| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.19.0
- labels:
- external-secrets.io/component: controller
- name: externalsecrets.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - external-secrets
- kind: ExternalSecret
- listKind: ExternalSecretList
- plural: externalsecrets
- shortNames:
- - es
- singular: externalsecret
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.secretStoreRef.kind
- name: StoreType
- type: string
- - jsonPath: .spec.secretStoreRef.name
- name: Store
- type: string
- - jsonPath: .spec.refreshInterval
- name: Refresh Interval
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: ExternalSecret is the Schema for the external-secrets API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ExternalSecretSpec defines the desired state of ExternalSecret.
- properties:
- data:
- description: Data defines the connection between the Kubernetes Secret
- keys and the Provider data
- items:
- description: ExternalSecretData defines the connection between the
- Kubernetes Secret key (spec.data.<key>) and the Provider data.
- properties:
- remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults to
- None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider
- value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider
- value, if supported
- type: string
- required:
- - key
- type: object
- secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - CloudsmithAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- - MFA
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to
- fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- required:
- - remoteRef
- - secretKey
- type: object
- type: array
- dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
- items:
- properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults to
- None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider
- value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider
- value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- merge:
- description: |-
- Used to merge key/values in one single Secret
- The resulting key will contain all values from the specified secrets
- properties:
- conflictPolicy:
- default: Error
- description: Used to define the policy to use in conflict
- resolution.
- type: string
- into:
- default: ""
- description: |-
- Used to define the target key of the merge operation.
- Required if strategy is JSON. Ignored otherwise.
- type: string
- priority:
- description: Used to define key priority in conflict
- resolution.
- items:
- type: string
- type: array
- strategy:
- default: Extract
- description: Used to define the strategy to use in
- the merge operation.
- type: string
- type: object
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression
- of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern of
- a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - CloudsmithAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- - MFA
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to
- fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- type: object
- type: array
- refreshInterval:
- default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
- type: string
- secretStoreRef:
- description: SecretStoreRef defines which SecretStore to fetch the
- ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
- properties:
- creationPolicy:
- default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
- enum:
- - Owner
- - Orphan
- - Merge
- - None
- type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
- immutable:
- description: Immutable defines if the final secret will be immutable
- type: boolean
- name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- template:
- description: Template defines a blueprint for the created Secret
- resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata
- fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- finalizers:
- items:
- type: string
- type: array
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- properties:
- configMap:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- enum:
- - Data
- - Annotations
- - Labels
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- type: object
- type: object
- status:
- properties:
- binding:
- description: Binding represents a servicebinding.io Provisioned Service
- reference to the secret
- properties:
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- type: object
- x-kubernetes-map-type: atomic
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
- format: date-time
- nullable: true
- type: string
- syncedResourceVersion:
- description: SyncedResourceVersion keeps track of the last synced
- version
- type: string
- type: object
- type: object
- selectableFields:
- - jsonPath: .spec.secretStoreRef.name
- - jsonPath: .spec.secretStoreRef.kind
- - jsonPath: .spec.target.name
- - jsonPath: .spec.refreshInterval
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.secretStoreRef.kind
- name: StoreType
- type: string
- - jsonPath: .spec.secretStoreRef.name
- name: Store
- type: string
- - jsonPath: .spec.refreshInterval
- name: Refresh Interval
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- deprecated: true
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: ExternalSecret is the Schema for the external-secrets API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ExternalSecretSpec defines the desired state of ExternalSecret.
- properties:
- data:
- description: Data defines the connection between the Kubernetes Secret
- keys and the Provider data
- items:
- description: ExternalSecretData defines the connection between the
- Kubernetes Secret key (spec.data.<key>) and the Provider data.
- properties:
- remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults to
- None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider
- value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider
- value, if supported
- type: string
- required:
- - key
- type: object
- secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to
- fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- required:
- - remoteRef
- - secretKey
- type: object
- type: array
- dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
- items:
- properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults to
- None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider
- value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider
- value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression
- of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern of
- a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to
- fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- type: object
- type: array
- refreshInterval:
- default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
- type: string
- secretStoreRef:
- description: SecretStoreRef defines which SecretStore to fetch the
- ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
- properties:
- creationPolicy:
- default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
- enum:
- - Owner
- - Orphan
- - Merge
- - None
- type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
- immutable:
- description: Immutable defines if the final secret will be immutable
- type: boolean
- name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- template:
- description: Template defines a blueprint for the created Secret
- resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata
- fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- properties:
- configMap:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- enum:
- - Data
- - Annotations
- - Labels
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- type: object
- type: object
- status:
- properties:
- binding:
- description: Binding represents a servicebinding.io Provisioned Service
- reference to the secret
- properties:
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- type: object
- x-kubernetes-map-type: atomic
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
- format: date-time
- nullable: true
- type: string
- syncedResourceVersion:
- description: SyncedResourceVersion keeps track of the last synced
- version
- type: string
- type: object
- type: object
- served: false
- storage: false
- subresources:
- status: {}
|
