bundle.yaml 518 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483648464856486648764886489649064916492649364946495649664976498649965006501650265036504650565066507650865096510651165126513651465156516651765186519652065216522652365246525652665276528652965306531653265336534653565366537653865396540654165426543654465456546654765486549655065516552655365546555655665576558655965606561656265636564656565666567656865696570657165726573657465756576657765786579658065816582658365846585658665876588658965906591659265936594659565966597659865996600660166026603660466056606660766086609661066116612661366146615661666176618661966206621662266236624662566266627662866296630663166326633663466356636663766386639664066416642664366446645664666476648664966506651665266536654665566566657665866596660666166626663666466656666666766686669667066716672667366746675667666776678667966806681668266836684668566866687668866896690669166926693669466956696669766986699670067016702670367046705670667076708670967106711671267136714671567166717671867196720672167226723672467256726672767286729673067316732673367346735673667376738673967406741674267436744674567466747674867496750675167526753675467556756675767586759676067616762676367646765676667676768676967706771677267736774677567766777677867796780678167826783678467856786678767886789679067916792679367946795679667976798679968006801680268036804680568066807680868096810681168126813681468156816681768186819682068216822682368246825682668276828682968306831683268336834683568366837683868396840684168426843684468456846684768486849685068516852685368546855685668576858685968606861686268636864686568666867686868696870687168726873687468756876687768786879688068816882688368846885688668876888688968906891689268936894689568966897689868996900690169026903690469056906690769086909691069116912691369146915691669176918691969206921692269236924692569266927692869296930693169326933693469356936693769386939694069416942694369446945694669476948694969506951695269536954695569566957695869596960696169626963696469656966696769686969697069716972697369746975697669776978697969806981698269836984698569866987698869896990699169926993699469956996699769986999700070017002700370047005700670077008700970107011701270137014701570167017701870197020702170227023702470257026702770287029703070317032703370347035703670377038703970407041704270437044704570467047704870497050705170527053705470557056705770587059706070617062706370647065706670677068706970707071707270737074707570767077707870797080708170827083708470857086708770887089709070917092709370947095709670977098709971007101710271037104710571067107710871097110711171127113711471157116711771187119712071217122712371247125712671277128712971307131713271337134713571367137713871397140714171427143714471457146714771487149715071517152715371547155715671577158715971607161716271637164716571667167716871697170717171727173717471757176717771787179718071817182718371847185718671877188718971907191719271937194719571967197719871997200720172027203720472057206720772087209721072117212721372147215721672177218721972207221722272237224722572267227722872297230723172327233723472357236723772387239724072417242724372447245724672477248724972507251725272537254725572567257725872597260726172627263726472657266726772687269727072717272727372747275727672777278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777777787779778077817782778377847785778677877788778977907791779277937794779577967797779877997800780178027803780478057806780778087809781078117812781378147815781678177818781978207821782278237824782578267827782878297830783178327833783478357836783778387839784078417842784378447845784678477848784978507851785278537854785578567857785878597860786178627863786478657866786778687869787078717872787378747875787678777878787978807881788278837884788578867887788878897890789178927893789478957896789778987899790079017902790379047905790679077908790979107911791279137914791579167917791879197920792179227923792479257926792779287929793079317932793379347935793679377938793979407941794279437944794579467947794879497950795179527953795479557956795779587959796079617962796379647965796679677968796979707971797279737974797579767977797879797980798179827983798479857986798779887989799079917992799379947995799679977998799980008001800280038004800580068007800880098010801180128013801480158016801780188019802080218022802380248025802680278028802980308031803280338034803580368037803880398040804180428043804480458046804780488049805080518052805380548055805680578058805980608061806280638064806580668067806880698070807180728073807480758076807780788079808080818082808380848085808680878088808980908091809280938094809580968097809880998100810181028103810481058106810781088109811081118112811381148115811681178118811981208121812281238124812581268127812881298130813181328133813481358136813781388139814081418142814381448145814681478148814981508151815281538154815581568157815881598160816181628163816481658166816781688169817081718172817381748175817681778178817981808181818281838184818581868187818881898190819181928193819481958196819781988199820082018202820382048205820682078208820982108211821282138214821582168217821882198220822182228223822482258226822782288229823082318232823382348235823682378238823982408241824282438244824582468247824882498250825182528253825482558256825782588259826082618262826382648265826682678268826982708271827282738274827582768277827882798280828182828283828482858286828782888289829082918292829382948295829682978298829983008301830283038304830583068307830883098310831183128313831483158316831783188319832083218322832383248325832683278328832983308331833283338334833583368337833883398340834183428343834483458346834783488349835083518352835383548355835683578358835983608361836283638364836583668367836883698370837183728373837483758376837783788379838083818382838383848385838683878388838983908391839283938394839583968397839883998400840184028403840484058406840784088409841084118412841384148415841684178418841984208421842284238424842584268427842884298430843184328433843484358436843784388439844084418442844384448445844684478448844984508451
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.13.0
  6. name: clusterexternalsecrets.external-secrets.io
  7. spec:
  8. group: external-secrets.io
  9. names:
  10. categories:
  11. - externalsecrets
  12. kind: ClusterExternalSecret
  13. listKind: ClusterExternalSecretList
  14. plural: clusterexternalsecrets
  15. shortNames:
  16. - ces
  17. singular: clusterexternalsecret
  18. scope: Cluster
  19. versions:
  20. - additionalPrinterColumns:
  21. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  22. name: Store
  23. type: string
  24. - jsonPath: .spec.refreshTime
  25. name: Refresh Interval
  26. type: string
  27. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  28. name: Ready
  29. type: string
  30. name: v1beta1
  31. schema:
  32. openAPIV3Schema:
  33. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  34. properties:
  35. apiVersion:
  36. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  37. type: string
  38. kind:
  39. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  40. type: string
  41. metadata:
  42. type: object
  43. spec:
  44. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  45. properties:
  46. externalSecretMetadata:
  47. description: The metadata of the external secrets to be created
  48. properties:
  49. annotations:
  50. additionalProperties:
  51. type: string
  52. type: object
  53. labels:
  54. additionalProperties:
  55. type: string
  56. type: object
  57. type: object
  58. externalSecretName:
  59. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  60. type: string
  61. externalSecretSpec:
  62. description: The spec for the ExternalSecrets to be created
  63. properties:
  64. data:
  65. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  66. items:
  67. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  68. properties:
  69. remoteRef:
  70. description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
  71. properties:
  72. conversionStrategy:
  73. default: Default
  74. description: Used to define a conversion Strategy
  75. enum:
  76. - Default
  77. - Unicode
  78. type: string
  79. decodingStrategy:
  80. default: None
  81. description: Used to define a decoding Strategy
  82. enum:
  83. - Auto
  84. - Base64
  85. - Base64URL
  86. - None
  87. type: string
  88. key:
  89. description: Key is the key used in the Provider, mandatory
  90. type: string
  91. metadataPolicy:
  92. default: None
  93. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  94. enum:
  95. - None
  96. - Fetch
  97. type: string
  98. property:
  99. description: Used to select a specific property of the Provider value (if a map), if supported
  100. type: string
  101. version:
  102. description: Used to select a specific version of the Provider value, if supported
  103. type: string
  104. required:
  105. - key
  106. type: object
  107. secretKey:
  108. description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret
  109. type: string
  110. sourceRef:
  111. description: SourceRef allows you to override the source from which the value will pulled from.
  112. maxProperties: 1
  113. properties:
  114. generatorRef:
  115. description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
  116. properties:
  117. apiVersion:
  118. default: generators.external-secrets.io/v1alpha1
  119. description: Specify the apiVersion of the generator resource
  120. type: string
  121. kind:
  122. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  123. type: string
  124. name:
  125. description: Specify the name of the generator resource
  126. type: string
  127. required:
  128. - kind
  129. - name
  130. type: object
  131. storeRef:
  132. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  133. properties:
  134. kind:
  135. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  136. type: string
  137. name:
  138. description: Name of the SecretStore resource
  139. type: string
  140. required:
  141. - name
  142. type: object
  143. type: object
  144. required:
  145. - remoteRef
  146. - secretKey
  147. type: object
  148. type: array
  149. dataFrom:
  150. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  151. items:
  152. properties:
  153. extract:
  154. description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.'
  155. properties:
  156. conversionStrategy:
  157. default: Default
  158. description: Used to define a conversion Strategy
  159. enum:
  160. - Default
  161. - Unicode
  162. type: string
  163. decodingStrategy:
  164. default: None
  165. description: Used to define a decoding Strategy
  166. enum:
  167. - Auto
  168. - Base64
  169. - Base64URL
  170. - None
  171. type: string
  172. key:
  173. description: Key is the key used in the Provider, mandatory
  174. type: string
  175. metadataPolicy:
  176. default: None
  177. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  178. enum:
  179. - None
  180. - Fetch
  181. type: string
  182. property:
  183. description: Used to select a specific property of the Provider value (if a map), if supported
  184. type: string
  185. version:
  186. description: Used to select a specific version of the Provider value, if supported
  187. type: string
  188. required:
  189. - key
  190. type: object
  191. find:
  192. description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.'
  193. properties:
  194. conversionStrategy:
  195. default: Default
  196. description: Used to define a conversion Strategy
  197. enum:
  198. - Default
  199. - Unicode
  200. type: string
  201. decodingStrategy:
  202. default: None
  203. description: Used to define a decoding Strategy
  204. enum:
  205. - Auto
  206. - Base64
  207. - Base64URL
  208. - None
  209. type: string
  210. name:
  211. description: Finds secrets based on the name.
  212. properties:
  213. regexp:
  214. description: Finds secrets base
  215. type: string
  216. type: object
  217. path:
  218. description: A root path to start the find operations.
  219. type: string
  220. tags:
  221. additionalProperties:
  222. type: string
  223. description: Find secrets based on tags.
  224. type: object
  225. type: object
  226. rewrite:
  227. description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  228. items:
  229. properties:
  230. regexp:
  231. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  232. properties:
  233. source:
  234. description: Used to define the regular expression of a re.Compiler.
  235. type: string
  236. target:
  237. description: Used to define the target pattern of a ReplaceAll operation.
  238. type: string
  239. required:
  240. - source
  241. - target
  242. type: object
  243. transform:
  244. description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
  245. properties:
  246. template:
  247. description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
  248. type: string
  249. required:
  250. - template
  251. type: object
  252. type: object
  253. type: array
  254. sourceRef:
  255. description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values
  256. maxProperties: 1
  257. properties:
  258. generatorRef:
  259. description: GeneratorRef points to a generator custom resource.
  260. properties:
  261. apiVersion:
  262. default: generators.external-secrets.io/v1alpha1
  263. description: Specify the apiVersion of the generator resource
  264. type: string
  265. kind:
  266. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  267. type: string
  268. name:
  269. description: Specify the name of the generator resource
  270. type: string
  271. required:
  272. - kind
  273. - name
  274. type: object
  275. storeRef:
  276. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  277. properties:
  278. kind:
  279. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  280. type: string
  281. name:
  282. description: Name of the SecretStore resource
  283. type: string
  284. required:
  285. - name
  286. type: object
  287. type: object
  288. type: object
  289. type: array
  290. refreshInterval:
  291. default: 1h
  292. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  293. type: string
  294. secretStoreRef:
  295. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  296. properties:
  297. kind:
  298. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  299. type: string
  300. name:
  301. description: Name of the SecretStore resource
  302. type: string
  303. required:
  304. - name
  305. type: object
  306. target:
  307. default:
  308. creationPolicy: Owner
  309. deletionPolicy: Retain
  310. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  311. properties:
  312. creationPolicy:
  313. default: Owner
  314. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  315. enum:
  316. - Owner
  317. - Orphan
  318. - Merge
  319. - None
  320. type: string
  321. deletionPolicy:
  322. default: Retain
  323. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  324. enum:
  325. - Delete
  326. - Merge
  327. - Retain
  328. type: string
  329. immutable:
  330. description: Immutable defines if the final secret will be immutable
  331. type: boolean
  332. name:
  333. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  334. type: string
  335. template:
  336. description: Template defines a blueprint for the created Secret resource.
  337. properties:
  338. data:
  339. additionalProperties:
  340. type: string
  341. type: object
  342. engineVersion:
  343. default: v2
  344. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  345. enum:
  346. - v1
  347. - v2
  348. type: string
  349. mergePolicy:
  350. default: Replace
  351. enum:
  352. - Replace
  353. - Merge
  354. type: string
  355. metadata:
  356. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  357. properties:
  358. annotations:
  359. additionalProperties:
  360. type: string
  361. type: object
  362. labels:
  363. additionalProperties:
  364. type: string
  365. type: object
  366. type: object
  367. templateFrom:
  368. items:
  369. properties:
  370. configMap:
  371. properties:
  372. items:
  373. items:
  374. properties:
  375. key:
  376. type: string
  377. templateAs:
  378. default: Values
  379. enum:
  380. - Values
  381. - KeysAndValues
  382. type: string
  383. required:
  384. - key
  385. type: object
  386. type: array
  387. name:
  388. type: string
  389. required:
  390. - items
  391. - name
  392. type: object
  393. literal:
  394. type: string
  395. secret:
  396. properties:
  397. items:
  398. items:
  399. properties:
  400. key:
  401. type: string
  402. templateAs:
  403. default: Values
  404. enum:
  405. - Values
  406. - KeysAndValues
  407. type: string
  408. required:
  409. - key
  410. type: object
  411. type: array
  412. name:
  413. type: string
  414. required:
  415. - items
  416. - name
  417. type: object
  418. target:
  419. default: Data
  420. enum:
  421. - Data
  422. - Annotations
  423. - Labels
  424. type: string
  425. type: object
  426. type: array
  427. type:
  428. type: string
  429. type: object
  430. type: object
  431. type: object
  432. namespaceSelector:
  433. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  434. properties:
  435. matchExpressions:
  436. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  437. items:
  438. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  439. properties:
  440. key:
  441. description: key is the label key that the selector applies to.
  442. type: string
  443. operator:
  444. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  445. type: string
  446. values:
  447. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  448. items:
  449. type: string
  450. type: array
  451. required:
  452. - key
  453. - operator
  454. type: object
  455. type: array
  456. matchLabels:
  457. additionalProperties:
  458. type: string
  459. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  460. type: object
  461. type: object
  462. x-kubernetes-map-type: atomic
  463. namespaces:
  464. description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
  465. items:
  466. type: string
  467. type: array
  468. refreshTime:
  469. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  470. type: string
  471. required:
  472. - externalSecretSpec
  473. type: object
  474. status:
  475. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  476. properties:
  477. conditions:
  478. items:
  479. properties:
  480. message:
  481. type: string
  482. status:
  483. type: string
  484. type:
  485. type: string
  486. required:
  487. - status
  488. - type
  489. type: object
  490. type: array
  491. externalSecretName:
  492. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  493. type: string
  494. failedNamespaces:
  495. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  496. items:
  497. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  498. properties:
  499. namespace:
  500. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  501. type: string
  502. reason:
  503. description: Reason is why the ExternalSecret failed to apply to the namespace
  504. type: string
  505. required:
  506. - namespace
  507. type: object
  508. type: array
  509. provisionedNamespaces:
  510. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  511. items:
  512. type: string
  513. type: array
  514. type: object
  515. type: object
  516. served: true
  517. storage: true
  518. subresources:
  519. status: {}
  520. conversion:
  521. strategy: Webhook
  522. webhook:
  523. conversionReviewVersions:
  524. - v1
  525. clientConfig:
  526. service:
  527. name: kubernetes
  528. namespace: default
  529. path: /convert
  530. ---
  531. apiVersion: apiextensions.k8s.io/v1
  532. kind: CustomResourceDefinition
  533. metadata:
  534. annotations:
  535. controller-gen.kubebuilder.io/version: v0.13.0
  536. name: clustersecretstores.external-secrets.io
  537. spec:
  538. group: external-secrets.io
  539. names:
  540. categories:
  541. - externalsecrets
  542. kind: ClusterSecretStore
  543. listKind: ClusterSecretStoreList
  544. plural: clustersecretstores
  545. shortNames:
  546. - css
  547. singular: clustersecretstore
  548. scope: Cluster
  549. versions:
  550. - additionalPrinterColumns:
  551. - jsonPath: .metadata.creationTimestamp
  552. name: AGE
  553. type: date
  554. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  555. name: Status
  556. type: string
  557. deprecated: true
  558. name: v1alpha1
  559. schema:
  560. openAPIV3Schema:
  561. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  562. properties:
  563. apiVersion:
  564. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  565. type: string
  566. kind:
  567. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  568. type: string
  569. metadata:
  570. type: object
  571. spec:
  572. description: SecretStoreSpec defines the desired state of SecretStore.
  573. properties:
  574. controller:
  575. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
  576. type: string
  577. provider:
  578. description: Used to configure the provider. Only one provider may be set
  579. maxProperties: 1
  580. minProperties: 1
  581. properties:
  582. akeyless:
  583. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  584. properties:
  585. akeylessGWApiURL:
  586. description: Akeyless GW API Url from which the secrets to be fetched from.
  587. type: string
  588. authSecretRef:
  589. description: Auth configures how the operator authenticates with Akeyless.
  590. properties:
  591. kubernetesAuth:
  592. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  593. properties:
  594. accessID:
  595. description: the Akeyless Kubernetes auth-method access-id
  596. type: string
  597. k8sConfName:
  598. description: Kubernetes-auth configuration name in Akeyless-Gateway
  599. type: string
  600. secretRef:
  601. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  602. properties:
  603. key:
  604. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  605. type: string
  606. name:
  607. description: The name of the Secret resource being referred to.
  608. type: string
  609. namespace:
  610. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  611. type: string
  612. type: object
  613. serviceAccountRef:
  614. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  615. properties:
  616. audiences:
  617. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  618. items:
  619. type: string
  620. type: array
  621. name:
  622. description: The name of the ServiceAccount resource being referred to.
  623. type: string
  624. namespace:
  625. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  626. type: string
  627. required:
  628. - name
  629. type: object
  630. required:
  631. - accessID
  632. - k8sConfName
  633. type: object
  634. secretRef:
  635. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  636. properties:
  637. accessID:
  638. description: The SecretAccessID is used for authentication
  639. properties:
  640. key:
  641. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  642. type: string
  643. name:
  644. description: The name of the Secret resource being referred to.
  645. type: string
  646. namespace:
  647. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  648. type: string
  649. type: object
  650. accessType:
  651. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  652. properties:
  653. key:
  654. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  655. type: string
  656. name:
  657. description: The name of the Secret resource being referred to.
  658. type: string
  659. namespace:
  660. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  661. type: string
  662. type: object
  663. accessTypeParam:
  664. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  665. properties:
  666. key:
  667. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  668. type: string
  669. name:
  670. description: The name of the Secret resource being referred to.
  671. type: string
  672. namespace:
  673. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  674. type: string
  675. type: object
  676. type: object
  677. type: object
  678. caBundle:
  679. description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
  680. format: byte
  681. type: string
  682. caProvider:
  683. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  684. properties:
  685. key:
  686. description: The key the value inside of the provider type to use, only used with "Secret" type
  687. type: string
  688. name:
  689. description: The name of the object located at the provider type.
  690. type: string
  691. namespace:
  692. description: The namespace the Provider type is in.
  693. type: string
  694. type:
  695. description: The type of provider to use such as "Secret", or "ConfigMap".
  696. enum:
  697. - Secret
  698. - ConfigMap
  699. type: string
  700. required:
  701. - name
  702. - type
  703. type: object
  704. required:
  705. - akeylessGWApiURL
  706. - authSecretRef
  707. type: object
  708. alibaba:
  709. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  710. properties:
  711. auth:
  712. description: AlibabaAuth contains a secretRef for credentials.
  713. properties:
  714. rrsa:
  715. description: Authenticate against Alibaba using RRSA.
  716. properties:
  717. oidcProviderArn:
  718. type: string
  719. oidcTokenFilePath:
  720. type: string
  721. roleArn:
  722. type: string
  723. sessionName:
  724. type: string
  725. required:
  726. - oidcProviderArn
  727. - oidcTokenFilePath
  728. - roleArn
  729. - sessionName
  730. type: object
  731. secretRef:
  732. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  733. properties:
  734. accessKeyIDSecretRef:
  735. description: The AccessKeyID is used for authentication
  736. properties:
  737. key:
  738. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  739. type: string
  740. name:
  741. description: The name of the Secret resource being referred to.
  742. type: string
  743. namespace:
  744. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  745. type: string
  746. type: object
  747. accessKeySecretSecretRef:
  748. description: The AccessKeySecret is used for authentication
  749. properties:
  750. key:
  751. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  752. type: string
  753. name:
  754. description: The name of the Secret resource being referred to.
  755. type: string
  756. namespace:
  757. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  758. type: string
  759. type: object
  760. required:
  761. - accessKeyIDSecretRef
  762. - accessKeySecretSecretRef
  763. type: object
  764. type: object
  765. regionID:
  766. description: Alibaba Region to be used for the provider
  767. type: string
  768. required:
  769. - auth
  770. - regionID
  771. type: object
  772. aws:
  773. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  774. properties:
  775. auth:
  776. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  777. properties:
  778. jwt:
  779. description: Authenticate against AWS using service account tokens.
  780. properties:
  781. serviceAccountRef:
  782. description: A reference to a ServiceAccount resource.
  783. properties:
  784. audiences:
  785. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  786. items:
  787. type: string
  788. type: array
  789. name:
  790. description: The name of the ServiceAccount resource being referred to.
  791. type: string
  792. namespace:
  793. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  794. type: string
  795. required:
  796. - name
  797. type: object
  798. type: object
  799. secretRef:
  800. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  801. properties:
  802. accessKeyIDSecretRef:
  803. description: The AccessKeyID is used for authentication
  804. properties:
  805. key:
  806. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  807. type: string
  808. name:
  809. description: The name of the Secret resource being referred to.
  810. type: string
  811. namespace:
  812. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  813. type: string
  814. type: object
  815. secretAccessKeySecretRef:
  816. description: The SecretAccessKey is used for authentication
  817. properties:
  818. key:
  819. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  820. type: string
  821. name:
  822. description: The name of the Secret resource being referred to.
  823. type: string
  824. namespace:
  825. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  826. type: string
  827. type: object
  828. type: object
  829. type: object
  830. region:
  831. description: AWS Region to be used for the provider
  832. type: string
  833. role:
  834. description: Role is a Role ARN which the SecretManager provider will assume
  835. type: string
  836. service:
  837. description: Service defines which service should be used to fetch the secrets
  838. enum:
  839. - SecretsManager
  840. - ParameterStore
  841. type: string
  842. required:
  843. - region
  844. - service
  845. type: object
  846. azurekv:
  847. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  848. properties:
  849. authSecretRef:
  850. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  851. properties:
  852. clientId:
  853. description: The Azure clientId of the service principle used for authentication.
  854. properties:
  855. key:
  856. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  857. type: string
  858. name:
  859. description: The name of the Secret resource being referred to.
  860. type: string
  861. namespace:
  862. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  863. type: string
  864. type: object
  865. clientSecret:
  866. description: The Azure ClientSecret of the service principle used for authentication.
  867. properties:
  868. key:
  869. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  870. type: string
  871. name:
  872. description: The name of the Secret resource being referred to.
  873. type: string
  874. namespace:
  875. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  876. type: string
  877. type: object
  878. type: object
  879. authType:
  880. default: ServicePrincipal
  881. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  882. enum:
  883. - ServicePrincipal
  884. - ManagedIdentity
  885. - WorkloadIdentity
  886. type: string
  887. identityId:
  888. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  889. type: string
  890. serviceAccountRef:
  891. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  892. properties:
  893. audiences:
  894. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  895. items:
  896. type: string
  897. type: array
  898. name:
  899. description: The name of the ServiceAccount resource being referred to.
  900. type: string
  901. namespace:
  902. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  903. type: string
  904. required:
  905. - name
  906. type: object
  907. tenantId:
  908. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  909. type: string
  910. vaultUrl:
  911. description: Vault Url from which the secrets to be fetched from.
  912. type: string
  913. required:
  914. - vaultUrl
  915. type: object
  916. fake:
  917. description: Fake configures a store with static key/value pairs
  918. properties:
  919. data:
  920. items:
  921. properties:
  922. key:
  923. type: string
  924. value:
  925. type: string
  926. valueMap:
  927. additionalProperties:
  928. type: string
  929. type: object
  930. version:
  931. type: string
  932. required:
  933. - key
  934. type: object
  935. type: array
  936. required:
  937. - data
  938. type: object
  939. gcpsm:
  940. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  941. properties:
  942. auth:
  943. description: Auth defines the information necessary to authenticate against GCP
  944. properties:
  945. secretRef:
  946. properties:
  947. secretAccessKeySecretRef:
  948. description: The SecretAccessKey is used for authentication
  949. properties:
  950. key:
  951. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  952. type: string
  953. name:
  954. description: The name of the Secret resource being referred to.
  955. type: string
  956. namespace:
  957. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  958. type: string
  959. type: object
  960. type: object
  961. workloadIdentity:
  962. properties:
  963. clusterLocation:
  964. type: string
  965. clusterName:
  966. type: string
  967. clusterProjectID:
  968. type: string
  969. serviceAccountRef:
  970. description: A reference to a ServiceAccount resource.
  971. properties:
  972. audiences:
  973. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  974. items:
  975. type: string
  976. type: array
  977. name:
  978. description: The name of the ServiceAccount resource being referred to.
  979. type: string
  980. namespace:
  981. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  982. type: string
  983. required:
  984. - name
  985. type: object
  986. required:
  987. - clusterLocation
  988. - clusterName
  989. - serviceAccountRef
  990. type: object
  991. type: object
  992. projectID:
  993. description: ProjectID project where secret is located
  994. type: string
  995. type: object
  996. gitlab:
  997. description: GitLab configures this store to sync secrets using GitLab Variables provider
  998. properties:
  999. auth:
  1000. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1001. properties:
  1002. SecretRef:
  1003. properties:
  1004. accessToken:
  1005. description: AccessToken is used for authentication.
  1006. properties:
  1007. key:
  1008. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1009. type: string
  1010. name:
  1011. description: The name of the Secret resource being referred to.
  1012. type: string
  1013. namespace:
  1014. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1015. type: string
  1016. type: object
  1017. type: object
  1018. required:
  1019. - SecretRef
  1020. type: object
  1021. projectID:
  1022. description: ProjectID specifies a project where secrets are located.
  1023. type: string
  1024. url:
  1025. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1026. type: string
  1027. required:
  1028. - auth
  1029. type: object
  1030. ibm:
  1031. description: IBM configures this store to sync secrets using IBM Cloud provider
  1032. properties:
  1033. auth:
  1034. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1035. properties:
  1036. secretRef:
  1037. properties:
  1038. secretApiKeySecretRef:
  1039. description: The SecretAccessKey is used for authentication
  1040. properties:
  1041. key:
  1042. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1043. type: string
  1044. name:
  1045. description: The name of the Secret resource being referred to.
  1046. type: string
  1047. namespace:
  1048. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1049. type: string
  1050. type: object
  1051. type: object
  1052. required:
  1053. - secretRef
  1054. type: object
  1055. serviceUrl:
  1056. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1057. type: string
  1058. required:
  1059. - auth
  1060. type: object
  1061. kubernetes:
  1062. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1063. properties:
  1064. auth:
  1065. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1066. maxProperties: 1
  1067. minProperties: 1
  1068. properties:
  1069. cert:
  1070. description: has both clientCert and clientKey as secretKeySelector
  1071. properties:
  1072. clientCert:
  1073. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1074. properties:
  1075. key:
  1076. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1077. type: string
  1078. name:
  1079. description: The name of the Secret resource being referred to.
  1080. type: string
  1081. namespace:
  1082. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1083. type: string
  1084. type: object
  1085. clientKey:
  1086. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1087. properties:
  1088. key:
  1089. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1090. type: string
  1091. name:
  1092. description: The name of the Secret resource being referred to.
  1093. type: string
  1094. namespace:
  1095. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1096. type: string
  1097. type: object
  1098. type: object
  1099. serviceAccount:
  1100. description: points to a service account that should be used for authentication
  1101. properties:
  1102. serviceAccount:
  1103. description: A reference to a ServiceAccount resource.
  1104. properties:
  1105. audiences:
  1106. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1107. items:
  1108. type: string
  1109. type: array
  1110. name:
  1111. description: The name of the ServiceAccount resource being referred to.
  1112. type: string
  1113. namespace:
  1114. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1115. type: string
  1116. required:
  1117. - name
  1118. type: object
  1119. type: object
  1120. token:
  1121. description: use static token to authenticate with
  1122. properties:
  1123. bearerToken:
  1124. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1125. properties:
  1126. key:
  1127. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1128. type: string
  1129. name:
  1130. description: The name of the Secret resource being referred to.
  1131. type: string
  1132. namespace:
  1133. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1134. type: string
  1135. type: object
  1136. type: object
  1137. type: object
  1138. remoteNamespace:
  1139. default: default
  1140. description: Remote namespace to fetch the secrets from
  1141. type: string
  1142. server:
  1143. description: configures the Kubernetes server Address.
  1144. properties:
  1145. caBundle:
  1146. description: CABundle is a base64-encoded CA certificate
  1147. format: byte
  1148. type: string
  1149. caProvider:
  1150. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1151. properties:
  1152. key:
  1153. description: The key the value inside of the provider type to use, only used with "Secret" type
  1154. type: string
  1155. name:
  1156. description: The name of the object located at the provider type.
  1157. type: string
  1158. namespace:
  1159. description: The namespace the Provider type is in.
  1160. type: string
  1161. type:
  1162. description: The type of provider to use such as "Secret", or "ConfigMap".
  1163. enum:
  1164. - Secret
  1165. - ConfigMap
  1166. type: string
  1167. required:
  1168. - name
  1169. - type
  1170. type: object
  1171. url:
  1172. default: kubernetes.default
  1173. description: configures the Kubernetes server Address.
  1174. type: string
  1175. type: object
  1176. required:
  1177. - auth
  1178. type: object
  1179. oracle:
  1180. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1181. properties:
  1182. auth:
  1183. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
  1184. properties:
  1185. secretRef:
  1186. description: SecretRef to pass through sensitive information.
  1187. properties:
  1188. fingerprint:
  1189. description: Fingerprint is the fingerprint of the API private key.
  1190. properties:
  1191. key:
  1192. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1193. type: string
  1194. name:
  1195. description: The name of the Secret resource being referred to.
  1196. type: string
  1197. namespace:
  1198. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1199. type: string
  1200. type: object
  1201. privatekey:
  1202. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1203. properties:
  1204. key:
  1205. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1206. type: string
  1207. name:
  1208. description: The name of the Secret resource being referred to.
  1209. type: string
  1210. namespace:
  1211. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1212. type: string
  1213. type: object
  1214. required:
  1215. - fingerprint
  1216. - privatekey
  1217. type: object
  1218. tenancy:
  1219. description: Tenancy is the tenancy OCID where user is located.
  1220. type: string
  1221. user:
  1222. description: User is an access OCID specific to the account.
  1223. type: string
  1224. required:
  1225. - secretRef
  1226. - tenancy
  1227. - user
  1228. type: object
  1229. compartment:
  1230. description: Compartment is the vault compartment OCID. Required for PushSecret
  1231. type: string
  1232. encryptionKey:
  1233. description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
  1234. type: string
  1235. principalType:
  1236. description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
  1237. enum:
  1238. - ""
  1239. - UserPrincipal
  1240. - InstancePrincipal
  1241. - Workload
  1242. type: string
  1243. region:
  1244. description: Region is the region where vault is located.
  1245. type: string
  1246. serviceAccountRef:
  1247. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1248. properties:
  1249. audiences:
  1250. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1251. items:
  1252. type: string
  1253. type: array
  1254. name:
  1255. description: The name of the ServiceAccount resource being referred to.
  1256. type: string
  1257. namespace:
  1258. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1259. type: string
  1260. required:
  1261. - name
  1262. type: object
  1263. vault:
  1264. description: Vault is the vault's OCID of the specific vault where secret is located.
  1265. type: string
  1266. required:
  1267. - region
  1268. - vault
  1269. type: object
  1270. vault:
  1271. description: Vault configures this store to sync secrets using Hashi provider
  1272. properties:
  1273. auth:
  1274. description: Auth configures how secret-manager authenticates with the Vault server.
  1275. properties:
  1276. appRole:
  1277. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  1278. properties:
  1279. path:
  1280. default: approle
  1281. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  1282. type: string
  1283. roleId:
  1284. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1285. type: string
  1286. secretRef:
  1287. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1288. properties:
  1289. key:
  1290. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1291. type: string
  1292. name:
  1293. description: The name of the Secret resource being referred to.
  1294. type: string
  1295. namespace:
  1296. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1297. type: string
  1298. type: object
  1299. required:
  1300. - path
  1301. - roleId
  1302. - secretRef
  1303. type: object
  1304. cert:
  1305. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  1306. properties:
  1307. clientCert:
  1308. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  1309. properties:
  1310. key:
  1311. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1312. type: string
  1313. name:
  1314. description: The name of the Secret resource being referred to.
  1315. type: string
  1316. namespace:
  1317. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1318. type: string
  1319. type: object
  1320. secretRef:
  1321. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  1322. properties:
  1323. key:
  1324. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1325. type: string
  1326. name:
  1327. description: The name of the Secret resource being referred to.
  1328. type: string
  1329. namespace:
  1330. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1331. type: string
  1332. type: object
  1333. type: object
  1334. jwt:
  1335. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1336. properties:
  1337. kubernetesServiceAccountToken:
  1338. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  1339. properties:
  1340. audiences:
  1341. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  1342. items:
  1343. type: string
  1344. type: array
  1345. expirationSeconds:
  1346. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1347. format: int64
  1348. type: integer
  1349. serviceAccountRef:
  1350. description: Service account field containing the name of a kubernetes ServiceAccount.
  1351. properties:
  1352. audiences:
  1353. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1354. items:
  1355. type: string
  1356. type: array
  1357. name:
  1358. description: The name of the ServiceAccount resource being referred to.
  1359. type: string
  1360. namespace:
  1361. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1362. type: string
  1363. required:
  1364. - name
  1365. type: object
  1366. required:
  1367. - serviceAccountRef
  1368. type: object
  1369. path:
  1370. default: jwt
  1371. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1372. type: string
  1373. role:
  1374. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1375. type: string
  1376. secretRef:
  1377. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1378. properties:
  1379. key:
  1380. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1381. type: string
  1382. name:
  1383. description: The name of the Secret resource being referred to.
  1384. type: string
  1385. namespace:
  1386. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1387. type: string
  1388. type: object
  1389. required:
  1390. - path
  1391. type: object
  1392. kubernetes:
  1393. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1394. properties:
  1395. mountPath:
  1396. default: kubernetes
  1397. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1398. type: string
  1399. role:
  1400. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1401. type: string
  1402. secretRef:
  1403. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1404. properties:
  1405. key:
  1406. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1407. type: string
  1408. name:
  1409. description: The name of the Secret resource being referred to.
  1410. type: string
  1411. namespace:
  1412. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1413. type: string
  1414. type: object
  1415. serviceAccountRef:
  1416. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1417. properties:
  1418. audiences:
  1419. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1420. items:
  1421. type: string
  1422. type: array
  1423. name:
  1424. description: The name of the ServiceAccount resource being referred to.
  1425. type: string
  1426. namespace:
  1427. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1428. type: string
  1429. required:
  1430. - name
  1431. type: object
  1432. required:
  1433. - mountPath
  1434. - role
  1435. type: object
  1436. ldap:
  1437. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1438. properties:
  1439. path:
  1440. default: ldap
  1441. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1442. type: string
  1443. secretRef:
  1444. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1445. properties:
  1446. key:
  1447. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1448. type: string
  1449. name:
  1450. description: The name of the Secret resource being referred to.
  1451. type: string
  1452. namespace:
  1453. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1454. type: string
  1455. type: object
  1456. username:
  1457. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1458. type: string
  1459. required:
  1460. - path
  1461. - username
  1462. type: object
  1463. tokenSecretRef:
  1464. description: TokenSecretRef authenticates with Vault by presenting a token.
  1465. properties:
  1466. key:
  1467. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1468. type: string
  1469. name:
  1470. description: The name of the Secret resource being referred to.
  1471. type: string
  1472. namespace:
  1473. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1474. type: string
  1475. type: object
  1476. type: object
  1477. caBundle:
  1478. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1479. format: byte
  1480. type: string
  1481. caProvider:
  1482. description: The provider for the CA bundle to use to validate Vault server certificate.
  1483. properties:
  1484. key:
  1485. description: The key the value inside of the provider type to use, only used with "Secret" type
  1486. type: string
  1487. name:
  1488. description: The name of the object located at the provider type.
  1489. type: string
  1490. namespace:
  1491. description: The namespace the Provider type is in.
  1492. type: string
  1493. type:
  1494. description: The type of provider to use such as "Secret", or "ConfigMap".
  1495. enum:
  1496. - Secret
  1497. - ConfigMap
  1498. type: string
  1499. required:
  1500. - name
  1501. - type
  1502. type: object
  1503. forwardInconsistent:
  1504. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1505. type: boolean
  1506. namespace:
  1507. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1508. type: string
  1509. path:
  1510. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1511. type: string
  1512. readYourWrites:
  1513. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1514. type: boolean
  1515. server:
  1516. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1517. type: string
  1518. version:
  1519. default: v2
  1520. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1521. enum:
  1522. - v1
  1523. - v2
  1524. type: string
  1525. required:
  1526. - auth
  1527. - server
  1528. type: object
  1529. webhook:
  1530. description: Webhook configures this store to sync secrets using a generic templated webhook
  1531. properties:
  1532. body:
  1533. description: Body
  1534. type: string
  1535. caBundle:
  1536. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1537. format: byte
  1538. type: string
  1539. caProvider:
  1540. description: The provider for the CA bundle to use to validate webhook server certificate.
  1541. properties:
  1542. key:
  1543. description: The key the value inside of the provider type to use, only used with "Secret" type
  1544. type: string
  1545. name:
  1546. description: The name of the object located at the provider type.
  1547. type: string
  1548. namespace:
  1549. description: The namespace the Provider type is in.
  1550. type: string
  1551. type:
  1552. description: The type of provider to use such as "Secret", or "ConfigMap".
  1553. enum:
  1554. - Secret
  1555. - ConfigMap
  1556. type: string
  1557. required:
  1558. - name
  1559. - type
  1560. type: object
  1561. headers:
  1562. additionalProperties:
  1563. type: string
  1564. description: Headers
  1565. type: object
  1566. method:
  1567. description: Webhook Method
  1568. type: string
  1569. result:
  1570. description: Result formatting
  1571. properties:
  1572. jsonPath:
  1573. description: Json path of return value
  1574. type: string
  1575. type: object
  1576. secrets:
  1577. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1578. items:
  1579. properties:
  1580. name:
  1581. description: Name of this secret in templates
  1582. type: string
  1583. secretRef:
  1584. description: Secret ref to fill in credentials
  1585. properties:
  1586. key:
  1587. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1588. type: string
  1589. name:
  1590. description: The name of the Secret resource being referred to.
  1591. type: string
  1592. namespace:
  1593. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1594. type: string
  1595. type: object
  1596. required:
  1597. - name
  1598. - secretRef
  1599. type: object
  1600. type: array
  1601. timeout:
  1602. description: Timeout
  1603. type: string
  1604. url:
  1605. description: Webhook url to call
  1606. type: string
  1607. required:
  1608. - result
  1609. - url
  1610. type: object
  1611. yandexlockbox:
  1612. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1613. properties:
  1614. apiEndpoint:
  1615. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1616. type: string
  1617. auth:
  1618. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1619. properties:
  1620. authorizedKeySecretRef:
  1621. description: The authorized key used for authentication
  1622. properties:
  1623. key:
  1624. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1625. type: string
  1626. name:
  1627. description: The name of the Secret resource being referred to.
  1628. type: string
  1629. namespace:
  1630. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1631. type: string
  1632. type: object
  1633. type: object
  1634. caProvider:
  1635. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1636. properties:
  1637. certSecretRef:
  1638. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1639. properties:
  1640. key:
  1641. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1642. type: string
  1643. name:
  1644. description: The name of the Secret resource being referred to.
  1645. type: string
  1646. namespace:
  1647. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1648. type: string
  1649. type: object
  1650. type: object
  1651. required:
  1652. - auth
  1653. type: object
  1654. type: object
  1655. retrySettings:
  1656. description: Used to configure http retries if failed
  1657. properties:
  1658. maxRetries:
  1659. format: int32
  1660. type: integer
  1661. retryInterval:
  1662. type: string
  1663. type: object
  1664. required:
  1665. - provider
  1666. type: object
  1667. status:
  1668. description: SecretStoreStatus defines the observed state of the SecretStore.
  1669. properties:
  1670. conditions:
  1671. items:
  1672. properties:
  1673. lastTransitionTime:
  1674. format: date-time
  1675. type: string
  1676. message:
  1677. type: string
  1678. reason:
  1679. type: string
  1680. status:
  1681. type: string
  1682. type:
  1683. type: string
  1684. required:
  1685. - status
  1686. - type
  1687. type: object
  1688. type: array
  1689. type: object
  1690. type: object
  1691. served: true
  1692. storage: false
  1693. subresources:
  1694. status: {}
  1695. - additionalPrinterColumns:
  1696. - jsonPath: .metadata.creationTimestamp
  1697. name: AGE
  1698. type: date
  1699. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1700. name: Status
  1701. type: string
  1702. - jsonPath: .status.capabilities
  1703. name: Capabilities
  1704. type: string
  1705. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  1706. name: Ready
  1707. type: string
  1708. name: v1beta1
  1709. schema:
  1710. openAPIV3Schema:
  1711. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1712. properties:
  1713. apiVersion:
  1714. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1715. type: string
  1716. kind:
  1717. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1718. type: string
  1719. metadata:
  1720. type: object
  1721. spec:
  1722. description: SecretStoreSpec defines the desired state of SecretStore.
  1723. properties:
  1724. conditions:
  1725. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  1726. items:
  1727. description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
  1728. properties:
  1729. namespaceSelector:
  1730. description: Choose namespace using a labelSelector
  1731. properties:
  1732. matchExpressions:
  1733. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1734. items:
  1735. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1736. properties:
  1737. key:
  1738. description: key is the label key that the selector applies to.
  1739. type: string
  1740. operator:
  1741. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  1742. type: string
  1743. values:
  1744. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  1745. items:
  1746. type: string
  1747. type: array
  1748. required:
  1749. - key
  1750. - operator
  1751. type: object
  1752. type: array
  1753. matchLabels:
  1754. additionalProperties:
  1755. type: string
  1756. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  1757. type: object
  1758. type: object
  1759. x-kubernetes-map-type: atomic
  1760. namespaces:
  1761. description: Choose namespaces by name
  1762. items:
  1763. type: string
  1764. type: array
  1765. type: object
  1766. type: array
  1767. controller:
  1768. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
  1769. type: string
  1770. provider:
  1771. description: Used to configure the provider. Only one provider may be set
  1772. maxProperties: 1
  1773. minProperties: 1
  1774. properties:
  1775. akeyless:
  1776. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1777. properties:
  1778. akeylessGWApiURL:
  1779. description: Akeyless GW API Url from which the secrets to be fetched from.
  1780. type: string
  1781. authSecretRef:
  1782. description: Auth configures how the operator authenticates with Akeyless.
  1783. properties:
  1784. kubernetesAuth:
  1785. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  1786. properties:
  1787. accessID:
  1788. description: the Akeyless Kubernetes auth-method access-id
  1789. type: string
  1790. k8sConfName:
  1791. description: Kubernetes-auth configuration name in Akeyless-Gateway
  1792. type: string
  1793. secretRef:
  1794. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1795. properties:
  1796. key:
  1797. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1798. type: string
  1799. name:
  1800. description: The name of the Secret resource being referred to.
  1801. type: string
  1802. namespace:
  1803. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1804. type: string
  1805. type: object
  1806. serviceAccountRef:
  1807. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  1808. properties:
  1809. audiences:
  1810. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1811. items:
  1812. type: string
  1813. type: array
  1814. name:
  1815. description: The name of the ServiceAccount resource being referred to.
  1816. type: string
  1817. namespace:
  1818. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1819. type: string
  1820. required:
  1821. - name
  1822. type: object
  1823. required:
  1824. - accessID
  1825. - k8sConfName
  1826. type: object
  1827. secretRef:
  1828. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  1829. properties:
  1830. accessID:
  1831. description: The SecretAccessID is used for authentication
  1832. properties:
  1833. key:
  1834. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1835. type: string
  1836. name:
  1837. description: The name of the Secret resource being referred to.
  1838. type: string
  1839. namespace:
  1840. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1841. type: string
  1842. type: object
  1843. accessType:
  1844. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1845. properties:
  1846. key:
  1847. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1848. type: string
  1849. name:
  1850. description: The name of the Secret resource being referred to.
  1851. type: string
  1852. namespace:
  1853. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1854. type: string
  1855. type: object
  1856. accessTypeParam:
  1857. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1858. properties:
  1859. key:
  1860. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1861. type: string
  1862. name:
  1863. description: The name of the Secret resource being referred to.
  1864. type: string
  1865. namespace:
  1866. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1867. type: string
  1868. type: object
  1869. type: object
  1870. type: object
  1871. caBundle:
  1872. description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
  1873. format: byte
  1874. type: string
  1875. caProvider:
  1876. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  1877. properties:
  1878. key:
  1879. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  1880. type: string
  1881. name:
  1882. description: The name of the object located at the provider type.
  1883. type: string
  1884. namespace:
  1885. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  1886. type: string
  1887. type:
  1888. description: The type of provider to use such as "Secret", or "ConfigMap".
  1889. enum:
  1890. - Secret
  1891. - ConfigMap
  1892. type: string
  1893. required:
  1894. - name
  1895. - type
  1896. type: object
  1897. required:
  1898. - akeylessGWApiURL
  1899. - authSecretRef
  1900. type: object
  1901. alibaba:
  1902. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1903. properties:
  1904. auth:
  1905. description: AlibabaAuth contains a secretRef for credentials.
  1906. properties:
  1907. rrsa:
  1908. description: Authenticate against Alibaba using RRSA.
  1909. properties:
  1910. oidcProviderArn:
  1911. type: string
  1912. oidcTokenFilePath:
  1913. type: string
  1914. roleArn:
  1915. type: string
  1916. sessionName:
  1917. type: string
  1918. required:
  1919. - oidcProviderArn
  1920. - oidcTokenFilePath
  1921. - roleArn
  1922. - sessionName
  1923. type: object
  1924. secretRef:
  1925. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1926. properties:
  1927. accessKeyIDSecretRef:
  1928. description: The AccessKeyID is used for authentication
  1929. properties:
  1930. key:
  1931. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1932. type: string
  1933. name:
  1934. description: The name of the Secret resource being referred to.
  1935. type: string
  1936. namespace:
  1937. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1938. type: string
  1939. type: object
  1940. accessKeySecretSecretRef:
  1941. description: The AccessKeySecret is used for authentication
  1942. properties:
  1943. key:
  1944. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1945. type: string
  1946. name:
  1947. description: The name of the Secret resource being referred to.
  1948. type: string
  1949. namespace:
  1950. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1951. type: string
  1952. type: object
  1953. required:
  1954. - accessKeyIDSecretRef
  1955. - accessKeySecretSecretRef
  1956. type: object
  1957. type: object
  1958. regionID:
  1959. description: Alibaba Region to be used for the provider
  1960. type: string
  1961. required:
  1962. - auth
  1963. - regionID
  1964. type: object
  1965. aws:
  1966. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1967. properties:
  1968. additionalRoles:
  1969. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  1970. items:
  1971. type: string
  1972. type: array
  1973. auth:
  1974. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1975. properties:
  1976. jwt:
  1977. description: Authenticate against AWS using service account tokens.
  1978. properties:
  1979. serviceAccountRef:
  1980. description: A reference to a ServiceAccount resource.
  1981. properties:
  1982. audiences:
  1983. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  1984. items:
  1985. type: string
  1986. type: array
  1987. name:
  1988. description: The name of the ServiceAccount resource being referred to.
  1989. type: string
  1990. namespace:
  1991. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1992. type: string
  1993. required:
  1994. - name
  1995. type: object
  1996. type: object
  1997. secretRef:
  1998. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1999. properties:
  2000. accessKeyIDSecretRef:
  2001. description: The AccessKeyID is used for authentication
  2002. properties:
  2003. key:
  2004. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2005. type: string
  2006. name:
  2007. description: The name of the Secret resource being referred to.
  2008. type: string
  2009. namespace:
  2010. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2011. type: string
  2012. type: object
  2013. secretAccessKeySecretRef:
  2014. description: The SecretAccessKey is used for authentication
  2015. properties:
  2016. key:
  2017. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2018. type: string
  2019. name:
  2020. description: The name of the Secret resource being referred to.
  2021. type: string
  2022. namespace:
  2023. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2024. type: string
  2025. type: object
  2026. sessionTokenSecretRef:
  2027. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  2028. properties:
  2029. key:
  2030. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2031. type: string
  2032. name:
  2033. description: The name of the Secret resource being referred to.
  2034. type: string
  2035. namespace:
  2036. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2037. type: string
  2038. type: object
  2039. type: object
  2040. type: object
  2041. externalID:
  2042. description: AWS External ID set on assumed IAM roles
  2043. type: string
  2044. region:
  2045. description: AWS Region to be used for the provider
  2046. type: string
  2047. role:
  2048. description: Role is a Role ARN which the provider will assume
  2049. type: string
  2050. secretsManager:
  2051. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2052. properties:
  2053. forceDeleteWithoutRecovery:
  2054. description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
  2055. type: boolean
  2056. recoveryWindowInDays:
  2057. description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
  2058. format: int64
  2059. type: integer
  2060. type: object
  2061. service:
  2062. description: Service defines which service should be used to fetch the secrets
  2063. enum:
  2064. - SecretsManager
  2065. - ParameterStore
  2066. type: string
  2067. sessionTags:
  2068. description: AWS STS assume role session tags
  2069. items:
  2070. properties:
  2071. key:
  2072. type: string
  2073. value:
  2074. type: string
  2075. required:
  2076. - key
  2077. - value
  2078. type: object
  2079. type: array
  2080. transitiveTagKeys:
  2081. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2082. items:
  2083. type: string
  2084. type: array
  2085. required:
  2086. - region
  2087. - service
  2088. type: object
  2089. azurekv:
  2090. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2091. properties:
  2092. authSecretRef:
  2093. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  2094. properties:
  2095. clientId:
  2096. description: The Azure clientId of the service principle used for authentication.
  2097. properties:
  2098. key:
  2099. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2100. type: string
  2101. name:
  2102. description: The name of the Secret resource being referred to.
  2103. type: string
  2104. namespace:
  2105. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2106. type: string
  2107. type: object
  2108. clientSecret:
  2109. description: The Azure ClientSecret of the service principle used for authentication.
  2110. properties:
  2111. key:
  2112. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2113. type: string
  2114. name:
  2115. description: The name of the Secret resource being referred to.
  2116. type: string
  2117. namespace:
  2118. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2119. type: string
  2120. type: object
  2121. type: object
  2122. authType:
  2123. default: ServicePrincipal
  2124. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  2125. enum:
  2126. - ServicePrincipal
  2127. - ManagedIdentity
  2128. - WorkloadIdentity
  2129. type: string
  2130. environmentType:
  2131. default: PublicCloud
  2132. description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
  2133. enum:
  2134. - PublicCloud
  2135. - USGovernmentCloud
  2136. - ChinaCloud
  2137. - GermanCloud
  2138. type: string
  2139. identityId:
  2140. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2141. type: string
  2142. serviceAccountRef:
  2143. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  2144. properties:
  2145. audiences:
  2146. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  2147. items:
  2148. type: string
  2149. type: array
  2150. name:
  2151. description: The name of the ServiceAccount resource being referred to.
  2152. type: string
  2153. namespace:
  2154. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2155. type: string
  2156. required:
  2157. - name
  2158. type: object
  2159. tenantId:
  2160. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  2161. type: string
  2162. vaultUrl:
  2163. description: Vault Url from which the secrets to be fetched from.
  2164. type: string
  2165. required:
  2166. - vaultUrl
  2167. type: object
  2168. conjur:
  2169. description: Conjur configures this store to sync secrets using conjur provider
  2170. properties:
  2171. auth:
  2172. properties:
  2173. apikey:
  2174. properties:
  2175. account:
  2176. type: string
  2177. apiKeyRef:
  2178. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2179. properties:
  2180. key:
  2181. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2182. type: string
  2183. name:
  2184. description: The name of the Secret resource being referred to.
  2185. type: string
  2186. namespace:
  2187. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2188. type: string
  2189. type: object
  2190. userRef:
  2191. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2192. properties:
  2193. key:
  2194. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2195. type: string
  2196. name:
  2197. description: The name of the Secret resource being referred to.
  2198. type: string
  2199. namespace:
  2200. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2201. type: string
  2202. type: object
  2203. required:
  2204. - account
  2205. - apiKeyRef
  2206. - userRef
  2207. type: object
  2208. jwt:
  2209. properties:
  2210. account:
  2211. type: string
  2212. secretRef:
  2213. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
  2214. properties:
  2215. key:
  2216. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2217. type: string
  2218. name:
  2219. description: The name of the Secret resource being referred to.
  2220. type: string
  2221. namespace:
  2222. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2223. type: string
  2224. type: object
  2225. serviceAccountRef:
  2226. description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2227. properties:
  2228. audiences:
  2229. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  2230. items:
  2231. type: string
  2232. type: array
  2233. name:
  2234. description: The name of the ServiceAccount resource being referred to.
  2235. type: string
  2236. namespace:
  2237. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2238. type: string
  2239. required:
  2240. - name
  2241. type: object
  2242. serviceID:
  2243. description: The conjur authn jwt webservice id
  2244. type: string
  2245. required:
  2246. - account
  2247. - serviceID
  2248. type: object
  2249. type: object
  2250. caBundle:
  2251. type: string
  2252. caProvider:
  2253. description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  2254. properties:
  2255. key:
  2256. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2257. type: string
  2258. name:
  2259. description: The name of the object located at the provider type.
  2260. type: string
  2261. namespace:
  2262. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  2263. type: string
  2264. type:
  2265. description: The type of provider to use such as "Secret", or "ConfigMap".
  2266. enum:
  2267. - Secret
  2268. - ConfigMap
  2269. type: string
  2270. required:
  2271. - name
  2272. - type
  2273. type: object
  2274. url:
  2275. type: string
  2276. required:
  2277. - auth
  2278. - url
  2279. type: object
  2280. delinea:
  2281. description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  2282. properties:
  2283. clientId:
  2284. description: ClientID is the non-secret part of the credential.
  2285. properties:
  2286. secretRef:
  2287. description: SecretRef references a key in a secret that will be used as value.
  2288. properties:
  2289. key:
  2290. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2291. type: string
  2292. name:
  2293. description: The name of the Secret resource being referred to.
  2294. type: string
  2295. namespace:
  2296. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2297. type: string
  2298. type: object
  2299. value:
  2300. description: Value can be specified directly to set a value without using a secret.
  2301. type: string
  2302. type: object
  2303. clientSecret:
  2304. description: ClientSecret is the secret part of the credential.
  2305. properties:
  2306. secretRef:
  2307. description: SecretRef references a key in a secret that will be used as value.
  2308. properties:
  2309. key:
  2310. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2311. type: string
  2312. name:
  2313. description: The name of the Secret resource being referred to.
  2314. type: string
  2315. namespace:
  2316. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2317. type: string
  2318. type: object
  2319. value:
  2320. description: Value can be specified directly to set a value without using a secret.
  2321. type: string
  2322. type: object
  2323. tenant:
  2324. description: Tenant is the chosen hostname / site name.
  2325. type: string
  2326. tld:
  2327. description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
  2328. type: string
  2329. urlTemplate:
  2330. description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  2331. type: string
  2332. required:
  2333. - clientId
  2334. - clientSecret
  2335. - tenant
  2336. type: object
  2337. doppler:
  2338. description: Doppler configures this store to sync secrets using the Doppler provider
  2339. properties:
  2340. auth:
  2341. description: Auth configures how the Operator authenticates with the Doppler API
  2342. properties:
  2343. secretRef:
  2344. properties:
  2345. dopplerToken:
  2346. description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
  2347. properties:
  2348. key:
  2349. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2350. type: string
  2351. name:
  2352. description: The name of the Secret resource being referred to.
  2353. type: string
  2354. namespace:
  2355. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2356. type: string
  2357. type: object
  2358. required:
  2359. - dopplerToken
  2360. type: object
  2361. required:
  2362. - secretRef
  2363. type: object
  2364. config:
  2365. description: Doppler config (required if not using a Service Token)
  2366. type: string
  2367. format:
  2368. description: Format enables the downloading of secrets as a file (string)
  2369. enum:
  2370. - json
  2371. - dotnet-json
  2372. - env
  2373. - yaml
  2374. - docker
  2375. type: string
  2376. nameTransformer:
  2377. description: Environment variable compatible name transforms that change secret names to a different format
  2378. enum:
  2379. - upper-camel
  2380. - camel
  2381. - lower-snake
  2382. - tf-var
  2383. - dotnet-env
  2384. - lower-kebab
  2385. type: string
  2386. project:
  2387. description: Doppler project (required if not using a Service Token)
  2388. type: string
  2389. required:
  2390. - auth
  2391. type: object
  2392. fake:
  2393. description: Fake configures a store with static key/value pairs
  2394. properties:
  2395. data:
  2396. items:
  2397. properties:
  2398. key:
  2399. type: string
  2400. value:
  2401. type: string
  2402. valueMap:
  2403. additionalProperties:
  2404. type: string
  2405. type: object
  2406. version:
  2407. type: string
  2408. required:
  2409. - key
  2410. type: object
  2411. type: array
  2412. required:
  2413. - data
  2414. type: object
  2415. gcpsm:
  2416. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  2417. properties:
  2418. auth:
  2419. description: Auth defines the information necessary to authenticate against GCP
  2420. properties:
  2421. secretRef:
  2422. properties:
  2423. secretAccessKeySecretRef:
  2424. description: The SecretAccessKey is used for authentication
  2425. properties:
  2426. key:
  2427. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2428. type: string
  2429. name:
  2430. description: The name of the Secret resource being referred to.
  2431. type: string
  2432. namespace:
  2433. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2434. type: string
  2435. type: object
  2436. type: object
  2437. workloadIdentity:
  2438. properties:
  2439. clusterLocation:
  2440. type: string
  2441. clusterName:
  2442. type: string
  2443. clusterProjectID:
  2444. type: string
  2445. serviceAccountRef:
  2446. description: A reference to a ServiceAccount resource.
  2447. properties:
  2448. audiences:
  2449. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  2450. items:
  2451. type: string
  2452. type: array
  2453. name:
  2454. description: The name of the ServiceAccount resource being referred to.
  2455. type: string
  2456. namespace:
  2457. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2458. type: string
  2459. required:
  2460. - name
  2461. type: object
  2462. required:
  2463. - clusterLocation
  2464. - clusterName
  2465. - serviceAccountRef
  2466. type: object
  2467. type: object
  2468. projectID:
  2469. description: ProjectID project where secret is located
  2470. type: string
  2471. type: object
  2472. gitlab:
  2473. description: GitLab configures this store to sync secrets using GitLab Variables provider
  2474. properties:
  2475. auth:
  2476. description: Auth configures how secret-manager authenticates with a GitLab instance.
  2477. properties:
  2478. SecretRef:
  2479. properties:
  2480. accessToken:
  2481. description: AccessToken is used for authentication.
  2482. properties:
  2483. key:
  2484. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2485. type: string
  2486. name:
  2487. description: The name of the Secret resource being referred to.
  2488. type: string
  2489. namespace:
  2490. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2491. type: string
  2492. type: object
  2493. type: object
  2494. required:
  2495. - SecretRef
  2496. type: object
  2497. environment:
  2498. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  2499. type: string
  2500. groupIDs:
  2501. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  2502. items:
  2503. type: string
  2504. type: array
  2505. inheritFromGroups:
  2506. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  2507. type: boolean
  2508. projectID:
  2509. description: ProjectID specifies a project where secrets are located.
  2510. type: string
  2511. url:
  2512. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  2513. type: string
  2514. required:
  2515. - auth
  2516. type: object
  2517. ibm:
  2518. description: IBM configures this store to sync secrets using IBM Cloud provider
  2519. properties:
  2520. auth:
  2521. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  2522. maxProperties: 1
  2523. minProperties: 1
  2524. properties:
  2525. containerAuth:
  2526. description: IBM Container-based auth with IAM Trusted Profile.
  2527. properties:
  2528. iamEndpoint:
  2529. type: string
  2530. profile:
  2531. description: the IBM Trusted Profile
  2532. type: string
  2533. tokenLocation:
  2534. description: Location the token is mounted on the pod
  2535. type: string
  2536. required:
  2537. - profile
  2538. type: object
  2539. secretRef:
  2540. properties:
  2541. secretApiKeySecretRef:
  2542. description: The SecretAccessKey is used for authentication
  2543. properties:
  2544. key:
  2545. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2546. type: string
  2547. name:
  2548. description: The name of the Secret resource being referred to.
  2549. type: string
  2550. namespace:
  2551. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2552. type: string
  2553. type: object
  2554. type: object
  2555. type: object
  2556. serviceUrl:
  2557. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  2558. type: string
  2559. required:
  2560. - auth
  2561. type: object
  2562. keepersecurity:
  2563. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  2564. properties:
  2565. authRef:
  2566. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2567. properties:
  2568. key:
  2569. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2570. type: string
  2571. name:
  2572. description: The name of the Secret resource being referred to.
  2573. type: string
  2574. namespace:
  2575. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2576. type: string
  2577. type: object
  2578. folderID:
  2579. type: string
  2580. required:
  2581. - authRef
  2582. - folderID
  2583. type: object
  2584. kubernetes:
  2585. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  2586. properties:
  2587. auth:
  2588. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  2589. maxProperties: 1
  2590. minProperties: 1
  2591. properties:
  2592. cert:
  2593. description: has both clientCert and clientKey as secretKeySelector
  2594. properties:
  2595. clientCert:
  2596. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2597. properties:
  2598. key:
  2599. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2600. type: string
  2601. name:
  2602. description: The name of the Secret resource being referred to.
  2603. type: string
  2604. namespace:
  2605. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2606. type: string
  2607. type: object
  2608. clientKey:
  2609. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2610. properties:
  2611. key:
  2612. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2613. type: string
  2614. name:
  2615. description: The name of the Secret resource being referred to.
  2616. type: string
  2617. namespace:
  2618. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2619. type: string
  2620. type: object
  2621. type: object
  2622. serviceAccount:
  2623. description: points to a service account that should be used for authentication
  2624. properties:
  2625. audiences:
  2626. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  2627. items:
  2628. type: string
  2629. type: array
  2630. name:
  2631. description: The name of the ServiceAccount resource being referred to.
  2632. type: string
  2633. namespace:
  2634. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2635. type: string
  2636. required:
  2637. - name
  2638. type: object
  2639. token:
  2640. description: use static token to authenticate with
  2641. properties:
  2642. bearerToken:
  2643. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2644. properties:
  2645. key:
  2646. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2647. type: string
  2648. name:
  2649. description: The name of the Secret resource being referred to.
  2650. type: string
  2651. namespace:
  2652. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2653. type: string
  2654. type: object
  2655. type: object
  2656. type: object
  2657. remoteNamespace:
  2658. default: default
  2659. description: Remote namespace to fetch the secrets from
  2660. type: string
  2661. server:
  2662. description: configures the Kubernetes server Address.
  2663. properties:
  2664. caBundle:
  2665. description: CABundle is a base64-encoded CA certificate
  2666. format: byte
  2667. type: string
  2668. caProvider:
  2669. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  2670. properties:
  2671. key:
  2672. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2673. type: string
  2674. name:
  2675. description: The name of the object located at the provider type.
  2676. type: string
  2677. namespace:
  2678. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  2679. type: string
  2680. type:
  2681. description: The type of provider to use such as "Secret", or "ConfigMap".
  2682. enum:
  2683. - Secret
  2684. - ConfigMap
  2685. type: string
  2686. required:
  2687. - name
  2688. - type
  2689. type: object
  2690. url:
  2691. default: kubernetes.default
  2692. description: configures the Kubernetes server Address.
  2693. type: string
  2694. type: object
  2695. required:
  2696. - auth
  2697. type: object
  2698. onepassword:
  2699. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  2700. properties:
  2701. auth:
  2702. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  2703. properties:
  2704. secretRef:
  2705. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  2706. properties:
  2707. connectTokenSecretRef:
  2708. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  2709. properties:
  2710. key:
  2711. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2712. type: string
  2713. name:
  2714. description: The name of the Secret resource being referred to.
  2715. type: string
  2716. namespace:
  2717. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2718. type: string
  2719. type: object
  2720. required:
  2721. - connectTokenSecretRef
  2722. type: object
  2723. required:
  2724. - secretRef
  2725. type: object
  2726. connectHost:
  2727. description: ConnectHost defines the OnePassword Connect Server to connect to
  2728. type: string
  2729. vaults:
  2730. additionalProperties:
  2731. type: integer
  2732. description: Vaults defines which OnePassword vaults to search in which order
  2733. type: object
  2734. required:
  2735. - auth
  2736. - connectHost
  2737. - vaults
  2738. type: object
  2739. oracle:
  2740. description: Oracle configures this store to sync secrets using Oracle Vault provider
  2741. properties:
  2742. auth:
  2743. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  2744. properties:
  2745. secretRef:
  2746. description: SecretRef to pass through sensitive information.
  2747. properties:
  2748. fingerprint:
  2749. description: Fingerprint is the fingerprint of the API private key.
  2750. properties:
  2751. key:
  2752. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2753. type: string
  2754. name:
  2755. description: The name of the Secret resource being referred to.
  2756. type: string
  2757. namespace:
  2758. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2759. type: string
  2760. type: object
  2761. privatekey:
  2762. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  2763. properties:
  2764. key:
  2765. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2766. type: string
  2767. name:
  2768. description: The name of the Secret resource being referred to.
  2769. type: string
  2770. namespace:
  2771. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2772. type: string
  2773. type: object
  2774. required:
  2775. - fingerprint
  2776. - privatekey
  2777. type: object
  2778. tenancy:
  2779. description: Tenancy is the tenancy OCID where user is located.
  2780. type: string
  2781. user:
  2782. description: User is an access OCID specific to the account.
  2783. type: string
  2784. required:
  2785. - secretRef
  2786. - tenancy
  2787. - user
  2788. type: object
  2789. compartment:
  2790. description: Compartment is the vault compartment OCID. Required for PushSecret
  2791. type: string
  2792. encryptionKey:
  2793. description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
  2794. type: string
  2795. principalType:
  2796. description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
  2797. enum:
  2798. - ""
  2799. - UserPrincipal
  2800. - InstancePrincipal
  2801. - Workload
  2802. type: string
  2803. region:
  2804. description: Region is the region where vault is located.
  2805. type: string
  2806. serviceAccountRef:
  2807. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  2808. properties:
  2809. audiences:
  2810. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  2811. items:
  2812. type: string
  2813. type: array
  2814. name:
  2815. description: The name of the ServiceAccount resource being referred to.
  2816. type: string
  2817. namespace:
  2818. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2819. type: string
  2820. required:
  2821. - name
  2822. type: object
  2823. vault:
  2824. description: Vault is the vault's OCID of the specific vault where secret is located.
  2825. type: string
  2826. required:
  2827. - region
  2828. - vault
  2829. type: object
  2830. scaleway:
  2831. description: Scaleway
  2832. properties:
  2833. accessKey:
  2834. description: AccessKey is the non-secret part of the api key.
  2835. properties:
  2836. secretRef:
  2837. description: SecretRef references a key in a secret that will be used as value.
  2838. properties:
  2839. key:
  2840. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2841. type: string
  2842. name:
  2843. description: The name of the Secret resource being referred to.
  2844. type: string
  2845. namespace:
  2846. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2847. type: string
  2848. type: object
  2849. value:
  2850. description: Value can be specified directly to set a value without using a secret.
  2851. type: string
  2852. type: object
  2853. apiUrl:
  2854. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  2855. type: string
  2856. projectId:
  2857. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  2858. type: string
  2859. region:
  2860. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  2861. type: string
  2862. secretKey:
  2863. description: SecretKey is the non-secret part of the api key.
  2864. properties:
  2865. secretRef:
  2866. description: SecretRef references a key in a secret that will be used as value.
  2867. properties:
  2868. key:
  2869. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2870. type: string
  2871. name:
  2872. description: The name of the Secret resource being referred to.
  2873. type: string
  2874. namespace:
  2875. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2876. type: string
  2877. type: object
  2878. value:
  2879. description: Value can be specified directly to set a value without using a secret.
  2880. type: string
  2881. type: object
  2882. required:
  2883. - accessKey
  2884. - projectId
  2885. - region
  2886. - secretKey
  2887. type: object
  2888. senhasegura:
  2889. description: Senhasegura configures this store to sync secrets using senhasegura provider
  2890. properties:
  2891. auth:
  2892. description: Auth defines parameters to authenticate in senhasegura
  2893. properties:
  2894. clientId:
  2895. type: string
  2896. clientSecretSecretRef:
  2897. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2898. properties:
  2899. key:
  2900. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2901. type: string
  2902. name:
  2903. description: The name of the Secret resource being referred to.
  2904. type: string
  2905. namespace:
  2906. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2907. type: string
  2908. type: object
  2909. required:
  2910. - clientId
  2911. - clientSecretSecretRef
  2912. type: object
  2913. ignoreSslCertificate:
  2914. default: false
  2915. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  2916. type: boolean
  2917. module:
  2918. description: Module defines which senhasegura module should be used to get secrets
  2919. type: string
  2920. url:
  2921. description: URL of senhasegura
  2922. type: string
  2923. required:
  2924. - auth
  2925. - module
  2926. - url
  2927. type: object
  2928. vault:
  2929. description: Vault configures this store to sync secrets using Hashi provider
  2930. properties:
  2931. auth:
  2932. description: Auth configures how secret-manager authenticates with the Vault server.
  2933. properties:
  2934. appRole:
  2935. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2936. properties:
  2937. path:
  2938. default: approle
  2939. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2940. type: string
  2941. roleId:
  2942. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2943. type: string
  2944. roleRef:
  2945. description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
  2946. properties:
  2947. key:
  2948. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2949. type: string
  2950. name:
  2951. description: The name of the Secret resource being referred to.
  2952. type: string
  2953. namespace:
  2954. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2955. type: string
  2956. type: object
  2957. secretRef:
  2958. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2959. properties:
  2960. key:
  2961. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2962. type: string
  2963. name:
  2964. description: The name of the Secret resource being referred to.
  2965. type: string
  2966. namespace:
  2967. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2968. type: string
  2969. type: object
  2970. required:
  2971. - path
  2972. - secretRef
  2973. type: object
  2974. cert:
  2975. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2976. properties:
  2977. clientCert:
  2978. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2979. properties:
  2980. key:
  2981. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2982. type: string
  2983. name:
  2984. description: The name of the Secret resource being referred to.
  2985. type: string
  2986. namespace:
  2987. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2988. type: string
  2989. type: object
  2990. secretRef:
  2991. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2992. properties:
  2993. key:
  2994. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2995. type: string
  2996. name:
  2997. description: The name of the Secret resource being referred to.
  2998. type: string
  2999. namespace:
  3000. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3001. type: string
  3002. type: object
  3003. type: object
  3004. iam:
  3005. description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
  3006. properties:
  3007. externalID:
  3008. description: AWS External ID set on assumed IAM roles
  3009. type: string
  3010. jwt:
  3011. description: Specify a service account with IRSA enabled
  3012. properties:
  3013. serviceAccountRef:
  3014. description: A reference to a ServiceAccount resource.
  3015. properties:
  3016. audiences:
  3017. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  3018. items:
  3019. type: string
  3020. type: array
  3021. name:
  3022. description: The name of the ServiceAccount resource being referred to.
  3023. type: string
  3024. namespace:
  3025. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3026. type: string
  3027. required:
  3028. - name
  3029. type: object
  3030. type: object
  3031. path:
  3032. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  3033. type: string
  3034. region:
  3035. description: AWS region
  3036. type: string
  3037. role:
  3038. description: This is the AWS role to be assumed before talking to vault
  3039. type: string
  3040. secretRef:
  3041. description: Specify credentials in a Secret object
  3042. properties:
  3043. accessKeyIDSecretRef:
  3044. description: The AccessKeyID is used for authentication
  3045. properties:
  3046. key:
  3047. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3048. type: string
  3049. name:
  3050. description: The name of the Secret resource being referred to.
  3051. type: string
  3052. namespace:
  3053. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3054. type: string
  3055. type: object
  3056. secretAccessKeySecretRef:
  3057. description: The SecretAccessKey is used for authentication
  3058. properties:
  3059. key:
  3060. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3061. type: string
  3062. name:
  3063. description: The name of the Secret resource being referred to.
  3064. type: string
  3065. namespace:
  3066. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3067. type: string
  3068. type: object
  3069. sessionTokenSecretRef:
  3070. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  3071. properties:
  3072. key:
  3073. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3074. type: string
  3075. name:
  3076. description: The name of the Secret resource being referred to.
  3077. type: string
  3078. namespace:
  3079. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3080. type: string
  3081. type: object
  3082. type: object
  3083. vaultAwsIamServerID:
  3084. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  3085. type: string
  3086. vaultRole:
  3087. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  3088. type: string
  3089. required:
  3090. - vaultRole
  3091. type: object
  3092. jwt:
  3093. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3094. properties:
  3095. kubernetesServiceAccountToken:
  3096. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  3097. properties:
  3098. audiences:
  3099. description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
  3100. items:
  3101. type: string
  3102. type: array
  3103. expirationSeconds:
  3104. description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
  3105. format: int64
  3106. type: integer
  3107. serviceAccountRef:
  3108. description: Service account field containing the name of a kubernetes ServiceAccount.
  3109. properties:
  3110. audiences:
  3111. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  3112. items:
  3113. type: string
  3114. type: array
  3115. name:
  3116. description: The name of the ServiceAccount resource being referred to.
  3117. type: string
  3118. namespace:
  3119. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3120. type: string
  3121. required:
  3122. - name
  3123. type: object
  3124. required:
  3125. - serviceAccountRef
  3126. type: object
  3127. path:
  3128. default: jwt
  3129. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3130. type: string
  3131. role:
  3132. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3133. type: string
  3134. secretRef:
  3135. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  3136. properties:
  3137. key:
  3138. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3139. type: string
  3140. name:
  3141. description: The name of the Secret resource being referred to.
  3142. type: string
  3143. namespace:
  3144. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3145. type: string
  3146. type: object
  3147. required:
  3148. - path
  3149. type: object
  3150. kubernetes:
  3151. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3152. properties:
  3153. mountPath:
  3154. default: kubernetes
  3155. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3156. type: string
  3157. role:
  3158. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3159. type: string
  3160. secretRef:
  3161. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3162. properties:
  3163. key:
  3164. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3165. type: string
  3166. name:
  3167. description: The name of the Secret resource being referred to.
  3168. type: string
  3169. namespace:
  3170. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3171. type: string
  3172. type: object
  3173. serviceAccountRef:
  3174. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3175. properties:
  3176. audiences:
  3177. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  3178. items:
  3179. type: string
  3180. type: array
  3181. name:
  3182. description: The name of the ServiceAccount resource being referred to.
  3183. type: string
  3184. namespace:
  3185. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3186. type: string
  3187. required:
  3188. - name
  3189. type: object
  3190. required:
  3191. - mountPath
  3192. - role
  3193. type: object
  3194. ldap:
  3195. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  3196. properties:
  3197. path:
  3198. default: ldap
  3199. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  3200. type: string
  3201. secretRef:
  3202. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  3203. properties:
  3204. key:
  3205. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3206. type: string
  3207. name:
  3208. description: The name of the Secret resource being referred to.
  3209. type: string
  3210. namespace:
  3211. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3212. type: string
  3213. type: object
  3214. username:
  3215. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  3216. type: string
  3217. required:
  3218. - path
  3219. - username
  3220. type: object
  3221. tokenSecretRef:
  3222. description: TokenSecretRef authenticates with Vault by presenting a token.
  3223. properties:
  3224. key:
  3225. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3226. type: string
  3227. name:
  3228. description: The name of the Secret resource being referred to.
  3229. type: string
  3230. namespace:
  3231. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3232. type: string
  3233. type: object
  3234. userPass:
  3235. description: UserPass authenticates with Vault by passing username/password pair
  3236. properties:
  3237. path:
  3238. default: user
  3239. description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
  3240. type: string
  3241. secretRef:
  3242. description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
  3243. properties:
  3244. key:
  3245. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3246. type: string
  3247. name:
  3248. description: The name of the Secret resource being referred to.
  3249. type: string
  3250. namespace:
  3251. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3252. type: string
  3253. type: object
  3254. username:
  3255. description: Username is a user name used to authenticate using the UserPass Vault authentication method
  3256. type: string
  3257. required:
  3258. - path
  3259. - username
  3260. type: object
  3261. type: object
  3262. caBundle:
  3263. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3264. format: byte
  3265. type: string
  3266. caProvider:
  3267. description: The provider for the CA bundle to use to validate Vault server certificate.
  3268. properties:
  3269. key:
  3270. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3271. type: string
  3272. name:
  3273. description: The name of the object located at the provider type.
  3274. type: string
  3275. namespace:
  3276. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  3277. type: string
  3278. type:
  3279. description: The type of provider to use such as "Secret", or "ConfigMap".
  3280. enum:
  3281. - Secret
  3282. - ConfigMap
  3283. type: string
  3284. required:
  3285. - name
  3286. - type
  3287. type: object
  3288. forwardInconsistent:
  3289. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  3290. type: boolean
  3291. namespace:
  3292. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  3293. type: string
  3294. path:
  3295. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  3296. type: string
  3297. readYourWrites:
  3298. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  3299. type: boolean
  3300. server:
  3301. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  3302. type: string
  3303. version:
  3304. default: v2
  3305. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  3306. enum:
  3307. - v1
  3308. - v2
  3309. type: string
  3310. required:
  3311. - auth
  3312. - server
  3313. type: object
  3314. webhook:
  3315. description: Webhook configures this store to sync secrets using a generic templated webhook
  3316. properties:
  3317. body:
  3318. description: Body
  3319. type: string
  3320. caBundle:
  3321. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3322. format: byte
  3323. type: string
  3324. caProvider:
  3325. description: The provider for the CA bundle to use to validate webhook server certificate.
  3326. properties:
  3327. key:
  3328. description: The key the value inside of the provider type to use, only used with "Secret" type
  3329. type: string
  3330. name:
  3331. description: The name of the object located at the provider type.
  3332. type: string
  3333. namespace:
  3334. description: The namespace the Provider type is in.
  3335. type: string
  3336. type:
  3337. description: The type of provider to use such as "Secret", or "ConfigMap".
  3338. enum:
  3339. - Secret
  3340. - ConfigMap
  3341. type: string
  3342. required:
  3343. - name
  3344. - type
  3345. type: object
  3346. headers:
  3347. additionalProperties:
  3348. type: string
  3349. description: Headers
  3350. type: object
  3351. method:
  3352. description: Webhook Method
  3353. type: string
  3354. result:
  3355. description: Result formatting
  3356. properties:
  3357. jsonPath:
  3358. description: Json path of return value
  3359. type: string
  3360. type: object
  3361. secrets:
  3362. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  3363. items:
  3364. properties:
  3365. name:
  3366. description: Name of this secret in templates
  3367. type: string
  3368. secretRef:
  3369. description: Secret ref to fill in credentials
  3370. properties:
  3371. key:
  3372. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3373. type: string
  3374. name:
  3375. description: The name of the Secret resource being referred to.
  3376. type: string
  3377. namespace:
  3378. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3379. type: string
  3380. type: object
  3381. required:
  3382. - name
  3383. - secretRef
  3384. type: object
  3385. type: array
  3386. timeout:
  3387. description: Timeout
  3388. type: string
  3389. url:
  3390. description: Webhook url to call
  3391. type: string
  3392. required:
  3393. - result
  3394. - url
  3395. type: object
  3396. yandexcertificatemanager:
  3397. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  3398. properties:
  3399. apiEndpoint:
  3400. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  3401. type: string
  3402. auth:
  3403. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  3404. properties:
  3405. authorizedKeySecretRef:
  3406. description: The authorized key used for authentication
  3407. properties:
  3408. key:
  3409. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3410. type: string
  3411. name:
  3412. description: The name of the Secret resource being referred to.
  3413. type: string
  3414. namespace:
  3415. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3416. type: string
  3417. type: object
  3418. type: object
  3419. caProvider:
  3420. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  3421. properties:
  3422. certSecretRef:
  3423. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3424. properties:
  3425. key:
  3426. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3427. type: string
  3428. name:
  3429. description: The name of the Secret resource being referred to.
  3430. type: string
  3431. namespace:
  3432. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3433. type: string
  3434. type: object
  3435. type: object
  3436. required:
  3437. - auth
  3438. type: object
  3439. yandexlockbox:
  3440. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  3441. properties:
  3442. apiEndpoint:
  3443. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  3444. type: string
  3445. auth:
  3446. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  3447. properties:
  3448. authorizedKeySecretRef:
  3449. description: The authorized key used for authentication
  3450. properties:
  3451. key:
  3452. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3453. type: string
  3454. name:
  3455. description: The name of the Secret resource being referred to.
  3456. type: string
  3457. namespace:
  3458. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3459. type: string
  3460. type: object
  3461. type: object
  3462. caProvider:
  3463. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  3464. properties:
  3465. certSecretRef:
  3466. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3467. properties:
  3468. key:
  3469. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3470. type: string
  3471. name:
  3472. description: The name of the Secret resource being referred to.
  3473. type: string
  3474. namespace:
  3475. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3476. type: string
  3477. type: object
  3478. type: object
  3479. required:
  3480. - auth
  3481. type: object
  3482. type: object
  3483. refreshInterval:
  3484. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  3485. type: integer
  3486. retrySettings:
  3487. description: Used to configure http retries if failed
  3488. properties:
  3489. maxRetries:
  3490. format: int32
  3491. type: integer
  3492. retryInterval:
  3493. type: string
  3494. type: object
  3495. required:
  3496. - provider
  3497. type: object
  3498. status:
  3499. description: SecretStoreStatus defines the observed state of the SecretStore.
  3500. properties:
  3501. capabilities:
  3502. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  3503. type: string
  3504. conditions:
  3505. items:
  3506. properties:
  3507. lastTransitionTime:
  3508. format: date-time
  3509. type: string
  3510. message:
  3511. type: string
  3512. reason:
  3513. type: string
  3514. status:
  3515. type: string
  3516. type:
  3517. type: string
  3518. required:
  3519. - status
  3520. - type
  3521. type: object
  3522. type: array
  3523. type: object
  3524. type: object
  3525. served: true
  3526. storage: true
  3527. subresources:
  3528. status: {}
  3529. conversion:
  3530. strategy: Webhook
  3531. webhook:
  3532. conversionReviewVersions:
  3533. - v1
  3534. clientConfig:
  3535. service:
  3536. name: kubernetes
  3537. namespace: default
  3538. path: /convert
  3539. ---
  3540. apiVersion: apiextensions.k8s.io/v1
  3541. kind: CustomResourceDefinition
  3542. metadata:
  3543. annotations:
  3544. controller-gen.kubebuilder.io/version: v0.13.0
  3545. name: externalsecrets.external-secrets.io
  3546. spec:
  3547. group: external-secrets.io
  3548. names:
  3549. categories:
  3550. - externalsecrets
  3551. kind: ExternalSecret
  3552. listKind: ExternalSecretList
  3553. plural: externalsecrets
  3554. shortNames:
  3555. - es
  3556. singular: externalsecret
  3557. scope: Namespaced
  3558. versions:
  3559. - additionalPrinterColumns:
  3560. - jsonPath: .spec.secretStoreRef.name
  3561. name: Store
  3562. type: string
  3563. - jsonPath: .spec.refreshInterval
  3564. name: Refresh Interval
  3565. type: string
  3566. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3567. name: Status
  3568. type: string
  3569. deprecated: true
  3570. name: v1alpha1
  3571. schema:
  3572. openAPIV3Schema:
  3573. description: ExternalSecret is the Schema for the external-secrets API.
  3574. properties:
  3575. apiVersion:
  3576. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3577. type: string
  3578. kind:
  3579. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3580. type: string
  3581. metadata:
  3582. type: object
  3583. spec:
  3584. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  3585. properties:
  3586. data:
  3587. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  3588. items:
  3589. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  3590. properties:
  3591. remoteRef:
  3592. description: ExternalSecretDataRemoteRef defines Provider data location.
  3593. properties:
  3594. conversionStrategy:
  3595. default: Default
  3596. description: Used to define a conversion Strategy
  3597. enum:
  3598. - Default
  3599. - Unicode
  3600. type: string
  3601. key:
  3602. description: Key is the key used in the Provider, mandatory
  3603. type: string
  3604. property:
  3605. description: Used to select a specific property of the Provider value (if a map), if supported
  3606. type: string
  3607. version:
  3608. description: Used to select a specific version of the Provider value, if supported
  3609. type: string
  3610. required:
  3611. - key
  3612. type: object
  3613. secretKey:
  3614. type: string
  3615. required:
  3616. - remoteRef
  3617. - secretKey
  3618. type: object
  3619. type: array
  3620. dataFrom:
  3621. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  3622. items:
  3623. description: ExternalSecretDataRemoteRef defines Provider data location.
  3624. properties:
  3625. conversionStrategy:
  3626. default: Default
  3627. description: Used to define a conversion Strategy
  3628. enum:
  3629. - Default
  3630. - Unicode
  3631. type: string
  3632. key:
  3633. description: Key is the key used in the Provider, mandatory
  3634. type: string
  3635. property:
  3636. description: Used to select a specific property of the Provider value (if a map), if supported
  3637. type: string
  3638. version:
  3639. description: Used to select a specific version of the Provider value, if supported
  3640. type: string
  3641. required:
  3642. - key
  3643. type: object
  3644. type: array
  3645. refreshInterval:
  3646. default: 1h
  3647. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  3648. type: string
  3649. secretStoreRef:
  3650. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  3651. properties:
  3652. kind:
  3653. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3654. type: string
  3655. name:
  3656. description: Name of the SecretStore resource
  3657. type: string
  3658. required:
  3659. - name
  3660. type: object
  3661. target:
  3662. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  3663. properties:
  3664. creationPolicy:
  3665. default: Owner
  3666. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  3667. enum:
  3668. - Owner
  3669. - Merge
  3670. - None
  3671. type: string
  3672. immutable:
  3673. description: Immutable defines if the final secret will be immutable
  3674. type: boolean
  3675. name:
  3676. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  3677. type: string
  3678. template:
  3679. description: Template defines a blueprint for the created Secret resource.
  3680. properties:
  3681. data:
  3682. additionalProperties:
  3683. type: string
  3684. type: object
  3685. engineVersion:
  3686. default: v1
  3687. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  3688. enum:
  3689. - v1
  3690. - v2
  3691. type: string
  3692. metadata:
  3693. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  3694. properties:
  3695. annotations:
  3696. additionalProperties:
  3697. type: string
  3698. type: object
  3699. labels:
  3700. additionalProperties:
  3701. type: string
  3702. type: object
  3703. type: object
  3704. templateFrom:
  3705. items:
  3706. maxProperties: 1
  3707. minProperties: 1
  3708. properties:
  3709. configMap:
  3710. properties:
  3711. items:
  3712. items:
  3713. properties:
  3714. key:
  3715. type: string
  3716. required:
  3717. - key
  3718. type: object
  3719. type: array
  3720. name:
  3721. type: string
  3722. required:
  3723. - items
  3724. - name
  3725. type: object
  3726. secret:
  3727. properties:
  3728. items:
  3729. items:
  3730. properties:
  3731. key:
  3732. type: string
  3733. required:
  3734. - key
  3735. type: object
  3736. type: array
  3737. name:
  3738. type: string
  3739. required:
  3740. - items
  3741. - name
  3742. type: object
  3743. type: object
  3744. type: array
  3745. type:
  3746. type: string
  3747. type: object
  3748. type: object
  3749. required:
  3750. - secretStoreRef
  3751. - target
  3752. type: object
  3753. status:
  3754. properties:
  3755. binding:
  3756. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  3757. properties:
  3758. name:
  3759. description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
  3760. type: string
  3761. type: object
  3762. x-kubernetes-map-type: atomic
  3763. conditions:
  3764. items:
  3765. properties:
  3766. lastTransitionTime:
  3767. format: date-time
  3768. type: string
  3769. message:
  3770. type: string
  3771. reason:
  3772. type: string
  3773. status:
  3774. type: string
  3775. type:
  3776. type: string
  3777. required:
  3778. - status
  3779. - type
  3780. type: object
  3781. type: array
  3782. refreshTime:
  3783. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3784. format: date-time
  3785. nullable: true
  3786. type: string
  3787. syncedResourceVersion:
  3788. description: SyncedResourceVersion keeps track of the last synced version
  3789. type: string
  3790. type: object
  3791. type: object
  3792. served: true
  3793. storage: false
  3794. subresources:
  3795. status: {}
  3796. - additionalPrinterColumns:
  3797. - jsonPath: .spec.secretStoreRef.name
  3798. name: Store
  3799. type: string
  3800. - jsonPath: .spec.refreshInterval
  3801. name: Refresh Interval
  3802. type: string
  3803. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3804. name: Status
  3805. type: string
  3806. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  3807. name: Ready
  3808. type: string
  3809. name: v1beta1
  3810. schema:
  3811. openAPIV3Schema:
  3812. description: ExternalSecret is the Schema for the external-secrets API.
  3813. properties:
  3814. apiVersion:
  3815. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3816. type: string
  3817. kind:
  3818. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3819. type: string
  3820. metadata:
  3821. type: object
  3822. spec:
  3823. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  3824. properties:
  3825. data:
  3826. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  3827. items:
  3828. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  3829. properties:
  3830. remoteRef:
  3831. description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
  3832. properties:
  3833. conversionStrategy:
  3834. default: Default
  3835. description: Used to define a conversion Strategy
  3836. enum:
  3837. - Default
  3838. - Unicode
  3839. type: string
  3840. decodingStrategy:
  3841. default: None
  3842. description: Used to define a decoding Strategy
  3843. enum:
  3844. - Auto
  3845. - Base64
  3846. - Base64URL
  3847. - None
  3848. type: string
  3849. key:
  3850. description: Key is the key used in the Provider, mandatory
  3851. type: string
  3852. metadataPolicy:
  3853. default: None
  3854. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  3855. enum:
  3856. - None
  3857. - Fetch
  3858. type: string
  3859. property:
  3860. description: Used to select a specific property of the Provider value (if a map), if supported
  3861. type: string
  3862. version:
  3863. description: Used to select a specific version of the Provider value, if supported
  3864. type: string
  3865. required:
  3866. - key
  3867. type: object
  3868. secretKey:
  3869. description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret
  3870. type: string
  3871. sourceRef:
  3872. description: SourceRef allows you to override the source from which the value will pulled from.
  3873. maxProperties: 1
  3874. properties:
  3875. generatorRef:
  3876. description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
  3877. properties:
  3878. apiVersion:
  3879. default: generators.external-secrets.io/v1alpha1
  3880. description: Specify the apiVersion of the generator resource
  3881. type: string
  3882. kind:
  3883. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  3884. type: string
  3885. name:
  3886. description: Specify the name of the generator resource
  3887. type: string
  3888. required:
  3889. - kind
  3890. - name
  3891. type: object
  3892. storeRef:
  3893. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  3894. properties:
  3895. kind:
  3896. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3897. type: string
  3898. name:
  3899. description: Name of the SecretStore resource
  3900. type: string
  3901. required:
  3902. - name
  3903. type: object
  3904. type: object
  3905. required:
  3906. - remoteRef
  3907. - secretKey
  3908. type: object
  3909. type: array
  3910. dataFrom:
  3911. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  3912. items:
  3913. properties:
  3914. extract:
  3915. description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.'
  3916. properties:
  3917. conversionStrategy:
  3918. default: Default
  3919. description: Used to define a conversion Strategy
  3920. enum:
  3921. - Default
  3922. - Unicode
  3923. type: string
  3924. decodingStrategy:
  3925. default: None
  3926. description: Used to define a decoding Strategy
  3927. enum:
  3928. - Auto
  3929. - Base64
  3930. - Base64URL
  3931. - None
  3932. type: string
  3933. key:
  3934. description: Key is the key used in the Provider, mandatory
  3935. type: string
  3936. metadataPolicy:
  3937. default: None
  3938. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  3939. enum:
  3940. - None
  3941. - Fetch
  3942. type: string
  3943. property:
  3944. description: Used to select a specific property of the Provider value (if a map), if supported
  3945. type: string
  3946. version:
  3947. description: Used to select a specific version of the Provider value, if supported
  3948. type: string
  3949. required:
  3950. - key
  3951. type: object
  3952. find:
  3953. description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.'
  3954. properties:
  3955. conversionStrategy:
  3956. default: Default
  3957. description: Used to define a conversion Strategy
  3958. enum:
  3959. - Default
  3960. - Unicode
  3961. type: string
  3962. decodingStrategy:
  3963. default: None
  3964. description: Used to define a decoding Strategy
  3965. enum:
  3966. - Auto
  3967. - Base64
  3968. - Base64URL
  3969. - None
  3970. type: string
  3971. name:
  3972. description: Finds secrets based on the name.
  3973. properties:
  3974. regexp:
  3975. description: Finds secrets base
  3976. type: string
  3977. type: object
  3978. path:
  3979. description: A root path to start the find operations.
  3980. type: string
  3981. tags:
  3982. additionalProperties:
  3983. type: string
  3984. description: Find secrets based on tags.
  3985. type: object
  3986. type: object
  3987. rewrite:
  3988. description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  3989. items:
  3990. properties:
  3991. regexp:
  3992. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  3993. properties:
  3994. source:
  3995. description: Used to define the regular expression of a re.Compiler.
  3996. type: string
  3997. target:
  3998. description: Used to define the target pattern of a ReplaceAll operation.
  3999. type: string
  4000. required:
  4001. - source
  4002. - target
  4003. type: object
  4004. transform:
  4005. description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
  4006. properties:
  4007. template:
  4008. description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
  4009. type: string
  4010. required:
  4011. - template
  4012. type: object
  4013. type: object
  4014. type: array
  4015. sourceRef:
  4016. description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values
  4017. maxProperties: 1
  4018. properties:
  4019. generatorRef:
  4020. description: GeneratorRef points to a generator custom resource.
  4021. properties:
  4022. apiVersion:
  4023. default: generators.external-secrets.io/v1alpha1
  4024. description: Specify the apiVersion of the generator resource
  4025. type: string
  4026. kind:
  4027. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  4028. type: string
  4029. name:
  4030. description: Specify the name of the generator resource
  4031. type: string
  4032. required:
  4033. - kind
  4034. - name
  4035. type: object
  4036. storeRef:
  4037. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  4038. properties:
  4039. kind:
  4040. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  4041. type: string
  4042. name:
  4043. description: Name of the SecretStore resource
  4044. type: string
  4045. required:
  4046. - name
  4047. type: object
  4048. type: object
  4049. type: object
  4050. type: array
  4051. refreshInterval:
  4052. default: 1h
  4053. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  4054. type: string
  4055. secretStoreRef:
  4056. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  4057. properties:
  4058. kind:
  4059. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  4060. type: string
  4061. name:
  4062. description: Name of the SecretStore resource
  4063. type: string
  4064. required:
  4065. - name
  4066. type: object
  4067. target:
  4068. default:
  4069. creationPolicy: Owner
  4070. deletionPolicy: Retain
  4071. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  4072. properties:
  4073. creationPolicy:
  4074. default: Owner
  4075. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  4076. enum:
  4077. - Owner
  4078. - Orphan
  4079. - Merge
  4080. - None
  4081. type: string
  4082. deletionPolicy:
  4083. default: Retain
  4084. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  4085. enum:
  4086. - Delete
  4087. - Merge
  4088. - Retain
  4089. type: string
  4090. immutable:
  4091. description: Immutable defines if the final secret will be immutable
  4092. type: boolean
  4093. name:
  4094. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  4095. type: string
  4096. template:
  4097. description: Template defines a blueprint for the created Secret resource.
  4098. properties:
  4099. data:
  4100. additionalProperties:
  4101. type: string
  4102. type: object
  4103. engineVersion:
  4104. default: v2
  4105. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  4106. enum:
  4107. - v1
  4108. - v2
  4109. type: string
  4110. mergePolicy:
  4111. default: Replace
  4112. enum:
  4113. - Replace
  4114. - Merge
  4115. type: string
  4116. metadata:
  4117. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  4118. properties:
  4119. annotations:
  4120. additionalProperties:
  4121. type: string
  4122. type: object
  4123. labels:
  4124. additionalProperties:
  4125. type: string
  4126. type: object
  4127. type: object
  4128. templateFrom:
  4129. items:
  4130. properties:
  4131. configMap:
  4132. properties:
  4133. items:
  4134. items:
  4135. properties:
  4136. key:
  4137. type: string
  4138. templateAs:
  4139. default: Values
  4140. enum:
  4141. - Values
  4142. - KeysAndValues
  4143. type: string
  4144. required:
  4145. - key
  4146. type: object
  4147. type: array
  4148. name:
  4149. type: string
  4150. required:
  4151. - items
  4152. - name
  4153. type: object
  4154. literal:
  4155. type: string
  4156. secret:
  4157. properties:
  4158. items:
  4159. items:
  4160. properties:
  4161. key:
  4162. type: string
  4163. templateAs:
  4164. default: Values
  4165. enum:
  4166. - Values
  4167. - KeysAndValues
  4168. type: string
  4169. required:
  4170. - key
  4171. type: object
  4172. type: array
  4173. name:
  4174. type: string
  4175. required:
  4176. - items
  4177. - name
  4178. type: object
  4179. target:
  4180. default: Data
  4181. enum:
  4182. - Data
  4183. - Annotations
  4184. - Labels
  4185. type: string
  4186. type: object
  4187. type: array
  4188. type:
  4189. type: string
  4190. type: object
  4191. type: object
  4192. type: object
  4193. status:
  4194. properties:
  4195. binding:
  4196. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  4197. properties:
  4198. name:
  4199. description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
  4200. type: string
  4201. type: object
  4202. x-kubernetes-map-type: atomic
  4203. conditions:
  4204. items:
  4205. properties:
  4206. lastTransitionTime:
  4207. format: date-time
  4208. type: string
  4209. message:
  4210. type: string
  4211. reason:
  4212. type: string
  4213. status:
  4214. type: string
  4215. type:
  4216. type: string
  4217. required:
  4218. - status
  4219. - type
  4220. type: object
  4221. type: array
  4222. refreshTime:
  4223. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  4224. format: date-time
  4225. nullable: true
  4226. type: string
  4227. syncedResourceVersion:
  4228. description: SyncedResourceVersion keeps track of the last synced version
  4229. type: string
  4230. type: object
  4231. type: object
  4232. served: true
  4233. storage: true
  4234. subresources:
  4235. status: {}
  4236. conversion:
  4237. strategy: Webhook
  4238. webhook:
  4239. conversionReviewVersions:
  4240. - v1
  4241. clientConfig:
  4242. service:
  4243. name: kubernetes
  4244. namespace: default
  4245. path: /convert
  4246. ---
  4247. apiVersion: apiextensions.k8s.io/v1
  4248. kind: CustomResourceDefinition
  4249. metadata:
  4250. annotations:
  4251. controller-gen.kubebuilder.io/version: v0.13.0
  4252. name: pushsecrets.external-secrets.io
  4253. spec:
  4254. group: external-secrets.io
  4255. names:
  4256. categories:
  4257. - pushsecrets
  4258. kind: PushSecret
  4259. listKind: PushSecretList
  4260. plural: pushsecrets
  4261. singular: pushsecret
  4262. scope: Namespaced
  4263. versions:
  4264. - additionalPrinterColumns:
  4265. - jsonPath: .metadata.creationTimestamp
  4266. name: AGE
  4267. type: date
  4268. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4269. name: Status
  4270. type: string
  4271. name: v1alpha1
  4272. schema:
  4273. openAPIV3Schema:
  4274. properties:
  4275. apiVersion:
  4276. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4277. type: string
  4278. kind:
  4279. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4280. type: string
  4281. metadata:
  4282. type: object
  4283. spec:
  4284. description: PushSecretSpec configures the behavior of the PushSecret.
  4285. properties:
  4286. data:
  4287. description: Secret Data that should be pushed to providers
  4288. items:
  4289. properties:
  4290. match:
  4291. description: Match a given Secret Key to be pushed to the provider.
  4292. properties:
  4293. remoteRef:
  4294. description: Remote Refs to push to providers.
  4295. properties:
  4296. property:
  4297. description: Name of the property in the resulting secret
  4298. type: string
  4299. remoteKey:
  4300. description: Name of the resulting provider secret.
  4301. type: string
  4302. required:
  4303. - remoteKey
  4304. type: object
  4305. secretKey:
  4306. description: Secret Key to be pushed
  4307. type: string
  4308. required:
  4309. - remoteRef
  4310. - secretKey
  4311. type: object
  4312. metadata:
  4313. description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
  4314. x-kubernetes-preserve-unknown-fields: true
  4315. required:
  4316. - match
  4317. type: object
  4318. type: array
  4319. deletionPolicy:
  4320. default: None
  4321. description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
  4322. enum:
  4323. - Delete
  4324. - None
  4325. type: string
  4326. refreshInterval:
  4327. description: The Interval to which External Secrets will try to push a secret definition
  4328. type: string
  4329. secretStoreRefs:
  4330. items:
  4331. properties:
  4332. kind:
  4333. default: SecretStore
  4334. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  4335. type: string
  4336. labelSelector:
  4337. description: Optionally, sync to secret stores with label selector
  4338. properties:
  4339. matchExpressions:
  4340. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4341. items:
  4342. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  4343. properties:
  4344. key:
  4345. description: key is the label key that the selector applies to.
  4346. type: string
  4347. operator:
  4348. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  4349. type: string
  4350. values:
  4351. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  4352. items:
  4353. type: string
  4354. type: array
  4355. required:
  4356. - key
  4357. - operator
  4358. type: object
  4359. type: array
  4360. matchLabels:
  4361. additionalProperties:
  4362. type: string
  4363. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  4364. type: object
  4365. type: object
  4366. x-kubernetes-map-type: atomic
  4367. name:
  4368. description: Optionally, sync to the SecretStore of the given name
  4369. type: string
  4370. type: object
  4371. type: array
  4372. selector:
  4373. description: The Secret Selector (k8s source) for the Push Secret
  4374. properties:
  4375. secret:
  4376. description: Select a Secret to Push.
  4377. properties:
  4378. name:
  4379. description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
  4380. type: string
  4381. required:
  4382. - name
  4383. type: object
  4384. required:
  4385. - secret
  4386. type: object
  4387. required:
  4388. - secretStoreRefs
  4389. - selector
  4390. type: object
  4391. status:
  4392. description: PushSecretStatus indicates the history of the status of PushSecret.
  4393. properties:
  4394. conditions:
  4395. items:
  4396. description: PushSecretStatusCondition indicates the status of the PushSecret.
  4397. properties:
  4398. lastTransitionTime:
  4399. format: date-time
  4400. type: string
  4401. message:
  4402. type: string
  4403. reason:
  4404. type: string
  4405. status:
  4406. type: string
  4407. type:
  4408. description: PushSecretConditionType indicates the condition of the PushSecret.
  4409. type: string
  4410. required:
  4411. - status
  4412. - type
  4413. type: object
  4414. type: array
  4415. refreshTime:
  4416. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  4417. format: date-time
  4418. nullable: true
  4419. type: string
  4420. syncedPushSecrets:
  4421. additionalProperties:
  4422. additionalProperties:
  4423. properties:
  4424. match:
  4425. description: Match a given Secret Key to be pushed to the provider.
  4426. properties:
  4427. remoteRef:
  4428. description: Remote Refs to push to providers.
  4429. properties:
  4430. property:
  4431. description: Name of the property in the resulting secret
  4432. type: string
  4433. remoteKey:
  4434. description: Name of the resulting provider secret.
  4435. type: string
  4436. required:
  4437. - remoteKey
  4438. type: object
  4439. secretKey:
  4440. description: Secret Key to be pushed
  4441. type: string
  4442. required:
  4443. - remoteRef
  4444. - secretKey
  4445. type: object
  4446. metadata:
  4447. description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
  4448. x-kubernetes-preserve-unknown-fields: true
  4449. required:
  4450. - match
  4451. type: object
  4452. type: object
  4453. description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.
  4454. type: object
  4455. syncedResourceVersion:
  4456. description: SyncedResourceVersion keeps track of the last synced version.
  4457. type: string
  4458. type: object
  4459. type: object
  4460. served: true
  4461. storage: true
  4462. subresources:
  4463. status: {}
  4464. conversion:
  4465. strategy: Webhook
  4466. webhook:
  4467. conversionReviewVersions:
  4468. - v1
  4469. clientConfig:
  4470. service:
  4471. name: kubernetes
  4472. namespace: default
  4473. path: /convert
  4474. ---
  4475. apiVersion: apiextensions.k8s.io/v1
  4476. kind: CustomResourceDefinition
  4477. metadata:
  4478. annotations:
  4479. controller-gen.kubebuilder.io/version: v0.13.0
  4480. name: secretstores.external-secrets.io
  4481. spec:
  4482. group: external-secrets.io
  4483. names:
  4484. categories:
  4485. - externalsecrets
  4486. kind: SecretStore
  4487. listKind: SecretStoreList
  4488. plural: secretstores
  4489. shortNames:
  4490. - ss
  4491. singular: secretstore
  4492. scope: Namespaced
  4493. versions:
  4494. - additionalPrinterColumns:
  4495. - jsonPath: .metadata.creationTimestamp
  4496. name: AGE
  4497. type: date
  4498. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4499. name: Status
  4500. type: string
  4501. deprecated: true
  4502. name: v1alpha1
  4503. schema:
  4504. openAPIV3Schema:
  4505. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4506. properties:
  4507. apiVersion:
  4508. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4509. type: string
  4510. kind:
  4511. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4512. type: string
  4513. metadata:
  4514. type: object
  4515. spec:
  4516. description: SecretStoreSpec defines the desired state of SecretStore.
  4517. properties:
  4518. controller:
  4519. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
  4520. type: string
  4521. provider:
  4522. description: Used to configure the provider. Only one provider may be set
  4523. maxProperties: 1
  4524. minProperties: 1
  4525. properties:
  4526. akeyless:
  4527. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4528. properties:
  4529. akeylessGWApiURL:
  4530. description: Akeyless GW API Url from which the secrets to be fetched from.
  4531. type: string
  4532. authSecretRef:
  4533. description: Auth configures how the operator authenticates with Akeyless.
  4534. properties:
  4535. kubernetesAuth:
  4536. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  4537. properties:
  4538. accessID:
  4539. description: the Akeyless Kubernetes auth-method access-id
  4540. type: string
  4541. k8sConfName:
  4542. description: Kubernetes-auth configuration name in Akeyless-Gateway
  4543. type: string
  4544. secretRef:
  4545. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  4546. properties:
  4547. key:
  4548. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4549. type: string
  4550. name:
  4551. description: The name of the Secret resource being referred to.
  4552. type: string
  4553. namespace:
  4554. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4555. type: string
  4556. type: object
  4557. serviceAccountRef:
  4558. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  4559. properties:
  4560. audiences:
  4561. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  4562. items:
  4563. type: string
  4564. type: array
  4565. name:
  4566. description: The name of the ServiceAccount resource being referred to.
  4567. type: string
  4568. namespace:
  4569. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4570. type: string
  4571. required:
  4572. - name
  4573. type: object
  4574. required:
  4575. - accessID
  4576. - k8sConfName
  4577. type: object
  4578. secretRef:
  4579. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  4580. properties:
  4581. accessID:
  4582. description: The SecretAccessID is used for authentication
  4583. properties:
  4584. key:
  4585. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4586. type: string
  4587. name:
  4588. description: The name of the Secret resource being referred to.
  4589. type: string
  4590. namespace:
  4591. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4592. type: string
  4593. type: object
  4594. accessType:
  4595. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4596. properties:
  4597. key:
  4598. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4599. type: string
  4600. name:
  4601. description: The name of the Secret resource being referred to.
  4602. type: string
  4603. namespace:
  4604. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4605. type: string
  4606. type: object
  4607. accessTypeParam:
  4608. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4609. properties:
  4610. key:
  4611. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4612. type: string
  4613. name:
  4614. description: The name of the Secret resource being referred to.
  4615. type: string
  4616. namespace:
  4617. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4618. type: string
  4619. type: object
  4620. type: object
  4621. type: object
  4622. caBundle:
  4623. description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
  4624. format: byte
  4625. type: string
  4626. caProvider:
  4627. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  4628. properties:
  4629. key:
  4630. description: The key the value inside of the provider type to use, only used with "Secret" type
  4631. type: string
  4632. name:
  4633. description: The name of the object located at the provider type.
  4634. type: string
  4635. namespace:
  4636. description: The namespace the Provider type is in.
  4637. type: string
  4638. type:
  4639. description: The type of provider to use such as "Secret", or "ConfigMap".
  4640. enum:
  4641. - Secret
  4642. - ConfigMap
  4643. type: string
  4644. required:
  4645. - name
  4646. - type
  4647. type: object
  4648. required:
  4649. - akeylessGWApiURL
  4650. - authSecretRef
  4651. type: object
  4652. alibaba:
  4653. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4654. properties:
  4655. auth:
  4656. description: AlibabaAuth contains a secretRef for credentials.
  4657. properties:
  4658. rrsa:
  4659. description: Authenticate against Alibaba using RRSA.
  4660. properties:
  4661. oidcProviderArn:
  4662. type: string
  4663. oidcTokenFilePath:
  4664. type: string
  4665. roleArn:
  4666. type: string
  4667. sessionName:
  4668. type: string
  4669. required:
  4670. - oidcProviderArn
  4671. - oidcTokenFilePath
  4672. - roleArn
  4673. - sessionName
  4674. type: object
  4675. secretRef:
  4676. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4677. properties:
  4678. accessKeyIDSecretRef:
  4679. description: The AccessKeyID is used for authentication
  4680. properties:
  4681. key:
  4682. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4683. type: string
  4684. name:
  4685. description: The name of the Secret resource being referred to.
  4686. type: string
  4687. namespace:
  4688. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4689. type: string
  4690. type: object
  4691. accessKeySecretSecretRef:
  4692. description: The AccessKeySecret is used for authentication
  4693. properties:
  4694. key:
  4695. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4696. type: string
  4697. name:
  4698. description: The name of the Secret resource being referred to.
  4699. type: string
  4700. namespace:
  4701. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4702. type: string
  4703. type: object
  4704. required:
  4705. - accessKeyIDSecretRef
  4706. - accessKeySecretSecretRef
  4707. type: object
  4708. type: object
  4709. regionID:
  4710. description: Alibaba Region to be used for the provider
  4711. type: string
  4712. required:
  4713. - auth
  4714. - regionID
  4715. type: object
  4716. aws:
  4717. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4718. properties:
  4719. auth:
  4720. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4721. properties:
  4722. jwt:
  4723. description: Authenticate against AWS using service account tokens.
  4724. properties:
  4725. serviceAccountRef:
  4726. description: A reference to a ServiceAccount resource.
  4727. properties:
  4728. audiences:
  4729. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  4730. items:
  4731. type: string
  4732. type: array
  4733. name:
  4734. description: The name of the ServiceAccount resource being referred to.
  4735. type: string
  4736. namespace:
  4737. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4738. type: string
  4739. required:
  4740. - name
  4741. type: object
  4742. type: object
  4743. secretRef:
  4744. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4745. properties:
  4746. accessKeyIDSecretRef:
  4747. description: The AccessKeyID is used for authentication
  4748. properties:
  4749. key:
  4750. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4751. type: string
  4752. name:
  4753. description: The name of the Secret resource being referred to.
  4754. type: string
  4755. namespace:
  4756. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4757. type: string
  4758. type: object
  4759. secretAccessKeySecretRef:
  4760. description: The SecretAccessKey is used for authentication
  4761. properties:
  4762. key:
  4763. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4764. type: string
  4765. name:
  4766. description: The name of the Secret resource being referred to.
  4767. type: string
  4768. namespace:
  4769. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4770. type: string
  4771. type: object
  4772. type: object
  4773. type: object
  4774. region:
  4775. description: AWS Region to be used for the provider
  4776. type: string
  4777. role:
  4778. description: Role is a Role ARN which the SecretManager provider will assume
  4779. type: string
  4780. service:
  4781. description: Service defines which service should be used to fetch the secrets
  4782. enum:
  4783. - SecretsManager
  4784. - ParameterStore
  4785. type: string
  4786. required:
  4787. - region
  4788. - service
  4789. type: object
  4790. azurekv:
  4791. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4792. properties:
  4793. authSecretRef:
  4794. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4795. properties:
  4796. clientId:
  4797. description: The Azure clientId of the service principle used for authentication.
  4798. properties:
  4799. key:
  4800. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4801. type: string
  4802. name:
  4803. description: The name of the Secret resource being referred to.
  4804. type: string
  4805. namespace:
  4806. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4807. type: string
  4808. type: object
  4809. clientSecret:
  4810. description: The Azure ClientSecret of the service principle used for authentication.
  4811. properties:
  4812. key:
  4813. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4814. type: string
  4815. name:
  4816. description: The name of the Secret resource being referred to.
  4817. type: string
  4818. namespace:
  4819. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4820. type: string
  4821. type: object
  4822. type: object
  4823. authType:
  4824. default: ServicePrincipal
  4825. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  4826. enum:
  4827. - ServicePrincipal
  4828. - ManagedIdentity
  4829. - WorkloadIdentity
  4830. type: string
  4831. identityId:
  4832. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  4833. type: string
  4834. serviceAccountRef:
  4835. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  4836. properties:
  4837. audiences:
  4838. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  4839. items:
  4840. type: string
  4841. type: array
  4842. name:
  4843. description: The name of the ServiceAccount resource being referred to.
  4844. type: string
  4845. namespace:
  4846. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4847. type: string
  4848. required:
  4849. - name
  4850. type: object
  4851. tenantId:
  4852. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4853. type: string
  4854. vaultUrl:
  4855. description: Vault Url from which the secrets to be fetched from.
  4856. type: string
  4857. required:
  4858. - vaultUrl
  4859. type: object
  4860. fake:
  4861. description: Fake configures a store with static key/value pairs
  4862. properties:
  4863. data:
  4864. items:
  4865. properties:
  4866. key:
  4867. type: string
  4868. value:
  4869. type: string
  4870. valueMap:
  4871. additionalProperties:
  4872. type: string
  4873. type: object
  4874. version:
  4875. type: string
  4876. required:
  4877. - key
  4878. type: object
  4879. type: array
  4880. required:
  4881. - data
  4882. type: object
  4883. gcpsm:
  4884. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4885. properties:
  4886. auth:
  4887. description: Auth defines the information necessary to authenticate against GCP
  4888. properties:
  4889. secretRef:
  4890. properties:
  4891. secretAccessKeySecretRef:
  4892. description: The SecretAccessKey is used for authentication
  4893. properties:
  4894. key:
  4895. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4896. type: string
  4897. name:
  4898. description: The name of the Secret resource being referred to.
  4899. type: string
  4900. namespace:
  4901. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4902. type: string
  4903. type: object
  4904. type: object
  4905. workloadIdentity:
  4906. properties:
  4907. clusterLocation:
  4908. type: string
  4909. clusterName:
  4910. type: string
  4911. clusterProjectID:
  4912. type: string
  4913. serviceAccountRef:
  4914. description: A reference to a ServiceAccount resource.
  4915. properties:
  4916. audiences:
  4917. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  4918. items:
  4919. type: string
  4920. type: array
  4921. name:
  4922. description: The name of the ServiceAccount resource being referred to.
  4923. type: string
  4924. namespace:
  4925. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4926. type: string
  4927. required:
  4928. - name
  4929. type: object
  4930. required:
  4931. - clusterLocation
  4932. - clusterName
  4933. - serviceAccountRef
  4934. type: object
  4935. type: object
  4936. projectID:
  4937. description: ProjectID project where secret is located
  4938. type: string
  4939. type: object
  4940. gitlab:
  4941. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4942. properties:
  4943. auth:
  4944. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4945. properties:
  4946. SecretRef:
  4947. properties:
  4948. accessToken:
  4949. description: AccessToken is used for authentication.
  4950. properties:
  4951. key:
  4952. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4953. type: string
  4954. name:
  4955. description: The name of the Secret resource being referred to.
  4956. type: string
  4957. namespace:
  4958. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4959. type: string
  4960. type: object
  4961. type: object
  4962. required:
  4963. - SecretRef
  4964. type: object
  4965. projectID:
  4966. description: ProjectID specifies a project where secrets are located.
  4967. type: string
  4968. url:
  4969. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4970. type: string
  4971. required:
  4972. - auth
  4973. type: object
  4974. ibm:
  4975. description: IBM configures this store to sync secrets using IBM Cloud provider
  4976. properties:
  4977. auth:
  4978. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4979. properties:
  4980. secretRef:
  4981. properties:
  4982. secretApiKeySecretRef:
  4983. description: The SecretAccessKey is used for authentication
  4984. properties:
  4985. key:
  4986. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4987. type: string
  4988. name:
  4989. description: The name of the Secret resource being referred to.
  4990. type: string
  4991. namespace:
  4992. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4993. type: string
  4994. type: object
  4995. type: object
  4996. required:
  4997. - secretRef
  4998. type: object
  4999. serviceUrl:
  5000. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  5001. type: string
  5002. required:
  5003. - auth
  5004. type: object
  5005. kubernetes:
  5006. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5007. properties:
  5008. auth:
  5009. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5010. maxProperties: 1
  5011. minProperties: 1
  5012. properties:
  5013. cert:
  5014. description: has both clientCert and clientKey as secretKeySelector
  5015. properties:
  5016. clientCert:
  5017. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5018. properties:
  5019. key:
  5020. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5021. type: string
  5022. name:
  5023. description: The name of the Secret resource being referred to.
  5024. type: string
  5025. namespace:
  5026. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5027. type: string
  5028. type: object
  5029. clientKey:
  5030. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5031. properties:
  5032. key:
  5033. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5034. type: string
  5035. name:
  5036. description: The name of the Secret resource being referred to.
  5037. type: string
  5038. namespace:
  5039. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5040. type: string
  5041. type: object
  5042. type: object
  5043. serviceAccount:
  5044. description: points to a service account that should be used for authentication
  5045. properties:
  5046. serviceAccount:
  5047. description: A reference to a ServiceAccount resource.
  5048. properties:
  5049. audiences:
  5050. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5051. items:
  5052. type: string
  5053. type: array
  5054. name:
  5055. description: The name of the ServiceAccount resource being referred to.
  5056. type: string
  5057. namespace:
  5058. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5059. type: string
  5060. required:
  5061. - name
  5062. type: object
  5063. type: object
  5064. token:
  5065. description: use static token to authenticate with
  5066. properties:
  5067. bearerToken:
  5068. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5069. properties:
  5070. key:
  5071. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5072. type: string
  5073. name:
  5074. description: The name of the Secret resource being referred to.
  5075. type: string
  5076. namespace:
  5077. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5078. type: string
  5079. type: object
  5080. type: object
  5081. type: object
  5082. remoteNamespace:
  5083. default: default
  5084. description: Remote namespace to fetch the secrets from
  5085. type: string
  5086. server:
  5087. description: configures the Kubernetes server Address.
  5088. properties:
  5089. caBundle:
  5090. description: CABundle is a base64-encoded CA certificate
  5091. format: byte
  5092. type: string
  5093. caProvider:
  5094. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5095. properties:
  5096. key:
  5097. description: The key the value inside of the provider type to use, only used with "Secret" type
  5098. type: string
  5099. name:
  5100. description: The name of the object located at the provider type.
  5101. type: string
  5102. namespace:
  5103. description: The namespace the Provider type is in.
  5104. type: string
  5105. type:
  5106. description: The type of provider to use such as "Secret", or "ConfigMap".
  5107. enum:
  5108. - Secret
  5109. - ConfigMap
  5110. type: string
  5111. required:
  5112. - name
  5113. - type
  5114. type: object
  5115. url:
  5116. default: kubernetes.default
  5117. description: configures the Kubernetes server Address.
  5118. type: string
  5119. type: object
  5120. required:
  5121. - auth
  5122. type: object
  5123. oracle:
  5124. description: Oracle configures this store to sync secrets using Oracle Vault provider
  5125. properties:
  5126. auth:
  5127. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
  5128. properties:
  5129. secretRef:
  5130. description: SecretRef to pass through sensitive information.
  5131. properties:
  5132. fingerprint:
  5133. description: Fingerprint is the fingerprint of the API private key.
  5134. properties:
  5135. key:
  5136. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5137. type: string
  5138. name:
  5139. description: The name of the Secret resource being referred to.
  5140. type: string
  5141. namespace:
  5142. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5143. type: string
  5144. type: object
  5145. privatekey:
  5146. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  5147. properties:
  5148. key:
  5149. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5150. type: string
  5151. name:
  5152. description: The name of the Secret resource being referred to.
  5153. type: string
  5154. namespace:
  5155. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5156. type: string
  5157. type: object
  5158. required:
  5159. - fingerprint
  5160. - privatekey
  5161. type: object
  5162. tenancy:
  5163. description: Tenancy is the tenancy OCID where user is located.
  5164. type: string
  5165. user:
  5166. description: User is an access OCID specific to the account.
  5167. type: string
  5168. required:
  5169. - secretRef
  5170. - tenancy
  5171. - user
  5172. type: object
  5173. compartment:
  5174. description: Compartment is the vault compartment OCID. Required for PushSecret
  5175. type: string
  5176. encryptionKey:
  5177. description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
  5178. type: string
  5179. principalType:
  5180. description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
  5181. enum:
  5182. - ""
  5183. - UserPrincipal
  5184. - InstancePrincipal
  5185. - Workload
  5186. type: string
  5187. region:
  5188. description: Region is the region where vault is located.
  5189. type: string
  5190. serviceAccountRef:
  5191. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  5192. properties:
  5193. audiences:
  5194. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5195. items:
  5196. type: string
  5197. type: array
  5198. name:
  5199. description: The name of the ServiceAccount resource being referred to.
  5200. type: string
  5201. namespace:
  5202. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5203. type: string
  5204. required:
  5205. - name
  5206. type: object
  5207. vault:
  5208. description: Vault is the vault's OCID of the specific vault where secret is located.
  5209. type: string
  5210. required:
  5211. - region
  5212. - vault
  5213. type: object
  5214. vault:
  5215. description: Vault configures this store to sync secrets using Hashi provider
  5216. properties:
  5217. auth:
  5218. description: Auth configures how secret-manager authenticates with the Vault server.
  5219. properties:
  5220. appRole:
  5221. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  5222. properties:
  5223. path:
  5224. default: approle
  5225. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  5226. type: string
  5227. roleId:
  5228. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  5229. type: string
  5230. secretRef:
  5231. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  5232. properties:
  5233. key:
  5234. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5235. type: string
  5236. name:
  5237. description: The name of the Secret resource being referred to.
  5238. type: string
  5239. namespace:
  5240. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5241. type: string
  5242. type: object
  5243. required:
  5244. - path
  5245. - roleId
  5246. - secretRef
  5247. type: object
  5248. cert:
  5249. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  5250. properties:
  5251. clientCert:
  5252. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  5253. properties:
  5254. key:
  5255. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5256. type: string
  5257. name:
  5258. description: The name of the Secret resource being referred to.
  5259. type: string
  5260. namespace:
  5261. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5262. type: string
  5263. type: object
  5264. secretRef:
  5265. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  5266. properties:
  5267. key:
  5268. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5269. type: string
  5270. name:
  5271. description: The name of the Secret resource being referred to.
  5272. type: string
  5273. namespace:
  5274. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5275. type: string
  5276. type: object
  5277. type: object
  5278. jwt:
  5279. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  5280. properties:
  5281. kubernetesServiceAccountToken:
  5282. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  5283. properties:
  5284. audiences:
  5285. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  5286. items:
  5287. type: string
  5288. type: array
  5289. expirationSeconds:
  5290. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  5291. format: int64
  5292. type: integer
  5293. serviceAccountRef:
  5294. description: Service account field containing the name of a kubernetes ServiceAccount.
  5295. properties:
  5296. audiences:
  5297. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5298. items:
  5299. type: string
  5300. type: array
  5301. name:
  5302. description: The name of the ServiceAccount resource being referred to.
  5303. type: string
  5304. namespace:
  5305. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5306. type: string
  5307. required:
  5308. - name
  5309. type: object
  5310. required:
  5311. - serviceAccountRef
  5312. type: object
  5313. path:
  5314. default: jwt
  5315. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  5316. type: string
  5317. role:
  5318. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  5319. type: string
  5320. secretRef:
  5321. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  5322. properties:
  5323. key:
  5324. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5325. type: string
  5326. name:
  5327. description: The name of the Secret resource being referred to.
  5328. type: string
  5329. namespace:
  5330. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5331. type: string
  5332. type: object
  5333. required:
  5334. - path
  5335. type: object
  5336. kubernetes:
  5337. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  5338. properties:
  5339. mountPath:
  5340. default: kubernetes
  5341. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  5342. type: string
  5343. role:
  5344. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  5345. type: string
  5346. secretRef:
  5347. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  5348. properties:
  5349. key:
  5350. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5351. type: string
  5352. name:
  5353. description: The name of the Secret resource being referred to.
  5354. type: string
  5355. namespace:
  5356. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5357. type: string
  5358. type: object
  5359. serviceAccountRef:
  5360. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  5361. properties:
  5362. audiences:
  5363. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5364. items:
  5365. type: string
  5366. type: array
  5367. name:
  5368. description: The name of the ServiceAccount resource being referred to.
  5369. type: string
  5370. namespace:
  5371. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5372. type: string
  5373. required:
  5374. - name
  5375. type: object
  5376. required:
  5377. - mountPath
  5378. - role
  5379. type: object
  5380. ldap:
  5381. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5382. properties:
  5383. path:
  5384. default: ldap
  5385. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5386. type: string
  5387. secretRef:
  5388. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5389. properties:
  5390. key:
  5391. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5392. type: string
  5393. name:
  5394. description: The name of the Secret resource being referred to.
  5395. type: string
  5396. namespace:
  5397. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5398. type: string
  5399. type: object
  5400. username:
  5401. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5402. type: string
  5403. required:
  5404. - path
  5405. - username
  5406. type: object
  5407. tokenSecretRef:
  5408. description: TokenSecretRef authenticates with Vault by presenting a token.
  5409. properties:
  5410. key:
  5411. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5412. type: string
  5413. name:
  5414. description: The name of the Secret resource being referred to.
  5415. type: string
  5416. namespace:
  5417. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5418. type: string
  5419. type: object
  5420. type: object
  5421. caBundle:
  5422. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5423. format: byte
  5424. type: string
  5425. caProvider:
  5426. description: The provider for the CA bundle to use to validate Vault server certificate.
  5427. properties:
  5428. key:
  5429. description: The key the value inside of the provider type to use, only used with "Secret" type
  5430. type: string
  5431. name:
  5432. description: The name of the object located at the provider type.
  5433. type: string
  5434. namespace:
  5435. description: The namespace the Provider type is in.
  5436. type: string
  5437. type:
  5438. description: The type of provider to use such as "Secret", or "ConfigMap".
  5439. enum:
  5440. - Secret
  5441. - ConfigMap
  5442. type: string
  5443. required:
  5444. - name
  5445. - type
  5446. type: object
  5447. forwardInconsistent:
  5448. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5449. type: boolean
  5450. namespace:
  5451. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5452. type: string
  5453. path:
  5454. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5455. type: string
  5456. readYourWrites:
  5457. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5458. type: boolean
  5459. server:
  5460. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5461. type: string
  5462. version:
  5463. default: v2
  5464. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5465. enum:
  5466. - v1
  5467. - v2
  5468. type: string
  5469. required:
  5470. - auth
  5471. - server
  5472. type: object
  5473. webhook:
  5474. description: Webhook configures this store to sync secrets using a generic templated webhook
  5475. properties:
  5476. body:
  5477. description: Body
  5478. type: string
  5479. caBundle:
  5480. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5481. format: byte
  5482. type: string
  5483. caProvider:
  5484. description: The provider for the CA bundle to use to validate webhook server certificate.
  5485. properties:
  5486. key:
  5487. description: The key the value inside of the provider type to use, only used with "Secret" type
  5488. type: string
  5489. name:
  5490. description: The name of the object located at the provider type.
  5491. type: string
  5492. namespace:
  5493. description: The namespace the Provider type is in.
  5494. type: string
  5495. type:
  5496. description: The type of provider to use such as "Secret", or "ConfigMap".
  5497. enum:
  5498. - Secret
  5499. - ConfigMap
  5500. type: string
  5501. required:
  5502. - name
  5503. - type
  5504. type: object
  5505. headers:
  5506. additionalProperties:
  5507. type: string
  5508. description: Headers
  5509. type: object
  5510. method:
  5511. description: Webhook Method
  5512. type: string
  5513. result:
  5514. description: Result formatting
  5515. properties:
  5516. jsonPath:
  5517. description: Json path of return value
  5518. type: string
  5519. type: object
  5520. secrets:
  5521. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  5522. items:
  5523. properties:
  5524. name:
  5525. description: Name of this secret in templates
  5526. type: string
  5527. secretRef:
  5528. description: Secret ref to fill in credentials
  5529. properties:
  5530. key:
  5531. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5532. type: string
  5533. name:
  5534. description: The name of the Secret resource being referred to.
  5535. type: string
  5536. namespace:
  5537. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5538. type: string
  5539. type: object
  5540. required:
  5541. - name
  5542. - secretRef
  5543. type: object
  5544. type: array
  5545. timeout:
  5546. description: Timeout
  5547. type: string
  5548. url:
  5549. description: Webhook url to call
  5550. type: string
  5551. required:
  5552. - result
  5553. - url
  5554. type: object
  5555. yandexlockbox:
  5556. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5557. properties:
  5558. apiEndpoint:
  5559. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5560. type: string
  5561. auth:
  5562. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5563. properties:
  5564. authorizedKeySecretRef:
  5565. description: The authorized key used for authentication
  5566. properties:
  5567. key:
  5568. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5569. type: string
  5570. name:
  5571. description: The name of the Secret resource being referred to.
  5572. type: string
  5573. namespace:
  5574. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5575. type: string
  5576. type: object
  5577. type: object
  5578. caProvider:
  5579. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5580. properties:
  5581. certSecretRef:
  5582. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5583. properties:
  5584. key:
  5585. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5586. type: string
  5587. name:
  5588. description: The name of the Secret resource being referred to.
  5589. type: string
  5590. namespace:
  5591. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5592. type: string
  5593. type: object
  5594. type: object
  5595. required:
  5596. - auth
  5597. type: object
  5598. type: object
  5599. retrySettings:
  5600. description: Used to configure http retries if failed
  5601. properties:
  5602. maxRetries:
  5603. format: int32
  5604. type: integer
  5605. retryInterval:
  5606. type: string
  5607. type: object
  5608. required:
  5609. - provider
  5610. type: object
  5611. status:
  5612. description: SecretStoreStatus defines the observed state of the SecretStore.
  5613. properties:
  5614. conditions:
  5615. items:
  5616. properties:
  5617. lastTransitionTime:
  5618. format: date-time
  5619. type: string
  5620. message:
  5621. type: string
  5622. reason:
  5623. type: string
  5624. status:
  5625. type: string
  5626. type:
  5627. type: string
  5628. required:
  5629. - status
  5630. - type
  5631. type: object
  5632. type: array
  5633. type: object
  5634. type: object
  5635. served: true
  5636. storage: false
  5637. subresources:
  5638. status: {}
  5639. - additionalPrinterColumns:
  5640. - jsonPath: .metadata.creationTimestamp
  5641. name: AGE
  5642. type: date
  5643. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5644. name: Status
  5645. type: string
  5646. - jsonPath: .status.capabilities
  5647. name: Capabilities
  5648. type: string
  5649. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5650. name: Ready
  5651. type: string
  5652. name: v1beta1
  5653. schema:
  5654. openAPIV3Schema:
  5655. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  5656. properties:
  5657. apiVersion:
  5658. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  5659. type: string
  5660. kind:
  5661. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  5662. type: string
  5663. metadata:
  5664. type: object
  5665. spec:
  5666. description: SecretStoreSpec defines the desired state of SecretStore.
  5667. properties:
  5668. conditions:
  5669. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  5670. items:
  5671. description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
  5672. properties:
  5673. namespaceSelector:
  5674. description: Choose namespace using a labelSelector
  5675. properties:
  5676. matchExpressions:
  5677. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  5678. items:
  5679. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  5680. properties:
  5681. key:
  5682. description: key is the label key that the selector applies to.
  5683. type: string
  5684. operator:
  5685. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  5686. type: string
  5687. values:
  5688. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  5689. items:
  5690. type: string
  5691. type: array
  5692. required:
  5693. - key
  5694. - operator
  5695. type: object
  5696. type: array
  5697. matchLabels:
  5698. additionalProperties:
  5699. type: string
  5700. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  5701. type: object
  5702. type: object
  5703. x-kubernetes-map-type: atomic
  5704. namespaces:
  5705. description: Choose namespaces by name
  5706. items:
  5707. type: string
  5708. type: array
  5709. type: object
  5710. type: array
  5711. controller:
  5712. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
  5713. type: string
  5714. provider:
  5715. description: Used to configure the provider. Only one provider may be set
  5716. maxProperties: 1
  5717. minProperties: 1
  5718. properties:
  5719. akeyless:
  5720. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  5721. properties:
  5722. akeylessGWApiURL:
  5723. description: Akeyless GW API Url from which the secrets to be fetched from.
  5724. type: string
  5725. authSecretRef:
  5726. description: Auth configures how the operator authenticates with Akeyless.
  5727. properties:
  5728. kubernetesAuth:
  5729. description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
  5730. properties:
  5731. accessID:
  5732. description: the Akeyless Kubernetes auth-method access-id
  5733. type: string
  5734. k8sConfName:
  5735. description: Kubernetes-auth configuration name in Akeyless-Gateway
  5736. type: string
  5737. secretRef:
  5738. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  5739. properties:
  5740. key:
  5741. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5742. type: string
  5743. name:
  5744. description: The name of the Secret resource being referred to.
  5745. type: string
  5746. namespace:
  5747. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5748. type: string
  5749. type: object
  5750. serviceAccountRef:
  5751. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
  5752. properties:
  5753. audiences:
  5754. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5755. items:
  5756. type: string
  5757. type: array
  5758. name:
  5759. description: The name of the ServiceAccount resource being referred to.
  5760. type: string
  5761. namespace:
  5762. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5763. type: string
  5764. required:
  5765. - name
  5766. type: object
  5767. required:
  5768. - accessID
  5769. - k8sConfName
  5770. type: object
  5771. secretRef:
  5772. description: Reference to a Secret that contains the details to authenticate with Akeyless.
  5773. properties:
  5774. accessID:
  5775. description: The SecretAccessID is used for authentication
  5776. properties:
  5777. key:
  5778. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5779. type: string
  5780. name:
  5781. description: The name of the Secret resource being referred to.
  5782. type: string
  5783. namespace:
  5784. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5785. type: string
  5786. type: object
  5787. accessType:
  5788. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5789. properties:
  5790. key:
  5791. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5792. type: string
  5793. name:
  5794. description: The name of the Secret resource being referred to.
  5795. type: string
  5796. namespace:
  5797. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5798. type: string
  5799. type: object
  5800. accessTypeParam:
  5801. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5802. properties:
  5803. key:
  5804. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5805. type: string
  5806. name:
  5807. description: The name of the Secret resource being referred to.
  5808. type: string
  5809. namespace:
  5810. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5811. type: string
  5812. type: object
  5813. type: object
  5814. type: object
  5815. caBundle:
  5816. description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
  5817. format: byte
  5818. type: string
  5819. caProvider:
  5820. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  5821. properties:
  5822. key:
  5823. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5824. type: string
  5825. name:
  5826. description: The name of the object located at the provider type.
  5827. type: string
  5828. namespace:
  5829. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  5830. type: string
  5831. type:
  5832. description: The type of provider to use such as "Secret", or "ConfigMap".
  5833. enum:
  5834. - Secret
  5835. - ConfigMap
  5836. type: string
  5837. required:
  5838. - name
  5839. - type
  5840. type: object
  5841. required:
  5842. - akeylessGWApiURL
  5843. - authSecretRef
  5844. type: object
  5845. alibaba:
  5846. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  5847. properties:
  5848. auth:
  5849. description: AlibabaAuth contains a secretRef for credentials.
  5850. properties:
  5851. rrsa:
  5852. description: Authenticate against Alibaba using RRSA.
  5853. properties:
  5854. oidcProviderArn:
  5855. type: string
  5856. oidcTokenFilePath:
  5857. type: string
  5858. roleArn:
  5859. type: string
  5860. sessionName:
  5861. type: string
  5862. required:
  5863. - oidcProviderArn
  5864. - oidcTokenFilePath
  5865. - roleArn
  5866. - sessionName
  5867. type: object
  5868. secretRef:
  5869. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  5870. properties:
  5871. accessKeyIDSecretRef:
  5872. description: The AccessKeyID is used for authentication
  5873. properties:
  5874. key:
  5875. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5876. type: string
  5877. name:
  5878. description: The name of the Secret resource being referred to.
  5879. type: string
  5880. namespace:
  5881. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5882. type: string
  5883. type: object
  5884. accessKeySecretSecretRef:
  5885. description: The AccessKeySecret is used for authentication
  5886. properties:
  5887. key:
  5888. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5889. type: string
  5890. name:
  5891. description: The name of the Secret resource being referred to.
  5892. type: string
  5893. namespace:
  5894. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5895. type: string
  5896. type: object
  5897. required:
  5898. - accessKeyIDSecretRef
  5899. - accessKeySecretSecretRef
  5900. type: object
  5901. type: object
  5902. regionID:
  5903. description: Alibaba Region to be used for the provider
  5904. type: string
  5905. required:
  5906. - auth
  5907. - regionID
  5908. type: object
  5909. aws:
  5910. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  5911. properties:
  5912. additionalRoles:
  5913. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  5914. items:
  5915. type: string
  5916. type: array
  5917. auth:
  5918. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  5919. properties:
  5920. jwt:
  5921. description: Authenticate against AWS using service account tokens.
  5922. properties:
  5923. serviceAccountRef:
  5924. description: A reference to a ServiceAccount resource.
  5925. properties:
  5926. audiences:
  5927. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  5928. items:
  5929. type: string
  5930. type: array
  5931. name:
  5932. description: The name of the ServiceAccount resource being referred to.
  5933. type: string
  5934. namespace:
  5935. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5936. type: string
  5937. required:
  5938. - name
  5939. type: object
  5940. type: object
  5941. secretRef:
  5942. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  5943. properties:
  5944. accessKeyIDSecretRef:
  5945. description: The AccessKeyID is used for authentication
  5946. properties:
  5947. key:
  5948. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5949. type: string
  5950. name:
  5951. description: The name of the Secret resource being referred to.
  5952. type: string
  5953. namespace:
  5954. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5955. type: string
  5956. type: object
  5957. secretAccessKeySecretRef:
  5958. description: The SecretAccessKey is used for authentication
  5959. properties:
  5960. key:
  5961. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5962. type: string
  5963. name:
  5964. description: The name of the Secret resource being referred to.
  5965. type: string
  5966. namespace:
  5967. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5968. type: string
  5969. type: object
  5970. sessionTokenSecretRef:
  5971. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  5972. properties:
  5973. key:
  5974. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5975. type: string
  5976. name:
  5977. description: The name of the Secret resource being referred to.
  5978. type: string
  5979. namespace:
  5980. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5981. type: string
  5982. type: object
  5983. type: object
  5984. type: object
  5985. externalID:
  5986. description: AWS External ID set on assumed IAM roles
  5987. type: string
  5988. region:
  5989. description: AWS Region to be used for the provider
  5990. type: string
  5991. role:
  5992. description: Role is a Role ARN which the provider will assume
  5993. type: string
  5994. secretsManager:
  5995. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  5996. properties:
  5997. forceDeleteWithoutRecovery:
  5998. description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
  5999. type: boolean
  6000. recoveryWindowInDays:
  6001. description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
  6002. format: int64
  6003. type: integer
  6004. type: object
  6005. service:
  6006. description: Service defines which service should be used to fetch the secrets
  6007. enum:
  6008. - SecretsManager
  6009. - ParameterStore
  6010. type: string
  6011. sessionTags:
  6012. description: AWS STS assume role session tags
  6013. items:
  6014. properties:
  6015. key:
  6016. type: string
  6017. value:
  6018. type: string
  6019. required:
  6020. - key
  6021. - value
  6022. type: object
  6023. type: array
  6024. transitiveTagKeys:
  6025. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  6026. items:
  6027. type: string
  6028. type: array
  6029. required:
  6030. - region
  6031. - service
  6032. type: object
  6033. azurekv:
  6034. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  6035. properties:
  6036. authSecretRef:
  6037. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  6038. properties:
  6039. clientId:
  6040. description: The Azure clientId of the service principle used for authentication.
  6041. properties:
  6042. key:
  6043. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6044. type: string
  6045. name:
  6046. description: The name of the Secret resource being referred to.
  6047. type: string
  6048. namespace:
  6049. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6050. type: string
  6051. type: object
  6052. clientSecret:
  6053. description: The Azure ClientSecret of the service principle used for authentication.
  6054. properties:
  6055. key:
  6056. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6057. type: string
  6058. name:
  6059. description: The name of the Secret resource being referred to.
  6060. type: string
  6061. namespace:
  6062. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6063. type: string
  6064. type: object
  6065. type: object
  6066. authType:
  6067. default: ServicePrincipal
  6068. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  6069. enum:
  6070. - ServicePrincipal
  6071. - ManagedIdentity
  6072. - WorkloadIdentity
  6073. type: string
  6074. environmentType:
  6075. default: PublicCloud
  6076. description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
  6077. enum:
  6078. - PublicCloud
  6079. - USGovernmentCloud
  6080. - ChinaCloud
  6081. - GermanCloud
  6082. type: string
  6083. identityId:
  6084. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  6085. type: string
  6086. serviceAccountRef:
  6087. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  6088. properties:
  6089. audiences:
  6090. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6091. items:
  6092. type: string
  6093. type: array
  6094. name:
  6095. description: The name of the ServiceAccount resource being referred to.
  6096. type: string
  6097. namespace:
  6098. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6099. type: string
  6100. required:
  6101. - name
  6102. type: object
  6103. tenantId:
  6104. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  6105. type: string
  6106. vaultUrl:
  6107. description: Vault Url from which the secrets to be fetched from.
  6108. type: string
  6109. required:
  6110. - vaultUrl
  6111. type: object
  6112. conjur:
  6113. description: Conjur configures this store to sync secrets using conjur provider
  6114. properties:
  6115. auth:
  6116. properties:
  6117. apikey:
  6118. properties:
  6119. account:
  6120. type: string
  6121. apiKeyRef:
  6122. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6123. properties:
  6124. key:
  6125. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6126. type: string
  6127. name:
  6128. description: The name of the Secret resource being referred to.
  6129. type: string
  6130. namespace:
  6131. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6132. type: string
  6133. type: object
  6134. userRef:
  6135. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6136. properties:
  6137. key:
  6138. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6139. type: string
  6140. name:
  6141. description: The name of the Secret resource being referred to.
  6142. type: string
  6143. namespace:
  6144. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6145. type: string
  6146. type: object
  6147. required:
  6148. - account
  6149. - apiKeyRef
  6150. - userRef
  6151. type: object
  6152. jwt:
  6153. properties:
  6154. account:
  6155. type: string
  6156. secretRef:
  6157. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
  6158. properties:
  6159. key:
  6160. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6161. type: string
  6162. name:
  6163. description: The name of the Secret resource being referred to.
  6164. type: string
  6165. namespace:
  6166. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6167. type: string
  6168. type: object
  6169. serviceAccountRef:
  6170. description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  6171. properties:
  6172. audiences:
  6173. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6174. items:
  6175. type: string
  6176. type: array
  6177. name:
  6178. description: The name of the ServiceAccount resource being referred to.
  6179. type: string
  6180. namespace:
  6181. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6182. type: string
  6183. required:
  6184. - name
  6185. type: object
  6186. serviceID:
  6187. description: The conjur authn jwt webservice id
  6188. type: string
  6189. required:
  6190. - account
  6191. - serviceID
  6192. type: object
  6193. type: object
  6194. caBundle:
  6195. type: string
  6196. caProvider:
  6197. description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6198. properties:
  6199. key:
  6200. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6201. type: string
  6202. name:
  6203. description: The name of the object located at the provider type.
  6204. type: string
  6205. namespace:
  6206. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  6207. type: string
  6208. type:
  6209. description: The type of provider to use such as "Secret", or "ConfigMap".
  6210. enum:
  6211. - Secret
  6212. - ConfigMap
  6213. type: string
  6214. required:
  6215. - name
  6216. - type
  6217. type: object
  6218. url:
  6219. type: string
  6220. required:
  6221. - auth
  6222. - url
  6223. type: object
  6224. delinea:
  6225. description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  6226. properties:
  6227. clientId:
  6228. description: ClientID is the non-secret part of the credential.
  6229. properties:
  6230. secretRef:
  6231. description: SecretRef references a key in a secret that will be used as value.
  6232. properties:
  6233. key:
  6234. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6235. type: string
  6236. name:
  6237. description: The name of the Secret resource being referred to.
  6238. type: string
  6239. namespace:
  6240. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6241. type: string
  6242. type: object
  6243. value:
  6244. description: Value can be specified directly to set a value without using a secret.
  6245. type: string
  6246. type: object
  6247. clientSecret:
  6248. description: ClientSecret is the secret part of the credential.
  6249. properties:
  6250. secretRef:
  6251. description: SecretRef references a key in a secret that will be used as value.
  6252. properties:
  6253. key:
  6254. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6255. type: string
  6256. name:
  6257. description: The name of the Secret resource being referred to.
  6258. type: string
  6259. namespace:
  6260. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6261. type: string
  6262. type: object
  6263. value:
  6264. description: Value can be specified directly to set a value without using a secret.
  6265. type: string
  6266. type: object
  6267. tenant:
  6268. description: Tenant is the chosen hostname / site name.
  6269. type: string
  6270. tld:
  6271. description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
  6272. type: string
  6273. urlTemplate:
  6274. description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  6275. type: string
  6276. required:
  6277. - clientId
  6278. - clientSecret
  6279. - tenant
  6280. type: object
  6281. doppler:
  6282. description: Doppler configures this store to sync secrets using the Doppler provider
  6283. properties:
  6284. auth:
  6285. description: Auth configures how the Operator authenticates with the Doppler API
  6286. properties:
  6287. secretRef:
  6288. properties:
  6289. dopplerToken:
  6290. description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
  6291. properties:
  6292. key:
  6293. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6294. type: string
  6295. name:
  6296. description: The name of the Secret resource being referred to.
  6297. type: string
  6298. namespace:
  6299. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6300. type: string
  6301. type: object
  6302. required:
  6303. - dopplerToken
  6304. type: object
  6305. required:
  6306. - secretRef
  6307. type: object
  6308. config:
  6309. description: Doppler config (required if not using a Service Token)
  6310. type: string
  6311. format:
  6312. description: Format enables the downloading of secrets as a file (string)
  6313. enum:
  6314. - json
  6315. - dotnet-json
  6316. - env
  6317. - yaml
  6318. - docker
  6319. type: string
  6320. nameTransformer:
  6321. description: Environment variable compatible name transforms that change secret names to a different format
  6322. enum:
  6323. - upper-camel
  6324. - camel
  6325. - lower-snake
  6326. - tf-var
  6327. - dotnet-env
  6328. - lower-kebab
  6329. type: string
  6330. project:
  6331. description: Doppler project (required if not using a Service Token)
  6332. type: string
  6333. required:
  6334. - auth
  6335. type: object
  6336. fake:
  6337. description: Fake configures a store with static key/value pairs
  6338. properties:
  6339. data:
  6340. items:
  6341. properties:
  6342. key:
  6343. type: string
  6344. value:
  6345. type: string
  6346. valueMap:
  6347. additionalProperties:
  6348. type: string
  6349. type: object
  6350. version:
  6351. type: string
  6352. required:
  6353. - key
  6354. type: object
  6355. type: array
  6356. required:
  6357. - data
  6358. type: object
  6359. gcpsm:
  6360. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  6361. properties:
  6362. auth:
  6363. description: Auth defines the information necessary to authenticate against GCP
  6364. properties:
  6365. secretRef:
  6366. properties:
  6367. secretAccessKeySecretRef:
  6368. description: The SecretAccessKey is used for authentication
  6369. properties:
  6370. key:
  6371. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6372. type: string
  6373. name:
  6374. description: The name of the Secret resource being referred to.
  6375. type: string
  6376. namespace:
  6377. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6378. type: string
  6379. type: object
  6380. type: object
  6381. workloadIdentity:
  6382. properties:
  6383. clusterLocation:
  6384. type: string
  6385. clusterName:
  6386. type: string
  6387. clusterProjectID:
  6388. type: string
  6389. serviceAccountRef:
  6390. description: A reference to a ServiceAccount resource.
  6391. properties:
  6392. audiences:
  6393. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6394. items:
  6395. type: string
  6396. type: array
  6397. name:
  6398. description: The name of the ServiceAccount resource being referred to.
  6399. type: string
  6400. namespace:
  6401. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6402. type: string
  6403. required:
  6404. - name
  6405. type: object
  6406. required:
  6407. - clusterLocation
  6408. - clusterName
  6409. - serviceAccountRef
  6410. type: object
  6411. type: object
  6412. projectID:
  6413. description: ProjectID project where secret is located
  6414. type: string
  6415. type: object
  6416. gitlab:
  6417. description: GitLab configures this store to sync secrets using GitLab Variables provider
  6418. properties:
  6419. auth:
  6420. description: Auth configures how secret-manager authenticates with a GitLab instance.
  6421. properties:
  6422. SecretRef:
  6423. properties:
  6424. accessToken:
  6425. description: AccessToken is used for authentication.
  6426. properties:
  6427. key:
  6428. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6429. type: string
  6430. name:
  6431. description: The name of the Secret resource being referred to.
  6432. type: string
  6433. namespace:
  6434. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6435. type: string
  6436. type: object
  6437. type: object
  6438. required:
  6439. - SecretRef
  6440. type: object
  6441. environment:
  6442. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  6443. type: string
  6444. groupIDs:
  6445. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  6446. items:
  6447. type: string
  6448. type: array
  6449. inheritFromGroups:
  6450. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  6451. type: boolean
  6452. projectID:
  6453. description: ProjectID specifies a project where secrets are located.
  6454. type: string
  6455. url:
  6456. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  6457. type: string
  6458. required:
  6459. - auth
  6460. type: object
  6461. ibm:
  6462. description: IBM configures this store to sync secrets using IBM Cloud provider
  6463. properties:
  6464. auth:
  6465. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  6466. maxProperties: 1
  6467. minProperties: 1
  6468. properties:
  6469. containerAuth:
  6470. description: IBM Container-based auth with IAM Trusted Profile.
  6471. properties:
  6472. iamEndpoint:
  6473. type: string
  6474. profile:
  6475. description: the IBM Trusted Profile
  6476. type: string
  6477. tokenLocation:
  6478. description: Location the token is mounted on the pod
  6479. type: string
  6480. required:
  6481. - profile
  6482. type: object
  6483. secretRef:
  6484. properties:
  6485. secretApiKeySecretRef:
  6486. description: The SecretAccessKey is used for authentication
  6487. properties:
  6488. key:
  6489. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6490. type: string
  6491. name:
  6492. description: The name of the Secret resource being referred to.
  6493. type: string
  6494. namespace:
  6495. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6496. type: string
  6497. type: object
  6498. type: object
  6499. type: object
  6500. serviceUrl:
  6501. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  6502. type: string
  6503. required:
  6504. - auth
  6505. type: object
  6506. keepersecurity:
  6507. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  6508. properties:
  6509. authRef:
  6510. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6511. properties:
  6512. key:
  6513. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6514. type: string
  6515. name:
  6516. description: The name of the Secret resource being referred to.
  6517. type: string
  6518. namespace:
  6519. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6520. type: string
  6521. type: object
  6522. folderID:
  6523. type: string
  6524. required:
  6525. - authRef
  6526. - folderID
  6527. type: object
  6528. kubernetes:
  6529. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  6530. properties:
  6531. auth:
  6532. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  6533. maxProperties: 1
  6534. minProperties: 1
  6535. properties:
  6536. cert:
  6537. description: has both clientCert and clientKey as secretKeySelector
  6538. properties:
  6539. clientCert:
  6540. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6541. properties:
  6542. key:
  6543. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6544. type: string
  6545. name:
  6546. description: The name of the Secret resource being referred to.
  6547. type: string
  6548. namespace:
  6549. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6550. type: string
  6551. type: object
  6552. clientKey:
  6553. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6554. properties:
  6555. key:
  6556. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6557. type: string
  6558. name:
  6559. description: The name of the Secret resource being referred to.
  6560. type: string
  6561. namespace:
  6562. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6563. type: string
  6564. type: object
  6565. type: object
  6566. serviceAccount:
  6567. description: points to a service account that should be used for authentication
  6568. properties:
  6569. audiences:
  6570. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6571. items:
  6572. type: string
  6573. type: array
  6574. name:
  6575. description: The name of the ServiceAccount resource being referred to.
  6576. type: string
  6577. namespace:
  6578. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6579. type: string
  6580. required:
  6581. - name
  6582. type: object
  6583. token:
  6584. description: use static token to authenticate with
  6585. properties:
  6586. bearerToken:
  6587. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6588. properties:
  6589. key:
  6590. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6591. type: string
  6592. name:
  6593. description: The name of the Secret resource being referred to.
  6594. type: string
  6595. namespace:
  6596. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6597. type: string
  6598. type: object
  6599. type: object
  6600. type: object
  6601. remoteNamespace:
  6602. default: default
  6603. description: Remote namespace to fetch the secrets from
  6604. type: string
  6605. server:
  6606. description: configures the Kubernetes server Address.
  6607. properties:
  6608. caBundle:
  6609. description: CABundle is a base64-encoded CA certificate
  6610. format: byte
  6611. type: string
  6612. caProvider:
  6613. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  6614. properties:
  6615. key:
  6616. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6617. type: string
  6618. name:
  6619. description: The name of the object located at the provider type.
  6620. type: string
  6621. namespace:
  6622. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  6623. type: string
  6624. type:
  6625. description: The type of provider to use such as "Secret", or "ConfigMap".
  6626. enum:
  6627. - Secret
  6628. - ConfigMap
  6629. type: string
  6630. required:
  6631. - name
  6632. - type
  6633. type: object
  6634. url:
  6635. default: kubernetes.default
  6636. description: configures the Kubernetes server Address.
  6637. type: string
  6638. type: object
  6639. required:
  6640. - auth
  6641. type: object
  6642. onepassword:
  6643. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6644. properties:
  6645. auth:
  6646. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6647. properties:
  6648. secretRef:
  6649. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6650. properties:
  6651. connectTokenSecretRef:
  6652. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6653. properties:
  6654. key:
  6655. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6656. type: string
  6657. name:
  6658. description: The name of the Secret resource being referred to.
  6659. type: string
  6660. namespace:
  6661. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6662. type: string
  6663. type: object
  6664. required:
  6665. - connectTokenSecretRef
  6666. type: object
  6667. required:
  6668. - secretRef
  6669. type: object
  6670. connectHost:
  6671. description: ConnectHost defines the OnePassword Connect Server to connect to
  6672. type: string
  6673. vaults:
  6674. additionalProperties:
  6675. type: integer
  6676. description: Vaults defines which OnePassword vaults to search in which order
  6677. type: object
  6678. required:
  6679. - auth
  6680. - connectHost
  6681. - vaults
  6682. type: object
  6683. oracle:
  6684. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6685. properties:
  6686. auth:
  6687. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6688. properties:
  6689. secretRef:
  6690. description: SecretRef to pass through sensitive information.
  6691. properties:
  6692. fingerprint:
  6693. description: Fingerprint is the fingerprint of the API private key.
  6694. properties:
  6695. key:
  6696. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6697. type: string
  6698. name:
  6699. description: The name of the Secret resource being referred to.
  6700. type: string
  6701. namespace:
  6702. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6703. type: string
  6704. type: object
  6705. privatekey:
  6706. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6707. properties:
  6708. key:
  6709. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6710. type: string
  6711. name:
  6712. description: The name of the Secret resource being referred to.
  6713. type: string
  6714. namespace:
  6715. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6716. type: string
  6717. type: object
  6718. required:
  6719. - fingerprint
  6720. - privatekey
  6721. type: object
  6722. tenancy:
  6723. description: Tenancy is the tenancy OCID where user is located.
  6724. type: string
  6725. user:
  6726. description: User is an access OCID specific to the account.
  6727. type: string
  6728. required:
  6729. - secretRef
  6730. - tenancy
  6731. - user
  6732. type: object
  6733. compartment:
  6734. description: Compartment is the vault compartment OCID. Required for PushSecret
  6735. type: string
  6736. encryptionKey:
  6737. description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
  6738. type: string
  6739. principalType:
  6740. description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
  6741. enum:
  6742. - ""
  6743. - UserPrincipal
  6744. - InstancePrincipal
  6745. - Workload
  6746. type: string
  6747. region:
  6748. description: Region is the region where vault is located.
  6749. type: string
  6750. serviceAccountRef:
  6751. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  6752. properties:
  6753. audiences:
  6754. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6755. items:
  6756. type: string
  6757. type: array
  6758. name:
  6759. description: The name of the ServiceAccount resource being referred to.
  6760. type: string
  6761. namespace:
  6762. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6763. type: string
  6764. required:
  6765. - name
  6766. type: object
  6767. vault:
  6768. description: Vault is the vault's OCID of the specific vault where secret is located.
  6769. type: string
  6770. required:
  6771. - region
  6772. - vault
  6773. type: object
  6774. scaleway:
  6775. description: Scaleway
  6776. properties:
  6777. accessKey:
  6778. description: AccessKey is the non-secret part of the api key.
  6779. properties:
  6780. secretRef:
  6781. description: SecretRef references a key in a secret that will be used as value.
  6782. properties:
  6783. key:
  6784. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6785. type: string
  6786. name:
  6787. description: The name of the Secret resource being referred to.
  6788. type: string
  6789. namespace:
  6790. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6791. type: string
  6792. type: object
  6793. value:
  6794. description: Value can be specified directly to set a value without using a secret.
  6795. type: string
  6796. type: object
  6797. apiUrl:
  6798. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  6799. type: string
  6800. projectId:
  6801. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  6802. type: string
  6803. region:
  6804. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  6805. type: string
  6806. secretKey:
  6807. description: SecretKey is the non-secret part of the api key.
  6808. properties:
  6809. secretRef:
  6810. description: SecretRef references a key in a secret that will be used as value.
  6811. properties:
  6812. key:
  6813. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6814. type: string
  6815. name:
  6816. description: The name of the Secret resource being referred to.
  6817. type: string
  6818. namespace:
  6819. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6820. type: string
  6821. type: object
  6822. value:
  6823. description: Value can be specified directly to set a value without using a secret.
  6824. type: string
  6825. type: object
  6826. required:
  6827. - accessKey
  6828. - projectId
  6829. - region
  6830. - secretKey
  6831. type: object
  6832. senhasegura:
  6833. description: Senhasegura configures this store to sync secrets using senhasegura provider
  6834. properties:
  6835. auth:
  6836. description: Auth defines parameters to authenticate in senhasegura
  6837. properties:
  6838. clientId:
  6839. type: string
  6840. clientSecretSecretRef:
  6841. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  6842. properties:
  6843. key:
  6844. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6845. type: string
  6846. name:
  6847. description: The name of the Secret resource being referred to.
  6848. type: string
  6849. namespace:
  6850. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6851. type: string
  6852. type: object
  6853. required:
  6854. - clientId
  6855. - clientSecretSecretRef
  6856. type: object
  6857. ignoreSslCertificate:
  6858. default: false
  6859. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  6860. type: boolean
  6861. module:
  6862. description: Module defines which senhasegura module should be used to get secrets
  6863. type: string
  6864. url:
  6865. description: URL of senhasegura
  6866. type: string
  6867. required:
  6868. - auth
  6869. - module
  6870. - url
  6871. type: object
  6872. vault:
  6873. description: Vault configures this store to sync secrets using Hashi provider
  6874. properties:
  6875. auth:
  6876. description: Auth configures how secret-manager authenticates with the Vault server.
  6877. properties:
  6878. appRole:
  6879. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  6880. properties:
  6881. path:
  6882. default: approle
  6883. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  6884. type: string
  6885. roleId:
  6886. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  6887. type: string
  6888. roleRef:
  6889. description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
  6890. properties:
  6891. key:
  6892. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6893. type: string
  6894. name:
  6895. description: The name of the Secret resource being referred to.
  6896. type: string
  6897. namespace:
  6898. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6899. type: string
  6900. type: object
  6901. secretRef:
  6902. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  6903. properties:
  6904. key:
  6905. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6906. type: string
  6907. name:
  6908. description: The name of the Secret resource being referred to.
  6909. type: string
  6910. namespace:
  6911. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6912. type: string
  6913. type: object
  6914. required:
  6915. - path
  6916. - secretRef
  6917. type: object
  6918. cert:
  6919. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  6920. properties:
  6921. clientCert:
  6922. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  6923. properties:
  6924. key:
  6925. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6926. type: string
  6927. name:
  6928. description: The name of the Secret resource being referred to.
  6929. type: string
  6930. namespace:
  6931. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6932. type: string
  6933. type: object
  6934. secretRef:
  6935. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  6936. properties:
  6937. key:
  6938. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6939. type: string
  6940. name:
  6941. description: The name of the Secret resource being referred to.
  6942. type: string
  6943. namespace:
  6944. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6945. type: string
  6946. type: object
  6947. type: object
  6948. iam:
  6949. description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
  6950. properties:
  6951. externalID:
  6952. description: AWS External ID set on assumed IAM roles
  6953. type: string
  6954. jwt:
  6955. description: Specify a service account with IRSA enabled
  6956. properties:
  6957. serviceAccountRef:
  6958. description: A reference to a ServiceAccount resource.
  6959. properties:
  6960. audiences:
  6961. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  6962. items:
  6963. type: string
  6964. type: array
  6965. name:
  6966. description: The name of the ServiceAccount resource being referred to.
  6967. type: string
  6968. namespace:
  6969. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6970. type: string
  6971. required:
  6972. - name
  6973. type: object
  6974. type: object
  6975. path:
  6976. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  6977. type: string
  6978. region:
  6979. description: AWS region
  6980. type: string
  6981. role:
  6982. description: This is the AWS role to be assumed before talking to vault
  6983. type: string
  6984. secretRef:
  6985. description: Specify credentials in a Secret object
  6986. properties:
  6987. accessKeyIDSecretRef:
  6988. description: The AccessKeyID is used for authentication
  6989. properties:
  6990. key:
  6991. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  6992. type: string
  6993. name:
  6994. description: The name of the Secret resource being referred to.
  6995. type: string
  6996. namespace:
  6997. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  6998. type: string
  6999. type: object
  7000. secretAccessKeySecretRef:
  7001. description: The SecretAccessKey is used for authentication
  7002. properties:
  7003. key:
  7004. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7005. type: string
  7006. name:
  7007. description: The name of the Secret resource being referred to.
  7008. type: string
  7009. namespace:
  7010. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7011. type: string
  7012. type: object
  7013. sessionTokenSecretRef:
  7014. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  7015. properties:
  7016. key:
  7017. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7018. type: string
  7019. name:
  7020. description: The name of the Secret resource being referred to.
  7021. type: string
  7022. namespace:
  7023. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7024. type: string
  7025. type: object
  7026. type: object
  7027. vaultAwsIamServerID:
  7028. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7029. type: string
  7030. vaultRole:
  7031. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7032. type: string
  7033. required:
  7034. - vaultRole
  7035. type: object
  7036. jwt:
  7037. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  7038. properties:
  7039. kubernetesServiceAccountToken:
  7040. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  7041. properties:
  7042. audiences:
  7043. description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
  7044. items:
  7045. type: string
  7046. type: array
  7047. expirationSeconds:
  7048. description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
  7049. format: int64
  7050. type: integer
  7051. serviceAccountRef:
  7052. description: Service account field containing the name of a kubernetes ServiceAccount.
  7053. properties:
  7054. audiences:
  7055. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  7056. items:
  7057. type: string
  7058. type: array
  7059. name:
  7060. description: The name of the ServiceAccount resource being referred to.
  7061. type: string
  7062. namespace:
  7063. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7064. type: string
  7065. required:
  7066. - name
  7067. type: object
  7068. required:
  7069. - serviceAccountRef
  7070. type: object
  7071. path:
  7072. default: jwt
  7073. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  7074. type: string
  7075. role:
  7076. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  7077. type: string
  7078. secretRef:
  7079. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  7080. properties:
  7081. key:
  7082. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7083. type: string
  7084. name:
  7085. description: The name of the Secret resource being referred to.
  7086. type: string
  7087. namespace:
  7088. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7089. type: string
  7090. type: object
  7091. required:
  7092. - path
  7093. type: object
  7094. kubernetes:
  7095. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  7096. properties:
  7097. mountPath:
  7098. default: kubernetes
  7099. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  7100. type: string
  7101. role:
  7102. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  7103. type: string
  7104. secretRef:
  7105. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  7106. properties:
  7107. key:
  7108. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7109. type: string
  7110. name:
  7111. description: The name of the Secret resource being referred to.
  7112. type: string
  7113. namespace:
  7114. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7115. type: string
  7116. type: object
  7117. serviceAccountRef:
  7118. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  7119. properties:
  7120. audiences:
  7121. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  7122. items:
  7123. type: string
  7124. type: array
  7125. name:
  7126. description: The name of the ServiceAccount resource being referred to.
  7127. type: string
  7128. namespace:
  7129. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7130. type: string
  7131. required:
  7132. - name
  7133. type: object
  7134. required:
  7135. - mountPath
  7136. - role
  7137. type: object
  7138. ldap:
  7139. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  7140. properties:
  7141. path:
  7142. default: ldap
  7143. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  7144. type: string
  7145. secretRef:
  7146. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  7147. properties:
  7148. key:
  7149. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7150. type: string
  7151. name:
  7152. description: The name of the Secret resource being referred to.
  7153. type: string
  7154. namespace:
  7155. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7156. type: string
  7157. type: object
  7158. username:
  7159. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  7160. type: string
  7161. required:
  7162. - path
  7163. - username
  7164. type: object
  7165. tokenSecretRef:
  7166. description: TokenSecretRef authenticates with Vault by presenting a token.
  7167. properties:
  7168. key:
  7169. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7170. type: string
  7171. name:
  7172. description: The name of the Secret resource being referred to.
  7173. type: string
  7174. namespace:
  7175. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7176. type: string
  7177. type: object
  7178. userPass:
  7179. description: UserPass authenticates with Vault by passing username/password pair
  7180. properties:
  7181. path:
  7182. default: user
  7183. description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
  7184. type: string
  7185. secretRef:
  7186. description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
  7187. properties:
  7188. key:
  7189. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7190. type: string
  7191. name:
  7192. description: The name of the Secret resource being referred to.
  7193. type: string
  7194. namespace:
  7195. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7196. type: string
  7197. type: object
  7198. username:
  7199. description: Username is a user name used to authenticate using the UserPass Vault authentication method
  7200. type: string
  7201. required:
  7202. - path
  7203. - username
  7204. type: object
  7205. type: object
  7206. caBundle:
  7207. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  7208. format: byte
  7209. type: string
  7210. caProvider:
  7211. description: The provider for the CA bundle to use to validate Vault server certificate.
  7212. properties:
  7213. key:
  7214. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7215. type: string
  7216. name:
  7217. description: The name of the object located at the provider type.
  7218. type: string
  7219. namespace:
  7220. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  7221. type: string
  7222. type:
  7223. description: The type of provider to use such as "Secret", or "ConfigMap".
  7224. enum:
  7225. - Secret
  7226. - ConfigMap
  7227. type: string
  7228. required:
  7229. - name
  7230. - type
  7231. type: object
  7232. forwardInconsistent:
  7233. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7234. type: boolean
  7235. namespace:
  7236. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  7237. type: string
  7238. path:
  7239. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  7240. type: string
  7241. readYourWrites:
  7242. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  7243. type: boolean
  7244. server:
  7245. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7246. type: string
  7247. version:
  7248. default: v2
  7249. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  7250. enum:
  7251. - v1
  7252. - v2
  7253. type: string
  7254. required:
  7255. - auth
  7256. - server
  7257. type: object
  7258. webhook:
  7259. description: Webhook configures this store to sync secrets using a generic templated webhook
  7260. properties:
  7261. body:
  7262. description: Body
  7263. type: string
  7264. caBundle:
  7265. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  7266. format: byte
  7267. type: string
  7268. caProvider:
  7269. description: The provider for the CA bundle to use to validate webhook server certificate.
  7270. properties:
  7271. key:
  7272. description: The key the value inside of the provider type to use, only used with "Secret" type
  7273. type: string
  7274. name:
  7275. description: The name of the object located at the provider type.
  7276. type: string
  7277. namespace:
  7278. description: The namespace the Provider type is in.
  7279. type: string
  7280. type:
  7281. description: The type of provider to use such as "Secret", or "ConfigMap".
  7282. enum:
  7283. - Secret
  7284. - ConfigMap
  7285. type: string
  7286. required:
  7287. - name
  7288. - type
  7289. type: object
  7290. headers:
  7291. additionalProperties:
  7292. type: string
  7293. description: Headers
  7294. type: object
  7295. method:
  7296. description: Webhook Method
  7297. type: string
  7298. result:
  7299. description: Result formatting
  7300. properties:
  7301. jsonPath:
  7302. description: Json path of return value
  7303. type: string
  7304. type: object
  7305. secrets:
  7306. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  7307. items:
  7308. properties:
  7309. name:
  7310. description: Name of this secret in templates
  7311. type: string
  7312. secretRef:
  7313. description: Secret ref to fill in credentials
  7314. properties:
  7315. key:
  7316. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7317. type: string
  7318. name:
  7319. description: The name of the Secret resource being referred to.
  7320. type: string
  7321. namespace:
  7322. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7323. type: string
  7324. type: object
  7325. required:
  7326. - name
  7327. - secretRef
  7328. type: object
  7329. type: array
  7330. timeout:
  7331. description: Timeout
  7332. type: string
  7333. url:
  7334. description: Webhook url to call
  7335. type: string
  7336. required:
  7337. - result
  7338. - url
  7339. type: object
  7340. yandexcertificatemanager:
  7341. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  7342. properties:
  7343. apiEndpoint:
  7344. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  7345. type: string
  7346. auth:
  7347. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  7348. properties:
  7349. authorizedKeySecretRef:
  7350. description: The authorized key used for authentication
  7351. properties:
  7352. key:
  7353. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7354. type: string
  7355. name:
  7356. description: The name of the Secret resource being referred to.
  7357. type: string
  7358. namespace:
  7359. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7360. type: string
  7361. type: object
  7362. type: object
  7363. caProvider:
  7364. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  7365. properties:
  7366. certSecretRef:
  7367. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  7368. properties:
  7369. key:
  7370. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7371. type: string
  7372. name:
  7373. description: The name of the Secret resource being referred to.
  7374. type: string
  7375. namespace:
  7376. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7377. type: string
  7378. type: object
  7379. type: object
  7380. required:
  7381. - auth
  7382. type: object
  7383. yandexlockbox:
  7384. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  7385. properties:
  7386. apiEndpoint:
  7387. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  7388. type: string
  7389. auth:
  7390. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  7391. properties:
  7392. authorizedKeySecretRef:
  7393. description: The authorized key used for authentication
  7394. properties:
  7395. key:
  7396. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7397. type: string
  7398. name:
  7399. description: The name of the Secret resource being referred to.
  7400. type: string
  7401. namespace:
  7402. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7403. type: string
  7404. type: object
  7405. type: object
  7406. caProvider:
  7407. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  7408. properties:
  7409. certSecretRef:
  7410. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  7411. properties:
  7412. key:
  7413. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7414. type: string
  7415. name:
  7416. description: The name of the Secret resource being referred to.
  7417. type: string
  7418. namespace:
  7419. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7420. type: string
  7421. type: object
  7422. type: object
  7423. required:
  7424. - auth
  7425. type: object
  7426. type: object
  7427. refreshInterval:
  7428. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  7429. type: integer
  7430. retrySettings:
  7431. description: Used to configure http retries if failed
  7432. properties:
  7433. maxRetries:
  7434. format: int32
  7435. type: integer
  7436. retryInterval:
  7437. type: string
  7438. type: object
  7439. required:
  7440. - provider
  7441. type: object
  7442. status:
  7443. description: SecretStoreStatus defines the observed state of the SecretStore.
  7444. properties:
  7445. capabilities:
  7446. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  7447. type: string
  7448. conditions:
  7449. items:
  7450. properties:
  7451. lastTransitionTime:
  7452. format: date-time
  7453. type: string
  7454. message:
  7455. type: string
  7456. reason:
  7457. type: string
  7458. status:
  7459. type: string
  7460. type:
  7461. type: string
  7462. required:
  7463. - status
  7464. - type
  7465. type: object
  7466. type: array
  7467. type: object
  7468. type: object
  7469. served: true
  7470. storage: true
  7471. subresources:
  7472. status: {}
  7473. conversion:
  7474. strategy: Webhook
  7475. webhook:
  7476. conversionReviewVersions:
  7477. - v1
  7478. clientConfig:
  7479. service:
  7480. name: kubernetes
  7481. namespace: default
  7482. path: /convert
  7483. ---
  7484. apiVersion: apiextensions.k8s.io/v1
  7485. kind: CustomResourceDefinition
  7486. metadata:
  7487. annotations:
  7488. controller-gen.kubebuilder.io/version: v0.13.0
  7489. name: acraccesstokens.generators.external-secrets.io
  7490. spec:
  7491. group: generators.external-secrets.io
  7492. names:
  7493. categories:
  7494. - acraccesstoken
  7495. kind: ACRAccessToken
  7496. listKind: ACRAccessTokenList
  7497. plural: acraccesstokens
  7498. shortNames:
  7499. - acraccesstoken
  7500. singular: acraccesstoken
  7501. scope: Namespaced
  7502. versions:
  7503. - name: v1alpha1
  7504. schema:
  7505. openAPIV3Schema:
  7506. description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md"
  7507. properties:
  7508. apiVersion:
  7509. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  7510. type: string
  7511. kind:
  7512. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  7513. type: string
  7514. metadata:
  7515. type: object
  7516. spec:
  7517. description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview'
  7518. properties:
  7519. auth:
  7520. properties:
  7521. managedIdentity:
  7522. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  7523. properties:
  7524. identityId:
  7525. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  7526. type: string
  7527. type: object
  7528. servicePrincipal:
  7529. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  7530. properties:
  7531. secretRef:
  7532. description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret.
  7533. properties:
  7534. clientId:
  7535. description: The Azure clientId of the service principle used for authentication.
  7536. properties:
  7537. key:
  7538. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7539. type: string
  7540. name:
  7541. description: The name of the Secret resource being referred to.
  7542. type: string
  7543. namespace:
  7544. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7545. type: string
  7546. type: object
  7547. clientSecret:
  7548. description: The Azure ClientSecret of the service principle used for authentication.
  7549. properties:
  7550. key:
  7551. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7552. type: string
  7553. name:
  7554. description: The name of the Secret resource being referred to.
  7555. type: string
  7556. namespace:
  7557. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7558. type: string
  7559. type: object
  7560. type: object
  7561. required:
  7562. - secretRef
  7563. type: object
  7564. workloadIdentity:
  7565. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  7566. properties:
  7567. serviceAccountRef:
  7568. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  7569. properties:
  7570. audiences:
  7571. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  7572. items:
  7573. type: string
  7574. type: array
  7575. name:
  7576. description: The name of the ServiceAccount resource being referred to.
  7577. type: string
  7578. namespace:
  7579. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7580. type: string
  7581. required:
  7582. - name
  7583. type: object
  7584. type: object
  7585. type: object
  7586. environmentType:
  7587. default: PublicCloud
  7588. description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
  7589. enum:
  7590. - PublicCloud
  7591. - USGovernmentCloud
  7592. - ChinaCloud
  7593. - GermanCloud
  7594. type: string
  7595. registry:
  7596. description: the domain name of the ACR registry e.g. foobarexample.azurecr.io
  7597. type: string
  7598. scope:
  7599. description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/"
  7600. type: string
  7601. tenantId:
  7602. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  7603. type: string
  7604. required:
  7605. - auth
  7606. - registry
  7607. type: object
  7608. type: object
  7609. served: true
  7610. storage: true
  7611. subresources:
  7612. status: {}
  7613. conversion:
  7614. strategy: Webhook
  7615. webhook:
  7616. conversionReviewVersions:
  7617. - v1
  7618. clientConfig:
  7619. service:
  7620. name: kubernetes
  7621. namespace: default
  7622. path: /convert
  7623. ---
  7624. apiVersion: apiextensions.k8s.io/v1
  7625. kind: CustomResourceDefinition
  7626. metadata:
  7627. annotations:
  7628. controller-gen.kubebuilder.io/version: v0.13.0
  7629. name: ecrauthorizationtokens.generators.external-secrets.io
  7630. spec:
  7631. group: generators.external-secrets.io
  7632. names:
  7633. categories:
  7634. - ecrauthorizationtoken
  7635. kind: ECRAuthorizationToken
  7636. listKind: ECRAuthorizationTokenList
  7637. plural: ecrauthorizationtokens
  7638. shortNames:
  7639. - ecrauthorizationtoken
  7640. singular: ecrauthorizationtoken
  7641. scope: Namespaced
  7642. versions:
  7643. - name: v1alpha1
  7644. schema:
  7645. openAPIV3Schema:
  7646. description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  7647. properties:
  7648. apiVersion:
  7649. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  7650. type: string
  7651. kind:
  7652. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  7653. type: string
  7654. metadata:
  7655. type: object
  7656. spec:
  7657. properties:
  7658. auth:
  7659. description: Auth defines how to authenticate with AWS
  7660. properties:
  7661. jwt:
  7662. description: Authenticate against AWS using service account tokens.
  7663. properties:
  7664. serviceAccountRef:
  7665. description: A reference to a ServiceAccount resource.
  7666. properties:
  7667. audiences:
  7668. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  7669. items:
  7670. type: string
  7671. type: array
  7672. name:
  7673. description: The name of the ServiceAccount resource being referred to.
  7674. type: string
  7675. namespace:
  7676. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7677. type: string
  7678. required:
  7679. - name
  7680. type: object
  7681. type: object
  7682. secretRef:
  7683. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  7684. properties:
  7685. accessKeyIDSecretRef:
  7686. description: The AccessKeyID is used for authentication
  7687. properties:
  7688. key:
  7689. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7690. type: string
  7691. name:
  7692. description: The name of the Secret resource being referred to.
  7693. type: string
  7694. namespace:
  7695. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7696. type: string
  7697. type: object
  7698. secretAccessKeySecretRef:
  7699. description: The SecretAccessKey is used for authentication
  7700. properties:
  7701. key:
  7702. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7703. type: string
  7704. name:
  7705. description: The name of the Secret resource being referred to.
  7706. type: string
  7707. namespace:
  7708. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7709. type: string
  7710. type: object
  7711. sessionTokenSecretRef:
  7712. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  7713. properties:
  7714. key:
  7715. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7716. type: string
  7717. name:
  7718. description: The name of the Secret resource being referred to.
  7719. type: string
  7720. namespace:
  7721. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7722. type: string
  7723. type: object
  7724. type: object
  7725. type: object
  7726. region:
  7727. description: Region specifies the region to operate in.
  7728. type: string
  7729. role:
  7730. description: You can assume a role before making calls to the desired AWS service.
  7731. type: string
  7732. required:
  7733. - region
  7734. type: object
  7735. type: object
  7736. served: true
  7737. storage: true
  7738. subresources:
  7739. status: {}
  7740. conversion:
  7741. strategy: Webhook
  7742. webhook:
  7743. conversionReviewVersions:
  7744. - v1
  7745. clientConfig:
  7746. service:
  7747. name: kubernetes
  7748. namespace: default
  7749. path: /convert
  7750. ---
  7751. apiVersion: apiextensions.k8s.io/v1
  7752. kind: CustomResourceDefinition
  7753. metadata:
  7754. annotations:
  7755. controller-gen.kubebuilder.io/version: v0.13.0
  7756. name: fakes.generators.external-secrets.io
  7757. spec:
  7758. group: generators.external-secrets.io
  7759. names:
  7760. categories:
  7761. - fake
  7762. kind: Fake
  7763. listKind: FakeList
  7764. plural: fakes
  7765. shortNames:
  7766. - fake
  7767. singular: fake
  7768. scope: Namespaced
  7769. versions:
  7770. - name: v1alpha1
  7771. schema:
  7772. openAPIV3Schema:
  7773. description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned.
  7774. properties:
  7775. apiVersion:
  7776. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  7777. type: string
  7778. kind:
  7779. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  7780. type: string
  7781. metadata:
  7782. type: object
  7783. spec:
  7784. description: FakeSpec contains the static data.
  7785. properties:
  7786. controller:
  7787. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property'
  7788. type: string
  7789. data:
  7790. additionalProperties:
  7791. type: string
  7792. description: Data defines the static data returned by this generator.
  7793. type: object
  7794. type: object
  7795. type: object
  7796. served: true
  7797. storage: true
  7798. subresources:
  7799. status: {}
  7800. conversion:
  7801. strategy: Webhook
  7802. webhook:
  7803. conversionReviewVersions:
  7804. - v1
  7805. clientConfig:
  7806. service:
  7807. name: kubernetes
  7808. namespace: default
  7809. path: /convert
  7810. ---
  7811. apiVersion: apiextensions.k8s.io/v1
  7812. kind: CustomResourceDefinition
  7813. metadata:
  7814. annotations:
  7815. controller-gen.kubebuilder.io/version: v0.13.0
  7816. name: gcraccesstokens.generators.external-secrets.io
  7817. spec:
  7818. group: generators.external-secrets.io
  7819. names:
  7820. categories:
  7821. - gcraccesstoken
  7822. kind: GCRAccessToken
  7823. listKind: GCRAccessTokenList
  7824. plural: gcraccesstokens
  7825. shortNames:
  7826. - gcraccesstoken
  7827. singular: gcraccesstoken
  7828. scope: Namespaced
  7829. versions:
  7830. - name: v1alpha1
  7831. schema:
  7832. openAPIV3Schema:
  7833. description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR.
  7834. properties:
  7835. apiVersion:
  7836. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  7837. type: string
  7838. kind:
  7839. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  7840. type: string
  7841. metadata:
  7842. type: object
  7843. spec:
  7844. properties:
  7845. auth:
  7846. description: Auth defines the means for authenticating with GCP
  7847. properties:
  7848. secretRef:
  7849. properties:
  7850. secretAccessKeySecretRef:
  7851. description: The SecretAccessKey is used for authentication
  7852. properties:
  7853. key:
  7854. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  7855. type: string
  7856. name:
  7857. description: The name of the Secret resource being referred to.
  7858. type: string
  7859. namespace:
  7860. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7861. type: string
  7862. type: object
  7863. type: object
  7864. workloadIdentity:
  7865. properties:
  7866. clusterLocation:
  7867. type: string
  7868. clusterName:
  7869. type: string
  7870. clusterProjectID:
  7871. type: string
  7872. serviceAccountRef:
  7873. description: A reference to a ServiceAccount resource.
  7874. properties:
  7875. audiences:
  7876. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  7877. items:
  7878. type: string
  7879. type: array
  7880. name:
  7881. description: The name of the ServiceAccount resource being referred to.
  7882. type: string
  7883. namespace:
  7884. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  7885. type: string
  7886. required:
  7887. - name
  7888. type: object
  7889. required:
  7890. - clusterLocation
  7891. - clusterName
  7892. - serviceAccountRef
  7893. type: object
  7894. type: object
  7895. projectID:
  7896. description: ProjectID defines which project to use to authenticate with
  7897. type: string
  7898. required:
  7899. - auth
  7900. - projectID
  7901. type: object
  7902. type: object
  7903. served: true
  7904. storage: true
  7905. subresources:
  7906. status: {}
  7907. conversion:
  7908. strategy: Webhook
  7909. webhook:
  7910. conversionReviewVersions:
  7911. - v1
  7912. clientConfig:
  7913. service:
  7914. name: kubernetes
  7915. namespace: default
  7916. path: /convert
  7917. ---
  7918. apiVersion: apiextensions.k8s.io/v1
  7919. kind: CustomResourceDefinition
  7920. metadata:
  7921. annotations:
  7922. controller-gen.kubebuilder.io/version: v0.13.0
  7923. name: passwords.generators.external-secrets.io
  7924. spec:
  7925. group: generators.external-secrets.io
  7926. names:
  7927. categories:
  7928. - password
  7929. kind: Password
  7930. listKind: PasswordList
  7931. plural: passwords
  7932. shortNames:
  7933. - password
  7934. singular: password
  7935. scope: Namespaced
  7936. versions:
  7937. - name: v1alpha1
  7938. schema:
  7939. openAPIV3Schema:
  7940. description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes.
  7941. properties:
  7942. apiVersion:
  7943. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  7944. type: string
  7945. kind:
  7946. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  7947. type: string
  7948. metadata:
  7949. type: object
  7950. spec:
  7951. description: PasswordSpec controls the behavior of the password generator.
  7952. properties:
  7953. allowRepeat:
  7954. default: false
  7955. description: set AllowRepeat to true to allow repeating characters.
  7956. type: boolean
  7957. digits:
  7958. description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password
  7959. type: integer
  7960. length:
  7961. default: 24
  7962. description: Length of the password to be generated. Defaults to 24
  7963. type: integer
  7964. noUpper:
  7965. default: false
  7966. description: Set NoUpper to disable uppercase characters
  7967. type: boolean
  7968. symbolCharacters:
  7969. description: SymbolCharacters specifies the special characters that should be used in the generated password.
  7970. type: string
  7971. symbols:
  7972. description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password
  7973. type: integer
  7974. required:
  7975. - allowRepeat
  7976. - length
  7977. - noUpper
  7978. type: object
  7979. type: object
  7980. served: true
  7981. storage: true
  7982. subresources:
  7983. status: {}
  7984. conversion:
  7985. strategy: Webhook
  7986. webhook:
  7987. conversionReviewVersions:
  7988. - v1
  7989. clientConfig:
  7990. service:
  7991. name: kubernetes
  7992. namespace: default
  7993. path: /convert
  7994. ---
  7995. apiVersion: apiextensions.k8s.io/v1
  7996. kind: CustomResourceDefinition
  7997. metadata:
  7998. annotations:
  7999. controller-gen.kubebuilder.io/version: v0.13.0
  8000. name: vaultdynamicsecrets.generators.external-secrets.io
  8001. spec:
  8002. group: generators.external-secrets.io
  8003. names:
  8004. categories:
  8005. - vaultdynamicsecret
  8006. kind: VaultDynamicSecret
  8007. listKind: VaultDynamicSecretList
  8008. plural: vaultdynamicsecrets
  8009. shortNames:
  8010. - vaultdynamicsecret
  8011. singular: vaultdynamicsecret
  8012. scope: Namespaced
  8013. versions:
  8014. - name: v1alpha1
  8015. schema:
  8016. openAPIV3Schema:
  8017. properties:
  8018. apiVersion:
  8019. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  8020. type: string
  8021. kind:
  8022. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  8023. type: string
  8024. metadata:
  8025. type: object
  8026. spec:
  8027. properties:
  8028. controller:
  8029. description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property'
  8030. type: string
  8031. method:
  8032. description: Vault API method to use (GET/POST/other)
  8033. type: string
  8034. parameters:
  8035. description: Parameters to pass to Vault write (for non-GET methods)
  8036. x-kubernetes-preserve-unknown-fields: true
  8037. path:
  8038. description: Vault path to obtain the dynamic secret from
  8039. type: string
  8040. provider:
  8041. description: Vault provider common spec
  8042. properties:
  8043. auth:
  8044. description: Auth configures how secret-manager authenticates with the Vault server.
  8045. properties:
  8046. appRole:
  8047. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  8048. properties:
  8049. path:
  8050. default: approle
  8051. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  8052. type: string
  8053. roleId:
  8054. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  8055. type: string
  8056. roleRef:
  8057. description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
  8058. properties:
  8059. key:
  8060. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8061. type: string
  8062. name:
  8063. description: The name of the Secret resource being referred to.
  8064. type: string
  8065. namespace:
  8066. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8067. type: string
  8068. type: object
  8069. secretRef:
  8070. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  8071. properties:
  8072. key:
  8073. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8074. type: string
  8075. name:
  8076. description: The name of the Secret resource being referred to.
  8077. type: string
  8078. namespace:
  8079. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8080. type: string
  8081. type: object
  8082. required:
  8083. - path
  8084. - secretRef
  8085. type: object
  8086. cert:
  8087. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  8088. properties:
  8089. clientCert:
  8090. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  8091. properties:
  8092. key:
  8093. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8094. type: string
  8095. name:
  8096. description: The name of the Secret resource being referred to.
  8097. type: string
  8098. namespace:
  8099. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8100. type: string
  8101. type: object
  8102. secretRef:
  8103. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  8104. properties:
  8105. key:
  8106. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8107. type: string
  8108. name:
  8109. description: The name of the Secret resource being referred to.
  8110. type: string
  8111. namespace:
  8112. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8113. type: string
  8114. type: object
  8115. type: object
  8116. iam:
  8117. description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
  8118. properties:
  8119. externalID:
  8120. description: AWS External ID set on assumed IAM roles
  8121. type: string
  8122. jwt:
  8123. description: Specify a service account with IRSA enabled
  8124. properties:
  8125. serviceAccountRef:
  8126. description: A reference to a ServiceAccount resource.
  8127. properties:
  8128. audiences:
  8129. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  8130. items:
  8131. type: string
  8132. type: array
  8133. name:
  8134. description: The name of the ServiceAccount resource being referred to.
  8135. type: string
  8136. namespace:
  8137. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8138. type: string
  8139. required:
  8140. - name
  8141. type: object
  8142. type: object
  8143. path:
  8144. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  8145. type: string
  8146. region:
  8147. description: AWS region
  8148. type: string
  8149. role:
  8150. description: This is the AWS role to be assumed before talking to vault
  8151. type: string
  8152. secretRef:
  8153. description: Specify credentials in a Secret object
  8154. properties:
  8155. accessKeyIDSecretRef:
  8156. description: The AccessKeyID is used for authentication
  8157. properties:
  8158. key:
  8159. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8160. type: string
  8161. name:
  8162. description: The name of the Secret resource being referred to.
  8163. type: string
  8164. namespace:
  8165. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8166. type: string
  8167. type: object
  8168. secretAccessKeySecretRef:
  8169. description: The SecretAccessKey is used for authentication
  8170. properties:
  8171. key:
  8172. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8173. type: string
  8174. name:
  8175. description: The name of the Secret resource being referred to.
  8176. type: string
  8177. namespace:
  8178. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8179. type: string
  8180. type: object
  8181. sessionTokenSecretRef:
  8182. description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
  8183. properties:
  8184. key:
  8185. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8186. type: string
  8187. name:
  8188. description: The name of the Secret resource being referred to.
  8189. type: string
  8190. namespace:
  8191. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8192. type: string
  8193. type: object
  8194. type: object
  8195. vaultAwsIamServerID:
  8196. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  8197. type: string
  8198. vaultRole:
  8199. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  8200. type: string
  8201. required:
  8202. - vaultRole
  8203. type: object
  8204. jwt:
  8205. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  8206. properties:
  8207. kubernetesServiceAccountToken:
  8208. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  8209. properties:
  8210. audiences:
  8211. description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
  8212. items:
  8213. type: string
  8214. type: array
  8215. expirationSeconds:
  8216. description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
  8217. format: int64
  8218. type: integer
  8219. serviceAccountRef:
  8220. description: Service account field containing the name of a kubernetes ServiceAccount.
  8221. properties:
  8222. audiences:
  8223. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  8224. items:
  8225. type: string
  8226. type: array
  8227. name:
  8228. description: The name of the ServiceAccount resource being referred to.
  8229. type: string
  8230. namespace:
  8231. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8232. type: string
  8233. required:
  8234. - name
  8235. type: object
  8236. required:
  8237. - serviceAccountRef
  8238. type: object
  8239. path:
  8240. default: jwt
  8241. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  8242. type: string
  8243. role:
  8244. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  8245. type: string
  8246. secretRef:
  8247. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  8248. properties:
  8249. key:
  8250. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8251. type: string
  8252. name:
  8253. description: The name of the Secret resource being referred to.
  8254. type: string
  8255. namespace:
  8256. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8257. type: string
  8258. type: object
  8259. required:
  8260. - path
  8261. type: object
  8262. kubernetes:
  8263. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  8264. properties:
  8265. mountPath:
  8266. default: kubernetes
  8267. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  8268. type: string
  8269. role:
  8270. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  8271. type: string
  8272. secretRef:
  8273. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  8274. properties:
  8275. key:
  8276. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8277. type: string
  8278. name:
  8279. description: The name of the Secret resource being referred to.
  8280. type: string
  8281. namespace:
  8282. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8283. type: string
  8284. type: object
  8285. serviceAccountRef:
  8286. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  8287. properties:
  8288. audiences:
  8289. description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
  8290. items:
  8291. type: string
  8292. type: array
  8293. name:
  8294. description: The name of the ServiceAccount resource being referred to.
  8295. type: string
  8296. namespace:
  8297. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8298. type: string
  8299. required:
  8300. - name
  8301. type: object
  8302. required:
  8303. - mountPath
  8304. - role
  8305. type: object
  8306. ldap:
  8307. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  8308. properties:
  8309. path:
  8310. default: ldap
  8311. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  8312. type: string
  8313. secretRef:
  8314. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  8315. properties:
  8316. key:
  8317. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8318. type: string
  8319. name:
  8320. description: The name of the Secret resource being referred to.
  8321. type: string
  8322. namespace:
  8323. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8324. type: string
  8325. type: object
  8326. username:
  8327. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  8328. type: string
  8329. required:
  8330. - path
  8331. - username
  8332. type: object
  8333. tokenSecretRef:
  8334. description: TokenSecretRef authenticates with Vault by presenting a token.
  8335. properties:
  8336. key:
  8337. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8338. type: string
  8339. name:
  8340. description: The name of the Secret resource being referred to.
  8341. type: string
  8342. namespace:
  8343. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8344. type: string
  8345. type: object
  8346. userPass:
  8347. description: UserPass authenticates with Vault by passing username/password pair
  8348. properties:
  8349. path:
  8350. default: user
  8351. description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
  8352. type: string
  8353. secretRef:
  8354. description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
  8355. properties:
  8356. key:
  8357. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  8358. type: string
  8359. name:
  8360. description: The name of the Secret resource being referred to.
  8361. type: string
  8362. namespace:
  8363. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  8364. type: string
  8365. type: object
  8366. username:
  8367. description: Username is a user name used to authenticate using the UserPass Vault authentication method
  8368. type: string
  8369. required:
  8370. - path
  8371. - username
  8372. type: object
  8373. type: object
  8374. caBundle:
  8375. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  8376. format: byte
  8377. type: string
  8378. caProvider:
  8379. description: The provider for the CA bundle to use to validate Vault server certificate.
  8380. properties:
  8381. key:
  8382. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8383. type: string
  8384. name:
  8385. description: The name of the object located at the provider type.
  8386. type: string
  8387. namespace:
  8388. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  8389. type: string
  8390. type:
  8391. description: The type of provider to use such as "Secret", or "ConfigMap".
  8392. enum:
  8393. - Secret
  8394. - ConfigMap
  8395. type: string
  8396. required:
  8397. - name
  8398. - type
  8399. type: object
  8400. forwardInconsistent:
  8401. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8402. type: boolean
  8403. namespace:
  8404. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  8405. type: string
  8406. path:
  8407. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  8408. type: string
  8409. readYourWrites:
  8410. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  8411. type: boolean
  8412. server:
  8413. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8414. type: string
  8415. version:
  8416. default: v2
  8417. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  8418. enum:
  8419. - v1
  8420. - v2
  8421. type: string
  8422. required:
  8423. - auth
  8424. - server
  8425. type: object
  8426. resultType:
  8427. default: Data
  8428. description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure.
  8429. enum:
  8430. - Data
  8431. - Auth
  8432. type: string
  8433. required:
  8434. - path
  8435. - provider
  8436. type: object
  8437. type: object
  8438. served: true
  8439. storage: true
  8440. subresources:
  8441. status: {}
  8442. conversion:
  8443. strategy: Webhook
  8444. webhook:
  8445. conversionReviewVersions:
  8446. - v1
  8447. clientConfig:
  8448. service:
  8449. name: kubernetes
  8450. namespace: default
  8451. path: /convert