| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.4.1
- creationTimestamp: null
- name: clustersecretstores.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - externalsecrets
- kind: ClusterSecretStore
- listKind: ClusterSecretStoreList
- plural: clustersecretstores
- shortNames:
- - css
- singular: clustersecretstore
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterSecretStore represents a secure external location for
- storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
- The KES controller is instantiated with a specific controller name
- and filters ES based on this property'
- type: string
- provider:
- description: Used to configure the provider. Only one provider may
- be set
- maxProperties: 1
- minProperties: 1
- properties:
- aws:
- description: AWS configures this store to sync secrets using AWS
- Secret Manager provider
- properties:
- auth:
- description: 'Auth defines the information necessary to authenticate
- against AWS if not set aws sdk will infer credentials from
- your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- nullable: true
- properties:
- secretRef:
- description: AWSAuthSecretRef holds secret references
- for aws credentials both AccessKeyID and SecretAccessKey
- must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- type: object
- required:
- - secretRef
- type: object
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the SecretManager provider
- will assume
- type: string
- service:
- description: Service defines which service should be used
- to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- required:
- - region
- - service
- type: object
- vault:
- description: Vault configures this store to sync secrets using
- Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Vault server.
- properties:
- appRole:
- description: AppRole authenticates with Vault using the
- App Role auth mechanism, with the role and secret stored
- in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: 'Path where the App Role authentication
- backend is mounted in Vault, e.g: "approle"'
- type: string
- roleId:
- description: RoleID configured in the App Role authentication
- backend when setting up the authentication backend
- in Vault.
- type: string
- secretRef:
- description: Reference to a key in a Secret that contains
- the App Role secret used to authenticate with Vault.
- The `key` field must be specified and denotes which
- entry within the Secret resource is used as the
- app role secret.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- required:
- - path
- - roleId
- - secretRef
- type: object
- kubernetes:
- description: Kubernetes authenticates with Vault by passing
- the ServiceAccount token stored in the named Secret
- resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: 'Path where the Kubernetes authentication
- backend is mounted in Vault, e.g: "kubernetes"'
- type: string
- role:
- description: A required field containing the Vault
- Role to assume. A Role binds a Kubernetes ServiceAccount
- with a set of Vault policies.
- type: string
- secretRef:
- description: Optional secret field containing a Kubernetes
- ServiceAccount JWT used for authenticating with
- Vault. If a name is specified without a key, `token`
- is the default. If one is not specified, the one
- bound to the controller will be used.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by
- presenting a token.
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- caBundle:
- description: PEM encoded CA bundle used to validate Vault
- server certificate. Only used if the Server URL is using
- HTTPS protocol. This parameter is ignored for plain HTTP
- protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- namespace:
- description: 'Name of the vault namespace. Namespaces is a
- set of features within Vault Enterprise that allows Vault
- environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
- type: string
- path:
- description: 'Path is the mount path of the Vault KV backend
- endpoint, e.g: "secret". The v2 KV secret engine version
- specific "/data" path suffix for fetching secrets from Vault
- is optional and will be appended if not present in specified
- path.'
- type: string
- server:
- description: 'Server is the connection address for the Vault
- server, e.g: "https://vault.example.com:8200".'
- type: string
- version:
- default: v2
- description: Version is the Vault KV secret engine version.
- This can be either "v1" or "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - path
- - server
- - version
- type: object
- type: object
- required:
- - provider
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
|
