78778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927
79278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977
79778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211
02221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211
06221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211
10221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211
1422114231142411425114261142711428114291143011431114321143311434114351143611437114381143911440114411144211443114441144511446114471144811449114501145111452114531145411455114561145711458114591146011461114621146311464114651146611467114681146911470114711147211473114741147511476114771147811479114801148111482114831148411485114861148711488114891149011491114921149311494114951149611497114981149911500115011150211503115041150511506115071150811509115101151111512115131151411515115161151711518115191152011521115221152311524115251152611527115281152911530115311153211533115341153511536115371153811539115401154111542115431154411545115461154711548115491155011551115521155311554115551155611557115581155911560115611156211563115641156511566115671156811569115701157111572115731157411575115761157711578115791158011581115821158311584115851158611587115881158911590115911159211593115941159511596115971159811599116001160111602116031160411605116061160711608116091161011611116121161311614116151161611617116181161911620116211162211623116241162511626116271162811629116301163111632116331163411635116361163711638116391164011641116421164311644116451164611647116481164911650116511165211653116541165511656116571165811659116601166111662116631166411665116661166711668116691167011671116721167311674116751167611677116781167911680116811168211683116841168511686
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.14.0
  6. name: clusterexternalsecrets.external-secrets.io
  7. spec:
  8. group: external-secrets.io
  9. names:
  10. categories:
  11. - externalsecrets
  12. kind: ClusterExternalSecret
  13. listKind: ClusterExternalSecretList
  14. plural: clusterexternalsecrets
  15. shortNames:
  16. - ces
  17. singular: clusterexternalsecret
  18. scope: Cluster
  19. versions:
  20. - additionalPrinterColumns:
  21. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  22. name: Store
  23. type: string
  24. - jsonPath: .spec.refreshTime
  25. name: Refresh Interval
  26. type: string
  27. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  28. name: Ready
  29. type: string
  30. name: v1beta1
  31. schema:
  32. openAPIV3Schema:
  33. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  34. properties:
  35. apiVersion:
  36. description: |-
  37. APIVersion defines the versioned schema of this representation of an object.
  38. Servers should convert recognized schemas to the latest internal value, and
  39. may reject unrecognized values.
  40. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  41. type: string
  42. kind:
  43. description: |-
  44. Kind is a string value representing the REST resource this object represents.
  45. Servers may infer this from the endpoint the client submits requests to.
  46. Cannot be updated.
  47. In CamelCase.
  48. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  49. type: string
  50. metadata:
  51. type: object
  52. spec:
  53. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  54. properties:
  55. externalSecretMetadata:
  56. description: The metadata of the external secrets to be created
  57. properties:
  58. annotations:
  59. additionalProperties:
  60. type: string
  61. type: object
  62. labels:
  63. additionalProperties:
  64. type: string
  65. type: object
  66. type: object
  67. externalSecretName:
  68. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  69. type: string
  70. externalSecretSpec:
  71. description: The spec for the ExternalSecrets to be created
  72. properties:
  73. data:
  74. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  75. items:
  76. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  77. properties:
  78. remoteRef:
  79. description: |-
  80. RemoteRef points to the remote secret and defines
  81. which secret (version/property/..) to fetch.
  82. properties:
  83. conversionStrategy:
  84. default: Default
  85. description: Used to define a conversion Strategy
  86. enum:
  87. - Default
  88. - Unicode
  89. type: string
  90. decodingStrategy:
  91. default: None
  92. description: Used to define a decoding Strategy
  93. enum:
  94. - Auto
  95. - Base64
  96. - Base64URL
  97. - None
  98. type: string
  99. key:
  100. description: Key is the key used in the Provider, mandatory
  101. type: string
  102. metadataPolicy:
  103. default: None
  104. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  105. enum:
  106. - None
  107. - Fetch
  108. type: string
  109. property:
  110. description: Used to select a specific property of the Provider value (if a map), if supported
  111. type: string
  112. version:
  113. description: Used to select a specific version of the Provider value, if supported
  114. type: string
  115. required:
  116. - key
  117. type: object
  118. secretKey:
  119. description: |-
  120. SecretKey defines the key in which the controller stores
  121. the value. This is the key in the Kind=Secret
  122. type: string
  123. sourceRef:
  124. description: |-
  125. SourceRef allows you to override the source
  126. from which the value will pulled from.
  127. maxProperties: 1
  128. properties:
  129. generatorRef:
  130. description: |-
  131. GeneratorRef points to a generator custom resource.
  132. Deprecated: The generatorRef is not implemented in .data[].
  133. this will be removed with v1.
  134. properties:
  135. apiVersion:
  136. default: generators.external-secrets.io/v1alpha1
  137. description: Specify the apiVersion of the generator resource
  138. type: string
  139. kind:
  140. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  141. type: string
  142. name:
  143. description: Specify the name of the generator resource
  144. type: string
  145. required:
  146. - kind
  147. - name
  148. type: object
  149. storeRef:
  150. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  151. properties:
  152. kind:
  153. description: |-
  154. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  155. Defaults to `SecretStore`
  156. type: string
  157. name:
  158. description: Name of the SecretStore resource
  159. type: string
  160. required:
  161. - name
  162. type: object
  163. type: object
  164. required:
  165. - remoteRef
  166. - secretKey
  167. type: object
  168. type: array
  169. dataFrom:
  170. description: |-
  171. DataFrom is used to fetch all properties from a specific Provider data
  172. If multiple entries are specified, the Secret keys are merged in the specified order
  173. items:
  174. properties:
  175. extract:
  176. description: |-
  177. Used to extract multiple key/value pairs from one secret
  178. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  179. properties:
  180. conversionStrategy:
  181. default: Default
  182. description: Used to define a conversion Strategy
  183. enum:
  184. - Default
  185. - Unicode
  186. type: string
  187. decodingStrategy:
  188. default: None
  189. description: Used to define a decoding Strategy
  190. enum:
  191. - Auto
  192. - Base64
  193. - Base64URL
  194. - None
  195. type: string
  196. key:
  197. description: Key is the key used in the Provider, mandatory
  198. type: string
  199. metadataPolicy:
  200. default: None
  201. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  202. enum:
  203. - None
  204. - Fetch
  205. type: string
  206. property:
  207. description: Used to select a specific property of the Provider value (if a map), if supported
  208. type: string
  209. version:
  210. description: Used to select a specific version of the Provider value, if supported
  211. type: string
  212. required:
  213. - key
  214. type: object
  215. find:
  216. description: |-
  217. Used to find secrets based on tags or regular expressions
  218. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  219. properties:
  220. conversionStrategy:
  221. default: Default
  222. description: Used to define a conversion Strategy
  223. enum:
  224. - Default
  225. - Unicode
  226. type: string
  227. decodingStrategy:
  228. default: None
  229. description: Used to define a decoding Strategy
  230. enum:
  231. - Auto
  232. - Base64
  233. - Base64URL
  234. - None
  235. type: string
  236. name:
  237. description: Finds secrets based on the name.
  238. properties:
  239. regexp:
  240. description: Finds secrets base
  241. type: string
  242. type: object
  243. path:
  244. description: A root path to start the find operations.
  245. type: string
  246. tags:
  247. additionalProperties:
  248. type: string
  249. description: Find secrets based on tags.
  250. type: object
  251. type: object
  252. rewrite:
  253. description: |-
  254. Used to rewrite secret Keys after getting them from the secret Provider
  255. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  256. items:
  257. properties:
  258. regexp:
  259. description: |-
  260. Used to rewrite with regular expressions.
  261. The resulting key will be the output of a regexp.ReplaceAll operation.
  262. properties:
  263. source:
  264. description: Used to define the regular expression of a re.Compiler.
  265. type: string
  266. target:
  267. description: Used to define the target pattern of a ReplaceAll operation.
  268. type: string
  269. required:
  270. - source
  271. - target
  272. type: object
  273. transform:
  274. description: |-
  275. Used to apply string transformation on the secrets.
  276. The resulting key will be the output of the template applied by the operation.
  277. properties:
  278. template:
  279. description: |-
  280. Used to define the template to apply on the secret name.
  281. `.value ` will specify the secret name in the template.
  282. type: string
  283. required:
  284. - template
  285. type: object
  286. type: object
  287. type: array
  288. sourceRef:
  289. description: |-
  290. SourceRef points to a store or generator
  291. which contains secret values ready to use.
  292. Use this in combination with Extract or Find pull values out of
  293. a specific SecretStore.
  294. When sourceRef points to a generator Extract or Find is not supported.
  295. The generator returns a static map of values
  296. maxProperties: 1
  297. properties:
  298. generatorRef:
  299. description: GeneratorRef points to a generator custom resource.
  300. properties:
  301. apiVersion:
  302. default: generators.external-secrets.io/v1alpha1
  303. description: Specify the apiVersion of the generator resource
  304. type: string
  305. kind:
  306. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  307. type: string
  308. name:
  309. description: Specify the name of the generator resource
  310. type: string
  311. required:
  312. - kind
  313. - name
  314. type: object
  315. storeRef:
  316. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  317. properties:
  318. kind:
  319. description: |-
  320. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  321. Defaults to `SecretStore`
  322. type: string
  323. name:
  324. description: Name of the SecretStore resource
  325. type: string
  326. required:
  327. - name
  328. type: object
  329. type: object
  330. type: object
  331. type: array
  332. refreshInterval:
  333. default: 1h
  334. description: |-
  335. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  336. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  337. May be set to zero to fetch and create it once. Defaults to 1h.
  338. type: string
  339. secretStoreRef:
  340. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  341. properties:
  342. kind:
  343. description: |-
  344. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  345. Defaults to `SecretStore`
  346. type: string
  347. name:
  348. description: Name of the SecretStore resource
  349. type: string
  350. required:
  351. - name
  352. type: object
  353. target:
  354. default:
  355. creationPolicy: Owner
  356. deletionPolicy: Retain
  357. description: |-
  358. ExternalSecretTarget defines the Kubernetes Secret to be created
  359. There can be only one target per ExternalSecret.
  360. properties:
  361. creationPolicy:
  362. default: Owner
  363. description: |-
  364. CreationPolicy defines rules on how to create the resulting Secret
  365. Defaults to 'Owner'
  366. enum:
  367. - Owner
  368. - Orphan
  369. - Merge
  370. - None
  371. type: string
  372. deletionPolicy:
  373. default: Retain
  374. description: |-
  375. DeletionPolicy defines rules on how to delete the resulting Secret
  376. Defaults to 'Retain'
  377. enum:
  378. - Delete
  379. - Merge
  380. - Retain
  381. type: string
  382. immutable:
  383. description: Immutable defines if the final secret will be immutable
  384. type: boolean
  385. name:
  386. description: |-
  387. Name defines the name of the Secret resource to be managed
  388. This field is immutable
  389. Defaults to the .metadata.name of the ExternalSecret resource
  390. type: string
  391. template:
  392. description: Template defines a blueprint for the created Secret resource.
  393. properties:
  394. data:
  395. additionalProperties:
  396. type: string
  397. type: object
  398. engineVersion:
  399. default: v2
  400. description: |-
  401. EngineVersion specifies the template engine version
  402. that should be used to compile/execute the
  403. template specified in .data and .templateFrom[].
  404. enum:
  405. - v1
  406. - v2
  407. type: string
  408. mergePolicy:
  409. default: Replace
  410. enum:
  411. - Replace
  412. - Merge
  413. type: string
  414. metadata:
  415. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  416. properties:
  417. annotations:
  418. additionalProperties:
  419. type: string
  420. type: object
  421. labels:
  422. additionalProperties:
  423. type: string
  424. type: object
  425. type: object
  426. templateFrom:
  427. items:
  428. properties:
  429. configMap:
  430. properties:
  431. items:
  432. items:
  433. properties:
  434. key:
  435. type: string
  436. templateAs:
  437. default: Values
  438. enum:
  439. - Values
  440. - KeysAndValues
  441. type: string
  442. required:
  443. - key
  444. type: object
  445. type: array
  446. name:
  447. type: string
  448. required:
  449. - items
  450. - name
  451. type: object
  452. literal:
  453. type: string
  454. secret:
  455. properties:
  456. items:
  457. items:
  458. properties:
  459. key:
  460. type: string
  461. templateAs:
  462. default: Values
  463. enum:
  464. - Values
  465. - KeysAndValues
  466. type: string
  467. required:
  468. - key
  469. type: object
  470. type: array
  471. name:
  472. type: string
  473. required:
  474. - items
  475. - name
  476. type: object
  477. target:
  478. default: Data
  479. enum:
  480. - Data
  481. - Annotations
  482. - Labels
  483. type: string
  484. type: object
  485. type: array
  486. type:
  487. type: string
  488. type: object
  489. type: object
  490. type: object
  491. namespaceSelector:
  492. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  493. properties:
  494. matchExpressions:
  495. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  496. items:
  497. description: |-
  498. A label selector requirement is a selector that contains values, a key, and an operator that
  499. relates the key and values.
  500. properties:
  501. key:
  502. description: key is the label key that the selector applies to.
  503. type: string
  504. operator:
  505. description: |-
  506. operator represents a key's relationship to a set of values.
  507. Valid operators are In, NotIn, Exists and DoesNotExist.
  508. type: string
  509. values:
  510. description: |-
  511. values is an array of string values. If the operator is In or NotIn,
  512. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  513. the values array must be empty. This array is replaced during a strategic
  514. merge patch.
  515. items:
  516. type: string
  517. type: array
  518. required:
  519. - key
  520. - operator
  521. type: object
  522. type: array
  523. matchLabels:
  524. additionalProperties:
  525. type: string
  526. description: |-
  527. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  528. map is equivalent to an element of matchExpressions, whose key field is "key", the
  529. operator is "In", and the values array contains only "value". The requirements are ANDed.
  530. type: object
  531. type: object
  532. x-kubernetes-map-type: atomic
  533. namespaces:
  534. description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
  535. items:
  536. type: string
  537. type: array
  538. refreshTime:
  539. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  540. type: string
  541. required:
  542. - externalSecretSpec
  543. type: object
  544. status:
  545. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  546. properties:
  547. conditions:
  548. items:
  549. properties:
  550. message:
  551. type: string
  552. status:
  553. type: string
  554. type:
  555. type: string
  556. required:
  557. - status
  558. - type
  559. type: object
  560. type: array
  561. externalSecretName:
  562. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  563. type: string
  564. failedNamespaces:
  565. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  566. items:
  567. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  568. properties:
  569. namespace:
  570. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  571. type: string
  572. reason:
  573. description: Reason is why the ExternalSecret failed to apply to the namespace
  574. type: string
  575. required:
  576. - namespace
  577. type: object
  578. type: array
  579. provisionedNamespaces:
  580. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  581. items:
  582. type: string
  583. type: array
  584. type: object
  585. type: object
  586. served: true
  587. storage: true
  588. subresources:
  589. status: {}
  590. conversion:
  591. strategy: Webhook
  592. webhook:
  593. conversionReviewVersions:
  594. - v1
  595. clientConfig:
  596. service:
  597. name: kubernetes
  598. namespace: default
  599. path: /convert
  600. ---
  601. apiVersion: apiextensions.k8s.io/v1
  602. kind: CustomResourceDefinition
  603. metadata:
  604. annotations:
  605. controller-gen.kubebuilder.io/version: v0.14.0
  606. name: clustersecretstores.external-secrets.io
  607. spec:
  608. group: external-secrets.io
  609. names:
  610. categories:
  611. - externalsecrets
  612. kind: ClusterSecretStore
  613. listKind: ClusterSecretStoreList
  614. plural: clustersecretstores
  615. shortNames:
  616. - css
  617. singular: clustersecretstore
  618. scope: Cluster
  619. versions:
  620. - additionalPrinterColumns:
  621. - jsonPath: .metadata.creationTimestamp
  622. name: AGE
  623. type: date
  624. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  625. name: Status
  626. type: string
  627. deprecated: true
  628. name: v1alpha1
  629. schema:
  630. openAPIV3Schema:
  631. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  632. properties:
  633. apiVersion:
  634. description: |-
  635. APIVersion defines the versioned schema of this representation of an object.
  636. Servers should convert recognized schemas to the latest internal value, and
  637. may reject unrecognized values.
  638. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  639. type: string
  640. kind:
  641. description: |-
  642. Kind is a string value representing the REST resource this object represents.
  643. Servers may infer this from the endpoint the client submits requests to.
  644. Cannot be updated.
  645. In CamelCase.
  646. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  647. type: string
  648. metadata:
  649. type: object
  650. spec:
  651. description: SecretStoreSpec defines the desired state of SecretStore.
  652. properties:
  653. controller:
  654. description: |-
  655. Used to select the correct ESO controller (think: ingress.ingressClassName)
  656. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  657. type: string
  658. provider:
  659. description: Used to configure the provider. Only one provider may be set
  660. maxProperties: 1
  661. minProperties: 1
  662. properties:
  663. akeyless:
  664. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  665. properties:
  666. akeylessGWApiURL:
  667. description: Akeyless Gateway API URL from which the secrets are fetched.
  668. type: string
  669. authSecretRef:
  670. description: Auth configures how the operator authenticates with Akeyless.
  671. properties:
  672. kubernetesAuth:
  673. description: |-
  674. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  675. token stored in the named Secret resource.
  676. properties:
  677. accessID:
  678. description: the Akeyless Kubernetes auth-method access-id
  679. type: string
  680. k8sConfName:
  681. description: Kubernetes-auth configuration name in Akeyless-Gateway
  682. type: string
  683. secretRef:
  684. description: |-
  685. Optional secret field containing a Kubernetes ServiceAccount JWT used
  686. for authenticating with Akeyless. If a name is specified without a key,
  687. `token` is the default. If one is not specified, the one bound to
  688. the controller will be used.
  689. properties:
  690. key:
  691. description: |-
  692. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  693. defaulted, in others it may be required.
  694. type: string
  695. name:
  696. description: The name of the Secret resource being referred to.
  697. type: string
  698. namespace:
  699. description: |-
  700. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  701. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  702. type: string
  703. type: object
  704. serviceAccountRef:
  705. description: |-
  706. Optional service account field containing the name of a kubernetes ServiceAccount.
  707. If the service account is specified, the service account secret token JWT will be used
  708. for authenticating with Akeyless. If the service account selector is not supplied,
  709. the secretRef will be used instead.
  710. properties:
  711. audiences:
  712. description: |-
  713. Audiences specifies the `aud` claim(s) for the service account token.
  714. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity)
  715. then these audiences are appended to the list.
  716. items:
  717. type: string
  718. type: array
  719. name:
  720. description: The name of the ServiceAccount resource being referred to.
  721. type: string
  722. namespace:
  723. description: |-
  724. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  725. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  726. type: string
  727. required:
  728. - name
  729. type: object
  730. required:
  731. - accessID
  732. - k8sConfName
  733. type: object
  734. secretRef:
  735. description: |-
  736. Reference to a Secret that contains the details
  737. to authenticate with Akeyless.
  738. properties:
  739. accessID:
  740. description: The SecretAccessID is used for authentication
  741. properties:
  742. key:
  743. description: |-
  744. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  745. defaulted, in others it may be required.
  746. type: string
  747. name:
  748. description: The name of the Secret resource being referred to.
  749. type: string
  750. namespace:
  751. description: |-
  752. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  753. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  754. type: string
  755. type: object
  756. accessType:
  757. description: |-
  758. A reference to a specific 'key' within a Secret resource.
  759. In some instances, `key` is a required field.
  760. properties:
  761. key:
  762. description: |-
  763. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  764. defaulted, in others it may be required.
  765. type: string
  766. name:
  767. description: The name of the Secret resource being referred to.
  768. type: string
  769. namespace:
  770. description: |-
  771. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  772. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  773. type: string
  774. type: object
  775. accessTypeParam:
  776. description: |-
  777. A reference to a specific 'key' within a Secret resource.
  778. In some instances, `key` is a required field.
  779. properties:
  780. key:
  781. description: |-
  782. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  783. defaulted, in others it may be required.
  784. type: string
  785. name:
  786. description: The name of the Secret resource being referred to.
  787. type: string
  788. namespace:
  789. description: |-
  790. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  791. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  792. type: string
  793. type: object
  794. type: object
  795. type: object
  796. caBundle:
  797. description: |-
  798. PEM/base64-encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  799. if akeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  800. are used to validate the TLS connection.
  801. format: byte
  802. type: string
  803. caProvider:
  804. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  805. properties:
  806. key:
  807. description: The key inside the referenced object whose value is used; only used with the "Secret" type.
  808. type: string
  809. name:
  810. description: The name of the object located at the provider type.
  811. type: string
  812. namespace:
  813. description: The namespace the Provider type is in.
  814. type: string
  815. type:
  816. description: The type of provider to use such as "Secret", or "ConfigMap".
  817. enum:
  818. - Secret
  819. - ConfigMap
  820. type: string
  821. required:
  822. - name
  823. - type
  824. type: object
  825. required:
  826. - akeylessGWApiURL
  827. - authSecretRef
  828. type: object
  829. alibaba:
  830. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  831. properties:
  832. auth:
  833. description: AlibabaAuth contains a secretRef for credentials.
  834. properties:
  835. rrsa:
  836. description: Authenticate against Alibaba using RRSA.
  837. properties:
  838. oidcProviderArn:
  839. type: string
  840. oidcTokenFilePath:
  841. type: string
  842. roleArn:
  843. type: string
  844. sessionName:
  845. type: string
  846. required:
  847. - oidcProviderArn
  848. - oidcTokenFilePath
  849. - roleArn
  850. - sessionName
  851. type: object
  852. secretRef:
  853. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  854. properties:
  855. accessKeyIDSecretRef:
  856. description: The AccessKeyID is used for authentication
  857. properties:
  858. key:
  859. description: |-
  860. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  861. defaulted, in others it may be required.
  862. type: string
  863. name:
  864. description: The name of the Secret resource being referred to.
  865. type: string
  866. namespace:
  867. description: |-
  868. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  869. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  870. type: string
  871. type: object
  872. accessKeySecretSecretRef:
  873. description: The AccessKeySecret is used for authentication
  874. properties:
  875. key:
  876. description: |-
  877. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  878. defaulted, in others it may be required.
  879. type: string
  880. name:
  881. description: The name of the Secret resource being referred to.
  882. type: string
  883. namespace:
  884. description: |-
  885. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  886. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  887. type: string
  888. type: object
  889. required:
  890. - accessKeyIDSecretRef
  891. - accessKeySecretSecretRef
  892. type: object
  893. type: object
  894. regionID:
  895. description: Alibaba Region to be used for the provider
  896. type: string
  897. required:
  898. - auth
  899. - regionID
  900. type: object
  901. aws:
  902. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  903. properties:
  904. auth:
  905. description: |-
  906. Auth defines the information necessary to authenticate against AWS.
  907. If not set, the AWS SDK infers credentials from the controller's own environment;
  908. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  909. properties:
  910. jwt:
  911. description: Authenticate against AWS using service account tokens.
  912. properties:
  913. serviceAccountRef:
  914. description: A reference to a ServiceAccount resource.
  915. properties:
  916. audiences:
  917. description: |-
  918. Audiences specifies the `aud` claim(s) for the service account token.
  919. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity)
  920. then these audiences are appended to the list.
  921. items:
  922. type: string
  923. type: array
  924. name:
  925. description: The name of the ServiceAccount resource being referred to.
  926. type: string
  927. namespace:
  928. description: |-
  929. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  930. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  931. type: string
  932. required:
  933. - name
  934. type: object
  935. type: object
  936. secretRef:
  937. description: |-
  938. AWSAuthSecretRef holds secret references for AWS credentials.
  939. Both AccessKeyID and SecretAccessKey must be defined in order to authenticate properly.
  940. properties:
  941. accessKeyIDSecretRef:
  942. description: The AccessKeyID is used for authentication
  943. properties:
  944. key:
  945. description: |-
  946. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  947. defaulted, in others it may be required.
  948. type: string
  949. name:
  950. description: The name of the Secret resource being referred to.
  951. type: string
  952. namespace:
  953. description: |-
  954. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  955. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  956. type: string
  957. type: object
  958. secretAccessKeySecretRef:
  959. description: The SecretAccessKey is used for authentication
  960. properties:
  961. key:
  962. description: |-
  963. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  964. defaulted, in others it may be required.
  965. type: string
  966. name:
  967. description: The name of the Secret resource being referred to.
  968. type: string
  969. namespace:
  970. description: |-
  971. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  972. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  973. type: string
  974. type: object
  975. type: object
  976. type: object
  977. region:
  978. description: AWS Region to be used for the provider
  979. type: string
  980. role:
  981. description: Role is a Role ARN which the SecretManager provider will assume
  982. type: string
  983. service:
  984. description: Service defines which service should be used to fetch the secrets
  985. enum:
  986. - SecretsManager
  987. - ParameterStore
  988. type: string
  989. required:
  990. - region
  991. - service
  992. type: object
  993. azurekv:
  994. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  995. properties:
  996. authSecretRef:
  997. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  998. properties:
  999. clientId:
  1000. description: The Azure clientId of the service principal used for authentication.
  1001. properties:
  1002. key:
  1003. description: |-
  1004. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1005. defaulted, in others it may be required.
  1006. type: string
  1007. name:
  1008. description: The name of the Secret resource being referred to.
  1009. type: string
  1010. namespace:
  1011. description: |-
  1012. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1013. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1014. type: string
  1015. type: object
  1016. clientSecret:
  1017. description: The Azure ClientSecret of the service principal used for authentication.
  1018. properties:
  1019. key:
  1020. description: |-
  1021. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1022. defaulted, in others it may be required.
  1023. type: string
  1024. name:
  1025. description: The name of the Secret resource being referred to.
  1026. type: string
  1027. namespace:
  1028. description: |-
  1029. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1030. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1031. type: string
  1032. type: object
  1033. type: object
  1034. authType:
  1035. default: ServicePrincipal
  1036. description: |-
  1037. Auth type defines how to authenticate to the keyvault service.
  1038. Valid values are:
  1039. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  1040. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  - "WorkloadIdentity": Using Azure Workload Identity with the ServiceAccount referenced by serviceAccountRef
  1041. enum:
  1042. - ServicePrincipal
  1043. - ManagedIdentity
  1044. - WorkloadIdentity
  1045. type: string
  1046. identityId:
  1047. description: If multiple Managed Identities are assigned to the pod, selects the one to be used.
  1048. type: string
  1049. serviceAccountRef:
  1050. description: |-
  1051. ServiceAccountRef specifies the service account
  1052. that should be used when authenticating with WorkloadIdentity.
  1053. properties:
  1054. audiences:
  1055. description: |-
  1056. Audiences specifies the `aud` claim(s) for the service account token.
  1057. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity)
  1058. then these audiences are appended to the list.
  1059. items:
  1060. type: string
  1061. type: array
  1062. name:
  1063. description: The name of the ServiceAccount resource being referred to.
  1064. type: string
  1065. namespace:
  1066. description: |-
  1067. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1068. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1069. type: string
  1070. required:
  1071. - name
  1072. type: object
  1073. tenantId:
  1074. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1075. type: string
  1076. vaultUrl:
  1077. description: Key Vault URL from which the secrets are fetched.
  1078. type: string
  1079. required:
  1080. - vaultUrl
  1081. type: object
  1082. fake:
  1083. description: Fake configures a store with static key/value pairs. The values live in clear text in this store object itself, so it is intended for testing rather than for real secrets.
  1084. properties:
  1085. data:
  1086. items:
  1087. properties:
  1088. key:
  1089. type: string
  1090. value:
  1091. type: string
  1092. valueMap:
  1093. additionalProperties:
  1094. type: string
  1095. type: object
  1096. version:
  1097. type: string
  1098. required:
  1099. - key
  1100. type: object
  1101. type: array
  1102. required:
  1103. - data
  1104. type: object
  1105. gcpsm:
  1106. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1107. properties:
  1108. auth:
  1109. description: Auth defines the information necessary to authenticate against GCP
  1110. properties:
  1111. secretRef:
  1112. properties:
  1113. secretAccessKeySecretRef:
  1114. description: The SecretAccessKey is used for authentication
  1115. properties:
  1116. key:
  1117. description: |-
  1118. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1119. defaulted, in others it may be required.
  1120. type: string
  1121. name:
  1122. description: The name of the Secret resource being referred to.
  1123. type: string
  1124. namespace:
  1125. description: |-
  1126. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1127. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1128. type: string
  1129. type: object
  1130. type: object
  1131. workloadIdentity:
  1132. properties:
  1133. clusterLocation:
  1134. type: string
  1135. clusterName:
  1136. type: string
  1137. clusterProjectID:
  1138. type: string
  1139. serviceAccountRef:
  1140. description: A reference to a ServiceAccount resource.
  1141. properties:
  1142. audiences:
  1143. description: |-
  1144. Audiences specifies the `aud` claim(s) for the service account token.
  1145. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity)
  1146. then these audiences are appended to the list.
  1147. items:
  1148. type: string
  1149. type: array
  1150. name:
  1151. description: The name of the ServiceAccount resource being referred to.
  1152. type: string
  1153. namespace:
  1154. description: |-
  1155. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1156. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1157. type: string
  1158. required:
  1159. - name
  1160. type: object
  1161. required:
  1162. - clusterLocation
  1163. - clusterName
  1164. - serviceAccountRef
  1165. type: object
  1166. type: object
  1167. projectID:
  1168. description: ProjectID project where secret is located
  1169. type: string
  1170. type: object
  1171. gitlab:
  1172. description: GitLab configures this store to sync secrets using GitLab Variables provider
  1173. properties:
  1174. auth:
  1175. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1176. properties:
  1177. SecretRef:
  1178. properties:
  1179. accessToken:
  1180. description: AccessToken is used for authentication.
  1181. properties:
  1182. key:
  1183. description: |-
  1184. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1185. defaulted, in others it may be required.
  1186. type: string
  1187. name:
  1188. description: The name of the Secret resource being referred to.
  1189. type: string
  1190. namespace:
  1191. description: |-
  1192. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1193. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1194. type: string
  1195. type: object
  1196. type: object
  1197. required:
  1198. - SecretRef
  1199. type: object
  1200. projectID:
  1201. description: ProjectID specifies a project where secrets are located.
  1202. type: string
  1203. url:
  1204. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1205. type: string
  1206. required:
  1207. - auth
  1208. type: object
  1209. ibm:
  1210. description: IBM configures this store to sync secrets using IBM Cloud provider
  1211. properties:
  1212. auth:
  1213. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1214. properties:
  1215. secretRef:
  1216. properties:
  1217. secretApiKeySecretRef:
  1218. description: The IBM Cloud API key used for authentication.
  1219. properties:
  1220. key:
  1221. description: |-
  1222. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1223. defaulted, in others it may be required.
  1224. type: string
  1225. name:
  1226. description: The name of the Secret resource being referred to.
  1227. type: string
  1228. namespace:
  1229. description: |-
  1230. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1231. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1232. type: string
  1233. type: object
  1234. type: object
  1235. required:
  1236. - secretRef
  1237. type: object
  1238. serviceUrl:
  1239. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1240. type: string
  1241. required:
  1242. - auth
  1243. type: object
  1244. kubernetes:
  1245. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1246. properties:
  1247. auth:
  1248. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1249. maxProperties: 1
  1250. minProperties: 1
  1251. properties:
  1252. cert:
  1253. description: Client-certificate authentication; clientCert and clientKey are both SecretKeySelectors referencing the certificate and its private key.
  1254. properties:
  1255. clientCert:
  1256. description: |-
  1257. A reference to a specific 'key' within a Secret resource.
  1258. In some instances, `key` is a required field.
  1259. properties:
  1260. key:
  1261. description: |-
  1262. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1263. defaulted, in others it may be required.
  1264. type: string
  1265. name:
  1266. description: The name of the Secret resource being referred to.
  1267. type: string
  1268. namespace:
  1269. description: |-
  1270. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1271. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1272. type: string
  1273. type: object
  1274. clientKey:
  1275. description: |-
  1276. A reference to a specific 'key' within a Secret resource.
  1277. In some instances, `key` is a required field.
  1278. properties:
  1279. key:
  1280. description: |-
  1281. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1282. defaulted, in others it may be required.
  1283. type: string
  1284. name:
  1285. description: The name of the Secret resource being referred to.
  1286. type: string
  1287. namespace:
  1288. description: |-
  1289. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1290. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1291. type: string
  1292. type: object
  1293. type: object
  1294. serviceAccount:
  1295. description: points to a service account that should be used for authentication
  1296. properties:
  1297. serviceAccount:
  1298. description: A reference to a ServiceAccount resource.
  1299. properties:
  1300. audiences:
  1301. description: |-
  1302. Audiences specifies the `aud` claim(s) for the service account token.
  1303. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity)
  1304. then these audiences are appended to the list.
  1305. items:
  1306. type: string
  1307. type: array
  1308. name:
  1309. description: The name of the ServiceAccount resource being referred to.
  1310. type: string
  1311. namespace:
  1312. description: |-
  1313. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1314. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1315. type: string
  1316. required:
  1317. - name
  1318. type: object
  1319. type: object
  1320. token:
  1321. description: Use a static bearer token to authenticate with.
  1322. properties:
  1323. bearerToken:
  1324. description: |-
  1325. A reference to a specific 'key' within a Secret resource.
  1326. In some instances, `key` is a required field.
  1327. properties:
  1328. key:
  1329. description: |-
  1330. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1331. defaulted, in others it may be required.
  1332. type: string
  1333. name:
  1334. description: The name of the Secret resource being referred to.
  1335. type: string
  1336. namespace:
  1337. description: |-
  1338. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1339. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1340. type: string
  1341. type: object
  1342. type: object
  1343. type: object
  1344. remoteNamespace:
  1345. default: default
  1346. description: Remote namespace to fetch the secrets from
  1347. type: string
  1348. server:
  1349. description: Configures the Kubernetes API server address and how its TLS certificate is validated.
  1350. properties:
  1351. caBundle:
  1352. description: CABundle is a base64-encoded CA certificate used to validate the Kubernetes API server's TLS certificate.
  1353. format: byte
  1354. type: string
  1355. caProvider:
  1356. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1357. properties:
  1358. key:
  1359. description: The key inside the referenced object whose value is used; only used with the "Secret" type.
  1360. type: string
  1361. name:
  1362. description: The name of the object located at the provider type.
  1363. type: string
  1364. namespace:
  1365. description: The namespace the Provider type is in.
  1366. type: string
  1367. type:
  1368. description: The type of provider to use such as "Secret", or "ConfigMap".
  1369. enum:
  1370. - Secret
  1371. - ConfigMap
  1372. type: string
  1373. required:
  1374. - name
  1375. - type
  1376. type: object
  1377. url:
  1378. default: kubernetes.default
  1379. description: The Kubernetes API server address; defaults to the in-cluster service `kubernetes.default`.
  1380. type: string
  1381. type: object
  1382. required:
  1383. - auth
  1384. type: object
  1385. oracle:
  1386. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1387. properties:
  1388. auth:
  1389. description: |-
  1390. Auth configures how secret-manager authenticates with the Oracle Vault.
  1391. If empty, instance principal is used. Optionally, the authenticating principal type
  1392. and/or user data may be supplied for the use of workload identity and user principal.
  1393. properties:
  1394. secretRef:
  1395. description: SecretRef to pass through sensitive information.
  1396. properties:
  1397. fingerprint:
  1398. description: Fingerprint is the fingerprint of the API private key.
  1399. properties:
  1400. key:
  1401. description: |-
  1402. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1403. defaulted, in others it may be required.
  1404. type: string
  1405. name:
  1406. description: The name of the Secret resource being referred to.
  1407. type: string
  1408. namespace:
  1409. description: |-
  1410. Namespace of the resource being referred to. Ignored when the referring object is namespaced; when it is
  1411. cluster-scoped (e.g. a ClusterSecretStore) this defaults to the namespace of the referent.
  1412. type: string
  1413. type: object
  1414. privatekey:
  1415. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1416. properties:
  1417. key:
  1418. description: |-
  1419. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1420. defaulted, in others it may be required.
  1421. type: string
  1422. name:
  1423. description: The name of the Secret resource being referred to.
  1424. type: string
  1425. namespace:
  1426. description: |-
  1427. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1428. to the namespace of the referent.
  1429. type: string
  1430. type: object
  1431. required:
  1432. - fingerprint
  1433. - privatekey
  1434. type: object
  1435. tenancy:
  1436. description: Tenancy is the tenancy OCID where user is located.
  1437. type: string
  1438. user:
  1439. description: User is an access OCID specific to the account.
  1440. type: string
  1441. required:
  1442. - secretRef
  1443. - tenancy
  1444. - user
  1445. type: object
  1446. compartment:
  1447. description: |-
  1448. Compartment is the vault compartment OCID.
  1449. Required for PushSecret
  1450. type: string
  1451. encryptionKey:
  1452. description: |-
  1453. EncryptionKey is the OCID of the encryption key within the vault.
  1454. Required for PushSecret
  1455. type: string
  1456. principalType:
  1457. description: |-
  1458. The type of principal to use for authentication. If left blank, the Auth struct will
  1459. determine the principal type. This optional field must be specified if using
  1460. workload identity.
  1461. enum:
  1462. - ""
  1463. - UserPrincipal
  1464. - InstancePrincipal
  1465. - Workload
  1466. type: string
  1467. region:
  1468. description: Region is the region where vault is located.
  1469. type: string
  1470. serviceAccountRef:
  1471. description: |-
  1472. ServiceAccountRef specifies the service account
  1473. that should be used when authenticating with WorkloadIdentity.
  1474. properties:
  1475. audiences:
  1476. description: |-
  1477. Audience specifies the `aud` claim for the service account token.
  1478. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  1479. then these audiences will be appended to the list.
  1480. items:
  1481. type: string
  1482. type: array
  1483. name:
  1484. description: The name of the ServiceAccount resource being referred to.
  1485. type: string
  1486. namespace:
  1487. description: |-
  1488. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1489. to the namespace of the referent.
  1490. type: string
  1491. required:
  1492. - name
  1493. type: object
  1494. vault:
  1495. description: Vault is the vault's OCID of the specific vault where secret is located.
  1496. type: string
  1497. required:
  1498. - region
  1499. - vault
  1500. type: object
  1501. passworddepot:
  1502. description: Configures a store to sync secrets with a Password Depot instance.
  1503. properties:
  1504. auth:
  1505. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  1506. properties:
  1507. secretRef:
  1508. properties:
  1509. credentials:
  1510. description: Username / Password is used for authentication.
  1511. properties:
  1512. key:
  1513. description: |-
  1514. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1515. defaulted, in others it may be required.
  1516. type: string
  1517. name:
  1518. description: The name of the Secret resource being referred to.
  1519. type: string
  1520. namespace:
  1521. description: |-
  1522. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1523. to the namespace of the referent.
  1524. type: string
  1525. type: object
  1526. type: object
  1527. required:
  1528. - secretRef
  1529. type: object
  1530. database:
  1531. description: Database to use as source
  1532. type: string
  1533. host:
  1534. description: Host configures the Password Depot instance URL.
  1535. type: string
  1536. required:
  1537. - auth
  1538. - database
  1539. - host
  1540. type: object
  1541. vault:
  1542. description: Vault configures this store to sync secrets using the HashiCorp Vault provider
  1543. properties:
  1544. auth:
  1545. description: Auth configures how secret-manager authenticates with the Vault server.
  1546. properties:
  1547. appRole:
  1548. description: |-
  1549. AppRole authenticates with Vault using the App Role auth mechanism,
  1550. with the role and secret stored in a Kubernetes Secret resource.
  1551. properties:
  1552. path:
  1553. default: approle
  1554. description: |-
  1555. Path where the App Role authentication backend is mounted
  1556. in Vault, e.g: "approle"
  1557. type: string
  1558. roleId:
  1559. description: |-
  1560. RoleID configured in the App Role authentication backend when setting
  1561. up the authentication backend in Vault.
  1562. type: string
  1563. secretRef:
  1564. description: |-
  1565. Reference to a key in a Secret that contains the App Role secret used
  1566. to authenticate with Vault.
  1567. The `key` field must be specified and denotes which entry within the Secret
  1568. resource is used as the app role secret.
  1569. properties:
  1570. key:
  1571. description: |-
  1572. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1573. defaulted, in others it may be required.
  1574. type: string
  1575. name:
  1576. description: The name of the Secret resource being referred to.
  1577. type: string
  1578. namespace:
  1579. description: |-
  1580. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1581. to the namespace of the referent.
  1582. type: string
  1583. type: object
  1584. required:
  1585. - path
  1586. - roleId
  1587. - secretRef
  1588. type: object
  1589. cert:
  1590. description: |-
  1591. Cert authenticates with Vault using the Cert authentication method by passing a client certificate,
  1592. private key and CA certificate
  1593. properties:
  1594. clientCert:
  1595. description: |-
  1596. ClientCert is a certificate to authenticate using the Cert Vault
  1597. authentication method
  1598. properties:
  1599. key:
  1600. description: |-
  1601. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1602. defaulted, in others it may be required.
  1603. type: string
  1604. name:
  1605. description: The name of the Secret resource being referred to.
  1606. type: string
  1607. namespace:
  1608. description: |-
  1609. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1610. to the namespace of the referent.
  1611. type: string
  1612. type: object
  1613. secretRef:
  1614. description: |-
  1615. SecretRef to a key in a Secret resource containing client private key to
  1616. authenticate with Vault using the Cert authentication method
  1617. properties:
  1618. key:
  1619. description: |-
  1620. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1621. defaulted, in others it may be required.
  1622. type: string
  1623. name:
  1624. description: The name of the Secret resource being referred to.
  1625. type: string
  1626. namespace:
  1627. description: |-
  1628. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1629. to the namespace of the referent.
  1630. type: string
  1631. type: object
  1632. type: object
  1633. jwt:
  1634. description: |-
  1635. Jwt authenticates with Vault by passing role and JWT token using the
  1636. JWT/OIDC authentication method
  1637. properties:
  1638. kubernetesServiceAccountToken:
  1639. description: |-
  1640. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1641. a token for with the `TokenRequest` API.
  1642. properties:
  1643. audiences:
  1644. description: |-
  1645. Optional audiences field that will be used to request a temporary Kubernetes service
  1646. account token for the service account referenced by `serviceAccountRef`.
  1647. Defaults to a single audience `vault` if not specified.
  1648. items:
  1649. type: string
  1650. type: array
  1651. expirationSeconds:
  1652. description: |-
  1653. Optional expiration time in seconds that will be used to request a temporary
  1654. Kubernetes service account token for the service account referenced by
  1655. `serviceAccountRef`.
  1656. Defaults to 10 minutes.
  1657. format: int64
  1658. type: integer
  1659. serviceAccountRef:
  1660. description: Service account field containing the name of a kubernetes ServiceAccount.
  1661. properties:
  1662. audiences:
  1663. description: |-
  1664. Audience specifies the `aud` claim for the service account token.
  1665. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  1666. then these audiences will be appended to the list.
  1667. items:
  1668. type: string
  1669. type: array
  1670. name:
  1671. description: The name of the ServiceAccount resource being referred to.
  1672. type: string
  1673. namespace:
  1674. description: |-
  1675. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1676. to the namespace of the referent.
  1677. type: string
  1678. required:
  1679. - name
  1680. type: object
  1681. required:
  1682. - serviceAccountRef
  1683. type: object
  1684. path:
  1685. default: jwt
  1686. description: |-
  1687. Path where the JWT authentication backend is mounted
  1688. in Vault, e.g: "jwt"
  1689. type: string
  1690. role:
  1691. description: |-
  1692. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1693. authentication method
  1694. type: string
  1695. secretRef:
  1696. description: |-
  1697. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1698. authenticate with Vault using the JWT/OIDC authentication method.
  1699. properties:
  1700. key:
  1701. description: |-
  1702. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1703. defaulted, in others it may be required.
  1704. type: string
  1705. name:
  1706. description: The name of the Secret resource being referred to.
  1707. type: string
  1708. namespace:
  1709. description: |-
  1710. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1711. to the namespace of the referent.
  1712. type: string
  1713. type: object
  1714. required:
  1715. - path
  1716. type: object
  1717. kubernetes:
  1718. description: |-
  1719. Kubernetes authenticates with Vault by passing the ServiceAccount
  1720. token stored in the named Secret resource to the Vault server.
  1721. properties:
  1722. mountPath:
  1723. default: kubernetes
  1724. description: |-
  1725. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1726. "kubernetes"
  1727. type: string
  1728. role:
  1729. description: |-
  1730. A required field containing the Vault Role to assume. A Role binds a
  1731. Kubernetes ServiceAccount with a set of Vault policies.
  1732. type: string
  1733. secretRef:
  1734. description: |-
  1735. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1736. for authenticating with Vault. If a name is specified without a key,
  1737. `token` is the default. If one is not specified, the one bound to
  1738. the controller will be used.
  1739. properties:
  1740. key:
  1741. description: |-
  1742. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1743. defaulted, in others it may be required.
  1744. type: string
  1745. name:
  1746. description: The name of the Secret resource being referred to.
  1747. type: string
  1748. namespace:
  1749. description: |-
  1750. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1751. to the namespace of the referent.
  1752. type: string
  1753. type: object
  1754. serviceAccountRef:
  1755. description: |-
  1756. Optional service account field containing the name of a kubernetes ServiceAccount.
  1757. If the service account is specified, the service account secret token JWT will be used
  1758. for authenticating with Vault. If the service account selector is not supplied,
  1759. the secretRef will be used instead.
  1760. properties:
  1761. audiences:
  1762. description: |-
  1763. Audience specifies the `aud` claim for the service account token.
  1764. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  1765. then these audiences will be appended to the list.
  1766. items:
  1767. type: string
  1768. type: array
  1769. name:
  1770. description: The name of the ServiceAccount resource being referred to.
  1771. type: string
  1772. namespace:
  1773. description: |-
  1774. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1775. to the namespace of the referent.
  1776. type: string
  1777. required:
  1778. - name
  1779. type: object
  1780. required:
  1781. - mountPath
  1782. - role
  1783. type: object
  1784. ldap:
  1785. description: |-
  1786. Ldap authenticates with Vault by passing username/password pair using
  1787. the LDAP authentication method
  1788. properties:
  1789. path:
  1790. default: ldap
  1791. description: |-
  1792. Path where the LDAP authentication backend is mounted
  1793. in Vault, e.g: "ldap"
  1794. type: string
  1795. secretRef:
  1796. description: |-
  1797. SecretRef to a key in a Secret resource containing password for the LDAP
  1798. user used to authenticate with Vault using the LDAP authentication
  1799. method
  1800. properties:
  1801. key:
  1802. description: |-
  1803. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1804. defaulted, in others it may be required.
  1805. type: string
  1806. name:
  1807. description: The name of the Secret resource being referred to.
  1808. type: string
  1809. namespace:
  1810. description: |-
  1811. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1812. to the namespace of the referent.
  1813. type: string
  1814. type: object
  1815. username:
  1816. description: |-
  1817. Username is an LDAP user name used to authenticate using the LDAP Vault
  1818. authentication method
  1819. type: string
  1820. required:
  1821. - path
  1822. - username
  1823. type: object
  1824. tokenSecretRef:
  1825. description: TokenSecretRef authenticates with Vault by presenting a token.
  1826. properties:
  1827. key:
  1828. description: |-
  1829. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1830. defaulted, in others it may be required.
  1831. type: string
  1832. name:
  1833. description: The name of the Secret resource being referred to.
  1834. type: string
  1835. namespace:
  1836. description: |-
  1837. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1838. to the namespace of the referent.
  1839. type: string
  1840. type: object
  1841. type: object
  1842. caBundle:
  1843. description: |-
  1844. PEM encoded CA bundle used to validate Vault server certificate. Only used
  1845. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1846. plain HTTP protocol connection. If not set the system root certificates
  1847. are used to validate the TLS connection.
  1848. format: byte
  1849. type: string
  1850. caProvider:
  1851. description: The provider for the CA bundle to use to validate Vault server certificate.
  1852. properties:
  1853. key:
  1854. description: The key of the value inside the provider type to use; only used with the "Secret" type
  1855. type: string
  1856. name:
  1857. description: The name of the object located at the provider type.
  1858. type: string
  1859. namespace:
  1860. description: The namespace the Provider type is in.
  1861. type: string
  1862. type:
  1863. description: The type of provider to use such as "Secret", or "ConfigMap".
  1864. enum:
  1865. - Secret
  1866. - ConfigMap
  1867. type: string
  1868. required:
  1869. - name
  1870. - type
  1871. type: object
  1872. forwardInconsistent:
  1873. description: |-
  1874. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  1875. leader instead of simply retrying within a loop. This can increase performance if
  1876. the option is enabled serverside.
  1877. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1878. type: boolean
  1879. namespace:
  1880. description: |-
  1881. Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows
  1882. Vault environments to support secure multi-tenancy, e.g: "ns1".
  1883. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1884. type: string
  1885. path:
  1886. description: |-
  1887. Path is the mount path of the Vault KV backend endpoint, e.g:
  1888. "secret". The v2 KV secret engine version specific "/data" path suffix
  1889. for fetching secrets from Vault is optional and will be appended
  1890. if not present in specified path.
  1891. type: string
  1892. readYourWrites:
  1893. description: |-
  1894. ReadYourWrites ensures isolated read-after-write semantics by
  1895. providing discovered cluster replication states in each request.
  1896. More information about eventual consistency in Vault can be found here
  1897. https://www.vaultproject.io/docs/enterprise/consistency
  1898. type: boolean
  1899. server:
  1900. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1901. type: string
  1902. version:
  1903. default: v2
  1904. description: |-
  1905. Version is the Vault KV secret engine version. This can be either "v1" or
  1906. "v2". Version defaults to "v2".
  1907. enum:
  1908. - v1
  1909. - v2
  1910. type: string
  1911. required:
  1912. - auth
  1913. - server
  1914. type: object
  1915. webhook:
  1916. description: Webhook configures this store to sync secrets using a generic templated webhook
  1917. properties:
  1918. body:
  1919. description: Body
  1920. type: string
  1921. caBundle:
  1922. description: |-
  1923. PEM encoded CA bundle used to validate webhook server certificate. Only used
  1924. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1925. plain HTTP protocol connection. If not set the system root certificates
  1926. are used to validate the TLS connection.
  1927. format: byte
  1928. type: string
  1929. caProvider:
  1930. description: The provider for the CA bundle to use to validate webhook server certificate.
  1931. properties:
  1932. key:
  1933. description: The key of the value inside the provider type to use; only used with the "Secret" type
  1934. type: string
  1935. name:
  1936. description: The name of the object located at the provider type.
  1937. type: string
  1938. namespace:
  1939. description: The namespace the Provider type is in.
  1940. type: string
  1941. type:
  1942. description: The type of provider to use such as "Secret", or "ConfigMap".
  1943. enum:
  1944. - Secret
  1945. - ConfigMap
  1946. type: string
  1947. required:
  1948. - name
  1949. - type
  1950. type: object
  1951. headers:
  1952. additionalProperties:
  1953. type: string
  1954. description: Headers
  1955. type: object
  1956. method:
  1957. description: Webhook Method
  1958. type: string
  1959. result:
  1960. description: Result formatting
  1961. properties:
  1962. jsonPath:
  1963. description: Json path of return value
  1964. type: string
  1965. type: object
  1966. secrets:
  1967. description: |-
  1968. Secrets to fill in templates
  1969. These secrets will be passed to the templating function as key value pairs under the given name
  1970. items:
  1971. properties:
  1972. name:
  1973. description: Name of this secret in templates
  1974. type: string
  1975. secretRef:
  1976. description: Secret ref to fill in credentials
  1977. properties:
  1978. key:
  1979. description: |-
  1980. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1981. defaulted, in others it may be required.
  1982. type: string
  1983. name:
  1984. description: The name of the Secret resource being referred to.
  1985. type: string
  1986. namespace:
  1987. description: |-
  1988. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1989. to the namespace of the referent.
  1990. type: string
  1991. type: object
  1992. required:
  1993. - name
  1994. - secretRef
  1995. type: object
  1996. type: array
  1997. timeout:
  1998. description: Timeout
  1999. type: string
  2000. url:
  2001. description: Webhook url to call
  2002. type: string
  2003. required:
  2004. - result
  2005. - url
  2006. type: object
  2007. yandexlockbox:
  2008. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2009. properties:
  2010. apiEndpoint:
  2011. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2012. type: string
  2013. auth:
  2014. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2015. properties:
  2016. authorizedKeySecretRef:
  2017. description: The authorized key used for authentication
  2018. properties:
  2019. key:
  2020. description: |-
  2021. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2022. defaulted, in others it may be required.
  2023. type: string
  2024. name:
  2025. description: The name of the Secret resource being referred to.
  2026. type: string
  2027. namespace:
  2028. description: |-
  2029. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2030. to the namespace of the referent.
  2031. type: string
  2032. type: object
  2033. type: object
  2034. caProvider:
  2035. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2036. properties:
  2037. certSecretRef:
  2038. description: |-
  2039. A reference to a specific 'key' within a Secret resource.
  2040. In some instances, `key` is a required field.
  2041. properties:
  2042. key:
  2043. description: |-
  2044. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2045. defaulted, in others it may be required.
  2046. type: string
  2047. name:
  2048. description: The name of the Secret resource being referred to.
  2049. type: string
  2050. namespace:
  2051. description: |-
  2052. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2053. to the namespace of the referent.
  2054. type: string
  2055. type: object
  2056. type: object
  2057. required:
  2058. - auth
  2059. type: object
  2060. type: object
  2061. retrySettings:
  2062. description: Used to configure HTTP retries on failure
  2063. properties:
  2064. maxRetries:
  2065. format: int32
  2066. type: integer
  2067. retryInterval:
  2068. type: string
  2069. type: object
  2070. required:
  2071. - provider
  2072. type: object
  2073. status:
  2074. description: SecretStoreStatus defines the observed state of the SecretStore.
  2075. properties:
  2076. conditions:
  2077. items:
  2078. properties:
  2079. lastTransitionTime:
  2080. format: date-time
  2081. type: string
  2082. message:
  2083. type: string
  2084. reason:
  2085. type: string
  2086. status:
  2087. type: string
  2088. type:
  2089. type: string
  2090. required:
  2091. - status
  2092. - type
  2093. type: object
  2094. type: array
  2095. type: object
  2096. type: object
  2097. served: true
  2098. storage: false
  2099. subresources:
  2100. status: {}
  2101. - additionalPrinterColumns:
  2102. - jsonPath: .metadata.creationTimestamp
  2103. name: AGE
  2104. type: date
  2105. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2106. name: Status
  2107. type: string
  2108. - jsonPath: .status.capabilities
  2109. name: Capabilities
  2110. type: string
  2111. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2112. name: Ready
  2113. type: string
  2114. name: v1beta1
  2115. schema:
  2116. openAPIV3Schema:
  2117. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2118. properties:
  2119. apiVersion:
  2120. description: |-
  2121. APIVersion defines the versioned schema of this representation of an object.
  2122. Servers should convert recognized schemas to the latest internal value, and
  2123. may reject unrecognized values.
  2124. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2125. type: string
  2126. kind:
  2127. description: |-
  2128. Kind is a string value representing the REST resource this object represents.
  2129. Servers may infer this from the endpoint the client submits requests to.
  2130. Cannot be updated.
  2131. In CamelCase.
  2132. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2133. type: string
  2134. metadata:
  2135. type: object
  2136. spec:
  2137. description: SecretStoreSpec defines the desired state of SecretStore.
  2138. properties:
  2139. conditions:
  2140. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  2141. items:
  2142. description: |-
  2143. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2144. for a ClusterSecretStore instance.
  2145. properties:
  2146. namespaceSelector:
  2147. description: Choose namespace using a labelSelector
  2148. properties:
  2149. matchExpressions:
  2150. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2151. items:
  2152. description: |-
  2153. A label selector requirement is a selector that contains values, a key, and an operator that
  2154. relates the key and values.
  2155. properties:
  2156. key:
  2157. description: key is the label key that the selector applies to.
  2158. type: string
  2159. operator:
  2160. description: |-
  2161. operator represents a key's relationship to a set of values.
  2162. Valid operators are In, NotIn, Exists and DoesNotExist.
  2163. type: string
  2164. values:
  2165. description: |-
  2166. values is an array of string values. If the operator is In or NotIn,
  2167. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2168. the values array must be empty. This array is replaced during a strategic
  2169. merge patch.
  2170. items:
  2171. type: string
  2172. type: array
  2173. required:
  2174. - key
  2175. - operator
  2176. type: object
  2177. type: array
  2178. matchLabels:
  2179. additionalProperties:
  2180. type: string
  2181. description: |-
  2182. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2183. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2184. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2185. type: object
  2186. type: object
  2187. x-kubernetes-map-type: atomic
  2188. namespaces:
  2189. description: Choose namespaces by name
  2190. items:
  2191. type: string
  2192. type: array
  2193. type: object
  2194. type: array
  2195. controller:
  2196. description: |-
  2197. Used to select the correct ESO controller (think: ingress.ingressClassName).
  2198. The ESO controller is instantiated with a specific controller name and filters ES based on this property.
  2199. type: string
  2200. provider:
  2201. description: Used to configure the provider. Only one provider may be set
  2202. maxProperties: 1
  2203. minProperties: 1
  2204. properties:
  2205. akeyless:
  2206. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2207. properties:
  2208. akeylessGWApiURL:
  2209. description: Akeyless Gateway API URL from which the secrets are fetched.
  2210. type: string
  2211. authSecretRef:
  2212. description: Auth configures how the operator authenticates with Akeyless.
  2213. properties:
  2214. kubernetesAuth:
  2215. description: |-
  2216. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2217. token stored in the named Secret resource.
  2218. properties:
  2219. accessID:
  2220. description: The Akeyless Kubernetes auth-method access-id
  2221. type: string
  2222. k8sConfName:
  2223. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2224. type: string
  2225. secretRef:
  2226. description: |-
  2227. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2228. for authenticating with Akeyless. If a name is specified without a key,
  2229. `token` is the default. If one is not specified, the one bound to
  2230. the controller will be used.
  2231. properties:
  2232. key:
  2233. description: |-
  2234. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2235. defaulted, in others it may be required.
  2236. type: string
  2237. name:
  2238. description: The name of the Secret resource being referred to.
  2239. type: string
  2240. namespace:
  2241. description: |-
  2242. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2243. to the namespace of the referent.
  2244. type: string
  2245. type: object
  2246. serviceAccountRef:
  2247. description: |-
  2248. Optional service account field containing the name of a kubernetes ServiceAccount.
  2249. If the service account is specified, the service account secret token JWT will be used
  2250. for authenticating with Akeyless. If the service account selector is not supplied,
  2251. the secretRef will be used instead.
  2252. properties:
  2253. audiences:
  2254. description: |-
  2255. Audience specifies the `aud` claim for the service account token.
  2256. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  2257. then these audiences will be appended to the list.
  2258. items:
  2259. type: string
  2260. type: array
  2261. name:
  2262. description: The name of the ServiceAccount resource being referred to.
  2263. type: string
  2264. namespace:
  2265. description: |-
  2266. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2267. to the namespace of the referent.
  2268. type: string
  2269. required:
  2270. - name
  2271. type: object
  2272. required:
  2273. - accessID
  2274. - k8sConfName
  2275. type: object
  2276. secretRef:
  2277. description: |-
  2278. Reference to a Secret that contains the details
  2279. to authenticate with Akeyless.
  2280. properties:
  2281. accessID:
  2282. description: The SecretAccessID is used for authentication
  2283. properties:
  2284. key:
  2285. description: |-
  2286. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2287. defaulted, in others it may be required.
  2288. type: string
  2289. name:
  2290. description: The name of the Secret resource being referred to.
  2291. type: string
  2292. namespace:
  2293. description: |-
  2294. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2295. to the namespace of the referent.
  2296. type: string
  2297. type: object
  2298. accessType:
  2299. description: |-
  2300. A reference to a specific 'key' within a Secret resource,
  2301. In some instances, `key` is a required field.
  2302. properties:
  2303. key:
  2304. description: |-
  2305. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2306. defaulted, in others it may be required.
  2307. type: string
  2308. name:
  2309. description: The name of the Secret resource being referred to.
  2310. type: string
  2311. namespace:
  2312. description: |-
  2313. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2314. to the namespace of the referent.
  2315. type: string
  2316. type: object
  2317. accessTypeParam:
  2318. description: |-
  2319. A reference to a specific 'key' within a Secret resource,
  2320. In some instances, `key` is a required field.
  2321. properties:
  2322. key:
  2323. description: |-
  2324. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2325. defaulted, in others it may be required.
  2326. type: string
  2327. name:
  2328. description: The name of the Secret resource being referred to.
  2329. type: string
  2330. namespace:
  2331. description: |-
  2332. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2333. to the namespace of the referent.
  2334. type: string
  2335. type: object
  2336. type: object
  2337. type: object
  2338. caBundle:
  2339. description: |-
  2340. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  2341. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  2342. are used to validate the TLS connection.
  2343. format: byte
  2344. type: string
  2345. caProvider:
  2346. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2347. properties:
  2348. key:
  2349. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2350. type: string
  2351. name:
  2352. description: The name of the object located at the provider type.
  2353. type: string
  2354. namespace:
  2355. description: |-
  2356. The namespace the Provider type is in.
  2357. Can only be defined when used in a ClusterSecretStore.
  2358. type: string
  2359. type:
  2360. description: The type of provider to use such as "Secret", or "ConfigMap".
  2361. enum:
  2362. - Secret
  2363. - ConfigMap
  2364. type: string
  2365. required:
  2366. - name
  2367. - type
  2368. type: object
  2369. required:
  2370. - akeylessGWApiURL
  2371. - authSecretRef
  2372. type: object
  2373. alibaba:
  2374. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  2375. properties:
  2376. auth:
  2377. description: AlibabaAuth contains a secretRef for credentials.
  2378. properties:
  2379. rrsa:
  2380. description: Authenticate against Alibaba using RRSA.
  2381. properties:
  2382. oidcProviderArn:
  2383. type: string
  2384. oidcTokenFilePath:
  2385. type: string
  2386. roleArn:
  2387. type: string
  2388. sessionName:
  2389. type: string
  2390. required:
  2391. - oidcProviderArn
  2392. - oidcTokenFilePath
  2393. - roleArn
  2394. - sessionName
  2395. type: object
  2396. secretRef:
  2397. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  2398. properties:
  2399. accessKeyIDSecretRef:
  2400. description: The AccessKeyID is used for authentication
  2401. properties:
  2402. key:
  2403. description: |-
  2404. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2405. defaulted, in others it may be required.
  2406. type: string
  2407. name:
  2408. description: The name of the Secret resource being referred to.
  2409. type: string
  2410. namespace:
  2411. description: |-
  2412. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2413. to the namespace of the referent.
  2414. type: string
  2415. type: object
  2416. accessKeySecretSecretRef:
  2417. description: The AccessKeySecret is used for authentication
  2418. properties:
  2419. key:
  2420. description: |-
  2421. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2422. defaulted, in others it may be required.
  2423. type: string
  2424. name:
  2425. description: The name of the Secret resource being referred to.
  2426. type: string
  2427. namespace:
  2428. description: |-
  2429. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2430. to the namespace of the referent.
  2431. type: string
  2432. type: object
  2433. required:
  2434. - accessKeyIDSecretRef
  2435. - accessKeySecretSecretRef
  2436. type: object
  2437. type: object
  2438. regionID:
  2439. description: Alibaba Region to be used for the provider
  2440. type: string
  2441. required:
  2442. - auth
  2443. - regionID
  2444. type: object
  2445. aws:
  2446. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2447. properties:
  2448. additionalRoles:
  2449. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2450. items:
  2451. type: string
  2452. type: array
  2453. auth:
  2454. description: |-
  2455. Auth defines the information necessary to authenticate against AWS
  2456. if not set aws sdk will infer credentials from your environment
  2457. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2458. properties:
  2459. jwt:
  2460. description: Authenticate against AWS using service account tokens.
  2461. properties:
  2462. serviceAccountRef:
  2463. description: A reference to a ServiceAccount resource.
  2464. properties:
  2465. audiences:
  2466. description: |-
  2467. Audience specifies the `aud` claim for the service account token
  2468. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2469. then these audiences will be appended to the list
  2470. items:
  2471. type: string
  2472. type: array
  2473. name:
  2474. description: The name of the ServiceAccount resource being referred to.
  2475. type: string
  2476. namespace:
  2477. description: |-
  2478. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2479. to the namespace of the referent.
  2480. type: string
  2481. required:
  2482. - name
  2483. type: object
  2484. type: object
  2485. secretRef:
  2486. description: |-
  2487. AWSAuthSecretRef holds secret references for AWS credentials
  2488. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2489. properties:
  2490. accessKeyIDSecretRef:
  2491. description: The AccessKeyID is used for authentication
  2492. properties:
  2493. key:
  2494. description: |-
  2495. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2496. defaulted, in others it may be required.
  2497. type: string
  2498. name:
  2499. description: The name of the Secret resource being referred to.
  2500. type: string
  2501. namespace:
  2502. description: |-
  2503. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2504. to the namespace of the referent.
  2505. type: string
  2506. type: object
  2507. secretAccessKeySecretRef:
  2508. description: The SecretAccessKey is used for authentication
  2509. properties:
  2510. key:
  2511. description: |-
  2512. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2513. defaulted, in others it may be required.
  2514. type: string
  2515. name:
  2516. description: The name of the Secret resource being referred to.
  2517. type: string
  2518. namespace:
  2519. description: |-
  2520. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2521. to the namespace of the referent.
  2522. type: string
  2523. type: object
  2524. sessionTokenSecretRef:
  2525. description: |-
  2526. The SessionToken used for authentication
  2527. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2528. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2529. properties:
  2530. key:
  2531. description: |-
  2532. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2533. defaulted, in others it may be required.
  2534. type: string
  2535. name:
  2536. description: The name of the Secret resource being referred to.
  2537. type: string
  2538. namespace:
  2539. description: |-
  2540. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2541. to the namespace of the referent.
  2542. type: string
  2543. type: object
  2544. type: object
  2545. type: object
  2546. externalID:
  2547. description: AWS External ID set on assumed IAM roles
  2548. type: string
  2549. region:
  2550. description: AWS Region to be used for the provider
  2551. type: string
  2552. role:
  2553. description: Role is a Role ARN which the provider will assume
  2554. type: string
  2555. secretsManager:
  2556. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2557. properties:
  2558. forceDeleteWithoutRecovery:
  2559. description: |-
  2560. Specifies whether to delete the secret without any recovery window. You
  2561. can't use both this parameter and RecoveryWindowInDays in the same call.
  2562. If you don't use either, then by default Secrets Manager uses a 30 day
  2563. recovery window.
  2564. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2565. type: boolean
  2566. recoveryWindowInDays:
  2567. description: |-
  2568. The number of days from 7 to 30 that Secrets Manager waits before
  2569. permanently deleting the secret. You can't use both this parameter and
  2570. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2571. then by default Secrets Manager uses a 30 day recovery window.
  2572. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2573. format: int64
  2574. type: integer
  2575. type: object
  2576. service:
  2577. description: Service defines which service should be used to fetch the secrets
  2578. enum:
  2579. - SecretsManager
  2580. - ParameterStore
  2581. type: string
  2582. sessionTags:
  2583. description: AWS STS assume role session tags
  2584. items:
  2585. properties:
  2586. key:
  2587. type: string
  2588. value:
  2589. type: string
  2590. required:
  2591. - key
  2592. - value
  2593. type: object
  2594. type: array
  2595. transitiveTagKeys:
  2596. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2597. items:
  2598. type: string
  2599. type: array
  2600. required:
  2601. - region
  2602. - service
  2603. type: object
  2604. azurekv:
  2605. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2606. properties:
  2607. authSecretRef:
  2608. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  2609. properties:
  2610. clientId:
  2611. description: The Azure clientId of the service principal used for authentication.
  2612. properties:
  2613. key:
  2614. description: |-
  2615. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2616. defaulted, in others it may be required.
  2617. type: string
  2618. name:
  2619. description: The name of the Secret resource being referred to.
  2620. type: string
  2621. namespace:
  2622. description: |-
  2623. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2624. to the namespace of the referent.
  2625. type: string
  2626. type: object
  2627. clientSecret:
  2628. description: The Azure ClientSecret of the service principal used for authentication.
  2629. properties:
  2630. key:
  2631. description: |-
  2632. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2633. defaulted, in others it may be required.
  2634. type: string
  2635. name:
  2636. description: The name of the Secret resource being referred to.
  2637. type: string
  2638. namespace:
  2639. description: |-
  2640. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2641. to the namespace of the referent.
  2642. type: string
  2643. type: object
  2644. type: object
  2645. authType:
  2646. default: ServicePrincipal
  2647. description: |-
  2648. Auth type defines how to authenticate to the keyvault service.
  2649. Valid values are:
  2650. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2651. - "ManagedIdentity": Using the Managed Identity assigned to the pod (see aad-pod-identity)
  - "WorkloadIdentity": Using the Kubernetes service account referenced by serviceAccountRef
  2652. enum:
  2653. - ServicePrincipal
  2654. - ManagedIdentity
  2655. - WorkloadIdentity
  2656. type: string
  2657. environmentType:
  2658. default: PublicCloud
  2659. description: |-
  2660. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2661. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2662. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2663. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  2664. enum:
  2665. - PublicCloud
  2666. - USGovernmentCloud
  2667. - ChinaCloud
  2668. - GermanCloud
  2669. type: string
  2670. identityId:
  2671. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  2672. type: string
  2673. serviceAccountRef:
  2674. description: |-
  2675. ServiceAccountRef specifies the service account
  2676. that should be used when authenticating with WorkloadIdentity.
  2677. properties:
  2678. audiences:
  2679. description: |-
  2680. Audience specifies the `aud` claim for the service account token
  2681. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2682. then these audiences will be appended to the list
  2683. items:
  2684. type: string
  2685. type: array
  2686. name:
  2687. description: The name of the ServiceAccount resource being referred to.
  2688. type: string
  2689. namespace:
  2690. description: |-
  2691. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2692. to the namespace of the referent.
  2693. type: string
  2694. required:
  2695. - name
  2696. type: object
  2697. tenantId:
  2698. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  2699. type: string
  2700. vaultUrl:
  2701. description: Vault URL from which the secrets are fetched.
  2702. type: string
  2703. required:
  2704. - vaultUrl
  2705. type: object
  2706. chef:
  2707. description: Chef configures this store to sync secrets with chef server
  2708. properties:
  2709. auth:
  2710. description: Auth defines the information necessary to authenticate against chef Server
  2711. properties:
  2712. secretRef:
  2713. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  2714. properties:
  2715. privateKeySecretRef:
  2716. description: SecretKey is the Signing Key in PEM format, used for authentication.
  2717. properties:
  2718. key:
  2719. description: |-
  2720. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2721. defaulted, in others it may be required.
  2722. type: string
  2723. name:
  2724. description: The name of the Secret resource being referred to.
  2725. type: string
  2726. namespace:
  2727. description: |-
  2728. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2729. to the namespace of the referent.
  2730. type: string
  2731. type: object
  2732. required:
  2733. - privateKeySecretRef
  2734. type: object
  2735. required:
  2736. - secretRef
  2737. type: object
  2738. serverUrl:
  2739. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  2740. type: string
  2741. username:
  2742. description: UserName should be the user ID on the chef server
  2743. type: string
  2744. required:
  2745. - auth
  2746. - serverUrl
  2747. - username
  2748. type: object
  2749. conjur:
  2750. description: Conjur configures this store to sync secrets using conjur provider
  2751. properties:
  2752. auth:
  2753. properties:
  2754. apikey:
  2755. properties:
  2756. account:
  2757. type: string
  2758. apiKeyRef:
  2759. description: |-
  2760. A reference to a specific 'key' within a Secret resource,
  2761. In some instances, `key` is a required field.
  2762. properties:
  2763. key:
  2764. description: |-
  2765. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2766. defaulted, in others it may be required.
  2767. type: string
  2768. name:
  2769. description: The name of the Secret resource being referred to.
  2770. type: string
  2771. namespace:
  2772. description: |-
  2773. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2774. to the namespace of the referent.
  2775. type: string
  2776. type: object
  2777. userRef:
  2778. description: |-
  2779. A reference to a specific 'key' within a Secret resource,
  2780. In some instances, `key` is a required field.
  2781. properties:
  2782. key:
  2783. description: |-
  2784. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2785. defaulted, in others it may be required.
  2786. type: string
  2787. name:
  2788. description: The name of the Secret resource being referred to.
  2789. type: string
  2790. namespace:
  2791. description: |-
  2792. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2793. to the namespace of the referent.
  2794. type: string
  2795. type: object
  2796. required:
  2797. - account
  2798. - apiKeyRef
  2799. - userRef
  2800. type: object
  2801. jwt:
  2802. properties:
  2803. account:
  2804. type: string
  2805. hostId:
  2806. description: |-
  2807. Optional HostID for JWT authentication. This may be used depending
  2808. on how the Conjur JWT authenticator policy is configured.
  2809. type: string
  2810. secretRef:
  2811. description: |-
  2812. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  2813. authenticate with Conjur using the JWT authentication method.
  2814. properties:
  2815. key:
  2816. description: |-
  2817. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2818. defaulted, in others it may be required.
  2819. type: string
  2820. name:
  2821. description: The name of the Secret resource being referred to.
  2822. type: string
  2823. namespace:
  2824. description: |-
  2825. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2826. to the namespace of the referent.
  2827. type: string
  2828. type: object
  2829. serviceAccountRef:
  2830. description: |-
  2831. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  2832. a token for with the `TokenRequest` API.
  2833. properties:
  2834. audiences:
  2835. description: |-
  2836. Audience specifies the `aud` claim for the service account token
  2837. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2838. then these audiences will be appended to the list
  2839. items:
  2840. type: string
  2841. type: array
  2842. name:
  2843. description: The name of the ServiceAccount resource being referred to.
  2844. type: string
  2845. namespace:
  2846. description: |-
  2847. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2848. to the namespace of the referent.
  2849. type: string
  2850. required:
  2851. - name
  2852. type: object
  2853. serviceID:
  2854. description: The Conjur authn-jwt web service ID
  2855. type: string
  2856. required:
  2857. - account
  2858. - serviceID
  2859. type: object
  2860. type: object
  2861. caBundle:
  2862. type: string
  2863. caProvider:
  2864. description: |-
  2865. Used to provide custom certificate authority (CA) certificates
  2866. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  2867. that contains a PEM-encoded certificate.
  2868. properties:
  2869. key:
  2870. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2871. type: string
  2872. name:
  2873. description: The name of the object located at the provider type.
  2874. type: string
  2875. namespace:
  2876. description: |-
  2877. The namespace the Provider type is in.
  2878. Can only be defined when used in a ClusterSecretStore.
  2879. type: string
  2880. type:
  2881. description: The type of provider to use such as "Secret", or "ConfigMap".
  2882. enum:
  2883. - Secret
  2884. - ConfigMap
  2885. type: string
  2886. required:
  2887. - name
  2888. - type
  2889. type: object
  2890. url:
  2891. type: string
  2892. required:
  2893. - auth
  2894. - url
  2895. type: object
  2896. delinea:
  2897. description: |-
  2898. Delinea DevOps Secrets Vault
  2899. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  2900. properties:
  2901. clientId:
  2902. description: ClientID is the non-secret part of the credential.
  2903. properties:
  2904. secretRef:
  2905. description: SecretRef references a key in a secret that will be used as value.
  2906. properties:
  2907. key:
  2908. description: |-
  2909. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2910. defaulted, in others it may be required.
  2911. type: string
  2912. name:
  2913. description: The name of the Secret resource being referred to.
  2914. type: string
  2915. namespace:
  2916. description: |-
  2917. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2918. to the namespace of the referent.
  2919. type: string
  2920. type: object
  2921. value:
  2922. description: Value can be specified directly to set a value without using a secret.
  2923. type: string
  2924. type: object
  2925. clientSecret:
  2926. description: ClientSecret is the secret part of the credential.
  2927. properties:
  2928. secretRef:
  2929. description: SecretRef references a key in a secret that will be used as value.
  2930. properties:
  2931. key:
  2932. description: |-
  2933. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2934. defaulted, in others it may be required.
  2935. type: string
  2936. name:
  2937. description: The name of the Secret resource being referred to.
  2938. type: string
  2939. namespace:
  2940. description: |-
  2941. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2942. to the namespace of the referent.
  2943. type: string
  2944. type: object
  2945. value:
  2946. description: Value can be specified directly to set a value without using a secret; the value is then stored in clear text in this resource.
  2947. type: string
  2948. type: object
  2949. tenant:
  2950. description: Tenant is the chosen hostname / site name.
  2951. type: string
  2952. tld:
  2953. description: |-
  2954. TLD is based on the server location that was chosen during provisioning.
  2955. If unset, defaults to "com".
  2956. type: string
  2957. urlTemplate:
  2958. description: |-
  2959. URLTemplate
  2960. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  2961. type: string
  2962. required:
  2963. - clientId
  2964. - clientSecret
  2965. - tenant
  2966. type: object
  2967. doppler:
  2968. description: Doppler configures this store to sync secrets using the Doppler provider
  2969. properties:
  2970. auth:
  2971. description: Auth configures how the Operator authenticates with the Doppler API
  2972. properties:
  2973. secretRef:
  2974. properties:
  2975. dopplerToken:
  2976. description: |-
  2977. The DopplerToken is used for authentication.
  2978. See https://docs.doppler.com/reference/api#authentication for auth token types.
  2979. The Key attribute defaults to dopplerToken if not specified.
  2980. properties:
  2981. key:
  2982. description: |-
  2983. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2984. defaulted, in others it may be required.
  2985. type: string
  2986. name:
  2987. description: The name of the Secret resource being referred to.
  2988. type: string
  2989. namespace:
  2990. description: |-
  2991. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2992. to the namespace of the referent.
  2993. type: string
  2994. type: object
  2995. required:
  2996. - dopplerToken
  2997. type: object
  2998. required:
  2999. - secretRef
  3000. type: object
  3001. config:
  3002. description: Doppler config (required if not using a Service Token)
  3003. type: string
  3004. format:
  3005. description: Format enables the downloading of secrets as a file (string)
  3006. enum:
  3007. - json
  3008. - dotnet-json
  3009. - env
  3010. - yaml
  3011. - docker
  3012. type: string
  3013. nameTransformer:
  3014. description: Environment variable compatible name transforms that change secret names to a different format
  3015. enum:
  3016. - upper-camel
  3017. - camel
  3018. - lower-snake
  3019. - tf-var
  3020. - dotnet-env
  3021. - lower-kebab
  3022. type: string
  3023. project:
  3024. description: Doppler project (required if not using a Service Token)
  3025. type: string
  3026. required:
  3027. - auth
  3028. type: object
  3029. fake:
  3030. description: Fake configures a store with static key/value pairs
  3031. properties:
  3032. data:
  3033. items:
  3034. properties:
  3035. key:
  3036. type: string
  3037. value:
  3038. type: string
  3039. valueMap:
  3040. additionalProperties:
  3041. type: string
  3042. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  3043. type: object
  3044. version:
  3045. type: string
  3046. required:
  3047. - key
  3048. type: object
  3049. type: array
  3050. required:
  3051. - data
  3052. type: object
  3053. fortanix:
  3054. description: Fortanix configures this store to sync secrets using the Fortanix provider
  3055. properties:
  3056. apiKey:
  3057. description: APIKey is the API token to access SDKMS Applications.
  3058. properties:
  3059. secretRef:
  3060. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  3061. properties:
  3062. key:
  3063. description: |-
  3064. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3065. defaulted, in others it may be required.
  3066. type: string
  3067. name:
  3068. description: The name of the Secret resource being referred to.
  3069. type: string
  3070. namespace:
  3071. description: |-
  3072. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3073. to the namespace of the referent.
  3074. type: string
  3075. type: object
  3076. type: object
  3077. apiUrl:
  3078. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  3079. type: string
  3080. type: object
  3081. gcpsm:
  3082. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3083. properties:
  3084. auth:
  3085. description: Auth defines the information necessary to authenticate against GCP
  3086. properties:
  3087. secretRef:
  3088. properties:
  3089. secretAccessKeySecretRef:
  3090. description: The SecretAccessKey is used for authentication
  3091. properties:
  3092. key:
  3093. description: |-
  3094. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3095. defaulted, in others it may be required.
  3096. type: string
  3097. name:
  3098. description: The name of the Secret resource being referred to.
  3099. type: string
  3100. namespace:
  3101. description: |-
  3102. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3103. to the namespace of the referent.
  3104. type: string
  3105. type: object
  3106. type: object
  3107. workloadIdentity:
  3108. properties:
  3109. clusterLocation:
  3110. type: string
  3111. clusterName:
  3112. type: string
  3113. clusterProjectID:
  3114. type: string
  3115. serviceAccountRef:
  3116. description: A reference to a ServiceAccount resource.
  3117. properties:
  3118. audiences:
  3119. description: |-
  3120. Audience specifies the `aud` claim for the service account token
  3121. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3122. then these audiences will be appended to the list
  3123. items:
  3124. type: string
  3125. type: array
  3126. name:
  3127. description: The name of the ServiceAccount resource being referred to.
  3128. type: string
  3129. namespace:
  3130. description: |-
  3131. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3132. to the namespace of the referent.
  3133. type: string
  3134. required:
  3135. - name
  3136. type: object
  3137. required:
  3138. - clusterLocation
  3139. - clusterName
  3140. - serviceAccountRef
  3141. type: object
  3142. type: object
  3143. projectID:
  3144. description: ProjectID project where secret is located
  3145. type: string
  3146. type: object
  3147. gitlab:
  3148. description: GitLab configures this store to sync secrets using GitLab Variables provider
  3149. properties:
  3150. auth:
  3151. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3152. properties:
  3153. SecretRef:
  3154. properties:
  3155. accessToken:
  3156. description: AccessToken is used for authentication.
  3157. properties:
  3158. key:
  3159. description: |-
  3160. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3161. defaulted, in others it may be required.
  3162. type: string
  3163. name:
  3164. description: The name of the Secret resource being referred to.
  3165. type: string
  3166. namespace:
  3167. description: |-
  3168. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3169. to the namespace of the referent.
  3170. type: string
  3171. type: object
  3172. type: object
  3173. required:
  3174. - SecretRef
  3175. type: object
  3176. environment:
  3177. description: Environment is the environment_scope of GitLab CI/CD variables (please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  3178. type: string
  3179. groupIDs:
  3180. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  3181. items:
  3182. type: string
  3183. type: array
  3184. inheritFromGroups:
  3185. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  3186. type: boolean
  3187. projectID:
  3188. description: ProjectID specifies a project where secrets are located.
  3189. type: string
  3190. url:
  3191. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3192. type: string
  3193. required:
  3194. - auth
  3195. type: object
  3196. ibm:
  3197. description: IBM configures this store to sync secrets using IBM Cloud provider
  3198. properties:
  3199. auth:
  3200. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3201. maxProperties: 1
  3202. minProperties: 1
  3203. properties:
  3204. containerAuth:
  3205. description: IBM Container-based auth with IAM Trusted Profile.
  3206. properties:
  3207. iamEndpoint:
  3208. type: string
  3209. profile:
  3210. description: the IBM Trusted Profile
  3211. type: string
  3212. tokenLocation:
  3213. description: Location the token is mounted on the pod
  3214. type: string
  3215. required:
  3216. - profile
  3217. type: object
  3218. secretRef:
  3219. properties:
  3220. secretApiKeySecretRef:
  3221. description: The SecretAccessKey is used for authentication
  3222. properties:
  3223. key:
  3224. description: |-
  3225. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3226. defaulted, in others it may be required.
  3227. type: string
  3228. name:
  3229. description: The name of the Secret resource being referred to.
  3230. type: string
  3231. namespace:
  3232. description: |-
  3233. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3234. to the namespace of the referent.
  3235. type: string
  3236. type: object
  3237. type: object
  3238. type: object
  3239. serviceUrl:
  3240. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3241. type: string
  3242. required:
  3243. - auth
  3244. type: object
  3245. keepersecurity:
  3246. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  3247. properties:
  3248. authRef:
  3249. description: |-
  3250. A reference to a specific 'key' within a Secret resource,
  3251. In some instances, `key` is a required field.
  3252. properties:
  3253. key:
  3254. description: |-
  3255. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3256. defaulted, in others it may be required.
  3257. type: string
  3258. name:
  3259. description: The name of the Secret resource being referred to.
  3260. type: string
  3261. namespace:
  3262. description: |-
  3263. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3264. to the namespace of the referent.
  3265. type: string
  3266. type: object
  3267. folderID:
  3268. type: string
  3269. required:
  3270. - authRef
  3271. - folderID
  3272. type: object
  3273. kubernetes:
  3274. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3275. properties:
  3276. auth:
  3277. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3278. maxProperties: 1
  3279. minProperties: 1
  3280. properties:
  3281. cert:
  3282. description: Cert holds both clientCert and clientKey as secretKeySelectors
  3283. properties:
  3284. clientCert:
  3285. description: |-
  3286. A reference to a specific 'key' within a Secret resource,
  3287. In some instances, `key` is a required field.
  3288. properties:
  3289. key:
  3290. description: |-
  3291. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3292. defaulted, in others it may be required.
  3293. type: string
  3294. name:
  3295. description: The name of the Secret resource being referred to.
  3296. type: string
  3297. namespace:
  3298. description: |-
  3299. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3300. to the namespace of the referent.
  3301. type: string
  3302. type: object
  3303. clientKey:
  3304. description: |-
  3305. A reference to a specific 'key' within a Secret resource,
  3306. In some instances, `key` is a required field.
  3307. properties:
  3308. key:
  3309. description: |-
  3310. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3311. defaulted, in others it may be required.
  3312. type: string
  3313. name:
  3314. description: The name of the Secret resource being referred to.
  3315. type: string
  3316. namespace:
  3317. description: |-
  3318. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3319. to the namespace of the referent.
  3320. type: string
  3321. type: object
  3322. type: object
  3323. serviceAccount:
  3324. description: points to a service account that should be used for authentication
  3325. properties:
  3326. audiences:
  3327. description: |-
  3328. Audience specifies the `aud` claim for the service account token
  3329. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3330. then these audiences will be appended to the list
  3331. items:
  3332. type: string
  3333. type: array
  3334. name:
  3335. description: The name of the ServiceAccount resource being referred to.
  3336. type: string
  3337. namespace:
  3338. description: |-
  3339. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3340. to the namespace of the referent.
  3341. type: string
  3342. required:
  3343. - name
  3344. type: object
  3345. token:
  3346. description: use a static token to authenticate with
  3347. properties:
  3348. bearerToken:
  3349. description: |-
  3350. A reference to a specific 'key' within a Secret resource,
  3351. In some instances, `key` is a required field.
  3352. properties:
  3353. key:
  3354. description: |-
  3355. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3356. defaulted, in others it may be required.
  3357. type: string
  3358. name:
  3359. description: The name of the Secret resource being referred to.
  3360. type: string
  3361. namespace:
  3362. description: |-
  3363. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3364. to the namespace of the referent.
  3365. type: string
  3366. type: object
  3367. type: object
  3368. type: object
  3369. remoteNamespace:
  3370. default: default
  3371. description: Remote namespace to fetch the secrets from
  3372. type: string
  3373. server:
  3374. description: configures the Kubernetes server Address.
  3375. properties:
  3376. caBundle:
  3377. description: CABundle is a base64-encoded CA certificate
  3378. format: byte
  3379. type: string
  3380. caProvider:
  3381. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3382. properties:
  3383. key:
  3384. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3385. type: string
  3386. name:
  3387. description: The name of the object located at the provider type.
  3388. type: string
  3389. namespace:
  3390. description: |-
  3391. The namespace the Provider type is in.
  3392. Can only be defined when used in a ClusterSecretStore.
  3393. type: string
  3394. type:
  3395. description: The type of provider to use such as "Secret", or "ConfigMap".
  3396. enum:
  3397. - Secret
  3398. - ConfigMap
  3399. type: string
  3400. required:
  3401. - name
  3402. - type
  3403. type: object
  3404. url:
  3405. default: kubernetes.default
  3406. description: configures the Kubernetes server Address.
  3407. type: string
  3408. type: object
  3409. required:
  3410. - auth
  3411. type: object
  3412. onboardbase:
  3413. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  3414. properties:
  3415. apiHost:
  3416. default: https://public.onboardbase.com/api/v1/
  3417. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  3418. type: string
  3419. auth:
  3420. description: Auth configures how the Operator authenticates with the Onboardbase API
  3421. properties:
  3422. apiKeyRef:
  3423. description: |-
  3424. OnboardbaseAPIKey is the APIKey generated by an admin account.
  3425. It is used to recognize and authorize access to a project and environment within onboardbase
  3426. properties:
  3427. key:
  3428. description: |-
  3429. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3430. defaulted, in others it may be required.
  3431. type: string
  3432. name:
  3433. description: The name of the Secret resource being referred to.
  3434. type: string
  3435. namespace:
  3436. description: |-
  3437. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3438. to the namespace of the referent.
  3439. type: string
  3440. type: object
  3441. passcodeRef:
  3442. description: OnboardbasePasscode is the passcode attached to the API Key
  3443. properties:
  3444. key:
  3445. description: |-
  3446. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3447. defaulted, in others it may be required.
  3448. type: string
  3449. name:
  3450. description: The name of the Secret resource being referred to.
  3451. type: string
  3452. namespace:
  3453. description: |-
  3454. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3455. to the namespace of the referent.
  3456. type: string
  3457. type: object
  3458. required:
  3459. - apiKeyRef
  3460. - passcodeRef
  3461. type: object
  3462. environment:
  3463. default: development
  3464. description: Environment is the name of an environment within a project to pull the secrets from
  3465. type: string
  3466. project:
  3467. default: development
  3468. description: Project is an onboardbase project that the secrets should be pulled from
  3469. type: string
  3470. required:
  3471. - apiHost
  3472. - auth
  3473. - environment
  3474. - project
  3475. type: object
  3476. onepassword:
  3477. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  3478. properties:
  3479. auth:
  3480. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  3481. properties:
  3482. secretRef:
  3483. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  3484. properties:
  3485. connectTokenSecretRef:
  3486. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  3487. properties:
  3488. key:
  3489. description: |-
  3490. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3491. defaulted, in others it may be required.
  3492. type: string
  3493. name:
  3494. description: The name of the Secret resource being referred to.
  3495. type: string
  3496. namespace:
  3497. description: |-
  3498. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3499. to the namespace of the referent.
  3500. type: string
  3501. type: object
  3502. required:
  3503. - connectTokenSecretRef
  3504. type: object
  3505. required:
  3506. - secretRef
  3507. type: object
  3508. connectHost:
  3509. description: ConnectHost defines the OnePassword Connect Server to connect to
  3510. type: string
  3511. vaults:
  3512. additionalProperties:
  3513. type: integer
  3514. description: Vaults defines which OnePassword vaults to search in which order
  3515. type: object
  3516. required:
  3517. - auth
  3518. - connectHost
  3519. - vaults
  3520. type: object
  3521. oracle:
  3522. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3523. properties:
  3524. auth:
  3525. description: |-
  3526. Auth configures how secret-manager authenticates with the Oracle Vault.
  3527. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3528. properties:
  3529. secretRef:
  3530. description: SecretRef to pass through sensitive information.
  3531. properties:
  3532. fingerprint:
  3533. description: Fingerprint is the fingerprint of the API private key.
  3534. properties:
  3535. key:
  3536. description: |-
  3537. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3538. defaulted, in others it may be required.
  3539. type: string
  3540. name:
  3541. description: The name of the Secret resource being referred to.
  3542. type: string
  3543. namespace:
  3544. description: |-
  3545. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3546. to the namespace of the referent.
  3547. type: string
  3548. type: object
  3549. privatekey:
  3550. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3551. properties:
  3552. key:
  3553. description: |-
  3554. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3555. defaulted, in others it may be required.
  3556. type: string
  3557. name:
  3558. description: The name of the Secret resource being referred to.
  3559. type: string
  3560. namespace:
  3561. description: |-
  3562. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3563. to the namespace of the referent.
  3564. type: string
  3565. type: object
  3566. required:
  3567. - fingerprint
  3568. - privatekey
  3569. type: object
  3570. tenancy:
  3571. description: Tenancy is the tenancy OCID where user is located.
  3572. type: string
  3573. user:
  3574. description: User is an access OCID specific to the account.
  3575. type: string
  3576. required:
  3577. - secretRef
  3578. - tenancy
  3579. - user
  3580. type: object
  3581. compartment:
  3582. description: |-
  3583. Compartment is the vault compartment OCID.
  3584. Required for PushSecret
  3585. type: string
  3586. encryptionKey:
  3587. description: |-
  3588. EncryptionKey is the OCID of the encryption key within the vault.
  3589. Required for PushSecret
  3590. type: string
  3591. principalType:
  3592. description: |-
  3593. The type of principal to use for authentication. If left blank, the Auth struct will
  3594. determine the principal type. This optional field must be specified if using
  3595. workload identity.
  3596. enum:
  3597. - ""
  3598. - UserPrincipal
  3599. - InstancePrincipal
  3600. - Workload
  3601. type: string
  3602. region:
  3603. description: Region is the region where vault is located.
  3604. type: string
  3605. serviceAccountRef:
  3606. description: |-
  3607. ServiceAccountRef specifies the service account
  3608. that should be used when authenticating with WorkloadIdentity.
  3609. properties:
  3610. audiences:
  3611. description: |-
  3612. Audience specifies the `aud` claim for the service account token
  3613. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3614. then these audiences will be appended to the list
  3615. items:
  3616. type: string
  3617. type: array
  3618. name:
  3619. description: The name of the ServiceAccount resource being referred to.
  3620. type: string
  3621. namespace:
  3622. description: |-
  3623. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3624. to the namespace of the referent.
  3625. type: string
  3626. required:
  3627. - name
  3628. type: object
  3629. vault:
  3630. description: Vault is the vault's OCID of the specific vault where secret is located.
  3631. type: string
  3632. required:
  3633. - region
  3634. - vault
  3635. type: object
  3636. passworddepot:
  3637. description: Configures a store to sync secrets with a Password Depot instance.
  3638. properties:
  3639. auth:
  3640. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  3641. properties:
  3642. secretRef:
  3643. properties:
  3644. credentials:
  3645. description: Username / Password is used for authentication.
  3646. properties:
  3647. key:
  3648. description: |-
  3649. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3650. defaulted, in others it may be required.
  3651. type: string
  3652. name:
  3653. description: The name of the Secret resource being referred to.
  3654. type: string
  3655. namespace:
  3656. description: |-
  3657. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3658. to the namespace of the referent.
  3659. type: string
  3660. type: object
  3661. type: object
  3662. required:
  3663. - secretRef
  3664. type: object
  3665. database:
  3666. description: Database to use as source
  3667. type: string
  3668. host:
  3669. description: URL configures the Password Depot instance URL.
  3670. type: string
  3671. required:
  3672. - auth
  3673. - database
  3674. - host
  3675. type: object
  3676. pulumi:
  3677. description: Pulumi configures this store to sync secrets using the Pulumi provider
  3678. properties:
  3679. accessToken:
  3680. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  3681. properties:
  3682. secretRef:
  3683. description: SecretRef is a reference to a secret containing the Pulumi API token.
  3684. properties:
  3685. key:
  3686. description: |-
  3687. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3688. defaulted, in others it may be required.
  3689. type: string
  3690. name:
  3691. description: The name of the Secret resource being referred to.
  3692. type: string
  3693. namespace:
  3694. description: |-
  3695. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3696. to the namespace of the referent.
  3697. type: string
  3698. type: object
  3699. type: object
  3700. apiUrl:
  3701. default: https://api.pulumi.com
  3702. description: APIURL is the URL of the Pulumi API.
  3703. type: string
  3704. environment:
  3705. description: |-
  3706. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  3707. dynamically retrieved values from supported providers including all major clouds,
  3708. and other Pulumi ESC environments.
  3709. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  3710. type: string
  3711. organization:
  3712. description: |-
  3713. Organizations are a space to collaborate on shared projects and stacks.
  3714. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  3715. type: string
  3716. required:
  3717. - accessToken
  3718. - environment
  3719. - organization
  3720. type: object
  3721. scaleway:
  3722. description: Scaleway configures this store to sync secrets using the Scaleway provider
  3723. properties:
  3724. accessKey:
  3725. description: AccessKey is the non-secret part of the api key.
  3726. properties:
  3727. secretRef:
  3728. description: SecretRef references a key in a secret that will be used as value.
  3729. properties:
  3730. key:
  3731. description: |-
  3732. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3733. defaulted, in others it may be required.
  3734. type: string
  3735. name:
  3736. description: The name of the Secret resource being referred to.
  3737. type: string
  3738. namespace:
  3739. description: |-
  3740. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3741. to the namespace of the referent.
  3742. type: string
  3743. type: object
  3744. value:
  3745. description: Value can be specified directly to set a value without using a secret.
  3746. type: string
  3747. type: object
  3748. apiUrl:
  3749. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  3750. type: string
  3751. projectId:
  3752. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  3753. type: string
  3754. region:
  3755. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  3756. type: string
  3757. secretKey:
  3758. description: SecretKey is the secret part of the api key.
  3759. properties:
  3760. secretRef:
  3761. description: SecretRef references a key in a secret that will be used as value.
  3762. properties:
  3763. key:
  3764. description: |-
  3765. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3766. defaulted, in others it may be required.
  3767. type: string
  3768. name:
  3769. description: The name of the Secret resource being referred to.
  3770. type: string
  3771. namespace:
  3772. description: |-
  3773. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3774. to the namespace of the referent.
  3775. type: string
  3776. type: object
  3777. value:
  3778. description: Value can be specified directly to set a value without using a secret.
  3779. type: string
  3780. type: object
  3781. required:
  3782. - accessKey
  3783. - projectId
  3784. - region
  3785. - secretKey
  3786. type: object
  3787. secretserver:
  3788. description: |-
  3789. SecretServer configures this store to sync secrets using SecretServer provider
  3790. https://docs.delinea.com/online-help/secret-server/start.htm
  3791. properties:
  3792. password:
  3793. description: Password is the secret server account password.
  3794. properties:
  3795. secretRef:
  3796. description: SecretRef references a key in a secret that will be used as value.
  3797. properties:
  3798. key:
  3799. description: |-
  3800. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3801. defaulted, in others it may be required.
  3802. type: string
  3803. name:
  3804. description: The name of the Secret resource being referred to.
  3805. type: string
  3806. namespace:
  3807. description: |-
  3808. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3809. to the namespace of the referent.
  3810. type: string
  3811. type: object
  3812. value:
  3813. description: Value can be specified directly to set a value without using a secret.
  3814. type: string
  3815. type: object
  3816. serverURL:
  3817. description: |-
  3818. ServerURL
  3819. URL to your secret server installation
  3820. type: string
  3821. username:
  3822. description: Username is the secret server account username.
  3823. properties:
  3824. secretRef:
  3825. description: SecretRef references a key in a secret that will be used as value.
  3826. properties:
  3827. key:
  3828. description: |-
  3829. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3830. defaulted, in others it may be required.
  3831. type: string
  3832. name:
  3833. description: The name of the Secret resource being referred to.
  3834. type: string
  3835. namespace:
  3836. description: |-
  3837. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3838. to the namespace of the referent.
  3839. type: string
  3840. type: object
  3841. value:
  3842. description: Value can be specified directly to set a value without using a secret.
  3843. type: string
  3844. type: object
  3845. required:
  3846. - password
  3847. - serverURL
  3848. - username
  3849. type: object
  3850. senhasegura:
  3851. description: Senhasegura configures this store to sync secrets using senhasegura provider
  3852. properties:
  3853. auth:
  3854. description: Auth defines parameters to authenticate in senhasegura
  3855. properties:
  3856. clientId:
  3857. type: string
  3858. clientSecretSecretRef:
  3859. description: |-
  3860. A reference to a specific 'key' within a Secret resource,
  3861. In some instances, `key` is a required field.
  3862. properties:
  3863. key:
  3864. description: |-
  3865. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3866. defaulted, in others it may be required.
  3867. type: string
  3868. name:
  3869. description: The name of the Secret resource being referred to.
  3870. type: string
  3871. namespace:
  3872. description: |-
  3873. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3874. to the namespace of the referent.
  3875. type: string
  3876. type: object
  3877. required:
  3878. - clientId
  3879. - clientSecretSecretRef
  3880. type: object
  3881. ignoreSslCertificate:
  3882. default: false
  3883. description: IgnoreSslCertificate defines whether the server's SSL certificate must be ignored
  3884. type: boolean
  3885. module:
  3886. description: Module defines which senhasegura module should be used to get secrets
  3887. type: string
  3888. url:
  3889. description: URL of senhasegura
  3890. type: string
  3891. required:
  3892. - auth
  3893. - module
  3894. - url
  3895. type: object
  3896. vault:
  3897. description: Vault configures this store to sync secrets using Hashi provider
  3898. properties:
  3899. auth:
  3900. description: Auth configures how secret-manager authenticates with the Vault server.
  3901. properties:
  3902. appRole:
  3903. description: |-
  3904. AppRole authenticates with Vault using the App Role auth mechanism,
  3905. with the role and secret stored in a Kubernetes Secret resource.
  3906. properties:
  3907. path:
  3908. default: approle
  3909. description: |-
  3910. Path where the App Role authentication backend is mounted
  3911. in Vault, e.g: "approle"
  3912. type: string
  3913. roleId:
  3914. description: |-
  3915. RoleID configured in the App Role authentication backend when setting
  3916. up the authentication backend in Vault.
  3917. type: string
  3918. roleRef:
  3919. description: |-
  3920. Reference to a key in a Secret that contains the App Role ID used
  3921. to authenticate with Vault.
  3922. The `key` field must be specified and denotes which entry within the Secret
  3923. resource is used as the app role id.
  3924. properties:
  3925. key:
  3926. description: |-
  3927. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3928. defaulted, in others it may be required.
  3929. type: string
  3930. name:
  3931. description: The name of the Secret resource being referred to.
  3932. type: string
  3933. namespace:
  3934. description: |-
  3935. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3936. to the namespace of the referent.
  3937. type: string
  3938. type: object
  3939. secretRef:
  3940. description: |-
  3941. Reference to a key in a Secret that contains the App Role secret used
  3942. to authenticate with Vault.
  3943. The `key` field must be specified and denotes which entry within the Secret
  3944. resource is used as the app role secret.
  3945. properties:
  3946. key:
  3947. description: |-
  3948. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3949. defaulted, in others it may be required.
  3950. type: string
  3951. name:
  3952. description: The name of the Secret resource being referred to.
  3953. type: string
  3954. namespace:
  3955. description: |-
  3956. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3957. to the namespace of the referent.
  3958. type: string
  3959. type: object
  3960. required:
  3961. - path
  3962. - secretRef
  3963. type: object
  3964. cert:
  3965. description: |-
  3966. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  3967. Cert authentication method
  3968. properties:
  3969. clientCert:
  3970. description: |-
  3971. ClientCert is a certificate to authenticate using the Cert Vault
  3972. authentication method
  3973. properties:
  3974. key:
  3975. description: |-
  3976. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3977. defaulted, in others it may be required.
  3978. type: string
  3979. name:
  3980. description: The name of the Secret resource being referred to.
  3981. type: string
  3982. namespace:
  3983. description: |-
  3984. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3985. to the namespace of the referent.
  3986. type: string
  3987. type: object
  3988. secretRef:
  3989. description: |-
  3990. SecretRef to a key in a Secret resource containing client private key to
  3991. authenticate with Vault using the Cert authentication method
  3992. properties:
  3993. key:
  3994. description: |-
  3995. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3996. defaulted, in others it may be required.
  3997. type: string
  3998. name:
  3999. description: The name of the Secret resource being referred to.
  4000. type: string
  4001. namespace:
  4002. description: |-
  4003. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4004. to the namespace of the referent.
  4005. type: string
  4006. type: object
  4007. type: object
  4008. iam:
  4009. description: |-
  4010. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  4011. AWS IAM authentication method
  4012. properties:
  4013. externalID:
  4014. description: AWS External ID set on assumed IAM roles
  4015. type: string
  4016. jwt:
  4017. description: Specify a service account with IRSA enabled
  4018. properties:
  4019. serviceAccountRef:
  4020. description: A reference to a ServiceAccount resource.
  4021. properties:
  4022. audiences:
  4023. description: |-
  4024. Audience specifies the `aud` claim for the service account token
  4025. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4026. then these audiences will be appended to the list
  4027. items:
  4028. type: string
  4029. type: array
  4030. name:
  4031. description: The name of the ServiceAccount resource being referred to.
  4032. type: string
  4033. namespace:
  4034. description: |-
  4035. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4036. to the namespace of the referent.
  4037. type: string
  4038. required:
  4039. - name
  4040. type: object
  4041. type: object
  4042. path:
  4043. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  4044. type: string
  4045. region:
  4046. description: AWS region
  4047. type: string
  4048. role:
  4049. description: This is the AWS role to be assumed before talking to vault
  4050. type: string
  4051. secretRef:
  4052. description: Specify credentials in a Secret object
  4053. properties:
  4054. accessKeyIDSecretRef:
  4055. description: The AccessKeyID is used for authentication
  4056. properties:
  4057. key:
  4058. description: |-
  4059. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4060. defaulted, in others it may be required.
  4061. type: string
  4062. name:
  4063. description: The name of the Secret resource being referred to.
  4064. type: string
  4065. namespace:
  4066. description: |-
  4067. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4068. to the namespace of the referent.
  4069. type: string
  4070. type: object
  4071. secretAccessKeySecretRef:
  4072. description: The SecretAccessKey is used for authentication
  4073. properties:
  4074. key:
  4075. description: |-
  4076. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4077. defaulted, in others it may be required.
  4078. type: string
  4079. name:
  4080. description: The name of the Secret resource being referred to.
  4081. type: string
  4082. namespace:
  4083. description: |-
  4084. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4085. to the namespace of the referent.
  4086. type: string
  4087. type: object
  4088. sessionTokenSecretRef:
  4089. description: |-
  4090. The SessionToken used for authentication
  4091. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  4092. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  4093. properties:
  4094. key:
  4095. description: |-
  4096. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4097. defaulted, in others it may be required.
  4098. type: string
  4099. name:
  4100. description: The name of the Secret resource being referred to.
  4101. type: string
  4102. namespace:
  4103. description: |-
  4104. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4105. to the namespace of the referent.
  4106. type: string
  4107. type: object
  4108. type: object
  4109. vaultAwsIamServerID:
  4110. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  4111. type: string
  4112. vaultRole:
4113. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies that you want to attach to a user of the secrets engine
  4114. type: string
  4115. required:
  4116. - vaultRole
  4117. type: object
  4118. jwt:
  4119. description: |-
  4120. Jwt authenticates with Vault by passing role and JWT token using the
  4121. JWT/OIDC authentication method
  4122. properties:
  4123. kubernetesServiceAccountToken:
  4124. description: |-
  4125. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  4126. a token for with the `TokenRequest` API.
  4127. properties:
  4128. audiences:
  4129. description: |-
  4130. Optional audiences field that will be used to request a temporary Kubernetes service
  4131. account token for the service account referenced by `serviceAccountRef`.
4132. Defaults to a single audience `vault` if not specified.
  4133. Deprecated: use serviceAccountRef.Audiences instead
  4134. items:
  4135. type: string
  4136. type: array
  4137. expirationSeconds:
  4138. description: |-
  4139. Optional expiration time in seconds that will be used to request a temporary
  4140. Kubernetes service account token for the service account referenced by
  4141. `serviceAccountRef`.
  4142. Deprecated: this will be removed in the future.
  4143. Defaults to 10 minutes.
  4144. format: int64
  4145. type: integer
  4146. serviceAccountRef:
  4147. description: Service account field containing the name of a kubernetes ServiceAccount.
  4148. properties:
  4149. audiences:
  4150. description: |-
  4151. Audience specifies the `aud` claim for the service account token
  4152. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4153. then these audiences will be appended to the list
  4154. items:
  4155. type: string
  4156. type: array
  4157. name:
  4158. description: The name of the ServiceAccount resource being referred to.
  4159. type: string
  4160. namespace:
  4161. description: |-
  4162. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4163. to the namespace of the referent.
  4164. type: string
  4165. required:
  4166. - name
  4167. type: object
  4168. required:
  4169. - serviceAccountRef
  4170. type: object
  4171. path:
  4172. default: jwt
  4173. description: |-
  4174. Path where the JWT authentication backend is mounted
  4175. in Vault, e.g: "jwt"
  4176. type: string
  4177. role:
  4178. description: |-
  4179. Role is a JWT role to authenticate using the JWT/OIDC Vault
  4180. authentication method
  4181. type: string
  4182. secretRef:
  4183. description: |-
  4184. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  4185. authenticate with Vault using the JWT/OIDC authentication method.
  4186. properties:
  4187. key:
  4188. description: |-
  4189. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4190. defaulted, in others it may be required.
  4191. type: string
  4192. name:
  4193. description: The name of the Secret resource being referred to.
  4194. type: string
  4195. namespace:
  4196. description: |-
  4197. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4198. to the namespace of the referent.
  4199. type: string
  4200. type: object
  4201. required:
  4202. - path
  4203. type: object
  4204. kubernetes:
  4205. description: |-
  4206. Kubernetes authenticates with Vault by passing the ServiceAccount
  4207. token stored in the named Secret resource to the Vault server.
  4208. properties:
  4209. mountPath:
  4210. default: kubernetes
  4211. description: |-
  4212. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  4213. "kubernetes"
  4214. type: string
  4215. role:
  4216. description: |-
  4217. A required field containing the Vault Role to assume. A Role binds a
  4218. Kubernetes ServiceAccount with a set of Vault policies.
  4219. type: string
  4220. secretRef:
  4221. description: |-
  4222. Optional secret field containing a Kubernetes ServiceAccount JWT used
  4223. for authenticating with Vault. If a name is specified without a key,
  4224. `token` is the default. If one is not specified, the one bound to
  4225. the controller will be used.
  4226. properties:
  4227. key:
  4228. description: |-
  4229. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4230. defaulted, in others it may be required.
  4231. type: string
  4232. name:
  4233. description: The name of the Secret resource being referred to.
  4234. type: string
  4235. namespace:
  4236. description: |-
  4237. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4238. to the namespace of the referent.
  4239. type: string
  4240. type: object
  4241. serviceAccountRef:
  4242. description: |-
  4243. Optional service account field containing the name of a kubernetes ServiceAccount.
  4244. If the service account is specified, the service account secret token JWT will be used
  4245. for authenticating with Vault. If the service account selector is not supplied,
  4246. the secretRef will be used instead.
  4247. properties:
  4248. audiences:
  4249. description: |-
  4250. Audience specifies the `aud` claim for the service account token
  4251. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4252. then these audiences will be appended to the list
  4253. items:
  4254. type: string
  4255. type: array
  4256. name:
  4257. description: The name of the ServiceAccount resource being referred to.
  4258. type: string
  4259. namespace:
  4260. description: |-
  4261. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4262. to the namespace of the referent.
  4263. type: string
  4264. required:
  4265. - name
  4266. type: object
  4267. required:
  4268. - mountPath
  4269. - role
  4270. type: object
  4271. ldap:
  4272. description: |-
  4273. Ldap authenticates with Vault by passing username/password pair using
  4274. the LDAP authentication method
  4275. properties:
  4276. path:
  4277. default: ldap
  4278. description: |-
  4279. Path where the LDAP authentication backend is mounted
  4280. in Vault, e.g: "ldap"
  4281. type: string
  4282. secretRef:
  4283. description: |-
  4284. SecretRef to a key in a Secret resource containing password for the LDAP
  4285. user used to authenticate with Vault using the LDAP authentication
  4286. method
  4287. properties:
  4288. key:
  4289. description: |-
  4290. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4291. defaulted, in others it may be required.
  4292. type: string
  4293. name:
  4294. description: The name of the Secret resource being referred to.
  4295. type: string
  4296. namespace:
  4297. description: |-
  4298. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4299. to the namespace of the referent.
  4300. type: string
  4301. type: object
  4302. username:
  4303. description: |-
4304. Username is an LDAP user name used to authenticate using the LDAP Vault
  4305. authentication method
  4306. type: string
  4307. required:
  4308. - path
  4309. - username
  4310. type: object
  4311. namespace:
  4312. description: |-
4313. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  4314. Namespaces is a set of features within Vault Enterprise that allows
  4315. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4316. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
4317. This defaults to the Vault.Namespace field if set, and is empty otherwise
  4318. type: string
  4319. tokenSecretRef:
  4320. description: TokenSecretRef authenticates with Vault by presenting a token.
  4321. properties:
  4322. key:
  4323. description: |-
  4324. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4325. defaulted, in others it may be required.
  4326. type: string
  4327. name:
  4328. description: The name of the Secret resource being referred to.
  4329. type: string
  4330. namespace:
  4331. description: |-
  4332. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4333. to the namespace of the referent.
  4334. type: string
  4335. type: object
  4336. userPass:
  4337. description: UserPass authenticates with Vault by passing username/password pair
  4338. properties:
  4339. path:
  4340. default: user
  4341. description: |-
  4342. Path where the UserPassword authentication backend is mounted
  4343. in Vault, e.g: "user"
  4344. type: string
  4345. secretRef:
  4346. description: |-
  4347. SecretRef to a key in a Secret resource containing password for the
  4348. user used to authenticate with Vault using the UserPass authentication
  4349. method
  4350. properties:
  4351. key:
  4352. description: |-
  4353. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4354. defaulted, in others it may be required.
  4355. type: string
  4356. name:
  4357. description: The name of the Secret resource being referred to.
  4358. type: string
  4359. namespace:
  4360. description: |-
  4361. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4362. to the namespace of the referent.
  4363. type: string
  4364. type: object
  4365. username:
  4366. description: |-
  4367. Username is a user name used to authenticate using the UserPass Vault
  4368. authentication method
  4369. type: string
  4370. required:
  4371. - path
  4372. - username
  4373. type: object
  4374. type: object
  4375. caBundle:
  4376. description: |-
  4377. PEM encoded CA bundle used to validate Vault server certificate. Only used
  4378. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4379. plain HTTP protocol connection. If not set the system root certificates
  4380. are used to validate the TLS connection.
  4381. format: byte
  4382. type: string
  4383. caProvider:
  4384. description: The provider for the CA bundle to use to validate Vault server certificate.
  4385. properties:
  4386. key:
  4387. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4388. type: string
  4389. name:
  4390. description: The name of the object located at the provider type.
  4391. type: string
  4392. namespace:
  4393. description: |-
  4394. The namespace the Provider type is in.
  4395. Can only be defined when used in a ClusterSecretStore.
  4396. type: string
  4397. type:
  4398. description: The type of provider to use such as "Secret", or "ConfigMap".
  4399. enum:
  4400. - Secret
  4401. - ConfigMap
  4402. type: string
  4403. required:
  4404. - name
  4405. - type
  4406. type: object
  4407. forwardInconsistent:
  4408. description: |-
  4409. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  4410. leader instead of simply retrying within a loop. This can increase performance if
  4411. the option is enabled serverside.
  4412. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4413. type: boolean
  4414. namespace:
  4415. description: |-
  4416. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  4417. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4418. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4419. type: string
  4420. path:
  4421. description: |-
  4422. Path is the mount path of the Vault KV backend endpoint, e.g:
  4423. "secret". The v2 KV secret engine version specific "/data" path suffix
  4424. for fetching secrets from Vault is optional and will be appended
  4425. if not present in specified path.
  4426. type: string
  4427. readYourWrites:
  4428. description: |-
  4429. ReadYourWrites ensures isolated read-after-write semantics by
  4430. providing discovered cluster replication states in each request.
  4431. More information about eventual consistency in Vault can be found here
  4432. https://www.vaultproject.io/docs/enterprise/consistency
  4433. type: boolean
  4434. server:
  4435. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4436. type: string
  4437. tls:
  4438. description: |-
  4439. The configuration used for client side related TLS communication, when the Vault server
  4440. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  4441. This parameter is ignored for plain HTTP protocol connection.
  4442. It's worth noting this configuration is different from the "TLS certificates auth method",
  4443. which is available under the `auth.cert` section.
  4444. properties:
  4445. certSecretRef:
  4446. description: |-
  4447. CertSecretRef is a certificate added to the transport layer
  4448. when communicating with the Vault server.
  4449. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  4450. properties:
  4451. key:
  4452. description: |-
  4453. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4454. defaulted, in others it may be required.
  4455. type: string
  4456. name:
  4457. description: The name of the Secret resource being referred to.
  4458. type: string
  4459. namespace:
  4460. description: |-
  4461. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4462. to the namespace of the referent.
  4463. type: string
  4464. type: object
  4465. keySecretRef:
  4466. description: |-
  4467. KeySecretRef to a key in a Secret resource containing client private key
  4468. added to the transport layer when communicating with the Vault server.
  4469. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  4470. properties:
  4471. key:
  4472. description: |-
  4473. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4474. defaulted, in others it may be required.
  4475. type: string
  4476. name:
  4477. description: The name of the Secret resource being referred to.
  4478. type: string
  4479. namespace:
  4480. description: |-
  4481. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4482. to the namespace of the referent.
  4483. type: string
  4484. type: object
  4485. type: object
  4486. version:
  4487. default: v2
  4488. description: |-
  4489. Version is the Vault KV secret engine version. This can be either "v1" or
  4490. "v2". Version defaults to "v2".
  4491. enum:
  4492. - v1
  4493. - v2
  4494. type: string
  4495. required:
  4496. - auth
  4497. - server
  4498. type: object
  4499. webhook:
  4500. description: Webhook configures this store to sync secrets using a generic templated webhook
  4501. properties:
  4502. body:
  4503. description: Body
  4504. type: string
  4505. caBundle:
  4506. description: |-
  4507. PEM encoded CA bundle used to validate webhook server certificate. Only used
  4508. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4509. plain HTTP protocol connection. If not set the system root certificates
  4510. are used to validate the TLS connection.
  4511. format: byte
  4512. type: string
  4513. caProvider:
  4514. description: The provider for the CA bundle to use to validate webhook server certificate.
  4515. properties:
  4516. key:
4517. description: The key of the value inside the provider type to use; only used with the "Secret" type
  4518. type: string
  4519. name:
  4520. description: The name of the object located at the provider type.
  4521. type: string
  4522. namespace:
  4523. description: The namespace the Provider type is in.
  4524. type: string
  4525. type:
  4526. description: The type of provider to use such as "Secret", or "ConfigMap".
  4527. enum:
  4528. - Secret
  4529. - ConfigMap
  4530. type: string
  4531. required:
  4532. - name
  4533. - type
  4534. type: object
  4535. headers:
  4536. additionalProperties:
  4537. type: string
  4538. description: Headers
  4539. type: object
  4540. method:
  4541. description: Webhook Method
  4542. type: string
  4543. result:
  4544. description: Result formatting
  4545. properties:
  4546. jsonPath:
  4547. description: Json path of return value
  4548. type: string
  4549. type: object
  4550. secrets:
  4551. description: |-
  4552. Secrets to fill in templates
  4553. These secrets will be passed to the templating function as key value pairs under the given name
  4554. items:
  4555. properties:
  4556. name:
  4557. description: Name of this secret in templates
  4558. type: string
  4559. secretRef:
  4560. description: Secret ref to fill in credentials
  4561. properties:
  4562. key:
  4563. description: |-
  4564. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4565. defaulted, in others it may be required.
  4566. type: string
  4567. name:
  4568. description: The name of the Secret resource being referred to.
  4569. type: string
  4570. namespace:
  4571. description: |-
  4572. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4573. to the namespace of the referent.
  4574. type: string
  4575. type: object
  4576. required:
  4577. - name
  4578. - secretRef
  4579. type: object
  4580. type: array
  4581. timeout:
  4582. description: Timeout
  4583. type: string
  4584. url:
  4585. description: Webhook url to call
  4586. type: string
  4587. required:
  4588. - result
  4589. - url
  4590. type: object
  4591. yandexcertificatemanager:
  4592. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  4593. properties:
  4594. apiEndpoint:
  4595. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4596. type: string
  4597. auth:
  4598. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  4599. properties:
  4600. authorizedKeySecretRef:
  4601. description: The authorized key used for authentication
  4602. properties:
  4603. key:
  4604. description: |-
  4605. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4606. defaulted, in others it may be required.
  4607. type: string
  4608. name:
  4609. description: The name of the Secret resource being referred to.
  4610. type: string
  4611. namespace:
  4612. description: |-
  4613. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4614. to the namespace of the referent.
  4615. type: string
  4616. type: object
  4617. type: object
  4618. caProvider:
  4619. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4620. properties:
  4621. certSecretRef:
  4622. description: |-
4623. A reference to a specific 'key' within a Secret resource.
4624. In some instances, `key` is a required field.
  4625. properties:
  4626. key:
  4627. description: |-
  4628. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4629. defaulted, in others it may be required.
  4630. type: string
  4631. name:
  4632. description: The name of the Secret resource being referred to.
  4633. type: string
  4634. namespace:
  4635. description: |-
  4636. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4637. to the namespace of the referent.
  4638. type: string
  4639. type: object
  4640. type: object
  4641. required:
  4642. - auth
  4643. type: object
  4644. yandexlockbox:
  4645. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4646. properties:
  4647. apiEndpoint:
  4648. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4649. type: string
  4650. auth:
  4651. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4652. properties:
  4653. authorizedKeySecretRef:
  4654. description: The authorized key used for authentication
  4655. properties:
  4656. key:
  4657. description: |-
  4658. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4659. defaulted, in others it may be required.
  4660. type: string
  4661. name:
  4662. description: The name of the Secret resource being referred to.
  4663. type: string
  4664. namespace:
  4665. description: |-
  4666. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4667. to the namespace of the referent.
  4668. type: string
  4669. type: object
  4670. type: object
  4671. caProvider:
  4672. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4673. properties:
  4674. certSecretRef:
  4675. description: |-
4676. A reference to a specific 'key' within a Secret resource.
4677. In some instances, `key` is a required field.
  4678. properties:
  4679. key:
  4680. description: |-
  4681. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4682. defaulted, in others it may be required.
  4683. type: string
  4684. name:
  4685. description: The name of the Secret resource being referred to.
  4686. type: string
  4687. namespace:
  4688. description: |-
  4689. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4690. to the namespace of the referent.
  4691. type: string
  4692. type: object
  4693. type: object
  4694. required:
  4695. - auth
  4696. type: object
  4697. type: object
  4698. refreshInterval:
  4699. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  4700. type: integer
  4701. retrySettings:
4702. description: Used to configure HTTP retries on failure
  4703. properties:
  4704. maxRetries:
  4705. format: int32
  4706. type: integer
  4707. retryInterval:
  4708. type: string
  4709. type: object
  4710. required:
  4711. - provider
  4712. type: object
  4713. status:
  4714. description: SecretStoreStatus defines the observed state of the SecretStore.
  4715. properties:
  4716. capabilities:
  4717. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  4718. type: string
  4719. conditions:
  4720. items:
  4721. properties:
  4722. lastTransitionTime:
  4723. format: date-time
  4724. type: string
  4725. message:
  4726. type: string
  4727. reason:
  4728. type: string
  4729. status:
  4730. type: string
  4731. type:
  4732. type: string
  4733. required:
  4734. - status
  4735. - type
  4736. type: object
  4737. type: array
  4738. type: object
  4739. type: object
  4740. served: true
  4741. storage: true
  4742. subresources:
  4743. status: {}
  4744. conversion:
  4745. strategy: Webhook
  4746. webhook:
  4747. conversionReviewVersions:
  4748. - v1
  4749. clientConfig:
  4750. service:
  4751. name: kubernetes
  4752. namespace: default
  4753. path: /convert
  4754. ---
  4755. apiVersion: apiextensions.k8s.io/v1
  4756. kind: CustomResourceDefinition
  4757. metadata:
  4758. annotations:
  4759. controller-gen.kubebuilder.io/version: v0.14.0
  4760. name: externalsecrets.external-secrets.io
  4761. spec:
  4762. group: external-secrets.io
  4763. names:
  4764. categories:
  4765. - externalsecrets
  4766. kind: ExternalSecret
  4767. listKind: ExternalSecretList
  4768. plural: externalsecrets
  4769. shortNames:
  4770. - es
  4771. singular: externalsecret
  4772. scope: Namespaced
  4773. versions:
  4774. - additionalPrinterColumns:
  4775. - jsonPath: .spec.secretStoreRef.name
  4776. name: Store
  4777. type: string
  4778. - jsonPath: .spec.refreshInterval
  4779. name: Refresh Interval
  4780. type: string
  4781. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4782. name: Status
  4783. type: string
  4784. deprecated: true
  4785. name: v1alpha1
  4786. schema:
  4787. openAPIV3Schema:
  4788. description: ExternalSecret is the Schema for the external-secrets API.
  4789. properties:
  4790. apiVersion:
  4791. description: |-
  4792. APIVersion defines the versioned schema of this representation of an object.
  4793. Servers should convert recognized schemas to the latest internal value, and
  4794. may reject unrecognized values.
  4795. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  4796. type: string
  4797. kind:
  4798. description: |-
  4799. Kind is a string value representing the REST resource this object represents.
  4800. Servers may infer this from the endpoint the client submits requests to.
  4801. Cannot be updated.
  4802. In CamelCase.
  4803. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  4804. type: string
  4805. metadata:
  4806. type: object
  4807. spec:
  4808. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  4809. properties:
  4810. data:
  4811. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  4812. items:
  4813. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  4814. properties:
  4815. remoteRef:
  4816. description: ExternalSecretDataRemoteRef defines Provider data location.
  4817. properties:
  4818. conversionStrategy:
  4819. default: Default
  4820. description: Used to define a conversion Strategy
  4821. enum:
  4822. - Default
  4823. - Unicode
  4824. type: string
  4825. key:
  4826. description: Key is the key used in the Provider, mandatory
  4827. type: string
  4828. property:
  4829. description: Used to select a specific property of the Provider value (if a map), if supported
  4830. type: string
  4831. version:
  4832. description: Used to select a specific version of the Provider value, if supported
  4833. type: string
  4834. required:
  4835. - key
  4836. type: object
  4837. secretKey:
  4838. type: string
  4839. required:
  4840. - remoteRef
  4841. - secretKey
  4842. type: object
  4843. type: array
  4844. dataFrom:
  4845. description: |-
4846. DataFrom is used to fetch all properties from a specific Provider data entry.
  4847. If multiple entries are specified, the Secret keys are merged in the specified order
  4848. items:
  4849. description: ExternalSecretDataRemoteRef defines Provider data location.
  4850. properties:
  4851. conversionStrategy:
  4852. default: Default
  4853. description: Used to define a conversion Strategy
  4854. enum:
  4855. - Default
  4856. - Unicode
  4857. type: string
  4858. key:
  4859. description: Key is the key used in the Provider, mandatory
  4860. type: string
  4861. property:
  4862. description: Used to select a specific property of the Provider value (if a map), if supported
  4863. type: string
  4864. version:
  4865. description: Used to select a specific version of the Provider value, if supported
  4866. type: string
  4867. required:
  4868. - key
  4869. type: object
  4870. type: array
  4871. refreshInterval:
  4872. default: 1h
  4873. description: |-
  4874. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  4875. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  4876. May be set to zero to fetch and create it once (values that later change in the provider are then not re-read). Defaults to 1h.
  4877. type: string
  4878. secretStoreRef:
  4879. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  4880. properties:
  4881. kind:
  4882. description: |-
  4883. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  4884. Defaults to `SecretStore`
  4885. type: string
  4886. name:
  4887. description: Name of the SecretStore resource
  4888. type: string
  4889. required:
  4890. - name
  4891. type: object
  4892. target:
  4893. description: |-
  4894. ExternalSecretTarget defines the Kubernetes Secret to be created
  4895. There can be only one target per ExternalSecret.
  4896. properties:
  4897. creationPolicy:
  4898. default: Owner
  4899. description: |-
  4900. CreationPolicy defines rules on how to create the resulting Secret
  4901. Defaults to 'Owner'
  4902. enum:
  4903. - Owner
  4904. - Merge
  4905. - None
  4906. type: string
  4907. immutable:
  4908. description: Immutable defines if the final secret will be immutable
  4909. type: boolean
  4910. name:
  4911. description: |-
  4912. Name defines the name of the Secret resource to be managed
  4913. This field is immutable
  4914. Defaults to the .metadata.name of the ExternalSecret resource
  4915. type: string
  4916. template:
  4917. description: Template defines a blueprint for the created Secret resource. The templates in .data and .templateFrom[] are compiled and executed when the Secret is rendered, so ConfigMaps and Secrets referenced via templateFrom must be treated as trusted input.
  4918. properties:
  4919. data:
  4920. additionalProperties:
  4921. type: string
  4922. type: object
  4923. engineVersion:
  4924. default: v1
  4925. description: |-
  4926. EngineVersion specifies the template engine version
  4927. that should be used to compile/execute the
  4928. template specified in .data and .templateFrom[].
  4929. enum:
  4930. - v1
  4931. - v2
  4932. type: string
  4933. metadata:
  4934. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  4935. properties:
  4936. annotations:
  4937. additionalProperties:
  4938. type: string
  4939. type: object
  4940. labels:
  4941. additionalProperties:
  4942. type: string
  4943. type: object
  4944. type: object
  4945. templateFrom:
  4946. items:
  4947. maxProperties: 1
  4948. minProperties: 1
  4949. properties:
  4950. configMap:
  4951. properties:
  4952. items:
  4953. items:
  4954. properties:
  4955. key:
  4956. type: string
  4957. required:
  4958. - key
  4959. type: object
  4960. type: array
  4961. name:
  4962. type: string
  4963. required:
  4964. - items
  4965. - name
  4966. type: object
  4967. secret:
  4968. properties:
  4969. items:
  4970. items:
  4971. properties:
  4972. key:
  4973. type: string
  4974. required:
  4975. - key
  4976. type: object
  4977. type: array
  4978. name:
  4979. type: string
  4980. required:
  4981. - items
  4982. - name
  4983. type: object
  4984. type: object
  4985. type: array
  4986. type:
  4987. type: string
  4988. type: object
  4989. type: object
  4990. required:
  4991. - secretStoreRef
  4992. - target
  4993. type: object
  4994. status:
  4995. properties:
  4996. binding:
  4997. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  4998. properties:
  4999. name:
  5000. description: |-
  5001. Name of the referent.
  5002. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5003. TODO: Add other useful fields. apiVersion, kind, uid?
  5004. type: string
  5005. type: object
  5006. x-kubernetes-map-type: atomic
  5007. conditions:
  5008. items:
  5009. properties:
  5010. lastTransitionTime:
  5011. format: date-time
  5012. type: string
  5013. message:
  5014. type: string
  5015. reason:
  5016. type: string
  5017. status:
  5018. type: string
  5019. type:
  5020. type: string
  5021. required:
  5022. - status
  5023. - type
  5024. type: object
  5025. type: array
  5026. refreshTime:
  5027. description: |-
  5028. refreshTime is the time and date the external secret was fetched and
  5029. the target secret updated
  5030. format: date-time
  5031. nullable: true
  5032. type: string
  5033. syncedResourceVersion:
  5034. description: SyncedResourceVersion keeps track of the last synced version
  5035. type: string
  5036. type: object
  5037. type: object
  5038. served: true
  5039. storage: false
  5040. subresources:
  5041. status: {}
  5042. - additionalPrinterColumns:
  5043. - jsonPath: .spec.secretStoreRef.name
  5044. name: Store
  5045. type: string
  5046. - jsonPath: .spec.refreshInterval
  5047. name: Refresh Interval
  5048. type: string
  5049. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5050. name: Status
  5051. type: string
  5052. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5053. name: Ready
  5054. type: string
  5055. name: v1beta1
  5056. schema:
  5057. openAPIV3Schema:
  5058. description: ExternalSecret is the Schema for the external-secrets API.
  5059. properties:
  5060. apiVersion:
  5061. description: |-
  5062. APIVersion defines the versioned schema of this representation of an object.
  5063. Servers should convert recognized schemas to the latest internal value, and
  5064. may reject unrecognized values.
  5065. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5066. type: string
  5067. kind:
  5068. description: |-
  5069. Kind is a string value representing the REST resource this object represents.
  5070. Servers may infer this from the endpoint the client submits requests to.
  5071. Cannot be updated.
  5072. In CamelCase.
  5073. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5074. type: string
  5075. metadata:
  5076. type: object
  5077. spec:
  5078. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  5079. properties:
  5080. data:
  5081. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  5082. items:
  5083. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  5084. properties:
  5085. remoteRef:
  5086. description: |-
  5087. RemoteRef points to the remote secret and defines
  5088. which secret (version/property/..) to fetch.
  5089. properties:
  5090. conversionStrategy:
  5091. default: Default
  5092. description: Used to define a conversion Strategy
  5093. enum:
  5094. - Default
  5095. - Unicode
  5096. type: string
  5097. decodingStrategy:
  5098. default: None
  5099. description: Used to define a decoding Strategy
  5100. enum:
  5101. - Auto
  5102. - Base64
  5103. - Base64URL
  5104. - None
  5105. type: string
  5106. key:
  5107. description: Key is the key used in the Provider, mandatory
  5108. type: string
  5109. metadataPolicy:
  5110. default: None
  5111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  5112. enum:
  5113. - None
  5114. - Fetch
  5115. type: string
  5116. property:
  5117. description: Used to select a specific property of the Provider value (if a map), if supported
  5118. type: string
  5119. version:
  5120. description: Used to select a specific version of the Provider value, if supported
  5121. type: string
  5122. required:
  5123. - key
  5124. type: object
  5125. secretKey:
  5126. description: |-
  5127. SecretKey defines the key in which the controller stores
  5128. the value. This is the key in the Kind=Secret
  5129. type: string
  5130. sourceRef:
  5131. description: |-
  5132. SourceRef allows you to override the source
  5133. from which the value will be pulled.
  5134. maxProperties: 1
  5135. properties:
  5136. generatorRef:
  5137. description: |-
  5138. GeneratorRef points to a generator custom resource.
  5139. Deprecated: generatorRef is not implemented in .data[] and
  5140. will be removed with v1.
  5141. properties:
  5142. apiVersion:
  5143. default: generators.external-secrets.io/v1alpha1
  5144. description: Specify the apiVersion of the generator resource
  5145. type: string
  5146. kind:
  5147. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5148. type: string
  5149. name:
  5150. description: Specify the name of the generator resource
  5151. type: string
  5152. required:
  5153. - kind
  5154. - name
  5155. type: object
  5156. storeRef:
  5157. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5158. properties:
  5159. kind:
  5160. description: |-
  5161. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5162. Defaults to `SecretStore`
  5163. type: string
  5164. name:
  5165. description: Name of the SecretStore resource
  5166. type: string
  5167. required:
  5168. - name
  5169. type: object
  5170. type: object
  5171. required:
  5172. - remoteRef
  5173. - secretKey
  5174. type: object
  5175. type: array
  5176. dataFrom:
  5177. description: |-
  5178. DataFrom is used to fetch all properties from a specific Provider data
  5179. If multiple entries are specified, the Secret keys are merged in the specified order
  5180. items:
  5181. properties:
  5182. extract:
  5183. description: |-
  5184. Used to extract multiple key/value pairs from one secret
  5185. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5186. properties:
  5187. conversionStrategy:
  5188. default: Default
  5189. description: Used to define a conversion Strategy
  5190. enum:
  5191. - Default
  5192. - Unicode
  5193. type: string
  5194. decodingStrategy:
  5195. default: None
  5196. description: Used to define a decoding Strategy
  5197. enum:
  5198. - Auto
  5199. - Base64
  5200. - Base64URL
  5201. - None
  5202. type: string
  5203. key:
  5204. description: Key is the key used in the Provider, mandatory
  5205. type: string
  5206. metadataPolicy:
  5207. default: None
  5208. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  5209. enum:
  5210. - None
  5211. - Fetch
  5212. type: string
  5213. property:
  5214. description: Used to select a specific property of the Provider value (if a map), if supported
  5215. type: string
  5216. version:
  5217. description: Used to select a specific version of the Provider value, if supported
  5218. type: string
  5219. required:
  5220. - key
  5221. type: object
  5222. find:
  5223. description: |-
  5224. Used to find secrets based on tags or regular expressions. Every provider secret that matches is pulled into the target Secret, so keep the expression (and `path`, where supported) as narrow as possible.
  5225. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5226. properties:
  5227. conversionStrategy:
  5228. default: Default
  5229. description: Used to define a conversion Strategy
  5230. enum:
  5231. - Default
  5232. - Unicode
  5233. type: string
  5234. decodingStrategy:
  5235. default: None
  5236. description: Used to define a decoding Strategy
  5237. enum:
  5238. - Auto
  5239. - Base64
  5240. - Base64URL
  5241. - None
  5242. type: string
  5243. name:
  5244. description: Finds secrets based on the name.
  5245. properties:
  5246. regexp:
  5247. description: Finds secrets whose name matches this regular expression.
  5248. type: string
  5249. type: object
  5250. path:
  5251. description: A root path to start the find operations.
  5252. type: string
  5253. tags:
  5254. additionalProperties:
  5255. type: string
  5256. description: Find secrets based on tags.
  5257. type: object
  5258. type: object
  5259. rewrite:
  5260. description: |-
  5261. Used to rewrite secret Keys after getting them from the secret Provider
  5262. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  5263. items:
  5264. properties:
  5265. regexp:
  5266. description: |-
  5267. Used to rewrite with regular expressions.
  5268. The resulting key will be the output of a regexp.ReplaceAll operation.
  5269. properties:
  5270. source:
  5271. description: Used to define the regular expression (Go regexp syntax) that is matched against the secret key.
  5272. type: string
  5273. target:
  5274. description: Used to define the target pattern of a ReplaceAll operation.
  5275. type: string
  5276. required:
  5277. - source
  5278. - target
  5279. type: object
  5280. transform:
  5281. description: |-
  5282. Used to apply string transformation on the secrets.
  5283. The resulting key will be the output of the template applied by the operation.
  5284. properties:
  5285. template:
  5286. description: |-
  5287. Used to define the template to apply on the secret name.
  5288. `.value` refers to the original secret name within the template.
  5289. type: string
  5290. required:
  5291. - template
  5292. type: object
  5293. type: object
  5294. type: array
  5295. sourceRef:
  5296. description: |-
  5297. SourceRef points to a store or generator
  5298. which contains secret values ready to use.
  5299. Use this in combination with Extract or Find to pull values out of
  5300. a specific SecretStore.
  5301. When sourceRef points to a generator Extract or Find is not supported.
  5302. The generator returns a static map of values
  5303. maxProperties: 1
  5304. properties:
  5305. generatorRef:
  5306. description: GeneratorRef points to a generator custom resource.
  5307. properties:
  5308. apiVersion:
  5309. default: generators.external-secrets.io/v1alpha1
  5310. description: Specify the apiVersion of the generator resource
  5311. type: string
  5312. kind:
  5313. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5314. type: string
  5315. name:
  5316. description: Specify the name of the generator resource
  5317. type: string
  5318. required:
  5319. - kind
  5320. - name
  5321. type: object
  5322. storeRef:
  5323. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5324. properties:
  5325. kind:
  5326. description: |-
  5327. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5328. Defaults to `SecretStore`
  5329. type: string
  5330. name:
  5331. description: Name of the SecretStore resource
  5332. type: string
  5333. required:
  5334. - name
  5335. type: object
  5336. type: object
  5337. type: object
  5338. type: array
  5339. refreshInterval:
  5340. default: 1h
  5341. description: |-
  5342. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  5343. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  5344. May be set to zero to fetch and create it once (values that later change in the provider are then not re-read). Defaults to 1h.
  5345. type: string
  5346. secretStoreRef:
  5347. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5348. properties:
  5349. kind:
  5350. description: |-
  5351. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5352. Defaults to `SecretStore`
  5353. type: string
  5354. name:
  5355. description: Name of the SecretStore resource
  5356. type: string
  5357. required:
  5358. - name
  5359. type: object
  5360. target:
  5361. default:
  5362. creationPolicy: Owner
  5363. deletionPolicy: Retain
  5364. description: |-
  5365. ExternalSecretTarget defines the Kubernetes Secret to be created
  5366. There can be only one target per ExternalSecret.
  5367. properties:
  5368. creationPolicy:
  5369. default: Owner
  5370. description: |-
  5371. CreationPolicy defines rules on how to create the resulting Secret
  5372. Defaults to 'Owner'
  5373. enum:
  5374. - Owner
  5375. - Orphan
  5376. - Merge
  5377. - None
  5378. type: string
  5379. deletionPolicy:
  5380. default: Retain
  5381. description: |-
  5382. DeletionPolicy defines rules on how to delete the resulting Secret
  5383. Defaults to 'Retain'
  5384. enum:
  5385. - Delete
  5386. - Merge
  5387. - Retain
  5388. type: string
  5389. immutable:
  5390. description: Immutable defines if the final secret will be immutable
  5391. type: boolean
  5392. name:
  5393. description: |-
  5394. Name defines the name of the Secret resource to be managed
  5395. This field is immutable
  5396. Defaults to the .metadata.name of the ExternalSecret resource
  5397. type: string
  5398. template:
  5399. description: Template defines a blueprint for the created Secret resource. The templates in .data and .templateFrom[] are compiled and executed when the Secret is rendered, so ConfigMaps and Secrets referenced via templateFrom must be treated as trusted input.
  5400. properties:
  5401. data:
  5402. additionalProperties:
  5403. type: string
  5404. type: object
  5405. engineVersion:
  5406. default: v2
  5407. description: |-
  5408. EngineVersion specifies the template engine version
  5409. that should be used to compile/execute the
  5410. template specified in .data and .templateFrom[].
  5411. enum:
  5412. - v1
  5413. - v2
  5414. type: string
  5415. mergePolicy:
  5416. default: Replace
  5417. enum:
  5418. - Replace
  5419. - Merge
  5420. type: string
  5421. metadata:
  5422. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5423. properties:
  5424. annotations:
  5425. additionalProperties:
  5426. type: string
  5427. type: object
  5428. labels:
  5429. additionalProperties:
  5430. type: string
  5431. type: object
  5432. type: object
  5433. templateFrom:
  5434. items:
  5435. properties:
  5436. configMap:
  5437. properties:
  5438. items:
  5439. items:
  5440. properties:
  5441. key:
  5442. type: string
  5443. templateAs:
  5444. default: Values
  5445. enum:
  5446. - Values
  5447. - KeysAndValues
  5448. type: string
  5449. required:
  5450. - key
  5451. type: object
  5452. type: array
  5453. name:
  5454. type: string
  5455. required:
  5456. - items
  5457. - name
  5458. type: object
  5459. literal:
  5460. type: string
  5461. secret:
  5462. properties:
  5463. items:
  5464. items:
  5465. properties:
  5466. key:
  5467. type: string
  5468. templateAs:
  5469. default: Values
  5470. enum:
  5471. - Values
  5472. - KeysAndValues
  5473. type: string
  5474. required:
  5475. - key
  5476. type: object
  5477. type: array
  5478. name:
  5479. type: string
  5480. required:
  5481. - items
  5482. - name
  5483. type: object
  5484. target:
  5485. default: Data
  5486. enum:
  5487. - Data
  5488. - Annotations
  5489. - Labels
  5490. type: string
  5491. type: object
  5492. type: array
  5493. type:
  5494. type: string
  5495. type: object
  5496. type: object
  5497. type: object
  5498. status:
  5499. properties:
  5500. binding:
  5501. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  5502. properties:
  5503. name:
  5504. description: |-
  5505. Name of the referent.
  5506. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5507. TODO: Add other useful fields. apiVersion, kind, uid?
  5508. type: string
  5509. type: object
  5510. x-kubernetes-map-type: atomic
  5511. conditions:
  5512. items:
  5513. properties:
  5514. lastTransitionTime:
  5515. format: date-time
  5516. type: string
  5517. message:
  5518. type: string
  5519. reason:
  5520. type: string
  5521. status:
  5522. type: string
  5523. type:
  5524. type: string
  5525. required:
  5526. - status
  5527. - type
  5528. type: object
  5529. type: array
  5530. refreshTime:
  5531. description: |-
  5532. refreshTime is the time and date the external secret was fetched and
  5533. the target secret updated
  5534. format: date-time
  5535. nullable: true
  5536. type: string
  5537. syncedResourceVersion:
  5538. description: SyncedResourceVersion keeps track of the last synced version
  5539. type: string
  5540. type: object
  5541. type: object
  5542. served: true
  5543. storage: true
  5544. subresources:
  5545. status: {}
  5546. conversion:
  5547. strategy: Webhook
  5548. webhook:
  5549. conversionReviewVersions:
  5550. - v1
  5551. clientConfig:
  5552. service:
  5553. name: kubernetes
  5554. namespace: default
  5555. path: /convert
  5556. ---
  5557. apiVersion: apiextensions.k8s.io/v1
  5558. kind: CustomResourceDefinition
  5559. metadata:
  5560. annotations:
  5561. controller-gen.kubebuilder.io/version: v0.14.0
  5562. name: pushsecrets.external-secrets.io
  5563. spec:
  5564. group: external-secrets.io
  5565. names:
  5566. categories:
  5567. - pushsecrets
  5568. kind: PushSecret
  5569. listKind: PushSecretList
  5570. plural: pushsecrets
  5571. singular: pushsecret
  5572. scope: Namespaced
  5573. versions:
  5574. - additionalPrinterColumns:
  5575. - jsonPath: .metadata.creationTimestamp
  5576. name: AGE
  5577. type: date
  5578. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5579. name: Status
  5580. type: string
  5581. name: v1alpha1
  5582. schema:
  5583. openAPIV3Schema:
  5584. properties:
  5585. apiVersion:
  5586. description: |-
  5587. APIVersion defines the versioned schema of this representation of an object.
  5588. Servers should convert recognized schemas to the latest internal value, and
  5589. may reject unrecognized values.
  5590. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5591. type: string
  5592. kind:
  5593. description: |-
  5594. Kind is a string value representing the REST resource this object represents.
  5595. Servers may infer this from the endpoint the client submits requests to.
  5596. Cannot be updated.
  5597. In CamelCase.
  5598. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5599. type: string
  5600. metadata:
  5601. type: object
  5602. spec:
  5603. description: PushSecretSpec configures the behavior of the PushSecret.
  5604. properties:
  5605. data:
  5606. description: Secret Data that should be pushed to providers
  5607. items:
  5608. properties:
  5609. conversionStrategy:
  5610. default: None
  5611. description: Used to define a conversion Strategy for the secret keys
  5612. enum:
  5613. - None
  5614. - ReverseUnicode
  5615. type: string
  5616. match:
  5617. description: Match a given Secret Key to be pushed to the provider.
  5618. properties:
  5619. remoteRef:
  5620. description: Remote Refs to push to providers.
  5621. properties:
  5622. property:
  5623. description: Name of the property in the resulting secret
  5624. type: string
  5625. remoteKey:
  5626. description: Name of the resulting provider secret.
  5627. type: string
  5628. required:
  5629. - remoteKey
  5630. type: object
  5631. secretKey:
  5632. description: Secret Key to be pushed
  5633. type: string
  5634. required:
  5635. - remoteRef
  5636. type: object
  5637. metadata:
  5638. description: |-
  5639. Metadata is metadata attached to the secret.
  5640. The structure of metadata is provider specific, please look it up in the provider documentation. This field is not schema-validated, so its contents are passed through to the provider unchecked.
  5641. x-kubernetes-preserve-unknown-fields: true
  5642. required:
  5643. - match
  5644. type: object
  5645. type: array
  5646. deletionPolicy:
  5647. default: None
  5648. description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". With "Delete", the pushed secret is removed from the provider once the PushSecret no longer manages it; "None" leaves it in place. Defaults to "None".'
  5649. enum:
  5650. - Delete
  5651. - None
  5652. type: string
  5653. refreshInterval:
  5654. description: The interval at which External Secrets will (re-)push the secret definition to the provider(s).
  5655. type: string
  5656. secretStoreRefs:
  5657. items:
  5658. properties:
  5659. kind:
  5660. default: SecretStore
  5661. description: |-
  5662. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5663. Defaults to `SecretStore`
  5664. type: string
  5665. labelSelector:
  5666. description: Optionally, sync to secret stores with label selector
  5667. properties:
  5668. matchExpressions:
  5669. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  5670. items:
  5671. description: |-
  5672. A label selector requirement is a selector that contains values, a key, and an operator that
  5673. relates the key and values.
  5674. properties:
  5675. key:
  5676. description: key is the label key that the selector applies to.
  5677. type: string
  5678. operator:
  5679. description: |-
  5680. operator represents a key's relationship to a set of values.
  5681. Valid operators are In, NotIn, Exists and DoesNotExist.
  5682. type: string
  5683. values:
  5684. description: |-
  5685. values is an array of string values. If the operator is In or NotIn,
  5686. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  5687. the values array must be empty. This array is replaced during a strategic
  5688. merge patch.
  5689. items:
  5690. type: string
  5691. type: array
  5692. required:
  5693. - key
  5694. - operator
  5695. type: object
  5696. type: array
  5697. matchLabels:
  5698. additionalProperties:
  5699. type: string
  5700. description: |-
  5701. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  5702. map is equivalent to an element of matchExpressions, whose key field is "key", the
  5703. operator is "In", and the values array contains only "value". The requirements are ANDed.
  5704. type: object
  5705. type: object
  5706. x-kubernetes-map-type: atomic
  5707. name:
  5708. description: Optionally, sync to the SecretStore of the given name
  5709. type: string
  5710. type: object
  5711. type: array
  5712. selector:
  5713. description: The Secret Selector (k8s source) for the Push Secret
  5714. properties:
  5715. secret:
  5716. description: Select a Secret to Push.
  5717. properties:
  5718. name:
  5719. description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
  5720. type: string
  5721. required:
  5722. - name
  5723. type: object
  5724. required:
  5725. - secret
  5726. type: object
  5727. template:
  5728. description: Template defines a blueprint for the created Secret resource. The templates in .data and .templateFrom[] are compiled and executed when the Secret is rendered, so ConfigMaps and Secrets referenced via templateFrom must be treated as trusted input.
  5729. properties:
  5730. data:
  5731. additionalProperties:
  5732. type: string
  5733. type: object
  5734. engineVersion:
  5735. default: v2
  5736. description: |-
  5737. EngineVersion specifies the template engine version
  5738. that should be used to compile/execute the
  5739. template specified in .data and .templateFrom[].
  5740. enum:
  5741. - v1
  5742. - v2
  5743. type: string
  5744. mergePolicy:
  5745. default: Replace
  5746. enum:
  5747. - Replace
  5748. - Merge
  5749. type: string
  5750. metadata:
  5751. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5752. properties:
  5753. annotations:
  5754. additionalProperties:
  5755. type: string
  5756. type: object
  5757. labels:
  5758. additionalProperties:
  5759. type: string
  5760. type: object
  5761. type: object
  5762. templateFrom:
  5763. items:
  5764. properties:
  5765. configMap:
  5766. properties:
  5767. items:
  5768. items:
  5769. properties:
  5770. key:
  5771. type: string
  5772. templateAs:
  5773. default: Values
  5774. enum:
  5775. - Values
  5776. - KeysAndValues
  5777. type: string
  5778. required:
  5779. - key
  5780. type: object
  5781. type: array
  5782. name:
  5783. type: string
  5784. required:
  5785. - items
  5786. - name
  5787. type: object
  5788. literal:
  5789. type: string
  5790. secret:
  5791. properties:
  5792. items:
  5793. items:
  5794. properties:
  5795. key:
  5796. type: string
  5797. templateAs:
  5798. default: Values
  5799. enum:
  5800. - Values
  5801. - KeysAndValues
  5802. type: string
  5803. required:
  5804. - key
  5805. type: object
  5806. type: array
  5807. name:
  5808. type: string
  5809. required:
  5810. - items
  5811. - name
  5812. type: object
  5813. target:
  5814. default: Data
  5815. enum:
  5816. - Data
  5817. - Annotations
  5818. - Labels
  5819. type: string
  5820. type: object
  5821. type: array
  5822. type:
  5823. type: string
  5824. type: object
  5825. updatePolicy:
  5826. default: Replace
  5827. description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
  5828. enum:
  5829. - Replace
  5830. - IfNotExists
  5831. type: string
  5832. required:
  5833. - secretStoreRefs
  5834. - selector
  5835. type: object
  5836. status:
  5837. description: PushSecretStatus indicates the history of the status of PushSecret.
  5838. properties:
  5839. conditions:
  5840. items:
  5841. description: PushSecretStatusCondition indicates the status of the PushSecret.
  5842. properties:
  5843. lastTransitionTime:
  5844. format: date-time
  5845. type: string
  5846. message:
  5847. type: string
  5848. reason:
  5849. type: string
  5850. status:
  5851. type: string
  5852. type:
  5853. description: PushSecretConditionType indicates the condition of the PushSecret.
  5854. type: string
  5855. required:
  5856. - status
  5857. - type
  5858. type: object
  5859. type: array
  5860. refreshTime:
  5861. description: |-
  5862. refreshTime is the time and date the source Secret was last
  5863. read and pushed to the provider(s)
  5864. format: date-time
  5865. nullable: true
  5866. type: string
  5867. syncedPushSecrets:
  5868. additionalProperties:
  5869. additionalProperties:
  5870. properties:
  5871. conversionStrategy:
  5872. default: None
  5873. description: Used to define a conversion Strategy for the secret keys
  5874. enum:
  5875. - None
  5876. - ReverseUnicode
  5877. type: string
  5878. match:
  5879. description: Match a given Secret Key to be pushed to the provider.
  5880. properties:
  5881. remoteRef:
  5882. description: Remote Refs to push to providers.
  5883. properties:
  5884. property:
  5885. description: Name of the property in the resulting secret
  5886. type: string
  5887. remoteKey:
  5888. description: Name of the resulting provider secret.
  5889. type: string
  5890. required:
  5891. - remoteKey
  5892. type: object
  5893. secretKey:
  5894. description: Secret Key to be pushed
  5895. type: string
  5896. required:
  5897. - remoteRef
  5898. type: object
  5899. metadata:
  5900. description: |-
  5901. Metadata is metadata attached to the secret.
  5902. The structure of metadata is provider specific, please look it up in the provider documentation.
  5903. x-kubernetes-preserve-unknown-fields: true
  5904. required:
  5905. - match
  5906. type: object
  5907. type: object
  5908. description: |-
  5909. Synced PushSecrets, including secrets that already exist in provider.
  5910. Matches secret stores to PushSecretData that was stored to that secret store.
  5911. type: object
  5912. syncedResourceVersion:
  5913. description: SyncedResourceVersion keeps track of the last synced version.
  5914. type: string
  5915. type: object
  5916. type: object
  5917. served: true
  5918. storage: true
  5919. subresources:
  5920. status: {}
  5921. conversion:
  5922. strategy: Webhook
  5923. webhook:
  5924. conversionReviewVersions:
  5925. - v1
  5926. clientConfig:
  5927. service:
  5928. name: kubernetes
  5929. namespace: default
  5930. path: /convert
  5931. ---
  5932. apiVersion: apiextensions.k8s.io/v1
  5933. kind: CustomResourceDefinition
  5934. metadata:
  5935. annotations:
  5936. controller-gen.kubebuilder.io/version: v0.14.0
  5937. name: secretstores.external-secrets.io
  5938. spec:
  5939. group: external-secrets.io
  5940. names:
  5941. categories:
  5942. - externalsecrets
  5943. kind: SecretStore
  5944. listKind: SecretStoreList
  5945. plural: secretstores
  5946. shortNames:
  5947. - ss
  5948. singular: secretstore
  5949. scope: Namespaced
  5950. versions:
  5951. - additionalPrinterColumns:
  5952. - jsonPath: .metadata.creationTimestamp
  5953. name: AGE
  5954. type: date
  5955. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5956. name: Status
  5957. type: string
  5958. deprecated: true
  5959. name: v1alpha1
  5960. schema:
  5961. openAPIV3Schema:
  5962. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  5963. properties:
  5964. apiVersion:
  5965. description: |-
  5966. APIVersion defines the versioned schema of this representation of an object.
  5967. Servers should convert recognized schemas to the latest internal value, and
  5968. may reject unrecognized values.
  5969. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5970. type: string
  5971. kind:
  5972. description: |-
  5973. Kind is a string value representing the REST resource this object represents.
  5974. Servers may infer this from the endpoint the client submits requests to.
  5975. Cannot be updated.
  5976. In CamelCase.
  5977. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5978. type: string
  5979. metadata:
  5980. type: object
  5981. spec:
  5982. description: SecretStoreSpec defines the desired state of SecretStore.
  5983. properties:
  5984. controller:
  5985. description: |-
  5986. Used to select the correct ESO controller (think: ingress.ingressClassName)
  5987. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  5988. type: string
  5989. provider:
  5990. description: Used to configure the provider. Only one provider may be set
  5991. maxProperties: 1
  5992. minProperties: 1
  5993. properties:
  5994. akeyless:
  5995. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  5996. properties:
  5997. akeylessGWApiURL:
  5998. description: Akeyless GW API URL from which the secrets are to be fetched.
  5999. type: string
  6000. authSecretRef:
  6001. description: Auth configures how the operator authenticates with Akeyless.
  6002. properties:
  6003. kubernetesAuth:
  6004. description: |-
  6005. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  6006. token stored in the named Secret resource.
  6007. properties:
  6008. accessID:
  6009. description: the Akeyless Kubernetes auth-method access-id
  6010. type: string
  6011. k8sConfName:
  6012. description: Kubernetes-auth configuration name in Akeyless-Gateway
  6013. type: string
  6014. secretRef:
  6015. description: |-
  6016. Optional secret field containing a Kubernetes ServiceAccount JWT used
  6017. for authenticating with Akeyless. If a name is specified without a key,
  6018. `token` is the default. If one is not specified, the one bound to
  6019. the controller will be used.
  6020. properties:
  6021. key:
  6022. description: |-
  6023. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6024. defaulted, in others it may be required.
  6025. type: string
  6026. name:
  6027. description: The name of the Secret resource being referred to.
  6028. type: string
  6029. namespace:
  6030. description: |-
  6031. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6032. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6033. type: string
  6034. type: object
  6035. serviceAccountRef:
  6036. description: |-
  6037. Optional service account field containing the name of a kubernetes ServiceAccount.
  6038. If the service account is specified, the service account secret token JWT will be used
  6039. for authenticating with Akeyless. If the service account selector is not supplied,
  6040. the secretRef will be used instead.
  6041. properties:
  6042. audiences:
  6043. description: |-
  6044. Audience specifies the `aud` claim for the service account token
  6045. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6046. then these audiences will be appended to the list
  6047. items:
  6048. type: string
  6049. type: array
  6050. name:
  6051. description: The name of the ServiceAccount resource being referred to.
  6052. type: string
  6053. namespace:
  6054. description: |-
  6055. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6056. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6057. type: string
  6058. required:
  6059. - name
  6060. type: object
  6061. required:
  6062. - accessID
  6063. - k8sConfName
  6064. type: object
  6065. secretRef:
  6066. description: |-
  6067. Reference to a Secret that contains the details
  6068. to authenticate with Akeyless.
  6069. properties:
  6070. accessID:
  6071. description: The SecretAccessID is used for authentication
  6072. properties:
  6073. key:
  6074. description: |-
  6075. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6076. defaulted, in others it may be required.
  6077. type: string
  6078. name:
  6079. description: The name of the Secret resource being referred to.
  6080. type: string
  6081. namespace:
  6082. description: |-
  6083. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6084. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6085. type: string
  6086. type: object
  6087. accessType:
  6088. description: |-
  6089. A reference to a specific 'key' within a Secret resource.
  6090. In some instances, `key` is a required field.
  6091. properties:
  6092. key:
  6093. description: |-
  6094. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6095. defaulted, in others it may be required.
  6096. type: string
  6097. name:
  6098. description: The name of the Secret resource being referred to.
  6099. type: string
  6100. namespace:
  6101. description: |-
  6102. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6103. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6104. type: string
  6105. type: object
  6106. accessTypeParam:
  6107. description: |-
  6108. A reference to a specific 'key' within a Secret resource.
  6109. In some instances, `key` is a required field.
  6110. properties:
  6111. key:
  6112. description: |-
  6113. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6114. defaulted, in others it may be required.
  6115. type: string
  6116. name:
  6117. description: The name of the Secret resource being referred to.
  6118. type: string
  6119. namespace:
  6120. description: |-
  6121. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6122. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6123. type: string
  6124. type: object
  6125. type: object
  6126. type: object
  6127. caBundle:
  6128. description: |-
  6129. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  6130. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  6131. are used to validate the TLS connection.
  6132. format: byte
  6133. type: string
  6134. caProvider:
  6135. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  6136. properties:
  6137. key:
  6138. description: The key of the value inside the provider type to use; only used with the "Secret" type
  6139. type: string
  6140. name:
  6141. description: The name of the object located at the provider type.
  6142. type: string
  6143. namespace:
  6144. description: The namespace the Provider type is in.
  6145. type: string
  6146. type:
  6147. description: The type of provider to use such as "Secret", or "ConfigMap".
  6148. enum:
  6149. - Secret
  6150. - ConfigMap
  6151. type: string
  6152. required:
  6153. - name
  6154. - type
  6155. type: object
  6156. required:
  6157. - akeylessGWApiURL
  6158. - authSecretRef
  6159. type: object
  6160. alibaba:
  6161. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  6162. properties:
  6163. auth:
  6164. description: AlibabaAuth contains a secretRef for credentials.
  6165. properties:
  6166. rrsa:
  6167. description: Authenticate against Alibaba using RRSA.
  6168. properties:
  6169. oidcProviderArn:
  6170. type: string
  6171. oidcTokenFilePath:
  6172. type: string
  6173. roleArn:
  6174. type: string
  6175. sessionName:
  6176. type: string
  6177. required:
  6178. - oidcProviderArn
  6179. - oidcTokenFilePath
  6180. - roleArn
  6181. - sessionName
  6182. type: object
  6183. secretRef:
  6184. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  6185. properties:
  6186. accessKeyIDSecretRef:
  6187. description: The AccessKeyID is used for authentication
  6188. properties:
  6189. key:
  6190. description: |-
  6191. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6192. defaulted, in others it may be required.
  6193. type: string
  6194. name:
  6195. description: The name of the Secret resource being referred to.
  6196. type: string
  6197. namespace:
  6198. description: |-
  6199. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6200. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6201. type: string
  6202. type: object
  6203. accessKeySecretSecretRef:
  6204. description: The AccessKeySecret is used for authentication
  6205. properties:
  6206. key:
  6207. description: |-
  6208. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6209. defaulted, in others it may be required.
  6210. type: string
  6211. name:
  6212. description: The name of the Secret resource being referred to.
  6213. type: string
  6214. namespace:
  6215. description: |-
  6216. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6217. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6218. type: string
  6219. type: object
  6220. required:
  6221. - accessKeyIDSecretRef
  6222. - accessKeySecretSecretRef
  6223. type: object
  6224. type: object
  6225. regionID:
  6226. description: Alibaba Region to be used for the provider
  6227. type: string
  6228. required:
  6229. - auth
  6230. - regionID
  6231. type: object
  6232. aws:
  6233. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  6234. properties:
  6235. auth:
  6236. description: |-
  6237. Auth defines the information necessary to authenticate against AWS
  6238. if not set, the AWS SDK will infer credentials from your environment
  6239. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  6240. properties:
  6241. jwt:
  6242. description: Authenticate against AWS using service account tokens.
  6243. properties:
  6244. serviceAccountRef:
  6245. description: A reference to a ServiceAccount resource.
  6246. properties:
  6247. audiences:
  6248. description: |-
  6249. Audience specifies the `aud` claim for the service account token
  6250. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6251. then these audiences will be appended to the list
  6252. items:
  6253. type: string
  6254. type: array
  6255. name:
  6256. description: The name of the ServiceAccount resource being referred to.
  6257. type: string
  6258. namespace:
  6259. description: |-
  6260. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6261. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6262. type: string
  6263. required:
  6264. - name
  6265. type: object
  6266. type: object
  6267. secretRef:
  6268. description: |-
  6269. AWSAuthSecretRef holds secret references for AWS credentials
  6270. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  6271. properties:
  6272. accessKeyIDSecretRef:
  6273. description: The AccessKeyID is used for authentication
  6274. properties:
  6275. key:
  6276. description: |-
  6277. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6278. defaulted, in others it may be required.
  6279. type: string
  6280. name:
  6281. description: The name of the Secret resource being referred to.
  6282. type: string
  6283. namespace:
  6284. description: |-
  6285. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6286. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6287. type: string
  6288. type: object
  6289. secretAccessKeySecretRef:
  6290. description: The SecretAccessKey is used for authentication
  6291. properties:
  6292. key:
  6293. description: |-
  6294. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6295. defaulted, in others it may be required.
  6296. type: string
  6297. name:
  6298. description: The name of the Secret resource being referred to.
  6299. type: string
  6300. namespace:
  6301. description: |-
  6302. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6303. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6304. type: string
  6305. type: object
  6306. type: object
  6307. type: object
  6308. region:
  6309. description: AWS Region to be used for the provider
  6310. type: string
  6311. role:
  6312. description: Role is a Role ARN which the SecretManager provider will assume
  6313. type: string
  6314. service:
  6315. description: Service defines which service should be used to fetch the secrets
  6316. enum:
  6317. - SecretsManager
  6318. - ParameterStore
  6319. type: string
  6320. required:
  6321. - region
  6322. - service
  6323. type: object
  6324. azurekv:
  6325. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  6326. properties:
  6327. authSecretRef:
  6328. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  6329. properties:
  6330. clientId:
  6331. description: The Azure clientId of the service principal used for authentication.
  6332. properties:
  6333. key:
  6334. description: |-
  6335. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6336. defaulted, in others it may be required.
  6337. type: string
  6338. name:
  6339. description: The name of the Secret resource being referred to.
  6340. type: string
  6341. namespace:
  6342. description: |-
  6343. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6344. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6345. type: string
  6346. type: object
  6347. clientSecret:
  6348. description: The Azure ClientSecret of the service principal used for authentication.
  6349. properties:
  6350. key:
  6351. description: |-
  6352. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6353. defaulted, in others it may be required.
  6354. type: string
  6355. name:
  6356. description: The name of the Secret resource being referred to.
  6357. type: string
  6358. namespace:
  6359. description: |-
  6360. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6361. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6362. type: string
  6363. type: object
  6364. type: object
  6365. authType:
  6366. default: ServicePrincipal
  6367. description: |-
  6368. Auth type defines how to authenticate to the keyvault service.
  6369. Valid values are:
  6370. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  6371. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  6372. enum:
  6373. - ServicePrincipal
  6374. - ManagedIdentity
  6375. - WorkloadIdentity
  6376. type: string
  6377. identityId:
  6378. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  6379. type: string
  6380. serviceAccountRef:
  6381. description: |-
  6382. ServiceAccountRef specifies the service account
  6383. that should be used when authenticating with WorkloadIdentity.
  6384. properties:
  6385. audiences:
  6386. description: |-
  6387. Audience specifies the `aud` claim for the service account token
  6388. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6389. then these audiences will be appended to the list
  6390. items:
  6391. type: string
  6392. type: array
  6393. name:
  6394. description: The name of the ServiceAccount resource being referred to.
  6395. type: string
  6396. namespace:
  6397. description: |-
  6398. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6399. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6400. type: string
  6401. required:
  6402. - name
  6403. type: object
  6404. tenantId:
  6405. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  6406. type: string
  6407. vaultUrl:
  6408. description: Vault URL from which the secrets are to be fetched.
  6409. type: string
  6410. required:
  6411. - vaultUrl
  6412. type: object
  6413. fake:
  6414. description: Fake configures a store with static key/value pairs
  6415. properties:
  6416. data:
  6417. items:
  6418. properties:
  6419. key:
  6420. type: string
  6421. value:
  6422. type: string
  6423. valueMap:
  6424. additionalProperties:
  6425. type: string
  6426. type: object
  6427. version:
  6428. type: string
  6429. required:
  6430. - key
  6431. type: object
  6432. type: array
  6433. required:
  6434. - data
  6435. type: object
  6436. gcpsm:
  6437. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  6438. properties:
  6439. auth:
  6440. description: Auth defines the information necessary to authenticate against GCP
  6441. properties:
  6442. secretRef:
  6443. properties:
  6444. secretAccessKeySecretRef:
  6445. description: The SecretAccessKey is used for authentication
  6446. properties:
  6447. key:
  6448. description: |-
  6449. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6450. defaulted, in others it may be required.
  6451. type: string
  6452. name:
  6453. description: The name of the Secret resource being referred to.
  6454. type: string
  6455. namespace:
  6456. description: |-
  6457. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6458. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6459. type: string
  6460. type: object
  6461. type: object
  6462. workloadIdentity:
  6463. properties:
  6464. clusterLocation:
  6465. type: string
  6466. clusterName:
  6467. type: string
  6468. clusterProjectID:
  6469. type: string
  6470. serviceAccountRef:
  6471. description: A reference to a ServiceAccount resource.
  6472. properties:
  6473. audiences:
  6474. description: |-
  6475. Audience specifies the `aud` claim for the service account token
  6476. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6477. then these audiences will be appended to the list
  6478. items:
  6479. type: string
  6480. type: array
  6481. name:
  6482. description: The name of the ServiceAccount resource being referred to.
  6483. type: string
  6484. namespace:
  6485. description: |-
  6486. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6487. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6488. type: string
  6489. required:
  6490. - name
  6491. type: object
  6492. required:
  6493. - clusterLocation
  6494. - clusterName
  6495. - serviceAccountRef
  6496. type: object
  6497. type: object
  6498. projectID:
  6499. description: ProjectID project where secret is located
  6500. type: string
  6501. type: object
  6502. gitlab:
  6503. description: GitLab configures this store to sync secrets using GitLab Variables provider
  6504. properties:
  6505. auth:
  6506. description: Auth configures how secret-manager authenticates with a GitLab instance.
  6507. properties:
  6508. SecretRef:
  6509. properties:
  6510. accessToken:
  6511. description: AccessToken is used for authentication.
  6512. properties:
  6513. key:
  6514. description: |-
  6515. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6516. defaulted, in others it may be required.
  6517. type: string
  6518. name:
  6519. description: The name of the Secret resource being referred to.
  6520. type: string
  6521. namespace:
  6522. description: |-
  6523. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6524. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6525. type: string
  6526. type: object
  6527. type: object
  6528. required:
  6529. - SecretRef
  6530. type: object
  6531. projectID:
  6532. description: ProjectID specifies a project where secrets are located.
  6533. type: string
  6534. url:
  6535. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  6536. type: string
  6537. required:
  6538. - auth
  6539. type: object
  6540. ibm:
  6541. description: IBM configures this store to sync secrets using IBM Cloud provider
  6542. properties:
  6543. auth:
  6544. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  6545. properties:
  6546. secretRef:
  6547. properties:
  6548. secretApiKeySecretRef:
  6549. description: The SecretAccessKey is used for authentication
  6550. properties:
  6551. key:
  6552. description: |-
  6553. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6554. defaulted, in others it may be required.
  6555. type: string
  6556. name:
  6557. description: The name of the Secret resource being referred to.
  6558. type: string
  6559. namespace:
  6560. description: |-
  6561. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6562. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6563. type: string
  6564. type: object
  6565. type: object
  6566. required:
  6567. - secretRef
  6568. type: object
  6569. serviceUrl:
  6570. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  6571. type: string
  6572. required:
  6573. - auth
  6574. type: object
  6575. kubernetes:
  6576. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  6577. properties:
  6578. auth:
  6579. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  6580. maxProperties: 1
  6581. minProperties: 1
  6582. properties:
  6583. cert:
  6584. description: has both clientCert and clientKey as secretKeySelector
  6585. properties:
  6586. clientCert:
  6587. description: |-
  6588. A reference to a specific 'key' within a Secret resource.
  6589. In some instances, `key` is a required field.
  6590. properties:
  6591. key:
  6592. description: |-
  6593. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6594. defaulted, in others it may be required.
  6595. type: string
  6596. name:
  6597. description: The name of the Secret resource being referred to.
  6598. type: string
  6599. namespace:
  6600. description: |-
  6601. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6602. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6603. type: string
  6604. type: object
  6605. clientKey:
  6606. description: |-
  6607. A reference to a specific 'key' within a Secret resource.
  6608. In some instances, `key` is a required field.
  6609. properties:
  6610. key:
  6611. description: |-
  6612. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6613. defaulted, in others it may be required.
  6614. type: string
  6615. name:
  6616. description: The name of the Secret resource being referred to.
  6617. type: string
  6618. namespace:
  6619. description: |-
  6620. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6621. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6622. type: string
  6623. type: object
  6624. type: object
  6625. serviceAccount:
  6626. description: points to a service account that should be used for authentication
  6627. properties:
  6628. serviceAccount:
  6629. description: A reference to a ServiceAccount resource.
  6630. properties:
  6631. audiences:
  6632. description: |-
  6633. Audience specifies the `aud` claim for the service account token
  6634. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6635. then these audiences will be appended to the list
  6636. items:
  6637. type: string
  6638. type: array
  6639. name:
  6640. description: The name of the ServiceAccount resource being referred to.
  6641. type: string
  6642. namespace:
  6643. description: |-
  6644. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6645. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6646. type: string
  6647. required:
  6648. - name
  6649. type: object
  6650. type: object
  6651. token:
  6652. description: use a static token to authenticate with
  6653. properties:
  6654. bearerToken:
  6655. description: |-
  6656. A reference to a specific 'key' within a Secret resource.
  6657. In some instances, `key` is a required field.
  6658. properties:
  6659. key:
  6660. description: |-
  6661. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6662. defaulted, in others it may be required.
  6663. type: string
  6664. name:
  6665. description: The name of the Secret resource being referred to.
  6666. type: string
  6667. namespace:
  6668. description: |-
  6669. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6670. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6671. type: string
  6672. type: object
  6673. type: object
  6674. type: object
  6675. remoteNamespace:
  6676. default: default
  6677. description: Remote namespace to fetch the secrets from
  6678. type: string
  6679. server:
  6680. description: configures the Kubernetes server Address.
  6681. properties:
  6682. caBundle:
  6683. description: CABundle is a base64-encoded CA certificate
  6684. format: byte
  6685. type: string
  6686. caProvider:
  6687. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  6688. properties:
  6689. key:
  6690. description: The key of the value inside the provider type to use; only used with the "Secret" type
  6691. type: string
  6692. name:
  6693. description: The name of the object located at the provider type.
  6694. type: string
  6695. namespace:
  6696. description: The namespace the Provider type is in.
  6697. type: string
  6698. type:
  6699. description: The type of provider to use such as "Secret", or "ConfigMap".
  6700. enum:
  6701. - Secret
  6702. - ConfigMap
  6703. type: string
  6704. required:
  6705. - name
  6706. - type
  6707. type: object
  6708. url:
  6709. default: kubernetes.default
  6710. description: configures the Kubernetes server Address.
  6711. type: string
  6712. type: object
  6713. required:
  6714. - auth
  6715. type: object
  6716. oracle:
  6717. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6718. properties:
  6719. auth:
  6720. description: |-
  6721. Auth configures how secret-manager authenticates with the Oracle Vault.
  6722. If empty, instance principal is used. Optionally, the authenticating principal type
  6723. and/or user data may be supplied for the use of workload identity and user principal.
  6724. properties:
  6725. secretRef:
  6726. description: SecretRef to pass through sensitive information.
  6727. properties:
  6728. fingerprint:
  6729. description: Fingerprint is the fingerprint of the API private key.
  6730. properties:
  6731. key:
  6732. description: |-
  6733. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6734. defaulted, in others it may be required.
  6735. type: string
  6736. name:
  6737. description: The name of the Secret resource being referred to.
  6738. type: string
  6739. namespace:
  6740. description: |-
  6741. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6742. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6743. type: string
  6744. type: object
  6745. privatekey:
  6746. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6747. properties:
  6748. key:
  6749. description: |-
  6750. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6751. defaulted, in others it may be required.
  6752. type: string
  6753. name:
  6754. description: The name of the Secret resource being referred to.
  6755. type: string
  6756. namespace:
  6757. description: |-
  6758. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped.
  6759. If the referent is cluster-scoped, this defaults to the namespace of the referent.
  6760. type: string
  6761. type: object
  6762. required:
  6763. - fingerprint
  6764. - privatekey
  6765. type: object
  6766. tenancy:
  6767. description: Tenancy is the tenancy OCID where user is located.
  6768. type: string
  6769. user:
  6770. description: User is an access OCID specific to the account.
  6771. type: string
  6772. required:
  6773. - secretRef
  6774. - tenancy
  6775. - user
  6776. type: object
  6777. compartment:
  6778. description: |-
  6779. Compartment is the vault compartment OCID.
  6780. Required for PushSecret
  6781. type: string
  6782. encryptionKey:
  6783. description: |-
  6784. EncryptionKey is the OCID of the encryption key within the vault.
  6785. Required for PushSecret
  6786. type: string
  6787. principalType:
  6788. description: |-
  6789. The type of principal to use for authentication. If left blank, the Auth struct will
  6790. determine the principal type. This optional field must be specified if using
  6791. workload identity.
  6792. enum:
  6793. - ""
  6794. - UserPrincipal
  6795. - InstancePrincipal
  6796. - Workload
  6797. type: string
  6798. region:
  6799. description: Region is the region where vault is located.
  6800. type: string
  6801. serviceAccountRef:
  6802. description: |-
  6803. ServiceAccountRef specifies the service account
  6804. that should be used when authenticating with WorkloadIdentity.
  6805. properties:
  6806. audiences:
  6807. description: |-
  6808. Audience specifies the `aud` claim for the service account token.
  6809. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6810. then these audiences will be appended to the list.
  6811. items:
  6812. type: string
  6813. type: array
  6814. name:
  6815. description: The name of the ServiceAccount resource being referred to.
  6816. type: string
  6817. namespace:
  6818. description: |-
  6819. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  6820. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  6821. type: string
  6822. required:
  6823. - name
  6824. type: object
  6825. vault:
  6826. description: Vault is the OCID of the specific vault where the secret is located.
  6827. type: string
  6828. required:
  6829. - region
  6830. - vault
  6831. type: object
  6832. passworddepot:
  6833. description: Configures a store to sync secrets with a Password Depot instance.
  6834. properties:
  6835. auth:
  6836. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6837. properties:
  6838. secretRef:
  6839. properties:
  6840. credentials:
  6841. description: Credentials references the Secret entry holding the username / password used for authentication.
  6842. properties:
  6843. key:
  6844. description: |-
  6845. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6846. defaulted, in others it may be required.
  6847. type: string
  6848. name:
  6849. description: The name of the Secret resource being referred to.
  6850. type: string
  6851. namespace:
  6852. description: |-
  6853. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  6854. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  6855. type: string
  6856. type: object
  6857. type: object
  6858. required:
  6859. - secretRef
  6860. type: object
  6861. database:
  6862. description: Database to use as source
  6863. type: string
  6864. host:
  6865. description: Host configures the Password Depot instance URL.
  6866. type: string
  6867. required:
  6868. - auth
  6869. - database
  6870. - host
  6871. type: object
  6872. vault:
  6873. description: Vault configures this store to sync secrets using the HashiCorp Vault provider
  6874. properties:
  6875. auth:
  6876. description: Auth configures how secret-manager authenticates with the Vault server.
  6877. properties:
  6878. appRole:
  6879. description: |-
  6880. AppRole authenticates with Vault using the App Role auth mechanism,
  6881. with the role and secret stored in a Kubernetes Secret resource.
  6882. properties:
  6883. path:
  6884. default: approle
  6885. description: |-
  6886. Path where the App Role authentication backend is mounted
  6887. in Vault, e.g: "approle"
  6888. type: string
  6889. roleId:
  6890. description: |-
  6891. RoleID configured in the App Role authentication backend when setting
  6892. up the authentication backend in Vault.
  6893. type: string
  6894. secretRef:
  6895. description: |-
  6896. Reference to a key in a Secret that contains the App Role secret used
  6897. to authenticate with Vault.
  6898. The `key` field must be specified and denotes which entry within the Secret
  6899. resource is used as the app role secret.
  6900. properties:
  6901. key:
  6902. description: |-
  6903. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6904. defaulted, in others it may be required.
  6905. type: string
  6906. name:
  6907. description: The name of the Secret resource being referred to.
  6908. type: string
  6909. namespace:
  6910. description: |-
  6911. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  6912. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  6913. type: string
  6914. type: object
  6915. required:
  6916. - path
  6917. - roleId
  6918. - secretRef
  6919. type: object
  6920. cert:
  6921. description: |-
  6922. Cert authenticates with Vault using the TLS certificate ("cert") authentication method,
  6923. by presenting a client certificate, its private key and a CA certificate.
  6924. properties:
  6925. clientCert:
  6926. description: |-
  6927. ClientCert is a certificate to authenticate using the Cert Vault
  6928. authentication method
  6929. properties:
  6930. key:
  6931. description: |-
  6932. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6933. defaulted, in others it may be required.
  6934. type: string
  6935. name:
  6936. description: The name of the Secret resource being referred to.
  6937. type: string
  6938. namespace:
  6939. description: |-
  6940. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  6941. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  6942. type: string
  6943. type: object
  6944. secretRef:
  6945. description: |-
  6946. SecretRef to a key in a Secret resource containing client private key to
  6947. authenticate with Vault using the Cert authentication method
  6948. properties:
  6949. key:
  6950. description: |-
  6951. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6952. defaulted, in others it may be required.
  6953. type: string
  6954. name:
  6955. description: The name of the Secret resource being referred to.
  6956. type: string
  6957. namespace:
  6958. description: |-
  6959. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  6960. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  6961. type: string
  6962. type: object
  6963. type: object
  6964. jwt:
  6965. description: |-
  6966. Jwt authenticates with Vault by passing role and JWT token using the
  6967. JWT/OIDC authentication method
  6968. properties:
  6969. kubernetesServiceAccountToken:
  6970. description: |-
  6971. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  6972. a token with the `TokenRequest` API.
  6973. properties:
  6974. audiences:
  6975. description: |-
  6976. Optional audiences field that will be used to request a temporary Kubernetes service
  6977. account token for the service account referenced by `serviceAccountRef`.
  6978. Defaults to a single audience `vault` if not specified.
  6979. items:
  6980. type: string
  6981. type: array
  6982. expirationSeconds:
  6983. description: |-
  6984. Optional expiration time in seconds that will be used to request a temporary
  6985. Kubernetes service account token for the service account referenced by
  6986. `serviceAccountRef`. Keep it short, since the token is a bearer credential.
  6987. Defaults to 10 minutes.
  6988. format: int64
  6989. type: integer
  6990. serviceAccountRef:
  6991. description: Service account field containing the name of a kubernetes ServiceAccount.
  6992. properties:
  6993. audiences:
  6994. description: |-
  6995. Audience specifies the `aud` claim for the service account token.
  6996. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6997. then these audiences will be appended to the list.
  6998. items:
  6999. type: string
  7000. type: array
  7001. name:
  7002. description: The name of the ServiceAccount resource being referred to.
  7003. type: string
  7004. namespace:
  7005. description: |-
  7006. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7007. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7008. type: string
  7009. required:
  7010. - name
  7011. type: object
  7012. required:
  7013. - serviceAccountRef
  7014. type: object
  7015. path:
  7016. default: jwt
  7017. description: |-
  7018. Path where the JWT authentication backend is mounted
  7019. in Vault, e.g: "jwt"
  7020. type: string
  7021. role:
  7022. description: |-
  7023. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7024. authentication method
  7025. type: string
  7026. secretRef:
  7027. description: |-
  7028. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7029. authenticate with Vault using the JWT/OIDC authentication method.
  7030. properties:
  7031. key:
  7032. description: |-
  7033. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7034. defaulted, in others it may be required.
  7035. type: string
  7036. name:
  7037. description: The name of the Secret resource being referred to.
  7038. type: string
  7039. namespace:
  7040. description: |-
  7041. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7042. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7043. type: string
  7044. type: object
  7045. required:
  7046. - path
  7047. type: object
  7048. kubernetes:
  7049. description: |-
  7050. Kubernetes authenticates with Vault by passing the ServiceAccount
  7051. token stored in the named Secret resource to the Vault server.
  7052. properties:
  7053. mountPath:
  7054. default: kubernetes
  7055. description: |-
  7056. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7057. "kubernetes"
  7058. type: string
  7059. role:
  7060. description: |-
  7061. A required field containing the Vault Role to assume. A Role binds a
  7062. Kubernetes ServiceAccount with a set of Vault policies.
  7063. type: string
  7064. secretRef:
  7065. description: |-
  7066. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7067. for authenticating with Vault. If a name is specified without a key,
  7068. `token` is the default. If one is not specified, the one bound to
  7069. the controller will be used.
  7070. properties:
  7071. key:
  7072. description: |-
  7073. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7074. defaulted, in others it may be required.
  7075. type: string
  7076. name:
  7077. description: The name of the Secret resource being referred to.
  7078. type: string
  7079. namespace:
  7080. description: |-
  7081. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7082. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7083. type: string
  7084. type: object
  7085. serviceAccountRef:
  7086. description: |-
  7087. Optional service account field containing the name of a kubernetes ServiceAccount.
  7088. If the service account is specified, the service account secret token JWT will be used
  7089. for authenticating with Vault. If the service account selector is not supplied,
  7090. the secretRef will be used instead.
  7091. properties:
  7092. audiences:
  7093. description: |-
  7094. Audience specifies the `aud` claim for the service account token.
  7095. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7096. then these audiences will be appended to the list.
  7097. items:
  7098. type: string
  7099. type: array
  7100. name:
  7101. description: The name of the ServiceAccount resource being referred to.
  7102. type: string
  7103. namespace:
  7104. description: |-
  7105. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7106. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7107. type: string
  7108. required:
  7109. - name
  7110. type: object
  7111. required:
  7112. - mountPath
  7113. - role
  7114. type: object
  7115. ldap:
  7116. description: |-
  7117. Ldap authenticates with Vault by passing username/password pair using
  7118. the LDAP authentication method
  7119. properties:
  7120. path:
  7121. default: ldap
  7122. description: |-
  7123. Path where the LDAP authentication backend is mounted
  7124. in Vault, e.g: "ldap"
  7125. type: string
  7126. secretRef:
  7127. description: |-
  7128. SecretRef to a key in a Secret resource containing password for the LDAP
  7129. user used to authenticate with Vault using the LDAP authentication
  7130. method
  7131. properties:
  7132. key:
  7133. description: |-
  7134. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7135. defaulted, in others it may be required.
  7136. type: string
  7137. name:
  7138. description: The name of the Secret resource being referred to.
  7139. type: string
  7140. namespace:
  7141. description: |-
  7142. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7143. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7144. type: string
  7145. type: object
  7146. username:
  7147. description: |-
  7148. Username is a LDAP user name used to authenticate using the LDAP Vault
  7149. authentication method
  7150. type: string
  7151. required:
  7152. - path
  7153. - username
  7154. type: object
  7155. tokenSecretRef:
  7156. description: TokenSecretRef authenticates with Vault by presenting a static token read from a Secret; such tokens do not rotate automatically, so prefer an identity-based method (kubernetes, jwt, appRole, cert) where available.
  7157. properties:
  7158. key:
  7159. description: |-
  7160. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7161. defaulted, in others it may be required.
  7162. type: string
  7163. name:
  7164. description: The name of the Secret resource being referred to.
  7165. type: string
  7166. namespace:
  7167. description: |-
  7168. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7169. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7170. type: string
  7171. type: object
  7172. type: object
  7173. caBundle:
  7174. description: |-
  7175. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  7176. if the Server URL uses the HTTPS protocol; it is ignored for a plain HTTP
  7177. connection, over which auth credentials and fetched secrets travel unencrypted, so prefer HTTPS.
  7178. If not set, the system root certificates are used to validate the TLS connection.
  7179. format: byte
  7180. type: string
  7181. caProvider:
  7182. description: The provider for the CA bundle to use to validate Vault server certificate.
  7183. properties:
  7184. key:
  7185. description: The key of the value inside the provider object to use; only used with the "Secret" type
  7186. type: string
  7187. name:
  7188. description: The name of the object located at the provider type.
  7189. type: string
  7190. namespace:
  7191. description: The namespace the Provider type is in.
  7192. type: string
  7193. type:
  7194. description: The type of provider to use such as "Secret", or "ConfigMap".
  7195. enum:
  7196. - Secret
  7197. - ConfigMap
  7198. type: string
  7199. required:
  7200. - name
  7201. - type
  7202. type: object
  7203. forwardInconsistent:
  7204. description: |-
  7205. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7206. leader instead of simply retrying within a loop. This can increase performance if
  7207. the option is enabled serverside.
  7208. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7209. type: boolean
  7210. namespace:
  7211. description: |-
  7212. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  7213. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7214. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7215. type: string
  7216. path:
  7217. description: |-
  7218. Path is the mount path of the Vault KV backend endpoint, e.g:
  7219. "secret". The v2 KV secret engine version specific "/data" path suffix
  7220. for fetching secrets from Vault is optional and will be appended
  7221. if not present in specified path.
  7222. type: string
  7223. readYourWrites:
  7224. description: |-
  7225. ReadYourWrites ensures isolated read-after-write semantics by
  7226. providing discovered cluster replication states in each request.
  7227. More information about eventual consistency in Vault can be found here
  7228. https://www.vaultproject.io/docs/enterprise/consistency
  7229. type: boolean
  7230. server:
  7231. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7232. type: string
  7233. version:
  7234. default: v2
  7235. description: |-
  7236. Version is the Vault KV secret engine version. This can be either "v1" or
  7237. "v2". Version defaults to "v2".
  7238. enum:
  7239. - v1
  7240. - v2
  7241. type: string
  7242. required:
  7243. - auth
  7244. - server
  7245. type: object
  7246. webhook:
  7247. description: Webhook configures this store to sync secrets using a generic templated webhook
  7248. properties:
  7249. body:
  7250. description: Request body sent to the webhook (subject to the store's templating, see `secrets`)
  7251. type: string
  7252. caBundle:
  7253. description: |-
  7254. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  7255. if the Server URL uses the HTTPS protocol; it is ignored for a plain HTTP
  7256. connection, over which request headers, body and fetched secrets travel unencrypted, so prefer HTTPS.
  7257. If not set, the system root certificates are used to validate the TLS connection.
  7258. format: byte
  7259. type: string
  7260. caProvider:
  7261. description: The provider for the CA bundle to use to validate webhook server certificate.
  7262. properties:
  7263. key:
  7264. description: The key of the value inside the provider object to use; only used with the "Secret" type
  7265. type: string
  7266. name:
  7267. description: The name of the object located at the provider type.
  7268. type: string
  7269. namespace:
  7270. description: The namespace the Provider type is in.
  7271. type: string
  7272. type:
  7273. description: The type of provider to use such as "Secret", or "ConfigMap".
  7274. enum:
  7275. - Secret
  7276. - ConfigMap
  7277. type: string
  7278. required:
  7279. - name
  7280. - type
  7281. type: object
  7282. headers:
  7283. additionalProperties:
  7284. type: string
  7285. description: HTTP headers sent with the webhook request, as a map of header name to value. Keep credentials in a Secret referenced via `secrets` rather than writing them inline here.
  7286. type: object
  7287. method:
  7288. description: HTTP method used for the webhook request, e.g. GET or POST
  7289. type: string
  7290. result:
  7291. description: Result formatting
  7292. properties:
  7293. jsonPath:
  7294. description: JSON path used to extract the secret value from the webhook's return value
  7295. type: string
  7296. type: object
  7297. secrets:
  7298. description: |-
  7299. Secrets to fill in templates
  7300. These secrets will be passed to the templating function as key value pairs under the given name
  7301. items:
  7302. properties:
  7303. name:
  7304. description: Name of this secret in templates
  7305. type: string
  7306. secretRef:
  7307. description: Secret ref to fill in credentials
  7308. properties:
  7309. key:
  7310. description: |-
  7311. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7312. defaulted, in others it may be required.
  7313. type: string
  7314. name:
  7315. description: The name of the Secret resource being referred to.
  7316. type: string
  7317. namespace:
  7318. description: |-
  7319. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7320. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7321. type: string
  7322. type: object
  7323. required:
  7324. - name
  7325. - secretRef
  7326. type: object
  7327. type: array
  7328. timeout:
  7329. description: Timeout applied to the webhook request
  7330. type: string
  7331. url:
  7332. description: Webhook url to call
  7333. type: string
  7334. required:
  7335. - result
  7336. - url
  7337. type: object
  7338. yandexlockbox:
  7339. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  7340. properties:
  7341. apiEndpoint:
  7342. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  7343. type: string
  7344. auth:
  7345. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  7346. properties:
  7347. authorizedKeySecretRef:
  7348. description: The authorized key used for authentication
  7349. properties:
  7350. key:
  7351. description: |-
  7352. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7353. defaulted, in others it may be required.
  7354. type: string
  7355. name:
  7356. description: The name of the Secret resource being referred to.
  7357. type: string
  7358. namespace:
  7359. description: |-
  7360. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7361. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7362. type: string
  7363. type: object
  7364. type: object
  7365. caProvider:
  7366. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  7367. properties:
  7368. certSecretRef:
  7369. description: |-
  7370. A reference to a specific `key` within a Secret resource.
  7371. In some instances, `key` is a required field.
  7372. properties:
  7373. key:
  7374. description: |-
  7375. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7376. defaulted, in others it may be required.
  7377. type: string
  7378. name:
  7379. description: The name of the Secret resource being referred to.
  7380. type: string
  7381. namespace:
  7382. description: |-
  7383. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7384. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7385. type: string
  7386. type: object
  7387. type: object
  7388. required:
  7389. - auth
  7390. type: object
  7391. type: object
  7392. retrySettings:
  7393. description: Configures HTTP retries for failed provider requests
  7394. properties:
  7395. maxRetries:
  7396. format: int32
  7397. type: integer
  7398. retryInterval:
  7399. type: string
  7400. type: object
  7401. required:
  7402. - provider
  7403. type: object
  7404. status:
  7405. description: SecretStoreStatus defines the observed state of the SecretStore.
  7406. properties:
  7407. conditions:
  7408. items:
  7409. properties:
  7410. lastTransitionTime:
  7411. format: date-time
  7412. type: string
  7413. message:
  7414. type: string
  7415. reason:
  7416. type: string
  7417. status:
  7418. type: string
  7419. type:
  7420. type: string
  7421. required:
  7422. - status
  7423. - type
  7424. type: object
  7425. type: array
  7426. type: object
  7427. type: object
  7428. served: true
  7429. storage: false
  7430. subresources:
  7431. status: {}
  7432. - additionalPrinterColumns:
  7433. - jsonPath: .metadata.creationTimestamp
  7434. name: AGE
  7435. type: date
  7436. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  7437. name: Status
  7438. type: string
  7439. - jsonPath: .status.capabilities
  7440. name: Capabilities
  7441. type: string
  7442. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  7443. name: Ready
  7444. type: string
  7445. name: v1beta1
  7446. schema:
  7447. openAPIV3Schema:
  7448. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  7449. properties:
  7450. apiVersion:
  7451. description: |-
  7452. APIVersion defines the versioned schema of this representation of an object.
  7453. Servers should convert recognized schemas to the latest internal value, and
  7454. may reject unrecognized values.
  7455. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  7456. type: string
  7457. kind:
  7458. description: |-
  7459. Kind is a string value representing the REST resource this object represents.
  7460. Servers may infer this from the endpoint the client submits requests to.
  7461. Cannot be updated.
  7462. In CamelCase.
  7463. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  7464. type: string
  7465. metadata:
  7466. type: object
  7467. spec:
  7468. description: SecretStoreSpec defines the desired state of SecretStore.
  7469. properties:
  7470. conditions:
  7471. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore. Nothing in this schema restricts which namespaces may use the store when no conditions are set.
  7472. items:
  7473. description: |-
  7474. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  7475. for a ClusterSecretStore instance.
  7476. properties:
  7477. namespaceSelector:
  7478. description: Choose namespace using a labelSelector
  7479. properties:
  7480. matchExpressions:
  7481. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  7482. items:
  7483. description: |-
  7484. A label selector requirement is a selector that contains values, a key, and an operator that
  7485. relates the key and values.
  7486. properties:
  7487. key:
  7488. description: key is the label key that the selector applies to.
  7489. type: string
  7490. operator:
  7491. description: |-
  7492. operator represents a key's relationship to a set of values.
  7493. Valid operators are In, NotIn, Exists and DoesNotExist.
  7494. type: string
  7495. values:
  7496. description: |-
  7497. values is an array of string values. If the operator is In or NotIn,
  7498. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  7499. the values array must be empty. This array is replaced during a strategic
  7500. merge patch.
  7501. items:
  7502. type: string
  7503. type: array
  7504. required:
  7505. - key
  7506. - operator
  7507. type: object
  7508. type: array
  7509. matchLabels:
  7510. additionalProperties:
  7511. type: string
  7512. description: |-
  7513. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  7514. map is equivalent to an element of matchExpressions, whose key field is "key", the
  7515. operator is "In", and the values array contains only "value". The requirements are ANDed.
  7516. type: object
  7517. type: object
  7518. x-kubernetes-map-type: atomic
  7519. namespaces:
  7520. description: Choose namespaces by name
  7521. items:
  7522. type: string
  7523. type: array
  7524. type: object
  7525. type: array
  7526. controller:
  7527. description: |-
  7528. Used to select the correct ESO controller (think: ingress.ingressClassName)
  7529. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  7530. type: string
  7531. provider:
  7532. description: Used to configure the provider. Only one provider may be set
  7533. maxProperties: 1
  7534. minProperties: 1
  7535. properties:
  7536. akeyless:
  7537. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  7538. properties:
  7539. akeylessGWApiURL:
  7540. description: Akeyless Gateway API URL from which the secrets are fetched.
  7541. type: string
  7542. authSecretRef:
  7543. description: Auth configures how the operator authenticates with Akeyless.
  7544. properties:
  7545. kubernetesAuth:
  7546. description: |-
  7547. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  7548. token stored in the named Secret resource.
  7549. properties:
  7550. accessID:
  7551. description: the Akeyless Kubernetes auth-method access-id
  7552. type: string
  7553. k8sConfName:
  7554. description: Kubernetes-auth configuration name in Akeyless-Gateway
  7555. type: string
  7556. secretRef:
  7557. description: |-
  7558. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7559. for authenticating with Akeyless. If a name is specified without a key,
  7560. `token` is the default. If one is not specified, the one bound to
  7561. the controller will be used.
  7562. properties:
  7563. key:
  7564. description: |-
  7565. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7566. defaulted, in others it may be required.
  7567. type: string
  7568. name:
  7569. description: The name of the Secret resource being referred to.
  7570. type: string
  7571. namespace:
  7572. description: |-
  7573. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7574. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7575. type: string
  7576. type: object
  7577. serviceAccountRef:
  7578. description: |-
  7579. Optional service account field containing the name of a kubernetes ServiceAccount.
  7580. If the service account is specified, the service account secret token JWT will be used
  7581. for authenticating with Akeyless. If the service account selector is not supplied,
  7582. the secretRef will be used instead.
  7583. properties:
  7584. audiences:
  7585. description: |-
  7586. Audience specifies the `aud` claim for the service account token.
  7587. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7588. then these audiences will be appended to the list.
  7589. items:
  7590. type: string
  7591. type: array
  7592. name:
  7593. description: The name of the ServiceAccount resource being referred to.
  7594. type: string
  7595. namespace:
  7596. description: |-
  7597. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7598. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7599. type: string
  7600. required:
  7601. - name
  7602. type: object
  7603. required:
  7604. - accessID
  7605. - k8sConfName
  7606. type: object
  7607. secretRef:
  7608. description: |-
  7609. Reference to a Secret that contains the details
  7610. to authenticate with Akeyless.
  7611. properties:
  7612. accessID:
  7613. description: The SecretAccessID is used for authentication
  7614. properties:
  7615. key:
  7616. description: |-
  7617. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7618. defaulted, in others it may be required.
  7619. type: string
  7620. name:
  7621. description: The name of the Secret resource being referred to.
  7622. type: string
  7623. namespace:
  7624. description: |-
  7625. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7626. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7627. type: string
  7628. type: object
  7629. accessType:
  7630. description: |-
  7631. A reference to a specific `key` within a Secret resource.
  7632. In some instances, `key` is a required field.
  7633. properties:
  7634. key:
  7635. description: |-
  7636. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7637. defaulted, in others it may be required.
  7638. type: string
  7639. name:
  7640. description: The name of the Secret resource being referred to.
  7641. type: string
  7642. namespace:
  7643. description: |-
  7644. Namespace of the resource being referred to. Ignored when the referring resource is namespaced (its own namespace is always used).
  7645. When the referring resource is cluster-scoped (e.g. a ClusterSecretStore) and this field is empty, the namespace of the referent is used; note that the schema does not restrict which namespace a cluster-scoped referrer may name here.
  7646. type: string
  7647. type: object
  7648. accessTypeParam:
  7649. description: |-
  7650. A reference to a specific 'key' within a Secret resource,
  7651. In some instances, `key` is a required field.
  7652. properties:
  7653. key:
  7654. description: |-
  7655. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7656. defaulted, in others it may be required.
  7657. type: string
  7658. name:
  7659. description: The name of the Secret resource being referred to.
  7660. type: string
  7661. namespace:
  7662. description: |-
  7663. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7664. to the namespace of the referent.
  7665. type: string
  7666. type: object
  7667. type: object
  7668. type: object
  7669. caBundle:
  7670. description: |-
  7671. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  7672. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  7673. are used to validate the TLS connection.
  7674. format: byte
  7675. type: string
  7676. caProvider:
  7677. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  7678. properties:
  7679. key:
  7680. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7681. type: string
  7682. name:
  7683. description: The name of the object located at the provider type.
  7684. type: string
  7685. namespace:
  7686. description: |-
  7687. The namespace the Provider type is in.
  7688. Can only be defined when used in a ClusterSecretStore.
  7689. type: string
  7690. type:
  7691. description: The type of provider to use such as "Secret", or "ConfigMap".
  7692. enum:
  7693. - Secret
  7694. - ConfigMap
  7695. type: string
  7696. required:
  7697. - name
  7698. - type
  7699. type: object
  7700. required:
  7701. - akeylessGWApiURL
  7702. - authSecretRef
  7703. type: object
  7704. alibaba:
  7705. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  7706. properties:
  7707. auth:
  7708. description: AlibabaAuth contains a secretRef for credentials.
  7709. properties:
  7710. rrsa:
  7711. description: Authenticate against Alibaba using RRSA.
  7712. properties:
  7713. oidcProviderArn:
  7714. type: string
  7715. oidcTokenFilePath:
  7716. type: string
  7717. roleArn:
  7718. type: string
  7719. sessionName:
  7720. type: string
  7721. required:
  7722. - oidcProviderArn
  7723. - oidcTokenFilePath
  7724. - roleArn
  7725. - sessionName
  7726. type: object
  7727. secretRef:
  7728. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  7729. properties:
  7730. accessKeyIDSecretRef:
  7731. description: The AccessKeyID is used for authentication
  7732. properties:
  7733. key:
  7734. description: |-
  7735. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7736. defaulted, in others it may be required.
  7737. type: string
  7738. name:
  7739. description: The name of the Secret resource being referred to.
  7740. type: string
  7741. namespace:
  7742. description: |-
  7743. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7744. to the namespace of the referent.
  7745. type: string
  7746. type: object
  7747. accessKeySecretSecretRef:
  7748. description: The AccessKeySecret is used for authentication
  7749. properties:
  7750. key:
  7751. description: |-
  7752. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7753. defaulted, in others it may be required.
  7754. type: string
  7755. name:
  7756. description: The name of the Secret resource being referred to.
  7757. type: string
  7758. namespace:
  7759. description: |-
  7760. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7761. to the namespace of the referent.
  7762. type: string
  7763. type: object
  7764. required:
  7765. - accessKeyIDSecretRef
  7766. - accessKeySecretSecretRef
  7767. type: object
  7768. type: object
  7769. regionID:
  7770. description: Alibaba Region to be used for the provider
  7771. type: string
  7772. required:
  7773. - auth
  7774. - regionID
  7775. type: object
  7776. aws:
  7777. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  7778. properties:
  7779. additionalRoles:
  7780. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  7781. items:
  7782. type: string
  7783. type: array
  7784. auth:
  7785. description: |-
  7786. Auth defines the information necessary to authenticate against AWS
  7787. If not set, the AWS SDK will infer credentials from your environment
  7788. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  7789. properties:
  7790. jwt:
  7791. description: Authenticate against AWS using service account tokens.
  7792. properties:
  7793. serviceAccountRef:
  7794. description: A reference to a ServiceAccount resource.
  7795. properties:
  7796. audiences:
  7797. description: |-
  7798. Audience specifies the `aud` claim for the service account token
  7799. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7800. then these audiences will be appended to the list
  7801. items:
  7802. type: string
  7803. type: array
  7804. name:
  7805. description: The name of the ServiceAccount resource being referred to.
  7806. type: string
  7807. namespace:
  7808. description: |-
  7809. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7810. to the namespace of the referent.
  7811. type: string
  7812. required:
  7813. - name
  7814. type: object
  7815. type: object
  7816. secretRef:
  7817. description: |-
  7818. AWSAuthSecretRef holds secret references for AWS credentials
  7819. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  7820. properties:
  7821. accessKeyIDSecretRef:
  7822. description: The AccessKeyID is used for authentication
  7823. properties:
  7824. key:
  7825. description: |-
  7826. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7827. defaulted, in others it may be required.
  7828. type: string
  7829. name:
  7830. description: The name of the Secret resource being referred to.
  7831. type: string
  7832. namespace:
  7833. description: |-
  7834. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7835. to the namespace of the referent.
  7836. type: string
  7837. type: object
  7838. secretAccessKeySecretRef:
  7839. description: The SecretAccessKey is used for authentication
  7840. properties:
  7841. key:
  7842. description: |-
  7843. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7844. defaulted, in others it may be required.
  7845. type: string
  7846. name:
  7847. description: The name of the Secret resource being referred to.
  7848. type: string
  7849. namespace:
  7850. description: |-
  7851. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7852. to the namespace of the referent.
  7853. type: string
  7854. type: object
  7855. sessionTokenSecretRef:
  7856. description: |-
  7857. The SessionToken used for authentication
  7858. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7859. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7860. properties:
  7861. key:
  7862. description: |-
  7863. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7864. defaulted, in others it may be required.
  7865. type: string
  7866. name:
  7867. description: The name of the Secret resource being referred to.
  7868. type: string
  7869. namespace:
  7870. description: |-
  7871. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7872. to the namespace of the referent.
  7873. type: string
  7874. type: object
  7875. type: object
  7876. type: object
  7877. externalID:
  7878. description: AWS External ID set on assumed IAM roles
  7879. type: string
  7880. region:
  7881. description: AWS Region to be used for the provider
  7882. type: string
  7883. role:
  7884. description: Role is a Role ARN which the provider will assume
  7885. type: string
  7886. secretsManager:
  7887. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  7888. properties:
  7889. forceDeleteWithoutRecovery:
  7890. description: |-
  7891. Specifies whether to delete the secret without any recovery window. You
  7892. can't use both this parameter and RecoveryWindowInDays in the same call.
  7893. If you don't use either, then by default Secrets Manager uses a 30 day
  7894. recovery window.
  7895. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  7896. type: boolean
  7897. recoveryWindowInDays:
  7898. description: |-
  7899. The number of days from 7 to 30 that Secrets Manager waits before
  7900. permanently deleting the secret. You can't use both this parameter and
  7901. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  7902. then by default Secrets Manager uses a 30 day recovery window.
  7903. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  7904. format: int64
  7905. type: integer
  7906. type: object
  7907. service:
  7908. description: Service defines which service should be used to fetch the secrets
  7909. enum:
  7910. - SecretsManager
  7911. - ParameterStore
  7912. type: string
  7913. sessionTags:
  7914. description: AWS STS assume role session tags
  7915. items:
  7916. properties:
  7917. key:
  7918. type: string
  7919. value:
  7920. type: string
  7921. required:
  7922. - key
  7923. - value
  7924. type: object
  7925. type: array
  7926. transitiveTagKeys:
  7927. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  7928. items:
  7929. type: string
  7930. type: array
  7931. required:
  7932. - region
  7933. - service
  7934. type: object
  7935. azurekv:
  7936. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  7937. properties:
  7938. authSecretRef:
  7939. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  7940. properties:
  7941. clientId:
  7942. description: The Azure clientId of the service principal used for authentication.
  7943. properties:
  7944. key:
  7945. description: |-
  7946. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7947. defaulted, in others it may be required.
  7948. type: string
  7949. name:
  7950. description: The name of the Secret resource being referred to.
  7951. type: string
  7952. namespace:
  7953. description: |-
  7954. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7955. to the namespace of the referent.
  7956. type: string
  7957. type: object
  7958. clientSecret:
  7959. description: The Azure ClientSecret of the service principal used for authentication.
  7960. properties:
  7961. key:
  7962. description: |-
  7963. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7964. defaulted, in others it may be required.
  7965. type: string
  7966. name:
  7967. description: The name of the Secret resource being referred to.
  7968. type: string
  7969. namespace:
  7970. description: |-
  7971. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7972. to the namespace of the referent.
  7973. type: string
  7974. type: object
  7975. type: object
  7976. authType:
  7977. default: ServicePrincipal
  7978. description: |-
  7979. Auth type defines how to authenticate to the keyvault service.
  7980. Valid values are:
  7981. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  7982. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  - "WorkloadIdentity": Using Azure Workload Identity with the service account given in serviceAccountRef
  7983. enum:
  7984. - ServicePrincipal
  7985. - ManagedIdentity
  7986. - WorkloadIdentity
  7987. type: string
  7988. environmentType:
  7989. default: PublicCloud
  7990. description: |-
  7991. EnvironmentType specifies the Azure cloud environment endpoints to use for
  7992. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  7993. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  7994. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  7995. enum:
  7996. - PublicCloud
  7997. - USGovernmentCloud
  7998. - ChinaCloud
  7999. - GermanCloud
  8000. type: string
  8001. identityId:
  8002. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  8003. type: string
  8004. serviceAccountRef:
  8005. description: |-
  8006. ServiceAccountRef specifies the service account
  8007. that should be used when authenticating with WorkloadIdentity.
  8008. properties:
  8009. audiences:
  8010. description: |-
  8011. Audience specifies the `aud` claim for the service account token
  8012. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8013. then these audiences will be appended to the list
  8014. items:
  8015. type: string
  8016. type: array
  8017. name:
  8018. description: The name of the ServiceAccount resource being referred to.
  8019. type: string
  8020. namespace:
  8021. description: |-
  8022. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8023. to the namespace of the referent.
  8024. type: string
  8025. required:
  8026. - name
  8027. type: object
  8028. tenantId:
  8029. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  8030. type: string
  8031. vaultUrl:
  8032. description: Vault URL from which the secrets are to be fetched.
  8033. type: string
  8034. required:
  8035. - vaultUrl
  8036. type: object
  8037. chef:
  8038. description: Chef configures this store to sync secrets with chef server
  8039. properties:
  8040. auth:
  8041. description: Auth defines the information necessary to authenticate against chef Server
  8042. properties:
  8043. secretRef:
  8044. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  8045. properties:
  8046. privateKeySecretRef:
  8047. description: SecretKey is the Signing Key in PEM format, used for authentication.
  8048. properties:
  8049. key:
  8050. description: |-
  8051. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8052. defaulted, in others it may be required.
  8053. type: string
  8054. name:
  8055. description: The name of the Secret resource being referred to.
  8056. type: string
  8057. namespace:
  8058. description: |-
  8059. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8060. to the namespace of the referent.
  8061. type: string
  8062. type: object
  8063. required:
  8064. - privateKeySecretRef
  8065. type: object
  8066. required:
  8067. - secretRef
  8068. type: object
  8069. serverUrl:
  8070. description: ServerURL is the chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/"
  8071. type: string
  8072. username:
  8073. description: UserName should be the user ID on the chef server
  8074. type: string
  8075. required:
  8076. - auth
  8077. - serverUrl
  8078. - username
  8079. type: object
  8080. conjur:
  8081. description: Conjur configures this store to sync secrets using conjur provider
  8082. properties:
  8083. auth:
  8084. properties:
  8085. apikey:
  8086. properties:
  8087. account:
  8088. type: string
  8089. apiKeyRef:
  8090. description: |-
  8091. A reference to a specific 'key' within a Secret resource,
  8092. In some instances, `key` is a required field.
  8093. properties:
  8094. key:
  8095. description: |-
  8096. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8097. defaulted, in others it may be required.
  8098. type: string
  8099. name:
  8100. description: The name of the Secret resource being referred to.
  8101. type: string
  8102. namespace:
  8103. description: |-
  8104. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8105. to the namespace of the referent.
  8106. type: string
  8107. type: object
  8108. userRef:
  8109. description: |-
  8110. A reference to a specific 'key' within a Secret resource,
  8111. In some instances, `key` is a required field.
  8112. properties:
  8113. key:
  8114. description: |-
  8115. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8116. defaulted, in others it may be required.
  8117. type: string
  8118. name:
  8119. description: The name of the Secret resource being referred to.
  8120. type: string
  8121. namespace:
  8122. description: |-
  8123. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8124. to the namespace of the referent.
  8125. type: string
  8126. type: object
  8127. required:
  8128. - account
  8129. - apiKeyRef
  8130. - userRef
  8131. type: object
  8132. jwt:
  8133. properties:
  8134. account:
  8135. type: string
  8136. hostId:
  8137. description: |-
  8138. Optional HostID for JWT authentication. This may be used depending
  8139. on how the Conjur JWT authenticator policy is configured.
  8140. type: string
  8141. secretRef:
  8142. description: |-
  8143. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  8144. authenticate with Conjur using the JWT authentication method.
  8145. properties:
  8146. key:
  8147. description: |-
  8148. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8149. defaulted, in others it may be required.
  8150. type: string
  8151. name:
  8152. description: The name of the Secret resource being referred to.
  8153. type: string
  8154. namespace:
  8155. description: |-
  8156. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8157. to the namespace of the referent.
  8158. type: string
  8159. type: object
  8160. serviceAccountRef:
  8161. description: |-
  8162. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  8163. a token with the `TokenRequest` API.
  8164. properties:
  8165. audiences:
  8166. description: |-
  8167. Audience specifies the `aud` claim for the service account token
  8168. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8169. then these audiences will be appended to the list
  8170. items:
  8171. type: string
  8172. type: array
  8173. name:
  8174. description: The name of the ServiceAccount resource being referred to.
  8175. type: string
  8176. namespace:
  8177. description: |-
  8178. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8179. to the namespace of the referent.
  8180. type: string
  8181. required:
  8182. - name
  8183. type: object
  8184. serviceID:
  8185. description: The conjur authn jwt webservice id
  8186. type: string
  8187. required:
  8188. - account
  8189. - serviceID
  8190. type: object
  8191. type: object
  8192. caBundle:
  8193. type: string
  8194. caProvider:
  8195. description: |-
  8196. Used to provide custom certificate authority (CA) certificates
  8197. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  8198. that contains a PEM-encoded certificate.
  8199. properties:
  8200. key:
  8201. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8202. type: string
  8203. name:
  8204. description: The name of the object located at the provider type.
  8205. type: string
  8206. namespace:
  8207. description: |-
  8208. The namespace the Provider type is in.
  8209. Can only be defined when used in a ClusterSecretStore.
  8210. type: string
  8211. type:
  8212. description: The type of provider to use such as "Secret", or "ConfigMap".
  8213. enum:
  8214. - Secret
  8215. - ConfigMap
  8216. type: string
  8217. required:
  8218. - name
  8219. - type
  8220. type: object
  8221. url:
  8222. type: string
  8223. required:
  8224. - auth
  8225. - url
  8226. type: object
  8227. delinea:
  8228. description: |-
  8229. Delinea DevOps Secrets Vault
  8230. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  8231. properties:
  8232. clientId:
  8233. description: ClientID is the non-secret part of the credential.
  8234. properties:
  8235. secretRef:
  8236. description: SecretRef references a key in a secret that will be used as value.
  8237. properties:
  8238. key:
  8239. description: |-
  8240. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8241. defaulted, in others it may be required.
  8242. type: string
  8243. name:
  8244. description: The name of the Secret resource being referred to.
  8245. type: string
  8246. namespace:
  8247. description: |-
  8248. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8249. to the namespace of the referent.
  8250. type: string
  8251. type: object
  8252. value:
  8253. description: Value can be specified directly to set a value without using a secret.
  8254. type: string
  8255. type: object
  8256. clientSecret:
  8257. description: ClientSecret is the secret part of the credential.
  8258. properties:
  8259. secretRef:
  8260. description: SecretRef references a key in a secret that will be used as value.
  8261. properties:
  8262. key:
  8263. description: |-
  8264. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8265. defaulted, in others it may be required.
  8266. type: string
  8267. name:
  8268. description: The name of the Secret resource being referred to.
  8269. type: string
  8270. namespace:
  8271. description: |-
  8272. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8273. to the namespace of the referent.
  8274. type: string
  8275. type: object
  8276. value:
  8277. description: Value can be specified directly to set a value without using a secret.
  8278. type: string
  8279. type: object
  8280. tenant:
  8281. description: Tenant is the chosen hostname / site name.
  8282. type: string
  8283. tld:
  8284. description: |-
  8285. TLD is based on the server location that was chosen during provisioning.
  8286. If unset, defaults to "com".
  8287. type: string
  8288. urlTemplate:
  8289. description: |-
  8290. URLTemplate
  8291. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  8292. type: string
  8293. required:
  8294. - clientId
  8295. - clientSecret
  8296. - tenant
  8297. type: object
  8298. doppler:
  8299. description: Doppler configures this store to sync secrets using the Doppler provider
  8300. properties:
  8301. auth:
  8302. description: Auth configures how the Operator authenticates with the Doppler API
  8303. properties:
  8304. secretRef:
  8305. properties:
  8306. dopplerToken:
  8307. description: |-
  8308. The DopplerToken is used for authentication.
  8309. See https://docs.doppler.com/reference/api#authentication for auth token types.
  8310. The Key attribute defaults to dopplerToken if not specified.
  8311. properties:
  8312. key:
  8313. description: |-
  8314. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8315. defaulted, in others it may be required.
  8316. type: string
  8317. name:
  8318. description: The name of the Secret resource being referred to.
  8319. type: string
  8320. namespace:
  8321. description: |-
  8322. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8323. to the namespace of the referent.
  8324. type: string
  8325. type: object
  8326. required:
  8327. - dopplerToken
  8328. type: object
  8329. required:
  8330. - secretRef
  8331. type: object
  8332. config:
  8333. description: Doppler config (required if not using a Service Token)
  8334. type: string
  8335. format:
  8336. description: Format enables the downloading of secrets as a file (string)
  8337. enum:
  8338. - json
  8339. - dotnet-json
  8340. - env
  8341. - yaml
  8342. - docker
  8343. type: string
  8344. nameTransformer:
  8345. description: Environment variable compatible name transforms that change secret names to a different format
  8346. enum:
  8347. - upper-camel
  8348. - camel
  8349. - lower-snake
  8350. - tf-var
  8351. - dotnet-env
  8352. - lower-kebab
  8353. type: string
  8354. project:
  8355. description: Doppler project (required if not using a Service Token)
  8356. type: string
  8357. required:
  8358. - auth
  8359. type: object
  8360. fake:
  8361. description: Fake configures a store with static key/value pairs
  8362. properties:
  8363. data:
  8364. items:
  8365. properties:
  8366. key:
  8367. type: string
  8368. value:
  8369. type: string
  8370. valueMap:
  8371. additionalProperties:
  8372. type: string
  8373. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  8374. type: object
  8375. version:
  8376. type: string
  8377. required:
  8378. - key
  8379. type: object
  8380. type: array
  8381. required:
  8382. - data
  8383. type: object
  8384. fortanix:
  8385. description: Fortanix configures this store to sync secrets using the Fortanix provider
  8386. properties:
  8387. apiKey:
  8388. description: APIKey is the API token to access SDKMS Applications.
  8389. properties:
  8390. secretRef:
  8391. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  8392. properties:
  8393. key:
  8394. description: |-
  8395. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8396. defaulted, in others it may be required.
  8397. type: string
  8398. name:
  8399. description: The name of the Secret resource being referred to.
  8400. type: string
  8401. namespace:
  8402. description: |-
  8403. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8404. to the namespace of the referent.
  8405. type: string
  8406. type: object
  8407. type: object
  8408. apiUrl:
  8409. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  8410. type: string
  8411. type: object
  8412. gcpsm:
  8413. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  8414. properties:
  8415. auth:
  8416. description: Auth defines the information necessary to authenticate against GCP
  8417. properties:
  8418. secretRef:
  8419. properties:
  8420. secretAccessKeySecretRef:
  8421. description: The SecretAccessKey is used for authentication
  8422. properties:
  8423. key:
  8424. description: |-
  8425. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8426. defaulted, in others it may be required.
  8427. type: string
  8428. name:
  8429. description: The name of the Secret resource being referred to.
  8430. type: string
  8431. namespace:
  8432. description: |-
  8433. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8434. to the namespace of the referent.
  8435. type: string
  8436. type: object
  8437. type: object
  8438. workloadIdentity:
  8439. properties:
  8440. clusterLocation:
  8441. type: string
  8442. clusterName:
  8443. type: string
  8444. clusterProjectID:
  8445. type: string
  8446. serviceAccountRef:
  8447. description: A reference to a ServiceAccount resource.
  8448. properties:
  8449. audiences:
  8450. description: |-
  8451. Audience specifies the `aud` claim for the service account token
  8452. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8453. then these audiences will be appended to the list
  8454. items:
  8455. type: string
  8456. type: array
  8457. name:
  8458. description: The name of the ServiceAccount resource being referred to.
  8459. type: string
  8460. namespace:
  8461. description: |-
  8462. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8463. to the namespace of the referent.
  8464. type: string
  8465. required:
  8466. - name
  8467. type: object
  8468. required:
  8469. - clusterLocation
  8470. - clusterName
  8471. - serviceAccountRef
  8472. type: object
  8473. type: object
  8474. projectID:
  8475. description: ProjectID project where secret is located
  8476. type: string
  8477. type: object
  8478. gitlab:
  8479. description: GitLab configures this store to sync secrets using GitLab Variables provider
  8480. properties:
  8481. auth:
  8482. description: Auth configures how secret-manager authenticates with a GitLab instance.
  8483. properties:
  8484. SecretRef:
  8485. properties:
  8486. accessToken:
  8487. description: AccessToken is used for authentication.
  8488. properties:
  8489. key:
  8490. description: |-
  8491. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8492. defaulted, in others it may be required.
  8493. type: string
  8494. name:
  8495. description: The name of the Secret resource being referred to.
  8496. type: string
  8497. namespace:
  8498. description: |-
  8499. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8500. to the namespace of the referent.
  8501. type: string
  8502. type: object
  8503. type: object
  8504. required:
  8505. - SecretRef
  8506. type: object
  8507. environment:
  8508. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  8509. type: string
  8510. groupIDs:
  8511. description: GroupIDs specify which gitlab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  8512. items:
  8513. type: string
  8514. type: array
  8515. inheritFromGroups:
  8516. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  8517. type: boolean
  8518. projectID:
  8519. description: ProjectID specifies a project where secrets are located.
  8520. type: string
  8521. url:
  8522. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  8523. type: string
  8524. required:
  8525. - auth
  8526. type: object
  8527. ibm:
  8528. description: IBM configures this store to sync secrets using IBM Cloud provider
  8529. properties:
  8530. auth:
  8531. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  8532. maxProperties: 1
  8533. minProperties: 1
  8534. properties:
  8535. containerAuth:
  8536. description: IBM Container-based auth with IAM Trusted Profile.
  8537. properties:
  8538. iamEndpoint:
  8539. type: string
  8540. profile:
  8541. description: the IBM Trusted Profile
  8542. type: string
  8543. tokenLocation:
  8544. description: Location where the token is mounted on the pod
  8545. type: string
  8546. required:
  8547. - profile
  8548. type: object
  8549. secretRef:
  8550. properties:
  8551. secretApiKeySecretRef:
  8552. description: The SecretAccessKey is used for authentication
  8553. properties:
  8554. key:
  8555. description: |-
  8556. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8557. defaulted, in others it may be required.
  8558. type: string
  8559. name:
  8560. description: The name of the Secret resource being referred to.
  8561. type: string
  8562. namespace:
  8563. description: |-
  8564. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8565. to the namespace of the referent.
  8566. type: string
  8567. type: object
  8568. type: object
  8569. type: object
  8570. serviceUrl:
  8571. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  8572. type: string
  8573. required:
  8574. - auth
  8575. type: object
  8576. keepersecurity:
  8577. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  8578. properties:
  8579. authRef:
  8580. description: |-
  8581. A reference to a specific 'key' within a Secret resource,
  8582. In some instances, `key` is a required field.
  8583. properties:
  8584. key:
  8585. description: |-
  8586. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8587. defaulted, in others it may be required.
  8588. type: string
  8589. name:
  8590. description: The name of the Secret resource being referred to.
  8591. type: string
  8592. namespace:
  8593. description: |-
  8594. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8595. to the namespace of the referent.
  8596. type: string
  8597. type: object
  8598. folderID:
  8599. type: string
  8600. required:
  8601. - authRef
  8602. - folderID
  8603. type: object
  8604. kubernetes:
  8605. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  8606. properties:
  8607. auth:
  8608. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  8609. maxProperties: 1
  8610. minProperties: 1
  8611. properties:
  8612. cert:
  8613. description: has both clientCert and clientKey as secretKeySelector
  8614. properties:
  8615. clientCert:
  8616. description: |-
  8617. A reference to a specific 'key' within a Secret resource,
  8618. In some instances, `key` is a required field.
  8619. properties:
  8620. key:
  8621. description: |-
  8622. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8623. defaulted, in others it may be required.
  8624. type: string
  8625. name:
  8626. description: The name of the Secret resource being referred to.
  8627. type: string
  8628. namespace:
  8629. description: |-
  8630. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8631. to the namespace of the referent.
  8632. type: string
  8633. type: object
  8634. clientKey:
  8635. description: |-
  8636. A reference to a specific 'key' within a Secret resource,
  8637. In some instances, `key` is a required field.
  8638. properties:
  8639. key:
  8640. description: |-
  8641. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8642. defaulted, in others it may be required.
  8643. type: string
  8644. name:
  8645. description: The name of the Secret resource being referred to.
  8646. type: string
  8647. namespace:
  8648. description: |-
  8649. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8650. to the namespace of the referent.
  8651. type: string
  8652. type: object
  8653. type: object
  8654. serviceAccount:
  8655. description: points to a service account that should be used for authentication
  8656. properties:
  8657. audiences:
  8658. description: |-
  8659. Audience specifies the `aud` claim for the service account token
  8660. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8661. then these audiences will be appended to the list
  8662. items:
  8663. type: string
  8664. type: array
  8665. name:
  8666. description: The name of the ServiceAccount resource being referred to.
  8667. type: string
  8668. namespace:
  8669. description: |-
  8670. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8671. to the namespace of the referent.
  8672. type: string
  8673. required:
  8674. - name
  8675. type: object
  8676. token:
  8677. description: use a static token to authenticate with
  8678. properties:
  8679. bearerToken:
  8680. description: |-
  8681. A reference to a specific 'key' within a Secret resource,
  8682. In some instances, `key` is a required field.
  8683. properties:
  8684. key:
  8685. description: |-
  8686. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8687. defaulted, in others it may be required.
  8688. type: string
  8689. name:
  8690. description: The name of the Secret resource being referred to.
  8691. type: string
  8692. namespace:
  8693. description: |-
  8694. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8695. to the namespace of the referent.
  8696. type: string
  8697. type: object
  8698. type: object
  8699. type: object
  8700. remoteNamespace:
  8701. default: default
  8702. description: Remote namespace to fetch the secrets from
  8703. type: string
  8704. server:
  8705. description: configures the Kubernetes server Address.
  8706. properties:
  8707. caBundle:
  8708. description: CABundle is a base64-encoded CA certificate
  8709. format: byte
  8710. type: string
  8711. caProvider:
  8712. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  8713. properties:
  8714. key:
  8715. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8716. type: string
  8717. name:
  8718. description: The name of the object located at the provider type.
  8719. type: string
  8720. namespace:
  8721. description: |-
  8722. The namespace the Provider type is in.
  8723. Can only be defined when used in a ClusterSecretStore.
  8724. type: string
  8725. type:
  8726. description: The type of provider to use such as "Secret", or "ConfigMap".
  8727. enum:
  8728. - Secret
  8729. - ConfigMap
  8730. type: string
  8731. required:
  8732. - name
  8733. - type
  8734. type: object
  8735. url:
  8736. default: kubernetes.default
  8737. description: configures the Kubernetes server Address.
  8738. type: string
  8739. type: object
  8740. required:
  8741. - auth
  8742. type: object
  8743. onboardbase:
  8744. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  8745. properties:
  8746. apiHost:
  8747. default: https://public.onboardbase.com/api/v1/
  8748. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  8749. type: string
  8750. auth:
  8751. description: Auth configures how the Operator authenticates with the Onboardbase API
  8752. properties:
  8753. apiKeyRef:
  8754. description: |-
  8755. OnboardbaseAPIKey is the APIKey generated by an admin account.
  8756. It is used to recognize and authorize access to a project and environment within onboardbase
  8757. properties:
  8758. key:
  8759. description: |-
  8760. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8761. defaulted, in others it may be required.
  8762. type: string
  8763. name:
  8764. description: The name of the Secret resource being referred to.
  8765. type: string
  8766. namespace:
  8767. description: |-
  8768. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8769. to the namespace of the referent.
  8770. type: string
  8771. type: object
  8772. passcodeRef:
  8773. description: OnboardbasePasscode is the passcode attached to the API Key
  8774. properties:
  8775. key:
  8776. description: |-
  8777. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8778. defaulted, in others it may be required.
  8779. type: string
  8780. name:
  8781. description: The name of the Secret resource being referred to.
  8782. type: string
  8783. namespace:
  8784. description: |-
  8785. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8786. to the namespace of the referent.
  8787. type: string
  8788. type: object
  8789. required:
  8790. - apiKeyRef
  8791. - passcodeRef
  8792. type: object
  8793. environment:
  8794. default: development
  8795. description: Environment is the name of an environment within a project to pull the secrets from
  8796. type: string
  8797. project:
  8798. default: development
  8799. description: Project is an onboardbase project that the secrets should be pulled from
  8800. type: string
  8801. required:
  8802. - apiHost
  8803. - auth
  8804. - environment
  8805. - project
  8806. type: object
  8807. onepassword:
  8808. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  8809. properties:
  8810. auth:
  8811. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  8812. properties:
  8813. secretRef:
  8814. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  8815. properties:
  8816. connectTokenSecretRef:
  8817. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  8818. properties:
  8819. key:
  8820. description: |-
  8821. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8822. defaulted, in others it may be required.
  8823. type: string
  8824. name:
  8825. description: The name of the Secret resource being referred to.
  8826. type: string
  8827. namespace:
  8828. description: |-
  8829. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8830. to the namespace of the referent.
  8831. type: string
  8832. type: object
  8833. required:
  8834. - connectTokenSecretRef
  8835. type: object
  8836. required:
  8837. - secretRef
  8838. type: object
  8839. connectHost:
  8840. description: ConnectHost defines the OnePassword Connect Server to connect to
  8841. type: string
  8842. vaults:
  8843. additionalProperties:
  8844. type: integer
  8845. description: Vaults defines which OnePassword vaults to search in which order
  8846. type: object
  8847. required:
  8848. - auth
  8849. - connectHost
  8850. - vaults
  8851. type: object
  8852. oracle:
  8853. description: Oracle configures this store to sync secrets using Oracle Vault provider
  8854. properties:
  8855. auth:
  8856. description: |-
  8857. Auth configures how secret-manager authenticates with the Oracle Vault.
  8858. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  8859. properties:
  8860. secretRef:
  8861. description: SecretRef to pass through sensitive information.
  8862. properties:
  8863. fingerprint:
  8864. description: Fingerprint is the fingerprint of the API private key.
  8865. properties:
  8866. key:
  8867. description: |-
  8868. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8869. defaulted, in others it may be required.
  8870. type: string
  8871. name:
  8872. description: The name of the Secret resource being referred to.
  8873. type: string
  8874. namespace:
  8875. description: |-
  8876. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8877. to the namespace of the referent.
  8878. type: string
  8879. type: object
  8880. privatekey:
  8881. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  8882. properties:
  8883. key:
  8884. description: |-
  8885. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8886. defaulted, in others it may be required.
  8887. type: string
  8888. name:
  8889. description: The name of the Secret resource being referred to.
  8890. type: string
  8891. namespace:
  8892. description: |-
  8893. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8894. to the namespace of the referent.
  8895. type: string
  8896. type: object
  8897. required:
  8898. - fingerprint
  8899. - privatekey
  8900. type: object
  8901. tenancy:
  8902. description: Tenancy is the tenancy OCID where user is located.
  8903. type: string
  8904. user:
  8905. description: User is an access OCID specific to the account.
  8906. type: string
  8907. required:
  8908. - secretRef
  8909. - tenancy
  8910. - user
  8911. type: object
  8912. compartment:
  8913. description: |-
  8914. Compartment is the vault compartment OCID.
  8915. Required for PushSecret
  8916. type: string
  8917. encryptionKey:
  8918. description: |-
  8919. EncryptionKey is the OCID of the encryption key within the vault.
  8920. Required for PushSecret
  8921. type: string
  8922. principalType:
  8923. description: |-
  8924. The type of principal to use for authentication. If left blank, the Auth struct will
  8925. determine the principal type. This optional field must be specified if using
  8926. workload identity.
  8927. enum:
  8928. - ""
  8929. - UserPrincipal
  8930. - InstancePrincipal
  8931. - Workload
  8932. type: string
  8933. region:
  8934. description: Region is the region where vault is located.
  8935. type: string
  8936. serviceAccountRef:
  8937. description: |-
  8938. ServiceAccountRef specifies the service account
  8939. that should be used when authenticating with WorkloadIdentity.
  8940. properties:
  8941. audiences:
  8942. description: |-
  8943. Audience specifies the `aud` claim for the service account token
  8944. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8945. then these audiences will be appended to the list
  8946. items:
  8947. type: string
  8948. type: array
  8949. name:
  8950. description: The name of the ServiceAccount resource being referred to.
  8951. type: string
  8952. namespace:
  8953. description: |-
  8954. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8955. to the namespace of the referent.
  8956. type: string
  8957. required:
  8958. - name
  8959. type: object
  8960. vault:
  8961. description: Vault is the vault's OCID of the specific vault where secret is located.
  8962. type: string
  8963. required:
  8964. - region
  8965. - vault
  8966. type: object
  8967. passworddepot:
  8968. description: Configures a store to sync secrets with a Password Depot instance.
  8969. properties:
  8970. auth:
  8971. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  8972. properties:
  8973. secretRef:
  8974. properties:
  8975. credentials:
  8976. description: Username / Password is used for authentication.
  8977. properties:
  8978. key:
  8979. description: |-
  8980. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8981. defaulted, in others it may be required.
  8982. type: string
  8983. name:
  8984. description: The name of the Secret resource being referred to.
  8985. type: string
  8986. namespace:
  8987. description: |-
  8988. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8989. to the namespace of the referent.
  8990. type: string
  8991. type: object
  8992. type: object
  8993. required:
  8994. - secretRef
  8995. type: object
  8996. database:
  8997. description: Database to use as source
  8998. type: string
  8999. host:
  9000. description: URL configures the Password Depot instance URL.
  9001. type: string
  9002. required:
  9003. - auth
  9004. - database
  9005. - host
  9006. type: object
  9007. pulumi:
  9008. description: Pulumi configures this store to sync secrets using the Pulumi provider
  9009. properties:
  9010. accessToken:
  9011. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  9012. properties:
  9013. secretRef:
  9014. description: SecretRef is a reference to a secret containing the Pulumi API token.
  9015. properties:
  9016. key:
  9017. description: |-
  9018. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9019. defaulted, in others it may be required.
  9020. type: string
  9021. name:
  9022. description: The name of the Secret resource being referred to.
  9023. type: string
  9024. namespace:
  9025. description: |-
  9026. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9027. to the namespace of the referent.
  9028. type: string
  9029. type: object
  9030. type: object
  9031. apiUrl:
  9032. default: https://api.pulumi.com
  9033. description: APIURL is the URL of the Pulumi API.
  9034. type: string
  9035. environment:
  9036. description: |-
  9037. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  9038. dynamically retrieved values from supported providers including all major clouds,
  9039. and other Pulumi ESC environments.
  9040. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  9041. type: string
  9042. organization:
  9043. description: |-
  9044. Organization is a space to collaborate on shared projects and stacks.
  9045. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  9046. type: string
  9047. required:
  9048. - accessToken
  9049. - environment
  9050. - organization
  9051. type: object
  9052. scaleway:
  9053. description: Scaleway
  9054. properties:
  9055. accessKey:
  9056. description: AccessKey is the non-secret part of the api key.
  9057. properties:
  9058. secretRef:
  9059. description: SecretRef references a key in a secret that will be used as value.
  9060. properties:
  9061. key:
  9062. description: |-
  9063. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9064. defaulted, in others it may be required.
  9065. type: string
  9066. name:
  9067. description: The name of the Secret resource being referred to.
  9068. type: string
  9069. namespace:
  9070. description: |-
  9071. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9072. to the namespace of the referent.
  9073. type: string
  9074. type: object
  9075. value:
  9076. description: Value can be specified directly to set a value without using a secret.
  9077. type: string
  9078. type: object
  9079. apiUrl:
  9080. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  9081. type: string
  9082. projectId:
  9083. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  9084. type: string
  9085. region:
  9086. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  9087. type: string
  9088. secretKey:
  9089. description: SecretKey is the non-secret part of the api key.
  9090. properties:
  9091. secretRef:
  9092. description: SecretRef references a key in a secret that will be used as value.
  9093. properties:
  9094. key:
  9095. description: |-
  9096. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9097. defaulted, in others it may be required.
  9098. type: string
  9099. name:
  9100. description: The name of the Secret resource being referred to.
  9101. type: string
  9102. namespace:
  9103. description: |-
  9104. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9105. to the namespace of the referent.
  9106. type: string
  9107. type: object
  9108. value:
  9109. description: Value can be specified directly to set a value without using a secret.
  9110. type: string
  9111. type: object
  9112. required:
  9113. - accessKey
  9114. - projectId
  9115. - region
  9116. - secretKey
  9117. type: object
  9118. secretserver:
  9119. description: |-
  9120. SecretServer configures this store to sync secrets using SecretServer provider
  9121. https://docs.delinea.com/online-help/secret-server/start.htm
  9122. properties:
  9123. password:
  9124. description: Password is the secret server account password.
  9125. properties:
  9126. secretRef:
  9127. description: SecretRef references a key in a secret that will be used as value.
  9128. properties:
  9129. key:
  9130. description: |-
  9131. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9132. defaulted, in others it may be required.
  9133. type: string
  9134. name:
  9135. description: The name of the Secret resource being referred to.
  9136. type: string
  9137. namespace:
  9138. description: |-
  9139. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9140. to the namespace of the referent.
  9141. type: string
  9142. type: object
  9143. value:
  9144. description: Value can be specified directly to set a value without using a secret.
  9145. type: string
  9146. type: object
  9147. serverURL:
  9148. description: |-
  9149. ServerURL
  9150. URL to your secret server installation
  9151. type: string
  9152. username:
  9153. description: Username is the secret server account username.
  9154. properties:
  9155. secretRef:
  9156. description: SecretRef references a key in a secret that will be used as value.
  9157. properties:
  9158. key:
  9159. description: |-
  9160. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9161. defaulted, in others it may be required.
  9162. type: string
  9163. name:
  9164. description: The name of the Secret resource being referred to.
  9165. type: string
  9166. namespace:
  9167. description: |-
  9168. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9169. to the namespace of the referent.
  9170. type: string
  9171. type: object
  9172. value:
  9173. description: Value can be specified directly to set a value without using a secret.
  9174. type: string
  9175. type: object
  9176. required:
  9177. - password
  9178. - serverURL
  9179. - username
  9180. type: object
  9181. senhasegura:
  9182. description: Senhasegura configures this store to sync secrets using senhasegura provider
  9183. properties:
  9184. auth:
  9185. description: Auth defines parameters to authenticate in senhasegura
  9186. properties:
  9187. clientId:
  9188. type: string
  9189. clientSecretSecretRef:
  9190. description: |-
  9191. A reference to a specific 'key' within a Secret resource,
  9192. In some instances, `key` is a required field.
  9193. properties:
  9194. key:
  9195. description: |-
  9196. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9197. defaulted, in others it may be required.
  9198. type: string
  9199. name:
  9200. description: The name of the Secret resource being referred to.
  9201. type: string
  9202. namespace:
  9203. description: |-
  9204. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9205. to the namespace of the referent.
  9206. type: string
  9207. type: object
  9208. required:
  9209. - clientId
  9210. - clientSecretSecretRef
  9211. type: object
  9212. ignoreSslCertificate:
  9213. default: false
  9214. description: IgnoreSslCertificate defines whether the SSL certificate should be ignored
  9215. type: boolean
  9216. module:
  9217. description: Module defines which senhasegura module should be used to get secrets
  9218. type: string
  9219. url:
  9220. description: URL of senhasegura
  9221. type: string
  9222. required:
  9223. - auth
  9224. - module
  9225. - url
  9226. type: object
  9227. vault:
  9228. description: Vault configures this store to sync secrets using Hashi provider
  9229. properties:
  9230. auth:
  9231. description: Auth configures how secret-manager authenticates with the Vault server.
  9232. properties:
  9233. appRole:
  9234. description: |-
  9235. AppRole authenticates with Vault using the App Role auth mechanism,
  9236. with the role and secret stored in a Kubernetes Secret resource.
  9237. properties:
  9238. path:
  9239. default: approle
  9240. description: |-
  9241. Path where the App Role authentication backend is mounted
  9242. in Vault, e.g: "approle"
  9243. type: string
  9244. roleId:
  9245. description: |-
  9246. RoleID configured in the App Role authentication backend when setting
  9247. up the authentication backend in Vault.
  9248. type: string
  9249. roleRef:
  9250. description: |-
  9251. Reference to a key in a Secret that contains the App Role ID used
  9252. to authenticate with Vault.
  9253. The `key` field must be specified and denotes which entry within the Secret
  9254. resource is used as the app role id.
  9255. properties:
  9256. key:
  9257. description: |-
  9258. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9259. defaulted, in others it may be required.
  9260. type: string
  9261. name:
  9262. description: The name of the Secret resource being referred to.
  9263. type: string
  9264. namespace:
  9265. description: |-
  9266. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9267. to the namespace of the referent.
  9268. type: string
  9269. type: object
  9270. secretRef:
  9271. description: |-
  9272. Reference to a key in a Secret that contains the App Role secret used
  9273. to authenticate with Vault.
  9274. The `key` field must be specified and denotes which entry within the Secret
  9275. resource is used as the app role secret.
  9276. properties:
  9277. key:
  9278. description: |-
  9279. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9280. defaulted, in others it may be required.
  9281. type: string
  9282. name:
  9283. description: The name of the Secret resource being referred to.
  9284. type: string
  9285. namespace:
  9286. description: |-
  9287. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9288. to the namespace of the referent.
  9289. type: string
  9290. type: object
  9291. required:
  9292. - path
  9293. - secretRef
  9294. type: object
  9295. cert:
  9296. description: |-
  9297. Cert authenticates with TLS certificates by passing a client certificate, private key and CA certificate
  9298. (the Cert authentication method)
  9299. properties:
  9300. clientCert:
  9301. description: |-
  9302. ClientCert is a certificate to authenticate using the Cert Vault
  9303. authentication method
  9304. properties:
  9305. key:
  9306. description: |-
  9307. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9308. defaulted, in others it may be required.
  9309. type: string
  9310. name:
  9311. description: The name of the Secret resource being referred to.
  9312. type: string
  9313. namespace:
  9314. description: |-
  9315. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9316. to the namespace of the referent.
  9317. type: string
  9318. type: object
  9319. secretRef:
  9320. description: |-
  9321. SecretRef to a key in a Secret resource containing client private key to
  9322. authenticate with Vault using the Cert authentication method
  9323. properties:
  9324. key:
  9325. description: |-
  9326. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9327. defaulted, in others it may be required.
  9328. type: string
  9329. name:
  9330. description: The name of the Secret resource being referred to.
  9331. type: string
  9332. namespace:
  9333. description: |-
  9334. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9335. to the namespace of the referent.
  9336. type: string
  9337. type: object
  9338. type: object
  9339. iam:
  9340. description: |-
  9341. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  9342. (the AWS IAM authentication method)
  9343. properties:
  9344. externalID:
  9345. description: AWS External ID set on assumed IAM roles
  9346. type: string
  9347. jwt:
  9348. description: Specify a service account with IRSA enabled
  9349. properties:
  9350. serviceAccountRef:
  9351. description: A reference to a ServiceAccount resource.
  9352. properties:
  9353. audiences:
  9354. description: |-
  9355. Audience specifies the `aud` claim for the service account token
  9356. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9357. then these audiences will be appended to the list
  9358. items:
  9359. type: string
  9360. type: array
  9361. name:
  9362. description: The name of the ServiceAccount resource being referred to.
  9363. type: string
  9364. namespace:
  9365. description: |-
  9366. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9367. to the namespace of the referent.
  9368. type: string
  9369. required:
  9370. - name
  9371. type: object
  9372. type: object
  9373. path:
  9374. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  9375. type: string
  9376. region:
  9377. description: AWS region
  9378. type: string
  9379. role:
  9380. description: This is the AWS role to be assumed before talking to vault
  9381. type: string
  9382. secretRef:
  9383. description: Specify credentials in a Secret object
  9384. properties:
  9385. accessKeyIDSecretRef:
  9386. description: The AccessKeyID is used for authentication
  9387. properties:
  9388. key:
  9389. description: |-
  9390. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9391. defaulted, in others it may be required.
  9392. type: string
  9393. name:
  9394. description: The name of the Secret resource being referred to.
  9395. type: string
  9396. namespace:
  9397. description: |-
  9398. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9399. to the namespace of the referent.
  9400. type: string
  9401. type: object
  9402. secretAccessKeySecretRef:
  9403. description: The SecretAccessKey is used for authentication
  9404. properties:
  9405. key:
  9406. description: |-
  9407. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9408. defaulted, in others it may be required.
  9409. type: string
  9410. name:
  9411. description: The name of the Secret resource being referred to.
  9412. type: string
  9413. namespace:
  9414. description: |-
  9415. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9416. to the namespace of the referent.
  9417. type: string
  9418. type: object
  9419. sessionTokenSecretRef:
  9420. description: |-
  9421. The SessionToken used for authentication
  9422. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9423. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9424. properties:
  9425. key:
  9426. description: |-
  9427. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9428. defaulted, in others it may be required.
  9429. type: string
  9430. name:
  9431. description: The name of the Secret resource being referred to.
  9432. type: string
  9433. namespace:
  9434. description: |-
  9435. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9436. to the namespace of the referent.
  9437. type: string
  9438. type: object
  9439. type: object
  9440. vaultAwsIamServerID:
9441. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by the Vault AWS IAM auth method to mitigate replay attacks on the signed AWS request. Its value needs to match what the Vault AWS auth backend is configured to expect; if left unset, this replay mitigation is not in effect. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  9442. type: string
  9443. vaultRole:
  9444. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  9445. type: string
  9446. required:
  9447. - vaultRole
  9448. type: object
  9449. jwt:
  9450. description: |-
  9451. Jwt authenticates with Vault by passing role and JWT token using the
  9452. JWT/OIDC authentication method
  9453. properties:
  9454. kubernetesServiceAccountToken:
  9455. description: |-
  9456. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  9457. a token for with the `TokenRequest` API.
  9458. properties:
  9459. audiences:
  9460. description: |-
  9461. Optional audiences field that will be used to request a temporary Kubernetes service
  9462. account token for the service account referenced by `serviceAccountRef`.
9463. Defaults to a single audience `vault` if not specified.
  9464. Deprecated: use serviceAccountRef.Audiences instead
  9465. items:
  9466. type: string
  9467. type: array
  9468. expirationSeconds:
  9469. description: |-
  9470. Optional expiration time in seconds that will be used to request a temporary
  9471. Kubernetes service account token for the service account referenced by
  9472. `serviceAccountRef`.
  9473. Deprecated: this will be removed in the future.
  9474. Defaults to 10 minutes.
  9475. format: int64
  9476. type: integer
  9477. serviceAccountRef:
  9478. description: Service account field containing the name of a kubernetes ServiceAccount.
  9479. properties:
  9480. audiences:
  9481. description: |-
  9482. Audience specifies the `aud` claim for the service account token
  9483. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9484. then these audiences will be appended to the list
  9485. items:
  9486. type: string
  9487. type: array
  9488. name:
  9489. description: The name of the ServiceAccount resource being referred to.
  9490. type: string
  9491. namespace:
  9492. description: |-
  9493. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9494. to the namespace of the referent.
  9495. type: string
  9496. required:
  9497. - name
  9498. type: object
  9499. required:
  9500. - serviceAccountRef
  9501. type: object
  9502. path:
  9503. default: jwt
  9504. description: |-
  9505. Path where the JWT authentication backend is mounted
  9506. in Vault, e.g: "jwt"
  9507. type: string
  9508. role:
  9509. description: |-
  9510. Role is a JWT role to authenticate using the JWT/OIDC Vault
  9511. authentication method
  9512. type: string
  9513. secretRef:
  9514. description: |-
  9515. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9516. authenticate with Vault using the JWT/OIDC authentication method.
  9517. properties:
  9518. key:
  9519. description: |-
  9520. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9521. defaulted, in others it may be required.
  9522. type: string
  9523. name:
  9524. description: The name of the Secret resource being referred to.
  9525. type: string
  9526. namespace:
  9527. description: |-
  9528. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9529. to the namespace of the referent.
  9530. type: string
  9531. type: object
  9532. required:
  9533. - path
  9534. type: object
  9535. kubernetes:
  9536. description: |-
  9537. Kubernetes authenticates with Vault by passing the ServiceAccount
  9538. token stored in the named Secret resource to the Vault server.
  9539. properties:
  9540. mountPath:
  9541. default: kubernetes
  9542. description: |-
  9543. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  9544. "kubernetes"
  9545. type: string
  9546. role:
  9547. description: |-
  9548. A required field containing the Vault Role to assume. A Role binds a
  9549. Kubernetes ServiceAccount with a set of Vault policies.
  9550. type: string
  9551. secretRef:
  9552. description: |-
9553. Optional secret field containing a Kubernetes ServiceAccount JWT used
9554. for authenticating with Vault. If a name is specified without a key,
9555. `token` is the default. If neither this nor serviceAccountRef is specified,
9556. the token bound to the controller's own ServiceAccount will be used.
  9557. properties:
  9558. key:
  9559. description: |-
  9560. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9561. defaulted, in others it may be required.
  9562. type: string
  9563. name:
  9564. description: The name of the Secret resource being referred to.
  9565. type: string
  9566. namespace:
  9567. description: |-
  9568. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9569. to the namespace of the referent.
  9570. type: string
  9571. type: object
  9572. serviceAccountRef:
  9573. description: |-
  9574. Optional service account field containing the name of a kubernetes ServiceAccount.
  9575. If the service account is specified, the service account secret token JWT will be used
  9576. for authenticating with Vault. If the service account selector is not supplied,
  9577. the secretRef will be used instead.
  9578. properties:
  9579. audiences:
  9580. description: |-
  9581. Audience specifies the `aud` claim for the service account token
  9582. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9583. then these audiences will be appended to the list
  9584. items:
  9585. type: string
  9586. type: array
  9587. name:
  9588. description: The name of the ServiceAccount resource being referred to.
  9589. type: string
  9590. namespace:
  9591. description: |-
  9592. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9593. to the namespace of the referent.
  9594. type: string
  9595. required:
  9596. - name
  9597. type: object
  9598. required:
  9599. - mountPath
  9600. - role
  9601. type: object
  9602. ldap:
  9603. description: |-
  9604. Ldap authenticates with Vault by passing username/password pair using
  9605. the LDAP authentication method
  9606. properties:
  9607. path:
  9608. default: ldap
  9609. description: |-
  9610. Path where the LDAP authentication backend is mounted
  9611. in Vault, e.g: "ldap"
  9612. type: string
  9613. secretRef:
  9614. description: |-
  9615. SecretRef to a key in a Secret resource containing password for the LDAP
  9616. user used to authenticate with Vault using the LDAP authentication
  9617. method
  9618. properties:
  9619. key:
  9620. description: |-
  9621. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9622. defaulted, in others it may be required.
  9623. type: string
  9624. name:
  9625. description: The name of the Secret resource being referred to.
  9626. type: string
  9627. namespace:
  9628. description: |-
  9629. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9630. to the namespace of the referent.
  9631. type: string
  9632. type: object
  9633. username:
  9634. description: |-
  9635. Username is a LDAP user name used to authenticate using the LDAP Vault
  9636. authentication method
  9637. type: string
  9638. required:
  9639. - path
  9640. - username
  9641. type: object
  9642. namespace:
  9643. description: |-
9644. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  9645. Namespaces is a set of features within Vault Enterprise that allows
  9646. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  9647. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
9648. This will default to the provider-level Vault `namespace` field if set, or empty otherwise
  9649. type: string
  9650. tokenSecretRef:
  9651. description: TokenSecretRef authenticates with Vault by presenting a token.
  9652. properties:
  9653. key:
  9654. description: |-
  9655. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9656. defaulted, in others it may be required.
  9657. type: string
  9658. name:
  9659. description: The name of the Secret resource being referred to.
  9660. type: string
  9661. namespace:
  9662. description: |-
  9663. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9664. to the namespace of the referent.
  9665. type: string
  9666. type: object
  9667. userPass:
  9668. description: UserPass authenticates with Vault by passing username/password pair
  9669. properties:
  9670. path:
  9671. default: user
  9672. description: |-
  9673. Path where the UserPassword authentication backend is mounted
  9674. in Vault, e.g: "user"
  9675. type: string
  9676. secretRef:
  9677. description: |-
  9678. SecretRef to a key in a Secret resource containing password for the
  9679. user used to authenticate with Vault using the UserPass authentication
  9680. method
  9681. properties:
  9682. key:
  9683. description: |-
  9684. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9685. defaulted, in others it may be required.
  9686. type: string
  9687. name:
  9688. description: The name of the Secret resource being referred to.
  9689. type: string
  9690. namespace:
  9691. description: |-
  9692. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9693. to the namespace of the referent.
  9694. type: string
  9695. type: object
  9696. username:
  9697. description: |-
  9698. Username is a user name used to authenticate using the UserPass Vault
  9699. authentication method
  9700. type: string
  9701. required:
  9702. - path
  9703. - username
  9704. type: object
  9705. type: object
  9706. caBundle:
  9707. description: |-
  9708. PEM encoded CA bundle used to validate Vault server certificate. Only used
  9709. if the Server URL is using HTTPS protocol. This parameter is ignored for
  9710. plain HTTP protocol connection. If not set the system root certificates
  9711. are used to validate the TLS connection.
  9712. format: byte
  9713. type: string
  9714. caProvider:
  9715. description: The provider for the CA bundle to use to validate Vault server certificate.
  9716. properties:
  9717. key:
  9718. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9719. type: string
  9720. name:
  9721. description: The name of the object located at the provider type.
  9722. type: string
  9723. namespace:
  9724. description: |-
  9725. The namespace the Provider type is in.
  9726. Can only be defined when used in a ClusterSecretStore.
  9727. type: string
  9728. type:
  9729. description: The type of provider to use such as "Secret", or "ConfigMap".
  9730. enum:
  9731. - Secret
  9732. - ConfigMap
  9733. type: string
  9734. required:
  9735. - name
  9736. - type
  9737. type: object
  9738. forwardInconsistent:
  9739. description: |-
  9740. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  9741. leader instead of simply retrying within a loop. This can increase performance if
  9742. the option is enabled serverside.
  9743. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  9744. type: boolean
  9745. namespace:
  9746. description: |-
  9747. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  9748. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  9749. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  9750. type: string
  9751. path:
  9752. description: |-
  9753. Path is the mount path of the Vault KV backend endpoint, e.g:
  9754. "secret". The v2 KV secret engine version specific "/data" path suffix
  9755. for fetching secrets from Vault is optional and will be appended
  9756. if not present in specified path.
  9757. type: string
  9758. readYourWrites:
  9759. description: |-
  9760. ReadYourWrites ensures isolated read-after-write semantics by
  9761. providing discovered cluster replication states in each request.
  9762. More information about eventual consistency in Vault can be found here
  9763. https://www.vaultproject.io/docs/enterprise/consistency
  9764. type: boolean
  9765. server:
  9766. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  9767. type: string
  9768. tls:
  9769. description: |-
  9770. The configuration used for client side related TLS communication, when the Vault server
  9771. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  9772. This parameter is ignored for plain HTTP protocol connection.
  9773. It's worth noting this configuration is different from the "TLS certificates auth method",
  9774. which is available under the `auth.cert` section.
  9775. properties:
  9776. certSecretRef:
  9777. description: |-
  9778. CertSecretRef is a certificate added to the transport layer
  9779. when communicating with the Vault server.
9780. If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
  9781. properties:
  9782. key:
  9783. description: |-
  9784. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9785. defaulted, in others it may be required.
  9786. type: string
  9787. name:
  9788. description: The name of the Secret resource being referred to.
  9789. type: string
  9790. namespace:
  9791. description: |-
  9792. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9793. to the namespace of the referent.
  9794. type: string
  9795. type: object
  9796. keySecretRef:
  9797. description: |-
  9798. KeySecretRef to a key in a Secret resource containing client private key
  9799. added to the transport layer when communicating with the Vault server.
9800. If no key for the Secret is specified, external-secrets will default to 'tls.key'.
  9801. properties:
  9802. key:
  9803. description: |-
  9804. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9805. defaulted, in others it may be required.
  9806. type: string
  9807. name:
  9808. description: The name of the Secret resource being referred to.
  9809. type: string
  9810. namespace:
  9811. description: |-
  9812. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9813. to the namespace of the referent.
  9814. type: string
  9815. type: object
  9816. type: object
  9817. version:
  9818. default: v2
  9819. description: |-
  9820. Version is the Vault KV secret engine version. This can be either "v1" or
  9821. "v2". Version defaults to "v2".
  9822. enum:
  9823. - v1
  9824. - v2
  9825. type: string
  9826. required:
  9827. - auth
  9828. - server
  9829. type: object
  9830. webhook:
  9831. description: Webhook configures this store to sync secrets using a generic templated webhook
  9832. properties:
  9833. body:
  9834. description: Body
  9835. type: string
  9836. caBundle:
  9837. description: |-
  9838. PEM encoded CA bundle used to validate webhook server certificate. Only used
  9839. if the Server URL is using HTTPS protocol. This parameter is ignored for
  9840. plain HTTP protocol connection. If not set the system root certificates
  9841. are used to validate the TLS connection.
  9842. format: byte
  9843. type: string
  9844. caProvider:
  9845. description: The provider for the CA bundle to use to validate webhook server certificate.
  9846. properties:
  9847. key:
9848. description: The key within the referenced object whose value holds the CA certificate; only used with the "Secret" type
  9849. type: string
  9850. name:
  9851. description: The name of the object located at the provider type.
  9852. type: string
  9853. namespace:
  9854. description: The namespace the Provider type is in.
  9855. type: string
  9856. type:
  9857. description: The type of provider to use such as "Secret", or "ConfigMap".
  9858. enum:
  9859. - Secret
  9860. - ConfigMap
  9861. type: string
  9862. required:
  9863. - name
  9864. - type
  9865. type: object
  9866. headers:
  9867. additionalProperties:
  9868. type: string
  9869. description: Headers
  9870. type: object
  9871. method:
  9872. description: Webhook Method
  9873. type: string
  9874. result:
  9875. description: Result formatting
  9876. properties:
  9877. jsonPath:
  9878. description: Json path of return value
  9879. type: string
  9880. type: object
  9881. secrets:
  9882. description: |-
  9883. Secrets to fill in templates
  9884. These secrets will be passed to the templating function as key value pairs under the given name
  9885. items:
  9886. properties:
  9887. name:
  9888. description: Name of this secret in templates
  9889. type: string
  9890. secretRef:
  9891. description: Secret ref to fill in credentials
  9892. properties:
  9893. key:
  9894. description: |-
  9895. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9896. defaulted, in others it may be required.
  9897. type: string
  9898. name:
  9899. description: The name of the Secret resource being referred to.
  9900. type: string
  9901. namespace:
  9902. description: |-
  9903. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9904. to the namespace of the referent.
  9905. type: string
  9906. type: object
  9907. required:
  9908. - name
  9909. - secretRef
  9910. type: object
  9911. type: array
  9912. timeout:
  9913. description: Timeout
  9914. type: string
  9915. url:
  9916. description: Webhook url to call
  9917. type: string
  9918. required:
  9919. - result
  9920. - url
  9921. type: object
  9922. yandexcertificatemanager:
  9923. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  9924. properties:
  9925. apiEndpoint:
  9926. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  9927. type: string
  9928. auth:
  9929. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  9930. properties:
  9931. authorizedKeySecretRef:
  9932. description: The authorized key used for authentication
  9933. properties:
  9934. key:
  9935. description: |-
  9936. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9937. defaulted, in others it may be required.
  9938. type: string
  9939. name:
  9940. description: The name of the Secret resource being referred to.
  9941. type: string
  9942. namespace:
  9943. description: |-
  9944. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9945. to the namespace of the referent.
  9946. type: string
  9947. type: object
  9948. type: object
  9949. caProvider:
  9950. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  9951. properties:
  9952. certSecretRef:
  9953. description: |-
  9954. A reference to a specific 'key' within a Secret resource,
  9955. In some instances, `key` is a required field.
  9956. properties:
  9957. key:
  9958. description: |-
  9959. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9960. defaulted, in others it may be required.
  9961. type: string
  9962. name:
  9963. description: The name of the Secret resource being referred to.
  9964. type: string
  9965. namespace:
  9966. description: |-
  9967. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9968. to the namespace of the referent.
  9969. type: string
  9970. type: object
  9971. type: object
  9972. required:
  9973. - auth
  9974. type: object
  9975. yandexlockbox:
  9976. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  9977. properties:
  9978. apiEndpoint:
  9979. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  9980. type: string
  9981. auth:
  9982. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  9983. properties:
  9984. authorizedKeySecretRef:
  9985. description: The authorized key used for authentication
  9986. properties:
  9987. key:
  9988. description: |-
  9989. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9990. defaulted, in others it may be required.
  9991. type: string
  9992. name:
  9993. description: The name of the Secret resource being referred to.
  9994. type: string
  9995. namespace:
  9996. description: |-
  9997. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9998. to the namespace of the referent.
  9999. type: string
  10000. type: object
  10001. type: object
  10002. caProvider:
  10003. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10004. properties:
  10005. certSecretRef:
  10006. description: |-
  10007. A reference to a specific 'key' within a Secret resource,
  10008. In some instances, `key` is a required field.
  10009. properties:
  10010. key:
  10011. description: |-
  10012. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10013. defaulted, in others it may be required.
  10014. type: string
  10015. name:
  10016. description: The name of the Secret resource being referred to.
  10017. type: string
  10018. namespace:
  10019. description: |-
  10020. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10021. to the namespace of the referent.
  10022. type: string
  10023. type: object
  10024. type: object
  10025. required:
  10026. - auth
  10027. type: object
  10028. type: object
  10029. refreshInterval:
  10030. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  10031. type: integer
  10032. retrySettings:
  10033. description: Used to configure http retries if failed
  10034. properties:
  10035. maxRetries:
  10036. format: int32
  10037. type: integer
  10038. retryInterval:
  10039. type: string
  10040. type: object
  10041. required:
  10042. - provider
  10043. type: object
  10044. status:
  10045. description: SecretStoreStatus defines the observed state of the SecretStore.
  10046. properties:
  10047. capabilities:
  10048. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  10049. type: string
  10050. conditions:
  10051. items:
  10052. properties:
  10053. lastTransitionTime:
  10054. format: date-time
  10055. type: string
  10056. message:
  10057. type: string
  10058. reason:
  10059. type: string
  10060. status:
  10061. type: string
  10062. type:
  10063. type: string
  10064. required:
  10065. - status
  10066. - type
  10067. type: object
  10068. type: array
  10069. type: object
  10070. type: object
  10071. served: true
  10072. storage: true
  10073. subresources:
  10074. status: {}
  10075. conversion:
  10076. strategy: Webhook
  10077. webhook:
  10078. conversionReviewVersions:
  10079. - v1
  10080. clientConfig:
  10081. service:
  10082. name: kubernetes
  10083. namespace: default
  10084. path: /convert
  10085. ---
  10086. apiVersion: apiextensions.k8s.io/v1
  10087. kind: CustomResourceDefinition
  10088. metadata:
  10089. annotations:
  10090. controller-gen.kubebuilder.io/version: v0.14.0
  10091. name: acraccesstokens.generators.external-secrets.io
  10092. spec:
  10093. group: generators.external-secrets.io
  10094. names:
  10095. categories:
  10096. - acraccesstoken
  10097. kind: ACRAccessToken
  10098. listKind: ACRAccessTokenList
  10099. plural: acraccesstokens
  10100. shortNames:
  10101. - acraccesstoken
  10102. singular: acraccesstoken
  10103. scope: Namespaced
  10104. versions:
  10105. - name: v1alpha1
  10106. schema:
  10107. openAPIV3Schema:
  10108. description: |-
  10109. ACRAccessToken returns a Azure Container Registry token
  10110. that can be used for pushing/pulling images.
10111. Note: by default it will return an ACR Refresh Token with full access
10112. (depending on the permissions of the identity used to authenticate).
10113. This can be scoped down to the repository level using .spec.scope,
10114. which is the least-privilege option; in that case an ACR Access Token is returned.
  10115. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  10116. properties:
  10117. apiVersion:
  10118. description: |-
  10119. APIVersion defines the versioned schema of this representation of an object.
  10120. Servers should convert recognized schemas to the latest internal value, and
  10121. may reject unrecognized values.
  10122. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10123. type: string
  10124. kind:
  10125. description: |-
  10126. Kind is a string value representing the REST resource this object represents.
  10127. Servers may infer this from the endpoint the client submits requests to.
  10128. Cannot be updated.
  10129. In CamelCase.
  10130. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10131. type: string
  10132. metadata:
  10133. type: object
  10134. spec:
  10135. description: |-
  10136. ACRAccessTokenSpec defines how to generate the access token
  10137. e.g. how to authenticate and which registry to use.
  10138. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  10139. properties:
  10140. auth:
  10141. properties:
  10142. managedIdentity:
  10143. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  10144. properties:
  10145. identityId:
10146. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  10147. type: string
  10148. type: object
  10149. servicePrincipal:
  10150. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  10151. properties:
  10152. secretRef:
  10153. description: |-
  10154. Configuration used to authenticate with Azure using static
  10155. credentials stored in a Kind=Secret.
  10156. properties:
  10157. clientId:
10158. description: The Azure clientId of the service principal used for authentication.
  10159. properties:
  10160. key:
  10161. description: |-
  10162. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10163. defaulted, in others it may be required.
  10164. type: string
  10165. name:
  10166. description: The name of the Secret resource being referred to.
  10167. type: string
  10168. namespace:
  10169. description: |-
  10170. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10171. to the namespace of the referent.
  10172. type: string
  10173. type: object
  10174. clientSecret:
10175. description: The Azure ClientSecret of the service principal used for authentication.
  10176. properties:
  10177. key:
  10178. description: |-
  10179. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10180. defaulted, in others it may be required.
  10181. type: string
  10182. name:
  10183. description: The name of the Secret resource being referred to.
  10184. type: string
  10185. namespace:
  10186. description: |-
  10187. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10188. to the namespace of the referent.
  10189. type: string
  10190. type: object
  10191. type: object
  10192. required:
  10193. - secretRef
  10194. type: object
  10195. workloadIdentity:
  10196. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  10197. properties:
  10198. serviceAccountRef:
  10199. description: |-
  10200. ServiceAccountRef specifies the service account
  10201. that should be used when authenticating with WorkloadIdentity.
  10202. properties:
  10203. audiences:
  10204. description: |-
  10205. Audiences specifies the `aud` claim for the service account token.
  10206. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  10207. then these audiences will be appended to the list.
  10208. items:
  10209. type: string
  10210. type: array
  10211. name:
  10212. description: The name of the ServiceAccount resource being referred to.
  10213. type: string
  10214. namespace:
  10215. description: |-
  10216. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10217. to the namespace of the referent.
  10218. type: string
  10219. required:
  10220. - name
  10221. type: object
  10222. type: object
  10223. type: object
  10224. environmentType:
  10225. default: PublicCloud
  10226. description: |-
  10227. EnvironmentType specifies the Azure cloud environment endpoints to use for
  10228. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  10229. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  10230. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  10231. enum:
  10232. - PublicCloud
  10233. - USGovernmentCloud
  10234. - ChinaCloud
  10235. - GermanCloud
  10236. type: string
  10237. registry:
  10238. description: |-
  10239. the domain name of the ACR registry
  10240. e.g. foobarexample.azurecr.io
  10241. type: string
  10242. scope:
  10243. description: |-
  10244. Define the scope for the access token, e.g. pull/push access for a repository.
  10245. If not provided, it will return a refresh token that has full scope.
  10246. Note: you need to pin it down to the repository level; there is no wildcard available.
  10247. examples:
  10248. repository:my-repository:pull,push
  10249. repository:my-repository:pull
  10250. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  10251. type: string
  10252. tenantId:
  10253. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  10254. type: string
  10255. required:
  10256. - auth
  10257. - registry
  10258. type: object
  10259. type: object
  10260. served: true
  10261. storage: true
  10262. subresources:
  10263. status: {}
  10264. conversion:
  10265. strategy: Webhook
  10266. webhook:
  10267. conversionReviewVersions:
  10268. - v1
  10269. clientConfig:
  10270. service:
  10271. name: kubernetes
  10272. namespace: default
  10273. path: /convert
  10274. ---
  10275. apiVersion: apiextensions.k8s.io/v1
  10276. kind: CustomResourceDefinition
  10277. metadata:
  10278. annotations:
  10279. controller-gen.kubebuilder.io/version: v0.14.0
  10280. name: ecrauthorizationtokens.generators.external-secrets.io
  10281. spec:
  10282. group: generators.external-secrets.io
  10283. names:
  10284. categories:
  10285. - ecrauthorizationtoken
  10286. kind: ECRAuthorizationToken
  10287. listKind: ECRAuthorizationTokenList
  10288. plural: ecrauthorizationtokens
  10289. shortNames:
  10290. - ecrauthorizationtoken
  10291. singular: ecrauthorizationtoken
  10292. scope: Namespaced
  10293. versions:
  10294. - name: v1alpha1
  10295. schema:
  10296. openAPIV3Schema:
  10297. description: |-
  10298. ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
  10299. authorization token.
  10300. The authorization token is valid for 12 hours.
  10301. The authorizationToken returned is a base64 encoded string that can be decoded
  10302. and used in a docker login command to authenticate to a registry.
  10303. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  10304. properties:
  10305. apiVersion:
  10306. description: |-
  10307. APIVersion defines the versioned schema of this representation of an object.
  10308. Servers should convert recognized schemas to the latest internal value, and
  10309. may reject unrecognized values.
  10310. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10311. type: string
  10312. kind:
  10313. description: |-
  10314. Kind is a string value representing the REST resource this object represents.
  10315. Servers may infer this from the endpoint the client submits requests to.
  10316. Cannot be updated.
  10317. In CamelCase.
  10318. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10319. type: string
  10320. metadata:
  10321. type: object
  10322. spec:
  10323. properties:
  10324. auth:
  10325. description: Auth defines how to authenticate with AWS
  10326. properties:
  10327. jwt:
  10328. description: Authenticate against AWS using service account tokens.
  10329. properties:
  10330. serviceAccountRef:
  10331. description: A reference to a ServiceAccount resource.
  10332. properties:
  10333. audiences:
  10334. description: |-
  10335. Audiences specifies the `aud` claim for the service account token.
  10336. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  10337. then these audiences will be appended to the list.
  10338. items:
  10339. type: string
  10340. type: array
  10341. name:
  10342. description: The name of the ServiceAccount resource being referred to.
  10343. type: string
  10344. namespace:
  10345. description: |-
  10346. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10347. to the namespace of the referent.
  10348. type: string
  10349. required:
  10350. - name
  10351. type: object
  10352. type: object
  10353. secretRef:
  10354. description: |-
  10355. AWSAuthSecretRef holds secret references for AWS credentials.
  10356. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  10357. properties:
  10358. accessKeyIDSecretRef:
  10359. description: The AccessKeyID is used for authentication
  10360. properties:
  10361. key:
  10362. description: |-
  10363. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10364. defaulted, in others it may be required.
  10365. type: string
  10366. name:
  10367. description: The name of the Secret resource being referred to.
  10368. type: string
  10369. namespace:
  10370. description: |-
  10371. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10372. to the namespace of the referent.
  10373. type: string
  10374. type: object
  10375. secretAccessKeySecretRef:
  10376. description: The SecretAccessKey is used for authentication
  10377. properties:
  10378. key:
  10379. description: |-
  10380. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10381. defaulted, in others it may be required.
  10382. type: string
  10383. name:
  10384. description: The name of the Secret resource being referred to.
  10385. type: string
  10386. namespace:
  10387. description: |-
  10388. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10389. to the namespace of the referent.
  10390. type: string
  10391. type: object
  10392. sessionTokenSecretRef:
  10393. description: |-
  10394. The SessionToken used for authentication
  10395. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  10396. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  10397. properties:
  10398. key:
  10399. description: |-
  10400. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10401. defaulted, in others it may be required.
  10402. type: string
  10403. name:
  10404. description: The name of the Secret resource being referred to.
  10405. type: string
  10406. namespace:
  10407. description: |-
  10408. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10409. to the namespace of the referent.
  10410. type: string
  10411. type: object
  10412. type: object
  10413. type: object
  10414. region:
  10415. description: Region specifies the region to operate in.
  10416. type: string
  10417. role:
  10418. description: |-
  10419. You can assume a role before making calls to the
  10420. desired AWS service.
  10421. type: string
  10422. required:
  10423. - region
  10424. type: object
  10425. type: object
  10426. served: true
  10427. storage: true
  10428. subresources:
  10429. status: {}
  10430. conversion:
  10431. strategy: Webhook
  10432. webhook:
  10433. conversionReviewVersions:
  10434. - v1
  10435. clientConfig:
  10436. service:
  10437. name: kubernetes
  10438. namespace: default
  10439. path: /convert
  10440. ---
  10441. apiVersion: apiextensions.k8s.io/v1
  10442. kind: CustomResourceDefinition
  10443. metadata:
  10444. annotations:
  10445. controller-gen.kubebuilder.io/version: v0.14.0
  10446. name: fakes.generators.external-secrets.io
  10447. spec:
  10448. group: generators.external-secrets.io
  10449. names:
  10450. categories:
  10451. - fake
  10452. kind: Fake
  10453. listKind: FakeList
  10454. plural: fakes
  10455. shortNames:
  10456. - fake
  10457. singular: fake
  10458. scope: Namespaced
  10459. versions:
  10460. - name: v1alpha1
  10461. schema:
  10462. openAPIV3Schema:
  10463. description: |-
  10464. Fake generator is used for testing. It lets you define
  10465. a static set of credentials that is always returned.
  10466. properties:
  10467. apiVersion:
  10468. description: |-
  10469. APIVersion defines the versioned schema of this representation of an object.
  10470. Servers should convert recognized schemas to the latest internal value, and
  10471. may reject unrecognized values.
  10472. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10473. type: string
  10474. kind:
  10475. description: |-
  10476. Kind is a string value representing the REST resource this object represents.
  10477. Servers may infer this from the endpoint the client submits requests to.
  10478. Cannot be updated.
  10479. In CamelCase.
  10480. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10481. type: string
  10482. metadata:
  10483. type: object
  10484. spec:
  10485. description: FakeSpec contains the static data.
  10486. properties:
  10487. controller:
  10488. description: |-
  10489. Used to select the correct ESO controller (think: ingress.ingressClassName)
  10490. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  10491. type: string
  10492. data:
  10493. additionalProperties:
  10494. type: string
  10495. description: |-
  10496. Data defines the static data returned
  10497. by this generator.
  10498. type: object
  10499. type: object
  10500. type: object
  10501. served: true
  10502. storage: true
  10503. subresources:
  10504. status: {}
  10505. conversion:
  10506. strategy: Webhook
  10507. webhook:
  10508. conversionReviewVersions:
  10509. - v1
  10510. clientConfig:
  10511. service:
  10512. name: kubernetes
  10513. namespace: default
  10514. path: /convert
  10515. ---
  10516. apiVersion: apiextensions.k8s.io/v1
  10517. kind: CustomResourceDefinition
  10518. metadata:
  10519. annotations:
  10520. controller-gen.kubebuilder.io/version: v0.14.0
  10521. name: gcraccesstokens.generators.external-secrets.io
  10522. spec:
  10523. group: generators.external-secrets.io
  10524. names:
  10525. categories:
  10526. - gcraccesstoken
  10527. kind: GCRAccessToken
  10528. listKind: GCRAccessTokenList
  10529. plural: gcraccesstokens
  10530. shortNames:
  10531. - gcraccesstoken
  10532. singular: gcraccesstoken
  10533. scope: Namespaced
  10534. versions:
  10535. - name: v1alpha1
  10536. schema:
  10537. openAPIV3Schema:
  10538. description: |-
  10539. GCRAccessToken generates a GCP access token
  10540. that can be used to authenticate with GCR.
  10541. properties:
  10542. apiVersion:
  10543. description: |-
  10544. APIVersion defines the versioned schema of this representation of an object.
  10545. Servers should convert recognized schemas to the latest internal value, and
  10546. may reject unrecognized values.
  10547. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10548. type: string
  10549. kind:
  10550. description: |-
  10551. Kind is a string value representing the REST resource this object represents.
  10552. Servers may infer this from the endpoint the client submits requests to.
  10553. Cannot be updated.
  10554. In CamelCase.
  10555. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10556. type: string
  10557. metadata:
  10558. type: object
  10559. spec:
  10560. properties:
  10561. auth:
  10562. description: Auth defines the means for authenticating with GCP
  10563. properties:
  10564. secretRef:
  10565. properties:
  10566. secretAccessKeySecretRef:
  10567. description: The SecretAccessKey is used for authentication
  10568. properties:
  10569. key:
  10570. description: |-
  10571. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10572. defaulted, in others it may be required.
  10573. type: string
  10574. name:
  10575. description: The name of the Secret resource being referred to.
  10576. type: string
  10577. namespace:
  10578. description: |-
  10579. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10580. to the namespace of the referent.
  10581. type: string
  10582. type: object
  10583. type: object
  10584. workloadIdentity:
  10585. properties:
  10586. clusterLocation:
  10587. type: string
  10588. clusterName:
  10589. type: string
  10590. clusterProjectID:
  10591. type: string
  10592. serviceAccountRef:
  10593. description: A reference to a ServiceAccount resource.
  10594. properties:
  10595. audiences:
  10596. description: |-
  10597. Audiences specifies the `aud` claim for the service account token.
  10598. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  10599. then these audiences will be appended to the list.
  10600. items:
  10601. type: string
  10602. type: array
  10603. name:
  10604. description: The name of the ServiceAccount resource being referred to.
  10605. type: string
  10606. namespace:
  10607. description: |-
  10608. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10609. to the namespace of the referent.
  10610. type: string
  10611. required:
  10612. - name
  10613. type: object
  10614. required:
  10615. - clusterLocation
  10616. - clusterName
  10617. - serviceAccountRef
  10618. type: object
  10619. type: object
  10620. projectID:
  10621. description: ProjectID defines which project to use to authenticate with
  10622. type: string
  10623. required:
  10624. - auth
  10625. - projectID
  10626. type: object
  10627. type: object
  10628. served: true
  10629. storage: true
  10630. subresources:
  10631. status: {}
  10632. conversion:
  10633. strategy: Webhook
  10634. webhook:
  10635. conversionReviewVersions:
  10636. - v1
  10637. clientConfig:
  10638. service:
  10639. name: kubernetes
  10640. namespace: default
  10641. path: /convert
  10642. ---
  10643. apiVersion: apiextensions.k8s.io/v1
  10644. kind: CustomResourceDefinition
  10645. metadata:
  10646. annotations:
  10647. controller-gen.kubebuilder.io/version: v0.14.0
  10648. name: githubaccesstokens.generators.external-secrets.io
  10649. spec:
  10650. group: generators.external-secrets.io
  10651. names:
  10652. categories:
  10653. - githubaccesstoken
  10654. kind: GithubAccessToken
  10655. listKind: GithubAccessTokenList
  10656. plural: githubaccesstokens
  10657. shortNames:
  10658. - githubaccesstoken
  10659. singular: githubaccesstoken
  10660. scope: Namespaced
  10661. versions:
  10662. - name: v1alpha1
  10663. schema:
  10664. openAPIV3Schema:
  10665. description: GithubAccessToken generates ghs_ accessToken
  10666. properties:
  10667. apiVersion:
  10668. description: |-
  10669. APIVersion defines the versioned schema of this representation of an object.
  10670. Servers should convert recognized schemas to the latest internal value, and
  10671. may reject unrecognized values.
  10672. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10673. type: string
  10674. kind:
  10675. description: |-
  10676. Kind is a string value representing the REST resource this object represents.
  10677. Servers may infer this from the endpoint the client submits requests to.
  10678. Cannot be updated.
  10679. In CamelCase.
  10680. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10681. type: string
  10682. metadata:
  10683. type: object
  10684. spec:
  10685. properties:
  10686. appID:
  10687. type: string
  10688. auth:
  10689. description: Auth configures how ESO authenticates with a Github instance.
  10690. properties:
  10691. privatKey:
  10692. properties:
  10693. secretRef:
  10694. description: |-
  10695. A reference to a specific 'key' within a Secret resource,
  10696. In some instances, `key` is a required field.
  10697. properties:
  10698. key:
  10699. description: |-
  10700. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10701. defaulted, in others it may be required.
  10702. type: string
  10703. name:
  10704. description: The name of the Secret resource being referred to.
  10705. type: string
  10706. namespace:
  10707. description: |-
  10708. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10709. to the namespace of the referent.
  10710. type: string
  10711. type: object
  10712. required:
  10713. - secretRef
  10714. type: object
  10715. required:
  10716. - privatKey
  10717. type: object
  10718. installID:
  10719. type: string
  10720. url:
  10721. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10722. type: string
  10723. required:
  10724. - appID
  10725. - auth
  10726. - installID
  10727. type: object
  10728. type: object
  10729. served: true
  10730. storage: true
  10731. subresources:
  10732. status: {}
  10733. conversion:
  10734. strategy: Webhook
  10735. webhook:
  10736. conversionReviewVersions:
  10737. - v1
  10738. clientConfig:
  10739. service:
  10740. name: kubernetes
  10741. namespace: default
  10742. path: /convert
  10743. ---
  10744. apiVersion: apiextensions.k8s.io/v1
  10745. kind: CustomResourceDefinition
  10746. metadata:
  10747. annotations:
  10748. controller-gen.kubebuilder.io/version: v0.14.0
  10749. name: passwords.generators.external-secrets.io
  10750. spec:
  10751. group: generators.external-secrets.io
  10752. names:
  10753. categories:
  10754. - password
  10755. kind: Password
  10756. listKind: PasswordList
  10757. plural: passwords
  10758. shortNames:
  10759. - password
  10760. singular: password
  10761. scope: Namespaced
  10762. versions:
  10763. - name: v1alpha1
  10764. schema:
  10765. openAPIV3Schema:
  10766. description: |-
  10767. Password generates a random password based on the
  10768. configuration parameters in spec.
  10769. You can specify the length, character set and other attributes.
  10770. properties:
  10771. apiVersion:
  10772. description: |-
  10773. APIVersion defines the versioned schema of this representation of an object.
  10774. Servers should convert recognized schemas to the latest internal value, and
  10775. may reject unrecognized values.
  10776. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10777. type: string
  10778. kind:
  10779. description: |-
  10780. Kind is a string value representing the REST resource this object represents.
  10781. Servers may infer this from the endpoint the client submits requests to.
  10782. Cannot be updated.
  10783. In CamelCase.
  10784. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10785. type: string
  10786. metadata:
  10787. type: object
  10788. spec:
  10789. description: PasswordSpec controls the behavior of the password generator.
  10790. properties:
  10791. allowRepeat:
  10792. default: false
  10793. description: Set AllowRepeat to true to allow repeating characters.
  10794. type: boolean
  10795. digits:
  10796. description: |-
  10797. Digits specifies the number of digits in the generated
  10798. password. If omitted, it defaults to 25% of the length of the password.
  10799. type: integer
  10800. length:
  10801. default: 24
  10802. description: |-
  10803. Length of the password to be generated.
  10804. Defaults to 24
  10805. type: integer
  10806. noUpper:
  10807. default: false
  10808. description: Set NoUpper to disable uppercase characters
  10809. type: boolean
  10810. symbolCharacters:
  10811. description: |-
  10812. SymbolCharacters specifies the special characters that should be used
  10813. in the generated password.
  10814. type: string
  10815. symbols:
  10816. description: |-
  10817. Symbols specifies the number of symbol characters in the generated
  10818. password. If omitted, it defaults to 25% of the length of the password.
  10819. type: integer
  10820. required:
  10821. - allowRepeat
  10822. - length
  10823. - noUpper
  10824. type: object
  10825. type: object
  10826. served: true
  10827. storage: true
  10828. subresources:
  10829. status: {}
  10830. conversion:
  10831. strategy: Webhook
  10832. webhook:
  10833. conversionReviewVersions:
  10834. - v1
  10835. clientConfig:
  10836. service:
  10837. name: kubernetes
  10838. namespace: default
  10839. path: /convert
  10840. ---
  10841. apiVersion: apiextensions.k8s.io/v1
  10842. kind: CustomResourceDefinition
  10843. metadata:
  10844. annotations:
  10845. controller-gen.kubebuilder.io/version: v0.14.0
  10846. name: vaultdynamicsecrets.generators.external-secrets.io
  10847. spec:
  10848. group: generators.external-secrets.io
  10849. names:
  10850. categories:
  10851. - vaultdynamicsecret
  10852. kind: VaultDynamicSecret
  10853. listKind: VaultDynamicSecretList
  10854. plural: vaultdynamicsecrets
  10855. shortNames:
  10856. - vaultdynamicsecret
  10857. singular: vaultdynamicsecret
  10858. scope: Namespaced
  10859. versions:
  10860. - name: v1alpha1
  10861. schema:
  10862. openAPIV3Schema:
  10863. properties:
  10864. apiVersion:
  10865. description: |-
  10866. APIVersion defines the versioned schema of this representation of an object.
  10867. Servers should convert recognized schemas to the latest internal value, and
  10868. may reject unrecognized values.
  10869. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10870. type: string
  10871. kind:
  10872. description: |-
  10873. Kind is a string value representing the REST resource this object represents.
  10874. Servers may infer this from the endpoint the client submits requests to.
  10875. Cannot be updated.
  10876. In CamelCase.
  10877. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10878. type: string
  10879. metadata:
  10880. type: object
  10881. spec:
  10882. properties:
  10883. controller:
  10884. description: |-
  10885. Used to select the correct ESO controller (think: ingress.ingressClassName)
  10886. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  10887. type: string
  10888. method:
  10889. description: Vault API method to use (GET/POST/other)
  10890. type: string
  10891. parameters:
  10892. description: Parameters to pass to Vault write (for non-GET methods)
  10893. x-kubernetes-preserve-unknown-fields: true
  10894. path:
  10895. description: Vault path to obtain the dynamic secret from
  10896. type: string
  10897. provider:
  10898. description: Vault provider common spec
  10899. properties:
  10900. auth:
  10901. description: Auth configures how secret-manager authenticates with the Vault server.
  10902. properties:
  10903. appRole:
  10904. description: |-
  10905. AppRole authenticates with Vault using the App Role auth mechanism,
  10906. with the role and secret stored in a Kubernetes Secret resource.
  10907. properties:
  10908. path:
  10909. default: approle
  10910. description: |-
  10911. Path where the App Role authentication backend is mounted
  10912. in Vault, e.g: "approle"
  10913. type: string
  10914. roleId:
  10915. description: |-
  10916. RoleID configured in the App Role authentication backend when setting
  10917. up the authentication backend in Vault.
  10918. type: string
  10919. roleRef:
  10920. description: |-
  10921. Reference to a key in a Secret that contains the App Role ID used
  10922. to authenticate with Vault.
  10923. The `key` field must be specified and denotes which entry within the Secret
  10924. resource is used as the app role id.
  10925. properties:
  10926. key:
  10927. description: |-
  10928. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10929. defaulted, in others it may be required.
  10930. type: string
  10931. name:
  10932. description: The name of the Secret resource being referred to.
  10933. type: string
  10934. namespace:
  10935. description: |-
  10936. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10937. to the namespace of the referent.
  10938. type: string
  10939. type: object
  10940. secretRef:
  10941. description: |-
  10942. Reference to a key in a Secret that contains the App Role secret used
  10943. to authenticate with Vault.
  10944. The `key` field must be specified and denotes which entry within the Secret
  10945. resource is used as the app role secret.
  10946. properties:
  10947. key:
  10948. description: |-
  10949. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10950. defaulted, in others it may be required.
  10951. type: string
  10952. name:
  10953. description: The name of the Secret resource being referred to.
  10954. type: string
  10955. namespace:
  10956. description: |-
  10957. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10958. to the namespace of the referent.
  10959. type: string
  10960. type: object
  10961. required:
  10962. - path
  10963. - secretRef
  10964. type: object
  10965. cert:
  10966. description: |-
  10967. Cert authenticates with Vault using TLS certificates, by passing a client certificate, private key and CA certificate
  10968. (the Vault Cert authentication method).
  10969. properties:
  10970. clientCert:
  10971. description: |-
  10972. ClientCert is a certificate to authenticate using the Cert Vault
  10973. authentication method
  10974. properties:
  10975. key:
  10976. description: |-
  10977. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10978. defaulted, in others it may be required.
  10979. type: string
  10980. name:
  10981. description: The name of the Secret resource being referred to.
  10982. type: string
  10983. namespace:
  10984. description: |-
  10985. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10986. to the namespace of the referent.
  10987. type: string
  10988. type: object
  10989. secretRef:
  10990. description: |-
  10991. SecretRef to a key in a Secret resource containing client private key to
  10992. authenticate with Vault using the Cert authentication method
  10993. properties:
  10994. key:
  10995. description: |-
  10996. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10997. defaulted, in others it may be required.
  10998. type: string
  10999. name:
  11000. description: The name of the Secret resource being referred to.
  11001. type: string
  11002. namespace:
  11003. description: |-
  11004. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11005. to the namespace of the referent.
  11006. type: string
  11007. type: object
  11008. type: object
  11009. iam:
  11010. description: |-
  11011. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  11012. (the AWS IAM authentication method).
  11013. properties:
  11014. externalID:
  11015. description: AWS External ID set on assumed IAM roles
  11016. type: string
  11017. jwt:
  11018. description: Specify a service account with IRSA enabled
  11019. properties:
  11020. serviceAccountRef:
  11021. description: A reference to a ServiceAccount resource.
  11022. properties:
  11023. audiences:
  11024. description: |-
  11025. Audiences specifies the `aud` claim for the service account token.
  11026. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  11027. then these audiences will be appended to the list.
  11028. items:
  11029. type: string
  11030. type: array
  11031. name:
  11032. description: The name of the ServiceAccount resource being referred to.
  11033. type: string
  11034. namespace:
  11035. description: |-
  11036. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11037. to the namespace of the referent.
  11038. type: string
  11039. required:
  11040. - name
  11041. type: object
  11042. type: object
  11043. path:
  11044. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11045. type: string
  11046. region:
  11047. description: AWS region
  11048. type: string
  11049. role:
  11050. description: This is the AWS role to be assumed before talking to vault
  11051. type: string
  11052. secretRef:
  11053. description: Specify credentials in a Secret object
  11054. properties:
  11055. accessKeyIDSecretRef:
  11056. description: The AccessKeyID is used for authentication
  11057. properties:
  11058. key:
  11059. description: |-
  11060. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11061. defaulted, in others it may be required.
  11062. type: string
  11063. name:
  11064. description: The name of the Secret resource being referred to.
  11065. type: string
  11066. namespace:
  11067. description: |-
  11068. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11069. to the namespace of the referent.
  11070. type: string
  11071. type: object
  11072. secretAccessKeySecretRef:
  11073. description: The SecretAccessKey is used for authentication
  11074. properties:
  11075. key:
  11076. description: |-
  11077. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11078. defaulted, in others it may be required.
  11079. type: string
  11080. name:
  11081. description: The name of the Secret resource being referred to.
  11082. type: string
  11083. namespace:
  11084. description: |-
  11085. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11086. to the namespace of the referent.
  11087. type: string
  11088. type: object
  11089. sessionTokenSecretRef:
  11090. description: |-
  11091. The SessionToken used for authentication
  11092. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11093. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11094. properties:
  11095. key:
  11096. description: |-
  11097. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11098. defaulted, in others it may be required.
  11099. type: string
  11100. name:
  11101. description: The name of the Secret resource being referred to.
  11102. type: string
  11103. namespace:
  11104. description: |-
  11105. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11106. to the namespace of the referent.
  11107. type: string
  11108. type: object
  11109. type: object
  11110. vaultAwsIamServerID:
  11111. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11112. type: string
  11113. vaultRole:
  11114. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  11115. type: string
  11116. required:
  11117. - vaultRole
  11118. type: object
  11119. jwt:
  11120. description: |-
  11121. Jwt authenticates with Vault by passing role and JWT token using the
  11122. JWT/OIDC authentication method
  11123. properties:
  11124. kubernetesServiceAccountToken:
  11125. description: |-
  11126. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11127. a token with the `TokenRequest` API.
  11128. properties:
  11129. audiences:
  11130. description: |-
  11131. Optional audiences field that will be used to request a temporary Kubernetes service
  11132. account token for the service account referenced by `serviceAccountRef`.
  11133. Defaults to a single audience `vault` if not specified.
  11134. Deprecated: use serviceAccountRef.Audiences instead
  11135. items:
  11136. type: string
  11137. type: array
  11138. expirationSeconds:
  11139. description: |-
  11140. Optional expiration time in seconds that will be used to request a temporary
  11141. Kubernetes service account token for the service account referenced by
  11142. `serviceAccountRef`.
  11143. Deprecated: this will be removed in the future.
  11144. Defaults to 10 minutes.
  11145. format: int64
  11146. type: integer
  11147. serviceAccountRef:
  11148. description: Service account field containing the name of a kubernetes ServiceAccount.
  11149. properties:
  11150. audiences:
  11151. description: |-
  11152. Audience specifies the `aud` claim for the service account token
  11153. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11154. then these audiences will be appended to the list
  11155. items:
  11156. type: string
  11157. type: array
  11158. name:
  11159. description: The name of the ServiceAccount resource being referred to.
  11160. type: string
  11161. namespace:
  11162. description: |-
  11163. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11164. to the namespace of the referent.
  11165. type: string
  11166. required:
  11167. - name
  11168. type: object
  11169. required:
  11170. - serviceAccountRef
  11171. type: object
  11172. path:
  11173. default: jwt
  11174. description: |-
  11175. Path where the JWT authentication backend is mounted
  11176. in Vault, e.g: "jwt"
  11177. type: string
  11178. role:
  11179. description: |-
  11180. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11181. authentication method
  11182. type: string
  11183. secretRef:
  11184. description: |-
  11185. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11186. authenticate with Vault using the JWT/OIDC authentication method.
  11187. properties:
  11188. key:
  11189. description: |-
  11190. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11191. defaulted, in others it may be required.
  11192. type: string
  11193. name:
  11194. description: The name of the Secret resource being referred to.
  11195. type: string
  11196. namespace:
  11197. description: |-
  11198. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11199. to the namespace of the referent.
  11200. type: string
  11201. type: object
  11202. required:
  11203. - path
  11204. type: object
  11205. kubernetes:
  11206. description: |-
  11207. Kubernetes authenticates with Vault by passing the ServiceAccount
  11208. token stored in the named Secret resource to the Vault server.
  11209. properties:
  11210. mountPath:
  11211. default: kubernetes
  11212. description: |-
  11213. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11214. "kubernetes"
  11215. type: string
  11216. role:
  11217. description: |-
  11218. A required field containing the Vault Role to assume. A Role binds a
  11219. Kubernetes ServiceAccount with a set of Vault policies.
  11220. type: string
  11221. secretRef:
  11222. description: |-
  11223. Optional secret field containing a Kubernetes ServiceAccount JWT used
  11224. for authenticating with Vault. If a name is specified without a key,
  11225. `token` is the default. If one is not specified, the one bound to
  11226. the controller will be used.
  11227. properties:
  11228. key:
  11229. description: |-
  11230. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11231. defaulted, in others it may be required.
  11232. type: string
  11233. name:
  11234. description: The name of the Secret resource being referred to.
  11235. type: string
  11236. namespace:
  11237. description: |-
  11238. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11239. to the namespace of the referent.
  11240. type: string
  11241. type: object
  11242. serviceAccountRef:
  11243. description: |-
  11244. Optional service account field containing the name of a kubernetes ServiceAccount.
  11245. If the service account is specified, the service account secret token JWT will be used
  11246. for authenticating with Vault. If the service account selector is not supplied,
  11247. the secretRef will be used instead.
  11248. properties:
  11249. audiences:
  11250. description: |-
  11251. Audience specifies the `aud` claim for the service account token
  11252. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11253. then these audiences will be appended to the list
  11254. items:
  11255. type: string
  11256. type: array
  11257. name:
  11258. description: The name of the ServiceAccount resource being referred to.
  11259. type: string
  11260. namespace:
  11261. description: |-
  11262. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11263. to the namespace of the referent.
  11264. type: string
  11265. required:
  11266. - name
  11267. type: object
  11268. required:
  11269. - mountPath
  11270. - role
  11271. type: object
  11272. ldap:
  11273. description: |-
  11274. Ldap authenticates with Vault by passing a username/password pair using
  11275. the LDAP authentication method
  11276. properties:
  11277. path:
  11278. default: ldap
  11279. description: |-
  11280. Path where the LDAP authentication backend is mounted
  11281. in Vault, e.g: "ldap"
  11282. type: string
  11283. secretRef:
  11284. description: |-
  11285. SecretRef to a key in a Secret resource containing password for the LDAP
  11286. user used to authenticate with Vault using the LDAP authentication
  11287. method
  11288. properties:
  11289. key:
  11290. description: |-
  11291. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11292. defaulted, in others it may be required.
  11293. type: string
  11294. name:
  11295. description: The name of the Secret resource being referred to.
  11296. type: string
  11297. namespace:
  11298. description: |-
  11299. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11300. to the namespace of the referent.
  11301. type: string
  11302. type: object
  11303. username:
  11304. description: |-
  11305. Username is an LDAP user name used to authenticate using the LDAP Vault
  11306. authentication method
  11307. type: string
  11308. required:
  11309. - path
  11310. - username
  11311. type: object
  11312. namespace:
  11313. description: |-
  11314. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  11315. Namespaces is a set of features within Vault Enterprise that allows
  11316. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11317. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11318. This will default to the Vault.Namespace field if set, or empty otherwise
  11319. type: string
  11320. tokenSecretRef:
  11321. description: TokenSecretRef authenticates with Vault by presenting a token.
  11322. properties:
  11323. key:
  11324. description: |-
  11325. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11326. defaulted, in others it may be required.
  11327. type: string
  11328. name:
  11329. description: The name of the Secret resource being referred to.
  11330. type: string
  11331. namespace:
  11332. description: |-
  11333. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11334. to the namespace of the referent.
  11335. type: string
  11336. type: object
  11337. userPass:
  11338. description: UserPass authenticates with Vault by passing a username/password pair
  11339. properties:
  11340. path:
  11341. default: user
  11342. description: |-
  11343. Path where the UserPassword authentication backend is mounted
  11344. in Vault, e.g: "user"
  11345. type: string
  11346. secretRef:
  11347. description: |-
  11348. SecretRef to a key in a Secret resource containing password for the
  11349. user used to authenticate with Vault using the UserPass authentication
  11350. method
  11351. properties:
  11352. key:
  11353. description: |-
  11354. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11355. defaulted, in others it may be required.
  11356. type: string
  11357. name:
  11358. description: The name of the Secret resource being referred to.
  11359. type: string
  11360. namespace:
  11361. description: |-
  11362. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11363. to the namespace of the referent.
  11364. type: string
  11365. type: object
  11366. username:
  11367. description: |-
  11368. Username is a user name used to authenticate using the UserPass Vault
  11369. authentication method
  11370. type: string
  11371. required:
  11372. - path
  11373. - username
  11374. type: object
  11375. type: object
  11376. caBundle:
  11377. description: |-
  11378. PEM encoded CA bundle used to validate Vault server certificate. Only used
  11379. if the Server URL is using HTTPS protocol. This parameter is ignored for
  11380. plain HTTP protocol connection. If not set the system root certificates
  11381. are used to validate the TLS connection.
  11382. format: byte
  11383. type: string
  11384. caProvider:
  11385. description: The provider for the CA bundle to use to validate Vault server certificate.
  11386. properties:
  11387. key:
  11388. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11389. type: string
  11390. name:
  11391. description: The name of the object located at the provider type.
  11392. type: string
  11393. namespace:
  11394. description: |-
  11395. The namespace the Provider type is in.
  11396. Can only be defined when used in a ClusterSecretStore.
  11397. type: string
  11398. type:
  11399. description: The type of provider to use such as "Secret", or "ConfigMap".
  11400. enum:
  11401. - Secret
  11402. - ConfigMap
  11403. type: string
  11404. required:
  11405. - name
  11406. - type
  11407. type: object
  11408. forwardInconsistent:
  11409. description: |-
  11410. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  11411. leader instead of simply retrying within a loop. This can increase performance if
  11412. the option is enabled serverside.
  11413. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  11414. type: boolean
  11415. namespace:
  11416. description: |-
  11417. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  11418. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11419. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11420. type: string
  11421. path:
  11422. description: |-
  11423. Path is the mount path of the Vault KV backend endpoint, e.g:
  11424. "secret". The v2 KV secret engine version specific "/data" path suffix
  11425. for fetching secrets from Vault is optional and will be appended
  11426. if not present in specified path.
  11427. type: string
  11428. readYourWrites:
  11429. description: |-
  11430. ReadYourWrites ensures isolated read-after-write semantics by
  11431. providing discovered cluster replication states in each request.
  11432. More information about eventual consistency in Vault can be found here
  11433. https://www.vaultproject.io/docs/enterprise/consistency
  11434. type: boolean
  11435. server:
  11436. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  11437. type: string
  11438. tls:
  11439. description: |-
  11440. The configuration used for client-side TLS communication, when the Vault server
  11441. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  11442. This parameter is ignored for plain HTTP protocol connection.
  11443. It's worth noting this configuration is different from the "TLS certificates auth method",
  11444. which is available under the `auth.cert` section.
  11445. properties:
  11446. certSecretRef:
  11447. description: |-
  11448. CertSecretRef is a certificate added to the transport layer
  11449. when communicating with the Vault server.
  11450. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  11451. properties:
  11452. key:
  11453. description: |-
  11454. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11455. defaulted, in others it may be required.
  11456. type: string
  11457. name:
  11458. description: The name of the Secret resource being referred to.
  11459. type: string
  11460. namespace:
  11461. description: |-
  11462. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11463. to the namespace of the referent.
  11464. type: string
  11465. type: object
  11466. keySecretRef:
  11467. description: |-
  11468. KeySecretRef to a key in a Secret resource containing client private key
  11469. added to the transport layer when communicating with the Vault server.
  11470. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  11471. properties:
  11472. key:
  11473. description: |-
  11474. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11475. defaulted, in others it may be required.
  11476. type: string
  11477. name:
  11478. description: The name of the Secret resource being referred to.
  11479. type: string
  11480. namespace:
  11481. description: |-
  11482. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11483. to the namespace of the referent.
  11484. type: string
  11485. type: object
  11486. type: object
  11487. version:
  11488. default: v2
  11489. description: |-
  11490. Version is the Vault KV secret engine version. This can be either "v1" or
  11491. "v2". Version defaults to "v2".
  11492. enum:
  11493. - v1
  11494. - v2
  11495. type: string
  11496. required:
  11497. - auth
  11498. - server
  11499. type: object
  11500. resultType:
  11501. default: Data
  11502. description: |-
  11503. Result type defines which data is returned from the generator.
  11504. By default it is the "data" section of the Vault API response.
  11505. When using e.g. /auth/token/create the "data" section is empty but
  11506. the "auth" section contains the generated token.
  11507. Please refer to the vault docs regarding the result data structure.
  11508. enum:
  11509. - Data
  11510. - Auth
  11511. type: string
  11512. required:
  11513. - path
  11514. - provider
  11515. type: object
  11516. type: object
  11517. served: true
  11518. storage: true
  11519. subresources:
  11520. status: {}
  11521. conversion:
  11522. strategy: Webhook
  11523. webhook:
  11524. conversionReviewVersions:
  11525. - v1
  11526. clientConfig:
  11527. service:
  11528. name: kubernetes
  11529. namespace: default
  11530. path: /convert
  11531. ---
  11532. apiVersion: apiextensions.k8s.io/v1
  11533. kind: CustomResourceDefinition
  11534. metadata:
  11535. annotations:
  11536. controller-gen.kubebuilder.io/version: v0.14.0
  11537. name: webhooks.generators.external-secrets.io
  11538. spec:
  11539. group: generators.external-secrets.io
  11540. names:
  11541. categories:
  11542. - webhook
  11543. kind: Webhook
  11544. listKind: WebhookList
  11545. plural: webhooks
  11546. shortNames:
  11547. - webhookl
  11548. singular: webhook
  11549. scope: Namespaced
  11550. versions:
  11551. - name: v1alpha1
  11552. schema:
  11553. openAPIV3Schema:
  11554. description: |-
  11555. Webhook connects to a third party API server to handle the secrets generation
  11556. configuration parameters in spec.
  11557. You can specify the server, the token, and additional body parameters.
  11558. See documentation for the full API specification for requests and responses.
  11559. properties:
  11560. apiVersion:
  11561. description: |-
  11562. APIVersion defines the versioned schema of this representation of an object.
  11563. Servers should convert recognized schemas to the latest internal value, and
  11564. may reject unrecognized values.
  11565. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11566. type: string
  11567. kind:
  11568. description: |-
  11569. Kind is a string value representing the REST resource this object represents.
  11570. Servers may infer this from the endpoint the client submits requests to.
  11571. Cannot be updated.
  11572. In CamelCase.
  11573. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11574. type: string
  11575. metadata:
  11576. type: object
  11577. spec:
  11578. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  11579. properties:
  11580. body:
  11581. description: Body
  11582. type: string
  11583. caBundle:
  11584. description: |-
  11585. PEM encoded CA bundle used to validate webhook server certificate. Only used
  11586. if the Server URL is using HTTPS protocol. This parameter is ignored for
  11587. plain HTTP protocol connection. If not set the system root certificates
  11588. are used to validate the TLS connection.
  11589. format: byte
  11590. type: string
  11591. caProvider:
  11592. description: The provider for the CA bundle to use to validate webhook server certificate.
  11593. properties:
  11594. key:
  11595. description: The key of the value inside the provider type to use; only used with the "Secret" type
  11596. type: string
  11597. name:
  11598. description: The name of the object located at the provider type.
  11599. type: string
  11600. namespace:
  11601. description: The namespace the Provider type is in.
  11602. type: string
  11603. type:
  11604. description: The type of provider to use such as "Secret", or "ConfigMap".
  11605. enum:
  11606. - Secret
  11607. - ConfigMap
  11608. type: string
  11609. required:
  11610. - name
  11611. - type
  11612. type: object
  11613. headers:
  11614. additionalProperties:
  11615. type: string
  11616. description: Headers
  11617. type: object
  11618. method:
  11619. description: Webhook Method
  11620. type: string
  11621. result:
  11622. description: Result formatting
  11623. properties:
  11624. jsonPath:
  11625. description: Json path of return value
  11626. type: string
  11627. type: object
  11628. secrets:
  11629. description: |-
  11630. Secrets to fill in templates
  11631. These secrets will be passed to the templating function as key value pairs under the given name
  11632. items:
  11633. properties:
  11634. name:
  11635. description: Name of this secret in templates
  11636. type: string
  11637. secretRef:
  11638. description: Secret ref to fill in credentials
  11639. properties:
  11640. key:
  11641. description: The key where the token is found.
  11642. type: string
  11643. name:
  11644. description: The name of the Secret resource being referred to.
  11645. type: string
  11646. type: object
  11647. required:
  11648. - name
  11649. - secretRef
  11650. type: object
  11651. type: array
  11652. timeout:
  11653. description: Timeout
  11654. type: string
  11655. url:
  11656. description: Webhook url to call
  11657. type: string
  11658. required:
  11659. - result
  11660. - url
  11661. type: object
  11662. type: object
  11663. served: true
  11664. storage: true
  11665. subresources:
  11666. status: {}
  11667. conversion:
  11668. strategy: Webhook
  11669. webhook:
  11670. conversionReviewVersions:
  11671. - v1
  11672. clientConfig:
  11673. service:
  11674. name: kubernetes
  11675. namespace: default
  11676. path: /convert