bundle.yaml 238 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.8.0
  6. creationTimestamp: null
  7. name: clustersecretstores.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterSecretStore
  14. listKind: ClusterSecretStoreList
  15. plural: clustersecretstores
  16. shortNames:
  17. - css
  18. singular: clustersecretstore
  19. scope: Cluster
  20. versions:
  21. - additionalPrinterColumns:
  22. - jsonPath: .metadata.creationTimestamp
  23. name: AGE
  24. type: date
  25. name: v1alpha1
  26. schema:
  27. openAPIV3Schema:
  28. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  29. properties:
  30. apiVersion:
  31. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  32. type: string
  33. kind:
  34. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  35. type: string
  36. metadata:
  37. type: object
  38. spec:
  39. description: SecretStoreSpec defines the desired state of SecretStore.
  40. properties:
  41. controller:
  42. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  43. type: string
  44. provider:
  45. description: Used to configure the provider. Only one provider may be set
  46. maxProperties: 1
  47. minProperties: 1
  48. properties:
  49. akeyless:
  50. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  51. properties:
  52. akeylessGWApiURL:
  53. description: Akeyless GW API Url from which the secrets to be fetched from.
  54. type: string
  55. authSecretRef:
  56. description: Auth configures how the operator authenticates with Akeyless.
  57. properties:
  58. secretRef:
  59. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  60. properties:
  61. accessID:
  62. description: The SecretAccessID is used for authentication
  63. properties:
  64. key:
  65. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  66. type: string
  67. name:
  68. description: The name of the Secret resource being referred to.
  69. type: string
  70. namespace:
  71. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  72. type: string
  73. type: object
  74. accessType:
  75. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  76. properties:
  77. key:
  78. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  79. type: string
  80. name:
  81. description: The name of the Secret resource being referred to.
  82. type: string
  83. namespace:
  84. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  85. type: string
  86. type: object
  87. accessTypeParam:
  88. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  89. properties:
  90. key:
  91. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  92. type: string
  93. name:
  94. description: The name of the Secret resource being referred to.
  95. type: string
  96. namespace:
  97. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  98. type: string
  99. type: object
  100. type: object
  101. required:
  102. - secretRef
  103. type: object
  104. required:
  105. - akeylessGWApiURL
  106. - authSecretRef
  107. type: object
  108. alibaba:
  109. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  110. properties:
  111. auth:
  112. description: AlibabaAuth contains a secretRef for credentials.
  113. properties:
  114. secretRef:
  115. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  116. properties:
  117. accessKeyIDSecretRef:
  118. description: The AccessKeyID is used for authentication
  119. properties:
  120. key:
  121. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  122. type: string
  123. name:
  124. description: The name of the Secret resource being referred to.
  125. type: string
  126. namespace:
  127. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  128. type: string
  129. type: object
  130. accessKeySecretSecretRef:
  131. description: The AccessKeySecret is used for authentication
  132. properties:
  133. key:
  134. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  135. type: string
  136. name:
  137. description: The name of the Secret resource being referred to.
  138. type: string
  139. namespace:
  140. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  141. type: string
  142. type: object
  143. required:
  144. - accessKeyIDSecretRef
  145. - accessKeySecretSecretRef
  146. type: object
  147. required:
  148. - secretRef
  149. type: object
  150. endpoint:
  151. type: string
  152. regionID:
  153. description: Alibaba Region to be used for the provider
  154. type: string
  155. required:
  156. - auth
  157. - regionID
  158. type: object
  159. aws:
  160. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  161. properties:
  162. auth:
  163. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  164. properties:
  165. jwt:
  166. description: Authenticate against AWS using service account tokens.
  167. properties:
  168. serviceAccountRef:
  169. description: A reference to a ServiceAccount resource.
  170. properties:
  171. name:
  172. description: The name of the ServiceAccount resource being referred to.
  173. type: string
  174. namespace:
  175. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  176. type: string
  177. required:
  178. - name
  179. type: object
  180. type: object
  181. secretRef:
  182. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  183. properties:
  184. accessKeyIDSecretRef:
  185. description: The AccessKeyID is used for authentication
  186. properties:
  187. key:
  188. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  189. type: string
  190. name:
  191. description: The name of the Secret resource being referred to.
  192. type: string
  193. namespace:
  194. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  195. type: string
  196. type: object
  197. secretAccessKeySecretRef:
  198. description: The SecretAccessKey is used for authentication
  199. properties:
  200. key:
  201. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  202. type: string
  203. name:
  204. description: The name of the Secret resource being referred to.
  205. type: string
  206. namespace:
  207. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  208. type: string
  209. type: object
  210. type: object
  211. type: object
  212. region:
  213. description: AWS Region to be used for the provider
  214. type: string
  215. role:
  216. description: Role is a Role ARN which the SecretManager provider will assume
  217. type: string
  218. service:
  219. description: Service defines which service should be used to fetch the secrets
  220. enum:
  221. - SecretsManager
  222. - ParameterStore
  223. type: string
  224. required:
  225. - region
  226. - service
  227. type: object
  228. azurekv:
  229. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  230. properties:
  231. authSecretRef:
  232. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  233. properties:
  234. clientId:
  235. description: The Azure clientId of the service principle used for authentication.
  236. properties:
  237. key:
  238. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  239. type: string
  240. name:
  241. description: The name of the Secret resource being referred to.
  242. type: string
  243. namespace:
  244. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  245. type: string
  246. type: object
  247. clientSecret:
  248. description: The Azure ClientSecret of the service principle used for authentication.
  249. properties:
  250. key:
  251. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  252. type: string
  253. name:
  254. description: The name of the Secret resource being referred to.
  255. type: string
  256. namespace:
  257. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  258. type: string
  259. type: object
  260. required:
  261. - clientId
  262. - clientSecret
  263. type: object
  264. authType:
  265. default: ServicePrincipal
  266. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  267. enum:
  268. - ServicePrincipal
  269. - ManagedIdentity
  270. type: string
  271. identityId:
  272. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  273. type: string
  274. tenantId:
  275. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  276. type: string
  277. vaultUrl:
  278. description: Vault Url from which the secrets to be fetched from.
  279. type: string
  280. required:
  281. - vaultUrl
  282. type: object
  283. fake:
  284. description: Fake configures a store with static key/value pairs
  285. properties:
  286. data:
  287. items:
  288. properties:
  289. key:
  290. type: string
  291. value:
  292. type: string
  293. valueMap:
  294. additionalProperties:
  295. type: string
  296. type: object
  297. version:
  298. type: string
  299. required:
  300. - key
  301. type: object
  302. type: array
  303. required:
  304. - data
  305. type: object
  306. gcpsm:
  307. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  308. properties:
  309. auth:
  310. description: Auth defines the information necessary to authenticate against GCP
  311. properties:
  312. secretRef:
  313. properties:
  314. secretAccessKeySecretRef:
  315. description: The SecretAccessKey is used for authentication
  316. properties:
  317. key:
  318. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  319. type: string
  320. name:
  321. description: The name of the Secret resource being referred to.
  322. type: string
  323. namespace:
  324. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  325. type: string
  326. type: object
  327. type: object
  328. workloadIdentity:
  329. properties:
  330. clusterLocation:
  331. type: string
  332. clusterName:
  333. type: string
  334. serviceAccountRef:
  335. description: A reference to a ServiceAccount resource.
  336. properties:
  337. name:
  338. description: The name of the ServiceAccount resource being referred to.
  339. type: string
  340. namespace:
  341. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  342. type: string
  343. required:
  344. - name
  345. type: object
  346. required:
  347. - clusterLocation
  348. - clusterName
  349. - serviceAccountRef
  350. type: object
  351. type: object
  352. projectID:
  353. description: ProjectID project where secret is located
  354. type: string
  355. type: object
  356. gitlab:
  357. description: GItlab configures this store to sync secrets using Gitlab Variables provider
  358. properties:
  359. auth:
  360. description: Auth configures how secret-manager authenticates with a GitLab instance.
  361. properties:
  362. SecretRef:
  363. properties:
  364. accessToken:
  365. description: AccessToken is used for authentication.
  366. properties:
  367. key:
  368. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  369. type: string
  370. name:
  371. description: The name of the Secret resource being referred to.
  372. type: string
  373. namespace:
  374. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  375. type: string
  376. type: object
  377. type: object
  378. required:
  379. - SecretRef
  380. type: object
  381. projectID:
  382. description: ProjectID specifies a project where secrets are located.
  383. type: string
  384. url:
  385. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  386. type: string
  387. required:
  388. - auth
  389. type: object
  390. ibm:
  391. description: IBM configures this store to sync secrets using IBM Cloud provider
  392. properties:
  393. auth:
  394. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  395. properties:
  396. secretRef:
  397. properties:
  398. secretApiKeySecretRef:
  399. description: The SecretAccessKey is used for authentication
  400. properties:
  401. key:
  402. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  403. type: string
  404. name:
  405. description: The name of the Secret resource being referred to.
  406. type: string
  407. namespace:
  408. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  409. type: string
  410. type: object
  411. type: object
  412. required:
  413. - secretRef
  414. type: object
  415. serviceUrl:
  416. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  417. type: string
  418. required:
  419. - auth
  420. type: object
  421. oracle:
  422. description: Oracle configures this store to sync secrets using Oracle Vault provider
  423. properties:
  424. auth:
  425. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  426. properties:
  427. secretRef:
  428. description: SecretRef to pass through sensitive information.
  429. properties:
  430. fingerprint:
  431. description: Fingerprint is the fingerprint of the API private key.
  432. properties:
  433. key:
  434. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  435. type: string
  436. name:
  437. description: The name of the Secret resource being referred to.
  438. type: string
  439. namespace:
  440. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  441. type: string
  442. type: object
  443. privatekey:
  444. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  445. properties:
  446. key:
  447. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  448. type: string
  449. name:
  450. description: The name of the Secret resource being referred to.
  451. type: string
  452. namespace:
  453. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  454. type: string
  455. type: object
  456. required:
  457. - fingerprint
  458. - privatekey
  459. type: object
  460. tenancy:
  461. description: Tenancy is the tenancy OCID where user is located.
  462. type: string
  463. user:
  464. description: User is an access OCID specific to the account.
  465. type: string
  466. required:
  467. - secretRef
  468. - tenancy
  469. - user
  470. type: object
  471. region:
  472. description: Region is the region where vault is located.
  473. type: string
  474. vault:
  475. description: Vault is the vault's OCID of the specific vault where secret is located.
  476. type: string
  477. required:
  478. - region
  479. - vault
  480. type: object
  481. vault:
  482. description: Vault configures this store to sync secrets using Hashi provider
  483. properties:
  484. auth:
  485. description: Auth configures how secret-manager authenticates with the Vault server.
  486. properties:
  487. appRole:
  488. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  489. properties:
  490. path:
  491. default: approle
  492. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  493. type: string
  494. roleId:
  495. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  496. type: string
  497. secretRef:
  498. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  499. properties:
  500. key:
  501. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  502. type: string
  503. name:
  504. description: The name of the Secret resource being referred to.
  505. type: string
  506. namespace:
  507. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  508. type: string
  509. type: object
  510. required:
  511. - path
  512. - roleId
  513. - secretRef
  514. type: object
  515. cert:
  516. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  517. properties:
  518. clientCert:
  519. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  520. properties:
  521. key:
  522. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  523. type: string
  524. name:
  525. description: The name of the Secret resource being referred to.
  526. type: string
  527. namespace:
  528. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  529. type: string
  530. type: object
  531. secretRef:
  532. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  533. properties:
  534. key:
  535. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  536. type: string
  537. name:
  538. description: The name of the Secret resource being referred to.
  539. type: string
  540. namespace:
  541. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  542. type: string
  543. type: object
  544. type: object
  545. jwt:
  546. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  547. properties:
  548. path:
  549. default: jwt
  550. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  551. type: string
  552. role:
  553. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  554. type: string
  555. secretRef:
  556. description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
  557. properties:
  558. key:
  559. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  560. type: string
  561. name:
  562. description: The name of the Secret resource being referred to.
  563. type: string
  564. namespace:
  565. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  566. type: string
  567. type: object
  568. required:
  569. - path
  570. type: object
  571. kubernetes:
  572. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  573. properties:
  574. mountPath:
  575. default: kubernetes
  576. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  577. type: string
  578. role:
  579. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  580. type: string
  581. secretRef:
  582. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  583. properties:
  584. key:
  585. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  586. type: string
  587. name:
  588. description: The name of the Secret resource being referred to.
  589. type: string
  590. namespace:
  591. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  592. type: string
  593. type: object
  594. serviceAccountRef:
  595. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  596. properties:
  597. name:
  598. description: The name of the ServiceAccount resource being referred to.
  599. type: string
  600. namespace:
  601. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  602. type: string
  603. required:
  604. - name
  605. type: object
  606. required:
  607. - mountPath
  608. - role
  609. type: object
  610. ldap:
  611. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  612. properties:
  613. path:
  614. default: ldap
  615. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  616. type: string
  617. secretRef:
  618. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  619. properties:
  620. key:
  621. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  622. type: string
  623. name:
  624. description: The name of the Secret resource being referred to.
  625. type: string
  626. namespace:
  627. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  628. type: string
  629. type: object
  630. username:
  631. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  632. type: string
  633. required:
  634. - path
  635. - username
  636. type: object
  637. tokenSecretRef:
  638. description: TokenSecretRef authenticates with Vault by presenting a token.
  639. properties:
  640. key:
  641. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  642. type: string
  643. name:
  644. description: The name of the Secret resource being referred to.
  645. type: string
  646. namespace:
  647. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  648. type: string
  649. type: object
  650. type: object
  651. caBundle:
  652. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  653. format: byte
  654. type: string
  655. caProvider:
  656. description: The provider for the CA bundle to use to validate Vault server certificate.
  657. properties:
  658. key:
  659. description: The key the value inside of the provider type to use, only used with "Secret" type
  660. type: string
  661. name:
  662. description: The name of the object located at the provider type.
  663. type: string
  664. namespace:
  665. description: The namespace the Provider type is in.
  666. type: string
  667. type:
  668. description: The type of provider to use such as "Secret", or "ConfigMap".
  669. enum:
  670. - Secret
  671. - ConfigMap
  672. type: string
  673. required:
  674. - name
  675. - type
  676. type: object
  677. forwardInconsistent:
  678. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  679. type: boolean
  680. namespace:
  681. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  682. type: string
  683. path:
  684. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  685. type: string
  686. readYourWrites:
  687. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  688. type: boolean
  689. server:
  690. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  691. type: string
  692. version:
  693. default: v2
  694. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  695. enum:
  696. - v1
  697. - v2
  698. type: string
  699. required:
  700. - auth
  701. - server
  702. type: object
  703. webhook:
  704. description: Webhook configures this store to sync secrets using a generic templated webhook
  705. properties:
  706. body:
  707. description: Body
  708. type: string
  709. caBundle:
  710. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  711. format: byte
  712. type: string
  713. caProvider:
  714. description: The provider for the CA bundle to use to validate webhook server certificate.
  715. properties:
  716. key:
  717. description: The key the value inside of the provider type to use, only used with "Secret" type
  718. type: string
  719. name:
  720. description: The name of the object located at the provider type.
  721. type: string
  722. namespace:
  723. description: The namespace the Provider type is in.
  724. type: string
  725. type:
  726. description: The type of provider to use such as "Secret", or "ConfigMap".
  727. enum:
  728. - Secret
  729. - ConfigMap
  730. type: string
  731. required:
  732. - name
  733. - type
  734. type: object
  735. headers:
  736. additionalProperties:
  737. type: string
  738. description: Headers
  739. type: object
  740. method:
  741. description: Webhook Method
  742. type: string
  743. result:
  744. description: Result formatting
  745. properties:
  746. jsonPath:
  747. description: Json path of return value
  748. type: string
  749. type: object
  750. secrets:
  751. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  752. items:
  753. properties:
  754. name:
  755. description: Name of this secret in templates
  756. type: string
  757. secretRef:
  758. description: Secret ref to fill in credentials
  759. properties:
  760. key:
  761. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  762. type: string
  763. name:
  764. description: The name of the Secret resource being referred to.
  765. type: string
  766. namespace:
  767. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  768. type: string
  769. type: object
  770. required:
  771. - name
  772. - secretRef
  773. type: object
  774. type: array
  775. timeout:
  776. description: Timeout
  777. type: string
  778. url:
  779. description: Webhook url to call
  780. type: string
  781. required:
  782. - result
  783. - url
  784. type: object
  785. yandexlockbox:
  786. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  787. properties:
  788. apiEndpoint:
  789. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  790. type: string
  791. auth:
  792. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  793. properties:
  794. authorizedKeySecretRef:
  795. description: The authorized key used for authentication
  796. properties:
  797. key:
  798. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  799. type: string
  800. name:
  801. description: The name of the Secret resource being referred to.
  802. type: string
  803. namespace:
  804. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  805. type: string
  806. type: object
  807. type: object
  808. caProvider:
  809. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  810. properties:
  811. certSecretRef:
  812. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  813. properties:
  814. key:
  815. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  816. type: string
  817. name:
  818. description: The name of the Secret resource being referred to.
  819. type: string
  820. namespace:
  821. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  822. type: string
  823. type: object
  824. type: object
  825. required:
  826. - auth
  827. type: object
  828. type: object
  829. retrySettings:
  830. description: Used to configure http retries if failed
  831. properties:
  832. maxRetries:
  833. format: int32
  834. type: integer
  835. retryInterval:
  836. type: string
  837. type: object
  838. required:
  839. - provider
  840. type: object
  841. status:
  842. description: SecretStoreStatus defines the observed state of the SecretStore.
  843. properties:
  844. conditions:
  845. items:
  846. properties:
  847. lastTransitionTime:
  848. format: date-time
  849. type: string
  850. message:
  851. type: string
  852. reason:
  853. type: string
  854. status:
  855. type: string
  856. type:
  857. type: string
  858. required:
  859. - status
  860. - type
  861. type: object
  862. type: array
  863. type: object
  864. type: object
  865. served: true
  866. storage: false
  867. subresources:
  868. status: {}
  869. - additionalPrinterColumns:
  870. - jsonPath: .metadata.creationTimestamp
  871. name: AGE
  872. type: date
  873. name: v1beta1
  874. schema:
  875. openAPIV3Schema:
  876. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  877. properties:
  878. apiVersion:
  879. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  880. type: string
  881. kind:
  882. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  883. type: string
  884. metadata:
  885. type: object
  886. spec:
  887. description: SecretStoreSpec defines the desired state of SecretStore.
  888. properties:
  889. controller:
  890. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  891. type: string
  892. provider:
  893. description: Used to configure the provider. Only one provider may be set
  894. maxProperties: 1
  895. minProperties: 1
  896. properties:
  897. akeyless:
  898. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  899. properties:
  900. akeylessGWApiURL:
  901. description: Akeyless GW API Url from which the secrets to be fetched from.
  902. type: string
  903. authSecretRef:
  904. description: Auth configures how the operator authenticates with Akeyless.
  905. properties:
  906. secretRef:
  907. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  908. properties:
  909. accessID:
  910. description: The SecretAccessID is used for authentication
  911. properties:
  912. key:
  913. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  914. type: string
  915. name:
  916. description: The name of the Secret resource being referred to.
  917. type: string
  918. namespace:
  919. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  920. type: string
  921. type: object
  922. accessType:
  923. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  924. properties:
  925. key:
  926. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  927. type: string
  928. name:
  929. description: The name of the Secret resource being referred to.
  930. type: string
  931. namespace:
  932. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  933. type: string
  934. type: object
  935. accessTypeParam:
  936. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  937. properties:
  938. key:
  939. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  940. type: string
  941. name:
  942. description: The name of the Secret resource being referred to.
  943. type: string
  944. namespace:
  945. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  946. type: string
  947. type: object
  948. type: object
  949. required:
  950. - secretRef
  951. type: object
  952. required:
  953. - akeylessGWApiURL
  954. - authSecretRef
  955. type: object
  956. alibaba:
  957. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  958. properties:
  959. auth:
  960. description: AlibabaAuth contains a secretRef for credentials.
  961. properties:
  962. secretRef:
  963. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  964. properties:
  965. accessKeyIDSecretRef:
  966. description: The AccessKeyID is used for authentication
  967. properties:
  968. key:
  969. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  970. type: string
  971. name:
  972. description: The name of the Secret resource being referred to.
  973. type: string
  974. namespace:
  975. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  976. type: string
  977. type: object
  978. accessKeySecretSecretRef:
  979. description: The AccessKeySecret is used for authentication
  980. properties:
  981. key:
  982. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  983. type: string
  984. name:
  985. description: The name of the Secret resource being referred to.
  986. type: string
  987. namespace:
  988. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  989. type: string
  990. type: object
  991. required:
  992. - accessKeyIDSecretRef
  993. - accessKeySecretSecretRef
  994. type: object
  995. required:
  996. - secretRef
  997. type: object
  998. endpoint:
  999. type: string
  1000. regionID:
  1001. description: Alibaba Region to be used for the provider
  1002. type: string
  1003. required:
  1004. - auth
  1005. - regionID
  1006. type: object
  1007. aws:
  1008. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1009. properties:
  1010. auth:
  1011. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1012. properties:
  1013. jwt:
  1014. description: Authenticate against AWS using service account tokens.
  1015. properties:
  1016. serviceAccountRef:
  1017. description: A reference to a ServiceAccount resource.
  1018. properties:
  1019. name:
  1020. description: The name of the ServiceAccount resource being referred to.
  1021. type: string
  1022. namespace:
  1023. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1024. type: string
  1025. required:
  1026. - name
  1027. type: object
  1028. type: object
  1029. secretRef:
  1030. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1031. properties:
  1032. accessKeyIDSecretRef:
  1033. description: The AccessKeyID is used for authentication
  1034. properties:
  1035. key:
  1036. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1037. type: string
  1038. name:
  1039. description: The name of the Secret resource being referred to.
  1040. type: string
  1041. namespace:
  1042. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1043. type: string
  1044. type: object
  1045. secretAccessKeySecretRef:
  1046. description: The SecretAccessKey is used for authentication
  1047. properties:
  1048. key:
  1049. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1050. type: string
  1051. name:
  1052. description: The name of the Secret resource being referred to.
  1053. type: string
  1054. namespace:
  1055. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1056. type: string
  1057. type: object
  1058. type: object
  1059. type: object
  1060. region:
  1061. description: AWS Region to be used for the provider
  1062. type: string
  1063. role:
  1064. description: Role is a Role ARN which the SecretManager provider will assume
  1065. type: string
  1066. service:
  1067. description: Service defines which service should be used to fetch the secrets
  1068. enum:
  1069. - SecretsManager
  1070. - ParameterStore
  1071. type: string
  1072. required:
  1073. - region
  1074. - service
  1075. type: object
  1076. azurekv:
  1077. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1078. properties:
  1079. authSecretRef:
  1080. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1081. properties:
  1082. clientId:
  1083. description: The Azure clientId of the service principle used for authentication.
  1084. properties:
  1085. key:
  1086. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1087. type: string
  1088. name:
  1089. description: The name of the Secret resource being referred to.
  1090. type: string
  1091. namespace:
  1092. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1093. type: string
  1094. type: object
  1095. clientSecret:
  1096. description: The Azure ClientSecret of the service principle used for authentication.
  1097. properties:
  1098. key:
  1099. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1100. type: string
  1101. name:
  1102. description: The name of the Secret resource being referred to.
  1103. type: string
  1104. namespace:
  1105. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1106. type: string
  1107. type: object
  1108. required:
  1109. - clientId
  1110. - clientSecret
  1111. type: object
  1112. authType:
  1113. default: ServicePrincipal
  1114. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  1115. enum:
  1116. - ServicePrincipal
  1117. - ManagedIdentity
  1118. type: string
  1119. identityId:
  1120. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1121. type: string
  1122. tenantId:
  1123. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1124. type: string
  1125. vaultUrl:
  1126. description: Vault Url from which the secrets to be fetched from.
  1127. type: string
  1128. required:
  1129. - vaultUrl
  1130. type: object
  1131. fake:
  1132. description: Fake configures a store with static key/value pairs
  1133. properties:
  1134. data:
  1135. items:
  1136. properties:
  1137. key:
  1138. type: string
  1139. value:
  1140. type: string
  1141. valueMap:
  1142. additionalProperties:
  1143. type: string
  1144. type: object
  1145. version:
  1146. type: string
  1147. required:
  1148. - key
  1149. type: object
  1150. type: array
  1151. required:
  1152. - data
  1153. type: object
  1154. gcpsm:
  1155. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1156. properties:
  1157. auth:
  1158. description: Auth defines the information necessary to authenticate against GCP
  1159. properties:
  1160. secretRef:
  1161. properties:
  1162. secretAccessKeySecretRef:
  1163. description: The SecretAccessKey is used for authentication
  1164. properties:
  1165. key:
  1166. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1167. type: string
  1168. name:
  1169. description: The name of the Secret resource being referred to.
  1170. type: string
  1171. namespace:
  1172. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1173. type: string
  1174. type: object
  1175. type: object
  1176. workloadIdentity:
  1177. properties:
  1178. clusterLocation:
  1179. type: string
  1180. clusterName:
  1181. type: string
  1182. serviceAccountRef:
  1183. description: A reference to a ServiceAccount resource.
  1184. properties:
  1185. name:
  1186. description: The name of the ServiceAccount resource being referred to.
  1187. type: string
  1188. namespace:
  1189. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1190. type: string
  1191. required:
  1192. - name
  1193. type: object
  1194. required:
  1195. - clusterLocation
  1196. - clusterName
  1197. - serviceAccountRef
  1198. type: object
  1199. type: object
  1200. projectID:
  1201. description: ProjectID project where secret is located
  1202. type: string
  1203. type: object
  1204. gitlab:
  1205. description: GItlab configures this store to sync secrets using Gitlab Variables provider
  1206. properties:
  1207. auth:
  1208. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1209. properties:
  1210. SecretRef:
  1211. properties:
  1212. accessToken:
  1213. description: AccessToken is used for authentication.
  1214. properties:
  1215. key:
  1216. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1217. type: string
  1218. name:
  1219. description: The name of the Secret resource being referred to.
  1220. type: string
  1221. namespace:
  1222. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1223. type: string
  1224. type: object
  1225. type: object
  1226. required:
  1227. - SecretRef
  1228. type: object
  1229. projectID:
  1230. description: ProjectID specifies a project where secrets are located.
  1231. type: string
  1232. url:
  1233. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1234. type: string
  1235. required:
  1236. - auth
  1237. type: object
  1238. ibm:
  1239. description: IBM configures this store to sync secrets using IBM Cloud provider
  1240. properties:
  1241. auth:
  1242. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1243. properties:
  1244. secretRef:
  1245. properties:
  1246. secretApiKeySecretRef:
  1247. description: The SecretAccessKey is used for authentication
  1248. properties:
  1249. key:
  1250. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1251. type: string
  1252. name:
  1253. description: The name of the Secret resource being referred to.
  1254. type: string
  1255. namespace:
  1256. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1257. type: string
  1258. type: object
  1259. type: object
  1260. required:
  1261. - secretRef
  1262. type: object
  1263. serviceUrl:
  1264. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1265. type: string
  1266. required:
  1267. - auth
  1268. type: object
  1269. oracle:
  1270. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1271. properties:
  1272. auth:
  1273. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  1274. properties:
  1275. secretRef:
  1276. description: SecretRef to pass through sensitive information.
  1277. properties:
  1278. fingerprint:
  1279. description: Fingerprint is the fingerprint of the API private key.
  1280. properties:
  1281. key:
  1282. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1283. type: string
  1284. name:
  1285. description: The name of the Secret resource being referred to.
  1286. type: string
  1287. namespace:
  1288. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1289. type: string
  1290. type: object
  1291. privatekey:
  1292. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1293. properties:
  1294. key:
  1295. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1296. type: string
  1297. name:
  1298. description: The name of the Secret resource being referred to.
  1299. type: string
  1300. namespace:
  1301. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1302. type: string
  1303. type: object
  1304. required:
  1305. - fingerprint
  1306. - privatekey
  1307. type: object
  1308. tenancy:
  1309. description: Tenancy is the tenancy OCID where user is located.
  1310. type: string
  1311. user:
  1312. description: User is an access OCID specific to the account.
  1313. type: string
  1314. required:
  1315. - secretRef
  1316. - tenancy
  1317. - user
  1318. type: object
  1319. region:
  1320. description: Region is the region where vault is located.
  1321. type: string
  1322. vault:
  1323. description: Vault is the vault's OCID of the specific vault where secret is located.
  1324. type: string
  1325. required:
  1326. - region
  1327. - vault
  1328. type: object
  1329. vault:
  1330. description: Vault configures this store to sync secrets using Hashi provider
  1331. properties:
  1332. auth:
  1333. description: Auth configures how secret-manager authenticates with the Vault server.
  1334. properties:
  1335. appRole:
  1336. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  1337. properties:
  1338. path:
  1339. default: approle
  1340. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  1341. type: string
  1342. roleId:
  1343. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1344. type: string
  1345. secretRef:
  1346. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1347. properties:
  1348. key:
  1349. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1350. type: string
  1351. name:
  1352. description: The name of the Secret resource being referred to.
  1353. type: string
  1354. namespace:
  1355. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1356. type: string
  1357. type: object
  1358. required:
  1359. - path
  1360. - roleId
  1361. - secretRef
  1362. type: object
  1363. cert:
  1364. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  1365. properties:
  1366. clientCert:
  1367. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  1368. properties:
  1369. key:
  1370. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1371. type: string
  1372. name:
  1373. description: The name of the Secret resource being referred to.
  1374. type: string
  1375. namespace:
  1376. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1377. type: string
  1378. type: object
  1379. secretRef:
  1380. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  1381. properties:
  1382. key:
  1383. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1384. type: string
  1385. name:
  1386. description: The name of the Secret resource being referred to.
  1387. type: string
  1388. namespace:
  1389. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1390. type: string
  1391. type: object
  1392. type: object
  1393. jwt:
  1394. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1395. properties:
  1396. path:
  1397. default: jwt
  1398. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1399. type: string
  1400. role:
  1401. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1402. type: string
  1403. secretRef:
  1404. description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
  1405. properties:
  1406. key:
  1407. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1408. type: string
  1409. name:
  1410. description: The name of the Secret resource being referred to.
  1411. type: string
  1412. namespace:
  1413. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1414. type: string
  1415. type: object
  1416. required:
  1417. - path
  1418. type: object
  1419. kubernetes:
  1420. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1421. properties:
  1422. mountPath:
  1423. default: kubernetes
  1424. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1425. type: string
  1426. role:
  1427. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1428. type: string
  1429. secretRef:
  1430. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1431. properties:
  1432. key:
  1433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1434. type: string
  1435. name:
  1436. description: The name of the Secret resource being referred to.
  1437. type: string
  1438. namespace:
  1439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1440. type: string
  1441. type: object
  1442. serviceAccountRef:
  1443. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1444. properties:
  1445. name:
  1446. description: The name of the ServiceAccount resource being referred to.
  1447. type: string
  1448. namespace:
  1449. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1450. type: string
  1451. required:
  1452. - name
  1453. type: object
  1454. required:
  1455. - mountPath
  1456. - role
  1457. type: object
  1458. ldap:
  1459. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1460. properties:
  1461. path:
  1462. default: ldap
  1463. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1464. type: string
  1465. secretRef:
  1466. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1467. properties:
  1468. key:
  1469. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1470. type: string
  1471. name:
  1472. description: The name of the Secret resource being referred to.
  1473. type: string
  1474. namespace:
  1475. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1476. type: string
  1477. type: object
  1478. username:
  1479. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1480. type: string
  1481. required:
  1482. - path
  1483. - username
  1484. type: object
  1485. tokenSecretRef:
  1486. description: TokenSecretRef authenticates with Vault by presenting a token.
  1487. properties:
  1488. key:
  1489. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1490. type: string
  1491. name:
  1492. description: The name of the Secret resource being referred to.
  1493. type: string
  1494. namespace:
  1495. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1496. type: string
  1497. type: object
  1498. type: object
  1499. caBundle:
  1500. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1501. format: byte
  1502. type: string
  1503. caProvider:
  1504. description: The provider for the CA bundle to use to validate Vault server certificate.
  1505. properties:
  1506. key:
  1507. description: The key the value inside of the provider type to use, only used with "Secret" type
  1508. type: string
  1509. name:
  1510. description: The name of the object located at the provider type.
  1511. type: string
  1512. namespace:
  1513. description: The namespace the Provider type is in.
  1514. type: string
  1515. type:
  1516. description: The type of provider to use such as "Secret", or "ConfigMap".
  1517. enum:
  1518. - Secret
  1519. - ConfigMap
  1520. type: string
  1521. required:
  1522. - name
  1523. - type
  1524. type: object
  1525. forwardInconsistent:
  1526. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1527. type: boolean
  1528. namespace:
  1529. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1530. type: string
  1531. path:
  1532. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1533. type: string
  1534. readYourWrites:
  1535. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1536. type: boolean
  1537. server:
  1538. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1539. type: string
  1540. version:
  1541. default: v2
  1542. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1543. enum:
  1544. - v1
  1545. - v2
  1546. type: string
  1547. required:
  1548. - auth
  1549. - server
  1550. type: object
  1551. webhook:
  1552. description: Webhook configures this store to sync secrets using a generic templated webhook
  1553. properties:
  1554. body:
  1555. description: Body
  1556. type: string
  1557. caBundle:
  1558. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1559. format: byte
  1560. type: string
  1561. caProvider:
  1562. description: The provider for the CA bundle to use to validate webhook server certificate.
  1563. properties:
  1564. key:
  1565. description: The key the value inside of the provider type to use, only used with "Secret" type
  1566. type: string
  1567. name:
  1568. description: The name of the object located at the provider type.
  1569. type: string
  1570. namespace:
  1571. description: The namespace the Provider type is in.
  1572. type: string
  1573. type:
  1574. description: The type of provider to use such as "Secret", or "ConfigMap".
  1575. enum:
  1576. - Secret
  1577. - ConfigMap
  1578. type: string
  1579. required:
  1580. - name
  1581. - type
  1582. type: object
  1583. headers:
  1584. additionalProperties:
  1585. type: string
  1586. description: Headers
  1587. type: object
  1588. method:
  1589. description: Webhook Method
  1590. type: string
  1591. result:
  1592. description: Result formatting
  1593. properties:
  1594. jsonPath:
  1595. description: Json path of return value
  1596. type: string
  1597. type: object
  1598. secrets:
  1599. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1600. items:
  1601. properties:
  1602. name:
  1603. description: Name of this secret in templates
  1604. type: string
  1605. secretRef:
  1606. description: Secret ref to fill in credentials
  1607. properties:
  1608. key:
  1609. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1610. type: string
  1611. name:
  1612. description: The name of the Secret resource being referred to.
  1613. type: string
  1614. namespace:
  1615. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1616. type: string
  1617. type: object
  1618. required:
  1619. - name
  1620. - secretRef
  1621. type: object
  1622. type: array
  1623. timeout:
  1624. description: Timeout
  1625. type: string
  1626. url:
  1627. description: Webhook url to call
  1628. type: string
  1629. required:
  1630. - result
  1631. - url
  1632. type: object
  1633. yandexlockbox:
  1634. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1635. properties:
  1636. apiEndpoint:
  1637. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1638. type: string
  1639. auth:
  1640. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1641. properties:
  1642. authorizedKeySecretRef:
  1643. description: The authorized key used for authentication
  1644. properties:
  1645. key:
  1646. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1647. type: string
  1648. name:
  1649. description: The name of the Secret resource being referred to.
  1650. type: string
  1651. namespace:
  1652. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1653. type: string
  1654. type: object
  1655. type: object
  1656. caProvider:
  1657. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1658. properties:
  1659. certSecretRef:
  1660. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1661. properties:
  1662. key:
  1663. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1664. type: string
  1665. name:
  1666. description: The name of the Secret resource being referred to.
  1667. type: string
  1668. namespace:
  1669. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1670. type: string
  1671. type: object
  1672. type: object
  1673. required:
  1674. - auth
  1675. type: object
  1676. type: object
  1677. retrySettings:
  1678. description: Used to configure http retries if failed
  1679. properties:
  1680. maxRetries:
  1681. format: int32
  1682. type: integer
  1683. retryInterval:
  1684. type: string
  1685. type: object
  1686. required:
  1687. - provider
  1688. type: object
  1689. status:
  1690. description: SecretStoreStatus defines the observed state of the SecretStore.
  1691. properties:
  1692. conditions:
  1693. items:
  1694. properties:
  1695. lastTransitionTime:
  1696. format: date-time
  1697. type: string
  1698. message:
  1699. type: string
  1700. reason:
  1701. type: string
  1702. status:
  1703. type: string
  1704. type:
  1705. type: string
  1706. required:
  1707. - status
  1708. - type
  1709. type: object
  1710. type: array
  1711. type: object
  1712. type: object
  1713. served: true
  1714. storage: true
  1715. subresources:
  1716. status: {}
  1717. conversion:
  1718. strategy: Webhook
  1719. webhook:
  1720. conversionReviewVersions:
  1721. - v1
  1722. clientConfig:
  1723. caBundle: Cg==
  1724. service:
  1725. name: kubernetes
  1726. namespace: default
  1727. path: /convert
  1728. status:
  1729. acceptedNames:
  1730. kind: ""
  1731. plural: ""
  1732. conditions: []
  1733. storedVersions: []
  1734. ---
  1735. apiVersion: apiextensions.k8s.io/v1
  1736. kind: CustomResourceDefinition
  1737. metadata:
  1738. annotations:
  1739. controller-gen.kubebuilder.io/version: v0.8.0
  1740. creationTimestamp: null
  1741. name: externalsecrets.external-secrets.io
  1742. spec:
  1743. group: external-secrets.io
  1744. names:
  1745. categories:
  1746. - externalsecrets
  1747. kind: ExternalSecret
  1748. listKind: ExternalSecretList
  1749. plural: externalsecrets
  1750. shortNames:
  1751. - es
  1752. singular: externalsecret
  1753. scope: Namespaced
  1754. versions:
  1755. - additionalPrinterColumns:
  1756. - jsonPath: .spec.secretStoreRef.name
  1757. name: Store
  1758. type: string
  1759. - jsonPath: .spec.refreshInterval
  1760. name: Refresh Interval
  1761. type: string
  1762. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1763. name: Status
  1764. type: string
  1765. name: v1alpha1
  1766. schema:
  1767. openAPIV3Schema:
  1768. description: ExternalSecret is the Schema for the external-secrets API.
  1769. properties:
  1770. apiVersion:
  1771. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1772. type: string
  1773. kind:
  1774. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1775. type: string
  1776. metadata:
  1777. type: object
  1778. spec:
  1779. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  1780. properties:
  1781. data:
  1782. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  1783. items:
  1784. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  1785. properties:
  1786. remoteRef:
  1787. description: ExternalSecretDataRemoteRef defines Provider data location.
  1788. properties:
  1789. key:
  1790. description: Key is the key used in the Provider, mandatory
  1791. type: string
  1792. property:
  1793. description: Used to select a specific property of the Provider value (if a map), if supported
  1794. type: string
  1795. version:
  1796. description: Used to select a specific version of the Provider value, if supported
  1797. type: string
  1798. required:
  1799. - key
  1800. type: object
  1801. secretKey:
  1802. type: string
  1803. required:
  1804. - remoteRef
  1805. - secretKey
  1806. type: object
  1807. type: array
  1808. dataFrom:
  1809. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  1810. items:
  1811. description: ExternalSecretDataRemoteRef defines Provider data location.
  1812. properties:
  1813. key:
  1814. description: Key is the key used in the Provider, mandatory
  1815. type: string
  1816. property:
  1817. description: Used to select a specific property of the Provider value (if a map), if supported
  1818. type: string
  1819. version:
  1820. description: Used to select a specific version of the Provider value, if supported
  1821. type: string
  1822. required:
  1823. - key
  1824. type: object
  1825. type: array
  1826. refreshInterval:
  1827. default: 1h
  1828. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  1829. type: string
  1830. secretStoreRef:
  1831. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1832. properties:
  1833. kind:
  1834. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  1835. type: string
  1836. name:
  1837. description: Name of the SecretStore resource
  1838. type: string
  1839. required:
  1840. - name
  1841. type: object
  1842. target:
  1843. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  1844. properties:
  1845. creationPolicy:
  1846. default: Owner
  1847. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  1848. type: string
  1849. immutable:
  1850. description: Immutable defines if the final secret will be immutable
  1851. type: boolean
  1852. name:
  1853. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  1854. type: string
  1855. template:
  1856. description: Template defines a blueprint for the created Secret resource.
  1857. properties:
  1858. data:
  1859. additionalProperties:
  1860. type: string
  1861. type: object
  1862. engineVersion:
  1863. default: v1
  1864. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  1865. type: string
  1866. metadata:
  1867. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1868. properties:
  1869. annotations:
  1870. additionalProperties:
  1871. type: string
  1872. type: object
  1873. labels:
  1874. additionalProperties:
  1875. type: string
  1876. type: object
  1877. type: object
  1878. templateFrom:
  1879. items:
  1880. maxProperties: 1
  1881. minProperties: 1
  1882. properties:
  1883. configMap:
  1884. properties:
  1885. items:
  1886. items:
  1887. properties:
  1888. key:
  1889. type: string
  1890. required:
  1891. - key
  1892. type: object
  1893. type: array
  1894. name:
  1895. type: string
  1896. required:
  1897. - items
  1898. - name
  1899. type: object
  1900. secret:
  1901. properties:
  1902. items:
  1903. items:
  1904. properties:
  1905. key:
  1906. type: string
  1907. required:
  1908. - key
  1909. type: object
  1910. type: array
  1911. name:
  1912. type: string
  1913. required:
  1914. - items
  1915. - name
  1916. type: object
  1917. type: object
  1918. type: array
  1919. type:
  1920. type: string
  1921. type: object
  1922. type: object
  1923. required:
  1924. - secretStoreRef
  1925. - target
  1926. type: object
  1927. status:
  1928. properties:
  1929. conditions:
  1930. items:
  1931. properties:
  1932. lastTransitionTime:
  1933. format: date-time
  1934. type: string
  1935. message:
  1936. type: string
  1937. reason:
  1938. type: string
  1939. status:
  1940. type: string
  1941. type:
  1942. type: string
  1943. required:
  1944. - status
  1945. - type
  1946. type: object
  1947. type: array
  1948. refreshTime:
  1949. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  1950. format: date-time
  1951. nullable: true
  1952. type: string
  1953. syncedResourceVersion:
  1954. description: SyncedResourceVersion keeps track of the last synced version
  1955. type: string
  1956. type: object
  1957. type: object
  1958. served: true
  1959. storage: false
  1960. subresources:
  1961. status: {}
  1962. - additionalPrinterColumns:
  1963. - jsonPath: .spec.secretStoreRef.name
  1964. name: Store
  1965. type: string
  1966. - jsonPath: .spec.refreshInterval
  1967. name: Refresh Interval
  1968. type: string
  1969. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1970. name: Status
  1971. type: string
  1972. name: v1beta1
  1973. schema:
  1974. openAPIV3Schema:
  1975. description: ExternalSecret is the Schema for the external-secrets API.
  1976. properties:
  1977. apiVersion:
  1978. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1979. type: string
  1980. kind:
  1981. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1982. type: string
  1983. metadata:
  1984. type: object
  1985. spec:
  1986. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  1987. properties:
  1988. data:
  1989. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  1990. items:
  1991. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  1992. properties:
  1993. remoteRef:
  1994. description: ExternalSecretDataRemoteRef defines Provider data location.
  1995. properties:
  1996. key:
  1997. description: Key is the key used in the Provider, mandatory
  1998. type: string
  1999. property:
  2000. description: Used to select a specific property of the Provider value (if a map), if supported
  2001. type: string
  2002. version:
  2003. description: Used to select a specific version of the Provider value, if supported
  2004. type: string
  2005. required:
  2006. - key
  2007. type: object
  2008. secretKey:
  2009. type: string
  2010. required:
  2011. - remoteRef
  2012. - secretKey
  2013. type: object
  2014. type: array
  2015. dataFrom:
  2016. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2017. items:
  2018. properties:
  2019. extract:
  2020. description: Used to extract multiple key/value pairs from one secret
  2021. properties:
  2022. key:
  2023. description: Key is the key used in the Provider, mandatory
  2024. type: string
  2025. property:
  2026. description: Used to select a specific property of the Provider value (if a map), if supported
  2027. type: string
  2028. version:
  2029. description: Used to select a specific version of the Provider value, if supported
  2030. type: string
  2031. required:
  2032. - key
  2033. type: object
  2034. find:
  2035. description: Used to find secrets based on tags or regular expressions
  2036. properties:
  2037. name:
  2038. description: Finds secrets based on the name.
  2039. properties:
  2040. regexp:
  2041. description: Finds secrets base
  2042. type: string
  2043. type: object
  2044. tags:
  2045. additionalProperties:
  2046. type: string
  2047. description: Find secrets based on tags.
  2048. type: object
  2049. type: object
  2050. type: object
  2051. type: array
  2052. refreshInterval:
  2053. default: 1h
  2054. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2055. type: string
  2056. secretStoreRef:
  2057. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2058. properties:
  2059. kind:
  2060. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2061. type: string
  2062. name:
  2063. description: Name of the SecretStore resource
  2064. type: string
  2065. required:
  2066. - name
  2067. type: object
  2068. target:
  2069. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2070. properties:
  2071. creationPolicy:
  2072. default: Owner
  2073. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2074. type: string
  2075. deletionPolicy:
  2076. default: None
  2077. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'None'
  2078. type: string
  2079. immutable:
  2080. description: Immutable defines if the final secret will be immutable
  2081. type: boolean
  2082. name:
  2083. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2084. type: string
  2085. template:
  2086. description: Template defines a blueprint for the created Secret resource.
  2087. properties:
  2088. data:
  2089. additionalProperties:
  2090. type: string
  2091. type: object
  2092. engineVersion:
  2093. default: v2
  2094. type: string
  2095. metadata:
  2096. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2097. properties:
  2098. annotations:
  2099. additionalProperties:
  2100. type: string
  2101. type: object
  2102. labels:
  2103. additionalProperties:
  2104. type: string
  2105. type: object
  2106. type: object
  2107. templateFrom:
  2108. items:
  2109. maxProperties: 1
  2110. minProperties: 1
  2111. properties:
  2112. configMap:
  2113. properties:
  2114. items:
  2115. items:
  2116. properties:
  2117. key:
  2118. type: string
  2119. required:
  2120. - key
  2121. type: object
  2122. type: array
  2123. name:
  2124. type: string
  2125. required:
  2126. - items
  2127. - name
  2128. type: object
  2129. secret:
  2130. properties:
  2131. items:
  2132. items:
  2133. properties:
  2134. key:
  2135. type: string
  2136. required:
  2137. - key
  2138. type: object
  2139. type: array
  2140. name:
  2141. type: string
  2142. required:
  2143. - items
  2144. - name
  2145. type: object
  2146. type: object
  2147. type: array
  2148. type:
  2149. type: string
  2150. type: object
  2151. type: object
  2152. required:
  2153. - secretStoreRef
  2154. - target
  2155. type: object
  2156. status:
  2157. properties:
  2158. conditions:
  2159. items:
  2160. properties:
  2161. lastTransitionTime:
  2162. format: date-time
  2163. type: string
  2164. message:
  2165. type: string
  2166. reason:
  2167. type: string
  2168. status:
  2169. type: string
  2170. type:
  2171. type: string
  2172. required:
  2173. - status
  2174. - type
  2175. type: object
  2176. type: array
  2177. refreshTime:
  2178. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2179. format: date-time
  2180. nullable: true
  2181. type: string
  2182. syncedResourceVersion:
  2183. description: SyncedResourceVersion keeps track of the last synced version
  2184. type: string
  2185. type: object
  2186. type: object
  2187. served: true
  2188. storage: true
  2189. subresources:
  2190. status: {}
  2191. conversion:
  2192. strategy: Webhook
  2193. webhook:
  2194. conversionReviewVersions:
  2195. - v1
  2196. clientConfig:
  2197. caBundle: Cg==
  2198. service:
  2199. name: kubernetes
  2200. namespace: default
  2201. path: /convert
  2202. status:
  2203. acceptedNames:
  2204. kind: ""
  2205. plural: ""
  2206. conditions: []
  2207. storedVersions: []
  2208. ---
  2209. apiVersion: apiextensions.k8s.io/v1
  2210. kind: CustomResourceDefinition
  2211. metadata:
  2212. annotations:
  2213. controller-gen.kubebuilder.io/version: v0.8.0
  2214. creationTimestamp: null
  2215. name: secretstores.external-secrets.io
  2216. spec:
  2217. group: external-secrets.io
  2218. names:
  2219. categories:
  2220. - externalsecrets
  2221. kind: SecretStore
  2222. listKind: SecretStoreList
  2223. plural: secretstores
  2224. shortNames:
  2225. - ss
  2226. singular: secretstore
  2227. scope: Namespaced
  2228. versions:
  2229. - additionalPrinterColumns:
  2230. - jsonPath: .metadata.creationTimestamp
  2231. name: AGE
  2232. type: date
  2233. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2234. name: Status
  2235. type: string
  2236. name: v1alpha1
  2237. schema:
  2238. openAPIV3Schema:
  2239. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2240. properties:
  2241. apiVersion:
  2242. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2243. type: string
  2244. kind:
  2245. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2246. type: string
  2247. metadata:
  2248. type: object
  2249. spec:
  2250. description: SecretStoreSpec defines the desired state of SecretStore.
  2251. properties:
  2252. controller:
  2253. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  2254. type: string
  2255. provider:
  2256. description: Used to configure the provider. Only one provider may be set
  2257. maxProperties: 1
  2258. minProperties: 1
  2259. properties:
  2260. akeyless:
  2261. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2262. properties:
  2263. akeylessGWApiURL:
  2264. description: Akeyless GW API Url from which the secrets to be fetched from.
  2265. type: string
  2266. authSecretRef:
  2267. description: Auth configures how the operator authenticates with Akeyless.
  2268. properties:
  2269. secretRef:
  2270. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  2271. properties:
  2272. accessID:
  2273. description: The SecretAccessID is used for authentication
  2274. properties:
  2275. key:
  2276. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2277. type: string
  2278. name:
  2279. description: The name of the Secret resource being referred to.
  2280. type: string
  2281. namespace:
  2282. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2283. type: string
  2284. type: object
  2285. accessType:
  2286. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2287. properties:
  2288. key:
  2289. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2290. type: string
  2291. name:
  2292. description: The name of the Secret resource being referred to.
  2293. type: string
  2294. namespace:
  2295. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2296. type: string
  2297. type: object
  2298. accessTypeParam:
  2299. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2300. properties:
  2301. key:
  2302. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2303. type: string
  2304. name:
  2305. description: The name of the Secret resource being referred to.
  2306. type: string
  2307. namespace:
  2308. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2309. type: string
  2310. type: object
  2311. type: object
  2312. required:
  2313. - secretRef
  2314. type: object
  2315. required:
  2316. - akeylessGWApiURL
  2317. - authSecretRef
  2318. type: object
  2319. alibaba:
  2320. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  2321. properties:
  2322. auth:
  2323. description: AlibabaAuth contains a secretRef for credentials.
  2324. properties:
  2325. secretRef:
  2326. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  2327. properties:
  2328. accessKeyIDSecretRef:
  2329. description: The AccessKeyID is used for authentication
  2330. properties:
  2331. key:
  2332. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2333. type: string
  2334. name:
  2335. description: The name of the Secret resource being referred to.
  2336. type: string
  2337. namespace:
  2338. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2339. type: string
  2340. type: object
  2341. accessKeySecretSecretRef:
  2342. description: The AccessKeySecret is used for authentication
  2343. properties:
  2344. key:
  2345. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2346. type: string
  2347. name:
  2348. description: The name of the Secret resource being referred to.
  2349. type: string
  2350. namespace:
  2351. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2352. type: string
  2353. type: object
  2354. required:
  2355. - accessKeyIDSecretRef
  2356. - accessKeySecretSecretRef
  2357. type: object
  2358. required:
  2359. - secretRef
  2360. type: object
  2361. endpoint:
  2362. type: string
  2363. regionID:
  2364. description: Alibaba Region to be used for the provider
  2365. type: string
  2366. required:
  2367. - auth
  2368. - regionID
  2369. type: object
  2370. aws:
  2371. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2372. properties:
  2373. auth:
  2374. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  2375. properties:
  2376. jwt:
  2377. description: Authenticate against AWS using service account tokens.
  2378. properties:
  2379. serviceAccountRef:
  2380. description: A reference to a ServiceAccount resource.
  2381. properties:
  2382. name:
  2383. description: The name of the ServiceAccount resource being referred to.
  2384. type: string
  2385. namespace:
  2386. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2387. type: string
  2388. required:
  2389. - name
  2390. type: object
  2391. type: object
  2392. secretRef:
  2393. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2394. properties:
  2395. accessKeyIDSecretRef:
  2396. description: The AccessKeyID is used for authentication
  2397. properties:
  2398. key:
  2399. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2400. type: string
  2401. name:
  2402. description: The name of the Secret resource being referred to.
  2403. type: string
  2404. namespace:
  2405. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2406. type: string
  2407. type: object
  2408. secretAccessKeySecretRef:
  2409. description: The SecretAccessKey is used for authentication
  2410. properties:
  2411. key:
  2412. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2413. type: string
  2414. name:
  2415. description: The name of the Secret resource being referred to.
  2416. type: string
  2417. namespace:
  2418. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2419. type: string
  2420. type: object
  2421. type: object
  2422. type: object
  2423. region:
  2424. description: AWS Region to be used for the provider
  2425. type: string
  2426. role:
  2427. description: Role is a Role ARN which the SecretManager provider will assume
  2428. type: string
  2429. service:
  2430. description: Service defines which service should be used to fetch the secrets
  2431. enum:
  2432. - SecretsManager
  2433. - ParameterStore
  2434. type: string
  2435. required:
  2436. - region
  2437. - service
  2438. type: object
  2439. azurekv:
  2440. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2441. properties:
  2442. authSecretRef:
  2443. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  2444. properties:
  2445. clientId:
  2446. description: The Azure clientId of the service principle used for authentication.
  2447. properties:
  2448. key:
  2449. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2450. type: string
  2451. name:
  2452. description: The name of the Secret resource being referred to.
  2453. type: string
  2454. namespace:
  2455. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2456. type: string
  2457. type: object
  2458. clientSecret:
  2459. description: The Azure ClientSecret of the service principle used for authentication.
  2460. properties:
  2461. key:
  2462. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2463. type: string
  2464. name:
  2465. description: The name of the Secret resource being referred to.
  2466. type: string
  2467. namespace:
  2468. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2469. type: string
  2470. type: object
  2471. required:
  2472. - clientId
  2473. - clientSecret
  2474. type: object
  2475. authType:
  2476. default: ServicePrincipal
  2477. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  2478. enum:
  2479. - ServicePrincipal
  2480. - ManagedIdentity
  2481. type: string
  2482. identityId:
  2483. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2484. type: string
  2485. tenantId:
  2486. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  2487. type: string
  2488. vaultUrl:
  2489. description: Vault Url from which the secrets to be fetched from.
  2490. type: string
  2491. required:
  2492. - vaultUrl
  2493. type: object
  2494. fake:
  2495. description: Fake configures a store with static key/value pairs
  2496. properties:
  2497. data:
  2498. items:
  2499. properties:
  2500. key:
  2501. type: string
  2502. value:
  2503. type: string
  2504. valueMap:
  2505. additionalProperties:
  2506. type: string
  2507. type: object
  2508. version:
  2509. type: string
  2510. required:
  2511. - key
  2512. type: object
  2513. type: array
  2514. required:
  2515. - data
  2516. type: object
  2517. gcpsm:
  2518. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  2519. properties:
  2520. auth:
  2521. description: Auth defines the information necessary to authenticate against GCP
  2522. properties:
  2523. secretRef:
  2524. properties:
  2525. secretAccessKeySecretRef:
  2526. description: The SecretAccessKey is used for authentication
  2527. properties:
  2528. key:
  2529. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2530. type: string
  2531. name:
  2532. description: The name of the Secret resource being referred to.
  2533. type: string
  2534. namespace:
  2535. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2536. type: string
  2537. type: object
  2538. type: object
  2539. workloadIdentity:
  2540. properties:
  2541. clusterLocation:
  2542. type: string
  2543. clusterName:
  2544. type: string
  2545. serviceAccountRef:
  2546. description: A reference to a ServiceAccount resource.
  2547. properties:
  2548. name:
  2549. description: The name of the ServiceAccount resource being referred to.
  2550. type: string
  2551. namespace:
  2552. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2553. type: string
  2554. required:
  2555. - name
  2556. type: object
  2557. required:
  2558. - clusterLocation
  2559. - clusterName
  2560. - serviceAccountRef
  2561. type: object
  2562. type: object
  2563. projectID:
  2564. description: ProjectID project where secret is located
  2565. type: string
  2566. type: object
  2567. gitlab:
  2568. description: GItlab configures this store to sync secrets using Gitlab Variables provider
  2569. properties:
  2570. auth:
  2571. description: Auth configures how secret-manager authenticates with a GitLab instance.
  2572. properties:
  2573. SecretRef:
  2574. properties:
  2575. accessToken:
  2576. description: AccessToken is used for authentication.
  2577. properties:
  2578. key:
  2579. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2580. type: string
  2581. name:
  2582. description: The name of the Secret resource being referred to.
  2583. type: string
  2584. namespace:
  2585. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2586. type: string
  2587. type: object
  2588. type: object
  2589. required:
  2590. - SecretRef
  2591. type: object
  2592. projectID:
  2593. description: ProjectID specifies a project where secrets are located.
  2594. type: string
  2595. url:
  2596. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  2597. type: string
  2598. required:
  2599. - auth
  2600. type: object
  2601. ibm:
  2602. description: IBM configures this store to sync secrets using IBM Cloud provider
  2603. properties:
  2604. auth:
  2605. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  2606. properties:
  2607. secretRef:
  2608. properties:
  2609. secretApiKeySecretRef:
  2610. description: The SecretAccessKey is used for authentication
  2611. properties:
  2612. key:
  2613. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2614. type: string
  2615. name:
  2616. description: The name of the Secret resource being referred to.
  2617. type: string
  2618. namespace:
  2619. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2620. type: string
  2621. type: object
  2622. type: object
  2623. required:
  2624. - secretRef
  2625. type: object
  2626. serviceUrl:
  2627. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  2628. type: string
  2629. required:
  2630. - auth
  2631. type: object
  2632. oracle:
  2633. description: Oracle configures this store to sync secrets using Oracle Vault provider
  2634. properties:
  2635. auth:
  2636. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  2637. properties:
  2638. secretRef:
  2639. description: SecretRef to pass through sensitive information.
  2640. properties:
  2641. fingerprint:
  2642. description: Fingerprint is the fingerprint of the API private key.
  2643. properties:
  2644. key:
  2645. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2646. type: string
  2647. name:
  2648. description: The name of the Secret resource being referred to.
  2649. type: string
  2650. namespace:
  2651. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2652. type: string
  2653. type: object
  2654. privatekey:
  2655. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  2656. properties:
  2657. key:
  2658. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2659. type: string
  2660. name:
  2661. description: The name of the Secret resource being referred to.
  2662. type: string
  2663. namespace:
  2664. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2665. type: string
  2666. type: object
  2667. required:
  2668. - fingerprint
  2669. - privatekey
  2670. type: object
  2671. tenancy:
  2672. description: Tenancy is the tenancy OCID where user is located.
  2673. type: string
  2674. user:
  2675. description: User is an access OCID specific to the account.
  2676. type: string
  2677. required:
  2678. - secretRef
  2679. - tenancy
  2680. - user
  2681. type: object
  2682. region:
  2683. description: Region is the region where vault is located.
  2684. type: string
  2685. vault:
  2686. description: Vault is the vault's OCID of the specific vault where secret is located.
  2687. type: string
  2688. required:
  2689. - region
  2690. - vault
  2691. type: object
  2692. vault:
  2693. description: Vault configures this store to sync secrets using Hashi provider
  2694. properties:
  2695. auth:
  2696. description: Auth configures how secret-manager authenticates with the Vault server.
  2697. properties:
  2698. appRole:
  2699. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2700. properties:
  2701. path:
  2702. default: approle
  2703. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2704. type: string
  2705. roleId:
  2706. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2707. type: string
  2708. secretRef:
  2709. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2710. properties:
  2711. key:
  2712. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2713. type: string
  2714. name:
  2715. description: The name of the Secret resource being referred to.
  2716. type: string
  2717. namespace:
  2718. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2719. type: string
  2720. type: object
  2721. required:
  2722. - path
  2723. - roleId
  2724. - secretRef
  2725. type: object
  2726. cert:
  2727. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2728. properties:
  2729. clientCert:
  2730. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2731. properties:
  2732. key:
  2733. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2734. type: string
  2735. name:
  2736. description: The name of the Secret resource being referred to.
  2737. type: string
  2738. namespace:
  2739. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2740. type: string
  2741. type: object
  2742. secretRef:
  2743. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2744. properties:
  2745. key:
  2746. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2747. type: string
  2748. name:
  2749. description: The name of the Secret resource being referred to.
  2750. type: string
  2751. namespace:
  2752. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2753. type: string
  2754. type: object
  2755. type: object
  2756. jwt:
  2757. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2758. properties:
  2759. path:
  2760. default: jwt
  2761. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2762. type: string
  2763. role:
  2764. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2765. type: string
  2766. secretRef:
  2767. description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
  2768. properties:
  2769. key:
  2770. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2771. type: string
  2772. name:
  2773. description: The name of the Secret resource being referred to.
  2774. type: string
  2775. namespace:
  2776. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2777. type: string
  2778. type: object
  2779. required:
  2780. - path
  2781. type: object
  2782. kubernetes:
  2783. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2784. properties:
  2785. mountPath:
  2786. default: kubernetes
  2787. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2788. type: string
  2789. role:
  2790. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2791. type: string
  2792. secretRef:
  2793. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2794. properties:
  2795. key:
  2796. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2797. type: string
  2798. name:
  2799. description: The name of the Secret resource being referred to.
  2800. type: string
  2801. namespace:
  2802. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2803. type: string
  2804. type: object
  2805. serviceAccountRef:
  2806. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2807. properties:
  2808. name:
  2809. description: The name of the ServiceAccount resource being referred to.
  2810. type: string
  2811. namespace:
  2812. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2813. type: string
  2814. required:
  2815. - name
  2816. type: object
  2817. required:
  2818. - mountPath
  2819. - role
  2820. type: object
  2821. ldap:
  2822. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2823. properties:
  2824. path:
  2825. default: ldap
  2826. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2827. type: string
  2828. secretRef:
  2829. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2830. properties:
  2831. key:
  2832. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2833. type: string
  2834. name:
  2835. description: The name of the Secret resource being referred to.
  2836. type: string
  2837. namespace:
  2838. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2839. type: string
  2840. type: object
  2841. username:
  2842. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2843. type: string
  2844. required:
  2845. - path
  2846. - username
  2847. type: object
  2848. tokenSecretRef:
  2849. description: TokenSecretRef authenticates with Vault by presenting a token.
  2850. properties:
  2851. key:
  2852. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2853. type: string
  2854. name:
  2855. description: The name of the Secret resource being referred to.
  2856. type: string
  2857. namespace:
  2858. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2859. type: string
  2860. type: object
  2861. type: object
  2862. caBundle:
  2863. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2864. format: byte
  2865. type: string
  2866. caProvider:
  2867. description: The provider for the CA bundle to use to validate Vault server certificate.
  2868. properties:
  2869. key:
  2870. description: The key the value inside of the provider type to use, only used with "Secret" type
  2871. type: string
  2872. name:
  2873. description: The name of the object located at the provider type.
  2874. type: string
  2875. namespace:
  2876. description: The namespace the Provider type is in.
  2877. type: string
  2878. type:
  2879. description: The type of provider to use such as "Secret", or "ConfigMap".
  2880. enum:
  2881. - Secret
  2882. - ConfigMap
  2883. type: string
  2884. required:
  2885. - name
  2886. - type
  2887. type: object
  2888. forwardInconsistent:
  2889. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2890. type: boolean
  2891. namespace:
  2892. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2893. type: string
  2894. path:
  2895. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2896. type: string
  2897. readYourWrites:
  2898. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2899. type: boolean
  2900. server:
  2901. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2902. type: string
  2903. version:
  2904. default: v2
  2905. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2906. enum:
  2907. - v1
  2908. - v2
  2909. type: string
  2910. required:
  2911. - auth
  2912. - server
  2913. type: object
  2914. webhook:
  2915. description: Webhook configures this store to sync secrets using a generic templated webhook
  2916. properties:
  2917. body:
  2918. description: Body
  2919. type: string
  2920. caBundle:
  2921. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2922. format: byte
  2923. type: string
  2924. caProvider:
  2925. description: The provider for the CA bundle to use to validate webhook server certificate.
  2926. properties:
  2927. key:
  2928. description: The key the value inside of the provider type to use, only used with "Secret" type
  2929. type: string
  2930. name:
  2931. description: The name of the object located at the provider type.
  2932. type: string
  2933. namespace:
  2934. description: The namespace the Provider type is in.
  2935. type: string
  2936. type:
  2937. description: The type of provider to use such as "Secret", or "ConfigMap".
  2938. enum:
  2939. - Secret
  2940. - ConfigMap
  2941. type: string
  2942. required:
  2943. - name
  2944. - type
  2945. type: object
  2946. headers:
  2947. additionalProperties:
  2948. type: string
  2949. description: Headers
  2950. type: object
  2951. method:
  2952. description: Webhook Method
  2953. type: string
  2954. result:
  2955. description: Result formatting
  2956. properties:
  2957. jsonPath:
  2958. description: Json path of return value
  2959. type: string
  2960. type: object
  2961. secrets:
  2962. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  2963. items:
  2964. properties:
  2965. name:
  2966. description: Name of this secret in templates
  2967. type: string
  2968. secretRef:
  2969. description: Secret ref to fill in credentials
  2970. properties:
  2971. key:
  2972. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2973. type: string
  2974. name:
  2975. description: The name of the Secret resource being referred to.
  2976. type: string
  2977. namespace:
  2978. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2979. type: string
  2980. type: object
  2981. required:
  2982. - name
  2983. - secretRef
  2984. type: object
  2985. type: array
  2986. timeout:
  2987. description: Timeout
  2988. type: string
  2989. url:
  2990. description: Webhook url to call
  2991. type: string
  2992. required:
  2993. - result
  2994. - url
  2995. type: object
  2996. yandexlockbox:
  2997. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2998. properties:
  2999. apiEndpoint:
  3000. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  3001. type: string
  3002. auth:
  3003. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  3004. properties:
  3005. authorizedKeySecretRef:
  3006. description: The authorized key used for authentication
  3007. properties:
  3008. key:
  3009. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3010. type: string
  3011. name:
  3012. description: The name of the Secret resource being referred to.
  3013. type: string
  3014. namespace:
  3015. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3016. type: string
  3017. type: object
  3018. type: object
  3019. caProvider:
  3020. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  3021. properties:
  3022. certSecretRef:
  3023. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3024. properties:
  3025. key:
  3026. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3027. type: string
  3028. name:
  3029. description: The name of the Secret resource being referred to.
  3030. type: string
  3031. namespace:
  3032. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3033. type: string
  3034. type: object
  3035. type: object
  3036. required:
  3037. - auth
  3038. type: object
  3039. type: object
  3040. retrySettings:
  3041. description: Used to configure http retries if failed
  3042. properties:
  3043. maxRetries:
  3044. format: int32
  3045. type: integer
  3046. retryInterval:
  3047. type: string
  3048. type: object
  3049. required:
  3050. - provider
  3051. type: object
  3052. status:
  3053. description: SecretStoreStatus defines the observed state of the SecretStore.
  3054. properties:
  3055. conditions:
  3056. items:
  3057. properties:
  3058. lastTransitionTime:
  3059. format: date-time
  3060. type: string
  3061. message:
  3062. type: string
  3063. reason:
  3064. type: string
  3065. status:
  3066. type: string
  3067. type:
  3068. type: string
  3069. required:
  3070. - status
  3071. - type
  3072. type: object
  3073. type: array
  3074. type: object
  3075. type: object
  3076. served: true
  3077. storage: false
  3078. subresources:
  3079. status: {}
  3080. - additionalPrinterColumns:
  3081. - jsonPath: .metadata.creationTimestamp
  3082. name: AGE
  3083. type: date
  3084. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3085. name: Status
  3086. type: string
  3087. name: v1beta1
  3088. schema:
  3089. openAPIV3Schema:
  3090. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3091. properties:
  3092. apiVersion:
  3093. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3094. type: string
  3095. kind:
  3096. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3097. type: string
  3098. metadata:
  3099. type: object
  3100. spec:
  3101. description: SecretStoreSpec defines the desired state of SecretStore.
  3102. properties:
  3103. controller:
  3104. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3105. type: string
  3106. provider:
  3107. description: Used to configure the provider. Only one provider may be set
  3108. maxProperties: 1
  3109. minProperties: 1
  3110. properties:
  3111. akeyless:
  3112. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3113. properties:
  3114. akeylessGWApiURL:
  3115. description: Akeyless GW API Url from which the secrets to be fetched from.
  3116. type: string
  3117. authSecretRef:
  3118. description: Auth configures how the operator authenticates with Akeyless.
  3119. properties:
  3120. secretRef:
  3121. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  3122. properties:
  3123. accessID:
  3124. description: The SecretAccessID is used for authentication
  3125. properties:
  3126. key:
  3127. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3128. type: string
  3129. name:
  3130. description: The name of the Secret resource being referred to.
  3131. type: string
  3132. namespace:
  3133. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3134. type: string
  3135. type: object
  3136. accessType:
  3137. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3138. properties:
  3139. key:
  3140. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3141. type: string
  3142. name:
  3143. description: The name of the Secret resource being referred to.
  3144. type: string
  3145. namespace:
  3146. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3147. type: string
  3148. type: object
  3149. accessTypeParam:
  3150. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3151. properties:
  3152. key:
  3153. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3154. type: string
  3155. name:
  3156. description: The name of the Secret resource being referred to.
  3157. type: string
  3158. namespace:
  3159. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3160. type: string
  3161. type: object
  3162. type: object
  3163. required:
  3164. - secretRef
  3165. type: object
  3166. required:
  3167. - akeylessGWApiURL
  3168. - authSecretRef
  3169. type: object
  3170. alibaba:
  3171. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3172. properties:
  3173. auth:
  3174. description: AlibabaAuth contains a secretRef for credentials.
  3175. properties:
  3176. secretRef:
  3177. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3178. properties:
  3179. accessKeyIDSecretRef:
  3180. description: The AccessKeyID is used for authentication
  3181. properties:
  3182. key:
  3183. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3184. type: string
  3185. name:
  3186. description: The name of the Secret resource being referred to.
  3187. type: string
  3188. namespace:
  3189. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3190. type: string
  3191. type: object
  3192. accessKeySecretSecretRef:
  3193. description: The AccessKeySecret is used for authentication
  3194. properties:
  3195. key:
  3196. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3197. type: string
  3198. name:
  3199. description: The name of the Secret resource being referred to.
  3200. type: string
  3201. namespace:
  3202. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3203. type: string
  3204. type: object
  3205. required:
  3206. - accessKeyIDSecretRef
  3207. - accessKeySecretSecretRef
  3208. type: object
  3209. required:
  3210. - secretRef
  3211. type: object
  3212. endpoint:
  3213. type: string
  3214. regionID:
  3215. description: Alibaba Region to be used for the provider
  3216. type: string
  3217. required:
  3218. - auth
  3219. - regionID
  3220. type: object
  3221. aws:
  3222. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3223. properties:
  3224. auth:
  3225. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3226. properties:
  3227. jwt:
  3228. description: Authenticate against AWS using service account tokens.
  3229. properties:
  3230. serviceAccountRef:
  3231. description: A reference to a ServiceAccount resource.
  3232. properties:
  3233. name:
  3234. description: The name of the ServiceAccount resource being referred to.
  3235. type: string
  3236. namespace:
  3237. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3238. type: string
  3239. required:
  3240. - name
  3241. type: object
  3242. type: object
  3243. secretRef:
  3244. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3245. properties:
  3246. accessKeyIDSecretRef:
  3247. description: The AccessKeyID is used for authentication
  3248. properties:
  3249. key:
  3250. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3251. type: string
  3252. name:
  3253. description: The name of the Secret resource being referred to.
  3254. type: string
  3255. namespace:
  3256. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3257. type: string
  3258. type: object
  3259. secretAccessKeySecretRef:
  3260. description: The SecretAccessKey is used for authentication
  3261. properties:
  3262. key:
  3263. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3264. type: string
  3265. name:
  3266. description: The name of the Secret resource being referred to.
  3267. type: string
  3268. namespace:
  3269. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3270. type: string
  3271. type: object
  3272. type: object
  3273. type: object
  3274. region:
  3275. description: AWS Region to be used for the provider
  3276. type: string
  3277. role:
  3278. description: Role is a Role ARN which the SecretManager provider will assume
  3279. type: string
  3280. service:
  3281. description: Service defines which service should be used to fetch the secrets
  3282. enum:
  3283. - SecretsManager
  3284. - ParameterStore
  3285. type: string
  3286. required:
  3287. - region
  3288. - service
  3289. type: object
  3290. azurekv:
  3291. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3292. properties:
  3293. authSecretRef:
  3294. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3295. properties:
  3296. clientId:
  3297. description: The Azure clientId of the service principle used for authentication.
  3298. properties:
  3299. key:
  3300. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3301. type: string
  3302. name:
  3303. description: The name of the Secret resource being referred to.
  3304. type: string
  3305. namespace:
  3306. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3307. type: string
  3308. type: object
  3309. clientSecret:
  3310. description: The Azure ClientSecret of the service principle used for authentication.
  3311. properties:
  3312. key:
  3313. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3314. type: string
  3315. name:
  3316. description: The name of the Secret resource being referred to.
  3317. type: string
  3318. namespace:
  3319. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3320. type: string
  3321. type: object
  3322. required:
  3323. - clientId
  3324. - clientSecret
  3325. type: object
  3326. authType:
  3327. default: ServicePrincipal
  3328. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3329. enum:
  3330. - ServicePrincipal
  3331. - ManagedIdentity
  3332. type: string
  3333. identityId:
  3334. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3335. type: string
  3336. tenantId:
  3337. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3338. type: string
  3339. vaultUrl:
  3340. description: Vault Url from which the secrets to be fetched from.
  3341. type: string
  3342. required:
  3343. - vaultUrl
  3344. type: object
  3345. fake:
  3346. description: Fake configures a store with static key/value pairs
  3347. properties:
  3348. data:
  3349. items:
  3350. properties:
  3351. key:
  3352. type: string
  3353. value:
  3354. type: string
  3355. valueMap:
  3356. additionalProperties:
  3357. type: string
  3358. type: object
  3359. version:
  3360. type: string
  3361. required:
  3362. - key
  3363. type: object
  3364. type: array
  3365. required:
  3366. - data
  3367. type: object
  3368. gcpsm:
  3369. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3370. properties:
  3371. auth:
  3372. description: Auth defines the information necessary to authenticate against GCP
  3373. properties:
  3374. secretRef:
  3375. properties:
  3376. secretAccessKeySecretRef:
  3377. description: The SecretAccessKey is used for authentication
  3378. properties:
  3379. key:
  3380. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3381. type: string
  3382. name:
  3383. description: The name of the Secret resource being referred to.
  3384. type: string
  3385. namespace:
  3386. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3387. type: string
  3388. type: object
  3389. type: object
  3390. workloadIdentity:
  3391. properties:
  3392. clusterLocation:
  3393. type: string
  3394. clusterName:
  3395. type: string
  3396. serviceAccountRef:
  3397. description: A reference to a ServiceAccount resource.
  3398. properties:
  3399. name:
  3400. description: The name of the ServiceAccount resource being referred to.
  3401. type: string
  3402. namespace:
  3403. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3404. type: string
  3405. required:
  3406. - name
  3407. type: object
  3408. required:
  3409. - clusterLocation
  3410. - clusterName
  3411. - serviceAccountRef
  3412. type: object
  3413. type: object
  3414. projectID:
  3415. description: ProjectID project where secret is located
  3416. type: string
  3417. type: object
  3418. gitlab:
  3419. description: GItlab configures this store to sync secrets using Gitlab Variables provider
  3420. properties:
  3421. auth:
  3422. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3423. properties:
  3424. SecretRef:
  3425. properties:
  3426. accessToken:
  3427. description: AccessToken is used for authentication.
  3428. properties:
  3429. key:
  3430. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3431. type: string
  3432. name:
  3433. description: The name of the Secret resource being referred to.
  3434. type: string
  3435. namespace:
  3436. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3437. type: string
  3438. type: object
  3439. type: object
  3440. required:
  3441. - SecretRef
  3442. type: object
  3443. projectID:
  3444. description: ProjectID specifies a project where secrets are located.
  3445. type: string
  3446. url:
  3447. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3448. type: string
  3449. required:
  3450. - auth
  3451. type: object
  3452. ibm:
  3453. description: IBM configures this store to sync secrets using IBM Cloud provider
  3454. properties:
  3455. auth:
  3456. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3457. properties:
  3458. secretRef:
  3459. properties:
  3460. secretApiKeySecretRef:
  3461. description: The SecretAccessKey is used for authentication
  3462. properties:
  3463. key:
  3464. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3465. type: string
  3466. name:
  3467. description: The name of the Secret resource being referred to.
  3468. type: string
  3469. namespace:
  3470. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3471. type: string
  3472. type: object
  3473. type: object
  3474. required:
  3475. - secretRef
  3476. type: object
  3477. serviceUrl:
  3478. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3479. type: string
  3480. required:
  3481. - auth
  3482. type: object
  3483. oracle:
  3484. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3485. properties:
  3486. auth:
  3487. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3488. properties:
  3489. secretRef:
  3490. description: SecretRef to pass through sensitive information.
  3491. properties:
  3492. fingerprint:
  3493. description: Fingerprint is the fingerprint of the API private key.
  3494. properties:
  3495. key:
  3496. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3497. type: string
  3498. name:
  3499. description: The name of the Secret resource being referred to.
  3500. type: string
  3501. namespace:
  3502. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3503. type: string
  3504. type: object
  3505. privatekey:
  3506. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3507. properties:
  3508. key:
  3509. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3510. type: string
  3511. name:
  3512. description: The name of the Secret resource being referred to.
  3513. type: string
  3514. namespace:
  3515. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3516. type: string
  3517. type: object
  3518. required:
  3519. - fingerprint
  3520. - privatekey
  3521. type: object
  3522. tenancy:
  3523. description: Tenancy is the tenancy OCID where user is located.
  3524. type: string
  3525. user:
  3526. description: User is an access OCID specific to the account.
  3527. type: string
  3528. required:
  3529. - secretRef
  3530. - tenancy
  3531. - user
  3532. type: object
  3533. region:
  3534. description: Region is the region where vault is located.
  3535. type: string
  3536. vault:
  3537. description: Vault is the vault's OCID of the specific vault where secret is located.
  3538. type: string
  3539. required:
  3540. - region
  3541. - vault
  3542. type: object
  3543. vault:
  3544. description: Vault configures this store to sync secrets using Hashi provider
  3545. properties:
  3546. auth:
  3547. description: Auth configures how secret-manager authenticates with the Vault server.
  3548. properties:
  3549. appRole:
  3550. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3551. properties:
  3552. path:
  3553. default: approle
  3554. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3555. type: string
  3556. roleId:
  3557. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3558. type: string
  3559. secretRef:
  3560. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3561. properties:
  3562. key:
  3563. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3564. type: string
  3565. name:
  3566. description: The name of the Secret resource being referred to.
  3567. type: string
  3568. namespace:
  3569. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3570. type: string
  3571. type: object
  3572. required:
  3573. - path
  3574. - roleId
  3575. - secretRef
  3576. type: object
  3577. cert:
  3578. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  3579. properties:
  3580. clientCert:
  3581. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  3582. properties:
  3583. key:
  3584. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3585. type: string
  3586. name:
  3587. description: The name of the Secret resource being referred to.
  3588. type: string
  3589. namespace:
  3590. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3591. type: string
  3592. type: object
  3593. secretRef:
  3594. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  3595. properties:
  3596. key:
  3597. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3598. type: string
  3599. name:
  3600. description: The name of the Secret resource being referred to.
  3601. type: string
  3602. namespace:
  3603. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3604. type: string
  3605. type: object
  3606. type: object
  3607. jwt:
  3608. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3609. properties:
  3610. path:
  3611. default: jwt
  3612. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3613. type: string
  3614. role:
  3615. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3616. type: string
  3617. secretRef:
  3618. description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
  3619. properties:
  3620. key:
  3621. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3622. type: string
  3623. name:
  3624. description: The name of the Secret resource being referred to.
  3625. type: string
  3626. namespace:
  3627. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3628. type: string
  3629. type: object
  3630. required:
  3631. - path
  3632. type: object
  3633. kubernetes:
  3634. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3635. properties:
  3636. mountPath:
  3637. default: kubernetes
  3638. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3639. type: string
  3640. role:
  3641. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3642. type: string
  3643. secretRef:
  3644. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3645. properties:
  3646. key:
  3647. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3648. type: string
  3649. name:
  3650. description: The name of the Secret resource being referred to.
  3651. type: string
  3652. namespace:
  3653. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3654. type: string
  3655. type: object
  3656. serviceAccountRef:
  3657. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3658. properties:
  3659. name:
  3660. description: The name of the ServiceAccount resource being referred to.
  3661. type: string
  3662. namespace:
  3663. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3664. type: string
  3665. required:
  3666. - name
  3667. type: object
  3668. required:
  3669. - mountPath
  3670. - role
  3671. type: object
  3672. ldap:
  3673. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  3674. properties:
  3675. path:
  3676. default: ldap
  3677. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  3678. type: string
  3679. secretRef:
  3680. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  3681. properties:
  3682. key:
  3683. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3684. type: string
  3685. name:
  3686. description: The name of the Secret resource being referred to.
  3687. type: string
  3688. namespace:
  3689. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3690. type: string
  3691. type: object
  3692. username:
  3693. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  3694. type: string
  3695. required:
  3696. - path
  3697. - username
  3698. type: object
  3699. tokenSecretRef:
  3700. description: TokenSecretRef authenticates with Vault by presenting a token.
  3701. properties:
  3702. key:
  3703. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3704. type: string
  3705. name:
  3706. description: The name of the Secret resource being referred to.
  3707. type: string
  3708. namespace:
  3709. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3710. type: string
  3711. type: object
  3712. type: object
  3713. caBundle:
  3714. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3715. format: byte
  3716. type: string
  3717. caProvider:
  3718. description: The provider for the CA bundle to use to validate Vault server certificate.
  3719. properties:
  3720. key:
  3721. description: The key the value inside of the provider type to use, only used with "Secret" type
  3722. type: string
  3723. name:
  3724. description: The name of the object located at the provider type.
  3725. type: string
  3726. namespace:
  3727. description: The namespace the Provider type is in.
  3728. type: string
  3729. type:
  3730. description: The type of provider to use such as "Secret", or "ConfigMap".
  3731. enum:
  3732. - Secret
  3733. - ConfigMap
  3734. type: string
  3735. required:
  3736. - name
  3737. - type
  3738. type: object
  3739. forwardInconsistent:
  3740. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  3741. type: boolean
  3742. namespace:
  3743. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  3744. type: string
  3745. path:
  3746. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  3747. type: string
  3748. readYourWrites:
  3749. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  3750. type: boolean
  3751. server:
  3752. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  3753. type: string
  3754. version:
  3755. default: v2
  3756. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  3757. enum:
  3758. - v1
  3759. - v2
  3760. type: string
  3761. required:
  3762. - auth
  3763. - server
  3764. type: object
  3765. webhook:
  3766. description: Webhook configures this store to sync secrets using a generic templated webhook
  3767. properties:
  3768. body:
  3769. description: Body
  3770. type: string
  3771. caBundle:
  3772. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3773. format: byte
  3774. type: string
  3775. caProvider:
  3776. description: The provider for the CA bundle to use to validate webhook server certificate.
  3777. properties:
  3778. key:
  3779. description: The key the value inside of the provider type to use, only used with "Secret" type
  3780. type: string
  3781. name:
  3782. description: The name of the object located at the provider type.
  3783. type: string
  3784. namespace:
  3785. description: The namespace the Provider type is in.
  3786. type: string
  3787. type:
  3788. description: The type of provider to use such as "Secret", or "ConfigMap".
  3789. enum:
  3790. - Secret
  3791. - ConfigMap
  3792. type: string
  3793. required:
  3794. - name
  3795. - type
  3796. type: object
  3797. headers:
  3798. additionalProperties:
  3799. type: string
  3800. description: Headers
  3801. type: object
  3802. method:
  3803. description: Webhook Method
  3804. type: string
  3805. result:
  3806. description: Result formatting
  3807. properties:
  3808. jsonPath:
  3809. description: Json path of return value
  3810. type: string
  3811. type: object
  3812. secrets:
  3813. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  3814. items:
  3815. properties:
  3816. name:
  3817. description: Name of this secret in templates
  3818. type: string
  3819. secretRef:
  3820. description: Secret ref to fill in credentials
  3821. properties:
  3822. key:
  3823. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3824. type: string
  3825. name:
  3826. description: The name of the Secret resource being referred to.
  3827. type: string
  3828. namespace:
  3829. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3830. type: string
  3831. type: object
  3832. required:
  3833. - name
  3834. - secretRef
  3835. type: object
  3836. type: array
  3837. timeout:
  3838. description: Timeout
  3839. type: string
  3840. url:
  3841. description: Webhook url to call
  3842. type: string
  3843. required:
  3844. - result
  3845. - url
  3846. type: object
  3847. yandexlockbox:
  3848. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  3849. properties:
  3850. apiEndpoint:
  3851. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  3852. type: string
  3853. auth:
  3854. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  3855. properties:
  3856. authorizedKeySecretRef:
  3857. description: The authorized key used for authentication
  3858. properties:
  3859. key:
  3860. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3861. type: string
  3862. name:
  3863. description: The name of the Secret resource being referred to.
  3864. type: string
  3865. namespace:
  3866. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3867. type: string
  3868. type: object
  3869. type: object
  3870. caProvider:
  3871. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  3872. properties:
  3873. certSecretRef:
  3874. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3875. properties:
  3876. key:
  3877. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3878. type: string
  3879. name:
  3880. description: The name of the Secret resource being referred to.
  3881. type: string
  3882. namespace:
  3883. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3884. type: string
  3885. type: object
  3886. type: object
  3887. required:
  3888. - auth
  3889. type: object
  3890. type: object
  3891. retrySettings:
  3892. description: Used to configure http retries if failed
  3893. properties:
  3894. maxRetries:
  3895. format: int32
  3896. type: integer
  3897. retryInterval:
  3898. type: string
  3899. type: object
  3900. required:
  3901. - provider
  3902. type: object
  3903. status:
  3904. description: SecretStoreStatus defines the observed state of the SecretStore.
  3905. properties:
  3906. conditions:
  3907. items:
  3908. properties:
  3909. lastTransitionTime:
  3910. format: date-time
  3911. type: string
  3912. message:
  3913. type: string
  3914. reason:
  3915. type: string
  3916. status:
  3917. type: string
  3918. type:
  3919. type: string
  3920. required:
  3921. - status
  3922. - type
  3923. type: object
  3924. type: array
  3925. type: object
  3926. type: object
  3927. served: true
  3928. storage: true
  3929. subresources:
  3930. status: {}
  3931. conversion:
  3932. strategy: Webhook
  3933. webhook:
  3934. conversionReviewVersions:
  3935. - v1
  3936. clientConfig:
  3937. caBundle: Cg==
  3938. service:
  3939. name: kubernetes
  3940. namespace: default
  3941. path: /convert
  3942. status:
  3943. acceptedNames:
  3944. kind: ""
  3945. plural: ""
  3946. conditions: []
  3947. storedVersions: []