bundle.yaml 678 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167816881698170817181728173817481758176817781788179818081818182818381848185818681878188818981908191819281938194819581968197819881998200820182028203820482058206820782088209821082118212821382148215821682178218821982208221822282238224822582268227822882298230823182328233823482358236823782388239824082418242824382448245824682478248824982508251825282538254825582568257825882598260826182628263826482658266826782688269827082718272827382748275827682778278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998899990009001900290039004900590069007900890099010901190129013901490159016901790189019902090219022902390249025902690279028902990309031903290339034903590369037903890399040904190429043904490459046904790489049905090519052905390549055905690579058905990609061906290639064906590669067906890699070907190729073907490759076907790789079908090819082908390849085908690879088908990909091909290939094909590969097909890999100910191029103910491059106910791089109911091119112911391149115911691179118911991209121912291239124912591269127912891299130913191329133913491359136913791389139914091419142914391449145914691479148914991509151915291539154915591569157915891599160916191629163916491659166916791689169917091719172917391749175917691779178917991809181918291839184918591869187918891899190919191929193919491959196919791989199920092019202920392049205920692079208920992109211921292139214921592169217921892199220922192229223922492259226922792289229923092319232923392349235923692379238923992409241924292439244924592469247924892499250925192529253925492559256925792589259926092619262926392649265926692679268926992709271927292739274927592769277927892799280928192829283928492859286928792889289929092919292929392949295929692979298929993009301930293039304930593069307930893099310931193129313931493159316931793189319932093219322932393249325932693279328932993309331933293339334933593369337933893399340934193429343934493459346934793489349935093519352935393549355935693579358935993609361936293639364936593669367936893699370937193729373937493759376937793789379938093819382938393849385938693879388938993909391939293939394939593969397939893999400940194029403940494059406940794089409941094119412941394149415941694179418941994209421942294239424942594269427942894299430943194329433943494359436943794389439944094419442944394449445944694479448944994509451945294539454945594569457945894599460946194629463946494659466946794689469947094719472947394749475947694779478947994809481948294839484948594869487948894899490949194929493949494959496949794989499950095019502950395049505950695079508950995109511951295139514951595169517951895199520952195229523952495259526952795289529953095319532953395349535953695379538953995409541954295439544954595469547954895499550955195529553955495559556955795589559956095619562956395649565956695679568956995709571957295739574957595769577957895799580958195829583958495859586958795889589959095919592959395949595959695979598959996009601960296039604960596069607960896099610961196129613961496159616961796189619962096219622962396249625962696279628962996309631963296339634963596369637963896399640964196429643964496459646964796489649965096519652965396549655965696579658965996609661966296639664966596669667966896699670967196729673967496759676967796789679968096819682968396849685968696879688968996909691969296939694969596969697969896999700970197029703970497059706970797089709971097119712971397149715971697179718971997209721972297239724972597269727972897299730973197329733973497359736973797389739974097419742974397449745974697479748974997509751975297539754975597569757975897599760976197629763976497659766976797689769977097719772977397749775977697779778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211022210223102241022510226102271022810229102301023110232102331023410235102361023710238102391024010241102421024310244102451024610247102481024910250102511025210253102541025510256102571025810259102601026110262102631026410265102661026710268102691027010271102721027310274102751027610277102781027910280102811028210283102841028510286102871028810289102901029110292102931029410295102961029710298102991030010301103021030310304103051030610307103081030910310103111031210313103141031510316103171031810319103201032110322103231032410325103261032710328103291033010331103321033310334103351033610337103381033910340103411034210343103441034510346103471034810349103501035110352103531035410355103561035710358103591036010361103621036310364103651036610367103681036910370103711037210373103741037510376103771037810379103801038110382103831038410385103861038710388103891039010391103921039310394103951039610397103981039910400104011040210403104041040510406104071040810409104101041110412104131041410415104161041710418104191042010421104221042310424104251042610427104281042910430104311043210433104341043510436104371043810439104401044110442104431044410445104461044710448104491045010451104521045310454104551045610457104581045910460104611046210463104641046510466104671046810469104701047110472104731047410475104761047710478104791048010481104821048310484104851048610487104881048910490104911049210493104941049510496104971049810499105001050110502105031050410505105061050710508105091051010511105121051310514105151051610517105181051910520105211052210523105241052510526105271052810529105301053110532105331053410535105361053710538105391054010541105421054310544105451054610547105481054910550105511055210553105541055510556105571055810559105601056110562105631056410565105661056710568105691057010571105721057310574105751057610577105781057910580105811058210583105841058510586105871058810589105901059110592105931059410595105961059710598105991060010601106021060310604106051060610607106081060910610106111061210613106141061510616106171061810619106201062110622106231062410625106261062710628106291063010631106321063310634106351063610637106381063910640106411064210643106441064510646106471064810649106501065110652106531065410655106561065710658106591066010661106621066310664106651066610667106681066910670106711067210673106741067510676106771067810679106801068110682106831068410685106861068710688106891069010691106921069310694106951069610697106981069910700107011070210703107041070510706107071070810709107101071110712107131071410715107161071710718107191072010721107221072310724107251072610727107281072910730107311073210733107341073510736107371073810739107401074110742107431074410745107461074710748107491075010751107521075310754107551075610757107581075910760107611076210763107641076510766107671076810769107701077110772107731077410775107761077710778107791078010781107821078310784107851078610787107881078910790107911079210793107941079510796107971079810799108001080110802108031080410805108061080710808108091081010811108121081310814108151081610817108181081910820108211082210823108241082510826108271082810829108301083110832108331083410835108361083710838108391084010841108421084310844108451084610847108481084910850108511085210853108541085510856108571085810859108601086110862108631086410865108661086710868108691087010871108721087310874108751087610877108781087910880108811088210883108841088510886108871088810889108901089110892108931089410895108961089710898108991090010901109021090310904109051090610907109081090910910109111091210913109141091510916109171091810919109201092110922109231092410925109261092710928109291093010931109321093310934109351093610937109381093910940109411094210943109441094510946109471094810949109501095110952109531095410955109561095710958109591096010961109621096310964109651096610967109681096910970109711097210973109741097510976109771097810979109801098110982109831098410985109861098710988109891099010991109921099310994109951099610997109981099911000110011100211003110041100511006110071100811009110101101111012110131101411015110161101711018110191102011021110221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211142211423114241142511426114271142811429114301143111432114331143411435114361143711438114391144011441114421144311444114451144611447114481144911450114511145211453114541145511456114571145811459114601146111462114631146411465114661146711468114691147011471114721147311474114751147611477114781147911480114811148211483114841148511486114871148811489114901149111492114931149411495114961149711498114991150011501115021150311504115051150611507115081150911510115111151211513115141151511516115171151811519115201152111522115231152411525115261152711528115291153011531115321153311534115351153611537115381153911540115411154211543115441154511546115471154811549115501155111552115531155411555115561155711558115591156011561115621156311564115651156611567115681156911570115711157211573115741157511576115771157811579115801158111582115831158411585115861158711588115891159011591115921159311594115951159611597115981159911600116011160211603116041160511606116071160811609116101161111612116131161411615116161161711618116191162011621116221162311624116251162611627116281162911630116311163211633116341163511636116371163811639116401164111642116431164411645116461164711648116491165011651116521165311654116551165611657116581165911660116611166211663116641166511666116671166811669116701167111672116731167411675116761167711678116791168011681116821168311684116851168611687116881168911690116911169211693116941169511696116971169811699117001170111702117031170411705117061170711708117091171011711117121171311714117151171611717117181171911720117211172211723117241172511726117271172811729117301173111732117331173411735117361173711738117391174011741117421174311744117451174611747117481174911750117511175211753117541175511756117571175811759117601176111762117631176411765117661176711768117691177011771117721177311774117751177611777117781177911780117811178211783117841178511786117871178811789117901179111792117931179411795117961179711798117991180011801118021180311804118051180611807118081180911810118111181211813118141181511816118171181811819118201182111822118231182411825118261182711828118291183011831118321183311834118351183611837118381183911840118411184211843118441184511846118471184811849118501185111852118531185411855118561185711858118591186011861118621186311864118651186611867118681186911870118711187211873118741187511876118771187811879118801188111882118831188411885118861188711888118891189011891118921189311894118951189611897118981189911900119011190211903119041190511906119071190811909119101191111912119131191411915119161191711918119191192011921119221192311924119251192611927119281192911930119311193211933119341193511936119371193811939119401194111942119431194411945119461194711948119491195011951119521195311954119551195611957119581195911960119611196211963119641196511966119671196811969119701197111972119731197411975119761197711978119791198011981119821198311984119851198611987119881198911990119911199211993119941199511996119971199811999120001200112002120031200412005120061200712008120091201012011120121201312014120151201612017120181201912020120211202212023120241202512026120271202812029120301203112032120331203412035120361203712038120391204012041120421204312044120451204612047120481204912050120511205212053120541205512056120571205812059120601206112062120631206412065120661206712068120691207012071120721207312074120751207612077120781207912080120811208212083120841208512086120871208812089120901209112092120931209412095120961209712098120991210012101121021210312104121051210612107121081210912110121111211212113121141211512116121171211812119121201212112122121231212412125121261212712128121291213012131121321213312134121351213612137121381213912140121411214212143121441214512146121471214812149121501215112152
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.15.0
  6. name: clusterexternalsecrets.external-secrets.io
  7. spec:
  8. group: external-secrets.io
  9. names:
  10. categories:
  11. - externalsecrets
  12. kind: ClusterExternalSecret
  13. listKind: ClusterExternalSecretList
  14. plural: clusterexternalsecrets
  15. shortNames:
  16. - ces
  17. singular: clusterexternalsecret
  18. scope: Cluster
  19. versions:
  20. - additionalPrinterColumns:
  21. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  22. name: Store
  23. type: string
  24. - jsonPath: .spec.refreshTime
  25. name: Refresh Interval
  26. type: string
  27. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  28. name: Ready
  29. type: string
  30. name: v1beta1
  31. schema:
  32. openAPIV3Schema:
  33. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  34. properties:
  35. apiVersion:
  36. description: |-
  37. APIVersion defines the versioned schema of this representation of an object.
  38. Servers should convert recognized schemas to the latest internal value, and
  39. may reject unrecognized values.
  40. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  41. type: string
  42. kind:
  43. description: |-
  44. Kind is a string value representing the REST resource this object represents.
  45. Servers may infer this from the endpoint the client submits requests to.
  46. Cannot be updated.
  47. In CamelCase.
  48. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  49. type: string
  50. metadata:
  51. type: object
  52. spec:
  53. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  54. properties:
  55. externalSecretMetadata:
  56. description: The metadata of the external secrets to be created
  57. properties:
  58. annotations:
  59. additionalProperties:
  60. type: string
  61. type: object
  62. labels:
  63. additionalProperties:
  64. type: string
  65. type: object
  66. type: object
  67. externalSecretName:
  68. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  69. type: string
  70. externalSecretSpec:
  71. description: The spec for the ExternalSecrets to be created
  72. properties:
  73. data:
  74. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  75. items:
  76. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  77. properties:
  78. remoteRef:
  79. description: |-
  80. RemoteRef points to the remote secret and defines
  81. which secret (version/property/..) to fetch.
  82. properties:
  83. conversionStrategy:
  84. default: Default
  85. description: Used to define a conversion Strategy
  86. enum:
  87. - Default
  88. - Unicode
  89. type: string
  90. decodingStrategy:
  91. default: None
  92. description: Used to define a decoding Strategy
  93. enum:
  94. - Auto
  95. - Base64
  96. - Base64URL
  97. - None
  98. type: string
  99. key:
  100. description: Key is the key used in the Provider, mandatory
  101. type: string
  102. metadataPolicy:
  103. default: None
  104. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  105. enum:
  106. - None
  107. - Fetch
  108. type: string
  109. property:
  110. description: Used to select a specific property of the Provider value (if a map), if supported
  111. type: string
  112. version:
  113. description: Used to select a specific version of the Provider value, if supported
  114. type: string
  115. required:
  116. - key
  117. type: object
  118. secretKey:
  119. description: |-
  120. SecretKey defines the key in which the controller stores
  121. the value. This is the key in the Kind=Secret
  122. type: string
  123. sourceRef:
  124. description: |-
  125. SourceRef allows you to override the source
  126. from which the value will pulled from.
  127. maxProperties: 1
  128. properties:
  129. generatorRef:
  130. description: |-
  131. GeneratorRef points to a generator custom resource.
  132. Deprecated: The generatorRef is not implemented in .data[].
  133. this will be removed with v1.
  134. properties:
  135. apiVersion:
  136. default: generators.external-secrets.io/v1alpha1
  137. description: Specify the apiVersion of the generator resource
  138. type: string
  139. kind:
  140. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  141. type: string
  142. name:
  143. description: Specify the name of the generator resource
  144. type: string
  145. required:
  146. - kind
  147. - name
  148. type: object
  149. storeRef:
  150. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  151. properties:
  152. kind:
  153. description: |-
  154. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  155. Defaults to `SecretStore`
  156. type: string
  157. name:
  158. description: Name of the SecretStore resource
  159. type: string
  160. required:
  161. - name
  162. type: object
  163. type: object
  164. required:
  165. - remoteRef
  166. - secretKey
  167. type: object
  168. type: array
  169. dataFrom:
  170. description: |-
  171. DataFrom is used to fetch all properties from a specific Provider data
  172. If multiple entries are specified, the Secret keys are merged in the specified order
  173. items:
  174. properties:
  175. extract:
  176. description: |-
  177. Used to extract multiple key/value pairs from one secret
  178. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  179. properties:
  180. conversionStrategy:
  181. default: Default
  182. description: Used to define a conversion Strategy
  183. enum:
  184. - Default
  185. - Unicode
  186. type: string
  187. decodingStrategy:
  188. default: None
  189. description: Used to define a decoding Strategy
  190. enum:
  191. - Auto
  192. - Base64
  193. - Base64URL
  194. - None
  195. type: string
  196. key:
  197. description: Key is the key used in the Provider, mandatory
  198. type: string
  199. metadataPolicy:
  200. default: None
  201. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  202. enum:
  203. - None
  204. - Fetch
  205. type: string
  206. property:
  207. description: Used to select a specific property of the Provider value (if a map), if supported
  208. type: string
  209. version:
  210. description: Used to select a specific version of the Provider value, if supported
  211. type: string
  212. required:
  213. - key
  214. type: object
  215. find:
  216. description: |-
  217. Used to find secrets based on tags or regular expressions
  218. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  219. properties:
  220. conversionStrategy:
  221. default: Default
  222. description: Used to define a conversion Strategy
  223. enum:
  224. - Default
  225. - Unicode
  226. type: string
  227. decodingStrategy:
  228. default: None
  229. description: Used to define a decoding Strategy
  230. enum:
  231. - Auto
  232. - Base64
  233. - Base64URL
  234. - None
  235. type: string
  236. name:
  237. description: Finds secrets based on the name.
  238. properties:
  239. regexp:
  240. description: Finds secrets base
  241. type: string
  242. type: object
  243. path:
  244. description: A root path to start the find operations.
  245. type: string
  246. tags:
  247. additionalProperties:
  248. type: string
  249. description: Find secrets based on tags.
  250. type: object
  251. type: object
  252. rewrite:
  253. description: |-
  254. Used to rewrite secret Keys after getting them from the secret Provider
  255. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  256. items:
  257. properties:
  258. regexp:
  259. description: |-
  260. Used to rewrite with regular expressions.
  261. The resulting key will be the output of a regexp.ReplaceAll operation.
  262. properties:
  263. source:
  264. description: Used to define the regular expression of a re.Compiler.
  265. type: string
  266. target:
  267. description: Used to define the target pattern of a ReplaceAll operation.
  268. type: string
  269. required:
  270. - source
  271. - target
  272. type: object
  273. transform:
  274. description: |-
  275. Used to apply string transformation on the secrets.
  276. The resulting key will be the output of the template applied by the operation.
  277. properties:
  278. template:
  279. description: |-
  280. Used to define the template to apply on the secret name.
  281. `.value ` will specify the secret name in the template.
  282. type: string
  283. required:
  284. - template
  285. type: object
  286. type: object
  287. type: array
  288. sourceRef:
  289. description: |-
  290. SourceRef points to a store or generator
  291. which contains secret values ready to use.
  292. Use this in combination with Extract or Find pull values out of
  293. a specific SecretStore.
  294. When sourceRef points to a generator Extract or Find is not supported.
  295. The generator returns a static map of values
  296. maxProperties: 1
  297. properties:
  298. generatorRef:
  299. description: GeneratorRef points to a generator custom resource.
  300. properties:
  301. apiVersion:
  302. default: generators.external-secrets.io/v1alpha1
  303. description: Specify the apiVersion of the generator resource
  304. type: string
  305. kind:
  306. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  307. type: string
  308. name:
  309. description: Specify the name of the generator resource
  310. type: string
  311. required:
  312. - kind
  313. - name
  314. type: object
  315. storeRef:
  316. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  317. properties:
  318. kind:
  319. description: |-
  320. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  321. Defaults to `SecretStore`
  322. type: string
  323. name:
  324. description: Name of the SecretStore resource
  325. type: string
  326. required:
  327. - name
  328. type: object
  329. type: object
  330. type: object
  331. type: array
  332. refreshInterval:
  333. default: 1h
  334. description: |-
  335. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  336. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  337. May be set to zero to fetch and create it once. Defaults to 1h.
  338. type: string
  339. secretStoreRef:
  340. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  341. properties:
  342. kind:
  343. description: |-
  344. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  345. Defaults to `SecretStore`
  346. type: string
  347. name:
  348. description: Name of the SecretStore resource
  349. type: string
  350. required:
  351. - name
  352. type: object
  353. target:
  354. default:
  355. creationPolicy: Owner
  356. deletionPolicy: Retain
  357. description: |-
  358. ExternalSecretTarget defines the Kubernetes Secret to be created
  359. There can be only one target per ExternalSecret.
  360. properties:
  361. creationPolicy:
  362. default: Owner
  363. description: |-
  364. CreationPolicy defines rules on how to create the resulting Secret
  365. Defaults to 'Owner'
  366. enum:
  367. - Owner
  368. - Orphan
  369. - Merge
  370. - None
  371. type: string
  372. deletionPolicy:
  373. default: Retain
  374. description: |-
  375. DeletionPolicy defines rules on how to delete the resulting Secret
  376. Defaults to 'Retain'
  377. enum:
  378. - Delete
  379. - Merge
  380. - Retain
  381. type: string
  382. immutable:
  383. description: Immutable defines if the final secret will be immutable
  384. type: boolean
  385. name:
  386. description: |-
  387. Name defines the name of the Secret resource to be managed
  388. This field is immutable
  389. Defaults to the .metadata.name of the ExternalSecret resource
  390. type: string
  391. template:
  392. description: Template defines a blueprint for the created Secret resource.
  393. properties:
  394. data:
  395. additionalProperties:
  396. type: string
  397. type: object
  398. engineVersion:
  399. default: v2
  400. description: |-
  401. EngineVersion specifies the template engine version
  402. that should be used to compile/execute the
  403. template specified in .data and .templateFrom[].
  404. enum:
  405. - v1
  406. - v2
  407. type: string
  408. mergePolicy:
  409. default: Replace
  410. enum:
  411. - Replace
  412. - Merge
  413. type: string
  414. metadata:
  415. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  416. properties:
  417. annotations:
  418. additionalProperties:
  419. type: string
  420. type: object
  421. labels:
  422. additionalProperties:
  423. type: string
  424. type: object
  425. type: object
  426. templateFrom:
  427. items:
  428. properties:
  429. configMap:
  430. properties:
  431. items:
  432. items:
  433. properties:
  434. key:
  435. type: string
  436. templateAs:
  437. default: Values
  438. enum:
  439. - Values
  440. - KeysAndValues
  441. type: string
  442. required:
  443. - key
  444. type: object
  445. type: array
  446. name:
  447. type: string
  448. required:
  449. - items
  450. - name
  451. type: object
  452. literal:
  453. type: string
  454. secret:
  455. properties:
  456. items:
  457. items:
  458. properties:
  459. key:
  460. type: string
  461. templateAs:
  462. default: Values
  463. enum:
  464. - Values
  465. - KeysAndValues
  466. type: string
  467. required:
  468. - key
  469. type: object
  470. type: array
  471. name:
  472. type: string
  473. required:
  474. - items
  475. - name
  476. type: object
  477. target:
  478. default: Data
  479. enum:
  480. - Data
  481. - Annotations
  482. - Labels
  483. type: string
  484. type: object
  485. type: array
  486. type:
  487. type: string
  488. type: object
  489. type: object
  490. type: object
  491. namespaceSelector:
  492. description: |-
  493. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  494. Deprecated: Use NamespaceSelectors instead.
  495. properties:
  496. matchExpressions:
  497. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  498. items:
  499. description: |-
  500. A label selector requirement is a selector that contains values, a key, and an operator that
  501. relates the key and values.
  502. properties:
  503. key:
  504. description: key is the label key that the selector applies to.
  505. type: string
  506. operator:
  507. description: |-
  508. operator represents a key's relationship to a set of values.
  509. Valid operators are In, NotIn, Exists and DoesNotExist.
  510. type: string
  511. values:
  512. description: |-
  513. values is an array of string values. If the operator is In or NotIn,
  514. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  515. the values array must be empty. This array is replaced during a strategic
  516. merge patch.
  517. items:
  518. type: string
  519. type: array
  520. x-kubernetes-list-type: atomic
  521. required:
  522. - key
  523. - operator
  524. type: object
  525. type: array
  526. x-kubernetes-list-type: atomic
  527. matchLabels:
  528. additionalProperties:
  529. type: string
  530. description: |-
  531. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  532. map is equivalent to an element of matchExpressions, whose key field is "key", the
  533. operator is "In", and the values array contains only "value". The requirements are ANDed.
  534. type: object
  535. type: object
  536. x-kubernetes-map-type: atomic
  537. namespaceSelectors:
  538. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  539. items:
  540. description: |-
  541. A label selector is a label query over a set of resources. The result of matchLabels and
  542. matchExpressions are ANDed. An empty label selector matches all objects. A null
  543. label selector matches no objects.
  544. properties:
  545. matchExpressions:
  546. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  547. items:
  548. description: |-
  549. A label selector requirement is a selector that contains values, a key, and an operator that
  550. relates the key and values.
  551. properties:
  552. key:
  553. description: key is the label key that the selector applies to.
  554. type: string
  555. operator:
  556. description: |-
  557. operator represents a key's relationship to a set of values.
  558. Valid operators are In, NotIn, Exists and DoesNotExist.
  559. type: string
  560. values:
  561. description: |-
  562. values is an array of string values. If the operator is In or NotIn,
  563. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  564. the values array must be empty. This array is replaced during a strategic
  565. merge patch.
  566. items:
  567. type: string
  568. type: array
  569. x-kubernetes-list-type: atomic
  570. required:
  571. - key
  572. - operator
  573. type: object
  574. type: array
  575. x-kubernetes-list-type: atomic
  576. matchLabels:
  577. additionalProperties:
  578. type: string
  579. description: |-
  580. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  581. map is equivalent to an element of matchExpressions, whose key field is "key", the
  582. operator is "In", and the values array contains only "value". The requirements are ANDed.
  583. type: object
  584. type: object
  585. x-kubernetes-map-type: atomic
  586. type: array
  587. namespaces:
  588. description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  589. items:
  590. type: string
  591. type: array
  592. refreshTime:
  593. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  594. type: string
  595. required:
  596. - externalSecretSpec
  597. type: object
  598. status:
  599. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  600. properties:
  601. conditions:
  602. items:
  603. properties:
  604. message:
  605. type: string
  606. status:
  607. type: string
  608. type:
  609. type: string
  610. required:
  611. - status
  612. - type
  613. type: object
  614. type: array
  615. externalSecretName:
  616. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  617. type: string
  618. failedNamespaces:
  619. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  620. items:
  621. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  622. properties:
  623. namespace:
  624. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  625. type: string
  626. reason:
  627. description: Reason is why the ExternalSecret failed to apply to the namespace
  628. type: string
  629. required:
  630. - namespace
  631. type: object
  632. type: array
  633. provisionedNamespaces:
  634. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  635. items:
  636. type: string
  637. type: array
  638. type: object
  639. type: object
  640. served: true
  641. storage: true
  642. subresources:
  643. status: {}
  644. conversion:
  645. strategy: Webhook
  646. webhook:
  647. conversionReviewVersions:
  648. - v1
  649. clientConfig:
  650. service:
  651. name: kubernetes
  652. namespace: default
  653. path: /convert
  654. ---
  655. apiVersion: apiextensions.k8s.io/v1
  656. kind: CustomResourceDefinition
  657. metadata:
  658. annotations:
  659. controller-gen.kubebuilder.io/version: v0.15.0
  660. name: clustersecretstores.external-secrets.io
  661. spec:
  662. group: external-secrets.io
  663. names:
  664. categories:
  665. - externalsecrets
  666. kind: ClusterSecretStore
  667. listKind: ClusterSecretStoreList
  668. plural: clustersecretstores
  669. shortNames:
  670. - css
  671. singular: clustersecretstore
  672. scope: Cluster
  673. versions:
  674. - additionalPrinterColumns:
  675. - jsonPath: .metadata.creationTimestamp
  676. name: AGE
  677. type: date
  678. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  679. name: Status
  680. type: string
  681. deprecated: true
  682. name: v1alpha1
  683. schema:
  684. openAPIV3Schema:
  685. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  686. properties:
  687. apiVersion:
  688. description: |-
  689. APIVersion defines the versioned schema of this representation of an object.
  690. Servers should convert recognized schemas to the latest internal value, and
  691. may reject unrecognized values.
  692. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  693. type: string
  694. kind:
  695. description: |-
  696. Kind is a string value representing the REST resource this object represents.
  697. Servers may infer this from the endpoint the client submits requests to.
  698. Cannot be updated.
  699. In CamelCase.
  700. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  701. type: string
  702. metadata:
  703. type: object
  704. spec:
  705. description: SecretStoreSpec defines the desired state of SecretStore.
  706. properties:
  707. controller:
  708. description: |-
  709. Used to select the correct ESO controller (think: ingress.ingressClassName)
  710. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  711. type: string
  712. provider:
  713. description: Used to configure the provider. Only one provider may be set
  714. maxProperties: 1
  715. minProperties: 1
  716. properties:
  717. akeyless:
  718. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  719. properties:
  720. akeylessGWApiURL:
  721. description: Akeyless GW API Url from which the secrets to be fetched from.
  722. type: string
  723. authSecretRef:
  724. description: Auth configures how the operator authenticates with Akeyless.
  725. properties:
  726. kubernetesAuth:
  727. description: |-
  728. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  729. token stored in the named Secret resource.
  730. properties:
  731. accessID:
  732. description: the Akeyless Kubernetes auth-method access-id
  733. type: string
  734. k8sConfName:
  735. description: Kubernetes-auth configuration name in Akeyless-Gateway
  736. type: string
  737. secretRef:
  738. description: |-
  739. Optional secret field containing a Kubernetes ServiceAccount JWT used
  740. for authenticating with Akeyless. If a name is specified without a key,
  741. `token` is the default. If one is not specified, the one bound to
  742. the controller will be used.
  743. properties:
  744. key:
  745. description: |-
  746. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  747. defaulted, in others it may be required.
  748. type: string
  749. name:
  750. description: The name of the Secret resource being referred to.
  751. type: string
  752. namespace:
  753. description: |-
  754. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  755. to the namespace of the referent.
  756. type: string
  757. type: object
  758. serviceAccountRef:
  759. description: |-
  760. Optional service account field containing the name of a kubernetes ServiceAccount.
  761. If the service account is specified, the service account secret token JWT will be used
  762. for authenticating with Akeyless. If the service account selector is not supplied,
  763. the secretRef will be used instead.
  764. properties:
  765. audiences:
  766. description: |-
  767. Audience specifies the `aud` claim for the service account token
  768. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  769. then this audiences will be appended to the list
  770. items:
  771. type: string
  772. type: array
  773. name:
  774. description: The name of the ServiceAccount resource being referred to.
  775. type: string
  776. namespace:
  777. description: |-
  778. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  779. to the namespace of the referent.
  780. type: string
  781. required:
  782. - name
  783. type: object
  784. required:
  785. - accessID
  786. - k8sConfName
  787. type: object
  788. secretRef:
  789. description: |-
  790. Reference to a Secret that contains the details
  791. to authenticate with Akeyless.
  792. properties:
  793. accessID:
  794. description: The SecretAccessID is used for authentication
  795. properties:
  796. key:
  797. description: |-
  798. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  799. defaulted, in others it may be required.
  800. type: string
  801. name:
  802. description: The name of the Secret resource being referred to.
  803. type: string
  804. namespace:
  805. description: |-
  806. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  807. to the namespace of the referent.
  808. type: string
  809. type: object
  810. accessType:
  811. description: |-
  812. A reference to a specific 'key' within a Secret resource,
  813. In some instances, `key` is a required field.
  814. properties:
  815. key:
  816. description: |-
  817. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  818. defaulted, in others it may be required.
  819. type: string
  820. name:
  821. description: The name of the Secret resource being referred to.
  822. type: string
  823. namespace:
  824. description: |-
  825. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  826. to the namespace of the referent.
  827. type: string
  828. type: object
  829. accessTypeParam:
  830. description: |-
  831. A reference to a specific 'key' within a Secret resource,
  832. In some instances, `key` is a required field.
  833. properties:
  834. key:
  835. description: |-
  836. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  837. defaulted, in others it may be required.
  838. type: string
  839. name:
  840. description: The name of the Secret resource being referred to.
  841. type: string
  842. namespace:
  843. description: |-
  844. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  845. to the namespace of the referent.
  846. type: string
  847. type: object
  848. type: object
  849. type: object
  850. caBundle:
  851. description: |-
  852. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  853. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  854. are used to validate the TLS connection.
  855. format: byte
  856. type: string
  857. caProvider:
  858. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  859. properties:
  860. key:
  861. description: The key the value inside of the provider type to use, only used with "Secret" type
  862. type: string
  863. name:
  864. description: The name of the object located at the provider type.
  865. type: string
  866. namespace:
  867. description: The namespace the Provider type is in.
  868. type: string
  869. type:
  870. description: The type of provider to use such as "Secret", or "ConfigMap".
  871. enum:
  872. - Secret
  873. - ConfigMap
  874. type: string
  875. required:
  876. - name
  877. - type
  878. type: object
  879. required:
  880. - akeylessGWApiURL
  881. - authSecretRef
  882. type: object
  883. alibaba:
  884. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  885. properties:
  886. auth:
  887. description: AlibabaAuth contains a secretRef for credentials.
  888. properties:
  889. rrsa:
  890. description: Authenticate against Alibaba using RRSA.
  891. properties:
  892. oidcProviderArn:
  893. type: string
  894. oidcTokenFilePath:
  895. type: string
  896. roleArn:
  897. type: string
  898. sessionName:
  899. type: string
  900. required:
  901. - oidcProviderArn
  902. - oidcTokenFilePath
  903. - roleArn
  904. - sessionName
  905. type: object
  906. secretRef:
  907. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  908. properties:
  909. accessKeyIDSecretRef:
  910. description: The AccessKeyID is used for authentication
  911. properties:
  912. key:
  913. description: |-
  914. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  915. defaulted, in others it may be required.
  916. type: string
  917. name:
  918. description: The name of the Secret resource being referred to.
  919. type: string
  920. namespace:
  921. description: |-
  922. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  923. to the namespace of the referent.
  924. type: string
  925. type: object
  926. accessKeySecretSecretRef:
  927. description: The AccessKeySecret is used for authentication
  928. properties:
  929. key:
  930. description: |-
  931. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  932. defaulted, in others it may be required.
  933. type: string
  934. name:
  935. description: The name of the Secret resource being referred to.
  936. type: string
  937. namespace:
  938. description: |-
  939. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  940. to the namespace of the referent.
  941. type: string
  942. type: object
  943. required:
  944. - accessKeyIDSecretRef
  945. - accessKeySecretSecretRef
  946. type: object
  947. type: object
  948. regionID:
  949. description: Alibaba Region to be used for the provider
  950. type: string
  951. required:
  952. - auth
  953. - regionID
  954. type: object
  955. aws:
  956. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  957. properties:
  958. auth:
  959. description: |-
  960. Auth defines the information necessary to authenticate against AWS
  961. if not set aws sdk will infer credentials from your environment
  962. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  963. properties:
  964. jwt:
  965. description: Authenticate against AWS using service account tokens.
  966. properties:
  967. serviceAccountRef:
  968. description: A reference to a ServiceAccount resource.
  969. properties:
  970. audiences:
  971. description: |-
  972. Audience specifies the `aud` claim for the service account token
  973. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  974. then this audiences will be appended to the list
  975. items:
  976. type: string
  977. type: array
  978. name:
  979. description: The name of the ServiceAccount resource being referred to.
  980. type: string
  981. namespace:
  982. description: |-
  983. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  984. to the namespace of the referent.
  985. type: string
  986. required:
  987. - name
  988. type: object
  989. type: object
  990. secretRef:
  991. description: |-
  992. AWSAuthSecretRef holds secret references for AWS credentials
  993. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  994. properties:
  995. accessKeyIDSecretRef:
  996. description: The AccessKeyID is used for authentication
  997. properties:
  998. key:
  999. description: |-
  1000. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1001. defaulted, in others it may be required.
  1002. type: string
  1003. name:
  1004. description: The name of the Secret resource being referred to.
  1005. type: string
  1006. namespace:
  1007. description: |-
  1008. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1009. to the namespace of the referent.
  1010. type: string
  1011. type: object
  1012. secretAccessKeySecretRef:
  1013. description: The SecretAccessKey is used for authentication
  1014. properties:
  1015. key:
  1016. description: |-
  1017. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1018. defaulted, in others it may be required.
  1019. type: string
  1020. name:
  1021. description: The name of the Secret resource being referred to.
  1022. type: string
  1023. namespace:
  1024. description: |-
  1025. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1026. to the namespace of the referent.
  1027. type: string
  1028. type: object
  1029. type: object
  1030. type: object
  1031. region:
  1032. description: AWS Region to be used for the provider
  1033. type: string
  1034. role:
  1035. description: Role is a Role ARN which the SecretManager provider will assume
  1036. type: string
  1037. service:
  1038. description: Service defines which service should be used to fetch the secrets
  1039. enum:
  1040. - SecretsManager
  1041. - ParameterStore
  1042. type: string
  1043. required:
  1044. - region
  1045. - service
  1046. type: object
  1047. azurekv:
  1048. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1049. properties:
  1050. authSecretRef:
  1051. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1052. properties:
  1053. clientId:
  1054. description: The Azure clientId of the service principle used for authentication.
  1055. properties:
  1056. key:
  1057. description: |-
  1058. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1059. defaulted, in others it may be required.
  1060. type: string
  1061. name:
  1062. description: The name of the Secret resource being referred to.
  1063. type: string
  1064. namespace:
  1065. description: |-
  1066. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1067. to the namespace of the referent.
  1068. type: string
  1069. type: object
  1070. clientSecret:
  1071. description: The Azure ClientSecret of the service principle used for authentication.
  1072. properties:
  1073. key:
  1074. description: |-
  1075. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1076. defaulted, in others it may be required.
  1077. type: string
  1078. name:
  1079. description: The name of the Secret resource being referred to.
  1080. type: string
  1081. namespace:
  1082. description: |-
  1083. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1084. to the namespace of the referent.
  1085. type: string
  1086. type: object
  1087. type: object
  1088. authType:
  1089. default: ServicePrincipal
  1090. description: |-
  1091. Auth type defines how to authenticate to the keyvault service.
  1092. Valid values are:
  1093. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  1094. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  1095. enum:
  1096. - ServicePrincipal
  1097. - ManagedIdentity
  1098. - WorkloadIdentity
  1099. type: string
  1100. identityId:
  1101. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1102. type: string
  1103. serviceAccountRef:
  1104. description: |-
  1105. ServiceAccountRef specified the service account
  1106. that should be used when authenticating with WorkloadIdentity.
  1107. properties:
  1108. audiences:
  1109. description: |-
  1110. Audience specifies the `aud` claim for the service account token
  1111. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1112. then this audiences will be appended to the list
  1113. items:
  1114. type: string
  1115. type: array
  1116. name:
  1117. description: The name of the ServiceAccount resource being referred to.
  1118. type: string
  1119. namespace:
  1120. description: |-
  1121. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1122. to the namespace of the referent.
  1123. type: string
  1124. required:
  1125. - name
  1126. type: object
  1127. tenantId:
  1128. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1129. type: string
  1130. vaultUrl:
  1131. description: Vault Url from which the secrets to be fetched from.
  1132. type: string
  1133. required:
  1134. - vaultUrl
  1135. type: object
  1136. fake:
  1137. description: Fake configures a store with static key/value pairs
  1138. properties:
  1139. data:
  1140. items:
  1141. properties:
  1142. key:
  1143. type: string
  1144. value:
  1145. type: string
  1146. valueMap:
  1147. additionalProperties:
  1148. type: string
  1149. type: object
  1150. version:
  1151. type: string
  1152. required:
  1153. - key
  1154. type: object
  1155. type: array
  1156. required:
  1157. - data
  1158. type: object
  1159. gcpsm:
  1160. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1161. properties:
  1162. auth:
  1163. description: Auth defines the information necessary to authenticate against GCP
  1164. properties:
  1165. secretRef:
  1166. properties:
  1167. secretAccessKeySecretRef:
  1168. description: The SecretAccessKey is used for authentication
  1169. properties:
  1170. key:
  1171. description: |-
  1172. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1173. defaulted, in others it may be required.
  1174. type: string
  1175. name:
  1176. description: The name of the Secret resource being referred to.
  1177. type: string
  1178. namespace:
  1179. description: |-
  1180. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1181. to the namespace of the referent.
  1182. type: string
  1183. type: object
  1184. type: object
  1185. workloadIdentity:
  1186. properties:
  1187. clusterLocation:
  1188. type: string
  1189. clusterName:
  1190. type: string
  1191. clusterProjectID:
  1192. type: string
  1193. serviceAccountRef:
  1194. description: A reference to a ServiceAccount resource.
  1195. properties:
  1196. audiences:
  1197. description: |-
  1198. Audience specifies the `aud` claim for the service account token
  1199. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1200. then this audiences will be appended to the list
  1201. items:
  1202. type: string
  1203. type: array
  1204. name:
  1205. description: The name of the ServiceAccount resource being referred to.
  1206. type: string
  1207. namespace:
  1208. description: |-
  1209. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1210. to the namespace of the referent.
  1211. type: string
  1212. required:
  1213. - name
  1214. type: object
  1215. required:
  1216. - clusterLocation
  1217. - clusterName
  1218. - serviceAccountRef
  1219. type: object
  1220. type: object
  1221. projectID:
  1222. description: ProjectID project where secret is located
  1223. type: string
  1224. type: object
  1225. gitlab:
  1226. description: GitLab configures this store to sync secrets using GitLab Variables provider
  1227. properties:
  1228. auth:
  1229. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1230. properties:
  1231. SecretRef:
  1232. properties:
  1233. accessToken:
  1234. description: AccessToken is used for authentication.
  1235. properties:
  1236. key:
  1237. description: |-
  1238. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1239. defaulted, in others it may be required.
  1240. type: string
  1241. name:
  1242. description: The name of the Secret resource being referred to.
  1243. type: string
  1244. namespace:
  1245. description: |-
  1246. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1247. to the namespace of the referent.
  1248. type: string
  1249. type: object
  1250. type: object
  1251. required:
  1252. - SecretRef
  1253. type: object
  1254. projectID:
  1255. description: ProjectID specifies a project where secrets are located.
  1256. type: string
  1257. url:
  1258. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1259. type: string
  1260. required:
  1261. - auth
  1262. type: object
  1263. ibm:
  1264. description: IBM configures this store to sync secrets using IBM Cloud provider
  1265. properties:
  1266. auth:
  1267. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1268. properties:
  1269. secretRef:
  1270. properties:
  1271. secretApiKeySecretRef:
  1272. description: The SecretAccessKey is used for authentication
  1273. properties:
  1274. key:
  1275. description: |-
  1276. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1277. defaulted, in others it may be required.
  1278. type: string
  1279. name:
  1280. description: The name of the Secret resource being referred to.
  1281. type: string
  1282. namespace:
  1283. description: |-
  1284. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1285. to the namespace of the referent.
  1286. type: string
  1287. type: object
  1288. type: object
  1289. required:
  1290. - secretRef
  1291. type: object
  1292. serviceUrl:
  1293. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1294. type: string
  1295. required:
  1296. - auth
  1297. type: object
  1298. kubernetes:
  1299. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1300. properties:
  1301. auth:
  1302. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1303. maxProperties: 1
  1304. minProperties: 1
  1305. properties:
  1306. cert:
  1307. description: has both clientCert and clientKey as secretKeySelector
  1308. properties:
  1309. clientCert:
  1310. description: |-
  1311. A reference to a specific 'key' within a Secret resource,
  1312. In some instances, `key` is a required field.
  1313. properties:
  1314. key:
  1315. description: |-
  1316. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1317. defaulted, in others it may be required.
  1318. type: string
  1319. name:
  1320. description: The name of the Secret resource being referred to.
  1321. type: string
  1322. namespace:
  1323. description: |-
  1324. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1325. to the namespace of the referent.
  1326. type: string
  1327. type: object
  1328. clientKey:
  1329. description: |-
  1330. A reference to a specific 'key' within a Secret resource,
  1331. In some instances, `key` is a required field.
  1332. properties:
  1333. key:
  1334. description: |-
  1335. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1336. defaulted, in others it may be required.
  1337. type: string
  1338. name:
  1339. description: The name of the Secret resource being referred to.
  1340. type: string
  1341. namespace:
  1342. description: |-
  1343. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1344. to the namespace of the referent.
  1345. type: string
  1346. type: object
  1347. type: object
  1348. serviceAccount:
  1349. description: points to a service account that should be used for authentication
  1350. properties:
  1351. serviceAccount:
  1352. description: A reference to a ServiceAccount resource.
  1353. properties:
  1354. audiences:
  1355. description: |-
  1356. Audience specifies the `aud` claim for the service account token
  1357. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1358. then this audiences will be appended to the list
  1359. items:
  1360. type: string
  1361. type: array
  1362. name:
  1363. description: The name of the ServiceAccount resource being referred to.
  1364. type: string
  1365. namespace:
  1366. description: |-
  1367. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1368. to the namespace of the referent.
  1369. type: string
  1370. required:
  1371. - name
  1372. type: object
  1373. type: object
  1374. token:
  1375. description: use static token to authenticate with
  1376. properties:
  1377. bearerToken:
  1378. description: |-
  1379. A reference to a specific 'key' within a Secret resource,
  1380. In some instances, `key` is a required field.
  1381. properties:
  1382. key:
  1383. description: |-
  1384. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1385. defaulted, in others it may be required.
  1386. type: string
  1387. name:
  1388. description: The name of the Secret resource being referred to.
  1389. type: string
  1390. namespace:
  1391. description: |-
  1392. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1393. to the namespace of the referent.
  1394. type: string
  1395. type: object
  1396. type: object
  1397. type: object
  1398. remoteNamespace:
  1399. default: default
  1400. description: Remote namespace to fetch the secrets from
  1401. type: string
  1402. server:
  1403. description: configures the Kubernetes server Address.
  1404. properties:
  1405. caBundle:
  1406. description: CABundle is a base64-encoded CA certificate
  1407. format: byte
  1408. type: string
  1409. caProvider:
  1410. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1411. properties:
  1412. key:
  1413. description: The key the value inside of the provider type to use, only used with "Secret" type
  1414. type: string
  1415. name:
  1416. description: The name of the object located at the provider type.
  1417. type: string
  1418. namespace:
  1419. description: The namespace the Provider type is in.
  1420. type: string
  1421. type:
  1422. description: The type of provider to use such as "Secret", or "ConfigMap".
  1423. enum:
  1424. - Secret
  1425. - ConfigMap
  1426. type: string
  1427. required:
  1428. - name
  1429. - type
  1430. type: object
  1431. url:
  1432. default: kubernetes.default
  1433. description: configures the Kubernetes server Address.
  1434. type: string
  1435. type: object
  1436. required:
  1437. - auth
  1438. type: object
  1439. oracle:
  1440. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1441. properties:
  1442. auth:
  1443. description: |-
  1444. Auth configures how secret-manager authenticates with the Oracle Vault.
  1445. If empty, instance principal is used. Optionally, the authenticating principal type
  1446. and/or user data may be supplied for the use of workload identity and user principal.
  1447. properties:
  1448. secretRef:
  1449. description: SecretRef to pass through sensitive information.
  1450. properties:
  1451. fingerprint:
  1452. description: Fingerprint is the fingerprint of the API private key.
  1453. properties:
  1454. key:
  1455. description: |-
  1456. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1457. defaulted, in others it may be required.
  1458. type: string
  1459. name:
  1460. description: The name of the Secret resource being referred to.
  1461. type: string
  1462. namespace:
  1463. description: |-
  1464. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1465. to the namespace of the referent.
  1466. type: string
  1467. type: object
  1468. privatekey:
  1469. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1470. properties:
  1471. key:
  1472. description: |-
  1473. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1474. defaulted, in others it may be required.
  1475. type: string
  1476. name:
  1477. description: The name of the Secret resource being referred to.
  1478. type: string
  1479. namespace:
  1480. description: |-
  1481. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1482. to the namespace of the referent.
  1483. type: string
  1484. type: object
  1485. required:
  1486. - fingerprint
  1487. - privatekey
  1488. type: object
  1489. tenancy:
  1490. description: Tenancy is the tenancy OCID where user is located.
  1491. type: string
  1492. user:
  1493. description: User is an access OCID specific to the account.
  1494. type: string
  1495. required:
  1496. - secretRef
  1497. - tenancy
  1498. - user
  1499. type: object
  1500. compartment:
  1501. description: |-
  1502. Compartment is the vault compartment OCID.
  1503. Required for PushSecret
  1504. type: string
  1505. encryptionKey:
  1506. description: |-
  1507. EncryptionKey is the OCID of the encryption key within the vault.
  1508. Required for PushSecret
  1509. type: string
  1510. principalType:
  1511. description: |-
  1512. The type of principal to use for authentication. If left blank, the Auth struct will
  1513. determine the principal type. This optional field must be specified if using
  1514. workload identity.
  1515. enum:
  1516. - ""
  1517. - UserPrincipal
  1518. - InstancePrincipal
  1519. - Workload
  1520. type: string
  1521. region:
  1522. description: Region is the region where vault is located.
  1523. type: string
  1524. serviceAccountRef:
  1525. description: |-
  1526. ServiceAccountRef specified the service account
  1527. that should be used when authenticating with WorkloadIdentity.
  1528. properties:
  1529. audiences:
  1530. description: |-
  1531. Audience specifies the `aud` claim for the service account token
  1532. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1533. then this audiences will be appended to the list
  1534. items:
  1535. type: string
  1536. type: array
  1537. name:
  1538. description: The name of the ServiceAccount resource being referred to.
  1539. type: string
  1540. namespace:
  1541. description: |-
  1542. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1543. to the namespace of the referent.
  1544. type: string
  1545. required:
  1546. - name
  1547. type: object
  1548. vault:
  1549. description: Vault is the vault's OCID of the specific vault where secret is located.
  1550. type: string
  1551. required:
  1552. - region
  1553. - vault
  1554. type: object
  1555. passworddepot:
  1556. description: Configures a store to sync secrets with a Password Depot instance.
  1557. properties:
  1558. auth:
  1559. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  1560. properties:
  1561. secretRef:
  1562. properties:
  1563. credentials:
  1564. description: Username / Password is used for authentication.
  1565. properties:
  1566. key:
  1567. description: |-
  1568. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1569. defaulted, in others it may be required.
  1570. type: string
  1571. name:
  1572. description: The name of the Secret resource being referred to.
  1573. type: string
  1574. namespace:
  1575. description: |-
  1576. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1577. to the namespace of the referent.
  1578. type: string
  1579. type: object
  1580. type: object
  1581. required:
  1582. - secretRef
  1583. type: object
  1584. database:
  1585. description: Database to use as source
  1586. type: string
  1587. host:
  1588. description: URL configures the Password Depot instance URL.
  1589. type: string
  1590. required:
  1591. - auth
  1592. - database
  1593. - host
  1594. type: object
  1595. vault:
  1596. description: Vault configures this store to sync secrets using Hashi provider
  1597. properties:
  1598. auth:
  1599. description: Auth configures how secret-manager authenticates with the Vault server.
  1600. properties:
  1601. appRole:
  1602. description: |-
  1603. AppRole authenticates with Vault using the App Role auth mechanism,
  1604. with the role and secret stored in a Kubernetes Secret resource.
  1605. properties:
  1606. path:
  1607. default: approle
  1608. description: |-
  1609. Path where the App Role authentication backend is mounted
  1610. in Vault, e.g: "approle"
  1611. type: string
  1612. roleId:
  1613. description: |-
  1614. RoleID configured in the App Role authentication backend when setting
  1615. up the authentication backend in Vault.
  1616. type: string
  1617. secretRef:
  1618. description: |-
  1619. Reference to a key in a Secret that contains the App Role secret used
  1620. to authenticate with Vault.
  1621. The `key` field must be specified and denotes which entry within the Secret
  1622. resource is used as the app role secret.
  1623. properties:
  1624. key:
  1625. description: |-
  1626. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1627. defaulted, in others it may be required.
  1628. type: string
  1629. name:
  1630. description: The name of the Secret resource being referred to.
  1631. type: string
  1632. namespace:
  1633. description: |-
  1634. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1635. to the namespace of the referent.
  1636. type: string
  1637. type: object
  1638. required:
  1639. - path
  1640. - roleId
  1641. - secretRef
  1642. type: object
  1643. cert:
  1644. description: |-
  1645. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  1646. Cert authentication method
  1647. properties:
  1648. clientCert:
  1649. description: |-
  1650. ClientCert is a certificate to authenticate using the Cert Vault
  1651. authentication method
  1652. properties:
  1653. key:
  1654. description: |-
  1655. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1656. defaulted, in others it may be required.
  1657. type: string
  1658. name:
  1659. description: The name of the Secret resource being referred to.
  1660. type: string
  1661. namespace:
  1662. description: |-
  1663. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1664. to the namespace of the referent.
  1665. type: string
  1666. type: object
  1667. secretRef:
  1668. description: |-
  1669. SecretRef to a key in a Secret resource containing client private key to
  1670. authenticate with Vault using the Cert authentication method
  1671. properties:
  1672. key:
  1673. description: |-
  1674. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1675. defaulted, in others it may be required.
  1676. type: string
  1677. name:
  1678. description: The name of the Secret resource being referred to.
  1679. type: string
  1680. namespace:
  1681. description: |-
  1682. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1683. to the namespace of the referent.
  1684. type: string
  1685. type: object
  1686. type: object
  1687. jwt:
  1688. description: |-
  1689. Jwt authenticates with Vault by passing role and JWT token using the
  1690. JWT/OIDC authentication method
  1691. properties:
  1692. kubernetesServiceAccountToken:
  1693. description: |-
  1694. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1695. a token for with the `TokenRequest` API.
  1696. properties:
  1697. audiences:
  1698. description: |-
  1699. Optional audiences field that will be used to request a temporary Kubernetes service
  1700. account token for the service account referenced by `serviceAccountRef`.
  1701. Defaults to a single audience `vault` it not specified.
  1702. items:
  1703. type: string
  1704. type: array
  1705. expirationSeconds:
  1706. description: |-
  1707. Optional expiration time in seconds that will be used to request a temporary
  1708. Kubernetes service account token for the service account referenced by
  1709. `serviceAccountRef`.
  1710. Defaults to 10 minutes.
  1711. format: int64
  1712. type: integer
  1713. serviceAccountRef:
  1714. description: Service account field containing the name of a kubernetes ServiceAccount.
  1715. properties:
  1716. audiences:
  1717. description: |-
  1718. Audience specifies the `aud` claim for the service account token
  1719. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1720. then this audiences will be appended to the list
  1721. items:
  1722. type: string
  1723. type: array
  1724. name:
  1725. description: The name of the ServiceAccount resource being referred to.
  1726. type: string
  1727. namespace:
  1728. description: |-
  1729. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1730. to the namespace of the referent.
  1731. type: string
  1732. required:
  1733. - name
  1734. type: object
  1735. required:
  1736. - serviceAccountRef
  1737. type: object
  1738. path:
  1739. default: jwt
  1740. description: |-
  1741. Path where the JWT authentication backend is mounted
  1742. in Vault, e.g: "jwt"
  1743. type: string
  1744. role:
  1745. description: |-
  1746. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1747. authentication method
  1748. type: string
  1749. secretRef:
  1750. description: |-
  1751. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1752. authenticate with Vault using the JWT/OIDC authentication method.
  1753. properties:
  1754. key:
  1755. description: |-
  1756. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1757. defaulted, in others it may be required.
  1758. type: string
  1759. name:
  1760. description: The name of the Secret resource being referred to.
  1761. type: string
  1762. namespace:
  1763. description: |-
  1764. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1765. to the namespace of the referent.
  1766. type: string
  1767. type: object
  1768. required:
  1769. - path
  1770. type: object
  1771. kubernetes:
  1772. description: |-
  1773. Kubernetes authenticates with Vault by passing the ServiceAccount
  1774. token stored in the named Secret resource to the Vault server.
  1775. properties:
  1776. mountPath:
  1777. default: kubernetes
  1778. description: |-
  1779. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1780. "kubernetes"
  1781. type: string
  1782. role:
  1783. description: |-
  1784. A required field containing the Vault Role to assume. A Role binds a
  1785. Kubernetes ServiceAccount with a set of Vault policies.
  1786. type: string
  1787. secretRef:
  1788. description: |-
  1789. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1790. for authenticating with Vault. If a name is specified without a key,
  1791. `token` is the default. If one is not specified, the one bound to
  1792. the controller will be used.
  1793. properties:
  1794. key:
  1795. description: |-
  1796. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1797. defaulted, in others it may be required.
  1798. type: string
  1799. name:
  1800. description: The name of the Secret resource being referred to.
  1801. type: string
  1802. namespace:
  1803. description: |-
  1804. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1805. to the namespace of the referent.
  1806. type: string
  1807. type: object
  1808. serviceAccountRef:
  1809. description: |-
  1810. Optional service account field containing the name of a kubernetes ServiceAccount.
  1811. If the service account is specified, the service account secret token JWT will be used
  1812. for authenticating with Vault. If the service account selector is not supplied,
  1813. the secretRef will be used instead.
  1814. properties:
  1815. audiences:
  1816. description: |-
  1817. Audience specifies the `aud` claim for the service account token
  1818. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1819. then this audiences will be appended to the list
  1820. items:
  1821. type: string
  1822. type: array
  1823. name:
  1824. description: The name of the ServiceAccount resource being referred to.
  1825. type: string
  1826. namespace:
  1827. description: |-
  1828. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1829. to the namespace of the referent.
  1830. type: string
  1831. required:
  1832. - name
  1833. type: object
  1834. required:
  1835. - mountPath
  1836. - role
  1837. type: object
  1838. ldap:
  1839. description: |-
  1840. Ldap authenticates with Vault by passing username/password pair using
  1841. the LDAP authentication method
  1842. properties:
  1843. path:
  1844. default: ldap
  1845. description: |-
  1846. Path where the LDAP authentication backend is mounted
  1847. in Vault, e.g: "ldap"
  1848. type: string
  1849. secretRef:
  1850. description: |-
  1851. SecretRef to a key in a Secret resource containing password for the LDAP
  1852. user used to authenticate with Vault using the LDAP authentication
  1853. method
  1854. properties:
  1855. key:
  1856. description: |-
  1857. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1858. defaulted, in others it may be required.
  1859. type: string
  1860. name:
  1861. description: The name of the Secret resource being referred to.
  1862. type: string
  1863. namespace:
  1864. description: |-
  1865. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1866. to the namespace of the referent.
  1867. type: string
  1868. type: object
  1869. username:
  1870. description: |-
  1871. Username is a LDAP user name used to authenticate using the LDAP Vault
  1872. authentication method
  1873. type: string
  1874. required:
  1875. - path
  1876. - username
  1877. type: object
  1878. tokenSecretRef:
  1879. description: TokenSecretRef authenticates with Vault by presenting a token.
  1880. properties:
  1881. key:
  1882. description: |-
  1883. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1884. defaulted, in others it may be required.
  1885. type: string
  1886. name:
  1887. description: The name of the Secret resource being referred to.
  1888. type: string
  1889. namespace:
  1890. description: |-
  1891. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1892. to the namespace of the referent.
  1893. type: string
  1894. type: object
  1895. type: object
  1896. caBundle:
  1897. description: |-
  1898. PEM encoded CA bundle used to validate Vault server certificate. Only used
  1899. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1900. plain HTTP protocol connection. If not set the system root certificates
  1901. are used to validate the TLS connection.
  1902. format: byte
  1903. type: string
  1904. caProvider:
  1905. description: The provider for the CA bundle to use to validate Vault server certificate.
  1906. properties:
  1907. key:
  1908. description: The key the value inside of the provider type to use, only used with "Secret" type
  1909. type: string
  1910. name:
  1911. description: The name of the object located at the provider type.
  1912. type: string
  1913. namespace:
  1914. description: The namespace the Provider type is in.
  1915. type: string
  1916. type:
  1917. description: The type of provider to use such as "Secret", or "ConfigMap".
  1918. enum:
  1919. - Secret
  1920. - ConfigMap
  1921. type: string
  1922. required:
  1923. - name
  1924. - type
  1925. type: object
  1926. forwardInconsistent:
  1927. description: |-
  1928. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  1929. leader instead of simply retrying within a loop. This can increase performance if
  1930. the option is enabled serverside.
  1931. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1932. type: boolean
  1933. namespace:
  1934. description: |-
  1935. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  1936. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  1937. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1938. type: string
  1939. path:
  1940. description: |-
  1941. Path is the mount path of the Vault KV backend endpoint, e.g:
  1942. "secret". The v2 KV secret engine version specific "/data" path suffix
  1943. for fetching secrets from Vault is optional and will be appended
  1944. if not present in specified path.
  1945. type: string
  1946. readYourWrites:
  1947. description: |-
  1948. ReadYourWrites ensures isolated read-after-write semantics by
  1949. providing discovered cluster replication states in each request.
  1950. More information about eventual consistency in Vault can be found here
  1951. https://www.vaultproject.io/docs/enterprise/consistency
  1952. type: boolean
  1953. server:
  1954. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1955. type: string
  1956. version:
  1957. default: v2
  1958. description: |-
  1959. Version is the Vault KV secret engine version. This can be either "v1" or
  1960. "v2". Version defaults to "v2".
  1961. enum:
  1962. - v1
  1963. - v2
  1964. type: string
  1965. required:
  1966. - auth
  1967. - server
  1968. type: object
  1969. webhook:
  1970. description: Webhook configures this store to sync secrets using a generic templated webhook
  1971. properties:
  1972. body:
  1973. description: Body
  1974. type: string
  1975. caBundle:
  1976. description: |-
  1977. PEM encoded CA bundle used to validate webhook server certificate. Only used
  1978. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1979. plain HTTP protocol connection. If not set the system root certificates
  1980. are used to validate the TLS connection.
  1981. format: byte
  1982. type: string
  1983. caProvider:
  1984. description: The provider for the CA bundle to use to validate webhook server certificate.
  1985. properties:
  1986. key:
  1987. description: The key the value inside of the provider type to use, only used with "Secret" type
  1988. type: string
  1989. name:
  1990. description: The name of the object located at the provider type.
  1991. type: string
  1992. namespace:
  1993. description: The namespace the Provider type is in.
  1994. type: string
  1995. type:
  1996. description: The type of provider to use such as "Secret", or "ConfigMap".
  1997. enum:
  1998. - Secret
  1999. - ConfigMap
  2000. type: string
  2001. required:
  2002. - name
  2003. - type
  2004. type: object
  2005. headers:
  2006. additionalProperties:
  2007. type: string
  2008. description: Headers
  2009. type: object
  2010. method:
  2011. description: Webhook Method
  2012. type: string
  2013. result:
  2014. description: Result formatting
  2015. properties:
  2016. jsonPath:
  2017. description: Json path of return value
  2018. type: string
  2019. type: object
  2020. secrets:
  2021. description: |-
  2022. Secrets to fill in templates
  2023. These secrets will be passed to the templating function as key value pairs under the given name
  2024. items:
  2025. properties:
  2026. name:
  2027. description: Name of this secret in templates
  2028. type: string
  2029. secretRef:
  2030. description: Secret ref to fill in credentials
  2031. properties:
  2032. key:
  2033. description: |-
  2034. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2035. defaulted, in others it may be required.
  2036. type: string
  2037. name:
  2038. description: The name of the Secret resource being referred to.
  2039. type: string
  2040. namespace:
  2041. description: |-
  2042. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2043. to the namespace of the referent.
  2044. type: string
  2045. type: object
  2046. required:
  2047. - name
  2048. - secretRef
  2049. type: object
  2050. type: array
  2051. timeout:
  2052. description: Timeout
  2053. type: string
  2054. url:
  2055. description: Webhook url to call
  2056. type: string
  2057. required:
  2058. - result
  2059. - url
  2060. type: object
  2061. yandexlockbox:
  2062. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2063. properties:
  2064. apiEndpoint:
  2065. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2066. type: string
  2067. auth:
  2068. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2069. properties:
  2070. authorizedKeySecretRef:
  2071. description: The authorized key used for authentication
  2072. properties:
  2073. key:
  2074. description: |-
  2075. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2076. defaulted, in others it may be required.
  2077. type: string
  2078. name:
  2079. description: The name of the Secret resource being referred to.
  2080. type: string
  2081. namespace:
  2082. description: |-
  2083. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2084. to the namespace of the referent.
  2085. type: string
  2086. type: object
  2087. type: object
  2088. caProvider:
  2089. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2090. properties:
  2091. certSecretRef:
  2092. description: |-
  2093. A reference to a specific 'key' within a Secret resource,
  2094. In some instances, `key` is a required field.
  2095. properties:
  2096. key:
  2097. description: |-
  2098. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2099. defaulted, in others it may be required.
  2100. type: string
  2101. name:
  2102. description: The name of the Secret resource being referred to.
  2103. type: string
  2104. namespace:
  2105. description: |-
  2106. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2107. to the namespace of the referent.
  2108. type: string
  2109. type: object
  2110. type: object
  2111. required:
  2112. - auth
  2113. type: object
  2114. type: object
  2115. retrySettings:
  2116. description: Used to configure http retries if failed
  2117. properties:
  2118. maxRetries:
  2119. format: int32
  2120. type: integer
  2121. retryInterval:
  2122. type: string
  2123. type: object
  2124. required:
  2125. - provider
  2126. type: object
  2127. status:
  2128. description: SecretStoreStatus defines the observed state of the SecretStore.
  2129. properties:
  2130. conditions:
  2131. items:
  2132. properties:
  2133. lastTransitionTime:
  2134. format: date-time
  2135. type: string
  2136. message:
  2137. type: string
  2138. reason:
  2139. type: string
  2140. status:
  2141. type: string
  2142. type:
  2143. type: string
  2144. required:
  2145. - status
  2146. - type
  2147. type: object
  2148. type: array
  2149. type: object
  2150. type: object
  2151. served: true
  2152. storage: false
  2153. subresources:
  2154. status: {}
  2155. - additionalPrinterColumns:
  2156. - jsonPath: .metadata.creationTimestamp
  2157. name: AGE
  2158. type: date
  2159. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2160. name: Status
  2161. type: string
  2162. - jsonPath: .status.capabilities
  2163. name: Capabilities
  2164. type: string
  2165. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2166. name: Ready
  2167. type: string
  2168. name: v1beta1
  2169. schema:
  2170. openAPIV3Schema:
  2171. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2172. properties:
  2173. apiVersion:
  2174. description: |-
  2175. APIVersion defines the versioned schema of this representation of an object.
  2176. Servers should convert recognized schemas to the latest internal value, and
  2177. may reject unrecognized values.
  2178. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2179. type: string
  2180. kind:
  2181. description: |-
  2182. Kind is a string value representing the REST resource this object represents.
  2183. Servers may infer this from the endpoint the client submits requests to.
  2184. Cannot be updated.
  2185. In CamelCase.
  2186. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2187. type: string
  2188. metadata:
  2189. type: object
  2190. spec:
  2191. description: SecretStoreSpec defines the desired state of SecretStore.
  2192. properties:
  2193. conditions:
  2194. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  2195. items:
  2196. description: |-
  2197. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2198. for a ClusterSecretStore instance.
  2199. properties:
  2200. namespaceSelector:
  2201. description: Choose namespace using a labelSelector
  2202. properties:
  2203. matchExpressions:
  2204. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2205. items:
  2206. description: |-
  2207. A label selector requirement is a selector that contains values, a key, and an operator that
  2208. relates the key and values.
  2209. properties:
  2210. key:
  2211. description: key is the label key that the selector applies to.
  2212. type: string
  2213. operator:
  2214. description: |-
  2215. operator represents a key's relationship to a set of values.
  2216. Valid operators are In, NotIn, Exists and DoesNotExist.
  2217. type: string
  2218. values:
  2219. description: |-
  2220. values is an array of string values. If the operator is In or NotIn,
  2221. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2222. the values array must be empty. This array is replaced during a strategic
  2223. merge patch.
  2224. items:
  2225. type: string
  2226. type: array
  2227. x-kubernetes-list-type: atomic
  2228. required:
  2229. - key
  2230. - operator
  2231. type: object
  2232. type: array
  2233. x-kubernetes-list-type: atomic
  2234. matchLabels:
  2235. additionalProperties:
  2236. type: string
  2237. description: |-
  2238. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2239. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2240. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2241. type: object
  2242. type: object
  2243. x-kubernetes-map-type: atomic
  2244. namespaces:
  2245. description: Choose namespaces by name
  2246. items:
  2247. type: string
  2248. type: array
  2249. type: object
  2250. type: array
  2251. controller:
  2252. description: |-
  2253. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2254. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2255. type: string
  2256. provider:
  2257. description: Used to configure the provider. Only one provider may be set
  2258. maxProperties: 1
  2259. minProperties: 1
  2260. properties:
  2261. akeyless:
  2262. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2263. properties:
  2264. akeylessGWApiURL:
  2265. description: Akeyless GW API Url from which the secrets to be fetched from.
  2266. type: string
  2267. authSecretRef:
  2268. description: Auth configures how the operator authenticates with Akeyless.
  2269. properties:
  2270. kubernetesAuth:
  2271. description: |-
  2272. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2273. token stored in the named Secret resource.
  2274. properties:
  2275. accessID:
  2276. description: the Akeyless Kubernetes auth-method access-id
  2277. type: string
  2278. k8sConfName:
  2279. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2280. type: string
  2281. secretRef:
  2282. description: |-
  2283. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2284. for authenticating with Akeyless. If a name is specified without a key,
  2285. `token` is the default. If one is not specified, the one bound to
  2286. the controller will be used.
  2287. properties:
  2288. key:
  2289. description: |-
  2290. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2291. defaulted, in others it may be required.
  2292. type: string
  2293. name:
  2294. description: The name of the Secret resource being referred to.
  2295. type: string
  2296. namespace:
  2297. description: |-
  2298. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2299. to the namespace of the referent.
  2300. type: string
  2301. type: object
  2302. serviceAccountRef:
  2303. description: |-
  2304. Optional service account field containing the name of a kubernetes ServiceAccount.
  2305. If the service account is specified, the service account secret token JWT will be used
  2306. for authenticating with Akeyless. If the service account selector is not supplied,
  2307. the secretRef will be used instead.
  2308. properties:
  2309. audiences:
  2310. description: |-
  2311. Audience specifies the `aud` claim for the service account token
  2312. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2313. then this audiences will be appended to the list
  2314. items:
  2315. type: string
  2316. type: array
  2317. name:
  2318. description: The name of the ServiceAccount resource being referred to.
  2319. type: string
  2320. namespace:
  2321. description: |-
  2322. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2323. to the namespace of the referent.
  2324. type: string
  2325. required:
  2326. - name
  2327. type: object
  2328. required:
  2329. - accessID
  2330. - k8sConfName
  2331. type: object
  2332. secretRef:
  2333. description: |-
  2334. Reference to a Secret that contains the details
  2335. to authenticate with Akeyless.
  2336. properties:
  2337. accessID:
  2338. description: The SecretAccessID is used for authentication
  2339. properties:
  2340. key:
  2341. description: |-
  2342. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2343. defaulted, in others it may be required.
  2344. type: string
  2345. name:
  2346. description: The name of the Secret resource being referred to.
  2347. type: string
  2348. namespace:
  2349. description: |-
  2350. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2351. to the namespace of the referent.
  2352. type: string
  2353. type: object
  2354. accessType:
  2355. description: |-
  2356. A reference to a specific 'key' within a Secret resource,
  2357. In some instances, `key` is a required field.
  2358. properties:
  2359. key:
  2360. description: |-
  2361. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2362. defaulted, in others it may be required.
  2363. type: string
  2364. name:
  2365. description: The name of the Secret resource being referred to.
  2366. type: string
  2367. namespace:
  2368. description: |-
  2369. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2370. to the namespace of the referent.
  2371. type: string
  2372. type: object
  2373. accessTypeParam:
  2374. description: |-
  2375. A reference to a specific 'key' within a Secret resource,
  2376. In some instances, `key` is a required field.
  2377. properties:
  2378. key:
  2379. description: |-
  2380. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2381. defaulted, in others it may be required.
  2382. type: string
  2383. name:
  2384. description: The name of the Secret resource being referred to.
  2385. type: string
  2386. namespace:
  2387. description: |-
  2388. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2389. to the namespace of the referent.
  2390. type: string
  2391. type: object
  2392. type: object
  2393. type: object
  2394. caBundle:
  2395. description: |-
  2396. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2397. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2398. are used to validate the TLS connection.
  2399. format: byte
  2400. type: string
  2401. caProvider:
  2402. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2403. properties:
  2404. key:
  2405. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2406. type: string
  2407. name:
  2408. description: The name of the object located at the provider type.
  2409. type: string
  2410. namespace:
  2411. description: |-
  2412. The namespace the Provider type is in.
  2413. Can only be defined when used in a ClusterSecretStore.
  2414. type: string
  2415. type:
  2416. description: The type of provider to use such as "Secret", or "ConfigMap".
  2417. enum:
  2418. - Secret
  2419. - ConfigMap
  2420. type: string
  2421. required:
  2422. - name
  2423. - type
  2424. type: object
  2425. required:
  2426. - akeylessGWApiURL
  2427. - authSecretRef
  2428. type: object
  2429. alibaba:
  2430. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  2431. properties:
  2432. auth:
  2433. description: AlibabaAuth contains a secretRef for credentials.
  2434. properties:
  2435. rrsa:
  2436. description: Authenticate against Alibaba using RRSA.
  2437. properties:
  2438. oidcProviderArn:
  2439. type: string
  2440. oidcTokenFilePath:
  2441. type: string
  2442. roleArn:
  2443. type: string
  2444. sessionName:
  2445. type: string
  2446. required:
  2447. - oidcProviderArn
  2448. - oidcTokenFilePath
  2449. - roleArn
  2450. - sessionName
  2451. type: object
  2452. secretRef:
  2453. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  2454. properties:
  2455. accessKeyIDSecretRef:
  2456. description: The AccessKeyID is used for authentication
  2457. properties:
  2458. key:
  2459. description: |-
  2460. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2461. defaulted, in others it may be required.
  2462. type: string
  2463. name:
  2464. description: The name of the Secret resource being referred to.
  2465. type: string
  2466. namespace:
  2467. description: |-
  2468. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2469. to the namespace of the referent.
  2470. type: string
  2471. type: object
  2472. accessKeySecretSecretRef:
  2473. description: The AccessKeySecret is used for authentication
  2474. properties:
  2475. key:
  2476. description: |-
  2477. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2478. defaulted, in others it may be required.
  2479. type: string
  2480. name:
  2481. description: The name of the Secret resource being referred to.
  2482. type: string
  2483. namespace:
  2484. description: |-
  2485. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2486. to the namespace of the referent.
  2487. type: string
  2488. type: object
  2489. required:
  2490. - accessKeyIDSecretRef
  2491. - accessKeySecretSecretRef
  2492. type: object
  2493. type: object
  2494. regionID:
  2495. description: Alibaba Region to be used for the provider
  2496. type: string
  2497. required:
  2498. - auth
  2499. - regionID
  2500. type: object
  2501. aws:
  2502. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2503. properties:
  2504. additionalRoles:
  2505. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2506. items:
  2507. type: string
  2508. type: array
  2509. auth:
  2510. description: |-
  2511. Auth defines the information necessary to authenticate against AWS
  2512. if not set aws sdk will infer credentials from your environment
  2513. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2514. properties:
  2515. jwt:
  2516. description: Authenticate against AWS using service account tokens.
  2517. properties:
  2518. serviceAccountRef:
  2519. description: A reference to a ServiceAccount resource.
  2520. properties:
  2521. audiences:
  2522. description: |-
  2523. Audience specifies the `aud` claim for the service account token
  2524. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2525. then this audiences will be appended to the list
  2526. items:
  2527. type: string
  2528. type: array
  2529. name:
  2530. description: The name of the ServiceAccount resource being referred to.
  2531. type: string
  2532. namespace:
  2533. description: |-
  2534. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2535. to the namespace of the referent.
  2536. type: string
  2537. required:
  2538. - name
  2539. type: object
  2540. type: object
  2541. secretRef:
  2542. description: |-
  2543. AWSAuthSecretRef holds secret references for AWS credentials
  2544. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2545. properties:
  2546. accessKeyIDSecretRef:
  2547. description: The AccessKeyID is used for authentication
  2548. properties:
  2549. key:
  2550. description: |-
  2551. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2552. defaulted, in others it may be required.
  2553. type: string
  2554. name:
  2555. description: The name of the Secret resource being referred to.
  2556. type: string
  2557. namespace:
  2558. description: |-
  2559. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2560. to the namespace of the referent.
  2561. type: string
  2562. type: object
  2563. secretAccessKeySecretRef:
  2564. description: The SecretAccessKey is used for authentication
  2565. properties:
  2566. key:
  2567. description: |-
  2568. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2569. defaulted, in others it may be required.
  2570. type: string
  2571. name:
  2572. description: The name of the Secret resource being referred to.
  2573. type: string
  2574. namespace:
  2575. description: |-
  2576. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2577. to the namespace of the referent.
  2578. type: string
  2579. type: object
  2580. sessionTokenSecretRef:
  2581. description: |-
  2582. The SessionToken used for authentication
  2583. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2584. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2585. properties:
  2586. key:
  2587. description: |-
  2588. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2589. defaulted, in others it may be required.
  2590. type: string
  2591. name:
  2592. description: The name of the Secret resource being referred to.
  2593. type: string
  2594. namespace:
  2595. description: |-
  2596. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2597. to the namespace of the referent.
  2598. type: string
  2599. type: object
  2600. type: object
  2601. type: object
  2602. externalID:
  2603. description: AWS External ID set on assumed IAM roles
  2604. type: string
  2605. region:
  2606. description: AWS Region to be used for the provider
  2607. type: string
  2608. role:
  2609. description: Role is a Role ARN which the provider will assume
  2610. type: string
  2611. secretsManager:
  2612. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2613. properties:
  2614. forceDeleteWithoutRecovery:
  2615. description: |-
  2616. Specifies whether to delete the secret without any recovery window. You
  2617. can't use both this parameter and RecoveryWindowInDays in the same call.
  2618. If you don't use either, then by default Secrets Manager uses a 30 day
  2619. recovery window.
  2620. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2621. type: boolean
  2622. recoveryWindowInDays:
  2623. description: |-
  2624. The number of days from 7 to 30 that Secrets Manager waits before
  2625. permanently deleting the secret. You can't use both this parameter and
  2626. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2627. then by default Secrets Manager uses a 30 day recovery window.
  2628. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2629. format: int64
  2630. type: integer
  2631. type: object
  2632. service:
  2633. description: Service defines which service should be used to fetch the secrets
  2634. enum:
  2635. - SecretsManager
  2636. - ParameterStore
  2637. type: string
  2638. sessionTags:
  2639. description: AWS STS assume role session tags
  2640. items:
  2641. properties:
  2642. key:
  2643. type: string
  2644. value:
  2645. type: string
  2646. required:
  2647. - key
  2648. - value
  2649. type: object
  2650. type: array
  2651. transitiveTagKeys:
  2652. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2653. items:
  2654. type: string
  2655. type: array
  2656. required:
  2657. - region
  2658. - service
  2659. type: object
  2660. azurekv:
  2661. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2662. properties:
  2663. authSecretRef:
  2664. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2665. properties:
  2666. clientCertificate:
  2667. description: The Azure ClientCertificate of the service principle used for authentication.
  2668. properties:
  2669. key:
  2670. description: |-
  2671. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2672. defaulted, in others it may be required.
  2673. type: string
  2674. name:
  2675. description: The name of the Secret resource being referred to.
  2676. type: string
  2677. namespace:
  2678. description: |-
  2679. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2680. to the namespace of the referent.
  2681. type: string
  2682. type: object
  2683. clientId:
  2684. description: The Azure clientId of the service principle or managed identity used for authentication.
  2685. properties:
  2686. key:
  2687. description: |-
  2688. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2689. defaulted, in others it may be required.
  2690. type: string
  2691. name:
  2692. description: The name of the Secret resource being referred to.
  2693. type: string
  2694. namespace:
  2695. description: |-
  2696. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2697. to the namespace of the referent.
  2698. type: string
  2699. type: object
  2700. clientSecret:
  2701. description: The Azure ClientSecret of the service principle used for authentication.
  2702. properties:
  2703. key:
  2704. description: |-
  2705. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2706. defaulted, in others it may be required.
  2707. type: string
  2708. name:
  2709. description: The name of the Secret resource being referred to.
  2710. type: string
  2711. namespace:
  2712. description: |-
  2713. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2714. to the namespace of the referent.
  2715. type: string
  2716. type: object
  2717. tenantId:
  2718. description: The Azure tenantId of the managed identity used for authentication.
  2719. properties:
  2720. key:
  2721. description: |-
  2722. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2723. defaulted, in others it may be required.
  2724. type: string
  2725. name:
  2726. description: The name of the Secret resource being referred to.
  2727. type: string
  2728. namespace:
  2729. description: |-
  2730. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2731. to the namespace of the referent.
  2732. type: string
  2733. type: object
  2734. type: object
  2735. authType:
  2736. default: ServicePrincipal
  2737. description: |-
  2738. Auth type defines how to authenticate to the keyvault service.
  2739. Valid values are:
  2740. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2741. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2742. enum:
  2743. - ServicePrincipal
  2744. - ManagedIdentity
  2745. - WorkloadIdentity
  2746. type: string
  2747. environmentType:
  2748. default: PublicCloud
  2749. description: |-
  2750. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2751. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2752. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2753. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  2754. enum:
  2755. - PublicCloud
  2756. - USGovernmentCloud
  2757. - ChinaCloud
  2758. - GermanCloud
  2759. type: string
  2760. identityId:
  2761. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2762. type: string
  2763. serviceAccountRef:
  2764. description: |-
  2765. ServiceAccountRef specified the service account
  2766. that should be used when authenticating with WorkloadIdentity.
  2767. properties:
  2768. audiences:
  2769. description: |-
  2770. Audience specifies the `aud` claim for the service account token
  2771. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2772. then this audiences will be appended to the list
  2773. items:
  2774. type: string
  2775. type: array
  2776. name:
  2777. description: The name of the ServiceAccount resource being referred to.
  2778. type: string
  2779. namespace:
  2780. description: |-
  2781. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2782. to the namespace of the referent.
  2783. type: string
  2784. required:
  2785. - name
  2786. type: object
  2787. tenantId:
  2788. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2789. type: string
  2790. vaultUrl:
  2791. description: Vault Url from which the secrets to be fetched from.
  2792. type: string
  2793. required:
  2794. - vaultUrl
  2795. type: object
  2796. chef:
  2797. description: Chef configures this store to sync secrets with chef server
  2798. properties:
  2799. auth:
  2800. description: Auth defines the information necessary to authenticate against chef Server
  2801. properties:
  2802. secretRef:
  2803. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  2804. properties:
  2805. privateKeySecretRef:
  2806. description: SecretKey is the Signing Key in PEM format, used for authentication.
  2807. properties:
  2808. key:
  2809. description: |-
  2810. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2811. defaulted, in others it may be required.
  2812. type: string
  2813. name:
  2814. description: The name of the Secret resource being referred to.
  2815. type: string
  2816. namespace:
  2817. description: |-
  2818. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2819. to the namespace of the referent.
  2820. type: string
  2821. type: object
  2822. required:
  2823. - privateKeySecretRef
  2824. type: object
  2825. required:
  2826. - secretRef
  2827. type: object
  2828. serverUrl:
  2829. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  2830. type: string
  2831. username:
  2832. description: UserName should be the user ID on the chef server
  2833. type: string
  2834. required:
  2835. - auth
  2836. - serverUrl
  2837. - username
  2838. type: object
  2839. conjur:
  2840. description: Conjur configures this store to sync secrets using conjur provider
  2841. properties:
  2842. auth:
  2843. properties:
  2844. apikey:
  2845. properties:
  2846. account:
  2847. type: string
  2848. apiKeyRef:
  2849. description: |-
  2850. A reference to a specific 'key' within a Secret resource,
  2851. In some instances, `key` is a required field.
  2852. properties:
  2853. key:
  2854. description: |-
  2855. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2856. defaulted, in others it may be required.
  2857. type: string
  2858. name:
  2859. description: The name of the Secret resource being referred to.
  2860. type: string
  2861. namespace:
  2862. description: |-
  2863. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2864. to the namespace of the referent.
  2865. type: string
  2866. type: object
  2867. userRef:
  2868. description: |-
  2869. A reference to a specific 'key' within a Secret resource,
  2870. In some instances, `key` is a required field.
  2871. properties:
  2872. key:
  2873. description: |-
  2874. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2875. defaulted, in others it may be required.
  2876. type: string
  2877. name:
  2878. description: The name of the Secret resource being referred to.
  2879. type: string
  2880. namespace:
  2881. description: |-
  2882. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2883. to the namespace of the referent.
  2884. type: string
  2885. type: object
  2886. required:
  2887. - account
  2888. - apiKeyRef
  2889. - userRef
  2890. type: object
  2891. jwt:
  2892. properties:
  2893. account:
  2894. type: string
  2895. hostId:
  2896. description: |-
  2897. Optional HostID for JWT authentication. This may be used depending
  2898. on how the Conjur JWT authenticator policy is configured.
  2899. type: string
  2900. secretRef:
  2901. description: |-
  2902. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  2903. authenticate with Conjur using the JWT authentication method.
  2904. properties:
  2905. key:
  2906. description: |-
  2907. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2908. defaulted, in others it may be required.
  2909. type: string
  2910. name:
  2911. description: The name of the Secret resource being referred to.
  2912. type: string
  2913. namespace:
  2914. description: |-
  2915. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2916. to the namespace of the referent.
  2917. type: string
  2918. type: object
  2919. serviceAccountRef:
  2920. description: |-
  2921. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  2922. a token for with the `TokenRequest` API.
  2923. properties:
  2924. audiences:
  2925. description: |-
  2926. Audience specifies the `aud` claim for the service account token
  2927. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2928. then this audiences will be appended to the list
  2929. items:
  2930. type: string
  2931. type: array
  2932. name:
  2933. description: The name of the ServiceAccount resource being referred to.
  2934. type: string
  2935. namespace:
  2936. description: |-
  2937. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2938. to the namespace of the referent.
  2939. type: string
  2940. required:
  2941. - name
  2942. type: object
  2943. serviceID:
  2944. description: The conjur authn jwt webservice id
  2945. type: string
  2946. required:
  2947. - account
  2948. - serviceID
  2949. type: object
  2950. type: object
  2951. caBundle:
  2952. type: string
  2953. caProvider:
  2954. description: |-
  2955. Used to provide custom certificate authority (CA) certificates
  2956. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  2957. that contains a PEM-encoded certificate.
  2958. properties:
  2959. key:
  2960. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2961. type: string
  2962. name:
  2963. description: The name of the object located at the provider type.
  2964. type: string
  2965. namespace:
  2966. description: |-
  2967. The namespace the Provider type is in.
  2968. Can only be defined when used in a ClusterSecretStore.
  2969. type: string
  2970. type:
  2971. description: The type of provider to use such as "Secret", or "ConfigMap".
  2972. enum:
  2973. - Secret
  2974. - ConfigMap
  2975. type: string
  2976. required:
  2977. - name
  2978. - type
  2979. type: object
  2980. url:
  2981. type: string
  2982. required:
  2983. - auth
  2984. - url
  2985. type: object
  2986. delinea:
  2987. description: |-
  2988. Delinea DevOps Secrets Vault
  2989. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  2990. properties:
  2991. clientId:
  2992. description: ClientID is the non-secret part of the credential.
  2993. properties:
  2994. secretRef:
  2995. description: SecretRef references a key in a secret that will be used as value.
  2996. properties:
  2997. key:
  2998. description: |-
  2999. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3000. defaulted, in others it may be required.
  3001. type: string
  3002. name:
  3003. description: The name of the Secret resource being referred to.
  3004. type: string
  3005. namespace:
  3006. description: |-
  3007. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3008. to the namespace of the referent.
  3009. type: string
  3010. type: object
  3011. value:
  3012. description: Value can be specified directly to set a value without using a secret.
  3013. type: string
  3014. type: object
  3015. clientSecret:
  3016. description: ClientSecret is the secret part of the credential.
  3017. properties:
  3018. secretRef:
  3019. description: SecretRef references a key in a secret that will be used as value.
  3020. properties:
  3021. key:
  3022. description: |-
  3023. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3024. defaulted, in others it may be required.
  3025. type: string
  3026. name:
  3027. description: The name of the Secret resource being referred to.
  3028. type: string
  3029. namespace:
  3030. description: |-
  3031. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3032. to the namespace of the referent.
  3033. type: string
  3034. type: object
  3035. value:
  3036. description: Value can be specified directly to set a value without using a secret.
  3037. type: string
  3038. type: object
  3039. tenant:
  3040. description: Tenant is the chosen hostname / site name.
  3041. type: string
  3042. tld:
  3043. description: |-
  3044. TLD is based on the server location that was chosen during provisioning.
  3045. If unset, defaults to "com".
  3046. type: string
  3047. urlTemplate:
  3048. description: |-
  3049. URLTemplate
  3050. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3051. type: string
  3052. required:
  3053. - clientId
  3054. - clientSecret
  3055. - tenant
  3056. type: object
  3057. device42:
  3058. description: Device42 configures this store to sync secrets using the Device42 provider
  3059. properties:
  3060. auth:
  3061. description: Auth configures how secret-manager authenticates with a Device42 instance.
  3062. properties:
  3063. secretRef:
  3064. properties:
  3065. credentials:
  3066. description: Username / Password is used for authentication.
  3067. properties:
  3068. key:
  3069. description: |-
  3070. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3071. defaulted, in others it may be required.
  3072. type: string
  3073. name:
  3074. description: The name of the Secret resource being referred to.
  3075. type: string
  3076. namespace:
  3077. description: |-
  3078. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3079. to the namespace of the referent.
  3080. type: string
  3081. type: object
  3082. type: object
  3083. required:
  3084. - secretRef
  3085. type: object
  3086. host:
  3087. description: URL configures the Device42 instance URL.
  3088. type: string
  3089. required:
  3090. - auth
  3091. - host
  3092. type: object
  3093. doppler:
  3094. description: Doppler configures this store to sync secrets using the Doppler provider
  3095. properties:
  3096. auth:
  3097. description: Auth configures how the Operator authenticates with the Doppler API
  3098. properties:
  3099. secretRef:
  3100. properties:
  3101. dopplerToken:
  3102. description: |-
  3103. The DopplerToken is used for authentication.
  3104. See https://docs.doppler.com/reference/api#authentication for auth token types.
  3105. The Key attribute defaults to dopplerToken if not specified.
  3106. properties:
  3107. key:
  3108. description: |-
  3109. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3110. defaulted, in others it may be required.
  3111. type: string
  3112. name:
  3113. description: The name of the Secret resource being referred to.
  3114. type: string
  3115. namespace:
  3116. description: |-
  3117. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3118. to the namespace of the referent.
  3119. type: string
  3120. type: object
  3121. required:
  3122. - dopplerToken
  3123. type: object
  3124. required:
  3125. - secretRef
  3126. type: object
  3127. config:
  3128. description: Doppler config (required if not using a Service Token)
  3129. type: string
  3130. format:
  3131. description: Format enables the downloading of secrets as a file (string)
  3132. enum:
  3133. - json
  3134. - dotnet-json
  3135. - env
  3136. - yaml
  3137. - docker
  3138. type: string
  3139. nameTransformer:
  3140. description: Environment variable compatible name transforms that change secret names to a different format
  3141. enum:
  3142. - upper-camel
  3143. - camel
  3144. - lower-snake
  3145. - tf-var
  3146. - dotnet-env
  3147. - lower-kebab
  3148. type: string
  3149. project:
  3150. description: Doppler project (required if not using a Service Token)
  3151. type: string
  3152. required:
  3153. - auth
  3154. type: object
  3155. fake:
  3156. description: Fake configures a store with static key/value pairs
  3157. properties:
  3158. data:
  3159. items:
  3160. properties:
  3161. key:
  3162. type: string
  3163. value:
  3164. type: string
  3165. valueMap:
  3166. additionalProperties:
  3167. type: string
  3168. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  3169. type: object
  3170. version:
  3171. type: string
  3172. required:
  3173. - key
  3174. type: object
  3175. type: array
  3176. required:
  3177. - data
  3178. type: object
  3179. fortanix:
  3180. description: Fortanix configures this store to sync secrets using the Fortanix provider
  3181. properties:
  3182. apiKey:
  3183. description: APIKey is the API token to access SDKMS Applications.
  3184. properties:
  3185. secretRef:
  3186. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  3187. properties:
  3188. key:
  3189. description: |-
  3190. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3191. defaulted, in others it may be required.
  3192. type: string
  3193. name:
  3194. description: The name of the Secret resource being referred to.
  3195. type: string
  3196. namespace:
  3197. description: |-
  3198. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3199. to the namespace of the referent.
  3200. type: string
  3201. type: object
  3202. type: object
  3203. apiUrl:
  3204. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  3205. type: string
  3206. type: object
  3207. gcpsm:
  3208. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3209. properties:
  3210. auth:
  3211. description: Auth defines the information necessary to authenticate against GCP
  3212. properties:
  3213. secretRef:
  3214. properties:
  3215. secretAccessKeySecretRef:
  3216. description: The SecretAccessKey is used for authentication
  3217. properties:
  3218. key:
  3219. description: |-
  3220. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3221. defaulted, in others it may be required.
  3222. type: string
  3223. name:
  3224. description: The name of the Secret resource being referred to.
  3225. type: string
  3226. namespace:
  3227. description: |-
  3228. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3229. to the namespace of the referent.
  3230. type: string
  3231. type: object
  3232. type: object
  3233. workloadIdentity:
  3234. properties:
  3235. clusterLocation:
  3236. type: string
  3237. clusterName:
  3238. type: string
  3239. clusterProjectID:
  3240. type: string
  3241. serviceAccountRef:
  3242. description: A reference to a ServiceAccount resource.
  3243. properties:
  3244. audiences:
  3245. description: |-
  3246. Audience specifies the `aud` claim for the service account token
  3247. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3248. then this audiences will be appended to the list
  3249. items:
  3250. type: string
  3251. type: array
  3252. name:
  3253. description: The name of the ServiceAccount resource being referred to.
  3254. type: string
  3255. namespace:
  3256. description: |-
  3257. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3258. to the namespace of the referent.
  3259. type: string
  3260. required:
  3261. - name
  3262. type: object
  3263. required:
  3264. - clusterLocation
  3265. - clusterName
  3266. - serviceAccountRef
  3267. type: object
  3268. type: object
  3269. location:
  3270. description: Location optionally defines a location for a secret
  3271. type: string
  3272. projectID:
  3273. description: ProjectID project where secret is located
  3274. type: string
  3275. type: object
  3276. gitlab:
  3277. description: GitLab configures this store to sync secrets using GitLab Variables provider
  3278. properties:
  3279. auth:
  3280. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3281. properties:
  3282. SecretRef:
  3283. properties:
  3284. accessToken:
  3285. description: AccessToken is used for authentication.
  3286. properties:
  3287. key:
  3288. description: |-
  3289. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3290. defaulted, in others it may be required.
  3291. type: string
  3292. name:
  3293. description: The name of the Secret resource being referred to.
  3294. type: string
  3295. namespace:
  3296. description: |-
  3297. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3298. to the namespace of the referent.
  3299. type: string
  3300. type: object
  3301. type: object
  3302. required:
  3303. - SecretRef
  3304. type: object
  3305. environment:
  3306. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  3307. type: string
  3308. groupIDs:
  3309. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  3310. items:
  3311. type: string
  3312. type: array
  3313. inheritFromGroups:
  3314. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  3315. type: boolean
  3316. projectID:
  3317. description: ProjectID specifies a project where secrets are located.
  3318. type: string
  3319. url:
  3320. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3321. type: string
  3322. required:
  3323. - auth
  3324. type: object
  3325. ibm:
  3326. description: IBM configures this store to sync secrets using IBM Cloud provider
  3327. properties:
  3328. auth:
  3329. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3330. maxProperties: 1
  3331. minProperties: 1
  3332. properties:
  3333. containerAuth:
  3334. description: IBM Container-based auth with IAM Trusted Profile.
  3335. properties:
  3336. iamEndpoint:
  3337. type: string
  3338. profile:
  3339. description: the IBM Trusted Profile
  3340. type: string
  3341. tokenLocation:
  3342. description: Location the token is mounted on the pod
  3343. type: string
  3344. required:
  3345. - profile
  3346. type: object
  3347. secretRef:
  3348. properties:
  3349. secretApiKeySecretRef:
  3350. description: The SecretAccessKey is used for authentication
  3351. properties:
  3352. key:
  3353. description: |-
  3354. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3355. defaulted, in others it may be required.
  3356. type: string
  3357. name:
  3358. description: The name of the Secret resource being referred to.
  3359. type: string
  3360. namespace:
  3361. description: |-
  3362. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3363. to the namespace of the referent.
  3364. type: string
  3365. type: object
  3366. type: object
  3367. type: object
  3368. serviceUrl:
  3369. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3370. type: string
  3371. required:
  3372. - auth
  3373. type: object
  3374. infisical:
  3375. description: Infisical configures this store to sync secrets using the Infisical provider
  3376. properties:
  3377. auth:
  3378. description: Auth configures how the Operator authenticates with the Infisical API
  3379. properties:
  3380. universalAuthCredentials:
  3381. properties:
  3382. clientId:
  3383. description: |-
  3384. A reference to a specific 'key' within a Secret resource,
  3385. In some instances, `key` is a required field.
  3386. properties:
  3387. key:
  3388. description: |-
  3389. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3390. defaulted, in others it may be required.
  3391. type: string
  3392. name:
  3393. description: The name of the Secret resource being referred to.
  3394. type: string
  3395. namespace:
  3396. description: |-
  3397. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3398. to the namespace of the referent.
  3399. type: string
  3400. type: object
  3401. clientSecret:
  3402. description: |-
  3403. A reference to a specific 'key' within a Secret resource,
  3404. In some instances, `key` is a required field.
  3405. properties:
  3406. key:
  3407. description: |-
  3408. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3409. defaulted, in others it may be required.
  3410. type: string
  3411. name:
  3412. description: The name of the Secret resource being referred to.
  3413. type: string
  3414. namespace:
  3415. description: |-
  3416. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3417. to the namespace of the referent.
  3418. type: string
  3419. type: object
  3420. required:
  3421. - clientId
  3422. - clientSecret
  3423. type: object
  3424. type: object
  3425. hostAPI:
  3426. default: https://app.infisical.com/api
  3427. type: string
  3428. secretsScope:
  3429. properties:
  3430. environmentSlug:
  3431. type: string
  3432. projectSlug:
  3433. type: string
  3434. secretsPath:
  3435. default: /
  3436. type: string
  3437. required:
  3438. - environmentSlug
  3439. - projectSlug
  3440. type: object
  3441. required:
  3442. - auth
  3443. - secretsScope
  3444. type: object
  3445. keepersecurity:
  3446. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  3447. properties:
  3448. authRef:
  3449. description: |-
  3450. A reference to a specific 'key' within a Secret resource,
  3451. In some instances, `key` is a required field.
  3452. properties:
  3453. key:
  3454. description: |-
  3455. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3456. defaulted, in others it may be required.
  3457. type: string
  3458. name:
  3459. description: The name of the Secret resource being referred to.
  3460. type: string
  3461. namespace:
  3462. description: |-
  3463. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3464. to the namespace of the referent.
  3465. type: string
  3466. type: object
  3467. folderID:
  3468. type: string
  3469. required:
  3470. - authRef
  3471. - folderID
  3472. type: object
  3473. kubernetes:
  3474. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3475. properties:
  3476. auth:
  3477. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3478. maxProperties: 1
  3479. minProperties: 1
  3480. properties:
  3481. cert:
  3482. description: has both clientCert and clientKey as secretKeySelector
  3483. properties:
  3484. clientCert:
  3485. description: |-
  3486. A reference to a specific 'key' within a Secret resource,
  3487. In some instances, `key` is a required field.
  3488. properties:
  3489. key:
  3490. description: |-
  3491. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3492. defaulted, in others it may be required.
  3493. type: string
  3494. name:
  3495. description: The name of the Secret resource being referred to.
  3496. type: string
  3497. namespace:
  3498. description: |-
  3499. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3500. to the namespace of the referent.
  3501. type: string
  3502. type: object
  3503. clientKey:
  3504. description: |-
  3505. A reference to a specific 'key' within a Secret resource,
  3506. In some instances, `key` is a required field.
  3507. properties:
  3508. key:
  3509. description: |-
  3510. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3511. defaulted, in others it may be required.
  3512. type: string
  3513. name:
  3514. description: The name of the Secret resource being referred to.
  3515. type: string
  3516. namespace:
  3517. description: |-
  3518. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3519. to the namespace of the referent.
  3520. type: string
  3521. type: object
  3522. type: object
  3523. serviceAccount:
  3524. description: points to a service account that should be used for authentication
  3525. properties:
  3526. audiences:
  3527. description: |-
  3528. Audience specifies the `aud` claim for the service account token
  3529. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3530. then this audiences will be appended to the list
  3531. items:
  3532. type: string
  3533. type: array
  3534. name:
  3535. description: The name of the ServiceAccount resource being referred to.
  3536. type: string
  3537. namespace:
  3538. description: |-
  3539. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3540. to the namespace of the referent.
  3541. type: string
  3542. required:
  3543. - name
  3544. type: object
  3545. token:
  3546. description: use static token to authenticate with
  3547. properties:
  3548. bearerToken:
  3549. description: |-
  3550. A reference to a specific 'key' within a Secret resource,
  3551. In some instances, `key` is a required field.
  3552. properties:
  3553. key:
  3554. description: |-
  3555. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3556. defaulted, in others it may be required.
  3557. type: string
  3558. name:
  3559. description: The name of the Secret resource being referred to.
  3560. type: string
  3561. namespace:
  3562. description: |-
  3563. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3564. to the namespace of the referent.
  3565. type: string
  3566. type: object
  3567. type: object
  3568. type: object
  3569. remoteNamespace:
  3570. default: default
  3571. description: Remote namespace to fetch the secrets from
  3572. type: string
  3573. server:
  3574. description: configures the Kubernetes server Address.
  3575. properties:
  3576. caBundle:
  3577. description: CABundle is a base64-encoded CA certificate
  3578. format: byte
  3579. type: string
  3580. caProvider:
  3581. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3582. properties:
  3583. key:
  3584. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3585. type: string
  3586. name:
  3587. description: The name of the object located at the provider type.
  3588. type: string
  3589. namespace:
  3590. description: |-
  3591. The namespace the Provider type is in.
  3592. Can only be defined when used in a ClusterSecretStore.
  3593. type: string
  3594. type:
  3595. description: The type of provider to use such as "Secret", or "ConfigMap".
  3596. enum:
  3597. - Secret
  3598. - ConfigMap
  3599. type: string
  3600. required:
  3601. - name
  3602. - type
  3603. type: object
  3604. url:
  3605. default: kubernetes.default
  3606. description: configures the Kubernetes server Address.
  3607. type: string
  3608. type: object
  3609. required:
  3610. - auth
  3611. type: object
  3612. onboardbase:
  3613. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  3614. properties:
  3615. apiHost:
  3616. default: https://public.onboardbase.com/api/v1/
  3617. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  3618. type: string
  3619. auth:
  3620. description: Auth configures how the Operator authenticates with the Onboardbase API
  3621. properties:
  3622. apiKeyRef:
  3623. description: |-
  3624. OnboardbaseAPIKey is the APIKey generated by an admin account.
  3625. It is used to recognize and authorize access to a project and environment within onboardbase
  3626. properties:
  3627. key:
  3628. description: |-
  3629. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3630. defaulted, in others it may be required.
  3631. type: string
  3632. name:
  3633. description: The name of the Secret resource being referred to.
  3634. type: string
  3635. namespace:
  3636. description: |-
  3637. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3638. to the namespace of the referent.
  3639. type: string
  3640. type: object
  3641. passcodeRef:
  3642. description: OnboardbasePasscode is the passcode attached to the API Key
  3643. properties:
  3644. key:
  3645. description: |-
  3646. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3647. defaulted, in others it may be required.
  3648. type: string
  3649. name:
  3650. description: The name of the Secret resource being referred to.
  3651. type: string
  3652. namespace:
  3653. description: |-
  3654. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3655. to the namespace of the referent.
  3656. type: string
  3657. type: object
  3658. required:
  3659. - apiKeyRef
  3660. - passcodeRef
  3661. type: object
  3662. environment:
  3663. default: development
  3664. description: Environment is the name of an environmnent within a project to pull the secrets from
  3665. type: string
  3666. project:
  3667. default: development
  3668. description: Project is an onboardbase project that the secrets should be pulled from
  3669. type: string
  3670. required:
  3671. - apiHost
  3672. - auth
  3673. - environment
  3674. - project
  3675. type: object
  3676. onepassword:
  3677. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  3678. properties:
  3679. auth:
  3680. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  3681. properties:
  3682. secretRef:
  3683. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  3684. properties:
  3685. connectTokenSecretRef:
  3686. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  3687. properties:
  3688. key:
  3689. description: |-
  3690. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3691. defaulted, in others it may be required.
  3692. type: string
  3693. name:
  3694. description: The name of the Secret resource being referred to.
  3695. type: string
  3696. namespace:
  3697. description: |-
  3698. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3699. to the namespace of the referent.
  3700. type: string
  3701. type: object
  3702. required:
  3703. - connectTokenSecretRef
  3704. type: object
  3705. required:
  3706. - secretRef
  3707. type: object
  3708. connectHost:
  3709. description: ConnectHost defines the OnePassword Connect Server to connect to
  3710. type: string
  3711. vaults:
  3712. additionalProperties:
  3713. type: integer
  3714. description: Vaults defines which OnePassword vaults to search in which order
  3715. type: object
  3716. required:
  3717. - auth
  3718. - connectHost
  3719. - vaults
  3720. type: object
  3721. oracle:
  3722. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3723. properties:
  3724. auth:
  3725. description: |-
  3726. Auth configures how secret-manager authenticates with the Oracle Vault.
  3727. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3728. properties:
  3729. secretRef:
  3730. description: SecretRef to pass through sensitive information.
  3731. properties:
  3732. fingerprint:
  3733. description: Fingerprint is the fingerprint of the API private key.
  3734. properties:
  3735. key:
  3736. description: |-
  3737. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3738. defaulted, in others it may be required.
  3739. type: string
  3740. name:
  3741. description: The name of the Secret resource being referred to.
  3742. type: string
  3743. namespace:
  3744. description: |-
  3745. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3746. to the namespace of the referent.
  3747. type: string
  3748. type: object
  3749. privatekey:
  3750. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3751. properties:
  3752. key:
  3753. description: |-
  3754. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3755. defaulted, in others it may be required.
  3756. type: string
  3757. name:
  3758. description: The name of the Secret resource being referred to.
  3759. type: string
  3760. namespace:
  3761. description: |-
  3762. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3763. to the namespace of the referent.
  3764. type: string
  3765. type: object
  3766. required:
  3767. - fingerprint
  3768. - privatekey
  3769. type: object
  3770. tenancy:
  3771. description: Tenancy is the tenancy OCID where user is located.
  3772. type: string
  3773. user:
  3774. description: User is an access OCID specific to the account.
  3775. type: string
  3776. required:
  3777. - secretRef
  3778. - tenancy
  3779. - user
  3780. type: object
  3781. compartment:
  3782. description: |-
  3783. Compartment is the vault compartment OCID.
  3784. Required for PushSecret
  3785. type: string
  3786. encryptionKey:
  3787. description: |-
  3788. EncryptionKey is the OCID of the encryption key within the vault.
  3789. Required for PushSecret
  3790. type: string
  3791. principalType:
  3792. description: |-
  3793. The type of principal to use for authentication. If left blank, the Auth struct will
  3794. determine the principal type. This optional field must be specified if using
  3795. workload identity.
  3796. enum:
  3797. - ""
  3798. - UserPrincipal
  3799. - InstancePrincipal
  3800. - Workload
  3801. type: string
  3802. region:
  3803. description: Region is the region where vault is located.
  3804. type: string
  3805. serviceAccountRef:
  3806. description: |-
  3807. ServiceAccountRef specified the service account
  3808. that should be used when authenticating with WorkloadIdentity.
  3809. properties:
  3810. audiences:
  3811. description: |-
  3812. Audience specifies the `aud` claim for the service account token
  3813. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3814. then this audiences will be appended to the list
  3815. items:
  3816. type: string
  3817. type: array
  3818. name:
  3819. description: The name of the ServiceAccount resource being referred to.
  3820. type: string
  3821. namespace:
  3822. description: |-
  3823. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3824. to the namespace of the referent.
  3825. type: string
  3826. required:
  3827. - name
  3828. type: object
  3829. vault:
  3830. description: Vault is the vault's OCID of the specific vault where secret is located.
  3831. type: string
  3832. required:
  3833. - region
  3834. - vault
  3835. type: object
  3836. passbolt:
  3837. properties:
  3838. auth:
  3839. description: Auth defines the information necessary to authenticate against Passbolt Server
  3840. properties:
  3841. passwordSecretRef:
  3842. description: |-
  3843. A reference to a specific 'key' within a Secret resource,
  3844. In some instances, `key` is a required field.
  3845. properties:
  3846. key:
  3847. description: |-
  3848. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3849. defaulted, in others it may be required.
  3850. type: string
  3851. name:
  3852. description: The name of the Secret resource being referred to.
  3853. type: string
  3854. namespace:
  3855. description: |-
  3856. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3857. to the namespace of the referent.
  3858. type: string
  3859. type: object
  3860. privateKeySecretRef:
  3861. description: |-
  3862. A reference to a specific 'key' within a Secret resource,
  3863. In some instances, `key` is a required field.
  3864. properties:
  3865. key:
  3866. description: |-
  3867. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3868. defaulted, in others it may be required.
  3869. type: string
  3870. name:
  3871. description: The name of the Secret resource being referred to.
  3872. type: string
  3873. namespace:
  3874. description: |-
  3875. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3876. to the namespace of the referent.
  3877. type: string
  3878. type: object
  3879. required:
  3880. - passwordSecretRef
  3881. - privateKeySecretRef
  3882. type: object
  3883. host:
  3884. description: Host defines the Passbolt Server to connect to
  3885. type: string
  3886. required:
  3887. - auth
  3888. - host
  3889. type: object
  3890. passworddepot:
  3891. description: Configures a store to sync secrets with a Password Depot instance.
  3892. properties:
  3893. auth:
  3894. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  3895. properties:
  3896. secretRef:
  3897. properties:
  3898. credentials:
  3899. description: Username / Password is used for authentication.
  3900. properties:
  3901. key:
  3902. description: |-
  3903. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3904. defaulted, in others it may be required.
  3905. type: string
  3906. name:
  3907. description: The name of the Secret resource being referred to.
  3908. type: string
  3909. namespace:
  3910. description: |-
  3911. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3912. to the namespace of the referent.
  3913. type: string
  3914. type: object
  3915. type: object
  3916. required:
  3917. - secretRef
  3918. type: object
  3919. database:
  3920. description: Database to use as source
  3921. type: string
  3922. host:
  3923. description: URL configures the Password Depot instance URL.
  3924. type: string
  3925. required:
  3926. - auth
  3927. - database
  3928. - host
  3929. type: object
  3930. pulumi:
  3931. description: Pulumi configures this store to sync secrets using the Pulumi provider
  3932. properties:
  3933. accessToken:
  3934. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  3935. properties:
  3936. secretRef:
  3937. description: SecretRef is a reference to a secret containing the Pulumi API token.
  3938. properties:
  3939. key:
  3940. description: |-
  3941. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3942. defaulted, in others it may be required.
  3943. type: string
  3944. name:
  3945. description: The name of the Secret resource being referred to.
  3946. type: string
  3947. namespace:
  3948. description: |-
  3949. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3950. to the namespace of the referent.
  3951. type: string
  3952. type: object
  3953. type: object
  3954. apiUrl:
  3955. default: https://api.pulumi.com
  3956. description: APIURL is the URL of the Pulumi API.
  3957. type: string
  3958. environment:
  3959. description: |-
  3960. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  3961. dynamically retrieved values from supported providers including all major clouds,
  3962. and other Pulumi ESC environments.
  3963. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  3964. type: string
  3965. organization:
  3966. description: |-
  3967. Organization are a space to collaborate on shared projects and stacks.
  3968. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  3969. type: string
  3970. required:
  3971. - accessToken
  3972. - environment
  3973. - organization
  3974. type: object
  3975. scaleway:
  3976. description: Scaleway
  3977. properties:
  3978. accessKey:
  3979. description: AccessKey is the non-secret part of the api key.
  3980. properties:
  3981. secretRef:
  3982. description: SecretRef references a key in a secret that will be used as value.
  3983. properties:
  3984. key:
  3985. description: |-
  3986. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3987. defaulted, in others it may be required.
  3988. type: string
  3989. name:
  3990. description: The name of the Secret resource being referred to.
  3991. type: string
  3992. namespace:
  3993. description: |-
  3994. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3995. to the namespace of the referent.
  3996. type: string
  3997. type: object
  3998. value:
  3999. description: Value can be specified directly to set a value without using a secret.
  4000. type: string
  4001. type: object
  4002. apiUrl:
  4003. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  4004. type: string
  4005. projectId:
  4006. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  4007. type: string
  4008. region:
  4009. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  4010. type: string
  4011. secretKey:
  4012. description: SecretKey is the non-secret part of the api key.
  4013. properties:
  4014. secretRef:
  4015. description: SecretRef references a key in a secret that will be used as value.
  4016. properties:
  4017. key:
  4018. description: |-
  4019. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4020. defaulted, in others it may be required.
  4021. type: string
  4022. name:
  4023. description: The name of the Secret resource being referred to.
  4024. type: string
  4025. namespace:
  4026. description: |-
  4027. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4028. to the namespace of the referent.
  4029. type: string
  4030. type: object
  4031. value:
  4032. description: Value can be specified directly to set a value without using a secret.
  4033. type: string
  4034. type: object
  4035. required:
  4036. - accessKey
  4037. - projectId
  4038. - region
  4039. - secretKey
  4040. type: object
  4041. secretserver:
  4042. description: |-
  4043. SecretServer configures this store to sync secrets using SecretServer provider
  4044. https://docs.delinea.com/online-help/secret-server/start.htm
  4045. properties:
  4046. password:
  4047. description: Password is the secret server account password.
  4048. properties:
  4049. secretRef:
  4050. description: SecretRef references a key in a secret that will be used as value.
  4051. properties:
  4052. key:
  4053. description: |-
  4054. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4055. defaulted, in others it may be required.
  4056. type: string
  4057. name:
  4058. description: The name of the Secret resource being referred to.
  4059. type: string
  4060. namespace:
  4061. description: |-
  4062. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4063. to the namespace of the referent.
  4064. type: string
  4065. type: object
  4066. value:
  4067. description: Value can be specified directly to set a value without using a secret.
  4068. type: string
  4069. type: object
  4070. serverURL:
  4071. description: |-
  4072. ServerURL
  4073. URL to your secret server installation
  4074. type: string
  4075. username:
  4076. description: Username is the secret server account username.
  4077. properties:
  4078. secretRef:
  4079. description: SecretRef references a key in a secret that will be used as value.
  4080. properties:
  4081. key:
  4082. description: |-
  4083. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4084. defaulted, in others it may be required.
  4085. type: string
  4086. name:
  4087. description: The name of the Secret resource being referred to.
  4088. type: string
  4089. namespace:
  4090. description: |-
  4091. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4092. to the namespace of the referent.
  4093. type: string
  4094. type: object
  4095. value:
  4096. description: Value can be specified directly to set a value without using a secret.
  4097. type: string
  4098. type: object
  4099. required:
  4100. - password
  4101. - serverURL
  4102. - username
  4103. type: object
  4104. senhasegura:
  4105. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4106. properties:
  4107. auth:
  4108. description: Auth defines parameters to authenticate in senhasegura
  4109. properties:
  4110. clientId:
  4111. type: string
  4112. clientSecretSecretRef:
  4113. description: |-
  4114. A reference to a specific 'key' within a Secret resource,
  4115. In some instances, `key` is a required field.
  4116. properties:
  4117. key:
  4118. description: |-
  4119. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4120. defaulted, in others it may be required.
  4121. type: string
  4122. name:
  4123. description: The name of the Secret resource being referred to.
  4124. type: string
  4125. namespace:
  4126. description: |-
  4127. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4128. to the namespace of the referent.
  4129. type: string
  4130. type: object
  4131. required:
  4132. - clientId
  4133. - clientSecretSecretRef
  4134. type: object
  4135. ignoreSslCertificate:
  4136. default: false
  4137. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  4138. type: boolean
  4139. module:
  4140. description: Module defines which senhasegura module should be used to get secrets
  4141. type: string
  4142. url:
  4143. description: URL of senhasegura
  4144. type: string
  4145. required:
  4146. - auth
  4147. - module
  4148. - url
  4149. type: object
  4150. vault:
  4151. description: Vault configures this store to sync secrets using Hashi provider
  4152. properties:
  4153. auth:
  4154. description: Auth configures how secret-manager authenticates with the Vault server.
  4155. properties:
  4156. appRole:
  4157. description: |-
  4158. AppRole authenticates with Vault using the App Role auth mechanism,
  4159. with the role and secret stored in a Kubernetes Secret resource.
  4160. properties:
  4161. path:
  4162. default: approle
  4163. description: |-
  4164. Path where the App Role authentication backend is mounted
  4165. in Vault, e.g: "approle"
  4166. type: string
  4167. roleId:
  4168. description: |-
  4169. RoleID configured in the App Role authentication backend when setting
  4170. up the authentication backend in Vault.
  4171. type: string
  4172. roleRef:
  4173. description: |-
  4174. Reference to a key in a Secret that contains the App Role ID used
  4175. to authenticate with Vault.
  4176. The `key` field must be specified and denotes which entry within the Secret
  4177. resource is used as the app role id.
  4178. properties:
  4179. key:
  4180. description: |-
  4181. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4182. defaulted, in others it may be required.
  4183. type: string
  4184. name:
  4185. description: The name of the Secret resource being referred to.
  4186. type: string
  4187. namespace:
  4188. description: |-
  4189. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4190. to the namespace of the referent.
  4191. type: string
  4192. type: object
  4193. secretRef:
  4194. description: |-
  4195. Reference to a key in a Secret that contains the App Role secret used
  4196. to authenticate with Vault.
  4197. The `key` field must be specified and denotes which entry within the Secret
  4198. resource is used as the app role secret.
  4199. properties:
  4200. key:
  4201. description: |-
  4202. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4203. defaulted, in others it may be required.
  4204. type: string
  4205. name:
  4206. description: The name of the Secret resource being referred to.
  4207. type: string
  4208. namespace:
  4209. description: |-
  4210. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4211. to the namespace of the referent.
  4212. type: string
  4213. type: object
  4214. required:
  4215. - path
  4216. - secretRef
  4217. type: object
  4218. cert:
  4219. description: |-
  4220. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  4221. Cert authentication method
  4222. properties:
  4223. clientCert:
  4224. description: |-
  4225. ClientCert is a certificate to authenticate using the Cert Vault
  4226. authentication method
  4227. properties:
  4228. key:
  4229. description: |-
  4230. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4231. defaulted, in others it may be required.
  4232. type: string
  4233. name:
  4234. description: The name of the Secret resource being referred to.
  4235. type: string
  4236. namespace:
  4237. description: |-
  4238. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4239. to the namespace of the referent.
  4240. type: string
  4241. type: object
  4242. secretRef:
  4243. description: |-
  4244. SecretRef to a key in a Secret resource containing client private key to
  4245. authenticate with Vault using the Cert authentication method
  4246. properties:
  4247. key:
  4248. description: |-
  4249. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4250. defaulted, in others it may be required.
  4251. type: string
  4252. name:
  4253. description: The name of the Secret resource being referred to.
  4254. type: string
  4255. namespace:
  4256. description: |-
  4257. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4258. to the namespace of the referent.
  4259. type: string
  4260. type: object
  4261. type: object
  4262. iam:
  4263. description: |-
  4264. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  4265. AWS IAM authentication method
  4266. properties:
  4267. externalID:
  4268. description: AWS External ID set on assumed IAM roles
  4269. type: string
  4270. jwt:
  4271. description: Specify a service account with IRSA enabled
  4272. properties:
  4273. serviceAccountRef:
  4274. description: A reference to a ServiceAccount resource.
  4275. properties:
  4276. audiences:
  4277. description: |-
  4278. Audience specifies the `aud` claim for the service account token
  4279. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4280. then this audiences will be appended to the list
  4281. items:
  4282. type: string
  4283. type: array
  4284. name:
  4285. description: The name of the ServiceAccount resource being referred to.
  4286. type: string
  4287. namespace:
  4288. description: |-
  4289. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4290. to the namespace of the referent.
  4291. type: string
  4292. required:
  4293. - name
  4294. type: object
  4295. type: object
  4296. path:
  4297. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  4298. type: string
  4299. region:
  4300. description: AWS region
  4301. type: string
  4302. role:
  4303. description: This is the AWS role to be assumed before talking to vault
  4304. type: string
  4305. secretRef:
  4306. description: Specify credentials in a Secret object
  4307. properties:
  4308. accessKeyIDSecretRef:
  4309. description: The AccessKeyID is used for authentication
  4310. properties:
  4311. key:
  4312. description: |-
  4313. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4314. defaulted, in others it may be required.
  4315. type: string
  4316. name:
  4317. description: The name of the Secret resource being referred to.
  4318. type: string
  4319. namespace:
  4320. description: |-
  4321. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4322. to the namespace of the referent.
  4323. type: string
  4324. type: object
  4325. secretAccessKeySecretRef:
  4326. description: The SecretAccessKey is used for authentication
  4327. properties:
  4328. key:
  4329. description: |-
  4330. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4331. defaulted, in others it may be required.
  4332. type: string
  4333. name:
  4334. description: The name of the Secret resource being referred to.
  4335. type: string
  4336. namespace:
  4337. description: |-
  4338. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4339. to the namespace of the referent.
  4340. type: string
  4341. type: object
  4342. sessionTokenSecretRef:
  4343. description: |-
  4344. The SessionToken used for authentication
  4345. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  4346. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  4347. properties:
  4348. key:
  4349. description: |-
  4350. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4351. defaulted, in others it may be required.
  4352. type: string
  4353. name:
  4354. description: The name of the Secret resource being referred to.
  4355. type: string
  4356. namespace:
  4357. description: |-
  4358. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4359. to the namespace of the referent.
  4360. type: string
  4361. type: object
  4362. type: object
  4363. vaultAwsIamServerID:
  4364. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  4365. type: string
  4366. vaultRole:
  4367. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  4368. type: string
  4369. required:
  4370. - vaultRole
  4371. type: object
  4372. jwt:
  4373. description: |-
  4374. Jwt authenticates with Vault by passing role and JWT token using the
  4375. JWT/OIDC authentication method
  4376. properties:
  4377. kubernetesServiceAccountToken:
  4378. description: |-
  4379. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  4380. a token for with the `TokenRequest` API.
  4381. properties:
  4382. audiences:
  4383. description: |-
  4384. Optional audiences field that will be used to request a temporary Kubernetes service
  4385. account token for the service account referenced by `serviceAccountRef`.
  4386. Defaults to a single audience `vault` it not specified.
  4387. Deprecated: use serviceAccountRef.Audiences instead
  4388. items:
  4389. type: string
  4390. type: array
  4391. expirationSeconds:
  4392. description: |-
  4393. Optional expiration time in seconds that will be used to request a temporary
  4394. Kubernetes service account token for the service account referenced by
  4395. `serviceAccountRef`.
  4396. Deprecated: this will be removed in the future.
  4397. Defaults to 10 minutes.
  4398. format: int64
  4399. type: integer
  4400. serviceAccountRef:
  4401. description: Service account field containing the name of a kubernetes ServiceAccount.
  4402. properties:
  4403. audiences:
  4404. description: |-
  4405. Audience specifies the `aud` claim for the service account token
  4406. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4407. then this audiences will be appended to the list
  4408. items:
  4409. type: string
  4410. type: array
  4411. name:
  4412. description: The name of the ServiceAccount resource being referred to.
  4413. type: string
  4414. namespace:
  4415. description: |-
  4416. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4417. to the namespace of the referent.
  4418. type: string
  4419. required:
  4420. - name
  4421. type: object
  4422. required:
  4423. - serviceAccountRef
  4424. type: object
  4425. path:
  4426. default: jwt
  4427. description: |-
  4428. Path where the JWT authentication backend is mounted
  4429. in Vault, e.g: "jwt"
  4430. type: string
  4431. role:
  4432. description: |-
  4433. Role is a JWT role to authenticate using the JWT/OIDC Vault
  4434. authentication method
  4435. type: string
  4436. secretRef:
  4437. description: |-
  4438. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  4439. authenticate with Vault using the JWT/OIDC authentication method.
  4440. properties:
  4441. key:
  4442. description: |-
  4443. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4444. defaulted, in others it may be required.
  4445. type: string
  4446. name:
  4447. description: The name of the Secret resource being referred to.
  4448. type: string
  4449. namespace:
  4450. description: |-
  4451. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4452. to the namespace of the referent.
  4453. type: string
  4454. type: object
  4455. required:
  4456. - path
  4457. type: object
  4458. kubernetes:
  4459. description: |-
  4460. Kubernetes authenticates with Vault by passing the ServiceAccount
  4461. token stored in the named Secret resource to the Vault server.
  4462. properties:
  4463. mountPath:
  4464. default: kubernetes
  4465. description: |-
  4466. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  4467. "kubernetes"
  4468. type: string
  4469. role:
  4470. description: |-
  4471. A required field containing the Vault Role to assume. A Role binds a
  4472. Kubernetes ServiceAccount with a set of Vault policies.
  4473. type: string
  4474. secretRef:
  4475. description: |-
  4476. Optional secret field containing a Kubernetes ServiceAccount JWT used
  4477. for authenticating with Vault. If a name is specified without a key,
  4478. `token` is the default. If one is not specified, the one bound to
  4479. the controller will be used.
  4480. properties:
  4481. key:
  4482. description: |-
  4483. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4484. defaulted, in others it may be required.
  4485. type: string
  4486. name:
  4487. description: The name of the Secret resource being referred to.
  4488. type: string
  4489. namespace:
  4490. description: |-
  4491. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4492. to the namespace of the referent.
  4493. type: string
  4494. type: object
  4495. serviceAccountRef:
  4496. description: |-
  4497. Optional service account field containing the name of a kubernetes ServiceAccount.
  4498. If the service account is specified, the service account secret token JWT will be used
  4499. for authenticating with Vault. If the service account selector is not supplied,
  4500. the secretRef will be used instead.
  4501. properties:
  4502. audiences:
  4503. description: |-
  4504. Audience specifies the `aud` claim for the service account token
  4505. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4506. then this audiences will be appended to the list
  4507. items:
  4508. type: string
  4509. type: array
  4510. name:
  4511. description: The name of the ServiceAccount resource being referred to.
  4512. type: string
  4513. namespace:
  4514. description: |-
  4515. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4516. to the namespace of the referent.
  4517. type: string
  4518. required:
  4519. - name
  4520. type: object
  4521. required:
  4522. - mountPath
  4523. - role
  4524. type: object
  4525. ldap:
  4526. description: |-
  4527. Ldap authenticates with Vault by passing username/password pair using
  4528. the LDAP authentication method
  4529. properties:
  4530. path:
  4531. default: ldap
  4532. description: |-
  4533. Path where the LDAP authentication backend is mounted
  4534. in Vault, e.g: "ldap"
  4535. type: string
  4536. secretRef:
  4537. description: |-
  4538. SecretRef to a key in a Secret resource containing password for the LDAP
  4539. user used to authenticate with Vault using the LDAP authentication
  4540. method
  4541. properties:
  4542. key:
  4543. description: |-
  4544. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4545. defaulted, in others it may be required.
  4546. type: string
  4547. name:
  4548. description: The name of the Secret resource being referred to.
  4549. type: string
  4550. namespace:
  4551. description: |-
  4552. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4553. to the namespace of the referent.
  4554. type: string
  4555. type: object
  4556. username:
  4557. description: |-
  4558. Username is a LDAP user name used to authenticate using the LDAP Vault
  4559. authentication method
  4560. type: string
  4561. required:
  4562. - path
  4563. - username
  4564. type: object
  4565. namespace:
  4566. description: |-
  4567. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  4568. Namespaces is a set of features within Vault Enterprise that allows
  4569. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4570. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4571. This will default to Vault.Namespace field if set, or empty otherwise
  4572. type: string
  4573. tokenSecretRef:
  4574. description: TokenSecretRef authenticates with Vault by presenting a token.
  4575. properties:
  4576. key:
  4577. description: |-
  4578. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4579. defaulted, in others it may be required.
  4580. type: string
  4581. name:
  4582. description: The name of the Secret resource being referred to.
  4583. type: string
  4584. namespace:
  4585. description: |-
  4586. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4587. to the namespace of the referent.
  4588. type: string
  4589. type: object
  4590. userPass:
  4591. description: UserPass authenticates with Vault by passing username/password pair
  4592. properties:
  4593. path:
  4594. default: user
  4595. description: |-
  4596. Path where the UserPassword authentication backend is mounted
  4597. in Vault, e.g: "user"
  4598. type: string
  4599. secretRef:
  4600. description: |-
  4601. SecretRef to a key in a Secret resource containing password for the
  4602. user used to authenticate with Vault using the UserPass authentication
  4603. method
  4604. properties:
  4605. key:
  4606. description: |-
  4607. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4608. defaulted, in others it may be required.
  4609. type: string
  4610. name:
  4611. description: The name of the Secret resource being referred to.
  4612. type: string
  4613. namespace:
  4614. description: |-
  4615. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4616. to the namespace of the referent.
  4617. type: string
  4618. type: object
  4619. username:
  4620. description: |-
  4621. Username is a user name used to authenticate using the UserPass Vault
  4622. authentication method
  4623. type: string
  4624. required:
  4625. - path
  4626. - username
  4627. type: object
  4628. type: object
  4629. caBundle:
  4630. description: |-
  4631. PEM encoded CA bundle used to validate Vault server certificate. Only used
  4632. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4633. plain HTTP protocol connection. If not set the system root certificates
  4634. are used to validate the TLS connection.
  4635. format: byte
  4636. type: string
  4637. caProvider:
  4638. description: The provider for the CA bundle to use to validate Vault server certificate.
  4639. properties:
  4640. key:
  4641. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4642. type: string
  4643. name:
  4644. description: The name of the object located at the provider type.
  4645. type: string
  4646. namespace:
  4647. description: |-
  4648. The namespace the Provider type is in.
  4649. Can only be defined when used in a ClusterSecretStore.
  4650. type: string
  4651. type:
  4652. description: The type of provider to use such as "Secret", or "ConfigMap".
  4653. enum:
  4654. - Secret
  4655. - ConfigMap
  4656. type: string
  4657. required:
  4658. - name
  4659. - type
  4660. type: object
  4661. forwardInconsistent:
  4662. description: |-
  4663. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  4664. leader instead of simply retrying within a loop. This can increase performance if
  4665. the option is enabled serverside.
  4666. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4667. type: boolean
  4668. namespace:
  4669. description: |-
  4670. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  4671. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4672. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4673. type: string
  4674. path:
  4675. description: |-
  4676. Path is the mount path of the Vault KV backend endpoint, e.g:
  4677. "secret". The v2 KV secret engine version specific "/data" path suffix
  4678. for fetching secrets from Vault is optional and will be appended
  4679. if not present in specified path.
  4680. type: string
  4681. readYourWrites:
  4682. description: |-
  4683. ReadYourWrites ensures isolated read-after-write semantics by
  4684. providing discovered cluster replication states in each request.
  4685. More information about eventual consistency in Vault can be found here
  4686. https://www.vaultproject.io/docs/enterprise/consistency
  4687. type: boolean
  4688. server:
  4689. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4690. type: string
  4691. tls:
  4692. description: |-
  4693. The configuration used for client side related TLS communication, when the Vault server
  4694. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  4695. This parameter is ignored for plain HTTP protocol connection.
  4696. It's worth noting this configuration is different from the "TLS certificates auth method",
  4697. which is available under the `auth.cert` section.
  4698. properties:
  4699. certSecretRef:
  4700. description: |-
  4701. CertSecretRef is a certificate added to the transport layer
  4702. when communicating with the Vault server.
  4703. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  4704. properties:
  4705. key:
  4706. description: |-
  4707. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4708. defaulted, in others it may be required.
  4709. type: string
  4710. name:
  4711. description: The name of the Secret resource being referred to.
  4712. type: string
  4713. namespace:
  4714. description: |-
  4715. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4716. to the namespace of the referent.
  4717. type: string
  4718. type: object
  4719. keySecretRef:
  4720. description: |-
  4721. KeySecretRef to a key in a Secret resource containing client private key
  4722. added to the transport layer when communicating with the Vault server.
  4723. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  4724. properties:
  4725. key:
  4726. description: |-
  4727. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4728. defaulted, in others it may be required.
  4729. type: string
  4730. name:
  4731. description: The name of the Secret resource being referred to.
  4732. type: string
  4733. namespace:
  4734. description: |-
  4735. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4736. to the namespace of the referent.
  4737. type: string
  4738. type: object
  4739. type: object
  4740. version:
  4741. default: v2
  4742. description: |-
  4743. Version is the Vault KV secret engine version. This can be either "v1" or
  4744. "v2". Version defaults to "v2".
  4745. enum:
  4746. - v1
  4747. - v2
  4748. type: string
  4749. required:
  4750. - auth
  4751. - server
  4752. type: object
  4753. webhook:
  4754. description: Webhook configures this store to sync secrets using a generic templated webhook
  4755. properties:
  4756. body:
  4757. description: Body
  4758. type: string
  4759. caBundle:
  4760. description: |-
  4761. PEM encoded CA bundle used to validate webhook server certificate. Only used
  4762. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4763. plain HTTP protocol connection. If not set the system root certificates
  4764. are used to validate the TLS connection.
  4765. format: byte
  4766. type: string
  4767. caProvider:
  4768. description: The provider for the CA bundle to use to validate webhook server certificate.
  4769. properties:
  4770. key:
  4771. description: The key the value inside of the provider type to use, only used with "Secret" type
  4772. type: string
  4773. name:
  4774. description: The name of the object located at the provider type.
  4775. type: string
  4776. namespace:
  4777. description: The namespace the Provider type is in.
  4778. type: string
  4779. type:
  4780. description: The type of provider to use such as "Secret", or "ConfigMap".
  4781. enum:
  4782. - Secret
  4783. - ConfigMap
  4784. type: string
  4785. required:
  4786. - name
  4787. - type
  4788. type: object
  4789. headers:
  4790. additionalProperties:
  4791. type: string
  4792. description: Headers
  4793. type: object
  4794. method:
  4795. description: Webhook Method
  4796. type: string
  4797. result:
  4798. description: Result formatting
  4799. properties:
  4800. jsonPath:
  4801. description: Json path of return value
  4802. type: string
  4803. type: object
  4804. secrets:
  4805. description: |-
  4806. Secrets to fill in templates
  4807. These secrets will be passed to the templating function as key value pairs under the given name
  4808. items:
  4809. properties:
  4810. name:
  4811. description: Name of this secret in templates
  4812. type: string
  4813. secretRef:
  4814. description: Secret ref to fill in credentials
  4815. properties:
  4816. key:
  4817. description: |-
  4818. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4819. defaulted, in others it may be required.
  4820. type: string
  4821. name:
  4822. description: The name of the Secret resource being referred to.
  4823. type: string
  4824. namespace:
  4825. description: |-
  4826. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4827. to the namespace of the referent.
  4828. type: string
  4829. type: object
  4830. required:
  4831. - name
  4832. - secretRef
  4833. type: object
  4834. type: array
  4835. timeout:
  4836. description: Timeout
  4837. type: string
  4838. url:
  4839. description: Webhook url to call
  4840. type: string
  4841. required:
  4842. - result
  4843. - url
  4844. type: object
  4845. yandexcertificatemanager:
  4846. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  4847. properties:
  4848. apiEndpoint:
  4849. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4850. type: string
  4851. auth:
  4852. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  4853. properties:
  4854. authorizedKeySecretRef:
  4855. description: The authorized key used for authentication
  4856. properties:
  4857. key:
  4858. description: |-
  4859. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4860. defaulted, in others it may be required.
  4861. type: string
  4862. name:
  4863. description: The name of the Secret resource being referred to.
  4864. type: string
  4865. namespace:
  4866. description: |-
  4867. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4868. to the namespace of the referent.
  4869. type: string
  4870. type: object
  4871. type: object
  4872. caProvider:
  4873. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4874. properties:
  4875. certSecretRef:
  4876. description: |-
  4877. A reference to a specific 'key' within a Secret resource,
  4878. In some instances, `key` is a required field.
  4879. properties:
  4880. key:
  4881. description: |-
  4882. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4883. defaulted, in others it may be required.
  4884. type: string
  4885. name:
  4886. description: The name of the Secret resource being referred to.
  4887. type: string
  4888. namespace:
  4889. description: |-
  4890. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4891. to the namespace of the referent.
  4892. type: string
  4893. type: object
  4894. type: object
  4895. required:
  4896. - auth
  4897. type: object
  4898. yandexlockbox:
  4899. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4900. properties:
  4901. apiEndpoint:
  4902. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4903. type: string
  4904. auth:
  4905. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4906. properties:
  4907. authorizedKeySecretRef:
  4908. description: The authorized key used for authentication
  4909. properties:
  4910. key:
  4911. description: |-
  4912. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4913. defaulted, in others it may be required.
  4914. type: string
  4915. name:
  4916. description: The name of the Secret resource being referred to.
  4917. type: string
  4918. namespace:
  4919. description: |-
  4920. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4921. to the namespace of the referent.
  4922. type: string
  4923. type: object
  4924. type: object
  4925. caProvider:
  4926. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4927. properties:
  4928. certSecretRef:
  4929. description: |-
  4930. A reference to a specific 'key' within a Secret resource,
  4931. In some instances, `key` is a required field.
  4932. properties:
  4933. key:
  4934. description: |-
  4935. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4936. defaulted, in others it may be required.
  4937. type: string
  4938. name:
  4939. description: The name of the Secret resource being referred to.
  4940. type: string
  4941. namespace:
  4942. description: |-
  4943. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4944. to the namespace of the referent.
  4945. type: string
  4946. type: object
  4947. type: object
  4948. required:
  4949. - auth
  4950. type: object
  4951. type: object
  4952. refreshInterval:
  4953. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  4954. type: integer
  4955. retrySettings:
  4956. description: Used to configure http retries if failed
  4957. properties:
  4958. maxRetries:
  4959. format: int32
  4960. type: integer
  4961. retryInterval:
  4962. type: string
  4963. type: object
  4964. required:
  4965. - provider
  4966. type: object
  4967. status:
  4968. description: SecretStoreStatus defines the observed state of the SecretStore.
  4969. properties:
  4970. capabilities:
  4971. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  4972. type: string
  4973. conditions:
  4974. items:
  4975. properties:
  4976. lastTransitionTime:
  4977. format: date-time
  4978. type: string
  4979. message:
  4980. type: string
  4981. reason:
  4982. type: string
  4983. status:
  4984. type: string
  4985. type:
  4986. type: string
  4987. required:
  4988. - status
  4989. - type
  4990. type: object
  4991. type: array
  4992. type: object
  4993. type: object
  4994. served: true
  4995. storage: true
  4996. subresources:
  4997. status: {}
  4998. conversion:
  4999. strategy: Webhook
  5000. webhook:
  5001. conversionReviewVersions:
  5002. - v1
  5003. clientConfig:
  5004. service:
  5005. name: kubernetes
  5006. namespace: default
  5007. path: /convert
  5008. ---
  5009. apiVersion: apiextensions.k8s.io/v1
  5010. kind: CustomResourceDefinition
  5011. metadata:
  5012. annotations:
  5013. controller-gen.kubebuilder.io/version: v0.15.0
  5014. name: externalsecrets.external-secrets.io
  5015. spec:
  5016. group: external-secrets.io
  5017. names:
  5018. categories:
  5019. - externalsecrets
  5020. kind: ExternalSecret
  5021. listKind: ExternalSecretList
  5022. plural: externalsecrets
  5023. shortNames:
  5024. - es
  5025. singular: externalsecret
  5026. scope: Namespaced
  5027. versions:
  5028. - additionalPrinterColumns:
  5029. - jsonPath: .spec.secretStoreRef.name
  5030. name: Store
  5031. type: string
  5032. - jsonPath: .spec.refreshInterval
  5033. name: Refresh Interval
  5034. type: string
  5035. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5036. name: Status
  5037. type: string
  5038. deprecated: true
  5039. name: v1alpha1
  5040. schema:
  5041. openAPIV3Schema:
  5042. description: ExternalSecret is the Schema for the external-secrets API.
  5043. properties:
  5044. apiVersion:
  5045. description: |-
  5046. APIVersion defines the versioned schema of this representation of an object.
  5047. Servers should convert recognized schemas to the latest internal value, and
  5048. may reject unrecognized values.
  5049. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5050. type: string
  5051. kind:
  5052. description: |-
  5053. Kind is a string value representing the REST resource this object represents.
  5054. Servers may infer this from the endpoint the client submits requests to.
  5055. Cannot be updated.
  5056. In CamelCase.
  5057. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5058. type: string
  5059. metadata:
  5060. type: object
  5061. spec:
  5062. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  5063. properties:
  5064. data:
  5065. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  5066. items:
  5067. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  5068. properties:
  5069. remoteRef:
  5070. description: ExternalSecretDataRemoteRef defines Provider data location.
  5071. properties:
  5072. conversionStrategy:
  5073. default: Default
  5074. description: Used to define a conversion Strategy
  5075. enum:
  5076. - Default
  5077. - Unicode
  5078. type: string
  5079. key:
  5080. description: Key is the key used in the Provider, mandatory
  5081. type: string
  5082. property:
  5083. description: Used to select a specific property of the Provider value (if a map), if supported
  5084. type: string
  5085. version:
  5086. description: Used to select a specific version of the Provider value, if supported
  5087. type: string
  5088. required:
  5089. - key
  5090. type: object
  5091. secretKey:
  5092. type: string
  5093. required:
  5094. - remoteRef
  5095. - secretKey
  5096. type: object
  5097. type: array
  5098. dataFrom:
  5099. description: |-
  5100. DataFrom is used to fetch all properties from a specific Provider data
  5101. If multiple entries are specified, the Secret keys are merged in the specified order
  5102. items:
  5103. description: ExternalSecretDataRemoteRef defines Provider data location.
  5104. properties:
  5105. conversionStrategy:
  5106. default: Default
  5107. description: Used to define a conversion Strategy
  5108. enum:
  5109. - Default
  5110. - Unicode
  5111. type: string
  5112. key:
  5113. description: Key is the key used in the Provider, mandatory
  5114. type: string
  5115. property:
  5116. description: Used to select a specific property of the Provider value (if a map), if supported
  5117. type: string
  5118. version:
  5119. description: Used to select a specific version of the Provider value, if supported
  5120. type: string
  5121. required:
  5122. - key
  5123. type: object
  5124. type: array
  5125. refreshInterval:
  5126. default: 1h
  5127. description: |-
  5128. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  5129. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  5130. May be set to zero to fetch and create it once. Defaults to 1h.
  5131. type: string
  5132. secretStoreRef:
  5133. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5134. properties:
  5135. kind:
  5136. description: |-
  5137. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5138. Defaults to `SecretStore`
  5139. type: string
  5140. name:
  5141. description: Name of the SecretStore resource
  5142. type: string
  5143. required:
  5144. - name
  5145. type: object
  5146. target:
  5147. description: |-
  5148. ExternalSecretTarget defines the Kubernetes Secret to be created
  5149. There can be only one target per ExternalSecret.
  5150. properties:
  5151. creationPolicy:
  5152. default: Owner
  5153. description: |-
  5154. CreationPolicy defines rules on how to create the resulting Secret
  5155. Defaults to 'Owner'
  5156. enum:
  5157. - Owner
  5158. - Merge
  5159. - None
  5160. type: string
  5161. immutable:
  5162. description: Immutable defines if the final secret will be immutable
  5163. type: boolean
  5164. name:
  5165. description: |-
  5166. Name defines the name of the Secret resource to be managed
  5167. This field is immutable
  5168. Defaults to the .metadata.name of the ExternalSecret resource
  5169. type: string
  5170. template:
  5171. description: Template defines a blueprint for the created Secret resource.
  5172. properties:
  5173. data:
  5174. additionalProperties:
  5175. type: string
  5176. type: object
  5177. engineVersion:
  5178. default: v1
  5179. description: |-
  5180. EngineVersion specifies the template engine version
  5181. that should be used to compile/execute the
  5182. template specified in .data and .templateFrom[].
  5183. enum:
  5184. - v1
  5185. - v2
  5186. type: string
  5187. metadata:
  5188. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5189. properties:
  5190. annotations:
  5191. additionalProperties:
  5192. type: string
  5193. type: object
  5194. labels:
  5195. additionalProperties:
  5196. type: string
  5197. type: object
  5198. type: object
  5199. templateFrom:
  5200. items:
  5201. maxProperties: 1
  5202. minProperties: 1
  5203. properties:
  5204. configMap:
  5205. properties:
  5206. items:
  5207. items:
  5208. properties:
  5209. key:
  5210. type: string
  5211. required:
  5212. - key
  5213. type: object
  5214. type: array
  5215. name:
  5216. type: string
  5217. required:
  5218. - items
  5219. - name
  5220. type: object
  5221. secret:
  5222. properties:
  5223. items:
  5224. items:
  5225. properties:
  5226. key:
  5227. type: string
  5228. required:
  5229. - key
  5230. type: object
  5231. type: array
  5232. name:
  5233. type: string
  5234. required:
  5235. - items
  5236. - name
  5237. type: object
  5238. type: object
  5239. type: array
  5240. type:
  5241. type: string
  5242. type: object
  5243. type: object
  5244. required:
  5245. - secretStoreRef
  5246. - target
  5247. type: object
  5248. status:
  5249. properties:
  5250. binding:
  5251. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  5252. properties:
  5253. name:
  5254. default: ""
  5255. description: |-
  5256. Name of the referent.
  5257. This field is effectively required, but due to backwards compatibility is
  5258. allowed to be empty. Instances of this type with an empty value here are
  5259. almost certainly wrong.
  5260. TODO: Add other useful fields. apiVersion, kind, uid?
  5261. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5262. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  5263. type: string
  5264. type: object
  5265. x-kubernetes-map-type: atomic
  5266. conditions:
  5267. items:
  5268. properties:
  5269. lastTransitionTime:
  5270. format: date-time
  5271. type: string
  5272. message:
  5273. type: string
  5274. reason:
  5275. type: string
  5276. status:
  5277. type: string
  5278. type:
  5279. type: string
  5280. required:
  5281. - status
  5282. - type
  5283. type: object
  5284. type: array
  5285. refreshTime:
  5286. description: |-
  5287. refreshTime is the time and date the external secret was fetched and
  5288. the target secret updated
  5289. format: date-time
  5290. nullable: true
  5291. type: string
  5292. syncedResourceVersion:
  5293. description: SyncedResourceVersion keeps track of the last synced version
  5294. type: string
  5295. type: object
  5296. type: object
  5297. served: true
  5298. storage: false
  5299. subresources:
  5300. status: {}
  5301. - additionalPrinterColumns:
  5302. - jsonPath: .spec.secretStoreRef.name
  5303. name: Store
  5304. type: string
  5305. - jsonPath: .spec.refreshInterval
  5306. name: Refresh Interval
  5307. type: string
  5308. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5309. name: Status
  5310. type: string
  5311. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5312. name: Ready
  5313. type: string
  5314. name: v1beta1
  5315. schema:
  5316. openAPIV3Schema:
  5317. description: ExternalSecret is the Schema for the external-secrets API.
  5318. properties:
  5319. apiVersion:
  5320. description: |-
  5321. APIVersion defines the versioned schema of this representation of an object.
  5322. Servers should convert recognized schemas to the latest internal value, and
  5323. may reject unrecognized values.
  5324. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5325. type: string
  5326. kind:
  5327. description: |-
  5328. Kind is a string value representing the REST resource this object represents.
  5329. Servers may infer this from the endpoint the client submits requests to.
  5330. Cannot be updated.
  5331. In CamelCase.
  5332. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5333. type: string
  5334. metadata:
  5335. type: object
  5336. spec:
  5337. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  5338. properties:
  5339. data:
  5340. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  5341. items:
  5342. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  5343. properties:
  5344. remoteRef:
  5345. description: |-
  5346. RemoteRef points to the remote secret and defines
  5347. which secret (version/property/..) to fetch.
  5348. properties:
  5349. conversionStrategy:
  5350. default: Default
  5351. description: Used to define a conversion Strategy
  5352. enum:
  5353. - Default
  5354. - Unicode
  5355. type: string
  5356. decodingStrategy:
  5357. default: None
  5358. description: Used to define a decoding Strategy
  5359. enum:
  5360. - Auto
  5361. - Base64
  5362. - Base64URL
  5363. - None
  5364. type: string
  5365. key:
  5366. description: Key is the key used in the Provider, mandatory
  5367. type: string
  5368. metadataPolicy:
  5369. default: None
  5370. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  5371. enum:
  5372. - None
  5373. - Fetch
  5374. type: string
  5375. property:
  5376. description: Used to select a specific property of the Provider value (if a map), if supported
  5377. type: string
  5378. version:
  5379. description: Used to select a specific version of the Provider value, if supported
  5380. type: string
  5381. required:
  5382. - key
  5383. type: object
  5384. secretKey:
  5385. description: |-
  5386. SecretKey defines the key in which the controller stores
  5387. the value. This is the key in the Kind=Secret
  5388. type: string
  5389. sourceRef:
  5390. description: |-
  5391. SourceRef allows you to override the source
  5392. from which the value will pulled from.
  5393. maxProperties: 1
  5394. properties:
  5395. generatorRef:
  5396. description: |-
  5397. GeneratorRef points to a generator custom resource.
  5398. Deprecated: The generatorRef is not implemented in .data[].
  5399. this will be removed with v1.
  5400. properties:
  5401. apiVersion:
  5402. default: generators.external-secrets.io/v1alpha1
  5403. description: Specify the apiVersion of the generator resource
  5404. type: string
  5405. kind:
  5406. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5407. type: string
  5408. name:
  5409. description: Specify the name of the generator resource
  5410. type: string
  5411. required:
  5412. - kind
  5413. - name
  5414. type: object
  5415. storeRef:
  5416. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5417. properties:
  5418. kind:
  5419. description: |-
  5420. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5421. Defaults to `SecretStore`
  5422. type: string
  5423. name:
  5424. description: Name of the SecretStore resource
  5425. type: string
  5426. required:
  5427. - name
  5428. type: object
  5429. type: object
  5430. required:
  5431. - remoteRef
  5432. - secretKey
  5433. type: object
  5434. type: array
  5435. dataFrom:
  5436. description: |-
  5437. DataFrom is used to fetch all properties from a specific Provider data
  5438. If multiple entries are specified, the Secret keys are merged in the specified order
  5439. items:
  5440. properties:
  5441. extract:
  5442. description: |-
  5443. Used to extract multiple key/value pairs from one secret
  5444. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5445. properties:
  5446. conversionStrategy:
  5447. default: Default
  5448. description: Used to define a conversion Strategy
  5449. enum:
  5450. - Default
  5451. - Unicode
  5452. type: string
  5453. decodingStrategy:
  5454. default: None
  5455. description: Used to define a decoding Strategy
  5456. enum:
  5457. - Auto
  5458. - Base64
  5459. - Base64URL
  5460. - None
  5461. type: string
  5462. key:
  5463. description: Key is the key used in the Provider, mandatory
  5464. type: string
  5465. metadataPolicy:
  5466. default: None
  5467. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  5468. enum:
  5469. - None
  5470. - Fetch
  5471. type: string
  5472. property:
  5473. description: Used to select a specific property of the Provider value (if a map), if supported
  5474. type: string
  5475. version:
  5476. description: Used to select a specific version of the Provider value, if supported
  5477. type: string
  5478. required:
  5479. - key
  5480. type: object
  5481. find:
  5482. description: |-
  5483. Used to find secrets based on tags or regular expressions
  5484. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5485. properties:
  5486. conversionStrategy:
  5487. default: Default
  5488. description: Used to define a conversion Strategy
  5489. enum:
  5490. - Default
  5491. - Unicode
  5492. type: string
  5493. decodingStrategy:
  5494. default: None
  5495. description: Used to define a decoding Strategy
  5496. enum:
  5497. - Auto
  5498. - Base64
  5499. - Base64URL
  5500. - None
  5501. type: string
  5502. name:
  5503. description: Finds secrets based on the name.
  5504. properties:
  5505. regexp:
  5506. description: Finds secrets base
  5507. type: string
  5508. type: object
  5509. path:
  5510. description: A root path to start the find operations.
  5511. type: string
  5512. tags:
  5513. additionalProperties:
  5514. type: string
  5515. description: Find secrets based on tags.
  5516. type: object
  5517. type: object
  5518. rewrite:
  5519. description: |-
  5520. Used to rewrite secret Keys after getting them from the secret Provider
  5521. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  5522. items:
  5523. properties:
  5524. regexp:
  5525. description: |-
  5526. Used to rewrite with regular expressions.
  5527. The resulting key will be the output of a regexp.ReplaceAll operation.
  5528. properties:
  5529. source:
  5530. description: Used to define the regular expression of a re.Compiler.
  5531. type: string
  5532. target:
  5533. description: Used to define the target pattern of a ReplaceAll operation.
  5534. type: string
  5535. required:
  5536. - source
  5537. - target
  5538. type: object
  5539. transform:
  5540. description: |-
  5541. Used to apply string transformation on the secrets.
  5542. The resulting key will be the output of the template applied by the operation.
  5543. properties:
  5544. template:
  5545. description: |-
  5546. Used to define the template to apply on the secret name.
  5547. `.value ` will specify the secret name in the template.
  5548. type: string
  5549. required:
  5550. - template
  5551. type: object
  5552. type: object
  5553. type: array
  5554. sourceRef:
  5555. description: |-
  5556. SourceRef points to a store or generator
  5557. which contains secret values ready to use.
  5558. Use this in combination with Extract or Find pull values out of
  5559. a specific SecretStore.
  5560. When sourceRef points to a generator Extract or Find is not supported.
  5561. The generator returns a static map of values
  5562. maxProperties: 1
  5563. properties:
  5564. generatorRef:
  5565. description: GeneratorRef points to a generator custom resource.
  5566. properties:
  5567. apiVersion:
  5568. default: generators.external-secrets.io/v1alpha1
  5569. description: Specify the apiVersion of the generator resource
  5570. type: string
  5571. kind:
  5572. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5573. type: string
  5574. name:
  5575. description: Specify the name of the generator resource
  5576. type: string
  5577. required:
  5578. - kind
  5579. - name
  5580. type: object
  5581. storeRef:
  5582. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5583. properties:
  5584. kind:
  5585. description: |-
  5586. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5587. Defaults to `SecretStore`
  5588. type: string
  5589. name:
  5590. description: Name of the SecretStore resource
  5591. type: string
  5592. required:
  5593. - name
  5594. type: object
  5595. type: object
  5596. type: object
  5597. type: array
  5598. refreshInterval:
  5599. default: 1h
  5600. description: |-
  5601. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  5602. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  5603. May be set to zero to fetch and create it once. Defaults to 1h.
  5604. type: string
  5605. secretStoreRef:
  5606. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5607. properties:
  5608. kind:
  5609. description: |-
  5610. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5611. Defaults to `SecretStore`
  5612. type: string
  5613. name:
  5614. description: Name of the SecretStore resource
  5615. type: string
  5616. required:
  5617. - name
  5618. type: object
  5619. target:
  5620. default:
  5621. creationPolicy: Owner
  5622. deletionPolicy: Retain
  5623. description: |-
  5624. ExternalSecretTarget defines the Kubernetes Secret to be created
  5625. There can be only one target per ExternalSecret.
  5626. properties:
  5627. creationPolicy:
  5628. default: Owner
  5629. description: |-
  5630. CreationPolicy defines rules on how to create the resulting Secret
  5631. Defaults to 'Owner'
  5632. enum:
  5633. - Owner
  5634. - Orphan
  5635. - Merge
  5636. - None
  5637. type: string
  5638. deletionPolicy:
  5639. default: Retain
  5640. description: |-
  5641. DeletionPolicy defines rules on how to delete the resulting Secret
  5642. Defaults to 'Retain'
  5643. enum:
  5644. - Delete
  5645. - Merge
  5646. - Retain
  5647. type: string
  5648. immutable:
  5649. description: Immutable defines if the final secret will be immutable
  5650. type: boolean
  5651. name:
  5652. description: |-
  5653. Name defines the name of the Secret resource to be managed
  5654. This field is immutable
  5655. Defaults to the .metadata.name of the ExternalSecret resource
  5656. type: string
  5657. template:
  5658. description: Template defines a blueprint for the created Secret resource.
  5659. properties:
  5660. data:
  5661. additionalProperties:
  5662. type: string
  5663. type: object
  5664. engineVersion:
  5665. default: v2
  5666. description: |-
  5667. EngineVersion specifies the template engine version
  5668. that should be used to compile/execute the
  5669. template specified in .data and .templateFrom[].
  5670. enum:
  5671. - v1
  5672. - v2
  5673. type: string
  5674. mergePolicy:
  5675. default: Replace
  5676. enum:
  5677. - Replace
  5678. - Merge
  5679. type: string
  5680. metadata:
  5681. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5682. properties:
  5683. annotations:
  5684. additionalProperties:
  5685. type: string
  5686. type: object
  5687. labels:
  5688. additionalProperties:
  5689. type: string
  5690. type: object
  5691. type: object
  5692. templateFrom:
  5693. items:
  5694. properties:
  5695. configMap:
  5696. properties:
  5697. items:
  5698. items:
  5699. properties:
  5700. key:
  5701. type: string
  5702. templateAs:
  5703. default: Values
  5704. enum:
  5705. - Values
  5706. - KeysAndValues
  5707. type: string
  5708. required:
  5709. - key
  5710. type: object
  5711. type: array
  5712. name:
  5713. type: string
  5714. required:
  5715. - items
  5716. - name
  5717. type: object
  5718. literal:
  5719. type: string
  5720. secret:
  5721. properties:
  5722. items:
  5723. items:
  5724. properties:
  5725. key:
  5726. type: string
  5727. templateAs:
  5728. default: Values
  5729. enum:
  5730. - Values
  5731. - KeysAndValues
  5732. type: string
  5733. required:
  5734. - key
  5735. type: object
  5736. type: array
  5737. name:
  5738. type: string
  5739. required:
  5740. - items
  5741. - name
  5742. type: object
  5743. target:
  5744. default: Data
  5745. enum:
  5746. - Data
  5747. - Annotations
  5748. - Labels
  5749. type: string
  5750. type: object
  5751. type: array
  5752. type:
  5753. type: string
  5754. type: object
  5755. type: object
  5756. type: object
  5757. status:
  5758. properties:
  5759. binding:
  5760. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  5761. properties:
  5762. name:
  5763. default: ""
  5764. description: |-
  5765. Name of the referent.
  5766. This field is effectively required, but due to backwards compatibility is
  5767. allowed to be empty. Instances of this type with an empty value here are
  5768. almost certainly wrong.
  5769. TODO: Add other useful fields. apiVersion, kind, uid?
  5770. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5771. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  5772. type: string
  5773. type: object
  5774. x-kubernetes-map-type: atomic
  5775. conditions:
  5776. items:
  5777. properties:
  5778. lastTransitionTime:
  5779. format: date-time
  5780. type: string
  5781. message:
  5782. type: string
  5783. reason:
  5784. type: string
  5785. status:
  5786. type: string
  5787. type:
  5788. type: string
  5789. required:
  5790. - status
  5791. - type
  5792. type: object
  5793. type: array
  5794. refreshTime:
  5795. description: |-
  5796. refreshTime is the time and date the external secret was fetched and
  5797. the target secret updated
  5798. format: date-time
  5799. nullable: true
  5800. type: string
  5801. syncedResourceVersion:
  5802. description: SyncedResourceVersion keeps track of the last synced version
  5803. type: string
  5804. type: object
  5805. type: object
  5806. served: true
  5807. storage: true
  5808. subresources:
  5809. status: {}
  5810. conversion:
  5811. strategy: Webhook
  5812. webhook:
  5813. conversionReviewVersions:
  5814. - v1
  5815. clientConfig:
  5816. service:
  5817. name: kubernetes
  5818. namespace: default
  5819. path: /convert
  5820. ---
  5821. apiVersion: apiextensions.k8s.io/v1
  5822. kind: CustomResourceDefinition
  5823. metadata:
  5824. annotations:
  5825. controller-gen.kubebuilder.io/version: v0.15.0
  5826. name: pushsecrets.external-secrets.io
  5827. spec:
  5828. group: external-secrets.io
  5829. names:
  5830. categories:
  5831. - pushsecrets
  5832. kind: PushSecret
  5833. listKind: PushSecretList
  5834. plural: pushsecrets
  5835. singular: pushsecret
  5836. scope: Namespaced
  5837. versions:
  5838. - additionalPrinterColumns:
  5839. - jsonPath: .metadata.creationTimestamp
  5840. name: AGE
  5841. type: date
  5842. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5843. name: Status
  5844. type: string
  5845. name: v1alpha1
  5846. schema:
  5847. openAPIV3Schema:
  5848. properties:
  5849. apiVersion:
  5850. description: |-
  5851. APIVersion defines the versioned schema of this representation of an object.
  5852. Servers should convert recognized schemas to the latest internal value, and
  5853. may reject unrecognized values.
  5854. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5855. type: string
  5856. kind:
  5857. description: |-
  5858. Kind is a string value representing the REST resource this object represents.
  5859. Servers may infer this from the endpoint the client submits requests to.
  5860. Cannot be updated.
  5861. In CamelCase.
  5862. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5863. type: string
  5864. metadata:
  5865. type: object
  5866. spec:
  5867. description: PushSecretSpec configures the behavior of the PushSecret.
  5868. properties:
  5869. data:
  5870. description: Secret Data that should be pushed to providers
  5871. items:
  5872. properties:
  5873. conversionStrategy:
  5874. default: None
  5875. description: Used to define a conversion Strategy for the secret keys
  5876. enum:
  5877. - None
  5878. - ReverseUnicode
  5879. type: string
  5880. match:
  5881. description: Match a given Secret Key to be pushed to the provider.
  5882. properties:
  5883. remoteRef:
  5884. description: Remote Refs to push to providers.
  5885. properties:
  5886. property:
  5887. description: Name of the property in the resulting secret
  5888. type: string
  5889. remoteKey:
  5890. description: Name of the resulting provider secret.
  5891. type: string
  5892. required:
  5893. - remoteKey
  5894. type: object
  5895. secretKey:
  5896. description: Secret Key to be pushed
  5897. type: string
  5898. required:
  5899. - remoteRef
  5900. type: object
  5901. metadata:
  5902. description: |-
  5903. Metadata is metadata attached to the secret.
  5904. The structure of metadata is provider specific, please look it up in the provider documentation.
  5905. x-kubernetes-preserve-unknown-fields: true
  5906. required:
  5907. - match
  5908. type: object
  5909. type: array
  5910. deletionPolicy:
  5911. default: None
  5912. description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
  5913. enum:
  5914. - Delete
  5915. - None
  5916. type: string
  5917. refreshInterval:
  5918. description: The Interval to which External Secrets will try to push a secret definition
  5919. type: string
  5920. secretStoreRefs:
  5921. items:
  5922. properties:
  5923. kind:
  5924. default: SecretStore
  5925. description: |-
  5926. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5927. Defaults to `SecretStore`
  5928. type: string
  5929. labelSelector:
  5930. description: Optionally, sync to secret stores with label selector
  5931. properties:
  5932. matchExpressions:
  5933. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  5934. items:
  5935. description: |-
  5936. A label selector requirement is a selector that contains values, a key, and an operator that
  5937. relates the key and values.
  5938. properties:
  5939. key:
  5940. description: key is the label key that the selector applies to.
  5941. type: string
  5942. operator:
  5943. description: |-
  5944. operator represents a key's relationship to a set of values.
  5945. Valid operators are In, NotIn, Exists and DoesNotExist.
  5946. type: string
  5947. values:
  5948. description: |-
  5949. values is an array of string values. If the operator is In or NotIn,
  5950. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  5951. the values array must be empty. This array is replaced during a strategic
  5952. merge patch.
  5953. items:
  5954. type: string
  5955. type: array
  5956. x-kubernetes-list-type: atomic
  5957. required:
  5958. - key
  5959. - operator
  5960. type: object
  5961. type: array
  5962. x-kubernetes-list-type: atomic
  5963. matchLabels:
  5964. additionalProperties:
  5965. type: string
  5966. description: |-
  5967. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  5968. map is equivalent to an element of matchExpressions, whose key field is "key", the
  5969. operator is "In", and the values array contains only "value". The requirements are ANDed.
  5970. type: object
  5971. type: object
  5972. x-kubernetes-map-type: atomic
  5973. name:
  5974. description: Optionally, sync to the SecretStore of the given name
  5975. type: string
  5976. type: object
  5977. type: array
  5978. selector:
  5979. description: The Secret Selector (k8s source) for the Push Secret
  5980. properties:
  5981. secret:
  5982. description: Select a Secret to Push.
  5983. properties:
  5984. name:
  5985. description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
  5986. type: string
  5987. required:
  5988. - name
  5989. type: object
  5990. required:
  5991. - secret
  5992. type: object
  5993. template:
  5994. description: Template defines a blueprint for the created Secret resource.
  5995. properties:
  5996. data:
  5997. additionalProperties:
  5998. type: string
  5999. type: object
  6000. engineVersion:
  6001. default: v2
  6002. description: |-
  6003. EngineVersion specifies the template engine version
  6004. that should be used to compile/execute the
  6005. template specified in .data and .templateFrom[].
  6006. enum:
  6007. - v1
  6008. - v2
  6009. type: string
  6010. mergePolicy:
  6011. default: Replace
  6012. enum:
  6013. - Replace
  6014. - Merge
  6015. type: string
  6016. metadata:
  6017. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  6018. properties:
  6019. annotations:
  6020. additionalProperties:
  6021. type: string
  6022. type: object
  6023. labels:
  6024. additionalProperties:
  6025. type: string
  6026. type: object
  6027. type: object
  6028. templateFrom:
  6029. items:
  6030. properties:
  6031. configMap:
  6032. properties:
  6033. items:
  6034. items:
  6035. properties:
  6036. key:
  6037. type: string
  6038. templateAs:
  6039. default: Values
  6040. enum:
  6041. - Values
  6042. - KeysAndValues
  6043. type: string
  6044. required:
  6045. - key
  6046. type: object
  6047. type: array
  6048. name:
  6049. type: string
  6050. required:
  6051. - items
  6052. - name
  6053. type: object
  6054. literal:
  6055. type: string
  6056. secret:
  6057. properties:
  6058. items:
  6059. items:
  6060. properties:
  6061. key:
  6062. type: string
  6063. templateAs:
  6064. default: Values
  6065. enum:
  6066. - Values
  6067. - KeysAndValues
  6068. type: string
  6069. required:
  6070. - key
  6071. type: object
  6072. type: array
  6073. name:
  6074. type: string
  6075. required:
  6076. - items
  6077. - name
  6078. type: object
  6079. target:
  6080. default: Data
  6081. enum:
  6082. - Data
  6083. - Annotations
  6084. - Labels
  6085. type: string
  6086. type: object
  6087. type: array
  6088. type:
  6089. type: string
  6090. type: object
  6091. updatePolicy:
  6092. default: Replace
  6093. description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
  6094. enum:
  6095. - Replace
  6096. - IfNotExists
  6097. type: string
  6098. required:
  6099. - secretStoreRefs
  6100. - selector
  6101. type: object
  6102. status:
  6103. description: PushSecretStatus indicates the history of the status of PushSecret.
  6104. properties:
  6105. conditions:
  6106. items:
  6107. description: PushSecretStatusCondition indicates the status of the PushSecret.
  6108. properties:
  6109. lastTransitionTime:
  6110. format: date-time
  6111. type: string
  6112. message:
  6113. type: string
  6114. reason:
  6115. type: string
  6116. status:
  6117. type: string
  6118. type:
  6119. description: PushSecretConditionType indicates the condition of the PushSecret.
  6120. type: string
  6121. required:
  6122. - status
  6123. - type
  6124. type: object
  6125. type: array
  6126. refreshTime:
  6127. description: |-
  6128. refreshTime is the time and date the external secret was fetched and
  6129. the target secret updated
  6130. format: date-time
  6131. nullable: true
  6132. type: string
  6133. syncedPushSecrets:
  6134. additionalProperties:
  6135. additionalProperties:
  6136. properties:
  6137. conversionStrategy:
  6138. default: None
  6139. description: Used to define a conversion Strategy for the secret keys
  6140. enum:
  6141. - None
  6142. - ReverseUnicode
  6143. type: string
  6144. match:
  6145. description: Match a given Secret Key to be pushed to the provider.
  6146. properties:
  6147. remoteRef:
  6148. description: Remote Refs to push to providers.
  6149. properties:
  6150. property:
  6151. description: Name of the property in the resulting secret
  6152. type: string
  6153. remoteKey:
  6154. description: Name of the resulting provider secret.
  6155. type: string
  6156. required:
  6157. - remoteKey
  6158. type: object
  6159. secretKey:
  6160. description: Secret Key to be pushed
  6161. type: string
  6162. required:
  6163. - remoteRef
  6164. type: object
  6165. metadata:
  6166. description: |-
  6167. Metadata is metadata attached to the secret.
  6168. The structure of metadata is provider specific, please look it up in the provider documentation.
  6169. x-kubernetes-preserve-unknown-fields: true
  6170. required:
  6171. - match
  6172. type: object
  6173. type: object
  6174. description: |-
  6175. Synced PushSecrets, including secrets that already exist in provider.
  6176. Matches secret stores to PushSecretData that was stored to that secret store.
  6177. type: object
  6178. syncedResourceVersion:
  6179. description: SyncedResourceVersion keeps track of the last synced version.
  6180. type: string
  6181. type: object
  6182. type: object
  6183. served: true
  6184. storage: true
  6185. subresources:
  6186. status: {}
  6187. conversion:
  6188. strategy: Webhook
  6189. webhook:
  6190. conversionReviewVersions:
  6191. - v1
  6192. clientConfig:
  6193. service:
  6194. name: kubernetes
  6195. namespace: default
  6196. path: /convert
  6197. ---
  6198. apiVersion: apiextensions.k8s.io/v1
  6199. kind: CustomResourceDefinition
  6200. metadata:
  6201. annotations:
  6202. controller-gen.kubebuilder.io/version: v0.15.0
  6203. name: secretstores.external-secrets.io
  6204. spec:
  6205. group: external-secrets.io
  6206. names:
  6207. categories:
  6208. - externalsecrets
  6209. kind: SecretStore
  6210. listKind: SecretStoreList
  6211. plural: secretstores
  6212. shortNames:
  6213. - ss
  6214. singular: secretstore
  6215. scope: Namespaced
  6216. versions:
  6217. - additionalPrinterColumns:
  6218. - jsonPath: .metadata.creationTimestamp
  6219. name: AGE
  6220. type: date
  6221. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  6222. name: Status
  6223. type: string
  6224. deprecated: true
  6225. name: v1alpha1
  6226. schema:
  6227. openAPIV3Schema:
  6228. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  6229. properties:
  6230. apiVersion:
  6231. description: |-
  6232. APIVersion defines the versioned schema of this representation of an object.
  6233. Servers should convert recognized schemas to the latest internal value, and
  6234. may reject unrecognized values.
  6235. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  6236. type: string
  6237. kind:
  6238. description: |-
  6239. Kind is a string value representing the REST resource this object represents.
  6240. Servers may infer this from the endpoint the client submits requests to.
  6241. Cannot be updated.
  6242. In CamelCase.
  6243. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  6244. type: string
  6245. metadata:
  6246. type: object
  6247. spec:
  6248. description: SecretStoreSpec defines the desired state of SecretStore.
  6249. properties:
  6250. controller:
  6251. description: |-
  6252. Used to select the correct ESO controller (think: ingress.ingressClassName)
  6253. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  6254. type: string
  6255. provider:
  6256. description: Used to configure the provider. Only one provider may be set
  6257. maxProperties: 1
  6258. minProperties: 1
  6259. properties:
  6260. akeyless:
  6261. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  6262. properties:
  6263. akeylessGWApiURL:
  6264. description: Akeyless GW API Url from which the secrets to be fetched from.
  6265. type: string
  6266. authSecretRef:
  6267. description: Auth configures how the operator authenticates with Akeyless.
  6268. properties:
  6269. kubernetesAuth:
  6270. description: |-
  6271. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  6272. token stored in the named Secret resource.
  6273. properties:
  6274. accessID:
  6275. description: the Akeyless Kubernetes auth-method access-id
  6276. type: string
  6277. k8sConfName:
  6278. description: Kubernetes-auth configuration name in Akeyless-Gateway
  6279. type: string
  6280. secretRef:
  6281. description: |-
  6282. Optional secret field containing a Kubernetes ServiceAccount JWT used
  6283. for authenticating with Akeyless. If a name is specified without a key,
  6284. `token` is the default. If one is not specified, the one bound to
  6285. the controller will be used.
  6286. properties:
  6287. key:
  6288. description: |-
  6289. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6290. defaulted, in others it may be required.
  6291. type: string
  6292. name:
  6293. description: The name of the Secret resource being referred to.
  6294. type: string
  6295. namespace:
  6296. description: |-
  6297. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6298. to the namespace of the referent.
  6299. type: string
  6300. type: object
  6301. serviceAccountRef:
  6302. description: |-
  6303. Optional service account field containing the name of a kubernetes ServiceAccount.
  6304. If the service account is specified, the service account secret token JWT will be used
  6305. for authenticating with Akeyless. If the service account selector is not supplied,
  6306. the secretRef will be used instead.
  6307. properties:
  6308. audiences:
  6309. description: |-
  6310. Audience specifies the `aud` claim for the service account token
  6311. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6312. then this audiences will be appended to the list
  6313. items:
  6314. type: string
  6315. type: array
  6316. name:
  6317. description: The name of the ServiceAccount resource being referred to.
  6318. type: string
  6319. namespace:
  6320. description: |-
  6321. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6322. to the namespace of the referent.
  6323. type: string
  6324. required:
  6325. - name
  6326. type: object
  6327. required:
  6328. - accessID
  6329. - k8sConfName
  6330. type: object
  6331. secretRef:
  6332. description: |-
  6333. Reference to a Secret that contains the details
  6334. to authenticate with Akeyless.
  6335. properties:
  6336. accessID:
  6337. description: The SecretAccessID is used for authentication
  6338. properties:
  6339. key:
  6340. description: |-
  6341. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6342. defaulted, in others it may be required.
  6343. type: string
  6344. name:
  6345. description: The name of the Secret resource being referred to.
  6346. type: string
  6347. namespace:
  6348. description: |-
  6349. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6350. to the namespace of the referent.
  6351. type: string
  6352. type: object
  6353. accessType:
  6354. description: |-
  6355. A reference to a specific 'key' within a Secret resource,
  6356. In some instances, `key` is a required field.
  6357. properties:
  6358. key:
  6359. description: |-
  6360. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6361. defaulted, in others it may be required.
  6362. type: string
  6363. name:
  6364. description: The name of the Secret resource being referred to.
  6365. type: string
  6366. namespace:
  6367. description: |-
  6368. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6369. to the namespace of the referent.
  6370. type: string
  6371. type: object
  6372. accessTypeParam:
  6373. description: |-
  6374. A reference to a specific 'key' within a Secret resource,
  6375. In some instances, `key` is a required field.
  6376. properties:
  6377. key:
  6378. description: |-
  6379. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6380. defaulted, in others it may be required.
  6381. type: string
  6382. name:
  6383. description: The name of the Secret resource being referred to.
  6384. type: string
  6385. namespace:
  6386. description: |-
  6387. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6388. to the namespace of the referent.
  6389. type: string
  6390. type: object
  6391. type: object
  6392. type: object
  6393. caBundle:
  6394. description: |-
  6395. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  6396. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  6397. are used to validate the TLS connection.
  6398. format: byte
  6399. type: string
  6400. caProvider:
  6401. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  6402. properties:
  6403. key:
  6404. description: The key the value inside of the provider type to use, only used with "Secret" type
  6405. type: string
  6406. name:
  6407. description: The name of the object located at the provider type.
  6408. type: string
  6409. namespace:
  6410. description: The namespace the Provider type is in.
  6411. type: string
  6412. type:
  6413. description: The type of provider to use such as "Secret", or "ConfigMap".
  6414. enum:
  6415. - Secret
  6416. - ConfigMap
  6417. type: string
  6418. required:
  6419. - name
  6420. - type
  6421. type: object
  6422. required:
  6423. - akeylessGWApiURL
  6424. - authSecretRef
  6425. type: object
  6426. alibaba:
  6427. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  6428. properties:
  6429. auth:
  6430. description: AlibabaAuth contains a secretRef for credentials.
  6431. properties:
  6432. rrsa:
  6433. description: Authenticate against Alibaba using RRSA.
  6434. properties:
  6435. oidcProviderArn:
  6436. type: string
  6437. oidcTokenFilePath:
  6438. type: string
  6439. roleArn:
  6440. type: string
  6441. sessionName:
  6442. type: string
  6443. required:
  6444. - oidcProviderArn
  6445. - oidcTokenFilePath
  6446. - roleArn
  6447. - sessionName
  6448. type: object
  6449. secretRef:
  6450. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  6451. properties:
  6452. accessKeyIDSecretRef:
  6453. description: The AccessKeyID is used for authentication
  6454. properties:
  6455. key:
  6456. description: |-
  6457. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6458. defaulted, in others it may be required.
  6459. type: string
  6460. name:
  6461. description: The name of the Secret resource being referred to.
  6462. type: string
  6463. namespace:
  6464. description: |-
  6465. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6466. to the namespace of the referent.
  6467. type: string
  6468. type: object
  6469. accessKeySecretSecretRef:
  6470. description: The AccessKeySecret is used for authentication
  6471. properties:
  6472. key:
  6473. description: |-
  6474. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6475. defaulted, in others it may be required.
  6476. type: string
  6477. name:
  6478. description: The name of the Secret resource being referred to.
  6479. type: string
  6480. namespace:
  6481. description: |-
  6482. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6483. to the namespace of the referent.
  6484. type: string
  6485. type: object
  6486. required:
  6487. - accessKeyIDSecretRef
  6488. - accessKeySecretSecretRef
  6489. type: object
  6490. type: object
  6491. regionID:
  6492. description: Alibaba Region to be used for the provider
  6493. type: string
  6494. required:
  6495. - auth
  6496. - regionID
  6497. type: object
  6498. aws:
  6499. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  6500. properties:
  6501. auth:
  6502. description: |-
  6503. Auth defines the information necessary to authenticate against AWS
  6504. if not set aws sdk will infer credentials from your environment
  6505. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  6506. properties:
  6507. jwt:
  6508. description: Authenticate against AWS using service account tokens.
  6509. properties:
  6510. serviceAccountRef:
  6511. description: A reference to a ServiceAccount resource.
  6512. properties:
  6513. audiences:
  6514. description: |-
  6515. Audience specifies the `aud` claim for the service account token
  6516. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6517. then this audiences will be appended to the list
  6518. items:
  6519. type: string
  6520. type: array
  6521. name:
  6522. description: The name of the ServiceAccount resource being referred to.
  6523. type: string
  6524. namespace:
  6525. description: |-
  6526. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6527. to the namespace of the referent.
  6528. type: string
  6529. required:
  6530. - name
  6531. type: object
  6532. type: object
  6533. secretRef:
  6534. description: |-
  6535. AWSAuthSecretRef holds secret references for AWS credentials
  6536. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  6537. properties:
  6538. accessKeyIDSecretRef:
  6539. description: The AccessKeyID is used for authentication
  6540. properties:
  6541. key:
  6542. description: |-
  6543. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6544. defaulted, in others it may be required.
  6545. type: string
  6546. name:
  6547. description: The name of the Secret resource being referred to.
  6548. type: string
  6549. namespace:
  6550. description: |-
  6551. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6552. to the namespace of the referent.
  6553. type: string
  6554. type: object
  6555. secretAccessKeySecretRef:
  6556. description: The SecretAccessKey is used for authentication
  6557. properties:
  6558. key:
  6559. description: |-
  6560. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6561. defaulted, in others it may be required.
  6562. type: string
  6563. name:
  6564. description: The name of the Secret resource being referred to.
  6565. type: string
  6566. namespace:
  6567. description: |-
  6568. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6569. to the namespace of the referent.
  6570. type: string
  6571. type: object
  6572. type: object
  6573. type: object
  6574. region:
  6575. description: AWS Region to be used for the provider
  6576. type: string
  6577. role:
  6578. description: Role is a Role ARN which the SecretManager provider will assume
  6579. type: string
  6580. service:
  6581. description: Service defines which service should be used to fetch the secrets
  6582. enum:
  6583. - SecretsManager
  6584. - ParameterStore
  6585. type: string
  6586. required:
  6587. - region
  6588. - service
  6589. type: object
  6590. azurekv:
  6591. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  6592. properties:
  6593. authSecretRef:
  6594. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  6595. properties:
  6596. clientId:
  6597. description: The Azure clientId of the service principle used for authentication.
  6598. properties:
  6599. key:
  6600. description: |-
  6601. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6602. defaulted, in others it may be required.
  6603. type: string
  6604. name:
  6605. description: The name of the Secret resource being referred to.
  6606. type: string
  6607. namespace:
  6608. description: |-
  6609. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6610. to the namespace of the referent.
  6611. type: string
  6612. type: object
  6613. clientSecret:
  6614. description: The Azure ClientSecret of the service principle used for authentication.
  6615. properties:
  6616. key:
  6617. description: |-
  6618. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6619. defaulted, in others it may be required.
  6620. type: string
  6621. name:
  6622. description: The name of the Secret resource being referred to.
  6623. type: string
  6624. namespace:
  6625. description: |-
  6626. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6627. to the namespace of the referent.
  6628. type: string
  6629. type: object
  6630. type: object
  6631. authType:
  6632. default: ServicePrincipal
  6633. description: |-
  6634. Auth type defines how to authenticate to the keyvault service.
  6635. Valid values are:
  6636. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  6637. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  6638. enum:
  6639. - ServicePrincipal
  6640. - ManagedIdentity
  6641. - WorkloadIdentity
  6642. type: string
  6643. identityId:
  6644. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  6645. type: string
  6646. serviceAccountRef:
  6647. description: |-
  6648. ServiceAccountRef specified the service account
  6649. that should be used when authenticating with WorkloadIdentity.
  6650. properties:
  6651. audiences:
  6652. description: |-
  6653. Audience specifies the `aud` claim for the service account token
  6654. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6655. then this audiences will be appended to the list
  6656. items:
  6657. type: string
  6658. type: array
  6659. name:
  6660. description: The name of the ServiceAccount resource being referred to.
  6661. type: string
  6662. namespace:
  6663. description: |-
  6664. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6665. to the namespace of the referent.
  6666. type: string
  6667. required:
  6668. - name
  6669. type: object
  6670. tenantId:
  6671. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  6672. type: string
  6673. vaultUrl:
  6674. description: Vault Url from which the secrets to be fetched from.
  6675. type: string
  6676. required:
  6677. - vaultUrl
  6678. type: object
  6679. fake:
  6680. description: Fake configures a store with static key/value pairs
  6681. properties:
  6682. data:
  6683. items:
  6684. properties:
  6685. key:
  6686. type: string
  6687. value:
  6688. type: string
  6689. valueMap:
  6690. additionalProperties:
  6691. type: string
  6692. type: object
  6693. version:
  6694. type: string
  6695. required:
  6696. - key
  6697. type: object
  6698. type: array
  6699. required:
  6700. - data
  6701. type: object
  6702. gcpsm:
  6703. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  6704. properties:
  6705. auth:
  6706. description: Auth defines the information necessary to authenticate against GCP
  6707. properties:
  6708. secretRef:
  6709. properties:
  6710. secretAccessKeySecretRef:
  6711. description: The SecretAccessKey is used for authentication
  6712. properties:
  6713. key:
  6714. description: |-
  6715. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6716. defaulted, in others it may be required.
  6717. type: string
  6718. name:
  6719. description: The name of the Secret resource being referred to.
  6720. type: string
  6721. namespace:
  6722. description: |-
  6723. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6724. to the namespace of the referent.
  6725. type: string
  6726. type: object
  6727. type: object
  6728. workloadIdentity:
  6729. properties:
  6730. clusterLocation:
  6731. type: string
  6732. clusterName:
  6733. type: string
  6734. clusterProjectID:
  6735. type: string
  6736. serviceAccountRef:
  6737. description: A reference to a ServiceAccount resource.
  6738. properties:
  6739. audiences:
  6740. description: |-
  6741. Audience specifies the `aud` claim for the service account token
  6742. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6743. then this audiences will be appended to the list
  6744. items:
  6745. type: string
  6746. type: array
  6747. name:
  6748. description: The name of the ServiceAccount resource being referred to.
  6749. type: string
  6750. namespace:
  6751. description: |-
  6752. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6753. to the namespace of the referent.
  6754. type: string
  6755. required:
  6756. - name
  6757. type: object
  6758. required:
  6759. - clusterLocation
  6760. - clusterName
  6761. - serviceAccountRef
  6762. type: object
  6763. type: object
  6764. projectID:
  6765. description: ProjectID project where secret is located
  6766. type: string
  6767. type: object
  6768. gitlab:
  6769. description: GitLab configures this store to sync secrets using GitLab Variables provider
  6770. properties:
  6771. auth:
  6772. description: Auth configures how secret-manager authenticates with a GitLab instance.
  6773. properties:
  6774. SecretRef:
  6775. properties:
  6776. accessToken:
  6777. description: AccessToken is used for authentication.
  6778. properties:
  6779. key:
  6780. description: |-
  6781. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6782. defaulted, in others it may be required.
  6783. type: string
  6784. name:
  6785. description: The name of the Secret resource being referred to.
  6786. type: string
  6787. namespace:
  6788. description: |-
  6789. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6790. to the namespace of the referent.
  6791. type: string
  6792. type: object
  6793. type: object
  6794. required:
  6795. - SecretRef
  6796. type: object
  6797. projectID:
  6798. description: ProjectID specifies a project where secrets are located.
  6799. type: string
  6800. url:
  6801. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  6802. type: string
  6803. required:
  6804. - auth
  6805. type: object
  6806. ibm:
  6807. description: IBM configures this store to sync secrets using IBM Cloud provider
  6808. properties:
  6809. auth:
  6810. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  6811. properties:
  6812. secretRef:
  6813. properties:
  6814. secretApiKeySecretRef:
  6815. description: The SecretAccessKey is used for authentication
  6816. properties:
  6817. key:
  6818. description: |-
  6819. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6820. defaulted, in others it may be required.
  6821. type: string
  6822. name:
  6823. description: The name of the Secret resource being referred to.
  6824. type: string
  6825. namespace:
  6826. description: |-
  6827. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6828. to the namespace of the referent.
  6829. type: string
  6830. type: object
  6831. type: object
  6832. required:
  6833. - secretRef
  6834. type: object
  6835. serviceUrl:
  6836. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  6837. type: string
  6838. required:
  6839. - auth
  6840. type: object
  6841. kubernetes:
  6842. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  6843. properties:
  6844. auth:
  6845. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  6846. maxProperties: 1
  6847. minProperties: 1
  6848. properties:
  6849. cert:
  6850. description: has both clientCert and clientKey as secretKeySelector
  6851. properties:
  6852. clientCert:
  6853. description: |-
  6854. A reference to a specific 'key' within a Secret resource,
  6855. In some instances, `key` is a required field.
  6856. properties:
  6857. key:
  6858. description: |-
  6859. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6860. defaulted, in others it may be required.
  6861. type: string
  6862. name:
  6863. description: The name of the Secret resource being referred to.
  6864. type: string
  6865. namespace:
  6866. description: |-
  6867. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6868. to the namespace of the referent.
  6869. type: string
  6870. type: object
  6871. clientKey:
  6872. description: |-
  6873. A reference to a specific 'key' within a Secret resource,
  6874. In some instances, `key` is a required field.
  6875. properties:
  6876. key:
  6877. description: |-
  6878. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6879. defaulted, in others it may be required.
  6880. type: string
  6881. name:
  6882. description: The name of the Secret resource being referred to.
  6883. type: string
  6884. namespace:
  6885. description: |-
  6886. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6887. to the namespace of the referent.
  6888. type: string
  6889. type: object
  6890. type: object
  6891. serviceAccount:
  6892. description: points to a service account that should be used for authentication
  6893. properties:
  6894. serviceAccount:
  6895. description: A reference to a ServiceAccount resource.
  6896. properties:
  6897. audiences:
  6898. description: |-
  6899. Audience specifies the `aud` claim for the service account token
  6900. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6901. then this audiences will be appended to the list
  6902. items:
  6903. type: string
  6904. type: array
  6905. name:
  6906. description: The name of the ServiceAccount resource being referred to.
  6907. type: string
  6908. namespace:
  6909. description: |-
  6910. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6911. to the namespace of the referent.
  6912. type: string
  6913. required:
  6914. - name
  6915. type: object
  6916. type: object
  6917. token:
  6918. description: use static token to authenticate with
  6919. properties:
  6920. bearerToken:
  6921. description: |-
  6922. A reference to a specific 'key' within a Secret resource,
  6923. In some instances, `key` is a required field.
  6924. properties:
  6925. key:
  6926. description: |-
  6927. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6928. defaulted, in others it may be required.
  6929. type: string
  6930. name:
  6931. description: The name of the Secret resource being referred to.
  6932. type: string
  6933. namespace:
  6934. description: |-
  6935. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6936. to the namespace of the referent.
  6937. type: string
  6938. type: object
  6939. type: object
  6940. type: object
  6941. remoteNamespace:
  6942. default: default
  6943. description: Remote namespace to fetch the secrets from
  6944. type: string
  6945. server:
  6946. description: configures the Kubernetes server Address.
  6947. properties:
  6948. caBundle:
  6949. description: CABundle is a base64-encoded CA certificate
  6950. format: byte
  6951. type: string
  6952. caProvider:
  6953. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  6954. properties:
  6955. key:
  6956. description: The key the value inside of the provider type to use, only used with "Secret" type
  6957. type: string
  6958. name:
  6959. description: The name of the object located at the provider type.
  6960. type: string
  6961. namespace:
  6962. description: The namespace the Provider type is in.
  6963. type: string
  6964. type:
  6965. description: The type of provider to use such as "Secret", or "ConfigMap".
  6966. enum:
  6967. - Secret
  6968. - ConfigMap
  6969. type: string
  6970. required:
  6971. - name
  6972. - type
  6973. type: object
  6974. url:
  6975. default: kubernetes.default
  6976. description: configures the Kubernetes server Address.
  6977. type: string
  6978. type: object
  6979. required:
  6980. - auth
  6981. type: object
  6982. oracle:
  6983. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6984. properties:
  6985. auth:
  6986. description: |-
  6987. Auth configures how secret-manager authenticates with the Oracle Vault.
  6988. If empty, instance principal is used. Optionally, the authenticating principal type
  6989. and/or user data may be supplied for the use of workload identity and user principal.
  6990. properties:
  6991. secretRef:
  6992. description: SecretRef to pass through sensitive information.
  6993. properties:
  6994. fingerprint:
  6995. description: Fingerprint is the fingerprint of the API private key.
  6996. properties:
  6997. key:
  6998. description: |-
  6999. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7000. defaulted, in others it may be required.
  7001. type: string
  7002. name:
  7003. description: The name of the Secret resource being referred to.
  7004. type: string
  7005. namespace:
  7006. description: |-
  7007. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7008. to the namespace of the referent.
  7009. type: string
  7010. type: object
  7011. privatekey:
  7012. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  7013. properties:
  7014. key:
  7015. description: |-
  7016. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7017. defaulted, in others it may be required.
  7018. type: string
  7019. name:
  7020. description: The name of the Secret resource being referred to.
  7021. type: string
  7022. namespace:
  7023. description: |-
  7024. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7025. to the namespace of the referent.
  7026. type: string
  7027. type: object
  7028. required:
  7029. - fingerprint
  7030. - privatekey
  7031. type: object
  7032. tenancy:
  7033. description: Tenancy is the tenancy OCID where user is located.
  7034. type: string
  7035. user:
  7036. description: User is an access OCID specific to the account.
  7037. type: string
  7038. required:
  7039. - secretRef
  7040. - tenancy
  7041. - user
  7042. type: object
  7043. compartment:
  7044. description: |-
  7045. Compartment is the vault compartment OCID.
  7046. Required for PushSecret
  7047. type: string
  7048. encryptionKey:
  7049. description: |-
  7050. EncryptionKey is the OCID of the encryption key within the vault.
  7051. Required for PushSecret
  7052. type: string
  7053. principalType:
  7054. description: |-
  7055. The type of principal to use for authentication. If left blank, the Auth struct will
  7056. determine the principal type. This optional field must be specified if using
  7057. workload identity.
  7058. enum:
  7059. - ""
  7060. - UserPrincipal
  7061. - InstancePrincipal
  7062. - Workload
  7063. type: string
  7064. region:
  7065. description: Region is the region where vault is located.
  7066. type: string
  7067. serviceAccountRef:
  7068. description: |-
  7069. ServiceAccountRef specified the service account
  7070. that should be used when authenticating with WorkloadIdentity.
  7071. properties:
  7072. audiences:
  7073. description: |-
  7074. Audience specifies the `aud` claim for the service account token
  7075. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7076. then this audiences will be appended to the list
  7077. items:
  7078. type: string
  7079. type: array
  7080. name:
  7081. description: The name of the ServiceAccount resource being referred to.
  7082. type: string
  7083. namespace:
  7084. description: |-
  7085. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7086. to the namespace of the referent.
  7087. type: string
  7088. required:
  7089. - name
  7090. type: object
  7091. vault:
  7092. description: Vault is the vault's OCID of the specific vault where secret is located.
  7093. type: string
  7094. required:
  7095. - region
  7096. - vault
  7097. type: object
  7098. passworddepot:
  7099. description: Configures a store to sync secrets with a Password Depot instance.
  7100. properties:
  7101. auth:
  7102. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  7103. properties:
  7104. secretRef:
  7105. properties:
  7106. credentials:
  7107. description: Username / Password is used for authentication.
  7108. properties:
  7109. key:
  7110. description: |-
  7111. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7112. defaulted, in others it may be required.
  7113. type: string
  7114. name:
  7115. description: The name of the Secret resource being referred to.
  7116. type: string
  7117. namespace:
  7118. description: |-
  7119. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7120. to the namespace of the referent.
  7121. type: string
  7122. type: object
  7123. type: object
  7124. required:
  7125. - secretRef
  7126. type: object
  7127. database:
  7128. description: Database to use as source
  7129. type: string
  7130. host:
  7131. description: URL configures the Password Depot instance URL.
  7132. type: string
  7133. required:
  7134. - auth
  7135. - database
  7136. - host
  7137. type: object
  7138. vault:
  7139. description: Vault configures this store to sync secrets using Hashi provider
  7140. properties:
  7141. auth:
  7142. description: Auth configures how secret-manager authenticates with the Vault server.
  7143. properties:
  7144. appRole:
  7145. description: |-
  7146. AppRole authenticates with Vault using the App Role auth mechanism,
  7147. with the role and secret stored in a Kubernetes Secret resource.
  7148. properties:
  7149. path:
  7150. default: approle
  7151. description: |-
  7152. Path where the App Role authentication backend is mounted
  7153. in Vault, e.g: "approle"
  7154. type: string
  7155. roleId:
  7156. description: |-
  7157. RoleID configured in the App Role authentication backend when setting
  7158. up the authentication backend in Vault.
  7159. type: string
  7160. secretRef:
  7161. description: |-
  7162. Reference to a key in a Secret that contains the App Role secret used
  7163. to authenticate with Vault.
  7164. The `key` field must be specified and denotes which entry within the Secret
  7165. resource is used as the app role secret.
  7166. properties:
  7167. key:
  7168. description: |-
  7169. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7170. defaulted, in others it may be required.
  7171. type: string
  7172. name:
  7173. description: The name of the Secret resource being referred to.
  7174. type: string
  7175. namespace:
  7176. description: |-
  7177. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7178. to the namespace of the referent.
  7179. type: string
  7180. type: object
  7181. required:
  7182. - path
  7183. - roleId
  7184. - secretRef
  7185. type: object
  7186. cert:
  7187. description: |-
  7188. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7189. Cert authentication method
  7190. properties:
  7191. clientCert:
  7192. description: |-
  7193. ClientCert is a certificate to authenticate using the Cert Vault
  7194. authentication method
  7195. properties:
  7196. key:
  7197. description: |-
  7198. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7199. defaulted, in others it may be required.
  7200. type: string
  7201. name:
  7202. description: The name of the Secret resource being referred to.
  7203. type: string
  7204. namespace:
  7205. description: |-
  7206. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7207. to the namespace of the referent.
  7208. type: string
  7209. type: object
  7210. secretRef:
  7211. description: |-
  7212. SecretRef to a key in a Secret resource containing client private key to
  7213. authenticate with Vault using the Cert authentication method
  7214. properties:
  7215. key:
  7216. description: |-
  7217. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7218. defaulted, in others it may be required.
  7219. type: string
  7220. name:
  7221. description: The name of the Secret resource being referred to.
  7222. type: string
  7223. namespace:
  7224. description: |-
  7225. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7226. to the namespace of the referent.
  7227. type: string
  7228. type: object
  7229. type: object
  7230. jwt:
  7231. description: |-
  7232. Jwt authenticates with Vault by passing role and JWT token using the
  7233. JWT/OIDC authentication method
  7234. properties:
  7235. kubernetesServiceAccountToken:
  7236. description: |-
  7237. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7238. a token for with the `TokenRequest` API.
  7239. properties:
  7240. audiences:
  7241. description: |-
  7242. Optional audiences field that will be used to request a temporary Kubernetes service
  7243. account token for the service account referenced by `serviceAccountRef`.
  7244. Defaults to a single audience `vault` it not specified.
  7245. items:
  7246. type: string
  7247. type: array
  7248. expirationSeconds:
  7249. description: |-
  7250. Optional expiration time in seconds that will be used to request a temporary
  7251. Kubernetes service account token for the service account referenced by
  7252. `serviceAccountRef`.
  7253. Defaults to 10 minutes.
  7254. format: int64
  7255. type: integer
  7256. serviceAccountRef:
  7257. description: Service account field containing the name of a kubernetes ServiceAccount.
  7258. properties:
  7259. audiences:
  7260. description: |-
  7261. Audience specifies the `aud` claim for the service account token
  7262. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7263. then this audiences will be appended to the list
  7264. items:
  7265. type: string
  7266. type: array
  7267. name:
  7268. description: The name of the ServiceAccount resource being referred to.
  7269. type: string
  7270. namespace:
  7271. description: |-
  7272. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7273. to the namespace of the referent.
  7274. type: string
  7275. required:
  7276. - name
  7277. type: object
  7278. required:
  7279. - serviceAccountRef
  7280. type: object
  7281. path:
  7282. default: jwt
  7283. description: |-
  7284. Path where the JWT authentication backend is mounted
  7285. in Vault, e.g: "jwt"
  7286. type: string
  7287. role:
  7288. description: |-
  7289. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7290. authentication method
  7291. type: string
  7292. secretRef:
  7293. description: |-
  7294. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7295. authenticate with Vault using the JWT/OIDC authentication method.
  7296. properties:
  7297. key:
  7298. description: |-
  7299. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7300. defaulted, in others it may be required.
  7301. type: string
  7302. name:
  7303. description: The name of the Secret resource being referred to.
  7304. type: string
  7305. namespace:
  7306. description: |-
  7307. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7308. to the namespace of the referent.
  7309. type: string
  7310. type: object
  7311. required:
  7312. - path
  7313. type: object
  7314. kubernetes:
  7315. description: |-
  7316. Kubernetes authenticates with Vault by passing the ServiceAccount
  7317. token stored in the named Secret resource to the Vault server.
  7318. properties:
  7319. mountPath:
  7320. default: kubernetes
  7321. description: |-
  7322. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7323. "kubernetes"
  7324. type: string
  7325. role:
  7326. description: |-
  7327. A required field containing the Vault Role to assume. A Role binds a
  7328. Kubernetes ServiceAccount with a set of Vault policies.
  7329. type: string
  7330. secretRef:
  7331. description: |-
  7332. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7333. for authenticating with Vault. If a name is specified without a key,
  7334. `token` is the default. If one is not specified, the one bound to
  7335. the controller will be used.
  7336. properties:
  7337. key:
  7338. description: |-
  7339. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7340. defaulted, in others it may be required.
  7341. type: string
  7342. name:
  7343. description: The name of the Secret resource being referred to.
  7344. type: string
  7345. namespace:
  7346. description: |-
  7347. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7348. to the namespace of the referent.
  7349. type: string
  7350. type: object
  7351. serviceAccountRef:
  7352. description: |-
  7353. Optional service account field containing the name of a kubernetes ServiceAccount.
  7354. If the service account is specified, the service account secret token JWT will be used
  7355. for authenticating with Vault. If the service account selector is not supplied,
  7356. the secretRef will be used instead.
  7357. properties:
  7358. audiences:
  7359. description: |-
  7360. Audience specifies the `aud` claim for the service account token
  7361. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7362. then this audiences will be appended to the list
  7363. items:
  7364. type: string
  7365. type: array
  7366. name:
  7367. description: The name of the ServiceAccount resource being referred to.
  7368. type: string
  7369. namespace:
  7370. description: |-
  7371. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7372. to the namespace of the referent.
  7373. type: string
  7374. required:
  7375. - name
  7376. type: object
  7377. required:
  7378. - mountPath
  7379. - role
  7380. type: object
  7381. ldap:
  7382. description: |-
  7383. Ldap authenticates with Vault by passing username/password pair using
  7384. the LDAP authentication method
  7385. properties:
  7386. path:
  7387. default: ldap
  7388. description: |-
  7389. Path where the LDAP authentication backend is mounted
  7390. in Vault, e.g: "ldap"
  7391. type: string
  7392. secretRef:
  7393. description: |-
  7394. SecretRef to a key in a Secret resource containing password for the LDAP
  7395. user used to authenticate with Vault using the LDAP authentication
  7396. method
  7397. properties:
  7398. key:
  7399. description: |-
  7400. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7401. defaulted, in others it may be required.
  7402. type: string
  7403. name:
  7404. description: The name of the Secret resource being referred to.
  7405. type: string
  7406. namespace:
  7407. description: |-
  7408. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7409. to the namespace of the referent.
  7410. type: string
  7411. type: object
  7412. username:
  7413. description: |-
  7414. Username is a LDAP user name used to authenticate using the LDAP Vault
  7415. authentication method
  7416. type: string
  7417. required:
  7418. - path
  7419. - username
  7420. type: object
  7421. tokenSecretRef:
  7422. description: TokenSecretRef authenticates with Vault by presenting a token.
  7423. properties:
  7424. key:
  7425. description: |-
  7426. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7427. defaulted, in others it may be required.
  7428. type: string
  7429. name:
  7430. description: The name of the Secret resource being referred to.
  7431. type: string
  7432. namespace:
  7433. description: |-
  7434. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7435. to the namespace of the referent.
  7436. type: string
  7437. type: object
  7438. type: object
  7439. caBundle:
  7440. description: |-
  7441. PEM encoded CA bundle used to validate Vault server certificate. Only used
  7442. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7443. plain HTTP protocol connection. If not set the system root certificates
  7444. are used to validate the TLS connection.
  7445. format: byte
  7446. type: string
  7447. caProvider:
  7448. description: The provider for the CA bundle to use to validate Vault server certificate.
  7449. properties:
  7450. key:
  7451. description: The key the value inside of the provider type to use, only used with "Secret" type
  7452. type: string
  7453. name:
  7454. description: The name of the object located at the provider type.
  7455. type: string
  7456. namespace:
  7457. description: The namespace the Provider type is in.
  7458. type: string
  7459. type:
  7460. description: The type of provider to use such as "Secret", or "ConfigMap".
  7461. enum:
  7462. - Secret
  7463. - ConfigMap
  7464. type: string
  7465. required:
  7466. - name
  7467. - type
  7468. type: object
  7469. forwardInconsistent:
  7470. description: |-
  7471. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7472. leader instead of simply retrying within a loop. This can increase performance if
  7473. the option is enabled serverside.
  7474. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7475. type: boolean
  7476. namespace:
  7477. description: |-
  7478. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  7479. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7480. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7481. type: string
  7482. path:
  7483. description: |-
  7484. Path is the mount path of the Vault KV backend endpoint, e.g:
  7485. "secret". The v2 KV secret engine version specific "/data" path suffix
  7486. for fetching secrets from Vault is optional and will be appended
  7487. if not present in specified path.
  7488. type: string
  7489. readYourWrites:
  7490. description: |-
  7491. ReadYourWrites ensures isolated read-after-write semantics by
  7492. providing discovered cluster replication states in each request.
  7493. More information about eventual consistency in Vault can be found here
  7494. https://www.vaultproject.io/docs/enterprise/consistency
  7495. type: boolean
  7496. server:
  7497. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7498. type: string
  7499. version:
  7500. default: v2
  7501. description: |-
  7502. Version is the Vault KV secret engine version. This can be either "v1" or
  7503. "v2". Version defaults to "v2".
  7504. enum:
  7505. - v1
  7506. - v2
  7507. type: string
  7508. required:
  7509. - auth
  7510. - server
  7511. type: object
  7512. webhook:
  7513. description: Webhook configures this store to sync secrets using a generic templated webhook
  7514. properties:
  7515. body:
  7516. description: Body
  7517. type: string
  7518. caBundle:
  7519. description: |-
  7520. PEM encoded CA bundle used to validate webhook server certificate. Only used
  7521. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7522. plain HTTP protocol connection. If not set the system root certificates
  7523. are used to validate the TLS connection.
  7524. format: byte
  7525. type: string
  7526. caProvider:
  7527. description: The provider for the CA bundle to use to validate webhook server certificate.
  7528. properties:
  7529. key:
  7530. description: The key the value inside of the provider type to use, only used with "Secret" type
  7531. type: string
  7532. name:
  7533. description: The name of the object located at the provider type.
  7534. type: string
  7535. namespace:
  7536. description: The namespace the Provider type is in.
  7537. type: string
  7538. type:
  7539. description: The type of provider to use such as "Secret", or "ConfigMap".
  7540. enum:
  7541. - Secret
  7542. - ConfigMap
  7543. type: string
  7544. required:
  7545. - name
  7546. - type
  7547. type: object
  7548. headers:
  7549. additionalProperties:
  7550. type: string
  7551. description: Headers
  7552. type: object
  7553. method:
  7554. description: Webhook Method
  7555. type: string
  7556. result:
  7557. description: Result formatting
  7558. properties:
  7559. jsonPath:
  7560. description: Json path of return value
  7561. type: string
  7562. type: object
  7563. secrets:
  7564. description: |-
  7565. Secrets to fill in templates
  7566. These secrets will be passed to the templating function as key value pairs under the given name
  7567. items:
  7568. properties:
  7569. name:
  7570. description: Name of this secret in templates
  7571. type: string
  7572. secretRef:
  7573. description: Secret ref to fill in credentials
  7574. properties:
  7575. key:
  7576. description: |-
  7577. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7578. defaulted, in others it may be required.
  7579. type: string
  7580. name:
  7581. description: The name of the Secret resource being referred to.
  7582. type: string
  7583. namespace:
  7584. description: |-
  7585. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7586. to the namespace of the referent.
  7587. type: string
  7588. type: object
  7589. required:
  7590. - name
  7591. - secretRef
  7592. type: object
  7593. type: array
  7594. timeout:
  7595. description: Timeout
  7596. type: string
  7597. url:
  7598. description: Webhook url to call
  7599. type: string
  7600. required:
  7601. - result
  7602. - url
  7603. type: object
  7604. yandexlockbox:
  7605. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  7606. properties:
  7607. apiEndpoint:
  7608. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  7609. type: string
  7610. auth:
  7611. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  7612. properties:
  7613. authorizedKeySecretRef:
  7614. description: The authorized key used for authentication
  7615. properties:
  7616. key:
  7617. description: |-
  7618. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7619. defaulted, in others it may be required.
  7620. type: string
  7621. name:
  7622. description: The name of the Secret resource being referred to.
  7623. type: string
  7624. namespace:
  7625. description: |-
  7626. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7627. to the namespace of the referent.
  7628. type: string
  7629. type: object
  7630. type: object
  7631. caProvider:
  7632. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  7633. properties:
  7634. certSecretRef:
  7635. description: |-
  7636. A reference to a specific 'key' within a Secret resource,
  7637. In some instances, `key` is a required field.
  7638. properties:
  7639. key:
  7640. description: |-
  7641. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7642. defaulted, in others it may be required.
  7643. type: string
  7644. name:
  7645. description: The name of the Secret resource being referred to.
  7646. type: string
  7647. namespace:
  7648. description: |-
  7649. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7650. to the namespace of the referent.
  7651. type: string
  7652. type: object
  7653. type: object
  7654. required:
  7655. - auth
  7656. type: object
  7657. type: object
  7658. retrySettings:
  7659. description: Used to configure http retries if failed
  7660. properties:
  7661. maxRetries:
  7662. format: int32
  7663. type: integer
  7664. retryInterval:
  7665. type: string
  7666. type: object
  7667. required:
  7668. - provider
  7669. type: object
  7670. status:
  7671. description: SecretStoreStatus defines the observed state of the SecretStore.
  7672. properties:
  7673. conditions:
  7674. items:
  7675. properties:
  7676. lastTransitionTime:
  7677. format: date-time
  7678. type: string
  7679. message:
  7680. type: string
  7681. reason:
  7682. type: string
  7683. status:
  7684. type: string
  7685. type:
  7686. type: string
  7687. required:
  7688. - status
  7689. - type
  7690. type: object
  7691. type: array
  7692. type: object
  7693. type: object
  7694. served: true
  7695. storage: false
  7696. subresources:
  7697. status: {}
  7698. - additionalPrinterColumns:
  7699. - jsonPath: .metadata.creationTimestamp
  7700. name: AGE
  7701. type: date
  7702. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  7703. name: Status
  7704. type: string
  7705. - jsonPath: .status.capabilities
  7706. name: Capabilities
  7707. type: string
  7708. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  7709. name: Ready
  7710. type: string
  7711. name: v1beta1
  7712. schema:
  7713. openAPIV3Schema:
  7714. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  7715. properties:
  7716. apiVersion:
  7717. description: |-
  7718. APIVersion defines the versioned schema of this representation of an object.
  7719. Servers should convert recognized schemas to the latest internal value, and
  7720. may reject unrecognized values.
  7721. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  7722. type: string
  7723. kind:
  7724. description: |-
  7725. Kind is a string value representing the REST resource this object represents.
  7726. Servers may infer this from the endpoint the client submits requests to.
  7727. Cannot be updated.
  7728. In CamelCase.
  7729. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  7730. type: string
  7731. metadata:
  7732. type: object
  7733. spec:
  7734. description: SecretStoreSpec defines the desired state of SecretStore.
  7735. properties:
  7736. conditions:
  7737. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  7738. items:
  7739. description: |-
  7740. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  7741. for a ClusterSecretStore instance.
  7742. properties:
  7743. namespaceSelector:
  7744. description: Choose namespace using a labelSelector
  7745. properties:
  7746. matchExpressions:
  7747. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  7748. items:
  7749. description: |-
  7750. A label selector requirement is a selector that contains values, a key, and an operator that
  7751. relates the key and values.
  7752. properties:
  7753. key:
  7754. description: key is the label key that the selector applies to.
  7755. type: string
  7756. operator:
  7757. description: |-
  7758. operator represents a key's relationship to a set of values.
  7759. Valid operators are In, NotIn, Exists and DoesNotExist.
  7760. type: string
  7761. values:
  7762. description: |-
  7763. values is an array of string values. If the operator is In or NotIn,
  7764. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  7765. the values array must be empty. This array is replaced during a strategic
  7766. merge patch.
  7767. items:
  7768. type: string
  7769. type: array
  7770. x-kubernetes-list-type: atomic
  7771. required:
  7772. - key
  7773. - operator
  7774. type: object
  7775. type: array
  7776. x-kubernetes-list-type: atomic
  7777. matchLabels:
  7778. additionalProperties:
  7779. type: string
  7780. description: |-
  7781. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  7782. map is equivalent to an element of matchExpressions, whose key field is "key", the
  7783. operator is "In", and the values array contains only "value". The requirements are ANDed.
  7784. type: object
  7785. type: object
  7786. x-kubernetes-map-type: atomic
  7787. namespaces:
  7788. description: Choose namespaces by name
  7789. items:
  7790. type: string
  7791. type: array
  7792. type: object
  7793. type: array
  7794. controller:
  7795. description: |-
  7796. Used to select the correct ESO controller (think: ingress.ingressClassName)
  7797. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  7798. type: string
  7799. provider:
  7800. description: Used to configure the provider. Only one provider may be set
  7801. maxProperties: 1
  7802. minProperties: 1
  7803. properties:
  7804. akeyless:
  7805. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  7806. properties:
  7807. akeylessGWApiURL:
  7808. description: Akeyless GW API Url from which the secrets to be fetched from.
  7809. type: string
  7810. authSecretRef:
  7811. description: Auth configures how the operator authenticates with Akeyless.
  7812. properties:
  7813. kubernetesAuth:
  7814. description: |-
  7815. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  7816. token stored in the named Secret resource.
  7817. properties:
  7818. accessID:
  7819. description: the Akeyless Kubernetes auth-method access-id
  7820. type: string
  7821. k8sConfName:
  7822. description: Kubernetes-auth configuration name in Akeyless-Gateway
  7823. type: string
  7824. secretRef:
  7825. description: |-
  7826. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7827. for authenticating with Akeyless. If a name is specified without a key,
  7828. `token` is the default. If one is not specified, the one bound to
  7829. the controller will be used.
  7830. properties:
  7831. key:
  7832. description: |-
  7833. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7834. defaulted, in others it may be required.
  7835. type: string
  7836. name:
  7837. description: The name of the Secret resource being referred to.
  7838. type: string
  7839. namespace:
  7840. description: |-
  7841. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7842. to the namespace of the referent.
  7843. type: string
  7844. type: object
  7845. serviceAccountRef:
  7846. description: |-
  7847. Optional service account field containing the name of a kubernetes ServiceAccount.
  7848. If the service account is specified, the service account secret token JWT will be used
  7849. for authenticating with Akeyless. If the service account selector is not supplied,
  7850. the secretRef will be used instead.
  7851. properties:
  7852. audiences:
  7853. description: |-
  7854. Audience specifies the `aud` claim for the service account token
  7855. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7856. then this audiences will be appended to the list
  7857. items:
  7858. type: string
  7859. type: array
  7860. name:
  7861. description: The name of the ServiceAccount resource being referred to.
  7862. type: string
  7863. namespace:
  7864. description: |-
  7865. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7866. to the namespace of the referent.
  7867. type: string
  7868. required:
  7869. - name
  7870. type: object
  7871. required:
  7872. - accessID
  7873. - k8sConfName
  7874. type: object
  7875. secretRef:
  7876. description: |-
  7877. Reference to a Secret that contains the details
  7878. to authenticate with Akeyless.
  7879. properties:
  7880. accessID:
  7881. description: The SecretAccessID is used for authentication
  7882. properties:
  7883. key:
  7884. description: |-
  7885. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7886. defaulted, in others it may be required.
  7887. type: string
  7888. name:
  7889. description: The name of the Secret resource being referred to.
  7890. type: string
  7891. namespace:
  7892. description: |-
  7893. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7894. to the namespace of the referent.
  7895. type: string
  7896. type: object
  7897. accessType:
  7898. description: |-
  7899. A reference to a specific 'key' within a Secret resource,
  7900. In some instances, `key` is a required field.
  7901. properties:
  7902. key:
  7903. description: |-
  7904. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7905. defaulted, in others it may be required.
  7906. type: string
  7907. name:
  7908. description: The name of the Secret resource being referred to.
  7909. type: string
  7910. namespace:
  7911. description: |-
  7912. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7913. to the namespace of the referent.
  7914. type: string
  7915. type: object
  7916. accessTypeParam:
  7917. description: |-
  7918. A reference to a specific 'key' within a Secret resource,
  7919. In some instances, `key` is a required field.
  7920. properties:
  7921. key:
  7922. description: |-
  7923. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7924. defaulted, in others it may be required.
  7925. type: string
  7926. name:
  7927. description: The name of the Secret resource being referred to.
  7928. type: string
  7929. namespace:
  7930. description: |-
  7931. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7932. to the namespace of the referent.
  7933. type: string
  7934. type: object
  7935. type: object
  7936. type: object
  7937. caBundle:
  7938. description: |-
  7939. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  7940. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  7941. are used to validate the TLS connection.
  7942. format: byte
  7943. type: string
  7944. caProvider:
  7945. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  7946. properties:
  7947. key:
  7948. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7949. type: string
  7950. name:
  7951. description: The name of the object located at the provider type.
  7952. type: string
  7953. namespace:
  7954. description: |-
  7955. The namespace the Provider type is in.
  7956. Can only be defined when used in a ClusterSecretStore.
  7957. type: string
  7958. type:
  7959. description: The type of provider to use such as "Secret", or "ConfigMap".
  7960. enum:
  7961. - Secret
  7962. - ConfigMap
  7963. type: string
  7964. required:
  7965. - name
  7966. - type
  7967. type: object
  7968. required:
  7969. - akeylessGWApiURL
  7970. - authSecretRef
  7971. type: object
  7972. alibaba:
  7973. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  7974. properties:
  7975. auth:
  7976. description: AlibabaAuth contains a secretRef for credentials.
  7977. properties:
  7978. rrsa:
  7979. description: Authenticate against Alibaba using RRSA.
  7980. properties:
  7981. oidcProviderArn:
  7982. type: string
  7983. oidcTokenFilePath:
  7984. type: string
  7985. roleArn:
  7986. type: string
  7987. sessionName:
  7988. type: string
  7989. required:
  7990. - oidcProviderArn
  7991. - oidcTokenFilePath
  7992. - roleArn
  7993. - sessionName
  7994. type: object
  7995. secretRef:
  7996. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  7997. properties:
  7998. accessKeyIDSecretRef:
  7999. description: The AccessKeyID is used for authentication
  8000. properties:
  8001. key:
  8002. description: |-
  8003. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8004. defaulted, in others it may be required.
  8005. type: string
  8006. name:
  8007. description: The name of the Secret resource being referred to.
  8008. type: string
  8009. namespace:
  8010. description: |-
  8011. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8012. to the namespace of the referent.
  8013. type: string
  8014. type: object
  8015. accessKeySecretSecretRef:
  8016. description: The AccessKeySecret is used for authentication
  8017. properties:
  8018. key:
  8019. description: |-
  8020. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8021. defaulted, in others it may be required.
  8022. type: string
  8023. name:
  8024. description: The name of the Secret resource being referred to.
  8025. type: string
  8026. namespace:
  8027. description: |-
  8028. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8029. to the namespace of the referent.
  8030. type: string
  8031. type: object
  8032. required:
  8033. - accessKeyIDSecretRef
  8034. - accessKeySecretSecretRef
  8035. type: object
  8036. type: object
  8037. regionID:
  8038. description: Alibaba Region to be used for the provider
  8039. type: string
  8040. required:
  8041. - auth
  8042. - regionID
  8043. type: object
  8044. aws:
  8045. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  8046. properties:
  8047. additionalRoles:
  8048. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  8049. items:
  8050. type: string
  8051. type: array
  8052. auth:
  8053. description: |-
  8054. Auth defines the information necessary to authenticate against AWS
  8055. if not set aws sdk will infer credentials from your environment
  8056. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  8057. properties:
  8058. jwt:
  8059. description: Authenticate against AWS using service account tokens.
  8060. properties:
  8061. serviceAccountRef:
  8062. description: A reference to a ServiceAccount resource.
  8063. properties:
  8064. audiences:
  8065. description: |-
  8066. Audience specifies the `aud` claim for the service account token
  8067. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8068. then this audiences will be appended to the list
  8069. items:
  8070. type: string
  8071. type: array
  8072. name:
  8073. description: The name of the ServiceAccount resource being referred to.
  8074. type: string
  8075. namespace:
  8076. description: |-
  8077. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8078. to the namespace of the referent.
  8079. type: string
  8080. required:
  8081. - name
  8082. type: object
  8083. type: object
  8084. secretRef:
  8085. description: |-
  8086. AWSAuthSecretRef holds secret references for AWS credentials
  8087. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  8088. properties:
  8089. accessKeyIDSecretRef:
  8090. description: The AccessKeyID is used for authentication
  8091. properties:
  8092. key:
  8093. description: |-
  8094. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8095. defaulted, in others it may be required.
  8096. type: string
  8097. name:
  8098. description: The name of the Secret resource being referred to.
  8099. type: string
  8100. namespace:
  8101. description: |-
  8102. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8103. to the namespace of the referent.
  8104. type: string
  8105. type: object
  8106. secretAccessKeySecretRef:
  8107. description: The SecretAccessKey is used for authentication
  8108. properties:
  8109. key:
  8110. description: |-
  8111. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8112. defaulted, in others it may be required.
  8113. type: string
  8114. name:
  8115. description: The name of the Secret resource being referred to.
  8116. type: string
  8117. namespace:
  8118. description: |-
  8119. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8120. to the namespace of the referent.
  8121. type: string
  8122. type: object
  8123. sessionTokenSecretRef:
  8124. description: |-
  8125. The SessionToken used for authentication
  8126. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  8127. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  8128. properties:
  8129. key:
  8130. description: |-
  8131. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8132. defaulted, in others it may be required.
  8133. type: string
  8134. name:
  8135. description: The name of the Secret resource being referred to.
  8136. type: string
  8137. namespace:
  8138. description: |-
  8139. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8140. to the namespace of the referent.
  8141. type: string
  8142. type: object
  8143. type: object
  8144. type: object
  8145. externalID:
  8146. description: AWS External ID set on assumed IAM roles
  8147. type: string
  8148. region:
  8149. description: AWS Region to be used for the provider
  8150. type: string
  8151. role:
  8152. description: Role is a Role ARN which the provider will assume
  8153. type: string
  8154. secretsManager:
  8155. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  8156. properties:
  8157. forceDeleteWithoutRecovery:
  8158. description: |-
  8159. Specifies whether to delete the secret without any recovery window. You
  8160. can't use both this parameter and RecoveryWindowInDays in the same call.
  8161. If you don't use either, then by default Secrets Manager uses a 30 day
  8162. recovery window.
  8163. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  8164. type: boolean
  8165. recoveryWindowInDays:
  8166. description: |-
  8167. The number of days from 7 to 30 that Secrets Manager waits before
  8168. permanently deleting the secret. You can't use both this parameter and
  8169. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  8170. then by default Secrets Manager uses a 30 day recovery window.
  8171. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  8172. format: int64
  8173. type: integer
  8174. type: object
  8175. service:
  8176. description: Service defines which service should be used to fetch the secrets
  8177. enum:
  8178. - SecretsManager
  8179. - ParameterStore
  8180. type: string
  8181. sessionTags:
  8182. description: AWS STS assume role session tags
  8183. items:
  8184. properties:
  8185. key:
  8186. type: string
  8187. value:
  8188. type: string
  8189. required:
  8190. - key
  8191. - value
  8192. type: object
  8193. type: array
  8194. transitiveTagKeys:
  8195. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  8196. items:
  8197. type: string
  8198. type: array
  8199. required:
  8200. - region
  8201. - service
  8202. type: object
  8203. azurekv:
  8204. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  8205. properties:
  8206. authSecretRef:
  8207. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  8208. properties:
  8209. clientCertificate:
  8210. description: The Azure ClientCertificate of the service principle used for authentication.
  8211. properties:
  8212. key:
  8213. description: |-
  8214. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8215. defaulted, in others it may be required.
  8216. type: string
  8217. name:
  8218. description: The name of the Secret resource being referred to.
  8219. type: string
  8220. namespace:
  8221. description: |-
  8222. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8223. to the namespace of the referent.
  8224. type: string
  8225. type: object
  8226. clientId:
  8227. description: The Azure clientId of the service principle or managed identity used for authentication.
  8228. properties:
  8229. key:
  8230. description: |-
  8231. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8232. defaulted, in others it may be required.
  8233. type: string
  8234. name:
  8235. description: The name of the Secret resource being referred to.
  8236. type: string
  8237. namespace:
  8238. description: |-
  8239. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8240. to the namespace of the referent.
  8241. type: string
  8242. type: object
  8243. clientSecret:
  8244. description: The Azure ClientSecret of the service principle used for authentication.
  8245. properties:
  8246. key:
  8247. description: |-
  8248. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8249. defaulted, in others it may be required.
  8250. type: string
  8251. name:
  8252. description: The name of the Secret resource being referred to.
  8253. type: string
  8254. namespace:
  8255. description: |-
  8256. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8257. to the namespace of the referent.
  8258. type: string
  8259. type: object
  8260. tenantId:
  8261. description: The Azure tenantId of the managed identity used for authentication.
  8262. properties:
  8263. key:
  8264. description: |-
  8265. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8266. defaulted, in others it may be required.
  8267. type: string
  8268. name:
  8269. description: The name of the Secret resource being referred to.
  8270. type: string
  8271. namespace:
  8272. description: |-
  8273. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8274. to the namespace of the referent.
  8275. type: string
  8276. type: object
  8277. type: object
  8278. authType:
  8279. default: ServicePrincipal
  8280. description: |-
  8281. Auth type defines how to authenticate to the keyvault service.
  8282. Valid values are:
  8283. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  8284. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  8285. enum:
  8286. - ServicePrincipal
  8287. - ManagedIdentity
  8288. - WorkloadIdentity
  8289. type: string
  8290. environmentType:
  8291. default: PublicCloud
  8292. description: |-
  8293. EnvironmentType specifies the Azure cloud environment endpoints to use for
  8294. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  8295. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  8296. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  8297. enum:
  8298. - PublicCloud
  8299. - USGovernmentCloud
  8300. - ChinaCloud
  8301. - GermanCloud
  8302. type: string
  8303. identityId:
  8304. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  8305. type: string
  8306. serviceAccountRef:
  8307. description: |-
  8308. ServiceAccountRef specified the service account
  8309. that should be used when authenticating with WorkloadIdentity.
  8310. properties:
  8311. audiences:
  8312. description: |-
  8313. Audience specifies the `aud` claim for the service account token
  8314. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8315. then this audiences will be appended to the list
  8316. items:
  8317. type: string
  8318. type: array
  8319. name:
  8320. description: The name of the ServiceAccount resource being referred to.
  8321. type: string
  8322. namespace:
  8323. description: |-
  8324. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8325. to the namespace of the referent.
  8326. type: string
  8327. required:
  8328. - name
  8329. type: object
  8330. tenantId:
  8331. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  8332. type: string
  8333. vaultUrl:
  8334. description: Vault Url from which the secrets to be fetched from.
  8335. type: string
  8336. required:
  8337. - vaultUrl
  8338. type: object
  8339. chef:
  8340. description: Chef configures this store to sync secrets with chef server
  8341. properties:
  8342. auth:
  8343. description: Auth defines the information necessary to authenticate against chef Server
  8344. properties:
  8345. secretRef:
  8346. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  8347. properties:
  8348. privateKeySecretRef:
  8349. description: SecretKey is the Signing Key in PEM format, used for authentication.
  8350. properties:
  8351. key:
  8352. description: |-
  8353. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8354. defaulted, in others it may be required.
  8355. type: string
  8356. name:
  8357. description: The name of the Secret resource being referred to.
  8358. type: string
  8359. namespace:
  8360. description: |-
  8361. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8362. to the namespace of the referent.
  8363. type: string
  8364. type: object
  8365. required:
  8366. - privateKeySecretRef
  8367. type: object
  8368. required:
  8369. - secretRef
  8370. type: object
  8371. serverUrl:
  8372. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  8373. type: string
  8374. username:
  8375. description: UserName should be the user ID on the chef server
  8376. type: string
  8377. required:
  8378. - auth
  8379. - serverUrl
  8380. - username
  8381. type: object
  8382. conjur:
  8383. description: Conjur configures this store to sync secrets using conjur provider
  8384. properties:
  8385. auth:
  8386. properties:
  8387. apikey:
  8388. properties:
  8389. account:
  8390. type: string
  8391. apiKeyRef:
  8392. description: |-
  8393. A reference to a specific 'key' within a Secret resource,
  8394. In some instances, `key` is a required field.
  8395. properties:
  8396. key:
  8397. description: |-
  8398. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8399. defaulted, in others it may be required.
  8400. type: string
  8401. name:
  8402. description: The name of the Secret resource being referred to.
  8403. type: string
  8404. namespace:
  8405. description: |-
  8406. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8407. to the namespace of the referent.
  8408. type: string
  8409. type: object
  8410. userRef:
  8411. description: |-
  8412. A reference to a specific 'key' within a Secret resource,
  8413. In some instances, `key` is a required field.
  8414. properties:
  8415. key:
  8416. description: |-
  8417. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8418. defaulted, in others it may be required.
  8419. type: string
  8420. name:
  8421. description: The name of the Secret resource being referred to.
  8422. type: string
  8423. namespace:
  8424. description: |-
  8425. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8426. to the namespace of the referent.
  8427. type: string
  8428. type: object
  8429. required:
  8430. - account
  8431. - apiKeyRef
  8432. - userRef
  8433. type: object
  8434. jwt:
  8435. properties:
  8436. account:
  8437. type: string
  8438. hostId:
  8439. description: |-
  8440. Optional HostID for JWT authentication. This may be used depending
  8441. on how the Conjur JWT authenticator policy is configured.
  8442. type: string
  8443. secretRef:
  8444. description: |-
  8445. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  8446. authenticate with Conjur using the JWT authentication method.
  8447. properties:
  8448. key:
  8449. description: |-
  8450. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8451. defaulted, in others it may be required.
  8452. type: string
  8453. name:
  8454. description: The name of the Secret resource being referred to.
  8455. type: string
  8456. namespace:
  8457. description: |-
  8458. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8459. to the namespace of the referent.
  8460. type: string
  8461. type: object
  8462. serviceAccountRef:
  8463. description: |-
  8464. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  8465. a token for with the `TokenRequest` API.
  8466. properties:
  8467. audiences:
  8468. description: |-
  8469. Audience specifies the `aud` claim for the service account token
  8470. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8471. then this audiences will be appended to the list
  8472. items:
  8473. type: string
  8474. type: array
  8475. name:
  8476. description: The name of the ServiceAccount resource being referred to.
  8477. type: string
  8478. namespace:
  8479. description: |-
  8480. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8481. to the namespace of the referent.
  8482. type: string
  8483. required:
  8484. - name
  8485. type: object
  8486. serviceID:
  8487. description: The conjur authn jwt webservice id
  8488. type: string
  8489. required:
  8490. - account
  8491. - serviceID
  8492. type: object
  8493. type: object
  8494. caBundle:
  8495. type: string
  8496. caProvider:
  8497. description: |-
  8498. Used to provide custom certificate authority (CA) certificates
  8499. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  8500. that contains a PEM-encoded certificate.
  8501. properties:
  8502. key:
  8503. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8504. type: string
  8505. name:
  8506. description: The name of the object located at the provider type.
  8507. type: string
  8508. namespace:
  8509. description: |-
  8510. The namespace the Provider type is in.
  8511. Can only be defined when used in a ClusterSecretStore.
  8512. type: string
  8513. type:
  8514. description: The type of provider to use such as "Secret", or "ConfigMap".
  8515. enum:
  8516. - Secret
  8517. - ConfigMap
  8518. type: string
  8519. required:
  8520. - name
  8521. - type
  8522. type: object
  8523. url:
  8524. type: string
  8525. required:
  8526. - auth
  8527. - url
  8528. type: object
  8529. delinea:
  8530. description: |-
  8531. Delinea DevOps Secrets Vault
  8532. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  8533. properties:
  8534. clientId:
  8535. description: ClientID is the non-secret part of the credential.
  8536. properties:
  8537. secretRef:
  8538. description: SecretRef references a key in a secret that will be used as value.
  8539. properties:
  8540. key:
  8541. description: |-
  8542. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8543. defaulted, in others it may be required.
  8544. type: string
  8545. name:
  8546. description: The name of the Secret resource being referred to.
  8547. type: string
  8548. namespace:
  8549. description: |-
  8550. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8551. to the namespace of the referent.
  8552. type: string
  8553. type: object
  8554. value:
  8555. description: Value can be specified directly to set a value without using a secret.
  8556. type: string
  8557. type: object
  8558. clientSecret:
  8559. description: ClientSecret is the secret part of the credential.
  8560. properties:
  8561. secretRef:
  8562. description: SecretRef references a key in a secret that will be used as value.
  8563. properties:
  8564. key:
  8565. description: |-
  8566. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8567. defaulted, in others it may be required.
  8568. type: string
  8569. name:
  8570. description: The name of the Secret resource being referred to.
  8571. type: string
  8572. namespace:
  8573. description: |-
  8574. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8575. to the namespace of the referent.
  8576. type: string
  8577. type: object
  8578. value:
  8579. description: Value can be specified directly to set a value without using a secret.
  8580. type: string
  8581. type: object
  8582. tenant:
  8583. description: Tenant is the chosen hostname / site name.
  8584. type: string
  8585. tld:
  8586. description: |-
  8587. TLD is based on the server location that was chosen during provisioning.
  8588. If unset, defaults to "com".
  8589. type: string
  8590. urlTemplate:
  8591. description: |-
  8592. URLTemplate
  8593. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  8594. type: string
  8595. required:
  8596. - clientId
  8597. - clientSecret
  8598. - tenant
  8599. type: object
  8600. device42:
  8601. description: Device42 configures this store to sync secrets using the Device42 provider
  8602. properties:
  8603. auth:
  8604. description: Auth configures how secret-manager authenticates with a Device42 instance.
  8605. properties:
  8606. secretRef:
  8607. properties:
  8608. credentials:
  8609. description: Username / Password is used for authentication.
  8610. properties:
  8611. key:
  8612. description: |-
  8613. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8614. defaulted, in others it may be required.
  8615. type: string
  8616. name:
  8617. description: The name of the Secret resource being referred to.
  8618. type: string
  8619. namespace:
  8620. description: |-
  8621. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8622. to the namespace of the referent.
  8623. type: string
  8624. type: object
  8625. type: object
  8626. required:
  8627. - secretRef
  8628. type: object
  8629. host:
  8630. description: URL configures the Device42 instance URL.
  8631. type: string
  8632. required:
  8633. - auth
  8634. - host
  8635. type: object
  8636. doppler:
  8637. description: Doppler configures this store to sync secrets using the Doppler provider
  8638. properties:
  8639. auth:
  8640. description: Auth configures how the Operator authenticates with the Doppler API
  8641. properties:
  8642. secretRef:
  8643. properties:
  8644. dopplerToken:
  8645. description: |-
  8646. The DopplerToken is used for authentication.
  8647. See https://docs.doppler.com/reference/api#authentication for auth token types.
  8648. The Key attribute defaults to dopplerToken if not specified.
  8649. properties:
  8650. key:
  8651. description: |-
  8652. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8653. defaulted, in others it may be required.
  8654. type: string
  8655. name:
  8656. description: The name of the Secret resource being referred to.
  8657. type: string
  8658. namespace:
  8659. description: |-
  8660. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8661. to the namespace of the referent.
  8662. type: string
  8663. type: object
  8664. required:
  8665. - dopplerToken
  8666. type: object
  8667. required:
  8668. - secretRef
  8669. type: object
  8670. config:
  8671. description: Doppler config (required if not using a Service Token)
  8672. type: string
  8673. format:
  8674. description: Format enables the downloading of secrets as a file (string)
  8675. enum:
  8676. - json
  8677. - dotnet-json
  8678. - env
  8679. - yaml
  8680. - docker
  8681. type: string
  8682. nameTransformer:
  8683. description: Environment variable compatible name transforms that change secret names to a different format
  8684. enum:
  8685. - upper-camel
  8686. - camel
  8687. - lower-snake
  8688. - tf-var
  8689. - dotnet-env
  8690. - lower-kebab
  8691. type: string
  8692. project:
  8693. description: Doppler project (required if not using a Service Token)
  8694. type: string
  8695. required:
  8696. - auth
  8697. type: object
  8698. fake:
  8699. description: Fake configures a store with static key/value pairs
  8700. properties:
  8701. data:
  8702. items:
  8703. properties:
  8704. key:
  8705. type: string
  8706. value:
  8707. type: string
  8708. valueMap:
  8709. additionalProperties:
  8710. type: string
  8711. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  8712. type: object
  8713. version:
  8714. type: string
  8715. required:
  8716. - key
  8717. type: object
  8718. type: array
  8719. required:
  8720. - data
  8721. type: object
  8722. fortanix:
  8723. description: Fortanix configures this store to sync secrets using the Fortanix provider
  8724. properties:
  8725. apiKey:
  8726. description: APIKey is the API token to access SDKMS Applications.
  8727. properties:
  8728. secretRef:
  8729. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  8730. properties:
  8731. key:
  8732. description: |-
  8733. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8734. defaulted, in others it may be required.
  8735. type: string
  8736. name:
  8737. description: The name of the Secret resource being referred to.
  8738. type: string
  8739. namespace:
  8740. description: |-
  8741. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8742. to the namespace of the referent.
  8743. type: string
  8744. type: object
  8745. type: object
  8746. apiUrl:
  8747. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  8748. type: string
  8749. type: object
  8750. gcpsm:
  8751. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  8752. properties:
  8753. auth:
  8754. description: Auth defines the information necessary to authenticate against GCP
  8755. properties:
  8756. secretRef:
  8757. properties:
  8758. secretAccessKeySecretRef:
  8759. description: The SecretAccessKey is used for authentication
  8760. properties:
  8761. key:
  8762. description: |-
  8763. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8764. defaulted, in others it may be required.
  8765. type: string
  8766. name:
  8767. description: The name of the Secret resource being referred to.
  8768. type: string
  8769. namespace:
  8770. description: |-
  8771. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8772. to the namespace of the referent.
  8773. type: string
  8774. type: object
  8775. type: object
  8776. workloadIdentity:
  8777. properties:
  8778. clusterLocation:
  8779. type: string
  8780. clusterName:
  8781. type: string
  8782. clusterProjectID:
  8783. type: string
  8784. serviceAccountRef:
  8785. description: A reference to a ServiceAccount resource.
  8786. properties:
  8787. audiences:
  8788. description: |-
  8789. Audience specifies the `aud` claim for the service account token
  8790. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8791. then this audiences will be appended to the list
  8792. items:
  8793. type: string
  8794. type: array
  8795. name:
  8796. description: The name of the ServiceAccount resource being referred to.
  8797. type: string
  8798. namespace:
  8799. description: |-
  8800. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8801. to the namespace of the referent.
  8802. type: string
  8803. required:
  8804. - name
  8805. type: object
  8806. required:
  8807. - clusterLocation
  8808. - clusterName
  8809. - serviceAccountRef
  8810. type: object
  8811. type: object
  8812. location:
  8813. description: Location optionally defines a location for a secret
  8814. type: string
  8815. projectID:
  8816. description: ProjectID project where secret is located
  8817. type: string
  8818. type: object
  8819. gitlab:
  8820. description: GitLab configures this store to sync secrets using GitLab Variables provider
  8821. properties:
  8822. auth:
  8823. description: Auth configures how secret-manager authenticates with a GitLab instance.
  8824. properties:
  8825. SecretRef:
  8826. properties:
  8827. accessToken:
  8828. description: AccessToken is used for authentication.
  8829. properties:
  8830. key:
  8831. description: |-
  8832. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8833. defaulted, in others it may be required.
  8834. type: string
  8835. name:
  8836. description: The name of the Secret resource being referred to.
  8837. type: string
  8838. namespace:
  8839. description: |-
  8840. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8841. to the namespace of the referent.
  8842. type: string
  8843. type: object
  8844. type: object
  8845. required:
  8846. - SecretRef
  8847. type: object
  8848. environment:
  8849. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  8850. type: string
  8851. groupIDs:
  8852. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  8853. items:
  8854. type: string
  8855. type: array
  8856. inheritFromGroups:
  8857. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  8858. type: boolean
  8859. projectID:
  8860. description: ProjectID specifies a project where secrets are located.
  8861. type: string
  8862. url:
  8863. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  8864. type: string
  8865. required:
  8866. - auth
  8867. type: object
  8868. ibm:
  8869. description: IBM configures this store to sync secrets using IBM Cloud provider
  8870. properties:
  8871. auth:
  8872. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  8873. maxProperties: 1
  8874. minProperties: 1
  8875. properties:
  8876. containerAuth:
  8877. description: IBM Container-based auth with IAM Trusted Profile.
  8878. properties:
  8879. iamEndpoint:
  8880. type: string
  8881. profile:
  8882. description: the IBM Trusted Profile
  8883. type: string
  8884. tokenLocation:
  8885. description: Location the token is mounted on the pod
  8886. type: string
  8887. required:
  8888. - profile
  8889. type: object
  8890. secretRef:
  8891. properties:
  8892. secretApiKeySecretRef:
  8893. description: The SecretAccessKey is used for authentication
  8894. properties:
  8895. key:
  8896. description: |-
  8897. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8898. defaulted, in others it may be required.
  8899. type: string
  8900. name:
  8901. description: The name of the Secret resource being referred to.
  8902. type: string
  8903. namespace:
  8904. description: |-
  8905. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8906. to the namespace of the referent.
  8907. type: string
  8908. type: object
  8909. type: object
  8910. type: object
  8911. serviceUrl:
  8912. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  8913. type: string
  8914. required:
  8915. - auth
  8916. type: object
  8917. infisical:
  8918. description: Infisical configures this store to sync secrets using the Infisical provider
  8919. properties:
  8920. auth:
  8921. description: Auth configures how the Operator authenticates with the Infisical API
  8922. properties:
  8923. universalAuthCredentials:
  8924. properties:
  8925. clientId:
  8926. description: |-
  8927. A reference to a specific 'key' within a Secret resource,
  8928. In some instances, `key` is a required field.
  8929. properties:
  8930. key:
  8931. description: |-
  8932. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8933. defaulted, in others it may be required.
  8934. type: string
  8935. name:
  8936. description: The name of the Secret resource being referred to.
  8937. type: string
  8938. namespace:
  8939. description: |-
  8940. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8941. to the namespace of the referent.
  8942. type: string
  8943. type: object
  8944. clientSecret:
  8945. description: |-
  8946. A reference to a specific 'key' within a Secret resource,
  8947. In some instances, `key` is a required field.
  8948. properties:
  8949. key:
  8950. description: |-
  8951. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8952. defaulted, in others it may be required.
  8953. type: string
  8954. name:
  8955. description: The name of the Secret resource being referred to.
  8956. type: string
  8957. namespace:
  8958. description: |-
  8959. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8960. to the namespace of the referent.
  8961. type: string
  8962. type: object
  8963. required:
  8964. - clientId
  8965. - clientSecret
  8966. type: object
  8967. type: object
  8968. hostAPI:
  8969. default: https://app.infisical.com/api
  8970. type: string
  8971. secretsScope:
  8972. properties:
  8973. environmentSlug:
  8974. type: string
  8975. projectSlug:
  8976. type: string
  8977. secretsPath:
  8978. default: /
  8979. type: string
  8980. required:
  8981. - environmentSlug
  8982. - projectSlug
  8983. type: object
  8984. required:
  8985. - auth
  8986. - secretsScope
  8987. type: object
  8988. keepersecurity:
  8989. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  8990. properties:
  8991. authRef:
  8992. description: |-
  8993. A reference to a specific 'key' within a Secret resource,
  8994. In some instances, `key` is a required field.
  8995. properties:
  8996. key:
  8997. description: |-
  8998. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8999. defaulted, in others it may be required.
  9000. type: string
  9001. name:
  9002. description: The name of the Secret resource being referred to.
  9003. type: string
  9004. namespace:
  9005. description: |-
  9006. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9007. to the namespace of the referent.
  9008. type: string
  9009. type: object
  9010. folderID:
  9011. type: string
  9012. required:
  9013. - authRef
  9014. - folderID
  9015. type: object
  9016. kubernetes:
  9017. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  9018. properties:
  9019. auth:
  9020. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  9021. maxProperties: 1
  9022. minProperties: 1
  9023. properties:
  9024. cert:
  9025. description: has both clientCert and clientKey as secretKeySelector
  9026. properties:
  9027. clientCert:
  9028. description: |-
  9029. A reference to a specific 'key' within a Secret resource,
  9030. In some instances, `key` is a required field.
  9031. properties:
  9032. key:
  9033. description: |-
  9034. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9035. defaulted, in others it may be required.
  9036. type: string
  9037. name:
  9038. description: The name of the Secret resource being referred to.
  9039. type: string
  9040. namespace:
  9041. description: |-
  9042. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9043. to the namespace of the referent.
  9044. type: string
  9045. type: object
  9046. clientKey:
  9047. description: |-
  9048. A reference to a specific 'key' within a Secret resource,
  9049. In some instances, `key` is a required field.
  9050. properties:
  9051. key:
  9052. description: |-
  9053. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9054. defaulted, in others it may be required.
  9055. type: string
  9056. name:
  9057. description: The name of the Secret resource being referred to.
  9058. type: string
  9059. namespace:
  9060. description: |-
  9061. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9062. to the namespace of the referent.
  9063. type: string
  9064. type: object
  9065. type: object
  9066. serviceAccount:
  9067. description: points to a service account that should be used for authentication
  9068. properties:
  9069. audiences:
  9070. description: |-
  9071. Audience specifies the `aud` claim for the service account token
  9072. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9073. then this audiences will be appended to the list
  9074. items:
  9075. type: string
  9076. type: array
  9077. name:
  9078. description: The name of the ServiceAccount resource being referred to.
  9079. type: string
  9080. namespace:
  9081. description: |-
  9082. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9083. to the namespace of the referent.
  9084. type: string
  9085. required:
  9086. - name
  9087. type: object
  9088. token:
  9089. description: use static token to authenticate with
  9090. properties:
  9091. bearerToken:
  9092. description: |-
  9093. A reference to a specific 'key' within a Secret resource,
  9094. In some instances, `key` is a required field.
  9095. properties:
  9096. key:
  9097. description: |-
  9098. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9099. defaulted, in others it may be required.
  9100. type: string
  9101. name:
  9102. description: The name of the Secret resource being referred to.
  9103. type: string
  9104. namespace:
  9105. description: |-
  9106. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9107. to the namespace of the referent.
  9108. type: string
  9109. type: object
  9110. type: object
  9111. type: object
  9112. remoteNamespace:
  9113. default: default
  9114. description: Remote namespace to fetch the secrets from
  9115. type: string
  9116. server:
  9117. description: configures the Kubernetes server Address.
  9118. properties:
  9119. caBundle:
  9120. description: CABundle is a base64-encoded CA certificate
  9121. format: byte
  9122. type: string
  9123. caProvider:
  9124. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  9125. properties:
  9126. key:
  9127. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9128. type: string
  9129. name:
  9130. description: The name of the object located at the provider type.
  9131. type: string
  9132. namespace:
  9133. description: |-
  9134. The namespace the Provider type is in.
  9135. Can only be defined when used in a ClusterSecretStore.
  9136. type: string
  9137. type:
  9138. description: The type of provider to use such as "Secret", or "ConfigMap".
  9139. enum:
  9140. - Secret
  9141. - ConfigMap
  9142. type: string
  9143. required:
  9144. - name
  9145. - type
  9146. type: object
  9147. url:
  9148. default: kubernetes.default
  9149. description: configures the Kubernetes server Address.
  9150. type: string
  9151. type: object
  9152. required:
  9153. - auth
  9154. type: object
  9155. onboardbase:
  9156. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  9157. properties:
  9158. apiHost:
  9159. default: https://public.onboardbase.com/api/v1/
  9160. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  9161. type: string
  9162. auth:
  9163. description: Auth configures how the Operator authenticates with the Onboardbase API
  9164. properties:
  9165. apiKeyRef:
  9166. description: |-
  9167. OnboardbaseAPIKey is the APIKey generated by an admin account.
  9168. It is used to recognize and authorize access to a project and environment within onboardbase
  9169. properties:
  9170. key:
  9171. description: |-
  9172. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9173. defaulted, in others it may be required.
  9174. type: string
  9175. name:
  9176. description: The name of the Secret resource being referred to.
  9177. type: string
  9178. namespace:
  9179. description: |-
  9180. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9181. to the namespace of the referent.
  9182. type: string
  9183. type: object
  9184. passcodeRef:
  9185. description: OnboardbasePasscode is the passcode attached to the API Key
  9186. properties:
  9187. key:
  9188. description: |-
  9189. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9190. defaulted, in others it may be required.
  9191. type: string
  9192. name:
  9193. description: The name of the Secret resource being referred to.
  9194. type: string
  9195. namespace:
  9196. description: |-
  9197. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9198. to the namespace of the referent.
  9199. type: string
  9200. type: object
  9201. required:
  9202. - apiKeyRef
  9203. - passcodeRef
  9204. type: object
  9205. environment:
  9206. default: development
  9207. description: Environment is the name of an environmnent within a project to pull the secrets from
  9208. type: string
  9209. project:
  9210. default: development
  9211. description: Project is an onboardbase project that the secrets should be pulled from
  9212. type: string
  9213. required:
  9214. - apiHost
  9215. - auth
  9216. - environment
  9217. - project
  9218. type: object
  9219. onepassword:
  9220. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  9221. properties:
  9222. auth:
  9223. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  9224. properties:
  9225. secretRef:
  9226. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  9227. properties:
  9228. connectTokenSecretRef:
  9229. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  9230. properties:
  9231. key:
  9232. description: |-
  9233. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9234. defaulted, in others it may be required.
  9235. type: string
  9236. name:
  9237. description: The name of the Secret resource being referred to.
  9238. type: string
  9239. namespace:
  9240. description: |-
  9241. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9242. to the namespace of the referent.
  9243. type: string
  9244. type: object
  9245. required:
  9246. - connectTokenSecretRef
  9247. type: object
  9248. required:
  9249. - secretRef
  9250. type: object
  9251. connectHost:
  9252. description: ConnectHost defines the OnePassword Connect Server to connect to
  9253. type: string
  9254. vaults:
  9255. additionalProperties:
  9256. type: integer
  9257. description: Vaults defines which OnePassword vaults to search in which order
  9258. type: object
  9259. required:
  9260. - auth
  9261. - connectHost
  9262. - vaults
  9263. type: object
  9264. oracle:
  9265. description: Oracle configures this store to sync secrets using Oracle Vault provider
  9266. properties:
  9267. auth:
  9268. description: |-
  9269. Auth configures how secret-manager authenticates with the Oracle Vault.
  9270. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  9271. properties:
  9272. secretRef:
  9273. description: SecretRef to pass through sensitive information.
  9274. properties:
  9275. fingerprint:
  9276. description: Fingerprint is the fingerprint of the API private key.
  9277. properties:
  9278. key:
  9279. description: |-
  9280. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9281. defaulted, in others it may be required.
  9282. type: string
  9283. name:
  9284. description: The name of the Secret resource being referred to.
  9285. type: string
  9286. namespace:
  9287. description: |-
  9288. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9289. to the namespace of the referent.
  9290. type: string
  9291. type: object
  9292. privatekey:
  9293. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  9294. properties:
  9295. key:
  9296. description: |-
  9297. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9298. defaulted, in others it may be required.
  9299. type: string
  9300. name:
  9301. description: The name of the Secret resource being referred to.
  9302. type: string
  9303. namespace:
  9304. description: |-
  9305. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9306. to the namespace of the referent.
  9307. type: string
  9308. type: object
  9309. required:
  9310. - fingerprint
  9311. - privatekey
  9312. type: object
  9313. tenancy:
  9314. description: Tenancy is the tenancy OCID where user is located.
  9315. type: string
  9316. user:
  9317. description: User is an access OCID specific to the account.
  9318. type: string
  9319. required:
  9320. - secretRef
  9321. - tenancy
  9322. - user
  9323. type: object
  9324. compartment:
  9325. description: |-
  9326. Compartment is the vault compartment OCID.
  9327. Required for PushSecret
  9328. type: string
  9329. encryptionKey:
  9330. description: |-
  9331. EncryptionKey is the OCID of the encryption key within the vault.
  9332. Required for PushSecret
  9333. type: string
  9334. principalType:
  9335. description: |-
  9336. The type of principal to use for authentication. If left blank, the Auth struct will
  9337. determine the principal type. This optional field must be specified if using
  9338. workload identity.
  9339. enum:
  9340. - ""
  9341. - UserPrincipal
  9342. - InstancePrincipal
  9343. - Workload
  9344. type: string
  9345. region:
  9346. description: Region is the region where vault is located.
  9347. type: string
  9348. serviceAccountRef:
  9349. description: |-
  9350. ServiceAccountRef specified the service account
  9351. that should be used when authenticating with WorkloadIdentity.
  9352. properties:
  9353. audiences:
  9354. description: |-
  9355. Audience specifies the `aud` claim for the service account token
  9356. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9357. then this audiences will be appended to the list
  9358. items:
  9359. type: string
  9360. type: array
  9361. name:
  9362. description: The name of the ServiceAccount resource being referred to.
  9363. type: string
  9364. namespace:
  9365. description: |-
  9366. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9367. to the namespace of the referent.
  9368. type: string
  9369. required:
  9370. - name
  9371. type: object
  9372. vault:
  9373. description: Vault is the vault's OCID of the specific vault where secret is located.
  9374. type: string
  9375. required:
  9376. - region
  9377. - vault
  9378. type: object
  9379. passbolt:
  9380. properties:
  9381. auth:
  9382. description: Auth defines the information necessary to authenticate against Passbolt Server
  9383. properties:
  9384. passwordSecretRef:
  9385. description: |-
  9386. A reference to a specific 'key' within a Secret resource,
  9387. In some instances, `key` is a required field.
  9388. properties:
  9389. key:
  9390. description: |-
  9391. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9392. defaulted, in others it may be required.
  9393. type: string
  9394. name:
  9395. description: The name of the Secret resource being referred to.
  9396. type: string
  9397. namespace:
  9398. description: |-
  9399. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9400. to the namespace of the referent.
  9401. type: string
  9402. type: object
  9403. privateKeySecretRef:
  9404. description: |-
  9405. A reference to a specific 'key' within a Secret resource,
  9406. In some instances, `key` is a required field.
  9407. properties:
  9408. key:
  9409. description: |-
  9410. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9411. defaulted, in others it may be required.
  9412. type: string
  9413. name:
  9414. description: The name of the Secret resource being referred to.
  9415. type: string
  9416. namespace:
  9417. description: |-
  9418. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9419. to the namespace of the referent.
  9420. type: string
  9421. type: object
  9422. required:
  9423. - passwordSecretRef
  9424. - privateKeySecretRef
  9425. type: object
  9426. host:
  9427. description: Host defines the Passbolt Server to connect to
  9428. type: string
  9429. required:
  9430. - auth
  9431. - host
  9432. type: object
  9433. passworddepot:
  9434. description: Configures a store to sync secrets with a Password Depot instance.
  9435. properties:
  9436. auth:
  9437. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  9438. properties:
  9439. secretRef:
  9440. properties:
  9441. credentials:
  9442. description: Username / Password is used for authentication.
  9443. properties:
  9444. key:
  9445. description: |-
  9446. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9447. defaulted, in others it may be required.
  9448. type: string
  9449. name:
  9450. description: The name of the Secret resource being referred to.
  9451. type: string
  9452. namespace:
  9453. description: |-
  9454. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9455. to the namespace of the referent.
  9456. type: string
  9457. type: object
  9458. type: object
  9459. required:
  9460. - secretRef
  9461. type: object
  9462. database:
  9463. description: Database to use as source
  9464. type: string
  9465. host:
  9466. description: URL configures the Password Depot instance URL.
  9467. type: string
  9468. required:
  9469. - auth
  9470. - database
  9471. - host
  9472. type: object
  9473. pulumi:
  9474. description: Pulumi configures this store to sync secrets using the Pulumi provider
  9475. properties:
  9476. accessToken:
  9477. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  9478. properties:
  9479. secretRef:
  9480. description: SecretRef is a reference to a secret containing the Pulumi API token.
  9481. properties:
  9482. key:
  9483. description: |-
  9484. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9485. defaulted, in others it may be required.
  9486. type: string
  9487. name:
  9488. description: The name of the Secret resource being referred to.
  9489. type: string
  9490. namespace:
  9491. description: |-
  9492. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9493. to the namespace of the referent.
  9494. type: string
  9495. type: object
  9496. type: object
  9497. apiUrl:
  9498. default: https://api.pulumi.com
  9499. description: APIURL is the URL of the Pulumi API.
  9500. type: string
  9501. environment:
  9502. description: |-
  9503. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  9504. dynamically retrieved values from supported providers including all major clouds,
  9505. and other Pulumi ESC environments.
  9506. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  9507. type: string
  9508. organization:
  9509. description: |-
  9510. Organization are a space to collaborate on shared projects and stacks.
  9511. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  9512. type: string
  9513. required:
  9514. - accessToken
  9515. - environment
  9516. - organization
  9517. type: object
  9518. scaleway:
  9519. description: Scaleway
  9520. properties:
  9521. accessKey:
  9522. description: AccessKey is the non-secret part of the api key.
  9523. properties:
  9524. secretRef:
  9525. description: SecretRef references a key in a secret that will be used as value.
  9526. properties:
  9527. key:
  9528. description: |-
  9529. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9530. defaulted, in others it may be required.
  9531. type: string
  9532. name:
  9533. description: The name of the Secret resource being referred to.
  9534. type: string
  9535. namespace:
  9536. description: |-
  9537. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9538. to the namespace of the referent.
  9539. type: string
  9540. type: object
  9541. value:
  9542. description: Value can be specified directly to set a value without using a secret.
  9543. type: string
  9544. type: object
  9545. apiUrl:
  9546. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  9547. type: string
  9548. projectId:
  9549. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  9550. type: string
  9551. region:
  9552. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  9553. type: string
  9554. secretKey:
  9555. description: SecretKey is the non-secret part of the api key.
  9556. properties:
  9557. secretRef:
  9558. description: SecretRef references a key in a secret that will be used as value.
  9559. properties:
  9560. key:
  9561. description: |-
  9562. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9563. defaulted, in others it may be required.
  9564. type: string
  9565. name:
  9566. description: The name of the Secret resource being referred to.
  9567. type: string
  9568. namespace:
  9569. description: |-
  9570. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9571. to the namespace of the referent.
  9572. type: string
  9573. type: object
  9574. value:
  9575. description: Value can be specified directly to set a value without using a secret.
  9576. type: string
  9577. type: object
  9578. required:
  9579. - accessKey
  9580. - projectId
  9581. - region
  9582. - secretKey
  9583. type: object
  9584. secretserver:
  9585. description: |-
  9586. SecretServer configures this store to sync secrets using SecretServer provider
  9587. https://docs.delinea.com/online-help/secret-server/start.htm
  9588. properties:
  9589. password:
  9590. description: Password is the secret server account password.
  9591. properties:
  9592. secretRef:
  9593. description: SecretRef references a key in a secret that will be used as value.
  9594. properties:
  9595. key:
  9596. description: |-
  9597. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9598. defaulted, in others it may be required.
  9599. type: string
  9600. name:
  9601. description: The name of the Secret resource being referred to.
  9602. type: string
  9603. namespace:
  9604. description: |-
  9605. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9606. to the namespace of the referent.
  9607. type: string
  9608. type: object
  9609. value:
  9610. description: Value can be specified directly to set a value without using a secret.
  9611. type: string
  9612. type: object
  9613. serverURL:
  9614. description: |-
  9615. ServerURL
  9616. URL to your secret server installation
  9617. type: string
  9618. username:
  9619. description: Username is the secret server account username.
  9620. properties:
  9621. secretRef:
  9622. description: SecretRef references a key in a secret that will be used as value.
  9623. properties:
  9624. key:
  9625. description: |-
  9626. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9627. defaulted, in others it may be required.
  9628. type: string
  9629. name:
  9630. description: The name of the Secret resource being referred to.
  9631. type: string
  9632. namespace:
  9633. description: |-
  9634. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9635. to the namespace of the referent.
  9636. type: string
  9637. type: object
  9638. value:
  9639. description: Value can be specified directly to set a value without using a secret.
  9640. type: string
  9641. type: object
  9642. required:
  9643. - password
  9644. - serverURL
  9645. - username
  9646. type: object
  9647. senhasegura:
  9648. description: Senhasegura configures this store to sync secrets using senhasegura provider
  9649. properties:
  9650. auth:
  9651. description: Auth defines parameters to authenticate in senhasegura
  9652. properties:
  9653. clientId:
  9654. type: string
  9655. clientSecretSecretRef:
  9656. description: |-
  9657. A reference to a specific 'key' within a Secret resource,
  9658. In some instances, `key` is a required field.
  9659. properties:
  9660. key:
  9661. description: |-
  9662. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9663. defaulted, in others it may be required.
  9664. type: string
  9665. name:
  9666. description: The name of the Secret resource being referred to.
  9667. type: string
  9668. namespace:
  9669. description: |-
  9670. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9671. to the namespace of the referent.
  9672. type: string
  9673. type: object
  9674. required:
  9675. - clientId
  9676. - clientSecretSecretRef
  9677. type: object
  9678. ignoreSslCertificate:
  9679. default: false
  9680. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  9681. type: boolean
  9682. module:
  9683. description: Module defines which senhasegura module should be used to get secrets
  9684. type: string
  9685. url:
  9686. description: URL of senhasegura
  9687. type: string
  9688. required:
  9689. - auth
  9690. - module
  9691. - url
  9692. type: object
  9693. vault:
  9694. description: Vault configures this store to sync secrets using Hashi provider
  9695. properties:
  9696. auth:
  9697. description: Auth configures how secret-manager authenticates with the Vault server.
  9698. properties:
  9699. appRole:
  9700. description: |-
  9701. AppRole authenticates with Vault using the App Role auth mechanism,
  9702. with the role and secret stored in a Kubernetes Secret resource.
  9703. properties:
  9704. path:
  9705. default: approle
  9706. description: |-
  9707. Path where the App Role authentication backend is mounted
  9708. in Vault, e.g: "approle"
  9709. type: string
  9710. roleId:
  9711. description: |-
  9712. RoleID configured in the App Role authentication backend when setting
  9713. up the authentication backend in Vault.
  9714. type: string
  9715. roleRef:
  9716. description: |-
  9717. Reference to a key in a Secret that contains the App Role ID used
  9718. to authenticate with Vault.
  9719. The `key` field must be specified and denotes which entry within the Secret
  9720. resource is used as the app role id.
  9721. properties:
  9722. key:
  9723. description: |-
  9724. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9725. defaulted, in others it may be required.
  9726. type: string
  9727. name:
  9728. description: The name of the Secret resource being referred to.
  9729. type: string
  9730. namespace:
  9731. description: |-
  9732. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9733. to the namespace of the referent.
  9734. type: string
  9735. type: object
  9736. secretRef:
  9737. description: |-
  9738. Reference to a key in a Secret that contains the App Role secret used
  9739. to authenticate with Vault.
  9740. The `key` field must be specified and denotes which entry within the Secret
  9741. resource is used as the app role secret.
  9742. properties:
  9743. key:
  9744. description: |-
  9745. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9746. defaulted, in others it may be required.
  9747. type: string
  9748. name:
  9749. description: The name of the Secret resource being referred to.
  9750. type: string
  9751. namespace:
  9752. description: |-
  9753. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9754. to the namespace of the referent.
  9755. type: string
  9756. type: object
  9757. required:
  9758. - path
  9759. - secretRef
  9760. type: object
  9761. cert:
  9762. description: |-
  9763. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  9764. Cert authentication method
  9765. properties:
  9766. clientCert:
  9767. description: |-
  9768. ClientCert is a certificate to authenticate using the Cert Vault
  9769. authentication method
  9770. properties:
  9771. key:
  9772. description: |-
  9773. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9774. defaulted, in others it may be required.
  9775. type: string
  9776. name:
  9777. description: The name of the Secret resource being referred to.
  9778. type: string
  9779. namespace:
  9780. description: |-
  9781. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9782. to the namespace of the referent.
  9783. type: string
  9784. type: object
  9785. secretRef:
  9786. description: |-
  9787. SecretRef to a key in a Secret resource containing client private key to
  9788. authenticate with Vault using the Cert authentication method
  9789. properties:
  9790. key:
  9791. description: |-
  9792. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9793. defaulted, in others it may be required.
  9794. type: string
  9795. name:
  9796. description: The name of the Secret resource being referred to.
  9797. type: string
  9798. namespace:
  9799. description: |-
  9800. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9801. to the namespace of the referent.
  9802. type: string
  9803. type: object
  9804. type: object
  9805. iam:
  9806. description: |-
  9807. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  9808. AWS IAM authentication method
  9809. properties:
  9810. externalID:
  9811. description: AWS External ID set on assumed IAM roles
  9812. type: string
  9813. jwt:
  9814. description: Specify a service account with IRSA enabled
  9815. properties:
  9816. serviceAccountRef:
  9817. description: A reference to a ServiceAccount resource.
  9818. properties:
  9819. audiences:
  9820. description: |-
  9821. Audience specifies the `aud` claim for the service account token
  9822. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9823. then this audiences will be appended to the list
  9824. items:
  9825. type: string
  9826. type: array
  9827. name:
  9828. description: The name of the ServiceAccount resource being referred to.
  9829. type: string
  9830. namespace:
  9831. description: |-
  9832. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9833. to the namespace of the referent.
  9834. type: string
  9835. required:
  9836. - name
  9837. type: object
  9838. type: object
  9839. path:
  9840. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  9841. type: string
  9842. region:
  9843. description: AWS region
  9844. type: string
  9845. role:
  9846. description: This is the AWS role to be assumed before talking to vault
  9847. type: string
  9848. secretRef:
  9849. description: Specify credentials in a Secret object
  9850. properties:
  9851. accessKeyIDSecretRef:
  9852. description: The AccessKeyID is used for authentication
  9853. properties:
  9854. key:
  9855. description: |-
  9856. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9857. defaulted, in others it may be required.
  9858. type: string
  9859. name:
  9860. description: The name of the Secret resource being referred to.
  9861. type: string
  9862. namespace:
  9863. description: |-
  9864. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9865. to the namespace of the referent.
  9866. type: string
  9867. type: object
  9868. secretAccessKeySecretRef:
  9869. description: The SecretAccessKey is used for authentication
  9870. properties:
  9871. key:
  9872. description: |-
  9873. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9874. defaulted, in others it may be required.
  9875. type: string
  9876. name:
  9877. description: The name of the Secret resource being referred to.
  9878. type: string
  9879. namespace:
  9880. description: |-
  9881. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9882. to the namespace of the referent.
  9883. type: string
  9884. type: object
  9885. sessionTokenSecretRef:
  9886. description: |-
  9887. The SessionToken used for authentication
  9888. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9889. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9890. properties:
  9891. key:
  9892. description: |-
  9893. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9894. defaulted, in others it may be required.
  9895. type: string
  9896. name:
  9897. description: The name of the Secret resource being referred to.
  9898. type: string
  9899. namespace:
  9900. description: |-
  9901. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9902. to the namespace of the referent.
  9903. type: string
  9904. type: object
  9905. type: object
  9906. vaultAwsIamServerID:
  9907. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  9908. type: string
  9909. vaultRole:
  9910. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  9911. type: string
  9912. required:
  9913. - vaultRole
  9914. type: object
  9915. jwt:
  9916. description: |-
  9917. Jwt authenticates with Vault by passing role and JWT token using the
  9918. JWT/OIDC authentication method
  9919. properties:
  9920. kubernetesServiceAccountToken:
  9921. description: |-
  9922. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  9923. a token for with the `TokenRequest` API.
  9924. properties:
  9925. audiences:
  9926. description: |-
  9927. Optional audiences field that will be used to request a temporary Kubernetes service
  9928. account token for the service account referenced by `serviceAccountRef`.
  9929. Defaults to a single audience `vault` it not specified.
  9930. Deprecated: use serviceAccountRef.Audiences instead
  9931. items:
  9932. type: string
  9933. type: array
  9934. expirationSeconds:
  9935. description: |-
  9936. Optional expiration time in seconds that will be used to request a temporary
  9937. Kubernetes service account token for the service account referenced by
  9938. `serviceAccountRef`.
  9939. Deprecated: this will be removed in the future.
  9940. Defaults to 10 minutes.
  9941. format: int64
  9942. type: integer
  9943. serviceAccountRef:
  9944. description: Service account field containing the name of a kubernetes ServiceAccount.
  9945. properties:
  9946. audiences:
  9947. description: |-
  9948. Audience specifies the `aud` claim for the service account token
  9949. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9950. then this audiences will be appended to the list
  9951. items:
  9952. type: string
  9953. type: array
  9954. name:
  9955. description: The name of the ServiceAccount resource being referred to.
  9956. type: string
  9957. namespace:
  9958. description: |-
  9959. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9960. to the namespace of the referent.
  9961. type: string
  9962. required:
  9963. - name
  9964. type: object
  9965. required:
  9966. - serviceAccountRef
  9967. type: object
  9968. path:
  9969. default: jwt
  9970. description: |-
  9971. Path where the JWT authentication backend is mounted
  9972. in Vault, e.g: "jwt"
  9973. type: string
  9974. role:
  9975. description: |-
  9976. Role is a JWT role to authenticate using the JWT/OIDC Vault
  9977. authentication method
  9978. type: string
  9979. secretRef:
  9980. description: |-
  9981. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9982. authenticate with Vault using the JWT/OIDC authentication method.
  9983. properties:
  9984. key:
  9985. description: |-
  9986. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9987. defaulted, in others it may be required.
  9988. type: string
  9989. name:
  9990. description: The name of the Secret resource being referred to.
  9991. type: string
  9992. namespace:
  9993. description: |-
  9994. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9995. to the namespace of the referent.
  9996. type: string
  9997. type: object
  9998. required:
  9999. - path
  10000. type: object
  10001. kubernetes:
  10002. description: |-
  10003. Kubernetes authenticates with Vault by passing the ServiceAccount
  10004. token stored in the named Secret resource to the Vault server.
  10005. properties:
  10006. mountPath:
  10007. default: kubernetes
  10008. description: |-
  10009. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  10010. "kubernetes"
  10011. type: string
  10012. role:
  10013. description: |-
  10014. A required field containing the Vault Role to assume. A Role binds a
  10015. Kubernetes ServiceAccount with a set of Vault policies.
  10016. type: string
  10017. secretRef:
  10018. description: |-
  10019. Optional secret field containing a Kubernetes ServiceAccount JWT used
  10020. for authenticating with Vault. If a name is specified without a key,
  10021. `token` is the default. If one is not specified, the one bound to
  10022. the controller will be used.
  10023. properties:
  10024. key:
  10025. description: |-
  10026. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10027. defaulted, in others it may be required.
  10028. type: string
  10029. name:
  10030. description: The name of the Secret resource being referred to.
  10031. type: string
  10032. namespace:
  10033. description: |-
  10034. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10035. to the namespace of the referent.
  10036. type: string
  10037. type: object
  10038. serviceAccountRef:
  10039. description: |-
  10040. Optional service account field containing the name of a kubernetes ServiceAccount.
  10041. If the service account is specified, the service account secret token JWT will be used
  10042. for authenticating with Vault. If the service account selector is not supplied,
  10043. the secretRef will be used instead.
  10044. properties:
  10045. audiences:
  10046. description: |-
  10047. Audience specifies the `aud` claim for the service account token
  10048. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10049. then this audiences will be appended to the list
  10050. items:
  10051. type: string
  10052. type: array
  10053. name:
  10054. description: The name of the ServiceAccount resource being referred to.
  10055. type: string
  10056. namespace:
  10057. description: |-
  10058. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10059. to the namespace of the referent.
  10060. type: string
  10061. required:
  10062. - name
  10063. type: object
  10064. required:
  10065. - mountPath
  10066. - role
  10067. type: object
  10068. ldap:
  10069. description: |-
  10070. Ldap authenticates with Vault by passing username/password pair using
  10071. the LDAP authentication method
  10072. properties:
  10073. path:
  10074. default: ldap
  10075. description: |-
  10076. Path where the LDAP authentication backend is mounted
  10077. in Vault, e.g: "ldap"
  10078. type: string
  10079. secretRef:
  10080. description: |-
  10081. SecretRef to a key in a Secret resource containing password for the LDAP
  10082. user used to authenticate with Vault using the LDAP authentication
  10083. method
  10084. properties:
  10085. key:
  10086. description: |-
  10087. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10088. defaulted, in others it may be required.
  10089. type: string
  10090. name:
  10091. description: The name of the Secret resource being referred to.
  10092. type: string
  10093. namespace:
  10094. description: |-
  10095. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10096. to the namespace of the referent.
  10097. type: string
  10098. type: object
  10099. username:
  10100. description: |-
  10101. Username is a LDAP user name used to authenticate using the LDAP Vault
  10102. authentication method
  10103. type: string
  10104. required:
  10105. - path
  10106. - username
  10107. type: object
  10108. namespace:
  10109. description: |-
  10110. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  10111. Namespaces is a set of features within Vault Enterprise that allows
  10112. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  10113. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  10114. This will default to Vault.Namespace field if set, or empty otherwise
  10115. type: string
  10116. tokenSecretRef:
  10117. description: TokenSecretRef authenticates with Vault by presenting a token.
  10118. properties:
  10119. key:
  10120. description: |-
  10121. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10122. defaulted, in others it may be required.
  10123. type: string
  10124. name:
  10125. description: The name of the Secret resource being referred to.
  10126. type: string
  10127. namespace:
  10128. description: |-
  10129. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10130. to the namespace of the referent.
  10131. type: string
  10132. type: object
  10133. userPass:
  10134. description: UserPass authenticates with Vault by passing username/password pair
  10135. properties:
  10136. path:
  10137. default: user
  10138. description: |-
  10139. Path where the UserPassword authentication backend is mounted
  10140. in Vault, e.g: "user"
  10141. type: string
  10142. secretRef:
  10143. description: |-
  10144. SecretRef to a key in a Secret resource containing password for the
  10145. user used to authenticate with Vault using the UserPass authentication
  10146. method
  10147. properties:
  10148. key:
  10149. description: |-
  10150. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10151. defaulted, in others it may be required.
  10152. type: string
  10153. name:
  10154. description: The name of the Secret resource being referred to.
  10155. type: string
  10156. namespace:
  10157. description: |-
  10158. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10159. to the namespace of the referent.
  10160. type: string
  10161. type: object
  10162. username:
  10163. description: |-
  10164. Username is a user name used to authenticate using the UserPass Vault
  10165. authentication method
  10166. type: string
  10167. required:
  10168. - path
  10169. - username
  10170. type: object
  10171. type: object
  10172. caBundle:
  10173. description: |-
  10174. PEM encoded CA bundle used to validate Vault server certificate. Only used
  10175. if the Server URL is using HTTPS protocol. This parameter is ignored for
  10176. plain HTTP protocol connection. If not set the system root certificates
  10177. are used to validate the TLS connection.
  10178. format: byte
  10179. type: string
  10180. caProvider:
  10181. description: The provider for the CA bundle to use to validate Vault server certificate.
  10182. properties:
  10183. key:
  10184. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10185. type: string
  10186. name:
  10187. description: The name of the object located at the provider type.
  10188. type: string
  10189. namespace:
  10190. description: |-
  10191. The namespace the Provider type is in.
  10192. Can only be defined when used in a ClusterSecretStore.
  10193. type: string
  10194. type:
  10195. description: The type of provider to use such as "Secret", or "ConfigMap".
  10196. enum:
  10197. - Secret
  10198. - ConfigMap
  10199. type: string
  10200. required:
  10201. - name
  10202. - type
  10203. type: object
  10204. forwardInconsistent:
  10205. description: |-
  10206. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  10207. leader instead of simply retrying within a loop. This can increase performance if
  10208. the option is enabled serverside.
  10209. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  10210. type: boolean
  10211. namespace:
  10212. description: |-
  10213. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  10214. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  10215. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  10216. type: string
  10217. path:
  10218. description: |-
  10219. Path is the mount path of the Vault KV backend endpoint, e.g:
  10220. "secret". The v2 KV secret engine version specific "/data" path suffix
  10221. for fetching secrets from Vault is optional and will be appended
  10222. if not present in specified path.
  10223. type: string
  10224. readYourWrites:
  10225. description: |-
  10226. ReadYourWrites ensures isolated read-after-write semantics by
  10227. providing discovered cluster replication states in each request.
  10228. More information about eventual consistency in Vault can be found here
  10229. https://www.vaultproject.io/docs/enterprise/consistency
  10230. type: boolean
  10231. server:
  10232. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  10233. type: string
  10234. tls:
  10235. description: |-
  10236. The configuration used for client side related TLS communication, when the Vault server
  10237. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  10238. This parameter is ignored for plain HTTP protocol connection.
  10239. It's worth noting this configuration is different from the "TLS certificates auth method",
  10240. which is available under the `auth.cert` section.
  10241. properties:
  10242. certSecretRef:
  10243. description: |-
  10244. CertSecretRef is a certificate added to the transport layer
  10245. when communicating with the Vault server.
  10246. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  10247. properties:
  10248. key:
  10249. description: |-
  10250. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10251. defaulted, in others it may be required.
  10252. type: string
  10253. name:
  10254. description: The name of the Secret resource being referred to.
  10255. type: string
  10256. namespace:
  10257. description: |-
  10258. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10259. to the namespace of the referent.
  10260. type: string
  10261. type: object
  10262. keySecretRef:
  10263. description: |-
  10264. KeySecretRef to a key in a Secret resource containing client private key
  10265. added to the transport layer when communicating with the Vault server.
  10266. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  10267. properties:
  10268. key:
  10269. description: |-
  10270. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10271. defaulted, in others it may be required.
  10272. type: string
  10273. name:
  10274. description: The name of the Secret resource being referred to.
  10275. type: string
  10276. namespace:
  10277. description: |-
  10278. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10279. to the namespace of the referent.
  10280. type: string
  10281. type: object
  10282. type: object
  10283. version:
  10284. default: v2
  10285. description: |-
  10286. Version is the Vault KV secret engine version. This can be either "v1" or
  10287. "v2". Version defaults to "v2".
  10288. enum:
  10289. - v1
  10290. - v2
  10291. type: string
  10292. required:
  10293. - auth
  10294. - server
  10295. type: object
  10296. webhook:
  10297. description: Webhook configures this store to sync secrets using a generic templated webhook
  10298. properties:
  10299. body:
  10300. description: Body
  10301. type: string
  10302. caBundle:
  10303. description: |-
  10304. PEM encoded CA bundle used to validate webhook server certificate. Only used
  10305. if the Server URL is using HTTPS protocol. This parameter is ignored for
  10306. plain HTTP protocol connection. If not set the system root certificates
  10307. are used to validate the TLS connection.
  10308. format: byte
  10309. type: string
  10310. caProvider:
  10311. description: The provider for the CA bundle to use to validate webhook server certificate.
  10312. properties:
  10313. key:
  10314. description: The key the value inside of the provider type to use, only used with "Secret" type
  10315. type: string
  10316. name:
  10317. description: The name of the object located at the provider type.
  10318. type: string
  10319. namespace:
  10320. description: The namespace the Provider type is in.
  10321. type: string
  10322. type:
  10323. description: The type of provider to use such as "Secret", or "ConfigMap".
  10324. enum:
  10325. - Secret
  10326. - ConfigMap
  10327. type: string
  10328. required:
  10329. - name
  10330. - type
  10331. type: object
  10332. headers:
  10333. additionalProperties:
  10334. type: string
  10335. description: Headers
  10336. type: object
  10337. method:
  10338. description: Webhook Method
  10339. type: string
  10340. result:
  10341. description: Result formatting
  10342. properties:
  10343. jsonPath:
  10344. description: Json path of return value
  10345. type: string
  10346. type: object
  10347. secrets:
  10348. description: |-
  10349. Secrets to fill in templates
  10350. These secrets will be passed to the templating function as key value pairs under the given name
  10351. items:
  10352. properties:
  10353. name:
  10354. description: Name of this secret in templates
  10355. type: string
  10356. secretRef:
  10357. description: Secret ref to fill in credentials
  10358. properties:
  10359. key:
  10360. description: |-
  10361. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10362. defaulted, in others it may be required.
  10363. type: string
  10364. name:
  10365. description: The name of the Secret resource being referred to.
  10366. type: string
  10367. namespace:
  10368. description: |-
  10369. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10370. to the namespace of the referent.
  10371. type: string
  10372. type: object
  10373. required:
  10374. - name
  10375. - secretRef
  10376. type: object
  10377. type: array
  10378. timeout:
  10379. description: Timeout
  10380. type: string
  10381. url:
  10382. description: Webhook url to call
  10383. type: string
  10384. required:
  10385. - result
  10386. - url
  10387. type: object
  10388. yandexcertificatemanager:
  10389. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  10390. properties:
  10391. apiEndpoint:
  10392. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  10393. type: string
  10394. auth:
  10395. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  10396. properties:
  10397. authorizedKeySecretRef:
  10398. description: The authorized key used for authentication
  10399. properties:
  10400. key:
  10401. description: |-
  10402. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10403. defaulted, in others it may be required.
  10404. type: string
  10405. name:
  10406. description: The name of the Secret resource being referred to.
  10407. type: string
  10408. namespace:
  10409. description: |-
  10410. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10411. to the namespace of the referent.
  10412. type: string
  10413. type: object
  10414. type: object
  10415. caProvider:
  10416. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10417. properties:
  10418. certSecretRef:
  10419. description: |-
  10420. A reference to a specific 'key' within a Secret resource,
  10421. In some instances, `key` is a required field.
  10422. properties:
  10423. key:
  10424. description: |-
  10425. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10426. defaulted, in others it may be required.
  10427. type: string
  10428. name:
  10429. description: The name of the Secret resource being referred to.
  10430. type: string
  10431. namespace:
  10432. description: |-
  10433. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10434. to the namespace of the referent.
  10435. type: string
  10436. type: object
  10437. type: object
  10438. required:
  10439. - auth
  10440. type: object
  10441. yandexlockbox:
  10442. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  10443. properties:
  10444. apiEndpoint:
  10445. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  10446. type: string
  10447. auth:
  10448. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  10449. properties:
  10450. authorizedKeySecretRef:
  10451. description: The authorized key used for authentication
  10452. properties:
  10453. key:
  10454. description: |-
  10455. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10456. defaulted, in others it may be required.
  10457. type: string
  10458. name:
  10459. description: The name of the Secret resource being referred to.
  10460. type: string
  10461. namespace:
  10462. description: |-
  10463. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10464. to the namespace of the referent.
  10465. type: string
  10466. type: object
  10467. type: object
  10468. caProvider:
  10469. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10470. properties:
  10471. certSecretRef:
  10472. description: |-
  10473. A reference to a specific 'key' within a Secret resource,
  10474. In some instances, `key` is a required field.
  10475. properties:
  10476. key:
  10477. description: |-
  10478. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10479. defaulted, in others it may be required.
  10480. type: string
  10481. name:
  10482. description: The name of the Secret resource being referred to.
  10483. type: string
  10484. namespace:
  10485. description: |-
  10486. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10487. to the namespace of the referent.
  10488. type: string
  10489. type: object
  10490. type: object
  10491. required:
  10492. - auth
  10493. type: object
  10494. type: object
  10495. refreshInterval:
  10496. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  10497. type: integer
  10498. retrySettings:
  10499. description: Used to configure http retries if failed
  10500. properties:
  10501. maxRetries:
  10502. format: int32
  10503. type: integer
  10504. retryInterval:
  10505. type: string
  10506. type: object
  10507. required:
  10508. - provider
  10509. type: object
  10510. status:
  10511. description: SecretStoreStatus defines the observed state of the SecretStore.
  10512. properties:
  10513. capabilities:
  10514. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  10515. type: string
  10516. conditions:
  10517. items:
  10518. properties:
  10519. lastTransitionTime:
  10520. format: date-time
  10521. type: string
  10522. message:
  10523. type: string
  10524. reason:
  10525. type: string
  10526. status:
  10527. type: string
  10528. type:
  10529. type: string
  10530. required:
  10531. - status
  10532. - type
  10533. type: object
  10534. type: array
  10535. type: object
  10536. type: object
  10537. served: true
  10538. storage: true
  10539. subresources:
  10540. status: {}
  10541. conversion:
  10542. strategy: Webhook
  10543. webhook:
  10544. conversionReviewVersions:
  10545. - v1
  10546. clientConfig:
  10547. service:
  10548. name: kubernetes
  10549. namespace: default
  10550. path: /convert
  10551. ---
  10552. apiVersion: apiextensions.k8s.io/v1
  10553. kind: CustomResourceDefinition
  10554. metadata:
  10555. annotations:
  10556. controller-gen.kubebuilder.io/version: v0.15.0
  10557. name: acraccesstokens.generators.external-secrets.io
  10558. spec:
  10559. group: generators.external-secrets.io
  10560. names:
  10561. categories:
  10562. - acraccesstoken
  10563. kind: ACRAccessToken
  10564. listKind: ACRAccessTokenList
  10565. plural: acraccesstokens
  10566. shortNames:
  10567. - acraccesstoken
  10568. singular: acraccesstoken
  10569. scope: Namespaced
  10570. versions:
  10571. - name: v1alpha1
  10572. schema:
  10573. openAPIV3Schema:
  10574. description: |-
  10575. ACRAccessToken returns a Azure Container Registry token
  10576. that can be used for pushing/pulling images.
  10577. Note: by default it will return an ACR Refresh Token with full access
  10578. (depending on the identity).
  10579. This can be scoped down to the repository level using .spec.scope.
  10580. In case scope is defined it will return an ACR Access Token.
  10581. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  10582. properties:
  10583. apiVersion:
  10584. description: |-
  10585. APIVersion defines the versioned schema of this representation of an object.
  10586. Servers should convert recognized schemas to the latest internal value, and
  10587. may reject unrecognized values.
  10588. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10589. type: string
  10590. kind:
  10591. description: |-
  10592. Kind is a string value representing the REST resource this object represents.
  10593. Servers may infer this from the endpoint the client submits requests to.
  10594. Cannot be updated.
  10595. In CamelCase.
  10596. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10597. type: string
  10598. metadata:
  10599. type: object
  10600. spec:
  10601. description: |-
  10602. ACRAccessTokenSpec defines how to generate the access token
  10603. e.g. how to authenticate and which registry to use.
  10604. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  10605. properties:
  10606. auth:
  10607. properties:
  10608. managedIdentity:
  10609. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  10610. properties:
  10611. identityId:
  10612. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  10613. type: string
  10614. type: object
  10615. servicePrincipal:
  10616. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  10617. properties:
  10618. secretRef:
  10619. description: |-
  10620. Configuration used to authenticate with Azure using static
  10621. credentials stored in a Kind=Secret.
  10622. properties:
  10623. clientId:
  10624. description: The Azure clientId of the service principle used for authentication.
  10625. properties:
  10626. key:
  10627. description: |-
  10628. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10629. defaulted, in others it may be required.
  10630. type: string
  10631. name:
  10632. description: The name of the Secret resource being referred to.
  10633. type: string
  10634. namespace:
  10635. description: |-
  10636. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10637. to the namespace of the referent.
  10638. type: string
  10639. type: object
  10640. clientSecret:
  10641. description: The Azure ClientSecret of the service principle used for authentication.
  10642. properties:
  10643. key:
  10644. description: |-
  10645. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10646. defaulted, in others it may be required.
  10647. type: string
  10648. name:
  10649. description: The name of the Secret resource being referred to.
  10650. type: string
  10651. namespace:
  10652. description: |-
  10653. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10654. to the namespace of the referent.
  10655. type: string
  10656. type: object
  10657. type: object
  10658. required:
  10659. - secretRef
  10660. type: object
  10661. workloadIdentity:
  10662. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  10663. properties:
  10664. serviceAccountRef:
  10665. description: |-
  10666. ServiceAccountRef specified the service account
  10667. that should be used when authenticating with WorkloadIdentity.
  10668. properties:
  10669. audiences:
  10670. description: |-
  10671. Audience specifies the `aud` claim for the service account token
  10672. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10673. then this audiences will be appended to the list
  10674. items:
  10675. type: string
  10676. type: array
  10677. name:
  10678. description: The name of the ServiceAccount resource being referred to.
  10679. type: string
  10680. namespace:
  10681. description: |-
  10682. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10683. to the namespace of the referent.
  10684. type: string
  10685. required:
  10686. - name
  10687. type: object
  10688. type: object
  10689. type: object
  10690. environmentType:
  10691. default: PublicCloud
  10692. description: |-
  10693. EnvironmentType specifies the Azure cloud environment endpoints to use for
  10694. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  10695. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  10696. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  10697. enum:
  10698. - PublicCloud
  10699. - USGovernmentCloud
  10700. - ChinaCloud
  10701. - GermanCloud
  10702. type: string
  10703. registry:
  10704. description: |-
  10705. the domain name of the ACR registry
  10706. e.g. foobarexample.azurecr.io
  10707. type: string
  10708. scope:
  10709. description: |-
  10710. Define the scope for the access token, e.g. pull/push access for a repository.
  10711. if not provided it will return a refresh token that has full scope.
  10712. Note: you need to pin it down to the repository level, there is no wildcard available.
  10713. examples:
  10714. repository:my-repository:pull,push
  10715. repository:my-repository:pull
  10716. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  10717. type: string
  10718. tenantId:
  10719. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  10720. type: string
  10721. required:
  10722. - auth
  10723. - registry
  10724. type: object
  10725. type: object
  10726. served: true
  10727. storage: true
  10728. subresources:
  10729. status: {}
  10730. conversion:
  10731. strategy: Webhook
  10732. webhook:
  10733. conversionReviewVersions:
  10734. - v1
  10735. clientConfig:
  10736. service:
  10737. name: kubernetes
  10738. namespace: default
  10739. path: /convert
  10740. ---
  10741. apiVersion: apiextensions.k8s.io/v1
  10742. kind: CustomResourceDefinition
  10743. metadata:
  10744. annotations:
  10745. controller-gen.kubebuilder.io/version: v0.15.0
  10746. name: ecrauthorizationtokens.generators.external-secrets.io
  10747. spec:
  10748. group: generators.external-secrets.io
  10749. names:
  10750. categories:
  10751. - ecrauthorizationtoken
  10752. kind: ECRAuthorizationToken
  10753. listKind: ECRAuthorizationTokenList
  10754. plural: ecrauthorizationtokens
  10755. shortNames:
  10756. - ecrauthorizationtoken
  10757. singular: ecrauthorizationtoken
  10758. scope: Namespaced
  10759. versions:
  10760. - name: v1alpha1
  10761. schema:
  10762. openAPIV3Schema:
  10763. description: |-
  10764. ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
  10765. authorization token.
  10766. The authorization token is valid for 12 hours.
  10767. The authorizationToken returned is a base64 encoded string that can be decoded
  10768. and used in a docker login command to authenticate to a registry.
  10769. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  10770. properties:
  10771. apiVersion:
  10772. description: |-
  10773. APIVersion defines the versioned schema of this representation of an object.
  10774. Servers should convert recognized schemas to the latest internal value, and
  10775. may reject unrecognized values.
  10776. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10777. type: string
  10778. kind:
  10779. description: |-
  10780. Kind is a string value representing the REST resource this object represents.
  10781. Servers may infer this from the endpoint the client submits requests to.
  10782. Cannot be updated.
  10783. In CamelCase.
  10784. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10785. type: string
  10786. metadata:
  10787. type: object
  10788. spec:
  10789. properties:
  10790. auth:
  10791. description: Auth defines how to authenticate with AWS
  10792. properties:
  10793. jwt:
  10794. description: Authenticate against AWS using service account tokens.
  10795. properties:
  10796. serviceAccountRef:
  10797. description: A reference to a ServiceAccount resource.
  10798. properties:
  10799. audiences:
  10800. description: |-
  10801. Audience specifies the `aud` claim for the service account token
  10802. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10803. then this audiences will be appended to the list
  10804. items:
  10805. type: string
  10806. type: array
  10807. name:
  10808. description: The name of the ServiceAccount resource being referred to.
  10809. type: string
  10810. namespace:
  10811. description: |-
  10812. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10813. to the namespace of the referent.
  10814. type: string
  10815. required:
  10816. - name
  10817. type: object
  10818. type: object
  10819. secretRef:
  10820. description: |-
  10821. AWSAuthSecretRef holds secret references for AWS credentials
  10822. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  10823. properties:
  10824. accessKeyIDSecretRef:
  10825. description: The AccessKeyID is used for authentication
  10826. properties:
  10827. key:
  10828. description: |-
  10829. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10830. defaulted, in others it may be required.
  10831. type: string
  10832. name:
  10833. description: The name of the Secret resource being referred to.
  10834. type: string
  10835. namespace:
  10836. description: |-
  10837. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10838. to the namespace of the referent.
  10839. type: string
  10840. type: object
  10841. secretAccessKeySecretRef:
  10842. description: The SecretAccessKey is used for authentication
  10843. properties:
  10844. key:
  10845. description: |-
  10846. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10847. defaulted, in others it may be required.
  10848. type: string
  10849. name:
  10850. description: The name of the Secret resource being referred to.
  10851. type: string
  10852. namespace:
  10853. description: |-
  10854. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10855. to the namespace of the referent.
  10856. type: string
  10857. type: object
  10858. sessionTokenSecretRef:
  10859. description: |-
  10860. The SessionToken used for authentication
  10861. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  10862. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  10863. properties:
  10864. key:
  10865. description: |-
  10866. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10867. defaulted, in others it may be required.
  10868. type: string
  10869. name:
  10870. description: The name of the Secret resource being referred to.
  10871. type: string
  10872. namespace:
  10873. description: |-
  10874. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10875. to the namespace of the referent.
  10876. type: string
  10877. type: object
  10878. type: object
  10879. type: object
  10880. region:
  10881. description: Region specifies the region to operate in.
  10882. type: string
  10883. role:
  10884. description: |-
  10885. You can assume a role before making calls to the
  10886. desired AWS service.
  10887. type: string
  10888. required:
  10889. - region
  10890. type: object
  10891. type: object
  10892. served: true
  10893. storage: true
  10894. subresources:
  10895. status: {}
  10896. conversion:
  10897. strategy: Webhook
  10898. webhook:
  10899. conversionReviewVersions:
  10900. - v1
  10901. clientConfig:
  10902. service:
  10903. name: kubernetes
  10904. namespace: default
  10905. path: /convert
  10906. ---
  10907. apiVersion: apiextensions.k8s.io/v1
  10908. kind: CustomResourceDefinition
  10909. metadata:
  10910. annotations:
  10911. controller-gen.kubebuilder.io/version: v0.15.0
  10912. name: fakes.generators.external-secrets.io
  10913. spec:
  10914. group: generators.external-secrets.io
  10915. names:
  10916. categories:
  10917. - fake
  10918. kind: Fake
  10919. listKind: FakeList
  10920. plural: fakes
  10921. shortNames:
  10922. - fake
  10923. singular: fake
  10924. scope: Namespaced
  10925. versions:
  10926. - name: v1alpha1
  10927. schema:
  10928. openAPIV3Schema:
  10929. description: |-
  10930. Fake generator is used for testing. It lets you define
  10931. a static set of credentials that is always returned.
  10932. properties:
  10933. apiVersion:
  10934. description: |-
  10935. APIVersion defines the versioned schema of this representation of an object.
  10936. Servers should convert recognized schemas to the latest internal value, and
  10937. may reject unrecognized values.
  10938. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10939. type: string
  10940. kind:
  10941. description: |-
  10942. Kind is a string value representing the REST resource this object represents.
  10943. Servers may infer this from the endpoint the client submits requests to.
  10944. Cannot be updated.
  10945. In CamelCase.
  10946. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10947. type: string
  10948. metadata:
  10949. type: object
  10950. spec:
  10951. description: FakeSpec contains the static data.
  10952. properties:
  10953. controller:
  10954. description: |-
  10955. Used to select the correct ESO controller (think: ingress.ingressClassName)
  10956. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  10957. type: string
  10958. data:
  10959. additionalProperties:
  10960. type: string
  10961. description: |-
  10962. Data defines the static data returned
  10963. by this generator.
  10964. type: object
  10965. type: object
  10966. type: object
  10967. served: true
  10968. storage: true
  10969. subresources:
  10970. status: {}
  10971. conversion:
  10972. strategy: Webhook
  10973. webhook:
  10974. conversionReviewVersions:
  10975. - v1
  10976. clientConfig:
  10977. service:
  10978. name: kubernetes
  10979. namespace: default
  10980. path: /convert
  10981. ---
  10982. apiVersion: apiextensions.k8s.io/v1
  10983. kind: CustomResourceDefinition
  10984. metadata:
  10985. annotations:
  10986. controller-gen.kubebuilder.io/version: v0.15.0
  10987. name: gcraccesstokens.generators.external-secrets.io
  10988. spec:
  10989. group: generators.external-secrets.io
  10990. names:
  10991. categories:
  10992. - gcraccesstoken
  10993. kind: GCRAccessToken
  10994. listKind: GCRAccessTokenList
  10995. plural: gcraccesstokens
  10996. shortNames:
  10997. - gcraccesstoken
  10998. singular: gcraccesstoken
  10999. scope: Namespaced
  11000. versions:
  11001. - name: v1alpha1
  11002. schema:
  11003. openAPIV3Schema:
  11004. description: |-
  11005. GCRAccessToken generates an GCP access token
  11006. that can be used to authenticate with GCR.
  11007. properties:
  11008. apiVersion:
  11009. description: |-
  11010. APIVersion defines the versioned schema of this representation of an object.
  11011. Servers should convert recognized schemas to the latest internal value, and
  11012. may reject unrecognized values.
  11013. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11014. type: string
  11015. kind:
  11016. description: |-
  11017. Kind is a string value representing the REST resource this object represents.
  11018. Servers may infer this from the endpoint the client submits requests to.
  11019. Cannot be updated.
  11020. In CamelCase.
  11021. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11022. type: string
  11023. metadata:
  11024. type: object
  11025. spec:
  11026. properties:
  11027. auth:
  11028. description: Auth defines the means for authenticating with GCP
  11029. properties:
  11030. secretRef:
  11031. properties:
  11032. secretAccessKeySecretRef:
  11033. description: The SecretAccessKey is used for authentication
  11034. properties:
  11035. key:
  11036. description: |-
  11037. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11038. defaulted, in others it may be required.
  11039. type: string
  11040. name:
  11041. description: The name of the Secret resource being referred to.
  11042. type: string
  11043. namespace:
  11044. description: |-
  11045. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11046. to the namespace of the referent.
  11047. type: string
  11048. type: object
  11049. type: object
  11050. workloadIdentity:
  11051. properties:
  11052. clusterLocation:
  11053. type: string
  11054. clusterName:
  11055. type: string
  11056. clusterProjectID:
  11057. type: string
  11058. serviceAccountRef:
  11059. description: A reference to a ServiceAccount resource.
  11060. properties:
  11061. audiences:
  11062. description: |-
  11063. Audience specifies the `aud` claim for the service account token
  11064. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11065. then this audiences will be appended to the list
  11066. items:
  11067. type: string
  11068. type: array
  11069. name:
  11070. description: The name of the ServiceAccount resource being referred to.
  11071. type: string
  11072. namespace:
  11073. description: |-
  11074. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11075. to the namespace of the referent.
  11076. type: string
  11077. required:
  11078. - name
  11079. type: object
  11080. required:
  11081. - clusterLocation
  11082. - clusterName
  11083. - serviceAccountRef
  11084. type: object
  11085. type: object
  11086. projectID:
  11087. description: ProjectID defines which project to use to authenticate with
  11088. type: string
  11089. required:
  11090. - auth
  11091. - projectID
  11092. type: object
  11093. type: object
  11094. served: true
  11095. storage: true
  11096. subresources:
  11097. status: {}
  11098. conversion:
  11099. strategy: Webhook
  11100. webhook:
  11101. conversionReviewVersions:
  11102. - v1
  11103. clientConfig:
  11104. service:
  11105. name: kubernetes
  11106. namespace: default
  11107. path: /convert
  11108. ---
  11109. apiVersion: apiextensions.k8s.io/v1
  11110. kind: CustomResourceDefinition
  11111. metadata:
  11112. annotations:
  11113. controller-gen.kubebuilder.io/version: v0.15.0
  11114. name: githubaccesstokens.generators.external-secrets.io
  11115. spec:
  11116. group: generators.external-secrets.io
  11117. names:
  11118. categories:
  11119. - githubaccesstoken
  11120. kind: GithubAccessToken
  11121. listKind: GithubAccessTokenList
  11122. plural: githubaccesstokens
  11123. shortNames:
  11124. - githubaccesstoken
  11125. singular: githubaccesstoken
  11126. scope: Namespaced
  11127. versions:
  11128. - name: v1alpha1
  11129. schema:
  11130. openAPIV3Schema:
  11131. description: GithubAccessToken generates ghs_ accessToken
  11132. properties:
  11133. apiVersion:
  11134. description: |-
  11135. APIVersion defines the versioned schema of this representation of an object.
  11136. Servers should convert recognized schemas to the latest internal value, and
  11137. may reject unrecognized values.
  11138. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11139. type: string
  11140. kind:
  11141. description: |-
  11142. Kind is a string value representing the REST resource this object represents.
  11143. Servers may infer this from the endpoint the client submits requests to.
  11144. Cannot be updated.
  11145. In CamelCase.
  11146. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11147. type: string
  11148. metadata:
  11149. type: object
  11150. spec:
  11151. properties:
  11152. appID:
  11153. type: string
  11154. auth:
  11155. description: Auth configures how ESO authenticates with a Github instance.
  11156. properties:
  11157. privatKey:
  11158. properties:
  11159. secretRef:
  11160. description: |-
  11161. A reference to a specific 'key' within a Secret resource,
  11162. In some instances, `key` is a required field.
  11163. properties:
  11164. key:
  11165. description: |-
  11166. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11167. defaulted, in others it may be required.
  11168. type: string
  11169. name:
  11170. description: The name of the Secret resource being referred to.
  11171. type: string
  11172. namespace:
  11173. description: |-
  11174. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11175. to the namespace of the referent.
  11176. type: string
  11177. type: object
  11178. required:
  11179. - secretRef
  11180. type: object
  11181. required:
  11182. - privatKey
  11183. type: object
  11184. installID:
  11185. type: string
  11186. url:
  11187. description: URL configures the Github instance URL. Defaults to https://github.com/.
  11188. type: string
  11189. required:
  11190. - appID
  11191. - auth
  11192. - installID
  11193. type: object
  11194. type: object
  11195. served: true
  11196. storage: true
  11197. subresources:
  11198. status: {}
  11199. conversion:
  11200. strategy: Webhook
  11201. webhook:
  11202. conversionReviewVersions:
  11203. - v1
  11204. clientConfig:
  11205. service:
  11206. name: kubernetes
  11207. namespace: default
  11208. path: /convert
  11209. ---
  11210. apiVersion: apiextensions.k8s.io/v1
  11211. kind: CustomResourceDefinition
  11212. metadata:
  11213. annotations:
  11214. controller-gen.kubebuilder.io/version: v0.15.0
  11215. name: passwords.generators.external-secrets.io
  11216. spec:
  11217. group: generators.external-secrets.io
  11218. names:
  11219. categories:
  11220. - password
  11221. kind: Password
  11222. listKind: PasswordList
  11223. plural: passwords
  11224. shortNames:
  11225. - password
  11226. singular: password
  11227. scope: Namespaced
  11228. versions:
  11229. - name: v1alpha1
  11230. schema:
  11231. openAPIV3Schema:
  11232. description: |-
  11233. Password generates a random password based on the
  11234. configuration parameters in spec.
  11235. You can specify the length, characterset and other attributes.
  11236. properties:
  11237. apiVersion:
  11238. description: |-
  11239. APIVersion defines the versioned schema of this representation of an object.
  11240. Servers should convert recognized schemas to the latest internal value, and
  11241. may reject unrecognized values.
  11242. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11243. type: string
  11244. kind:
  11245. description: |-
  11246. Kind is a string value representing the REST resource this object represents.
  11247. Servers may infer this from the endpoint the client submits requests to.
  11248. Cannot be updated.
  11249. In CamelCase.
  11250. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11251. type: string
  11252. metadata:
  11253. type: object
  11254. spec:
  11255. description: PasswordSpec controls the behavior of the password generator.
  11256. properties:
  11257. allowRepeat:
  11258. default: false
  11259. description: set AllowRepeat to true to allow repeating characters.
  11260. type: boolean
  11261. digits:
  11262. description: |-
  11263. Digits specifies the number of digits in the generated
  11264. password. If omitted it defaults to 25% of the length of the password
  11265. type: integer
  11266. length:
  11267. default: 24
  11268. description: |-
  11269. Length of the password to be generated.
  11270. Defaults to 24
  11271. type: integer
  11272. noUpper:
  11273. default: false
  11274. description: Set NoUpper to disable uppercase characters
  11275. type: boolean
  11276. symbolCharacters:
  11277. description: |-
  11278. SymbolCharacters specifies the special characters that should be used
  11279. in the generated password.
  11280. type: string
  11281. symbols:
  11282. description: |-
  11283. Symbols specifies the number of symbol characters in the generated
  11284. password. If omitted it defaults to 25% of the length of the password
  11285. type: integer
  11286. required:
  11287. - allowRepeat
  11288. - length
  11289. - noUpper
  11290. type: object
  11291. type: object
  11292. served: true
  11293. storage: true
  11294. subresources:
  11295. status: {}
  11296. conversion:
  11297. strategy: Webhook
  11298. webhook:
  11299. conversionReviewVersions:
  11300. - v1
  11301. clientConfig:
  11302. service:
  11303. name: kubernetes
  11304. namespace: default
  11305. path: /convert
  11306. ---
  11307. apiVersion: apiextensions.k8s.io/v1
  11308. kind: CustomResourceDefinition
  11309. metadata:
  11310. annotations:
  11311. controller-gen.kubebuilder.io/version: v0.15.0
  11312. name: vaultdynamicsecrets.generators.external-secrets.io
  11313. spec:
  11314. group: generators.external-secrets.io
  11315. names:
  11316. categories:
  11317. - vaultdynamicsecret
  11318. kind: VaultDynamicSecret
  11319. listKind: VaultDynamicSecretList
  11320. plural: vaultdynamicsecrets
  11321. shortNames:
  11322. - vaultdynamicsecret
  11323. singular: vaultdynamicsecret
  11324. scope: Namespaced
  11325. versions:
  11326. - name: v1alpha1
  11327. schema:
  11328. openAPIV3Schema:
  11329. properties:
  11330. apiVersion:
  11331. description: |-
  11332. APIVersion defines the versioned schema of this representation of an object.
  11333. Servers should convert recognized schemas to the latest internal value, and
  11334. may reject unrecognized values.
  11335. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11336. type: string
  11337. kind:
  11338. description: |-
  11339. Kind is a string value representing the REST resource this object represents.
  11340. Servers may infer this from the endpoint the client submits requests to.
  11341. Cannot be updated.
  11342. In CamelCase.
  11343. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11344. type: string
  11345. metadata:
  11346. type: object
  11347. spec:
  11348. properties:
  11349. controller:
  11350. description: |-
  11351. Used to select the correct ESO controller (think: ingress.ingressClassName)
  11352. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  11353. type: string
  11354. method:
  11355. description: Vault API method to use (GET/POST/other)
  11356. type: string
  11357. parameters:
  11358. description: Parameters to pass to Vault write (for non-GET methods)
  11359. x-kubernetes-preserve-unknown-fields: true
  11360. path:
  11361. description: Vault path to obtain the dynamic secret from
  11362. type: string
  11363. provider:
  11364. description: Vault provider common spec
  11365. properties:
  11366. auth:
  11367. description: Auth configures how secret-manager authenticates with the Vault server.
  11368. properties:
  11369. appRole:
  11370. description: |-
  11371. AppRole authenticates with Vault using the App Role auth mechanism,
  11372. with the role and secret stored in a Kubernetes Secret resource.
  11373. properties:
  11374. path:
  11375. default: approle
  11376. description: |-
  11377. Path where the App Role authentication backend is mounted
  11378. in Vault, e.g: "approle"
  11379. type: string
  11380. roleId:
  11381. description: |-
  11382. RoleID configured in the App Role authentication backend when setting
  11383. up the authentication backend in Vault.
  11384. type: string
  11385. roleRef:
  11386. description: |-
  11387. Reference to a key in a Secret that contains the App Role ID used
  11388. to authenticate with Vault.
  11389. The `key` field must be specified and denotes which entry within the Secret
  11390. resource is used as the app role id.
  11391. properties:
  11392. key:
  11393. description: |-
  11394. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11395. defaulted, in others it may be required.
  11396. type: string
  11397. name:
  11398. description: The name of the Secret resource being referred to.
  11399. type: string
  11400. namespace:
  11401. description: |-
  11402. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11403. to the namespace of the referent.
  11404. type: string
  11405. type: object
  11406. secretRef:
  11407. description: |-
  11408. Reference to a key in a Secret that contains the App Role secret used
  11409. to authenticate with Vault.
  11410. The `key` field must be specified and denotes which entry within the Secret
  11411. resource is used as the app role secret.
  11412. properties:
  11413. key:
  11414. description: |-
  11415. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11416. defaulted, in others it may be required.
  11417. type: string
  11418. name:
  11419. description: The name of the Secret resource being referred to.
  11420. type: string
  11421. namespace:
  11422. description: |-
  11423. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11424. to the namespace of the referent.
  11425. type: string
  11426. type: object
  11427. required:
  11428. - path
  11429. - secretRef
  11430. type: object
  11431. cert:
  11432. description: |-
  11433. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11434. Cert authentication method
  11435. properties:
  11436. clientCert:
  11437. description: |-
  11438. ClientCert is a certificate to authenticate using the Cert Vault
  11439. authentication method
  11440. properties:
  11441. key:
  11442. description: |-
  11443. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11444. defaulted, in others it may be required.
  11445. type: string
  11446. name:
  11447. description: The name of the Secret resource being referred to.
  11448. type: string
  11449. namespace:
  11450. description: |-
  11451. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11452. to the namespace of the referent.
  11453. type: string
  11454. type: object
  11455. secretRef:
  11456. description: |-
  11457. SecretRef to a key in a Secret resource containing client private key to
  11458. authenticate with Vault using the Cert authentication method
  11459. properties:
  11460. key:
  11461. description: |-
  11462. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11463. defaulted, in others it may be required.
  11464. type: string
  11465. name:
  11466. description: The name of the Secret resource being referred to.
  11467. type: string
  11468. namespace:
  11469. description: |-
  11470. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11471. to the namespace of the referent.
  11472. type: string
  11473. type: object
  11474. type: object
  11475. iam:
  11476. description: |-
  11477. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  11478. AWS IAM authentication method
  11479. properties:
  11480. externalID:
  11481. description: AWS External ID set on assumed IAM roles
  11482. type: string
  11483. jwt:
  11484. description: Specify a service account with IRSA enabled
  11485. properties:
  11486. serviceAccountRef:
  11487. description: A reference to a ServiceAccount resource.
  11488. properties:
  11489. audiences:
  11490. description: |-
  11491. Audience specifies the `aud` claim for the service account token
  11492. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11493. then this audiences will be appended to the list
  11494. items:
  11495. type: string
  11496. type: array
  11497. name:
  11498. description: The name of the ServiceAccount resource being referred to.
  11499. type: string
  11500. namespace:
  11501. description: |-
  11502. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11503. to the namespace of the referent.
  11504. type: string
  11505. required:
  11506. - name
  11507. type: object
  11508. type: object
  11509. path:
  11510. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11511. type: string
  11512. region:
  11513. description: AWS region
  11514. type: string
  11515. role:
  11516. description: This is the AWS role to be assumed before talking to vault
  11517. type: string
  11518. secretRef:
  11519. description: Specify credentials in a Secret object
  11520. properties:
  11521. accessKeyIDSecretRef:
  11522. description: The AccessKeyID is used for authentication
  11523. properties:
  11524. key:
  11525. description: |-
  11526. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11527. defaulted, in others it may be required.
  11528. type: string
  11529. name:
  11530. description: The name of the Secret resource being referred to.
  11531. type: string
  11532. namespace:
  11533. description: |-
  11534. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11535. to the namespace of the referent.
  11536. type: string
  11537. type: object
  11538. secretAccessKeySecretRef:
  11539. description: The SecretAccessKey is used for authentication
  11540. properties:
  11541. key:
  11542. description: |-
  11543. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11544. defaulted, in others it may be required.
  11545. type: string
  11546. name:
  11547. description: The name of the Secret resource being referred to.
  11548. type: string
  11549. namespace:
  11550. description: |-
  11551. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11552. to the namespace of the referent.
  11553. type: string
  11554. type: object
  11555. sessionTokenSecretRef:
  11556. description: |-
  11557. The SessionToken used for authentication
  11558. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11559. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11560. properties:
  11561. key:
  11562. description: |-
  11563. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11564. defaulted, in others it may be required.
  11565. type: string
  11566. name:
  11567. description: The name of the Secret resource being referred to.
  11568. type: string
  11569. namespace:
  11570. description: |-
  11571. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11572. to the namespace of the referent.
  11573. type: string
  11574. type: object
  11575. type: object
  11576. vaultAwsIamServerID:
  11577. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11578. type: string
  11579. vaultRole:
  11580. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  11581. type: string
  11582. required:
  11583. - vaultRole
  11584. type: object
  11585. jwt:
  11586. description: |-
  11587. Jwt authenticates with Vault by passing role and JWT token using the
  11588. JWT/OIDC authentication method
  11589. properties:
  11590. kubernetesServiceAccountToken:
  11591. description: |-
  11592. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11593. a token for with the `TokenRequest` API.
  11594. properties:
  11595. audiences:
  11596. description: |-
  11597. Optional audiences field that will be used to request a temporary Kubernetes service
  11598. account token for the service account referenced by `serviceAccountRef`.
  11599. Defaults to a single audience `vault` it not specified.
  11600. Deprecated: use serviceAccountRef.Audiences instead
  11601. items:
  11602. type: string
  11603. type: array
  11604. expirationSeconds:
  11605. description: |-
  11606. Optional expiration time in seconds that will be used to request a temporary
  11607. Kubernetes service account token for the service account referenced by
  11608. `serviceAccountRef`.
  11609. Deprecated: this will be removed in the future.
  11610. Defaults to 10 minutes.
  11611. format: int64
  11612. type: integer
  11613. serviceAccountRef:
  11614. description: Service account field containing the name of a kubernetes ServiceAccount.
  11615. properties:
  11616. audiences:
  11617. description: |-
  11618. Audience specifies the `aud` claim for the service account token
  11619. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11620. then this audiences will be appended to the list
  11621. items:
  11622. type: string
  11623. type: array
  11624. name:
  11625. description: The name of the ServiceAccount resource being referred to.
  11626. type: string
  11627. namespace:
  11628. description: |-
  11629. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11630. to the namespace of the referent.
  11631. type: string
  11632. required:
  11633. - name
  11634. type: object
  11635. required:
  11636. - serviceAccountRef
  11637. type: object
  11638. path:
  11639. default: jwt
  11640. description: |-
  11641. Path where the JWT authentication backend is mounted
  11642. in Vault, e.g: "jwt"
  11643. type: string
  11644. role:
  11645. description: |-
  11646. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11647. authentication method
  11648. type: string
  11649. secretRef:
  11650. description: |-
  11651. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11652. authenticate with Vault using the JWT/OIDC authentication method.
  11653. properties:
  11654. key:
  11655. description: |-
  11656. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11657. defaulted, in others it may be required.
  11658. type: string
  11659. name:
  11660. description: The name of the Secret resource being referred to.
  11661. type: string
  11662. namespace:
  11663. description: |-
  11664. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11665. to the namespace of the referent.
  11666. type: string
  11667. type: object
  11668. required:
  11669. - path
  11670. type: object
  11671. kubernetes:
  11672. description: |-
  11673. Kubernetes authenticates with Vault by passing the ServiceAccount
  11674. token stored in the named Secret resource to the Vault server.
  11675. properties:
  11676. mountPath:
  11677. default: kubernetes
  11678. description: |-
  11679. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11680. "kubernetes"
  11681. type: string
  11682. role:
  11683. description: |-
  11684. A required field containing the Vault Role to assume. A Role binds a
  11685. Kubernetes ServiceAccount with a set of Vault policies.
  11686. type: string
  11687. secretRef:
  11688. description: |-
  11689. Optional secret field containing a Kubernetes ServiceAccount JWT used
  11690. for authenticating with Vault. If a name is specified without a key,
  11691. `token` is the default. If one is not specified, the one bound to
  11692. the controller will be used.
  11693. properties:
  11694. key:
  11695. description: |-
  11696. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11697. defaulted, in others it may be required.
  11698. type: string
  11699. name:
  11700. description: The name of the Secret resource being referred to.
  11701. type: string
  11702. namespace:
  11703. description: |-
  11704. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11705. to the namespace of the referent.
  11706. type: string
  11707. type: object
  11708. serviceAccountRef:
  11709. description: |-
  11710. Optional service account field containing the name of a kubernetes ServiceAccount.
  11711. If the service account is specified, the service account secret token JWT will be used
  11712. for authenticating with Vault. If the service account selector is not supplied,
  11713. the secretRef will be used instead.
  11714. properties:
  11715. audiences:
  11716. description: |-
  11717. Audience specifies the `aud` claim for the service account token
  11718. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11719. then this audiences will be appended to the list
  11720. items:
  11721. type: string
  11722. type: array
  11723. name:
  11724. description: The name of the ServiceAccount resource being referred to.
  11725. type: string
  11726. namespace:
  11727. description: |-
  11728. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11729. to the namespace of the referent.
  11730. type: string
  11731. required:
  11732. - name
  11733. type: object
  11734. required:
  11735. - mountPath
  11736. - role
  11737. type: object
  11738. ldap:
  11739. description: |-
  11740. Ldap authenticates with Vault by passing username/password pair using
  11741. the LDAP authentication method
  11742. properties:
  11743. path:
  11744. default: ldap
  11745. description: |-
  11746. Path where the LDAP authentication backend is mounted
  11747. in Vault, e.g: "ldap"
  11748. type: string
  11749. secretRef:
  11750. description: |-
  11751. SecretRef to a key in a Secret resource containing password for the LDAP
  11752. user used to authenticate with Vault using the LDAP authentication
  11753. method
  11754. properties:
  11755. key:
  11756. description: |-
  11757. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11758. defaulted, in others it may be required.
  11759. type: string
  11760. name:
  11761. description: The name of the Secret resource being referred to.
  11762. type: string
  11763. namespace:
  11764. description: |-
  11765. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11766. to the namespace of the referent.
  11767. type: string
  11768. type: object
  11769. username:
  11770. description: |-
  11771. Username is a LDAP user name used to authenticate using the LDAP Vault
  11772. authentication method
  11773. type: string
  11774. required:
  11775. - path
  11776. - username
  11777. type: object
  11778. namespace:
  11779. description: |-
  11780. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  11781. Namespaces is a set of features within Vault Enterprise that allows
  11782. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11783. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11784. This will default to Vault.Namespace field if set, or empty otherwise
  11785. type: string
  11786. tokenSecretRef:
  11787. description: TokenSecretRef authenticates with Vault by presenting a token.
  11788. properties:
  11789. key:
  11790. description: |-
  11791. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11792. defaulted, in others it may be required.
  11793. type: string
  11794. name:
  11795. description: The name of the Secret resource being referred to.
  11796. type: string
  11797. namespace:
  11798. description: |-
  11799. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11800. to the namespace of the referent.
  11801. type: string
  11802. type: object
  11803. userPass:
  11804. description: UserPass authenticates with Vault by passing username/password pair
  11805. properties:
  11806. path:
  11807. default: user
  11808. description: |-
  11809. Path where the UserPassword authentication backend is mounted
  11810. in Vault, e.g: "user"
  11811. type: string
  11812. secretRef:
  11813. description: |-
  11814. SecretRef to a key in a Secret resource containing password for the
  11815. user used to authenticate with Vault using the UserPass authentication
  11816. method
  11817. properties:
  11818. key:
  11819. description: |-
  11820. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11821. defaulted, in others it may be required.
  11822. type: string
  11823. name:
  11824. description: The name of the Secret resource being referred to.
  11825. type: string
  11826. namespace:
  11827. description: |-
  11828. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11829. to the namespace of the referent.
  11830. type: string
  11831. type: object
  11832. username:
  11833. description: |-
  11834. Username is a user name used to authenticate using the UserPass Vault
  11835. authentication method
  11836. type: string
  11837. required:
  11838. - path
  11839. - username
  11840. type: object
  11841. type: object
  11842. caBundle:
  11843. description: |-
  11844. PEM encoded CA bundle used to validate Vault server certificate. Only used
  11845. if the Server URL is using HTTPS protocol. This parameter is ignored for
  11846. plain HTTP protocol connection. If not set the system root certificates
  11847. are used to validate the TLS connection.
  11848. format: byte
  11849. type: string
  11850. caProvider:
  11851. description: The provider for the CA bundle to use to validate Vault server certificate.
  11852. properties:
  11853. key:
  11854. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11855. type: string
  11856. name:
  11857. description: The name of the object located at the provider type.
  11858. type: string
  11859. namespace:
  11860. description: |-
  11861. The namespace the Provider type is in.
  11862. Can only be defined when used in a ClusterSecretStore.
  11863. type: string
  11864. type:
  11865. description: The type of provider to use such as "Secret", or "ConfigMap".
  11866. enum:
  11867. - Secret
  11868. - ConfigMap
  11869. type: string
  11870. required:
  11871. - name
  11872. - type
  11873. type: object
  11874. forwardInconsistent:
  11875. description: |-
  11876. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  11877. leader instead of simply retrying within a loop. This can increase performance if
  11878. the option is enabled serverside.
  11879. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  11880. type: boolean
  11881. namespace:
  11882. description: |-
  11883. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  11884. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11885. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11886. type: string
  11887. path:
  11888. description: |-
  11889. Path is the mount path of the Vault KV backend endpoint, e.g:
  11890. "secret". The v2 KV secret engine version specific "/data" path suffix
  11891. for fetching secrets from Vault is optional and will be appended
  11892. if not present in specified path.
  11893. type: string
  11894. readYourWrites:
  11895. description: |-
  11896. ReadYourWrites ensures isolated read-after-write semantics by
  11897. providing discovered cluster replication states in each request.
  11898. More information about eventual consistency in Vault can be found here
  11899. https://www.vaultproject.io/docs/enterprise/consistency
  11900. type: boolean
  11901. server:
  11902. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  11903. type: string
  11904. tls:
  11905. description: |-
  11906. The configuration used for client side related TLS communication, when the Vault server
  11907. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  11908. This parameter is ignored for plain HTTP protocol connection.
  11909. It's worth noting this configuration is different from the "TLS certificates auth method",
  11910. which is available under the `auth.cert` section.
  11911. properties:
  11912. certSecretRef:
  11913. description: |-
  11914. CertSecretRef is a certificate added to the transport layer
  11915. when communicating with the Vault server.
  11916. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  11917. properties:
  11918. key:
  11919. description: |-
  11920. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11921. defaulted, in others it may be required.
  11922. type: string
  11923. name:
  11924. description: The name of the Secret resource being referred to.
  11925. type: string
  11926. namespace:
  11927. description: |-
  11928. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11929. to the namespace of the referent.
  11930. type: string
  11931. type: object
  11932. keySecretRef:
  11933. description: |-
  11934. KeySecretRef to a key in a Secret resource containing client private key
  11935. added to the transport layer when communicating with the Vault server.
  11936. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  11937. properties:
  11938. key:
  11939. description: |-
  11940. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11941. defaulted, in others it may be required.
  11942. type: string
  11943. name:
  11944. description: The name of the Secret resource being referred to.
  11945. type: string
  11946. namespace:
  11947. description: |-
  11948. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11949. to the namespace of the referent.
  11950. type: string
  11951. type: object
  11952. type: object
  11953. version:
  11954. default: v2
  11955. description: |-
  11956. Version is the Vault KV secret engine version. This can be either "v1" or
  11957. "v2". Version defaults to "v2".
  11958. enum:
  11959. - v1
  11960. - v2
  11961. type: string
  11962. required:
  11963. - auth
  11964. - server
  11965. type: object
  11966. resultType:
  11967. default: Data
  11968. description: |-
  11969. Result type defines which data is returned from the generator.
  11970. By default it is the "data" section of the Vault API response.
  11971. When using e.g. /auth/token/create the "data" section is empty but
  11972. the "auth" section contains the generated token.
  11973. Please refer to the vault docs regarding the result data structure.
  11974. enum:
  11975. - Data
  11976. - Auth
  11977. type: string
  11978. required:
  11979. - path
  11980. - provider
  11981. type: object
  11982. type: object
  11983. served: true
  11984. storage: true
  11985. subresources:
  11986. status: {}
  11987. conversion:
  11988. strategy: Webhook
  11989. webhook:
  11990. conversionReviewVersions:
  11991. - v1
  11992. clientConfig:
  11993. service:
  11994. name: kubernetes
  11995. namespace: default
  11996. path: /convert
  11997. ---
  11998. apiVersion: apiextensions.k8s.io/v1
  11999. kind: CustomResourceDefinition
  12000. metadata:
  12001. annotations:
  12002. controller-gen.kubebuilder.io/version: v0.15.0
  12003. name: webhooks.generators.external-secrets.io
  12004. spec:
  12005. group: generators.external-secrets.io
  12006. names:
  12007. categories:
  12008. - webhook
  12009. kind: Webhook
  12010. listKind: WebhookList
  12011. plural: webhooks
  12012. shortNames:
  12013. - webhookl
  12014. singular: webhook
  12015. scope: Namespaced
  12016. versions:
  12017. - name: v1alpha1
  12018. schema:
  12019. openAPIV3Schema:
  12020. description: |-
  12021. Webhook connects to a third party API server to handle the secrets generation
  12022. configuration parameters in spec.
  12023. You can specify the server, the token, and additional body parameters.
  12024. See documentation for the full API specification for requests and responses.
  12025. properties:
  12026. apiVersion:
  12027. description: |-
  12028. APIVersion defines the versioned schema of this representation of an object.
  12029. Servers should convert recognized schemas to the latest internal value, and
  12030. may reject unrecognized values.
  12031. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12032. type: string
  12033. kind:
  12034. description: |-
  12035. Kind is a string value representing the REST resource this object represents.
  12036. Servers may infer this from the endpoint the client submits requests to.
  12037. Cannot be updated.
  12038. In CamelCase.
  12039. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12040. type: string
  12041. metadata:
  12042. type: object
  12043. spec:
  12044. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  12045. properties:
  12046. body:
  12047. description: Body
  12048. type: string
  12049. caBundle:
  12050. description: |-
  12051. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12052. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12053. plain HTTP protocol connection. If not set the system root certificates
  12054. are used to validate the TLS connection.
  12055. format: byte
  12056. type: string
  12057. caProvider:
  12058. description: The provider for the CA bundle to use to validate webhook server certificate.
  12059. properties:
  12060. key:
  12061. description: The key the value inside of the provider type to use, only used with "Secret" type
  12062. type: string
  12063. name:
  12064. description: The name of the object located at the provider type.
  12065. type: string
  12066. namespace:
  12067. description: The namespace the Provider type is in.
  12068. type: string
  12069. type:
  12070. description: The type of provider to use such as "Secret", or "ConfigMap".
  12071. enum:
  12072. - Secret
  12073. - ConfigMap
  12074. type: string
  12075. required:
  12076. - name
  12077. - type
  12078. type: object
  12079. headers:
  12080. additionalProperties:
  12081. type: string
  12082. description: Headers
  12083. type: object
  12084. method:
  12085. description: Webhook Method
  12086. type: string
  12087. result:
  12088. description: Result formatting
  12089. properties:
  12090. jsonPath:
  12091. description: Json path of return value
  12092. type: string
  12093. type: object
  12094. secrets:
  12095. description: |-
  12096. Secrets to fill in templates
  12097. These secrets will be passed to the templating function as key value pairs under the given name
  12098. items:
  12099. properties:
  12100. name:
  12101. description: Name of this secret in templates
  12102. type: string
  12103. secretRef:
  12104. description: Secret ref to fill in credentials
  12105. properties:
  12106. key:
  12107. description: The key where the token is found.
  12108. type: string
  12109. name:
  12110. description: The name of the Secret resource being referred to.
  12111. type: string
  12112. type: object
  12113. required:
  12114. - name
  12115. - secretRef
  12116. type: object
  12117. type: array
  12118. timeout:
  12119. description: Timeout
  12120. type: string
  12121. url:
  12122. description: Webhook url to call
  12123. type: string
  12124. required:
  12125. - result
  12126. - url
  12127. type: object
  12128. type: object
  12129. served: true
  12130. storage: true
  12131. subresources:
  12132. status: {}
  12133. conversion:
  12134. strategy: Webhook
  12135. webhook:
  12136. conversionReviewVersions:
  12137. - v1
  12138. clientConfig:
  12139. service:
  12140. name: kubernetes
  12141. namespace: default
  12142. path: /convert