helm-external-secrets/config/crds/bases/external-secrets.io_clustersecretstores.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: clustersecretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              controller:
                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
                  The KES controller is instantiated with a specific controller name
                  and filters ES based on this property'
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          secretRef:
                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessType:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      endpoint:
                        type: string
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      auth:
                        description: 'Auth defines the information necessary to authenticate
                          against AWS if not set aws sdk will infer credentials from
                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: AWSAuthSecretRef holds secret references
                              for AWS credentials both AccessKeyID and SecretAccessKey
                              must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecret
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: 'Auth type defines how to authenticate to the
                          keyvault service. Valid values are: - "ServicePrincipal"
                          (default): Using a service principal (tenantId, clientId,
                          clientSecret) - "ManagedIdentity": Using Managed Identity
                          assigned to the pod (see aad-pod-identity)'
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GItlab configures this store to sync secrets using
                      Gitlab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        properties:
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Oracle Vault. If empty, use the instance principal,
                          otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: AppRole authenticates with Vault using the
                              App Role auth mechanism, with the role and secret stored
                              in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: 'Path where the App Role authentication
                                  backend is mounted in Vault, e.g: "approle"'
                                type: string
                              roleId:
                                description: RoleID configured in the App Role authentication
                                  backend when setting up the authentication backend
                                  in Vault.
                                type: string
                              secretRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role secret used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role secret.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - roleId
                            - secretRef
                            type: object
                          cert:
                            description: Cert authenticates with TLS Certificates
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing client private key to authenticate with
                                  Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          jwt:
                            description: Jwt authenticates with Vault by passing role
                              and JWT token using the JWT/OIDC authentication method
                            properties:
                              path:
                                default: jwt
                                description: 'Path where the JWT authentication backend
                                  is mounted in Vault, e.g: "jwt"'
                                type: string
                              role:
                                description: Role is a JWT role to authenticate using
                                  the JWT/OIDC Vault authentication method
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing JWT token to authenticate with Vault
                                  using the JWT/OIDC authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: Kubernetes authenticates with Vault by passing
                              the ServiceAccount token stored in the named Secret
                              resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: 'Path where the Kubernetes authentication
                                  backend is mounted in Vault, e.g: "kubernetes"'
                                type: string
                              role:
                                description: A required field containing the Vault
                                  Role to assume. A Role binds a Kubernetes ServiceAccount
                                  with a set of Vault policies.
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Vault. If a name is specified without a key, `token`
                                  is the default. If one is not specified, the one
                                  bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Vault. If the service account selector is not
                                  supplied, the secretRef will be used instead.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: Ldap authenticates with Vault by passing
                              username/password pair using the LDAP authentication
                              method
                            properties:
                              path:
                                default: ldap
                                description: 'Path where the LDAP authentication backend
                                  is mounted in Vault, e.g: "ldap"'
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the LDAP user used to authenticate
                                  with Vault using the LDAP authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              username:
                                description: Username is a LDAP user name used to
                                  authenticate using the LDAP Vault authentication
                                  method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caBundle:
                        description: PEM encoded CA bundle used to validate Vault
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: ForwardInconsistent tells Vault to forward read-after-write
                          requests to the Vault leader instead of simply retrying
                          within a loop. This can increase performance if the option
                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      namespace:
                        description: 'Name of the vault namespace. Namespaces is a
                          set of features within Vault Enterprise that allows Vault
                          environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                        type: string
                      path:
                        description: 'Path is the mount path of the Vault KV backend
                          endpoint, e.g: "secret". The v2 KV secret engine version
                          specific "/data" path suffix for fetching secrets from Vault
                          is optional and will be appended if not present in specified
                          path.'
                        type: string
                      readYourWrites:
                        description: ReadYourWrites ensures isolated read-after-write
                          semantics by providing discovered cluster replication states
                          in each request. More information about eventual consistency
                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: Version is the Vault KV secret engine version.
                          This can be either "v1" or "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: PEM encoded CA bundle used to validate webhook
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: Secrets to fill in templates These secrets will
                          be passed to the templating function as key value pairs
                          under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: The key of the entry in the Secret
                                    resource's `data` field to be used. Some instances
                                    of this field may be defaulted, in others it may
                                    be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped.
                                    cluster-scoped defaults to the namespace of the
                                    referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              controller:
                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
                  The KES controller is instantiated with a specific controller name
                  and filters ES based on this property'
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          secretRef:
                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessType:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      endpoint:
                        type: string
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      auth:
                        description: 'Auth defines the information necessary to authenticate
                          against AWS if not set aws sdk will infer credentials from
                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: AWSAuthSecretRef holds secret references
                              for AWS credentials both AccessKeyID and SecretAccessKey
                              must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecret
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: 'Auth type defines how to authenticate to the
                          keyvault service. Valid values are: - "ServicePrincipal"
                          (default): Using a service principal (tenantId, clientId,
                          clientSecret) - "ManagedIdentity": Using Managed Identity
                          assigned to the pod (see aad-pod-identity)'
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GItlab configures this store to sync secrets using
                      Gitlab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        properties:
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Oracle Vault. If empty, use the instance principal,
                          otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: AppRole authenticates with Vault using the
                              App Role auth mechanism, with the role and secret stored
                              in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: 'Path where the App Role authentication
                                  backend is mounted in Vault, e.g: "approle"'
                                type: string
                              roleId:
                                description: RoleID configured in the App Role authentication
                                  backend when setting up the authentication backend
                                  in Vault.
                                type: string
                              secretRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role secret used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role secret.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - roleId
                            - secretRef
                            type: object
                          cert:
                            description: Cert authenticates with TLS Certificates
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing client private key to authenticate with
                                  Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          jwt:
                            description: Jwt authenticates with Vault by passing role
                              and JWT token using the JWT/OIDC authentication method
                            properties:
                              path:
                                default: jwt
                                description: 'Path where the JWT authentication backend
                                  is mounted in Vault, e.g: "jwt"'
                                type: string
                              role:
                                description: Role is a JWT role to authenticate using
                                  the JWT/OIDC Vault authentication method
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing JWT token to authenticate with Vault
                                  using the JWT/OIDC authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: Kubernetes authenticates with Vault by passing
                              the ServiceAccount token stored in the named Secret
                              resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: 'Path where the Kubernetes authentication
                                  backend is mounted in Vault, e.g: "kubernetes"'
                                type: string
                              role:
                                description: A required field containing the Vault
                                  Role to assume. A Role binds a Kubernetes ServiceAccount
                                  with a set of Vault policies.
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Vault. If a name is specified without a key, `token`
                                  is the default. If one is not specified, the one
                                  bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Vault. If the service account selector is not
                                  supplied, the secretRef will be used instead.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: Ldap authenticates with Vault by passing
                              username/password pair using the LDAP authentication
                              method
                            properties:
                              path:
                                default: ldap
                                description: 'Path where the LDAP authentication backend
                                  is mounted in Vault, e.g: "ldap"'
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the LDAP user used to authenticate
                                  with Vault using the LDAP authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              username:
                                description: Username is a LDAP user name used to
                                  authenticate using the LDAP Vault authentication
                                  method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caBundle:
                        description: PEM encoded CA bundle used to validate Vault
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: ForwardInconsistent tells Vault to forward read-after-write
                          requests to the Vault leader instead of simply retrying
                          within a loop. This can increase performance if the option
                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      namespace:
                        description: 'Name of the vault namespace. Namespaces is a
                          set of features within Vault Enterprise that allows Vault
                          environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                        type: string
                      path:
                        description: 'Path is the mount path of the Vault KV backend
                          endpoint, e.g: "secret". The v2 KV secret engine version
                          specific "/data" path suffix for fetching secrets from Vault
                          is optional and will be appended if not present in specified
                          path.'
                        type: string
                      readYourWrites:
                        description: ReadYourWrites ensures isolated read-after-write
                          semantics by providing discovered cluster replication states
                          in each request. More information about eventual consistency
                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: Version is the Vault KV secret engine version.
                          This can be either "v1" or "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: PEM encoded CA bundle used to validate webhook
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: Secrets to fill in templates These secrets will
                          be passed to the templating function as key value pairs
                          under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: The key of the entry in the Secret
                                    resource's `data` field to be used. Some instances
                                    of this field may be defaulted, in others it may
                                    be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped.
                                    cluster-scoped defaults to the namespace of the
                                    referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []