10645. type: string
  10646. name:
  10647. description: The name of the Secret resource being referred to.
  10648. maxLength: 253
  10649. minLength: 1
  10650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10651. type: string
  10652. namespace:
  10653. description: |-
  10654. The namespace of the Secret resource being referred to.
  10655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10656. maxLength: 63
  10657. minLength: 1
  10658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10659. type: string
  10660. type: object
  10661. folderID:
  10662. type: string
  10663. required:
  10664. - authRef
  10665. - folderID
  10666. type: object
  10667. kubernetes:
  10668. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10669. properties:
  10670. auth:
  10671. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10672. maxProperties: 1
  10673. minProperties: 1
  10674. properties:
  10675. cert:
  10676. description: has both clientCert and clientKey as secretKeySelector
  10677. properties:
  10678. clientCert:
  10679. description: |-
  10680. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10681. In some instances, `key` is a required field.
  10682. properties:
  10683. key:
  10684. description: |-
  10685. A key in the referenced Secret.
  10686. Some instances of this field may be defaulted, in others it may be required.
  10687. maxLength: 253
  10688. minLength: 1
  10689. pattern: ^[-._a-zA-Z0-9]+$
  10690. type: string
  10691. name:
  10692. description: The name of the Secret resource being referred to.
  10693. maxLength: 253
  10694. minLength: 1
  10695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10696. type: string
  10697. namespace:
  10698. description: |-
  10699. The namespace of the Secret resource being referred to.
  10700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10701. maxLength: 63
  10702. minLength: 1
  10703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10704. type: string
  10705. type: object
  10706. clientKey:
  10707. description: |-
  10708. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10709. In some instances, `key` is a required field.
  10710. properties:
  10711. key:
  10712. description: |-
  10713. A key in the referenced Secret.
  10714. Some instances of this field may be defaulted, in others it may be required.
  10715. maxLength: 253
  10716. minLength: 1
  10717. pattern: ^[-._a-zA-Z0-9]+$
  10718. type: string
  10719. name:
  10720. description: The name of the Secret resource being referred to.
  10721. maxLength: 253
  10722. minLength: 1
  10723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10724. type: string
  10725. namespace:
  10726. description: |-
  10727. The namespace of the Secret resource being referred to.
  10728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10729. maxLength: 63
  10730. minLength: 1
  10731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10732. type: string
  10733. type: object
  10734. type: object
  10735. serviceAccount:
  10736. description: points to a service account that should be used for authentication
  10737. properties:
  10738. audiences:
  10739. description: |-
  10740. Audience specifies the `aud` claim for the service account token
  10741. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10742. then this audiences will be appended to the list
  10743. items:
  10744. type: string
  10745. type: array
  10746. name:
  10747. description: The name of the ServiceAccount resource being referred to.
  10748. maxLength: 253
  10749. minLength: 1
  10750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10751. type: string
  10752. namespace:
  10753. description: |-
  10754. Namespace of the resource being referred to.
  10755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10756. maxLength: 63
  10757. minLength: 1
  10758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10759. type: string
  10760. required:
  10761. - name
  10762. type: object
  10763. token:
  10764. description: use static token to authenticate with
  10765. properties:
  10766. bearerToken:
  10767. description: |-
  10768. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10769. In some instances, `key` is a required field.
  10770. properties:
  10771. key:
  10772. description: |-
  10773. A key in the referenced Secret.
  10774. Some instances of this field may be defaulted, in others it may be required.
  10775. maxLength: 253
  10776. minLength: 1
  10777. pattern: ^[-._a-zA-Z0-9]+$
  10778. type: string
  10779. name:
  10780. description: The name of the Secret resource being referred to.
  10781. maxLength: 253
  10782. minLength: 1
  10783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10784. type: string
  10785. namespace:
  10786. description: |-
  10787. The namespace of the Secret resource being referred to.
  10788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10789. maxLength: 63
  10790. minLength: 1
  10791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10792. type: string
  10793. type: object
  10794. type: object
  10795. type: object
  10796. authRef:
  10797. description: A reference to a secret that contains the auth information.
  10798. properties:
  10799. key:
  10800. description: |-
  10801. A key in the referenced Secret.
  10802. Some instances of this field may be defaulted, in others it may be required.
  10803. maxLength: 253
  10804. minLength: 1
  10805. pattern: ^[-._a-zA-Z0-9]+$
  10806. type: string
  10807. name:
  10808. description: The name of the Secret resource being referred to.
  10809. maxLength: 253
  10810. minLength: 1
  10811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10812. type: string
  10813. namespace:
  10814. description: |-
  10815. The namespace of the Secret resource being referred to.
  10816. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10817. maxLength: 63
  10818. minLength: 1
  10819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10820. type: string
  10821. type: object
  10822. remoteNamespace:
  10823. default: default
  10824. description: Remote namespace to fetch the secrets from
  10825. maxLength: 63
  10826. minLength: 1
  10827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10828. type: string
  10829. server:
  10830. description: configures the Kubernetes server Address.
  10831. properties:
  10832. caBundle:
  10833. description: CABundle is a base64-encoded CA certificate
  10834. format: byte
  10835. type: string
  10836. caProvider:
  10837. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  10838. properties:
  10839. key:
  10840. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10841. maxLength: 253
  10842. minLength: 1
  10843. pattern: ^[-._a-zA-Z0-9]+$
  10844. type: string
  10845. name:
  10846. description: The name of the object located at the provider type.
  10847. maxLength: 253
  10848. minLength: 1
  10849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10850. type: string
  10851. namespace:
  10852. description: |-
  10853. The namespace the Provider type is in.
  10854. Can only be defined when used in a ClusterSecretStore.
  10855. maxLength: 63
  10856. minLength: 1
  10857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10858. type: string
  10859. type:
  10860. description: The type of provider to use such as "Secret", or "ConfigMap".
  10861. enum:
  10862. - Secret
  10863. - ConfigMap
  10864. type: string
  10865. required:
  10866. - name
  10867. - type
  10868. type: object
  10869. url:
  10870. default: kubernetes.default
  10871. description: configures the Kubernetes server Address.
  10872. type: string
  10873. type: object
  10874. type: object
  10875. onboardbase:
  10876. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  10877. properties:
  10878. apiHost:
  10879. default: https://public.onboardbase.com/api/v1/
  10880. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  10881. type: string
  10882. auth:
  10883. description: Auth configures how the Operator authenticates with the Onboardbase API
  10884. properties:
  10885. apiKeyRef:
  10886. description: |-
  10887. OnboardbaseAPIKey is the APIKey generated by an admin account.
  10888. It is used to recognize and authorize access to a project and environment within onboardbase
  10889. properties:
  10890. key:
  10891. description: |-
  10892. A key in the referenced Secret.
  10893. Some instances of this field may be defaulted, in others it may be required.
  10894. maxLength: 253
  10895. minLength: 1
  10896. pattern: ^[-._a-zA-Z0-9]+$
  10897. type: string
  10898. name:
  10899. description: The name of the Secret resource being referred to.
  10900. maxLength: 253
  10901. minLength: 1
  10902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10903. type: string
  10904. namespace:
  10905. description: |-
  10906. The namespace of the Secret resource being referred to.
  10907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10908. maxLength: 63
  10909. minLength: 1
  10910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10911. type: string
  10912. type: object
  10913. passcodeRef:
  10914. description: OnboardbasePasscode is the passcode attached to the API Key
  10915. properties:
  10916. key:
  10917. description: |-
  10918. A key in the referenced Secret.
  10919. Some instances of this field may be defaulted, in others it may be required.
  10920. maxLength: 253
  10921. minLength: 1
  10922. pattern: ^[-._a-zA-Z0-9]+$
  10923. type: string
  10924. name:
  10925. description: The name of the Secret resource being referred to.
  10926. maxLength: 253
  10927. minLength: 1
  10928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10929. type: string
  10930. namespace:
  10931. description: |-
  10932. The namespace of the Secret resource being referred to.
  10933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10934. maxLength: 63
  10935. minLength: 1
  10936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10937. type: string
  10938. type: object
  10939. required:
  10940. - apiKeyRef
  10941. - passcodeRef
  10942. type: object
  10943. environment:
  10944. default: development
  10945. description: Environment is the name of an environmnent within a project to pull the secrets from
  10946. type: string
  10947. project:
  10948. default: development
  10949. description: Project is an onboardbase project that the secrets should be pulled from
  10950. type: string
  10951. required:
  10952. - apiHost
  10953. - auth
  10954. - environment
  10955. - project
  10956. type: object
  10957. onepassword:
  10958. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  10959. properties:
  10960. auth:
  10961. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  10962. properties:
  10963. secretRef:
  10964. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  10965. properties:
  10966. connectTokenSecretRef:
  10967. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  10968. properties:
  10969. key:
  10970. description: |-
  10971. A key in the referenced Secret.
  10972. Some instances of this field may be defaulted, in others it may be required.
  10973. maxLength: 253
  10974. minLength: 1
  10975. pattern: ^[-._a-zA-Z0-9]+$
  10976. type: string
  10977. name:
  10978. description: The name of the Secret resource being referred to.
  10979. maxLength: 253
  10980. minLength: 1
  10981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10982. type: string
  10983. namespace:
  10984. description: |-
  10985. The namespace of the Secret resource being referred to.
  10986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10987. maxLength: 63
  10988. minLength: 1
  10989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10990. type: string
  10991. type: object
  10992. required:
  10993. - connectTokenSecretRef
  10994. type: object
  10995. required:
  10996. - secretRef
  10997. type: object
  10998. connectHost:
  10999. description: ConnectHost defines the OnePassword Connect Server to connect to
  11000. type: string
  11001. vaults:
  11002. additionalProperties:
  11003. type: integer
  11004. description: Vaults defines which OnePassword vaults to search in which order
  11005. type: object
  11006. required:
  11007. - auth
  11008. - connectHost
  11009. - vaults
  11010. type: object
  11011. oracle:
  11012. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11013. properties:
  11014. auth:
  11015. description: |-
  11016. Auth configures how secret-manager authenticates with the Oracle Vault.
  11017. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11018. properties:
  11019. secretRef:
  11020. description: SecretRef to pass through sensitive information.
  11021. properties:
  11022. fingerprint:
  11023. description: Fingerprint is the fingerprint of the API private key.
  11024. properties:
  11025. key:
  11026. description: |-
  11027. A key in the referenced Secret.
  11028. Some instances of this field may be defaulted, in others it may be required.
  11029. maxLength: 253
  11030. minLength: 1
  11031. pattern: ^[-._a-zA-Z0-9]+$
  11032. type: string
  11033. name:
  11034. description: The name of the Secret resource being referred to.
  11035. maxLength: 253
  11036. minLength: 1
  11037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11038. type: string
  11039. namespace:
  11040. description: |-
  11041. The namespace of the Secret resource being referred to.
  11042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11043. maxLength: 63
  11044. minLength: 1
  11045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11046. type: string
  11047. type: object
  11048. privatekey:
  11049. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11050. properties:
  11051. key:
  11052. description: |-
  11053. A key in the referenced Secret.
  11054. Some instances of this field may be defaulted, in others it may be required.
  11055. maxLength: 253
  11056. minLength: 1
  11057. pattern: ^[-._a-zA-Z0-9]+$
  11058. type: string
  11059. name:
  11060. description: The name of the Secret resource being referred to.
  11061. maxLength: 253
  11062. minLength: 1
  11063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11064. type: string
  11065. namespace:
  11066. description: |-
  11067. The namespace of the Secret resource being referred to.
  11068. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11069. maxLength: 63
  11070. minLength: 1
  11071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11072. type: string
  11073. type: object
  11074. required:
  11075. - fingerprint
  11076. - privatekey
  11077. type: object
  11078. tenancy:
  11079. description: Tenancy is the tenancy OCID where user is located.
  11080. type: string
  11081. user:
  11082. description: User is an access OCID specific to the account.
  11083. type: string
  11084. required:
  11085. - secretRef
  11086. - tenancy
  11087. - user
  11088. type: object
  11089. compartment:
  11090. description: |-
  11091. Compartment is the vault compartment OCID.
  11092. Required for PushSecret
  11093. type: string
  11094. encryptionKey:
  11095. description: |-
  11096. EncryptionKey is the OCID of the encryption key within the vault.
  11097. Required for PushSecret
  11098. type: string
  11099. principalType:
  11100. description: |-
  11101. The type of principal to use for authentication. If left blank, the Auth struct will
  11102. determine the principal type. This optional field must be specified if using
  11103. workload identity.
  11104. enum:
  11105. - ""
  11106. - UserPrincipal
  11107. - InstancePrincipal
  11108. - Workload
  11109. type: string
  11110. region:
  11111. description: Region is the region where vault is located.
  11112. type: string
  11113. serviceAccountRef:
  11114. description: |-
  11115. ServiceAccountRef specified the service account
  11116. that should be used when authenticating with WorkloadIdentity.
  11117. properties:
  11118. audiences:
  11119. description: |-
  11120. Audience specifies the `aud` claim for the service account token
  11121. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11122. then this audiences will be appended to the list
  11123. items:
  11124. type: string
  11125. type: array
  11126. name:
  11127. description: The name of the ServiceAccount resource being referred to.
  11128. maxLength: 253
  11129. minLength: 1
  11130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11131. type: string
  11132. namespace:
  11133. description: |-
  11134. Namespace of the resource being referred to.
  11135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11136. maxLength: 63
  11137. minLength: 1
  11138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11139. type: string
  11140. required:
  11141. - name
  11142. type: object
  11143. vault:
  11144. description: Vault is the vault's OCID of the specific vault where secret is located.
  11145. type: string
  11146. required:
  11147. - region
  11148. - vault
  11149. type: object
  11150. passbolt:
  11151. description: PassboltProvider defines configuration for the Passbolt provider.
  11152. properties:
  11153. auth:
  11154. description: Auth defines the information necessary to authenticate against Passbolt Server
  11155. properties:
  11156. passwordSecretRef:
  11157. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11158. properties:
  11159. key:
  11160. description: |-
  11161. A key in the referenced Secret.
  11162. Some instances of this field may be defaulted, in others it may be required.
  11163. maxLength: 253
  11164. minLength: 1
  11165. pattern: ^[-._a-zA-Z0-9]+$
  11166. type: string
  11167. name:
  11168. description: The name of the Secret resource being referred to.
  11169. maxLength: 253
  11170. minLength: 1
  11171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11172. type: string
  11173. namespace:
  11174. description: |-
  11175. The namespace of the Secret resource being referred to.
  11176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11177. maxLength: 63
  11178. minLength: 1
  11179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11180. type: string
  11181. type: object
  11182. privateKeySecretRef:
  11183. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11184. properties:
  11185. key:
  11186. description: |-
  11187. A key in the referenced Secret.
  11188. Some instances of this field may be defaulted, in others it may be required.
  11189. maxLength: 253
  11190. minLength: 1
  11191. pattern: ^[-._a-zA-Z0-9]+$
  11192. type: string
  11193. name:
  11194. description: The name of the Secret resource being referred to.
  11195. maxLength: 253
  11196. minLength: 1
  11197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11198. type: string
  11199. namespace:
  11200. description: |-
  11201. The namespace of the Secret resource being referred to.
  11202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11203. maxLength: 63
  11204. minLength: 1
  11205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11206. type: string
  11207. type: object
  11208. required:
  11209. - passwordSecretRef
  11210. - privateKeySecretRef
  11211. type: object
  11212. host:
  11213. description: Host defines the Passbolt Server to connect to
  11214. type: string
  11215. required:
  11216. - auth
  11217. - host
  11218. type: object
  11219. passworddepot:
  11220. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11221. properties:
  11222. auth:
  11223. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11224. properties:
  11225. secretRef:
  11226. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11227. properties:
  11228. credentials:
  11229. description: Username / Password is used for authentication.
  11230. properties:
  11231. key:
  11232. description: |-
  11233. A key in the referenced Secret.
  11234. Some instances of this field may be defaulted, in others it may be required.
  11235. maxLength: 253
  11236. minLength: 1
  11237. pattern: ^[-._a-zA-Z0-9]+$
  11238. type: string
  11239. name:
  11240. description: The name of the Secret resource being referred to.
  11241. maxLength: 253
  11242. minLength: 1
  11243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11244. type: string
  11245. namespace:
  11246. description: |-
  11247. The namespace of the Secret resource being referred to.
  11248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11249. maxLength: 63
  11250. minLength: 1
  11251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11252. type: string
  11253. type: object
  11254. type: object
  11255. required:
  11256. - secretRef
  11257. type: object
  11258. database:
  11259. description: Database to use as source
  11260. type: string
  11261. host:
  11262. description: URL configures the Password Depot instance URL.
  11263. type: string
  11264. required:
  11265. - auth
  11266. - database
  11267. - host
  11268. type: object
  11269. previder:
  11270. description: Previder configures this store to sync secrets using the Previder provider
  11271. properties:
  11272. auth:
  11273. description: PreviderAuth contains a secretRef for credentials.
  11274. properties:
  11275. secretRef:
  11276. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11277. properties:
  11278. accessToken:
  11279. description: The AccessToken is used for authentication
  11280. properties:
  11281. key:
  11282. description: |-
  11283. A key in the referenced Secret.
  11284. Some instances of this field may be defaulted, in others it may be required.
  11285. maxLength: 253
  11286. minLength: 1
  11287. pattern: ^[-._a-zA-Z0-9]+$
  11288. type: string
  11289. name:
  11290. description: The name of the Secret resource being referred to.
  11291. maxLength: 253
  11292. minLength: 1
  11293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11294. type: string
  11295. namespace:
  11296. description: |-
  11297. The namespace of the Secret resource being referred to.
  11298. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11299. maxLength: 63
  11300. minLength: 1
  11301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11302. type: string
  11303. type: object
  11304. required:
  11305. - accessToken
  11306. type: object
  11307. type: object
  11308. baseUri:
  11309. type: string
  11310. required:
  11311. - auth
  11312. type: object
  11313. pulumi:
  11314. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11315. properties:
  11316. accessToken:
  11317. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11318. properties:
  11319. secretRef:
  11320. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11321. properties:
  11322. key:
  11323. description: |-
  11324. A key in the referenced Secret.
  11325. Some instances of this field may be defaulted, in others it may be required.
  11326. maxLength: 253
  11327. minLength: 1
  11328. pattern: ^[-._a-zA-Z0-9]+$
  11329. type: string
  11330. name:
  11331. description: The name of the Secret resource being referred to.
  11332. maxLength: 253
  11333. minLength: 1
  11334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11335. type: string
  11336. namespace:
  11337. description: |-
  11338. The namespace of the Secret resource being referred to.
  11339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11340. maxLength: 63
  11341. minLength: 1
  11342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11343. type: string
  11344. type: object
  11345. type: object
  11346. apiUrl:
  11347. default: https://api.pulumi.com/api/esc
  11348. description: APIURL is the URL of the Pulumi API.
  11349. type: string
  11350. environment:
  11351. description: |-
  11352. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  11353. dynamically retrieved values from supported providers including all major clouds,
  11354. and other Pulumi ESC environments.
  11355. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11356. type: string
  11357. organization:
  11358. description: |-
  11359. Organization are a space to collaborate on shared projects and stacks.
  11360. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11361. type: string
  11362. project:
  11363. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11364. type: string
  11365. required:
  11366. - accessToken
  11367. - environment
  11368. - organization
  11369. - project
  11370. type: object
  11371. scaleway:
  11372. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11373. properties:
  11374. accessKey:
  11375. description: AccessKey is the non-secret part of the api key.
  11376. properties:
  11377. secretRef:
  11378. description: SecretRef references a key in a secret that will be used as value.
  11379. properties:
  11380. key:
  11381. description: |-
  11382. A key in the referenced Secret.
  11383. Some instances of this field may be defaulted, in others it may be required.
  11384. maxLength: 253
  11385. minLength: 1
  11386. pattern: ^[-._a-zA-Z0-9]+$
  11387. type: string
  11388. name:
  11389. description: The name of the Secret resource being referred to.
  11390. maxLength: 253
  11391. minLength: 1
  11392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11393. type: string
  11394. namespace:
  11395. description: |-
  11396. The namespace of the Secret resource being referred to.
  11397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11398. maxLength: 63
  11399. minLength: 1
  11400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11401. type: string
  11402. type: object
  11403. value:
  11404. description: Value can be specified directly to set a value without using a secret.
  11405. type: string
  11406. type: object
  11407. apiUrl:
  11408. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11409. type: string
  11410. projectId:
  11411. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11412. type: string
  11413. region:
  11414. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11415. type: string
  11416. secretKey:
  11417. description: SecretKey is the non-secret part of the api key.
  11418. properties:
  11419. secretRef:
  11420. description: SecretRef references a key in a secret that will be used as value.
  11421. properties:
  11422. key:
  11423. description: |-
  11424. A key in the referenced Secret.
  11425. Some instances of this field may be defaulted, in others it may be required.
  11426. maxLength: 253
  11427. minLength: 1
  11428. pattern: ^[-._a-zA-Z0-9]+$
  11429. type: string
  11430. name:
  11431. description: The name of the Secret resource being referred to.
  11432. maxLength: 253
  11433. minLength: 1
  11434. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11435. type: string
  11436. namespace:
  11437. description: |-
  11438. The namespace of the Secret resource being referred to.
  11439. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11440. maxLength: 63
  11441. minLength: 1
  11442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11443. type: string
  11444. type: object
  11445. value:
  11446. description: Value can be specified directly to set a value without using a secret.
  11447. type: string
  11448. type: object
  11449. required:
  11450. - accessKey
  11451. - projectId
  11452. - region
  11453. - secretKey
  11454. type: object
  11455. secretserver:
  11456. description: |-
  11457. SecretServer configures this store to sync secrets using SecretServer provider
  11458. https://docs.delinea.com/online-help/secret-server/start.htm
  11459. properties:
  11460. password:
  11461. description: Password is the secret server account password.
  11462. properties:
  11463. secretRef:
  11464. description: SecretRef references a key in a secret that will be used as value.
  11465. properties:
  11466. key:
  11467. description: |-
  11468. A key in the referenced Secret.
  11469. Some instances of this field may be defaulted, in others it may be required.
  11470. maxLength: 253
  11471. minLength: 1
  11472. pattern: ^[-._a-zA-Z0-9]+$
  11473. type: string
  11474. name:
  11475. description: The name of the Secret resource being referred to.
  11476. maxLength: 253
  11477. minLength: 1
  11478. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11479. type: string
  11480. namespace:
  11481. description: |-
  11482. The namespace of the Secret resource being referred to.
  11483. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11484. maxLength: 63
  11485. minLength: 1
  11486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11487. type: string
  11488. type: object
  11489. value:
  11490. description: Value can be specified directly to set a value without using a secret.
  11491. type: string
  11492. type: object
  11493. serverURL:
  11494. description: |-
  11495. ServerURL
  11496. URL to your secret server installation
  11497. type: string
  11498. username:
  11499. description: Username is the secret server account username.
  11500. properties:
  11501. secretRef:
  11502. description: SecretRef references a key in a secret that will be used as value.
  11503. properties:
  11504. key:
  11505. description: |-
  11506. A key in the referenced Secret.
  11507. Some instances of this field may be defaulted, in others it may be required.
  11508. maxLength: 253
  11509. minLength: 1
  11510. pattern: ^[-._a-zA-Z0-9]+$
  11511. type: string
  11512. name:
  11513. description: The name of the Secret resource being referred to.
  11514. maxLength: 253
  11515. minLength: 1
  11516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11517. type: string
  11518. namespace:
  11519. description: |-
  11520. The namespace of the Secret resource being referred to.
  11521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11522. maxLength: 63
  11523. minLength: 1
  11524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11525. type: string
  11526. type: object
  11527. value:
  11528. description: Value can be specified directly to set a value without using a secret.
  11529. type: string
  11530. type: object
  11531. required:
  11532. - password
  11533. - serverURL
  11534. - username
  11535. type: object
  11536. senhasegura:
  11537. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11538. properties:
  11539. auth:
  11540. description: Auth defines parameters to authenticate in senhasegura
  11541. properties:
  11542. clientId:
  11543. type: string
  11544. clientSecretSecretRef:
  11545. description: |-
  11546. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11547. In some instances, `key` is a required field.
  11548. properties:
  11549. key:
  11550. description: |-
  11551. A key in the referenced Secret.
  11552. Some instances of this field may be defaulted, in others it may be required.
  11553. maxLength: 253
  11554. minLength: 1
  11555. pattern: ^[-._a-zA-Z0-9]+$
  11556. type: string
  11557. name:
  11558. description: The name of the Secret resource being referred to.
  11559. maxLength: 253
  11560. minLength: 1
  11561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11562. type: string
  11563. namespace:
  11564. description: |-
  11565. The namespace of the Secret resource being referred to.
  11566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11567. maxLength: 63
  11568. minLength: 1
  11569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11570. type: string
  11571. type: object
  11572. required:
  11573. - clientId
  11574. - clientSecretSecretRef
  11575. type: object
  11576. ignoreSslCertificate:
  11577. default: false
  11578. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11579. type: boolean
  11580. module:
  11581. description: Module defines which senhasegura module should be used to get secrets
  11582. type: string
  11583. url:
  11584. description: URL of senhasegura
  11585. type: string
  11586. required:
  11587. - auth
  11588. - module
  11589. - url
  11590. type: object
  11591. vault:
  11592. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11593. properties:
  11594. auth:
  11595. description: Auth configures how secret-manager authenticates with the Vault server.
  11596. properties:
  11597. appRole:
  11598. description: |-
  11599. AppRole authenticates with Vault using the App Role auth mechanism,
  11600. with the role and secret stored in a Kubernetes Secret resource.
  11601. properties:
  11602. path:
  11603. default: approle
  11604. description: |-
  11605. Path where the App Role authentication backend is mounted
  11606. in Vault, e.g: "approle"
  11607. type: string
  11608. roleId:
  11609. description: |-
  11610. RoleID configured in the App Role authentication backend when setting
  11611. up the authentication backend in Vault.
  11612. type: string
  11613. roleRef:
  11614. description: |-
  11615. Reference to a key in a Secret that contains the App Role ID used
  11616. to authenticate with Vault.
  11617. The `key` field must be specified and denotes which entry within the Secret
  11618. resource is used as the app role id.
  11619. properties:
  11620. key:
  11621. description: |-
  11622. A key in the referenced Secret.
  11623. Some instances of this field may be defaulted, in others it may be required.
  11624. maxLength: 253
  11625. minLength: 1
  11626. pattern: ^[-._a-zA-Z0-9]+$
  11627. type: string
  11628. name:
  11629. description: The name of the Secret resource being referred to.
  11630. maxLength: 253
  11631. minLength: 1
  11632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11633. type: string
  11634. namespace:
  11635. description: |-
  11636. The namespace of the Secret resource being referred to.
  11637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11638. maxLength: 63
  11639. minLength: 1
  11640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11641. type: string
  11642. type: object
  11643. secretRef:
  11644. description: |-
  11645. Reference to a key in a Secret that contains the App Role secret used
  11646. to authenticate with Vault.
  11647. The `key` field must be specified and denotes which entry within the Secret
  11648. resource is used as the app role secret.
  11649. properties:
  11650. key:
  11651. description: |-
  11652. A key in the referenced Secret.
  11653. Some instances of this field may be defaulted, in others it may be required.
  11654. maxLength: 253
  11655. minLength: 1
  11656. pattern: ^[-._a-zA-Z0-9]+$
  11657. type: string
  11658. name:
  11659. description: The name of the Secret resource being referred to.
  11660. maxLength: 253
  11661. minLength: 1
  11662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11663. type: string
  11664. namespace:
  11665. description: |-
  11666. The namespace of the Secret resource being referred to.
  11667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11668. maxLength: 63
  11669. minLength: 1
  11670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11671. type: string
  11672. type: object
  11673. required:
  11674. - path
  11675. - secretRef
  11676. type: object
  11677. cert:
  11678. description: |-
  11679. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11680. Cert authentication method
  11681. properties:
  11682. clientCert:
  11683. description: |-
  11684. ClientCert is a certificate to authenticate using the Cert Vault
  11685. authentication method
  11686. properties:
  11687. key:
  11688. description: |-
  11689. A key in the referenced Secret.
  11690. Some instances of this field may be defaulted, in others it may be required.
  11691. maxLength: 253
  11692. minLength: 1
  11693. pattern: ^[-._a-zA-Z0-9]+$
  11694. type: string
  11695. name:
  11696. description: The name of the Secret resource being referred to.
  11697. maxLength: 253
  11698. minLength: 1
  11699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11700. type: string
  11701. namespace:
  11702. description: |-
  11703. The namespace of the Secret resource being referred to.
  11704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11705. maxLength: 63
  11706. minLength: 1
  11707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11708. type: string
  11709. type: object
  11710. secretRef:
  11711. description: |-
  11712. SecretRef to a key in a Secret resource containing client private key to
  11713. authenticate with Vault using the Cert authentication method
  11714. properties:
  11715. key:
  11716. description: |-
  11717. A key in the referenced Secret.
  11718. Some instances of this field may be defaulted, in others it may be required.
  11719. maxLength: 253
  11720. minLength: 1
  11721. pattern: ^[-._a-zA-Z0-9]+$
  11722. type: string
  11723. name:
  11724. description: The name of the Secret resource being referred to.
  11725. maxLength: 253
  11726. minLength: 1
  11727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11728. type: string
  11729. namespace:
  11730. description: |-
  11731. The namespace of the Secret resource being referred to.
  11732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11733. maxLength: 63
  11734. minLength: 1
  11735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11736. type: string
  11737. type: object
  11738. type: object
  11739. iam:
  11740. description: |-
  11741. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  11742. AWS IAM authentication method
  11743. properties:
  11744. externalID:
  11745. description: AWS External ID set on assumed IAM roles
  11746. type: string
  11747. jwt:
  11748. description: Specify a service account with IRSA enabled
  11749. properties:
  11750. serviceAccountRef:
  11751. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  11752. properties:
  11753. audiences:
  11754. description: |-
  11755. Audience specifies the `aud` claim for the service account token
  11756. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11757. then this audiences will be appended to the list
  11758. items:
  11759. type: string
  11760. type: array
  11761. name:
  11762. description: The name of the ServiceAccount resource being referred to.
  11763. maxLength: 253
  11764. minLength: 1
  11765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11766. type: string
  11767. namespace:
  11768. description: |-
  11769. Namespace of the resource being referred to.
  11770. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11771. maxLength: 63
  11772. minLength: 1
  11773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11774. type: string
  11775. required:
  11776. - name
  11777. type: object
  11778. type: object
  11779. path:
  11780. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11781. type: string
  11782. region:
  11783. description: AWS region
  11784. type: string
  11785. role:
  11786. description: This is the AWS role to be assumed before talking to vault
  11787. type: string
  11788. secretRef:
  11789. description: Specify credentials in a Secret object
  11790. properties:
  11791. accessKeyIDSecretRef:
  11792. description: The AccessKeyID is used for authentication
  11793. properties:
  11794. key:
  11795. description: |-
  11796. A key in the referenced Secret.
  11797. Some instances of this field may be defaulted, in others it may be required.
  11798. maxLength: 253
  11799. minLength: 1
  11800. pattern: ^[-._a-zA-Z0-9]+$
  11801. type: string
  11802. name:
  11803. description: The name of the Secret resource being referred to.
  11804. maxLength: 253
  11805. minLength: 1
  11806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11807. type: string
  11808. namespace:
  11809. description: |-
  11810. The namespace of the Secret resource being referred to.
  11811. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11812. maxLength: 63
  11813. minLength: 1
  11814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11815. type: string
  11816. type: object
  11817. secretAccessKeySecretRef:
  11818. description: The SecretAccessKey is used for authentication
  11819. properties:
  11820. key:
  11821. description: |-
  11822. A key in the referenced Secret.
  11823. Some instances of this field may be defaulted, in others it may be required.
  11824. maxLength: 253
  11825. minLength: 1
  11826. pattern: ^[-._a-zA-Z0-9]+$
  11827. type: string
  11828. name:
  11829. description: The name of the Secret resource being referred to.
  11830. maxLength: 253
  11831. minLength: 1
  11832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11833. type: string
  11834. namespace:
  11835. description: |-
  11836. The namespace of the Secret resource being referred to.
  11837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11838. maxLength: 63
  11839. minLength: 1
  11840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11841. type: string
  11842. type: object
  11843. sessionTokenSecretRef:
  11844. description: |-
  11845. The SessionToken used for authentication
  11846. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11847. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11848. properties:
  11849. key:
  11850. description: |-
  11851. A key in the referenced Secret.
  11852. Some instances of this field may be defaulted, in others it may be required.
  11853. maxLength: 253
  11854. minLength: 1
  11855. pattern: ^[-._a-zA-Z0-9]+$
  11856. type: string
  11857. name:
  11858. description: The name of the Secret resource being referred to.
  11859. maxLength: 253
  11860. minLength: 1
  11861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11862. type: string
  11863. namespace:
  11864. description: |-
  11865. The namespace of the Secret resource being referred to.
  11866. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11867. maxLength: 63
  11868. minLength: 1
  11869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11870. type: string
  11871. type: object
  11872. type: object
  11873. vaultAwsIamServerID:
  11874. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11875. type: string
  11876. vaultRole:
  11877. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  11878. type: string
  11879. required:
  11880. - vaultRole
  11881. type: object
  11882. jwt:
  11883. description: |-
  11884. Jwt authenticates with Vault by passing role and JWT token using the
  11885. JWT/OIDC authentication method
  11886. properties:
  11887. kubernetesServiceAccountToken:
  11888. description: |-
  11889. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11890. a token for with the `TokenRequest` API.
  11891. properties:
  11892. audiences:
  11893. description: |-
  11894. Optional audiences field that will be used to request a temporary Kubernetes service
  11895. account token for the service account referenced by `serviceAccountRef`.
  11896. Defaults to a single audience `vault` it not specified.
  11897. Deprecated: use serviceAccountRef.Audiences instead
  11898. items:
  11899. type: string
  11900. type: array
  11901. expirationSeconds:
  11902. description: |-
  11903. Optional expiration time in seconds that will be used to request a temporary
  11904. Kubernetes service account token for the service account referenced by
  11905. `serviceAccountRef`.
  11906. Deprecated: this will be removed in the future.
  11907. Defaults to 10 minutes.
  11908. format: int64
  11909. type: integer
  11910. serviceAccountRef:
  11911. description: Service account field containing the name of a kubernetes ServiceAccount.
  11912. properties:
  11913. audiences:
  11914. description: |-
  11915. Audience specifies the `aud` claim for the service account token
  11916. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11917. then this audiences will be appended to the list
  11918. items:
  11919. type: string
  11920. type: array
  11921. name:
  11922. description: The name of the ServiceAccount resource being referred to.
  11923. maxLength: 253
  11924. minLength: 1
  11925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11926. type: string
  11927. namespace:
  11928. description: |-
  11929. Namespace of the resource being referred to.
  11930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11931. maxLength: 63
  11932. minLength: 1
  11933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11934. type: string
  11935. required:
  11936. - name
  11937. type: object
  11938. required:
  11939. - serviceAccountRef
  11940. type: object
  11941. path:
  11942. default: jwt
  11943. description: |-
  11944. Path where the JWT authentication backend is mounted
  11945. in Vault, e.g: "jwt"
  11946. type: string
  11947. role:
  11948. description: |-
  11949. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11950. authentication method
  11951. type: string
  11952. secretRef:
  11953. description: |-
  11954. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11955. authenticate with Vault using the JWT/OIDC authentication method.
  11956. properties:
  11957. key:
  11958. description: |-
  11959. A key in the referenced Secret.
  11960. Some instances of this field may be defaulted, in others it may be required.
  11961. maxLength: 253
  11962. minLength: 1
  11963. pattern: ^[-._a-zA-Z0-9]+$
  11964. type: string
  11965. name:
  11966. description: The name of the Secret resource being referred to.
  11967. maxLength: 253
  11968. minLength: 1
  11969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11970. type: string
  11971. namespace:
  11972. description: |-
  11973. The namespace of the Secret resource being referred to.
  11974. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11975. maxLength: 63
  11976. minLength: 1
  11977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11978. type: string
  11979. type: object
  11980. required:
  11981. - path
  11982. type: object
  11983. kubernetes:
  11984. description: |-
  11985. Kubernetes authenticates with Vault by passing the ServiceAccount
  11986. token stored in the named Secret resource to the Vault server.
  11987. properties:
  11988. mountPath:
  11989. default: kubernetes
  11990. description: |-
  11991. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11992. "kubernetes"
  11993. type: string
  11994. role:
  11995. description: |-
  11996. A required field containing the Vault Role to assume. A Role binds a
  11997. Kubernetes ServiceAccount with a set of Vault policies.
  11998. type: string
  11999. secretRef:
  12000. description: |-
  12001. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12002. for authenticating with Vault. If a name is specified without a key,
  12003. `token` is the default. If one is not specified, the one bound to
  12004. the controller will be used.
  12005. properties:
  12006. key:
  12007. description: |-
  12008. A key in the referenced Secret.
  12009. Some instances of this field may be defaulted, in others it may be required.
  12010. maxLength: 253
  12011. minLength: 1
  12012. pattern: ^[-._a-zA-Z0-9]+$
  12013. type: string
  12014. name:
  12015. description: The name of the Secret resource being referred to.
  12016. maxLength: 253
  12017. minLength: 1
  12018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12019. type: string
  12020. namespace:
  12021. description: |-
  12022. The namespace of the Secret resource being referred to.
  12023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12024. maxLength: 63
  12025. minLength: 1
  12026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12027. type: string
  12028. type: object
  12029. serviceAccountRef:
  12030. description: |-
  12031. Optional service account field containing the name of a kubernetes ServiceAccount.
  12032. If the service account is specified, the service account secret token JWT will be used
  12033. for authenticating with Vault. If the service account selector is not supplied,
  12034. the secretRef will be used instead.
  12035. properties:
  12036. audiences:
  12037. description: |-
  12038. Audience specifies the `aud` claim for the service account token
  12039. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12040. then this audiences will be appended to the list
  12041. items:
  12042. type: string
  12043. type: array
  12044. name:
  12045. description: The name of the ServiceAccount resource being referred to.
  12046. maxLength: 253
  12047. minLength: 1
  12048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12049. type: string
  12050. namespace:
  12051. description: |-
  12052. Namespace of the resource being referred to.
  12053. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12054. maxLength: 63
  12055. minLength: 1
  12056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12057. type: string
  12058. required:
  12059. - name
  12060. type: object
  12061. required:
  12062. - mountPath
  12063. - role
  12064. type: object
  12065. ldap:
  12066. description: |-
  12067. Ldap authenticates with Vault by passing username/password pair using
  12068. the LDAP authentication method
  12069. properties:
  12070. path:
  12071. default: ldap
  12072. description: |-
  12073. Path where the LDAP authentication backend is mounted
  12074. in Vault, e.g: "ldap"
  12075. type: string
  12076. secretRef:
  12077. description: |-
  12078. SecretRef to a key in a Secret resource containing password for the LDAP
  12079. user used to authenticate with Vault using the LDAP authentication
  12080. method
  12081. properties:
  12082. key:
  12083. description: |-
  12084. A key in the referenced Secret.
  12085. Some instances of this field may be defaulted, in others it may be required.
  12086. maxLength: 253
  12087. minLength: 1
  12088. pattern: ^[-._a-zA-Z0-9]+$
  12089. type: string
  12090. name:
  12091. description: The name of the Secret resource being referred to.
  12092. maxLength: 253
  12093. minLength: 1
  12094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12095. type: string
  12096. namespace:
  12097. description: |-
  12098. The namespace of the Secret resource being referred to.
  12099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12100. maxLength: 63
  12101. minLength: 1
  12102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12103. type: string
  12104. type: object
  12105. username:
  12106. description: |-
  12107. Username is an LDAP username used to authenticate using the LDAP Vault
  12108. authentication method
  12109. type: string
  12110. required:
  12111. - path
  12112. - username
  12113. type: object
  12114. namespace:
  12115. description: |-
  12116. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  12117. Namespaces is a set of features within Vault Enterprise that allows
  12118. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12119. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12120. This will default to Vault.Namespace field if set, or empty otherwise
  12121. type: string
  12122. tokenSecretRef:
  12123. description: TokenSecretRef authenticates with Vault by presenting a token.
  12124. properties:
  12125. key:
  12126. description: |-
  12127. A key in the referenced Secret.
  12128. Some instances of this field may be defaulted, in others it may be required.
  12129. maxLength: 253
  12130. minLength: 1
  12131. pattern: ^[-._a-zA-Z0-9]+$
  12132. type: string
  12133. name:
  12134. description: The name of the Secret resource being referred to.
  12135. maxLength: 253
  12136. minLength: 1
  12137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12138. type: string
  12139. namespace:
  12140. description: |-
  12141. The namespace of the Secret resource being referred to.
  12142. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12143. maxLength: 63
  12144. minLength: 1
  12145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12146. type: string
  12147. type: object
  12148. userPass:
  12149. description: UserPass authenticates with Vault by passing username/password pair
  12150. properties:
  12151. path:
  12152. default: userpass
  12153. description: |-
  12154. Path where the UserPassword authentication backend is mounted
  12155. in Vault, e.g: "userpass"
  12156. type: string
  12157. secretRef:
  12158. description: |-
  12159. SecretRef to a key in a Secret resource containing password for the
  12160. user used to authenticate with Vault using the UserPass authentication
  12161. method
  12162. properties:
  12163. key:
  12164. description: |-
  12165. A key in the referenced Secret.
  12166. Some instances of this field may be defaulted, in others it may be required.
  12167. maxLength: 253
  12168. minLength: 1
  12169. pattern: ^[-._a-zA-Z0-9]+$
  12170. type: string
  12171. name:
  12172. description: The name of the Secret resource being referred to.
  12173. maxLength: 253
  12174. minLength: 1
  12175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12176. type: string
  12177. namespace:
  12178. description: |-
  12179. The namespace of the Secret resource being referred to.
  12180. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12181. maxLength: 63
  12182. minLength: 1
  12183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12184. type: string
  12185. type: object
  12186. username:
  12187. description: |-
  12188. Username is a username used to authenticate using the UserPass Vault
  12189. authentication method
  12190. type: string
  12191. required:
  12192. - path
  12193. - username
  12194. type: object
  12195. type: object
  12196. caBundle:
  12197. description: |-
  12198. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12199. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12200. plain HTTP protocol connection. If not set the system root certificates
  12201. are used to validate the TLS connection.
  12202. format: byte
  12203. type: string
  12204. caProvider:
  12205. description: The provider for the CA bundle to use to validate Vault server certificate.
  12206. properties:
  12207. key:
  12208. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12209. maxLength: 253
  12210. minLength: 1
  12211. pattern: ^[-._a-zA-Z0-9]+$
  12212. type: string
  12213. name:
  12214. description: The name of the object located at the provider type.
  12215. maxLength: 253
  12216. minLength: 1
  12217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12218. type: string
  12219. namespace:
  12220. description: |-
  12221. The namespace the Provider type is in.
  12222. Can only be defined when used in a ClusterSecretStore.
  12223. maxLength: 63
  12224. minLength: 1
  12225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12226. type: string
  12227. type:
  12228. description: The type of provider to use such as "Secret", or "ConfigMap".
  12229. enum:
  12230. - Secret
  12231. - ConfigMap
  12232. type: string
  12233. required:
  12234. - name
  12235. - type
  12236. type: object
  12237. forwardInconsistent:
  12238. description: |-
  12239. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12240. leader instead of simply retrying within a loop. This can increase performance if
  12241. the option is enabled serverside.
  12242. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12243. type: boolean
  12244. headers:
  12245. additionalProperties:
  12246. type: string
  12247. description: Headers to be added in Vault request
  12248. type: object
  12249. namespace:
  12250. description: |-
  12251. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  12252. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12253. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12254. type: string
  12255. path:
  12256. description: |-
  12257. Path is the mount path of the Vault KV backend endpoint, e.g:
  12258. "secret". The v2 KV secret engine version specific "/data" path suffix
  12259. for fetching secrets from Vault is optional and will be appended
  12260. if not present in specified path.
  12261. type: string
  12262. readYourWrites:
  12263. description: |-
  12264. ReadYourWrites ensures isolated read-after-write semantics by
  12265. providing discovered cluster replication states in each request.
  12266. More information about eventual consistency in Vault can be found here
  12267. https://www.vaultproject.io/docs/enterprise/consistency
  12268. type: boolean
  12269. server:
  12270. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12271. type: string
  12272. tls:
  12273. description: |-
  12274. The configuration used for client side related TLS communication, when the Vault server
  12275. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12276. This parameter is ignored for plain HTTP protocol connection.
  12277. It's worth noting this configuration is different from the "TLS certificates auth method",
  12278. which is available under the `auth.cert` section.
  12279. properties:
  12280. certSecretRef:
  12281. description: |-
  12282. CertSecretRef is a certificate added to the transport layer
  12283. when communicating with the Vault server.
  12284. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12285. properties:
  12286. key:
  12287. description: |-
  12288. A key in the referenced Secret.
  12289. Some instances of this field may be defaulted, in others it may be required.
  12290. maxLength: 253
  12291. minLength: 1
  12292. pattern: ^[-._a-zA-Z0-9]+$
  12293. type: string
  12294. name:
  12295. description: The name of the Secret resource being referred to.
  12296. maxLength: 253
  12297. minLength: 1
  12298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12299. type: string
  12300. namespace:
  12301. description: |-
  12302. The namespace of the Secret resource being referred to.
  12303. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12304. maxLength: 63
  12305. minLength: 1
  12306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12307. type: string
  12308. type: object
  12309. keySecretRef:
  12310. description: |-
  12311. KeySecretRef to a key in a Secret resource containing client private key
  12312. added to the transport layer when communicating with the Vault server.
  12313. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12314. properties:
  12315. key:
  12316. description: |-
  12317. A key in the referenced Secret.
  12318. Some instances of this field may be defaulted, in others it may be required.
  12319. maxLength: 253
  12320. minLength: 1
  12321. pattern: ^[-._a-zA-Z0-9]+$
  12322. type: string
  12323. name:
  12324. description: The name of the Secret resource being referred to.
  12325. maxLength: 253
  12326. minLength: 1
  12327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12328. type: string
  12329. namespace:
  12330. description: |-
  12331. The namespace of the Secret resource being referred to.
  12332. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12333. maxLength: 63
  12334. minLength: 1
  12335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12336. type: string
  12337. type: object
  12338. type: object
  12339. version:
  12340. default: v2
  12341. description: |-
  12342. Version is the Vault KV secret engine version. This can be either "v1" or
  12343. "v2". Version defaults to "v2".
  12344. enum:
  12345. - v1
  12346. - v2
  12347. type: string
  12348. required:
  12349. - server
  12350. type: object
  12351. webhook:
  12352. description: Webhook configures this store to sync secrets using a generic templated webhook
  12353. properties:
  12354. auth:
  12355. description: Auth specifies a authorization protocol. Only one protocol may be set.
  12356. maxProperties: 1
  12357. minProperties: 1
  12358. properties:
  12359. ntlm:
  12360. description: NTLMProtocol configures the store to use NTLM for auth
  12361. properties:
  12362. passwordSecret:
  12363. description: |-
  12364. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12365. In some instances, `key` is a required field.
  12366. properties:
  12367. key:
  12368. description: |-
  12369. A key in the referenced Secret.
  12370. Some instances of this field may be defaulted, in others it may be required.
  12371. maxLength: 253
  12372. minLength: 1
  12373. pattern: ^[-._a-zA-Z0-9]+$
  12374. type: string
  12375. name:
  12376. description: The name of the Secret resource being referred to.
  12377. maxLength: 253
  12378. minLength: 1
  12379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12380. type: string
  12381. namespace:
  12382. description: |-
  12383. The namespace of the Secret resource being referred to.
  12384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12385. maxLength: 63
  12386. minLength: 1
  12387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12388. type: string
  12389. type: object
  12390. usernameSecret:
  12391. description: |-
  12392. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12393. In some instances, `key` is a required field.
  12394. properties:
  12395. key:
  12396. description: |-
  12397. A key in the referenced Secret.
  12398. Some instances of this field may be defaulted, in others it may be required.
  12399. maxLength: 253
  12400. minLength: 1
  12401. pattern: ^[-._a-zA-Z0-9]+$
  12402. type: string
  12403. name:
  12404. description: The name of the Secret resource being referred to.
  12405. maxLength: 253
  12406. minLength: 1
  12407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12408. type: string
  12409. namespace:
  12410. description: |-
  12411. The namespace of the Secret resource being referred to.
  12412. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12413. maxLength: 63
  12414. minLength: 1
  12415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12416. type: string
  12417. type: object
  12418. required:
  12419. - passwordSecret
  12420. - usernameSecret
  12421. type: object
  12422. type: object
  12423. body:
  12424. description: Body
  12425. type: string
  12426. caBundle:
  12427. description: |-
  12428. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12429. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12430. plain HTTP protocol connection. If not set the system root certificates
  12431. are used to validate the TLS connection.
  12432. format: byte
  12433. type: string
  12434. caProvider:
  12435. description: The provider for the CA bundle to use to validate webhook server certificate.
  12436. properties:
  12437. key:
  12438. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12439. maxLength: 253
  12440. minLength: 1
  12441. pattern: ^[-._a-zA-Z0-9]+$
  12442. type: string
  12443. name:
  12444. description: The name of the object located at the provider type.
  12445. maxLength: 253
  12446. minLength: 1
  12447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12448. type: string
  12449. namespace:
  12450. description: The namespace the Provider type is in.
  12451. maxLength: 63
  12452. minLength: 1
  12453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12454. type: string
  12455. type:
  12456. description: The type of provider to use such as "Secret", or "ConfigMap".
  12457. enum:
  12458. - Secret
  12459. - ConfigMap
  12460. type: string
  12461. required:
  12462. - name
  12463. - type
  12464. type: object
  12465. headers:
  12466. additionalProperties:
  12467. type: string
  12468. description: Headers
  12469. type: object
  12470. method:
  12471. description: Webhook Method
  12472. type: string
  12473. result:
  12474. description: Result formatting
  12475. properties:
  12476. jsonPath:
  12477. description: Json path of return value
  12478. type: string
  12479. type: object
  12480. secrets:
  12481. description: |-
  12482. Secrets to fill in templates
  12483. These secrets will be passed to the templating function as key value pairs under the given name
  12484. items:
  12485. description: WebhookSecret defines a secret to be used in webhook templates.
  12486. properties:
  12487. name:
  12488. description: Name of this secret in templates
  12489. type: string
  12490. secretRef:
  12491. description: Secret ref to fill in credentials
  12492. properties:
  12493. key:
  12494. description: |-
  12495. A key in the referenced Secret.
  12496. Some instances of this field may be defaulted, in others it may be required.
  12497. maxLength: 253
  12498. minLength: 1
  12499. pattern: ^[-._a-zA-Z0-9]+$
  12500. type: string
  12501. name:
  12502. description: The name of the Secret resource being referred to.
  12503. maxLength: 253
  12504. minLength: 1
  12505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12506. type: string
  12507. namespace:
  12508. description: |-
  12509. The namespace of the Secret resource being referred to.
  12510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12511. maxLength: 63
  12512. minLength: 1
  12513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12514. type: string
  12515. type: object
  12516. required:
  12517. - name
  12518. - secretRef
  12519. type: object
  12520. type: array
  12521. timeout:
  12522. description: Timeout
  12523. type: string
  12524. url:
  12525. description: Webhook url to call
  12526. type: string
  12527. required:
  12528. - result
  12529. - url
  12530. type: object
  12531. yandexcertificatemanager:
  12532. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12533. properties:
  12534. apiEndpoint:
  12535. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12536. type: string
  12537. auth:
  12538. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12539. properties:
  12540. authorizedKeySecretRef:
  12541. description: The authorized key used for authentication
  12542. properties:
  12543. key:
  12544. description: |-
  12545. A key in the referenced Secret.
  12546. Some instances of this field may be defaulted, in others it may be required.
  12547. maxLength: 253
  12548. minLength: 1
  12549. pattern: ^[-._a-zA-Z0-9]+$
  12550. type: string
  12551. name:
  12552. description: The name of the Secret resource being referred to.
  12553. maxLength: 253
  12554. minLength: 1
  12555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12556. type: string
  12557. namespace:
  12558. description: |-
  12559. The namespace of the Secret resource being referred to.
  12560. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12561. maxLength: 63
  12562. minLength: 1
  12563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12564. type: string
  12565. type: object
  12566. type: object
  12567. caProvider:
  12568. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12569. properties:
  12570. certSecretRef:
  12571. description: |-
  12572. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12573. In some instances, `key` is a required field.
  12574. properties:
  12575. key:
  12576. description: |-
  12577. A key in the referenced Secret.
  12578. Some instances of this field may be defaulted, in others it may be required.
  12579. maxLength: 253
  12580. minLength: 1
  12581. pattern: ^[-._a-zA-Z0-9]+$
  12582. type: string
  12583. name:
  12584. description: The name of the Secret resource being referred to.
  12585. maxLength: 253
  12586. minLength: 1
  12587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12588. type: string
  12589. namespace:
  12590. description: |-
  12591. The namespace of the Secret resource being referred to.
  12592. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12593. maxLength: 63
  12594. minLength: 1
  12595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12596. type: string
  12597. type: object
  12598. type: object
  12599. required:
  12600. - auth
  12601. type: object
  12602. yandexlockbox:
  12603. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12604. properties:
  12605. apiEndpoint:
  12606. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12607. type: string
  12608. auth:
  12609. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12610. properties:
  12611. authorizedKeySecretRef:
  12612. description: The authorized key used for authentication
  12613. properties:
  12614. key:
  12615. description: |-
  12616. A key in the referenced Secret.
  12617. Some instances of this field may be defaulted, in others it may be required.
  12618. maxLength: 253
  12619. minLength: 1
  12620. pattern: ^[-._a-zA-Z0-9]+$
  12621. type: string
  12622. name:
  12623. description: The name of the Secret resource being referred to.
  12624. maxLength: 253
  12625. minLength: 1
  12626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12627. type: string
  12628. namespace:
  12629. description: |-
  12630. The namespace of the Secret resource being referred to.
  12631. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12632. maxLength: 63
  12633. minLength: 1
  12634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12635. type: string
  12636. type: object
  12637. type: object
  12638. caProvider:
  12639. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12640. properties:
  12641. certSecretRef:
  12642. description: |-
  12643. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12644. In some instances, `key` is a required field.
  12645. properties:
  12646. key:
  12647. description: |-
  12648. A key in the referenced Secret.
  12649. Some instances of this field may be defaulted, in others it may be required.
  12650. maxLength: 253
  12651. minLength: 1
  12652. pattern: ^[-._a-zA-Z0-9]+$
  12653. type: string
  12654. name:
  12655. description: The name of the Secret resource being referred to.
  12656. maxLength: 253
  12657. minLength: 1
  12658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12659. type: string
  12660. namespace:
  12661. description: |-
  12662. The namespace of the Secret resource being referred to.
  12663. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12664. maxLength: 63
  12665. minLength: 1
  12666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12667. type: string
  12668. type: object
  12669. type: object
  12670. required:
  12671. - auth
  12672. type: object
  12673. type: object
  12674. refreshInterval:
  12675. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12676. type: integer
  12677. retrySettings:
  12678. description: Used to configure HTTP retries on failures.
  12679. properties:
  12680. maxRetries:
  12681. description: MaxRetries is the maximum number of retry attempts.
  12682. format: int32
  12683. type: integer
  12684. retryInterval:
  12685. description: RetryInterval is the interval between retry attempts.
  12686. type: string
  12687. type: object
  12688. required:
  12689. - provider
  12690. type: object
  12691. status:
  12692. description: SecretStoreStatus defines the observed state of the SecretStore.
  12693. properties:
  12694. capabilities:
  12695. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12696. type: string
  12697. conditions:
  12698. items:
  12699. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12700. properties:
  12701. lastTransitionTime:
  12702. format: date-time
  12703. type: string
  12704. message:
  12705. type: string
  12706. reason:
  12707. type: string
  12708. status:
  12709. type: string
  12710. type:
  12711. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12712. type: string
  12713. required:
  12714. - status
  12715. - type
  12716. type: object
  12717. type: array
  12718. type: object
  12719. type: object
  12720. served: false
  12721. storage: false
  12722. subresources:
  12723. status: {}
  12724. ---
  12725. apiVersion: apiextensions.k8s.io/v1
  12726. kind: CustomResourceDefinition
  12727. metadata:
  12728. annotations:
  12729. controller-gen.kubebuilder.io/version: v0.19.0
  12730. labels:
  12731. external-secrets.io/component: controller
  12732. name: externalsecrets.external-secrets.io
  12733. spec:
  12734. group: external-secrets.io
  12735. names:
  12736. categories:
  12737. - external-secrets
  12738. kind: ExternalSecret
  12739. listKind: ExternalSecretList
  12740. plural: externalsecrets
  12741. shortNames:
  12742. - es
  12743. singular: externalsecret
  12744. scope: Namespaced
  12745. versions:
  12746. - additionalPrinterColumns:
  12747. - jsonPath: .spec.secretStoreRef.kind
  12748. name: StoreType
  12749. type: string
  12750. - jsonPath: .spec.secretStoreRef.name
  12751. name: Store
  12752. type: string
  12753. - jsonPath: .spec.refreshInterval
  12754. name: Refresh Interval
  12755. type: string
  12756. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  12757. name: Status
  12758. type: string
  12759. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  12760. name: Ready
  12761. type: string
  12762. - jsonPath: .status.refreshTime
  12763. name: Last Sync
  12764. type: date
  12765. name: v1
  12766. schema:
  12767. openAPIV3Schema:
  12768. description: |-
  12769. ExternalSecret is the Schema for the external-secrets API.
  12770. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  12771. properties:
  12772. apiVersion:
  12773. description: |-
  12774. APIVersion defines the versioned schema of this representation of an object.
  12775. Servers should convert recognized schemas to the latest internal value, and
  12776. may reject unrecognized values.
  12777. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12778. type: string
  12779. kind:
  12780. description: |-
  12781. Kind is a string value representing the REST resource this object represents.
  12782. Servers may infer this from the endpoint the client submits requests to.
  12783. Cannot be updated.
  12784. In CamelCase.
  12785. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12786. type: string
  12787. metadata:
  12788. type: object
  12789. spec:
  12790. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  12791. properties:
  12792. data:
  12793. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  12794. items:
  12795. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  12796. properties:
  12797. remoteRef:
  12798. description: |-
  12799. RemoteRef points to the remote secret and defines
  12800. which secret (version/property/..) to fetch.
  12801. properties:
  12802. conversionStrategy:
  12803. default: Default
  12804. description: Used to define a conversion Strategy
  12805. enum:
  12806. - Default
  12807. - Unicode
  12808. type: string
  12809. decodingStrategy:
  12810. default: None
  12811. description: Used to define a decoding Strategy
  12812. enum:
  12813. - Auto
  12814. - Base64
  12815. - Base64URL
  12816. - None
  12817. type: string
  12818. key:
  12819. description: Key is the key used in the Provider, mandatory
  12820. type: string
  12821. metadataPolicy:
  12822. default: None
  12823. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12824. enum:
  12825. - None
  12826. - Fetch
  12827. type: string
  12828. nullBytePolicy:
  12829. default: Ignore
  12830. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12831. enum:
  12832. - Ignore
  12833. - Fail
  12834. type: string
  12835. property:
  12836. description: Used to select a specific property of the Provider value (if a map), if supported
  12837. type: string
  12838. version:
  12839. description: Used to select a specific version of the Provider value, if supported
  12840. type: string
  12841. required:
  12842. - key
  12843. type: object
  12844. secretKey:
  12845. description: The key in the Kubernetes Secret to store the value.
  12846. maxLength: 253
  12847. minLength: 1
  12848. pattern: ^[-._a-zA-Z0-9]+$
  12849. type: string
  12850. sourceRef:
  12851. description: |-
  12852. SourceRef allows you to override the source
  12853. from which the value will be pulled.
  12854. maxProperties: 1
  12855. minProperties: 1
  12856. properties:
  12857. generatorRef:
  12858. description: |-
  12859. GeneratorRef points to a generator custom resource.
  12860. Deprecated: The generatorRef is not implemented in .data[].
  12861. this will be removed with v1.
  12862. properties:
  12863. apiVersion:
  12864. default: generators.external-secrets.io/v1alpha1
  12865. description: Specify the apiVersion of the generator resource
  12866. type: string
  12867. kind:
  12868. description: Specify the Kind of the generator resource
  12869. enum:
  12870. - ACRAccessToken
  12871. - BeyondtrustWorkloadCredentialsDynamicSecret
  12872. - ClusterGenerator
  12873. - CloudsmithAccessToken
  12874. - ECRAuthorizationToken
  12875. - Fake
  12876. - GCRAccessToken
  12877. - GithubAccessToken
  12878. - QuayAccessToken
  12879. - Password
  12880. - SSHKey
  12881. - STSSessionToken
  12882. - UUID
  12883. - VaultDynamicSecret
  12884. - Webhook
  12885. - Grafana
  12886. - MFA
  12887. type: string
  12888. name:
  12889. description: Specify the name of the generator resource
  12890. maxLength: 253
  12891. minLength: 1
  12892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12893. type: string
  12894. required:
  12895. - kind
  12896. - name
  12897. type: object
  12898. storeRef:
  12899. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  12900. properties:
  12901. kind:
  12902. description: |-
  12903. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  12904. Defaults to `SecretStore`
  12905. enum:
  12906. - SecretStore
  12907. - ClusterSecretStore
  12908. type: string
  12909. name:
  12910. description: Name of the SecretStore resource
  12911. maxLength: 253
  12912. minLength: 1
  12913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12914. type: string
  12915. type: object
  12916. type: object
  12917. required:
  12918. - remoteRef
  12919. - secretKey
  12920. type: object
  12921. type: array
  12922. dataFrom:
  12923. description: |-
  12924. DataFrom is used to fetch all properties from a specific Provider data
  12925. If multiple entries are specified, the Secret keys are merged in the specified order
  12926. items:
  12927. description: |-
  12928. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  12929. when using DataFrom to fetch multiple values from a Provider.
  12930. properties:
  12931. extract:
  12932. description: |-
  12933. Used to extract multiple key/value pairs from one secret
  12934. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12935. properties:
  12936. conversionStrategy:
  12937. default: Default
  12938. description: Used to define a conversion Strategy
  12939. enum:
  12940. - Default
  12941. - Unicode
  12942. type: string
  12943. decodingStrategy:
  12944. default: None
  12945. description: Used to define a decoding Strategy
  12946. enum:
  12947. - Auto
  12948. - Base64
  12949. - Base64URL
  12950. - None
  12951. type: string
  12952. key:
  12953. description: Key is the key used in the Provider, mandatory
  12954. type: string
  12955. metadataPolicy:
  12956. default: None
  12957. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12958. enum:
  12959. - None
  12960. - Fetch
  12961. type: string
  12962. nullBytePolicy:
  12963. default: Ignore
  12964. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12965. enum:
  12966. - Ignore
  12967. - Fail
  12968. type: string
  12969. property:
  12970. description: Used to select a specific property of the Provider value (if a map), if supported
  12971. type: string
  12972. version:
  12973. description: Used to select a specific version of the Provider value, if supported
  12974. type: string
  12975. required:
  12976. - key
  12977. type: object
  12978. find:
  12979. description: |-
  12980. Used to find secrets based on tags or regular expressions
  12981. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12982. properties:
  12983. conversionStrategy:
  12984. default: Default
  12985. description: Used to define a conversion Strategy
  12986. enum:
  12987. - Default
  12988. - Unicode
  12989. type: string
  12990. decodingStrategy:
  12991. default: None
  12992. description: Used to define a decoding Strategy
  12993. enum:
  12994. - Auto
  12995. - Base64
  12996. - Base64URL
  12997. - None
  12998. type: string
  12999. name:
  13000. description: Finds secrets based on the name.
  13001. properties:
  13002. regexp:
  13003. description: Finds secrets base
  13004. type: string
  13005. type: object
  13006. nullBytePolicy:
  13007. default: Ignore
  13008. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13009. enum:
  13010. - Ignore
  13011. - Fail
  13012. type: string
  13013. path:
  13014. description: A root path to start the find operations.
  13015. type: string
  13016. tags:
  13017. additionalProperties:
  13018. type: string
  13019. description: Find secrets based on tags.
  13020. type: object
  13021. type: object
  13022. rewrite:
  13023. description: |-
  13024. Used to rewrite secret Keys after getting them from the secret Provider
  13025. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13026. items:
  13027. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13028. maxProperties: 1
  13029. minProperties: 1
  13030. properties:
  13031. merge:
  13032. description: |-
  13033. Used to merge key/values in one single Secret
  13034. The resulting key will contain all values from the specified secrets
  13035. properties:
  13036. conflictPolicy:
  13037. default: Error
  13038. description: Used to define the policy to use in conflict resolution.
  13039. enum:
  13040. - Ignore
  13041. - Error
  13042. type: string
  13043. into:
  13044. default: ""
  13045. description: |-
  13046. Used to define the target key of the merge operation.
  13047. Required if strategy is JSON. Ignored otherwise.
  13048. type: string
  13049. priority:
  13050. description: Used to define key priority in conflict resolution.
  13051. items:
  13052. type: string
  13053. type: array
  13054. priorityPolicy:
  13055. default: Strict
  13056. description: Used to define the policy when a key in the priority list does not exist in the input.
  13057. enum:
  13058. - IgnoreNotFound
  13059. - Strict
  13060. type: string
  13061. strategy:
  13062. default: Extract
  13063. description: Used to define the strategy to use in the merge operation.
  13064. enum:
  13065. - Extract
  13066. - JSON
  13067. type: string
  13068. type: object
  13069. regexp:
  13070. description: |-
  13071. Used to rewrite with regular expressions.
  13072. The resulting key will be the output of a regexp.ReplaceAll operation.
  13073. properties:
  13074. source:
  13075. description: Used to define the regular expression of a re.Compiler.
  13076. type: string
  13077. target:
  13078. description: Used to define the target pattern of a ReplaceAll operation.
  13079. type: string
  13080. required:
  13081. - source
  13082. - target
  13083. type: object
  13084. transform:
  13085. description: |-
  13086. Used to apply string transformation on the secrets.
  13087. The resulting key will be the output of the template applied by the operation.
  13088. properties:
  13089. template:
  13090. description: |-
  13091. Used to define the template to apply on the secret name.
  13092. `.value ` will specify the secret name in the template.
  13093. type: string
  13094. required:
  13095. - template
  13096. type: object
  13097. type: object
  13098. type: array
  13099. sourceRef:
  13100. description: |-
  13101. SourceRef points to a store or generator
  13102. which contains secret values ready to use.
  13103. Use this in combination with Extract or Find pull values out of
  13104. a specific SecretStore.
  13105. When sourceRef points to a generator Extract or Find is not supported.
  13106. The generator returns a static map of values
  13107. maxProperties: 1
  13108. minProperties: 1
  13109. properties:
  13110. generatorRef:
  13111. description: GeneratorRef points to a generator custom resource.
  13112. properties:
  13113. apiVersion:
  13114. default: generators.external-secrets.io/v1alpha1
  13115. description: Specify the apiVersion of the generator resource
  13116. type: string
  13117. kind:
  13118. description: Specify the Kind of the generator resource
  13119. enum:
  13120. - ACRAccessToken
  13121. - BeyondtrustWorkloadCredentialsDynamicSecret
  13122. - ClusterGenerator
  13123. - CloudsmithAccessToken
  13124. - ECRAuthorizationToken
  13125. - Fake
  13126. - GCRAccessToken
  13127. - GithubAccessToken
  13128. - QuayAccessToken
  13129. - Password
  13130. - SSHKey
  13131. - STSSessionToken
  13132. - UUID
  13133. - VaultDynamicSecret
  13134. - Webhook
  13135. - Grafana
  13136. - MFA
  13137. type: string
  13138. name:
  13139. description: Specify the name of the generator resource
  13140. maxLength: 253
  13141. minLength: 1
  13142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13143. type: string
  13144. required:
  13145. - kind
  13146. - name
  13147. type: object
  13148. storeRef:
  13149. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13150. properties:
  13151. kind:
  13152. description: |-
  13153. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13154. Defaults to `SecretStore`
  13155. enum:
  13156. - SecretStore
  13157. - ClusterSecretStore
  13158. type: string
  13159. name:
  13160. description: Name of the SecretStore resource
  13161. maxLength: 253
  13162. minLength: 1
  13163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13164. type: string
  13165. type: object
  13166. type: object
  13167. type: object
  13168. type: array
  13169. refreshInterval:
  13170. default: 1h0m0s
  13171. description: |-
  13172. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13173. specified as Golang Duration strings.
  13174. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13175. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13176. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13177. type: string
  13178. refreshPolicy:
  13179. description: |-
  13180. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13181. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13182. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13183. No periodic updates occur if refreshInterval is 0.
  13184. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13185. enum:
  13186. - CreatedOnce
  13187. - Periodic
  13188. - OnChange
  13189. type: string
  13190. secretStoreRef:
  13191. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13192. properties:
  13193. kind:
  13194. description: |-
  13195. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13196. Defaults to `SecretStore`
  13197. enum:
  13198. - SecretStore
  13199. - ClusterSecretStore
  13200. type: string
  13201. name:
  13202. description: Name of the SecretStore resource
  13203. maxLength: 253
  13204. minLength: 1
  13205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13206. type: string
  13207. type: object
  13208. target:
  13209. default:
  13210. creationPolicy: Owner
  13211. deletionPolicy: Retain
  13212. description: |-
  13213. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13214. there can be only one target per ExternalSecret.
  13215. properties:
  13216. creationPolicy:
  13217. default: Owner
  13218. description: |-
  13219. CreationPolicy defines rules on how to create the resulting Secret.
  13220. Defaults to "Owner"
  13221. enum:
  13222. - Owner
  13223. - Orphan
  13224. - Merge
  13225. - None
  13226. type: string
  13227. deletionPolicy:
  13228. default: Retain
  13229. description: |-
  13230. DeletionPolicy defines rules on how to delete the resulting Secret.
  13231. Defaults to "Retain"
  13232. enum:
  13233. - Delete
  13234. - Merge
  13235. - Retain
  13236. type: string
  13237. immutable:
  13238. description: Immutable defines if the final secret will be immutable
  13239. type: boolean
  13240. manifest:
  13241. description: |-
  13242. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13243. When specified, ExternalSecret will create the resource type defined here
  13244. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  13245. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  13246. properties:
  13247. apiVersion:
  13248. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13249. minLength: 1
  13250. type: string
  13251. kind:
  13252. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13253. minLength: 1
  13254. type: string
  13255. required:
  13256. - apiVersion
  13257. - kind
  13258. type: object
  13259. name:
  13260. description: |-
  13261. The name of the Secret resource to be managed.
  13262. Defaults to the .metadata.name of the ExternalSecret resource
  13263. maxLength: 253
  13264. minLength: 1
  13265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13266. type: string
  13267. template:
  13268. description: Template defines a blueprint for the created Secret resource.
  13269. properties:
  13270. data:
  13271. additionalProperties:
  13272. type: string
  13273. type: object
  13274. engineVersion:
  13275. default: v2
  13276. description: |-
  13277. EngineVersion specifies the template engine version
  13278. that should be used to compile/execute the
  13279. template specified in .data and .templateFrom[].
  13280. enum:
  13281. - v2
  13282. type: string
  13283. mergePolicy:
  13284. default: Replace
  13285. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13286. enum:
  13287. - Replace
  13288. - Merge
  13289. type: string
  13290. metadata:
  13291. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13292. properties:
  13293. annotations:
  13294. additionalProperties:
  13295. type: string
  13296. type: object
  13297. finalizers:
  13298. items:
  13299. type: string
  13300. type: array
  13301. labels:
  13302. additionalProperties:
  13303. type: string
  13304. type: object
  13305. type: object
  13306. templateFrom:
  13307. items:
  13308. description: |-
  13309. TemplateFrom specifies a source for templates.
  13310. Each item in the list can either reference a ConfigMap or a Secret resource.
  13311. properties:
  13312. configMap:
  13313. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13314. properties:
  13315. items:
  13316. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13317. items:
  13318. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13319. properties:
  13320. key:
  13321. description: A key in the ConfigMap/Secret
  13322. maxLength: 253
  13323. minLength: 1
  13324. pattern: ^[-._a-zA-Z0-9]+$
  13325. type: string
  13326. templateAs:
  13327. default: Values
  13328. description: TemplateScope specifies how the template keys should be interpreted.
  13329. enum:
  13330. - Values
  13331. - KeysAndValues
  13332. type: string
  13333. required:
  13334. - key
  13335. type: object
  13336. type: array
  13337. name:
  13338. description: The name of the ConfigMap/Secret resource
  13339. maxLength: 253
  13340. minLength: 1
  13341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13342. type: string
  13343. required:
  13344. - items
  13345. - name
  13346. type: object
  13347. literal:
  13348. type: string
  13349. secret:
  13350. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13351. properties:
  13352. items:
  13353. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13354. items:
  13355. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13356. properties:
  13357. key:
  13358. description: A key in the ConfigMap/Secret
  13359. maxLength: 253
  13360. minLength: 1
  13361. pattern: ^[-._a-zA-Z0-9]+$
  13362. type: string
  13363. templateAs:
  13364. default: Values
  13365. description: TemplateScope specifies how the template keys should be interpreted.
  13366. enum:
  13367. - Values
  13368. - KeysAndValues
  13369. type: string
  13370. required:
  13371. - key
  13372. type: object
  13373. type: array
  13374. name:
  13375. description: The name of the ConfigMap/Secret resource
  13376. maxLength: 253
  13377. minLength: 1
  13378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13379. type: string
  13380. required:
  13381. - items
  13382. - name
  13383. type: object
  13384. target:
  13385. default: Data
  13386. description: |-
  13387. Target specifies where to place the template result.
  13388. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13389. For custom resources (when spec.target.manifest is set), this supports
  13390. nested paths like "spec.database.config" or "data".
  13391. type: string
  13392. type: object
  13393. type: array
  13394. type:
  13395. type: string
  13396. type: object
  13397. type: object
  13398. type: object
  13399. status:
  13400. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13401. properties:
  13402. binding:
  13403. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13404. properties:
  13405. name:
  13406. default: ""
  13407. description: |-
  13408. Name of the referent.
  13409. This field is effectively required, but due to backwards compatibility is
  13410. allowed to be empty. Instances of this type with an empty value here are
  13411. almost certainly wrong.
  13412. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13413. type: string
  13414. type: object
  13415. x-kubernetes-map-type: atomic
  13416. conditions:
  13417. items:
  13418. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13419. properties:
  13420. lastTransitionTime:
  13421. format: date-time
  13422. type: string
  13423. message:
  13424. type: string
  13425. reason:
  13426. type: string
  13427. status:
  13428. type: string
  13429. type:
  13430. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13431. enum:
  13432. - Ready
  13433. - Deleted
  13434. type: string
  13435. required:
  13436. - status
  13437. - type
  13438. type: object
  13439. type: array
  13440. refreshTime:
  13441. description: |-
  13442. refreshTime is the time and date the external secret was fetched and
  13443. the target secret updated
  13444. format: date-time
  13445. nullable: true
  13446. type: string
  13447. syncedResourceVersion:
  13448. description: SyncedResourceVersion keeps track of the last synced version
  13449. type: string
  13450. type: object
  13451. type: object
  13452. selectableFields:
  13453. - jsonPath: .spec.secretStoreRef.name
  13454. - jsonPath: .spec.secretStoreRef.kind
  13455. - jsonPath: .spec.target.name
  13456. - jsonPath: .spec.refreshInterval
  13457. served: true
  13458. storage: true
  13459. subresources:
  13460. status: {}
  13461. - additionalPrinterColumns:
  13462. - jsonPath: .spec.secretStoreRef.kind
  13463. name: StoreType
  13464. type: string
  13465. - jsonPath: .spec.secretStoreRef.name
  13466. name: Store
  13467. type: string
  13468. - jsonPath: .spec.refreshInterval
  13469. name: Refresh Interval
  13470. type: string
  13471. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13472. name: Status
  13473. type: string
  13474. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13475. name: Ready
  13476. type: string
  13477. - jsonPath: .status.refreshTime
  13478. name: Last Sync
  13479. type: date
  13480. deprecated: true
  13481. name: v1beta1
  13482. schema:
  13483. openAPIV3Schema:
  13484. description: ExternalSecret is the schema for the external-secrets API.
  13485. properties:
  13486. apiVersion:
  13487. description: |-
  13488. APIVersion defines the versioned schema of this representation of an object.
  13489. Servers should convert recognized schemas to the latest internal value, and
  13490. may reject unrecognized values.
  13491. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13492. type: string
  13493. kind:
  13494. description: |-
  13495. Kind is a string value representing the REST resource this object represents.
  13496. Servers may infer this from the endpoint the client submits requests to.
  13497. Cannot be updated.
  13498. In CamelCase.
  13499. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13500. type: string
  13501. metadata:
  13502. type: object
  13503. spec:
  13504. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13505. properties:
  13506. data:
  13507. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13508. items:
  13509. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13510. properties:
  13511. remoteRef:
  13512. description: |-
  13513. RemoteRef points to the remote secret and defines
  13514. which secret (version/property/..) to fetch.
  13515. properties:
  13516. conversionStrategy:
  13517. default: Default
  13518. description: Used to define a conversion Strategy
  13519. enum:
  13520. - Default
  13521. - Unicode
  13522. type: string
  13523. decodingStrategy:
  13524. default: None
  13525. description: Used to define a decoding Strategy
  13526. enum:
  13527. - Auto
  13528. - Base64
  13529. - Base64URL
  13530. - None
  13531. type: string
  13532. key:
  13533. description: Key is the key used in the Provider, mandatory
  13534. type: string
  13535. metadataPolicy:
  13536. default: None
  13537. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13538. enum:
  13539. - None
  13540. - Fetch
  13541. type: string
  13542. property:
  13543. description: Used to select a specific property of the Provider value (if a map), if supported
  13544. type: string
  13545. version:
  13546. description: Used to select a specific version of the Provider value, if supported
  13547. type: string
  13548. required:
  13549. - key
  13550. type: object
  13551. secretKey:
  13552. description: The key in the Kubernetes Secret to store the value.
  13553. maxLength: 253
  13554. minLength: 1
  13555. pattern: ^[-._a-zA-Z0-9]+$
  13556. type: string
  13557. sourceRef:
  13558. description: |-
  13559. SourceRef allows you to override the source
  13560. from which the value will be pulled.
  13561. maxProperties: 1
  13562. minProperties: 1
  13563. properties:
  13564. generatorRef:
  13565. description: |-
  13566. GeneratorRef points to a generator custom resource.
  13567. Deprecated: The generatorRef is not implemented in .data[].
  13568. this will be removed with v1.
  13569. properties:
  13570. apiVersion:
  13571. default: generators.external-secrets.io/v1alpha1
  13572. description: Specify the apiVersion of the generator resource
  13573. type: string
  13574. kind:
  13575. description: Specify the Kind of the generator resource
  13576. enum:
  13577. - ACRAccessToken
  13578. - ClusterGenerator
  13579. - ECRAuthorizationToken
  13580. - Fake
  13581. - GCRAccessToken
  13582. - GithubAccessToken
  13583. - QuayAccessToken
  13584. - Password
  13585. - SSHKey
  13586. - STSSessionToken
  13587. - UUID
  13588. - VaultDynamicSecret
  13589. - Webhook
  13590. - Grafana
  13591. type: string
  13592. name:
  13593. description: Specify the name of the generator resource
  13594. maxLength: 253
  13595. minLength: 1
  13596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13597. type: string
  13598. required:
  13599. - kind
  13600. - name
  13601. type: object
  13602. storeRef:
  13603. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13604. properties:
  13605. kind:
  13606. description: |-
  13607. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13608. Defaults to `SecretStore`
  13609. enum:
  13610. - SecretStore
  13611. - ClusterSecretStore
  13612. type: string
  13613. name:
  13614. description: Name of the SecretStore resource
  13615. maxLength: 253
  13616. minLength: 1
  13617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13618. type: string
  13619. type: object
  13620. type: object
  13621. required:
  13622. - remoteRef
  13623. - secretKey
  13624. type: object
  13625. type: array
  13626. dataFrom:
  13627. description: |-
  13628. DataFrom is used to fetch all properties from a specific Provider data
  13629. If multiple entries are specified, the Secret keys are merged in the specified order
  13630. items:
  13631. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13632. properties:
  13633. extract:
  13634. description: |-
  13635. Used to extract multiple key/value pairs from one secret
  13636. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13637. properties:
  13638. conversionStrategy:
  13639. default: Default
  13640. description: Used to define a conversion Strategy
  13641. enum:
  13642. - Default
  13643. - Unicode
  13644. type: string
  13645. decodingStrategy:
  13646. default: None
  13647. description: Used to define a decoding Strategy
  13648. enum:
  13649. - Auto
  13650. - Base64
  13651. - Base64URL
  13652. - None
  13653. type: string
  13654. key:
  13655. description: Key is the key used in the Provider, mandatory
  13656. type: string
  13657. metadataPolicy:
  13658. default: None
  13659. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13660. enum:
  13661. - None
  13662. - Fetch
  13663. type: string
  13664. property:
  13665. description: Used to select a specific property of the Provider value (if a map), if supported
  13666. type: string
  13667. version:
  13668. description: Used to select a specific version of the Provider value, if supported
  13669. type: string
  13670. required:
  13671. - key
  13672. type: object
  13673. find:
  13674. description: |-
  13675. Used to find secrets based on tags or regular expressions
  13676. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13677. properties:
  13678. conversionStrategy:
  13679. default: Default
  13680. description: Used to define a conversion Strategy
  13681. enum:
  13682. - Default
  13683. - Unicode
  13684. type: string
  13685. decodingStrategy:
  13686. default: None
  13687. description: Used to define a decoding Strategy
  13688. enum:
  13689. - Auto
  13690. - Base64
  13691. - Base64URL
  13692. - None
  13693. type: string
  13694. name:
  13695. description: Finds secrets based on the name.
  13696. properties:
  13697. regexp:
  13698. description: Finds secrets base
  13699. type: string
  13700. type: object
  13701. path:
  13702. description: A root path to start the find operations.
  13703. type: string
  13704. tags:
  13705. additionalProperties:
  13706. type: string
  13707. description: Find secrets based on tags.
  13708. type: object
  13709. type: object
  13710. rewrite:
  13711. description: |-
  13712. Used to rewrite secret Keys after getting them from the secret Provider
  13713. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13714. items:
  13715. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  13716. maxProperties: 1
  13717. minProperties: 1
  13718. properties:
  13719. regexp:
  13720. description: |-
  13721. Used to rewrite with regular expressions.
  13722. The resulting key will be the output of a regexp.ReplaceAll operation.
  13723. properties:
  13724. source:
  13725. description: Used to define the regular expression of a re.Compiler.
  13726. type: string
  13727. target:
  13728. description: Used to define the target pattern of a ReplaceAll operation.
  13729. type: string
  13730. required:
  13731. - source
  13732. - target
  13733. type: object
  13734. transform:
  13735. description: |-
  13736. Used to apply string transformation on the secrets.
  13737. The resulting key will be the output of the template applied by the operation.
  13738. properties:
  13739. template:
  13740. description: |-
  13741. Used to define the template to apply on the secret name.
  13742. `.value ` will specify the secret name in the template.
  13743. type: string
  13744. required:
  13745. - template
  13746. type: object
  13747. type: object
  13748. type: array
  13749. sourceRef:
  13750. description: |-
  13751. SourceRef points to a store or generator
  13752. which contains secret values ready to use.
  13753. Use this in combination with Extract or Find pull values out of
  13754. a specific SecretStore.
  13755. When sourceRef points to a generator Extract or Find is not supported.
  13756. The generator returns a static map of values
  13757. maxProperties: 1
  13758. minProperties: 1
  13759. properties:
  13760. generatorRef:
  13761. description: GeneratorRef points to a generator custom resource.
  13762. properties:
  13763. apiVersion:
  13764. default: generators.external-secrets.io/v1alpha1
  13765. description: Specify the apiVersion of the generator resource
  13766. type: string
  13767. kind:
  13768. description: Specify the Kind of the generator resource
  13769. enum:
  13770. - ACRAccessToken
  13771. - ClusterGenerator
  13772. - ECRAuthorizationToken
  13773. - Fake
  13774. - GCRAccessToken
  13775. - GithubAccessToken
  13776. - QuayAccessToken
  13777. - Password
  13778. - SSHKey
  13779. - STSSessionToken
  13780. - UUID
  13781. - VaultDynamicSecret
  13782. - Webhook
  13783. - Grafana
  13784. type: string
  13785. name:
  13786. description: Specify the name of the generator resource
  13787. maxLength: 253
  13788. minLength: 1
  13789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13790. type: string
  13791. required:
  13792. - kind
  13793. - name
  13794. type: object
  13795. storeRef:
  13796. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13797. properties:
  13798. kind:
  13799. description: |-
  13800. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13801. Defaults to `SecretStore`
  13802. enum:
  13803. - SecretStore
  13804. - ClusterSecretStore
  13805. type: string
  13806. name:
  13807. description: Name of the SecretStore resource
  13808. maxLength: 253
  13809. minLength: 1
  13810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13811. type: string
  13812. type: object
  13813. type: object
  13814. type: object
  13815. type: array
  13816. refreshInterval:
  13817. default: 1h0m0s
  13818. description: |-
  13819. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13820. specified as Golang Duration strings.
  13821. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13822. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13823. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13824. type: string
  13825. refreshPolicy:
  13826. description: |-
  13827. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13828. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13829. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13830. No periodic updates occur if refreshInterval is 0.
  13831. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13832. enum:
  13833. - CreatedOnce
  13834. - Periodic
  13835. - OnChange
  13836. type: string
  13837. secretStoreRef:
  13838. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13839. properties:
  13840. kind:
  13841. description: |-
  13842. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13843. Defaults to `SecretStore`
  13844. enum:
  13845. - SecretStore
  13846. - ClusterSecretStore
  13847. type: string
  13848. name:
  13849. description: Name of the SecretStore resource
  13850. maxLength: 253
  13851. minLength: 1
  13852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13853. type: string
  13854. type: object
  13855. target:
  13856. default:
  13857. creationPolicy: Owner
  13858. deletionPolicy: Retain
  13859. description: |-
  13860. ExternalSecretTarget defines the Kubernetes Secret to be created
  13861. There can be only one target per ExternalSecret.
  13862. properties:
  13863. creationPolicy:
  13864. default: Owner
  13865. description: |-
  13866. CreationPolicy defines rules on how to create the resulting Secret.
  13867. Defaults to "Owner"
  13868. enum:
  13869. - Owner
  13870. - Orphan
  13871. - Merge
  13872. - None
  13873. type: string
  13874. deletionPolicy:
  13875. default: Retain
  13876. description: |-
  13877. DeletionPolicy defines rules on how to delete the resulting Secret.
  13878. Defaults to "Retain"
  13879. enum:
  13880. - Delete
  13881. - Merge
  13882. - Retain
  13883. type: string
  13884. immutable:
  13885. description: Immutable defines if the final secret will be immutable
  13886. type: boolean
  13887. name:
  13888. description: |-
  13889. The name of the Secret resource to be managed.
  13890. Defaults to the .metadata.name of the ExternalSecret resource
  13891. maxLength: 253
  13892. minLength: 1
  13893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13894. type: string
  13895. template:
  13896. description: Template defines a blueprint for the created Secret resource.
  13897. properties:
  13898. data:
  13899. additionalProperties:
  13900. type: string
  13901. type: object
  13902. engineVersion:
  13903. default: v2
  13904. description: |-
  13905. EngineVersion specifies the template engine version
  13906. that should be used to compile/execute the
  13907. template specified in .data and .templateFrom[].
  13908. enum:
  13909. - v2
  13910. type: string
  13911. mergePolicy:
  13912. default: Replace
  13913. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  13914. enum:
  13915. - Replace
  13916. - Merge
  13917. type: string
  13918. metadata:
  13919. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13920. properties:
  13921. annotations:
  13922. additionalProperties:
  13923. type: string
  13924. type: object
  13925. labels:
  13926. additionalProperties:
  13927. type: string
  13928. type: object
  13929. type: object
  13930. templateFrom:
  13931. items:
  13932. description: TemplateFrom defines a source for template data.
  13933. properties:
  13934. configMap:
  13935. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13936. properties:
  13937. items:
  13938. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13939. items:
  13940. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13941. properties:
  13942. key:
  13943. description: A key in the ConfigMap/Secret
  13944. maxLength: 253
  13945. minLength: 1
  13946. pattern: ^[-._a-zA-Z0-9]+$
  13947. type: string
  13948. templateAs:
  13949. default: Values
  13950. description: TemplateScope defines the scope of the template when processing template data.
  13951. enum:
  13952. - Values
  13953. - KeysAndValues
  13954. type: string
  13955. required:
  13956. - key
  13957. type: object
  13958. type: array
  13959. name:
  13960. description: The name of the ConfigMap/Secret resource
  13961. maxLength: 253
  13962. minLength: 1
  13963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13964. type: string
  13965. required:
  13966. - items
  13967. - name
  13968. type: object
  13969. literal:
  13970. type: string
  13971. secret:
  13972. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13973. properties:
  13974. items:
  13975. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13976. items:
  13977. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13978. properties:
  13979. key:
  13980. description: A key in the ConfigMap/Secret
  13981. maxLength: 253
  13982. minLength: 1
  13983. pattern: ^[-._a-zA-Z0-9]+$
  13984. type: string
  13985. templateAs:
  13986. default: Values
  13987. description: TemplateScope defines the scope of the template when processing template data.
  13988. enum:
  13989. - Values
  13990. - KeysAndValues
  13991. type: string
  13992. required:
  13993. - key
  13994. type: object
  13995. type: array
  13996. name:
  13997. description: The name of the ConfigMap/Secret resource
  13998. maxLength: 253
  13999. minLength: 1
  14000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14001. type: string
  14002. required:
  14003. - items
  14004. - name
  14005. type: object
  14006. target:
  14007. default: Data
  14008. description: TemplateTarget defines the target field where the template result will be stored.
  14009. enum:
  14010. - Data
  14011. - Annotations
  14012. - Labels
  14013. type: string
  14014. type: object
  14015. type: array
  14016. type:
  14017. type: string
  14018. type: object
  14019. type: object
  14020. type: object
  14021. status:
  14022. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14023. properties:
  14024. binding:
  14025. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14026. properties:
  14027. name:
  14028. default: ""
  14029. description: |-
  14030. Name of the referent.
  14031. This field is effectively required, but due to backwards compatibility is
  14032. allowed to be empty. Instances of this type with an empty value here are
  14033. almost certainly wrong.
  14034. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14035. type: string
  14036. type: object
  14037. x-kubernetes-map-type: atomic
  14038. conditions:
  14039. items:
  14040. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14041. properties:
  14042. lastTransitionTime:
  14043. format: date-time
  14044. type: string
  14045. message:
  14046. type: string
  14047. reason:
  14048. type: string
  14049. status:
  14050. type: string
  14051. type:
  14052. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14053. type: string
  14054. required:
  14055. - status
  14056. - type
  14057. type: object
  14058. type: array
  14059. refreshTime:
  14060. description: |-
  14061. refreshTime is the time and date the external secret was fetched and
  14062. the target secret updated
  14063. format: date-time
  14064. nullable: true
  14065. type: string
  14066. syncedResourceVersion:
  14067. description: SyncedResourceVersion keeps track of the last synced version
  14068. type: string
  14069. type: object
  14070. type: object
  14071. served: false
  14072. storage: false
  14073. subresources:
  14074. status: {}
  14075. ---
  14076. apiVersion: apiextensions.k8s.io/v1
  14077. kind: CustomResourceDefinition
  14078. metadata:
  14079. annotations:
  14080. controller-gen.kubebuilder.io/version: v0.19.0
  14081. labels:
  14082. external-secrets.io/component: controller
  14083. name: pushsecrets.external-secrets.io
  14084. spec:
  14085. group: external-secrets.io
  14086. names:
  14087. categories:
  14088. - external-secrets
  14089. kind: PushSecret
  14090. listKind: PushSecretList
  14091. plural: pushsecrets
  14092. shortNames:
  14093. - ps
  14094. singular: pushsecret
  14095. scope: Namespaced
  14096. versions:
  14097. - additionalPrinterColumns:
  14098. - jsonPath: .metadata.creationTimestamp
  14099. name: AGE
  14100. type: date
  14101. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14102. name: Status
  14103. type: string
  14104. - jsonPath: .status.refreshTime
  14105. name: Last Sync
  14106. type: date
  14107. name: v1alpha1
  14108. schema:
  14109. openAPIV3Schema:
  14110. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14111. properties:
  14112. apiVersion:
  14113. description: |-
  14114. APIVersion defines the versioned schema of this representation of an object.
  14115. Servers should convert recognized schemas to the latest internal value, and
  14116. may reject unrecognized values.
  14117. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14118. type: string
  14119. kind:
  14120. description: |-
  14121. Kind is a string value representing the REST resource this object represents.
  14122. Servers may infer this from the endpoint the client submits requests to.
  14123. Cannot be updated.
  14124. In CamelCase.
  14125. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14126. type: string
  14127. metadata:
  14128. type: object
  14129. spec:
  14130. description: PushSecretSpec configures the behavior of the PushSecret.
  14131. properties:
  14132. data:
  14133. description: Secret Data that should be pushed to providers
  14134. items:
  14135. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14136. properties:
  14137. conversionStrategy:
  14138. default: None
  14139. description: Used to define a conversion Strategy for the secret keys
  14140. enum:
  14141. - None
  14142. - ReverseUnicode
  14143. type: string
  14144. match:
  14145. description: Match a given Secret Key to be pushed to the provider.
  14146. properties:
  14147. remoteRef:
  14148. description: Remote Refs to push to providers.
  14149. properties:
  14150. property:
  14151. description: Name of the property in the resulting secret
  14152. type: string
  14153. remoteKey:
  14154. description: Name of the resulting provider secret.
  14155. type: string
  14156. required:
  14157. - remoteKey
  14158. type: object
  14159. secretKey:
  14160. description: Secret Key to be pushed
  14161. type: string
  14162. required:
  14163. - remoteRef
  14164. type: object
  14165. metadata:
  14166. description: |-
  14167. Metadata is metadata attached to the secret.
  14168. The structure of metadata is provider specific, please look it up in the provider documentation.
  14169. x-kubernetes-preserve-unknown-fields: true
  14170. required:
  14171. - match
  14172. type: object
  14173. type: array
  14174. dataTo:
  14175. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14176. items:
  14177. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14178. properties:
  14179. conversionStrategy:
  14180. default: None
  14181. description: Used to define a conversion Strategy for the secret keys
  14182. enum:
  14183. - None
  14184. - ReverseUnicode
  14185. type: string
  14186. match:
  14187. description: |-
  14188. Match pattern for selecting keys from the source Secret.
  14189. If not specified, all keys are selected.
  14190. properties:
  14191. regexp:
  14192. description: |-
  14193. Regexp matches keys by regular expression.
  14194. If not specified, all keys are matched.
  14195. type: string
  14196. type: object
  14197. metadata:
  14198. description: |-
  14199. Metadata is metadata attached to the secret.
  14200. The structure of metadata is provider specific, please look it up in the provider documentation.
  14201. x-kubernetes-preserve-unknown-fields: true
  14202. remoteKey:
  14203. description: |-
  14204. RemoteKey is the name of the single provider secret that will receive ALL
  14205. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14206. When set, per-key expansion is skipped and a single push is performed.
  14207. The provider's store prefix (if any) is still prepended to this value.
  14208. When not set, each matched key is pushed as its own individual provider secret.
  14209. type: string
  14210. rewrite:
  14211. description: |-
  14212. Rewrite operations to transform keys before pushing to the provider.
  14213. Operations are applied sequentially.
  14214. items:
  14215. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14216. properties:
  14217. regexp:
  14218. description: Used to rewrite with regular expressions.
  14219. properties:
  14220. source:
  14221. description: Used to define the regular expression of a re.Compiler.
  14222. type: string
  14223. target:
  14224. description: Used to define the target pattern of a ReplaceAll operation.
  14225. type: string
  14226. required:
  14227. - source
  14228. - target
  14229. type: object
  14230. transform:
  14231. description: Used to apply string transformation on the secrets.
  14232. properties:
  14233. template:
  14234. description: |-
  14235. Used to define the template to apply on the secret name.
  14236. `.value ` will specify the secret name in the template.
  14237. type: string
  14238. required:
  14239. - template
  14240. type: object
  14241. type: object
  14242. x-kubernetes-validations:
  14243. - message: exactly one of regexp or transform must be set
  14244. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14245. type: array
  14246. storeRef:
  14247. description: StoreRef specifies which SecretStore to push to. Required.
  14248. properties:
  14249. kind:
  14250. default: SecretStore
  14251. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14252. enum:
  14253. - SecretStore
  14254. - ClusterSecretStore
  14255. type: string
  14256. labelSelector:
  14257. description: Optionally, sync to secret stores with label selector
  14258. properties:
  14259. matchExpressions:
  14260. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14261. items:
  14262. description: |-
  14263. A label selector requirement is a selector that contains values, a key, and an operator that
  14264. relates the key and values.
  14265. properties:
  14266. key:
  14267. description: key is the label key that the selector applies to.
  14268. type: string
  14269. operator:
  14270. description: |-
  14271. operator represents a key's relationship to a set of values.
  14272. Valid operators are In, NotIn, Exists and DoesNotExist.
  14273. type: string
  14274. values:
  14275. description: |-
  14276. values is an array of string values. If the operator is In or NotIn,
  14277. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14278. the values array must be empty. This array is replaced during a strategic
  14279. merge patch.
  14280. items:
  14281. type: string
  14282. type: array
  14283. x-kubernetes-list-type: atomic
  14284. required:
  14285. - key
  14286. - operator
  14287. type: object
  14288. type: array
  14289. x-kubernetes-list-type: atomic
  14290. matchLabels:
  14291. additionalProperties:
  14292. type: string
  14293. description: |-
  14294. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14295. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14296. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14297. type: object
  14298. type: object
  14299. x-kubernetes-map-type: atomic
  14300. name:
  14301. description: Optionally, sync to the SecretStore of the given name
  14302. maxLength: 253
  14303. minLength: 1
  14304. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14305. type: string
  14306. type: object
  14307. type: object
  14308. x-kubernetes-validations:
  14309. - message: storeRef must specify either name or labelSelector
  14310. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14311. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14312. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14313. type: array
  14314. deletionPolicy:
  14315. default: None
  14316. description: Deletion Policy to handle Secrets in the provider.
  14317. enum:
  14318. - Delete
  14319. - None
  14320. type: string
  14321. refreshInterval:
  14322. default: 1h0m0s
  14323. description: The Interval to which External Secrets will try to push a secret definition
  14324. type: string
  14325. secretStoreRefs:
  14326. items:
  14327. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14328. properties:
  14329. kind:
  14330. default: SecretStore
  14331. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14332. enum:
  14333. - SecretStore
  14334. - ClusterSecretStore
  14335. type: string
  14336. labelSelector:
  14337. description: Optionally, sync to secret stores with label selector
  14338. properties:
  14339. matchExpressions:
  14340. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14341. items:
  14342. description: |-
  14343. A label selector requirement is a selector that contains values, a key, and an operator that
  14344. relates the key and values.
  14345. properties:
  14346. key:
  14347. description: key is the label key that the selector applies to.
  14348. type: string
  14349. operator:
  14350. description: |-
  14351. operator represents a key's relationship to a set of values.
  14352. Valid operators are In, NotIn, Exists and DoesNotExist.
  14353. type: string
  14354. values:
  14355. description: |-
  14356. values is an array of string values. If the operator is In or NotIn,
  14357. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14358. the values array must be empty. This array is replaced during a strategic
  14359. merge patch.
  14360. items:
  14361. type: string
  14362. type: array
  14363. x-kubernetes-list-type: atomic
  14364. required:
  14365. - key
  14366. - operator
  14367. type: object
  14368. type: array
  14369. x-kubernetes-list-type: atomic
  14370. matchLabels:
  14371. additionalProperties:
  14372. type: string
  14373. description: |-
  14374. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14375. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14376. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14377. type: object
  14378. type: object
  14379. x-kubernetes-map-type: atomic
  14380. name:
  14381. description: Optionally, sync to the SecretStore of the given name
  14382. maxLength: 253
  14383. minLength: 1
  14384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14385. type: string
  14386. type: object
  14387. type: array
  14388. selector:
  14389. description: The Secret Selector (k8s source) for the Push Secret
  14390. maxProperties: 1
  14391. minProperties: 1
  14392. properties:
  14393. generatorRef:
  14394. description: Point to a generator to create a Secret.
  14395. properties:
  14396. apiVersion:
  14397. default: generators.external-secrets.io/v1alpha1
  14398. description: Specify the apiVersion of the generator resource
  14399. type: string
  14400. kind:
  14401. description: Specify the Kind of the generator resource
  14402. enum:
  14403. - ACRAccessToken
  14404. - BeyondtrustWorkloadCredentialsDynamicSecret
  14405. - ClusterGenerator
  14406. - CloudsmithAccessToken
  14407. - ECRAuthorizationToken
  14408. - Fake
  14409. - GCRAccessToken
  14410. - GithubAccessToken
  14411. - QuayAccessToken
  14412. - Password
  14413. - SSHKey
  14414. - STSSessionToken
  14415. - UUID
  14416. - VaultDynamicSecret
  14417. - Webhook
  14418. - Grafana
  14419. - MFA
  14420. type: string
  14421. name:
  14422. description: Specify the name of the generator resource
  14423. maxLength: 253
  14424. minLength: 1
  14425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14426. type: string
  14427. required:
  14428. - kind
  14429. - name
  14430. type: object
  14431. secret:
  14432. description: Select a Secret to Push.
  14433. properties:
  14434. name:
  14435. description: |-
  14436. Name of the Secret.
  14437. The Secret must exist in the same namespace as the PushSecret manifest.
  14438. maxLength: 253
  14439. minLength: 1
  14440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14441. type: string
  14442. selector:
  14443. description: Selector chooses secrets using a labelSelector.
  14444. properties:
  14445. matchExpressions:
  14446. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14447. items:
  14448. description: |-
  14449. A label selector requirement is a selector that contains values, a key, and an operator that
  14450. relates the key and values.
  14451. properties:
  14452. key:
  14453. description: key is the label key that the selector applies to.
  14454. type: string
  14455. operator:
  14456. description: |-
  14457. operator represents a key's relationship to a set of values.
  14458. Valid operators are In, NotIn, Exists and DoesNotExist.
  14459. type: string
  14460. values:
  14461. description: |-
  14462. values is an array of string values. If the operator is In or NotIn,
  14463. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14464. the values array must be empty. This array is replaced during a strategic
  14465. merge patch.
  14466. items:
  14467. type: string
  14468. type: array
  14469. x-kubernetes-list-type: atomic
  14470. required:
  14471. - key
  14472. - operator
  14473. type: object
  14474. type: array
  14475. x-kubernetes-list-type: atomic
  14476. matchLabels:
  14477. additionalProperties:
  14478. type: string
  14479. description: |-
  14480. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14481. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14482. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14483. type: object
  14484. type: object
  14485. x-kubernetes-map-type: atomic
  14486. type: object
  14487. type: object
  14488. template:
  14489. description: Template defines a blueprint for the created Secret resource.
  14490. properties:
  14491. data:
  14492. additionalProperties:
  14493. type: string
  14494. type: object
  14495. engineVersion:
  14496. default: v2
  14497. description: |-
  14498. EngineVersion specifies the template engine version
  14499. that should be used to compile/execute the
  14500. template specified in .data and .templateFrom[].
  14501. enum:
  14502. - v2
  14503. type: string
  14504. mergePolicy:
  14505. default: Replace
  14506. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14507. enum:
  14508. - Replace
  14509. - Merge
  14510. type: string
  14511. metadata:
  14512. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14513. properties:
  14514. annotations:
  14515. additionalProperties:
  14516. type: string
  14517. type: object
  14518. finalizers:
  14519. items:
  14520. type: string
  14521. type: array
  14522. labels:
  14523. additionalProperties:
  14524. type: string
  14525. type: object
  14526. type: object
  14527. templateFrom:
  14528. items:
  14529. description: |-
  14530. TemplateFrom specifies a source for templates.
  14531. Each item in the list can either reference a ConfigMap or a Secret resource.
  14532. properties:
  14533. configMap:
  14534. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14535. properties:
  14536. items:
  14537. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14538. items:
  14539. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14540. properties:
  14541. key:
  14542. description: A key in the ConfigMap/Secret
  14543. maxLength: 253
  14544. minLength: 1
  14545. pattern: ^[-._a-zA-Z0-9]+$
  14546. type: string
  14547. templateAs:
  14548. default: Values
  14549. description: TemplateScope specifies how the template keys should be interpreted.
  14550. enum:
  14551. - Values
  14552. - KeysAndValues
  14553. type: string
  14554. required:
  14555. - key
  14556. type: object
  14557. type: array
  14558. name:
  14559. description: The name of the ConfigMap/Secret resource
  14560. maxLength: 253
  14561. minLength: 1
  14562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14563. type: string
  14564. required:
  14565. - items
  14566. - name
  14567. type: object
  14568. literal:
  14569. type: string
  14570. secret:
  14571. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14572. properties:
  14573. items:
  14574. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14575. items:
  14576. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14577. properties:
  14578. key:
  14579. description: A key in the ConfigMap/Secret
  14580. maxLength: 253
  14581. minLength: 1
  14582. pattern: ^[-._a-zA-Z0-9]+$
  14583. type: string
  14584. templateAs:
  14585. default: Values
  14586. description: TemplateScope specifies how the template keys should be interpreted.
  14587. enum:
  14588. - Values
  14589. - KeysAndValues
  14590. type: string
  14591. required:
  14592. - key
  14593. type: object
  14594. type: array
  14595. name:
  14596. description: The name of the ConfigMap/Secret resource
  14597. maxLength: 253
  14598. minLength: 1
  14599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14600. type: string
  14601. required:
  14602. - items
  14603. - name
  14604. type: object
  14605. target:
  14606. default: Data
  14607. description: |-
  14608. Target specifies where to place the template result.
  14609. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14610. For custom resources (when spec.target.manifest is set), this supports
  14611. nested paths like "spec.database.config" or "data".
  14612. type: string
  14613. type: object
  14614. type: array
  14615. type:
  14616. type: string
  14617. type: object
  14618. updatePolicy:
  14619. default: Replace
  14620. description: UpdatePolicy to handle Secrets in the provider.
  14621. enum:
  14622. - Replace
  14623. - IfNotExists
  14624. type: string
  14625. required:
  14626. - secretStoreRefs
  14627. - selector
  14628. type: object
  14629. status:
  14630. description: PushSecretStatus indicates the history of the status of PushSecret.
  14631. properties:
  14632. conditions:
  14633. items:
  14634. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14635. properties:
  14636. lastTransitionTime:
  14637. format: date-time
  14638. type: string
  14639. message:
  14640. type: string
  14641. reason:
  14642. type: string
  14643. status:
  14644. type: string
  14645. type:
  14646. description: PushSecretConditionType indicates the condition of the PushSecret.
  14647. type: string
  14648. required:
  14649. - status
  14650. - type
  14651. type: object
  14652. type: array
  14653. refreshTime:
  14654. description: |-
  14655. refreshTime is the time and date the external secret was fetched and
  14656. the target secret updated
  14657. format: date-time
  14658. nullable: true
  14659. type: string
  14660. syncedPushSecrets:
  14661. additionalProperties:
  14662. additionalProperties:
  14663. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14664. properties:
  14665. conversionStrategy:
  14666. default: None
  14667. description: Used to define a conversion Strategy for the secret keys
  14668. enum:
  14669. - None
  14670. - ReverseUnicode
  14671. type: string
  14672. match:
  14673. description: Match a given Secret Key to be pushed to the provider.
  14674. properties:
  14675. remoteRef:
  14676. description: Remote Refs to push to providers.
  14677. properties:
  14678. property:
  14679. description: Name of the property in the resulting secret
  14680. type: string
  14681. remoteKey:
  14682. description: Name of the resulting provider secret.
  14683. type: string
  14684. required:
  14685. - remoteKey
  14686. type: object
  14687. secretKey:
  14688. description: Secret Key to be pushed
  14689. type: string
  14690. required:
  14691. - remoteRef
  14692. type: object
  14693. metadata:
  14694. description: |-
  14695. Metadata is metadata attached to the secret.
  14696. The structure of metadata is provider specific, please look it up in the provider documentation.
  14697. x-kubernetes-preserve-unknown-fields: true
  14698. required:
  14699. - match
  14700. type: object
  14701. type: object
  14702. description: |-
  14703. Synced PushSecrets, including secrets that already exist in provider.
  14704. Matches secret stores to PushSecretData that was stored to that secret store.
  14705. type: object
  14706. syncedResourceVersion:
  14707. description: SyncedResourceVersion keeps track of the last synced version.
  14708. type: string
  14709. type: object
  14710. type: object
  14711. served: true
  14712. storage: true
  14713. subresources:
  14714. status: {}
  14715. ---
  14716. apiVersion: apiextensions.k8s.io/v1
  14717. kind: CustomResourceDefinition
  14718. metadata:
  14719. annotations:
  14720. controller-gen.kubebuilder.io/version: v0.19.0
  14721. labels:
  14722. external-secrets.io/component: controller
  14723. name: secretstores.external-secrets.io
  14724. spec:
  14725. group: external-secrets.io
  14726. names:
  14727. categories:
  14728. - external-secrets
  14729. kind: SecretStore
  14730. listKind: SecretStoreList
  14731. plural: secretstores
  14732. shortNames:
  14733. - ss
  14734. singular: secretstore
  14735. scope: Namespaced
  14736. versions:
  14737. - additionalPrinterColumns:
  14738. - jsonPath: .metadata.creationTimestamp
  14739. name: AGE
  14740. type: date
  14741. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14742. name: Status
  14743. type: string
  14744. - jsonPath: .status.capabilities
  14745. name: Capabilities
  14746. type: string
  14747. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  14748. name: Ready
  14749. type: string
  14750. name: v1
  14751. schema:
  14752. openAPIV3Schema:
  14753. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  14754. properties:
  14755. apiVersion:
  14756. description: |-
  14757. APIVersion defines the versioned schema of this representation of an object.
  14758. Servers should convert recognized schemas to the latest internal value, and
  14759. may reject unrecognized values.
  14760. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14761. type: string
  14762. kind:
  14763. description: |-
  14764. Kind is a string value representing the REST resource this object represents.
  14765. Servers may infer this from the endpoint the client submits requests to.
  14766. Cannot be updated.
  14767. In CamelCase.
  14768. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14769. type: string
  14770. metadata:
  14771. type: object
  14772. spec:
  14773. description: SecretStoreSpec defines the desired state of SecretStore.
  14774. properties:
  14775. conditions:
  14776. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  14777. items:
  14778. description: |-
  14779. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  14780. for a ClusterSecretStore instance.
  14781. properties:
  14782. namespaceRegexes:
  14783. description: Choose namespaces by using regex matching
  14784. items:
  14785. type: string
  14786. type: array
  14787. namespaceSelector:
  14788. description: Choose namespace using a labelSelector
  14789. properties:
  14790. matchExpressions:
  14791. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14792. items:
  14793. description: |-
  14794. A label selector requirement is a selector that contains values, a key, and an operator that
  14795. relates the key and values.
  14796. properties:
  14797. key:
  14798. description: key is the label key that the selector applies to.
  14799. type: string
  14800. operator:
  14801. description: |-
  14802. operator represents a key's relationship to a set of values.
  14803. Valid operators are In, NotIn, Exists and DoesNotExist.
  14804. type: string
  14805. values:
  14806. description: |-
  14807. values is an array of string values. If the operator is In or NotIn,
  14808. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14809. the values array must be empty. This array is replaced during a strategic
  14810. merge patch.
  14811. items:
  14812. type: string
  14813. type: array
  14814. x-kubernetes-list-type: atomic
  14815. required:
  14816. - key
  14817. - operator
  14818. type: object
  14819. type: array
  14820. x-kubernetes-list-type: atomic
  14821. matchLabels:
  14822. additionalProperties:
  14823. type: string
  14824. description: |-
  14825. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14826. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14827. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14828. type: object
  14829. type: object
  14830. x-kubernetes-map-type: atomic
  14831. namespaces:
  14832. description: Choose namespaces by name
  14833. items:
  14834. maxLength: 63
  14835. minLength: 1
  14836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14837. type: string
  14838. type: array
  14839. type: object
  14840. type: array
  14841. controller:
  14842. description: |-
  14843. Used to select the correct ESO controller (think: ingress.ingressClassName)
  14844. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  14845. type: string
  14846. provider:
  14847. description: Used to configure the provider. Only one provider may be set
  14848. maxProperties: 1
  14849. minProperties: 1
  14850. properties:
  14851. akeyless:
  14852. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  14853. properties:
  14854. akeylessGWApiURL:
  14855. description: Akeyless GW API Url from which the secrets to be fetched from.
  14856. type: string
  14857. authSecretRef:
  14858. description: Auth configures how the operator authenticates with Akeyless.
  14859. properties:
  14860. kubernetesAuth:
  14861. description: |-
  14862. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  14863. token stored in the named Secret resource.
  14864. properties:
  14865. accessID:
  14866. description: the Akeyless Kubernetes auth-method access-id
  14867. type: string
  14868. k8sConfName:
  14869. description: Kubernetes-auth configuration name in Akeyless-Gateway
  14870. type: string
  14871. secretRef:
  14872. description: |-
  14873. Optional secret field containing a Kubernetes ServiceAccount JWT used
  14874. for authenticating with Akeyless. If a name is specified without a key,
  14875. `token` is the default. If one is not specified, the one bound to
  14876. the controller will be used.
  14877. properties:
  14878. key:
  14879. description: |-
  14880. A key in the referenced Secret.
  14881. Some instances of this field may be defaulted, in others it may be required.
  14882. maxLength: 253
  14883. minLength: 1
  14884. pattern: ^[-._a-zA-Z0-9]+$
  14885. type: string
  14886. name:
  14887. description: The name of the Secret resource being referred to.
  14888. maxLength: 253
  14889. minLength: 1
  14890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14891. type: string
  14892. namespace:
  14893. description: |-
  14894. The namespace of the Secret resource being referred to.
  14895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14896. maxLength: 63
  14897. minLength: 1
  14898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14899. type: string
  14900. type: object
  14901. serviceAccountRef:
  14902. description: |-
  14903. Optional service account field containing the name of a kubernetes ServiceAccount.
  14904. If the service account is specified, the service account secret token JWT will be used
  14905. for authenticating with Akeyless. If the service account selector is not supplied,
  14906. the secretRef will be used instead.
  14907. properties:
  14908. audiences:
  14909. description: |-
  14910. Audience specifies the `aud` claim for the service account token
  14911. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14912. then this audiences will be appended to the list
  14913. items:
  14914. type: string
  14915. type: array
  14916. name:
  14917. description: The name of the ServiceAccount resource being referred to.
  14918. maxLength: 253
  14919. minLength: 1
  14920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14921. type: string
  14922. namespace:
  14923. description: |-
  14924. Namespace of the resource being referred to.
  14925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14926. maxLength: 63
  14927. minLength: 1
  14928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14929. type: string
  14930. required:
  14931. - name
  14932. type: object
  14933. required:
  14934. - accessID
  14935. - k8sConfName
  14936. type: object
  14937. secretRef:
  14938. description: |-
  14939. Reference to a Secret that contains the details
  14940. to authenticate with Akeyless.
  14941. properties:
  14942. accessID:
  14943. description: The SecretAccessID is used for authentication
  14944. properties:
  14945. key:
  14946. description: |-
  14947. A key in the referenced Secret.
  14948. Some instances of this field may be defaulted, in others it may be required.
  14949. maxLength: 253
  14950. minLength: 1
  14951. pattern: ^[-._a-zA-Z0-9]+$
  14952. type: string
  14953. name:
  14954. description: The name of the Secret resource being referred to.
  14955. maxLength: 253
  14956. minLength: 1
  14957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14958. type: string
  14959. namespace:
  14960. description: |-
  14961. The namespace of the Secret resource being referred to.
  14962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14963. maxLength: 63
  14964. minLength: 1
  14965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14966. type: string
  14967. type: object
  14968. accessType:
  14969. description: |-
  14970. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14971. In some instances, `key` is a required field.
  14972. properties:
  14973. key:
  14974. description: |-
  14975. A key in the referenced Secret.
  14976. Some instances of this field may be defaulted, in others it may be required.
  14977. maxLength: 253
  14978. minLength: 1
  14979. pattern: ^[-._a-zA-Z0-9]+$
  14980. type: string
  14981. name:
  14982. description: The name of the Secret resource being referred to.
  14983. maxLength: 253
  14984. minLength: 1
  14985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14986. type: string
  14987. namespace:
  14988. description: |-
  14989. The namespace of the Secret resource being referred to.
  14990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14991. maxLength: 63
  14992. minLength: 1
  14993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14994. type: string
  14995. type: object
  14996. accessTypeParam:
  14997. description: |-
  14998. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14999. In some instances, `key` is a required field.
  15000. properties:
  15001. key:
  15002. description: |-
  15003. A key in the referenced Secret.
  15004. Some instances of this field may be defaulted, in others it may be required.
  15005. maxLength: 253
  15006. minLength: 1
  15007. pattern: ^[-._a-zA-Z0-9]+$
  15008. type: string
  15009. name:
  15010. description: The name of the Secret resource being referred to.
  15011. maxLength: 253
  15012. minLength: 1
  15013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15014. type: string
  15015. namespace:
  15016. description: |-
  15017. The namespace of the Secret resource being referred to.
  15018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15019. maxLength: 63
  15020. minLength: 1
  15021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15022. type: string
  15023. type: object
  15024. type: object
  15025. type: object
  15026. caBundle:
  15027. description: |-
  15028. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  15029. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  15030. are used to validate the TLS connection.
  15031. format: byte
  15032. type: string
  15033. caProvider:
  15034. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15035. properties:
  15036. key:
  15037. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15038. maxLength: 253
  15039. minLength: 1
  15040. pattern: ^[-._a-zA-Z0-9]+$
  15041. type: string
  15042. name:
  15043. description: The name of the object located at the provider type.
  15044. maxLength: 253
  15045. minLength: 1
  15046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15047. type: string
  15048. namespace:
  15049. description: |-
  15050. The namespace the Provider type is in.
  15051. Can only be defined when used in a ClusterSecretStore.
  15052. maxLength: 63
  15053. minLength: 1
  15054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15055. type: string
  15056. type:
  15057. description: The type of provider to use such as "Secret", or "ConfigMap".
  15058. enum:
  15059. - Secret
  15060. - ConfigMap
  15061. type: string
  15062. required:
  15063. - name
  15064. - type
  15065. type: object
  15066. required:
  15067. - akeylessGWApiURL
  15068. - authSecretRef
  15069. type: object
  15070. aws:
  15071. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15072. properties:
  15073. additionalRoles:
  15074. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15075. items:
  15076. type: string
  15077. type: array
  15078. auth:
  15079. description: |-
  15080. Auth defines the information necessary to authenticate against AWS
  15081. if not set aws sdk will infer credentials from your environment
  15082. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15083. properties:
  15084. jwt:
  15085. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  15086. properties:
  15087. serviceAccountRef:
  15088. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15089. properties:
  15090. audiences:
  15091. description: |-
  15092. Audience specifies the `aud` claim for the service account token
  15093. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15094. then this audiences will be appended to the list
  15095. items:
  15096. type: string
  15097. type: array
  15098. name:
  15099. description: The name of the ServiceAccount resource being referred to.
  15100. maxLength: 253
  15101. minLength: 1
  15102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15103. type: string
  15104. namespace:
  15105. description: |-
  15106. Namespace of the resource being referred to.
  15107. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15108. maxLength: 63
  15109. minLength: 1
  15110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15111. type: string
  15112. required:
  15113. - name
  15114. type: object
  15115. type: object
  15116. secretRef:
  15117. description: |-
  15118. AWSAuthSecretRef holds secret references for AWS credentials
  15119. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15120. properties:
  15121. accessKeyIDSecretRef:
  15122. description: The AccessKeyID is used for authentication
  15123. properties:
  15124. key:
  15125. description: |-
  15126. A key in the referenced Secret.
  15127. Some instances of this field may be defaulted, in others it may be required.
  15128. maxLength: 253
  15129. minLength: 1
  15130. pattern: ^[-._a-zA-Z0-9]+$
  15131. type: string
  15132. name:
  15133. description: The name of the Secret resource being referred to.
  15134. maxLength: 253
  15135. minLength: 1
  15136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15137. type: string
  15138. namespace:
  15139. description: |-
  15140. The namespace of the Secret resource being referred to.
  15141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15142. maxLength: 63
  15143. minLength: 1
  15144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15145. type: string
  15146. type: object
  15147. secretAccessKeySecretRef:
  15148. description: The SecretAccessKey is used for authentication
  15149. properties:
  15150. key:
  15151. description: |-
  15152. A key in the referenced Secret.
  15153. Some instances of this field may be defaulted, in others it may be required.
  15154. maxLength: 253
  15155. minLength: 1
  15156. pattern: ^[-._a-zA-Z0-9]+$
  15157. type: string
  15158. name:
  15159. description: The name of the Secret resource being referred to.
  15160. maxLength: 253
  15161. minLength: 1
  15162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15163. type: string
  15164. namespace:
  15165. description: |-
  15166. The namespace of the Secret resource being referred to.
  15167. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15168. maxLength: 63
  15169. minLength: 1
  15170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15171. type: string
  15172. type: object
  15173. sessionTokenSecretRef:
  15174. description: |-
  15175. The SessionToken used for authentication
  15176. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15177. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15178. properties:
  15179. key:
  15180. description: |-
  15181. A key in the referenced Secret.
  15182. Some instances of this field may be defaulted, in others it may be required.
  15183. maxLength: 253
  15184. minLength: 1
  15185. pattern: ^[-._a-zA-Z0-9]+$
  15186. type: string
  15187. name:
  15188. description: The name of the Secret resource being referred to.
  15189. maxLength: 253
  15190. minLength: 1
  15191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15192. type: string
  15193. namespace:
  15194. description: |-
  15195. The namespace of the Secret resource being referred to.
  15196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15197. maxLength: 63
  15198. minLength: 1
  15199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15200. type: string
  15201. type: object
  15202. type: object
  15203. type: object
  15204. customSessionTags:
  15205. additionalProperties:
  15206. type: string
  15207. description: |-
  15208. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15209. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15210. type: object
  15211. x-kubernetes-validations:
  15212. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15213. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15214. externalID:
  15215. description: AWS External ID set on assumed IAM roles
  15216. type: string
  15217. prefix:
  15218. description: Prefix adds a prefix to all retrieved values.
  15219. type: string
  15220. region:
  15221. description: AWS Region to be used for the provider
  15222. type: string
  15223. role:
  15224. description: Role is a Role ARN which the provider will assume
  15225. type: string
  15226. secretsManager:
  15227. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15228. properties:
  15229. forceDeleteWithoutRecovery:
  15230. description: |-
  15231. Specifies whether to delete the secret without any recovery window. You
  15232. can't use both this parameter and RecoveryWindowInDays in the same call.
  15233. If you don't use either, then by default Secrets Manager uses a 30 day
  15234. recovery window.
  15235. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15236. type: boolean
  15237. recoveryWindowInDays:
  15238. description: |-
  15239. The number of days from 7 to 30 that Secrets Manager waits before
  15240. permanently deleting the secret. You can't use both this parameter and
  15241. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15242. then by default Secrets Manager uses a 30-day recovery window.
  15243. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15244. format: int64
  15245. type: integer
  15246. type: object
  15247. service:
  15248. description: Service defines which service should be used to fetch the secrets
  15249. enum:
  15250. - SecretsManager
  15251. - ParameterStore
  15252. type: string
  15253. sessionTags:
  15254. description: AWS STS assume role session tags
  15255. items:
  15256. description: |-
  15257. Tag is a key-value pair that can be attached to an AWS resource.
  15258. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15259. properties:
  15260. key:
  15261. type: string
  15262. value:
  15263. type: string
  15264. required:
  15265. - key
  15266. - value
  15267. type: object
  15268. type: array
  15269. sessionTagsPolicy:
  15270. default: None
  15271. description: |-
  15272. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15273. None (default): no tags are added.
  15274. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15275. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15276. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15277. enum:
  15278. - None
  15279. - Simple
  15280. - Custom
  15281. type: string
  15282. transitiveTagKeys:
  15283. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15284. items:
  15285. type: string
  15286. type: array
  15287. required:
  15288. - region
  15289. - service
  15290. type: object
  15291. azurekv:
  15292. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15293. properties:
  15294. authSecretRef:
  15295. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15296. properties:
  15297. clientCertificate:
  15298. description: The Azure ClientCertificate of the service principle used for authentication.
  15299. properties:
  15300. key:
  15301. description: |-
  15302. A key in the referenced Secret.
  15303. Some instances of this field may be defaulted, in others it may be required.
  15304. maxLength: 253
  15305. minLength: 1
  15306. pattern: ^[-._a-zA-Z0-9]+$
  15307. type: string
  15308. name:
  15309. description: The name of the Secret resource being referred to.
  15310. maxLength: 253
  15311. minLength: 1
  15312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15313. type: string
  15314. namespace:
  15315. description: |-
  15316. The namespace of the Secret resource being referred to.
  15317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15318. maxLength: 63
  15319. minLength: 1
  15320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15321. type: string
  15322. type: object
  15323. clientId:
  15324. description: The Azure clientId of the service principle or managed identity used for authentication.
  15325. properties:
  15326. key:
  15327. description: |-
  15328. A key in the referenced Secret.
  15329. Some instances of this field may be defaulted, in others it may be required.
  15330. maxLength: 253
  15331. minLength: 1
  15332. pattern: ^[-._a-zA-Z0-9]+$
  15333. type: string
  15334. name:
  15335. description: The name of the Secret resource being referred to.
  15336. maxLength: 253
  15337. minLength: 1
  15338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15339. type: string
  15340. namespace:
  15341. description: |-
  15342. The namespace of the Secret resource being referred to.
  15343. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15344. maxLength: 63
  15345. minLength: 1
  15346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15347. type: string
  15348. type: object
  15349. clientSecret:
  15350. description: The Azure ClientSecret of the service principle used for authentication.
  15351. properties:
  15352. key:
  15353. description: |-
  15354. A key in the referenced Secret.
  15355. Some instances of this field may be defaulted, in others it may be required.
  15356. maxLength: 253
  15357. minLength: 1
  15358. pattern: ^[-._a-zA-Z0-9]+$
  15359. type: string
  15360. name:
  15361. description: The name of the Secret resource being referred to.
  15362. maxLength: 253
  15363. minLength: 1
  15364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15365. type: string
  15366. namespace:
  15367. description: |-
  15368. The namespace of the Secret resource being referred to.
  15369. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15370. maxLength: 63
  15371. minLength: 1
  15372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15373. type: string
  15374. type: object
  15375. tenantId:
  15376. description: The Azure tenantId of the managed identity used for authentication.
  15377. properties:
  15378. key:
  15379. description: |-
  15380. A key in the referenced Secret.
  15381. Some instances of this field may be defaulted, in others it may be required.
  15382. maxLength: 253
  15383. minLength: 1
  15384. pattern: ^[-._a-zA-Z0-9]+$
  15385. type: string
  15386. name:
  15387. description: The name of the Secret resource being referred to.
  15388. maxLength: 253
  15389. minLength: 1
  15390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15391. type: string
  15392. namespace:
  15393. description: |-
  15394. The namespace of the Secret resource being referred to.
  15395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15396. maxLength: 63
  15397. minLength: 1
  15398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15399. type: string
  15400. type: object
  15401. type: object
  15402. authType:
  15403. default: ServicePrincipal
  15404. description: |-
  15405. Auth type defines how to authenticate to the keyvault service.
  15406. Valid values are:
  15407. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15408. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15409. enum:
  15410. - ServicePrincipal
  15411. - ManagedIdentity
  15412. - WorkloadIdentity
  15413. type: string
  15414. customCloudConfig:
  15415. description: |-
  15416. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15417. Required when EnvironmentType is AzureStackCloud.
  15418. Optional for other environment types - useful for Azure China when using Workload Identity
  15419. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15420. standard China Cloud endpoint (login.chinacloudapi.cn).
  15421. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15422. configuration is not supported with the legacy go-autorest SDK.
  15423. properties:
  15424. activeDirectoryEndpoint:
  15425. description: |-
  15426. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15427. Required when using custom cloud configuration
  15428. type: string
  15429. keyVaultDNSSuffix:
  15430. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15431. type: string
  15432. keyVaultEndpoint:
  15433. description: KeyVaultEndpoint is the Key Vault service endpoint
  15434. type: string
  15435. resourceManagerEndpoint:
  15436. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15437. type: string
  15438. required:
  15439. - activeDirectoryEndpoint
  15440. type: object
  15441. environmentType:
  15442. default: PublicCloud
  15443. description: |-
  15444. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15445. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15446. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15447. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15448. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15449. enum:
  15450. - PublicCloud
  15451. - USGovernmentCloud
  15452. - ChinaCloud
  15453. - GermanCloud
  15454. - AzureStackCloud
  15455. type: string
  15456. identityId:
  15457. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  15458. type: string
  15459. serviceAccountRef:
  15460. description: |-
  15461. ServiceAccountRef specified the service account
  15462. that should be used when authenticating with WorkloadIdentity.
  15463. properties:
  15464. audiences:
  15465. description: |-
  15466. Audience specifies the `aud` claim for the service account token
  15467. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15468. then this audiences will be appended to the list
  15469. items:
  15470. type: string
  15471. type: array
  15472. name:
  15473. description: The name of the ServiceAccount resource being referred to.
  15474. maxLength: 253
  15475. minLength: 1
  15476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15477. type: string
  15478. namespace:
  15479. description: |-
  15480. Namespace of the resource being referred to.
  15481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15482. maxLength: 63
  15483. minLength: 1
  15484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15485. type: string
  15486. required:
  15487. - name
  15488. type: object
  15489. tenantId:
  15490. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15491. type: string
  15492. useAzureSDK:
  15493. default: false
  15494. description: |-
  15495. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15496. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15497. type: boolean
  15498. vaultUrl:
  15499. description: Vault Url from which the secrets to be fetched from.
  15500. type: string
  15501. required:
  15502. - vaultUrl
  15503. type: object
  15504. barbican:
  15505. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15506. properties:
  15507. auth:
  15508. description: BarbicanAuth contains the authentication information for Barbican.
  15509. properties:
  15510. password:
  15511. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15512. properties:
  15513. secretRef:
  15514. description: |-
  15515. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15516. In some instances, `key` is a required field.
  15517. properties:
  15518. key:
  15519. description: |-
  15520. A key in the referenced Secret.
  15521. Some instances of this field may be defaulted, in others it may be required.
  15522. maxLength: 253
  15523. minLength: 1
  15524. pattern: ^[-._a-zA-Z0-9]+$
  15525. type: string
  15526. name:
  15527. description: The name of the Secret resource being referred to.
  15528. maxLength: 253
  15529. minLength: 1
  15530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15531. type: string
  15532. namespace:
  15533. description: |-
  15534. The namespace of the Secret resource being referred to.
  15535. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15536. maxLength: 63
  15537. minLength: 1
  15538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15539. type: string
  15540. type: object
  15541. required:
  15542. - secretRef
  15543. type: object
  15544. username:
  15545. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  15546. maxProperties: 1
  15547. minProperties: 1
  15548. properties:
  15549. secretRef:
  15550. description: |-
  15551. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15552. In some instances, `key` is a required field.
  15553. properties:
  15554. key:
  15555. description: |-
  15556. A key in the referenced Secret.
  15557. Some instances of this field may be defaulted, in others it may be required.
  15558. maxLength: 253
  15559. minLength: 1
  15560. pattern: ^[-._a-zA-Z0-9]+$
  15561. type: string
  15562. name:
  15563. description: The name of the Secret resource being referred to.
  15564. maxLength: 253
  15565. minLength: 1
  15566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15567. type: string
  15568. namespace:
  15569. description: |-
  15570. The namespace of the Secret resource being referred to.
  15571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15572. maxLength: 63
  15573. minLength: 1
  15574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15575. type: string
  15576. type: object
  15577. value:
  15578. type: string
  15579. type: object
  15580. required:
  15581. - password
  15582. - username
  15583. type: object
  15584. authURL:
  15585. type: string
  15586. domainName:
  15587. type: string
  15588. region:
  15589. type: string
  15590. tenantName:
  15591. type: string
  15592. required:
  15593. - auth
  15594. type: object
  15595. beyondtrust:
  15596. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15597. properties:
  15598. auth:
  15599. description: Auth configures how the operator authenticates with Beyondtrust.
  15600. properties:
  15601. apiKey:
  15602. description: APIKey If not provided then ClientID/ClientSecret become required.
  15603. properties:
  15604. secretRef:
  15605. description: SecretRef references a key in a secret that will be used as value.
  15606. properties:
  15607. key:
  15608. description: |-
  15609. A key in the referenced Secret.
  15610. Some instances of this field may be defaulted, in others it may be required.
  15611. maxLength: 253
  15612. minLength: 1
  15613. pattern: ^[-._a-zA-Z0-9]+$
  15614. type: string
  15615. name:
  15616. description: The name of the Secret resource being referred to.
  15617. maxLength: 253
  15618. minLength: 1
  15619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15620. type: string
  15621. namespace:
  15622. description: |-
  15623. The namespace of the Secret resource being referred to.
  15624. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15625. maxLength: 63
  15626. minLength: 1
  15627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15628. type: string
  15629. type: object
  15630. value:
  15631. description: Value can be specified directly to set a value without using a secret.
  15632. type: string
  15633. type: object
  15634. certificate:
  15635. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15636. properties:
  15637. secretRef:
  15638. description: SecretRef references a key in a secret that will be used as value.
  15639. properties:
  15640. key:
  15641. description: |-
  15642. A key in the referenced Secret.
  15643. Some instances of this field may be defaulted, in others it may be required.
  15644. maxLength: 253
  15645. minLength: 1
  15646. pattern: ^[-._a-zA-Z0-9]+$
  15647. type: string
  15648. name:
  15649. description: The name of the Secret resource being referred to.
  15650. maxLength: 253
  15651. minLength: 1
  15652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15653. type: string
  15654. namespace:
  15655. description: |-
  15656. The namespace of the Secret resource being referred to.
  15657. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15658. maxLength: 63
  15659. minLength: 1
  15660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15661. type: string
  15662. type: object
  15663. value:
  15664. description: Value can be specified directly to set a value without using a secret.
  15665. type: string
  15666. type: object
  15667. certificateKey:
  15668. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  15669. properties:
  15670. secretRef:
  15671. description: SecretRef references a key in a secret that will be used as value.
  15672. properties:
  15673. key:
  15674. description: |-
  15675. A key in the referenced Secret.
  15676. Some instances of this field may be defaulted, in others it may be required.
  15677. maxLength: 253
  15678. minLength: 1
  15679. pattern: ^[-._a-zA-Z0-9]+$
  15680. type: string
  15681. name:
  15682. description: The name of the Secret resource being referred to.
  15683. maxLength: 253
  15684. minLength: 1
  15685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15686. type: string
  15687. namespace:
  15688. description: |-
  15689. The namespace of the Secret resource being referred to.
  15690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15691. maxLength: 63
  15692. minLength: 1
  15693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15694. type: string
  15695. type: object
  15696. value:
  15697. description: Value can be specified directly to set a value without using a secret.
  15698. type: string
  15699. type: object
  15700. clientId:
  15701. description: ClientID is the API OAuth Client ID.
  15702. properties:
  15703. secretRef:
  15704. description: SecretRef references a key in a secret that will be used as value.
  15705. properties:
  15706. key:
  15707. description: |-
  15708. A key in the referenced Secret.
  15709. Some instances of this field may be defaulted, in others it may be required.
  15710. maxLength: 253
  15711. minLength: 1
  15712. pattern: ^[-._a-zA-Z0-9]+$
  15713. type: string
  15714. name:
  15715. description: The name of the Secret resource being referred to.
  15716. maxLength: 253
  15717. minLength: 1
  15718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15719. type: string
  15720. namespace:
  15721. description: |-
  15722. The namespace of the Secret resource being referred to.
  15723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15724. maxLength: 63
  15725. minLength: 1
  15726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15727. type: string
  15728. type: object
  15729. value:
  15730. description: Value can be specified directly to set a value without using a secret.
  15731. type: string
  15732. type: object
  15733. clientSecret:
  15734. description: ClientSecret is the API OAuth Client Secret.
  15735. properties:
  15736. secretRef:
  15737. description: SecretRef references a key in a secret that will be used as value.
  15738. properties:
  15739. key:
  15740. description: |-
  15741. A key in the referenced Secret.
  15742. Some instances of this field may be defaulted, in others it may be required.
  15743. maxLength: 253
  15744. minLength: 1
  15745. pattern: ^[-._a-zA-Z0-9]+$
  15746. type: string
  15747. name:
  15748. description: The name of the Secret resource being referred to.
  15749. maxLength: 253
  15750. minLength: 1
  15751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15752. type: string
  15753. namespace:
  15754. description: |-
  15755. The namespace of the Secret resource being referred to.
  15756. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15757. maxLength: 63
  15758. minLength: 1
  15759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15760. type: string
  15761. type: object
  15762. value:
  15763. description: Value can be specified directly to set a value without using a secret.
  15764. type: string
  15765. type: object
  15766. type: object
  15767. server:
  15768. description: Auth configures how API server works.
  15769. properties:
  15770. apiUrl:
  15771. type: string
  15772. apiVersion:
  15773. type: string
  15774. clientTimeOutSeconds:
  15775. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  15776. type: integer
  15777. decrypt:
  15778. default: true
  15779. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  15780. type: boolean
  15781. retrievalType:
  15782. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  15783. type: string
  15784. separator:
  15785. description: A character that separates the folder names.
  15786. type: string
  15787. verifyCA:
  15788. type: boolean
  15789. required:
  15790. - apiUrl
  15791. - verifyCA
  15792. type: object
  15793. required:
  15794. - auth
  15795. - server
  15796. type: object
  15797. beyondtrustworkloadcredentials:
  15798. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  15799. properties:
  15800. auth:
  15801. description: |-
  15802. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  15803. Currently supports API key authentication via Kubernetes secret reference.
  15804. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  15805. properties:
  15806. apikey:
  15807. description: |-
  15808. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  15809. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  15810. properties:
  15811. token:
  15812. description: |-
  15813. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  15814. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  15815. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  15816. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  15817. properties:
  15818. key:
  15819. description: |-
  15820. A key in the referenced Secret.
  15821. Some instances of this field may be defaulted, in others it may be required.
  15822. maxLength: 253
  15823. minLength: 1
  15824. pattern: ^[-._a-zA-Z0-9]+$
  15825. type: string
  15826. name:
  15827. description: The name of the Secret resource being referred to.
  15828. maxLength: 253
  15829. minLength: 1
  15830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15831. type: string
  15832. namespace:
  15833. description: |-
  15834. The namespace of the Secret resource being referred to.
  15835. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15836. maxLength: 63
  15837. minLength: 1
  15838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15839. type: string
  15840. type: object
  15841. required:
  15842. - token
  15843. type: object
  15844. required:
  15845. - apikey
  15846. type: object
  15847. caBundle:
  15848. description: |-
  15849. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  15850. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  15851. If not set, the system's trusted root certificates are used.
  15852. format: byte
  15853. type: string
  15854. caProvider:
  15855. description: |-
  15856. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  15857. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  15858. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  15859. properties:
  15860. key:
  15861. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15862. maxLength: 253
  15863. minLength: 1
  15864. pattern: ^[-._a-zA-Z0-9]+$
  15865. type: string
  15866. name:
  15867. description: The name of the object located at the provider type.
  15868. maxLength: 253
  15869. minLength: 1
  15870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15871. type: string
  15872. namespace:
  15873. description: |-
  15874. The namespace the Provider type is in.
  15875. Can only be defined when used in a ClusterSecretStore.
  15876. maxLength: 63
  15877. minLength: 1
  15878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15879. type: string
  15880. type:
  15881. description: The type of provider to use such as "Secret", or "ConfigMap".
  15882. enum:
  15883. - Secret
  15884. - ConfigMap
  15885. type: string
  15886. required:
  15887. - name
  15888. - type
  15889. type: object
  15890. folderPath:
  15891. description: |-
  15892. FolderPath specifies the default folder path for secret retrieval.
  15893. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  15894. Example: "production/database" or "dev/api-keys"
  15895. Leave empty to retrieve secrets from the root folder.
  15896. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  15897. type: string
  15898. server:
  15899. description: |-
  15900. Server configures the BeyondTrust Workload Credentials server connection details.
  15901. Includes the API URL and Site ID for your BeyondTrust instance.
  15902. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  15903. properties:
  15904. apiUrl:
  15905. description: |-
  15906. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  15907. This should be the full URL to your BeyondTrust instance.
  15908. Example: https://api.beyondtrust.io/siie
  15909. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  15910. type: string
  15911. siteId:
  15912. description: |-
  15913. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  15914. This identifier is unique to your BeyondTrust Workload Credentials instance.
  15915. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  15916. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  15917. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  15918. type: string
  15919. required:
  15920. - apiUrl
  15921. - siteId
  15922. type: object
  15923. required:
  15924. - auth
  15925. - server
  15926. type: object
  15927. bitwardensecretsmanager:
  15928. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  15929. properties:
  15930. apiURL:
  15931. type: string
  15932. auth:
  15933. description: |-
  15934. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  15935. Make sure that the token being used has permissions on the given secret.
  15936. properties:
  15937. secretRef:
  15938. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  15939. properties:
  15940. credentials:
  15941. description: AccessToken used for the bitwarden instance.
  15942. properties:
  15943. key:
  15944. description: |-
  15945. A key in the referenced Secret.
  15946. Some instances of this field may be defaulted, in others it may be required.
  15947. maxLength: 253
  15948. minLength: 1
  15949. pattern: ^[-._a-zA-Z0-9]+$
  15950. type: string
  15951. name:
  15952. description: The name of the Secret resource being referred to.
  15953. maxLength: 253
  15954. minLength: 1
  15955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15956. type: string
  15957. namespace:
  15958. description: |-
  15959. The namespace of the Secret resource being referred to.
  15960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15961. maxLength: 63
  15962. minLength: 1
  15963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15964. type: string
  15965. type: object
  15966. required:
  15967. - credentials
  15968. type: object
  15969. required:
  15970. - secretRef
  15971. type: object
  15972. bitwardenServerSDKURL:
  15973. type: string
  15974. caBundle:
  15975. description: |-
  15976. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  15977. can be performed.
  15978. type: string
  15979. caProvider:
  15980. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  15981. properties:
  15982. key:
  15983. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15984. maxLength: 253
  15985. minLength: 1
  15986. pattern: ^[-._a-zA-Z0-9]+$
  15987. type: string
  15988. name:
  15989. description: The name of the object located at the provider type.
  15990. maxLength: 253
  15991. minLength: 1
  15992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15993. type: string
  15994. namespace:
  15995. description: |-
  15996. The namespace the Provider type is in.
  15997. Can only be defined when used in a ClusterSecretStore.
  15998. maxLength: 63
  15999. minLength: 1
  16000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16001. type: string
  16002. type:
  16003. description: The type of provider to use such as "Secret", or "ConfigMap".
  16004. enum:
  16005. - Secret
  16006. - ConfigMap
  16007. type: string
  16008. required:
  16009. - name
  16010. - type
  16011. type: object
  16012. identityURL:
  16013. type: string
  16014. organizationID:
  16015. description: OrganizationID determines which organization this secret store manages.
  16016. type: string
  16017. projectID:
  16018. description: ProjectID determines which project this secret store manages.
  16019. type: string
  16020. required:
  16021. - auth
  16022. - organizationID
  16023. - projectID
  16024. type: object
  16025. chef:
  16026. description: Chef configures this store to sync secrets with chef server
  16027. properties:
  16028. auth:
  16029. description: Auth defines the information necessary to authenticate against chef Server
  16030. properties:
  16031. secretRef:
  16032. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16033. properties:
  16034. privateKeySecretRef:
  16035. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16036. properties:
  16037. key:
  16038. description: |-
  16039. A key in the referenced Secret.
  16040. Some instances of this field may be defaulted, in others it may be required.
  16041. maxLength: 253
  16042. minLength: 1
  16043. pattern: ^[-._a-zA-Z0-9]+$
  16044. type: string
  16045. name:
  16046. description: The name of the Secret resource being referred to.
  16047. maxLength: 253
  16048. minLength: 1
  16049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16050. type: string
  16051. namespace:
  16052. description: |-
  16053. The namespace of the Secret resource being referred to.
  16054. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16055. maxLength: 63
  16056. minLength: 1
  16057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16058. type: string
  16059. type: object
  16060. required:
  16061. - privateKeySecretRef
  16062. type: object
  16063. required:
  16064. - secretRef
  16065. type: object
  16066. serverUrl:
  16067. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  16068. type: string
  16069. username:
  16070. description: UserName should be the user ID on the chef server
  16071. type: string
  16072. required:
  16073. - auth
  16074. - serverUrl
  16075. - username
  16076. type: object
  16077. cloudrusm:
  16078. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16079. properties:
  16080. auth:
  16081. description: CSMAuth contains a secretRef for credentials.
  16082. properties:
  16083. secretRef:
  16084. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16085. properties:
  16086. accessKeyIDSecretRef:
  16087. description: The AccessKeyID is used for authentication
  16088. properties:
  16089. key:
  16090. description: |-
  16091. A key in the referenced Secret.
  16092. Some instances of this field may be defaulted, in others it may be required.
  16093. maxLength: 253
  16094. minLength: 1
  16095. pattern: ^[-._a-zA-Z0-9]+$
  16096. type: string
  16097. name:
  16098. description: The name of the Secret resource being referred to.
  16099. maxLength: 253
  16100. minLength: 1
  16101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16102. type: string
  16103. namespace:
  16104. description: |-
  16105. The namespace of the Secret resource being referred to.
  16106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16107. maxLength: 63
  16108. minLength: 1
  16109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16110. type: string
  16111. type: object
  16112. accessKeySecretSecretRef:
  16113. description: The AccessKeySecret is used for authentication
  16114. properties:
  16115. key:
  16116. description: |-
  16117. A key in the referenced Secret.
  16118. Some instances of this field may be defaulted, in others it may be required.
  16119. maxLength: 253
  16120. minLength: 1
  16121. pattern: ^[-._a-zA-Z0-9]+$
  16122. type: string
  16123. name:
  16124. description: The name of the Secret resource being referred to.
  16125. maxLength: 253
  16126. minLength: 1
  16127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16128. type: string
  16129. namespace:
  16130. description: |-
  16131. The namespace of the Secret resource being referred to.
  16132. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16133. maxLength: 63
  16134. minLength: 1
  16135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16136. type: string
  16137. type: object
  16138. required:
  16139. - accessKeyIDSecretRef
  16140. - accessKeySecretSecretRef
  16141. type: object
  16142. type: object
  16143. projectID:
  16144. description: ProjectID is the project, which the secrets are stored in.
  16145. type: string
  16146. required:
  16147. - auth
  16148. type: object
  16149. conjur:
  16150. description: Conjur configures this store to sync secrets using conjur provider
  16151. properties:
  16152. auth:
  16153. description: Defines authentication settings for connecting to Conjur.
  16154. properties:
  16155. apikey:
  16156. description: Authenticates with Conjur using an API key.
  16157. properties:
  16158. account:
  16159. description: Account is the Conjur organization account name.
  16160. type: string
  16161. apiKeyRef:
  16162. description: |-
  16163. A reference to a specific 'key' containing the Conjur API key
  16164. within a Secret resource. In some instances, `key` is a required field.
  16165. properties:
  16166. key:
  16167. description: |-
  16168. A key in the referenced Secret.
  16169. Some instances of this field may be defaulted, in others it may be required.
  16170. maxLength: 253
  16171. minLength: 1
  16172. pattern: ^[-._a-zA-Z0-9]+$
  16173. type: string
  16174. name:
  16175. description: The name of the Secret resource being referred to.
  16176. maxLength: 253
  16177. minLength: 1
  16178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16179. type: string
  16180. namespace:
  16181. description: |-
  16182. The namespace of the Secret resource being referred to.
  16183. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16184. maxLength: 63
  16185. minLength: 1
  16186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16187. type: string
  16188. type: object
  16189. userRef:
  16190. description: |-
  16191. A reference to a specific 'key' containing the Conjur username
  16192. within a Secret resource. In some instances, `key` is a required field.
  16193. properties:
  16194. key:
  16195. description: |-
  16196. A key in the referenced Secret.
  16197. Some instances of this field may be defaulted, in others it may be required.
  16198. maxLength: 253
  16199. minLength: 1
  16200. pattern: ^[-._a-zA-Z0-9]+$
  16201. type: string
  16202. name:
  16203. description: The name of the Secret resource being referred to.
  16204. maxLength: 253
  16205. minLength: 1
  16206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16207. type: string
  16208. namespace:
  16209. description: |-
  16210. The namespace of the Secret resource being referred to.
  16211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16212. maxLength: 63
  16213. minLength: 1
  16214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16215. type: string
  16216. type: object
  16217. required:
  16218. - account
  16219. - apiKeyRef
  16220. - userRef
  16221. type: object
  16222. jwt:
  16223. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16224. properties:
  16225. account:
  16226. description: Account is the Conjur organization account name.
  16227. type: string
  16228. hostId:
  16229. description: |-
  16230. Optional HostID for JWT authentication. This may be used depending
  16231. on how the Conjur JWT authenticator policy is configured.
  16232. type: string
  16233. secretRef:
  16234. description: |-
  16235. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16236. authenticate with Conjur using the JWT authentication method.
  16237. properties:
  16238. key:
  16239. description: |-
  16240. A key in the referenced Secret.
  16241. Some instances of this field may be defaulted, in others it may be required.
  16242. maxLength: 253
  16243. minLength: 1
  16244. pattern: ^[-._a-zA-Z0-9]+$
  16245. type: string
  16246. name:
  16247. description: The name of the Secret resource being referred to.
  16248. maxLength: 253
  16249. minLength: 1
  16250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16251. type: string
  16252. namespace:
  16253. description: |-
  16254. The namespace of the Secret resource being referred to.
  16255. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16256. maxLength: 63
  16257. minLength: 1
  16258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16259. type: string
  16260. type: object
  16261. serviceAccountRef:
  16262. description: |-
  16263. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16264. a token for with the `TokenRequest` API.
  16265. properties:
  16266. audiences:
  16267. description: |-
  16268. Audience specifies the `aud` claim for the service account token
  16269. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16270. then this audiences will be appended to the list
  16271. items:
  16272. type: string
  16273. type: array
  16274. name:
  16275. description: The name of the ServiceAccount resource being referred to.
  16276. maxLength: 253
  16277. minLength: 1
  16278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16279. type: string
  16280. namespace:
  16281. description: |-
  16282. Namespace of the resource being referred to.
  16283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16284. maxLength: 63
  16285. minLength: 1
  16286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16287. type: string
  16288. required:
  16289. - name
  16290. type: object
  16291. serviceID:
  16292. description: The conjur authn jwt webservice id
  16293. type: string
  16294. required:
  16295. - account
  16296. - serviceID
  16297. type: object
  16298. type: object
  16299. caBundle:
  16300. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16301. type: string
  16302. caProvider:
  16303. description: |-
  16304. Used to provide custom certificate authority (CA) certificates
  16305. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16306. that contains a PEM-encoded certificate.
  16307. properties:
  16308. key:
  16309. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16310. maxLength: 253
  16311. minLength: 1
  16312. pattern: ^[-._a-zA-Z0-9]+$
  16313. type: string
  16314. name:
  16315. description: The name of the object located at the provider type.
  16316. maxLength: 253
  16317. minLength: 1
  16318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16319. type: string
  16320. namespace:
  16321. description: |-
  16322. The namespace the Provider type is in.
  16323. Can only be defined when used in a ClusterSecretStore.
  16324. maxLength: 63
  16325. minLength: 1
  16326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16327. type: string
  16328. type:
  16329. description: The type of provider to use such as "Secret", or "ConfigMap".
  16330. enum:
  16331. - Secret
  16332. - ConfigMap
  16333. type: string
  16334. required:
  16335. - name
  16336. - type
  16337. type: object
  16338. url:
  16339. description: URL is the endpoint of the Conjur instance.
  16340. type: string
  16341. required:
  16342. - auth
  16343. - url
  16344. type: object
  16345. delinea:
  16346. description: |-
  16347. Delinea DevOps Secrets Vault
  16348. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16349. properties:
  16350. clientId:
  16351. description: ClientID is the non-secret part of the credential.
  16352. properties:
  16353. secretRef:
  16354. description: SecretRef references a key in a secret that will be used as value.
  16355. properties:
  16356. key:
  16357. description: |-
  16358. A key in the referenced Secret.
  16359. Some instances of this field may be defaulted, in others it may be required.
  16360. maxLength: 253
  16361. minLength: 1
  16362. pattern: ^[-._a-zA-Z0-9]+$
  16363. type: string
  16364. name:
  16365. description: The name of the Secret resource being referred to.
  16366. maxLength: 253
  16367. minLength: 1
  16368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16369. type: string
  16370. namespace:
  16371. description: |-
  16372. The namespace of the Secret resource being referred to.
  16373. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16374. maxLength: 63
  16375. minLength: 1
  16376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16377. type: string
  16378. type: object
  16379. value:
  16380. description: Value can be specified directly to set a value without using a secret.
  16381. type: string
  16382. type: object
  16383. clientSecret:
  16384. description: ClientSecret is the secret part of the credential.
  16385. properties:
  16386. secretRef:
  16387. description: SecretRef references a key in a secret that will be used as value.
  16388. properties:
  16389. key:
  16390. description: |-
  16391. A key in the referenced Secret.
  16392. Some instances of this field may be defaulted, in others it may be required.
  16393. maxLength: 253
  16394. minLength: 1
  16395. pattern: ^[-._a-zA-Z0-9]+$
  16396. type: string
  16397. name:
  16398. description: The name of the Secret resource being referred to.
  16399. maxLength: 253
  16400. minLength: 1
  16401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16402. type: string
  16403. namespace:
  16404. description: |-
  16405. The namespace of the Secret resource being referred to.
  16406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16407. maxLength: 63
  16408. minLength: 1
  16409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16410. type: string
  16411. type: object
  16412. value:
  16413. description: Value can be specified directly to set a value without using a secret.
  16414. type: string
  16415. type: object
  16416. tenant:
  16417. description: Tenant is the chosen hostname / site name.
  16418. type: string
  16419. tld:
  16420. description: |-
  16421. TLD is based on the server location that was chosen during provisioning.
  16422. If unset, defaults to "com".
  16423. type: string
  16424. urlTemplate:
  16425. description: |-
  16426. URLTemplate
  16427. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16428. type: string
  16429. required:
  16430. - clientId
  16431. - clientSecret
  16432. - tenant
  16433. type: object
  16434. doppler:
  16435. description: Doppler configures this store to sync secrets using the Doppler provider
  16436. properties:
  16437. auth:
  16438. description: Auth configures how the Operator authenticates with the Doppler API
  16439. properties:
  16440. oidcConfig:
  16441. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16442. properties:
  16443. expirationSeconds:
  16444. default: 600
  16445. description: |-
  16446. ExpirationSeconds sets the ServiceAccount token validity duration.
  16447. Defaults to 10 minutes.
  16448. format: int64
  16449. type: integer
  16450. identity:
  16451. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16452. type: string
  16453. serviceAccountRef:
  16454. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16455. properties:
  16456. audiences:
  16457. description: |-
  16458. Audience specifies the `aud` claim for the service account token
  16459. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16460. then this audiences will be appended to the list
  16461. items:
  16462. type: string
  16463. type: array
  16464. name:
  16465. description: The name of the ServiceAccount resource being referred to.
  16466. maxLength: 253
  16467. minLength: 1
  16468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16469. type: string
  16470. namespace:
  16471. description: |-
  16472. Namespace of the resource being referred to.
  16473. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16474. maxLength: 63
  16475. minLength: 1
  16476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16477. type: string
  16478. required:
  16479. - name
  16480. type: object
  16481. required:
  16482. - identity
  16483. - serviceAccountRef
  16484. type: object
  16485. secretRef:
  16486. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16487. properties:
  16488. dopplerToken:
  16489. description: |-
  16490. The DopplerToken is used for authentication.
  16491. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16492. The Key attribute defaults to dopplerToken if not specified.
  16493. properties:
  16494. key:
  16495. description: |-
  16496. A key in the referenced Secret.
  16497. Some instances of this field may be defaulted, in others it may be required.
  16498. maxLength: 253
  16499. minLength: 1
  16500. pattern: ^[-._a-zA-Z0-9]+$
  16501. type: string
  16502. name:
  16503. description: The name of the Secret resource being referred to.
  16504. maxLength: 253
  16505. minLength: 1
  16506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16507. type: string
  16508. namespace:
  16509. description: |-
  16510. The namespace of the Secret resource being referred to.
  16511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16512. maxLength: 63
  16513. minLength: 1
  16514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16515. type: string
  16516. type: object
  16517. required:
  16518. - dopplerToken
  16519. type: object
  16520. type: object
  16521. x-kubernetes-validations:
  16522. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16523. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16524. config:
  16525. description: Doppler config (required if not using a Service Token)
  16526. type: string
  16527. format:
  16528. description: Format enables the downloading of secrets as a file (string)
  16529. enum:
  16530. - json
  16531. - dotnet-json
  16532. - env
  16533. - yaml
  16534. - docker
  16535. type: string
  16536. nameTransformer:
  16537. description: Environment variable compatible name transforms that change secret names to a different format
  16538. enum:
  16539. - upper-camel
  16540. - camel
  16541. - lower-snake
  16542. - tf-var
  16543. - dotnet-env
  16544. - lower-kebab
  16545. type: string
  16546. project:
  16547. description: Doppler project (required if not using a Service Token)
  16548. type: string
  16549. required:
  16550. - auth
  16551. type: object
  16552. dvls:
  16553. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16554. properties:
  16555. auth:
  16556. description: Auth defines the authentication method to use.
  16557. properties:
  16558. secretRef:
  16559. description: SecretRef contains the Application ID and Application Secret for authentication.
  16560. properties:
  16561. appId:
  16562. description: AppID is the reference to the secret containing the Application ID.
  16563. properties:
  16564. key:
  16565. description: |-
  16566. A key in the referenced Secret.
  16567. Some instances of this field may be defaulted, in others it may be required.
  16568. maxLength: 253
  16569. minLength: 1
  16570. pattern: ^[-._a-zA-Z0-9]+$
  16571. type: string
  16572. name:
  16573. description: The name of the Secret resource being referred to.
  16574. maxLength: 253
  16575. minLength: 1
  16576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16577. type: string
  16578. namespace:
  16579. description: |-
  16580. The namespace of the Secret resource being referred to.
  16581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16582. maxLength: 63
  16583. minLength: 1
  16584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16585. type: string
  16586. type: object
  16587. appSecret:
  16588. description: AppSecret is the reference to the secret containing the Application Secret.
  16589. properties:
  16590. key:
  16591. description: |-
  16592. A key in the referenced Secret.
  16593. Some instances of this field may be defaulted, in others it may be required.
  16594. maxLength: 253
  16595. minLength: 1
  16596. pattern: ^[-._a-zA-Z0-9]+$
  16597. type: string
  16598. name:
  16599. description: The name of the Secret resource being referred to.
  16600. maxLength: 253
  16601. minLength: 1
  16602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16603. type: string
  16604. namespace:
  16605. description: |-
  16606. The namespace of the Secret resource being referred to.
  16607. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16608. maxLength: 63
  16609. minLength: 1
  16610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16611. type: string
  16612. type: object
  16613. required:
  16614. - appId
  16615. - appSecret
  16616. type: object
  16617. required:
  16618. - secretRef
  16619. type: object
  16620. insecure:
  16621. description: |-
  16622. Insecure allows connecting to DVLS over plain HTTP.
  16623. This is NOT RECOMMENDED for production use.
  16624. Set to true only if you understand the security implications.
  16625. type: boolean
  16626. serverUrl:
  16627. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16628. type: string
  16629. vault:
  16630. description: |-
  16631. Vault is the name or UUID of the vault to fetch secrets from.
  16632. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16633. type: string
  16634. required:
  16635. - auth
  16636. - serverUrl
  16637. type: object
  16638. fake:
  16639. description: Fake configures a store with static key/value pairs
  16640. properties:
  16641. data:
  16642. items:
  16643. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16644. properties:
  16645. key:
  16646. type: string
  16647. value:
  16648. type: string
  16649. version:
  16650. type: string
  16651. required:
  16652. - key
  16653. - value
  16654. type: object
  16655. type: array
  16656. validationResult:
  16657. description: ValidationResult is defined type for the number of validation results.
  16658. type: integer
  16659. required:
  16660. - data
  16661. type: object
  16662. fortanix:
  16663. description: Fortanix configures this store to sync secrets using the Fortanix provider
  16664. properties:
  16665. apiKey:
  16666. description: APIKey is the API token to access SDKMS Applications.
  16667. properties:
  16668. secretRef:
  16669. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  16670. properties:
  16671. key:
  16672. description: |-
  16673. A key in the referenced Secret.
  16674. Some instances of this field may be defaulted, in others it may be required.
  16675. maxLength: 253
  16676. minLength: 1
  16677. pattern: ^[-._a-zA-Z0-9]+$
  16678. type: string
  16679. name:
  16680. description: The name of the Secret resource being referred to.
  16681. maxLength: 253
  16682. minLength: 1
  16683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16684. type: string
  16685. namespace:
  16686. description: |-
  16687. The namespace of the Secret resource being referred to.
  16688. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16689. maxLength: 63
  16690. minLength: 1
  16691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16692. type: string
  16693. type: object
  16694. type: object
  16695. apiUrl:
  16696. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  16697. type: string
  16698. type: object
  16699. gcpsm:
  16700. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  16701. properties:
  16702. auth:
  16703. description: Auth defines the information necessary to authenticate against GCP
  16704. properties:
  16705. secretRef:
  16706. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  16707. properties:
  16708. secretAccessKeySecretRef:
  16709. description: The SecretAccessKey is used for authentication
  16710. properties:
  16711. key:
  16712. description: |-
  16713. A key in the referenced Secret.
  16714. Some instances of this field may be defaulted, in others it may be required.
  16715. maxLength: 253
  16716. minLength: 1
  16717. pattern: ^[-._a-zA-Z0-9]+$
  16718. type: string
  16719. name:
  16720. description: The name of the Secret resource being referred to.
  16721. maxLength: 253
  16722. minLength: 1
  16723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16724. type: string
  16725. namespace:
  16726. description: |-
  16727. The namespace of the Secret resource being referred to.
  16728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16729. maxLength: 63
  16730. minLength: 1
  16731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16732. type: string
  16733. type: object
  16734. type: object
  16735. workloadIdentity:
  16736. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  16737. properties:
  16738. clusterLocation:
  16739. description: |-
  16740. ClusterLocation is the location of the cluster
  16741. If not specified, it fetches information from the metadata server
  16742. type: string
  16743. clusterName:
  16744. description: |-
  16745. ClusterName is the name of the cluster
  16746. If not specified, it fetches information from the metadata server
  16747. type: string
  16748. clusterProjectID:
  16749. description: |-
  16750. ClusterProjectID is the project ID of the cluster
  16751. If not specified, it fetches information from the metadata server
  16752. type: string
  16753. serviceAccountRef:
  16754. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  16755. properties:
  16756. audiences:
  16757. description: |-
  16758. Audience specifies the `aud` claim for the service account token
  16759. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16760. then this audiences will be appended to the list
  16761. items:
  16762. type: string
  16763. type: array
  16764. name:
  16765. description: The name of the ServiceAccount resource being referred to.
  16766. maxLength: 253
  16767. minLength: 1
  16768. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16769. type: string
  16770. namespace:
  16771. description: |-
  16772. Namespace of the resource being referred to.
  16773. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16774. maxLength: 63
  16775. minLength: 1
  16776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16777. type: string
  16778. required:
  16779. - name
  16780. type: object
  16781. required:
  16782. - serviceAccountRef
  16783. type: object
  16784. workloadIdentityFederation:
  16785. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  16786. properties:
  16787. audience:
  16788. description: |-
  16789. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  16790. If specified, Audience found in the external account credential config will be overridden with the configured value.
  16791. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  16792. type: string
  16793. awsSecurityCredentials:
  16794. description: |-
  16795. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  16796. when using the AWS metadata server is not an option.
  16797. properties:
  16798. awsCredentialsSecretRef:
  16799. description: |-
  16800. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  16801. Secret should be created with below names for keys
  16802. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  16803. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  16804. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  16805. properties:
  16806. name:
  16807. description: name of the secret.
  16808. maxLength: 253
  16809. minLength: 1
  16810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16811. type: string
  16812. namespace:
  16813. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  16814. maxLength: 63
  16815. minLength: 1
  16816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16817. type: string
  16818. required:
  16819. - name
  16820. type: object
  16821. region:
  16822. description: region is for configuring the AWS region to be used.
  16823. example: ap-south-1
  16824. maxLength: 50
  16825. minLength: 1
  16826. pattern: ^[a-z0-9-]+$
  16827. type: string
  16828. required:
  16829. - awsCredentialsSecretRef
  16830. - region
  16831. type: object
  16832. credConfig:
  16833. description: |-
  16834. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  16835. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  16836. serviceAccountRef must be used by providing operators service account details.
  16837. properties:
  16838. key:
  16839. description: key name holding the external account credential config.
  16840. maxLength: 253
  16841. minLength: 1
  16842. pattern: ^[-._a-zA-Z0-9]+$
  16843. type: string
  16844. name:
  16845. description: name of the configmap.
  16846. maxLength: 253
  16847. minLength: 1
  16848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16849. type: string
  16850. namespace:
  16851. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  16852. maxLength: 63
  16853. minLength: 1
  16854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16855. type: string
  16856. required:
  16857. - key
  16858. - name
  16859. type: object
  16860. externalTokenEndpoint:
  16861. description: |-
  16862. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  16863. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  16864. URL is having the expected value.
  16865. type: string
  16866. gcpServiceAccountEmail:
  16867. description: |-
  16868. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  16869. after Workload Identity Federation. Use this to grant access through the service account's
  16870. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  16871. service_account_impersonation_url in the external account JSON from credConfig;
  16872. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  16873. on that ServiceAccount.
  16874. example: my-gsa@my-project.iam.gserviceaccount.com
  16875. minLength: 1
  16876. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  16877. type: string
  16878. serviceAccountRef:
  16879. description: |-
  16880. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  16881. when Kubernetes is configured as provider in workload identity pool.
  16882. properties:
  16883. audiences:
  16884. description: |-
  16885. Audience specifies the `aud` claim for the service account token
  16886. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16887. then this audiences will be appended to the list
  16888. items:
  16889. type: string
  16890. type: array
  16891. name:
  16892. description: The name of the ServiceAccount resource being referred to.
  16893. maxLength: 253
  16894. minLength: 1
  16895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16896. type: string
  16897. namespace:
  16898. description: |-
  16899. Namespace of the resource being referred to.
  16900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16901. maxLength: 63
  16902. minLength: 1
  16903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16904. type: string
  16905. required:
  16906. - name
  16907. type: object
  16908. type: object
  16909. type: object
  16910. location:
  16911. description: Location optionally defines a location for a secret
  16912. type: string
  16913. projectID:
  16914. description: ProjectID project where secret is located
  16915. type: string
  16916. secretVersionSelectionPolicy:
  16917. default: LatestOrFail
  16918. description: |-
  16919. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  16920. when "latest" is disabled or destroyed.
  16921. Possible values are:
  16922. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  16923. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  16924. type: string
  16925. type: object
  16926. github:
  16927. description: |-
  16928. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  16929. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  16930. properties:
  16931. appID:
  16932. description: appID specifies the Github APP that will be used to authenticate the client
  16933. format: int64
  16934. type: integer
  16935. auth:
  16936. description: auth configures how secret-manager authenticates with a Github instance.
  16937. properties:
  16938. privateKey:
  16939. description: |-
  16940. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16941. In some instances, `key` is a required field.
  16942. properties:
  16943. key:
  16944. description: |-
  16945. A key in the referenced Secret.
  16946. Some instances of this field may be defaulted, in others it may be required.
  16947. maxLength: 253
  16948. minLength: 1
  16949. pattern: ^[-._a-zA-Z0-9]+$
  16950. type: string
  16951. name:
  16952. description: The name of the Secret resource being referred to.
  16953. maxLength: 253
  16954. minLength: 1
  16955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16956. type: string
  16957. namespace:
  16958. description: |-
  16959. The namespace of the Secret resource being referred to.
  16960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16961. maxLength: 63
  16962. minLength: 1
  16963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16964. type: string
  16965. type: object
  16966. required:
  16967. - privateKey
  16968. type: object
  16969. environment:
  16970. description: environment will be used to fetch secrets from a particular environment within a github repository
  16971. type: string
  16972. installationID:
  16973. description: installationID specifies the Github APP installation that will be used to authenticate the client
  16974. format: int64
  16975. type: integer
  16976. orgSecretVisibility:
  16977. description: |-
  16978. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  16979. Valid values are "all" or "private".
  16980. When unset, new secrets are created with visibility "all" and existing secrets preserve
  16981. whatever visibility they already have in GitHub.
  16982. enum:
  16983. - all
  16984. - private
  16985. type: string
  16986. organization:
  16987. description: organization will be used to fetch secrets from the Github organization
  16988. type: string
  16989. repository:
  16990. description: repository will be used to fetch secrets from the Github repository within an organization
  16991. type: string
  16992. uploadURL:
  16993. description: Upload URL for enterprise instances. Default to URL.
  16994. type: string
  16995. url:
  16996. default: https://github.com/
  16997. description: URL configures the Github instance URL. Defaults to https://github.com/.
  16998. type: string
  16999. required:
  17000. - appID
  17001. - auth
  17002. - installationID
  17003. - organization
  17004. type: object
  17005. gitlab:
  17006. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17007. properties:
  17008. auth:
  17009. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17010. properties:
  17011. SecretRef:
  17012. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17013. properties:
  17014. accessToken:
  17015. description: AccessToken is used for authentication.
  17016. properties:
  17017. key:
  17018. description: |-
  17019. A key in the referenced Secret.
  17020. Some instances of this field may be defaulted, in others it may be required.
  17021. maxLength: 253
  17022. minLength: 1
  17023. pattern: ^[-._a-zA-Z0-9]+$
  17024. type: string
  17025. name:
  17026. description: The name of the Secret resource being referred to.
  17027. maxLength: 253
  17028. minLength: 1
  17029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17030. type: string
  17031. namespace:
  17032. description: |-
  17033. The namespace of the Secret resource being referred to.
  17034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17035. maxLength: 63
  17036. minLength: 1
  17037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17038. type: string
  17039. type: object
  17040. type: object
  17041. required:
  17042. - SecretRef
  17043. type: object
  17044. caBundle:
  17045. description: |-
  17046. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17047. can be performed.
  17048. format: byte
  17049. type: string
  17050. caProvider:
  17051. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17052. properties:
  17053. key:
  17054. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17055. maxLength: 253
  17056. minLength: 1
  17057. pattern: ^[-._a-zA-Z0-9]+$
  17058. type: string
  17059. name:
  17060. description: The name of the object located at the provider type.
  17061. maxLength: 253
  17062. minLength: 1
  17063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17064. type: string
  17065. namespace:
  17066. description: |-
  17067. The namespace the Provider type is in.
  17068. Can only be defined when used in a ClusterSecretStore.
  17069. maxLength: 63
  17070. minLength: 1
  17071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17072. type: string
  17073. type:
  17074. description: The type of provider to use such as "Secret", or "ConfigMap".
  17075. enum:
  17076. - Secret
  17077. - ConfigMap
  17078. type: string
  17079. required:
  17080. - name
  17081. - type
  17082. type: object
  17083. environment:
  17084. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  17085. type: string
  17086. groupIDs:
  17087. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  17088. items:
  17089. type: string
  17090. type: array
  17091. inheritFromGroups:
  17092. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17093. type: boolean
  17094. projectID:
  17095. description: ProjectID specifies a project where secrets are located.
  17096. type: string
  17097. url:
  17098. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17099. type: string
  17100. required:
  17101. - auth
  17102. type: object
  17103. ibm:
  17104. description: IBM configures this store to sync secrets using IBM Cloud provider
  17105. properties:
  17106. auth:
  17107. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17108. maxProperties: 1
  17109. minProperties: 1
  17110. properties:
  17111. containerAuth:
  17112. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17113. properties:
  17114. iamEndpoint:
  17115. type: string
  17116. profile:
  17117. description: the IBM Trusted Profile
  17118. type: string
  17119. tokenLocation:
  17120. description: Location the token is mounted on the pod
  17121. type: string
  17122. required:
  17123. - profile
  17124. type: object
  17125. secretRef:
  17126. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17127. properties:
  17128. iamEndpoint:
  17129. description: The IAM endpoint used to obain a token
  17130. type: string
  17131. secretApiKeySecretRef:
  17132. description: The SecretAccessKey is used for authentication
  17133. properties:
  17134. key:
  17135. description: |-
  17136. A key in the referenced Secret.
  17137. Some instances of this field may be defaulted, in others it may be required.
  17138. maxLength: 253
  17139. minLength: 1
  17140. pattern: ^[-._a-zA-Z0-9]+$
  17141. type: string
  17142. name:
  17143. description: The name of the Secret resource being referred to.
  17144. maxLength: 253
  17145. minLength: 1
  17146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17147. type: string
  17148. namespace:
  17149. description: |-
  17150. The namespace of the Secret resource being referred to.
  17151. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17152. maxLength: 63
  17153. minLength: 1
  17154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17155. type: string
  17156. type: object
  17157. type: object
  17158. type: object
  17159. serviceUrl:
  17160. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17161. type: string
  17162. required:
  17163. - auth
  17164. type: object
  17165. infisical:
  17166. description: Infisical configures this store to sync secrets using the Infisical provider
  17167. properties:
  17168. auth:
  17169. description: Auth configures how the Operator authenticates with the Infisical API
  17170. properties:
  17171. awsAuthCredentials:
  17172. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17173. properties:
  17174. identityId:
  17175. description: |-
  17176. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17177. In some instances, `key` is a required field.
  17178. properties:
  17179. key:
  17180. description: |-
  17181. A key in the referenced Secret.
  17182. Some instances of this field may be defaulted, in others it may be required.
  17183. maxLength: 253
  17184. minLength: 1
  17185. pattern: ^[-._a-zA-Z0-9]+$
  17186. type: string
  17187. name:
  17188. description: The name of the Secret resource being referred to.
  17189. maxLength: 253
  17190. minLength: 1
  17191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17192. type: string
  17193. namespace:
  17194. description: |-
  17195. The namespace of the Secret resource being referred to.
  17196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17197. maxLength: 63
  17198. minLength: 1
  17199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17200. type: string
  17201. type: object
  17202. required:
  17203. - identityId
  17204. type: object
  17205. azureAuthCredentials:
  17206. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17207. properties:
  17208. identityId:
  17209. description: |-
  17210. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17211. In some instances, `key` is a required field.
  17212. properties:
  17213. key:
  17214. description: |-
  17215. A key in the referenced Secret.
  17216. Some instances of this field may be defaulted, in others it may be required.
  17217. maxLength: 253
  17218. minLength: 1
  17219. pattern: ^[-._a-zA-Z0-9]+$
  17220. type: string
  17221. name:
  17222. description: The name of the Secret resource being referred to.
  17223. maxLength: 253
  17224. minLength: 1
  17225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17226. type: string
  17227. namespace:
  17228. description: |-
  17229. The namespace of the Secret resource being referred to.
  17230. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17231. maxLength: 63
  17232. minLength: 1
  17233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17234. type: string
  17235. type: object
  17236. resource:
  17237. description: |-
  17238. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17239. In some instances, `key` is a required field.
  17240. properties:
  17241. key:
  17242. description: |-
  17243. A key in the referenced Secret.
  17244. Some instances of this field may be defaulted, in others it may be required.
  17245. maxLength: 253
  17246. minLength: 1
  17247. pattern: ^[-._a-zA-Z0-9]+$
  17248. type: string
  17249. name:
  17250. description: The name of the Secret resource being referred to.
  17251. maxLength: 253
  17252. minLength: 1
  17253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17254. type: string
  17255. namespace:
  17256. description: |-
  17257. The namespace of the Secret resource being referred to.
  17258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17259. maxLength: 63
  17260. minLength: 1
  17261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17262. type: string
  17263. type: object
  17264. required:
  17265. - identityId
  17266. type: object
  17267. gcpIamAuthCredentials:
  17268. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17269. properties:
  17270. identityId:
  17271. description: |-
  17272. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17273. In some instances, `key` is a required field.
  17274. properties:
  17275. key:
  17276. description: |-
  17277. A key in the referenced Secret.
  17278. Some instances of this field may be defaulted, in others it may be required.
  17279. maxLength: 253
  17280. minLength: 1
  17281. pattern: ^[-._a-zA-Z0-9]+$
  17282. type: string
  17283. name:
  17284. description: The name of the Secret resource being referred to.
  17285. maxLength: 253
  17286. minLength: 1
  17287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17288. type: string
  17289. namespace:
  17290. description: |-
  17291. The namespace of the Secret resource being referred to.
  17292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17293. maxLength: 63
  17294. minLength: 1
  17295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17296. type: string
  17297. type: object
  17298. serviceAccountKeyFilePath:
  17299. description: |-
  17300. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17301. In some instances, `key` is a required field.
  17302. properties:
  17303. key:
  17304. description: |-
  17305. A key in the referenced Secret.
  17306. Some instances of this field may be defaulted, in others it may be required.
  17307. maxLength: 253
  17308. minLength: 1
  17309. pattern: ^[-._a-zA-Z0-9]+$
  17310. type: string
  17311. name:
  17312. description: The name of the Secret resource being referred to.
  17313. maxLength: 253
  17314. minLength: 1
  17315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17316. type: string
  17317. namespace:
  17318. description: |-
  17319. The namespace of the Secret resource being referred to.
  17320. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17321. maxLength: 63
  17322. minLength: 1
  17323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17324. type: string
  17325. type: object
  17326. required:
  17327. - identityId
  17328. - serviceAccountKeyFilePath
  17329. type: object
  17330. gcpIdTokenAuthCredentials:
  17331. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17332. properties:
  17333. identityId:
  17334. description: |-
  17335. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17336. In some instances, `key` is a required field.
  17337. properties:
  17338. key:
  17339. description: |-
  17340. A key in the referenced Secret.
  17341. Some instances of this field may be defaulted, in others it may be required.
  17342. maxLength: 253
  17343. minLength: 1
  17344. pattern: ^[-._a-zA-Z0-9]+$
  17345. type: string
  17346. name:
  17347. description: The name of the Secret resource being referred to.
  17348. maxLength: 253
  17349. minLength: 1
  17350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17351. type: string
  17352. namespace:
  17353. description: |-
  17354. The namespace of the Secret resource being referred to.
  17355. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17356. maxLength: 63
  17357. minLength: 1
  17358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17359. type: string
  17360. type: object
  17361. required:
  17362. - identityId
  17363. type: object
  17364. jwtAuthCredentials:
  17365. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17366. properties:
  17367. identityId:
  17368. description: |-
  17369. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17370. In some instances, `key` is a required field.
  17371. properties:
  17372. key:
  17373. description: |-
  17374. A key in the referenced Secret.
  17375. Some instances of this field may be defaulted, in others it may be required.
  17376. maxLength: 253
  17377. minLength: 1
  17378. pattern: ^[-._a-zA-Z0-9]+$
  17379. type: string
  17380. name:
  17381. description: The name of the Secret resource being referred to.
  17382. maxLength: 253
  17383. minLength: 1
  17384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17385. type: string
  17386. namespace:
  17387. description: |-
  17388. The namespace of the Secret resource being referred to.
  17389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17390. maxLength: 63
  17391. minLength: 1
  17392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17393. type: string
  17394. type: object
  17395. jwt:
  17396. description: |-
  17397. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17398. In some instances, `key` is a required field.
  17399. properties:
  17400. key:
  17401. description: |-
  17402. A key in the referenced Secret.
  17403. Some instances of this field may be defaulted, in others it may be required.
  17404. maxLength: 253
  17405. minLength: 1
  17406. pattern: ^[-._a-zA-Z0-9]+$
  17407. type: string
  17408. name:
  17409. description: The name of the Secret resource being referred to.
  17410. maxLength: 253
  17411. minLength: 1
  17412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17413. type: string
  17414. namespace:
  17415. description: |-
  17416. The namespace of the Secret resource being referred to.
  17417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17418. maxLength: 63
  17419. minLength: 1
  17420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17421. type: string
  17422. type: object
  17423. required:
  17424. - identityId
  17425. - jwt
  17426. type: object
  17427. kubernetesAuthCredentials:
  17428. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17429. properties:
  17430. identityId:
  17431. description: |-
  17432. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17433. In some instances, `key` is a required field.
  17434. properties:
  17435. key:
  17436. description: |-
  17437. A key in the referenced Secret.
  17438. Some instances of this field may be defaulted, in others it may be required.
  17439. maxLength: 253
  17440. minLength: 1
  17441. pattern: ^[-._a-zA-Z0-9]+$
  17442. type: string
  17443. name:
  17444. description: The name of the Secret resource being referred to.
  17445. maxLength: 253
  17446. minLength: 1
  17447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17448. type: string
  17449. namespace:
  17450. description: |-
  17451. The namespace of the Secret resource being referred to.
  17452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17453. maxLength: 63
  17454. minLength: 1
  17455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17456. type: string
  17457. type: object
  17458. serviceAccountTokenPath:
  17459. description: |-
  17460. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17461. In some instances, `key` is a required field.
  17462. properties:
  17463. key:
  17464. description: |-
  17465. A key in the referenced Secret.
  17466. Some instances of this field may be defaulted, in others it may be required.
  17467. maxLength: 253
  17468. minLength: 1
  17469. pattern: ^[-._a-zA-Z0-9]+$
  17470. type: string
  17471. name:
  17472. description: The name of the Secret resource being referred to.
  17473. maxLength: 253
  17474. minLength: 1
  17475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17476. type: string
  17477. namespace:
  17478. description: |-
  17479. The namespace of the Secret resource being referred to.
  17480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17481. maxLength: 63
  17482. minLength: 1
  17483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17484. type: string
  17485. type: object
  17486. required:
  17487. - identityId
  17488. type: object
  17489. ldapAuthCredentials:
  17490. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17491. properties:
  17492. identityId:
  17493. description: |-
  17494. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17495. In some instances, `key` is a required field.
  17496. properties:
  17497. key:
  17498. description: |-
  17499. A key in the referenced Secret.
  17500. Some instances of this field may be defaulted, in others it may be required.
  17501. maxLength: 253
  17502. minLength: 1
  17503. pattern: ^[-._a-zA-Z0-9]+$
  17504. type: string
  17505. name:
  17506. description: The name of the Secret resource being referred to.
  17507. maxLength: 253
  17508. minLength: 1
  17509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17510. type: string
  17511. namespace:
  17512. description: |-
  17513. The namespace of the Secret resource being referred to.
  17514. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17515. maxLength: 63
  17516. minLength: 1
  17517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17518. type: string
  17519. type: object
  17520. ldapPassword:
  17521. description: |-
  17522. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17523. In some instances, `key` is a required field.
  17524. properties:
  17525. key:
  17526. description: |-
  17527. A key in the referenced Secret.
  17528. Some instances of this field may be defaulted, in others it may be required.
  17529. maxLength: 253
  17530. minLength: 1
  17531. pattern: ^[-._a-zA-Z0-9]+$
  17532. type: string
  17533. name:
  17534. description: The name of the Secret resource being referred to.
  17535. maxLength: 253
  17536. minLength: 1
  17537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17538. type: string
  17539. namespace:
  17540. description: |-
  17541. The namespace of the Secret resource being referred to.
  17542. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17543. maxLength: 63
  17544. minLength: 1
  17545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17546. type: string
  17547. type: object
  17548. ldapUsername:
  17549. description: |-
  17550. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17551. In some instances, `key` is a required field.
  17552. properties:
  17553. key:
  17554. description: |-
  17555. A key in the referenced Secret.
  17556. Some instances of this field may be defaulted, in others it may be required.
  17557. maxLength: 253
  17558. minLength: 1
  17559. pattern: ^[-._a-zA-Z0-9]+$
  17560. type: string
  17561. name:
  17562. description: The name of the Secret resource being referred to.
  17563. maxLength: 253
  17564. minLength: 1
  17565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17566. type: string
  17567. namespace:
  17568. description: |-
  17569. The namespace of the Secret resource being referred to.
  17570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17571. maxLength: 63
  17572. minLength: 1
  17573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17574. type: string
  17575. type: object
  17576. required:
  17577. - identityId
  17578. - ldapPassword
  17579. - ldapUsername
  17580. type: object
  17581. ociAuthCredentials:
  17582. description: OciAuthCredentials represents the credentials for OCI authentication.
  17583. properties:
  17584. fingerprint:
  17585. description: |-
  17586. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17587. In some instances, `key` is a required field.
  17588. properties:
  17589. key:
  17590. description: |-
  17591. A key in the referenced Secret.
  17592. Some instances of this field may be defaulted, in others it may be required.
  17593. maxLength: 253
  17594. minLength: 1
  17595. pattern: ^[-._a-zA-Z0-9]+$
  17596. type: string
  17597. name:
  17598. description: The name of the Secret resource being referred to.
  17599. maxLength: 253
  17600. minLength: 1
  17601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17602. type: string
  17603. namespace:
  17604. description: |-
  17605. The namespace of the Secret resource being referred to.
  17606. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17607. maxLength: 63
  17608. minLength: 1
  17609. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17610. type: string
  17611. type: object
  17612. identityId:
  17613. description: |-
  17614. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17615. In some instances, `key` is a required field.
  17616. properties:
  17617. key:
  17618. description: |-
  17619. A key in the referenced Secret.
  17620. Some instances of this field may be defaulted, in others it may be required.
  17621. maxLength: 253
  17622. minLength: 1
  17623. pattern: ^[-._a-zA-Z0-9]+$
  17624. type: string
  17625. name:
  17626. description: The name of the Secret resource being referred to.
  17627. maxLength: 253
  17628. minLength: 1
  17629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17630. type: string
  17631. namespace:
  17632. description: |-
  17633. The namespace of the Secret resource being referred to.
  17634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17635. maxLength: 63
  17636. minLength: 1
  17637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17638. type: string
  17639. type: object
  17640. privateKey:
  17641. description: |-
  17642. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17643. In some instances, `key` is a required field.
  17644. properties:
  17645. key:
  17646. description: |-
  17647. A key in the referenced Secret.
  17648. Some instances of this field may be defaulted, in others it may be required.
  17649. maxLength: 253
  17650. minLength: 1
  17651. pattern: ^[-._a-zA-Z0-9]+$
  17652. type: string
  17653. name:
  17654. description: The name of the Secret resource being referred to.
  17655. maxLength: 253
  17656. minLength: 1
  17657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17658. type: string
  17659. namespace:
  17660. description: |-
  17661. The namespace of the Secret resource being referred to.
  17662. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17663. maxLength: 63
  17664. minLength: 1
  17665. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17666. type: string
  17667. type: object
  17668. privateKeyPassphrase:
  17669. description: |-
  17670. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17671. In some instances, `key` is a required field.
  17672. properties:
  17673. key:
  17674. description: |-
  17675. A key in the referenced Secret.
  17676. Some instances of this field may be defaulted, in others it may be required.
  17677. maxLength: 253
  17678. minLength: 1
  17679. pattern: ^[-._a-zA-Z0-9]+$
  17680. type: string
  17681. name:
  17682. description: The name of the Secret resource being referred to.
  17683. maxLength: 253
  17684. minLength: 1
  17685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17686. type: string
  17687. namespace:
  17688. description: |-
  17689. The namespace of the Secret resource being referred to.
  17690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17691. maxLength: 63
  17692. minLength: 1
  17693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17694. type: string
  17695. type: object
  17696. region:
  17697. description: |-
  17698. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17699. In some instances, `key` is a required field.
  17700. properties:
  17701. key:
  17702. description: |-
  17703. A key in the referenced Secret.
  17704. Some instances of this field may be defaulted, in others it may be required.
  17705. maxLength: 253
  17706. minLength: 1
  17707. pattern: ^[-._a-zA-Z0-9]+$
  17708. type: string
  17709. name:
  17710. description: The name of the Secret resource being referred to.
  17711. maxLength: 253
  17712. minLength: 1
  17713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17714. type: string
  17715. namespace:
  17716. description: |-
  17717. The namespace of the Secret resource being referred to.
  17718. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17719. maxLength: 63
  17720. minLength: 1
  17721. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17722. type: string
  17723. type: object
  17724. tenancyId:
  17725. description: |-
  17726. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17727. In some instances, `key` is a required field.
  17728. properties:
  17729. key:
  17730. description: |-
  17731. A key in the referenced Secret.
  17732. Some instances of this field may be defaulted, in others it may be required.
  17733. maxLength: 253
  17734. minLength: 1
  17735. pattern: ^[-._a-zA-Z0-9]+$
  17736. type: string
  17737. name:
  17738. description: The name of the Secret resource being referred to.
  17739. maxLength: 253
  17740. minLength: 1
  17741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17742. type: string
  17743. namespace:
  17744. description: |-
  17745. The namespace of the Secret resource being referred to.
  17746. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17747. maxLength: 63
  17748. minLength: 1
  17749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17750. type: string
  17751. type: object
  17752. userId:
  17753. description: |-
  17754. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17755. In some instances, `key` is a required field.
  17756. properties:
  17757. key:
  17758. description: |-
  17759. A key in the referenced Secret.
  17760. Some instances of this field may be defaulted, in others it may be required.
  17761. maxLength: 253
  17762. minLength: 1
  17763. pattern: ^[-._a-zA-Z0-9]+$
  17764. type: string
  17765. name:
  17766. description: The name of the Secret resource being referred to.
  17767. maxLength: 253
  17768. minLength: 1
  17769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17770. type: string
  17771. namespace:
  17772. description: |-
  17773. The namespace of the Secret resource being referred to.
  17774. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17775. maxLength: 63
  17776. minLength: 1
  17777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17778. type: string
  17779. type: object
  17780. required:
  17781. - fingerprint
  17782. - identityId
  17783. - privateKey
  17784. - region
  17785. - tenancyId
  17786. - userId
  17787. type: object
  17788. tokenAuthCredentials:
  17789. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  17790. properties:
  17791. accessToken:
  17792. description: |-
  17793. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17794. In some instances, `key` is a required field.
  17795. properties:
  17796. key:
  17797. description: |-
  17798. A key in the referenced Secret.
  17799. Some instances of this field may be defaulted, in others it may be required.
  17800. maxLength: 253
  17801. minLength: 1
  17802. pattern: ^[-._a-zA-Z0-9]+$
  17803. type: string
  17804. name:
  17805. description: The name of the Secret resource being referred to.
  17806. maxLength: 253
  17807. minLength: 1
  17808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17809. type: string
  17810. namespace:
  17811. description: |-
  17812. The namespace of the Secret resource being referred to.
  17813. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17814. maxLength: 63
  17815. minLength: 1
  17816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17817. type: string
  17818. type: object
  17819. required:
  17820. - accessToken
  17821. type: object
  17822. universalAuthCredentials:
  17823. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  17824. properties:
  17825. clientId:
  17826. description: |-
  17827. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17828. In some instances, `key` is a required field.
  17829. properties:
  17830. key:
  17831. description: |-
  17832. A key in the referenced Secret.
  17833. Some instances of this field may be defaulted, in others it may be required.
  17834. maxLength: 253
  17835. minLength: 1
  17836. pattern: ^[-._a-zA-Z0-9]+$
  17837. type: string
  17838. name:
  17839. description: The name of the Secret resource being referred to.
  17840. maxLength: 253
  17841. minLength: 1
  17842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17843. type: string
  17844. namespace:
  17845. description: |-
  17846. The namespace of the Secret resource being referred to.
  17847. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17848. maxLength: 63
  17849. minLength: 1
  17850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17851. type: string
  17852. type: object
  17853. clientSecret:
  17854. description: |-
  17855. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17856. In some instances, `key` is a required field.
  17857. properties:
  17858. key:
  17859. description: |-
  17860. A key in the referenced Secret.
  17861. Some instances of this field may be defaulted, in others it may be required.
  17862. maxLength: 253
  17863. minLength: 1
  17864. pattern: ^[-._a-zA-Z0-9]+$
  17865. type: string
  17866. name:
  17867. description: The name of the Secret resource being referred to.
  17868. maxLength: 253
  17869. minLength: 1
  17870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17871. type: string
  17872. namespace:
  17873. description: |-
  17874. The namespace of the Secret resource being referred to.
  17875. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17876. maxLength: 63
  17877. minLength: 1
  17878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17879. type: string
  17880. type: object
  17881. required:
  17882. - clientId
  17883. - clientSecret
  17884. type: object
  17885. type: object
  17886. caBundle:
  17887. description: |-
  17888. CABundle is a PEM-encoded CA certificate bundle used to validate
  17889. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  17890. format: byte
  17891. type: string
  17892. caProvider:
  17893. description: |-
  17894. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  17895. The certificate is used to validate the Infisical server's TLS certificate.
  17896. Mutually exclusive with CABundle.
  17897. properties:
  17898. key:
  17899. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17900. maxLength: 253
  17901. minLength: 1
  17902. pattern: ^[-._a-zA-Z0-9]+$
  17903. type: string
  17904. name:
  17905. description: The name of the object located at the provider type.
  17906. maxLength: 253
  17907. minLength: 1
  17908. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17909. type: string
  17910. namespace:
  17911. description: |-
  17912. The namespace the Provider type is in.
  17913. Can only be defined when used in a ClusterSecretStore.
  17914. maxLength: 63
  17915. minLength: 1
  17916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17917. type: string
  17918. type:
  17919. description: The type of provider to use such as "Secret", or "ConfigMap".
  17920. enum:
  17921. - Secret
  17922. - ConfigMap
  17923. type: string
  17924. required:
  17925. - name
  17926. - type
  17927. type: object
  17928. hostAPI:
  17929. default: https://app.infisical.com/api
  17930. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  17931. type: string
  17932. secretsScope:
  17933. description: SecretsScope defines the scope of the secrets within the workspace
  17934. properties:
  17935. environmentSlug:
  17936. description: EnvironmentSlug is the required slug identifier for the environment.
  17937. type: string
  17938. expandSecretReferences:
  17939. default: true
  17940. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  17941. type: boolean
  17942. projectSlug:
  17943. description: ProjectSlug is the required slug identifier for the project.
  17944. type: string
  17945. recursive:
  17946. default: false
  17947. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  17948. type: boolean
  17949. secretsPath:
  17950. default: /
  17951. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  17952. type: string
  17953. required:
  17954. - environmentSlug
  17955. - projectSlug
  17956. type: object
  17957. required:
  17958. - auth
  17959. - secretsScope
  17960. type: object
  17961. keepersecurity:
  17962. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  17963. properties:
  17964. authRef:
  17965. description: |-
  17966. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17967. In some instances, `key` is a required field.
  17968. properties:
  17969. key:
  17970. description: |-
  17971. A key in the referenced Secret.
  17972. Some instances of this field may be defaulted, in others it may be required.
  17973. maxLength: 253
  17974. minLength: 1
  17975. pattern: ^[-._a-zA-Z0-9]+$
  17976. type: string
  17977. name:
  17978. description: The name of the Secret resource being referred to.
  17979. maxLength: 253
  17980. minLength: 1
  17981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17982. type: string
  17983. namespace:
  17984. description: |-
  17985. The namespace of the Secret resource being referred to.
  17986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17987. maxLength: 63
  17988. minLength: 1
  17989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17990. type: string
  17991. type: object
  17992. folderID:
  17993. type: string
  17994. getByTitleFallback:
  17995. type: boolean
  17996. required:
  17997. - authRef
  17998. - folderID
  17999. type: object
  18000. kubernetes:
  18001. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18002. properties:
  18003. auth:
  18004. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18005. maxProperties: 1
  18006. minProperties: 1
  18007. properties:
  18008. cert:
  18009. description: has both clientCert and clientKey as secretKeySelector
  18010. properties:
  18011. clientCert:
  18012. description: |-
  18013. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18014. In some instances, `key` is a required field.
  18015. properties:
  18016. key:
  18017. description: |-
  18018. A key in the referenced Secret.
  18019. Some instances of this field may be defaulted, in others it may be required.
  18020. maxLength: 253
  18021. minLength: 1
  18022. pattern: ^[-._a-zA-Z0-9]+$
  18023. type: string
  18024. name:
  18025. description: The name of the Secret resource being referred to.
  18026. maxLength: 253
  18027. minLength: 1
  18028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18029. type: string
  18030. namespace:
  18031. description: |-
  18032. The namespace of the Secret resource being referred to.
  18033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18034. maxLength: 63
  18035. minLength: 1
  18036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18037. type: string
  18038. type: object
  18039. clientKey:
  18040. description: |-
  18041. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18042. In some instances, `key` is a required field.
  18043. properties:
  18044. key:
  18045. description: |-
  18046. A key in the referenced Secret.
  18047. Some instances of this field may be defaulted, in others it may be required.
  18048. maxLength: 253
  18049. minLength: 1
  18050. pattern: ^[-._a-zA-Z0-9]+$
  18051. type: string
  18052. name:
  18053. description: The name of the Secret resource being referred to.
  18054. maxLength: 253
  18055. minLength: 1
  18056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18057. type: string
  18058. namespace:
  18059. description: |-
  18060. The namespace of the Secret resource being referred to.
  18061. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18062. maxLength: 63
  18063. minLength: 1
  18064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18065. type: string
  18066. type: object
  18067. type: object
  18068. serviceAccount:
  18069. description: points to a service account that should be used for authentication
  18070. properties:
  18071. audiences:
  18072. description: |-
  18073. Audience specifies the `aud` claim for the service account token
  18074. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18075. then this audiences will be appended to the list
  18076. items:
  18077. type: string
  18078. type: array
  18079. name:
  18080. description: The name of the ServiceAccount resource being referred to.
  18081. maxLength: 253
  18082. minLength: 1
  18083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18084. type: string
  18085. namespace:
  18086. description: |-
  18087. Namespace of the resource being referred to.
  18088. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18089. maxLength: 63
  18090. minLength: 1
  18091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18092. type: string
  18093. required:
  18094. - name
  18095. type: object
  18096. token:
  18097. description: use static token to authenticate with
  18098. properties:
  18099. bearerToken:
  18100. description: |-
  18101. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18102. In some instances, `key` is a required field.
  18103. properties:
  18104. key:
  18105. description: |-
  18106. A key in the referenced Secret.
  18107. Some instances of this field may be defaulted, in others it may be required.
  18108. maxLength: 253
  18109. minLength: 1
  18110. pattern: ^[-._a-zA-Z0-9]+$
  18111. type: string
  18112. name:
  18113. description: The name of the Secret resource being referred to.
  18114. maxLength: 253
  18115. minLength: 1
  18116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18117. type: string
  18118. namespace:
  18119. description: |-
  18120. The namespace of the Secret resource being referred to.
  18121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18122. maxLength: 63
  18123. minLength: 1
  18124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18125. type: string
  18126. type: object
  18127. type: object
  18128. type: object
  18129. authRef:
  18130. description: A reference to a secret that contains the auth information.
  18131. properties:
  18132. key:
  18133. description: |-
  18134. A key in the referenced Secret.
  18135. Some instances of this field may be defaulted, in others it may be required.
  18136. maxLength: 253
  18137. minLength: 1
  18138. pattern: ^[-._a-zA-Z0-9]+$
  18139. type: string
  18140. name:
  18141. description: The name of the Secret resource being referred to.
  18142. maxLength: 253
  18143. minLength: 1
  18144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18145. type: string
  18146. namespace:
  18147. description: |-
  18148. The namespace of the Secret resource being referred to.
  18149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18150. maxLength: 63
  18151. minLength: 1
  18152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18153. type: string
  18154. type: object
  18155. remoteNamespace:
  18156. default: default
  18157. description: Remote namespace to fetch the secrets from
  18158. maxLength: 63
  18159. minLength: 1
  18160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18161. type: string
  18162. server:
  18163. description: configures the Kubernetes server Address.
  18164. properties:
  18165. caBundle:
  18166. description: CABundle is a base64-encoded CA certificate
  18167. format: byte
  18168. type: string
  18169. caProvider:
  18170. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18171. properties:
  18172. key:
  18173. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18174. maxLength: 253
  18175. minLength: 1
  18176. pattern: ^[-._a-zA-Z0-9]+$
  18177. type: string
  18178. name:
  18179. description: The name of the object located at the provider type.
  18180. maxLength: 253
  18181. minLength: 1
  18182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18183. type: string
  18184. namespace:
  18185. description: |-
  18186. The namespace the Provider type is in.
  18187. Can only be defined when used in a ClusterSecretStore.
  18188. maxLength: 63
  18189. minLength: 1
  18190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18191. type: string
  18192. type:
  18193. description: The type of provider to use such as "Secret", or "ConfigMap".
  18194. enum:
  18195. - Secret
  18196. - ConfigMap
  18197. type: string
  18198. required:
  18199. - name
  18200. - type
  18201. type: object
  18202. url:
  18203. default: kubernetes.default
  18204. description: configures the Kubernetes server Address.
  18205. type: string
  18206. type: object
  18207. type: object
  18208. nebiusmysterybox:
  18209. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  18210. properties:
  18211. apiDomain:
  18212. description: NebiusMysterybox API endpoint
  18213. type: string
  18214. auth:
  18215. description: Auth defines parameters to authenticate in MysteryBox
  18216. properties:
  18217. serviceAccountCredsSecretRef:
  18218. description: |-
  18219. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18220. document with service account credentials used to get an IAM token.
  18221. Expected JSON structure:
  18222. {
  18223. "subject-credentials": {
  18224. "alg": "RS256",
  18225. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18226. "kid": "<public-key-id>",
  18227. "iss": "<issuer-service-account-id>",
  18228. "sub": "<subject-service-account-id>"
  18229. }
  18230. }
  18231. properties:
  18232. key:
  18233. description: |-
  18234. A key in the referenced Secret.
  18235. Some instances of this field may be defaulted, in others it may be required.
  18236. maxLength: 253
  18237. minLength: 1
  18238. pattern: ^[-._a-zA-Z0-9]+$
  18239. type: string
  18240. name:
  18241. description: The name of the Secret resource being referred to.
  18242. maxLength: 253
  18243. minLength: 1
  18244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18245. type: string
  18246. namespace:
  18247. description: |-
  18248. The namespace of the Secret resource being referred to.
  18249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18250. maxLength: 63
  18251. minLength: 1
  18252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18253. type: string
  18254. type: object
  18255. tokenSecretRef:
  18256. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18257. properties:
  18258. key:
  18259. description: |-
  18260. A key in the referenced Secret.
  18261. Some instances of this field may be defaulted, in others it may be required.
  18262. maxLength: 253
  18263. minLength: 1
  18264. pattern: ^[-._a-zA-Z0-9]+$
  18265. type: string
  18266. name:
  18267. description: The name of the Secret resource being referred to.
  18268. maxLength: 253
  18269. minLength: 1
  18270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18271. type: string
  18272. namespace:
  18273. description: |-
  18274. The namespace of the Secret resource being referred to.
  18275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18276. maxLength: 63
  18277. minLength: 1
  18278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18279. type: string
  18280. type: object
  18281. type: object
  18282. x-kubernetes-validations:
  18283. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18284. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18285. caProvider:
  18286. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18287. properties:
  18288. certSecretRef:
  18289. description: |-
  18290. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18291. In some instances, `key` is a required field.
  18292. properties:
  18293. key:
  18294. description: |-
  18295. A key in the referenced Secret.
  18296. Some instances of this field may be defaulted, in others it may be required.
  18297. maxLength: 253
  18298. minLength: 1
  18299. pattern: ^[-._a-zA-Z0-9]+$
  18300. type: string
  18301. name:
  18302. description: The name of the Secret resource being referred to.
  18303. maxLength: 253
  18304. minLength: 1
  18305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18306. type: string
  18307. namespace:
  18308. description: |-
  18309. The namespace of the Secret resource being referred to.
  18310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18311. maxLength: 63
  18312. minLength: 1
  18313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18314. type: string
  18315. type: object
  18316. type: object
  18317. required:
  18318. - apiDomain
  18319. - auth
  18320. type: object
  18321. ngrok:
  18322. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18323. properties:
  18324. apiUrl:
  18325. default: https://api.ngrok.com
  18326. description: APIURL is the URL of the ngrok API.
  18327. type: string
  18328. auth:
  18329. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18330. maxProperties: 1
  18331. minProperties: 1
  18332. properties:
  18333. apiKey:
  18334. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18335. properties:
  18336. secretRef:
  18337. description: SecretRef is a reference to a secret containing the ngrok API key.
  18338. properties:
  18339. key:
  18340. description: |-
  18341. A key in the referenced Secret.
  18342. Some instances of this field may be defaulted, in others it may be required.
  18343. maxLength: 253
  18344. minLength: 1
  18345. pattern: ^[-._a-zA-Z0-9]+$
  18346. type: string
  18347. name:
  18348. description: The name of the Secret resource being referred to.
  18349. maxLength: 253
  18350. minLength: 1
  18351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18352. type: string
  18353. namespace:
  18354. description: |-
  18355. The namespace of the Secret resource being referred to.
  18356. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18357. maxLength: 63
  18358. minLength: 1
  18359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18360. type: string
  18361. type: object
  18362. type: object
  18363. type: object
  18364. vault:
  18365. description: Vault configures the ngrok vault to sync secrets with.
  18366. properties:
  18367. name:
  18368. description: Name is the name of the ngrok vault to sync secrets with.
  18369. type: string
  18370. required:
  18371. - name
  18372. type: object
  18373. required:
  18374. - auth
  18375. - vault
  18376. type: object
  18377. onboardbase:
  18378. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18379. properties:
  18380. apiHost:
  18381. default: https://public.onboardbase.com/api/v1/
  18382. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18383. type: string
  18384. auth:
  18385. description: Auth configures how the Operator authenticates with the Onboardbase API
  18386. properties:
  18387. apiKeyRef:
  18388. description: |-
  18389. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18390. It is used to recognize and authorize access to a project and environment within onboardbase
  18391. properties:
  18392. key:
  18393. description: |-
  18394. A key in the referenced Secret.
  18395. Some instances of this field may be defaulted, in others it may be required.
  18396. maxLength: 253
  18397. minLength: 1
  18398. pattern: ^[-._a-zA-Z0-9]+$
  18399. type: string
  18400. name:
  18401. description: The name of the Secret resource being referred to.
  18402. maxLength: 253
  18403. minLength: 1
  18404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18405. type: string
  18406. namespace:
  18407. description: |-
  18408. The namespace of the Secret resource being referred to.
  18409. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18410. maxLength: 63
  18411. minLength: 1
  18412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18413. type: string
  18414. type: object
  18415. passcodeRef:
  18416. description: OnboardbasePasscode is the passcode attached to the API Key
  18417. properties:
  18418. key:
  18419. description: |-
  18420. A key in the referenced Secret.
  18421. Some instances of this field may be defaulted, in others it may be required.
  18422. maxLength: 253
  18423. minLength: 1
  18424. pattern: ^[-._a-zA-Z0-9]+$
  18425. type: string
  18426. name:
  18427. description: The name of the Secret resource being referred to.
  18428. maxLength: 253
  18429. minLength: 1
  18430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18431. type: string
  18432. namespace:
  18433. description: |-
  18434. The namespace of the Secret resource being referred to.
  18435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18436. maxLength: 63
  18437. minLength: 1
  18438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18439. type: string
  18440. type: object
  18441. required:
  18442. - apiKeyRef
  18443. - passcodeRef
  18444. type: object
  18445. environment:
  18446. default: development
  18447. description: Environment is the name of an environmnent within a project to pull the secrets from
  18448. type: string
  18449. project:
  18450. default: development
  18451. description: Project is an onboardbase project that the secrets should be pulled from
  18452. type: string
  18453. required:
  18454. - apiHost
  18455. - auth
  18456. - environment
  18457. - project
  18458. type: object
  18459. onepassword:
  18460. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18461. properties:
  18462. auth:
  18463. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18464. properties:
  18465. secretRef:
  18466. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18467. properties:
  18468. connectTokenSecretRef:
  18469. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18470. properties:
  18471. key:
  18472. description: |-
  18473. A key in the referenced Secret.
  18474. Some instances of this field may be defaulted, in others it may be required.
  18475. maxLength: 253
  18476. minLength: 1
  18477. pattern: ^[-._a-zA-Z0-9]+$
  18478. type: string
  18479. name:
  18480. description: The name of the Secret resource being referred to.
  18481. maxLength: 253
  18482. minLength: 1
  18483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18484. type: string
  18485. namespace:
  18486. description: |-
  18487. The namespace of the Secret resource being referred to.
  18488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18489. maxLength: 63
  18490. minLength: 1
  18491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18492. type: string
  18493. type: object
  18494. required:
  18495. - connectTokenSecretRef
  18496. type: object
  18497. required:
  18498. - secretRef
  18499. type: object
  18500. connectHost:
  18501. description: ConnectHost defines the OnePassword Connect Server to connect to
  18502. type: string
  18503. vaults:
  18504. additionalProperties:
  18505. type: integer
  18506. description: Vaults defines which OnePassword vaults to search in which order
  18507. type: object
  18508. required:
  18509. - auth
  18510. - connectHost
  18511. - vaults
  18512. type: object
  18513. onepasswordSDK:
  18514. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18515. properties:
  18516. auth:
  18517. description: Auth defines the information necessary to authenticate against OnePassword API.
  18518. properties:
  18519. serviceAccountSecretRef:
  18520. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18521. properties:
  18522. key:
  18523. description: |-
  18524. A key in the referenced Secret.
  18525. Some instances of this field may be defaulted, in others it may be required.
  18526. maxLength: 253
  18527. minLength: 1
  18528. pattern: ^[-._a-zA-Z0-9]+$
  18529. type: string
  18530. name:
  18531. description: The name of the Secret resource being referred to.
  18532. maxLength: 253
  18533. minLength: 1
  18534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18535. type: string
  18536. namespace:
  18537. description: |-
  18538. The namespace of the Secret resource being referred to.
  18539. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18540. maxLength: 63
  18541. minLength: 1
  18542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18543. type: string
  18544. type: object
  18545. required:
  18546. - serviceAccountSecretRef
  18547. type: object
  18548. cache:
  18549. description: |-
  18550. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18551. When enabled, secrets are cached with the specified TTL.
  18552. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18553. If omitted, caching is disabled (default).
  18554. cache: {} is a valid option to set.
  18555. properties:
  18556. maxSize:
  18557. default: 100
  18558. description: |-
  18559. MaxSize is the maximum number of secrets to cache.
  18560. When the cache is full, least-recently-used entries are evicted.
  18561. minimum: 1
  18562. type: integer
  18563. ttl:
  18564. default: 5m
  18565. description: |-
  18566. TTL is the time-to-live for cached secrets.
  18567. Format: duration string (e.g., "5m", "1h", "30s")
  18568. type: string
  18569. type: object
  18570. integrationInfo:
  18571. description: |-
  18572. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18573. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18574. properties:
  18575. name:
  18576. default: 1Password SDK
  18577. description: Name defaults to "1Password SDK".
  18578. type: string
  18579. version:
  18580. default: v1.0.0
  18581. description: Version defaults to "v1.0.0".
  18582. type: string
  18583. type: object
  18584. vault:
  18585. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18586. type: string
  18587. required:
  18588. - auth
  18589. - vault
  18590. type: object
  18591. openBao:
  18592. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18593. properties:
  18594. auth:
  18595. description: Auth configures how secret-manager authenticates with the OpenBao server.
  18596. properties:
  18597. tokenSecretRef:
  18598. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  18599. properties:
  18600. key:
  18601. description: |-
  18602. A key in the referenced Secret.
  18603. Some instances of this field may be defaulted, in others it may be required.
  18604. maxLength: 253
  18605. minLength: 1
  18606. pattern: ^[-._a-zA-Z0-9]+$
  18607. type: string
  18608. name:
  18609. description: The name of the Secret resource being referred to.
  18610. maxLength: 253
  18611. minLength: 1
  18612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18613. type: string
  18614. namespace:
  18615. description: |-
  18616. The namespace of the Secret resource being referred to.
  18617. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18618. maxLength: 63
  18619. minLength: 1
  18620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18621. type: string
  18622. type: object
  18623. type: object
  18624. path:
  18625. description: |-
  18626. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  18627. "secret". The v2 KV secret engine version specific "/data" path suffix
  18628. for fetching secrets from OpenBao is optional and will be appended
  18629. if not present in specified path.
  18630. type: string
  18631. server:
  18632. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  18633. type: string
  18634. version:
  18635. default: v2
  18636. description: |-
  18637. Version is the OpenBao KV secret engine version. This can be either "v1" or
  18638. "v2". Version defaults to "v2".
  18639. enum:
  18640. - v1
  18641. - v2
  18642. type: string
  18643. required:
  18644. - server
  18645. type: object
  18646. oracle:
  18647. description: Oracle configures this store to sync secrets using Oracle Vault provider
  18648. properties:
  18649. auth:
  18650. description: |-
  18651. Auth configures how secret-manager authenticates with the Oracle Vault.
  18652. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  18653. properties:
  18654. secretRef:
  18655. description: SecretRef to pass through sensitive information.
  18656. properties:
  18657. fingerprint:
  18658. description: Fingerprint is the fingerprint of the API private key.
  18659. properties:
  18660. key:
  18661. description: |-
  18662. A key in the referenced Secret.
  18663. Some instances of this field may be defaulted, in others it may be required.
  18664. maxLength: 253
  18665. minLength: 1
  18666. pattern: ^[-._a-zA-Z0-9]+$
  18667. type: string
  18668. name:
  18669. description: The name of the Secret resource being referred to.
  18670. maxLength: 253
  18671. minLength: 1
  18672. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18673. type: string
  18674. namespace:
  18675. description: |-
  18676. The namespace of the Secret resource being referred to.
  18677. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18678. maxLength: 63
  18679. minLength: 1
  18680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18681. type: string
  18682. type: object
  18683. privatekey:
  18684. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  18685. properties:
  18686. key:
  18687. description: |-
  18688. A key in the referenced Secret.
  18689. Some instances of this field may be defaulted, in others it may be required.
  18690. maxLength: 253
  18691. minLength: 1
  18692. pattern: ^[-._a-zA-Z0-9]+$
  18693. type: string
  18694. name:
  18695. description: The name of the Secret resource being referred to.
  18696. maxLength: 253
  18697. minLength: 1
  18698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18699. type: string
  18700. namespace:
  18701. description: |-
  18702. The namespace of the Secret resource being referred to.
  18703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18704. maxLength: 63
  18705. minLength: 1
  18706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18707. type: string
  18708. type: object
  18709. required:
  18710. - fingerprint
  18711. - privatekey
  18712. type: object
  18713. tenancy:
  18714. description: Tenancy is the tenancy OCID where user is located.
  18715. type: string
  18716. user:
  18717. description: User is an access OCID specific to the account.
  18718. type: string
  18719. required:
  18720. - secretRef
  18721. - tenancy
  18722. - user
  18723. type: object
  18724. compartment:
  18725. description: |-
  18726. Compartment is the vault compartment OCID.
  18727. Required for PushSecret
  18728. type: string
  18729. encryptionKey:
  18730. description: |-
  18731. EncryptionKey is the OCID of the encryption key within the vault.
  18732. Required for PushSecret
  18733. type: string
  18734. principalType:
  18735. description: |-
  18736. The type of principal to use for authentication. If left blank, the Auth struct will
  18737. determine the principal type. This optional field must be specified if using
  18738. workload identity.
  18739. enum:
  18740. - ""
  18741. - UserPrincipal
  18742. - InstancePrincipal
  18743. - Workload
  18744. type: string
  18745. region:
  18746. description: Region is the region where vault is located.
  18747. type: string
  18748. serviceAccountRef:
  18749. description: |-
  18750. ServiceAccountRef specified the service account
  18751. that should be used when authenticating with WorkloadIdentity.
  18752. properties:
  18753. audiences:
  18754. description: |-
  18755. Audience specifies the `aud` claim for the service account token
  18756. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18757. then this audiences will be appended to the list
  18758. items:
  18759. type: string
  18760. type: array
  18761. name:
  18762. description: The name of the ServiceAccount resource being referred to.
  18763. maxLength: 253
  18764. minLength: 1
  18765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18766. type: string
  18767. namespace:
  18768. description: |-
  18769. Namespace of the resource being referred to.
  18770. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18771. maxLength: 63
  18772. minLength: 1
  18773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18774. type: string
  18775. required:
  18776. - name
  18777. type: object
  18778. vault:
  18779. description: Vault is the vault's OCID of the specific vault where secret is located.
  18780. type: string
  18781. required:
  18782. - region
  18783. - vault
  18784. type: object
  18785. ovh:
  18786. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  18787. properties:
  18788. auth:
  18789. description: Authentication method (mtls or token).
  18790. properties:
  18791. mtls:
  18792. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  18793. properties:
  18794. caBundle:
  18795. format: byte
  18796. type: string
  18797. caProvider:
  18798. description: |-
  18799. CAProvider provides a custom certificate authority for accessing the provider's store.
  18800. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  18801. properties:
  18802. key:
  18803. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18804. maxLength: 253
  18805. minLength: 1
  18806. pattern: ^[-._a-zA-Z0-9]+$
  18807. type: string
  18808. name:
  18809. description: The name of the object located at the provider type.
  18810. maxLength: 253
  18811. minLength: 1
  18812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18813. type: string
  18814. namespace:
  18815. description: |-
  18816. The namespace the Provider type is in.
  18817. Can only be defined when used in a ClusterSecretStore.
  18818. maxLength: 63
  18819. minLength: 1
  18820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18821. type: string
  18822. type:
  18823. description: The type of provider to use such as "Secret", or "ConfigMap".
  18824. enum:
  18825. - Secret
  18826. - ConfigMap
  18827. type: string
  18828. required:
  18829. - name
  18830. - type
  18831. type: object
  18832. certSecretRef:
  18833. description: |-
  18834. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18835. In some instances, `key` is a required field.
  18836. properties:
  18837. key:
  18838. description: |-
  18839. A key in the referenced Secret.
  18840. Some instances of this field may be defaulted, in others it may be required.
  18841. maxLength: 253
  18842. minLength: 1
  18843. pattern: ^[-._a-zA-Z0-9]+$
  18844. type: string
  18845. name:
  18846. description: The name of the Secret resource being referred to.
  18847. maxLength: 253
  18848. minLength: 1
  18849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18850. type: string
  18851. namespace:
  18852. description: |-
  18853. The namespace of the Secret resource being referred to.
  18854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18855. maxLength: 63
  18856. minLength: 1
  18857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18858. type: string
  18859. type: object
  18860. keySecretRef:
  18861. description: |-
  18862. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18863. In some instances, `key` is a required field.
  18864. properties:
  18865. key:
  18866. description: |-
  18867. A key in the referenced Secret.
  18868. Some instances of this field may be defaulted, in others it may be required.
  18869. maxLength: 253
  18870. minLength: 1
  18871. pattern: ^[-._a-zA-Z0-9]+$
  18872. type: string
  18873. name:
  18874. description: The name of the Secret resource being referred to.
  18875. maxLength: 253
  18876. minLength: 1
  18877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18878. type: string
  18879. namespace:
  18880. description: |-
  18881. The namespace of the Secret resource being referred to.
  18882. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18883. maxLength: 63
  18884. minLength: 1
  18885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18886. type: string
  18887. type: object
  18888. required:
  18889. - certSecretRef
  18890. - keySecretRef
  18891. type: object
  18892. token:
  18893. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  18894. properties:
  18895. tokenSecretRef:
  18896. description: |-
  18897. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18898. In some instances, `key` is a required field.
  18899. properties:
  18900. key:
  18901. description: |-
  18902. A key in the referenced Secret.
  18903. Some instances of this field may be defaulted, in others it may be required.
  18904. maxLength: 253
  18905. minLength: 1
  18906. pattern: ^[-._a-zA-Z0-9]+$
  18907. type: string
  18908. name:
  18909. description: The name of the Secret resource being referred to.
  18910. maxLength: 253
  18911. minLength: 1
  18912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18913. type: string
  18914. namespace:
  18915. description: |-
  18916. The namespace of the Secret resource being referred to.
  18917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18918. maxLength: 63
  18919. minLength: 1
  18920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18921. type: string
  18922. type: object
  18923. required:
  18924. - tokenSecretRef
  18925. type: object
  18926. type: object
  18927. casRequired:
  18928. description: 'Enables or disables check-and-set (CAS) (default: false).'
  18929. type: boolean
  18930. okmsTimeout:
  18931. default: 30
  18932. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  18933. format: int32
  18934. minimum: 1
  18935. type: integer
  18936. okmsid:
  18937. description: specifies the OKMS ID.
  18938. type: string
  18939. server:
  18940. description: specifies the OKMS server endpoint.
  18941. type: string
  18942. required:
  18943. - auth
  18944. - okmsid
  18945. - server
  18946. type: object
  18947. passbolt:
  18948. description: |-
  18949. PassboltProvider provides access to Passbolt secrets manager.
  18950. See: https://www.passbolt.com.
  18951. properties:
  18952. auth:
  18953. description: Auth defines the information necessary to authenticate against Passbolt Server
  18954. properties:
  18955. passwordSecretRef:
  18956. description: |-
  18957. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18958. In some instances, `key` is a required field.
  18959. properties:
  18960. key:
  18961. description: |-
  18962. A key in the referenced Secret.
  18963. Some instances of this field may be defaulted, in others it may be required.
  18964. maxLength: 253
  18965. minLength: 1
  18966. pattern: ^[-._a-zA-Z0-9]+$
  18967. type: string
  18968. name:
  18969. description: The name of the Secret resource being referred to.
  18970. maxLength: 253
  18971. minLength: 1
  18972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18973. type: string
  18974. namespace:
  18975. description: |-
  18976. The namespace of the Secret resource being referred to.
  18977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18978. maxLength: 63
  18979. minLength: 1
  18980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18981. type: string
  18982. type: object
  18983. privateKeySecretRef:
  18984. description: |-
  18985. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18986. In some instances, `key` is a required field.
  18987. properties:
  18988. key:
  18989. description: |-
  18990. A key in the referenced Secret.
  18991. Some instances of this field may be defaulted, in others it may be required.
  18992. maxLength: 253
  18993. minLength: 1
  18994. pattern: ^[-._a-zA-Z0-9]+$
  18995. type: string
  18996. name:
  18997. description: The name of the Secret resource being referred to.
  18998. maxLength: 253
  18999. minLength: 1
  19000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19001. type: string
  19002. namespace:
  19003. description: |-
  19004. The namespace of the Secret resource being referred to.
  19005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19006. maxLength: 63
  19007. minLength: 1
  19008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19009. type: string
  19010. type: object
  19011. required:
  19012. - passwordSecretRef
  19013. - privateKeySecretRef
  19014. type: object
  19015. caBundle:
  19016. description: |-
  19017. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  19018. if the Host URL is using HTTPS protocol. If not set the system root certificates
  19019. are used to validate the TLS connection.
  19020. format: byte
  19021. type: string
  19022. caProvider:
  19023. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19024. properties:
  19025. key:
  19026. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19027. maxLength: 253
  19028. minLength: 1
  19029. pattern: ^[-._a-zA-Z0-9]+$
  19030. type: string
  19031. name:
  19032. description: The name of the object located at the provider type.
  19033. maxLength: 253
  19034. minLength: 1
  19035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19036. type: string
  19037. namespace:
  19038. description: |-
  19039. The namespace the Provider type is in.
  19040. Can only be defined when used in a ClusterSecretStore.
  19041. maxLength: 63
  19042. minLength: 1
  19043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19044. type: string
  19045. type:
  19046. description: The type of provider to use such as "Secret", or "ConfigMap".
  19047. enum:
  19048. - Secret
  19049. - ConfigMap
  19050. type: string
  19051. required:
  19052. - name
  19053. - type
  19054. type: object
  19055. host:
  19056. description: Host defines the Passbolt Server to connect to
  19057. type: string
  19058. required:
  19059. - auth
  19060. - host
  19061. type: object
  19062. passworddepot:
  19063. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19064. properties:
  19065. auth:
  19066. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19067. properties:
  19068. secretRef:
  19069. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19070. properties:
  19071. credentials:
  19072. description: Username / Password is used for authentication.
  19073. properties:
  19074. key:
  19075. description: |-
  19076. A key in the referenced Secret.
  19077. Some instances of this field may be defaulted, in others it may be required.
  19078. maxLength: 253
  19079. minLength: 1
  19080. pattern: ^[-._a-zA-Z0-9]+$
  19081. type: string
  19082. name:
  19083. description: The name of the Secret resource being referred to.
  19084. maxLength: 253
  19085. minLength: 1
  19086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19087. type: string
  19088. namespace:
  19089. description: |-
  19090. The namespace of the Secret resource being referred to.
  19091. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19092. maxLength: 63
  19093. minLength: 1
  19094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19095. type: string
  19096. type: object
  19097. type: object
  19098. required:
  19099. - secretRef
  19100. type: object
  19101. database:
  19102. description: Database to use as source
  19103. type: string
  19104. host:
  19105. description: URL configures the Password Depot instance URL.
  19106. type: string
  19107. required:
  19108. - auth
  19109. - database
  19110. - host
  19111. type: object
  19112. previder:
  19113. description: Previder configures this store to sync secrets using the Previder provider
  19114. properties:
  19115. auth:
  19116. description: PreviderAuth contains a secretRef for credentials.
  19117. properties:
  19118. secretRef:
  19119. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19120. properties:
  19121. accessToken:
  19122. description: The AccessToken is used for authentication
  19123. properties:
  19124. key:
  19125. description: |-
  19126. A key in the referenced Secret.
  19127. Some instances of this field may be defaulted, in others it may be required.
  19128. maxLength: 253
  19129. minLength: 1
  19130. pattern: ^[-._a-zA-Z0-9]+$
  19131. type: string
  19132. name:
  19133. description: The name of the Secret resource being referred to.
  19134. maxLength: 253
  19135. minLength: 1
  19136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19137. type: string
  19138. namespace:
  19139. description: |-
  19140. The namespace of the Secret resource being referred to.
  19141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19142. maxLength: 63
  19143. minLength: 1
  19144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19145. type: string
  19146. type: object
  19147. required:
  19148. - accessToken
  19149. type: object
  19150. type: object
  19151. baseUri:
  19152. type: string
  19153. required:
  19154. - auth
  19155. type: object
  19156. pulumi:
  19157. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19158. properties:
  19159. accessToken:
  19160. description: |-
  19161. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  19162. Deprecated: Use auth.accessToken instead.
  19163. properties:
  19164. secretRef:
  19165. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19166. properties:
  19167. key:
  19168. description: |-
  19169. A key in the referenced Secret.
  19170. Some instances of this field may be defaulted, in others it may be required.
  19171. maxLength: 253
  19172. minLength: 1
  19173. pattern: ^[-._a-zA-Z0-9]+$
  19174. type: string
  19175. name:
  19176. description: The name of the Secret resource being referred to.
  19177. maxLength: 253
  19178. minLength: 1
  19179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19180. type: string
  19181. namespace:
  19182. description: |-
  19183. The namespace of the Secret resource being referred to.
  19184. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19185. maxLength: 63
  19186. minLength: 1
  19187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19188. type: string
  19189. type: object
  19190. type: object
  19191. apiUrl:
  19192. default: https://api.pulumi.com/api/esc
  19193. description: APIURL is the URL of the Pulumi API.
  19194. type: string
  19195. auth:
  19196. description: |-
  19197. Auth configures how the Operator authenticates with the Pulumi API.
  19198. Either auth or the deprecated accessToken field must be specified.
  19199. properties:
  19200. accessToken:
  19201. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19202. properties:
  19203. secretRef:
  19204. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19205. properties:
  19206. key:
  19207. description: |-
  19208. A key in the referenced Secret.
  19209. Some instances of this field may be defaulted, in others it may be required.
  19210. maxLength: 253
  19211. minLength: 1
  19212. pattern: ^[-._a-zA-Z0-9]+$
  19213. type: string
  19214. name:
  19215. description: The name of the Secret resource being referred to.
  19216. maxLength: 253
  19217. minLength: 1
  19218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19219. type: string
  19220. namespace:
  19221. description: |-
  19222. The namespace of the Secret resource being referred to.
  19223. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19224. maxLength: 63
  19225. minLength: 1
  19226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19227. type: string
  19228. type: object
  19229. type: object
  19230. oidcConfig:
  19231. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19232. properties:
  19233. expirationSeconds:
  19234. default: 600
  19235. description: |-
  19236. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19237. Defaults to 10 minutes.
  19238. format: int64
  19239. minimum: 600
  19240. type: integer
  19241. organization:
  19242. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19243. type: string
  19244. serviceAccountRef:
  19245. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19246. properties:
  19247. audiences:
  19248. description: |-
  19249. Audience specifies the `aud` claim for the service account token
  19250. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19251. then this audiences will be appended to the list
  19252. items:
  19253. type: string
  19254. type: array
  19255. name:
  19256. description: The name of the ServiceAccount resource being referred to.
  19257. maxLength: 253
  19258. minLength: 1
  19259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19260. type: string
  19261. namespace:
  19262. description: |-
  19263. Namespace of the resource being referred to.
  19264. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19265. maxLength: 63
  19266. minLength: 1
  19267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19268. type: string
  19269. required:
  19270. - name
  19271. type: object
  19272. required:
  19273. - organization
  19274. - serviceAccountRef
  19275. type: object
  19276. type: object
  19277. x-kubernetes-validations:
  19278. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19279. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19280. environment:
  19281. description: |-
  19282. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  19283. dynamically retrieved values from supported providers including all major clouds,
  19284. and other Pulumi ESC environments.
  19285. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19286. type: string
  19287. organization:
  19288. description: |-
  19289. Organization are a space to collaborate on shared projects and stacks.
  19290. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19291. type: string
  19292. project:
  19293. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19294. type: string
  19295. required:
  19296. - environment
  19297. - organization
  19298. - project
  19299. type: object
  19300. x-kubernetes-validations:
  19301. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19302. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19303. scaleway:
  19304. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19305. properties:
  19306. accessKey:
  19307. description: AccessKey is the non-secret part of the api key.
  19308. properties:
  19309. secretRef:
  19310. description: SecretRef references a key in a secret that will be used as value.
  19311. properties:
  19312. key:
  19313. description: |-
  19314. A key in the referenced Secret.
  19315. Some instances of this field may be defaulted, in others it may be required.
  19316. maxLength: 253
  19317. minLength: 1
  19318. pattern: ^[-._a-zA-Z0-9]+$
  19319. type: string
  19320. name:
  19321. description: The name of the Secret resource being referred to.
  19322. maxLength: 253
  19323. minLength: 1
  19324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19325. type: string
  19326. namespace:
  19327. description: |-
  19328. The namespace of the Secret resource being referred to.
  19329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19330. maxLength: 63
  19331. minLength: 1
  19332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19333. type: string
  19334. type: object
  19335. value:
  19336. description: Value can be specified directly to set a value without using a secret.
  19337. type: string
  19338. type: object
  19339. apiUrl:
  19340. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19341. type: string
  19342. projectId:
  19343. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19344. type: string
  19345. region:
  19346. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19347. type: string
  19348. secretKey:
  19349. description: SecretKey is the non-secret part of the api key.
  19350. properties:
  19351. secretRef:
  19352. description: SecretRef references a key in a secret that will be used as value.
  19353. properties:
  19354. key:
  19355. description: |-
  19356. A key in the referenced Secret.
  19357. Some instances of this field may be defaulted, in others it may be required.
  19358. maxLength: 253
  19359. minLength: 1
  19360. pattern: ^[-._a-zA-Z0-9]+$
  19361. type: string
  19362. name:
  19363. description: The name of the Secret resource being referred to.
  19364. maxLength: 253
  19365. minLength: 1
  19366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19367. type: string
  19368. namespace:
  19369. description: |-
  19370. The namespace of the Secret resource being referred to.
  19371. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19372. maxLength: 63
  19373. minLength: 1
  19374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19375. type: string
  19376. type: object
  19377. value:
  19378. description: Value can be specified directly to set a value without using a secret.
  19379. type: string
  19380. type: object
  19381. required:
  19382. - accessKey
  19383. - projectId
  19384. - region
  19385. - secretKey
  19386. type: object
  19387. secretserver:
  19388. description: |-
  19389. SecretServer configures this store to sync secrets using SecretServer provider
  19390. https://docs.delinea.com/online-help/secret-server/start.htm
  19391. properties:
  19392. caBundle:
  19393. description: |-
  19394. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  19395. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  19396. are used to validate the TLS connection.
  19397. format: byte
  19398. type: string
  19399. caProvider:
  19400. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19401. properties:
  19402. key:
  19403. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19404. maxLength: 253
  19405. minLength: 1
  19406. pattern: ^[-._a-zA-Z0-9]+$
  19407. type: string
  19408. name:
  19409. description: The name of the object located at the provider type.
  19410. maxLength: 253
  19411. minLength: 1
  19412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19413. type: string
  19414. namespace:
  19415. description: |-
  19416. The namespace the Provider type is in.
  19417. Can only be defined when used in a ClusterSecretStore.
  19418. maxLength: 63
  19419. minLength: 1
  19420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19421. type: string
  19422. type:
  19423. description: The type of provider to use such as "Secret", or "ConfigMap".
  19424. enum:
  19425. - Secret
  19426. - ConfigMap
  19427. type: string
  19428. required:
  19429. - name
  19430. - type
  19431. type: object
  19432. domain:
  19433. description: Domain is the secret server domain.
  19434. type: string
  19435. password:
  19436. description: Password is the secret server account password.
  19437. properties:
  19438. secretRef:
  19439. description: SecretRef references a key in a secret that will be used as value.
  19440. properties:
  19441. key:
  19442. description: |-
  19443. A key in the referenced Secret.
  19444. Some instances of this field may be defaulted, in others it may be required.
  19445. maxLength: 253
  19446. minLength: 1
  19447. pattern: ^[-._a-zA-Z0-9]+$
  19448. type: string
  19449. name:
  19450. description: The name of the Secret resource being referred to.
  19451. maxLength: 253
  19452. minLength: 1
  19453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19454. type: string
  19455. namespace:
  19456. description: |-
  19457. The namespace of the Secret resource being referred to.
  19458. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19459. maxLength: 63
  19460. minLength: 1
  19461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19462. type: string
  19463. type: object
  19464. value:
  19465. description: Value can be specified directly to set a value without using a secret.
  19466. type: string
  19467. type: object
  19468. serverURL:
  19469. description: |-
  19470. ServerURL
  19471. URL to your secret server installation
  19472. type: string
  19473. username:
  19474. description: Username is the secret server account username.
  19475. properties:
  19476. secretRef:
  19477. description: SecretRef references a key in a secret that will be used as value.
  19478. properties:
  19479. key:
  19480. description: |-
  19481. A key in the referenced Secret.
  19482. Some instances of this field may be defaulted, in others it may be required.
  19483. maxLength: 253
  19484. minLength: 1
  19485. pattern: ^[-._a-zA-Z0-9]+$
  19486. type: string
  19487. name:
  19488. description: The name of the Secret resource being referred to.
  19489. maxLength: 253
  19490. minLength: 1
  19491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19492. type: string
  19493. namespace:
  19494. description: |-
  19495. The namespace of the Secret resource being referred to.
  19496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19497. maxLength: 63
  19498. minLength: 1
  19499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19500. type: string
  19501. type: object
  19502. value:
  19503. description: Value can be specified directly to set a value without using a secret.
  19504. type: string
  19505. type: object
  19506. required:
  19507. - password
  19508. - serverURL
  19509. - username
  19510. type: object
  19511. senhasegura:
  19512. description: Senhasegura configures this store to sync secrets using senhasegura provider
  19513. properties:
  19514. auth:
  19515. description: Auth defines parameters to authenticate in senhasegura
  19516. properties:
  19517. clientId:
  19518. type: string
  19519. clientSecretSecretRef:
  19520. description: |-
  19521. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19522. In some instances, `key` is a required field.
  19523. properties:
  19524. key:
  19525. description: |-
  19526. A key in the referenced Secret.
  19527. Some instances of this field may be defaulted, in others it may be required.
  19528. maxLength: 253
  19529. minLength: 1
  19530. pattern: ^[-._a-zA-Z0-9]+$
  19531. type: string
  19532. name:
  19533. description: The name of the Secret resource being referred to.
  19534. maxLength: 253
  19535. minLength: 1
  19536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19537. type: string
  19538. namespace:
  19539. description: |-
  19540. The namespace of the Secret resource being referred to.
  19541. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19542. maxLength: 63
  19543. minLength: 1
  19544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19545. type: string
  19546. type: object
  19547. required:
  19548. - clientId
  19549. - clientSecretSecretRef
  19550. type: object
  19551. ignoreSslCertificate:
  19552. default: false
  19553. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  19554. type: boolean
  19555. module:
  19556. description: Module defines which senhasegura module should be used to get secrets
  19557. type: string
  19558. url:
  19559. description: URL of senhasegura
  19560. type: string
  19561. required:
  19562. - auth
  19563. - module
  19564. - url
  19565. type: object
  19566. vault:
  19567. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  19568. properties:
  19569. auth:
  19570. description: Auth configures how secret-manager authenticates with the Vault server.
  19571. properties:
  19572. appRole:
  19573. description: |-
  19574. AppRole authenticates with Vault using the App Role auth mechanism,
  19575. with the role and secret stored in a Kubernetes Secret resource.
  19576. properties:
  19577. path:
  19578. default: approle
  19579. description: |-
  19580. Path where the App Role authentication backend is mounted
  19581. in Vault, e.g: "approle"
  19582. type: string
  19583. roleId:
  19584. description: |-
  19585. RoleID configured in the App Role authentication backend when setting
  19586. up the authentication backend in Vault.
  19587. type: string
  19588. roleRef:
  19589. description: |-
  19590. Reference to a key in a Secret that contains the App Role ID used
  19591. to authenticate with Vault.
  19592. The `key` field must be specified and denotes which entry within the Secret
  19593. resource is used as the app role id.
  19594. properties:
  19595. key:
  19596. description: |-
  19597. A key in the referenced Secret.
  19598. Some instances of this field may be defaulted, in others it may be required.
  19599. maxLength: 253
  19600. minLength: 1
  19601. pattern: ^[-._a-zA-Z0-9]+$
  19602. type: string
  19603. name:
  19604. description: The name of the Secret resource being referred to.
  19605. maxLength: 253
  19606. minLength: 1
  19607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19608. type: string
  19609. namespace:
  19610. description: |-
  19611. The namespace of the Secret resource being referred to.
  19612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19613. maxLength: 63
  19614. minLength: 1
  19615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19616. type: string
  19617. type: object
  19618. secretRef:
  19619. description: |-
  19620. Reference to a key in a Secret that contains the App Role secret used
  19621. to authenticate with Vault.
  19622. The `key` field must be specified and denotes which entry within the Secret
  19623. resource is used as the app role secret.
  19624. properties:
  19625. key:
  19626. description: |-
  19627. A key in the referenced Secret.
  19628. Some instances of this field may be defaulted, in others it may be required.
  19629. maxLength: 253
  19630. minLength: 1
  19631. pattern: ^[-._a-zA-Z0-9]+$
  19632. type: string
  19633. name:
  19634. description: The name of the Secret resource being referred to.
  19635. maxLength: 253
  19636. minLength: 1
  19637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19638. type: string
  19639. namespace:
  19640. description: |-
  19641. The namespace of the Secret resource being referred to.
  19642. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19643. maxLength: 63
  19644. minLength: 1
  19645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19646. type: string
  19647. type: object
  19648. required:
  19649. - path
  19650. - secretRef
  19651. type: object
  19652. cert:
  19653. description: |-
  19654. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  19655. Cert authentication method
  19656. properties:
  19657. clientCert:
  19658. description: |-
  19659. ClientCert is a certificate to authenticate using the Cert Vault
  19660. authentication method
  19661. properties:
  19662. key:
  19663. description: |-
  19664. A key in the referenced Secret.
  19665. Some instances of this field may be defaulted, in others it may be required.
  19666. maxLength: 253
  19667. minLength: 1
  19668. pattern: ^[-._a-zA-Z0-9]+$
  19669. type: string
  19670. name:
  19671. description: The name of the Secret resource being referred to.
  19672. maxLength: 253
  19673. minLength: 1
  19674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19675. type: string
  19676. namespace:
  19677. description: |-
  19678. The namespace of the Secret resource being referred to.
  19679. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19680. maxLength: 63
  19681. minLength: 1
  19682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19683. type: string
  19684. type: object
  19685. path:
  19686. default: cert
  19687. description: |-
  19688. Path where the Certificate authentication backend is mounted
  19689. in Vault, e.g: "cert"
  19690. type: string
  19691. secretRef:
  19692. description: |-
  19693. SecretRef to a key in a Secret resource containing client private key to
  19694. authenticate with Vault using the Cert authentication method
  19695. properties:
  19696. key:
  19697. description: |-
  19698. A key in the referenced Secret.
  19699. Some instances of this field may be defaulted, in others it may be required.
  19700. maxLength: 253
  19701. minLength: 1
  19702. pattern: ^[-._a-zA-Z0-9]+$
  19703. type: string
  19704. name:
  19705. description: The name of the Secret resource being referred to.
  19706. maxLength: 253
  19707. minLength: 1
  19708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19709. type: string
  19710. namespace:
  19711. description: |-
  19712. The namespace of the Secret resource being referred to.
  19713. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19714. maxLength: 63
  19715. minLength: 1
  19716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19717. type: string
  19718. type: object
  19719. vaultRole:
  19720. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  19721. type: string
  19722. type: object
  19723. gcp:
  19724. description: |-
  19725. Gcp authenticates with Vault using Google Cloud Platform authentication method
  19726. GCP authentication method
  19727. properties:
  19728. location:
  19729. description: Location optionally defines a location/region for the secret
  19730. type: string
  19731. path:
  19732. default: gcp
  19733. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  19734. type: string
  19735. projectID:
  19736. description: Project ID of the Google Cloud Platform project
  19737. type: string
  19738. role:
  19739. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  19740. type: string
  19741. secretRef:
  19742. description: Specify credentials in a Secret object
  19743. properties:
  19744. secretAccessKeySecretRef:
  19745. description: The SecretAccessKey is used for authentication
  19746. properties:
  19747. key:
  19748. description: |-
  19749. A key in the referenced Secret.
  19750. Some instances of this field may be defaulted, in others it may be required.
  19751. maxLength: 253
  19752. minLength: 1
  19753. pattern: ^[-._a-zA-Z0-9]+$
  19754. type: string
  19755. name:
  19756. description: The name of the Secret resource being referred to.
  19757. maxLength: 253
  19758. minLength: 1
  19759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19760. type: string
  19761. namespace:
  19762. description: |-
  19763. The namespace of the Secret resource being referred to.
  19764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19765. maxLength: 63
  19766. minLength: 1
  19767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19768. type: string
  19769. type: object
  19770. type: object
  19771. serviceAccountRef:
  19772. description: ServiceAccountRef to a service account for impersonation
  19773. properties:
  19774. audiences:
  19775. description: |-
  19776. Audience specifies the `aud` claim for the service account token
  19777. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19778. then this audiences will be appended to the list
  19779. items:
  19780. type: string
  19781. type: array
  19782. name:
  19783. description: The name of the ServiceAccount resource being referred to.
  19784. maxLength: 253
  19785. minLength: 1
  19786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19787. type: string
  19788. namespace:
  19789. description: |-
  19790. Namespace of the resource being referred to.
  19791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19792. maxLength: 63
  19793. minLength: 1
  19794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19795. type: string
  19796. required:
  19797. - name
  19798. type: object
  19799. workloadIdentity:
  19800. description: Specify a service account with Workload Identity
  19801. properties:
  19802. clusterLocation:
  19803. description: |-
  19804. ClusterLocation is the location of the cluster
  19805. If not specified, it fetches information from the metadata server
  19806. type: string
  19807. clusterName:
  19808. description: |-
  19809. ClusterName is the name of the cluster
  19810. If not specified, it fetches information from the metadata server
  19811. type: string
  19812. clusterProjectID:
  19813. description: |-
  19814. ClusterProjectID is the project ID of the cluster
  19815. If not specified, it fetches information from the metadata server
  19816. type: string
  19817. serviceAccountRef:
  19818. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19819. properties:
  19820. audiences:
  19821. description: |-
  19822. Audience specifies the `aud` claim for the service account token
  19823. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19824. then this audiences will be appended to the list
  19825. items:
  19826. type: string
  19827. type: array
  19828. name:
  19829. description: The name of the ServiceAccount resource being referred to.
  19830. maxLength: 253
  19831. minLength: 1
  19832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19833. type: string
  19834. namespace:
  19835. description: |-
  19836. Namespace of the resource being referred to.
  19837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19838. maxLength: 63
  19839. minLength: 1
  19840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19841. type: string
  19842. required:
  19843. - name
  19844. type: object
  19845. required:
  19846. - serviceAccountRef
  19847. type: object
  19848. required:
  19849. - role
  19850. type: object
  19851. iam:
  19852. description: |-
  19853. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  19854. AWS IAM authentication method
  19855. properties:
  19856. externalID:
  19857. description: AWS External ID set on assumed IAM roles
  19858. type: string
  19859. jwt:
  19860. description: Specify a service account with IRSA enabled
  19861. properties:
  19862. serviceAccountRef:
  19863. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19864. properties:
  19865. audiences:
  19866. description: |-
  19867. Audience specifies the `aud` claim for the service account token
  19868. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19869. then this audiences will be appended to the list
  19870. items:
  19871. type: string
  19872. type: array
  19873. name:
  19874. description: The name of the ServiceAccount resource being referred to.
  19875. maxLength: 253
  19876. minLength: 1
  19877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19878. type: string
  19879. namespace:
  19880. description: |-
  19881. Namespace of the resource being referred to.
  19882. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19883. maxLength: 63
  19884. minLength: 1
  19885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19886. type: string
  19887. required:
  19888. - name
  19889. type: object
  19890. type: object
  19891. path:
  19892. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  19893. type: string
  19894. region:
  19895. description: AWS region
  19896. type: string
  19897. role:
  19898. description: This is the AWS role to be assumed before talking to vault
  19899. type: string
  19900. secretRef:
  19901. description: Specify credentials in a Secret object
  19902. properties:
  19903. accessKeyIDSecretRef:
  19904. description: The AccessKeyID is used for authentication
  19905. properties:
  19906. key:
  19907. description: |-
  19908. A key in the referenced Secret.
  19909. Some instances of this field may be defaulted, in others it may be required.
  19910. maxLength: 253
  19911. minLength: 1
  19912. pattern: ^[-._a-zA-Z0-9]+$
  19913. type: string
  19914. name:
  19915. description: The name of the Secret resource being referred to.
  19916. maxLength: 253
  19917. minLength: 1
  19918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19919. type: string
  19920. namespace:
  19921. description: |-
  19922. The namespace of the Secret resource being referred to.
  19923. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19924. maxLength: 63
  19925. minLength: 1
  19926. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19927. type: string
  19928. type: object
  19929. secretAccessKeySecretRef:
  19930. description: The SecretAccessKey is used for authentication
  19931. properties:
  19932. key:
  19933. description: |-
  19934. A key in the referenced Secret.
  19935. Some instances of this field may be defaulted, in others it may be required.
  19936. maxLength: 253
  19937. minLength: 1
  19938. pattern: ^[-._a-zA-Z0-9]+$
  19939. type: string
  19940. name:
  19941. description: The name of the Secret resource being referred to.
  19942. maxLength: 253
  19943. minLength: 1
  19944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19945. type: string
  19946. namespace:
  19947. description: |-
  19948. The namespace of the Secret resource being referred to.
  19949. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19950. maxLength: 63
  19951. minLength: 1
  19952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19953. type: string
  19954. type: object
  19955. sessionTokenSecretRef:
  19956. description: |-
  19957. The SessionToken used for authentication
  19958. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  19959. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  19960. properties:
  19961. key:
  19962. description: |-
  19963. A key in the referenced Secret.
  19964. Some instances of this field may be defaulted, in others it may be required.
  19965. maxLength: 253
  19966. minLength: 1
  19967. pattern: ^[-._a-zA-Z0-9]+$
  19968. type: string
  19969. name:
  19970. description: The name of the Secret resource being referred to.
  19971. maxLength: 253
  19972. minLength: 1
  19973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19974. type: string
  19975. namespace:
  19976. description: |-
  19977. The namespace of the Secret resource being referred to.
  19978. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19979. maxLength: 63
  19980. minLength: 1
  19981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19982. type: string
  19983. type: object
  19984. type: object
  19985. vaultAwsIamServerID:
  19986. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  19987. type: string
  19988. vaultRole:
  19989. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  19990. type: string
  19991. required:
  19992. - vaultRole
  19993. type: object
  19994. jwt:
  19995. description: |-
  19996. Jwt authenticates with Vault by passing role and JWT token using the
  19997. JWT/OIDC authentication method
  19998. properties:
  19999. kubernetesServiceAccountToken:
  20000. description: |-
  20001. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20002. a token for with the `TokenRequest` API.
  20003. properties:
  20004. audiences:
  20005. description: |-
  20006. Optional audiences field that will be used to request a temporary Kubernetes service
  20007. account token for the service account referenced by `serviceAccountRef`.
  20008. Defaults to a single audience `vault` it not specified.
  20009. Deprecated: use serviceAccountRef.Audiences instead
  20010. items:
  20011. type: string
  20012. type: array
  20013. expirationSeconds:
  20014. description: |-
  20015. Optional expiration time in seconds that will be used to request a temporary
  20016. Kubernetes service account token for the service account referenced by
  20017. `serviceAccountRef`.
  20018. Deprecated: this will be removed in the future.
  20019. Defaults to 10 minutes.
  20020. format: int64
  20021. type: integer
  20022. serviceAccountRef:
  20023. description: Service account field containing the name of a kubernetes ServiceAccount.
  20024. properties:
  20025. audiences:
  20026. description: |-
  20027. Audience specifies the `aud` claim for the service account token
  20028. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20029. then this audiences will be appended to the list
  20030. items:
  20031. type: string
  20032. type: array
  20033. name:
  20034. description: The name of the ServiceAccount resource being referred to.
  20035. maxLength: 253
  20036. minLength: 1
  20037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20038. type: string
  20039. namespace:
  20040. description: |-
  20041. Namespace of the resource being referred to.
  20042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20043. maxLength: 63
  20044. minLength: 1
  20045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20046. type: string
  20047. required:
  20048. - name
  20049. type: object
  20050. required:
  20051. - serviceAccountRef
  20052. type: object
  20053. path:
  20054. default: jwt
  20055. description: |-
  20056. Path where the JWT authentication backend is mounted
  20057. in Vault, e.g: "jwt"
  20058. type: string
  20059. role:
  20060. description: |-
  20061. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20062. authentication method
  20063. type: string
  20064. secretRef:
  20065. description: |-
  20066. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20067. authenticate with Vault using the JWT/OIDC authentication method.
  20068. properties:
  20069. key:
  20070. description: |-
  20071. A key in the referenced Secret.
  20072. Some instances of this field may be defaulted, in others it may be required.
  20073. maxLength: 253
  20074. minLength: 1
  20075. pattern: ^[-._a-zA-Z0-9]+$
  20076. type: string
  20077. name:
  20078. description: The name of the Secret resource being referred to.
  20079. maxLength: 253
  20080. minLength: 1
  20081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20082. type: string
  20083. namespace:
  20084. description: |-
  20085. The namespace of the Secret resource being referred to.
  20086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20087. maxLength: 63
  20088. minLength: 1
  20089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20090. type: string
  20091. type: object
  20092. required:
  20093. - path
  20094. type: object
  20095. kubernetes:
  20096. description: |-
  20097. Kubernetes authenticates with Vault by passing the ServiceAccount
  20098. token stored in the named Secret resource to the Vault server.
  20099. properties:
  20100. mountPath:
  20101. default: kubernetes
  20102. description: |-
  20103. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20104. "kubernetes"
  20105. type: string
  20106. role:
  20107. description: |-
  20108. A required field containing the Vault Role to assume. A Role binds a
  20109. Kubernetes ServiceAccount with a set of Vault policies.
  20110. type: string
  20111. secretRef:
  20112. description: |-
  20113. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20114. for authenticating with Vault. If a name is specified without a key,
  20115. `token` is the default. If one is not specified, the one bound to
  20116. the controller will be used.
  20117. properties:
  20118. key:
  20119. description: |-
  20120. A key in the referenced Secret.
  20121. Some instances of this field may be defaulted, in others it may be required.
  20122. maxLength: 253
  20123. minLength: 1
  20124. pattern: ^[-._a-zA-Z0-9]+$
  20125. type: string
  20126. name:
  20127. description: The name of the Secret resource being referred to.
  20128. maxLength: 253
  20129. minLength: 1
  20130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20131. type: string
  20132. namespace:
  20133. description: |-
  20134. The namespace of the Secret resource being referred to.
  20135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20136. maxLength: 63
  20137. minLength: 1
  20138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20139. type: string
  20140. type: object
  20141. serviceAccountRef:
  20142. description: |-
  20143. Optional service account field containing the name of a kubernetes ServiceAccount.
  20144. If the service account is specified, the service account secret token JWT will be used
  20145. for authenticating with Vault. If the service account selector is not supplied,
  20146. the secretRef will be used instead.
  20147. properties:
  20148. audiences:
  20149. description: |-
  20150. Audience specifies the `aud` claim for the service account token
  20151. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20152. then this audiences will be appended to the list
  20153. items:
  20154. type: string
  20155. type: array
  20156. name:
  20157. description: The name of the ServiceAccount resource being referred to.
  20158. maxLength: 253
  20159. minLength: 1
  20160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20161. type: string
  20162. namespace:
  20163. description: |-
  20164. Namespace of the resource being referred to.
  20165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20166. maxLength: 63
  20167. minLength: 1
  20168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20169. type: string
  20170. required:
  20171. - name
  20172. type: object
  20173. required:
  20174. - mountPath
  20175. - role
  20176. type: object
  20177. ldap:
  20178. description: |-
  20179. Ldap authenticates with Vault by passing username/password pair using
  20180. the LDAP authentication method
  20181. properties:
  20182. path:
  20183. default: ldap
  20184. description: |-
  20185. Path where the LDAP authentication backend is mounted
  20186. in Vault, e.g: "ldap"
  20187. type: string
  20188. secretRef:
  20189. description: |-
  20190. SecretRef to a key in a Secret resource containing password for the LDAP
  20191. user used to authenticate with Vault using the LDAP authentication
  20192. method
  20193. properties:
  20194. key:
  20195. description: |-
  20196. A key in the referenced Secret.
  20197. Some instances of this field may be defaulted, in others it may be required.
  20198. maxLength: 253
  20199. minLength: 1
  20200. pattern: ^[-._a-zA-Z0-9]+$
  20201. type: string
  20202. name:
  20203. description: The name of the Secret resource being referred to.
  20204. maxLength: 253
  20205. minLength: 1
  20206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20207. type: string
  20208. namespace:
  20209. description: |-
  20210. The namespace of the Secret resource being referred to.
  20211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20212. maxLength: 63
  20213. minLength: 1
  20214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20215. type: string
  20216. type: object
  20217. username:
  20218. description: |-
  20219. Username is an LDAP username used to authenticate using the LDAP Vault
  20220. authentication method
  20221. type: string
  20222. required:
  20223. - path
  20224. - username
  20225. type: object
  20226. namespace:
  20227. description: |-
  20228. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  20229. Namespaces is a set of features within Vault Enterprise that allows
  20230. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20231. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20232. This will default to Vault.Namespace field if set, or empty otherwise
  20233. type: string
  20234. tokenSecretRef:
  20235. description: TokenSecretRef authenticates with Vault by presenting a token.
  20236. properties:
  20237. key:
  20238. description: |-
  20239. A key in the referenced Secret.
  20240. Some instances of this field may be defaulted, in others it may be required.
  20241. maxLength: 253
  20242. minLength: 1
  20243. pattern: ^[-._a-zA-Z0-9]+$
  20244. type: string
  20245. name:
  20246. description: The name of the Secret resource being referred to.
  20247. maxLength: 253
  20248. minLength: 1
  20249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20250. type: string
  20251. namespace:
  20252. description: |-
  20253. The namespace of the Secret resource being referred to.
  20254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20255. maxLength: 63
  20256. minLength: 1
  20257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20258. type: string
  20259. type: object
  20260. userPass:
  20261. description: UserPass authenticates with Vault by passing username/password pair
  20262. properties:
  20263. path:
  20264. default: userpass
  20265. description: |-
  20266. Path where the UserPassword authentication backend is mounted
  20267. in Vault, e.g: "userpass"
  20268. type: string
  20269. secretRef:
  20270. description: |-
  20271. SecretRef to a key in a Secret resource containing password for the
  20272. user used to authenticate with Vault using the UserPass authentication
  20273. method
  20274. properties:
  20275. key:
  20276. description: |-
  20277. A key in the referenced Secret.
  20278. Some instances of this field may be defaulted, in others it may be required.
  20279. maxLength: 253
  20280. minLength: 1
  20281. pattern: ^[-._a-zA-Z0-9]+$
  20282. type: string
  20283. name:
  20284. description: The name of the Secret resource being referred to.
  20285. maxLength: 253
  20286. minLength: 1
  20287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20288. type: string
  20289. namespace:
  20290. description: |-
  20291. The namespace of the Secret resource being referred to.
  20292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20293. maxLength: 63
  20294. minLength: 1
  20295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20296. type: string
  20297. type: object
  20298. username:
  20299. description: |-
  20300. Username is a username used to authenticate using the UserPass Vault
  20301. authentication method
  20302. type: string
  20303. required:
  20304. - path
  20305. - username
  20306. type: object
  20307. type: object
  20308. caBundle:
  20309. description: |-
  20310. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20311. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20312. plain HTTP protocol connection. If not set the system root certificates
  20313. are used to validate the TLS connection.
  20314. format: byte
  20315. type: string
  20316. caProvider:
  20317. description: The provider for the CA bundle to use to validate Vault server certificate.
  20318. properties:
  20319. key:
  20320. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20321. maxLength: 253
  20322. minLength: 1
  20323. pattern: ^[-._a-zA-Z0-9]+$
  20324. type: string
  20325. name:
  20326. description: The name of the object located at the provider type.
  20327. maxLength: 253
  20328. minLength: 1
  20329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20330. type: string
  20331. namespace:
  20332. description: |-
  20333. The namespace the Provider type is in.
  20334. Can only be defined when used in a ClusterSecretStore.
  20335. maxLength: 63
  20336. minLength: 1
  20337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20338. type: string
  20339. type:
  20340. description: The type of provider to use such as "Secret", or "ConfigMap".
  20341. enum:
  20342. - Secret
  20343. - ConfigMap
  20344. type: string
  20345. required:
  20346. - name
  20347. - type
  20348. type: object
  20349. checkAndSet:
  20350. description: |-
  20351. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20352. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20353. the current version of the secret to prevent unintentional overwrites.
  20354. properties:
  20355. required:
  20356. description: |-
  20357. Required when true, all write operations must include a check-and-set parameter.
  20358. This helps prevent unintentional overwrites of secrets.
  20359. type: boolean
  20360. type: object
  20361. forwardInconsistent:
  20362. description: |-
  20363. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20364. leader instead of simply retrying within a loop. This can increase performance if
  20365. the option is enabled serverside.
  20366. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20367. type: boolean
  20368. headers:
  20369. additionalProperties:
  20370. type: string
  20371. description: Headers to be added in Vault request
  20372. type: object
  20373. namespace:
  20374. description: |-
  20375. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20376. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20377. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20378. type: string
  20379. path:
  20380. description: |-
  20381. Path is the mount path of the Vault KV backend endpoint, e.g:
  20382. "secret". The v2 KV secret engine version specific "/data" path suffix
  20383. for fetching secrets from Vault is optional and will be appended
  20384. if not present in specified path.
  20385. type: string
  20386. readYourWrites:
  20387. description: |-
  20388. ReadYourWrites ensures isolated read-after-write semantics by
  20389. providing discovered cluster replication states in each request.
  20390. More information about eventual consistency in Vault can be found here
  20391. https://www.vaultproject.io/docs/enterprise/consistency
  20392. type: boolean
  20393. server:
  20394. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20395. type: string
  20396. tls:
  20397. description: |-
  20398. The configuration used for client side related TLS communication, when the Vault server
  20399. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20400. This parameter is ignored for plain HTTP protocol connection.
  20401. It's worth noting this configuration is different from the "TLS certificates auth method",
  20402. which is available under the `auth.cert` section.
  20403. properties:
  20404. certSecretRef:
  20405. description: |-
  20406. CertSecretRef is a certificate added to the transport layer
  20407. when communicating with the Vault server.
  20408. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20409. properties:
  20410. key:
  20411. description: |-
  20412. A key in the referenced Secret.
  20413. Some instances of this field may be defaulted, in others it may be required.
  20414. maxLength: 253
  20415. minLength: 1
  20416. pattern: ^[-._a-zA-Z0-9]+$
  20417. type: string
  20418. name:
  20419. description: The name of the Secret resource being referred to.
  20420. maxLength: 253
  20421. minLength: 1
  20422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20423. type: string
  20424. namespace:
  20425. description: |-
  20426. The namespace of the Secret resource being referred to.
  20427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20428. maxLength: 63
  20429. minLength: 1
  20430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20431. type: string
  20432. type: object
  20433. keySecretRef:
  20434. description: |-
  20435. KeySecretRef to a key in a Secret resource containing client private key
  20436. added to the transport layer when communicating with the Vault server.
  20437. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20438. properties:
  20439. key:
  20440. description: |-
  20441. A key in the referenced Secret.
  20442. Some instances of this field may be defaulted, in others it may be required.
  20443. maxLength: 253
  20444. minLength: 1
  20445. pattern: ^[-._a-zA-Z0-9]+$
  20446. type: string
  20447. name:
  20448. description: The name of the Secret resource being referred to.
  20449. maxLength: 253
  20450. minLength: 1
  20451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20452. type: string
  20453. namespace:
  20454. description: |-
  20455. The namespace of the Secret resource being referred to.
  20456. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20457. maxLength: 63
  20458. minLength: 1
  20459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20460. type: string
  20461. type: object
  20462. type: object
  20463. version:
  20464. default: v2
  20465. description: |-
  20466. Version is the Vault KV secret engine version. This can be either "v1" or
  20467. "v2". Version defaults to "v2".
  20468. enum:
  20469. - v1
  20470. - v2
  20471. type: string
  20472. required:
  20473. - server
  20474. type: object
  20475. volcengine:
  20476. description: Volcengine configures this store to sync secrets using the Volcengine provider
  20477. properties:
  20478. auth:
  20479. description: |-
  20480. Auth defines the authentication method to use.
  20481. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  20482. properties:
  20483. secretRef:
  20484. description: |-
  20485. SecretRef defines the static credentials to use for authentication.
  20486. If not set, IRSA is used.
  20487. properties:
  20488. accessKeyID:
  20489. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  20490. properties:
  20491. key:
  20492. description: |-
  20493. A key in the referenced Secret.
  20494. Some instances of this field may be defaulted, in others it may be required.
  20495. maxLength: 253
  20496. minLength: 1
  20497. pattern: ^[-._a-zA-Z0-9]+$
  20498. type: string
  20499. name:
  20500. description: The name of the Secret resource being referred to.
  20501. maxLength: 253
  20502. minLength: 1
  20503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20504. type: string
  20505. namespace:
  20506. description: |-
  20507. The namespace of the Secret resource being referred to.
  20508. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20509. maxLength: 63
  20510. minLength: 1
  20511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20512. type: string
  20513. type: object
  20514. secretAccessKey:
  20515. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  20516. properties:
  20517. key:
  20518. description: |-
  20519. A key in the referenced Secret.
  20520. Some instances of this field may be defaulted, in others it may be required.
  20521. maxLength: 253
  20522. minLength: 1
  20523. pattern: ^[-._a-zA-Z0-9]+$
  20524. type: string
  20525. name:
  20526. description: The name of the Secret resource being referred to.
  20527. maxLength: 253
  20528. minLength: 1
  20529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20530. type: string
  20531. namespace:
  20532. description: |-
  20533. The namespace of the Secret resource being referred to.
  20534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20535. maxLength: 63
  20536. minLength: 1
  20537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20538. type: string
  20539. type: object
  20540. token:
  20541. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  20542. properties:
  20543. key:
  20544. description: |-
  20545. A key in the referenced Secret.
  20546. Some instances of this field may be defaulted, in others it may be required.
  20547. maxLength: 253
  20548. minLength: 1
  20549. pattern: ^[-._a-zA-Z0-9]+$
  20550. type: string
  20551. name:
  20552. description: The name of the Secret resource being referred to.
  20553. maxLength: 253
  20554. minLength: 1
  20555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20556. type: string
  20557. namespace:
  20558. description: |-
  20559. The namespace of the Secret resource being referred to.
  20560. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20561. maxLength: 63
  20562. minLength: 1
  20563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20564. type: string
  20565. type: object
  20566. required:
  20567. - accessKeyID
  20568. - secretAccessKey
  20569. type: object
  20570. type: object
  20571. region:
  20572. description: Region specifies the Volcengine region to connect to.
  20573. type: string
  20574. required:
  20575. - region
  20576. type: object
  20577. webhook:
  20578. description: Webhook configures this store to sync secrets using a generic templated webhook
  20579. properties:
  20580. auth:
  20581. description: Auth specifies a authorization protocol. Only one protocol may be set.
  20582. maxProperties: 1
  20583. minProperties: 1
  20584. properties:
  20585. ntlm:
  20586. description: NTLMProtocol configures the store to use NTLM for auth
  20587. properties:
  20588. passwordSecret:
  20589. description: |-
  20590. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20591. In some instances, `key` is a required field.
  20592. properties:
  20593. key:
  20594. description: |-
  20595. A key in the referenced Secret.
  20596. Some instances of this field may be defaulted, in others it may be required.
  20597. maxLength: 253
  20598. minLength: 1
  20599. pattern: ^[-._a-zA-Z0-9]+$
  20600. type: string
  20601. name:
  20602. description: The name of the Secret resource being referred to.
  20603. maxLength: 253
  20604. minLength: 1
  20605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20606. type: string
  20607. namespace:
  20608. description: |-
  20609. The namespace of the Secret resource being referred to.
  20610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20611. maxLength: 63
  20612. minLength: 1
  20613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20614. type: string
  20615. type: object
  20616. usernameSecret:
  20617. description: |-
  20618. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20619. In some instances, `key` is a required field.
  20620. properties:
  20621. key:
  20622. description: |-
  20623. A key in the referenced Secret.
  20624. Some instances of this field may be defaulted, in others it may be required.
  20625. maxLength: 253
  20626. minLength: 1
  20627. pattern: ^[-._a-zA-Z0-9]+$
  20628. type: string
  20629. name:
  20630. description: The name of the Secret resource being referred to.
  20631. maxLength: 253
  20632. minLength: 1
  20633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20634. type: string
  20635. namespace:
  20636. description: |-
  20637. The namespace of the Secret resource being referred to.
  20638. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20639. maxLength: 63
  20640. minLength: 1
  20641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20642. type: string
  20643. type: object
  20644. required:
  20645. - passwordSecret
  20646. - usernameSecret
  20647. type: object
  20648. type: object
  20649. body:
  20650. description: Body
  20651. type: string
  20652. caBundle:
  20653. description: |-
  20654. PEM encoded CA bundle used to validate webhook server certificate. Only used
  20655. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20656. plain HTTP protocol connection. If not set the system root certificates
  20657. are used to validate the TLS connection.
  20658. format: byte
  20659. type: string
  20660. caProvider:
  20661. description: The provider for the CA bundle to use to validate webhook server certificate.
  20662. properties:
  20663. key:
  20664. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20665. maxLength: 253
  20666. minLength: 1
  20667. pattern: ^[-._a-zA-Z0-9]+$
  20668. type: string
  20669. name:
  20670. description: The name of the object located at the provider type.
  20671. maxLength: 253
  20672. minLength: 1
  20673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20674. type: string
  20675. namespace:
  20676. description: The namespace the Provider type is in.
  20677. maxLength: 63
  20678. minLength: 1
  20679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20680. type: string
  20681. type:
  20682. description: The type of provider to use such as "Secret", or "ConfigMap".
  20683. enum:
  20684. - Secret
  20685. - ConfigMap
  20686. type: string
  20687. required:
  20688. - name
  20689. - type
  20690. type: object
  20691. headers:
  20692. additionalProperties:
  20693. type: string
  20694. description: Headers
  20695. type: object
  20696. method:
  20697. description: Webhook Method
  20698. type: string
  20699. result:
  20700. description: Result formatting
  20701. properties:
  20702. jsonPath:
  20703. description: Json path of return value
  20704. type: string
  20705. type: object
  20706. secrets:
  20707. description: |-
  20708. Secrets to fill in templates
  20709. These secrets will be passed to the templating function as key value pairs under the given name
  20710. items:
  20711. description: WebhookSecret defines a secret that will be passed to the webhook request.
  20712. properties:
  20713. name:
  20714. description: Name of this secret in templates
  20715. type: string
  20716. secretRef:
  20717. description: Secret ref to fill in credentials
  20718. properties:
  20719. key:
  20720. description: |-
  20721. A key in the referenced Secret.
  20722. Some instances of this field may be defaulted, in others it may be required.
  20723. maxLength: 253
  20724. minLength: 1
  20725. pattern: ^[-._a-zA-Z0-9]+$
  20726. type: string
  20727. name:
  20728. description: The name of the Secret resource being referred to.
  20729. maxLength: 253
  20730. minLength: 1
  20731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20732. type: string
  20733. namespace:
  20734. description: |-
  20735. The namespace of the Secret resource being referred to.
  20736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20737. maxLength: 63
  20738. minLength: 1
  20739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20740. type: string
  20741. type: object
  20742. required:
  20743. - name
  20744. - secretRef
  20745. type: object
  20746. type: array
  20747. timeout:
  20748. description: Timeout
  20749. type: string
  20750. url:
  20751. description: Webhook url to call
  20752. type: string
  20753. required:
  20754. - url
  20755. type: object
  20756. yandexcertificatemanager:
  20757. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  20758. properties:
  20759. apiEndpoint:
  20760. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20761. type: string
  20762. auth:
  20763. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20764. properties:
  20765. authorizedKeySecretRef:
  20766. description: The authorized key used for authentication
  20767. properties:
  20768. key:
  20769. description: |-
  20770. A key in the referenced Secret.
  20771. Some instances of this field may be defaulted, in others it may be required.
  20772. maxLength: 253
  20773. minLength: 1
  20774. pattern: ^[-._a-zA-Z0-9]+$
  20775. type: string
  20776. name:
  20777. description: The name of the Secret resource being referred to.
  20778. maxLength: 253
  20779. minLength: 1
  20780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20781. type: string
  20782. namespace:
  20783. description: |-
  20784. The namespace of the Secret resource being referred to.
  20785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20786. maxLength: 63
  20787. minLength: 1
  20788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20789. type: string
  20790. type: object
  20791. type: object
  20792. caProvider:
  20793. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20794. properties:
  20795. certSecretRef:
  20796. description: |-
  20797. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20798. In some instances, `key` is a required field.
  20799. properties:
  20800. key:
  20801. description: |-
  20802. A key in the referenced Secret.
  20803. Some instances of this field may be defaulted, in others it may be required.
  20804. maxLength: 253
  20805. minLength: 1
  20806. pattern: ^[-._a-zA-Z0-9]+$
  20807. type: string
  20808. name:
  20809. description: The name of the Secret resource being referred to.
  20810. maxLength: 253
  20811. minLength: 1
  20812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20813. type: string
  20814. namespace:
  20815. description: |-
  20816. The namespace of the Secret resource being referred to.
  20817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20818. maxLength: 63
  20819. minLength: 1
  20820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20821. type: string
  20822. type: object
  20823. type: object
  20824. fetching:
  20825. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  20826. maxProperties: 1
  20827. minProperties: 1
  20828. properties:
  20829. byID:
  20830. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  20831. type: object
  20832. byName:
  20833. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  20834. properties:
  20835. folderID:
  20836. description: The folder to fetch secrets from
  20837. type: string
  20838. required:
  20839. - folderID
  20840. type: object
  20841. type: object
  20842. required:
  20843. - auth
  20844. type: object
  20845. yandexlockbox:
  20846. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  20847. properties:
  20848. apiEndpoint:
  20849. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20850. type: string
  20851. auth:
  20852. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20853. properties:
  20854. authorizedKeySecretRef:
  20855. description: The authorized key used for authentication
  20856. properties:
  20857. key:
  20858. description: |-
  20859. A key in the referenced Secret.
  20860. Some instances of this field may be defaulted, in others it may be required.
  20861. maxLength: 253
  20862. minLength: 1
  20863. pattern: ^[-._a-zA-Z0-9]+$
  20864. type: string
  20865. name:
  20866. description: The name of the Secret resource being referred to.
  20867. maxLength: 253
  20868. minLength: 1
  20869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20870. type: string
  20871. namespace:
  20872. description: |-
  20873. The namespace of the Secret resource being referred to.
  20874. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20875. maxLength: 63
  20876. minLength: 1
  20877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20878. type: string
  20879. type: object
  20880. type: object
  20881. caProvider:
  20882. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20883. properties:
  20884. certSecretRef:
  20885. description: |-
  20886. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20887. In some instances, `key` is a required field.
  20888. properties:
  20889. key:
  20890. description: |-
  20891. A key in the referenced Secret.
  20892. Some instances of this field may be defaulted, in others it may be required.
  20893. maxLength: 253
  20894. minLength: 1
  20895. pattern: ^[-._a-zA-Z0-9]+$
  20896. type: string
  20897. name:
  20898. description: The name of the Secret resource being referred to.
  20899. maxLength: 253
  20900. minLength: 1
  20901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20902. type: string
  20903. namespace:
  20904. description: |-
  20905. The namespace of the Secret resource being referred to.
  20906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20907. maxLength: 63
  20908. minLength: 1
  20909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20910. type: string
  20911. type: object
  20912. type: object
  20913. fetching:
  20914. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  20915. maxProperties: 1
  20916. minProperties: 1
  20917. properties:
  20918. byID:
  20919. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  20920. type: object
  20921. byName:
  20922. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  20923. properties:
  20924. folderID:
  20925. description: The folder to fetch secrets from
  20926. type: string
  20927. required:
  20928. - folderID
  20929. type: object
  20930. type: object
  20931. required:
  20932. - auth
  20933. type: object
  20934. type: object
  20935. refreshInterval:
  20936. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  20937. type: integer
  20938. retrySettings:
  20939. description: Used to configure HTTP retries on failures.
  20940. properties:
  20941. maxRetries:
  20942. format: int32
  20943. type: integer
  20944. retryInterval:
  20945. type: string
  20946. type: object
  20947. required:
  20948. - provider
  20949. type: object
  20950. status:
  20951. description: SecretStoreStatus defines the observed state of the SecretStore.
  20952. properties:
  20953. capabilities:
  20954. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  20955. type: string
  20956. conditions:
  20957. items:
  20958. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  20959. properties:
  20960. lastTransitionTime:
  20961. format: date-time
  20962. type: string
  20963. message:
  20964. type: string
  20965. reason:
  20966. type: string
  20967. status:
  20968. type: string
  20969. type:
  20970. description: SecretStoreConditionType represents the condition of the SecretStore.
  20971. type: string
  20972. required:
  20973. - status
  20974. - type
  20975. type: object
  20976. type: array
  20977. type: object
  20978. type: object
  20979. served: true
  20980. storage: true
  20981. subresources:
  20982. status: {}
  20983. - additionalPrinterColumns:
  20984. - jsonPath: .metadata.creationTimestamp
  20985. name: AGE
  20986. type: date
  20987. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  20988. name: Status
  20989. type: string
  20990. - jsonPath: .status.capabilities
  20991. name: Capabilities
  20992. type: string
  20993. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  20994. name: Ready
  20995. type: string
  20996. deprecated: true
  20997. name: v1beta1
  20998. schema:
  20999. openAPIV3Schema:
  21000. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21001. properties:
  21002. apiVersion:
  21003. description: |-
  21004. APIVersion defines the versioned schema of this representation of an object.
  21005. Servers should convert recognized schemas to the latest internal value, and
  21006. may reject unrecognized values.
  21007. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21008. type: string
  21009. kind:
  21010. description: |-
  21011. Kind is a string value representing the REST resource this object represents.
  21012. Servers may infer this from the endpoint the client submits requests to.
  21013. Cannot be updated.
  21014. In CamelCase.
  21015. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21016. type: string
  21017. metadata:
  21018. type: object
  21019. spec:
  21020. description: SecretStoreSpec defines the desired state of SecretStore.
  21021. properties:
  21022. conditions:
  21023. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21024. items:
  21025. description: |-
  21026. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21027. for a ClusterSecretStore instance.
  21028. properties:
  21029. namespaceRegexes:
  21030. description: Choose namespaces by using regex matching
  21031. items:
  21032. type: string
  21033. type: array
  21034. namespaceSelector:
  21035. description: Choose namespace using a labelSelector
  21036. properties:
  21037. matchExpressions:
  21038. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21039. items:
  21040. description: |-
  21041. A label selector requirement is a selector that contains values, a key, and an operator that
  21042. relates the key and values.
  21043. properties:
  21044. key:
  21045. description: key is the label key that the selector applies to.
  21046. type: string
  21047. operator:
  21048. description: |-
  21049. operator represents a key's relationship to a set of values.
  21050. Valid operators are In, NotIn, Exists and DoesNotExist.
  21051. type: string
  21052. values:
  21053. description: |-
  21054. values is an array of string values. If the operator is In or NotIn,
  21055. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21056. the values array must be empty. This array is replaced during a strategic
  21057. merge patch.
  21058. items:
  21059. type: string
  21060. type: array
  21061. x-kubernetes-list-type: atomic
  21062. required:
  21063. - key
  21064. - operator
  21065. type: object
  21066. type: array
  21067. x-kubernetes-list-type: atomic
  21068. matchLabels:
  21069. additionalProperties:
  21070. type: string
  21071. description: |-
  21072. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21073. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21074. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21075. type: object
  21076. type: object
  21077. x-kubernetes-map-type: atomic
  21078. namespaces:
  21079. description: Choose namespaces by name
  21080. items:
  21081. maxLength: 63
  21082. minLength: 1
  21083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21084. type: string
  21085. type: array
  21086. type: object
  21087. type: array
  21088. controller:
  21089. description: |-
  21090. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21091. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21092. type: string
  21093. provider:
  21094. description: Used to configure the provider. Only one provider may be set
  21095. maxProperties: 1
  21096. minProperties: 1
  21097. properties:
  21098. akeyless:
  21099. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21100. properties:
  21101. akeylessGWApiURL:
  21102. description: Akeyless GW API Url from which the secrets to be fetched from.
  21103. type: string
  21104. authSecretRef:
  21105. description: Auth configures how the operator authenticates with Akeyless.
  21106. properties:
  21107. kubernetesAuth:
  21108. description: |-
  21109. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21110. token stored in the named Secret resource.
  21111. properties:
  21112. accessID:
  21113. description: the Akeyless Kubernetes auth-method access-id
  21114. type: string
  21115. k8sConfName:
  21116. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21117. type: string
  21118. secretRef:
  21119. description: |-
  21120. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21121. for authenticating with Akeyless. If a name is specified without a key,
  21122. `token` is the default. If one is not specified, the one bound to
  21123. the controller will be used.
  21124. properties:
  21125. key:
  21126. description: |-
  21127. A key in the referenced Secret.
  21128. Some instances of this field may be defaulted, in others it may be required.
  21129. maxLength: 253
  21130. minLength: 1
  21131. pattern: ^[-._a-zA-Z0-9]+$
  21132. type: string
  21133. name:
  21134. description: The name of the Secret resource being referred to.
  21135. maxLength: 253
  21136. minLength: 1
  21137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21138. type: string
  21139. namespace:
  21140. description: |-
  21141. The namespace of the Secret resource being referred to.
  21142. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21143. maxLength: 63
  21144. minLength: 1
  21145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21146. type: string
  21147. type: object
  21148. serviceAccountRef:
  21149. description: |-
  21150. Optional service account field containing the name of a kubernetes ServiceAccount.
  21151. If the service account is specified, the service account secret token JWT will be used
  21152. for authenticating with Akeyless. If the service account selector is not supplied,
  21153. the secretRef will be used instead.
  21154. properties:
  21155. audiences:
  21156. description: |-
  21157. Audience specifies the `aud` claim for the service account token
  21158. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21159. then this audiences will be appended to the list
  21160. items:
  21161. type: string
  21162. type: array
  21163. name:
  21164. description: The name of the ServiceAccount resource being referred to.
  21165. maxLength: 253
  21166. minLength: 1
  21167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21168. type: string
  21169. namespace:
  21170. description: |-
  21171. Namespace of the resource being referred to.
  21172. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21173. maxLength: 63
  21174. minLength: 1
  21175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21176. type: string
  21177. required:
  21178. - name
  21179. type: object
  21180. required:
  21181. - accessID
  21182. - k8sConfName
  21183. type: object
  21184. secretRef:
  21185. description: |-
  21186. Reference to a Secret that contains the details
  21187. to authenticate with Akeyless.
  21188. properties:
  21189. accessID:
  21190. description: The SecretAccessID is used for authentication
  21191. properties:
  21192. key:
  21193. description: |-
  21194. A key in the referenced Secret.
  21195. Some instances of this field may be defaulted, in others it may be required.
  21196. maxLength: 253
  21197. minLength: 1
  21198. pattern: ^[-._a-zA-Z0-9]+$
  21199. type: string
  21200. name:
  21201. description: The name of the Secret resource being referred to.
  21202. maxLength: 253
  21203. minLength: 1
  21204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21205. type: string
  21206. namespace:
  21207. description: |-
  21208. The namespace of the Secret resource being referred to.
  21209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21210. maxLength: 63
  21211. minLength: 1
  21212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21213. type: string
  21214. type: object
  21215. accessType:
  21216. description: |-
  21217. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21218. In some instances, `key` is a required field.
  21219. properties:
  21220. key:
  21221. description: |-
  21222. A key in the referenced Secret.
  21223. Some instances of this field may be defaulted, in others it may be required.
  21224. maxLength: 253
  21225. minLength: 1
  21226. pattern: ^[-._a-zA-Z0-9]+$
  21227. type: string
  21228. name:
  21229. description: The name of the Secret resource being referred to.
  21230. maxLength: 253
  21231. minLength: 1
  21232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21233. type: string
  21234. namespace:
  21235. description: |-
  21236. The namespace of the Secret resource being referred to.
  21237. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21238. maxLength: 63
  21239. minLength: 1
  21240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21241. type: string
  21242. type: object
  21243. accessTypeParam:
  21244. description: |-
  21245. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21246. In some instances, `key` is a required field.
  21247. properties:
  21248. key:
  21249. description: |-
  21250. A key in the referenced Secret.
  21251. Some instances of this field may be defaulted, in others it may be required.
  21252. maxLength: 253
  21253. minLength: 1
  21254. pattern: ^[-._a-zA-Z0-9]+$
  21255. type: string
  21256. name:
  21257. description: The name of the Secret resource being referred to.
  21258. maxLength: 253
  21259. minLength: 1
  21260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21261. type: string
  21262. namespace:
  21263. description: |-
  21264. The namespace of the Secret resource being referred to.
  21265. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21266. maxLength: 63
  21267. minLength: 1
  21268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21269. type: string
  21270. type: object
  21271. type: object
  21272. type: object
  21273. caBundle:
  21274. description: |-
  21275. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21276. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21277. are used to validate the TLS connection.
  21278. format: byte
  21279. type: string
  21280. caProvider:
  21281. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21282. properties:
  21283. key:
  21284. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21285. maxLength: 253
  21286. minLength: 1
  21287. pattern: ^[-._a-zA-Z0-9]+$
  21288. type: string
  21289. name:
  21290. description: The name of the object located at the provider type.
  21291. maxLength: 253
  21292. minLength: 1
  21293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21294. type: string
  21295. namespace:
  21296. description: |-
  21297. The namespace the Provider type is in.
  21298. Can only be defined when used in a ClusterSecretStore.
  21299. maxLength: 63
  21300. minLength: 1
  21301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21302. type: string
  21303. type:
  21304. description: The type of provider to use such as "Secret", or "ConfigMap".
  21305. enum:
  21306. - Secret
  21307. - ConfigMap
  21308. type: string
  21309. required:
  21310. - name
  21311. - type
  21312. type: object
  21313. required:
  21314. - akeylessGWApiURL
  21315. - authSecretRef
  21316. type: object
  21317. alibaba:
  21318. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21319. properties:
  21320. auth:
  21321. description: AlibabaAuth contains a secretRef for credentials.
  21322. properties:
  21323. rrsa:
  21324. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21325. properties:
  21326. oidcProviderArn:
  21327. type: string
  21328. oidcTokenFilePath:
  21329. type: string
  21330. roleArn:
  21331. type: string
  21332. sessionName:
  21333. type: string
  21334. required:
  21335. - oidcProviderArn
  21336. - oidcTokenFilePath
  21337. - roleArn
  21338. - sessionName
  21339. type: object
  21340. secretRef:
  21341. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21342. properties:
  21343. accessKeyIDSecretRef:
  21344. description: The AccessKeyID is used for authentication
  21345. properties:
  21346. key:
  21347. description: |-
  21348. A key in the referenced Secret.
  21349. Some instances of this field may be defaulted, in others it may be required.
  21350. maxLength: 253
  21351. minLength: 1
  21352. pattern: ^[-._a-zA-Z0-9]+$
  21353. type: string
  21354. name:
  21355. description: The name of the Secret resource being referred to.
  21356. maxLength: 253
  21357. minLength: 1
  21358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21359. type: string
  21360. namespace:
  21361. description: |-
  21362. The namespace of the Secret resource being referred to.
  21363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21364. maxLength: 63
  21365. minLength: 1
  21366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21367. type: string
  21368. type: object
  21369. accessKeySecretSecretRef:
  21370. description: The AccessKeySecret is used for authentication
  21371. properties:
  21372. key:
  21373. description: |-
  21374. A key in the referenced Secret.
  21375. Some instances of this field may be defaulted, in others it may be required.
  21376. maxLength: 253
  21377. minLength: 1
  21378. pattern: ^[-._a-zA-Z0-9]+$
  21379. type: string
  21380. name:
  21381. description: The name of the Secret resource being referred to.
  21382. maxLength: 253
  21383. minLength: 1
  21384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21385. type: string
  21386. namespace:
  21387. description: |-
  21388. The namespace of the Secret resource being referred to.
  21389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21390. maxLength: 63
  21391. minLength: 1
  21392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21393. type: string
  21394. type: object
  21395. required:
  21396. - accessKeyIDSecretRef
  21397. - accessKeySecretSecretRef
  21398. type: object
  21399. type: object
  21400. regionID:
  21401. description: Alibaba Region to be used for the provider
  21402. type: string
  21403. required:
  21404. - auth
  21405. - regionID
  21406. type: object
  21407. aws:
  21408. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21409. properties:
  21410. additionalRoles:
  21411. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21412. items:
  21413. type: string
  21414. type: array
  21415. auth:
  21416. description: |-
  21417. Auth defines the information necessary to authenticate against AWS
  21418. if not set aws sdk will infer credentials from your environment
  21419. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21420. properties:
  21421. jwt:
  21422. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21423. properties:
  21424. serviceAccountRef:
  21425. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21426. properties:
  21427. audiences:
  21428. description: |-
  21429. Audience specifies the `aud` claim for the service account token
  21430. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21431. then this audiences will be appended to the list
  21432. items:
  21433. type: string
  21434. type: array
  21435. name:
  21436. description: The name of the ServiceAccount resource being referred to.
  21437. maxLength: 253
  21438. minLength: 1
  21439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21440. type: string
  21441. namespace:
  21442. description: |-
  21443. Namespace of the resource being referred to.
  21444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21445. maxLength: 63
  21446. minLength: 1
  21447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21448. type: string
  21449. required:
  21450. - name
  21451. type: object
  21452. type: object
  21453. secretRef:
  21454. description: |-
  21455. AWSAuthSecretRef holds secret references for AWS credentials
  21456. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21457. properties:
  21458. accessKeyIDSecretRef:
  21459. description: The AccessKeyID is used for authentication
  21460. properties:
  21461. key:
  21462. description: |-
  21463. A key in the referenced Secret.
  21464. Some instances of this field may be defaulted, in others it may be required.
  21465. maxLength: 253
  21466. minLength: 1
  21467. pattern: ^[-._a-zA-Z0-9]+$
  21468. type: string
  21469. name:
  21470. description: The name of the Secret resource being referred to.
  21471. maxLength: 253
  21472. minLength: 1
  21473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21474. type: string
  21475. namespace:
  21476. description: |-
  21477. The namespace of the Secret resource being referred to.
  21478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21479. maxLength: 63
  21480. minLength: 1
  21481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21482. type: string
  21483. type: object
  21484. secretAccessKeySecretRef:
  21485. description: The SecretAccessKey is used for authentication
  21486. properties:
  21487. key:
  21488. description: |-
  21489. A key in the referenced Secret.
  21490. Some instances of this field may be defaulted, in others it may be required.
  21491. maxLength: 253
  21492. minLength: 1
  21493. pattern: ^[-._a-zA-Z0-9]+$
  21494. type: string
  21495. name:
  21496. description: The name of the Secret resource being referred to.
  21497. maxLength: 253
  21498. minLength: 1
  21499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21500. type: string
  21501. namespace:
  21502. description: |-
  21503. The namespace of the Secret resource being referred to.
  21504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21505. maxLength: 63
  21506. minLength: 1
  21507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21508. type: string
  21509. type: object
  21510. sessionTokenSecretRef:
  21511. description: |-
  21512. The SessionToken used for authentication
  21513. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  21514. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21515. properties:
  21516. key:
  21517. description: |-
  21518. A key in the referenced Secret.
  21519. Some instances of this field may be defaulted, in others it may be required.
  21520. maxLength: 253
  21521. minLength: 1
  21522. pattern: ^[-._a-zA-Z0-9]+$
  21523. type: string
  21524. name:
  21525. description: The name of the Secret resource being referred to.
  21526. maxLength: 253
  21527. minLength: 1
  21528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21529. type: string
  21530. namespace:
  21531. description: |-
  21532. The namespace of the Secret resource being referred to.
  21533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21534. maxLength: 63
  21535. minLength: 1
  21536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21537. type: string
  21538. type: object
  21539. type: object
  21540. type: object
  21541. externalID:
  21542. description: AWS External ID set on assumed IAM roles
  21543. type: string
  21544. prefix:
  21545. description: Prefix adds a prefix to all retrieved values.
  21546. type: string
  21547. region:
  21548. description: AWS Region to be used for the provider
  21549. type: string
  21550. role:
  21551. description: Role is a Role ARN which the provider will assume
  21552. type: string
  21553. secretsManager:
  21554. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  21555. properties:
  21556. forceDeleteWithoutRecovery:
  21557. description: |-
  21558. Specifies whether to delete the secret without any recovery window. You
  21559. can't use both this parameter and RecoveryWindowInDays in the same call.
  21560. If you don't use either, then by default Secrets Manager uses a 30 day
  21561. recovery window.
  21562. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  21563. type: boolean
  21564. recoveryWindowInDays:
  21565. description: |-
  21566. The number of days from 7 to 30 that Secrets Manager waits before
  21567. permanently deleting the secret. You can't use both this parameter and
  21568. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  21569. then by default Secrets Manager uses a 30 day recovery window.
  21570. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  21571. format: int64
  21572. type: integer
  21573. type: object
  21574. service:
  21575. description: Service defines which service should be used to fetch the secrets
  21576. enum:
  21577. - SecretsManager
  21578. - ParameterStore
  21579. type: string
  21580. sessionTags:
  21581. description: AWS STS assume role session tags
  21582. items:
  21583. description: Tag defines a tag key and value for AWS resources.
  21584. properties:
  21585. key:
  21586. type: string
  21587. value:
  21588. type: string
  21589. required:
  21590. - key
  21591. - value
  21592. type: object
  21593. type: array
  21594. transitiveTagKeys:
  21595. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  21596. items:
  21597. type: string
  21598. type: array
  21599. required:
  21600. - region
  21601. - service
  21602. type: object
  21603. azurekv:
  21604. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  21605. properties:
  21606. authSecretRef:
  21607. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21608. properties:
  21609. clientCertificate:
  21610. description: The Azure ClientCertificate of the service principle used for authentication.
  21611. properties:
  21612. key:
  21613. description: |-
  21614. A key in the referenced Secret.
  21615. Some instances of this field may be defaulted, in others it may be required.
  21616. maxLength: 253
  21617. minLength: 1
  21618. pattern: ^[-._a-zA-Z0-9]+$
  21619. type: string
  21620. name:
  21621. description: The name of the Secret resource being referred to.
  21622. maxLength: 253
  21623. minLength: 1
  21624. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21625. type: string
  21626. namespace:
  21627. description: |-
  21628. The namespace of the Secret resource being referred to.
  21629. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21630. maxLength: 63
  21631. minLength: 1
  21632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21633. type: string
  21634. type: object
  21635. clientId:
  21636. description: The Azure clientId of the service principle or managed identity used for authentication.
  21637. properties:
  21638. key:
  21639. description: |-
  21640. A key in the referenced Secret.
  21641. Some instances of this field may be defaulted, in others it may be required.
  21642. maxLength: 253
  21643. minLength: 1
  21644. pattern: ^[-._a-zA-Z0-9]+$
  21645. type: string
  21646. name:
  21647. description: The name of the Secret resource being referred to.
  21648. maxLength: 253
  21649. minLength: 1
  21650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21651. type: string
  21652. namespace:
  21653. description: |-
  21654. The namespace of the Secret resource being referred to.
  21655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21656. maxLength: 63
  21657. minLength: 1
  21658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21659. type: string
  21660. type: object
  21661. clientSecret:
  21662. description: The Azure ClientSecret of the service principle used for authentication.
  21663. properties:
  21664. key:
  21665. description: |-
  21666. A key in the referenced Secret.
  21667. Some instances of this field may be defaulted, in others it may be required.
  21668. maxLength: 253
  21669. minLength: 1
  21670. pattern: ^[-._a-zA-Z0-9]+$
  21671. type: string
  21672. name:
  21673. description: The name of the Secret resource being referred to.
  21674. maxLength: 253
  21675. minLength: 1
  21676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21677. type: string
  21678. namespace:
  21679. description: |-
  21680. The namespace of the Secret resource being referred to.
  21681. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21682. maxLength: 63
  21683. minLength: 1
  21684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21685. type: string
  21686. type: object
  21687. tenantId:
  21688. description: The Azure tenantId of the managed identity used for authentication.
  21689. properties:
  21690. key:
  21691. description: |-
  21692. A key in the referenced Secret.
  21693. Some instances of this field may be defaulted, in others it may be required.
  21694. maxLength: 253
  21695. minLength: 1
  21696. pattern: ^[-._a-zA-Z0-9]+$
  21697. type: string
  21698. name:
  21699. description: The name of the Secret resource being referred to.
  21700. maxLength: 253
  21701. minLength: 1
  21702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21703. type: string
  21704. namespace:
  21705. description: |-
  21706. The namespace of the Secret resource being referred to.
  21707. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21708. maxLength: 63
  21709. minLength: 1
  21710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21711. type: string
  21712. type: object
  21713. type: object
  21714. authType:
  21715. default: ServicePrincipal
  21716. description: |-
  21717. Auth type defines how to authenticate to the keyvault service.
  21718. Valid values are:
  21719. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  21720. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  21721. enum:
  21722. - ServicePrincipal
  21723. - ManagedIdentity
  21724. - WorkloadIdentity
  21725. type: string
  21726. environmentType:
  21727. default: PublicCloud
  21728. description: |-
  21729. EnvironmentType specifies the Azure cloud environment endpoints to use for
  21730. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  21731. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  21732. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  21733. enum:
  21734. - PublicCloud
  21735. - USGovernmentCloud
  21736. - ChinaCloud
  21737. - GermanCloud
  21738. type: string
  21739. identityId:
  21740. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  21741. type: string
  21742. serviceAccountRef:
  21743. description: |-
  21744. ServiceAccountRef specified the service account
  21745. that should be used when authenticating with WorkloadIdentity.
  21746. properties:
  21747. audiences:
  21748. description: |-
  21749. Audience specifies the `aud` claim for the service account token
  21750. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21751. then this audiences will be appended to the list
  21752. items:
  21753. type: string
  21754. type: array
  21755. name:
  21756. description: The name of the ServiceAccount resource being referred to.
  21757. maxLength: 253
  21758. minLength: 1
  21759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21760. type: string
  21761. namespace:
  21762. description: |-
  21763. Namespace of the resource being referred to.
  21764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21765. maxLength: 63
  21766. minLength: 1
  21767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21768. type: string
  21769. required:
  21770. - name
  21771. type: object
  21772. tenantId:
  21773. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21774. type: string
  21775. vaultUrl:
  21776. description: Vault Url from which the secrets to be fetched from.
  21777. type: string
  21778. required:
  21779. - vaultUrl
  21780. type: object
  21781. beyondtrust:
  21782. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  21783. properties:
  21784. auth:
  21785. description: Auth configures how the operator authenticates with Beyondtrust.
  21786. properties:
  21787. apiKey:
  21788. description: APIKey If not provided then ClientID/ClientSecret become required.
  21789. properties:
  21790. secretRef:
  21791. description: SecretRef references a key in a secret that will be used as value.
  21792. properties:
  21793. key:
  21794. description: |-
  21795. A key in the referenced Secret.
  21796. Some instances of this field may be defaulted, in others it may be required.
  21797. maxLength: 253
  21798. minLength: 1
  21799. pattern: ^[-._a-zA-Z0-9]+$
  21800. type: string
  21801. name:
  21802. description: The name of the Secret resource being referred to.
  21803. maxLength: 253
  21804. minLength: 1
  21805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21806. type: string
  21807. namespace:
  21808. description: |-
  21809. The namespace of the Secret resource being referred to.
  21810. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21811. maxLength: 63
  21812. minLength: 1
  21813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21814. type: string
  21815. type: object
  21816. value:
  21817. description: Value can be specified directly to set a value without using a secret.
  21818. type: string
  21819. type: object
  21820. certificate:
  21821. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  21822. properties:
  21823. secretRef:
  21824. description: SecretRef references a key in a secret that will be used as value.
  21825. properties:
  21826. key:
  21827. description: |-
  21828. A key in the referenced Secret.
  21829. Some instances of this field may be defaulted, in others it may be required.
  21830. maxLength: 253
  21831. minLength: 1
  21832. pattern: ^[-._a-zA-Z0-9]+$
  21833. type: string
  21834. name:
  21835. description: The name of the Secret resource being referred to.
  21836. maxLength: 253
  21837. minLength: 1
  21838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21839. type: string
  21840. namespace:
  21841. description: |-
  21842. The namespace of the Secret resource being referred to.
  21843. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21844. maxLength: 63
  21845. minLength: 1
  21846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21847. type: string
  21848. type: object
  21849. value:
  21850. description: Value can be specified directly to set a value without using a secret.
  21851. type: string
  21852. type: object
  21853. certificateKey:
  21854. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  21855. properties:
  21856. secretRef:
  21857. description: SecretRef references a key in a secret that will be used as value.
  21858. properties:
  21859. key:
  21860. description: |-
  21861. A key in the referenced Secret.
  21862. Some instances of this field may be defaulted, in others it may be required.
  21863. maxLength: 253
  21864. minLength: 1
  21865. pattern: ^[-._a-zA-Z0-9]+$
  21866. type: string
  21867. name:
  21868. description: The name of the Secret resource being referred to.
  21869. maxLength: 253
  21870. minLength: 1
  21871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21872. type: string
  21873. namespace:
  21874. description: |-
  21875. The namespace of the Secret resource being referred to.
  21876. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21877. maxLength: 63
  21878. minLength: 1
  21879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21880. type: string
  21881. type: object
  21882. value:
  21883. description: Value can be specified directly to set a value without using a secret.
  21884. type: string
  21885. type: object
  21886. clientId:
  21887. description: ClientID is the API OAuth Client ID.
  21888. properties:
  21889. secretRef:
  21890. description: SecretRef references a key in a secret that will be used as value.
  21891. properties:
  21892. key:
  21893. description: |-
  21894. A key in the referenced Secret.
  21895. Some instances of this field may be defaulted, in others it may be required.
  21896. maxLength: 253
  21897. minLength: 1
  21898. pattern: ^[-._a-zA-Z0-9]+$
  21899. type: string
  21900. name:
  21901. description: The name of the Secret resource being referred to.
  21902. maxLength: 253
  21903. minLength: 1
  21904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21905. type: string
  21906. namespace:
  21907. description: |-
  21908. The namespace of the Secret resource being referred to.
  21909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21910. maxLength: 63
  21911. minLength: 1
  21912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21913. type: string
  21914. type: object
  21915. value:
  21916. description: Value can be specified directly to set a value without using a secret.
  21917. type: string
  21918. type: object
  21919. clientSecret:
  21920. description: ClientSecret is the API OAuth Client Secret.
  21921. properties:
  21922. secretRef:
  21923. description: SecretRef references a key in a secret that will be used as value.
  21924. properties:
  21925. key:
  21926. description: |-
  21927. A key in the referenced Secret.
  21928. Some instances of this field may be defaulted, in others it may be required.
  21929. maxLength: 253
  21930. minLength: 1
  21931. pattern: ^[-._a-zA-Z0-9]+$
  21932. type: string
  21933. name:
  21934. description: The name of the Secret resource being referred to.
  21935. maxLength: 253
  21936. minLength: 1
  21937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21938. type: string
  21939. namespace:
  21940. description: |-
  21941. The namespace of the Secret resource being referred to.
  21942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21943. maxLength: 63
  21944. minLength: 1
  21945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21946. type: string
  21947. type: object
  21948. value:
  21949. description: Value can be specified directly to set a value without using a secret.
  21950. type: string
  21951. type: object
  21952. type: object
  21953. server:
  21954. description: Auth configures how API server works.
  21955. properties:
  21956. apiUrl:
  21957. type: string
  21958. apiVersion:
  21959. type: string
  21960. clientTimeOutSeconds:
  21961. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  21962. type: integer
  21963. decrypt:
  21964. default: true
  21965. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  21966. type: boolean
  21967. retrievalType:
  21968. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  21969. type: string
  21970. separator:
  21971. description: A character that separates the folder names.
  21972. type: string
  21973. verifyCA:
  21974. type: boolean
  21975. required:
  21976. - apiUrl
  21977. - verifyCA
  21978. type: object
  21979. required:
  21980. - auth
  21981. - server
  21982. type: object
  21983. bitwardensecretsmanager:
  21984. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  21985. properties:
  21986. apiURL:
  21987. type: string
  21988. auth:
  21989. description: |-
  21990. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  21991. Make sure that the token being used has permissions on the given secret.
  21992. properties:
  21993. secretRef:
  21994. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  21995. properties:
  21996. credentials:
  21997. description: AccessToken used for the bitwarden instance.
  21998. properties:
  21999. key:
  22000. description: |-
  22001. A key in the referenced Secret.
  22002. Some instances of this field may be defaulted, in others it may be required.
  22003. maxLength: 253
  22004. minLength: 1
  22005. pattern: ^[-._a-zA-Z0-9]+$
  22006. type: string
  22007. name:
  22008. description: The name of the Secret resource being referred to.
  22009. maxLength: 253
  22010. minLength: 1
  22011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22012. type: string
  22013. namespace:
  22014. description: |-
  22015. The namespace of the Secret resource being referred to.
  22016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22017. maxLength: 63
  22018. minLength: 1
  22019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22020. type: string
  22021. type: object
  22022. required:
  22023. - credentials
  22024. type: object
  22025. required:
  22026. - secretRef
  22027. type: object
  22028. bitwardenServerSDKURL:
  22029. type: string
  22030. caBundle:
  22031. description: |-
  22032. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22033. can be performed.
  22034. type: string
  22035. caProvider:
  22036. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22037. properties:
  22038. key:
  22039. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22040. maxLength: 253
  22041. minLength: 1
  22042. pattern: ^[-._a-zA-Z0-9]+$
  22043. type: string
  22044. name:
  22045. description: The name of the object located at the provider type.
  22046. maxLength: 253
  22047. minLength: 1
  22048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22049. type: string
  22050. namespace:
  22051. description: |-
  22052. The namespace the Provider type is in.
  22053. Can only be defined when used in a ClusterSecretStore.
  22054. maxLength: 63
  22055. minLength: 1
  22056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22057. type: string
  22058. type:
  22059. description: The type of provider to use such as "Secret", or "ConfigMap".
  22060. enum:
  22061. - Secret
  22062. - ConfigMap
  22063. type: string
  22064. required:
  22065. - name
  22066. - type
  22067. type: object
  22068. identityURL:
  22069. type: string
  22070. organizationID:
  22071. description: OrganizationID determines which organization this secret store manages.
  22072. type: string
  22073. projectID:
  22074. description: ProjectID determines which project this secret store manages.
  22075. type: string
  22076. required:
  22077. - auth
  22078. - organizationID
  22079. - projectID
  22080. type: object
  22081. chef:
  22082. description: Chef configures this store to sync secrets with chef server
  22083. properties:
  22084. auth:
  22085. description: Auth defines the information necessary to authenticate against chef Server
  22086. properties:
  22087. secretRef:
  22088. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22089. properties:
  22090. privateKeySecretRef:
  22091. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22092. properties:
  22093. key:
  22094. description: |-
  22095. A key in the referenced Secret.
  22096. Some instances of this field may be defaulted, in others it may be required.
  22097. maxLength: 253
  22098. minLength: 1
  22099. pattern: ^[-._a-zA-Z0-9]+$
  22100. type: string
  22101. name:
  22102. description: The name of the Secret resource being referred to.
  22103. maxLength: 253
  22104. minLength: 1
  22105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22106. type: string
  22107. namespace:
  22108. description: |-
  22109. The namespace of the Secret resource being referred to.
  22110. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22111. maxLength: 63
  22112. minLength: 1
  22113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22114. type: string
  22115. type: object
  22116. required:
  22117. - privateKeySecretRef
  22118. type: object
  22119. required:
  22120. - secretRef
  22121. type: object
  22122. serverUrl:
  22123. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  22124. type: string
  22125. username:
  22126. description: UserName should be the user ID on the chef server
  22127. type: string
  22128. required:
  22129. - auth
  22130. - serverUrl
  22131. - username
  22132. type: object
  22133. cloudrusm:
  22134. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22135. properties:
  22136. auth:
  22137. description: CSMAuth contains a secretRef for credentials.
  22138. properties:
  22139. secretRef:
  22140. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22141. properties:
  22142. accessKeyIDSecretRef:
  22143. description: The AccessKeyID is used for authentication
  22144. properties:
  22145. key:
  22146. description: |-
  22147. A key in the referenced Secret.
  22148. Some instances of this field may be defaulted, in others it may be required.
  22149. maxLength: 253
  22150. minLength: 1
  22151. pattern: ^[-._a-zA-Z0-9]+$
  22152. type: string
  22153. name:
  22154. description: The name of the Secret resource being referred to.
  22155. maxLength: 253
  22156. minLength: 1
  22157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22158. type: string
  22159. namespace:
  22160. description: |-
  22161. The namespace of the Secret resource being referred to.
  22162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22163. maxLength: 63
  22164. minLength: 1
  22165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22166. type: string
  22167. type: object
  22168. accessKeySecretSecretRef:
  22169. description: The AccessKeySecret is used for authentication
  22170. properties:
  22171. key:
  22172. description: |-
  22173. A key in the referenced Secret.
  22174. Some instances of this field may be defaulted, in others it may be required.
  22175. maxLength: 253
  22176. minLength: 1
  22177. pattern: ^[-._a-zA-Z0-9]+$
  22178. type: string
  22179. name:
  22180. description: The name of the Secret resource being referred to.
  22181. maxLength: 253
  22182. minLength: 1
  22183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22184. type: string
  22185. namespace:
  22186. description: |-
  22187. The namespace of the Secret resource being referred to.
  22188. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22189. maxLength: 63
  22190. minLength: 1
  22191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22192. type: string
  22193. type: object
  22194. required:
  22195. - accessKeyIDSecretRef
  22196. - accessKeySecretSecretRef
  22197. type: object
  22198. type: object
  22199. projectID:
  22200. description: ProjectID is the project, which the secrets are stored in.
  22201. type: string
  22202. required:
  22203. - auth
  22204. type: object
  22205. conjur:
  22206. description: Conjur configures this store to sync secrets using conjur provider
  22207. properties:
  22208. auth:
  22209. description: Defines authentication settings for connecting to Conjur.
  22210. properties:
  22211. apikey:
  22212. description: Authenticates with Conjur using an API key.
  22213. properties:
  22214. account:
  22215. description: Account is the Conjur organization account name.
  22216. type: string
  22217. apiKeyRef:
  22218. description: |-
  22219. A reference to a specific 'key' containing the Conjur API key
  22220. within a Secret resource. In some instances, `key` is a required field.
  22221. properties:
  22222. key:
  22223. description: |-
  22224. A key in the referenced Secret.
  22225. Some instances of this field may be defaulted, in others it may be required.
  22226. maxLength: 253
  22227. minLength: 1
  22228. pattern: ^[-._a-zA-Z0-9]+$
  22229. type: string
  22230. name:
  22231. description: The name of the Secret resource being referred to.
  22232. maxLength: 253
  22233. minLength: 1
  22234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22235. type: string
  22236. namespace:
  22237. description: |-
  22238. The namespace of the Secret resource being referred to.
  22239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22240. maxLength: 63
  22241. minLength: 1
  22242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22243. type: string
  22244. type: object
  22245. userRef:
  22246. description: |-
  22247. A reference to a specific 'key' containing the Conjur username
  22248. within a Secret resource. In some instances, `key` is a required field.
  22249. properties:
  22250. key:
  22251. description: |-
  22252. A key in the referenced Secret.
  22253. Some instances of this field may be defaulted, in others it may be required.
  22254. maxLength: 253
  22255. minLength: 1
  22256. pattern: ^[-._a-zA-Z0-9]+$
  22257. type: string
  22258. name:
  22259. description: The name of the Secret resource being referred to.
  22260. maxLength: 253
  22261. minLength: 1
  22262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22263. type: string
  22264. namespace:
  22265. description: |-
  22266. The namespace of the Secret resource being referred to.
  22267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22268. maxLength: 63
  22269. minLength: 1
  22270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22271. type: string
  22272. type: object
  22273. required:
  22274. - account
  22275. - apiKeyRef
  22276. - userRef
  22277. type: object
  22278. jwt:
  22279. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22280. properties:
  22281. account:
  22282. description: Account is the Conjur organization account name.
  22283. type: string
  22284. hostId:
  22285. description: |-
  22286. Optional HostID for JWT authentication. This may be used depending
  22287. on how the Conjur JWT authenticator policy is configured.
  22288. type: string
  22289. secretRef:
  22290. description: |-
  22291. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22292. authenticate with Conjur using the JWT authentication method.
  22293. properties:
  22294. key:
  22295. description: |-
  22296. A key in the referenced Secret.
  22297. Some instances of this field may be defaulted, in others it may be required.
  22298. maxLength: 253
  22299. minLength: 1
  22300. pattern: ^[-._a-zA-Z0-9]+$
  22301. type: string
  22302. name:
  22303. description: The name of the Secret resource being referred to.
  22304. maxLength: 253
  22305. minLength: 1
  22306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22307. type: string
  22308. namespace:
  22309. description: |-
  22310. The namespace of the Secret resource being referred to.
  22311. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22312. maxLength: 63
  22313. minLength: 1
  22314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22315. type: string
  22316. type: object
  22317. serviceAccountRef:
  22318. description: |-
  22319. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22320. a token for with the `TokenRequest` API.
  22321. properties:
  22322. audiences:
  22323. description: |-
  22324. Audience specifies the `aud` claim for the service account token
  22325. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22326. then this audiences will be appended to the list
  22327. items:
  22328. type: string
  22329. type: array
  22330. name:
  22331. description: The name of the ServiceAccount resource being referred to.
  22332. maxLength: 253
  22333. minLength: 1
  22334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22335. type: string
  22336. namespace:
  22337. description: |-
  22338. Namespace of the resource being referred to.
  22339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22340. maxLength: 63
  22341. minLength: 1
  22342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22343. type: string
  22344. required:
  22345. - name
  22346. type: object
  22347. serviceID:
  22348. description: The conjur authn jwt webservice id
  22349. type: string
  22350. required:
  22351. - account
  22352. - serviceID
  22353. type: object
  22354. type: object
  22355. caBundle:
  22356. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22357. type: string
  22358. caProvider:
  22359. description: |-
  22360. Used to provide custom certificate authority (CA) certificates
  22361. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22362. that contains a PEM-encoded certificate.
  22363. properties:
  22364. key:
  22365. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22366. maxLength: 253
  22367. minLength: 1
  22368. pattern: ^[-._a-zA-Z0-9]+$
  22369. type: string
  22370. name:
  22371. description: The name of the object located at the provider type.
  22372. maxLength: 253
  22373. minLength: 1
  22374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22375. type: string
  22376. namespace:
  22377. description: |-
  22378. The namespace the Provider type is in.
  22379. Can only be defined when used in a ClusterSecretStore.
  22380. maxLength: 63
  22381. minLength: 1
  22382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22383. type: string
  22384. type:
  22385. description: The type of provider to use such as "Secret", or "ConfigMap".
  22386. enum:
  22387. - Secret
  22388. - ConfigMap
  22389. type: string
  22390. required:
  22391. - name
  22392. - type
  22393. type: object
  22394. url:
  22395. description: URL is the endpoint of the Conjur instance.
  22396. type: string
  22397. required:
  22398. - auth
  22399. - url
  22400. type: object
  22401. delinea:
  22402. description: |-
  22403. Delinea DevOps Secrets Vault
  22404. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22405. properties:
  22406. clientId:
  22407. description: ClientID is the non-secret part of the credential.
  22408. properties:
  22409. secretRef:
  22410. description: SecretRef references a key in a secret that will be used as value.
  22411. properties:
  22412. key:
  22413. description: |-
  22414. A key in the referenced Secret.
  22415. Some instances of this field may be defaulted, in others it may be required.
  22416. maxLength: 253
  22417. minLength: 1
  22418. pattern: ^[-._a-zA-Z0-9]+$
  22419. type: string
  22420. name:
  22421. description: The name of the Secret resource being referred to.
  22422. maxLength: 253
  22423. minLength: 1
  22424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22425. type: string
  22426. namespace:
  22427. description: |-
  22428. The namespace of the Secret resource being referred to.
  22429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22430. maxLength: 63
  22431. minLength: 1
  22432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22433. type: string
  22434. type: object
  22435. value:
  22436. description: Value can be specified directly to set a value without using a secret.
  22437. type: string
  22438. type: object
  22439. clientSecret:
  22440. description: ClientSecret is the secret part of the credential.
  22441. properties:
  22442. secretRef:
  22443. description: SecretRef references a key in a secret that will be used as value.
  22444. properties:
  22445. key:
  22446. description: |-
  22447. A key in the referenced Secret.
  22448. Some instances of this field may be defaulted, in others it may be required.
  22449. maxLength: 253
  22450. minLength: 1
  22451. pattern: ^[-._a-zA-Z0-9]+$
  22452. type: string
  22453. name:
  22454. description: The name of the Secret resource being referred to.
  22455. maxLength: 253
  22456. minLength: 1
  22457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22458. type: string
  22459. namespace:
  22460. description: |-
  22461. The namespace of the Secret resource being referred to.
  22462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22463. maxLength: 63
  22464. minLength: 1
  22465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22466. type: string
  22467. type: object
  22468. value:
  22469. description: Value can be specified directly to set a value without using a secret.
  22470. type: string
  22471. type: object
  22472. tenant:
  22473. description: Tenant is the chosen hostname / site name.
  22474. type: string
  22475. tld:
  22476. description: |-
  22477. TLD is based on the server location that was chosen during provisioning.
  22478. If unset, defaults to "com".
  22479. type: string
  22480. urlTemplate:
  22481. description: |-
  22482. URLTemplate
  22483. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  22484. type: string
  22485. required:
  22486. - clientId
  22487. - clientSecret
  22488. - tenant
  22489. type: object
  22490. device42:
  22491. description: Device42 configures this store to sync secrets using the Device42 provider
  22492. properties:
  22493. auth:
  22494. description: Auth configures how secret-manager authenticates with a Device42 instance.
  22495. properties:
  22496. secretRef:
  22497. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  22498. properties:
  22499. credentials:
  22500. description: Username / Password is used for authentication.
  22501. properties:
  22502. key:
  22503. description: |-
  22504. A key in the referenced Secret.
  22505. Some instances of this field may be defaulted, in others it may be required.
  22506. maxLength: 253
  22507. minLength: 1
  22508. pattern: ^[-._a-zA-Z0-9]+$
  22509. type: string
  22510. name:
  22511. description: The name of the Secret resource being referred to.
  22512. maxLength: 253
  22513. minLength: 1
  22514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22515. type: string
  22516. namespace:
  22517. description: |-
  22518. The namespace of the Secret resource being referred to.
  22519. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22520. maxLength: 63
  22521. minLength: 1
  22522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22523. type: string
  22524. type: object
  22525. type: object
  22526. required:
  22527. - secretRef
  22528. type: object
  22529. host:
  22530. description: URL configures the Device42 instance URL.
  22531. type: string
  22532. required:
  22533. - auth
  22534. - host
  22535. type: object
  22536. doppler:
  22537. description: Doppler configures this store to sync secrets using the Doppler provider
  22538. properties:
  22539. auth:
  22540. description: Auth configures how the Operator authenticates with the Doppler API
  22541. properties:
  22542. secretRef:
  22543. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  22544. properties:
  22545. dopplerToken:
  22546. description: |-
  22547. The DopplerToken is used for authentication.
  22548. See https://docs.doppler.com/reference/api#authentication for auth token types.
  22549. The Key attribute defaults to dopplerToken if not specified.
  22550. properties:
  22551. key:
  22552. description: |-
  22553. A key in the referenced Secret.
  22554. Some instances of this field may be defaulted, in others it may be required.
  22555. maxLength: 253
  22556. minLength: 1
  22557. pattern: ^[-._a-zA-Z0-9]+$
  22558. type: string
  22559. name:
  22560. description: The name of the Secret resource being referred to.
  22561. maxLength: 253
  22562. minLength: 1
  22563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22564. type: string
  22565. namespace:
  22566. description: |-
  22567. The namespace of the Secret resource being referred to.
  22568. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22569. maxLength: 63
  22570. minLength: 1
  22571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22572. type: string
  22573. type: object
  22574. required:
  22575. - dopplerToken
  22576. type: object
  22577. required:
  22578. - secretRef
  22579. type: object
  22580. config:
  22581. description: Doppler config (required if not using a Service Token)
  22582. type: string
  22583. format:
  22584. description: Format enables the downloading of secrets as a file (string)
  22585. enum:
  22586. - json
  22587. - dotnet-json
  22588. - env
  22589. - yaml
  22590. - docker
  22591. type: string
  22592. nameTransformer:
  22593. description: Environment variable compatible name transforms that change secret names to a different format
  22594. enum:
  22595. - upper-camel
  22596. - camel
  22597. - lower-snake
  22598. - tf-var
  22599. - dotnet-env
  22600. - lower-kebab
  22601. type: string
  22602. project:
  22603. description: Doppler project (required if not using a Service Token)
  22604. type: string
  22605. required:
  22606. - auth
  22607. type: object
  22608. fake:
  22609. description: Fake configures a store with static key/value pairs
  22610. properties:
  22611. data:
  22612. items:
  22613. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  22614. properties:
  22615. key:
  22616. type: string
  22617. value:
  22618. type: string
  22619. version:
  22620. type: string
  22621. required:
  22622. - key
  22623. - value
  22624. type: object
  22625. type: array
  22626. required:
  22627. - data
  22628. type: object
  22629. fortanix:
  22630. description: Fortanix configures this store to sync secrets using the Fortanix provider
  22631. properties:
  22632. apiKey:
  22633. description: APIKey is the API token to access SDKMS Applications.
  22634. properties:
  22635. secretRef:
  22636. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  22637. properties:
  22638. key:
  22639. description: |-
  22640. A key in the referenced Secret.
  22641. Some instances of this field may be defaulted, in others it may be required.
  22642. maxLength: 253
  22643. minLength: 1
  22644. pattern: ^[-._a-zA-Z0-9]+$
  22645. type: string
  22646. name:
  22647. description: The name of the Secret resource being referred to.
  22648. maxLength: 253
  22649. minLength: 1
  22650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22651. type: string
  22652. namespace:
  22653. description: |-
  22654. The namespace of the Secret resource being referred to.
  22655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22656. maxLength: 63
  22657. minLength: 1
  22658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22659. type: string
  22660. type: object
  22661. type: object
  22662. apiUrl:
  22663. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  22664. type: string
  22665. type: object
  22666. gcpsm:
  22667. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  22668. properties:
  22669. auth:
  22670. description: Auth defines the information necessary to authenticate against GCP
  22671. properties:
  22672. secretRef:
  22673. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  22674. properties:
  22675. secretAccessKeySecretRef:
  22676. description: The SecretAccessKey is used for authentication
  22677. properties:
  22678. key:
  22679. description: |-
  22680. A key in the referenced Secret.
  22681. Some instances of this field may be defaulted, in others it may be required.
  22682. maxLength: 253
  22683. minLength: 1
  22684. pattern: ^[-._a-zA-Z0-9]+$
  22685. type: string
  22686. name:
  22687. description: The name of the Secret resource being referred to.
  22688. maxLength: 253
  22689. minLength: 1
  22690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22691. type: string
  22692. namespace:
  22693. description: |-
  22694. The namespace of the Secret resource being referred to.
  22695. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22696. maxLength: 63
  22697. minLength: 1
  22698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22699. type: string
  22700. type: object
  22701. type: object
  22702. workloadIdentity:
  22703. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  22704. properties:
  22705. clusterLocation:
  22706. description: |-
  22707. ClusterLocation is the location of the cluster
  22708. If not specified, it fetches information from the metadata server
  22709. type: string
  22710. clusterName:
  22711. description: |-
  22712. ClusterName is the name of the cluster
  22713. If not specified, it fetches information from the metadata server
  22714. type: string
  22715. clusterProjectID:
  22716. description: |-
  22717. ClusterProjectID is the project ID of the cluster
  22718. If not specified, it fetches information from the metadata server
  22719. type: string
  22720. serviceAccountRef:
  22721. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22722. properties:
  22723. audiences:
  22724. description: |-
  22725. Audience specifies the `aud` claim for the service account token
  22726. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22727. then this audiences will be appended to the list
  22728. items:
  22729. type: string
  22730. type: array
  22731. name:
  22732. description: The name of the ServiceAccount resource being referred to.
  22733. maxLength: 253
  22734. minLength: 1
  22735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22736. type: string
  22737. namespace:
  22738. description: |-
  22739. Namespace of the resource being referred to.
  22740. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22741. maxLength: 63
  22742. minLength: 1
  22743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22744. type: string
  22745. required:
  22746. - name
  22747. type: object
  22748. required:
  22749. - serviceAccountRef
  22750. type: object
  22751. type: object
  22752. location:
  22753. description: Location optionally defines a location for a secret
  22754. type: string
  22755. projectID:
  22756. description: ProjectID project where secret is located
  22757. type: string
  22758. type: object
  22759. github:
  22760. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  22761. properties:
  22762. appID:
  22763. description: appID specifies the Github APP that will be used to authenticate the client
  22764. format: int64
  22765. type: integer
  22766. auth:
  22767. description: auth configures how secret-manager authenticates with a Github instance.
  22768. properties:
  22769. privateKey:
  22770. description: |-
  22771. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22772. In some instances, `key` is a required field.
  22773. properties:
  22774. key:
  22775. description: |-
  22776. A key in the referenced Secret.
  22777. Some instances of this field may be defaulted, in others it may be required.
  22778. maxLength: 253
  22779. minLength: 1
  22780. pattern: ^[-._a-zA-Z0-9]+$
  22781. type: string
  22782. name:
  22783. description: The name of the Secret resource being referred to.
  22784. maxLength: 253
  22785. minLength: 1
  22786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22787. type: string
  22788. namespace:
  22789. description: |-
  22790. The namespace of the Secret resource being referred to.
  22791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22792. maxLength: 63
  22793. minLength: 1
  22794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22795. type: string
  22796. type: object
  22797. required:
  22798. - privateKey
  22799. type: object
  22800. environment:
  22801. description: environment will be used to fetch secrets from a particular environment within a github repository
  22802. type: string
  22803. installationID:
  22804. description: installationID specifies the Github APP installation that will be used to authenticate the client
  22805. format: int64
  22806. type: integer
  22807. organization:
  22808. description: organization will be used to fetch secrets from the Github organization
  22809. type: string
  22810. repository:
  22811. description: repository will be used to fetch secrets from the Github repository within an organization
  22812. type: string
  22813. uploadURL:
  22814. description: Upload URL for enterprise instances. Default to URL.
  22815. type: string
  22816. url:
  22817. default: https://github.com/
  22818. description: URL configures the Github instance URL. Defaults to https://github.com/.
  22819. type: string
  22820. required:
  22821. - appID
  22822. - auth
  22823. - installationID
  22824. - organization
  22825. type: object
  22826. gitlab:
  22827. description: GitLab configures this store to sync secrets using GitLab Variables provider
  22828. properties:
  22829. auth:
  22830. description: Auth configures how secret-manager authenticates with a GitLab instance.
  22831. properties:
  22832. SecretRef:
  22833. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  22834. properties:
  22835. accessToken:
  22836. description: AccessToken is used for authentication.
  22837. properties:
  22838. key:
  22839. description: |-
  22840. A key in the referenced Secret.
  22841. Some instances of this field may be defaulted, in others it may be required.
  22842. maxLength: 253
  22843. minLength: 1
  22844. pattern: ^[-._a-zA-Z0-9]+$
  22845. type: string
  22846. name:
  22847. description: The name of the Secret resource being referred to.
  22848. maxLength: 253
  22849. minLength: 1
  22850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22851. type: string
  22852. namespace:
  22853. description: |-
  22854. The namespace of the Secret resource being referred to.
  22855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22856. maxLength: 63
  22857. minLength: 1
  22858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22859. type: string
  22860. type: object
  22861. type: object
  22862. required:
  22863. - SecretRef
  22864. type: object
  22865. caBundle:
  22866. description: |-
  22867. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22868. can be performed.
  22869. format: byte
  22870. type: string
  22871. caProvider:
  22872. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22873. properties:
  22874. key:
  22875. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22876. maxLength: 253
  22877. minLength: 1
  22878. pattern: ^[-._a-zA-Z0-9]+$
  22879. type: string
  22880. name:
  22881. description: The name of the object located at the provider type.
  22882. maxLength: 253
  22883. minLength: 1
  22884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22885. type: string
  22886. namespace:
  22887. description: |-
  22888. The namespace the Provider type is in.
  22889. Can only be defined when used in a ClusterSecretStore.
  22890. maxLength: 63
  22891. minLength: 1
  22892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22893. type: string
  22894. type:
  22895. description: The type of provider to use such as "Secret", or "ConfigMap".
  22896. enum:
  22897. - Secret
  22898. - ConfigMap
  22899. type: string
  22900. required:
  22901. - name
  22902. - type
  22903. type: object
  22904. environment:
  22905. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  22906. type: string
  22907. groupIDs:
  22908. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  22909. items:
  22910. type: string
  22911. type: array
  22912. inheritFromGroups:
  22913. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  22914. type: boolean
  22915. projectID:
  22916. description: ProjectID specifies a project where secrets are located.
  22917. type: string
  22918. url:
  22919. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  22920. type: string
  22921. required:
  22922. - auth
  22923. type: object
  22924. ibm:
  22925. description: IBM configures this store to sync secrets using IBM Cloud provider
  22926. properties:
  22927. auth:
  22928. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  22929. maxProperties: 1
  22930. minProperties: 1
  22931. properties:
  22932. containerAuth:
  22933. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  22934. properties:
  22935. iamEndpoint:
  22936. type: string
  22937. profile:
  22938. description: the IBM Trusted Profile
  22939. type: string
  22940. tokenLocation:
  22941. description: Location the token is mounted on the pod
  22942. type: string
  22943. required:
  22944. - profile
  22945. type: object
  22946. secretRef:
  22947. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  22948. properties:
  22949. secretApiKeySecretRef:
  22950. description: The SecretAccessKey is used for authentication
  22951. properties:
  22952. key:
  22953. description: |-
  22954. A key in the referenced Secret.
  22955. Some instances of this field may be defaulted, in others it may be required.
  22956. maxLength: 253
  22957. minLength: 1
  22958. pattern: ^[-._a-zA-Z0-9]+$
  22959. type: string
  22960. name:
  22961. description: The name of the Secret resource being referred to.
  22962. maxLength: 253
  22963. minLength: 1
  22964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22965. type: string
  22966. namespace:
  22967. description: |-
  22968. The namespace of the Secret resource being referred to.
  22969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22970. maxLength: 63
  22971. minLength: 1
  22972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22973. type: string
  22974. type: object
  22975. type: object
  22976. type: object
  22977. serviceUrl:
  22978. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  22979. type: string
  22980. required:
  22981. - auth
  22982. type: object
  22983. infisical:
  22984. description: Infisical configures this store to sync secrets using the Infisical provider
  22985. properties:
  22986. auth:
  22987. description: Auth configures how the Operator authenticates with the Infisical API
  22988. properties:
  22989. universalAuthCredentials:
  22990. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  22991. properties:
  22992. clientId:
  22993. description: |-
  22994. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22995. In some instances, `key` is a required field.
  22996. properties:
  22997. key:
  22998. description: |-
  22999. A key in the referenced Secret.
  23000. Some instances of this field may be defaulted, in others it may be required.
  23001. maxLength: 253
  23002. minLength: 1
  23003. pattern: ^[-._a-zA-Z0-9]+$
  23004. type: string
  23005. name:
  23006. description: The name of the Secret resource being referred to.
  23007. maxLength: 253
  23008. minLength: 1
  23009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23010. type: string
  23011. namespace:
  23012. description: |-
  23013. The namespace of the Secret resource being referred to.
  23014. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23015. maxLength: 63
  23016. minLength: 1
  23017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23018. type: string
  23019. type: object
  23020. clientSecret:
  23021. description: |-
  23022. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23023. In some instances, `key` is a required field.
  23024. properties:
  23025. key:
  23026. description: |-
  23027. A key in the referenced Secret.
  23028. Some instances of this field may be defaulted, in others it may be required.
  23029. maxLength: 253
  23030. minLength: 1
  23031. pattern: ^[-._a-zA-Z0-9]+$
  23032. type: string
  23033. name:
  23034. description: The name of the Secret resource being referred to.
  23035. maxLength: 253
  23036. minLength: 1
  23037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23038. type: string
  23039. namespace:
  23040. description: |-
  23041. The namespace of the Secret resource being referred to.
  23042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23043. maxLength: 63
  23044. minLength: 1
  23045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23046. type: string
  23047. type: object
  23048. required:
  23049. - clientId
  23050. - clientSecret
  23051. type: object
  23052. type: object
  23053. hostAPI:
  23054. default: https://app.infisical.com/api
  23055. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23056. type: string
  23057. secretsScope:
  23058. description: SecretsScope defines the scope of the secrets within the workspace
  23059. properties:
  23060. environmentSlug:
  23061. description: EnvironmentSlug is the required slug identifier for the environment.
  23062. type: string
  23063. expandSecretReferences:
  23064. default: true
  23065. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23066. type: boolean
  23067. projectSlug:
  23068. description: ProjectSlug is the required slug identifier for the project.
  23069. type: string
  23070. recursive:
  23071. default: false
  23072. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23073. type: boolean
  23074. secretsPath:
  23075. default: /
  23076. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23077. type: string
  23078. required:
  23079. - environmentSlug
  23080. - projectSlug
  23081. type: object
  23082. required:
  23083. - auth
  23084. - secretsScope
  23085. type: object
  23086. keepersecurity:
  23087. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23088. properties:
  23089. authRef:
  23090. description: |-
  23091. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23092. In some instances, `key` is a required field.
  23093. properties:
  23094. key:
  23095. description: |-
  23096. A key in the referenced Secret.
  23097. Some instances of this field may be defaulted, in others it may be required.
  23098. maxLength: 253
  23099. minLength: 1
  23100. pattern: ^[-._a-zA-Z0-9]+$
  23101. type: string
  23102. name:
  23103. description: The name of the Secret resource being referred to.
  23104. maxLength: 253
  23105. minLength: 1
  23106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23107. type: string
  23108. namespace:
  23109. description: |-
  23110. The namespace of the Secret resource being referred to.
  23111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23112. maxLength: 63
  23113. minLength: 1
  23114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23115. type: string
  23116. type: object
  23117. folderID:
  23118. type: string
  23119. required:
  23120. - authRef
  23121. - folderID
  23122. type: object
  23123. kubernetes:
  23124. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23125. properties:
  23126. auth:
  23127. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23128. maxProperties: 1
  23129. minProperties: 1
  23130. properties:
  23131. cert:
  23132. description: has both clientCert and clientKey as secretKeySelector
  23133. properties:
  23134. clientCert:
  23135. description: |-
  23136. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23137. In some instances, `key` is a required field.
  23138. properties:
  23139. key:
  23140. description: |-
  23141. A key in the referenced Secret.
  23142. Some instances of this field may be defaulted, in others it may be required.
  23143. maxLength: 253
  23144. minLength: 1
  23145. pattern: ^[-._a-zA-Z0-9]+$
  23146. type: string
  23147. name:
  23148. description: The name of the Secret resource being referred to.
  23149. maxLength: 253
  23150. minLength: 1
  23151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23152. type: string
  23153. namespace:
  23154. description: |-
  23155. The namespace of the Secret resource being referred to.
  23156. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23157. maxLength: 63
  23158. minLength: 1
  23159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23160. type: string
  23161. type: object
  23162. clientKey:
  23163. description: |-
  23164. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23165. In some instances, `key` is a required field.
  23166. properties:
  23167. key:
  23168. description: |-
  23169. A key in the referenced Secret.
  23170. Some instances of this field may be defaulted, in others it may be required.
  23171. maxLength: 253
  23172. minLength: 1
  23173. pattern: ^[-._a-zA-Z0-9]+$
  23174. type: string
  23175. name:
  23176. description: The name of the Secret resource being referred to.
  23177. maxLength: 253
  23178. minLength: 1
  23179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23180. type: string
  23181. namespace:
  23182. description: |-
  23183. The namespace of the Secret resource being referred to.
  23184. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23185. maxLength: 63
  23186. minLength: 1
  23187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23188. type: string
  23189. type: object
  23190. type: object
  23191. serviceAccount:
  23192. description: points to a service account that should be used for authentication
  23193. properties:
  23194. audiences:
  23195. description: |-
  23196. Audience specifies the `aud` claim for the service account token
  23197. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23198. then this audiences will be appended to the list
  23199. items:
  23200. type: string
  23201. type: array
  23202. name:
  23203. description: The name of the ServiceAccount resource being referred to.
  23204. maxLength: 253
  23205. minLength: 1
  23206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23207. type: string
  23208. namespace:
  23209. description: |-
  23210. Namespace of the resource being referred to.
  23211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23212. maxLength: 63
  23213. minLength: 1
  23214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23215. type: string
  23216. required:
  23217. - name
  23218. type: object
  23219. token:
  23220. description: use static token to authenticate with
  23221. properties:
  23222. bearerToken:
  23223. description: |-
  23224. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23225. In some instances, `key` is a required field.
  23226. properties:
  23227. key:
  23228. description: |-
  23229. A key in the referenced Secret.
  23230. Some instances of this field may be defaulted, in others it may be required.
  23231. maxLength: 253
  23232. minLength: 1
  23233. pattern: ^[-._a-zA-Z0-9]+$
  23234. type: string
  23235. name:
  23236. description: The name of the Secret resource being referred to.
  23237. maxLength: 253
  23238. minLength: 1
  23239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23240. type: string
  23241. namespace:
  23242. description: |-
  23243. The namespace of the Secret resource being referred to.
  23244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23245. maxLength: 63
  23246. minLength: 1
  23247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23248. type: string
  23249. type: object
  23250. type: object
  23251. type: object
  23252. authRef:
  23253. description: A reference to a secret that contains the auth information.
  23254. properties:
  23255. key:
  23256. description: |-
  23257. A key in the referenced Secret.
  23258. Some instances of this field may be defaulted, in others it may be required.
  23259. maxLength: 253
  23260. minLength: 1
  23261. pattern: ^[-._a-zA-Z0-9]+$
  23262. type: string
  23263. name:
  23264. description: The name of the Secret resource being referred to.
  23265. maxLength: 253
  23266. minLength: 1
  23267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23268. type: string
  23269. namespace:
  23270. description: |-
  23271. The namespace of the Secret resource being referred to.
  23272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23273. maxLength: 63
  23274. minLength: 1
  23275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23276. type: string
  23277. type: object
  23278. remoteNamespace:
  23279. default: default
  23280. description: Remote namespace to fetch the secrets from
  23281. maxLength: 63
  23282. minLength: 1
  23283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23284. type: string
  23285. server:
  23286. description: configures the Kubernetes server Address.
  23287. properties:
  23288. caBundle:
  23289. description: CABundle is a base64-encoded CA certificate
  23290. format: byte
  23291. type: string
  23292. caProvider:
  23293. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23294. properties:
  23295. key:
  23296. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23297. maxLength: 253
  23298. minLength: 1
  23299. pattern: ^[-._a-zA-Z0-9]+$
  23300. type: string
  23301. name:
  23302. description: The name of the object located at the provider type.
  23303. maxLength: 253
  23304. minLength: 1
  23305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23306. type: string
  23307. namespace:
  23308. description: |-
  23309. The namespace the Provider type is in.
  23310. Can only be defined when used in a ClusterSecretStore.
  23311. maxLength: 63
  23312. minLength: 1
  23313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23314. type: string
  23315. type:
  23316. description: The type of provider to use such as "Secret", or "ConfigMap".
  23317. enum:
  23318. - Secret
  23319. - ConfigMap
  23320. type: string
  23321. required:
  23322. - name
  23323. - type
  23324. type: object
  23325. url:
  23326. default: kubernetes.default
  23327. description: configures the Kubernetes server Address.
  23328. type: string
  23329. type: object
  23330. type: object
  23331. onboardbase:
  23332. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23333. properties:
  23334. apiHost:
  23335. default: https://public.onboardbase.com/api/v1/
  23336. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  23337. type: string
  23338. auth:
  23339. description: Auth configures how the Operator authenticates with the Onboardbase API
  23340. properties:
  23341. apiKeyRef:
  23342. description: |-
  23343. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23344. It is used to recognize and authorize access to a project and environment within onboardbase
  23345. properties:
  23346. key:
  23347. description: |-
  23348. A key in the referenced Secret.
  23349. Some instances of this field may be defaulted, in others it may be required.
  23350. maxLength: 253
  23351. minLength: 1
  23352. pattern: ^[-._a-zA-Z0-9]+$
  23353. type: string
  23354. name:
  23355. description: The name of the Secret resource being referred to.
  23356. maxLength: 253
  23357. minLength: 1
  23358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23359. type: string
  23360. namespace:
  23361. description: |-
  23362. The namespace of the Secret resource being referred to.
  23363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23364. maxLength: 63
  23365. minLength: 1
  23366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23367. type: string
  23368. type: object
  23369. passcodeRef:
  23370. description: OnboardbasePasscode is the passcode attached to the API Key
  23371. properties:
  23372. key:
  23373. description: |-
  23374. A key in the referenced Secret.
  23375. Some instances of this field may be defaulted, in others it may be required.
  23376. maxLength: 253
  23377. minLength: 1
  23378. pattern: ^[-._a-zA-Z0-9]+$
  23379. type: string
  23380. name:
  23381. description: The name of the Secret resource being referred to.
  23382. maxLength: 253
  23383. minLength: 1
  23384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23385. type: string
  23386. namespace:
  23387. description: |-
  23388. The namespace of the Secret resource being referred to.
  23389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23390. maxLength: 63
  23391. minLength: 1
  23392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23393. type: string
  23394. type: object
  23395. required:
  23396. - apiKeyRef
  23397. - passcodeRef
  23398. type: object
  23399. environment:
  23400. default: development
  23401. description: Environment is the name of an environmnent within a project to pull the secrets from
  23402. type: string
  23403. project:
  23404. default: development
  23405. description: Project is an onboardbase project that the secrets should be pulled from
  23406. type: string
  23407. required:
  23408. - apiHost
  23409. - auth
  23410. - environment
  23411. - project
  23412. type: object
  23413. onepassword:
  23414. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23415. properties:
  23416. auth:
  23417. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23418. properties:
  23419. secretRef:
  23420. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23421. properties:
  23422. connectTokenSecretRef:
  23423. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23424. properties:
  23425. key:
  23426. description: |-
  23427. A key in the referenced Secret.
  23428. Some instances of this field may be defaulted, in others it may be required.
  23429. maxLength: 253
  23430. minLength: 1
  23431. pattern: ^[-._a-zA-Z0-9]+$
  23432. type: string
  23433. name:
  23434. description: The name of the Secret resource being referred to.
  23435. maxLength: 253
  23436. minLength: 1
  23437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23438. type: string
  23439. namespace:
  23440. description: |-
  23441. The namespace of the Secret resource being referred to.
  23442. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23443. maxLength: 63
  23444. minLength: 1
  23445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23446. type: string
  23447. type: object
  23448. required:
  23449. - connectTokenSecretRef
  23450. type: object
  23451. required:
  23452. - secretRef
  23453. type: object
  23454. connectHost:
  23455. description: ConnectHost defines the OnePassword Connect Server to connect to
  23456. type: string
  23457. vaults:
  23458. additionalProperties:
  23459. type: integer
  23460. description: Vaults defines which OnePassword vaults to search in which order
  23461. type: object
  23462. required:
  23463. - auth
  23464. - connectHost
  23465. - vaults
  23466. type: object
  23467. oracle:
  23468. description: Oracle configures this store to sync secrets using Oracle Vault provider
  23469. properties:
  23470. auth:
  23471. description: |-
  23472. Auth configures how secret-manager authenticates with the Oracle Vault.
  23473. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  23474. properties:
  23475. secretRef:
  23476. description: SecretRef to pass through sensitive information.
  23477. properties:
  23478. fingerprint:
  23479. description: Fingerprint is the fingerprint of the API private key.
  23480. properties:
  23481. key:
  23482. description: |-
  23483. A key in the referenced Secret.
  23484. Some instances of this field may be defaulted, in others it may be required.
  23485. maxLength: 253
  23486. minLength: 1
  23487. pattern: ^[-._a-zA-Z0-9]+$
  23488. type: string
  23489. name:
  23490. description: The name of the Secret resource being referred to.
  23491. maxLength: 253
  23492. minLength: 1
  23493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23494. type: string
  23495. namespace:
  23496. description: |-
  23497. The namespace of the Secret resource being referred to.
  23498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23499. maxLength: 63
  23500. minLength: 1
  23501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23502. type: string
  23503. type: object
  23504. privatekey:
  23505. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  23506. properties:
  23507. key:
  23508. description: |-
  23509. A key in the referenced Secret.
  23510. Some instances of this field may be defaulted, in others it may be required.
  23511. maxLength: 253
  23512. minLength: 1
  23513. pattern: ^[-._a-zA-Z0-9]+$
  23514. type: string
  23515. name:
  23516. description: The name of the Secret resource being referred to.
  23517. maxLength: 253
  23518. minLength: 1
  23519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23520. type: string
  23521. namespace:
  23522. description: |-
  23523. The namespace of the Secret resource being referred to.
  23524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23525. maxLength: 63
  23526. minLength: 1
  23527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23528. type: string
  23529. type: object
  23530. required:
  23531. - fingerprint
  23532. - privatekey
  23533. type: object
  23534. tenancy:
  23535. description: Tenancy is the tenancy OCID where user is located.
  23536. type: string
  23537. user:
  23538. description: User is an access OCID specific to the account.
  23539. type: string
  23540. required:
  23541. - secretRef
  23542. - tenancy
  23543. - user
  23544. type: object
  23545. compartment:
  23546. description: |-
  23547. Compartment is the vault compartment OCID.
  23548. Required for PushSecret
  23549. type: string
  23550. encryptionKey:
  23551. description: |-
  23552. EncryptionKey is the OCID of the encryption key within the vault.
  23553. Required for PushSecret
  23554. type: string
  23555. principalType:
  23556. description: |-
  23557. The type of principal to use for authentication. If left blank, the Auth struct will
  23558. determine the principal type. This optional field must be specified if using
  23559. workload identity.
  23560. enum:
  23561. - ""
  23562. - UserPrincipal
  23563. - InstancePrincipal
  23564. - Workload
  23565. type: string
  23566. region:
  23567. description: Region is the region where vault is located.
  23568. type: string
  23569. serviceAccountRef:
  23570. description: |-
  23571. ServiceAccountRef specified the service account
  23572. that should be used when authenticating with WorkloadIdentity.
  23573. properties:
  23574. audiences:
  23575. description: |-
  23576. Audience specifies the `aud` claim for the service account token
  23577. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23578. then this audiences will be appended to the list
  23579. items:
  23580. type: string
  23581. type: array
  23582. name:
  23583. description: The name of the ServiceAccount resource being referred to.
  23584. maxLength: 253
  23585. minLength: 1
  23586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23587. type: string
  23588. namespace:
  23589. description: |-
  23590. Namespace of the resource being referred to.
  23591. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23592. maxLength: 63
  23593. minLength: 1
  23594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23595. type: string
  23596. required:
  23597. - name
  23598. type: object
  23599. vault:
  23600. description: Vault is the vault's OCID of the specific vault where secret is located.
  23601. type: string
  23602. required:
  23603. - region
  23604. - vault
  23605. type: object
  23606. passbolt:
  23607. description: PassboltProvider defines configuration for the Passbolt provider.
  23608. properties:
  23609. auth:
  23610. description: Auth defines the information necessary to authenticate against Passbolt Server
  23611. properties:
  23612. passwordSecretRef:
  23613. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  23614. properties:
  23615. key:
  23616. description: |-
  23617. A key in the referenced Secret.
  23618. Some instances of this field may be defaulted, in others it may be required.
  23619. maxLength: 253
  23620. minLength: 1
  23621. pattern: ^[-._a-zA-Z0-9]+$
  23622. type: string
  23623. name:
  23624. description: The name of the Secret resource being referred to.
  23625. maxLength: 253
  23626. minLength: 1
  23627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23628. type: string
  23629. namespace:
  23630. description: |-
  23631. The namespace of the Secret resource being referred to.
  23632. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23633. maxLength: 63
  23634. minLength: 1
  23635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23636. type: string
  23637. type: object
  23638. privateKeySecretRef:
  23639. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  23640. properties:
  23641. key:
  23642. description: |-
  23643. A key in the referenced Secret.
  23644. Some instances of this field may be defaulted, in others it may be required.
  23645. maxLength: 253
  23646. minLength: 1
  23647. pattern: ^[-._a-zA-Z0-9]+$
  23648. type: string
  23649. name:
  23650. description: The name of the Secret resource being referred to.
  23651. maxLength: 253
  23652. minLength: 1
  23653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23654. type: string
  23655. namespace:
  23656. description: |-
  23657. The namespace of the Secret resource being referred to.
  23658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23659. maxLength: 63
  23660. minLength: 1
  23661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23662. type: string
  23663. type: object
  23664. required:
  23665. - passwordSecretRef
  23666. - privateKeySecretRef
  23667. type: object
  23668. host:
  23669. description: Host defines the Passbolt Server to connect to
  23670. type: string
  23671. required:
  23672. - auth
  23673. - host
  23674. type: object
  23675. passworddepot:
  23676. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  23677. properties:
  23678. auth:
  23679. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  23680. properties:
  23681. secretRef:
  23682. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  23683. properties:
  23684. credentials:
  23685. description: Username / Password is used for authentication.
  23686. properties:
  23687. key:
  23688. description: |-
  23689. A key in the referenced Secret.
  23690. Some instances of this field may be defaulted, in others it may be required.
  23691. maxLength: 253
  23692. minLength: 1
  23693. pattern: ^[-._a-zA-Z0-9]+$
  23694. type: string
  23695. name:
  23696. description: The name of the Secret resource being referred to.
  23697. maxLength: 253
  23698. minLength: 1
  23699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23700. type: string
  23701. namespace:
  23702. description: |-
  23703. The namespace of the Secret resource being referred to.
  23704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23705. maxLength: 63
  23706. minLength: 1
  23707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23708. type: string
  23709. type: object
  23710. type: object
  23711. required:
  23712. - secretRef
  23713. type: object
  23714. database:
  23715. description: Database to use as source
  23716. type: string
  23717. host:
  23718. description: URL configures the Password Depot instance URL.
  23719. type: string
  23720. required:
  23721. - auth
  23722. - database
  23723. - host
  23724. type: object
  23725. previder:
  23726. description: Previder configures this store to sync secrets using the Previder provider
  23727. properties:
  23728. auth:
  23729. description: PreviderAuth contains a secretRef for credentials.
  23730. properties:
  23731. secretRef:
  23732. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  23733. properties:
  23734. accessToken:
  23735. description: The AccessToken is used for authentication
  23736. properties:
  23737. key:
  23738. description: |-
  23739. A key in the referenced Secret.
  23740. Some instances of this field may be defaulted, in others it may be required.
  23741. maxLength: 253
  23742. minLength: 1
  23743. pattern: ^[-._a-zA-Z0-9]+$
  23744. type: string
  23745. name:
  23746. description: The name of the Secret resource being referred to.
  23747. maxLength: 253
  23748. minLength: 1
  23749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23750. type: string
  23751. namespace:
  23752. description: |-
  23753. The namespace of the Secret resource being referred to.
  23754. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23755. maxLength: 63
  23756. minLength: 1
  23757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23758. type: string
  23759. type: object
  23760. required:
  23761. - accessToken
  23762. type: object
  23763. type: object
  23764. baseUri:
  23765. type: string
  23766. required:
  23767. - auth
  23768. type: object
  23769. pulumi:
  23770. description: Pulumi configures this store to sync secrets using the Pulumi provider
  23771. properties:
  23772. accessToken:
  23773. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  23774. properties:
  23775. secretRef:
  23776. description: SecretRef is a reference to a secret containing the Pulumi API token.
  23777. properties:
  23778. key:
  23779. description: |-
  23780. A key in the referenced Secret.
  23781. Some instances of this field may be defaulted, in others it may be required.
  23782. maxLength: 253
  23783. minLength: 1
  23784. pattern: ^[-._a-zA-Z0-9]+$
  23785. type: string
  23786. name:
  23787. description: The name of the Secret resource being referred to.
  23788. maxLength: 253
  23789. minLength: 1
  23790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23791. type: string
  23792. namespace:
  23793. description: |-
  23794. The namespace of the Secret resource being referred to.
  23795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23796. maxLength: 63
  23797. minLength: 1
  23798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23799. type: string
  23800. type: object
  23801. type: object
  23802. apiUrl:
  23803. default: https://api.pulumi.com/api/esc
  23804. description: APIURL is the URL of the Pulumi API.
  23805. type: string
  23806. environment:
  23807. description: |-
  23808. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  23809. dynamically retrieved values from supported providers including all major clouds,
  23810. and other Pulumi ESC environments.
  23811. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  23812. type: string
  23813. organization:
  23814. description: |-
  23815. Organization are a space to collaborate on shared projects and stacks.
  23816. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  23817. type: string
  23818. project:
  23819. description: Project is the name of the Pulumi ESC project the environment belongs to.
  23820. type: string
  23821. required:
  23822. - accessToken
  23823. - environment
  23824. - organization
  23825. - project
  23826. type: object
  23827. scaleway:
  23828. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  23829. properties:
  23830. accessKey:
  23831. description: AccessKey is the non-secret part of the api key.
  23832. properties:
  23833. secretRef:
  23834. description: SecretRef references a key in a secret that will be used as value.
  23835. properties:
  23836. key:
  23837. description: |-
  23838. A key in the referenced Secret.
  23839. Some instances of this field may be defaulted, in others it may be required.
  23840. maxLength: 253
  23841. minLength: 1
  23842. pattern: ^[-._a-zA-Z0-9]+$
  23843. type: string
  23844. name:
  23845. description: The name of the Secret resource being referred to.
  23846. maxLength: 253
  23847. minLength: 1
  23848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23849. type: string
  23850. namespace:
  23851. description: |-
  23852. The namespace of the Secret resource being referred to.
  23853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23854. maxLength: 63
  23855. minLength: 1
  23856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23857. type: string
  23858. type: object
  23859. value:
  23860. description: Value can be specified directly to set a value without using a secret.
  23861. type: string
  23862. type: object
  23863. apiUrl:
  23864. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  23865. type: string
  23866. projectId:
  23867. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  23868. type: string
  23869. region:
  23870. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  23871. type: string
  23872. secretKey:
  23873. description: SecretKey is the non-secret part of the api key.
  23874. properties:
  23875. secretRef:
  23876. description: SecretRef references a key in a secret that will be used as value.
  23877. properties:
  23878. key:
  23879. description: |-
  23880. A key in the referenced Secret.
  23881. Some instances of this field may be defaulted, in others it may be required.
  23882. maxLength: 253
  23883. minLength: 1
  23884. pattern: ^[-._a-zA-Z0-9]+$
  23885. type: string
  23886. name:
  23887. description: The name of the Secret resource being referred to.
  23888. maxLength: 253
  23889. minLength: 1
  23890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23891. type: string
  23892. namespace:
  23893. description: |-
  23894. The namespace of the Secret resource being referred to.
  23895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23896. maxLength: 63
  23897. minLength: 1
  23898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23899. type: string
  23900. type: object
  23901. value:
  23902. description: Value can be specified directly to set a value without using a secret.
  23903. type: string
  23904. type: object
  23905. required:
  23906. - accessKey
  23907. - projectId
  23908. - region
  23909. - secretKey
  23910. type: object
  23911. secretserver:
  23912. description: |-
  23913. SecretServer configures this store to sync secrets using SecretServer provider
  23914. https://docs.delinea.com/online-help/secret-server/start.htm
  23915. properties:
  23916. password:
  23917. description: Password is the secret server account password.
  23918. properties:
  23919. secretRef:
  23920. description: SecretRef references a key in a secret that will be used as value.
  23921. properties:
  23922. key:
  23923. description: |-
  23924. A key in the referenced Secret.
  23925. Some instances of this field may be defaulted, in others it may be required.
  23926. maxLength: 253
  23927. minLength: 1
  23928. pattern: ^[-._a-zA-Z0-9]+$
  23929. type: string
  23930. name:
  23931. description: The name of the Secret resource being referred to.
  23932. maxLength: 253
  23933. minLength: 1
  23934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23935. type: string
  23936. namespace:
  23937. description: |-
  23938. The namespace of the Secret resource being referred to.
  23939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23940. maxLength: 63
  23941. minLength: 1
  23942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23943. type: string
  23944. type: object
  23945. value:
  23946. description: Value can be specified directly to set a value without using a secret.
  23947. type: string
  23948. type: object
  23949. serverURL:
  23950. description: |-
  23951. ServerURL
  23952. URL to your secret server installation
  23953. type: string
  23954. username:
  23955. description: Username is the secret server account username.
  23956. properties:
  23957. secretRef:
  23958. description: SecretRef references a key in a secret that will be used as value.
  23959. properties:
  23960. key:
  23961. description: |-
  23962. A key in the referenced Secret.
  23963. Some instances of this field may be defaulted, in others it may be required.
  23964. maxLength: 253
  23965. minLength: 1
  23966. pattern: ^[-._a-zA-Z0-9]+$
  23967. type: string
  23968. name:
  23969. description: The name of the Secret resource being referred to.
  23970. maxLength: 253
  23971. minLength: 1
  23972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23973. type: string
  23974. namespace:
  23975. description: |-
  23976. The namespace of the Secret resource being referred to.
  23977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23978. maxLength: 63
  23979. minLength: 1
  23980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23981. type: string
  23982. type: object
  23983. value:
  23984. description: Value can be specified directly to set a value without using a secret.
  23985. type: string
  23986. type: object
  23987. required:
  23988. - password
  23989. - serverURL
  23990. - username
  23991. type: object
  23992. senhasegura:
  23993. description: Senhasegura configures this store to sync secrets using senhasegura provider
  23994. properties:
  23995. auth:
  23996. description: Auth defines parameters to authenticate in senhasegura
  23997. properties:
  23998. clientId:
  23999. type: string
  24000. clientSecretSecretRef:
  24001. description: |-
  24002. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24003. In some instances, `key` is a required field.
  24004. properties:
  24005. key:
  24006. description: |-
  24007. A key in the referenced Secret.
  24008. Some instances of this field may be defaulted, in others it may be required.
  24009. maxLength: 253
  24010. minLength: 1
  24011. pattern: ^[-._a-zA-Z0-9]+$
  24012. type: string
  24013. name:
  24014. description: The name of the Secret resource being referred to.
  24015. maxLength: 253
  24016. minLength: 1
  24017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24018. type: string
  24019. namespace:
  24020. description: |-
  24021. The namespace of the Secret resource being referred to.
  24022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24023. maxLength: 63
  24024. minLength: 1
  24025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24026. type: string
  24027. type: object
  24028. required:
  24029. - clientId
  24030. - clientSecretSecretRef
  24031. type: object
  24032. ignoreSslCertificate:
  24033. default: false
  24034. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  24035. type: boolean
  24036. module:
  24037. description: Module defines which senhasegura module should be used to get secrets
  24038. type: string
  24039. url:
  24040. description: URL of senhasegura
  24041. type: string
  24042. required:
  24043. - auth
  24044. - module
  24045. - url
  24046. type: object
  24047. vault:
  24048. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24049. properties:
  24050. auth:
  24051. description: Auth configures how secret-manager authenticates with the Vault server.
  24052. properties:
  24053. appRole:
  24054. description: |-
  24055. AppRole authenticates with Vault using the App Role auth mechanism,
  24056. with the role and secret stored in a Kubernetes Secret resource.
  24057. properties:
  24058. path:
  24059. default: approle
  24060. description: |-
  24061. Path where the App Role authentication backend is mounted
  24062. in Vault, e.g: "approle"
  24063. type: string
  24064. roleId:
  24065. description: |-
  24066. RoleID configured in the App Role authentication backend when setting
  24067. up the authentication backend in Vault.
  24068. type: string
  24069. roleRef:
  24070. description: |-
  24071. Reference to a key in a Secret that contains the App Role ID used
  24072. to authenticate with Vault.
  24073. The `key` field must be specified and denotes which entry within the Secret
  24074. resource is used as the app role id.
  24075. properties:
  24076. key:
  24077. description: |-
  24078. A key in the referenced Secret.
  24079. Some instances of this field may be defaulted, in others it may be required.
  24080. maxLength: 253
  24081. minLength: 1
  24082. pattern: ^[-._a-zA-Z0-9]+$
  24083. type: string
  24084. name:
  24085. description: The name of the Secret resource being referred to.
  24086. maxLength: 253
  24087. minLength: 1
  24088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24089. type: string
  24090. namespace:
  24091. description: |-
  24092. The namespace of the Secret resource being referred to.
  24093. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24094. maxLength: 63
  24095. minLength: 1
  24096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24097. type: string
  24098. type: object
  24099. secretRef:
  24100. description: |-
  24101. Reference to a key in a Secret that contains the App Role secret used
  24102. to authenticate with Vault.
  24103. The `key` field must be specified and denotes which entry within the Secret
  24104. resource is used as the app role secret.
  24105. properties:
  24106. key:
  24107. description: |-
  24108. A key in the referenced Secret.
  24109. Some instances of this field may be defaulted, in others it may be required.
  24110. maxLength: 253
  24111. minLength: 1
  24112. pattern: ^[-._a-zA-Z0-9]+$
  24113. type: string
  24114. name:
  24115. description: The name of the Secret resource being referred to.
  24116. maxLength: 253
  24117. minLength: 1
  24118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24119. type: string
  24120. namespace:
  24121. description: |-
  24122. The namespace of the Secret resource being referred to.
  24123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24124. maxLength: 63
  24125. minLength: 1
  24126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24127. type: string
  24128. type: object
  24129. required:
  24130. - path
  24131. - secretRef
  24132. type: object
  24133. cert:
  24134. description: |-
  24135. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  24136. Cert authentication method
  24137. properties:
  24138. clientCert:
  24139. description: |-
  24140. ClientCert is a certificate to authenticate using the Cert Vault
  24141. authentication method
  24142. properties:
  24143. key:
  24144. description: |-
  24145. A key in the referenced Secret.
  24146. Some instances of this field may be defaulted, in others it may be required.
  24147. maxLength: 253
  24148. minLength: 1
  24149. pattern: ^[-._a-zA-Z0-9]+$
  24150. type: string
  24151. name:
  24152. description: The name of the Secret resource being referred to.
  24153. maxLength: 253
  24154. minLength: 1
  24155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24156. type: string
  24157. namespace:
  24158. description: |-
  24159. The namespace of the Secret resource being referred to.
  24160. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24161. maxLength: 63
  24162. minLength: 1
  24163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24164. type: string
  24165. type: object
  24166. secretRef:
  24167. description: |-
  24168. SecretRef to a key in a Secret resource containing client private key to
  24169. authenticate with Vault using the Cert authentication method
  24170. properties:
  24171. key:
  24172. description: |-
  24173. A key in the referenced Secret.
  24174. Some instances of this field may be defaulted, in others it may be required.
  24175. maxLength: 253
  24176. minLength: 1
  24177. pattern: ^[-._a-zA-Z0-9]+$
  24178. type: string
  24179. name:
  24180. description: The name of the Secret resource being referred to.
  24181. maxLength: 253
  24182. minLength: 1
  24183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24184. type: string
  24185. namespace:
  24186. description: |-
  24187. The namespace of the Secret resource being referred to.
  24188. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24189. maxLength: 63
  24190. minLength: 1
  24191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24192. type: string
  24193. type: object
  24194. type: object
  24195. iam:
  24196. description: |-
  24197. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  24198. AWS IAM authentication method
  24199. properties:
  24200. externalID:
  24201. description: AWS External ID set on assumed IAM roles
  24202. type: string
  24203. jwt:
  24204. description: Specify a service account with IRSA enabled
  24205. properties:
  24206. serviceAccountRef:
  24207. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24208. properties:
  24209. audiences:
  24210. description: |-
  24211. Audience specifies the `aud` claim for the service account token
  24212. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24213. then this audiences will be appended to the list
  24214. items:
  24215. type: string
  24216. type: array
  24217. name:
  24218. description: The name of the ServiceAccount resource being referred to.
  24219. maxLength: 253
  24220. minLength: 1
  24221. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24222. type: string
  24223. namespace:
  24224. description: |-
  24225. Namespace of the resource being referred to.
  24226. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24227. maxLength: 63
  24228. minLength: 1
  24229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24230. type: string
  24231. required:
  24232. - name
  24233. type: object
  24234. type: object
  24235. path:
  24236. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24237. type: string
  24238. region:
  24239. description: AWS region
  24240. type: string
  24241. role:
  24242. description: This is the AWS role to be assumed before talking to vault
  24243. type: string
  24244. secretRef:
  24245. description: Specify credentials in a Secret object
  24246. properties:
  24247. accessKeyIDSecretRef:
  24248. description: The AccessKeyID is used for authentication
  24249. properties:
  24250. key:
  24251. description: |-
  24252. A key in the referenced Secret.
  24253. Some instances of this field may be defaulted, in others it may be required.
  24254. maxLength: 253
  24255. minLength: 1
  24256. pattern: ^[-._a-zA-Z0-9]+$
  24257. type: string
  24258. name:
  24259. description: The name of the Secret resource being referred to.
  24260. maxLength: 253
  24261. minLength: 1
  24262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24263. type: string
  24264. namespace:
  24265. description: |-
  24266. The namespace of the Secret resource being referred to.
  24267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24268. maxLength: 63
  24269. minLength: 1
  24270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24271. type: string
  24272. type: object
  24273. secretAccessKeySecretRef:
  24274. description: The SecretAccessKey is used for authentication
  24275. properties:
  24276. key:
  24277. description: |-
  24278. A key in the referenced Secret.
  24279. Some instances of this field may be defaulted, in others it may be required.
  24280. maxLength: 253
  24281. minLength: 1
  24282. pattern: ^[-._a-zA-Z0-9]+$
  24283. type: string
  24284. name:
  24285. description: The name of the Secret resource being referred to.
  24286. maxLength: 253
  24287. minLength: 1
  24288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24289. type: string
  24290. namespace:
  24291. description: |-
  24292. The namespace of the Secret resource being referred to.
  24293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24294. maxLength: 63
  24295. minLength: 1
  24296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24297. type: string
  24298. type: object
  24299. sessionTokenSecretRef:
  24300. description: |-
  24301. The SessionToken used for authentication
  24302. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24303. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24304. properties:
  24305. key:
  24306. description: |-
  24307. A key in the referenced Secret.
  24308. Some instances of this field may be defaulted, in others it may be required.
  24309. maxLength: 253
  24310. minLength: 1
  24311. pattern: ^[-._a-zA-Z0-9]+$
  24312. type: string
  24313. name:
  24314. description: The name of the Secret resource being referred to.
  24315. maxLength: 253
  24316. minLength: 1
  24317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24318. type: string
  24319. namespace:
  24320. description: |-
  24321. The namespace of the Secret resource being referred to.
  24322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24323. maxLength: 63
  24324. minLength: 1
  24325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24326. type: string
  24327. type: object
  24328. type: object
  24329. vaultAwsIamServerID:
  24330. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24331. type: string
  24332. vaultRole:
  24333. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  24334. type: string
  24335. required:
  24336. - vaultRole
  24337. type: object
  24338. jwt:
  24339. description: |-
  24340. Jwt authenticates with Vault by passing role and JWT token using the
  24341. JWT/OIDC authentication method
  24342. properties:
  24343. kubernetesServiceAccountToken:
  24344. description: |-
  24345. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  24346. a token for with the `TokenRequest` API.
  24347. properties:
  24348. audiences:
  24349. description: |-
  24350. Optional audiences field that will be used to request a temporary Kubernetes service
  24351. account token for the service account referenced by `serviceAccountRef`.
  24352. Defaults to a single audience `vault` it not specified.
  24353. Deprecated: use serviceAccountRef.Audiences instead
  24354. items:
  24355. type: string
  24356. type: array
  24357. expirationSeconds:
  24358. description: |-
  24359. Optional expiration time in seconds that will be used to request a temporary
  24360. Kubernetes service account token for the service account referenced by
  24361. `serviceAccountRef`.
  24362. Deprecated: this will be removed in the future.
  24363. Defaults to 10 minutes.
  24364. format: int64
  24365. type: integer
  24366. serviceAccountRef:
  24367. description: Service account field containing the name of a kubernetes ServiceAccount.
  24368. properties:
  24369. audiences:
  24370. description: |-
  24371. Audience specifies the `aud` claim for the service account token
  24372. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24373. then this audiences will be appended to the list
  24374. items:
  24375. type: string
  24376. type: array
  24377. name:
  24378. description: The name of the ServiceAccount resource being referred to.
  24379. maxLength: 253
  24380. minLength: 1
  24381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24382. type: string
  24383. namespace:
  24384. description: |-
  24385. Namespace of the resource being referred to.
  24386. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24387. maxLength: 63
  24388. minLength: 1
  24389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24390. type: string
  24391. required:
  24392. - name
  24393. type: object
  24394. required:
  24395. - serviceAccountRef
  24396. type: object
  24397. path:
  24398. default: jwt
  24399. description: |-
  24400. Path where the JWT authentication backend is mounted
  24401. in Vault, e.g: "jwt"
  24402. type: string
  24403. role:
  24404. description: |-
  24405. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24406. authentication method
  24407. type: string
  24408. secretRef:
  24409. description: |-
  24410. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24411. authenticate with Vault using the JWT/OIDC authentication method.
  24412. properties:
  24413. key:
  24414. description: |-
  24415. A key in the referenced Secret.
  24416. Some instances of this field may be defaulted, in others it may be required.
  24417. maxLength: 253
  24418. minLength: 1
  24419. pattern: ^[-._a-zA-Z0-9]+$
  24420. type: string
  24421. name:
  24422. description: The name of the Secret resource being referred to.
  24423. maxLength: 253
  24424. minLength: 1
  24425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24426. type: string
  24427. namespace:
  24428. description: |-
  24429. The namespace of the Secret resource being referred to.
  24430. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24431. maxLength: 63
  24432. minLength: 1
  24433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24434. type: string
  24435. type: object
  24436. required:
  24437. - path
  24438. type: object
  24439. kubernetes:
  24440. description: |-
  24441. Kubernetes authenticates with Vault by passing the ServiceAccount
  24442. token stored in the named Secret resource to the Vault server.
  24443. properties:
  24444. mountPath:
  24445. default: kubernetes
  24446. description: |-
  24447. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24448. "kubernetes"
  24449. type: string
  24450. role:
  24451. description: |-
  24452. A required field containing the Vault Role to assume. A Role binds a
  24453. Kubernetes ServiceAccount with a set of Vault policies.
  24454. type: string
  24455. secretRef:
  24456. description: |-
  24457. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24458. for authenticating with Vault. If a name is specified without a key,
  24459. `token` is the default. If one is not specified, the one bound to
  24460. the controller will be used.
  24461. properties:
  24462. key:
  24463. description: |-
  24464. A key in the referenced Secret.
  24465. Some instances of this field may be defaulted, in others it may be required.
  24466. maxLength: 253
  24467. minLength: 1
  24468. pattern: ^[-._a-zA-Z0-9]+$
  24469. type: string
  24470. name:
  24471. description: The name of the Secret resource being referred to.
  24472. maxLength: 253
  24473. minLength: 1
  24474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24475. type: string
  24476. namespace:
  24477. description: |-
  24478. The namespace of the Secret resource being referred to.
  24479. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24480. maxLength: 63
  24481. minLength: 1
  24482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24483. type: string
  24484. type: object
  24485. serviceAccountRef:
  24486. description: |-
  24487. Optional service account field containing the name of a kubernetes ServiceAccount.
  24488. If the service account is specified, the service account secret token JWT will be used
  24489. for authenticating with Vault. If the service account selector is not supplied,
  24490. the secretRef will be used instead.
  24491. properties:
  24492. audiences:
  24493. description: |-
  24494. Audience specifies the `aud` claim for the service account token
  24495. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24496. then this audiences will be appended to the list
  24497. items:
  24498. type: string
  24499. type: array
  24500. name:
  24501. description: The name of the ServiceAccount resource being referred to.
  24502. maxLength: 253
  24503. minLength: 1
  24504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24505. type: string
  24506. namespace:
  24507. description: |-
  24508. Namespace of the resource being referred to.
  24509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24510. maxLength: 63
  24511. minLength: 1
  24512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24513. type: string
  24514. required:
  24515. - name
  24516. type: object
  24517. required:
  24518. - mountPath
  24519. - role
  24520. type: object
  24521. ldap:
  24522. description: |-
  24523. Ldap authenticates with Vault by passing username/password pair using
  24524. the LDAP authentication method
  24525. properties:
  24526. path:
  24527. default: ldap
  24528. description: |-
  24529. Path where the LDAP authentication backend is mounted
  24530. in Vault, e.g: "ldap"
  24531. type: string
  24532. secretRef:
  24533. description: |-
  24534. SecretRef to a key in a Secret resource containing password for the LDAP
  24535. user used to authenticate with Vault using the LDAP authentication
  24536. method
  24537. properties:
  24538. key:
  24539. description: |-
  24540. A key in the referenced Secret.
  24541. Some instances of this field may be defaulted, in others it may be required.
  24542. maxLength: 253
  24543. minLength: 1
  24544. pattern: ^[-._a-zA-Z0-9]+$
  24545. type: string
  24546. name:
  24547. description: The name of the Secret resource being referred to.
  24548. maxLength: 253
  24549. minLength: 1
  24550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24551. type: string
  24552. namespace:
  24553. description: |-
  24554. The namespace of the Secret resource being referred to.
  24555. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24556. maxLength: 63
  24557. minLength: 1
  24558. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24559. type: string
  24560. type: object
  24561. username:
  24562. description: |-
  24563. Username is an LDAP username used to authenticate using the LDAP Vault
  24564. authentication method
  24565. type: string
  24566. required:
  24567. - path
  24568. - username
  24569. type: object
  24570. namespace:
  24571. description: |-
  24572. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  24573. Namespaces is a set of features within Vault Enterprise that allows
  24574. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24575. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24576. This will default to Vault.Namespace field if set, or empty otherwise
  24577. type: string
  24578. tokenSecretRef:
  24579. description: TokenSecretRef authenticates with Vault by presenting a token.
  24580. properties:
  24581. key:
  24582. description: |-
  24583. A key in the referenced Secret.
  24584. Some instances of this field may be defaulted, in others it may be required.
  24585. maxLength: 253
  24586. minLength: 1
  24587. pattern: ^[-._a-zA-Z0-9]+$
  24588. type: string
  24589. name:
  24590. description: The name of the Secret resource being referred to.
  24591. maxLength: 253
  24592. minLength: 1
  24593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24594. type: string
  24595. namespace:
  24596. description: |-
  24597. The namespace of the Secret resource being referred to.
  24598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24599. maxLength: 63
  24600. minLength: 1
  24601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24602. type: string
  24603. type: object
  24604. userPass:
  24605. description: UserPass authenticates with Vault by passing username/password pair
  24606. properties:
  24607. path:
  24608. default: userpass
  24609. description: |-
  24610. Path where the UserPassword authentication backend is mounted
  24611. in Vault, e.g: "userpass"
  24612. type: string
  24613. secretRef:
  24614. description: |-
  24615. SecretRef to a key in a Secret resource containing password for the
  24616. user used to authenticate with Vault using the UserPass authentication
  24617. method
  24618. properties:
  24619. key:
  24620. description: |-
  24621. A key in the referenced Secret.
  24622. Some instances of this field may be defaulted, in others it may be required.
  24623. maxLength: 253
  24624. minLength: 1
  24625. pattern: ^[-._a-zA-Z0-9]+$
  24626. type: string
  24627. name:
  24628. description: The name of the Secret resource being referred to.
  24629. maxLength: 253
  24630. minLength: 1
  24631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24632. type: string
  24633. namespace:
  24634. description: |-
  24635. The namespace of the Secret resource being referred to.
  24636. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24637. maxLength: 63
  24638. minLength: 1
  24639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24640. type: string
  24641. type: object
  24642. username:
  24643. description: |-
  24644. Username is a username used to authenticate using the UserPass Vault
  24645. authentication method
  24646. type: string
  24647. required:
  24648. - path
  24649. - username
  24650. type: object
  24651. type: object
  24652. caBundle:
  24653. description: |-
  24654. PEM encoded CA bundle used to validate Vault server certificate. Only used
  24655. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24656. plain HTTP protocol connection. If not set the system root certificates
  24657. are used to validate the TLS connection.
  24658. format: byte
  24659. type: string
  24660. caProvider:
  24661. description: The provider for the CA bundle to use to validate Vault server certificate.
  24662. properties:
  24663. key:
  24664. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24665. maxLength: 253
  24666. minLength: 1
  24667. pattern: ^[-._a-zA-Z0-9]+$
  24668. type: string
  24669. name:
  24670. description: The name of the object located at the provider type.
  24671. maxLength: 253
  24672. minLength: 1
  24673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24674. type: string
  24675. namespace:
  24676. description: |-
  24677. The namespace the Provider type is in.
  24678. Can only be defined when used in a ClusterSecretStore.
  24679. maxLength: 63
  24680. minLength: 1
  24681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24682. type: string
  24683. type:
  24684. description: The type of provider to use such as "Secret", or "ConfigMap".
  24685. enum:
  24686. - Secret
  24687. - ConfigMap
  24688. type: string
  24689. required:
  24690. - name
  24691. - type
  24692. type: object
  24693. forwardInconsistent:
  24694. description: |-
  24695. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  24696. leader instead of simply retrying within a loop. This can increase performance if
  24697. the option is enabled serverside.
  24698. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  24699. type: boolean
  24700. headers:
  24701. additionalProperties:
  24702. type: string
  24703. description: Headers to be added in Vault request
  24704. type: object
  24705. namespace:
  24706. description: |-
  24707. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  24708. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24709. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24710. type: string
  24711. path:
  24712. description: |-
  24713. Path is the mount path of the Vault KV backend endpoint, e.g:
  24714. "secret". The v2 KV secret engine version specific "/data" path suffix
  24715. for fetching secrets from Vault is optional and will be appended
  24716. if not present in specified path.
  24717. type: string
  24718. readYourWrites:
  24719. description: |-
  24720. ReadYourWrites ensures isolated read-after-write semantics by
  24721. providing discovered cluster replication states in each request.
  24722. More information about eventual consistency in Vault can be found here
  24723. https://www.vaultproject.io/docs/enterprise/consistency
  24724. type: boolean
  24725. server:
  24726. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  24727. type: string
  24728. tls:
  24729. description: |-
  24730. The configuration used for client side related TLS communication, when the Vault server
  24731. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  24732. This parameter is ignored for plain HTTP protocol connection.
  24733. It's worth noting this configuration is different from the "TLS certificates auth method",
  24734. which is available under the `auth.cert` section.
  24735. properties:
  24736. certSecretRef:
  24737. description: |-
  24738. CertSecretRef is a certificate added to the transport layer
  24739. when communicating with the Vault server.
  24740. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  24741. properties:
  24742. key:
  24743. description: |-
  24744. A key in the referenced Secret.
  24745. Some instances of this field may be defaulted, in others it may be required.
  24746. maxLength: 253
  24747. minLength: 1
  24748. pattern: ^[-._a-zA-Z0-9]+$
  24749. type: string
  24750. name:
  24751. description: The name of the Secret resource being referred to.
  24752. maxLength: 253
  24753. minLength: 1
  24754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24755. type: string
  24756. namespace:
  24757. description: |-
  24758. The namespace of the Secret resource being referred to.
  24759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24760. maxLength: 63
  24761. minLength: 1
  24762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24763. type: string
  24764. type: object
  24765. keySecretRef:
  24766. description: |-
  24767. KeySecretRef to a key in a Secret resource containing client private key
  24768. added to the transport layer when communicating with the Vault server.
  24769. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  24770. properties:
  24771. key:
  24772. description: |-
  24773. A key in the referenced Secret.
  24774. Some instances of this field may be defaulted, in others it may be required.
  24775. maxLength: 253
  24776. minLength: 1
  24777. pattern: ^[-._a-zA-Z0-9]+$
  24778. type: string
  24779. name:
  24780. description: The name of the Secret resource being referred to.
  24781. maxLength: 253
  24782. minLength: 1
  24783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24784. type: string
  24785. namespace:
  24786. description: |-
  24787. The namespace of the Secret resource being referred to.
  24788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24789. maxLength: 63
  24790. minLength: 1
  24791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24792. type: string
  24793. type: object
  24794. type: object
  24795. version:
  24796. default: v2
  24797. description: |-
  24798. Version is the Vault KV secret engine version. This can be either "v1" or
  24799. "v2". Version defaults to "v2".
  24800. enum:
  24801. - v1
  24802. - v2
  24803. type: string
  24804. required:
  24805. - server
  24806. type: object
  24807. webhook:
  24808. description: Webhook configures this store to sync secrets using a generic templated webhook
  24809. properties:
  24810. auth:
  24811. description: Auth specifies a authorization protocol. Only one protocol may be set.
  24812. maxProperties: 1
  24813. minProperties: 1
  24814. properties:
  24815. ntlm:
  24816. description: NTLMProtocol configures the store to use NTLM for auth
  24817. properties:
  24818. passwordSecret:
  24819. description: |-
  24820. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24821. In some instances, `key` is a required field.
  24822. properties:
  24823. key:
  24824. description: |-
  24825. A key in the referenced Secret.
  24826. Some instances of this field may be defaulted, in others it may be required.
  24827. maxLength: 253
  24828. minLength: 1
  24829. pattern: ^[-._a-zA-Z0-9]+$
  24830. type: string
  24831. name:
  24832. description: The name of the Secret resource being referred to.
  24833. maxLength: 253
  24834. minLength: 1
  24835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24836. type: string
  24837. namespace:
  24838. description: |-
  24839. The namespace of the Secret resource being referred to.
  24840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24841. maxLength: 63
  24842. minLength: 1
  24843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24844. type: string
  24845. type: object
  24846. usernameSecret:
  24847. description: |-
  24848. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24849. In some instances, `key` is a required field.
  24850. properties:
  24851. key:
  24852. description: |-
  24853. A key in the referenced Secret.
  24854. Some instances of this field may be defaulted, in others it may be required.
  24855. maxLength: 253
  24856. minLength: 1
  24857. pattern: ^[-._a-zA-Z0-9]+$
  24858. type: string
  24859. name:
  24860. description: The name of the Secret resource being referred to.
  24861. maxLength: 253
  24862. minLength: 1
  24863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24864. type: string
  24865. namespace:
  24866. description: |-
  24867. The namespace of the Secret resource being referred to.
  24868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24869. maxLength: 63
  24870. minLength: 1
  24871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24872. type: string
  24873. type: object
  24874. required:
  24875. - passwordSecret
  24876. - usernameSecret
  24877. type: object
  24878. type: object
  24879. body:
  24880. description: Body
  24881. type: string
  24882. caBundle:
  24883. description: |-
  24884. PEM encoded CA bundle used to validate webhook server certificate. Only used
  24885. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24886. plain HTTP protocol connection. If not set the system root certificates
  24887. are used to validate the TLS connection.
  24888. format: byte
  24889. type: string
  24890. caProvider:
  24891. description: The provider for the CA bundle to use to validate webhook server certificate.
  24892. properties:
  24893. key:
  24894. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24895. maxLength: 253
  24896. minLength: 1
  24897. pattern: ^[-._a-zA-Z0-9]+$
  24898. type: string
  24899. name:
  24900. description: The name of the object located at the provider type.
  24901. maxLength: 253
  24902. minLength: 1
  24903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24904. type: string
  24905. namespace:
  24906. description: The namespace the Provider type is in.
  24907. maxLength: 63
  24908. minLength: 1
  24909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24910. type: string
  24911. type:
  24912. description: The type of provider to use such as "Secret", or "ConfigMap".
  24913. enum:
  24914. - Secret
  24915. - ConfigMap
  24916. type: string
  24917. required:
  24918. - name
  24919. - type
  24920. type: object
  24921. headers:
  24922. additionalProperties:
  24923. type: string
  24924. description: Headers
  24925. type: object
  24926. method:
  24927. description: Webhook Method
  24928. type: string
  24929. result:
  24930. description: Result formatting
  24931. properties:
  24932. jsonPath:
  24933. description: Json path of return value
  24934. type: string
  24935. type: object
  24936. secrets:
  24937. description: |-
  24938. Secrets to fill in templates
  24939. These secrets will be passed to the templating function as key value pairs under the given name
  24940. items:
  24941. description: WebhookSecret defines a secret to be used in webhook templates.
  24942. properties:
  24943. name:
  24944. description: Name of this secret in templates
  24945. type: string
  24946. secretRef:
  24947. description: Secret ref to fill in credentials
  24948. properties:
  24949. key:
  24950. description: |-
  24951. A key in the referenced Secret.
  24952. Some instances of this field may be defaulted, in others it may be required.
  24953. maxLength: 253
  24954. minLength: 1
  24955. pattern: ^[-._a-zA-Z0-9]+$
  24956. type: string
  24957. name:
  24958. description: The name of the Secret resource being referred to.
  24959. maxLength: 253
  24960. minLength: 1
  24961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24962. type: string
  24963. namespace:
  24964. description: |-
  24965. The namespace of the Secret resource being referred to.
  24966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24967. maxLength: 63
  24968. minLength: 1
  24969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24970. type: string
  24971. type: object
  24972. required:
  24973. - name
  24974. - secretRef
  24975. type: object
  24976. type: array
  24977. timeout:
  24978. description: Timeout
  24979. type: string
  24980. url:
  24981. description: Webhook url to call
  24982. type: string
  24983. required:
  24984. - result
  24985. - url
  24986. type: object
  24987. yandexcertificatemanager:
  24988. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  24989. properties:
  24990. apiEndpoint:
  24991. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  24992. type: string
  24993. auth:
  24994. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  24995. properties:
  24996. authorizedKeySecretRef:
  24997. description: The authorized key used for authentication
  24998. properties:
  24999. key:
  25000. description: |-
  25001. A key in the referenced Secret.
  25002. Some instances of this field may be defaulted, in others it may be required.
  25003. maxLength: 253
  25004. minLength: 1
  25005. pattern: ^[-._a-zA-Z0-9]+$
  25006. type: string
  25007. name:
  25008. description: The name of the Secret resource being referred to.
  25009. maxLength: 253
  25010. minLength: 1
  25011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25012. type: string
  25013. namespace:
  25014. description: |-
  25015. The namespace of the Secret resource being referred to.
  25016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25017. maxLength: 63
  25018. minLength: 1
  25019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25020. type: string
  25021. type: object
  25022. type: object
  25023. caProvider:
  25024. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25025. properties:
  25026. certSecretRef:
  25027. description: |-
  25028. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25029. In some instances, `key` is a required field.
  25030. properties:
  25031. key:
  25032. description: |-
  25033. A key in the referenced Secret.
  25034. Some instances of this field may be defaulted, in others it may be required.
  25035. maxLength: 253
  25036. minLength: 1
  25037. pattern: ^[-._a-zA-Z0-9]+$
  25038. type: string
  25039. name:
  25040. description: The name of the Secret resource being referred to.
  25041. maxLength: 253
  25042. minLength: 1
  25043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25044. type: string
  25045. namespace:
  25046. description: |-
  25047. The namespace of the Secret resource being referred to.
  25048. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25049. maxLength: 63
  25050. minLength: 1
  25051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25052. type: string
  25053. type: object
  25054. type: object
  25055. required:
  25056. - auth
  25057. type: object
  25058. yandexlockbox:
  25059. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25060. properties:
  25061. apiEndpoint:
  25062. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25063. type: string
  25064. auth:
  25065. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25066. properties:
  25067. authorizedKeySecretRef:
  25068. description: The authorized key used for authentication
  25069. properties:
  25070. key:
  25071. description: |-
  25072. A key in the referenced Secret.
  25073. Some instances of this field may be defaulted, in others it may be required.
  25074. maxLength: 253
  25075. minLength: 1
  25076. pattern: ^[-._a-zA-Z0-9]+$
  25077. type: string
  25078. name:
  25079. description: The name of the Secret resource being referred to.
  25080. maxLength: 253
  25081. minLength: 1
  25082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25083. type: string
  25084. namespace:
  25085. description: |-
  25086. The namespace of the Secret resource being referred to.
  25087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25088. maxLength: 63
  25089. minLength: 1
  25090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25091. type: string
  25092. type: object
  25093. type: object
  25094. caProvider:
  25095. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25096. properties:
  25097. certSecretRef:
  25098. description: |-
  25099. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25100. In some instances, `key` is a required field.
  25101. properties:
  25102. key:
  25103. description: |-
  25104. A key in the referenced Secret.
  25105. Some instances of this field may be defaulted, in others it may be required.
  25106. maxLength: 253
  25107. minLength: 1
  25108. pattern: ^[-._a-zA-Z0-9]+$
  25109. type: string
  25110. name:
  25111. description: The name of the Secret resource being referred to.
  25112. maxLength: 253
  25113. minLength: 1
  25114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25115. type: string
  25116. namespace:
  25117. description: |-
  25118. The namespace of the Secret resource being referred to.
  25119. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25120. maxLength: 63
  25121. minLength: 1
  25122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25123. type: string
  25124. type: object
  25125. type: object
  25126. required:
  25127. - auth
  25128. type: object
  25129. type: object
  25130. refreshInterval:
  25131. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25132. type: integer
  25133. retrySettings:
  25134. description: Used to configure HTTP retries on failures.
  25135. properties:
  25136. maxRetries:
  25137. description: MaxRetries is the maximum number of retry attempts.
  25138. format: int32
  25139. type: integer
  25140. retryInterval:
  25141. description: RetryInterval is the interval between retry attempts.
  25142. type: string
  25143. type: object
  25144. required:
  25145. - provider
  25146. type: object
  25147. status:
  25148. description: SecretStoreStatus defines the observed state of the SecretStore.
  25149. properties:
  25150. capabilities:
  25151. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25152. type: string
  25153. conditions:
  25154. items:
  25155. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25156. properties:
  25157. lastTransitionTime:
  25158. format: date-time
  25159. type: string
  25160. message:
  25161. type: string
  25162. reason:
  25163. type: string
  25164. status:
  25165. type: string
  25166. type:
  25167. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25168. type: string
  25169. required:
  25170. - status
  25171. - type
  25172. type: object
  25173. type: array
  25174. type: object
  25175. type: object
  25176. served: false
  25177. storage: false
  25178. subresources:
  25179. status: {}
  25180. ---
  25181. apiVersion: apiextensions.k8s.io/v1
  25182. kind: CustomResourceDefinition
  25183. metadata:
  25184. annotations:
  25185. controller-gen.kubebuilder.io/version: v0.19.0
  25186. labels:
  25187. external-secrets.io/component: controller
  25188. name: acraccesstokens.generators.external-secrets.io
  25189. spec:
  25190. group: generators.external-secrets.io
  25191. names:
  25192. categories:
  25193. - external-secrets
  25194. - external-secrets-generators
  25195. kind: ACRAccessToken
  25196. listKind: ACRAccessTokenList
  25197. plural: acraccesstokens
  25198. singular: acraccesstoken
  25199. scope: Namespaced
  25200. versions:
  25201. - name: v1alpha1
  25202. schema:
  25203. openAPIV3Schema:
  25204. description: |-
  25205. ACRAccessToken returns an Azure Container Registry token
  25206. that can be used for pushing/pulling images.
  25207. Note: by default it will return an ACR Refresh Token with full access
  25208. (depending on the identity).
  25209. This can be scoped down to the repository level using .spec.scope.
  25210. In case scope is defined it will return an ACR Access Token.
  25211. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25212. properties:
  25213. apiVersion:
  25214. description: |-
  25215. APIVersion defines the versioned schema of this representation of an object.
  25216. Servers should convert recognized schemas to the latest internal value, and
  25217. may reject unrecognized values.
  25218. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25219. type: string
  25220. kind:
  25221. description: |-
  25222. Kind is a string value representing the REST resource this object represents.
  25223. Servers may infer this from the endpoint the client submits requests to.
  25224. Cannot be updated.
  25225. In CamelCase.
  25226. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25227. type: string
  25228. metadata:
  25229. type: object
  25230. spec:
  25231. description: |-
  25232. ACRAccessTokenSpec defines how to generate the access token
  25233. e.g. how to authenticate and which registry to use.
  25234. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25235. properties:
  25236. auth:
  25237. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25238. properties:
  25239. managedIdentity:
  25240. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25241. properties:
  25242. identityId:
  25243. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25244. type: string
  25245. type: object
  25246. servicePrincipal:
  25247. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25248. properties:
  25249. secretRef:
  25250. description: |-
  25251. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25252. It uses static credentials stored in a Kind=Secret.
  25253. properties:
  25254. clientId:
  25255. description: The Azure clientId of the service principle used for authentication.
  25256. properties:
  25257. key:
  25258. description: |-
  25259. A key in the referenced Secret.
  25260. Some instances of this field may be defaulted, in others it may be required.
  25261. maxLength: 253
  25262. minLength: 1
  25263. pattern: ^[-._a-zA-Z0-9]+$
  25264. type: string
  25265. name:
  25266. description: The name of the Secret resource being referred to.
  25267. maxLength: 253
  25268. minLength: 1
  25269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25270. type: string
  25271. namespace:
  25272. description: |-
  25273. The namespace of the Secret resource being referred to.
  25274. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25275. maxLength: 63
  25276. minLength: 1
  25277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25278. type: string
  25279. type: object
  25280. clientSecret:
  25281. description: The Azure ClientSecret of the service principle used for authentication.
  25282. properties:
  25283. key:
  25284. description: |-
  25285. A key in the referenced Secret.
  25286. Some instances of this field may be defaulted, in others it may be required.
  25287. maxLength: 253
  25288. minLength: 1
  25289. pattern: ^[-._a-zA-Z0-9]+$
  25290. type: string
  25291. name:
  25292. description: The name of the Secret resource being referred to.
  25293. maxLength: 253
  25294. minLength: 1
  25295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25296. type: string
  25297. namespace:
  25298. description: |-
  25299. The namespace of the Secret resource being referred to.
  25300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25301. maxLength: 63
  25302. minLength: 1
  25303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25304. type: string
  25305. type: object
  25306. type: object
  25307. required:
  25308. - secretRef
  25309. type: object
  25310. workloadIdentity:
  25311. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25312. properties:
  25313. serviceAccountRef:
  25314. description: |-
  25315. ServiceAccountRef specified the service account
  25316. that should be used when authenticating with WorkloadIdentity.
  25317. properties:
  25318. audiences:
  25319. description: |-
  25320. Audience specifies the `aud` claim for the service account token
  25321. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25322. then this audiences will be appended to the list
  25323. items:
  25324. type: string
  25325. type: array
  25326. name:
  25327. description: The name of the ServiceAccount resource being referred to.
  25328. maxLength: 253
  25329. minLength: 1
  25330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25331. type: string
  25332. namespace:
  25333. description: |-
  25334. Namespace of the resource being referred to.
  25335. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25336. maxLength: 63
  25337. minLength: 1
  25338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25339. type: string
  25340. required:
  25341. - name
  25342. type: object
  25343. type: object
  25344. type: object
  25345. environmentType:
  25346. default: PublicCloud
  25347. description: |-
  25348. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25349. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25350. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25351. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25352. enum:
  25353. - PublicCloud
  25354. - USGovernmentCloud
  25355. - ChinaCloud
  25356. - GermanCloud
  25357. - AzureStackCloud
  25358. type: string
  25359. registry:
  25360. description: |-
  25361. the domain name of the ACR registry
  25362. e.g. foobarexample.azurecr.io
  25363. type: string
  25364. scope:
  25365. description: |-
  25366. Define the scope for the access token, e.g. pull/push access for a repository.
  25367. if not provided it will return a refresh token that has full scope.
  25368. Note: you need to pin it down to the repository level, there is no wildcard available.
  25369. examples:
  25370. repository:my-repository:pull,push
  25371. repository:my-repository:pull
  25372. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25373. type: string
  25374. tenantId:
  25375. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25376. type: string
  25377. required:
  25378. - auth
  25379. - registry
  25380. type: object
  25381. type: object
  25382. served: true
  25383. storage: true
  25384. subresources:
  25385. status: {}
  25386. ---
  25387. apiVersion: apiextensions.k8s.io/v1
  25388. kind: CustomResourceDefinition
  25389. metadata:
  25390. annotations:
  25391. controller-gen.kubebuilder.io/version: v0.19.0
  25392. labels:
  25393. external-secrets.io/component: controller
  25394. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  25395. spec:
  25396. group: generators.external-secrets.io
  25397. names:
  25398. categories:
  25399. - external-secrets
  25400. - external-secrets-generators
  25401. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  25402. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  25403. plural: beyondtrustworkloadcredentialsdynamicsecrets
  25404. singular: beyondtrustworkloadcredentialsdynamicsecret
  25405. scope: Namespaced
  25406. versions:
  25407. - name: v1alpha1
  25408. schema:
  25409. openAPIV3Schema:
  25410. description: |-
  25411. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  25412. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  25413. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  25414. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  25415. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25416. properties:
  25417. apiVersion:
  25418. description: |-
  25419. APIVersion defines the versioned schema of this representation of an object.
  25420. Servers should convert recognized schemas to the latest internal value, and
  25421. may reject unrecognized values.
  25422. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25423. type: string
  25424. kind:
  25425. description: |-
  25426. Kind is a string value representing the REST resource this object represents.
  25427. Servers may infer this from the endpoint the client submits requests to.
  25428. Cannot be updated.
  25429. In CamelCase.
  25430. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25431. type: string
  25432. metadata:
  25433. type: object
  25434. spec:
  25435. description: |-
  25436. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  25437. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  25438. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25439. properties:
  25440. controller:
  25441. description: |-
  25442. Controller selects the controller that should handle this generator.
  25443. Leave empty to use the default controller.
  25444. type: string
  25445. provider:
  25446. description: |-
  25447. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  25448. server connection details, and the folder path to the dynamic secret definition.
  25449. The folderPath should point to a dynamic secret definition that has been created in
  25450. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  25451. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25452. properties:
  25453. auth:
  25454. description: |-
  25455. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  25456. Currently supports API key authentication via Kubernetes secret reference.
  25457. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25458. properties:
  25459. apikey:
  25460. description: |-
  25461. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  25462. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  25463. properties:
  25464. token:
  25465. description: |-
  25466. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  25467. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  25468. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  25469. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25470. properties:
  25471. key:
  25472. description: |-
  25473. A key in the referenced Secret.
  25474. Some instances of this field may be defaulted, in others it may be required.
  25475. maxLength: 253
  25476. minLength: 1
  25477. pattern: ^[-._a-zA-Z0-9]+$
  25478. type: string
  25479. name:
  25480. description: The name of the Secret resource being referred to.
  25481. maxLength: 253
  25482. minLength: 1
  25483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25484. type: string
  25485. namespace:
  25486. description: |-
  25487. The namespace of the Secret resource being referred to.
  25488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25489. maxLength: 63
  25490. minLength: 1
  25491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25492. type: string
  25493. type: object
  25494. required:
  25495. - token
  25496. type: object
  25497. required:
  25498. - apikey
  25499. type: object
  25500. caBundle:
  25501. description: |-
  25502. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25503. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  25504. If not set, the system's trusted root certificates are used.
  25505. format: byte
  25506. type: string
  25507. caProvider:
  25508. description: |-
  25509. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  25510. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25511. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  25512. properties:
  25513. key:
  25514. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25515. maxLength: 253
  25516. minLength: 1
  25517. pattern: ^[-._a-zA-Z0-9]+$
  25518. type: string
  25519. name:
  25520. description: The name of the object located at the provider type.
  25521. maxLength: 253
  25522. minLength: 1
  25523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25524. type: string
  25525. namespace:
  25526. description: |-
  25527. The namespace the Provider type is in.
  25528. Can only be defined when used in a ClusterSecretStore.
  25529. maxLength: 63
  25530. minLength: 1
  25531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25532. type: string
  25533. type:
  25534. description: The type of provider to use such as "Secret", or "ConfigMap".
  25535. enum:
  25536. - Secret
  25537. - ConfigMap
  25538. type: string
  25539. required:
  25540. - name
  25541. - type
  25542. type: object
  25543. folderPath:
  25544. description: |-
  25545. FolderPath specifies the default folder path for secret retrieval.
  25546. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  25547. Example: "production/database" or "dev/api-keys"
  25548. Leave empty to retrieve secrets from the root folder.
  25549. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  25550. type: string
  25551. server:
  25552. description: |-
  25553. Server configures the BeyondTrust Workload Credentials server connection details.
  25554. Includes the API URL and Site ID for your BeyondTrust instance.
  25555. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25556. properties:
  25557. apiUrl:
  25558. description: |-
  25559. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  25560. This should be the full URL to your BeyondTrust instance.
  25561. Example: https://api.beyondtrust.io/siie
  25562. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  25563. type: string
  25564. siteId:
  25565. description: |-
  25566. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  25567. This identifier is unique to your BeyondTrust Workload Credentials instance.
  25568. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  25569. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  25570. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25571. type: string
  25572. required:
  25573. - apiUrl
  25574. - siteId
  25575. type: object
  25576. required:
  25577. - auth
  25578. - server
  25579. type: object
  25580. retrySettings:
  25581. description: |-
  25582. RetrySettings configures exponential backoff for failed API requests.
  25583. If not specified, uses the default retry settings.
  25584. properties:
  25585. maxRetries:
  25586. format: int32
  25587. type: integer
  25588. retryInterval:
  25589. type: string
  25590. type: object
  25591. required:
  25592. - provider
  25593. type: object
  25594. type: object
  25595. served: true
  25596. storage: true
  25597. subresources:
  25598. status: {}
  25599. ---
  25600. apiVersion: apiextensions.k8s.io/v1
  25601. kind: CustomResourceDefinition
  25602. metadata:
  25603. annotations:
  25604. controller-gen.kubebuilder.io/version: v0.19.0
  25605. labels:
  25606. external-secrets.io/component: controller
  25607. name: cloudsmithaccesstokens.generators.external-secrets.io
  25608. spec:
  25609. group: generators.external-secrets.io
  25610. names:
  25611. categories:
  25612. - external-secrets
  25613. - external-secrets-generators
  25614. kind: CloudsmithAccessToken
  25615. listKind: CloudsmithAccessTokenList
  25616. plural: cloudsmithaccesstokens
  25617. singular: cloudsmithaccesstoken
  25618. scope: Namespaced
  25619. versions:
  25620. - name: v1alpha1
  25621. schema:
  25622. openAPIV3Schema:
  25623. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  25624. properties:
  25625. apiVersion:
  25626. description: |-
  25627. APIVersion defines the versioned schema of this representation of an object.
  25628. Servers should convert recognized schemas to the latest internal value, and
  25629. may reject unrecognized values.
  25630. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25631. type: string
  25632. kind:
  25633. description: |-
  25634. Kind is a string value representing the REST resource this object represents.
  25635. Servers may infer this from the endpoint the client submits requests to.
  25636. Cannot be updated.
  25637. In CamelCase.
  25638. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25639. type: string
  25640. metadata:
  25641. type: object
  25642. spec:
  25643. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25644. properties:
  25645. apiUrl:
  25646. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25647. type: string
  25648. orgSlug:
  25649. description: OrgSlug is the organization slug in Cloudsmith
  25650. type: string
  25651. serviceAccountRef:
  25652. description: Name of the service account you are federating with
  25653. properties:
  25654. audiences:
  25655. description: |-
  25656. Audience specifies the `aud` claim for the service account token
  25657. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25658. then this audiences will be appended to the list
  25659. items:
  25660. type: string
  25661. type: array
  25662. name:
  25663. description: The name of the ServiceAccount resource being referred to.
  25664. maxLength: 253
  25665. minLength: 1
  25666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25667. type: string
  25668. namespace:
  25669. description: |-
  25670. Namespace of the resource being referred to.
  25671. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25672. maxLength: 63
  25673. minLength: 1
  25674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25675. type: string
  25676. required:
  25677. - name
  25678. type: object
  25679. serviceSlug:
  25680. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25681. type: string
  25682. required:
  25683. - orgSlug
  25684. - serviceAccountRef
  25685. - serviceSlug
  25686. type: object
  25687. type: object
  25688. served: true
  25689. storage: true
  25690. subresources:
  25691. status: {}
  25692. ---
  25693. apiVersion: apiextensions.k8s.io/v1
  25694. kind: CustomResourceDefinition
  25695. metadata:
  25696. annotations:
  25697. controller-gen.kubebuilder.io/version: v0.19.0
  25698. labels:
  25699. external-secrets.io/component: controller
  25700. name: clustergenerators.generators.external-secrets.io
  25701. spec:
  25702. group: generators.external-secrets.io
  25703. names:
  25704. categories:
  25705. - external-secrets
  25706. - external-secrets-generators
  25707. kind: ClusterGenerator
  25708. listKind: ClusterGeneratorList
  25709. plural: clustergenerators
  25710. singular: clustergenerator
  25711. scope: Cluster
  25712. versions:
  25713. - name: v1alpha1
  25714. schema:
  25715. openAPIV3Schema:
  25716. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  25717. properties:
  25718. apiVersion:
  25719. description: |-
  25720. APIVersion defines the versioned schema of this representation of an object.
  25721. Servers should convert recognized schemas to the latest internal value, and
  25722. may reject unrecognized values.
  25723. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25724. type: string
  25725. kind:
  25726. description: |-
  25727. Kind is a string value representing the REST resource this object represents.
  25728. Servers may infer this from the endpoint the client submits requests to.
  25729. Cannot be updated.
  25730. In CamelCase.
  25731. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25732. type: string
  25733. metadata:
  25734. type: object
  25735. spec:
  25736. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  25737. properties:
  25738. generator:
  25739. description: Generator the spec for this generator, must match the kind.
  25740. maxProperties: 1
  25741. minProperties: 1
  25742. properties:
  25743. acrAccessTokenSpec:
  25744. description: |-
  25745. ACRAccessTokenSpec defines how to generate the access token
  25746. e.g. how to authenticate and which registry to use.
  25747. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25748. properties:
  25749. auth:
  25750. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25751. properties:
  25752. managedIdentity:
  25753. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25754. properties:
  25755. identityId:
  25756. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25757. type: string
  25758. type: object
  25759. servicePrincipal:
  25760. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25761. properties:
  25762. secretRef:
  25763. description: |-
  25764. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25765. It uses static credentials stored in a Kind=Secret.
  25766. properties:
  25767. clientId:
  25768. description: The Azure clientId of the service principle used for authentication.
  25769. properties:
  25770. key:
  25771. description: |-
  25772. A key in the referenced Secret.
  25773. Some instances of this field may be defaulted, in others it may be required.
  25774. maxLength: 253
  25775. minLength: 1
  25776. pattern: ^[-._a-zA-Z0-9]+$
  25777. type: string
  25778. name:
  25779. description: The name of the Secret resource being referred to.
  25780. maxLength: 253
  25781. minLength: 1
  25782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25783. type: string
  25784. namespace:
  25785. description: |-
  25786. The namespace of the Secret resource being referred to.
  25787. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25788. maxLength: 63
  25789. minLength: 1
  25790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25791. type: string
  25792. type: object
  25793. clientSecret:
  25794. description: The Azure ClientSecret of the service principle used for authentication.
  25795. properties:
  25796. key:
  25797. description: |-
  25798. A key in the referenced Secret.
  25799. Some instances of this field may be defaulted, in others it may be required.
  25800. maxLength: 253
  25801. minLength: 1
  25802. pattern: ^[-._a-zA-Z0-9]+$
  25803. type: string
  25804. name:
  25805. description: The name of the Secret resource being referred to.
  25806. maxLength: 253
  25807. minLength: 1
  25808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25809. type: string
  25810. namespace:
  25811. description: |-
  25812. The namespace of the Secret resource being referred to.
  25813. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25814. maxLength: 63
  25815. minLength: 1
  25816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25817. type: string
  25818. type: object
  25819. type: object
  25820. required:
  25821. - secretRef
  25822. type: object
  25823. workloadIdentity:
  25824. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25825. properties:
  25826. serviceAccountRef:
  25827. description: |-
  25828. ServiceAccountRef specified the service account
  25829. that should be used when authenticating with WorkloadIdentity.
  25830. properties:
  25831. audiences:
  25832. description: |-
  25833. Audience specifies the `aud` claim for the service account token
  25834. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25835. then this audiences will be appended to the list
  25836. items:
  25837. type: string
  25838. type: array
  25839. name:
  25840. description: The name of the ServiceAccount resource being referred to.
  25841. maxLength: 253
  25842. minLength: 1
  25843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25844. type: string
  25845. namespace:
  25846. description: |-
  25847. Namespace of the resource being referred to.
  25848. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25849. maxLength: 63
  25850. minLength: 1
  25851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25852. type: string
  25853. required:
  25854. - name
  25855. type: object
  25856. type: object
  25857. type: object
  25858. environmentType:
  25859. default: PublicCloud
  25860. description: |-
  25861. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25862. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25863. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25864. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25865. enum:
  25866. - PublicCloud
  25867. - USGovernmentCloud
  25868. - ChinaCloud
  25869. - GermanCloud
  25870. - AzureStackCloud
  25871. type: string
  25872. registry:
  25873. description: |-
  25874. the domain name of the ACR registry
  25875. e.g. foobarexample.azurecr.io
  25876. type: string
  25877. scope:
  25878. description: |-
  25879. Define the scope for the access token, e.g. pull/push access for a repository.
  25880. if not provided it will return a refresh token that has full scope.
  25881. Note: you need to pin it down to the repository level, there is no wildcard available.
  25882. examples:
  25883. repository:my-repository:pull,push
  25884. repository:my-repository:pull
  25885. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25886. type: string
  25887. tenantId:
  25888. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25889. type: string
  25890. required:
  25891. - auth
  25892. - registry
  25893. type: object
  25894. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  25895. description: |-
  25896. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  25897. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  25898. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25899. properties:
  25900. controller:
  25901. description: |-
  25902. Controller selects the controller that should handle this generator.
  25903. Leave empty to use the default controller.
  25904. type: string
  25905. provider:
  25906. description: |-
  25907. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  25908. server connection details, and the folder path to the dynamic secret definition.
  25909. The folderPath should point to a dynamic secret definition that has been created in
  25910. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  25911. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25912. properties:
  25913. auth:
  25914. description: |-
  25915. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  25916. Currently supports API key authentication via Kubernetes secret reference.
  25917. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25918. properties:
  25919. apikey:
  25920. description: |-
  25921. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  25922. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  25923. properties:
  25924. token:
  25925. description: |-
  25926. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  25927. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  25928. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  25929. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25930. properties:
  25931. key:
  25932. description: |-
  25933. A key in the referenced Secret.
  25934. Some instances of this field may be defaulted, in others it may be required.
  25935. maxLength: 253
  25936. minLength: 1
  25937. pattern: ^[-._a-zA-Z0-9]+$
  25938. type: string
  25939. name:
  25940. description: The name of the Secret resource being referred to.
  25941. maxLength: 253
  25942. minLength: 1
  25943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25944. type: string
  25945. namespace:
  25946. description: |-
  25947. The namespace of the Secret resource being referred to.
  25948. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25949. maxLength: 63
  25950. minLength: 1
  25951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25952. type: string
  25953. type: object
  25954. required:
  25955. - token
  25956. type: object
  25957. required:
  25958. - apikey
  25959. type: object
  25960. caBundle:
  25961. description: |-
  25962. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25963. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  25964. If not set, the system's trusted root certificates are used.
  25965. format: byte
  25966. type: string
  25967. caProvider:
  25968. description: |-
  25969. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  25970. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25971. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  25972. properties:
  25973. key:
  25974. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25975. maxLength: 253
  25976. minLength: 1
  25977. pattern: ^[-._a-zA-Z0-9]+$
  25978. type: string
  25979. name:
  25980. description: The name of the object located at the provider type.
  25981. maxLength: 253
  25982. minLength: 1
  25983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25984. type: string
  25985. namespace:
  25986. description: |-
  25987. The namespace the Provider type is in.
  25988. Can only be defined when used in a ClusterSecretStore.
  25989. maxLength: 63
  25990. minLength: 1
  25991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25992. type: string
  25993. type:
  25994. description: The type of provider to use such as "Secret", or "ConfigMap".
  25995. enum:
  25996. - Secret
  25997. - ConfigMap
  25998. type: string
  25999. required:
  26000. - name
  26001. - type
  26002. type: object
  26003. folderPath:
  26004. description: |-
  26005. FolderPath specifies the default folder path for secret retrieval.
  26006. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26007. Example: "production/database" or "dev/api-keys"
  26008. Leave empty to retrieve secrets from the root folder.
  26009. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26010. type: string
  26011. server:
  26012. description: |-
  26013. Server configures the BeyondTrust Workload Credentials server connection details.
  26014. Includes the API URL and Site ID for your BeyondTrust instance.
  26015. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26016. properties:
  26017. apiUrl:
  26018. description: |-
  26019. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26020. This should be the full URL to your BeyondTrust instance.
  26021. Example: https://api.beyondtrust.io/siie
  26022. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26023. type: string
  26024. siteId:
  26025. description: |-
  26026. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26027. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26028. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26029. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26030. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26031. type: string
  26032. required:
  26033. - apiUrl
  26034. - siteId
  26035. type: object
  26036. required:
  26037. - auth
  26038. - server
  26039. type: object
  26040. retrySettings:
  26041. description: |-
  26042. RetrySettings configures exponential backoff for failed API requests.
  26043. If not specified, uses the default retry settings.
  26044. properties:
  26045. maxRetries:
  26046. format: int32
  26047. type: integer
  26048. retryInterval:
  26049. type: string
  26050. type: object
  26051. required:
  26052. - provider
  26053. type: object
  26054. cloudsmithAccessTokenSpec:
  26055. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26056. properties:
  26057. apiUrl:
  26058. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26059. type: string
  26060. orgSlug:
  26061. description: OrgSlug is the organization slug in Cloudsmith
  26062. type: string
  26063. serviceAccountRef:
  26064. description: Name of the service account you are federating with
  26065. properties:
  26066. audiences:
  26067. description: |-
  26068. Audience specifies the `aud` claim for the service account token
  26069. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26070. then this audiences will be appended to the list
  26071. items:
  26072. type: string
  26073. type: array
  26074. name:
  26075. description: The name of the ServiceAccount resource being referred to.
  26076. maxLength: 253
  26077. minLength: 1
  26078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26079. type: string
  26080. namespace:
  26081. description: |-
  26082. Namespace of the resource being referred to.
  26083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26084. maxLength: 63
  26085. minLength: 1
  26086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26087. type: string
  26088. required:
  26089. - name
  26090. type: object
  26091. serviceSlug:
  26092. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26093. type: string
  26094. required:
  26095. - orgSlug
  26096. - serviceAccountRef
  26097. - serviceSlug
  26098. type: object
  26099. ecrAuthorizationTokenSpec:
  26100. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26101. properties:
  26102. auth:
  26103. description: Auth defines how to authenticate with AWS
  26104. properties:
  26105. jwt:
  26106. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26107. properties:
  26108. serviceAccountRef:
  26109. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26110. properties:
  26111. audiences:
  26112. description: |-
  26113. Audience specifies the `aud` claim for the service account token
  26114. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26115. then this audiences will be appended to the list
  26116. items:
  26117. type: string
  26118. type: array
  26119. name:
  26120. description: The name of the ServiceAccount resource being referred to.
  26121. maxLength: 253
  26122. minLength: 1
  26123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26124. type: string
  26125. namespace:
  26126. description: |-
  26127. Namespace of the resource being referred to.
  26128. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26129. maxLength: 63
  26130. minLength: 1
  26131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26132. type: string
  26133. required:
  26134. - name
  26135. type: object
  26136. type: object
  26137. secretRef:
  26138. description: |-
  26139. AWSAuthSecretRef holds secret references for AWS credentials
  26140. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26141. properties:
  26142. accessKeyIDSecretRef:
  26143. description: The AccessKeyID is used for authentication
  26144. properties:
  26145. key:
  26146. description: |-
  26147. A key in the referenced Secret.
  26148. Some instances of this field may be defaulted, in others it may be required.
  26149. maxLength: 253
  26150. minLength: 1
  26151. pattern: ^[-._a-zA-Z0-9]+$
  26152. type: string
  26153. name:
  26154. description: The name of the Secret resource being referred to.
  26155. maxLength: 253
  26156. minLength: 1
  26157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26158. type: string
  26159. namespace:
  26160. description: |-
  26161. The namespace of the Secret resource being referred to.
  26162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26163. maxLength: 63
  26164. minLength: 1
  26165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26166. type: string
  26167. type: object
  26168. secretAccessKeySecretRef:
  26169. description: The SecretAccessKey is used for authentication
  26170. properties:
  26171. key:
  26172. description: |-
  26173. A key in the referenced Secret.
  26174. Some instances of this field may be defaulted, in others it may be required.
  26175. maxLength: 253
  26176. minLength: 1
  26177. pattern: ^[-._a-zA-Z0-9]+$
  26178. type: string
  26179. name:
  26180. description: The name of the Secret resource being referred to.
  26181. maxLength: 253
  26182. minLength: 1
  26183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26184. type: string
  26185. namespace:
  26186. description: |-
  26187. The namespace of the Secret resource being referred to.
  26188. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26189. maxLength: 63
  26190. minLength: 1
  26191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26192. type: string
  26193. type: object
  26194. sessionTokenSecretRef:
  26195. description: |-
  26196. The SessionToken used for authentication
  26197. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26198. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26199. properties:
  26200. key:
  26201. description: |-
  26202. A key in the referenced Secret.
  26203. Some instances of this field may be defaulted, in others it may be required.
  26204. maxLength: 253
  26205. minLength: 1
  26206. pattern: ^[-._a-zA-Z0-9]+$
  26207. type: string
  26208. name:
  26209. description: The name of the Secret resource being referred to.
  26210. maxLength: 253
  26211. minLength: 1
  26212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26213. type: string
  26214. namespace:
  26215. description: |-
  26216. The namespace of the Secret resource being referred to.
  26217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26218. maxLength: 63
  26219. minLength: 1
  26220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26221. type: string
  26222. type: object
  26223. type: object
  26224. type: object
  26225. region:
  26226. description: Region specifies the region to operate in.
  26227. type: string
  26228. role:
  26229. description: |-
  26230. You can assume a role before making calls to the
  26231. desired AWS service.
  26232. type: string
  26233. scope:
  26234. description: |-
  26235. Scope specifies the ECR service scope.
  26236. Valid options are private and public.
  26237. type: string
  26238. required:
  26239. - region
  26240. type: object
  26241. fakeSpec:
  26242. description: FakeSpec contains the static data.
  26243. properties:
  26244. controller:
  26245. description: |-
  26246. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26247. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26248. type: string
  26249. data:
  26250. additionalProperties:
  26251. type: string
  26252. description: |-
  26253. Data defines the static data returned
  26254. by this generator.
  26255. type: object
  26256. type: object
  26257. gcrAccessTokenSpec:
  26258. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26259. properties:
  26260. auth:
  26261. description: Auth defines the means for authenticating with GCP
  26262. properties:
  26263. secretRef:
  26264. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26265. properties:
  26266. secretAccessKeySecretRef:
  26267. description: The SecretAccessKey is used for authentication
  26268. properties:
  26269. key:
  26270. description: |-
  26271. A key in the referenced Secret.
  26272. Some instances of this field may be defaulted, in others it may be required.
  26273. maxLength: 253
  26274. minLength: 1
  26275. pattern: ^[-._a-zA-Z0-9]+$
  26276. type: string
  26277. name:
  26278. description: The name of the Secret resource being referred to.
  26279. maxLength: 253
  26280. minLength: 1
  26281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26282. type: string
  26283. namespace:
  26284. description: |-
  26285. The namespace of the Secret resource being referred to.
  26286. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26287. maxLength: 63
  26288. minLength: 1
  26289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26290. type: string
  26291. type: object
  26292. type: object
  26293. workloadIdentity:
  26294. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26295. properties:
  26296. clusterLocation:
  26297. type: string
  26298. clusterName:
  26299. type: string
  26300. clusterProjectID:
  26301. type: string
  26302. serviceAccountRef:
  26303. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26304. properties:
  26305. audiences:
  26306. description: |-
  26307. Audience specifies the `aud` claim for the service account token
  26308. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26309. then this audiences will be appended to the list
  26310. items:
  26311. type: string
  26312. type: array
  26313. name:
  26314. description: The name of the ServiceAccount resource being referred to.
  26315. maxLength: 253
  26316. minLength: 1
  26317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26318. type: string
  26319. namespace:
  26320. description: |-
  26321. Namespace of the resource being referred to.
  26322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26323. maxLength: 63
  26324. minLength: 1
  26325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26326. type: string
  26327. required:
  26328. - name
  26329. type: object
  26330. required:
  26331. - clusterLocation
  26332. - clusterName
  26333. - serviceAccountRef
  26334. type: object
  26335. workloadIdentityFederation:
  26336. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  26337. properties:
  26338. audience:
  26339. description: |-
  26340. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  26341. If specified, Audience found in the external account credential config will be overridden with the configured value.
  26342. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  26343. type: string
  26344. awsSecurityCredentials:
  26345. description: |-
  26346. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  26347. when using the AWS metadata server is not an option.
  26348. properties:
  26349. awsCredentialsSecretRef:
  26350. description: |-
  26351. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  26352. Secret should be created with below names for keys
  26353. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  26354. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  26355. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  26356. properties:
  26357. name:
  26358. description: name of the secret.
  26359. maxLength: 253
  26360. minLength: 1
  26361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26362. type: string
  26363. namespace:
  26364. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  26365. maxLength: 63
  26366. minLength: 1
  26367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26368. type: string
  26369. required:
  26370. - name
  26371. type: object
  26372. region:
  26373. description: region is for configuring the AWS region to be used.
  26374. example: ap-south-1
  26375. maxLength: 50
  26376. minLength: 1
  26377. pattern: ^[a-z0-9-]+$
  26378. type: string
  26379. required:
  26380. - awsCredentialsSecretRef
  26381. - region
  26382. type: object
  26383. credConfig:
  26384. description: |-
  26385. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  26386. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  26387. serviceAccountRef must be used by providing operators service account details.
  26388. properties:
  26389. key:
  26390. description: key name holding the external account credential config.
  26391. maxLength: 253
  26392. minLength: 1
  26393. pattern: ^[-._a-zA-Z0-9]+$
  26394. type: string
  26395. name:
  26396. description: name of the configmap.
  26397. maxLength: 253
  26398. minLength: 1
  26399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26400. type: string
  26401. namespace:
  26402. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  26403. maxLength: 63
  26404. minLength: 1
  26405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26406. type: string
  26407. required:
  26408. - key
  26409. - name
  26410. type: object
  26411. externalTokenEndpoint:
  26412. description: |-
  26413. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  26414. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  26415. URL is having the expected value.
  26416. type: string
  26417. gcpServiceAccountEmail:
  26418. description: |-
  26419. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  26420. after Workload Identity Federation. Use this to grant access through the service account's
  26421. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  26422. service_account_impersonation_url in the external account JSON from credConfig;
  26423. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  26424. on that ServiceAccount.
  26425. example: my-gsa@my-project.iam.gserviceaccount.com
  26426. minLength: 1
  26427. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  26428. type: string
  26429. serviceAccountRef:
  26430. description: |-
  26431. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  26432. when Kubernetes is configured as provider in workload identity pool.
  26433. properties:
  26434. audiences:
  26435. description: |-
  26436. Audience specifies the `aud` claim for the service account token
  26437. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26438. then this audiences will be appended to the list
  26439. items:
  26440. type: string
  26441. type: array
  26442. name:
  26443. description: The name of the ServiceAccount resource being referred to.
  26444. maxLength: 253
  26445. minLength: 1
  26446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26447. type: string
  26448. namespace:
  26449. description: |-
  26450. Namespace of the resource being referred to.
  26451. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26452. maxLength: 63
  26453. minLength: 1
  26454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26455. type: string
  26456. required:
  26457. - name
  26458. type: object
  26459. type: object
  26460. type: object
  26461. projectID:
  26462. description: ProjectID defines which project to use to authenticate with
  26463. type: string
  26464. required:
  26465. - auth
  26466. - projectID
  26467. type: object
  26468. githubAccessTokenSpec:
  26469. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  26470. properties:
  26471. appID:
  26472. type: string
  26473. auth:
  26474. description: Auth configures how ESO authenticates with a Github instance.
  26475. properties:
  26476. privateKey:
  26477. description: GithubSecretRef references a secret containing GitHub credentials.
  26478. properties:
  26479. secretRef:
  26480. description: |-
  26481. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  26482. In some instances, `key` is a required field.
  26483. properties:
  26484. key:
  26485. description: |-
  26486. A key in the referenced Secret.
  26487. Some instances of this field may be defaulted, in others it may be required.
  26488. maxLength: 253
  26489. minLength: 1
  26490. pattern: ^[-._a-zA-Z0-9]+$
  26491. type: string
  26492. name:
  26493. description: The name of the Secret resource being referred to.
  26494. maxLength: 253
  26495. minLength: 1
  26496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26497. type: string
  26498. namespace:
  26499. description: |-
  26500. The namespace of the Secret resource being referred to.
  26501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26502. maxLength: 63
  26503. minLength: 1
  26504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26505. type: string
  26506. type: object
  26507. required:
  26508. - secretRef
  26509. type: object
  26510. required:
  26511. - privateKey
  26512. type: object
  26513. installID:
  26514. type: string
  26515. permissions:
  26516. additionalProperties:
  26517. type: string
  26518. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  26519. type: object
  26520. repositories:
  26521. description: |-
  26522. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  26523. is installed to.
  26524. items:
  26525. type: string
  26526. type: array
  26527. url:
  26528. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  26529. type: string
  26530. required:
  26531. - appID
  26532. - auth
  26533. - installID
  26534. type: object
  26535. grafanaSpec:
  26536. description: GrafanaSpec controls the behavior of the grafana generator.
  26537. properties:
  26538. auth:
  26539. description: |-
  26540. Auth is the authentication configuration to authenticate
  26541. against the Grafana instance.
  26542. properties:
  26543. basic:
  26544. description: |-
  26545. Basic auth credentials used to authenticate against the Grafana instance.
  26546. Note: you need a token which has elevated permissions to create service accounts.
  26547. See here for the documentation on basic roles offered by Grafana:
  26548. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26549. properties:
  26550. password:
  26551. description: A basic auth password used to authenticate against the Grafana instance.
  26552. properties:
  26553. key:
  26554. description: The key where the token is found.
  26555. maxLength: 253
  26556. minLength: 1
  26557. pattern: ^[-._a-zA-Z0-9]+$
  26558. type: string
  26559. name:
  26560. description: The name of the Secret resource being referred to.
  26561. maxLength: 253
  26562. minLength: 1
  26563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26564. type: string
  26565. type: object
  26566. username:
  26567. description: A basic auth username used to authenticate against the Grafana instance.
  26568. type: string
  26569. required:
  26570. - password
  26571. - username
  26572. type: object
  26573. token:
  26574. description: |-
  26575. A service account token used to authenticate against the Grafana instance.
  26576. Note: you need a token which has elevated permissions to create service accounts.
  26577. See here for the documentation on basic roles offered by Grafana:
  26578. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26579. properties:
  26580. key:
  26581. description: The key where the token is found.
  26582. maxLength: 253
  26583. minLength: 1
  26584. pattern: ^[-._a-zA-Z0-9]+$
  26585. type: string
  26586. name:
  26587. description: The name of the Secret resource being referred to.
  26588. maxLength: 253
  26589. minLength: 1
  26590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26591. type: string
  26592. type: object
  26593. type: object
  26594. serviceAccount:
  26595. description: |-
  26596. ServiceAccount is the configuration for the service account that
  26597. is supposed to be generated by the generator.
  26598. properties:
  26599. name:
  26600. description: Name is the name of the service account that will be created by ESO.
  26601. type: string
  26602. role:
  26603. description: |-
  26604. Role is the role of the service account.
  26605. See here for the documentation on basic roles offered by Grafana:
  26606. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26607. type: string
  26608. required:
  26609. - name
  26610. - role
  26611. type: object
  26612. url:
  26613. description: URL is the URL of the Grafana instance.
  26614. type: string
  26615. required:
  26616. - auth
  26617. - serviceAccount
  26618. - url
  26619. type: object
  26620. mfaSpec:
  26621. description: MFASpec controls the behavior of the mfa generator.
  26622. properties:
  26623. algorithm:
  26624. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  26625. type: string
  26626. length:
  26627. description: Length defines the token length. Defaults to 6 characters.
  26628. type: integer
  26629. secret:
  26630. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  26631. properties:
  26632. key:
  26633. description: |-
  26634. A key in the referenced Secret.
  26635. Some instances of this field may be defaulted, in others it may be required.
  26636. maxLength: 253
  26637. minLength: 1
  26638. pattern: ^[-._a-zA-Z0-9]+$
  26639. type: string
  26640. name:
  26641. description: The name of the Secret resource being referred to.
  26642. maxLength: 253
  26643. minLength: 1
  26644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26645. type: string
  26646. namespace:
  26647. description: |-
  26648. The namespace of the Secret resource being referred to.
  26649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26650. maxLength: 63
  26651. minLength: 1
  26652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26653. type: string
  26654. type: object
  26655. timePeriod:
  26656. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  26657. type: integer
  26658. when:
  26659. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  26660. format: date-time
  26661. type: string
  26662. required:
  26663. - secret
  26664. type: object
  26665. passwordSpec:
  26666. description: PasswordSpec controls the behavior of the password generator.
  26667. properties:
  26668. allowRepeat:
  26669. default: false
  26670. description: set AllowRepeat to true to allow repeating characters.
  26671. type: boolean
  26672. digits:
  26673. description: |-
  26674. Digits specifies the number of digits in the generated
  26675. password. If omitted it defaults to 25% of the length of the password
  26676. type: integer
  26677. encoding:
  26678. default: raw
  26679. description: |-
  26680. Encoding specifies the encoding of the generated password.
  26681. Valid values are:
  26682. - "raw" (default): no encoding
  26683. - "base64": standard base64 encoding
  26684. - "base64url": base64url encoding
  26685. - "base32": base32 encoding
  26686. - "hex": hexadecimal encoding
  26687. enum:
  26688. - base64
  26689. - base64url
  26690. - base32
  26691. - hex
  26692. - raw
  26693. type: string
  26694. length:
  26695. default: 24
  26696. description: |-
  26697. Length of the password to be generated.
  26698. Defaults to 24
  26699. type: integer
  26700. noUpper:
  26701. default: false
  26702. description: Set NoUpper to disable uppercase characters
  26703. type: boolean
  26704. secretKeys:
  26705. description: |-
  26706. SecretKeys defines the keys that will be populated with generated passwords.
  26707. Defaults to "password" when not set.
  26708. items:
  26709. type: string
  26710. minItems: 1
  26711. type: array
  26712. symbolCharacters:
  26713. description: |-
  26714. SymbolCharacters specifies the special characters that should be used
  26715. in the generated password.
  26716. type: string
  26717. symbols:
  26718. description: |-
  26719. Symbols specifies the number of symbol characters in the generated
  26720. password. If omitted it defaults to 25% of the length of the password
  26721. type: integer
  26722. required:
  26723. - allowRepeat
  26724. - length
  26725. - noUpper
  26726. type: object
  26727. quayAccessTokenSpec:
  26728. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  26729. properties:
  26730. robotAccount:
  26731. description: Name of the robot account you are federating with
  26732. type: string
  26733. serviceAccountRef:
  26734. description: Name of the service account you are federating with
  26735. properties:
  26736. audiences:
  26737. description: |-
  26738. Audience specifies the `aud` claim for the service account token
  26739. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26740. then this audiences will be appended to the list
  26741. items:
  26742. type: string
  26743. type: array
  26744. name:
  26745. description: The name of the ServiceAccount resource being referred to.
  26746. maxLength: 253
  26747. minLength: 1
  26748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26749. type: string
  26750. namespace:
  26751. description: |-
  26752. Namespace of the resource being referred to.
  26753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26754. maxLength: 63
  26755. minLength: 1
  26756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26757. type: string
  26758. required:
  26759. - name
  26760. type: object
  26761. url:
  26762. description: URL configures the Quay instance URL. Defaults to quay.io.
  26763. type: string
  26764. required:
  26765. - robotAccount
  26766. - serviceAccountRef
  26767. type: object
  26768. sshKeySpec:
  26769. description: SSHKeySpec controls the behavior of the ssh key generator.
  26770. properties:
  26771. comment:
  26772. description: Comment specifies an optional comment for the SSH key
  26773. type: string
  26774. keySize:
  26775. description: |-
  26776. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  26777. For RSA keys: 2048, 3072, 4096
  26778. For ECDSA keys: 256, 384, 521
  26779. Ignored for ed25519 keys
  26780. maximum: 8192
  26781. minimum: 256
  26782. type: integer
  26783. keyType:
  26784. default: rsa
  26785. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  26786. enum:
  26787. - rsa
  26788. - ecdsa
  26789. - ed25519
  26790. type: string
  26791. type: object
  26792. stsSessionTokenSpec:
  26793. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  26794. properties:
  26795. auth:
  26796. description: Auth defines how to authenticate with AWS
  26797. properties:
  26798. jwt:
  26799. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26800. properties:
  26801. serviceAccountRef:
  26802. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26803. properties:
  26804. audiences:
  26805. description: |-
  26806. Audience specifies the `aud` claim for the service account token
  26807. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26808. then this audiences will be appended to the list
  26809. items:
  26810. type: string
  26811. type: array
  26812. name:
  26813. description: The name of the ServiceAccount resource being referred to.
  26814. maxLength: 253
  26815. minLength: 1
  26816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26817. type: string
  26818. namespace:
  26819. description: |-
  26820. Namespace of the resource being referred to.
  26821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26822. maxLength: 63
  26823. minLength: 1
  26824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26825. type: string
  26826. required:
  26827. - name
  26828. type: object
  26829. type: object
  26830. secretRef:
  26831. description: |-
  26832. AWSAuthSecretRef holds secret references for AWS credentials
  26833. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26834. properties:
  26835. accessKeyIDSecretRef:
  26836. description: The AccessKeyID is used for authentication
  26837. properties:
  26838. key:
  26839. description: |-
  26840. A key in the referenced Secret.
  26841. Some instances of this field may be defaulted, in others it may be required.
  26842. maxLength: 253
  26843. minLength: 1
  26844. pattern: ^[-._a-zA-Z0-9]+$
  26845. type: string
  26846. name:
  26847. description: The name of the Secret resource being referred to.
  26848. maxLength: 253
  26849. minLength: 1
  26850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26851. type: string
  26852. namespace:
  26853. description: |-
  26854. The namespace of the Secret resource being referred to.
  26855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26856. maxLength: 63
  26857. minLength: 1
  26858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26859. type: string
  26860. type: object
  26861. secretAccessKeySecretRef:
  26862. description: The SecretAccessKey is used for authentication
  26863. properties:
  26864. key:
  26865. description: |-
  26866. A key in the referenced Secret.
  26867. Some instances of this field may be defaulted, in others it may be required.
  26868. maxLength: 253
  26869. minLength: 1
  26870. pattern: ^[-._a-zA-Z0-9]+$
  26871. type: string
  26872. name:
  26873. description: The name of the Secret resource being referred to.
  26874. maxLength: 253
  26875. minLength: 1
  26876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26877. type: string
  26878. namespace:
  26879. description: |-
  26880. The namespace of the Secret resource being referred to.
  26881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26882. maxLength: 63
  26883. minLength: 1
  26884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26885. type: string
  26886. type: object
  26887. sessionTokenSecretRef:
  26888. description: |-
  26889. The SessionToken used for authentication
  26890. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26891. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26892. properties:
  26893. key:
  26894. description: |-
  26895. A key in the referenced Secret.
  26896. Some instances of this field may be defaulted, in others it may be required.
  26897. maxLength: 253
  26898. minLength: 1
  26899. pattern: ^[-._a-zA-Z0-9]+$
  26900. type: string
  26901. name:
  26902. description: The name of the Secret resource being referred to.
  26903. maxLength: 253
  26904. minLength: 1
  26905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26906. type: string
  26907. namespace:
  26908. description: |-
  26909. The namespace of the Secret resource being referred to.
  26910. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26911. maxLength: 63
  26912. minLength: 1
  26913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26914. type: string
  26915. type: object
  26916. type: object
  26917. type: object
  26918. region:
  26919. description: Region specifies the region to operate in.
  26920. type: string
  26921. requestParameters:
  26922. description: RequestParameters contains parameters that can be passed to the STS service.
  26923. properties:
  26924. serialNumber:
  26925. description: |-
  26926. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  26927. the GetSessionToken call.
  26928. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  26929. (such as arn:aws:iam::123456789012:mfa/user)
  26930. type: string
  26931. sessionDuration:
  26932. format: int32
  26933. type: integer
  26934. tokenCode:
  26935. description: TokenCode is the value provided by the MFA device, if MFA is required.
  26936. type: string
  26937. type: object
  26938. role:
  26939. description: |-
  26940. You can assume a role before making calls to the
  26941. desired AWS service.
  26942. type: string
  26943. required:
  26944. - region
  26945. type: object
  26946. uuidSpec:
  26947. description: UUIDSpec controls the behavior of the uuid generator.
  26948. type: object
  26949. vaultDynamicSecretSpec:
  26950. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  26951. properties:
  26952. allowEmptyResponse:
  26953. default: false
  26954. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  26955. type: boolean
  26956. controller:
  26957. description: |-
  26958. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26959. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26960. type: string
  26961. getParameters:
  26962. additionalProperties:
  26963. items:
  26964. type: string
  26965. type: array
  26966. description: |-
  26967. GetParameters are query-string parameters passed to Vault on GET calls.
  26968. Each key may map to multiple values, matching HTTP query-string semantics.
  26969. Ignored for non-GET methods; use Parameters for write bodies.
  26970. type: object
  26971. method:
  26972. description: Vault API method to use (GET/POST/other)
  26973. type: string
  26974. parameters:
  26975. description: Parameters to pass to Vault write (for non-GET methods)
  26976. x-kubernetes-preserve-unknown-fields: true
  26977. path:
  26978. description: Vault path to obtain the dynamic secret from
  26979. type: string
  26980. provider:
  26981. description: Vault provider common spec
  26982. properties:
  26983. auth:
  26984. description: Auth configures how secret-manager authenticates with the Vault server.
  26985. properties:
  26986. appRole:
  26987. description: |-
  26988. AppRole authenticates with Vault using the App Role auth mechanism,
  26989. with the role and secret stored in a Kubernetes Secret resource.
  26990. properties:
  26991. path:
  26992. default: approle
  26993. description: |-
  26994. Path where the App Role authentication backend is mounted
  26995. in Vault, e.g: "approle"
  26996. type: string
  26997. roleId:
  26998. description: |-
  26999. RoleID configured in the App Role authentication backend when setting
  27000. up the authentication backend in Vault.
  27001. type: string
  27002. roleRef:
  27003. description: |-
  27004. Reference to a key in a Secret that contains the App Role ID used
  27005. to authenticate with Vault.
  27006. The `key` field must be specified and denotes which entry within the Secret
  27007. resource is used as the app role id.
  27008. properties:
  27009. key:
  27010. description: |-
  27011. A key in the referenced Secret.
  27012. Some instances of this field may be defaulted, in others it may be required.
  27013. maxLength: 253
  27014. minLength: 1
  27015. pattern: ^[-._a-zA-Z0-9]+$
  27016. type: string
  27017. name:
  27018. description: The name of the Secret resource being referred to.
  27019. maxLength: 253
  27020. minLength: 1
  27021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27022. type: string
  27023. namespace:
  27024. description: |-
  27025. The namespace of the Secret resource being referred to.
  27026. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27027. maxLength: 63
  27028. minLength: 1
  27029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27030. type: string
  27031. type: object
  27032. secretRef:
  27033. description: |-
  27034. Reference to a key in a Secret that contains the App Role secret used
  27035. to authenticate with Vault.
  27036. The `key` field must be specified and denotes which entry within the Secret
  27037. resource is used as the app role secret.
  27038. properties:
  27039. key:
  27040. description: |-
  27041. A key in the referenced Secret.
  27042. Some instances of this field may be defaulted, in others it may be required.
  27043. maxLength: 253
  27044. minLength: 1
  27045. pattern: ^[-._a-zA-Z0-9]+$
  27046. type: string
  27047. name:
  27048. description: The name of the Secret resource being referred to.
  27049. maxLength: 253
  27050. minLength: 1
  27051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27052. type: string
  27053. namespace:
  27054. description: |-
  27055. The namespace of the Secret resource being referred to.
  27056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27057. maxLength: 63
  27058. minLength: 1
  27059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27060. type: string
  27061. type: object
  27062. required:
  27063. - path
  27064. - secretRef
  27065. type: object
  27066. cert:
  27067. description: |-
  27068. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  27069. Cert authentication method
  27070. properties:
  27071. clientCert:
  27072. description: |-
  27073. ClientCert is a certificate to authenticate using the Cert Vault
  27074. authentication method
  27075. properties:
  27076. key:
  27077. description: |-
  27078. A key in the referenced Secret.
  27079. Some instances of this field may be defaulted, in others it may be required.
  27080. maxLength: 253
  27081. minLength: 1
  27082. pattern: ^[-._a-zA-Z0-9]+$
  27083. type: string
  27084. name:
  27085. description: The name of the Secret resource being referred to.
  27086. maxLength: 253
  27087. minLength: 1
  27088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27089. type: string
  27090. namespace:
  27091. description: |-
  27092. The namespace of the Secret resource being referred to.
  27093. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27094. maxLength: 63
  27095. minLength: 1
  27096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27097. type: string
  27098. type: object
  27099. path:
  27100. default: cert
  27101. description: |-
  27102. Path where the Certificate authentication backend is mounted
  27103. in Vault, e.g: "cert"
  27104. type: string
  27105. secretRef:
  27106. description: |-
  27107. SecretRef to a key in a Secret resource containing client private key to
  27108. authenticate with Vault using the Cert authentication method
  27109. properties:
  27110. key:
  27111. description: |-
  27112. A key in the referenced Secret.
  27113. Some instances of this field may be defaulted, in others it may be required.
  27114. maxLength: 253
  27115. minLength: 1
  27116. pattern: ^[-._a-zA-Z0-9]+$
  27117. type: string
  27118. name:
  27119. description: The name of the Secret resource being referred to.
  27120. maxLength: 253
  27121. minLength: 1
  27122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27123. type: string
  27124. namespace:
  27125. description: |-
  27126. The namespace of the Secret resource being referred to.
  27127. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27128. maxLength: 63
  27129. minLength: 1
  27130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27131. type: string
  27132. type: object
  27133. vaultRole:
  27134. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27135. type: string
  27136. type: object
  27137. gcp:
  27138. description: |-
  27139. Gcp authenticates with Vault using Google Cloud Platform authentication method
  27140. GCP authentication method
  27141. properties:
  27142. location:
  27143. description: Location optionally defines a location/region for the secret
  27144. type: string
  27145. path:
  27146. default: gcp
  27147. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27148. type: string
  27149. projectID:
  27150. description: Project ID of the Google Cloud Platform project
  27151. type: string
  27152. role:
  27153. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27154. type: string
  27155. secretRef:
  27156. description: Specify credentials in a Secret object
  27157. properties:
  27158. secretAccessKeySecretRef:
  27159. description: The SecretAccessKey is used for authentication
  27160. properties:
  27161. key:
  27162. description: |-
  27163. A key in the referenced Secret.
  27164. Some instances of this field may be defaulted, in others it may be required.
  27165. maxLength: 253
  27166. minLength: 1
  27167. pattern: ^[-._a-zA-Z0-9]+$
  27168. type: string
  27169. name:
  27170. description: The name of the Secret resource being referred to.
  27171. maxLength: 253
  27172. minLength: 1
  27173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27174. type: string
  27175. namespace:
  27176. description: |-
  27177. The namespace of the Secret resource being referred to.
  27178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27179. maxLength: 63
  27180. minLength: 1
  27181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27182. type: string
  27183. type: object
  27184. type: object
  27185. serviceAccountRef:
  27186. description: ServiceAccountRef to a service account for impersonation
  27187. properties:
  27188. audiences:
  27189. description: |-
  27190. Audience specifies the `aud` claim for the service account token
  27191. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27192. then this audiences will be appended to the list
  27193. items:
  27194. type: string
  27195. type: array
  27196. name:
  27197. description: The name of the ServiceAccount resource being referred to.
  27198. maxLength: 253
  27199. minLength: 1
  27200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27201. type: string
  27202. namespace:
  27203. description: |-
  27204. Namespace of the resource being referred to.
  27205. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27206. maxLength: 63
  27207. minLength: 1
  27208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27209. type: string
  27210. required:
  27211. - name
  27212. type: object
  27213. workloadIdentity:
  27214. description: Specify a service account with Workload Identity
  27215. properties:
  27216. clusterLocation:
  27217. description: |-
  27218. ClusterLocation is the location of the cluster
  27219. If not specified, it fetches information from the metadata server
  27220. type: string
  27221. clusterName:
  27222. description: |-
  27223. ClusterName is the name of the cluster
  27224. If not specified, it fetches information from the metadata server
  27225. type: string
  27226. clusterProjectID:
  27227. description: |-
  27228. ClusterProjectID is the project ID of the cluster
  27229. If not specified, it fetches information from the metadata server
  27230. type: string
  27231. serviceAccountRef:
  27232. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27233. properties:
  27234. audiences:
  27235. description: |-
  27236. Audience specifies the `aud` claim for the service account token
  27237. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27238. then this audiences will be appended to the list
  27239. items:
  27240. type: string
  27241. type: array
  27242. name:
  27243. description: The name of the ServiceAccount resource being referred to.
  27244. maxLength: 253
  27245. minLength: 1
  27246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27247. type: string
  27248. namespace:
  27249. description: |-
  27250. Namespace of the resource being referred to.
  27251. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27252. maxLength: 63
  27253. minLength: 1
  27254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27255. type: string
  27256. required:
  27257. - name
  27258. type: object
  27259. required:
  27260. - serviceAccountRef
  27261. type: object
  27262. required:
  27263. - role
  27264. type: object
  27265. iam:
  27266. description: |-
  27267. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  27268. AWS IAM authentication method
  27269. properties:
  27270. externalID:
  27271. description: AWS External ID set on assumed IAM roles
  27272. type: string
  27273. jwt:
  27274. description: Specify a service account with IRSA enabled
  27275. properties:
  27276. serviceAccountRef:
  27277. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27278. properties:
  27279. audiences:
  27280. description: |-
  27281. Audience specifies the `aud` claim for the service account token
  27282. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27283. then this audiences will be appended to the list
  27284. items:
  27285. type: string
  27286. type: array
  27287. name:
  27288. description: The name of the ServiceAccount resource being referred to.
  27289. maxLength: 253
  27290. minLength: 1
  27291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27292. type: string
  27293. namespace:
  27294. description: |-
  27295. Namespace of the resource being referred to.
  27296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27297. maxLength: 63
  27298. minLength: 1
  27299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27300. type: string
  27301. required:
  27302. - name
  27303. type: object
  27304. type: object
  27305. path:
  27306. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  27307. type: string
  27308. region:
  27309. description: AWS region
  27310. type: string
  27311. role:
  27312. description: This is the AWS role to be assumed before talking to vault
  27313. type: string
  27314. secretRef:
  27315. description: Specify credentials in a Secret object
  27316. properties:
  27317. accessKeyIDSecretRef:
  27318. description: The AccessKeyID is used for authentication
  27319. properties:
  27320. key:
  27321. description: |-
  27322. A key in the referenced Secret.
  27323. Some instances of this field may be defaulted, in others it may be required.
  27324. maxLength: 253
  27325. minLength: 1
  27326. pattern: ^[-._a-zA-Z0-9]+$
  27327. type: string
  27328. name:
  27329. description: The name of the Secret resource being referred to.
  27330. maxLength: 253
  27331. minLength: 1
  27332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27333. type: string
  27334. namespace:
  27335. description: |-
  27336. The namespace of the Secret resource being referred to.
  27337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27338. maxLength: 63
  27339. minLength: 1
  27340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27341. type: string
  27342. type: object
  27343. secretAccessKeySecretRef:
  27344. description: The SecretAccessKey is used for authentication
  27345. properties:
  27346. key:
  27347. description: |-
  27348. A key in the referenced Secret.
  27349. Some instances of this field may be defaulted, in others it may be required.
  27350. maxLength: 253
  27351. minLength: 1
  27352. pattern: ^[-._a-zA-Z0-9]+$
  27353. type: string
  27354. name:
  27355. description: The name of the Secret resource being referred to.
  27356. maxLength: 253
  27357. minLength: 1
  27358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27359. type: string
  27360. namespace:
  27361. description: |-
  27362. The namespace of the Secret resource being referred to.
  27363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27364. maxLength: 63
  27365. minLength: 1
  27366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27367. type: string
  27368. type: object
  27369. sessionTokenSecretRef:
  27370. description: |-
  27371. The SessionToken used for authentication
  27372. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27373. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27374. properties:
  27375. key:
  27376. description: |-
  27377. A key in the referenced Secret.
  27378. Some instances of this field may be defaulted, in others it may be required.
  27379. maxLength: 253
  27380. minLength: 1
  27381. pattern: ^[-._a-zA-Z0-9]+$
  27382. type: string
  27383. name:
  27384. description: The name of the Secret resource being referred to.
  27385. maxLength: 253
  27386. minLength: 1
  27387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27388. type: string
  27389. namespace:
  27390. description: |-
  27391. The namespace of the Secret resource being referred to.
  27392. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27393. maxLength: 63
  27394. minLength: 1
  27395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27396. type: string
  27397. type: object
  27398. type: object
  27399. vaultAwsIamServerID:
  27400. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  27401. type: string
  27402. vaultRole:
  27403. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  27404. type: string
  27405. required:
  27406. - vaultRole
  27407. type: object
  27408. jwt:
  27409. description: |-
  27410. Jwt authenticates with Vault by passing role and JWT token using the
  27411. JWT/OIDC authentication method
  27412. properties:
  27413. kubernetesServiceAccountToken:
  27414. description: |-
  27415. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  27416. a token for with the `TokenRequest` API.
  27417. properties:
  27418. audiences:
  27419. description: |-
  27420. Optional audiences field that will be used to request a temporary Kubernetes service
  27421. account token for the service account referenced by `serviceAccountRef`.
  27422. Defaults to a single audience `vault` it not specified.
  27423. Deprecated: use serviceAccountRef.Audiences instead
  27424. items:
  27425. type: string
  27426. type: array
  27427. expirationSeconds:
  27428. description: |-
  27429. Optional expiration time in seconds that will be used to request a temporary
  27430. Kubernetes service account token for the service account referenced by
  27431. `serviceAccountRef`.
  27432. Deprecated: this will be removed in the future.
  27433. Defaults to 10 minutes.
  27434. format: int64
  27435. type: integer
  27436. serviceAccountRef:
  27437. description: Service account field containing the name of a kubernetes ServiceAccount.
  27438. properties:
  27439. audiences:
  27440. description: |-
  27441. Audience specifies the `aud` claim for the service account token
  27442. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27443. then this audiences will be appended to the list
  27444. items:
  27445. type: string
  27446. type: array
  27447. name:
  27448. description: The name of the ServiceAccount resource being referred to.
  27449. maxLength: 253
  27450. minLength: 1
  27451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27452. type: string
  27453. namespace:
  27454. description: |-
  27455. Namespace of the resource being referred to.
  27456. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27457. maxLength: 63
  27458. minLength: 1
  27459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27460. type: string
  27461. required:
  27462. - name
  27463. type: object
  27464. required:
  27465. - serviceAccountRef
  27466. type: object
  27467. path:
  27468. default: jwt
  27469. description: |-
  27470. Path where the JWT authentication backend is mounted
  27471. in Vault, e.g: "jwt"
  27472. type: string
  27473. role:
  27474. description: |-
  27475. Role is a JWT role to authenticate using the JWT/OIDC Vault
  27476. authentication method
  27477. type: string
  27478. secretRef:
  27479. description: |-
  27480. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  27481. authenticate with Vault using the JWT/OIDC authentication method.
  27482. properties:
  27483. key:
  27484. description: |-
  27485. A key in the referenced Secret.
  27486. Some instances of this field may be defaulted, in others it may be required.
  27487. maxLength: 253
  27488. minLength: 1
  27489. pattern: ^[-._a-zA-Z0-9]+$
  27490. type: string
  27491. name:
  27492. description: The name of the Secret resource being referred to.
  27493. maxLength: 253
  27494. minLength: 1
  27495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27496. type: string
  27497. namespace:
  27498. description: |-
  27499. The namespace of the Secret resource being referred to.
  27500. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27501. maxLength: 63
  27502. minLength: 1
  27503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27504. type: string
  27505. type: object
  27506. required:
  27507. - path
  27508. type: object
  27509. kubernetes:
  27510. description: |-
  27511. Kubernetes authenticates with Vault by passing the ServiceAccount
  27512. token stored in the named Secret resource to the Vault server.
  27513. properties:
  27514. mountPath:
  27515. default: kubernetes
  27516. description: |-
  27517. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  27518. "kubernetes"
  27519. type: string
  27520. role:
  27521. description: |-
  27522. A required field containing the Vault Role to assume. A Role binds a
  27523. Kubernetes ServiceAccount with a set of Vault policies.
  27524. type: string
  27525. secretRef:
  27526. description: |-
  27527. Optional secret field containing a Kubernetes ServiceAccount JWT used
  27528. for authenticating with Vault. If a name is specified without a key,
  27529. `token` is the default. If one is not specified, the one bound to
  27530. the controller will be used.
  27531. properties:
  27532. key:
  27533. description: |-
  27534. A key in the referenced Secret.
  27535. Some instances of this field may be defaulted, in others it may be required.
  27536. maxLength: 253
  27537. minLength: 1
  27538. pattern: ^[-._a-zA-Z0-9]+$
  27539. type: string
  27540. name:
  27541. description: The name of the Secret resource being referred to.
  27542. maxLength: 253
  27543. minLength: 1
  27544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27545. type: string
  27546. namespace:
  27547. description: |-
  27548. The namespace of the Secret resource being referred to.
  27549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27550. maxLength: 63
  27551. minLength: 1
  27552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27553. type: string
  27554. type: object
  27555. serviceAccountRef:
  27556. description: |-
  27557. Optional service account field containing the name of a kubernetes ServiceAccount.
  27558. If the service account is specified, the service account secret token JWT will be used
  27559. for authenticating with Vault. If the service account selector is not supplied,
  27560. the secretRef will be used instead.
  27561. properties:
  27562. audiences:
  27563. description: |-
  27564. Audience specifies the `aud` claim for the service account token
  27565. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27566. then this audiences will be appended to the list
  27567. items:
  27568. type: string
  27569. type: array
  27570. name:
  27571. description: The name of the ServiceAccount resource being referred to.
  27572. maxLength: 253
  27573. minLength: 1
  27574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27575. type: string
  27576. namespace:
  27577. description: |-
  27578. Namespace of the resource being referred to.
  27579. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27580. maxLength: 63
  27581. minLength: 1
  27582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27583. type: string
  27584. required:
  27585. - name
  27586. type: object
  27587. required:
  27588. - mountPath
  27589. - role
  27590. type: object
  27591. ldap:
  27592. description: |-
  27593. Ldap authenticates with Vault by passing username/password pair using
  27594. the LDAP authentication method
  27595. properties:
  27596. path:
  27597. default: ldap
  27598. description: |-
  27599. Path where the LDAP authentication backend is mounted
  27600. in Vault, e.g: "ldap"
  27601. type: string
  27602. secretRef:
  27603. description: |-
  27604. SecretRef to a key in a Secret resource containing password for the LDAP
  27605. user used to authenticate with Vault using the LDAP authentication
  27606. method
  27607. properties:
  27608. key:
  27609. description: |-
  27610. A key in the referenced Secret.
  27611. Some instances of this field may be defaulted, in others it may be required.
  27612. maxLength: 253
  27613. minLength: 1
  27614. pattern: ^[-._a-zA-Z0-9]+$
  27615. type: string
  27616. name:
  27617. description: The name of the Secret resource being referred to.
  27618. maxLength: 253
  27619. minLength: 1
  27620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27621. type: string
  27622. namespace:
  27623. description: |-
  27624. The namespace of the Secret resource being referred to.
  27625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27626. maxLength: 63
  27627. minLength: 1
  27628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27629. type: string
  27630. type: object
  27631. username:
  27632. description: |-
  27633. Username is an LDAP username used to authenticate using the LDAP Vault
  27634. authentication method
  27635. type: string
  27636. required:
  27637. - path
  27638. - username
  27639. type: object
  27640. namespace:
  27641. description: |-
  27642. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  27643. Namespaces is a set of features within Vault Enterprise that allows
  27644. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27645. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27646. This will default to Vault.Namespace field if set, or empty otherwise
  27647. type: string
  27648. tokenSecretRef:
  27649. description: TokenSecretRef authenticates with Vault by presenting a token.
  27650. properties:
  27651. key:
  27652. description: |-
  27653. A key in the referenced Secret.
  27654. Some instances of this field may be defaulted, in others it may be required.
  27655. maxLength: 253
  27656. minLength: 1
  27657. pattern: ^[-._a-zA-Z0-9]+$
  27658. type: string
  27659. name:
  27660. description: The name of the Secret resource being referred to.
  27661. maxLength: 253
  27662. minLength: 1
  27663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27664. type: string
  27665. namespace:
  27666. description: |-
  27667. The namespace of the Secret resource being referred to.
  27668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27669. maxLength: 63
  27670. minLength: 1
  27671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27672. type: string
  27673. type: object
  27674. userPass:
  27675. description: UserPass authenticates with Vault by passing username/password pair
  27676. properties:
  27677. path:
  27678. default: userpass
  27679. description: |-
  27680. Path where the UserPassword authentication backend is mounted
  27681. in Vault, e.g: "userpass"
  27682. type: string
  27683. secretRef:
  27684. description: |-
  27685. SecretRef to a key in a Secret resource containing password for the
  27686. user used to authenticate with Vault using the UserPass authentication
  27687. method
  27688. properties:
  27689. key:
  27690. description: |-
  27691. A key in the referenced Secret.
  27692. Some instances of this field may be defaulted, in others it may be required.
  27693. maxLength: 253
  27694. minLength: 1
  27695. pattern: ^[-._a-zA-Z0-9]+$
  27696. type: string
  27697. name:
  27698. description: The name of the Secret resource being referred to.
  27699. maxLength: 253
  27700. minLength: 1
  27701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27702. type: string
  27703. namespace:
  27704. description: |-
  27705. The namespace of the Secret resource being referred to.
  27706. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27707. maxLength: 63
  27708. minLength: 1
  27709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27710. type: string
  27711. type: object
  27712. username:
  27713. description: |-
  27714. Username is a username used to authenticate using the UserPass Vault
  27715. authentication method
  27716. type: string
  27717. required:
  27718. - path
  27719. - username
  27720. type: object
  27721. type: object
  27722. caBundle:
  27723. description: |-
  27724. PEM encoded CA bundle used to validate Vault server certificate. Only used
  27725. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27726. plain HTTP protocol connection. If not set the system root certificates
  27727. are used to validate the TLS connection.
  27728. format: byte
  27729. type: string
  27730. caProvider:
  27731. description: The provider for the CA bundle to use to validate Vault server certificate.
  27732. properties:
  27733. key:
  27734. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27735. maxLength: 253
  27736. minLength: 1
  27737. pattern: ^[-._a-zA-Z0-9]+$
  27738. type: string
  27739. name:
  27740. description: The name of the object located at the provider type.
  27741. maxLength: 253
  27742. minLength: 1
  27743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27744. type: string
  27745. namespace:
  27746. description: |-
  27747. The namespace the Provider type is in.
  27748. Can only be defined when used in a ClusterSecretStore.
  27749. maxLength: 63
  27750. minLength: 1
  27751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27752. type: string
  27753. type:
  27754. description: The type of provider to use such as "Secret", or "ConfigMap".
  27755. enum:
  27756. - Secret
  27757. - ConfigMap
  27758. type: string
  27759. required:
  27760. - name
  27761. - type
  27762. type: object
  27763. checkAndSet:
  27764. description: |-
  27765. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  27766. Only applies to Vault KV v2 stores. When enabled, write operations must include
  27767. the current version of the secret to prevent unintentional overwrites.
  27768. properties:
  27769. required:
  27770. description: |-
  27771. Required when true, all write operations must include a check-and-set parameter.
  27772. This helps prevent unintentional overwrites of secrets.
  27773. type: boolean
  27774. type: object
  27775. forwardInconsistent:
  27776. description: |-
  27777. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  27778. leader instead of simply retrying within a loop. This can increase performance if
  27779. the option is enabled serverside.
  27780. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  27781. type: boolean
  27782. headers:
  27783. additionalProperties:
  27784. type: string
  27785. description: Headers to be added in Vault request
  27786. type: object
  27787. namespace:
  27788. description: |-
  27789. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  27790. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27791. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27792. type: string
  27793. path:
  27794. description: |-
  27795. Path is the mount path of the Vault KV backend endpoint, e.g:
  27796. "secret". The v2 KV secret engine version specific "/data" path suffix
  27797. for fetching secrets from Vault is optional and will be appended
  27798. if not present in specified path.
  27799. type: string
  27800. readYourWrites:
  27801. description: |-
  27802. ReadYourWrites ensures isolated read-after-write semantics by
  27803. providing discovered cluster replication states in each request.
  27804. More information about eventual consistency in Vault can be found here
  27805. https://www.vaultproject.io/docs/enterprise/consistency
  27806. type: boolean
  27807. server:
  27808. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  27809. type: string
  27810. tls:
  27811. description: |-
  27812. The configuration used for client side related TLS communication, when the Vault server
  27813. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  27814. This parameter is ignored for plain HTTP protocol connection.
  27815. It's worth noting this configuration is different from the "TLS certificates auth method",
  27816. which is available under the `auth.cert` section.
  27817. properties:
  27818. certSecretRef:
  27819. description: |-
  27820. CertSecretRef is a certificate added to the transport layer
  27821. when communicating with the Vault server.
  27822. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  27823. properties:
  27824. key:
  27825. description: |-
  27826. A key in the referenced Secret.
  27827. Some instances of this field may be defaulted, in others it may be required.
  27828. maxLength: 253
  27829. minLength: 1
  27830. pattern: ^[-._a-zA-Z0-9]+$
  27831. type: string
  27832. name:
  27833. description: The name of the Secret resource being referred to.
  27834. maxLength: 253
  27835. minLength: 1
  27836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27837. type: string
  27838. namespace:
  27839. description: |-
  27840. The namespace of the Secret resource being referred to.
  27841. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27842. maxLength: 63
  27843. minLength: 1
  27844. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27845. type: string
  27846. type: object
  27847. keySecretRef:
  27848. description: |-
  27849. KeySecretRef to a key in a Secret resource containing client private key
  27850. added to the transport layer when communicating with the Vault server.
  27851. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  27852. properties:
  27853. key:
  27854. description: |-
  27855. A key in the referenced Secret.
  27856. Some instances of this field may be defaulted, in others it may be required.
  27857. maxLength: 253
  27858. minLength: 1
  27859. pattern: ^[-._a-zA-Z0-9]+$
  27860. type: string
  27861. name:
  27862. description: The name of the Secret resource being referred to.
  27863. maxLength: 253
  27864. minLength: 1
  27865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27866. type: string
  27867. namespace:
  27868. description: |-
  27869. The namespace of the Secret resource being referred to.
  27870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27871. maxLength: 63
  27872. minLength: 1
  27873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27874. type: string
  27875. type: object
  27876. type: object
  27877. version:
  27878. default: v2
  27879. description: |-
  27880. Version is the Vault KV secret engine version. This can be either "v1" or
  27881. "v2". Version defaults to "v2".
  27882. enum:
  27883. - v1
  27884. - v2
  27885. type: string
  27886. required:
  27887. - server
  27888. type: object
  27889. resultType:
  27890. default: Data
  27891. description: |-
  27892. Result type defines which data is returned from the generator.
  27893. By default, it is the "data" section of the Vault API response.
  27894. When using e.g. /auth/token/create the "data" section is empty but
  27895. the "auth" section contains the generated token.
  27896. Please refer to the vault docs regarding the result data structure.
  27897. Additionally, accessing the raw response is possibly by using "Raw" result type.
  27898. enum:
  27899. - Data
  27900. - Auth
  27901. - Raw
  27902. type: string
  27903. retrySettings:
  27904. description: Used to configure http retries if failed
  27905. properties:
  27906. maxRetries:
  27907. format: int32
  27908. type: integer
  27909. retryInterval:
  27910. type: string
  27911. type: object
  27912. required:
  27913. - path
  27914. - provider
  27915. type: object
  27916. webhookSpec:
  27917. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  27918. properties:
  27919. auth:
  27920. description: Auth specifies a authorization protocol. Only one protocol may be set.
  27921. maxProperties: 1
  27922. minProperties: 1
  27923. properties:
  27924. ntlm:
  27925. description: NTLMProtocol configures the store to use NTLM for auth
  27926. properties:
  27927. passwordSecret:
  27928. description: |-
  27929. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27930. In some instances, `key` is a required field.
  27931. properties:
  27932. key:
  27933. description: |-
  27934. A key in the referenced Secret.
  27935. Some instances of this field may be defaulted, in others it may be required.
  27936. maxLength: 253
  27937. minLength: 1
  27938. pattern: ^[-._a-zA-Z0-9]+$
  27939. type: string
  27940. name:
  27941. description: The name of the Secret resource being referred to.
  27942. maxLength: 253
  27943. minLength: 1
  27944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27945. type: string
  27946. namespace:
  27947. description: |-
  27948. The namespace of the Secret resource being referred to.
  27949. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27950. maxLength: 63
  27951. minLength: 1
  27952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27953. type: string
  27954. type: object
  27955. usernameSecret:
  27956. description: |-
  27957. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27958. In some instances, `key` is a required field.
  27959. properties:
  27960. key:
  27961. description: |-
  27962. A key in the referenced Secret.
  27963. Some instances of this field may be defaulted, in others it may be required.
  27964. maxLength: 253
  27965. minLength: 1
  27966. pattern: ^[-._a-zA-Z0-9]+$
  27967. type: string
  27968. name:
  27969. description: The name of the Secret resource being referred to.
  27970. maxLength: 253
  27971. minLength: 1
  27972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27973. type: string
  27974. namespace:
  27975. description: |-
  27976. The namespace of the Secret resource being referred to.
  27977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27978. maxLength: 63
  27979. minLength: 1
  27980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27981. type: string
  27982. type: object
  27983. required:
  27984. - passwordSecret
  27985. - usernameSecret
  27986. type: object
  27987. type: object
  27988. body:
  27989. description: Body
  27990. type: string
  27991. caBundle:
  27992. description: |-
  27993. PEM encoded CA bundle used to validate webhook server certificate. Only used
  27994. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27995. plain HTTP protocol connection. If not set the system root certificates
  27996. are used to validate the TLS connection.
  27997. format: byte
  27998. type: string
  27999. caProvider:
  28000. description: The provider for the CA bundle to use to validate webhook server certificate.
  28001. properties:
  28002. key:
  28003. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28004. maxLength: 253
  28005. minLength: 1
  28006. pattern: ^[-._a-zA-Z0-9]+$
  28007. type: string
  28008. name:
  28009. description: The name of the object located at the provider type.
  28010. maxLength: 253
  28011. minLength: 1
  28012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28013. type: string
  28014. namespace:
  28015. description: The namespace the Provider type is in.
  28016. maxLength: 63
  28017. minLength: 1
  28018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28019. type: string
  28020. type:
  28021. description: The type of provider to use such as "Secret", or "ConfigMap".
  28022. enum:
  28023. - Secret
  28024. - ConfigMap
  28025. type: string
  28026. required:
  28027. - name
  28028. - type
  28029. type: object
  28030. headers:
  28031. additionalProperties:
  28032. type: string
  28033. description: Headers
  28034. type: object
  28035. method:
  28036. description: Webhook Method
  28037. type: string
  28038. result:
  28039. description: Result formatting
  28040. properties:
  28041. jsonPath:
  28042. description: Json path of return value
  28043. type: string
  28044. type: object
  28045. secrets:
  28046. description: |-
  28047. Secrets to fill in templates
  28048. These secrets will be passed to the templating function as key value pairs under the given name
  28049. items:
  28050. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28051. properties:
  28052. name:
  28053. description: Name of this secret in templates
  28054. type: string
  28055. secretRef:
  28056. description: Secret ref to fill in credentials
  28057. properties:
  28058. key:
  28059. description: The key where the token is found.
  28060. maxLength: 253
  28061. minLength: 1
  28062. pattern: ^[-._a-zA-Z0-9]+$
  28063. type: string
  28064. name:
  28065. description: The name of the Secret resource being referred to.
  28066. maxLength: 253
  28067. minLength: 1
  28068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28069. type: string
  28070. type: object
  28071. required:
  28072. - name
  28073. - secretRef
  28074. type: object
  28075. type: array
  28076. timeout:
  28077. description: Timeout
  28078. type: string
  28079. url:
  28080. description: Webhook url to call
  28081. type: string
  28082. required:
  28083. - result
  28084. - url
  28085. type: object
  28086. type: object
  28087. kind:
  28088. description: Kind the kind of this generator.
  28089. enum:
  28090. - ACRAccessToken
  28091. - BeyondtrustWorkloadCredentialsDynamicSecret
  28092. - CloudsmithAccessToken
  28093. - ECRAuthorizationToken
  28094. - Fake
  28095. - GCRAccessToken
  28096. - GithubAccessToken
  28097. - QuayAccessToken
  28098. - Password
  28099. - SSHKey
  28100. - STSSessionToken
  28101. - UUID
  28102. - VaultDynamicSecret
  28103. - Webhook
  28104. - Grafana
  28105. - MFA
  28106. type: string
  28107. required:
  28108. - generator
  28109. - kind
  28110. type: object
  28111. type: object
  28112. served: true
  28113. storage: true
  28114. subresources:
  28115. status: {}
  28116. ---
  28117. apiVersion: apiextensions.k8s.io/v1
  28118. kind: CustomResourceDefinition
  28119. metadata:
  28120. annotations:
  28121. controller-gen.kubebuilder.io/version: v0.19.0
  28122. labels:
  28123. external-secrets.io/component: controller
  28124. name: ecrauthorizationtokens.generators.external-secrets.io
  28125. spec:
  28126. group: generators.external-secrets.io
  28127. names:
  28128. categories:
  28129. - external-secrets
  28130. - external-secrets-generators
  28131. kind: ECRAuthorizationToken
  28132. listKind: ECRAuthorizationTokenList
  28133. plural: ecrauthorizationtokens
  28134. singular: ecrauthorizationtoken
  28135. scope: Namespaced
  28136. versions:
  28137. - name: v1alpha1
  28138. schema:
  28139. openAPIV3Schema:
  28140. description: |-
  28141. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28142. The authorization token is valid for 12 hours.
  28143. The authorizationToken returned is a base64 encoded string that can be decoded
  28144. and used in a docker login command to authenticate to a registry.
  28145. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28146. properties:
  28147. apiVersion:
  28148. description: |-
  28149. APIVersion defines the versioned schema of this representation of an object.
  28150. Servers should convert recognized schemas to the latest internal value, and
  28151. may reject unrecognized values.
  28152. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28153. type: string
  28154. kind:
  28155. description: |-
  28156. Kind is a string value representing the REST resource this object represents.
  28157. Servers may infer this from the endpoint the client submits requests to.
  28158. Cannot be updated.
  28159. In CamelCase.
  28160. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28161. type: string
  28162. metadata:
  28163. type: object
  28164. spec:
  28165. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28166. properties:
  28167. auth:
  28168. description: Auth defines how to authenticate with AWS
  28169. properties:
  28170. jwt:
  28171. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28172. properties:
  28173. serviceAccountRef:
  28174. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28175. properties:
  28176. audiences:
  28177. description: |-
  28178. Audience specifies the `aud` claim for the service account token
  28179. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28180. then this audiences will be appended to the list
  28181. items:
  28182. type: string
  28183. type: array
  28184. name:
  28185. description: The name of the ServiceAccount resource being referred to.
  28186. maxLength: 253
  28187. minLength: 1
  28188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28189. type: string
  28190. namespace:
  28191. description: |-
  28192. Namespace of the resource being referred to.
  28193. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28194. maxLength: 63
  28195. minLength: 1
  28196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28197. type: string
  28198. required:
  28199. - name
  28200. type: object
  28201. type: object
  28202. secretRef:
  28203. description: |-
  28204. AWSAuthSecretRef holds secret references for AWS credentials
  28205. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28206. properties:
  28207. accessKeyIDSecretRef:
  28208. description: The AccessKeyID is used for authentication
  28209. properties:
  28210. key:
  28211. description: |-
  28212. A key in the referenced Secret.
  28213. Some instances of this field may be defaulted, in others it may be required.
  28214. maxLength: 253
  28215. minLength: 1
  28216. pattern: ^[-._a-zA-Z0-9]+$
  28217. type: string
  28218. name:
  28219. description: The name of the Secret resource being referred to.
  28220. maxLength: 253
  28221. minLength: 1
  28222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28223. type: string
  28224. namespace:
  28225. description: |-
  28226. The namespace of the Secret resource being referred to.
  28227. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28228. maxLength: 63
  28229. minLength: 1
  28230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28231. type: string
  28232. type: object
  28233. secretAccessKeySecretRef:
  28234. description: The SecretAccessKey is used for authentication
  28235. properties:
  28236. key:
  28237. description: |-
  28238. A key in the referenced Secret.
  28239. Some instances of this field may be defaulted, in others it may be required.
  28240. maxLength: 253
  28241. minLength: 1
  28242. pattern: ^[-._a-zA-Z0-9]+$
  28243. type: string
  28244. name:
  28245. description: The name of the Secret resource being referred to.
  28246. maxLength: 253
  28247. minLength: 1
  28248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28249. type: string
  28250. namespace:
  28251. description: |-
  28252. The namespace of the Secret resource being referred to.
  28253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28254. maxLength: 63
  28255. minLength: 1
  28256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28257. type: string
  28258. type: object
  28259. sessionTokenSecretRef:
  28260. description: |-
  28261. The SessionToken used for authentication
  28262. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28263. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28264. properties:
  28265. key:
  28266. description: |-
  28267. A key in the referenced Secret.
  28268. Some instances of this field may be defaulted, in others it may be required.
  28269. maxLength: 253
  28270. minLength: 1
  28271. pattern: ^[-._a-zA-Z0-9]+$
  28272. type: string
  28273. name:
  28274. description: The name of the Secret resource being referred to.
  28275. maxLength: 253
  28276. minLength: 1
  28277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28278. type: string
  28279. namespace:
  28280. description: |-
  28281. The namespace of the Secret resource being referred to.
  28282. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28283. maxLength: 63
  28284. minLength: 1
  28285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28286. type: string
  28287. type: object
  28288. type: object
  28289. type: object
  28290. region:
  28291. description: Region specifies the region to operate in.
  28292. type: string
  28293. role:
  28294. description: |-
  28295. You can assume a role before making calls to the
  28296. desired AWS service.
  28297. type: string
  28298. scope:
  28299. description: |-
  28300. Scope specifies the ECR service scope.
  28301. Valid options are private and public.
  28302. type: string
  28303. required:
  28304. - region
  28305. type: object
  28306. type: object
  28307. served: true
  28308. storage: true
  28309. subresources:
  28310. status: {}
  28311. ---
  28312. apiVersion: apiextensions.k8s.io/v1
  28313. kind: CustomResourceDefinition
  28314. metadata:
  28315. annotations:
  28316. controller-gen.kubebuilder.io/version: v0.19.0
  28317. labels:
  28318. external-secrets.io/component: controller
  28319. name: fakes.generators.external-secrets.io
  28320. spec:
  28321. group: generators.external-secrets.io
  28322. names:
  28323. categories:
  28324. - external-secrets
  28325. - external-secrets-generators
  28326. kind: Fake
  28327. listKind: FakeList
  28328. plural: fakes
  28329. singular: fake
  28330. scope: Namespaced
  28331. versions:
  28332. - name: v1alpha1
  28333. schema:
  28334. openAPIV3Schema:
  28335. description: |-
  28336. Fake generator is used for testing. It lets you define
  28337. a static set of credentials that is always returned.
  28338. properties:
  28339. apiVersion:
  28340. description: |-
  28341. APIVersion defines the versioned schema of this representation of an object.
  28342. Servers should convert recognized schemas to the latest internal value, and
  28343. may reject unrecognized values.
  28344. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28345. type: string
  28346. kind:
  28347. description: |-
  28348. Kind is a string value representing the REST resource this object represents.
  28349. Servers may infer this from the endpoint the client submits requests to.
  28350. Cannot be updated.
  28351. In CamelCase.
  28352. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28353. type: string
  28354. metadata:
  28355. type: object
  28356. spec:
  28357. description: FakeSpec contains the static data.
  28358. properties:
  28359. controller:
  28360. description: |-
  28361. Used to select the correct ESO controller (think: ingress.ingressClassName)
  28362. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  28363. type: string
  28364. data:
  28365. additionalProperties:
  28366. type: string
  28367. description: |-
  28368. Data defines the static data returned
  28369. by this generator.
  28370. type: object
  28371. type: object
  28372. type: object
  28373. served: true
  28374. storage: true
  28375. subresources:
  28376. status: {}
  28377. ---
  28378. apiVersion: apiextensions.k8s.io/v1
  28379. kind: CustomResourceDefinition
  28380. metadata:
  28381. annotations:
  28382. controller-gen.kubebuilder.io/version: v0.19.0
  28383. labels:
  28384. external-secrets.io/component: controller
  28385. name: gcraccesstokens.generators.external-secrets.io
  28386. spec:
  28387. group: generators.external-secrets.io
  28388. names:
  28389. categories:
  28390. - external-secrets
  28391. - external-secrets-generators
  28392. kind: GCRAccessToken
  28393. listKind: GCRAccessTokenList
  28394. plural: gcraccesstokens
  28395. singular: gcraccesstoken
  28396. scope: Namespaced
  28397. versions:
  28398. - name: v1alpha1
  28399. schema:
  28400. openAPIV3Schema:
  28401. description: |-
  28402. GCRAccessToken generates an GCP access token
  28403. that can be used to authenticate with GCR.
  28404. properties:
  28405. apiVersion:
  28406. description: |-
  28407. APIVersion defines the versioned schema of this representation of an object.
  28408. Servers should convert recognized schemas to the latest internal value, and
  28409. may reject unrecognized values.
  28410. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28411. type: string
  28412. kind:
  28413. description: |-
  28414. Kind is a string value representing the REST resource this object represents.
  28415. Servers may infer this from the endpoint the client submits requests to.
  28416. Cannot be updated.
  28417. In CamelCase.
  28418. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28419. type: string
  28420. metadata:
  28421. type: object
  28422. spec:
  28423. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  28424. properties:
  28425. auth:
  28426. description: Auth defines the means for authenticating with GCP
  28427. properties:
  28428. secretRef:
  28429. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  28430. properties:
  28431. secretAccessKeySecretRef:
  28432. description: The SecretAccessKey is used for authentication
  28433. properties:
  28434. key:
  28435. description: |-
  28436. A key in the referenced Secret.
  28437. Some instances of this field may be defaulted, in others it may be required.
  28438. maxLength: 253
  28439. minLength: 1
  28440. pattern: ^[-._a-zA-Z0-9]+$
  28441. type: string
  28442. name:
  28443. description: The name of the Secret resource being referred to.
  28444. maxLength: 253
  28445. minLength: 1
  28446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28447. type: string
  28448. namespace:
  28449. description: |-
  28450. The namespace of the Secret resource being referred to.
  28451. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28452. maxLength: 63
  28453. minLength: 1
  28454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28455. type: string
  28456. type: object
  28457. type: object
  28458. workloadIdentity:
  28459. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  28460. properties:
  28461. clusterLocation:
  28462. type: string
  28463. clusterName:
  28464. type: string
  28465. clusterProjectID:
  28466. type: string
  28467. serviceAccountRef:
  28468. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28469. properties:
  28470. audiences:
  28471. description: |-
  28472. Audience specifies the `aud` claim for the service account token
  28473. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28474. then this audiences will be appended to the list
  28475. items:
  28476. type: string
  28477. type: array
  28478. name:
  28479. description: The name of the ServiceAccount resource being referred to.
  28480. maxLength: 253
  28481. minLength: 1
  28482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28483. type: string
  28484. namespace:
  28485. description: |-
  28486. Namespace of the resource being referred to.
  28487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28488. maxLength: 63
  28489. minLength: 1
  28490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28491. type: string
  28492. required:
  28493. - name
  28494. type: object
  28495. required:
  28496. - clusterLocation
  28497. - clusterName
  28498. - serviceAccountRef
  28499. type: object
  28500. workloadIdentityFederation:
  28501. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  28502. properties:
  28503. audience:
  28504. description: |-
  28505. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  28506. If specified, Audience found in the external account credential config will be overridden with the configured value.
  28507. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  28508. type: string
  28509. awsSecurityCredentials:
  28510. description: |-
  28511. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  28512. when using the AWS metadata server is not an option.
  28513. properties:
  28514. awsCredentialsSecretRef:
  28515. description: |-
  28516. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  28517. Secret should be created with below names for keys
  28518. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  28519. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  28520. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  28521. properties:
  28522. name:
  28523. description: name of the secret.
  28524. maxLength: 253
  28525. minLength: 1
  28526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28527. type: string
  28528. namespace:
  28529. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  28530. maxLength: 63
  28531. minLength: 1
  28532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28533. type: string
  28534. required:
  28535. - name
  28536. type: object
  28537. region:
  28538. description: region is for configuring the AWS region to be used.
  28539. example: ap-south-1
  28540. maxLength: 50
  28541. minLength: 1
  28542. pattern: ^[a-z0-9-]+$
  28543. type: string
  28544. required:
  28545. - awsCredentialsSecretRef
  28546. - region
  28547. type: object
  28548. credConfig:
  28549. description: |-
  28550. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  28551. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  28552. serviceAccountRef must be used by providing operators service account details.
  28553. properties:
  28554. key:
  28555. description: key name holding the external account credential config.
  28556. maxLength: 253
  28557. minLength: 1
  28558. pattern: ^[-._a-zA-Z0-9]+$
  28559. type: string
  28560. name:
  28561. description: name of the configmap.
  28562. maxLength: 253
  28563. minLength: 1
  28564. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28565. type: string
  28566. namespace:
  28567. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  28568. maxLength: 63
  28569. minLength: 1
  28570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28571. type: string
  28572. required:
  28573. - key
  28574. - name
  28575. type: object
  28576. externalTokenEndpoint:
  28577. description: |-
  28578. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  28579. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  28580. URL is having the expected value.
  28581. type: string
  28582. gcpServiceAccountEmail:
  28583. description: |-
  28584. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  28585. after Workload Identity Federation. Use this to grant access through the service account's
  28586. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  28587. service_account_impersonation_url in the external account JSON from credConfig;
  28588. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  28589. on that ServiceAccount.
  28590. example: my-gsa@my-project.iam.gserviceaccount.com
  28591. minLength: 1
  28592. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  28593. type: string
  28594. serviceAccountRef:
  28595. description: |-
  28596. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  28597. when Kubernetes is configured as provider in workload identity pool.
  28598. properties:
  28599. audiences:
  28600. description: |-
  28601. Audience specifies the `aud` claim for the service account token
  28602. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28603. then this audiences will be appended to the list
  28604. items:
  28605. type: string
  28606. type: array
  28607. name:
  28608. description: The name of the ServiceAccount resource being referred to.
  28609. maxLength: 253
  28610. minLength: 1
  28611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28612. type: string
  28613. namespace:
  28614. description: |-
  28615. Namespace of the resource being referred to.
  28616. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28617. maxLength: 63
  28618. minLength: 1
  28619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28620. type: string
  28621. required:
  28622. - name
  28623. type: object
  28624. type: object
  28625. type: object
  28626. projectID:
  28627. description: ProjectID defines which project to use to authenticate with
  28628. type: string
  28629. required:
  28630. - auth
  28631. - projectID
  28632. type: object
  28633. type: object
  28634. served: true
  28635. storage: true
  28636. subresources:
  28637. status: {}
  28638. ---
  28639. apiVersion: apiextensions.k8s.io/v1
  28640. kind: CustomResourceDefinition
  28641. metadata:
  28642. annotations:
  28643. controller-gen.kubebuilder.io/version: v0.19.0
  28644. labels:
  28645. external-secrets.io/component: controller
  28646. name: generatorstates.generators.external-secrets.io
  28647. spec:
  28648. group: generators.external-secrets.io
  28649. names:
  28650. categories:
  28651. - external-secrets
  28652. - external-secrets-generators
  28653. kind: GeneratorState
  28654. listKind: GeneratorStateList
  28655. plural: generatorstates
  28656. shortNames:
  28657. - gs
  28658. singular: generatorstate
  28659. scope: Namespaced
  28660. versions:
  28661. - additionalPrinterColumns:
  28662. - jsonPath: .spec.garbageCollectionDeadline
  28663. name: GC Deadline
  28664. type: string
  28665. - jsonPath: .metadata.creationTimestamp
  28666. name: Age
  28667. type: date
  28668. name: v1alpha1
  28669. schema:
  28670. openAPIV3Schema:
  28671. description: GeneratorState represents the state created and managed by a generator resource.
  28672. properties:
  28673. apiVersion:
  28674. description: |-
  28675. APIVersion defines the versioned schema of this representation of an object.
  28676. Servers should convert recognized schemas to the latest internal value, and
  28677. may reject unrecognized values.
  28678. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28679. type: string
  28680. kind:
  28681. description: |-
  28682. Kind is a string value representing the REST resource this object represents.
  28683. Servers may infer this from the endpoint the client submits requests to.
  28684. Cannot be updated.
  28685. In CamelCase.
  28686. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28687. type: string
  28688. metadata:
  28689. type: object
  28690. spec:
  28691. description: GeneratorStateSpec defines the desired state of a generator state resource.
  28692. properties:
  28693. garbageCollectionDeadline:
  28694. description: |-
  28695. GarbageCollectionDeadline is the time after which the generator state
  28696. will be deleted.
  28697. It is set by the controller which creates the generator state and
  28698. can be set configured by the user.
  28699. If the garbage collection deadline is not set the generator state will not be deleted.
  28700. format: date-time
  28701. type: string
  28702. resource:
  28703. description: |-
  28704. Resource is the generator manifest that produced the state.
  28705. It is a snapshot of the generator manifest at the time the state was produced.
  28706. This manifest will be used to delete the resource. Any configuration that is referenced
  28707. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  28708. be blocked by a finalizer.
  28709. x-kubernetes-preserve-unknown-fields: true
  28710. state:
  28711. description: State is the state that was produced by the generator implementation.
  28712. x-kubernetes-preserve-unknown-fields: true
  28713. required:
  28714. - resource
  28715. - state
  28716. type: object
  28717. status:
  28718. description: GeneratorStateStatus defines the observed state of a generator state resource.
  28719. properties:
  28720. conditions:
  28721. items:
  28722. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  28723. properties:
  28724. lastTransitionTime:
  28725. format: date-time
  28726. type: string
  28727. message:
  28728. type: string
  28729. reason:
  28730. type: string
  28731. status:
  28732. type: string
  28733. type:
  28734. description: GeneratorStateConditionType represents the type of condition for a generator state.
  28735. type: string
  28736. required:
  28737. - status
  28738. - type
  28739. type: object
  28740. type: array
  28741. type: object
  28742. type: object
  28743. served: true
  28744. storage: true
  28745. subresources: {}
  28746. ---
  28747. apiVersion: apiextensions.k8s.io/v1
  28748. kind: CustomResourceDefinition
  28749. metadata:
  28750. annotations:
  28751. controller-gen.kubebuilder.io/version: v0.19.0
  28752. labels:
  28753. external-secrets.io/component: controller
  28754. name: githubaccesstokens.generators.external-secrets.io
  28755. spec:
  28756. group: generators.external-secrets.io
  28757. names:
  28758. categories:
  28759. - external-secrets
  28760. - external-secrets-generators
  28761. kind: GithubAccessToken
  28762. listKind: GithubAccessTokenList
  28763. plural: githubaccesstokens
  28764. singular: githubaccesstoken
  28765. scope: Namespaced
  28766. versions:
  28767. - name: v1alpha1
  28768. schema:
  28769. openAPIV3Schema:
  28770. description: GithubAccessToken generates ghs_ accessToken
  28771. properties:
  28772. apiVersion:
  28773. description: |-
  28774. APIVersion defines the versioned schema of this representation of an object.
  28775. Servers should convert recognized schemas to the latest internal value, and
  28776. may reject unrecognized values.
  28777. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28778. type: string
  28779. kind:
  28780. description: |-
  28781. Kind is a string value representing the REST resource this object represents.
  28782. Servers may infer this from the endpoint the client submits requests to.
  28783. Cannot be updated.
  28784. In CamelCase.
  28785. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28786. type: string
  28787. metadata:
  28788. type: object
  28789. spec:
  28790. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  28791. properties:
  28792. appID:
  28793. type: string
  28794. auth:
  28795. description: Auth configures how ESO authenticates with a Github instance.
  28796. properties:
  28797. privateKey:
  28798. description: GithubSecretRef references a secret containing GitHub credentials.
  28799. properties:
  28800. secretRef:
  28801. description: |-
  28802. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28803. In some instances, `key` is a required field.
  28804. properties:
  28805. key:
  28806. description: |-
  28807. A key in the referenced Secret.
  28808. Some instances of this field may be defaulted, in others it may be required.
  28809. maxLength: 253
  28810. minLength: 1
  28811. pattern: ^[-._a-zA-Z0-9]+$
  28812. type: string
  28813. name:
  28814. description: The name of the Secret resource being referred to.
  28815. maxLength: 253
  28816. minLength: 1
  28817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28818. type: string
  28819. namespace:
  28820. description: |-
  28821. The namespace of the Secret resource being referred to.
  28822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28823. maxLength: 63
  28824. minLength: 1
  28825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28826. type: string
  28827. type: object
  28828. required:
  28829. - secretRef
  28830. type: object
  28831. required:
  28832. - privateKey
  28833. type: object
  28834. installID:
  28835. type: string
  28836. permissions:
  28837. additionalProperties:
  28838. type: string
  28839. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  28840. type: object
  28841. repositories:
  28842. description: |-
  28843. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  28844. is installed to.
  28845. items:
  28846. type: string
  28847. type: array
  28848. url:
  28849. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  28850. type: string
  28851. required:
  28852. - appID
  28853. - auth
  28854. - installID
  28855. type: object
  28856. type: object
  28857. served: true
  28858. storage: true
  28859. subresources:
  28860. status: {}
  28861. ---
  28862. apiVersion: apiextensions.k8s.io/v1
  28863. kind: CustomResourceDefinition
  28864. metadata:
  28865. annotations:
  28866. controller-gen.kubebuilder.io/version: v0.19.0
  28867. labels:
  28868. external-secrets.io/component: controller
  28869. name: grafanas.generators.external-secrets.io
  28870. spec:
  28871. group: generators.external-secrets.io
  28872. names:
  28873. categories:
  28874. - external-secrets
  28875. - external-secrets-generators
  28876. kind: Grafana
  28877. listKind: GrafanaList
  28878. plural: grafanas
  28879. singular: grafana
  28880. scope: Namespaced
  28881. versions:
  28882. - name: v1alpha1
  28883. schema:
  28884. openAPIV3Schema:
  28885. description: Grafana represents a generator for Grafana service account tokens.
  28886. properties:
  28887. apiVersion:
  28888. description: |-
  28889. APIVersion defines the versioned schema of this representation of an object.
  28890. Servers should convert recognized schemas to the latest internal value, and
  28891. may reject unrecognized values.
  28892. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28893. type: string
  28894. kind:
  28895. description: |-
  28896. Kind is a string value representing the REST resource this object represents.
  28897. Servers may infer this from the endpoint the client submits requests to.
  28898. Cannot be updated.
  28899. In CamelCase.
  28900. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28901. type: string
  28902. metadata:
  28903. type: object
  28904. spec:
  28905. description: GrafanaSpec controls the behavior of the grafana generator.
  28906. properties:
  28907. auth:
  28908. description: |-
  28909. Auth is the authentication configuration to authenticate
  28910. against the Grafana instance.
  28911. properties:
  28912. basic:
  28913. description: |-
  28914. Basic auth credentials used to authenticate against the Grafana instance.
  28915. Note: you need a token which has elevated permissions to create service accounts.
  28916. See here for the documentation on basic roles offered by Grafana:
  28917. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28918. properties:
  28919. password:
  28920. description: A basic auth password used to authenticate against the Grafana instance.
  28921. properties:
  28922. key:
  28923. description: The key where the token is found.
  28924. maxLength: 253
  28925. minLength: 1
  28926. pattern: ^[-._a-zA-Z0-9]+$
  28927. type: string
  28928. name:
  28929. description: The name of the Secret resource being referred to.
  28930. maxLength: 253
  28931. minLength: 1
  28932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28933. type: string
  28934. type: object
  28935. username:
  28936. description: A basic auth username used to authenticate against the Grafana instance.
  28937. type: string
  28938. required:
  28939. - password
  28940. - username
  28941. type: object
  28942. token:
  28943. description: |-
  28944. A service account token used to authenticate against the Grafana instance.
  28945. Note: you need a token which has elevated permissions to create service accounts.
  28946. See here for the documentation on basic roles offered by Grafana:
  28947. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28948. properties:
  28949. key:
  28950. description: The key where the token is found.
  28951. maxLength: 253
  28952. minLength: 1
  28953. pattern: ^[-._a-zA-Z0-9]+$
  28954. type: string
  28955. name:
  28956. description: The name of the Secret resource being referred to.
  28957. maxLength: 253
  28958. minLength: 1
  28959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28960. type: string
  28961. type: object
  28962. type: object
  28963. serviceAccount:
  28964. description: |-
  28965. ServiceAccount is the configuration for the service account that
  28966. is supposed to be generated by the generator.
  28967. properties:
  28968. name:
  28969. description: Name is the name of the service account that will be created by ESO.
  28970. type: string
  28971. role:
  28972. description: |-
  28973. Role is the role of the service account.
  28974. See here for the documentation on basic roles offered by Grafana:
  28975. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28976. type: string
  28977. required:
  28978. - name
  28979. - role
  28980. type: object
  28981. url:
  28982. description: URL is the URL of the Grafana instance.
  28983. type: string
  28984. required:
  28985. - auth
  28986. - serviceAccount
  28987. - url
  28988. type: object
  28989. type: object
  28990. served: true
  28991. storage: true
  28992. subresources:
  28993. status: {}
  28994. ---
  28995. apiVersion: apiextensions.k8s.io/v1
  28996. kind: CustomResourceDefinition
  28997. metadata:
  28998. annotations:
  28999. controller-gen.kubebuilder.io/version: v0.19.0
  29000. labels:
  29001. external-secrets.io/component: controller
  29002. name: mfas.generators.external-secrets.io
  29003. spec:
  29004. group: generators.external-secrets.io
  29005. names:
  29006. categories:
  29007. - external-secrets
  29008. - external-secrets-generators
  29009. kind: MFA
  29010. listKind: MFAList
  29011. plural: mfas
  29012. singular: mfa
  29013. scope: Namespaced
  29014. versions:
  29015. - name: v1alpha1
  29016. schema:
  29017. openAPIV3Schema:
  29018. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29019. properties:
  29020. apiVersion:
  29021. description: |-
  29022. APIVersion defines the versioned schema of this representation of an object.
  29023. Servers should convert recognized schemas to the latest internal value, and
  29024. may reject unrecognized values.
  29025. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29026. type: string
  29027. kind:
  29028. description: |-
  29029. Kind is a string value representing the REST resource this object represents.
  29030. Servers may infer this from the endpoint the client submits requests to.
  29031. Cannot be updated.
  29032. In CamelCase.
  29033. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29034. type: string
  29035. metadata:
  29036. type: object
  29037. spec:
  29038. description: MFASpec controls the behavior of the mfa generator.
  29039. properties:
  29040. algorithm:
  29041. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  29042. type: string
  29043. length:
  29044. description: Length defines the token length. Defaults to 6 characters.
  29045. type: integer
  29046. secret:
  29047. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  29048. properties:
  29049. key:
  29050. description: |-
  29051. A key in the referenced Secret.
  29052. Some instances of this field may be defaulted, in others it may be required.
  29053. maxLength: 253
  29054. minLength: 1
  29055. pattern: ^[-._a-zA-Z0-9]+$
  29056. type: string
  29057. name:
  29058. description: The name of the Secret resource being referred to.
  29059. maxLength: 253
  29060. minLength: 1
  29061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29062. type: string
  29063. namespace:
  29064. description: |-
  29065. The namespace of the Secret resource being referred to.
  29066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29067. maxLength: 63
  29068. minLength: 1
  29069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29070. type: string
  29071. type: object
  29072. timePeriod:
  29073. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  29074. type: integer
  29075. when:
  29076. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  29077. format: date-time
  29078. type: string
  29079. required:
  29080. - secret
  29081. type: object
  29082. type: object
  29083. served: true
  29084. storage: true
  29085. subresources:
  29086. status: {}
  29087. ---
  29088. apiVersion: apiextensions.k8s.io/v1
  29089. kind: CustomResourceDefinition
  29090. metadata:
  29091. annotations:
  29092. controller-gen.kubebuilder.io/version: v0.19.0
  29093. labels:
  29094. external-secrets.io/component: controller
  29095. name: passwords.generators.external-secrets.io
  29096. spec:
  29097. group: generators.external-secrets.io
  29098. names:
  29099. categories:
  29100. - external-secrets
  29101. - external-secrets-generators
  29102. kind: Password
  29103. listKind: PasswordList
  29104. plural: passwords
  29105. singular: password
  29106. scope: Namespaced
  29107. versions:
  29108. - name: v1alpha1
  29109. schema:
  29110. openAPIV3Schema:
  29111. description: |-
  29112. Password generates a random password based on the
  29113. configuration parameters in spec.
  29114. You can specify the length, characterset and other attributes.
  29115. properties:
  29116. apiVersion:
  29117. description: |-
  29118. APIVersion defines the versioned schema of this representation of an object.
  29119. Servers should convert recognized schemas to the latest internal value, and
  29120. may reject unrecognized values.
  29121. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29122. type: string
  29123. kind:
  29124. description: |-
  29125. Kind is a string value representing the REST resource this object represents.
  29126. Servers may infer this from the endpoint the client submits requests to.
  29127. Cannot be updated.
  29128. In CamelCase.
  29129. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29130. type: string
  29131. metadata:
  29132. type: object
  29133. spec:
  29134. description: PasswordSpec controls the behavior of the password generator.
  29135. properties:
  29136. allowRepeat:
  29137. default: false
  29138. description: set AllowRepeat to true to allow repeating characters.
  29139. type: boolean
  29140. digits:
  29141. description: |-
  29142. Digits specifies the number of digits in the generated
  29143. password. If omitted it defaults to 25% of the length of the password
  29144. type: integer
  29145. encoding:
  29146. default: raw
  29147. description: |-
  29148. Encoding specifies the encoding of the generated password.
  29149. Valid values are:
  29150. - "raw" (default): no encoding
  29151. - "base64": standard base64 encoding
  29152. - "base64url": base64url encoding
  29153. - "base32": base32 encoding
  29154. - "hex": hexadecimal encoding
  29155. enum:
  29156. - base64
  29157. - base64url
  29158. - base32
  29159. - hex
  29160. - raw
  29161. type: string
  29162. length:
  29163. default: 24
  29164. description: |-
  29165. Length of the password to be generated.
  29166. Defaults to 24
  29167. type: integer
  29168. noUpper:
  29169. default: false
  29170. description: Set NoUpper to disable uppercase characters
  29171. type: boolean
  29172. secretKeys:
  29173. description: |-
  29174. SecretKeys defines the keys that will be populated with generated passwords.
  29175. Defaults to "password" when not set.
  29176. items:
  29177. type: string
  29178. minItems: 1
  29179. type: array
  29180. symbolCharacters:
  29181. description: |-
  29182. SymbolCharacters specifies the special characters that should be used
  29183. in the generated password.
  29184. type: string
  29185. symbols:
  29186. description: |-
  29187. Symbols specifies the number of symbol characters in the generated
  29188. password. If omitted it defaults to 25% of the length of the password
  29189. type: integer
  29190. required:
  29191. - allowRepeat
  29192. - length
  29193. - noUpper
  29194. type: object
  29195. type: object
  29196. served: true
  29197. storage: true
  29198. subresources:
  29199. status: {}
  29200. ---
  29201. apiVersion: apiextensions.k8s.io/v1
  29202. kind: CustomResourceDefinition
  29203. metadata:
  29204. annotations:
  29205. controller-gen.kubebuilder.io/version: v0.19.0
  29206. labels:
  29207. external-secrets.io/component: controller
  29208. name: quayaccesstokens.generators.external-secrets.io
  29209. spec:
  29210. group: generators.external-secrets.io
  29211. names:
  29212. categories:
  29213. - external-secrets
  29214. - external-secrets-generators
  29215. kind: QuayAccessToken
  29216. listKind: QuayAccessTokenList
  29217. plural: quayaccesstokens
  29218. singular: quayaccesstoken
  29219. scope: Namespaced
  29220. versions:
  29221. - name: v1alpha1
  29222. schema:
  29223. openAPIV3Schema:
  29224. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  29225. properties:
  29226. apiVersion:
  29227. description: |-
  29228. APIVersion defines the versioned schema of this representation of an object.
  29229. Servers should convert recognized schemas to the latest internal value, and
  29230. may reject unrecognized values.
  29231. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29232. type: string
  29233. kind:
  29234. description: |-
  29235. Kind is a string value representing the REST resource this object represents.
  29236. Servers may infer this from the endpoint the client submits requests to.
  29237. Cannot be updated.
  29238. In CamelCase.
  29239. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29240. type: string
  29241. metadata:
  29242. type: object
  29243. spec:
  29244. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  29245. properties:
  29246. robotAccount:
  29247. description: Name of the robot account you are federating with
  29248. type: string
  29249. serviceAccountRef:
  29250. description: Name of the service account you are federating with
  29251. properties:
  29252. audiences:
  29253. description: |-
  29254. Audience specifies the `aud` claim for the service account token
  29255. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29256. then this audiences will be appended to the list
  29257. items:
  29258. type: string
  29259. type: array
  29260. name:
  29261. description: The name of the ServiceAccount resource being referred to.
  29262. maxLength: 253
  29263. minLength: 1
  29264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29265. type: string
  29266. namespace:
  29267. description: |-
  29268. Namespace of the resource being referred to.
  29269. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29270. maxLength: 63
  29271. minLength: 1
  29272. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29273. type: string
  29274. required:
  29275. - name
  29276. type: object
  29277. url:
  29278. description: URL configures the Quay instance URL. Defaults to quay.io.
  29279. type: string
  29280. required:
  29281. - robotAccount
  29282. - serviceAccountRef
  29283. type: object
  29284. type: object
  29285. served: true
  29286. storage: true
  29287. subresources:
  29288. status: {}
  29289. ---
  29290. apiVersion: apiextensions.k8s.io/v1
  29291. kind: CustomResourceDefinition
  29292. metadata:
  29293. annotations:
  29294. controller-gen.kubebuilder.io/version: v0.19.0
  29295. labels:
  29296. external-secrets.io/component: controller
  29297. name: sshkeys.generators.external-secrets.io
  29298. spec:
  29299. group: generators.external-secrets.io
  29300. names:
  29301. categories:
  29302. - external-secrets
  29303. - external-secrets-generators
  29304. kind: SSHKey
  29305. listKind: SSHKeyList
  29306. plural: sshkeys
  29307. singular: sshkey
  29308. scope: Namespaced
  29309. versions:
  29310. - name: v1alpha1
  29311. schema:
  29312. openAPIV3Schema:
  29313. description: SSHKey generates SSH key pairs.
  29314. properties:
  29315. apiVersion:
  29316. description: |-
  29317. APIVersion defines the versioned schema of this representation of an object.
  29318. Servers should convert recognized schemas to the latest internal value, and
  29319. may reject unrecognized values.
  29320. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29321. type: string
  29322. kind:
  29323. description: |-
  29324. Kind is a string value representing the REST resource this object represents.
  29325. Servers may infer this from the endpoint the client submits requests to.
  29326. Cannot be updated.
  29327. In CamelCase.
  29328. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29329. type: string
  29330. metadata:
  29331. type: object
  29332. spec:
  29333. description: SSHKeySpec controls the behavior of the ssh key generator.
  29334. properties:
  29335. comment:
  29336. description: Comment specifies an optional comment for the SSH key
  29337. type: string
  29338. keySize:
  29339. description: |-
  29340. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  29341. For RSA keys: 2048, 3072, 4096
  29342. For ECDSA keys: 256, 384, 521
  29343. Ignored for ed25519 keys
  29344. maximum: 8192
  29345. minimum: 256
  29346. type: integer
  29347. keyType:
  29348. default: rsa
  29349. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  29350. enum:
  29351. - rsa
  29352. - ecdsa
  29353. - ed25519
  29354. type: string
  29355. type: object
  29356. type: object
  29357. served: true
  29358. storage: true
  29359. subresources:
  29360. status: {}
  29361. ---
  29362. apiVersion: apiextensions.k8s.io/v1
  29363. kind: CustomResourceDefinition
  29364. metadata:
  29365. annotations:
  29366. controller-gen.kubebuilder.io/version: v0.19.0
  29367. labels:
  29368. external-secrets.io/component: controller
  29369. name: stssessiontokens.generators.external-secrets.io
  29370. spec:
  29371. group: generators.external-secrets.io
  29372. names:
  29373. categories:
  29374. - external-secrets
  29375. - external-secrets-generators
  29376. kind: STSSessionToken
  29377. listKind: STSSessionTokenList
  29378. plural: stssessiontokens
  29379. singular: stssessiontoken
  29380. scope: Namespaced
  29381. versions:
  29382. - name: v1alpha1
  29383. schema:
  29384. openAPIV3Schema:
  29385. description: |-
  29386. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  29387. The authorization token is valid for 12 hours.
  29388. The authorizationToken returned is a base64 encoded string that can be decoded.
  29389. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  29390. properties:
  29391. apiVersion:
  29392. description: |-
  29393. APIVersion defines the versioned schema of this representation of an object.
  29394. Servers should convert recognized schemas to the latest internal value, and
  29395. may reject unrecognized values.
  29396. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29397. type: string
  29398. kind:
  29399. description: |-
  29400. Kind is a string value representing the REST resource this object represents.
  29401. Servers may infer this from the endpoint the client submits requests to.
  29402. Cannot be updated.
  29403. In CamelCase.
  29404. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29405. type: string
  29406. metadata:
  29407. type: object
  29408. spec:
  29409. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  29410. properties:
  29411. auth:
  29412. description: Auth defines how to authenticate with AWS
  29413. properties:
  29414. jwt:
  29415. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  29416. properties:
  29417. serviceAccountRef:
  29418. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29419. properties:
  29420. audiences:
  29421. description: |-
  29422. Audience specifies the `aud` claim for the service account token
  29423. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29424. then this audiences will be appended to the list
  29425. items:
  29426. type: string
  29427. type: array
  29428. name:
  29429. description: The name of the ServiceAccount resource being referred to.
  29430. maxLength: 253
  29431. minLength: 1
  29432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29433. type: string
  29434. namespace:
  29435. description: |-
  29436. Namespace of the resource being referred to.
  29437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29438. maxLength: 63
  29439. minLength: 1
  29440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29441. type: string
  29442. required:
  29443. - name
  29444. type: object
  29445. type: object
  29446. secretRef:
  29447. description: |-
  29448. AWSAuthSecretRef holds secret references for AWS credentials
  29449. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  29450. properties:
  29451. accessKeyIDSecretRef:
  29452. description: The AccessKeyID is used for authentication
  29453. properties:
  29454. key:
  29455. description: |-
  29456. A key in the referenced Secret.
  29457. Some instances of this field may be defaulted, in others it may be required.
  29458. maxLength: 253
  29459. minLength: 1
  29460. pattern: ^[-._a-zA-Z0-9]+$
  29461. type: string
  29462. name:
  29463. description: The name of the Secret resource being referred to.
  29464. maxLength: 253
  29465. minLength: 1
  29466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29467. type: string
  29468. namespace:
  29469. description: |-
  29470. The namespace of the Secret resource being referred to.
  29471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29472. maxLength: 63
  29473. minLength: 1
  29474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29475. type: string
  29476. type: object
  29477. secretAccessKeySecretRef:
  29478. description: The SecretAccessKey is used for authentication
  29479. properties:
  29480. key:
  29481. description: |-
  29482. A key in the referenced Secret.
  29483. Some instances of this field may be defaulted, in others it may be required.
  29484. maxLength: 253
  29485. minLength: 1
  29486. pattern: ^[-._a-zA-Z0-9]+$
  29487. type: string
  29488. name:
  29489. description: The name of the Secret resource being referred to.
  29490. maxLength: 253
  29491. minLength: 1
  29492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29493. type: string
  29494. namespace:
  29495. description: |-
  29496. The namespace of the Secret resource being referred to.
  29497. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29498. maxLength: 63
  29499. minLength: 1
  29500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29501. type: string
  29502. type: object
  29503. sessionTokenSecretRef:
  29504. description: |-
  29505. The SessionToken used for authentication
  29506. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  29507. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  29508. properties:
  29509. key:
  29510. description: |-
  29511. A key in the referenced Secret.
  29512. Some instances of this field may be defaulted, in others it may be required.
  29513. maxLength: 253
  29514. minLength: 1
  29515. pattern: ^[-._a-zA-Z0-9]+$
  29516. type: string
  29517. name:
  29518. description: The name of the Secret resource being referred to.
  29519. maxLength: 253
  29520. minLength: 1
  29521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29522. type: string
  29523. namespace:
  29524. description: |-
  29525. The namespace of the Secret resource being referred to.
  29526. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29527. maxLength: 63
  29528. minLength: 1
  29529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29530. type: string
  29531. type: object
  29532. type: object
  29533. type: object
  29534. region:
  29535. description: Region specifies the region to operate in.
  29536. type: string
  29537. requestParameters:
  29538. description: RequestParameters contains parameters that can be passed to the STS service.
  29539. properties:
  29540. serialNumber:
  29541. description: |-
  29542. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  29543. the GetSessionToken call.
  29544. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  29545. (such as arn:aws:iam::123456789012:mfa/user)
  29546. type: string
  29547. sessionDuration:
  29548. format: int32
  29549. type: integer
  29550. tokenCode:
  29551. description: TokenCode is the value provided by the MFA device, if MFA is required.
  29552. type: string
  29553. type: object
  29554. role:
  29555. description: |-
  29556. You can assume a role before making calls to the
  29557. desired AWS service.
  29558. type: string
  29559. required:
  29560. - region
  29561. type: object
  29562. type: object
  29563. served: true
  29564. storage: true
  29565. subresources:
  29566. status: {}
  29567. ---
  29568. apiVersion: apiextensions.k8s.io/v1
  29569. kind: CustomResourceDefinition
  29570. metadata:
  29571. annotations:
  29572. controller-gen.kubebuilder.io/version: v0.19.0
  29573. labels:
  29574. external-secrets.io/component: controller
  29575. name: uuids.generators.external-secrets.io
  29576. spec:
  29577. group: generators.external-secrets.io
  29578. names:
  29579. categories:
  29580. - external-secrets
  29581. - external-secrets-generators
  29582. kind: UUID
  29583. listKind: UUIDList
  29584. plural: uuids
  29585. singular: uuid
  29586. scope: Namespaced
  29587. versions:
  29588. - name: v1alpha1
  29589. schema:
  29590. openAPIV3Schema:
  29591. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  29592. properties:
  29593. apiVersion:
  29594. description: |-
  29595. APIVersion defines the versioned schema of this representation of an object.
  29596. Servers should convert recognized schemas to the latest internal value, and
  29597. may reject unrecognized values.
  29598. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29599. type: string
  29600. kind:
  29601. description: |-
  29602. Kind is a string value representing the REST resource this object represents.
  29603. Servers may infer this from the endpoint the client submits requests to.
  29604. Cannot be updated.
  29605. In CamelCase.
  29606. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29607. type: string
  29608. metadata:
  29609. type: object
  29610. spec:
  29611. description: UUIDSpec controls the behavior of the uuid generator.
  29612. type: object
  29613. type: object
  29614. served: true
  29615. storage: true
  29616. subresources:
  29617. status: {}
  29618. ---
  29619. apiVersion: apiextensions.k8s.io/v1
  29620. kind: CustomResourceDefinition
  29621. metadata:
  29622. annotations:
  29623. controller-gen.kubebuilder.io/version: v0.19.0
  29624. labels:
  29625. external-secrets.io/component: controller
  29626. name: vaultdynamicsecrets.generators.external-secrets.io
  29627. spec:
  29628. group: generators.external-secrets.io
  29629. names:
  29630. categories:
  29631. - external-secrets
  29632. - external-secrets-generators
  29633. kind: VaultDynamicSecret
  29634. listKind: VaultDynamicSecretList
  29635. plural: vaultdynamicsecrets
  29636. singular: vaultdynamicsecret
  29637. scope: Namespaced
  29638. versions:
  29639. - name: v1alpha1
  29640. schema:
  29641. openAPIV3Schema:
  29642. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  29643. properties:
  29644. apiVersion:
  29645. description: |-
  29646. APIVersion defines the versioned schema of this representation of an object.
  29647. Servers should convert recognized schemas to the latest internal value, and
  29648. may reject unrecognized values.
  29649. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29650. type: string
  29651. kind:
  29652. description: |-
  29653. Kind is a string value representing the REST resource this object represents.
  29654. Servers may infer this from the endpoint the client submits requests to.
  29655. Cannot be updated.
  29656. In CamelCase.
  29657. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29658. type: string
  29659. metadata:
  29660. type: object
  29661. spec:
  29662. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  29663. properties:
  29664. allowEmptyResponse:
  29665. default: false
  29666. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  29667. type: boolean
  29668. controller:
  29669. description: |-
  29670. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29671. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29672. type: string
  29673. getParameters:
  29674. additionalProperties:
  29675. items:
  29676. type: string
  29677. type: array
  29678. description: |-
  29679. GetParameters are query-string parameters passed to Vault on GET calls.
  29680. Each key may map to multiple values, matching HTTP query-string semantics.
  29681. Ignored for non-GET methods; use Parameters for write bodies.
  29682. type: object
  29683. method:
  29684. description: Vault API method to use (GET/POST/other)
  29685. type: string
  29686. parameters:
  29687. description: Parameters to pass to Vault write (for non-GET methods)
  29688. x-kubernetes-preserve-unknown-fields: true
  29689. path:
  29690. description: Vault path to obtain the dynamic secret from
  29691. type: string
  29692. provider:
  29693. description: Vault provider common spec
  29694. properties:
  29695. auth:
  29696. description: Auth configures how secret-manager authenticates with the Vault server.
  29697. properties:
  29698. appRole:
  29699. description: |-
  29700. AppRole authenticates with Vault using the App Role auth mechanism,
  29701. with the role and secret stored in a Kubernetes Secret resource.
  29702. properties:
  29703. path:
  29704. default: approle
  29705. description: |-
  29706. Path where the App Role authentication backend is mounted
  29707. in Vault, e.g: "approle"
  29708. type: string
  29709. roleId:
  29710. description: |-
  29711. RoleID configured in the App Role authentication backend when setting
  29712. up the authentication backend in Vault.
  29713. type: string
  29714. roleRef:
  29715. description: |-
  29716. Reference to a key in a Secret that contains the App Role ID used
  29717. to authenticate with Vault.
  29718. The `key` field must be specified and denotes which entry within the Secret
  29719. resource is used as the app role id.
  29720. properties:
  29721. key:
  29722. description: |-
  29723. A key in the referenced Secret.
  29724. Some instances of this field may be defaulted, in others it may be required.
  29725. maxLength: 253
  29726. minLength: 1
  29727. pattern: ^[-._a-zA-Z0-9]+$
  29728. type: string
  29729. name:
  29730. description: The name of the Secret resource being referred to.
  29731. maxLength: 253
  29732. minLength: 1
  29733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29734. type: string
  29735. namespace:
  29736. description: |-
  29737. The namespace of the Secret resource being referred to.
  29738. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29739. maxLength: 63
  29740. minLength: 1
  29741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29742. type: string
  29743. type: object
  29744. secretRef:
  29745. description: |-
  29746. Reference to a key in a Secret that contains the App Role secret used
  29747. to authenticate with Vault.
  29748. The `key` field must be specified and denotes which entry within the Secret
  29749. resource is used as the app role secret.
  29750. properties:
  29751. key:
  29752. description: |-
  29753. A key in the referenced Secret.
  29754. Some instances of this field may be defaulted, in others it may be required.
  29755. maxLength: 253
  29756. minLength: 1
  29757. pattern: ^[-._a-zA-Z0-9]+$
  29758. type: string
  29759. name:
  29760. description: The name of the Secret resource being referred to.
  29761. maxLength: 253
  29762. minLength: 1
  29763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29764. type: string
  29765. namespace:
  29766. description: |-
  29767. The namespace of the Secret resource being referred to.
  29768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29769. maxLength: 63
  29770. minLength: 1
  29771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29772. type: string
  29773. type: object
  29774. required:
  29775. - path
  29776. - secretRef
  29777. type: object
  29778. cert:
  29779. description: |-
  29780. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  29781. Cert authentication method
  29782. properties:
  29783. clientCert:
  29784. description: |-
  29785. ClientCert is a certificate to authenticate using the Cert Vault
  29786. authentication method
  29787. properties:
  29788. key:
  29789. description: |-
  29790. A key in the referenced Secret.
  29791. Some instances of this field may be defaulted, in others it may be required.
  29792. maxLength: 253
  29793. minLength: 1
  29794. pattern: ^[-._a-zA-Z0-9]+$
  29795. type: string
  29796. name:
  29797. description: The name of the Secret resource being referred to.
  29798. maxLength: 253
  29799. minLength: 1
  29800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29801. type: string
  29802. namespace:
  29803. description: |-
  29804. The namespace of the Secret resource being referred to.
  29805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29806. maxLength: 63
  29807. minLength: 1
  29808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29809. type: string
  29810. type: object
  29811. path:
  29812. default: cert
  29813. description: |-
  29814. Path where the Certificate authentication backend is mounted
  29815. in Vault, e.g: "cert"
  29816. type: string
  29817. secretRef:
  29818. description: |-
  29819. SecretRef to a key in a Secret resource containing client private key to
  29820. authenticate with Vault using the Cert authentication method
  29821. properties:
  29822. key:
  29823. description: |-
  29824. A key in the referenced Secret.
  29825. Some instances of this field may be defaulted, in others it may be required.
  29826. maxLength: 253
  29827. minLength: 1
  29828. pattern: ^[-._a-zA-Z0-9]+$
  29829. type: string
  29830. name:
  29831. description: The name of the Secret resource being referred to.
  29832. maxLength: 253
  29833. minLength: 1
  29834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29835. type: string
  29836. namespace:
  29837. description: |-
  29838. The namespace of the Secret resource being referred to.
  29839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29840. maxLength: 63
  29841. minLength: 1
  29842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29843. type: string
  29844. type: object
  29845. vaultRole:
  29846. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  29847. type: string
  29848. type: object
  29849. gcp:
  29850. description: |-
  29851. Gcp authenticates with Vault using Google Cloud Platform authentication method
  29852. GCP authentication method
  29853. properties:
  29854. location:
  29855. description: Location optionally defines a location/region for the secret
  29856. type: string
  29857. path:
  29858. default: gcp
  29859. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  29860. type: string
  29861. projectID:
  29862. description: Project ID of the Google Cloud Platform project
  29863. type: string
  29864. role:
  29865. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  29866. type: string
  29867. secretRef:
  29868. description: Specify credentials in a Secret object
  29869. properties:
  29870. secretAccessKeySecretRef:
  29871. description: The SecretAccessKey is used for authentication
  29872. properties:
  29873. key:
  29874. description: |-
  29875. A key in the referenced Secret.
  29876. Some instances of this field may be defaulted, in others it may be required.
  29877. maxLength: 253
  29878. minLength: 1
  29879. pattern: ^[-._a-zA-Z0-9]+$
  29880. type: string
  29881. name:
  29882. description: The name of the Secret resource being referred to.
  29883. maxLength: 253
  29884. minLength: 1
  29885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29886. type: string
  29887. namespace:
  29888. description: |-
  29889. The namespace of the Secret resource being referred to.
  29890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29891. maxLength: 63
  29892. minLength: 1
  29893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29894. type: string
  29895. type: object
  29896. type: object
  29897. serviceAccountRef:
  29898. description: ServiceAccountRef to a service account for impersonation
  29899. properties:
  29900. audiences:
  29901. description: |-
  29902. Audience specifies the `aud` claim for the service account token
  29903. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29904. then this audiences will be appended to the list
  29905. items:
  29906. type: string
  29907. type: array
  29908. name:
  29909. description: The name of the ServiceAccount resource being referred to.
  29910. maxLength: 253
  29911. minLength: 1
  29912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29913. type: string
  29914. namespace:
  29915. description: |-
  29916. Namespace of the resource being referred to.
  29917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29918. maxLength: 63
  29919. minLength: 1
  29920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29921. type: string
  29922. required:
  29923. - name
  29924. type: object
  29925. workloadIdentity:
  29926. description: Specify a service account with Workload Identity
  29927. properties:
  29928. clusterLocation:
  29929. description: |-
  29930. ClusterLocation is the location of the cluster
  29931. If not specified, it fetches information from the metadata server
  29932. type: string
  29933. clusterName:
  29934. description: |-
  29935. ClusterName is the name of the cluster
  29936. If not specified, it fetches information from the metadata server
  29937. type: string
  29938. clusterProjectID:
  29939. description: |-
  29940. ClusterProjectID is the project ID of the cluster
  29941. If not specified, it fetches information from the metadata server
  29942. type: string
  29943. serviceAccountRef:
  29944. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29945. properties:
  29946. audiences:
  29947. description: |-
  29948. Audience specifies the `aud` claim for the service account token
  29949. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29950. then this audiences will be appended to the list
  29951. items:
  29952. type: string
  29953. type: array
  29954. name:
  29955. description: The name of the ServiceAccount resource being referred to.
  29956. maxLength: 253
  29957. minLength: 1
  29958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29959. type: string
  29960. namespace:
  29961. description: |-
  29962. Namespace of the resource being referred to.
  29963. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29964. maxLength: 63
  29965. minLength: 1
  29966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29967. type: string
  29968. required:
  29969. - name
  29970. type: object
  29971. required:
  29972. - serviceAccountRef
  29973. type: object
  29974. required:
  29975. - role
  29976. type: object
  29977. iam:
  29978. description: |-
  29979. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  29980. AWS IAM authentication method
  29981. properties:
  29982. externalID:
  29983. description: AWS External ID set on assumed IAM roles
  29984. type: string
  29985. jwt:
  29986. description: Specify a service account with IRSA enabled
  29987. properties:
  29988. serviceAccountRef:
  29989. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29990. properties:
  29991. audiences:
  29992. description: |-
  29993. Audience specifies the `aud` claim for the service account token
  29994. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29995. then this audiences will be appended to the list
  29996. items:
  29997. type: string
  29998. type: array
  29999. name:
  30000. description: The name of the ServiceAccount resource being referred to.
  30001. maxLength: 253
  30002. minLength: 1
  30003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30004. type: string
  30005. namespace:
  30006. description: |-
  30007. Namespace of the resource being referred to.
  30008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30009. maxLength: 63
  30010. minLength: 1
  30011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30012. type: string
  30013. required:
  30014. - name
  30015. type: object
  30016. type: object
  30017. path:
  30018. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30019. type: string
  30020. region:
  30021. description: AWS region
  30022. type: string
  30023. role:
  30024. description: This is the AWS role to be assumed before talking to vault
  30025. type: string
  30026. secretRef:
  30027. description: Specify credentials in a Secret object
  30028. properties:
  30029. accessKeyIDSecretRef:
  30030. description: The AccessKeyID is used for authentication
  30031. properties:
  30032. key:
  30033. description: |-
  30034. A key in the referenced Secret.
  30035. Some instances of this field may be defaulted, in others it may be required.
  30036. maxLength: 253
  30037. minLength: 1
  30038. pattern: ^[-._a-zA-Z0-9]+$
  30039. type: string
  30040. name:
  30041. description: The name of the Secret resource being referred to.
  30042. maxLength: 253
  30043. minLength: 1
  30044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30045. type: string
  30046. namespace:
  30047. description: |-
  30048. The namespace of the Secret resource being referred to.
  30049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30050. maxLength: 63
  30051. minLength: 1
  30052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30053. type: string
  30054. type: object
  30055. secretAccessKeySecretRef:
  30056. description: The SecretAccessKey is used for authentication
  30057. properties:
  30058. key:
  30059. description: |-
  30060. A key in the referenced Secret.
  30061. Some instances of this field may be defaulted, in others it may be required.
  30062. maxLength: 253
  30063. minLength: 1
  30064. pattern: ^[-._a-zA-Z0-9]+$
  30065. type: string
  30066. name:
  30067. description: The name of the Secret resource being referred to.
  30068. maxLength: 253
  30069. minLength: 1
  30070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30071. type: string
  30072. namespace:
  30073. description: |-
  30074. The namespace of the Secret resource being referred to.
  30075. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30076. maxLength: 63
  30077. minLength: 1
  30078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30079. type: string
  30080. type: object
  30081. sessionTokenSecretRef:
  30082. description: |-
  30083. The SessionToken used for authentication
  30084. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30085. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30086. properties:
  30087. key:
  30088. description: |-
  30089. A key in the referenced Secret.
  30090. Some instances of this field may be defaulted, in others it may be required.
  30091. maxLength: 253
  30092. minLength: 1
  30093. pattern: ^[-._a-zA-Z0-9]+$
  30094. type: string
  30095. name:
  30096. description: The name of the Secret resource being referred to.
  30097. maxLength: 253
  30098. minLength: 1
  30099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30100. type: string
  30101. namespace:
  30102. description: |-
  30103. The namespace of the Secret resource being referred to.
  30104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30105. maxLength: 63
  30106. minLength: 1
  30107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30108. type: string
  30109. type: object
  30110. type: object
  30111. vaultAwsIamServerID:
  30112. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30113. type: string
  30114. vaultRole:
  30115. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  30116. type: string
  30117. required:
  30118. - vaultRole
  30119. type: object
  30120. jwt:
  30121. description: |-
  30122. Jwt authenticates with Vault by passing role and JWT token using the
  30123. JWT/OIDC authentication method
  30124. properties:
  30125. kubernetesServiceAccountToken:
  30126. description: |-
  30127. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30128. a token for with the `TokenRequest` API.
  30129. properties:
  30130. audiences:
  30131. description: |-
  30132. Optional audiences field that will be used to request a temporary Kubernetes service
  30133. account token for the service account referenced by `serviceAccountRef`.
  30134. Defaults to a single audience `vault` it not specified.
  30135. Deprecated: use serviceAccountRef.Audiences instead
  30136. items:
  30137. type: string
  30138. type: array
  30139. expirationSeconds:
  30140. description: |-
  30141. Optional expiration time in seconds that will be used to request a temporary
  30142. Kubernetes service account token for the service account referenced by
  30143. `serviceAccountRef`.
  30144. Deprecated: this will be removed in the future.
  30145. Defaults to 10 minutes.
  30146. format: int64
  30147. type: integer
  30148. serviceAccountRef:
  30149. description: Service account field containing the name of a kubernetes ServiceAccount.
  30150. properties:
  30151. audiences:
  30152. description: |-
  30153. Audience specifies the `aud` claim for the service account token
  30154. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30155. then this audiences will be appended to the list
  30156. items:
  30157. type: string
  30158. type: array
  30159. name:
  30160. description: The name of the ServiceAccount resource being referred to.
  30161. maxLength: 253
  30162. minLength: 1
  30163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30164. type: string
  30165. namespace:
  30166. description: |-
  30167. Namespace of the resource being referred to.
  30168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30169. maxLength: 63
  30170. minLength: 1
  30171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30172. type: string
  30173. required:
  30174. - name
  30175. type: object
  30176. required:
  30177. - serviceAccountRef
  30178. type: object
  30179. path:
  30180. default: jwt
  30181. description: |-
  30182. Path where the JWT authentication backend is mounted
  30183. in Vault, e.g: "jwt"
  30184. type: string
  30185. role:
  30186. description: |-
  30187. Role is a JWT role to authenticate using the JWT/OIDC Vault
  30188. authentication method
  30189. type: string
  30190. secretRef:
  30191. description: |-
  30192. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  30193. authenticate with Vault using the JWT/OIDC authentication method.
  30194. properties:
  30195. key:
  30196. description: |-
  30197. A key in the referenced Secret.
  30198. Some instances of this field may be defaulted, in others it may be required.
  30199. maxLength: 253
  30200. minLength: 1
  30201. pattern: ^[-._a-zA-Z0-9]+$
  30202. type: string
  30203. name:
  30204. description: The name of the Secret resource being referred to.
  30205. maxLength: 253
  30206. minLength: 1
  30207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30208. type: string
  30209. namespace:
  30210. description: |-
  30211. The namespace of the Secret resource being referred to.
  30212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30213. maxLength: 63
  30214. minLength: 1
  30215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30216. type: string
  30217. type: object
  30218. required:
  30219. - path
  30220. type: object
  30221. kubernetes:
  30222. description: |-
  30223. Kubernetes authenticates with Vault by passing the ServiceAccount
  30224. token stored in the named Secret resource to the Vault server.
  30225. properties:
  30226. mountPath:
  30227. default: kubernetes
  30228. description: |-
  30229. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  30230. "kubernetes"
  30231. type: string
  30232. role:
  30233. description: |-
  30234. A required field containing the Vault Role to assume. A Role binds a
  30235. Kubernetes ServiceAccount with a set of Vault policies.
  30236. type: string
  30237. secretRef:
  30238. description: |-
  30239. Optional secret field containing a Kubernetes ServiceAccount JWT used
  30240. for authenticating with Vault. If a name is specified without a key,
  30241. `token` is the default. If one is not specified, the one bound to
  30242. the controller will be used.
  30243. properties:
  30244. key:
  30245. description: |-
  30246. A key in the referenced Secret.
  30247. Some instances of this field may be defaulted, in others it may be required.
  30248. maxLength: 253
  30249. minLength: 1
  30250. pattern: ^[-._a-zA-Z0-9]+$
  30251. type: string
  30252. name:
  30253. description: The name of the Secret resource being referred to.
  30254. maxLength: 253
  30255. minLength: 1
  30256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30257. type: string
  30258. namespace:
  30259. description: |-
  30260. The namespace of the Secret resource being referred to.
  30261. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30262. maxLength: 63
  30263. minLength: 1
  30264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30265. type: string
  30266. type: object
  30267. serviceAccountRef:
  30268. description: |-
  30269. Optional service account field containing the name of a kubernetes ServiceAccount.
  30270. If the service account is specified, the service account secret token JWT will be used
  30271. for authenticating with Vault. If the service account selector is not supplied,
  30272. the secretRef will be used instead.
  30273. properties:
  30274. audiences:
  30275. description: |-
  30276. Audience specifies the `aud` claim for the service account token
  30277. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30278. then this audiences will be appended to the list
  30279. items:
  30280. type: string
  30281. type: array
  30282. name:
  30283. description: The name of the ServiceAccount resource being referred to.
  30284. maxLength: 253
  30285. minLength: 1
  30286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30287. type: string
  30288. namespace:
  30289. description: |-
  30290. Namespace of the resource being referred to.
  30291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30292. maxLength: 63
  30293. minLength: 1
  30294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30295. type: string
  30296. required:
  30297. - name
  30298. type: object
  30299. required:
  30300. - mountPath
  30301. - role
  30302. type: object
  30303. ldap:
  30304. description: |-
  30305. Ldap authenticates with Vault by passing username/password pair using
  30306. the LDAP authentication method
  30307. properties:
  30308. path:
  30309. default: ldap
  30310. description: |-
  30311. Path where the LDAP authentication backend is mounted
  30312. in Vault, e.g: "ldap"
  30313. type: string
  30314. secretRef:
  30315. description: |-
  30316. SecretRef to a key in a Secret resource containing password for the LDAP
  30317. user used to authenticate with Vault using the LDAP authentication
  30318. method
  30319. properties:
  30320. key:
  30321. description: |-
  30322. A key in the referenced Secret.
  30323. Some instances of this field may be defaulted, in others it may be required.
  30324. maxLength: 253
  30325. minLength: 1
  30326. pattern: ^[-._a-zA-Z0-9]+$
  30327. type: string
  30328. name:
  30329. description: The name of the Secret resource being referred to.
  30330. maxLength: 253
  30331. minLength: 1
  30332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30333. type: string
  30334. namespace:
  30335. description: |-
  30336. The namespace of the Secret resource being referred to.
  30337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30338. maxLength: 63
  30339. minLength: 1
  30340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30341. type: string
  30342. type: object
  30343. username:
  30344. description: |-
  30345. Username is an LDAP username used to authenticate using the LDAP Vault
  30346. authentication method
  30347. type: string
  30348. required:
  30349. - path
  30350. - username
  30351. type: object
  30352. namespace:
  30353. description: |-
  30354. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  30355. Namespaces is a set of features within Vault Enterprise that allows
  30356. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30357. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30358. This will default to Vault.Namespace field if set, or empty otherwise
  30359. type: string
  30360. tokenSecretRef:
  30361. description: TokenSecretRef authenticates with Vault by presenting a token.
  30362. properties:
  30363. key:
  30364. description: |-
  30365. A key in the referenced Secret.
  30366. Some instances of this field may be defaulted, in others it may be required.
  30367. maxLength: 253
  30368. minLength: 1
  30369. pattern: ^[-._a-zA-Z0-9]+$
  30370. type: string
  30371. name:
  30372. description: The name of the Secret resource being referred to.
  30373. maxLength: 253
  30374. minLength: 1
  30375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30376. type: string
  30377. namespace:
  30378. description: |-
  30379. The namespace of the Secret resource being referred to.
  30380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30381. maxLength: 63
  30382. minLength: 1
  30383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30384. type: string
  30385. type: object
  30386. userPass:
  30387. description: UserPass authenticates with Vault by passing username/password pair
  30388. properties:
  30389. path:
  30390. default: userpass
  30391. description: |-
  30392. Path where the UserPassword authentication backend is mounted
  30393. in Vault, e.g: "userpass"
  30394. type: string
  30395. secretRef:
  30396. description: |-
  30397. SecretRef to a key in a Secret resource containing password for the
  30398. user used to authenticate with Vault using the UserPass authentication
  30399. method
  30400. properties:
  30401. key:
  30402. description: |-
  30403. A key in the referenced Secret.
  30404. Some instances of this field may be defaulted, in others it may be required.
  30405. maxLength: 253
  30406. minLength: 1
  30407. pattern: ^[-._a-zA-Z0-9]+$
  30408. type: string
  30409. name:
  30410. description: The name of the Secret resource being referred to.
  30411. maxLength: 253
  30412. minLength: 1
  30413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30414. type: string
  30415. namespace:
  30416. description: |-
  30417. The namespace of the Secret resource being referred to.
  30418. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30419. maxLength: 63
  30420. minLength: 1
  30421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30422. type: string
  30423. type: object
  30424. username:
  30425. description: |-
  30426. Username is a username used to authenticate using the UserPass Vault
  30427. authentication method
  30428. type: string
  30429. required:
  30430. - path
  30431. - username
  30432. type: object
  30433. type: object
  30434. caBundle:
  30435. description: |-
  30436. PEM encoded CA bundle used to validate Vault server certificate. Only used
  30437. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30438. plain HTTP protocol connection. If not set the system root certificates
  30439. are used to validate the TLS connection.
  30440. format: byte
  30441. type: string
  30442. caProvider:
  30443. description: The provider for the CA bundle to use to validate Vault server certificate.
  30444. properties:
  30445. key:
  30446. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30447. maxLength: 253
  30448. minLength: 1
  30449. pattern: ^[-._a-zA-Z0-9]+$
  30450. type: string
  30451. name:
  30452. description: The name of the object located at the provider type.
  30453. maxLength: 253
  30454. minLength: 1
  30455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30456. type: string
  30457. namespace:
  30458. description: |-
  30459. The namespace the Provider type is in.
  30460. Can only be defined when used in a ClusterSecretStore.
  30461. maxLength: 63
  30462. minLength: 1
  30463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30464. type: string
  30465. type:
  30466. description: The type of provider to use such as "Secret", or "ConfigMap".
  30467. enum:
  30468. - Secret
  30469. - ConfigMap
  30470. type: string
  30471. required:
  30472. - name
  30473. - type
  30474. type: object
  30475. checkAndSet:
  30476. description: |-
  30477. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  30478. Only applies to Vault KV v2 stores. When enabled, write operations must include
  30479. the current version of the secret to prevent unintentional overwrites.
  30480. properties:
  30481. required:
  30482. description: |-
  30483. Required when true, all write operations must include a check-and-set parameter.
  30484. This helps prevent unintentional overwrites of secrets.
  30485. type: boolean
  30486. type: object
  30487. forwardInconsistent:
  30488. description: |-
  30489. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  30490. leader instead of simply retrying within a loop. This can increase performance if
  30491. the option is enabled serverside.
  30492. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  30493. type: boolean
  30494. headers:
  30495. additionalProperties:
  30496. type: string
  30497. description: Headers to be added in Vault request
  30498. type: object
  30499. namespace:
  30500. description: |-
  30501. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  30502. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30503. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30504. type: string
  30505. path:
  30506. description: |-
  30507. Path is the mount path of the Vault KV backend endpoint, e.g:
  30508. "secret". The v2 KV secret engine version specific "/data" path suffix
  30509. for fetching secrets from Vault is optional and will be appended
  30510. if not present in specified path.
  30511. type: string
  30512. readYourWrites:
  30513. description: |-
  30514. ReadYourWrites ensures isolated read-after-write semantics by
  30515. providing discovered cluster replication states in each request.
  30516. More information about eventual consistency in Vault can be found here
  30517. https://www.vaultproject.io/docs/enterprise/consistency
  30518. type: boolean
  30519. server:
  30520. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  30521. type: string
  30522. tls:
  30523. description: |-
  30524. The configuration used for client side related TLS communication, when the Vault server
  30525. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  30526. This parameter is ignored for plain HTTP protocol connection.
  30527. It's worth noting this configuration is different from the "TLS certificates auth method",
  30528. which is available under the `auth.cert` section.
  30529. properties:
  30530. certSecretRef:
  30531. description: |-
  30532. CertSecretRef is a certificate added to the transport layer
  30533. when communicating with the Vault server.
  30534. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  30535. properties:
  30536. key:
  30537. description: |-
  30538. A key in the referenced Secret.
  30539. Some instances of this field may be defaulted, in others it may be required.
  30540. maxLength: 253
  30541. minLength: 1
  30542. pattern: ^[-._a-zA-Z0-9]+$
  30543. type: string
  30544. name:
  30545. description: The name of the Secret resource being referred to.
  30546. maxLength: 253
  30547. minLength: 1
  30548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30549. type: string
  30550. namespace:
  30551. description: |-
  30552. The namespace of the Secret resource being referred to.
  30553. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30554. maxLength: 63
  30555. minLength: 1
  30556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30557. type: string
  30558. type: object
  30559. keySecretRef:
  30560. description: |-
  30561. KeySecretRef to a key in a Secret resource containing client private key
  30562. added to the transport layer when communicating with the Vault server.
  30563. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  30564. properties:
  30565. key:
  30566. description: |-
  30567. A key in the referenced Secret.
  30568. Some instances of this field may be defaulted, in others it may be required.
  30569. maxLength: 253
  30570. minLength: 1
  30571. pattern: ^[-._a-zA-Z0-9]+$
  30572. type: string
  30573. name:
  30574. description: The name of the Secret resource being referred to.
  30575. maxLength: 253
  30576. minLength: 1
  30577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30578. type: string
  30579. namespace:
  30580. description: |-
  30581. The namespace of the Secret resource being referred to.
  30582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30583. maxLength: 63
  30584. minLength: 1
  30585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30586. type: string
  30587. type: object
  30588. type: object
  30589. version:
  30590. default: v2
  30591. description: |-
  30592. Version is the Vault KV secret engine version. This can be either "v1" or
  30593. "v2". Version defaults to "v2".
  30594. enum:
  30595. - v1
  30596. - v2
  30597. type: string
  30598. required:
  30599. - server
  30600. type: object
  30601. resultType:
  30602. default: Data
  30603. description: |-
  30604. Result type defines which data is returned from the generator.
  30605. By default, it is the "data" section of the Vault API response.
  30606. When using e.g. /auth/token/create the "data" section is empty but
  30607. the "auth" section contains the generated token.
  30608. Please refer to the vault docs regarding the result data structure.
  30609. Additionally, accessing the raw response is possibly by using "Raw" result type.
  30610. enum:
  30611. - Data
  30612. - Auth
  30613. - Raw
  30614. type: string
  30615. retrySettings:
  30616. description: Used to configure http retries if failed
  30617. properties:
  30618. maxRetries:
  30619. format: int32
  30620. type: integer
  30621. retryInterval:
  30622. type: string
  30623. type: object
  30624. required:
  30625. - path
  30626. - provider
  30627. type: object
  30628. type: object
  30629. served: true
  30630. storage: true
  30631. subresources:
  30632. status: {}
  30633. ---
  30634. apiVersion: apiextensions.k8s.io/v1
  30635. kind: CustomResourceDefinition
  30636. metadata:
  30637. annotations:
  30638. controller-gen.kubebuilder.io/version: v0.19.0
  30639. labels:
  30640. external-secrets.io/component: controller
  30641. name: webhooks.generators.external-secrets.io
  30642. spec:
  30643. group: generators.external-secrets.io
  30644. names:
  30645. categories:
  30646. - external-secrets
  30647. - external-secrets-generators
  30648. kind: Webhook
  30649. listKind: WebhookList
  30650. plural: webhooks
  30651. singular: webhook
  30652. scope: Namespaced
  30653. versions:
  30654. - name: v1alpha1
  30655. schema:
  30656. openAPIV3Schema:
  30657. description: |-
  30658. Webhook connects to a third party API server to handle the secrets generation
  30659. configuration parameters in spec.
  30660. You can specify the server, the token, and additional body parameters.
  30661. See documentation for the full API specification for requests and responses.
  30662. properties:
  30663. apiVersion:
  30664. description: |-
  30665. APIVersion defines the versioned schema of this representation of an object.
  30666. Servers should convert recognized schemas to the latest internal value, and
  30667. may reject unrecognized values.
  30668. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30669. type: string
  30670. kind:
  30671. description: |-
  30672. Kind is a string value representing the REST resource this object represents.
  30673. Servers may infer this from the endpoint the client submits requests to.
  30674. Cannot be updated.
  30675. In CamelCase.
  30676. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30677. type: string
  30678. metadata:
  30679. type: object
  30680. spec:
  30681. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  30682. properties:
  30683. auth:
  30684. description: Auth specifies a authorization protocol. Only one protocol may be set.
  30685. maxProperties: 1
  30686. minProperties: 1
  30687. properties:
  30688. ntlm:
  30689. description: NTLMProtocol configures the store to use NTLM for auth
  30690. properties:
  30691. passwordSecret:
  30692. description: |-
  30693. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30694. In some instances, `key` is a required field.
  30695. properties:
  30696. key:
  30697. description: |-
  30698. A key in the referenced Secret.
  30699. Some instances of this field may be defaulted, in others it may be required.
  30700. maxLength: 253
  30701. minLength: 1
  30702. pattern: ^[-._a-zA-Z0-9]+$
  30703. type: string
  30704. name:
  30705. description: The name of the Secret resource being referred to.
  30706. maxLength: 253
  30707. minLength: 1
  30708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30709. type: string
  30710. namespace:
  30711. description: |-
  30712. The namespace of the Secret resource being referred to.
  30713. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30714. maxLength: 63
  30715. minLength: 1
  30716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30717. type: string
  30718. type: object
  30719. usernameSecret:
  30720. description: |-
  30721. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30722. In some instances, `key` is a required field.
  30723. properties:
  30724. key:
  30725. description: |-
  30726. A key in the referenced Secret.
  30727. Some instances of this field may be defaulted, in others it may be required.
  30728. maxLength: 253
  30729. minLength: 1
  30730. pattern: ^[-._a-zA-Z0-9]+$
  30731. type: string
  30732. name:
  30733. description: The name of the Secret resource being referred to.
  30734. maxLength: 253
  30735. minLength: 1
  30736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30737. type: string
  30738. namespace:
  30739. description: |-
  30740. The namespace of the Secret resource being referred to.
  30741. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30742. maxLength: 63
  30743. minLength: 1
  30744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30745. type: string
  30746. type: object
  30747. required:
  30748. - passwordSecret
  30749. - usernameSecret
  30750. type: object
  30751. type: object
  30752. body:
  30753. description: Body
  30754. type: string
  30755. caBundle:
  30756. description: |-
  30757. PEM encoded CA bundle used to validate webhook server certificate. Only used
  30758. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30759. plain HTTP protocol connection. If not set the system root certificates
  30760. are used to validate the TLS connection.
  30761. format: byte
  30762. type: string
  30763. caProvider:
  30764. description: The provider for the CA bundle to use to validate webhook server certificate.
  30765. properties:
  30766. key:
  30767. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30768. maxLength: 253
  30769. minLength: 1
  30770. pattern: ^[-._a-zA-Z0-9]+$
  30771. type: string
  30772. name:
  30773. description: The name of the object located at the provider type.
  30774. maxLength: 253
  30775. minLength: 1
  30776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30777. type: string
  30778. namespace:
  30779. description: The namespace the Provider type is in.
  30780. maxLength: 63
  30781. minLength: 1
  30782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30783. type: string
  30784. type:
  30785. description: The type of provider to use such as "Secret", or "ConfigMap".
  30786. enum:
  30787. - Secret
  30788. - ConfigMap
  30789. type: string
  30790. required:
  30791. - name
  30792. - type
  30793. type: object
  30794. headers:
  30795. additionalProperties:
  30796. type: string
  30797. description: Headers
  30798. type: object
  30799. method:
  30800. description: Webhook Method
  30801. type: string
  30802. result:
  30803. description: Result formatting
  30804. properties:
  30805. jsonPath:
  30806. description: Json path of return value
  30807. type: string
  30808. type: object
  30809. secrets:
  30810. description: |-
  30811. Secrets to fill in templates
  30812. These secrets will be passed to the templating function as key value pairs under the given name
  30813. items:
  30814. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  30815. properties:
  30816. name:
  30817. description: Name of this secret in templates
  30818. type: string
  30819. secretRef:
  30820. description: Secret ref to fill in credentials
  30821. properties:
  30822. key:
  30823. description: The key where the token is found.
  30824. maxLength: 253
  30825. minLength: 1
  30826. pattern: ^[-._a-zA-Z0-9]+$
  30827. type: string
  30828. name:
  30829. description: The name of the Secret resource being referred to.
  30830. maxLength: 253
  30831. minLength: 1
  30832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30833. type: string
  30834. type: object
  30835. required:
  30836. - name
  30837. - secretRef
  30838. type: object
  30839. type: array
  30840. timeout:
  30841. description: Timeout
  30842. type: string
  30843. url:
  30844. description: Webhook url to call
  30845. type: string
  30846. required:
  30847. - result
  30848. - url
  30849. type: object
  30850. type: object
  30851. served: true
  30852. storage: true
  30853. subresources:
  30854. status: {}