
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.9.2
  6. creationTimestamp: null
  7. name: clusterexternalsecrets.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterExternalSecret
  14. listKind: ClusterExternalSecretList
  15. plural: clusterexternalsecrets
  16. shortNames:
  17. - ces
  18. singular: clusterexternalsecret
  19. scope: Cluster
  20. versions:
  21. - additionalPrinterColumns:
  22. - jsonPath: .spec.secretStoreRef.name
  23. name: Store
  24. type: string
  25. - jsonPath: .spec.refreshInterval
  26. name: Refresh Interval
  27. type: string
  28. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  29. name: Status
  30. type: string
  31. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  32. name: Ready
  33. type: string
  34. name: v1beta1
  35. schema:
  36. openAPIV3Schema:
  37. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  38. properties:
  39. apiVersion:
  40. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  41. type: string
  42. kind:
  43. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  44. type: string
  45. metadata:
  46. type: object
  47. spec:
  48. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  49. properties:
  50. externalSecretName:
  51. description: The name of the ExternalSecrets to be created. Defaults to the name of the ClusterExternalSecret.
  52. type: string
  53. externalSecretSpec:
  54. description: The spec for the ExternalSecrets to be created
  55. properties:
  56. data:
  57. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  58. items:
  59. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  60. properties:
  61. remoteRef:
  62. description: ExternalSecretDataRemoteRef defines Provider data location.
  63. properties:
  64. conversionStrategy:
  65. default: Default
  66. description: Used to define a conversion Strategy
  67. type: string
  68. decodingStrategy:
  69. default: None
  70. description: Used to define a decoding Strategy
  71. type: string
  72. key:
  73. description: Key is the key used in the Provider, mandatory
  74. type: string
  75. metadataPolicy:
  76. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  77. type: string
  78. property:
  79. description: Used to select a specific property of the Provider value (if a map), if supported
  80. type: string
  81. version:
  82. description: Used to select a specific version of the Provider value, if supported
  83. type: string
  84. required:
  85. - key
  86. type: object
  87. secretKey:
  88. type: string
  89. required:
  90. - remoteRef
  91. - secretKey
  92. type: object
  93. type: array
  94. dataFrom:
  95. description: DataFrom is used to fetch all properties from a specific Provider data. If multiple entries are specified, the Secret keys are merged in the specified order.
  96. items:
  97. properties:
  98. extract:
  99. description: Used to extract multiple key/value pairs from one secret
  100. properties:
  101. conversionStrategy:
  102. default: Default
  103. description: Used to define a conversion Strategy
  104. type: string
  105. decodingStrategy:
  106. default: None
  107. description: Used to define a decoding Strategy
  108. type: string
  109. key:
  110. description: Key is the key used in the Provider, mandatory
  111. type: string
  112. metadataPolicy:
  113. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  114. type: string
  115. property:
  116. description: Used to select a specific property of the Provider value (if a map), if supported
  117. type: string
  118. version:
  119. description: Used to select a specific version of the Provider value, if supported
  120. type: string
  121. required:
  122. - key
  123. type: object
  124. find:
  125. description: Used to find secrets based on tags or regular expressions
  126. properties:
  127. conversionStrategy:
  128. default: Default
  129. description: Used to define a conversion Strategy
  130. type: string
  131. decodingStrategy:
  132. default: None
  133. description: Used to define a decoding Strategy
  134. type: string
  135. name:
  136. description: Finds secrets based on the name.
  137. properties:
  138. regexp:
  139. description: Finds secrets whose name matches the regular expression.
  140. type: string
  141. type: object
  142. path:
  143. description: A root path to start the find operations.
  144. type: string
  145. tags:
  146. additionalProperties:
  147. type: string
  148. description: Find secrets based on tags.
  149. type: object
  150. type: object
  151. rewrite:
  152. description: Used to rewrite secret Keys after getting them from the secret Provider. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last).
  153. items:
  154. properties:
  155. regexp:
  156. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  157. properties:
  158. source:
  159. description: Used to define the regular expression of a re.Compiler.
  160. type: string
  161. target:
  162. description: Used to define the target pattern of a ReplaceAll operation.
  163. type: string
  164. required:
  165. - source
  166. - target
  167. type: object
  168. type: object
  169. type: array
  170. type: object
  171. type: array
  172. refreshInterval:
  173. default: 1h
  174. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". May be set to zero to fetch and create it once. Defaults to 1h.
  175. type: string
  176. secretStoreRef:
  177. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  178. properties:
  179. kind:
  180. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
  181. type: string
  182. name:
  183. description: Name of the SecretStore resource
  184. type: string
  185. required:
  186. - name
  187. type: object
  188. target:
  189. default:
  190. creationPolicy: Owner
  191. deletionPolicy: Retain
  192. description: ExternalSecretTarget defines the Kubernetes Secret to be created. There can be only one target per ExternalSecret.
  193. properties:
  194. creationPolicy:
  195. default: Owner
  196. description: CreationPolicy defines rules on how to create the resulting Secret. Defaults to 'Owner'.
  197. enum:
  198. - Owner
  199. - Orphan
  200. - Merge
  201. - None
  202. type: string
  203. deletionPolicy:
  204. default: Retain
  205. description: DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to 'Retain'.
  206. enum:
  207. - Delete
  208. - Merge
  209. - Retain
  210. type: string
  211. immutable:
  212. description: Immutable defines if the final secret will be immutable
  213. type: boolean
  214. name:
  215. description: Name defines the name of the Secret resource to be managed. This field is immutable. Defaults to the .metadata.name of the ExternalSecret resource.
  216. type: string
  217. template:
  218. description: Template defines a blueprint for the created Secret resource.
  219. properties:
  220. data:
  221. additionalProperties:
  222. type: string
  223. type: object
  224. engineVersion:
  225. default: v2
  226. type: string
  227. metadata:
  228. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  229. properties:
  230. annotations:
  231. additionalProperties:
  232. type: string
  233. type: object
  234. labels:
  235. additionalProperties:
  236. type: string
  237. type: object
  238. type: object
  239. templateFrom:
  240. items:
  241. maxProperties: 1
  242. minProperties: 1
  243. properties:
  244. configMap:
  245. properties:
  246. items:
  247. items:
  248. properties:
  249. key:
  250. type: string
  251. required:
  252. - key
  253. type: object
  254. type: array
  255. name:
  256. type: string
  257. required:
  258. - items
  259. - name
  260. type: object
  261. secret:
  262. properties:
  263. items:
  264. items:
  265. properties:
  266. key:
  267. type: string
  268. required:
  269. - key
  270. type: object
  271. type: array
  272. name:
  273. type: string
  274. required:
  275. - items
  276. - name
  277. type: object
  278. type: object
  279. type: array
  280. type:
  281. type: string
  282. type: object
  283. type: object
  284. required:
  285. - secretStoreRef
  286. type: object
  287. namespaceSelector:
  288. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  289. properties:
  290. matchExpressions:
  291. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  292. items:
  293. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  294. properties:
  295. key:
  296. description: key is the label key that the selector applies to.
  297. type: string
  298. operator:
  299. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  300. type: string
  301. values:
  302. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  303. items:
  304. type: string
  305. type: array
  306. required:
  307. - key
  308. - operator
  309. type: object
  310. type: array
  311. matchLabels:
  312. additionalProperties:
  313. type: string
  314. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  315. type: object
  316. type: object
  317. x-kubernetes-map-type: atomic
  318. refreshTime:
  319. description: The interval at which the controller should reconcile its objects and recheck namespaces for labels.
  320. type: string
  321. required:
  322. - externalSecretSpec
  323. - namespaceSelector
  324. type: object
  325. status:
  326. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  327. properties:
  328. conditions:
  329. items:
  330. properties:
  331. message:
  332. type: string
  333. status:
  334. type: string
  335. type:
  336. type: string
  337. required:
  338. - status
  339. - type
  340. type: object
  341. type: array
  342. failedNamespaces:
  343. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  344. items:
  345. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  346. properties:
  347. namespace:
  348. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  349. type: string
  350. reason:
  351. description: Reason is why the ExternalSecret failed to apply to the namespace
  352. type: string
  353. required:
  354. - namespace
  355. type: object
  356. type: array
  357. provisionedNamespaces:
  358. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  359. items:
  360. type: string
  361. type: array
  362. type: object
  363. type: object
  364. served: true
  365. storage: true
  366. subresources:
  367. status: {}
  368. conversion:
  369. strategy: Webhook
  370. webhook:
  371. conversionReviewVersions:
  372. - v1
  373. clientConfig:
  374. service:
  375. name: kubernetes
  376. namespace: default
  377. path: /convert
  378. ---
  379. apiVersion: apiextensions.k8s.io/v1
  380. kind: CustomResourceDefinition
  381. metadata:
  382. annotations:
  383. controller-gen.kubebuilder.io/version: v0.9.2
  384. creationTimestamp: null
  385. name: clustersecretstores.external-secrets.io
  386. spec:
  387. group: external-secrets.io
  388. names:
  389. categories:
  390. - externalsecrets
  391. kind: ClusterSecretStore
  392. listKind: ClusterSecretStoreList
  393. plural: clustersecretstores
  394. shortNames:
  395. - css
  396. singular: clustersecretstore
  397. scope: Cluster
  398. versions:
  399. - additionalPrinterColumns:
  400. - jsonPath: .metadata.creationTimestamp
  401. name: AGE
  402. type: date
  403. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  404. name: Status
  405. type: string
  406. deprecated: true
  407. name: v1alpha1
  408. schema:
  409. openAPIV3Schema:
  410. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  411. properties:
  412. apiVersion:
  413. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  414. type: string
  415. kind:
  416. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  417. type: string
  418. metadata:
  419. type: object
  420. spec:
  421. description: SecretStoreSpec defines the desired state of SecretStore.
  422. properties:
  423. controller:
  424. description: 'Used to select the correct KES controller (think: ingress.ingressClassName). The KES controller is instantiated with a specific controller name and filters ES based on this property.'
  425. type: string
  426. provider:
  427. description: Used to configure the provider. Only one provider may be set
  428. maxProperties: 1
  429. minProperties: 1
  430. properties:
  431. akeyless:
  432. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  433. properties:
  434. akeylessGWApiURL:
  435. description: Akeyless GW API URL from which the secrets are fetched.
  436. type: string
  437. authSecretRef:
  438. description: Auth configures how the operator authenticates with Akeyless.
  439. properties:
  440. kubernetesAuth:
  441. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  442. properties:
  443. accessID:
  444. description: the Akeyless Kubernetes auth-method access-id
  445. type: string
  446. k8sConfName:
  447. description: Kubernetes-auth configuration name in Akeyless-Gateway
  448. type: string
  449. secretRef:
  450. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  451. properties:
  452. key:
  453. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  454. type: string
  455. name:
  456. description: The name of the Secret resource being referred to.
  457. type: string
  458. namespace:
  459. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  460. type: string
  461. type: object
  462. serviceAccountRef:
  463. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  464. properties:
  465. audiences:
  466. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  467. items:
  468. type: string
  469. type: array
  470. name:
  471. description: The name of the ServiceAccount resource being referred to.
  472. type: string
  473. namespace:
  474. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  475. type: string
  476. required:
  477. - name
  478. type: object
  479. required:
  480. - accessID
  481. - k8sConfName
  482. type: object
  483. secretRef:
  484. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  485. properties:
  486. accessID:
  487. description: The SecretAccessID is used for authentication
  488. properties:
  489. key:
  490. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  491. type: string
  492. name:
  493. description: The name of the Secret resource being referred to.
  494. type: string
  495. namespace:
  496. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  497. type: string
  498. type: object
  499. accessType:
  500. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  501. properties:
  502. key:
  503. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  504. type: string
  505. name:
  506. description: The name of the Secret resource being referred to.
  507. type: string
  508. namespace:
  509. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  510. type: string
  511. type: object
  512. accessTypeParam:
  513. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  514. properties:
  515. key:
  516. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  517. type: string
  518. name:
  519. description: The name of the Secret resource being referred to.
  520. type: string
  521. namespace:
  522. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  523. type: string
  524. type: object
  525. type: object
  526. type: object
  527. required:
  528. - akeylessGWApiURL
  529. - authSecretRef
  530. type: object
  531. alibaba:
  532. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  533. properties:
  534. auth:
  535. description: AlibabaAuth contains a secretRef for credentials.
  536. properties:
  537. secretRef:
  538. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  539. properties:
  540. accessKeyIDSecretRef:
  541. description: The AccessKeyID is used for authentication
  542. properties:
  543. key:
  544. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  545. type: string
  546. name:
  547. description: The name of the Secret resource being referred to.
  548. type: string
  549. namespace:
  550. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  551. type: string
  552. type: object
  553. accessKeySecretSecretRef:
  554. description: The AccessKeySecret is used for authentication
  555. properties:
  556. key:
  557. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  558. type: string
  559. name:
  560. description: The name of the Secret resource being referred to.
  561. type: string
  562. namespace:
  563. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  564. type: string
  565. type: object
  566. required:
  567. - accessKeyIDSecretRef
  568. - accessKeySecretSecretRef
  569. type: object
  570. required:
  571. - secretRef
  572. type: object
  573. endpoint:
  574. type: string
  575. regionID:
  576. description: Alibaba Region to be used for the provider
  577. type: string
  578. required:
  579. - auth
  580. - regionID
  581. type: object
  582. aws:
  583. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  584. properties:
  585. auth:
  586. description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  587. properties:
  588. jwt:
  589. description: Authenticate against AWS using service account tokens.
  590. properties:
  591. serviceAccountRef:
  592. description: A reference to a ServiceAccount resource.
  593. properties:
  594. audiences:
  595. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  596. items:
  597. type: string
  598. type: array
  599. name:
  600. description: The name of the ServiceAccount resource being referred to.
  601. type: string
  602. namespace:
  603. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  604. type: string
  605. required:
  606. - name
  607. type: object
  608. type: object
  609. secretRef:
  610. description: AWSAuthSecretRef holds secret references for AWS credentials. Both AccessKeyID and SecretAccessKey must be defined in order to authenticate properly.
  611. properties:
  612. accessKeyIDSecretRef:
  613. description: The AccessKeyID is used for authentication
  614. properties:
  615. key:
  616. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  617. type: string
  618. name:
  619. description: The name of the Secret resource being referred to.
  620. type: string
  621. namespace:
  622. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  623. type: string
  624. type: object
  625. secretAccessKeySecretRef:
  626. description: The SecretAccessKey is used for authentication
  627. properties:
  628. key:
  629. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  630. type: string
  631. name:
  632. description: The name of the Secret resource being referred to.
  633. type: string
  634. namespace:
  635. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  636. type: string
  637. type: object
  638. type: object
  639. type: object
  640. region:
  641. description: AWS Region to be used for the provider
  642. type: string
  643. role:
  644. description: Role is a Role ARN which the SecretManager provider will assume
  645. type: string
  646. service:
  647. description: Service defines which service should be used to fetch the secrets
  648. enum:
  649. - SecretsManager
  650. - ParameterStore
  651. type: string
  652. required:
  653. - region
  654. - service
  655. type: object
  656. azurekv:
  657. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  658. properties:
  659. authSecretRef:
  660. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  661. properties:
  662. clientId:
  663. description: The Azure clientId of the service principal used for authentication.
  664. properties:
  665. key:
  666. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  667. type: string
  668. name:
  669. description: The name of the Secret resource being referred to.
  670. type: string
  671. namespace:
  672. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  673. type: string
  674. type: object
  675. clientSecret:
  676. description: The Azure ClientSecret of the service principal used for authentication.
  677. properties:
  678. key:
  679. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  680. type: string
  681. name:
  682. description: The name of the Secret resource being referred to.
  683. type: string
  684. namespace:
  685. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  686. type: string
  687. type: object
  688. type: object
  689. authType:
  690. default: ServicePrincipal
  691. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - "WorkloadIdentity": Using the service account referenced by serviceAccountRef'
  692. enum:
  693. - ServicePrincipal
  694. - ManagedIdentity
  695. - WorkloadIdentity
  696. type: string
  697. identityId:
  698. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used.
  699. type: string
  700. serviceAccountRef:
  701. description: ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
  702. properties:
  703. audiences:
  704. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  705. items:
  706. type: string
  707. type: array
  708. name:
  709. description: The name of the ServiceAccount resource being referred to.
  710. type: string
  711. namespace:
  712. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  713. type: string
  714. required:
  715. - name
  716. type: object
  717. tenantId:
  718. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  719. type: string
  720. vaultUrl:
  721. description: Vault URL from which the secrets are fetched.
  722. type: string
  723. required:
  724. - vaultUrl
  725. type: object
  726. fake:
  727. description: Fake configures a store with static key/value pairs
  728. properties:
  729. data:
  730. items:
  731. properties:
  732. key:
  733. type: string
  734. value:
  735. type: string
  736. valueMap:
  737. additionalProperties:
  738. type: string
  739. type: object
  740. version:
  741. type: string
  742. required:
  743. - key
  744. type: object
  745. type: array
  746. required:
  747. - data
  748. type: object
  749. gcpsm:
  750. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  751. properties:
  752. auth:
  753. description: Auth defines the information necessary to authenticate against GCP
  754. properties:
  755. secretRef:
  756. properties:
  757. secretAccessKeySecretRef:
  758. description: The SecretAccessKey is used for authentication
  759. properties:
  760. key:
  761. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  762. type: string
  763. name:
  764. description: The name of the Secret resource being referred to.
  765. type: string
  766. namespace:
  767. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  768. type: string
  769. type: object
  770. type: object
  771. workloadIdentity:
  772. properties:
  773. clusterLocation:
  774. type: string
  775. clusterName:
  776. type: string
  777. clusterProjectID:
  778. type: string
  779. serviceAccountRef:
  780. description: A reference to a ServiceAccount resource.
  781. properties:
  782. audiences:
  783. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  784. items:
  785. type: string
  786. type: array
  787. name:
  788. description: The name of the ServiceAccount resource being referred to.
  789. type: string
  790. namespace:
  791. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  792. type: string
  793. required:
  794. - name
  795. type: object
  796. required:
  797. - clusterLocation
  798. - clusterName
  799. - serviceAccountRef
  800. type: object
  801. type: object
  802. projectID:
  803. description: ProjectID project where secret is located
  804. type: string
  805. type: object
  806. gitlab:
  807. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  808. properties:
  809. auth:
  810. description: Auth configures how secret-manager authenticates with a GitLab instance.
  811. properties:
  812. SecretRef:
  813. properties:
  814. accessToken:
  815. description: AccessToken is used for authentication.
  816. properties:
  817. key:
  818. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  819. type: string
  820. name:
  821. description: The name of the Secret resource being referred to.
  822. type: string
  823. namespace:
  824. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  825. type: string
  826. type: object
  827. type: object
  828. required:
  829. - SecretRef
  830. type: object
  831. projectID:
  832. description: ProjectID specifies a project where secrets are located.
  833. type: string
  834. url:
  835. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  836. type: string
  837. required:
  838. - auth
  839. type: object
  840. ibm:
  841. description: IBM configures this store to sync secrets using IBM Cloud provider
  842. properties:
  843. auth:
  844. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  845. properties:
  846. secretRef:
  847. properties:
  848. secretApiKeySecretRef:
  849. description: The SecretApiKey is used for authentication
  850. properties:
  851. key:
  852. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  853. type: string
  854. name:
  855. description: The name of the Secret resource being referred to.
  856. type: string
  857. namespace:
  858. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  859. type: string
  860. type: object
  861. type: object
  862. required:
  863. - secretRef
  864. type: object
  865. serviceUrl:
  866. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  867. type: string
  868. required:
  869. - auth
  870. type: object
  871. kubernetes:
  872. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  873. properties:
  874. auth:
  875. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  876. maxProperties: 1
  877. minProperties: 1
  878. properties:
  879. cert:
  880. description: Cert holds both clientCert and clientKey as secretKeySelector references
  881. properties:
  882. clientCert:
  883. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  884. properties:
  885. key:
  886. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  887. type: string
  888. name:
  889. description: The name of the Secret resource being referred to.
  890. type: string
  891. namespace:
  892. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  893. type: string
  894. type: object
  895. clientKey:
  896. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  897. properties:
  898. key:
  899. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  900. type: string
  901. name:
  902. description: The name of the Secret resource being referred to.
  903. type: string
  904. namespace:
  905. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  906. type: string
  907. type: object
  908. type: object
  909. serviceAccount:
  910. description: ServiceAccount points to a service account that should be used for authentication
  911. properties:
  912. serviceAccount:
  913. description: A reference to a ServiceAccount resource.
  914. properties:
  915. audiences:
  916. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  917. items:
  918. type: string
  919. type: array
  920. name:
  921. description: The name of the ServiceAccount resource being referred to.
  922. type: string
  923. namespace:
  924. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  925. type: string
  926. required:
  927. - name
  928. type: object
  929. type: object
  930. token:
  931. description: Token uses a static bearer token (bearerToken) to authenticate with the remote Kubernetes server
  932. properties:
  933. bearerToken:
  934. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  935. properties:
  936. key:
  937. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  938. type: string
  939. name:
  940. description: The name of the Secret resource being referred to.
  941. type: string
  942. namespace:
  943. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  944. type: string
  945. type: object
  946. type: object
  947. type: object
  948. remoteNamespace:
  949. default: default
  950. description: Remote namespace to fetch the secrets from
  951. type: string
  952. server:
  953. description: configures the Kubernetes server Address.
  954. properties:
  955. caBundle:
  956. description: CABundle is a base64-encoded CA certificate
  957. format: byte
  958. type: string
  959. caProvider:
  960. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  961. properties:
  962. key:
  963. description: The key of the value inside the provider type to use; only used with the "Secret" type
  964. type: string
  965. name:
  966. description: The name of the object located at the provider type.
  967. type: string
  968. namespace:
  969. description: The namespace the Provider type is in.
  970. type: string
  971. type:
  972. description: The type of provider to use such as "Secret", or "ConfigMap".
  973. enum:
  974. - Secret
  975. - ConfigMap
  976. type: string
  977. required:
  978. - name
  979. - type
  980. type: object
  981. url:
  982. default: kubernetes.default
  983. description: configures the Kubernetes server Address.
  984. type: string
  985. type: object
  986. required:
  987. - auth
  988. type: object
  989. oracle:
  990. description: Oracle configures this store to sync secrets using Oracle Vault provider
  991. properties:
  992. auth:
  993. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
  994. properties:
  995. secretRef:
  996. description: SecretRef to pass through sensitive information.
  997. properties:
  998. fingerprint:
  999. description: Fingerprint is the fingerprint of the API private key.
  1000. properties:
  1001. key:
  1002. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1003. type: string
  1004. name:
  1005. description: The name of the Secret resource being referred to.
  1006. type: string
  1007. namespace:
  1008. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1009. type: string
  1010. type: object
  1011. privatekey:
  1012. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1013. properties:
  1014. key:
  1015. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1016. type: string
  1017. name:
  1018. description: The name of the Secret resource being referred to.
  1019. type: string
  1020. namespace:
  1021. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1022. type: string
  1023. type: object
  1024. required:
  1025. - fingerprint
  1026. - privatekey
  1027. type: object
  1028. tenancy:
  1029. description: Tenancy is the tenancy OCID where the user is located.
  1030. type: string
  1031. user:
  1032. description: User is an access OCID specific to the account.
  1033. type: string
  1034. required:
  1035. - secretRef
  1036. - tenancy
  1037. - user
  1038. type: object
  1039. region:
  1040. description: Region is the region where vault is located.
  1041. type: string
  1042. vault:
  1043. description: Vault is the vault's OCID of the specific vault where secret is located.
  1044. type: string
  1045. required:
  1046. - region
  1047. - vault
  1048. type: object
  1049. vault:
  1050. description: Vault configures this store to sync secrets using the HashiCorp Vault provider
  1051. properties:
  1052. auth:
  1053. description: Auth configures how secret-manager authenticates with the Vault server.
  1054. properties:
  1055. appRole:
  1056. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  1057. properties:
  1058. path:
  1059. default: approle
  1060. description: 'Path where the App Role authentication backend is mounted in Vault, e.g. "approle"'
  1061. type: string
  1062. roleId:
  1063. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1064. type: string
  1065. secretRef:
  1066. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1067. properties:
  1068. key:
  1069. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1070. type: string
  1071. name:
  1072. description: The name of the Secret resource being referred to.
  1073. type: string
  1074. namespace:
  1075. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1076. type: string
  1077. type: object
  1078. required:
  1079. - path
  1080. - roleId
  1081. - secretRef
  1082. type: object
  1083. cert:
  1084. description: Cert authenticates with Vault using the Cert authentication method by passing a client certificate, private key and CA certificate
  1085. properties:
  1086. clientCert:
  1087. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  1088. properties:
  1089. key:
  1090. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1091. type: string
  1092. name:
  1093. description: The name of the Secret resource being referred to.
  1094. type: string
  1095. namespace:
  1096. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1097. type: string
  1098. type: object
  1099. secretRef:
  1100. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  1101. properties:
  1102. key:
  1103. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1104. type: string
  1105. name:
  1106. description: The name of the Secret resource being referred to.
  1107. type: string
  1108. namespace:
  1109. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1110. type: string
  1111. type: object
  1112. type: object
  1113. jwt:
  1114. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1115. properties:
  1116. kubernetesServiceAccountToken:
  1117. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token with the `TokenRequest` API.
  1118. properties:
  1119. audiences:
  1120. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
  1121. items:
  1122. type: string
  1123. type: array
  1124. expirationSeconds:
  1125. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1126. format: int64
  1127. type: integer
  1128. serviceAccountRef:
  1129. description: Service account field containing the name of a kubernetes ServiceAccount.
  1130. properties:
  1131. audiences:
  1132. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity, then these audiences will be appended to the list
  1133. items:
  1134. type: string
  1135. type: array
  1136. name:
  1137. description: The name of the ServiceAccount resource being referred to.
  1138. type: string
  1139. namespace:
  1140. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1141. type: string
  1142. required:
  1143. - name
  1144. type: object
  1145. required:
  1146. - serviceAccountRef
  1147. type: object
  1148. path:
  1149. default: jwt
  1150. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1151. type: string
  1152. role:
  1153. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1154. type: string
  1155. secretRef:
  1156. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1157. properties:
  1158. key:
  1159. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1160. type: string
  1161. name:
  1162. description: The name of the Secret resource being referred to.
  1163. type: string
  1164. namespace:
  1165. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1166. type: string
  1167. type: object
  1168. required:
  1169. - path
  1170. type: object
  1171. kubernetes:
  1172. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1173. properties:
  1174. mountPath:
  1175. default: kubernetes
  1176. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1177. type: string
  1178. role:
  1179. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1180. type: string
  1181. secretRef:
  1182. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1183. properties:
  1184. key:
  1185. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1186. type: string
  1187. name:
  1188. description: The name of the Secret resource being referred to.
  1189. type: string
  1190. namespace:
  1191. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1192. type: string
  1193. type: object
  1194. serviceAccountRef:
  1195. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1196. properties:
  1197. audiences:
  1198. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity, then these audiences will be appended to the list
  1199. items:
  1200. type: string
  1201. type: array
  1202. name:
  1203. description: The name of the ServiceAccount resource being referred to.
  1204. type: string
  1205. namespace:
  1206. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1207. type: string
  1208. required:
  1209. - name
  1210. type: object
  1211. required:
  1212. - mountPath
  1213. - role
  1214. type: object
  1215. ldap:
  1216. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1217. properties:
  1218. path:
  1219. default: ldap
  1220. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1221. type: string
  1222. secretRef:
  1223. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1224. properties:
  1225. key:
  1226. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1227. type: string
  1228. name:
  1229. description: The name of the Secret resource being referred to.
  1230. type: string
  1231. namespace:
  1232. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1233. type: string
  1234. type: object
  1235. username:
  1236. description: Username is an LDAP user name used to authenticate using the LDAP Vault authentication method
  1237. type: string
  1238. required:
  1239. - path
  1240. - username
  1241. type: object
  1242. tokenSecretRef:
  1243. description: TokenSecretRef authenticates with Vault by presenting a token.
  1244. properties:
  1245. key:
  1246. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1247. type: string
  1248. name:
  1249. description: The name of the Secret resource being referred to.
  1250. type: string
  1251. namespace:
  1252. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1253. type: string
  1254. type: object
  1255. type: object
  1256. caBundle:
  1257. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1258. format: byte
  1259. type: string
  1260. caProvider:
  1261. description: The provider for the CA bundle to use to validate Vault server certificate.
  1262. properties:
  1263. key:
  1264. description: The key of the value inside the provider type to use; only used with the "Secret" type
  1265. type: string
  1266. name:
  1267. description: The name of the object located at the provider type.
  1268. type: string
  1269. namespace:
  1270. description: The namespace the Provider type is in.
  1271. type: string
  1272. type:
  1273. description: The type of provider to use such as "Secret", or "ConfigMap".
  1274. enum:
  1275. - Secret
  1276. - ConfigMap
  1277. type: string
  1278. required:
  1279. - name
  1280. - type
  1281. type: object
  1282. forwardInconsistent:
  1283. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1284. type: boolean
  1285. namespace:
  1286. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1287. type: string
  1288. path:
  1289. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1290. type: string
  1291. readYourWrites:
  1292. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1293. type: boolean
  1294. server:
  1295. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1296. type: string
  1297. version:
  1298. default: v2
  1299. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1300. enum:
  1301. - v1
  1302. - v2
  1303. type: string
  1304. required:
  1305. - auth
  1306. - server
  1307. type: object
  1308. webhook:
  1309. description: Webhook configures this store to sync secrets using a generic templated webhook
  1310. properties:
  1311. body:
  1312. description: Body
  1313. type: string
  1314. caBundle:
  1315. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1316. format: byte
  1317. type: string
  1318. caProvider:
  1319. description: The provider for the CA bundle to use to validate webhook server certificate.
  1320. properties:
  1321. key:
  1322. description: The key of the value inside the provider type to use; only used with the "Secret" type
  1323. type: string
  1324. name:
  1325. description: The name of the object located at the provider type.
  1326. type: string
  1327. namespace:
  1328. description: The namespace the Provider type is in.
  1329. type: string
  1330. type:
  1331. description: The type of provider to use such as "Secret", or "ConfigMap".
  1332. enum:
  1333. - Secret
  1334. - ConfigMap
  1335. type: string
  1336. required:
  1337. - name
  1338. - type
  1339. type: object
  1340. headers:
  1341. additionalProperties:
  1342. type: string
  1343. description: Headers
  1344. type: object
  1345. method:
  1346. description: Webhook Method
  1347. type: string
  1348. result:
  1349. description: Result formatting
  1350. properties:
  1351. jsonPath:
  1352. description: Json path of return value
  1353. type: string
  1354. type: object
  1355. secrets:
  1356. description: Secrets to fill in templates. These secrets will be passed to the templating function as key value pairs under the given name
  1357. items:
  1358. properties:
  1359. name:
  1360. description: Name of this secret in templates
  1361. type: string
  1362. secretRef:
  1363. description: Secret ref to fill in credentials
  1364. properties:
  1365. key:
  1366. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1367. type: string
  1368. name:
  1369. description: The name of the Secret resource being referred to.
  1370. type: string
  1371. namespace:
  1372. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1373. type: string
  1374. type: object
  1375. required:
  1376. - name
  1377. - secretRef
  1378. type: object
  1379. type: array
  1380. timeout:
  1381. description: Timeout
  1382. type: string
  1383. url:
  1384. description: Webhook url to call
  1385. type: string
  1386. required:
  1387. - result
  1388. - url
  1389. type: object
  1390. yandexlockbox:
  1391. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1392. properties:
  1393. apiEndpoint:
  1394. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1395. type: string
  1396. auth:
  1397. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1398. properties:
  1399. authorizedKeySecretRef:
  1400. description: The authorized key used for authentication
  1401. properties:
  1402. key:
  1403. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1404. type: string
  1405. name:
  1406. description: The name of the Secret resource being referred to.
  1407. type: string
  1408. namespace:
  1409. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1410. type: string
  1411. type: object
  1412. type: object
  1413. caProvider:
  1414. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1415. properties:
  1416. certSecretRef:
  1417. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1418. properties:
  1419. key:
  1420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1421. type: string
  1422. name:
  1423. description: The name of the Secret resource being referred to.
  1424. type: string
  1425. namespace:
  1426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1427. type: string
  1428. type: object
  1429. type: object
  1430. required:
  1431. - auth
  1432. type: object
  1433. type: object
  1434. retrySettings:
  1435. description: Used to configure HTTP retries on failure
  1436. properties:
  1437. maxRetries:
  1438. format: int32
  1439. type: integer
  1440. retryInterval:
  1441. type: string
  1442. type: object
  1443. required:
  1444. - provider
  1445. type: object
  1446. status:
  1447. description: SecretStoreStatus defines the observed state of the SecretStore.
  1448. properties:
  1449. conditions:
  1450. items:
  1451. properties:
  1452. lastTransitionTime:
  1453. format: date-time
  1454. type: string
  1455. message:
  1456. type: string
  1457. reason:
  1458. type: string
  1459. status:
  1460. type: string
  1461. type:
  1462. type: string
  1463. required:
  1464. - status
  1465. - type
  1466. type: object
  1467. type: array
  1468. type: object
  1469. type: object
  1470. served: true
  1471. storage: false
  1472. subresources:
  1473. status: {}
  1474. - additionalPrinterColumns:
  1475. - jsonPath: .metadata.creationTimestamp
  1476. name: AGE
  1477. type: date
  1478. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1479. name: Status
  1480. type: string
  1481. - jsonPath: .status.capabilities
  1482. name: Capabilities
  1483. type: string
  1484. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  1485. name: Ready
  1486. type: string
  1487. name: v1beta1
  1488. schema:
  1489. openAPIV3Schema:
  1490. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1491. properties:
  1492. apiVersion:
  1493. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1494. type: string
  1495. kind:
  1496. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1497. type: string
  1498. metadata:
  1499. type: object
  1500. spec:
  1501. description: SecretStoreSpec defines the desired state of SecretStore.
  1502. properties:
  1503. controller:
  1504. description: 'Used to select the correct KES controller (think: ingress.ingressClassName). The KES controller is instantiated with a specific controller name and filters ES based on this property'
  1505. type: string
  1506. provider:
  1507. description: Used to configure the provider. Only one provider may be set
  1508. maxProperties: 1
  1509. minProperties: 1
  1510. properties:
  1511. akeyless:
  1512. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1513. properties:
  1514. akeylessGWApiURL:
  1515. description: Akeyless GW API URL from which the secrets are fetched.
  1516. type: string
  1517. authSecretRef:
  1518. description: Auth configures how the operator authenticates with Akeyless.
  1519. properties:
  1520. kubernetesAuth:
  1521. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  1522. properties:
  1523. accessID:
  1524. description: The Akeyless Kubernetes auth-method access-id
  1525. type: string
  1526. k8sConfName:
  1527. description: Kubernetes-auth configuration name in Akeyless-Gateway
  1528. type: string
  1529. secretRef:
  1530. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1531. properties:
  1532. key:
  1533. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1534. type: string
  1535. name:
  1536. description: The name of the Secret resource being referred to.
  1537. type: string
  1538. namespace:
  1539. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1540. type: string
  1541. type: object
  1542. serviceAccountRef:
  1543. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  1544. properties:
  1545. audiences:
  1546. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity, then these audiences will be appended to the list
  1547. items:
  1548. type: string
  1549. type: array
  1550. name:
  1551. description: The name of the ServiceAccount resource being referred to.
  1552. type: string
  1553. namespace:
  1554. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1555. type: string
  1556. required:
  1557. - name
  1558. type: object
  1559. required:
  1560. - accessID
  1561. - k8sConfName
  1562. type: object
  1563. secretRef:
  1564. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  1565. properties:
  1566. accessID:
  1567. description: The SecretAccessID is used for authentication
  1568. properties:
  1569. key:
  1570. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1571. type: string
  1572. name:
  1573. description: The name of the Secret resource being referred to.
  1574. type: string
  1575. namespace:
  1576. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1577. type: string
  1578. type: object
  1579. accessType:
  1580. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1581. properties:
  1582. key:
  1583. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1584. type: string
  1585. name:
  1586. description: The name of the Secret resource being referred to.
  1587. type: string
  1588. namespace:
  1589. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1590. type: string
  1591. type: object
  1592. accessTypeParam:
  1593. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1594. properties:
  1595. key:
  1596. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1597. type: string
  1598. name:
  1599. description: The name of the Secret resource being referred to.
  1600. type: string
  1601. namespace:
  1602. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1603. type: string
  1604. type: object
  1605. type: object
  1606. type: object
  1607. required:
  1608. - akeylessGWApiURL
  1609. - authSecretRef
  1610. type: object
  1611. alibaba:
  1612. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1613. properties:
  1614. auth:
  1615. description: AlibabaAuth contains a secretRef for credentials.
  1616. properties:
  1617. secretRef:
  1618. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1619. properties:
  1620. accessKeyIDSecretRef:
  1621. description: The AccessKeyID is used for authentication
  1622. properties:
  1623. key:
  1624. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1625. type: string
  1626. name:
  1627. description: The name of the Secret resource being referred to.
  1628. type: string
  1629. namespace:
  1630. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1631. type: string
  1632. type: object
  1633. accessKeySecretSecretRef:
  1634. description: The AccessKeySecret is used for authentication
  1635. properties:
  1636. key:
  1637. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1638. type: string
  1639. name:
  1640. description: The name of the Secret resource being referred to.
  1641. type: string
  1642. namespace:
  1643. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1644. type: string
  1645. type: object
  1646. required:
  1647. - accessKeyIDSecretRef
  1648. - accessKeySecretSecretRef
  1649. type: object
  1650. required:
  1651. - secretRef
  1652. type: object
  1653. endpoint:
  1654. type: string
  1655. regionID:
  1656. description: Alibaba Region to be used for the provider
  1657. type: string
  1658. required:
  1659. - auth
  1660. - regionID
  1661. type: object
  1662. aws:
  1663. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1664. properties:
  1665. auth:
  1666. description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1667. properties:
  1668. jwt:
  1669. description: Authenticate against AWS using service account tokens.
  1670. properties:
  1671. serviceAccountRef:
  1672. description: A reference to a ServiceAccount resource.
  1673. properties:
  1674. audiences:
  1675. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity, then these audiences will be appended to the list
  1676. items:
  1677. type: string
  1678. type: array
  1679. name:
  1680. description: The name of the ServiceAccount resource being referred to.
  1681. type: string
  1682. namespace:
  1683. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1684. type: string
  1685. required:
  1686. - name
  1687. type: object
  1688. type: object
  1689. secretRef:
  1690. description: AWSAuthSecretRef holds secret references for AWS credentials. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1691. properties:
  1692. accessKeyIDSecretRef:
  1693. description: The AccessKeyID is used for authentication
  1694. properties:
  1695. key:
  1696. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1697. type: string
  1698. name:
  1699. description: The name of the Secret resource being referred to.
  1700. type: string
  1701. namespace:
  1702. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1703. type: string
  1704. type: object
  1705. secretAccessKeySecretRef:
  1706. description: The SecretAccessKey is used for authentication
  1707. properties:
  1708. key:
  1709. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1710. type: string
  1711. name:
  1712. description: The name of the Secret resource being referred to.
  1713. type: string
  1714. namespace:
  1715. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1716. type: string
  1717. type: object
  1718. type: object
  1719. type: object
  1720. region:
  1721. description: AWS Region to be used for the provider
  1722. type: string
  1723. role:
  1724. description: Role is a Role ARN which the SecretManager provider will assume
  1725. type: string
  1726. service:
  1727. description: Service defines which service should be used to fetch the secrets
  1728. enum:
  1729. - SecretsManager
  1730. - ParameterStore
  1731. type: string
  1732. required:
  1733. - region
  1734. - service
  1735. type: object
  1736. azurekv:
  1737. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1738. properties:
  1739. authSecretRef:
  1740. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1741. properties:
  1742. clientId:
  1743. description: The Azure clientId of the service principal used for authentication.
  1744. properties:
  1745. key:
  1746. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1747. type: string
  1748. name:
  1749. description: The name of the Secret resource being referred to.
  1750. type: string
  1751. namespace:
  1752. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1753. type: string
  1754. type: object
  1755. clientSecret:
  1756. description: The Azure ClientSecret of the service principal used for authentication.
  1757. properties:
  1758. key:
  1759. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1760. type: string
  1761. name:
  1762. description: The name of the Secret resource being referred to.
  1763. type: string
  1764. namespace:
  1765. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1766. type: string
  1767. type: object
  1768. type: object
  1769. authType:
  1770. default: ServicePrincipal
1771. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId plus the clientId/clientSecret referenced by authSecretRef) - "ManagedIdentity": Using a Managed Identity assigned to the pod (see aad-pod-identity); identityId selects one when several are assigned - "WorkloadIdentity": Using Workload Identity with the Kubernetes ServiceAccount referenced by serviceAccountRef'
  1772. enum:
  1773. - ServicePrincipal
  1774. - ManagedIdentity
  1775. - WorkloadIdentity
  1776. type: string
  1777. environmentType:
  1778. default: PublicCloud
  1779. description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
  1780. enum:
  1781. - PublicCloud
  1782. - USGovernmentCloud
  1783. - ChinaCloud
  1784. - GermanCloud
  1785. type: string
  1786. identityId:
1787. description: If multiple Managed Identities are assigned to the pod, identityId selects which one is used for authentication.
  1788. type: string
  1789. serviceAccountRef:
  1790. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1791. properties:
  1792. audiences:
1793. description: Audiences specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, these audiences are appended to the list.
  1794. items:
  1795. type: string
  1796. type: array
  1797. name:
  1798. description: The name of the ServiceAccount resource being referred to.
  1799. type: string
  1800. namespace:
  1801. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1802. type: string
  1803. required:
  1804. - name
  1805. type: object
  1806. tenantId:
  1807. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1808. type: string
  1809. vaultUrl:
1810. description: URL of the Azure Key Vault from which secrets are fetched.
  1811. type: string
  1812. required:
  1813. - vaultUrl
  1814. type: object
  1815. fake:
1816. description: Fake configures a store with static key/value pairs. Note that the values are written in clear text in the store spec rather than in a Secret, so this provider is not suited to holding real credentials.
  1817. properties:
  1818. data:
  1819. items:
  1820. properties:
  1821. key:
  1822. type: string
  1823. value:
  1824. type: string
  1825. valueMap:
  1826. additionalProperties:
  1827. type: string
  1828. type: object
  1829. version:
  1830. type: string
  1831. required:
  1832. - key
  1833. type: object
  1834. type: array
  1835. required:
  1836. - data
  1837. type: object
  1838. gcpsm:
  1839. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1840. properties:
  1841. auth:
  1842. description: Auth defines the information necessary to authenticate against GCP
  1843. properties:
  1844. secretRef:
  1845. properties:
  1846. secretAccessKeySecretRef:
  1847. description: The SecretAccessKey is used for authentication
  1848. properties:
  1849. key:
  1850. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1851. type: string
  1852. name:
  1853. description: The name of the Secret resource being referred to.
  1854. type: string
  1855. namespace:
  1856. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1857. type: string
  1858. type: object
  1859. type: object
  1860. workloadIdentity:
  1861. properties:
  1862. clusterLocation:
  1863. type: string
  1864. clusterName:
  1865. type: string
  1866. clusterProjectID:
  1867. type: string
  1868. serviceAccountRef:
  1869. description: A reference to a ServiceAccount resource.
  1870. properties:
  1871. audiences:
1872. description: Audiences specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, these audiences are appended to the list.
  1873. items:
  1874. type: string
  1875. type: array
  1876. name:
  1877. description: The name of the ServiceAccount resource being referred to.
  1878. type: string
  1879. namespace:
  1880. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1881. type: string
  1882. required:
  1883. - name
  1884. type: object
  1885. required:
  1886. - clusterLocation
  1887. - clusterName
  1888. - serviceAccountRef
  1889. type: object
  1890. type: object
  1891. projectID:
  1892. description: ProjectID project where secret is located
  1893. type: string
  1894. type: object
  1895. gitlab:
  1896. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  1897. properties:
  1898. auth:
  1899. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1900. properties:
  1901. SecretRef:
  1902. properties:
  1903. accessToken:
  1904. description: AccessToken is used for authentication.
  1905. properties:
  1906. key:
  1907. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1908. type: string
  1909. name:
  1910. description: The name of the Secret resource being referred to.
  1911. type: string
  1912. namespace:
  1913. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1914. type: string
  1915. type: object
  1916. type: object
  1917. required:
  1918. - SecretRef
  1919. type: object
  1920. projectID:
  1921. description: ProjectID specifies a project where secrets are located.
  1922. type: string
  1923. url:
  1924. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1925. type: string
  1926. required:
  1927. - auth
  1928. type: object
  1929. ibm:
  1930. description: IBM configures this store to sync secrets using IBM Cloud provider
  1931. properties:
  1932. auth:
  1933. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1934. maxProperties: 1
  1935. minProperties: 1
  1936. properties:
  1937. containerAuth:
  1938. description: IBM Container-based auth with IAM Trusted Profile.
  1939. properties:
  1940. iamEndpoint:
  1941. type: string
  1942. profile:
  1943. description: the IBM Trusted Profile
  1944. type: string
  1945. tokenLocation:
  1946. description: Location the token is mounted on the pod
  1947. type: string
  1948. required:
  1949. - profile
  1950. type: object
  1951. secretRef:
  1952. properties:
  1953. secretApiKeySecretRef:
1954. description: The IBM Cloud API key used for authentication.
  1955. properties:
  1956. key:
  1957. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1958. type: string
  1959. name:
  1960. description: The name of the Secret resource being referred to.
  1961. type: string
  1962. namespace:
  1963. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1964. type: string
  1965. type: object
  1966. type: object
  1967. type: object
  1968. serviceUrl:
  1969. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1970. type: string
  1971. required:
  1972. - auth
  1973. type: object
  1974. kubernetes:
  1975. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1976. properties:
  1977. auth:
  1978. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1979. maxProperties: 1
  1980. minProperties: 1
  1981. properties:
  1982. cert:
1983. description: Client-certificate authentication. Both clientCert and clientKey are secret key selectors referencing the certificate and its private key.
  1984. properties:
  1985. clientCert:
  1986. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1987. properties:
  1988. key:
  1989. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1990. type: string
  1991. name:
  1992. description: The name of the Secret resource being referred to.
  1993. type: string
  1994. namespace:
  1995. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1996. type: string
  1997. type: object
  1998. clientKey:
  1999. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2000. properties:
  2001. key:
  2002. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2003. type: string
  2004. name:
  2005. description: The name of the Secret resource being referred to.
  2006. type: string
  2007. namespace:
  2008. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2009. type: string
  2010. type: object
  2011. type: object
  2012. serviceAccount:
2013. description: Points to a ServiceAccount whose token should be used for authentication.
  2014. properties:
  2015. audiences:
2016. description: Audiences specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, these audiences are appended to the list.
  2017. items:
  2018. type: string
  2019. type: array
  2020. name:
  2021. description: The name of the ServiceAccount resource being referred to.
  2022. type: string
  2023. namespace:
  2024. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2025. type: string
  2026. required:
  2027. - name
  2028. type: object
  2029. token:
2030. description: Authenticate with a static bearer token read from a Secret.
  2031. properties:
  2032. bearerToken:
  2033. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2034. properties:
  2035. key:
  2036. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2037. type: string
  2038. name:
  2039. description: The name of the Secret resource being referred to.
  2040. type: string
  2041. namespace:
  2042. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2043. type: string
  2044. type: object
  2045. type: object
  2046. type: object
  2047. remoteNamespace:
  2048. default: default
  2049. description: Remote namespace to fetch the secrets from
  2050. type: string
  2051. server:
  2052. description: configures the Kubernetes server Address.
  2053. properties:
  2054. caBundle:
  2055. description: CABundle is a base64-encoded CA certificate
  2056. format: byte
  2057. type: string
  2058. caProvider:
  2059. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  2060. properties:
  2061. key:
  2062. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2063. type: string
  2064. name:
  2065. description: The name of the object located at the provider type.
  2066. type: string
  2067. namespace:
  2068. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  2069. type: string
  2070. type:
  2071. description: The type of provider to use such as "Secret", or "ConfigMap".
  2072. enum:
  2073. - Secret
  2074. - ConfigMap
  2075. type: string
  2076. required:
  2077. - name
  2078. - type
  2079. type: object
  2080. url:
  2081. default: kubernetes.default
2082. description: Address of the Kubernetes API server to connect to. Defaults to `kubernetes.default`.
  2083. type: string
  2084. type: object
  2085. required:
  2086. - auth
  2087. type: object
  2088. onepassword:
  2089. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  2090. properties:
  2091. auth:
  2092. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  2093. properties:
  2094. secretRef:
  2095. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  2096. properties:
  2097. connectTokenSecretRef:
  2098. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  2099. properties:
  2100. key:
  2101. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2102. type: string
  2103. name:
  2104. description: The name of the Secret resource being referred to.
  2105. type: string
  2106. namespace:
  2107. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2108. type: string
  2109. type: object
  2110. required:
  2111. - connectTokenSecretRef
  2112. type: object
  2113. required:
  2114. - secretRef
  2115. type: object
  2116. connectHost:
  2117. description: ConnectHost defines the OnePassword Connect Server to connect to
  2118. type: string
  2119. vaults:
  2120. additionalProperties:
  2121. type: integer
  2122. description: Vaults defines which OnePassword vaults to search in which order
  2123. type: object
  2124. required:
  2125. - auth
  2126. - connectHost
  2127. - vaults
  2128. type: object
  2129. oracle:
  2130. description: Oracle configures this store to sync secrets using Oracle Vault provider
  2131. properties:
  2132. auth:
2133. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
  2134. properties:
  2135. secretRef:
  2136. description: SecretRef to pass through sensitive information.
  2137. properties:
  2138. fingerprint:
  2139. description: Fingerprint is the fingerprint of the API private key.
  2140. properties:
  2141. key:
  2142. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2143. type: string
  2144. name:
  2145. description: The name of the Secret resource being referred to.
  2146. type: string
  2147. namespace:
  2148. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2149. type: string
  2150. type: object
  2151. privatekey:
  2152. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  2153. properties:
  2154. key:
  2155. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2156. type: string
  2157. name:
  2158. description: The name of the Secret resource being referred to.
  2159. type: string
  2160. namespace:
  2161. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2162. type: string
  2163. type: object
  2164. required:
  2165. - fingerprint
  2166. - privatekey
  2167. type: object
  2168. tenancy:
  2169. description: Tenancy is the tenancy OCID where user is located.
  2170. type: string
  2171. user:
2172. description: User is the OCID of the user whose API signing key is used for authentication.
  2173. type: string
  2174. required:
  2175. - secretRef
  2176. - tenancy
  2177. - user
  2178. type: object
  2179. region:
  2180. description: Region is the region where vault is located.
  2181. type: string
  2182. vault:
  2183. description: Vault is the vault's OCID of the specific vault where secret is located.
  2184. type: string
  2185. required:
  2186. - region
  2187. - vault
  2188. type: object
  2189. senhasegura:
  2190. description: Senhasegura configures this store to sync secrets using senhasegura provider
  2191. properties:
  2192. auth:
  2193. description: Auth defines parameters to authenticate in senhasegura
  2194. properties:
  2195. clientId:
  2196. type: string
  2197. clientSecretSecretRef:
  2198. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2199. properties:
  2200. key:
  2201. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2202. type: string
  2203. name:
  2204. description: The name of the Secret resource being referred to.
  2205. type: string
  2206. namespace:
  2207. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2208. type: string
  2209. type: object
  2210. required:
  2211. - clientId
  2212. - clientSecretSecretRef
  2213. type: object
  2214. ignoreSslCertificate:
  2215. default: false
2216. description: IgnoreSslCertificate disables TLS certificate verification of the senhasegura server when true. This exposes the connection (and the secrets it carries) to man-in-the-middle attacks and should only be used for testing; prefer trusting the server's CA instead. Defaults to false.
  2217. type: boolean
  2218. module:
  2219. description: Module defines which senhasegura module should be used to get secrets
  2220. type: string
  2221. url:
  2222. description: URL of senhasegura
  2223. type: string
  2224. required:
  2225. - auth
  2226. - module
  2227. - url
  2228. type: object
  2229. vault:
  2230. description: Vault configures this store to sync secrets using Hashi provider
  2231. properties:
  2232. auth:
  2233. description: Auth configures how secret-manager authenticates with the Vault server.
  2234. properties:
  2235. appRole:
  2236. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2237. properties:
  2238. path:
  2239. default: approle
  2240. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2241. type: string
  2242. roleId:
  2243. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2244. type: string
  2245. secretRef:
  2246. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2247. properties:
  2248. key:
  2249. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2250. type: string
  2251. name:
  2252. description: The name of the Secret resource being referred to.
  2253. type: string
  2254. namespace:
  2255. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2256. type: string
  2257. type: object
  2258. required:
  2259. - path
  2260. - roleId
  2261. - secretRef
  2262. type: object
  2263. cert:
2264. description: Cert authenticates with Vault using the TLS Certificate auth method, presenting a client certificate (clientCert) and its private key (secretRef).
  2265. properties:
  2266. clientCert:
  2267. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2268. properties:
  2269. key:
  2270. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2271. type: string
  2272. name:
  2273. description: The name of the Secret resource being referred to.
  2274. type: string
  2275. namespace:
  2276. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2277. type: string
  2278. type: object
  2279. secretRef:
  2280. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2281. properties:
  2282. key:
  2283. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2284. type: string
  2285. name:
  2286. description: The name of the Secret resource being referred to.
  2287. type: string
  2288. namespace:
  2289. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2290. type: string
  2291. type: object
  2292. type: object
  2293. jwt:
  2294. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2295. properties:
  2296. kubernetesServiceAccountToken:
  2297. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2298. properties:
  2299. audiences:
2300. description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified. Deprecated: use serviceAccountRef.Audiences instead'
  2301. items:
  2302. type: string
  2303. type: array
  2304. expirationSeconds:
  2305. description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
  2306. format: int64
  2307. type: integer
  2308. serviceAccountRef:
  2309. description: Service account field containing the name of a kubernetes ServiceAccount.
  2310. properties:
  2311. audiences:
2312. description: Audiences specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, these audiences are appended to the list.
  2313. items:
  2314. type: string
  2315. type: array
  2316. name:
  2317. description: The name of the ServiceAccount resource being referred to.
  2318. type: string
  2319. namespace:
  2320. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2321. type: string
  2322. required:
  2323. - name
  2324. type: object
  2325. required:
  2326. - serviceAccountRef
  2327. type: object
  2328. path:
  2329. default: jwt
  2330. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2331. type: string
  2332. role:
  2333. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2334. type: string
  2335. secretRef:
  2336. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  2337. properties:
  2338. key:
  2339. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2340. type: string
  2341. name:
  2342. description: The name of the Secret resource being referred to.
  2343. type: string
  2344. namespace:
  2345. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2346. type: string
  2347. type: object
  2348. required:
  2349. - path
  2350. type: object
  2351. kubernetes:
  2352. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2353. properties:
  2354. mountPath:
  2355. default: kubernetes
  2356. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2357. type: string
  2358. role:
  2359. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2360. type: string
  2361. secretRef:
  2362. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2363. properties:
  2364. key:
  2365. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2366. type: string
  2367. name:
  2368. description: The name of the Secret resource being referred to.
  2369. type: string
  2370. namespace:
  2371. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2372. type: string
  2373. type: object
  2374. serviceAccountRef:
  2375. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2376. properties:
  2377. audiences:
2378. description: Audiences specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, these audiences are appended to the list.
  2379. items:
  2380. type: string
  2381. type: array
  2382. name:
  2383. description: The name of the ServiceAccount resource being referred to.
  2384. type: string
  2385. namespace:
  2386. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2387. type: string
  2388. required:
  2389. - name
  2390. type: object
  2391. required:
  2392. - mountPath
  2393. - role
  2394. type: object
  2395. ldap:
  2396. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2397. properties:
  2398. path:
  2399. default: ldap
  2400. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2401. type: string
  2402. secretRef:
  2403. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2404. properties:
  2405. key:
  2406. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2407. type: string
  2408. name:
  2409. description: The name of the Secret resource being referred to.
  2410. type: string
  2411. namespace:
  2412. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2413. type: string
  2414. type: object
  2415. username:
  2416. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2417. type: string
  2418. required:
  2419. - path
  2420. - username
  2421. type: object
  2422. tokenSecretRef:
2423. description: TokenSecretRef authenticates with Vault by presenting a static token read from a Secret. Such tokens are not rotated by the operator; where possible prefer one of the short-lived auth methods (appRole, jwt, kubernetes).
  2424. properties:
  2425. key:
  2426. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2427. type: string
  2428. name:
  2429. description: The name of the Secret resource being referred to.
  2430. type: string
  2431. namespace:
  2432. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2433. type: string
  2434. type: object
  2435. type: object
  2436. caBundle:
2437. description: PEM encoded CA bundle used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections, which send the Vault token and fetched secrets unencrypted and are therefore not recommended. If not set, the system root certificates are used to validate the TLS connection.
  2438. format: byte
  2439. type: string
  2440. caProvider:
  2441. description: The provider for the CA bundle to use to validate Vault server certificate.
  2442. properties:
  2443. key:
  2444. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2445. type: string
  2446. name:
  2447. description: The name of the object located at the provider type.
  2448. type: string
  2449. namespace:
  2450. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  2451. type: string
  2452. type:
  2453. description: The type of provider to use such as "Secret", or "ConfigMap".
  2454. enum:
  2455. - Secret
  2456. - ConfigMap
  2457. type: string
  2458. required:
  2459. - name
  2460. - type
  2461. type: object
  2462. forwardInconsistent:
  2463. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2464. type: boolean
  2465. namespace:
  2466. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2467. type: string
  2468. path:
  2469. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2470. type: string
  2471. readYourWrites:
  2472. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2473. type: boolean
  2474. server:
  2475. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2476. type: string
  2477. version:
  2478. default: v2
  2479. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2480. enum:
  2481. - v1
  2482. - v2
  2483. type: string
  2484. required:
  2485. - auth
  2486. - server
  2487. type: object
  2488. webhook:
  2489. description: Webhook configures this store to sync secrets using a generic templated webhook
  2490. properties:
  2491. body:
  2492. description: Body
  2493. type: string
  2494. caBundle:
  2495. description: PEM encoded CA bundle used to validate the webhook server certificate. Only used if the server URL uses the HTTPS protocol; it is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
  2496. format: byte
  2497. type: string
  2498. caProvider:
  2499. description: The provider for the CA bundle to use to validate webhook server certificate.
  2500. properties:
  2501. key:
  2502. description: The key of the value inside the provider type to use; only used with the "Secret" type.
  2503. type: string
  2504. name:
  2505. description: The name of the object located at the provider type.
  2506. type: string
  2507. namespace:
  2508. description: The namespace the Provider type is in.
  2509. type: string
  2510. type:
  2511. description: The type of provider to use such as "Secret", or "ConfigMap".
  2512. enum:
  2513. - Secret
  2514. - ConfigMap
  2515. type: string
  2516. required:
  2517. - name
  2518. - type
  2519. type: object
  2520. headers:
  2521. additionalProperties:
  2522. type: string
  2523. description: Headers
  2524. type: object
  2525. method:
  2526. description: Webhook Method
  2527. type: string
  2528. result:
  2529. description: Result formatting
  2530. properties:
  2531. jsonPath:
  2532. description: Json path of return value
  2533. type: string
  2534. type: object
  2535. secrets:
  2536. description: Secrets to fill in templates. These secrets will be passed to the templating function as key/value pairs under the given name.
  2537. items:
  2538. properties:
  2539. name:
  2540. description: Name of this secret in templates
  2541. type: string
  2542. secretRef:
  2543. description: Secret ref to fill in credentials
  2544. properties:
  2545. key:
  2546. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2547. type: string
  2548. name:
  2549. description: The name of the Secret resource being referred to.
  2550. type: string
  2551. namespace:
  2552. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2553. type: string
  2554. type: object
  2555. required:
  2556. - name
  2557. - secretRef
  2558. type: object
  2559. type: array
  2560. timeout:
  2561. description: Timeout
  2562. type: string
  2563. url:
  2564. description: Webhook url to call
  2565. type: string
  2566. required:
  2567. - result
  2568. - url
  2569. type: object
  2570. yandexcertificatemanager:
  2571. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  2572. properties:
  2573. apiEndpoint:
  2574. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2575. type: string
  2576. auth:
  2577. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  2578. properties:
  2579. authorizedKeySecretRef:
  2580. description: The authorized key used for authentication
  2581. properties:
  2582. key:
  2583. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2584. type: string
  2585. name:
  2586. description: The name of the Secret resource being referred to.
  2587. type: string
  2588. namespace:
  2589. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2590. type: string
  2591. type: object
  2592. type: object
  2593. caProvider:
  2594. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2595. properties:
  2596. certSecretRef:
  2597. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2598. properties:
  2599. key:
  2600. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2601. type: string
  2602. name:
  2603. description: The name of the Secret resource being referred to.
  2604. type: string
  2605. namespace:
  2606. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2607. type: string
  2608. type: object
  2609. type: object
  2610. required:
  2611. - auth
  2612. type: object
  2613. yandexlockbox:
  2614. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2615. properties:
  2616. apiEndpoint:
  2617. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2618. type: string
  2619. auth:
  2620. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2621. properties:
  2622. authorizedKeySecretRef:
  2623. description: The authorized key used for authentication
  2624. properties:
  2625. key:
  2626. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2627. type: string
  2628. name:
  2629. description: The name of the Secret resource being referred to.
  2630. type: string
  2631. namespace:
  2632. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2633. type: string
  2634. type: object
  2635. type: object
  2636. caProvider:
  2637. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2638. properties:
  2639. certSecretRef:
  2640. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2641. properties:
  2642. key:
  2643. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2644. type: string
  2645. name:
  2646. description: The name of the Secret resource being referred to.
  2647. type: string
  2648. namespace:
  2649. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2650. type: string
  2651. type: object
  2652. type: object
  2653. required:
  2654. - auth
  2655. type: object
  2656. type: object
  2657. refreshInterval:
  2658. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  2659. type: integer
  2660. retrySettings:
  2661. description: Used to configure HTTP retries on failure.
  2662. properties:
  2663. maxRetries:
  2664. format: int32
  2665. type: integer
  2666. retryInterval:
  2667. type: string
  2668. type: object
  2669. required:
  2670. - provider
  2671. type: object
  2672. status:
  2673. description: SecretStoreStatus defines the observed state of the SecretStore.
  2674. properties:
  2675. capabilities:
  2676. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  2677. type: string
  2678. conditions:
  2679. items:
  2680. properties:
  2681. lastTransitionTime:
  2682. format: date-time
  2683. type: string
  2684. message:
  2685. type: string
  2686. reason:
  2687. type: string
  2688. status:
  2689. type: string
  2690. type:
  2691. type: string
  2692. required:
  2693. - status
  2694. - type
  2695. type: object
  2696. type: array
  2697. type: object
  2698. type: object
  2699. served: true
  2700. storage: true
  2701. subresources:
  2702. status: {}
  2703. conversion:
  2704. strategy: Webhook
  2705. webhook:
  2706. conversionReviewVersions:
  2707. - v1
  2708. clientConfig:
  2709. service:
  2710. name: kubernetes
  2711. namespace: default
  2712. path: /convert
  2713. ---
  2714. apiVersion: apiextensions.k8s.io/v1
  2715. kind: CustomResourceDefinition
  2716. metadata:
  2717. annotations:
  2718. controller-gen.kubebuilder.io/version: v0.9.2
  2719. creationTimestamp: null
  2720. name: externalsecrets.external-secrets.io
  2721. spec:
  2722. group: external-secrets.io
  2723. names:
  2724. categories:
  2725. - externalsecrets
  2726. kind: ExternalSecret
  2727. listKind: ExternalSecretList
  2728. plural: externalsecrets
  2729. shortNames:
  2730. - es
  2731. singular: externalsecret
  2732. scope: Namespaced
  2733. versions:
  2734. - additionalPrinterColumns:
  2735. - jsonPath: .spec.secretStoreRef.name
  2736. name: Store
  2737. type: string
  2738. - jsonPath: .spec.refreshInterval
  2739. name: Refresh Interval
  2740. type: string
  2741. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2742. name: Status
  2743. type: string
  2744. deprecated: true
  2745. name: v1alpha1
  2746. schema:
  2747. openAPIV3Schema:
  2748. description: ExternalSecret is the Schema for the external-secrets API.
  2749. properties:
  2750. apiVersion:
  2751. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2752. type: string
  2753. kind:
  2754. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2755. type: string
  2756. metadata:
  2757. type: object
  2758. spec:
  2759. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2760. properties:
  2761. data:
  2762. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2763. items:
  2764. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2765. properties:
  2766. remoteRef:
  2767. description: ExternalSecretDataRemoteRef defines Provider data location.
  2768. properties:
  2769. conversionStrategy:
  2770. default: Default
  2771. description: Used to define a conversion Strategy
  2772. type: string
  2773. key:
  2774. description: Key is the key used in the Provider, mandatory
  2775. type: string
  2776. property:
  2777. description: Used to select a specific property of the Provider value (if a map), if supported
  2778. type: string
  2779. version:
  2780. description: Used to select a specific version of the Provider value, if supported
  2781. type: string
  2782. required:
  2783. - key
  2784. type: object
  2785. secretKey:
  2786. type: string
  2787. required:
  2788. - remoteRef
  2789. - secretKey
  2790. type: object
  2791. type: array
  2792. dataFrom:
  2793. description: DataFrom is used to fetch all properties from a specific Provider data. If multiple entries are specified, the Secret keys are merged in the specified order.
  2794. items:
  2795. description: ExternalSecretDataRemoteRef defines Provider data location.
  2796. properties:
  2797. conversionStrategy:
  2798. default: Default
  2799. description: Used to define a conversion Strategy
  2800. type: string
  2801. key:
  2802. description: Key is the key used in the Provider, mandatory
  2803. type: string
  2804. property:
  2805. description: Used to select a specific property of the Provider value (if a map), if supported
  2806. type: string
  2807. version:
  2808. description: Used to select a specific version of the Provider value, if supported
  2809. type: string
  2810. required:
  2811. - key
  2812. type: object
  2813. type: array
  2814. refreshInterval:
  2815. default: 1h
  2816. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". May be set to zero to fetch and create it once. Defaults to 1h.
  2817. type: string
  2818. secretStoreRef:
  2819. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2820. properties:
  2821. kind:
  2822. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
  2823. type: string
  2824. name:
  2825. description: Name of the SecretStore resource
  2826. type: string
  2827. required:
  2828. - name
  2829. type: object
  2830. target:
  2831. description: ExternalSecretTarget defines the Kubernetes Secret to be created. There can be only one target per ExternalSecret.
  2832. properties:
  2833. creationPolicy:
  2834. default: Owner
  2835. description: CreationPolicy defines rules on how to create the resulting Secret. Defaults to 'Owner'.
  2836. type: string
  2837. immutable:
  2838. description: Immutable defines if the final secret will be immutable
  2839. type: boolean
  2840. name:
  2841. description: Name defines the name of the Secret resource to be managed. This field is immutable. Defaults to the .metadata.name of the ExternalSecret resource.
  2842. type: string
  2843. template:
  2844. description: Template defines a blueprint for the created Secret resource.
  2845. properties:
  2846. data:
  2847. additionalProperties:
  2848. type: string
  2849. type: object
  2850. engineVersion:
  2851. default: v1
  2852. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  2853. type: string
  2854. metadata:
  2855. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2856. properties:
  2857. annotations:
  2858. additionalProperties:
  2859. type: string
  2860. type: object
  2861. labels:
  2862. additionalProperties:
  2863. type: string
  2864. type: object
  2865. type: object
  2866. templateFrom:
  2867. items:
  2868. maxProperties: 1
  2869. minProperties: 1
  2870. properties:
  2871. configMap:
  2872. properties:
  2873. items:
  2874. items:
  2875. properties:
  2876. key:
  2877. type: string
  2878. required:
  2879. - key
  2880. type: object
  2881. type: array
  2882. name:
  2883. type: string
  2884. required:
  2885. - items
  2886. - name
  2887. type: object
  2888. secret:
  2889. properties:
  2890. items:
  2891. items:
  2892. properties:
  2893. key:
  2894. type: string
  2895. required:
  2896. - key
  2897. type: object
  2898. type: array
  2899. name:
  2900. type: string
  2901. required:
  2902. - items
  2903. - name
  2904. type: object
  2905. type: object
  2906. type: array
  2907. type:
  2908. type: string
  2909. type: object
  2910. type: object
  2911. required:
  2912. - secretStoreRef
  2913. - target
  2914. type: object
  2915. status:
  2916. properties:
  2917. conditions:
  2918. items:
  2919. properties:
  2920. lastTransitionTime:
  2921. format: date-time
  2922. type: string
  2923. message:
  2924. type: string
  2925. reason:
  2926. type: string
  2927. status:
  2928. type: string
  2929. type:
  2930. type: string
  2931. required:
  2932. - status
  2933. - type
  2934. type: object
  2935. type: array
  2936. refreshTime:
  2937. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2938. format: date-time
  2939. nullable: true
  2940. type: string
  2941. syncedResourceVersion:
  2942. description: SyncedResourceVersion keeps track of the last synced version
  2943. type: string
  2944. type: object
  2945. type: object
  2946. served: true
  2947. storage: false
  2948. subresources:
  2949. status: {}
  2950. - additionalPrinterColumns:
  2951. - jsonPath: .spec.secretStoreRef.name
  2952. name: Store
  2953. type: string
  2954. - jsonPath: .spec.refreshInterval
  2955. name: Refresh Interval
  2956. type: string
  2957. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2958. name: Status
  2959. type: string
  2960. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2961. name: Ready
  2962. type: string
  2963. name: v1beta1
  2964. schema:
  2965. openAPIV3Schema:
  2966. description: ExternalSecret is the Schema for the external-secrets API.
  2967. properties:
  2968. apiVersion:
  2969. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2970. type: string
  2971. kind:
  2972. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2973. type: string
  2974. metadata:
  2975. type: object
  2976. spec:
  2977. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2978. properties:
  2979. data:
  2980. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2981. items:
  2982. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2983. properties:
  2984. remoteRef:
  2985. description: ExternalSecretDataRemoteRef defines Provider data location.
  2986. properties:
  2987. conversionStrategy:
  2988. default: Default
  2989. description: Used to define a conversion Strategy
  2990. type: string
  2991. decodingStrategy:
  2992. default: None
  2993. description: Used to define a decoding Strategy
  2994. type: string
  2995. key:
  2996. description: Key is the key used in the Provider, mandatory
  2997. type: string
  2998. metadataPolicy:
  2999. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  3000. type: string
  3001. property:
  3002. description: Used to select a specific property of the Provider value (if a map), if supported
  3003. type: string
  3004. version:
  3005. description: Used to select a specific version of the Provider value, if supported
  3006. type: string
  3007. required:
  3008. - key
  3009. type: object
  3010. secretKey:
  3011. type: string
  3012. required:
  3013. - remoteRef
  3014. - secretKey
  3015. type: object
  3016. type: array
  3017. dataFrom:
  3018. description: DataFrom is used to fetch all properties from a specific Provider data. If multiple entries are specified, the Secret keys are merged in the specified order.
  3019. items:
  3020. properties:
  3021. extract:
  3022. description: Used to extract multiple key/value pairs from one secret
  3023. properties:
  3024. conversionStrategy:
  3025. default: Default
  3026. description: Used to define a conversion Strategy
  3027. type: string
  3028. decodingStrategy:
  3029. default: None
  3030. description: Used to define a decoding Strategy
  3031. type: string
  3032. key:
  3033. description: Key is the key used in the Provider, mandatory
  3034. type: string
  3035. metadataPolicy:
  3036. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  3037. type: string
  3038. property:
  3039. description: Used to select a specific property of the Provider value (if a map), if supported
  3040. type: string
  3041. version:
  3042. description: Used to select a specific version of the Provider value, if supported
  3043. type: string
  3044. required:
  3045. - key
  3046. type: object
  3047. find:
  3048. description: Used to find secrets based on tags or regular expressions
  3049. properties:
  3050. conversionStrategy:
  3051. default: Default
  3052. description: Used to define a conversion Strategy
  3053. type: string
  3054. decodingStrategy:
  3055. default: None
  3056. description: Used to define a decoding Strategy
  3057. type: string
  3058. name:
  3059. description: Finds secrets based on the name.
  3060. properties:
  3061. regexp:
  3062. description: Finds secrets whose name matches this regular expression.
  3063. type: string
  3064. type: object
  3065. path:
  3066. description: A root path to start the find operations.
  3067. type: string
  3068. tags:
  3069. additionalProperties:
  3070. type: string
  3071. description: Find secrets based on tags.
  3072. type: object
  3073. type: object
  3074. rewrite:
  3075. description: Used to rewrite secret keys after getting them from the secret Provider. Multiple rewrite operations can be provided; they are applied in a layered order (first to last).
  3076. items:
  3077. properties:
  3078. regexp:
  3079. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  3080. properties:
  3081. source:
  3082. description: Used to define the regular expression of a re.Compiler.
  3083. type: string
  3084. target:
  3085. description: Used to define the target pattern of a ReplaceAll operation.
  3086. type: string
  3087. required:
  3088. - source
  3089. - target
  3090. type: object
  3091. type: object
  3092. type: array
  3093. type: object
  3094. type: array
  3095. refreshInterval:
  3096. default: 1h
  3097. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". May be set to zero to fetch and create it once. Defaults to 1h.
  3098. type: string
  3099. secretStoreRef:
  3100. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  3101. properties:
  3102. kind:
  3103. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to `SecretStore`.
  3104. type: string
  3105. name:
  3106. description: Name of the SecretStore resource
  3107. type: string
  3108. required:
  3109. - name
  3110. type: object
  3111. target:
  3112. default:
  3113. creationPolicy: Owner
  3114. deletionPolicy: Retain
  3115. description: ExternalSecretTarget defines the Kubernetes Secret to be created. There can be only one target per ExternalSecret.
  3116. properties:
  3117. creationPolicy:
  3118. default: Owner
  3119. description: CreationPolicy defines rules on how to create the resulting Secret. Defaults to 'Owner'.
  3120. enum:
  3121. - Owner
  3122. - Orphan
  3123. - Merge
  3124. - None
  3125. type: string
  3126. deletionPolicy:
  3127. default: Retain
  3128. description: DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to 'Retain'.
  3129. enum:
  3130. - Delete
  3131. - Merge
  3132. - Retain
  3133. type: string
  3134. immutable:
  3135. description: Immutable defines if the final secret will be immutable
  3136. type: boolean
  3137. name:
  3138. description: Name defines the name of the Secret resource to be managed. This field is immutable. Defaults to the .metadata.name of the ExternalSecret resource.
  3139. type: string
  3140. template:
  3141. description: Template defines a blueprint for the created Secret resource.
  3142. properties:
  3143. data:
  3144. additionalProperties:
  3145. type: string
  3146. type: object
  3147. engineVersion:
  3148. default: v2
  3149. type: string
  3150. metadata:
  3151. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  3152. properties:
  3153. annotations:
  3154. additionalProperties:
  3155. type: string
  3156. type: object
  3157. labels:
  3158. additionalProperties:
  3159. type: string
  3160. type: object
  3161. type: object
  3162. templateFrom:
  3163. items:
  3164. maxProperties: 1
  3165. minProperties: 1
  3166. properties:
  3167. configMap:
  3168. properties:
  3169. items:
  3170. items:
  3171. properties:
  3172. key:
  3173. type: string
  3174. required:
  3175. - key
  3176. type: object
  3177. type: array
  3178. name:
  3179. type: string
  3180. required:
  3181. - items
  3182. - name
  3183. type: object
  3184. secret:
  3185. properties:
  3186. items:
  3187. items:
  3188. properties:
  3189. key:
  3190. type: string
  3191. required:
  3192. - key
  3193. type: object
  3194. type: array
  3195. name:
  3196. type: string
  3197. required:
  3198. - items
  3199. - name
  3200. type: object
  3201. type: object
  3202. type: array
  3203. type:
  3204. type: string
  3205. type: object
  3206. type: object
  3207. required:
  3208. - secretStoreRef
  3209. type: object
  3210. status:
  3211. properties:
  3212. conditions:
  3213. items:
  3214. properties:
  3215. lastTransitionTime:
  3216. format: date-time
  3217. type: string
  3218. message:
  3219. type: string
  3220. reason:
  3221. type: string
  3222. status:
  3223. type: string
  3224. type:
  3225. type: string
  3226. required:
  3227. - status
  3228. - type
  3229. type: object
  3230. type: array
  3231. refreshTime:
  3232. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3233. format: date-time
  3234. nullable: true
  3235. type: string
  3236. syncedResourceVersion:
  3237. description: SyncedResourceVersion keeps track of the last synced version
  3238. type: string
  3239. type: object
  3240. type: object
  3241. served: true
  3242. storage: true
  3243. subresources:
  3244. status: {}
  3245. conversion:
  3246. strategy: Webhook
  3247. webhook:
  3248. conversionReviewVersions:
  3249. - v1
  3250. clientConfig:
  3251. service:
  3252. name: kubernetes
  3253. namespace: default
  3254. path: /convert
  3255. ---
  3256. apiVersion: apiextensions.k8s.io/v1
  3257. kind: CustomResourceDefinition
  3258. metadata:
  3259. annotations:
  3260. controller-gen.kubebuilder.io/version: v0.9.2
  3261. creationTimestamp: null
  3262. name: pushsecrets.external-secrets.io
  3263. spec:
  3264. group: external-secrets.io
  3265. names:
  3266. categories:
  3267. - pushsecrets
  3268. kind: PushSecret
  3269. listKind: PushSecretList
  3270. plural: pushsecrets
  3271. singular: pushsecret
  3272. scope: Namespaced
  3273. versions:
  3274. - additionalPrinterColumns:
  3275. - jsonPath: .metadata.creationTimestamp
  3276. name: AGE
  3277. type: date
  3278. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3279. name: Status
  3280. type: string
  3281. name: v1alpha1
  3282. schema:
  3283. openAPIV3Schema:
  3284. properties:
  3285. apiVersion:
  3286. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3287. type: string
  3288. kind:
  3289. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3290. type: string
  3291. metadata:
  3292. type: object
  3293. spec:
  3294. description: PushSecretSpec configures the behavior of the PushSecret.
  3295. properties:
  3296. data:
  3297. description: Secret Data that should be pushed to providers
  3298. items:
  3299. properties:
  3300. match:
  3301. description: Match a given Secret Key to be pushed to the provider.
  3302. properties:
  3303. remoteRef:
  3304. description: Remote Refs to push to providers.
  3305. properties:
  3306. remoteKey:
  3307. description: Name of the resulting provider secret.
  3308. type: string
  3309. required:
  3310. - remoteKey
  3311. type: object
  3312. secretKey:
  3313. description: Secret Key to be pushed
  3314. type: string
  3315. required:
  3316. - remoteRef
  3317. - secretKey
  3318. type: object
  3319. required:
  3320. - match
  3321. type: object
  3322. type: array
  3323. refreshInterval:
  3324. description: The interval at which External Secrets will try to push a secret definition.
  3325. type: string
  3326. secretStoreRefs:
  3327. items:
  3328. properties:
  3329. kind:
  3330. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3331. type: string
  3332. labelSelector:
  3333. description: Optionally, sync to secret stores matching a label selector.
  3334. properties:
  3335. matchExpressions:
  3336. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3337. items:
  3338. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3339. properties:
  3340. key:
  3341. description: key is the label key that the selector applies to.
  3342. type: string
  3343. operator:
  3344. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3345. type: string
  3346. values:
  3347. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3348. items:
  3349. type: string
  3350. type: array
  3351. required:
  3352. - key
  3353. - operator
  3354. type: object
  3355. type: array
  3356. matchLabels:
  3357. additionalProperties:
  3358. type: string
  3359. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3360. type: object
  3361. type: object
  3362. x-kubernetes-map-type: atomic
  3363. name:
  3364. description: Optionally, sync to the SecretStore of the given name
  3365. type: string
  3366. type: object
  3367. type: array
  3368. selector:
  3369. description: The Secret Selector (k8s source) for the Push Secret
  3370. properties:
  3371. secret:
  3372. description: Select a Secret to Push.
  3373. properties:
  3374. name:
  3375. description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
  3376. type: string
  3377. required:
  3378. - name
  3379. type: object
  3380. required:
  3381. - secret
  3382. type: object
  3383. required:
  3384. - secretStoreRefs
  3385. - selector
  3386. type: object
  3387. status:
  3388. description: PushSecretStatus indicates the history of the status of PushSecret.
  3389. properties:
  3390. conditions:
  3391. items:
  3392. description: PushSecretStatusCondition indicates the status of the PushSecret.
  3393. properties:
  3394. lastTransitionTime:
  3395. format: date-time
  3396. type: string
  3397. message:
  3398. type: string
  3399. reason:
  3400. type: string
  3401. status:
  3402. type: string
  3403. type:
  3404. description: PushSecretConditionType indicates the condition of the PushSecret.
  3405. type: string
  3406. required:
  3407. - status
  3408. - type
  3409. type: object
  3410. type: array
  3411. refreshTime:
  3412. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3413. format: date-time
  3414. nullable: true
  3415. type: string
  3416. syncedPushSecrets:
  3417. additionalProperties:
  3418. items:
  3419. properties:
  3420. match:
  3421. description: Match a given Secret Key to be pushed to the provider.
  3422. properties:
  3423. remoteRef:
  3424. description: Remote Refs to push to providers.
  3425. properties:
  3426. remoteKey:
  3427. description: Name of the resulting provider secret.
  3428. type: string
  3429. required:
  3430. - remoteKey
  3431. type: object
  3432. secretKey:
  3433. description: Secret Key to be pushed
  3434. type: string
  3435. required:
  3436. - remoteRef
  3437. - secretKey
  3438. type: object
  3439. required:
  3440. - match
  3441. type: object
  3442. type: array
  3443. description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.
  3444. type: object
  3445. syncedResourceVersion:
  3446. description: SyncedResourceVersion keeps track of the last synced version.
  3447. type: string
  3448. required:
  3449. - syncedPushSecrets
  3450. type: object
  3451. type: object
  3452. served: true
  3453. storage: true
  3454. subresources:
  3455. status: {}
  3456. conversion:
  3457. strategy: Webhook
  3458. webhook:
  3459. conversionReviewVersions:
  3460. - v1
  3461. clientConfig:
  3462. service:
  3463. name: kubernetes
  3464. namespace: default
  3465. path: /convert
  3466. ---
  3467. apiVersion: apiextensions.k8s.io/v1
  3468. kind: CustomResourceDefinition
  3469. metadata:
  3470. annotations:
  3471. controller-gen.kubebuilder.io/version: v0.9.2
  3472. creationTimestamp: null
  3473. name: secretstores.external-secrets.io
  3474. spec:
  3475. group: external-secrets.io
  3476. names:
  3477. categories:
  3478. - externalsecrets
  3479. kind: SecretStore
  3480. listKind: SecretStoreList
  3481. plural: secretstores
  3482. shortNames:
  3483. - ss
  3484. singular: secretstore
  3485. scope: Namespaced
  3486. versions:
  3487. - additionalPrinterColumns:
  3488. - jsonPath: .metadata.creationTimestamp
  3489. name: AGE
  3490. type: date
  3491. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3492. name: Status
  3493. type: string
  3494. deprecated: true
  3495. name: v1alpha1
  3496. schema:
  3497. openAPIV3Schema:
  3498. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3499. properties:
  3500. apiVersion:
  3501. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3502. type: string
  3503. kind:
  3504. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3505. type: string
  3506. metadata:
  3507. type: object
  3508. spec:
  3509. description: SecretStoreSpec defines the desired state of SecretStore.
  3510. properties:
  3511. controller:
  3512. description: 'Used to select the correct KES controller (think: ingress.ingressClassName). The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3513. type: string
  3514. provider:
  3515. description: Used to configure the provider. Only one provider may be set
  3516. maxProperties: 1
  3517. minProperties: 1
  3518. properties:
  3519. akeyless:
  3520. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3521. properties:
  3522. akeylessGWApiURL:
  3523. description: Akeyless GW API URL from which the secrets are to be fetched.
  3524. type: string
  3525. authSecretRef:
  3526. description: Auth configures how the operator authenticates with Akeyless.
  3527. properties:
  3528. kubernetesAuth:
  3529. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  3530. properties:
  3531. accessID:
  3532. description: the Akeyless Kubernetes auth-method access-id
  3533. type: string
  3534. k8sConfName:
  3535. description: Kubernetes-auth configuration name in Akeyless-Gateway
  3536. type: string
  3537. secretRef:
  3538. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3539. properties:
  3540. key:
  3541. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3542. type: string
  3543. name:
  3544. description: The name of the Secret resource being referred to.
  3545. type: string
  3546. namespace:
  3547. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3548. type: string
  3549. type: object
  3550. serviceAccountRef:
  3551. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  3552. properties:
  3553. audiences:
  3554. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
  3555. items:
  3556. type: string
  3557. type: array
  3558. name:
  3559. description: The name of the ServiceAccount resource being referred to.
  3560. type: string
  3561. namespace:
  3562. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3563. type: string
  3564. required:
  3565. - name
  3566. type: object
  3567. required:
  3568. - accessID
  3569. - k8sConfName
  3570. type: object
  3571. secretRef:
  3572. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  3573. properties:
  3574. accessID:
  3575. description: The SecretAccessID is used for authentication
  3576. properties:
  3577. key:
  3578. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3579. type: string
  3580. name:
  3581. description: The name of the Secret resource being referred to.
  3582. type: string
  3583. namespace:
  3584. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3585. type: string
  3586. type: object
  3587. accessType:
  3588. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  3589. properties:
  3590. key:
  3591. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3592. type: string
  3593. name:
  3594. description: The name of the Secret resource being referred to.
  3595. type: string
  3596. namespace:
  3597. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3598. type: string
  3599. type: object
  3600. accessTypeParam:
  3601. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  3602. properties:
  3603. key:
  3604. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3605. type: string
  3606. name:
  3607. description: The name of the Secret resource being referred to.
  3608. type: string
  3609. namespace:
  3610. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3611. type: string
  3612. type: object
  3613. type: object
  3614. type: object
  3615. required:
  3616. - akeylessGWApiURL
  3617. - authSecretRef
  3618. type: object
  3619. alibaba:
  3620. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3621. properties:
  3622. auth:
  3623. description: AlibabaAuth contains a secretRef for credentials.
  3624. properties:
  3625. secretRef:
  3626. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3627. properties:
  3628. accessKeyIDSecretRef:
  3629. description: The AccessKeyID is used for authentication
  3630. properties:
  3631. key:
  3632. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3633. type: string
  3634. name:
  3635. description: The name of the Secret resource being referred to.
  3636. type: string
  3637. namespace:
  3638. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3639. type: string
  3640. type: object
  3641. accessKeySecretSecretRef:
  3642. description: The AccessKeySecret is used for authentication
  3643. properties:
  3644. key:
  3645. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3646. type: string
  3647. name:
  3648. description: The name of the Secret resource being referred to.
  3649. type: string
  3650. namespace:
  3651. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3652. type: string
  3653. type: object
  3654. required:
  3655. - accessKeyIDSecretRef
  3656. - accessKeySecretSecretRef
  3657. type: object
  3658. required:
  3659. - secretRef
  3660. type: object
  3661. endpoint:
  3662. type: string
  3663. regionID:
  3664. description: Alibaba Region to be used for the provider
  3665. type: string
  3666. required:
  3667. - auth
  3668. - regionID
  3669. type: object
  3670. aws:
  3671. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3672. properties:
  3673. auth:
  3674. description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3675. properties:
  3676. jwt:
  3677. description: Authenticate against AWS using service account tokens.
  3678. properties:
  3679. serviceAccountRef:
  3680. description: A reference to a ServiceAccount resource.
  3681. properties:
  3682. audiences:
  3683. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
  3684. items:
  3685. type: string
  3686. type: array
  3687. name:
  3688. description: The name of the ServiceAccount resource being referred to.
  3689. type: string
  3690. namespace:
  3691. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3692. type: string
  3693. required:
  3694. - name
  3695. type: object
  3696. type: object
  3697. secretRef:
  3698. description: AWSAuthSecretRef holds secret references for AWS credentials. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3699. properties:
  3700. accessKeyIDSecretRef:
  3701. description: The AccessKeyID is used for authentication
  3702. properties:
  3703. key:
  3704. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3705. type: string
  3706. name:
  3707. description: The name of the Secret resource being referred to.
  3708. type: string
  3709. namespace:
  3710. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3711. type: string
  3712. type: object
  3713. secretAccessKeySecretRef:
  3714. description: The SecretAccessKey is used for authentication
  3715. properties:
  3716. key:
  3717. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3718. type: string
  3719. name:
  3720. description: The name of the Secret resource being referred to.
  3721. type: string
  3722. namespace:
  3723. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3724. type: string
  3725. type: object
  3726. type: object
  3727. type: object
  3728. region:
  3729. description: AWS Region to be used for the provider
  3730. type: string
  3731. role:
  3732. description: Role is a Role ARN which the SecretManager provider will assume
  3733. type: string
  3734. service:
  3735. description: Service defines which service should be used to fetch the secrets
  3736. enum:
  3737. - SecretsManager
  3738. - ParameterStore
  3739. type: string
  3740. required:
  3741. - region
  3742. - service
  3743. type: object
  3744. azurekv:
  3745. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3746. properties:
  3747. authSecretRef:
  3748. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3749. properties:
  3750. clientId:
  3751. description: The Azure clientId of the service principal used for authentication.
  3752. properties:
  3753. key:
  3754. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3755. type: string
  3756. name:
  3757. description: The name of the Secret resource being referred to.
  3758. type: string
  3759. namespace:
  3760. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3761. type: string
  3762. type: object
  3763. clientSecret:
  3764. description: The Azure ClientSecret of the service principal used for authentication.
  3765. properties:
  3766. key:
  3767. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3768. type: string
  3769. name:
  3770. description: The name of the Secret resource being referred to.
  3771. type: string
  3772. namespace:
  3773. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3774. type: string
  3775. type: object
  3776. type: object
  3777. authType:
  3778. default: ServicePrincipal
  3779. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3780. enum:
  3781. - ServicePrincipal
  3782. - ManagedIdentity
  3783. - WorkloadIdentity
  3784. type: string
  3785. identityId:
  3786. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  3787. type: string
  3788. serviceAccountRef:
  3789. description: ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
  3790. properties:
  3791. audiences:
  3792. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
  3793. items:
  3794. type: string
  3795. type: array
  3796. name:
  3797. description: The name of the ServiceAccount resource being referred to.
  3798. type: string
  3799. namespace:
  3800. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3801. type: string
  3802. required:
  3803. - name
  3804. type: object
  3805. tenantId:
  3806. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3807. type: string
  3808. vaultUrl:
  3809. description: Vault URL from which the secrets are to be fetched.
  3810. type: string
  3811. required:
  3812. - vaultUrl
  3813. type: object
  3814. fake:
  3815. description: Fake configures a store with static key/value pairs
  3816. properties:
  3817. data:
  3818. items:
  3819. properties:
  3820. key:
  3821. type: string
  3822. value:
  3823. type: string
  3824. valueMap:
  3825. additionalProperties:
  3826. type: string
  3827. type: object
  3828. version:
  3829. type: string
  3830. required:
  3831. - key
  3832. type: object
  3833. type: array
  3834. required:
  3835. - data
  3836. type: object
  3837. gcpsm:
  3838. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3839. properties:
  3840. auth:
  3841. description: Auth defines the information necessary to authenticate against GCP
  3842. properties:
  3843. secretRef:
  3844. properties:
  3845. secretAccessKeySecretRef:
  3846. description: The SecretAccessKey is used for authentication
  3847. properties:
  3848. key:
  3849. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3850. type: string
  3851. name:
  3852. description: The name of the Secret resource being referred to.
  3853. type: string
  3854. namespace:
  3855. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3856. type: string
  3857. type: object
  3858. type: object
  3859. workloadIdentity:
  3860. properties:
  3861. clusterLocation:
  3862. type: string
  3863. clusterName:
  3864. type: string
  3865. clusterProjectID:
  3866. type: string
  3867. serviceAccountRef:
  3868. description: A reference to a ServiceAccount resource.
  3869. properties:
  3870. audiences:
  3871. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
  3872. items:
  3873. type: string
  3874. type: array
  3875. name:
  3876. description: The name of the ServiceAccount resource being referred to.
  3877. type: string
  3878. namespace:
  3879. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3880. type: string
  3881. required:
  3882. - name
  3883. type: object
  3884. required:
  3885. - clusterLocation
  3886. - clusterName
  3887. - serviceAccountRef
  3888. type: object
  3889. type: object
  3890. projectID:
  3891. description: ProjectID project where secret is located
  3892. type: string
  3893. type: object
  3894. gitlab:
  3895. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  3896. properties:
  3897. auth:
  3898. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3899. properties:
  3900. SecretRef:
  3901. properties:
  3902. accessToken:
  3903. description: AccessToken is used for authentication.
  3904. properties:
  3905. key:
  3906. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3907. type: string
  3908. name:
  3909. description: The name of the Secret resource being referred to.
  3910. type: string
  3911. namespace:
  3912. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3913. type: string
  3914. type: object
  3915. type: object
  3916. required:
  3917. - SecretRef
  3918. type: object
  3919. projectID:
  3920. description: ProjectID specifies a project where secrets are located.
  3921. type: string
  3922. url:
  3923. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3924. type: string
  3925. required:
  3926. - auth
  3927. type: object
  3928. ibm:
  3929. description: IBM configures this store to sync secrets using IBM Cloud provider
  3930. properties:
  3931. auth:
  3932. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3933. properties:
  3934. secretRef:
  3935. properties:
  3936. secretApiKeySecretRef:
  3937. description: The SecretAccessKey is used for authentication
  3938. properties:
  3939. key:
  3940. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3941. type: string
  3942. name:
  3943. description: The name of the Secret resource being referred to.
  3944. type: string
  3945. namespace:
  3946. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3947. type: string
  3948. type: object
  3949. type: object
  3950. required:
  3951. - secretRef
  3952. type: object
  3953. serviceUrl:
  3954. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3955. type: string
  3956. required:
  3957. - auth
  3958. type: object
  3959. kubernetes:
  3960. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3961. properties:
  3962. auth:
  3963. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3964. maxProperties: 1
  3965. minProperties: 1
  3966. properties:
  3967. cert:
  3968. description: has both clientCert and clientKey as secretKeySelector
  3969. properties:
  3970. clientCert:
  3971. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  3972. properties:
  3973. key:
  3974. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3975. type: string
  3976. name:
  3977. description: The name of the Secret resource being referred to.
  3978. type: string
  3979. namespace:
  3980. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3981. type: string
  3982. type: object
  3983. clientKey:
  3984. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  3985. properties:
  3986. key:
  3987. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3988. type: string
  3989. name:
  3990. description: The name of the Secret resource being referred to.
  3991. type: string
  3992. namespace:
  3993. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3994. type: string
  3995. type: object
  3996. type: object
  3997. serviceAccount:
  3998. description: points to a service account that should be used for authentication
  3999. properties:
  4000. serviceAccount:
  4001. description: A reference to a ServiceAccount resource.
  4002. properties:
  4003. audiences:
  4004. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
  4005. items:
  4006. type: string
  4007. type: array
  4008. name:
  4009. description: The name of the ServiceAccount resource being referred to.
  4010. type: string
  4011. namespace:
  4012. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4013. type: string
  4014. required:
  4015. - name
  4016. type: object
  4017. type: object
  4018. token:
  4019. description: use a static token to authenticate with
  4020. properties:
  4021. bearerToken:
  4022. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  4023. properties:
  4024. key:
  4025. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4026. type: string
  4027. name:
  4028. description: The name of the Secret resource being referred to.
  4029. type: string
  4030. namespace:
  4031. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4032. type: string
  4033. type: object
  4034. type: object
  4035. type: object
  4036. remoteNamespace:
  4037. default: default
  4038. description: Remote namespace to fetch the secrets from
  4039. type: string
  4040. server:
  4041. description: configures the Kubernetes server Address.
  4042. properties:
  4043. caBundle:
  4044. description: CABundle is a base64-encoded CA certificate
  4045. format: byte
  4046. type: string
  4047. caProvider:
  4048. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4049. properties:
  4050. key:
  4051. description: The key the value inside of the provider type to use, only used with "Secret" type
  4052. type: string
  4053. name:
  4054. description: The name of the object located at the provider type.
  4055. type: string
  4056. namespace:
  4057. description: The namespace the Provider type is in.
  4058. type: string
  4059. type:
  4060. description: The type of provider to use such as "Secret", or "ConfigMap".
  4061. enum:
  4062. - Secret
  4063. - ConfigMap
  4064. type: string
  4065. required:
  4066. - name
  4067. - type
  4068. type: object
  4069. url:
  4070. default: kubernetes.default
  4071. description: configures the Kubernetes server Address.
  4072. type: string
  4073. type: object
  4074. required:
  4075. - auth
  4076. type: object
  4077. oracle:
  4078. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4079. properties:
  4080. auth:
  4081. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4082. properties:
  4083. secretRef:
  4084. description: SecretRef to pass through sensitive information.
  4085. properties:
  4086. fingerprint:
  4087. description: Fingerprint is the fingerprint of the API private key.
  4088. properties:
  4089. key:
  4090. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4091. type: string
  4092. name:
  4093. description: The name of the Secret resource being referred to.
  4094. type: string
  4095. namespace:
  4096. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4097. type: string
  4098. type: object
  4099. privatekey:
  4100. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4101. properties:
  4102. key:
  4103. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4104. type: string
  4105. name:
  4106. description: The name of the Secret resource being referred to.
  4107. type: string
  4108. namespace:
  4109. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4110. type: string
  4111. type: object
  4112. required:
  4113. - fingerprint
  4114. - privatekey
  4115. type: object
  4116. tenancy:
  4117. description: Tenancy is the tenancy OCID where user is located.
  4118. type: string
  4119. user:
  4120. description: User is an access OCID specific to the account.
  4121. type: string
  4122. required:
  4123. - secretRef
  4124. - tenancy
  4125. - user
  4126. type: object
  4127. region:
  4128. description: Region is the region where vault is located.
  4129. type: string
  4130. vault:
  4131. description: Vault is the vault's OCID of the specific vault where secret is located.
  4132. type: string
  4133. required:
  4134. - region
  4135. - vault
  4136. type: object
  4137. vault:
  4138. description: Vault configures this store to sync secrets using Hashi provider
  4139. properties:
  4140. auth:
  4141. description: Auth configures how secret-manager authenticates with the Vault server.
  4142. properties:
  4143. appRole:
  4144. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  4145. properties:
  4146. path:
  4147. default: approle
  4148. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  4149. type: string
  4150. roleId:
  4151. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  4152. type: string
  4153. secretRef:
  4154. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  4155. properties:
  4156. key:
  4157. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4158. type: string
  4159. name:
  4160. description: The name of the Secret resource being referred to.
  4161. type: string
  4162. namespace:
  4163. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4164. type: string
  4165. type: object
  4166. required:
  4167. - path
  4168. - roleId
  4169. - secretRef
  4170. type: object
  4171. cert:
4172. description: Cert authenticates with Vault using the Cert authentication method by passing a client certificate, private key and CA certificate
  4173. properties:
  4174. clientCert:
  4175. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  4176. properties:
  4177. key:
  4178. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4179. type: string
  4180. name:
  4181. description: The name of the Secret resource being referred to.
  4182. type: string
  4183. namespace:
  4184. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4185. type: string
  4186. type: object
  4187. secretRef:
  4188. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  4189. properties:
  4190. key:
  4191. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4192. type: string
  4193. name:
  4194. description: The name of the Secret resource being referred to.
  4195. type: string
  4196. namespace:
  4197. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4198. type: string
  4199. type: object
  4200. type: object
  4201. jwt:
  4202. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  4203. properties:
  4204. kubernetesServiceAccountToken:
4205. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token with the `TokenRequest` API.
  4206. properties:
  4207. audiences:
4208. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
  4209. items:
  4210. type: string
  4211. type: array
  4212. expirationSeconds:
  4213. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  4214. format: int64
  4215. type: integer
  4216. serviceAccountRef:
  4217. description: Service account field containing the name of a kubernetes ServiceAccount.
  4218. properties:
  4219. audiences:
4220. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4221. items:
  4222. type: string
  4223. type: array
  4224. name:
  4225. description: The name of the ServiceAccount resource being referred to.
  4226. type: string
  4227. namespace:
  4228. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4229. type: string
  4230. required:
  4231. - name
  4232. type: object
  4233. required:
  4234. - serviceAccountRef
  4235. type: object
  4236. path:
  4237. default: jwt
  4238. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  4239. type: string
  4240. role:
  4241. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  4242. type: string
  4243. secretRef:
  4244. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  4245. properties:
  4246. key:
  4247. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4248. type: string
  4249. name:
  4250. description: The name of the Secret resource being referred to.
  4251. type: string
  4252. namespace:
  4253. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4254. type: string
  4255. type: object
  4256. required:
  4257. - path
  4258. type: object
  4259. kubernetes:
  4260. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  4261. properties:
  4262. mountPath:
  4263. default: kubernetes
  4264. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  4265. type: string
  4266. role:
  4267. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  4268. type: string
  4269. secretRef:
4270. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If no secret is specified, the ServiceAccount token bound to the controller will be used.
  4271. properties:
  4272. key:
  4273. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4274. type: string
  4275. name:
  4276. description: The name of the Secret resource being referred to.
  4277. type: string
  4278. namespace:
  4279. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4280. type: string
  4281. type: object
  4282. serviceAccountRef:
  4283. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  4284. properties:
  4285. audiences:
4286. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4287. items:
  4288. type: string
  4289. type: array
  4290. name:
  4291. description: The name of the ServiceAccount resource being referred to.
  4292. type: string
  4293. namespace:
  4294. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4295. type: string
  4296. required:
  4297. - name
  4298. type: object
  4299. required:
  4300. - mountPath
  4301. - role
  4302. type: object
  4303. ldap:
  4304. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  4305. properties:
  4306. path:
  4307. default: ldap
  4308. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  4309. type: string
  4310. secretRef:
  4311. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  4312. properties:
  4313. key:
  4314. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4315. type: string
  4316. name:
  4317. description: The name of the Secret resource being referred to.
  4318. type: string
  4319. namespace:
  4320. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4321. type: string
  4322. type: object
  4323. username:
4324. description: Username is an LDAP user name used to authenticate using the LDAP Vault authentication method
  4325. type: string
  4326. required:
  4327. - path
  4328. - username
  4329. type: object
  4330. tokenSecretRef:
  4331. description: TokenSecretRef authenticates with Vault by presenting a token.
  4332. properties:
  4333. key:
  4334. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4335. type: string
  4336. name:
  4337. description: The name of the Secret resource being referred to.
  4338. type: string
  4339. namespace:
  4340. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4341. type: string
  4342. type: object
  4343. type: object
  4344. caBundle:
  4345. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4346. format: byte
  4347. type: string
  4348. caProvider:
  4349. description: The provider for the CA bundle to use to validate Vault server certificate.
  4350. properties:
  4351. key:
4352. description: The key of the value inside the provider type to use; only used with the "Secret" type
  4353. type: string
  4354. name:
  4355. description: The name of the object located at the provider type.
  4356. type: string
  4357. namespace:
  4358. description: The namespace the Provider type is in.
  4359. type: string
  4360. type:
  4361. description: The type of provider to use such as "Secret", or "ConfigMap".
  4362. enum:
  4363. - Secret
  4364. - ConfigMap
  4365. type: string
  4366. required:
  4367. - name
  4368. - type
  4369. type: object
  4370. forwardInconsistent:
  4371. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4372. type: boolean
  4373. namespace:
  4374. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  4375. type: string
  4376. path:
  4377. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  4378. type: string
  4379. readYourWrites:
  4380. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  4381. type: boolean
  4382. server:
  4383. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4384. type: string
  4385. version:
  4386. default: v2
  4387. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  4388. enum:
  4389. - v1
  4390. - v2
  4391. type: string
  4392. required:
  4393. - auth
  4394. - server
  4395. type: object
  4396. webhook:
  4397. description: Webhook configures this store to sync secrets using a generic templated webhook
  4398. properties:
  4399. body:
  4400. description: Body
  4401. type: string
  4402. caBundle:
  4403. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4404. format: byte
  4405. type: string
  4406. caProvider:
  4407. description: The provider for the CA bundle to use to validate webhook server certificate.
  4408. properties:
  4409. key:
4410. description: The key of the value inside the provider type to use; only used with the "Secret" type
  4411. type: string
  4412. name:
  4413. description: The name of the object located at the provider type.
  4414. type: string
  4415. namespace:
  4416. description: The namespace the Provider type is in.
  4417. type: string
  4418. type:
  4419. description: The type of provider to use such as "Secret", or "ConfigMap".
  4420. enum:
  4421. - Secret
  4422. - ConfigMap
  4423. type: string
  4424. required:
  4425. - name
  4426. - type
  4427. type: object
  4428. headers:
  4429. additionalProperties:
  4430. type: string
  4431. description: Headers
  4432. type: object
  4433. method:
  4434. description: Webhook Method
  4435. type: string
  4436. result:
  4437. description: Result formatting
  4438. properties:
  4439. jsonPath:
  4440. description: Json path of return value
  4441. type: string
  4442. type: object
  4443. secrets:
4444. description: Secrets to fill in templates. These secrets will be passed to the templating function as key value pairs under the given name
  4445. items:
  4446. properties:
  4447. name:
  4448. description: Name of this secret in templates
  4449. type: string
  4450. secretRef:
  4451. description: Secret ref to fill in credentials
  4452. properties:
  4453. key:
  4454. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4455. type: string
  4456. name:
  4457. description: The name of the Secret resource being referred to.
  4458. type: string
  4459. namespace:
  4460. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4461. type: string
  4462. type: object
  4463. required:
  4464. - name
  4465. - secretRef
  4466. type: object
  4467. type: array
  4468. timeout:
  4469. description: Timeout
  4470. type: string
  4471. url:
  4472. description: Webhook url to call
  4473. type: string
  4474. required:
  4475. - result
  4476. - url
  4477. type: object
  4478. yandexlockbox:
  4479. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4480. properties:
  4481. apiEndpoint:
  4482. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4483. type: string
  4484. auth:
  4485. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4486. properties:
  4487. authorizedKeySecretRef:
  4488. description: The authorized key used for authentication
  4489. properties:
  4490. key:
  4491. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4492. type: string
  4493. name:
  4494. description: The name of the Secret resource being referred to.
  4495. type: string
  4496. namespace:
  4497. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4498. type: string
  4499. type: object
  4500. type: object
  4501. caProvider:
  4502. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4503. properties:
  4504. certSecretRef:
4505. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  4506. properties:
  4507. key:
  4508. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4509. type: string
  4510. name:
  4511. description: The name of the Secret resource being referred to.
  4512. type: string
  4513. namespace:
  4514. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4515. type: string
  4516. type: object
  4517. type: object
  4518. required:
  4519. - auth
  4520. type: object
  4521. type: object
  4522. retrySettings:
  4523. description: Used to configure http retries if failed
  4524. properties:
  4525. maxRetries:
  4526. format: int32
  4527. type: integer
  4528. retryInterval:
  4529. type: string
  4530. type: object
  4531. required:
  4532. - provider
  4533. type: object
  4534. status:
  4535. description: SecretStoreStatus defines the observed state of the SecretStore.
  4536. properties:
  4537. conditions:
  4538. items:
  4539. properties:
  4540. lastTransitionTime:
  4541. format: date-time
  4542. type: string
  4543. message:
  4544. type: string
  4545. reason:
  4546. type: string
  4547. status:
  4548. type: string
  4549. type:
  4550. type: string
  4551. required:
  4552. - status
  4553. - type
  4554. type: object
  4555. type: array
  4556. type: object
  4557. type: object
  4558. served: true
  4559. storage: false
  4560. subresources:
  4561. status: {}
  4562. - additionalPrinterColumns:
  4563. - jsonPath: .metadata.creationTimestamp
  4564. name: AGE
  4565. type: date
  4566. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4567. name: Status
  4568. type: string
  4569. - jsonPath: .status.capabilities
  4570. name: Capabilities
  4571. type: string
  4572. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  4573. name: Ready
  4574. type: string
  4575. name: v1beta1
  4576. schema:
  4577. openAPIV3Schema:
  4578. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4579. properties:
  4580. apiVersion:
  4581. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4582. type: string
  4583. kind:
  4584. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4585. type: string
  4586. metadata:
  4587. type: object
  4588. spec:
  4589. description: SecretStoreSpec defines the desired state of SecretStore.
  4590. properties:
  4591. controller:
4592. description: 'Used to select the correct KES controller (think: ingress.ingressClassName). The KES controller is instantiated with a specific controller name and filters ES based on this property'
  4593. type: string
  4594. provider:
  4595. description: Used to configure the provider. Only one provider may be set
  4596. maxProperties: 1
  4597. minProperties: 1
  4598. properties:
  4599. akeyless:
  4600. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4601. properties:
  4602. akeylessGWApiURL:
4603. description: Akeyless GW API URL from which the secrets are to be fetched.
  4604. type: string
  4605. authSecretRef:
  4606. description: Auth configures how the operator authenticates with Akeyless.
  4607. properties:
  4608. kubernetesAuth:
  4609. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  4610. properties:
  4611. accessID:
  4612. description: the Akeyless Kubernetes auth-method access-id
  4613. type: string
  4614. k8sConfName:
  4615. description: Kubernetes-auth configuration name in Akeyless-Gateway
  4616. type: string
  4617. secretRef:
4618. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If no secret is specified, the ServiceAccount token bound to the controller will be used.
  4619. properties:
  4620. key:
  4621. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4622. type: string
  4623. name:
  4624. description: The name of the Secret resource being referred to.
  4625. type: string
  4626. namespace:
  4627. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4628. type: string
  4629. type: object
  4630. serviceAccountRef:
  4631. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  4632. properties:
  4633. audiences:
4634. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4635. items:
  4636. type: string
  4637. type: array
  4638. name:
  4639. description: The name of the ServiceAccount resource being referred to.
  4640. type: string
  4641. namespace:
  4642. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4643. type: string
  4644. required:
  4645. - name
  4646. type: object
  4647. required:
  4648. - accessID
  4649. - k8sConfName
  4650. type: object
  4651. secretRef:
  4652. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  4653. properties:
  4654. accessID:
  4655. description: The SecretAccessID is used for authentication
  4656. properties:
  4657. key:
  4658. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4659. type: string
  4660. name:
  4661. description: The name of the Secret resource being referred to.
  4662. type: string
  4663. namespace:
  4664. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4665. type: string
  4666. type: object
  4667. accessType:
4668. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  4669. properties:
  4670. key:
  4671. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4672. type: string
  4673. name:
  4674. description: The name of the Secret resource being referred to.
  4675. type: string
  4676. namespace:
  4677. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4678. type: string
  4679. type: object
  4680. accessTypeParam:
4681. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  4682. properties:
  4683. key:
  4684. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4685. type: string
  4686. name:
  4687. description: The name of the Secret resource being referred to.
  4688. type: string
  4689. namespace:
  4690. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4691. type: string
  4692. type: object
  4693. type: object
  4694. type: object
  4695. required:
  4696. - akeylessGWApiURL
  4697. - authSecretRef
  4698. type: object
  4699. alibaba:
  4700. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4701. properties:
  4702. auth:
  4703. description: AlibabaAuth contains a secretRef for credentials.
  4704. properties:
  4705. secretRef:
  4706. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4707. properties:
  4708. accessKeyIDSecretRef:
  4709. description: The AccessKeyID is used for authentication
  4710. properties:
  4711. key:
  4712. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4713. type: string
  4714. name:
  4715. description: The name of the Secret resource being referred to.
  4716. type: string
  4717. namespace:
  4718. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4719. type: string
  4720. type: object
  4721. accessKeySecretSecretRef:
  4722. description: The AccessKeySecret is used for authentication
  4723. properties:
  4724. key:
  4725. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4726. type: string
  4727. name:
  4728. description: The name of the Secret resource being referred to.
  4729. type: string
  4730. namespace:
  4731. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4732. type: string
  4733. type: object
  4734. required:
  4735. - accessKeyIDSecretRef
  4736. - accessKeySecretSecretRef
  4737. type: object
  4738. required:
  4739. - secretRef
  4740. type: object
  4741. endpoint:
  4742. type: string
  4743. regionID:
  4744. description: Alibaba Region to be used for the provider
  4745. type: string
  4746. required:
  4747. - auth
  4748. - regionID
  4749. type: object
  4750. aws:
  4751. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4752. properties:
  4753. auth:
4754. description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4755. properties:
  4756. jwt:
  4757. description: Authenticate against AWS using service account tokens.
  4758. properties:
  4759. serviceAccountRef:
  4760. description: A reference to a ServiceAccount resource.
  4761. properties:
  4762. audiences:
4763. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4764. items:
  4765. type: string
  4766. type: array
  4767. name:
  4768. description: The name of the ServiceAccount resource being referred to.
  4769. type: string
  4770. namespace:
  4771. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4772. type: string
  4773. required:
  4774. - name
  4775. type: object
  4776. type: object
  4777. secretRef:
4778. description: AWSAuthSecretRef holds secret references for AWS credentials; both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4779. properties:
  4780. accessKeyIDSecretRef:
  4781. description: The AccessKeyID is used for authentication
  4782. properties:
  4783. key:
  4784. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4785. type: string
  4786. name:
  4787. description: The name of the Secret resource being referred to.
  4788. type: string
  4789. namespace:
  4790. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4791. type: string
  4792. type: object
  4793. secretAccessKeySecretRef:
  4794. description: The SecretAccessKey is used for authentication
  4795. properties:
  4796. key:
  4797. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4798. type: string
  4799. name:
  4800. description: The name of the Secret resource being referred to.
  4801. type: string
  4802. namespace:
  4803. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4804. type: string
  4805. type: object
  4806. type: object
  4807. type: object
  4808. region:
  4809. description: AWS Region to be used for the provider
  4810. type: string
  4811. role:
  4812. description: Role is a Role ARN which the SecretManager provider will assume
  4813. type: string
  4814. service:
  4815. description: Service defines which service should be used to fetch the secrets
  4816. enum:
  4817. - SecretsManager
  4818. - ParameterStore
  4819. type: string
  4820. required:
  4821. - region
  4822. - service
  4823. type: object
  4824. azurekv:
  4825. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4826. properties:
  4827. authSecretRef:
  4828. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4829. properties:
  4830. clientId:
4831. description: The Azure clientId of the service principal used for authentication.
  4832. properties:
  4833. key:
  4834. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4835. type: string
  4836. name:
  4837. description: The name of the Secret resource being referred to.
  4838. type: string
  4839. namespace:
  4840. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4841. type: string
  4842. type: object
  4843. clientSecret:
  4844. description: The Azure ClientSecret of the service principal used for authentication.
  4845. properties:
  4846. key:
  4847. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4848. type: string
  4849. name:
  4850. description: The name of the Secret resource being referred to.
  4851. type: string
  4852. namespace:
  4853. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4854. type: string
  4855. type: object
  4856. type: object
  4857. authType:
  4858. default: ServicePrincipal
  4859. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - "WorkloadIdentity": Using the service account referenced by serviceAccountRef (Azure Workload Identity)'
  4860. enum:
  4861. - ServicePrincipal
  4862. - ManagedIdentity
  4863. - WorkloadIdentity
  4864. type: string
  4865. environmentType:
  4866. default: PublicCloud
  4867. description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
  4868. enum:
  4869. - PublicCloud
  4870. - USGovernmentCloud
  4871. - ChinaCloud
  4872. - GermanCloud
  4873. type: string
  4874. identityId:
  4875. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
  4876. type: string
  4877. serviceAccountRef:
  4878. description: ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
  4879. properties:
  4880. audiences:
  4881. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4882. items:
  4883. type: string
  4884. type: array
  4885. name:
  4886. description: The name of the ServiceAccount resource being referred to.
  4887. type: string
  4888. namespace:
  4889. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4890. type: string
  4891. required:
  4892. - name
  4893. type: object
  4894. tenantId:
  4895. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4896. type: string
  4897. vaultUrl:
  4898. description: Vault URL from which the secrets are to be fetched.
  4899. type: string
  4900. required:
  4901. - vaultUrl
  4902. type: object
  4903. fake:
  4904. description: Fake configures a store with static key/value pairs
  4905. properties:
  4906. data:
  4907. items:
  4908. properties:
  4909. key:
  4910. type: string
  4911. value:
  4912. type: string
  4913. valueMap:
  4914. additionalProperties:
  4915. type: string
  4916. type: object
  4917. version:
  4918. type: string
  4919. required:
  4920. - key
  4921. type: object
  4922. type: array
  4923. required:
  4924. - data
  4925. type: object
  4926. gcpsm:
  4927. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4928. properties:
  4929. auth:
  4930. description: Auth defines the information necessary to authenticate against GCP
  4931. properties:
  4932. secretRef:
  4933. properties:
  4934. secretAccessKeySecretRef:
  4935. description: The SecretAccessKey is used for authentication
  4936. properties:
  4937. key:
  4938. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4939. type: string
  4940. name:
  4941. description: The name of the Secret resource being referred to.
  4942. type: string
  4943. namespace:
  4944. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4945. type: string
  4946. type: object
  4947. type: object
  4948. workloadIdentity:
  4949. properties:
  4950. clusterLocation:
  4951. type: string
  4952. clusterName:
  4953. type: string
  4954. clusterProjectID:
  4955. type: string
  4956. serviceAccountRef:
  4957. description: A reference to a ServiceAccount resource.
  4958. properties:
  4959. audiences:
  4960. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  4961. items:
  4962. type: string
  4963. type: array
  4964. name:
  4965. description: The name of the ServiceAccount resource being referred to.
  4966. type: string
  4967. namespace:
  4968. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4969. type: string
  4970. required:
  4971. - name
  4972. type: object
  4973. required:
  4974. - clusterLocation
  4975. - clusterName
  4976. - serviceAccountRef
  4977. type: object
  4978. type: object
  4979. projectID:
  4980. description: ProjectID project where secret is located
  4981. type: string
  4982. type: object
  4983. gitlab:
  4984. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  4985. properties:
  4986. auth:
  4987. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4988. properties:
  4989. SecretRef:
  4990. properties:
  4991. accessToken:
  4992. description: AccessToken is used for authentication.
  4993. properties:
  4994. key:
  4995. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4996. type: string
  4997. name:
  4998. description: The name of the Secret resource being referred to.
  4999. type: string
  5000. namespace:
  5001. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5002. type: string
  5003. type: object
  5004. type: object
  5005. required:
  5006. - SecretRef
  5007. type: object
  5008. projectID:
  5009. description: ProjectID specifies a project where secrets are located.
  5010. type: string
  5011. url:
  5012. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  5013. type: string
  5014. required:
  5015. - auth
  5016. type: object
  5017. ibm:
  5018. description: IBM configures this store to sync secrets using IBM Cloud provider
  5019. properties:
  5020. auth:
  5021. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  5022. maxProperties: 1
  5023. minProperties: 1
  5024. properties:
  5025. containerAuth:
  5026. description: IBM Container-based auth with IAM Trusted Profile.
  5027. properties:
  5028. iamEndpoint:
  5029. type: string
  5030. profile:
  5031. description: The IBM Trusted Profile.
  5032. type: string
  5033. tokenLocation:
  5034. description: Location where the token is mounted on the pod.
  5035. type: string
  5036. required:
  5037. - profile
  5038. type: object
  5039. secretRef:
  5040. properties:
  5041. secretApiKeySecretRef:
  5042. description: The secret API key is used for authentication.
  5043. properties:
  5044. key:
  5045. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5046. type: string
  5047. name:
  5048. description: The name of the Secret resource being referred to.
  5049. type: string
  5050. namespace:
  5051. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5052. type: string
  5053. type: object
  5054. type: object
  5055. type: object
  5056. serviceUrl:
  5057. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  5058. type: string
  5059. required:
  5060. - auth
  5061. type: object
  5062. kubernetes:
  5063. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5064. properties:
  5065. auth:
  5066. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5067. maxProperties: 1
  5068. minProperties: 1
  5069. properties:
  5070. cert:
  5071. description: has both clientCert and clientKey as secretKeySelector
  5072. properties:
  5073. clientCert:
  5074. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5075. properties:
  5076. key:
  5077. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5078. type: string
  5079. name:
  5080. description: The name of the Secret resource being referred to.
  5081. type: string
  5082. namespace:
  5083. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5084. type: string
  5085. type: object
  5086. clientKey:
  5087. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5088. properties:
  5089. key:
  5090. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5091. type: string
  5092. name:
  5093. description: The name of the Secret resource being referred to.
  5094. type: string
  5095. namespace:
  5096. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5097. type: string
  5098. type: object
  5099. type: object
  5100. serviceAccount:
  5101. description: points to a service account that should be used for authentication
  5102. properties:
  5103. audiences:
  5104. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  5105. items:
  5106. type: string
  5107. type: array
  5108. name:
  5109. description: The name of the ServiceAccount resource being referred to.
  5110. type: string
  5111. namespace:
  5112. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5113. type: string
  5114. required:
  5115. - name
  5116. type: object
  5117. token:
  5118. description: Use a static token to authenticate with.
  5119. properties:
  5120. bearerToken:
  5121. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5122. properties:
  5123. key:
  5124. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5125. type: string
  5126. name:
  5127. description: The name of the Secret resource being referred to.
  5128. type: string
  5129. namespace:
  5130. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5131. type: string
  5132. type: object
  5133. type: object
  5134. type: object
  5135. remoteNamespace:
  5136. default: default
  5137. description: Remote namespace to fetch the secrets from
  5138. type: string
  5139. server:
  5140. description: configures the Kubernetes server Address.
  5141. properties:
  5142. caBundle:
  5143. description: CABundle is a base64-encoded CA certificate
  5144. format: byte
  5145. type: string
  5146. caProvider:
  5147. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5148. properties:
  5149. key:
  5150. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5151. type: string
  5152. name:
  5153. description: The name of the object located at the provider type.
  5154. type: string
  5155. namespace:
  5156. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  5157. type: string
  5158. type:
  5159. description: The type of provider to use such as "Secret", or "ConfigMap".
  5160. enum:
  5161. - Secret
  5162. - ConfigMap
  5163. type: string
  5164. required:
  5165. - name
  5166. - type
  5167. type: object
  5168. url:
  5169. default: kubernetes.default
  5170. description: configures the Kubernetes server Address.
  5171. type: string
  5172. type: object
  5173. required:
  5174. - auth
  5175. type: object
  5176. onepassword:
  5177. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  5178. properties:
  5179. auth:
  5180. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  5181. properties:
  5182. secretRef:
  5183. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  5184. properties:
  5185. connectTokenSecretRef:
  5186. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  5187. properties:
  5188. key:
  5189. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5190. type: string
  5191. name:
  5192. description: The name of the Secret resource being referred to.
  5193. type: string
  5194. namespace:
  5195. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5196. type: string
  5197. type: object
  5198. required:
  5199. - connectTokenSecretRef
  5200. type: object
  5201. required:
  5202. - secretRef
  5203. type: object
  5204. connectHost:
  5205. description: ConnectHost defines the OnePassword Connect Server to connect to
  5206. type: string
  5207. vaults:
  5208. additionalProperties:
  5209. type: integer
  5210. description: Vaults defines which OnePassword vaults to search in which order
  5211. type: object
  5212. required:
  5213. - auth
  5214. - connectHost
  5215. - vaults
  5216. type: object
  5217. oracle:
  5218. description: Oracle configures this store to sync secrets using Oracle Vault provider
  5219. properties:
  5220. auth:
  5221. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  5222. properties:
  5223. secretRef:
  5224. description: SecretRef to pass through sensitive information.
  5225. properties:
  5226. fingerprint:
  5227. description: Fingerprint is the fingerprint of the API private key.
  5228. properties:
  5229. key:
  5230. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5231. type: string
  5232. name:
  5233. description: The name of the Secret resource being referred to.
  5234. type: string
  5235. namespace:
  5236. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5237. type: string
  5238. type: object
  5239. privatekey:
  5240. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  5241. properties:
  5242. key:
  5243. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5244. type: string
  5245. name:
  5246. description: The name of the Secret resource being referred to.
  5247. type: string
  5248. namespace:
  5249. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5250. type: string
  5251. type: object
  5252. required:
  5253. - fingerprint
  5254. - privatekey
  5255. type: object
  5256. tenancy:
  5257. description: Tenancy is the tenancy OCID where the user is located.
  5258. type: string
  5259. user:
  5260. description: User is an access OCID specific to the account.
  5261. type: string
  5262. required:
  5263. - secretRef
  5264. - tenancy
  5265. - user
  5266. type: object
  5267. region:
  5268. description: Region is the region where vault is located.
  5269. type: string
  5270. vault:
  5271. description: Vault is the OCID of the specific vault where the secret is located.
  5272. type: string
  5273. required:
  5274. - region
  5275. - vault
  5276. type: object
  5277. senhasegura:
  5278. description: Senhasegura configures this store to sync secrets using senhasegura provider
  5279. properties:
  5280. auth:
  5281. description: Auth defines parameters to authenticate in senhasegura
  5282. properties:
  5283. clientId:
  5284. type: string
  5285. clientSecretSecretRef:
  5286. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5287. properties:
  5288. key:
  5289. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5290. type: string
  5291. name:
  5292. description: The name of the Secret resource being referred to.
  5293. type: string
  5294. namespace:
  5295. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5296. type: string
  5297. type: object
  5298. required:
  5299. - clientId
  5300. - clientSecretSecretRef
  5301. type: object
  5302. ignoreSslCertificate:
  5303. default: false
  5304. description: IgnoreSslCertificate defines whether the senhasegura server's SSL certificate should be ignored (i.e. TLS certificate verification is skipped).
  5305. type: boolean
  5306. module:
  5307. description: Module defines which senhasegura module should be used to get secrets
  5308. type: string
  5309. url:
  5310. description: URL of senhasegura
  5311. type: string
  5312. required:
  5313. - auth
  5314. - module
  5315. - url
  5316. type: object
  5317. vault:
  5318. description: Vault configures this store to sync secrets using the HashiCorp Vault provider
  5319. properties:
  5320. auth:
  5321. description: Auth configures how secret-manager authenticates with the Vault server.
  5322. properties:
  5323. appRole:
  5324. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  5325. properties:
  5326. path:
  5327. default: approle
  5328. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  5329. type: string
  5330. roleId:
  5331. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  5332. type: string
  5333. secretRef:
  5334. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  5335. properties:
  5336. key:
  5337. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5338. type: string
  5339. name:
  5340. description: The name of the Secret resource being referred to.
  5341. type: string
  5342. namespace:
  5343. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5344. type: string
  5345. type: object
  5346. required:
  5347. - path
  5348. - roleId
  5349. - secretRef
  5350. type: object
  5351. cert:
  5352. description: Cert authenticates with Vault using the Cert authentication method, by passing a client certificate, private key and CA certificate.
  5353. properties:
  5354. clientCert:
  5355. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  5356. properties:
  5357. key:
  5358. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5359. type: string
  5360. name:
  5361. description: The name of the Secret resource being referred to.
  5362. type: string
  5363. namespace:
  5364. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5365. type: string
  5366. type: object
  5367. secretRef:
  5368. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  5369. properties:
  5370. key:
  5371. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5372. type: string
  5373. name:
  5374. description: The name of the Secret resource being referred to.
  5375. type: string
  5376. namespace:
  5377. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5378. type: string
  5379. type: object
  5380. type: object
  5381. jwt:
  5382. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  5383. properties:
  5384. kubernetesServiceAccountToken:
  5385. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token with the `TokenRequest` API.
  5386. properties:
  5387. audiences:
  5388. description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified. Deprecated: use serviceAccountRef.Audiences instead'
  5389. items:
  5390. type: string
  5391. type: array
  5392. expirationSeconds:
  5393. description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
  5394. format: int64
  5395. type: integer
  5396. serviceAccountRef:
  5397. description: Service account field containing the name of a kubernetes ServiceAccount.
  5398. properties:
  5399. audiences:
  5400. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  5401. items:
  5402. type: string
  5403. type: array
  5404. name:
  5405. description: The name of the ServiceAccount resource being referred to.
  5406. type: string
  5407. namespace:
  5408. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5409. type: string
  5410. required:
  5411. - name
  5412. type: object
  5413. required:
  5414. - serviceAccountRef
  5415. type: object
  5416. path:
  5417. default: jwt
  5418. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  5419. type: string
  5420. role:
  5421. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  5422. type: string
  5423. secretRef:
  5424. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  5425. properties:
  5426. key:
  5427. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5428. type: string
  5429. name:
  5430. description: The name of the Secret resource being referred to.
  5431. type: string
  5432. namespace:
  5433. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5434. type: string
  5435. type: object
  5436. required:
  5437. - path
  5438. type: object
  5439. kubernetes:
  5440. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  5441. properties:
  5442. mountPath:
  5443. default: kubernetes
  5444. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  5445. type: string
  5446. role:
  5447. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  5448. type: string
  5449. secretRef:
  5450. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  5451. properties:
  5452. key:
  5453. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5454. type: string
  5455. name:
  5456. description: The name of the Secret resource being referred to.
  5457. type: string
  5458. namespace:
  5459. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5460. type: string
  5461. type: object
  5462. serviceAccountRef:
  5463. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  5464. properties:
  5465. audiences:
  5466. description: Audience specifies the `aud` claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
  5467. items:
  5468. type: string
  5469. type: array
  5470. name:
  5471. description: The name of the ServiceAccount resource being referred to.
  5472. type: string
  5473. namespace:
  5474. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5475. type: string
  5476. required:
  5477. - name
  5478. type: object
  5479. required:
  5480. - mountPath
  5481. - role
  5482. type: object
  5483. ldap:
  5484. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5485. properties:
  5486. path:
  5487. default: ldap
  5488. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5489. type: string
  5490. secretRef:
  5491. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5492. properties:
  5493. key:
  5494. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5495. type: string
  5496. name:
  5497. description: The name of the Secret resource being referred to.
  5498. type: string
  5499. namespace:
  5500. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5501. type: string
  5502. type: object
  5503. username:
  5504. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5505. type: string
  5506. required:
  5507. - path
  5508. - username
  5509. type: object
  5510. tokenSecretRef:
  5511. description: TokenSecretRef authenticates with Vault by presenting a token.
  5512. properties:
  5513. key:
  5514. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5515. type: string
  5516. name:
  5517. description: The name of the Secret resource being referred to.
  5518. type: string
  5519. namespace:
  5520. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5521. type: string
  5522. type: object
  5523. type: object
  5524. caBundle:
  5525. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5526. format: byte
  5527. type: string
  5528. caProvider:
  5529. description: The provider for the CA bundle to use to validate Vault server certificate.
  5530. properties:
  5531. key:
  5532. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5533. type: string
  5534. name:
  5535. description: The name of the object located at the provider type.
  5536. type: string
  5537. namespace:
  5538. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  5539. type: string
  5540. type:
  5541. description: The type of provider to use such as "Secret", or "ConfigMap".
  5542. enum:
  5543. - Secret
  5544. - ConfigMap
  5545. type: string
  5546. required:
  5547. - name
  5548. - type
  5549. type: object
  5550. forwardInconsistent:
  5551. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5552. type: boolean
  5553. namespace:
  5554. description: 'Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5555. type: string
  5556. path:
  5557. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5558. type: string
  5559. readYourWrites:
  5560. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5561. type: boolean
  5562. server:
  5563. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5564. type: string
  5565. version:
  5566. default: v2
  5567. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5568. enum:
  5569. - v1
  5570. - v2
  5571. type: string
  5572. required:
  5573. - auth
  5574. - server
  5575. type: object
  5576. webhook:
  5577. description: Webhook configures this store to sync secrets using a generic templated webhook
  5578. properties:
  5579. body:
  5580. description: Body of the HTTP request sent to the webhook, rendered as a template. Do not write credentials literally into this field; reference them through the secrets field so they are read from a Secret at request time rather than stored in the store spec, which is readable by anyone who can read this object.
  5581. type: string
  5582. caBundle:
  5583. description: PEM encoded CA bundle used to validate the webhook server certificate. Only used when the webhook URL uses HTTPS; it is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection. Set this (or caProvider) when the webhook is served under a private CA instead of downgrading to plain HTTP.
  5584. format: byte
  5585. type: string
  5586. caProvider:
  5587. description: The provider for the CA bundle to use to validate webhook server certificate.
  5588. properties:
  5589. key:
  5590. description: The key within the referenced object that holds the CA certificate; only used with the "Secret" type.
  5591. type: string
  5592. name:
  5593. description: The name of the object located at the provider type.
  5594. type: string
  5595. namespace:
  5596. description: The namespace the Provider type is in.
  5597. type: string
  5598. type:
  5599. description: The type of provider to use such as "Secret", or "ConfigMap".
  5600. enum:
  5601. - Secret
  5602. - ConfigMap
  5603. type: string
  5604. required:
  5605. - name
  5606. - type
  5607. type: object
  5608. headers:
  5609. additionalProperties:
  5610. type: string
  5611. description: HTTP headers sent with the webhook request. Credentials such as an Authorization header should be supplied through the secrets field and templated in, not written literally into the store spec.
  5612. type: object
  5613. method:
  5614. description: HTTP method used for the webhook request, for example GET or POST.
  5615. type: string
  5616. result:
  5617. description: How the secret value is extracted from the webhook response.
  5618. properties:
  5619. jsonPath:
  5620. description: JSONPath expression applied to the webhook response to select the value that becomes the secret.
  5621. type: string
  5622. type: object
  5623. secrets:
  5624. description: Secrets to fill in templates. Each referenced Secret is passed to the templating function as key/value pairs under the given name, so credentials can be injected into the request without appearing in the store spec.
  5625. items:
  5626. properties:
  5627. name:
  5628. description: Name of this secret in templates
  5629. type: string
  5630. secretRef:
  5631. description: Secret ref to fill in credentials
  5632. properties:
  5633. key:
  5634. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5635. type: string
  5636. name:
  5637. description: The name of the Secret resource being referred to.
  5638. type: string
  5639. namespace:
  5640. description: Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
  5641. type: string
  5642. type: object
  5643. required:
  5644. - name
  5645. - secretRef
  5646. type: object
  5647. type: array
  5648. timeout:
  5649. description: Timeout for the HTTP request to the webhook.
  5650. type: string
  5651. url:
  5652. description: URL of the webhook to call. Prefer an https URL so the server certificate is validated (via caBundle or caProvider when it is issued by a private CA); over plain http the request, including any credentials placed in headers or body, is sent unprotected and caBundle/caProvider are ignored.
  5653. type: string
  5654. required:
  5655. - result
  5656. - url
  5657. type: object
  5658. yandexcertificatemanager:
  5659. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5660. properties:
  5661. apiEndpoint:
  5662. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5663. type: string
  5664. auth:
  5665. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5666. properties:
  5667. authorizedKeySecretRef:
  5668. description: The authorized key used for authentication
  5669. properties:
  5670. key:
  5671. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5672. type: string
  5673. name:
  5674. description: The name of the Secret resource being referred to.
  5675. type: string
  5676. namespace:
  5677. description: Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
  5678. type: string
  5679. type: object
  5680. type: object
  5681. caProvider:
  5682. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5683. properties:
  5684. certSecretRef:
  5685. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5686. properties:
  5687. key:
  5688. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5689. type: string
  5690. name:
  5691. description: The name of the Secret resource being referred to.
  5692. type: string
  5693. namespace:
  5694. description: Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
  5695. type: string
  5696. type: object
  5697. type: object
  5698. required:
  5699. - auth
  5700. type: object
  5701. yandexlockbox:
  5702. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5703. properties:
  5704. apiEndpoint:
  5705. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5706. type: string
  5707. auth:
  5708. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5709. properties:
  5710. authorizedKeySecretRef:
  5711. description: The authorized key used for authentication
  5712. properties:
  5713. key:
  5714. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5715. type: string
  5716. name:
  5717. description: The name of the Secret resource being referred to.
  5718. type: string
  5719. namespace:
  5720. description: Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
  5721. type: string
  5722. type: object
  5723. type: object
  5724. caProvider:
  5725. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5726. properties:
  5727. certSecretRef:
  5728. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  5729. properties:
  5730. key:
  5731. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5732. type: string
  5733. name:
  5734. description: The name of the Secret resource being referred to.
  5735. type: string
  5736. namespace:
  5737. description: Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
  5738. type: string
  5739. type: object
  5740. type: object
  5741. required:
  5742. - auth
  5743. type: object
  5744. type: object
  5745. refreshInterval:
  5746. description: Refresh interval for the store, in seconds. Empty or 0 falls back to the controller configuration.
  5747. type: integer
  5748. retrySettings:
  5749. description: Configures retries for failed HTTP requests to the provider.
  5750. properties:
  5751. maxRetries:
  5752. format: int32
  5753. type: integer
  5754. retryInterval:
  5755. type: string
  5756. type: object
  5757. required:
  5758. - provider
  5759. type: object
  5760. status:
  5761. description: SecretStoreStatus defines the observed state of the SecretStore.
  5762. properties:
  5763. capabilities:
  5764. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5765. type: string
  5766. conditions:
  5767. items:
  5768. properties:
  5769. lastTransitionTime:
  5770. format: date-time
  5771. type: string
  5772. message:
  5773. type: string
  5774. reason:
  5775. type: string
  5776. status:
  5777. type: string
  5778. type:
  5779. type: string
  5780. required:
  5781. - status
  5782. - type
  5783. type: object
  5784. type: array
  5785. type: object
  5786. type: object
  5787. served: true
  5788. storage: true
  5789. subresources:
  5790. status: {}
  5791. conversion:
  5792. strategy: Webhook
  5793. webhook:
  5794. conversionReviewVersions:
  5795. - v1
  5796. clientConfig:
  5797. service:
  5798. name: kubernetes
  5799. namespace: default
  5800. path: /convert