bundle.yaml 1.7 MB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646764776487649765076517652765376547655765676577658765976607661766276637664766576667667766876697670767176727673767476757676767776787679768076817682768376847685768676877688768976907691769276937694769576967697769876997700770177027703770477057706770777087709771077117712771377147715771677177718771977207721772277237724772577267727772877297730773177327733773477357736773777387739774077417742774377447745774677477748774977507751775277537754775577567757775877597760776177627763776477657766776777687769777077717772777377747775777677777778777977807781778277837784778577867787778877897790779177927793779477957796779777987799780078017802780378047805780678077808780978107811781278137814781578167817781878197820782178227823782478257826782778287829783078317832783378347835783678377838783978407841784278437844784578467847784878497850785178527853785478557856785778587859786078617862786378647865786678677868786978707871787278737874787578767877787878797880788178827883788478857886788778887889789078917892789378947895789678977898789979007901790279037904790579067907790879097910791179127913791479157916791779187919792079217922792379247925792679277928792979307931793279337934793579367937793879397940794179427943794479457946794779487949795079517952795379547955795679577958795979607961796279637964796579667967796879697970797179727973797479757976797779787979798079817982798379847985798679877988798979907991799279937994799579967997799879998000800180028003800480058006800780088009801080118012801380148015801680178018801980208021802280238024802580268027802880298030803180328033803480358036803780388039804080418042804380448045804680478048804980508051805280538054805580568057805880598060806180628063806480658066806780688069807080718072807380748075807680778078807980808081808280838084808580868087808880898090809180928093809480958096809780988099810081018102810381048105810681078108810981108111811281138114811581168117811881198120812181228123812481258126812781288129813081318132813381348135813681378138813981408141814281438144814581468147814881498150815181528153815481558156815781588159816081618162816381648165816681678168816981708171817281738174817581768177817881798180818181828183818481858186818781888189819081918192819381948195819681978198819982008201820282038204820582068207820882098210821182128213821482158216821782188219822082218222822382248225822682278228822982308231823282338234823582368237823882398240824182428243824482458246824782488249825082518252825382548255825682578258825982608261826282638264826582668267826882698270827182728273827482758276827782788279828082818282828382848285828682878288828982908291829282938294829582968297829882998300830183028303830483058306830783088309831083118312831383148315831683178318831983208321832283238324832583268327832883298330833183328333833483358336833783388339834083418342834383448345834683478348834983508351835283538354835583568357835883598360836183628363836483658366836783688369837083718372837383748375837683778378837983808381838283838384838583868387838883898390839183928393839483958396839783988399840084018402840384048405840684078408840984108411841284138414841584168417841884198420842184228423842484258426842784288429843084318432843384348435843684378438843984408441844284438444844584468447844884498450845184528453845484558456845784588459846084618462846384648465846684678468846984708471847284738474847584768477847884798480848184828483848484858486848784888489849084918492849384948495849684978498849985008501850285038504850585068507850885098510851185128513851485158516851785188519852085218522852385248525852685278528852985308531853285338534853585368537853885398540854185428543854485458546854785488549855085518552855385548555855685578558855985608561856285638564856585668567856885698570857185728573857485758576857785788579858085818582858385848585858685878588858985908591859285938594859585968597859885998600860186028603860486058606860786088609861086118612861386148615861686178618861986208621862286238624862586268627862886298630863186328633863486358636863786388639864086418642864386448645864686478648864986508651865286538654865586568657865886598660866186628663866486658666866786688669867086718672867386748675867686778678867986808681868286838684868586868687868886898690869186928693869486958696869786988699870087018702870387048705870687078708870987108711871287138714871587168717871887198720872187228723872487258726872787288729873087318732873387348735873687378738873987408741874287438744874587468747874887498750875187528753875487558756875787588759876087618762876387648765876687678768876987708771877287738774877587768777877887798780878187828783878487858786878787888789879087918792879387948795879687978798879988008801880288038804880588068807880888098810881188128813881488158816881788188819882088218822882388248825882688278828882988308831883288338834883588368837883888398840884188428843884488458846884788488849885088518852885388548855885688578858885988608861886288638864886588668867886888698870887188728873887488758876887788788879888088818882888388848885888688878888888988908891889288938894889588968897889888998900890189028903890489058906890789088909891089118912891389148915891689178918891989208921892289238924892589268927892889298930893189328933893489358936893789388939894089418942894389448945894689478948894989508951895289538954895589568957895889598960896189628963896489658966896789688969897089718972897389748975897689778978897989808981898289838984898589868987898889898990899189928993899489958996899789988999900090019002900390049005900690079008900990109011901290139014901590169017901890199020902190229023902490259026902790289029903090319032903390349035903690379038903990409041904290439044904590469047904890499050905190529053905490559056905790589059906090619062906390649065906690679068906990709071907290739074907590769077907890799080908190829083908490859086908790889089909090919092909390949095909690979098909991009101910291039104910591069107910891099110911191129113911491159116911791189119912091219122912391249125912691279128912991309131913291339134913591369137913891399140914191429143914491459146914791489149915091519152915391549155915691579158915991609161916291639164916591669167916891699170917191729173917491759176917791789179918091819182918391849185918691879188918991909191919291939194919591969197919891999200920192029203920492059206920792089209921092119212921392149215921692179218921992209221922292239224922592269227922892299230923192329233923492359236923792389239924092419242924392449245924692479248924992509251925292539254925592569257925892599260926192629263926492659266926792689269927092719272927392749275927692779278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977797789779978097819782978397849785978697879788978997909791979297939794979597969797979897999800980198029803980498059806980798089809981098119812981398149815981698179818981998209821982298239824982598269827982898299830983198329833983498359836983798389839984098419842984398449845984698479848984998509851985298539854985598569857985898599860986198629863986498659866986798689869987098719872987398749875987698779878987998809881988298839884988598869887988898899890989198929893989498959896989798989899990099019902990399049905990699079908990999109911991299139914991599169917991899199920992199229923992499259926992799289929993099319932993399349935993699379938993999409941994299439944994599469947994899499950995199529953995499559956995799589959996099619962996399649965996699679968996999709971997299739974997599769977997899799980998199829983998499859986998799889989999099919992999399949995999699979998999910000100011000210003100041000510006100071000810009100101001110012100131001410015100161001710018100191002010021100221002310024100251002610027100281002910030100311003210033100341003510036100371003810039100401004110042100431004410045100461004710048100491005010051100521005310054100551005610057100581005910060100611006210063100641006510066100671006810069100701007110072100731007410075100761007710078100791008010081100821008310084100851008610087100881008910090100911009210093100941009510096100971009810099101001010110102101031010410105101061010710108101091011010111101121011310114101151011610117101181011910120101211012210123101241012510126101271012810129101301013110132101331013410135101361013710138101391014010141101421014310144101451014610147101481014910150101511015210153101541015510156101571015810159101601016110162101631016410165101661016710168101691017010171101721017310174101751017610177101781017910180101811018210183101841018510186101871018810189101901019110192101931019410195101961019710198101991020010201102021020310204102051020610207102081020910210102111021210213102141021510216102171021810219102201022110222102231022410225102261022710228102291023010231102321023310234102351023610237102381023910240102411024210243102441024510246102471024810249102501025110252102531025410255102561025710258102591026010261102621026310264102651026610267102681026910270102711027210273102741027510276102771027810279102801028110282102831028410285102861028710288102891029010291102921029310294102951029610297102981029910300103011030210303103041030510306103071030810309103101031110312103131031410315103161031710318103191032010321103221032310324103251032610327103281032910330103311033210333103341033510336103371033810339103401034110342103431034410345103461034710348103491035010351103521035310354103551035610357103581035910360103611036210363103641036510366103671036810369103701037110372103731037410375103761037710378103791038010381103821038310384103851038610387103881038910390103911039210393103941039510396103971039810399104001040110402104031040410405104061040710408104091041010411104121041310414104151041610417104181041910420104211042210423104241042510426104271042810429104301043110432104331043410435104361043710438104391044010441104421044310444104451044610447104481044910450104511045210453104541045510456104571045810459104601046110462104631046410465104661046710468104691047010471104721047310474104751047610477104781047910480104811048210483104841048510486104871048810489104901049110492104931049410495104961049710498104991050010501105021050310504105051050610507105081050910510105111051210513105141051510516105171051810519105201052110522105231052410525105261052710528105291053010531105321053310534105351053610537105381053910540105411054210543105441054510546105471054810549105501055110552105531055410555105561055710558105591056010561105621056310564105651056610567105681056910570105711057210573105741057510576105771057810579105801058110582105831058410585105861058710588105891059010591105921059310594105951059610597105981059910600106011060210603106041060510606106071060810609106101061110612106131061410615106161061710618106191062010621106221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211102211023110241102511026110271102811029110301103111032110331103411035110361103711038110391104011041110421104311044110451104611047110481104911050110511105211053110541105511056110571105811059110601106111062110631106411065110661106711068110691107011071110721107311074110751107611077110781107911080110811108211083110841108511086110871108811089110901109111092110931109411095110961109711098110991110011101111021110311104111051110611107111081110911110111111111211113111141111511116111171111811119111201112111122111231112411125111261112711128111291113011131111321113311134111351113611137111381113911140111411114211143111441114511146111471114811149111501115111152111531115411155111561115711158111591116011161111621116311164111651116611167111681116911170111711117211173111741117511176111771117811179111801118111182111831118411185111861118711188111891119011191111921119311194111951119611197111981119911200112011120211203112041120511206112071120811209112101121111212112131121411215112161121711218112191122011221112221122311224112251122611227112281122911230112311123211233112341123511236112371123811239112401124111242112431124411245112461124711248112491125011251112521125311254112551125611257112581125911260112611126211263112641126511266112671126811269112701127111272112731127411275112761127711278112791128011281112821128311284112851128611287112881128911290112911129211293112941129511296112971129811299113001130111302113031130411305113061130711308113091131011311113121131311314113151131611317113181131911320113211132211323113241132511326113271132811329113301133111332113331133411335113361133711338113391134011341113421134311344113451134611347113481134911350113511135211353113541135511356113571135811359113601136111362113631136411365113661136711368113691137011371113721137311374113751137611377113781137911380113811138211383113841138511386113871138811389113901139111392113931139411395113961139711398113991140011401114021140311404114051140611407114081140911410114111141211413114141141511416114171141811419114201142111422114231142411425114261142711428114291143011431114321143311434114351143611437114381143911440114411144211443114441144511446114471144811449114501145111452114531145411455114561145711458114591146011461114621146311464114651146611467114681146911470114711147211473114741147511476114771147811479114801148111482114831148411485114861148711488114891149011491114921149311494114951149611497114981149911500115011150211503115041150511506115071150811509115101151111512115131151411515115161151711518115191152011521115221152311524115251152611527115281152911530115311153211533115341153511536115371153811539115401154111542115431154411545115461154711548115491155011551115521155311554115551155611557115581155911560115611156211563115641156511566115671156811569115701157111572115731157411575115761157711578115791158011581115821158311584115851158611587115881158911590115911159211593115941159511596115971159811599116001160111602116031160411605116061160711608116091161011611116121161311614116151161611617116181161911620116211162211623116241162511626116271162811629116301163111632116331163411635116361163711638116391164011641116421164311644116451164611647116481164911650116511165211653116541165511656116571165811659116601166111662116631166411665116661166711668116691167011671116721167311674116751167611677116781167911680116811168211683116841168511686116871168811689116901169111692116931169411695116961169711698116991170011701117021170311704117051170611707117081170911710117111171211713117141171511716117171171811719117201172111722117231172411725117261172711728117291173011731117321173311734117351173611737117381173911740117411174211743117441174511746117471174811749117501175111752117531175411755117561175711758117591176011761117621176311764117651176611767117681176911770117711177211773117741177511776117771177811779117801178111782117831178411785117861178711788117891179011791117921179311794117951179611797117981179911800118011180211803118041180511806118071180811809118101181111812118131181411815118161181711818118191182011821118221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211222212223122241222512226122271222812229122301223112232122331223412235122361223712238122391224012241122421224312244122451224612247122481224912250122511225212253122541225512256122571225812259122601226112262122631226412265122661226712268122691227012271122721227312274122751227612277122781227912280122811228212283122841228512286122871228812289122901229112292122931229412295122961229712298122991230012301123021230312304123051230612307123081230912310123111231212313123141231512316123171231812319123201232112322123231232412325123261232712328123291233012331123321233312334123351233612337123381233912340123411234212343123441234512346123471234812349123501235112352123531235412355123561235712358123591236012361123621236312364123651236612367123681236912370123711237212373123741237512376123771237812379123801238112382123831238412385123861238712388123891239012391123921239312394123951239612397123981239912400124011240212403124041240512406124071240812409124101241112412124131241412415124161241712418124191242012421124221242312424124251242612427124281242912430124311243212433124341243512436124371243812439124401244112442124431244412445124461244712448124491245012451124521245312454124551245612457124581245912460124611246212463124641246512466124671246812469124701247112472124731247412475124761247712478124791248012481124821248312484124851248612487124881248912490124911249212493124941249512496124971249812499125001250112502125031250412505125061250712508125091251012511125121251312514125151251612517125181251912520125211252212523125241252512526125271252812529125301253112532125331253412535125361253712538125391254012541125421254312544125451254612547125481254912550125511255212553125541255512556125571255812559125601256112562125631256412565125661256712568125691257012571125721257312574125751257612577125781257912580125811258212583125841258512586125871258812589125901259112592125931259412595125961259712598125991260012601126021260312604126051260612607126081260912610126111261212613126141261512616126171261812619126201262112622126231262412625126261262712628126291263012631126321263312634126351263612637126381263912640126411264212643126441264512646126471264812649126501265112652126531265412655126561265712658126591266012661126621266312664126651266612667126681266912670126711267212673126741267512676126771267812679126801268112682126831268412685126861268712688126891269012691126921269312694126951269612697126981269912700127011270212703127041270512706127071270812709127101271112712127131271412715127161271712718127191272012721127221272312724127251272612727127281272912730127311273212733127341273512736127371273812739127401274112742127431274412745127461274712748127491275012751127521275312754127551275612757127581275912760127611276212763127641276512766127671276812769127701277112772127731277412775127761277712778127791278012781127821278312784127851278612787127881278912790127911279212793127941279512796127971279812799128001280112802128031280412805128061280712808128091281012811128121281312814128151281612817128181281912820128211282212823128241282512826128271282812829128301283112832128331283412835128361283712838128391284012841128421284312844128451284612847128481284912850128511285212853128541285512856128571285812859128601286112862128631286412865128661286712868128691287012871128721287312874128751287612877128781287912880128811288212883128841288512886128871288812889128901289112892128931289412895128961289712898128991290012901129021290312904129051290612907129081290912910129111291212913129141291512916129171291812919129201292112922129231292412925129261292712928129291293012931129321293312934129351293612937129381293912940129411294212943129441294512946129471294812949129501295112952129531295412955129561295712958129591296012961129621296312964129651296612967129681296912970129711297212973129741297512976129771297812979129801298112982129831298412985129861298712988129891299012991129921299312994129951299612997129981299913000130011300213003130041300513006130071300813009130101301113012130131301413015130161301713018130191302013021130221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211342213423134241342513426134271342813429134301343113432134331343413435134361343713438134391344013441134421344313444134451344613447134481344913450134511345213453134541345513456134571345813459134601346113462134631346413465134661346713468134691347013471134721347313474134751347613477134781347913480134811348213483134841348513486134871348813489134901349113492134931349413495134961349713498134991350013501135021350313504135051350613507135081350913510135111351213513135141351513516135171351813519135201352113522135231352413525135261352713528135291353013531135321353313534135351353613537135381353913540135411354213543135441354513546135471354813549135501355113552135531355413555135561355713558135591356013561135621356313564135651356613567135681356913570135711357213573135741357513576135771357813579135801358113582135831358413585135861358713588135891359013591135921359313594135951359613597135981359913600136011360213603136041360513606136071360813609136101361113612136131361413615136161361713618136191362013621136221362313624136251362613627136281362913630136311363213633136341363513636136371363813639136401364113642136431364413645136461364713648136491365013651136521365313654136551365613657136581365913660136611366213663136641366513666136671366813669136701367113672136731367413675136761367713678136791368013681136821368313684136851368613687136881368913690136911369213693136941369513696136971369813699137001370113702137031370413705137061370713708137091371013711137121371313714137151371613717137181371913720137211372213723137241372513726137271372813729137301373113732137331373413735137361373713738137391374013741137421374313744137451374613747137481374913750137511375213753137541375513756137571375813759137601376113762137631376413765137661376713768137691377013771137721377313774137751377613777137781377913780137811378213783137841378513786137871378813789137901379113792137931379413795137961379713798137991380013801138021380313804138051380613807138081380913810138111381213813138141381513816138171381813819138201382113822138231382413825138261382713828138291383013831138321383313834138351383613837138381383913840138411384213843138441384513846138471384813849138501385113852138531385413855138561385713858138591386013861138621386313864138651386613867138681386913870138711387213873138741387513876138771387813879138801388113882138831388413885138861388713888138891389013891138921389313894138951389613897138981389913900139011390213903139041390513906139071390813909139101391113912139131391413915139161391713918139191392013921139221392313924139251392613927139281392913930139311393213933139341393513936139371393813939139401394113942139431394413945139461394713948139491395013951139521395313954139551395613957139581395913960139611396213963139641396513966139671396813969139701397113972139731397413975139761397713978139791398013981139821398313984139851398613987139881398913990139911399213993139941399513996139971399813999140001400114002140031400414005140061400714008140091401014011140121401314014140151401614017140181401914020140211402214023140241402514026140271402814029140301403114032140331403414035140361403714038140391404014041140421404314044140451404614047140481404914050140511405214053140541405514056140571405814059140601406114062140631406414065140661406714068140691407014071140721407314074140751407614077140781407914080140811408214083140841408514086140871408814089140901409114092140931409414095140961409714098140991410014101141021410314104141051410614107141081410914110141111411214113141141411514116141171411814119141201412114122141231412414125141261412714128141291413014131141321413314134141351413614137141381413914140141411414214143141441414514146141471414814149141501415114152141531415414155141561415714158141591416014161141621416314164141651416614167141681416914170141711417214173141741417514176141771417814179141801418114182141831418414185141861418714188141891419014191141921419314194141951419614197141981419914200142011420214203142041420514206142071420814209142101421114212142131421414215142161421714218142191422014221142221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211462214623146241462514626146271462814629146301463114632146331463414635146361463714638146391464014641146421464314644146451464614647146481464914650146511465214653146541465514656146571465814659146601466114662146631466414665146661466714668146691467014671146721467314674146751467614677146781467914680146811468214683146841468514686146871468814689146901469114692146931469414695146961469714698146991470014701147021470314704147051470614707147081470914710147111471214713147141471514716147171471814719147201472114722147231472414725147261472714728147291473014731147321473314734147351473614737147381473914740147411474214743147441474514746147471474814749147501475114752147531475414755147561475714758147591476014761147621476314764147651476614767147681476914770147711477214773147741477514776147771477814779147801478114782147831478414785147861478714788147891479014791147921479314794147951479614797147981479914800148011480214803148041480514806148071480814809148101481114812148131481414815148161481714818148191482014821148221482314824148251482614827148281482914830148311483214833148341483514836148371483814839148401484114842148431484414845148461484714848148491485014851148521485314854148551485614857148581485914860148611486214863148641486514866148671486814869148701487114872148731487414875148761487714878148791488014881148821488314884148851488614887148881488914890148911489214893148941489514896148971489814899149001490114902149031490414905149061490714908149091491014911149121491314914149151491614917149181491914920149211492214923149241492514926149271492814929149301493114932149331493414935149361493714938149391494014941149421494314944149451494614947149481494914950149511495214953149541495514956149571495814959149601496114962149631496414965149661496714968149691497014971149721497314974149751497614977149781497914980149811498214983149841498514986149871498814989149901499114992149931499414995149961499714998149991500015001150021500315004150051500615007150081500915010150111501215013150141501515016150171501815019150201502115022150231502415025150261502715028150291503015031150321503315034150351503615037150381503915040150411504215043150441504515046150471504815049150501505115052150531505415055150561505715058150591506015061150621506315064150651506615067150681506915070150711507215073150741507515076150771507815079150801508115082150831508415085150861508715088150891509015091150921509315094150951509615097150981509915100151011510215103151041510515106151071510815109151101511115112151131511415115151161511715118151191512015121151221512315124151251512615127151281512915130151311513215133151341513515136151371513815139151401514115142151431514415145151461514715148151491515015151151521515315154151551515615157151581515915160151611516215163151641516515166151671516815169151701517115172151731517415175151761517715178151791518015181151821518315184151851518615187151881518915190151911519215193151941519515196151971519815199152001520115202152031520415205152061520715208152091521015211152121521315214152151521615217152181521915220152211522215223152241522515226152271522815229152301523115232152331523415235152361523715238152391524015241152421524315244152451524615247152481524915250152511525215253152541525515256152571525815259152601526115262152631526415265152661526715268152691527015271152721527315274152751527615277152781527915280152811528215283152841528515286152871528815289152901529115292152931529415295152961529715298152991530015301153021530315304153051530615307153081530915310153111531215313153141531515316153171531815319153201532115322153231532415325153261532715328153291533015331153321533315334153351533615337153381533915340153411534215343153441534515346153471534815349153501535115352153531535415355153561535715358153591536015361153621536315364153651536615367153681536915370153711537215373153741537515376153771537815379153801538115382153831538415385153861538715388153891539015391153921539315394153951539615397153981539915400154011540215403154041540515406154071540815409154101541115412154131541415415154161541715418154191542015421154221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211582215823158241582515826158271582815829158301583115832158331583415835158361583715838158391584015841158421584315844158451584615847158481584915850158511585215853158541585515856158571585815859158601586115862158631586415865158661586715868158691587015871158721587315874158751587615877158781587915880158811588215883158841588515886158871588815889158901589115892158931589415895158961589715898158991590015901159021590315904159051590615907159081590915910159111591215913159141591515916159171591815919159201592115922159231592415925159261592715928159291593015931159321593315934159351593615937159381593915940159411594215943159441594515946159471594815949159501595115952159531595415955159561595715958159591596015961159621596315964159651596615967159681596915970159711597215973159741597515976159771597815979159801598115982159831598415985159861598715988159891599015991159921599315994159951599615997159981599916000160011600216003160041600516006160071600816009160101601116012160131601416015160161601716018160191602016021160221602316024160251602616027160281602916030160311603216033160341603516036160371603816039160401604116042160431604416045160461604716048160491605016051160521605316054160551605616057160581605916060160611606216063160641606516066160671606816069160701607116072160731607416075160761607716078160791608016081160821608316084160851608616087160881608916090160911609216093160941609516096160971609816099161001610116102161031610416105161061610716108161091611016111161121611316114161151611616117161181611916120161211612216123161241612516126161271612816129161301613116132161331613416135161361613716138161391614016141161421614316144161451614616147161481614916150161511615216153161541615516156161571615816159161601616116162161631616416165161661616716168161691617016171161721617316174161751617616177161781617916180161811618216183161841618516186161871618816189161901619116192161931619416195161961619716198161991620016201162021620316204162051620616207162081620916210162111621216213162141621516216162171621816219162201622116222162231622416225162261622716228162291623016231162321623316234162351623616237162381623916240162411624216243162441624516246162471624816249162501625116252162531625416255162561625716258162591626016261162621626316264162651626616267162681626916270162711627216273162741627516276162771627816279162801628116282162831628416285162861628716288162891629016291162921629316294162951629616297162981629916300163011630216303163041630516306163071630816309163101631116312163131631416315163161631716318163191632016321163221632316324163251632616327163281632916330163311633216333163341633516336163371633816339163401634116342163431634416345163461634716348163491635016351163521635316354163551635616357163581635916360163611636216363163641636516366163671636816369163701637116372163731637416375163761637716378163791638016381163821638316384163851638616387163881638916390163911639216393163941639516396163971639816399164001640116402164031640416405164061640716408164091641016411164121641316414164151641616417164181641916420164211642216423164241642516426164271642816429164301643116432164331643416435164361643716438164391644016441164421644316444164451644616447164481644916450164511645216453164541645516456164571645816459164601646116462164631646416465164661646716468164691647016471164721647316474164751647616477164781647916480164811648216483164841648516486164871648816489164901649116492164931649416495164961649716498164991650016501165021650316504165051650616507165081650916510165111651216513165141651516516165171651816519165201652116522165231652416525165261652716528165291653016531165321653316534165351653616537165381653916540165411654216543165441654516546165471654816549165501655116552165531655416555165561655716558165591656016561165621656316564165651656616567165681656916570165711657216573165741657516576165771657816579165801658116582165831658416585165861658716588165891659016591165921659316594165951659616597165981659916600166011660216603166041660516606166071660816609166101661116612166131661416615166161661716618166191662016621166221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211702217023170241702517026170271702817029170301703117032170331703417035170361703717038170391704017041170421704317044170451704617047170481704917050170511705217053170541705517056170571705817059170601706117062170631706417065170661706717068170691707017071170721707317074170751707617077170781707917080170811708217083170841708517086170871708817089170901709117092170931709417095170961709717098170991710017101171021710317104171051710617107171081710917110171111711217113171141711517116171171711817119171201712117122171231712417125171261712717128171291713017131171321713317134171351713617137171381713917140171411714217143171441714517146171471714817149171501715117152171531715417155171561715717158171591716017161171621716317164171651716617167171681716917170171711717217173171741717517176171771717817179171801718117182171831718417185171861718717188171891719017191171921719317194171951719617197171981719917200172011720217203172041720517206172071720817209172101721117212172131721417215172161721717218172191722017221172221722317224172251722617227172281722917230172311723217233172341723517236172371723817239172401724117242172431724417245172461724717248172491725017251172521725317254172551725617257172581725917260172611726217263172641726517266172671726817269172701727117272172731727417275172761727717278172791728017281172821728317284172851728617287172881728917290172911729217293172941729517296172971729817299173001730117302173031730417305173061730717308173091731017311173121731317314173151731617317173181731917320173211732217323173241732517326173271732817329173301733117332173331733417335173361733717338173391734017341173421734317344173451734617347173481734917350173511735217353173541735517356173571735817359173601736117362173631736417365173661736717368173691737017371173721737317374173751737617377173781737917380173811738217383173841738517386173871738817389173901739117392173931739417395173961739717398173991740017401174021740317404174051740617407174081740917410174111741217413174141741517416174171741817419174201742117422174231742417425174261742717428174291743017431174321743317434174351743617437174381743917440174411744217443174441744517446174471744817449174501745117452174531745417455174561745717458174591746017461174621746317464174651746617467174681746917470174711747217473174741747517476174771747817479174801748117482174831748417485174861748717488174891749017491174921749317494174951749617497174981749917500175011750217503175041750517506175071750817509175101751117512175131751417515175161751717518175191752017521175221752317524175251752617527175281752917530175311753217533175341753517536175371753817539175401754117542175431754417545175461754717548175491755017551175521755317554175551755617557175581755917560175611756217563175641756517566175671756817569175701757117572175731757417575175761757717578175791758017581175821758317584175851758617587175881758917590175911759217593175941759517596175971759817599176001760117602176031760417605176061760717608176091761017611176121761317614176151761617617176181761917620176211762217623176241762517626176271762817629176301763117632176331763417635176361763717638176391764017641176421764317644176451764617647176481764917650176511765217653176541765517656176571765817659176601766117662176631766417665176661766717668176691767017671176721767317674176751767617677176781767917680176811768217683176841768517686176871768817689176901769117692176931769417695176961769717698176991770017701177021770317704177051770617707177081770917710177111771217713177141771517716177171771817719177201772117722177231772417725177261772717728177291773017731177321773317734177351773617737177381773917740177411774217743177441774517746177471774817749177501775117752177531775417755177561775717758177591776017761177621776317764177651776617767177681776917770177711777217773177741777517776177771777817779177801778117782177831778417785177861778717788177891779017791177921779317794177951779617797177981779917800178011780217803178041780517806178071780817809178101781117812178131781417815178161781717818178191782017821178221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211822218223182241822518226182271822818229182301823118232182331823418235182361823718238182391824018241182421824318244182451824618247182481824918250182511825218253182541825518256182571825818259182601826118262182631826418265182661826718268182691827018271182721827318274182751827618277182781827918280182811828218283182841828518286182871828818289182901829118292182931829418295182961829718298182991830018301183021830318304183051830618307183081830918310183111831218313183141831518316183171831818319183201832118322183231832418325183261832718328183291833018331183321833318334183351833618337183381833918340183411834218343183441834518346183471834818349183501835118352183531835418355183561835718358183591836018361183621836318364183651836618367183681836918370183711837218373183741837518376183771837818379183801838118382183831838418385183861838718388183891839018391183921839318394183951839618397183981839918400184011840218403184041840518406184071840818409184101841118412184131841418415184161841718418184191842018421184221842318424184251842618427184281842918430184311843218433184341843518436184371843818439184401844118442184431844418445184461844718448184491845018451184521845318454184551845618457184581845918460184611846218463184641846518466184671846818469184701847118472184731847418475184761847718478184791848018481184821848318484184851848618487184881848918490184911849218493184941849518496184971849818499185001850118502185031850418505185061850718508185091851018511185121851318514185151851618517185181851918520185211852218523185241852518526185271852818529185301853118532185331853418535185361853718538185391854018541185421854318544185451854618547185481854918550185511855218553185541855518556185571855818559185601856118562185631856418565185661856718568185691857018571185721857318574185751857618577185781857918580185811858218583185841858518586185871858818589185901859118592185931859418595185961859718598185991860018601186021860318604186051860618607186081860918610186111861218613186141861518616186171861818619186201862118622186231862418625186261862718628186291863018631186321863318634186351863618637186381863918640186411864218643186441864518646186471864818649186501865118652186531865418655186561865718658186591866018661186621866318664186651866618667186681866918670186711867218673186741867518676186771867818679186801868118682186831868418685186861868718688186891869018691186921869318694186951869618697186981869918700187011870218703187041870518706187071870818709187101871118712187131871418715187161871718718187191872018721187221872318724187251872618727187281872918730187311873218733187341873518736187371873818739187401874118742187431874418745187461874718748187491875018751187521875318754187551875618757187581875918760187611876218763187641876518766187671876818769187701877118772187731877418775187761877718778187791878018781187821878318784187851878618787187881878918790187911879218793187941879518796187971879818799188001880118802188031880418805188061880718808188091881018811188121881318814188151881618817188181881918820188211882218823188241882518826188271882818829188301883118832188331883418835188361883718838188391884018841188421884318844188451884618847188481884918850188511885218853188541885518856188571885818859188601886118862188631886418865188661886718868188691887018871188721887318874188751887618877188781887918880188811888218883188841888518886188871888818889188901889118892188931889418895188961889718898188991890018901189021890318904189051890618907189081890918910189111891218913189141891518916189171891818919189201892118922189231892418925189261892718928189291893018931189321893318934189351893618937189381893918940189411894218943189441894518946189471894818949189501895118952189531895418955189561895718958189591896018961189621896318964189651896618967189681896918970189711897218973189741897518976189771897818979189801898118982189831898418985189861898718988189891899018991189921899318994189951899618997189981899919000190011900219003190041900519006190071900819009190101901119012190131901419015190161901719018190191902019021190221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211942219423194241942519426194271942819429194301943119432194331943419435194361943719438194391944019441194421944319444194451944619447194481944919450194511945219453194541945519456194571945819459194601946119462194631946419465194661946719468194691947019471194721947319474194751947619477194781947919480194811948219483194841948519486194871948819489194901949119492194931949419495194961949719498194991950019501195021950319504195051950619507195081950919510195111951219513195141951519516195171951819519195201952119522195231952419525195261952719528195291953019531195321953319534195351953619537195381953919540195411954219543195441954519546195471954819549195501955119552195531955419555195561955719558195591956019561195621956319564195651956619567195681956919570195711957219573195741957519576195771957819579195801958119582195831958419585195861958719588195891959019591195921959319594195951959619597195981959919600196011960219603196041960519606196071960819609196101961119612196131961419615196161961719618196191962019621196221962319624196251962619627196281962919630196311963219633196341963519636196371963819639196401964119642196431964419645196461964719648196491965019651196521965319654196551965619657196581965919660196611966219663196641966519666196671966819669196701967119672196731967419675196761967719678196791968019681196821968319684196851968619687196881968919690196911969219693196941969519696196971969819699197001970119702197031970419705197061970719708197091971019711197121971319714197151971619717197181971919720197211972219723197241972519726197271972819729197301973119732197331973419735197361973719738197391974019741197421974319744197451974619747197481974919750197511975219753197541975519756197571975819759197601976119762197631976419765197661976719768197691977019771197721977319774197751977619777197781977919780197811978219783197841978519786197871978819789197901979119792197931979419795197961979719798197991980019801198021980319804198051980619807198081980919810198111981219813198141981519816198171981819819198201982119822198231982419825198261982719828198291983019831198321983319834198351983619837198381983919840198411984219843198441984519846198471984819849198501985119852198531985419855198561985719858198591986019861198621986319864198651986619867198681986919870198711987219873198741987519876198771987819879198801988119882198831988419885198861988719888198891989019891198921989319894198951989619897198981989919900199011990219903199041990519906199071990819909199101991119912199131991419915199161991719918199191992019921199221992319924199251992619927199281992919930199311993219933199341993519936199371993819939199401994119942199431994419945199461994719948199491995019951199521995319954199551995619957199581995919960199611996219963199641996519966199671996819969199701997119972199731997419975199761997719978199791998019981199821998319984199851998619987199881998919990199911999219993199941999519996199971999819999200002000120002200032000420005200062000720008200092001020011200122001320014200152001620017200182001920020200212002220023200242002520026200272002820029200302003120032200332003420035200362003720038200392004020041200422004320044200452004620047200482004920050200512005220053200542005520056200572005820059200602006120062200632006420065200662006720068200692007020071200722007320074200752007620077200782007920080200812008220083200842008520086200872008820089200902009120092200932009420095200962009720098200992010020101201022010320104201052010620107201082010920110201112011220113201142011520116201172011820119201202012120122201232012420125201262012720128201292013020131201322013320134201352013620137201382013920140201412014220143201442014520146201472014820149201502015120152201532015420155201562015720158201592016020161201622016320164201652016620167201682016920170201712017220173201742017520176201772017820179201802018120182201832018420185201862018720188201892019020191201922019320194201952019620197201982019920200202012020220203202042020520206202072020820209202102021120212202132021420215202162021720218202192022020221202222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212062220623206242062520626206272062820629206302063120632206332063420635206362063720638206392064020641206422064320644206452064620647206482064920650206512065220653206542065520656206572065820659206602066120662206632066420665206662066720668206692067020671206722067320674206752067620677206782067920680206812068220683206842068520686206872068820689206902069120692206932069420695206962069720698206992070020701207022070320704207052070620707207082070920710207112071220713207142071520716207172071820719207202072120722207232072420725207262072720728207292073020731207322073320734207352073620737207382073920740207412074220743207442074520746207472074820749207502075120752207532075420755207562075720758207592076020761207622076320764207652076620767207682076920770207712077220773207742077520776207772077820779207802078120782207832078420785207862078720788207892079020791207922079320794207952079620797207982079920800208012080220803208042080520806208072080820809208102081120812208132081420815208162081720818208192082020821208222082320824208252082620827208282082920830208312083220833208342083520836208372083820839208402084120842208432084420845208462084720848208492085020851208522085320854208552085620857208582085920860208612086220863208642086520866208672086820869208702087120872208732087420875208762087720878208792088020881208822088320884208852088620887208882088920890208912089220893208942089520896208972089820899209002090120902209032090420905209062090720908209092091020911209122091320914209152091620917209182091920920209212092220923209242092520926209272092820929209302093120932209332093420935209362093720938209392094020941209422094320944209452094620947209482094920950209512095220953209542095520956209572095820959209602096120962209632096420965209662096720968209692097020971209722097320974209752097620977209782097920980209812098220983209842098520986209872098820989209902099120992209932099420995209962099720998209992100021001210022100321004210052100621007210082100921010210112101221013210142101521016210172101821019210202102121022210232102421025210262102721028210292103021031210322103321034210352103621037210382103921040210412104221043210442104521046210472104821049210502105121052210532105421055210562105721058210592106021061210622106321064210652106621067210682106921070210712107221073210742107521076210772107821079210802108121082210832108421085210862108721088210892109021091210922109321094210952109621097210982109921100211012110221103211042110521106211072110821109211102111121112211132111421115211162111721118211192112021121211222112321124211252112621127211282112921130211312113221133211342113521136211372113821139211402114121142211432114421145211462114721148211492115021151211522115321154211552115621157211582115921160211612116221163211642116521166211672116821169211702117121172211732117421175211762117721178211792118021181211822118321184211852118621187211882118921190211912119221193211942119521196211972119821199212002120121202212032120421205212062120721208212092121021211212122121321214212152121621217212182121921220212212122221223212242122521226212272122821229212302123121232212332123421235212362123721238212392124021241212422124321244212452124621247212482124921250212512125221253212542125521256212572125821259212602126121262212632126421265212662126721268212692127021271212722127321274212752127621277212782127921280212812128221283212842128521286212872128821289212902129121292212932129421295212962129721298212992130021301213022130321304213052130621307213082130921310213112131221313213142131521316213172131821319213202132121322213232132421325213262132721328213292133021331213322133321334213352133621337213382133921340213412134221343213442134521346213472134821349213502135121352213532135421355213562135721358213592136021361213622136321364213652136621367213682136921370213712137221373213742137521376213772137821379213802138121382213832138421385213862138721388213892139021391213922139321394213952139621397213982139921400214012140221403214042140521406214072140821409214102141121412214132141421415214162141721418214192142021421214222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212182221823218242182521826218272182821829218302183121832218332183421835218362183721838218392184021841218422184321844218452184621847218482184921850218512185221853218542185521856218572185821859218602186121862218632186421865218662186721868218692187021871218722187321874218752187621877218782187921880218812188221883218842188521886218872188821889218902189121892218932189421895218962189721898218992190021901219022190321904219052190621907219082190921910219112191221913219142191521916219172191821919219202192121922219232192421925219262192721928219292193021931219322193321934219352193621937219382193921940219412194221943219442194521946219472194821949219502195121952219532195421955219562195721958219592196021961219622196321964219652196621967219682196921970219712197221973219742197521976219772197821979219802198121982219832198421985219862198721988219892199021991219922199321994219952199621997219982199922000220012200222003220042200522006220072200822009220102201122012220132201422015220162201722018220192202022021220222202322024220252202622027220282202922030220312203222033220342203522036220372203822039220402204122042220432204422045220462204722048220492205022051220522205322054220552205622057220582205922060220612206222063220642206522066220672206822069220702207122072220732207422075220762207722078220792208022081220822208322084220852208622087220882208922090220912209222093220942209522096220972209822099221002210122102221032210422105221062210722108221092211022111221122211322114221152211622117221182211922120221212212222123221242212522126221272212822129221302213122132221332213422135221362213722138221392214022141221422214322144221452214622147221482214922150221512215222153221542215522156221572215822159221602216122162221632216422165221662216722168221692217022171221722217322174221752217622177221782217922180221812218222183221842218522186221872218822189221902219122192221932219422195221962219722198221992220022201222022220322204222052220622207222082220922210222112221222213222142221522216222172221822219222202222122222222232222422225222262222722228222292223022231222322223322234222352223622237222382223922240222412224222243222442224522246222472224822249222502225122252222532225422255222562225722258222592226022261222622226322264222652226622267222682226922270222712227222273222742227522276222772227822279222802228122282222832228422285222862228722288222892229022291222922229322294222952229622297222982229922300223012230222303223042230522306223072230822309223102231122312223132231422315223162231722318223192232022321223222232322324223252232622327223282232922330223312233222333223342233522336223372233822339223402234122342223432234422345223462234722348223492235022351223522235322354223552235622357223582235922360223612236222363223642236522366223672236822369223702237122372223732237422375223762237722378223792238022381223822238322384223852238622387223882238922390223912239222393223942239522396223972239822399224002240122402224032240422405224062240722408224092241022411224122241322414224152241622417224182241922420224212242222423224242242522426224272242822429224302243122432224332243422435224362243722438224392244022441224422244322444224452244622447224482244922450224512245222453224542245522456224572245822459224602246122462224632246422465224662246722468224692247022471224722247322474224752247622477224782247922480224812248222483224842248522486224872248822489224902249122492224932249422495224962249722498224992250022501225022250322504225052250622507225082250922510225112251222513225142251522516225172251822519225202252122522225232252422525225262252722528225292253022531225322253322534225352253622537225382253922540225412254222543225442254522546225472254822549225502255122552225532255422555225562255722558225592256022561225622256322564225652256622567225682256922570225712257222573225742257522576225772257822579225802258122582225832258422585225862258722588225892259022591225922259322594225952259622597225982259922600226012260222603226042260522606226072260822609226102261122612226132261422615226162261722618226192262022621226222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212302223023230242302523026230272302823029230302303123032230332303423035230362303723038230392304023041230422304323044230452304623047230482304923050230512305223053230542305523056230572305823059230602306123062230632306423065230662306723068230692307023071230722307323074230752307623077230782307923080230812308223083230842308523086230872308823089230902309123092230932309423095230962309723098230992310023101231022310323104231052310623107231082310923110231112311223113231142311523116231172311823119231202312123122231232312423125231262312723128231292313023131231322313323134231352313623137231382313923140231412314223143231442314523146231472314823149231502315123152231532315423155231562315723158231592316023161231622316323164231652316623167231682316923170231712317223173231742317523176231772317823179231802318123182231832318423185231862318723188231892319023191231922319323194231952319623197231982319923200232012320223203232042320523206232072320823209232102321123212232132321423215232162321723218232192322023221232222322323224232252322623227232282322923230232312323223233232342323523236232372323823239232402324123242232432324423245232462324723248232492325023251232522325323254232552325623257232582325923260232612326223263232642326523266232672326823269232702327123272232732327423275232762327723278232792328023281232822328323284232852328623287232882328923290232912329223293232942329523296232972329823299233002330123302233032330423305233062330723308233092331023311233122331323314233152331623317233182331923320233212332223323233242332523326233272332823329233302333123332233332333423335233362333723338233392334023341233422334323344233452334623347233482334923350233512335223353233542335523356233572335823359233602336123362233632336423365233662336723368233692337023371233722337323374233752337623377233782337923380233812338223383233842338523386233872338823389233902339123392233932339423395233962339723398233992340023401234022340323404234052340623407234082340923410234112341223413234142341523416234172341823419234202342123422234232342423425234262342723428234292343023431234322343323434234352343623437234382343923440234412344223443234442344523446234472344823449234502345123452234532345423455234562345723458234592346023461234622346323464234652346623467234682346923470234712347223473234742347523476234772347823479234802348123482234832348423485234862348723488234892349023491234922349323494234952349623497234982349923500235012350223503235042350523506235072350823509235102351123512235132351423515235162351723518235192352023521235222352323524235252352623527235282352923530235312353223533235342353523536235372353823539235402354123542235432354423545235462354723548235492355023551235522355323554235552355623557235582355923560235612356223563235642356523566235672356823569235702357123572235732357423575235762357723578235792358023581235822358323584235852358623587235882358923590235912359223593235942359523596235972359823599236002360123602236032360423605236062360723608236092361023611236122361323614236152361623617236182361923620236212362223623236242362523626236272362823629236302363123632236332363423635236362363723638236392364023641236422364323644236452364623647236482364923650236512365223653236542365523656236572365823659236602366123662236632366423665236662366723668236692367023671236722367323674236752367623677236782367923680236812368223683236842368523686236872368823689236902369123692236932369423695236962369723698236992370023701237022370323704237052370623707237082370923710237112371223713237142371523716237172371823719237202372123722237232372423725237262372723728237292373023731237322373323734237352373623737237382373923740237412374223743237442374523746237472374823749237502375123752237532375423755237562375723758237592376023761237622376323764237652376623767237682376923770237712377223773237742377523776237772377823779237802378123782237832378423785237862378723788237892379023791237922379323794237952379623797237982379923800238012380223803238042380523806238072380823809238102381123812238132381423815238162381723818238192382023821238222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212422224223242242422524226242272422824229242302423124232242332423424235242362423724238242392424024241242422424324244242452424624247242482424924250242512425224253242542425524256242572425824259242602426124262242632426424265242662426724268242692427024271242722427324274242752427624277242782427924280242812428224283242842428524286242872428824289242902429124292242932429424295242962429724298242992430024301243022430324304243052430624307243082430924310243112431224313243142431524316243172431824319243202432124322243232432424325243262432724328243292433024331243322433324334243352433624337243382433924340243412434224343243442434524346243472434824349243502435124352243532435424355243562435724358243592436024361243622436324364243652436624367243682436924370243712437224373243742437524376243772437824379243802438124382243832438424385243862438724388243892439024391243922439324394243952439624397243982439924400244012440224403244042440524406244072440824409244102441124412244132441424415244162441724418244192442024421244222442324424244252442624427244282442924430244312443224433244342443524436244372443824439244402444124442244432444424445244462444724448244492445024451244522445324454244552445624457244582445924460244612446224463244642446524466244672446824469244702447124472244732447424475244762447724478244792448024481244822448324484244852448624487244882448924490244912449224493244942449524496244972449824499245002450124502245032450424505245062450724508245092451024511245122451324514245152451624517245182451924520245212452224523245242452524526245272452824529245302453124532245332453424535245362453724538245392454024541245422454324544245452454624547245482454924550245512455224553245542455524556245572455824559245602456124562245632456424565245662456724568245692457024571245722457324574245752457624577245782457924580245812458224583245842458524586245872458824589245902459124592245932459424595245962459724598245992460024601246022460324604246052460624607246082460924610246112461224613246142461524616246172461824619246202462124622246232462424625246262462724628246292463024631246322463324634246352463624637246382463924640246412464224643246442464524646246472464824649246502465124652246532465424655246562465724658246592466024661246622466324664246652466624667246682466924670246712467224673246742467524676246772467824679246802468124682246832468424685246862468724688246892469024691246922469324694246952469624697246982469924700247012470224703247042470524706247072470824709247102471124712247132471424715247162471724718247192472024721247222472324724247252472624727247282472924730247312473224733247342473524736247372473824739247402474124742247432474424745247462474724748247492475024751247522475324754247552475624757247582475924760247612476224763247642476524766247672476824769247702477124772247732477424775247762477724778247792478024781247822478324784247852478624787247882478924790247912479224793247942479524796247972479824799248002480124802248032480424805248062480724808248092481024811248122481324814248152481624817248182481924820248212482224823248242482524826248272482824829248302483124832248332483424835248362483724838248392484024841248422484324844248452484624847248482484924850248512485224853248542485524856248572485824859248602486124862248632486424865248662486724868248692487024871248722487324874248752487624877248782487924880248812488224883248842488524886248872488824889248902489124892248932489424895248962489724898248992490024901249022490324904249052490624907249082490924910249112491224913249142491524916249172491824919249202492124922249232492424925249262492724928249292493024931249322493324934249352493624937249382493924940249412494224943249442494524946249472494824949249502495124952249532495424955249562495724958249592496024961249622496324964249652496624967249682496924970249712497224973249742497524976249772497824979249802498124982249832498424985249862498724988249892499024991249922499324994249952499624997249982499925000250012500225003250042500525006250072500825009250102501125012250132501425015250162501725018250192502025021250222502325024250252502625027250282502925030250312503225033250342503525036250372503825039250402504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060250612506225063250642506525066250672506825069250702507125072250732507425075250762507725078250792508025081250822508325084250852508625087250882508925090250912509225093250942509525096250972509825099251002510125102251032510425105251062510725108251092511025111251122511325114251152511625117251182511925120251212512225123251242512525126251272512825129251302513125132251332513425135251362513725138251392514025141251422514325144251452514625147251482514925150251512515225153251542515525156251572515825159251602516125162251632516425165251662516725168251692517025171251722517325174251752517625177251782517925180251812518225183251842518525186251872518825189251902519125192251932519425195251962519725198251992520025201252022520325204252052520625207252082520925210252112521225213252142521525216252172521825219252202522125222252232522425225252262522725228252292523025231252322523325234252352523625237252382523925240252412524225243252442524525246252472524825249252502525125252252532525425255252562525725258252592526025261252622526325264252652526625267252682526925270252712527225273252742527525276252772527825279252802528125282252832528425285252862528725288252892529025291252922529325294252952529625297252982529925300253012530225303253042530525306253072530825309253102531125312253132531425315253162531725318253192532025321253222532325324253252532625327253282532925330253312533225333253342533525336253372533825339253402534125342253432534425345253462534725348253492535025351253522535325354253552535625357253582535925360253612536225363253642536525366253672536825369253702537125372253732537425375253762537725378253792538025381253822538325384253852538625387253882538925390253912539225393253942539525396253972539825399254002540125402254032540425405254062540725408254092541025411254122541325414254152541625417254182541925420254212542225423254242542525426254272542825429254302543125432254332543425435254362543725438254392544025441254422544325444254452544625447254482544925450254512545225453254542545525456254572545825459254602546125462254632546425465254662546725468254692547025471254722547325474254752547625477254782547925480254812548225483254842548525486254872548825489254902549125492254932549425495254962549725498254992550025501255022550325504255052550625507255082550925510255112551225513255142551525516255172551825519255202552125522255232552425525255262552725528255292553025531255322553325534255352553625537255382553925540255412554225543255442554525546255472554825549255502555125552255532555425555255562555725558255592556025561255622556325564255652556625567255682556925570255712557225573255742557525576255772557825579255802558125582255832558425585255862558725588255892559025591255922559325594255952559625597255982559925600256012560225603256042560525606256072560825609256102561125612256132561425615256162561725618256192562025621256222562325624256252562625627256282562925630256312563225633256342563525636256372563825639256402564125642256432564425645256462564725648256492565025651256522565325654256552565625657256582565925660256612566225663256642566525666256672566825669256702567125672256732567425675256762567725678256792568025681256822568325684256852568625687256882568925690256912569225693256942569525696256972569825699257002570125702257032570425705257062570725708257092571025711257122571325714257152571625717257182571925720257212572225723257242572525726257272572825729257302573125732257332573425735257362573725738257392574025741257422574325744257452574625747257482574925750257512575225753257542575525756257572575825759257602576125762257632576425765257662576725768257692577025771257722577325774257752577625777257782577925780257812578225783257842578525786257872578825789257902579125792257932579425795257962579725798257992580025801258022580325804258052580625807258082580925810258112581225813258142581525816258172581825819258202582125822258232582425825258262582725828258292583025831258322583325834258352583625837258382583925840258412584225843258442584525846258472584825849258502585125852258532585425855258562585725858258592586025861258622586325864258652586625867258682586925870258712587225873258742587525876258772587825879258802588125882258832588425885258862588725888258892589025891258922589325894258952589625897258982589925900259012590225903259042590525906259072590825909259102591125912259132591425915259162591725918259192592025921259222592325924259252592625927259282592925930259312593225933259342593525936259372593825939259402594125942259432594425945259462594725948259492595025951259522595325954259552595625957259582595925960259612596225963259642596525966259672596825969259702597125972259732597425975259762597725978259792598025981259822598325984259852598625987259882598925990259912599225993259942599525996259972599825999260002600126002260032600426005260062600726008260092601026011260122601326014260152601626017260182601926020260212602226023260242602526026260272602826029260302603126032260332603426035260362603726038260392604026041260422604326044260452604626047260482604926050260512605226053260542605526056260572605826059260602606126062260632606426065260662606726068260692607026071260722607326074260752607626077260782607926080260812608226083260842608526086260872608826089260902609126092260932609426095260962609726098260992610026101261022610326104261052610626107261082610926110261112611226113261142611526116261172611826119261202612126122261232612426125261262612726128261292613026131261322613326134261352613626137261382613926140261412614226143261442614526146261472614826149261502615126152261532615426155261562615726158261592616026161261622616326164261652616626167261682616926170261712617226173261742617526176261772617826179261802618126182261832618426185261862618726188261892619026191261922619326194261952619626197261982619926200262012620226203262042620526206262072620826209262102621126212262132621426215262162621726218262192622026221262222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572265732657426575265762657726578265792658026581265822658326584265852658626587265882658926590265912659226593265942659526596265972659826599266002660126602266032660426605266062660726608266092661026611266122661326614266152661626617266182661926620266212662226623266242662526626266272662826629266302663126632266332663426635266362663726638266392664026641266422664326644266452664626647266482664926650266512665226653266542665526656266572665826659266602666126662266632666426665266662666726668266692667026671266722667326674266752667626677266782667926680266812668226683266842668526686266872668826689266902669126692266932669426695266962669726698266992670026701267022670326704267052670626707267082670926710267112671226713267142671526716267172671826719267202672126722267232672426725267262672726728267292673026731267322673326734267352673626737267382673926740267412674226743267442674526746267472674826749267502675126752267532675426755267562675726758267592676026761267622676326764267652676626767267682676926770267712677226773267742677526776267772677826779267802678126782267832678426785267862678726788267892679026791267922679326794267952679626797267982679926800268012680226803268042680526806268072680826809268102681126812268132681426815268162681726818268192682026821268222682326824268252682626827268282682926830268312683226833268342683526836268372683826839268402684126842268432684426845268462684726848268492685026851268522685326854268552685626857268582685926860268612686226863268642686526866268672686826869268702687126872268732687426875268762687726878268792688026881268822688326884268852688626887268882688926890268912689226893268942689526896268972689826899269002690126902269032690426905269062690726908269092691026911269122691326914269152691626917269182691926920269212692226923269242692526926269272692826929269302693126932269332693426935269362693726938269392694026941269422694326944269452694626947269482694926950269512695226953269542695526956269572695826959269602696126962269632696426965269662696726968269692697026971269722697326974269752697626977269782697926980269812698226983269842698526986269872698826989269902699126992269932699426995269962699726998269992700027001270022700327004270052700627007270082700927010270112701227013270142701527016270172701827019270202702127022270232702427025270262702727028270292703027031270322703327034270352703627037270382703927040270412704227043270442704527046270472704827049270502705127052270532705427055270562705727058270592706027061270622706327064270652706627067270682706927070270712707227073270742707527076270772707827079270802708127082270832708427085270862708727088270892709027091270922709327094270952709627097270982709927100271012710227103271042710527106271072710827109271102711127112271132711427115271162711727118271192712027121271222712327124271252712627127271282712927130271312713227133271342713527136271372713827139271402714127142271432714427145271462714727148271492715027151271522715327154271552715627157271582715927160271612716227163271642716527166271672716827169271702717127172271732717427175271762717727178271792718027181271822718327184271852718627187271882718927190271912719227193271942719527196271972719827199272002720127202272032720427205272062720727208272092721027211272122721327214272152721627217272182721927220272212722227223272242722527226272272722827229272302723127232272332723427235272362723727238272392724027241272422724327244272452724627247272482724927250272512725227253272542725527256272572725827259272602726127262272632726427265272662726727268272692727027271272722727327274272752727627277272782727927280272812728227283272842728527286272872728827289272902729127292272932729427295272962729727298272992730027301273022730327304273052730627307273082730927310273112731227313273142731527316273172731827319273202732127322273232732427325273262732727328273292733027331273322733327334273352733627337273382733927340273412734227343273442734527346273472734827349273502735127352273532735427355273562735727358273592736027361273622736327364273652736627367273682736927370273712737227373273742737527376273772737827379273802738127382273832738427385273862738727388273892739027391273922739327394273952739627397273982739927400274012740227403274042740527406274072740827409274102741127412274132741427415274162741727418274192742027421274222742327424274252742627427274282742927430274312743227433274342743527436274372743827439274402744127442274432744427445274462744727448274492745027451274522745327454274552745627457274582745927460274612746227463274642746527466274672746827469274702747127472274732747427475274762747727478274792748027481274822748327484274852748627487274882748927490274912749227493274942749527496274972749827499275002750127502275032750427505275062750727508275092751027511275122751327514275152751627517275182751927520275212752227523275242752527526275272752827529275302753127532275332753427535275362753727538275392754027541275422754327544275452754627547275482754927550275512755227553275542755527556275572755827559275602756127562275632756427565275662756727568275692757027571275722757327574275752757627577275782757927580275812758227583275842758527586275872758827589275902759127592275932759427595275962759727598275992760027601276022760327604276052760627607276082760927610276112761227613276142761527616276172761827619276202762127622276232762427625276262762727628276292763027631276322763327634276352763627637276382763927640276412764227643276442764527646276472764827649276502765127652276532765427655276562765727658276592766027661276622766327664276652766627667276682766927670276712767227673276742767527676276772767827679276802768127682276832768427685276862768727688276892769027691276922769327694276952769627697276982769927700277012770227703277042770527706277072770827709277102771127712277132771427715277162771727718277192772027721277222772327724277252772627727277282772927730277312773227733277342773527736277372773827739277402774127742277432774427745277462774727748277492775027751277522775327754277552775627757277582775927760277612776227763277642776527766277672776827769277702777127772277732777427775277762777727778277792778027781277822778327784277852778627787277882778927790277912779227793277942779527796277972779827799278002780127802278032780427805278062780727808278092781027811278122781327814278152781627817278182781927820278212782227823278242782527826278272782827829278302783127832278332783427835278362783727838278392784027841278422784327844278452784627847278482784927850278512785227853278542785527856278572785827859278602786127862278632786427865278662786727868278692787027871278722787327874278752787627877278782787927880278812788227883278842788527886278872788827889278902789127892278932789427895278962789727898278992790027901279022790327904279052790627907279082790927910279112791227913279142791527916279172791827919279202792127922279232792427925279262792727928279292793027931279322793327934279352793627937279382793927940279412794227943279442794527946279472794827949279502795127952279532795427955279562795727958279592796027961279622796327964279652796627967279682796927970279712797227973279742797527976279772797827979279802798127982279832798427985279862798727988279892799027991279922799327994279952799627997279982799928000280012800228003280042800528006280072800828009280102801128012280132801428015280162801728018280192802028021280222802328024280252802628027280282802928030280312803228033280342803528036280372803828039280402804128042280432804428045280462804728048280492805028051280522805328054280552805628057280582805928060280612806228063280642806528066280672806828069280702807128072280732807428075280762807728078280792808028081280822808328084280852808628087280882808928090280912809228093280942809528096280972809828099281002810128102281032810428105281062810728108281092811028111281122811328114281152811628117281182811928120281212812228123281242812528126281272812828129281302813128132281332813428135281362813728138281392814028141281422814328144281452814628147281482814928150281512815228153281542815528156281572815828159281602816128162281632816428165281662816728168281692817028171281722817328174281752817628177281782817928180281812818228183281842818528186281872818828189281902819128192281932819428195281962819728198281992820028201282022820328204282052820628207282082820928210282112821228213282142821528216282172821828219282202822128222282232822428225282262822728228282292823028231282322823328234282352823628237282382823928240282412824228243282442824528246282472824828249282502825128252282532825428255282562825728258282592826028261282622826328264282652826628267282682826928270282712827228273282742827528276282772827828279282802828128282282832828428285282862828728288282892829028291282922829328294282952829628297282982829928300283012830228303283042830528306283072830828309283102831128312283132831428315283162831728318283192832028321283222832328324283252832628327283282832928330283312833228333283342833528336283372833828339283402834128342283432834428345283462834728348283492835028351283522835328354283552835628357283582835928360283612836228363283642836528366283672836828369283702837128372283732837428375283762837728378283792838028381283822838328384283852838628387283882838928390283912839228393283942839528396283972839828399284002840128402284032840428405284062840728408284092841028411284122841328414284152841628417284182841928420284212842228423284242842528426284272842828429284302843128432284332843428435284362843728438284392844028441284422844328444284452844628447284482844928450284512845228453284542845528456284572845828459284602846128462284632846428465284662846728468284692847028471284722847328474284752847628477284782847928480284812848228483284842848528486284872848828489284902849128492284932849428495284962849728498284992850028501285022850328504285052850628507285082850928510285112851228513285142851528516285172851828519285202852128522285232852428525285262852728528285292853028531285322853328534285352853628537285382853928540285412854228543285442854528546285472854828549285502855128552285532855428555285562855728558285592856028561285622856328564285652856628567285682856928570285712857228573285742857528576285772857828579285802858128582285832858428585285862858728588285892859028591285922859328594285952859628597285982859928600286012860228603286042860528606286072860828609286102861128612286132861428615286162861728618286192862028621286222862328624286252862628627286282862928630286312863228633286342863528636286372863828639286402864128642286432864428645286462864728648286492865028651286522865328654286552865628657286582865928660286612866228663286642866528666286672866828669286702867128672286732867428675286762867728678286792868028681286822868328684286852868628687286882868928690286912869228693286942869528696286972869828699287002870128702287032870428705287062870728708287092871028711287122871328714287152871628717287182871928720287212872228723287242872528726287272872828729287302873128732287332873428735287362873728738287392874028741287422874328744287452874628747287482874928750287512875228753287542875528756287572875828759287602876128762287632876428765287662876728768287692877028771287722877328774287752877628777287782877928780287812878228783287842878528786287872878828789287902879128792287932879428795287962879728798287992880028801288022880328804288052880628807288082880928810288112881228813288142881528816288172881828819288202882128822288232882428825288262882728828288292883028831288322883328834288352883628837288382883928840288412884228843288442884528846288472884828849288502885128852288532885428855288562885728858288592886028861288622886328864288652886628867288682886928870288712887228873288742887528876288772887828879288802888128882288832888428885288862888728888288892889028891288922889328894288952889628897288982889928900289012890228903289042890528906289072890828909289102891128912289132891428915289162891728918289192892028921289222892328924289252892628927289282892928930289312893228933289342893528936289372893828939289402894128942289432894428945289462894728948289492895028951289522895328954289552895628957289582895928960289612896228963289642896528966289672896828969289702897128972289732897428975289762897728978289792898028981289822898328984289852898628987289882898928990289912899228993289942899528996289972899828999290002900129002290032900429005290062900729008290092901029011290122901329014290152901629017290182901929020290212902229023290242902529026290272902829029290302903129032290332903429035290362903729038290392904029041290422904329044290452904629047290482904929050290512905229053290542905529056290572905829059290602906129062290632906429065290662906729068290692907029071290722907329074290752907629077290782907929080290812908229083290842908529086290872908829089290902909129092290932909429095290962909729098290992910029101291022910329104291052910629107291082910929110291112911229113291142911529116291172911829119291202912129122291232912429125291262912729128291292913029131291322913329134291352913629137291382913929140291412914229143291442914529146291472914829149291502915129152291532915429155291562915729158291592916029161291622916329164291652916629167291682916929170291712917229173291742917529176291772917829179291802918129182291832918429185291862918729188291892919029191291922919329194291952919629197291982919929200292012920229203292042920529206292072920829209292102921129212292132921429215292162921729218292192922029221292222922329224292252922629227292282922929230292312923229233292342923529236292372923829239292402924129242292432924429245292462924729248292492925029251292522925329254292552925629257292582925929260292612926229263292642926529266292672926829269292702927129272292732927429275292762927729278292792928029281292822928329284292852928629287292882928929290292912929229293292942929529296292972929829299293002930129302293032930429305293062930729308293092931029311293122931329314293152931629317293182931929320293212932229323293242932529326293272932829329293302933129332293332933429335293362933729338293392934029341293422934329344293452934629347293482934929350293512935229353293542935529356293572935829359293602936129362293632936429365293662936729368293692937029371293722937329374293752937629377293782937929380293812938229383293842938529386293872938829389293902939129392293932939429395293962939729398293992940029401294022940329404294052940629407294082940929410294112941229413294142941529416294172941829419294202942129422294232942429425294262942729428294292943029431294322943329434294352943629437294382943929440294412944229443294442944529446294472944829449294502945129452294532945429455294562945729458294592946029461294622946329464294652946629467294682946929470294712947229473294742947529476294772947829479294802948129482294832948429485294862948729488294892949029491294922949329494294952949629497294982949929500295012950229503295042950529506295072950829509295102951129512295132951429515295162951729518295192952029521295222952329524295252952629527295282952929530295312953229533295342953529536295372953829539295402954129542295432954429545295462954729548295492955029551295522955329554295552955629557295582955929560295612956229563295642956529566295672956829569295702957129572295732957429575295762957729578295792958029581295822958329584295852958629587295882958929590295912959229593295942959529596295972959829599296002960129602296032960429605296062960729608296092961029611296122961329614296152961629617296182961929620296212962229623296242962529626296272962829629296302963129632296332963429635296362963729638296392964029641296422964329644296452964629647296482964929650296512965229653296542965529656296572965829659296602966129662296632966429665296662966729668296692967029671296722967329674296752967629677296782967929680296812968229683296842968529686296872968829689296902969129692296932969429695296962969729698296992970029701297022970329704297052970629707297082970929710297112971229713297142971529716297172971829719297202972129722297232972429725297262972729728297292973029731297322973329734297352973629737297382973929740297412974229743297442974529746297472974829749297502975129752297532975429755297562975729758297592976029761297622976329764297652976629767297682976929770297712977229773297742977529776297772977829779297802978129782297832978429785297862978729788297892979029791297922979329794297952979629797297982979929800298012980229803298042980529806298072980829809298102981129812298132981429815298162981729818298192982029821298222982329824298252982629827298282982929830298312983229833298342983529836298372983829839298402984129842298432984429845298462984729848298492985029851298522985329854298552985629857298582985929860298612986229863298642986529866298672986829869298702987129872298732987429875298762987729878298792988029881298822988329884298852988629887298882988929890298912989229893298942989529896298972989829899299002990129902299032990429905299062990729908299092991029911299122991329914299152991629917299182991929920299212992229923299242992529926299272992829929299302993129932299332993429935299362993729938299392994029941299422994329944299452994629947299482994929950299512995229953299542995529956299572995829959299602996129962299632996429965299662996729968299692997029971299722997329974299752997629977299782997929980299812998229983299842998529986299872998829989299902999129992299932999429995299962999729998299993000030001300023000330004300053000630007300083000930010300113001230013300143001530016300173001830019300203002130022300233002430025300263002730028300293003030031300323003330034300353003630037300383003930040300413004230043300443004530046300473004830049300503005130052300533005430055300563005730058300593006030061300623006330064300653006630067300683006930070300713007230073300743007530076300773007830079300803008130082300833008430085300863008730088300893009030091300923009330094300953009630097300983009930100301013010230103301043010530106301073010830109301103011130112301133011430115301163011730118301193012030121301223012330124301253012630127301283012930130301313013230133301343013530136301373013830139301403014130142301433014430145301463014730148301493015030151301523015330154301553015630157301583015930160301613016230163301643016530166301673016830169301703017130172301733017430175301763017730178301793018030181301823018330184301853018630187301883018930190301913019230193301943019530196301973019830199302003020130202302033020430205302063020730208302093021030211302123021330214302153021630217302183021930220302213022230223302243022530226302273022830229302303023130232302333023430235302363023730238302393024030241302423024330244302453024630247302483024930250302513025230253302543025530256302573025830259302603026130262302633026430265302663026730268302693027030271302723027330274302753027630277302783027930280302813028230283302843028530286302873028830289302903029130292302933029430295302963029730298302993030030301303023030330304303053030630307303083030930310303113031230313303143031530316303173031830319303203032130322303233032430325303263032730328303293033030331303323033330334303353033630337303383033930340303413034230343303443034530346303473034830349303503035130352303533035430355303563035730358303593036030361303623036330364303653036630367303683036930370303713037230373303743037530376303773037830379303803038130382303833038430385303863038730388303893039030391303923039330394303953039630397303983039930400304013040230403304043040530406304073040830409304103041130412304133041430415304163041730418304193042030421304223042330424304253042630427304283042930430304313043230433304343043530436304373043830439304403044130442304433044430445304463044730448304493045030451304523045330454304553045630457304583045930460304613046230463304643046530466304673046830469304703047130472304733047430475304763047730478304793048030481304823048330484304853048630487304883048930490304913049230493304943049530496304973049830499305003050130502305033050430505305063050730508
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. default: Ignore
  118. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  119. enum:
  120. - Ignore
  121. - Fail
  122. type: string
  123. property:
  124. description: Used to select a specific property of the Provider value (if a map), if supported
  125. type: string
  126. version:
  127. description: Used to select a specific version of the Provider value, if supported
  128. type: string
  129. required:
  130. - key
  131. type: object
  132. secretKey:
  133. description: The key in the Kubernetes Secret to store the value.
  134. maxLength: 253
  135. minLength: 1
  136. pattern: ^[-._a-zA-Z0-9]+$
  137. type: string
  138. sourceRef:
  139. description: |-
  140. SourceRef allows you to override the source
  141. from which the value will be pulled.
  142. maxProperties: 1
  143. minProperties: 1
  144. properties:
  145. generatorRef:
  146. description: |-
  147. GeneratorRef points to a generator custom resource.
  148. Deprecated: The generatorRef is not implemented in .data[].
  149. this will be removed with v1.
  150. properties:
  151. apiVersion:
  152. default: generators.external-secrets.io/v1alpha1
  153. description: Specify the apiVersion of the generator resource
  154. type: string
  155. kind:
  156. description: Specify the Kind of the generator resource
  157. enum:
  158. - ACRAccessToken
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - QuayAccessToken
  166. - Password
  167. - SSHKey
  168. - STSAssumeRoleToken
  169. - STSSessionToken
  170. - UUID
  171. - VaultDynamicSecret
  172. - Webhook
  173. - Grafana
  174. - MFA
  175. type: string
  176. name:
  177. description: Specify the name of the generator resource
  178. maxLength: 253
  179. minLength: 1
  180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  181. type: string
  182. required:
  183. - kind
  184. - name
  185. type: object
  186. storeRef:
  187. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  188. properties:
  189. kind:
  190. description: |-
  191. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  192. Defaults to `SecretStore`
  193. enum:
  194. - SecretStore
  195. - ClusterSecretStore
  196. type: string
  197. name:
  198. description: Name of the SecretStore resource
  199. maxLength: 253
  200. minLength: 1
  201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  202. type: string
  203. type: object
  204. type: object
  205. required:
  206. - remoteRef
  207. - secretKey
  208. type: object
  209. type: array
  210. dataFrom:
  211. description: |-
  212. DataFrom is used to fetch all properties from a specific Provider data
  213. If multiple entries are specified, the Secret keys are merged in the specified order
  214. items:
  215. description: |-
  216. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  217. when using DataFrom to fetch multiple values from a Provider.
  218. properties:
  219. extract:
  220. description: |-
  221. Used to extract multiple key/value pairs from one secret
  222. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  223. properties:
  224. conversionStrategy:
  225. default: Default
  226. description: Used to define a conversion Strategy
  227. enum:
  228. - Default
  229. - Unicode
  230. type: string
  231. decodingStrategy:
  232. default: None
  233. description: Used to define a decoding Strategy
  234. enum:
  235. - Auto
  236. - Base64
  237. - Base64URL
  238. - None
  239. type: string
  240. key:
  241. description: Key is the key used in the Provider, mandatory
  242. type: string
  243. metadataPolicy:
  244. default: None
  245. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  246. enum:
  247. - None
  248. - Fetch
  249. type: string
  250. nullBytePolicy:
  251. default: Ignore
  252. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  253. enum:
  254. - Ignore
  255. - Fail
  256. type: string
  257. property:
  258. description: Used to select a specific property of the Provider value (if a map), if supported
  259. type: string
  260. version:
  261. description: Used to select a specific version of the Provider value, if supported
  262. type: string
  263. required:
  264. - key
  265. type: object
  266. find:
  267. description: |-
  268. Used to find secrets based on tags or regular expressions
  269. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  270. properties:
  271. conversionStrategy:
  272. default: Default
  273. description: Used to define a conversion Strategy
  274. enum:
  275. - Default
  276. - Unicode
  277. type: string
  278. decodingStrategy:
  279. default: None
  280. description: Used to define a decoding Strategy
  281. enum:
  282. - Auto
  283. - Base64
  284. - Base64URL
  285. - None
  286. type: string
  287. name:
  288. description: Finds secrets based on the name.
  289. properties:
  290. regexp:
  291. description: Finds secrets base
  292. type: string
  293. type: object
  294. nullBytePolicy:
  295. default: Ignore
  296. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  297. enum:
  298. - Ignore
  299. - Fail
  300. type: string
  301. path:
  302. description: A root path to start the find operations.
  303. type: string
  304. tags:
  305. additionalProperties:
  306. type: string
  307. description: Find secrets based on tags.
  308. type: object
  309. type: object
  310. rewrite:
  311. description: |-
  312. Used to rewrite secret Keys after getting them from the secret Provider
  313. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  314. items:
  315. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  316. maxProperties: 1
  317. minProperties: 1
  318. properties:
  319. merge:
  320. description: |-
  321. Used to merge key/values in one single Secret
  322. The resulting key will contain all values from the specified secrets
  323. properties:
  324. conflictPolicy:
  325. default: Error
  326. description: Used to define the policy to use in conflict resolution.
  327. enum:
  328. - Ignore
  329. - Error
  330. type: string
  331. into:
  332. default: ""
  333. description: |-
  334. Used to define the target key of the merge operation.
  335. Required if strategy is JSON. Ignored otherwise.
  336. type: string
  337. priority:
  338. description: Used to define key priority in conflict resolution.
  339. items:
  340. type: string
  341. type: array
  342. priorityPolicy:
  343. default: Strict
  344. description: Used to define the policy when a key in the priority list does not exist in the input.
  345. enum:
  346. - IgnoreNotFound
  347. - Strict
  348. type: string
  349. strategy:
  350. default: Extract
  351. description: Used to define the strategy to use in the merge operation.
  352. enum:
  353. - Extract
  354. - JSON
  355. type: string
  356. type: object
  357. regexp:
  358. description: |-
  359. Used to rewrite with regular expressions.
  360. The resulting key will be the output of a regexp.ReplaceAll operation.
  361. properties:
  362. source:
  363. description: Used to define the regular expression of a re.Compiler.
  364. type: string
  365. target:
  366. description: Used to define the target pattern of a ReplaceAll operation.
  367. type: string
  368. required:
  369. - source
  370. - target
  371. type: object
  372. transform:
  373. description: |-
  374. Used to apply string transformation on the secrets.
  375. The resulting key will be the output of the template applied by the operation.
  376. properties:
  377. template:
  378. description: |-
  379. Used to define the template to apply on the secret name.
  380. `.value ` will specify the secret name in the template.
  381. type: string
  382. required:
  383. - template
  384. type: object
  385. type: object
  386. type: array
  387. sourceRef:
  388. description: |-
  389. SourceRef points to a store or generator
  390. which contains secret values ready to use.
  391. Use this in combination with Extract or Find pull values out of
  392. a specific SecretStore.
  393. When sourceRef points to a generator Extract or Find is not supported.
  394. The generator returns a static map of values
  395. maxProperties: 1
  396. minProperties: 1
  397. properties:
  398. generatorRef:
  399. description: GeneratorRef points to a generator custom resource.
  400. properties:
  401. apiVersion:
  402. default: generators.external-secrets.io/v1alpha1
  403. description: Specify the apiVersion of the generator resource
  404. type: string
  405. kind:
  406. description: Specify the Kind of the generator resource
  407. enum:
  408. - ACRAccessToken
  409. - ClusterGenerator
  410. - CloudsmithAccessToken
  411. - ECRAuthorizationToken
  412. - Fake
  413. - GCRAccessToken
  414. - GithubAccessToken
  415. - QuayAccessToken
  416. - Password
  417. - SSHKey
  418. - STSAssumeRoleToken
  419. - STSSessionToken
  420. - UUID
  421. - VaultDynamicSecret
  422. - Webhook
  423. - Grafana
  424. - MFA
  425. type: string
  426. name:
  427. description: Specify the name of the generator resource
  428. maxLength: 253
  429. minLength: 1
  430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  431. type: string
  432. required:
  433. - kind
  434. - name
  435. type: object
  436. storeRef:
  437. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  438. properties:
  439. kind:
  440. description: |-
  441. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  442. Defaults to `SecretStore`
  443. enum:
  444. - SecretStore
  445. - ClusterSecretStore
  446. type: string
  447. name:
  448. description: Name of the SecretStore resource
  449. maxLength: 253
  450. minLength: 1
  451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  452. type: string
  453. type: object
  454. type: object
  455. type: object
  456. type: array
  457. refreshInterval:
  458. default: 1h0m0s
  459. description: |-
  460. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  461. specified as Golang Duration strings.
  462. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  463. Example values: "1h0m0s", "2h30m0s", "10m0s"
  464. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  465. type: string
  466. refreshPolicy:
  467. description: |-
  468. RefreshPolicy determines how the ExternalSecret should be refreshed:
  469. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  470. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  471. No periodic updates occur if refreshInterval is 0.
  472. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  473. enum:
  474. - CreatedOnce
  475. - Periodic
  476. - OnChange
  477. type: string
  478. secretStoreRef:
  479. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  480. properties:
  481. kind:
  482. description: |-
  483. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  484. Defaults to `SecretStore`
  485. enum:
  486. - SecretStore
  487. - ClusterSecretStore
  488. type: string
  489. name:
  490. description: Name of the SecretStore resource
  491. maxLength: 253
  492. minLength: 1
  493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  494. type: string
  495. type: object
  496. target:
  497. default:
  498. creationPolicy: Owner
  499. deletionPolicy: Retain
  500. description: |-
  501. ExternalSecretTarget defines the Kubernetes Secret to be created,
  502. there can be only one target per ExternalSecret.
  503. properties:
  504. creationPolicy:
  505. default: Owner
  506. description: |-
  507. CreationPolicy defines rules on how to create the resulting Secret.
  508. Defaults to "Owner"
  509. enum:
  510. - Owner
  511. - Orphan
  512. - Merge
  513. - None
  514. type: string
  515. deletionPolicy:
  516. default: Retain
  517. description: |-
  518. DeletionPolicy defines rules on how to delete the resulting Secret.
  519. Defaults to "Retain"
  520. enum:
  521. - Delete
  522. - Merge
  523. - Retain
  524. type: string
  525. immutable:
  526. description: Immutable defines if the final secret will be immutable
  527. type: boolean
  528. manifest:
  529. description: |-
  530. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  531. When specified, ExternalSecret will create the resource type defined here
  532. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  533. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  534. properties:
  535. apiVersion:
  536. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  537. minLength: 1
  538. type: string
  539. kind:
  540. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  541. minLength: 1
  542. type: string
  543. required:
  544. - apiVersion
  545. - kind
  546. type: object
  547. name:
  548. description: |-
  549. The name of the Secret resource to be managed.
  550. Defaults to the .metadata.name of the ExternalSecret resource
  551. maxLength: 253
  552. minLength: 1
  553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  554. type: string
  555. template:
  556. description: Template defines a blueprint for the created Secret resource.
  557. properties:
  558. data:
  559. additionalProperties:
  560. type: string
  561. type: object
  562. engineVersion:
  563. default: v2
  564. description: |-
  565. EngineVersion specifies the template engine version
  566. that should be used to compile/execute the
  567. template specified in .data and .templateFrom[].
  568. enum:
  569. - v2
  570. type: string
  571. mergePolicy:
  572. default: Replace
  573. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  574. enum:
  575. - Replace
  576. - Merge
  577. type: string
  578. metadata:
  579. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  580. properties:
  581. annotations:
  582. additionalProperties:
  583. type: string
  584. type: object
  585. finalizers:
  586. items:
  587. type: string
  588. type: array
  589. labels:
  590. additionalProperties:
  591. type: string
  592. type: object
  593. type: object
  594. templateFrom:
  595. items:
  596. description: |-
  597. TemplateFrom specifies a source for templates.
  598. Each item in the list can either reference a ConfigMap or a Secret resource.
  599. properties:
  600. configMap:
  601. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  602. properties:
  603. items:
  604. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  605. items:
  606. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  607. properties:
  608. key:
  609. description: A key in the ConfigMap/Secret
  610. maxLength: 253
  611. minLength: 1
  612. pattern: ^[-._a-zA-Z0-9]+$
  613. type: string
  614. templateAs:
  615. default: Values
  616. description: TemplateScope specifies how the template keys should be interpreted.
  617. enum:
  618. - Values
  619. - KeysAndValues
  620. type: string
  621. required:
  622. - key
  623. type: object
  624. type: array
  625. name:
  626. description: The name of the ConfigMap/Secret resource
  627. maxLength: 253
  628. minLength: 1
  629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  630. type: string
  631. required:
  632. - items
  633. - name
  634. type: object
  635. literal:
  636. type: string
  637. secret:
  638. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  639. properties:
  640. items:
  641. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  642. items:
  643. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  644. properties:
  645. key:
  646. description: A key in the ConfigMap/Secret
  647. maxLength: 253
  648. minLength: 1
  649. pattern: ^[-._a-zA-Z0-9]+$
  650. type: string
  651. templateAs:
  652. default: Values
  653. description: TemplateScope specifies how the template keys should be interpreted.
  654. enum:
  655. - Values
  656. - KeysAndValues
  657. type: string
  658. required:
  659. - key
  660. type: object
  661. type: array
  662. name:
  663. description: The name of the ConfigMap/Secret resource
  664. maxLength: 253
  665. minLength: 1
  666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  667. type: string
  668. required:
  669. - items
  670. - name
  671. type: object
  672. target:
  673. default: Data
  674. description: |-
  675. Target specifies where to place the template result.
  676. For Secret resources, common values are: "Data", "Annotations", "Labels".
  677. For custom resources (when spec.target.manifest is set), this supports
  678. nested paths like "spec.database.config" or "data".
  679. type: string
  680. type: object
  681. type: array
  682. type:
  683. type: string
  684. type: object
  685. type: object
  686. type: object
  687. namespaceSelector:
  688. description: |-
  689. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  690. Deprecated: Use NamespaceSelectors instead.
  691. properties:
  692. matchExpressions:
  693. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  694. items:
  695. description: |-
  696. A label selector requirement is a selector that contains values, a key, and an operator that
  697. relates the key and values.
  698. properties:
  699. key:
  700. description: key is the label key that the selector applies to.
  701. type: string
  702. operator:
  703. description: |-
  704. operator represents a key's relationship to a set of values.
  705. Valid operators are In, NotIn, Exists and DoesNotExist.
  706. type: string
  707. values:
  708. description: |-
  709. values is an array of string values. If the operator is In or NotIn,
  710. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  711. the values array must be empty. This array is replaced during a strategic
  712. merge patch.
  713. items:
  714. type: string
  715. type: array
  716. x-kubernetes-list-type: atomic
  717. required:
  718. - key
  719. - operator
  720. type: object
  721. type: array
  722. x-kubernetes-list-type: atomic
  723. matchLabels:
  724. additionalProperties:
  725. type: string
  726. description: |-
  727. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  728. map is equivalent to an element of matchExpressions, whose key field is "key", the
  729. operator is "In", and the values array contains only "value". The requirements are ANDed.
  730. type: object
  731. type: object
  732. x-kubernetes-map-type: atomic
  733. namespaceSelectors:
  734. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  735. items:
  736. description: |-
  737. A label selector is a label query over a set of resources. The result of matchLabels and
  738. matchExpressions are ANDed. An empty label selector matches all objects. A null
  739. label selector matches no objects.
  740. properties:
  741. matchExpressions:
  742. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  743. items:
  744. description: |-
  745. A label selector requirement is a selector that contains values, a key, and an operator that
  746. relates the key and values.
  747. properties:
  748. key:
  749. description: key is the label key that the selector applies to.
  750. type: string
  751. operator:
  752. description: |-
  753. operator represents a key's relationship to a set of values.
  754. Valid operators are In, NotIn, Exists and DoesNotExist.
  755. type: string
  756. values:
  757. description: |-
  758. values is an array of string values. If the operator is In or NotIn,
  759. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  760. the values array must be empty. This array is replaced during a strategic
  761. merge patch.
  762. items:
  763. type: string
  764. type: array
  765. x-kubernetes-list-type: atomic
  766. required:
  767. - key
  768. - operator
  769. type: object
  770. type: array
  771. x-kubernetes-list-type: atomic
  772. matchLabels:
  773. additionalProperties:
  774. type: string
  775. description: |-
  776. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  777. map is equivalent to an element of matchExpressions, whose key field is "key", the
  778. operator is "In", and the values array contains only "value". The requirements are ANDed.
  779. type: object
  780. type: object
  781. x-kubernetes-map-type: atomic
  782. type: array
  783. namespaces:
  784. description: |-
  785. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  786. Deprecated: Use NamespaceSelectors instead.
  787. items:
  788. maxLength: 63
  789. minLength: 1
  790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  791. type: string
  792. type: array
  793. refreshTime:
  794. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  795. type: string
  796. required:
  797. - externalSecretSpec
  798. type: object
  799. status:
  800. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  801. properties:
  802. conditions:
  803. items:
  804. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  805. properties:
  806. message:
  807. type: string
  808. status:
  809. type: string
  810. type:
  811. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  812. type: string
  813. required:
  814. - status
  815. - type
  816. type: object
  817. type: array
  818. externalSecretName:
  819. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  820. type: string
  821. failedNamespaces:
  822. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  823. items:
  824. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  825. properties:
  826. namespace:
  827. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  828. type: string
  829. reason:
  830. description: Reason is why the ExternalSecret failed to apply to the namespace
  831. type: string
  832. required:
  833. - namespace
  834. type: object
  835. type: array
  836. provisionedNamespaces:
  837. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  838. items:
  839. type: string
  840. type: array
  841. type: object
  842. type: object
  843. served: true
  844. storage: true
  845. subresources:
  846. status: {}
  847. - additionalPrinterColumns:
  848. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  849. name: Store
  850. type: string
  851. - jsonPath: .spec.refreshTime
  852. name: Refresh Interval
  853. type: string
  854. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  855. name: Ready
  856. type: string
  857. deprecated: true
  858. name: v1beta1
  859. schema:
  860. openAPIV3Schema:
  861. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  862. properties:
  863. apiVersion:
  864. description: |-
  865. APIVersion defines the versioned schema of this representation of an object.
  866. Servers should convert recognized schemas to the latest internal value, and
  867. may reject unrecognized values.
  868. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  869. type: string
  870. kind:
  871. description: |-
  872. Kind is a string value representing the REST resource this object represents.
  873. Servers may infer this from the endpoint the client submits requests to.
  874. Cannot be updated.
  875. In CamelCase.
  876. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  877. type: string
  878. metadata:
  879. type: object
  880. spec:
  881. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  882. properties:
  883. externalSecretMetadata:
  884. description: The metadata of the external secrets to be created
  885. properties:
  886. annotations:
  887. additionalProperties:
  888. type: string
  889. type: object
  890. labels:
  891. additionalProperties:
  892. type: string
  893. type: object
  894. type: object
  895. externalSecretName:
  896. description: |-
  897. The name of the external secrets to be created.
  898. Defaults to the name of the ClusterExternalSecret
  899. maxLength: 253
  900. minLength: 1
  901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  902. type: string
  903. externalSecretSpec:
  904. description: The spec for the ExternalSecrets to be created
  905. properties:
  906. data:
  907. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  908. items:
  909. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  910. properties:
  911. remoteRef:
  912. description: |-
  913. RemoteRef points to the remote secret and defines
  914. which secret (version/property/..) to fetch.
  915. properties:
  916. conversionStrategy:
  917. default: Default
  918. description: Used to define a conversion Strategy
  919. enum:
  920. - Default
  921. - Unicode
  922. type: string
  923. decodingStrategy:
  924. default: None
  925. description: Used to define a decoding Strategy
  926. enum:
  927. - Auto
  928. - Base64
  929. - Base64URL
  930. - None
  931. type: string
  932. key:
  933. description: Key is the key used in the Provider, mandatory
  934. type: string
  935. metadataPolicy:
  936. default: None
  937. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  938. enum:
  939. - None
  940. - Fetch
  941. type: string
  942. property:
  943. description: Used to select a specific property of the Provider value (if a map), if supported
  944. type: string
  945. version:
  946. description: Used to select a specific version of the Provider value, if supported
  947. type: string
  948. required:
  949. - key
  950. type: object
  951. secretKey:
  952. description: The key in the Kubernetes Secret to store the value.
  953. maxLength: 253
  954. minLength: 1
  955. pattern: ^[-._a-zA-Z0-9]+$
  956. type: string
  957. sourceRef:
  958. description: |-
  959. SourceRef allows you to override the source
  960. from which the value will be pulled.
  961. maxProperties: 1
  962. minProperties: 1
  963. properties:
  964. generatorRef:
  965. description: |-
  966. GeneratorRef points to a generator custom resource.
  967. Deprecated: The generatorRef is not implemented in .data[].
  968. this will be removed with v1.
  969. properties:
  970. apiVersion:
  971. default: generators.external-secrets.io/v1alpha1
  972. description: Specify the apiVersion of the generator resource
  973. type: string
  974. kind:
  975. description: Specify the Kind of the generator resource
  976. enum:
  977. - ACRAccessToken
  978. - ClusterGenerator
  979. - ECRAuthorizationToken
  980. - Fake
  981. - GCRAccessToken
  982. - GithubAccessToken
  983. - QuayAccessToken
  984. - Password
  985. - SSHKey
  986. - STSAssumeRoleToken
  987. - STSSessionToken
  988. - UUID
  989. - VaultDynamicSecret
  990. - Webhook
  991. - Grafana
  992. type: string
  993. name:
  994. description: Specify the name of the generator resource
  995. maxLength: 253
  996. minLength: 1
  997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  998. type: string
  999. required:
  1000. - kind
  1001. - name
  1002. type: object
  1003. storeRef:
  1004. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1005. properties:
  1006. kind:
  1007. description: |-
  1008. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1009. Defaults to `SecretStore`
  1010. enum:
  1011. - SecretStore
  1012. - ClusterSecretStore
  1013. type: string
  1014. name:
  1015. description: Name of the SecretStore resource
  1016. maxLength: 253
  1017. minLength: 1
  1018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1019. type: string
  1020. type: object
  1021. type: object
  1022. required:
  1023. - remoteRef
  1024. - secretKey
  1025. type: object
  1026. type: array
  1027. dataFrom:
  1028. description: |-
  1029. DataFrom is used to fetch all properties from a specific Provider data
  1030. If multiple entries are specified, the Secret keys are merged in the specified order
  1031. items:
  1032. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1033. properties:
  1034. extract:
  1035. description: |-
  1036. Used to extract multiple key/value pairs from one secret
  1037. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1038. properties:
  1039. conversionStrategy:
  1040. default: Default
  1041. description: Used to define a conversion Strategy
  1042. enum:
  1043. - Default
  1044. - Unicode
  1045. type: string
  1046. decodingStrategy:
  1047. default: None
  1048. description: Used to define a decoding Strategy
  1049. enum:
  1050. - Auto
  1051. - Base64
  1052. - Base64URL
  1053. - None
  1054. type: string
  1055. key:
  1056. description: Key is the key used in the Provider, mandatory
  1057. type: string
  1058. metadataPolicy:
  1059. default: None
  1060. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1061. enum:
  1062. - None
  1063. - Fetch
  1064. type: string
  1065. property:
  1066. description: Used to select a specific property of the Provider value (if a map), if supported
  1067. type: string
  1068. version:
  1069. description: Used to select a specific version of the Provider value, if supported
  1070. type: string
  1071. required:
  1072. - key
  1073. type: object
  1074. find:
  1075. description: |-
  1076. Used to find secrets based on tags or regular expressions
  1077. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1078. properties:
  1079. conversionStrategy:
  1080. default: Default
  1081. description: Used to define a conversion Strategy
  1082. enum:
  1083. - Default
  1084. - Unicode
  1085. type: string
  1086. decodingStrategy:
  1087. default: None
  1088. description: Used to define a decoding Strategy
  1089. enum:
  1090. - Auto
  1091. - Base64
  1092. - Base64URL
  1093. - None
  1094. type: string
  1095. name:
  1096. description: Finds secrets based on the name.
  1097. properties:
  1098. regexp:
  1099. description: Finds secrets base
  1100. type: string
  1101. type: object
  1102. path:
  1103. description: A root path to start the find operations.
  1104. type: string
  1105. tags:
  1106. additionalProperties:
  1107. type: string
  1108. description: Find secrets based on tags.
  1109. type: object
  1110. type: object
  1111. rewrite:
  1112. description: |-
  1113. Used to rewrite secret Keys after getting them from the secret Provider
  1114. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1115. items:
  1116. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1117. maxProperties: 1
  1118. minProperties: 1
  1119. properties:
  1120. regexp:
  1121. description: |-
  1122. Used to rewrite with regular expressions.
  1123. The resulting key will be the output of a regexp.ReplaceAll operation.
  1124. properties:
  1125. source:
  1126. description: Used to define the regular expression of a re.Compiler.
  1127. type: string
  1128. target:
  1129. description: Used to define the target pattern of a ReplaceAll operation.
  1130. type: string
  1131. required:
  1132. - source
  1133. - target
  1134. type: object
  1135. transform:
  1136. description: |-
  1137. Used to apply string transformation on the secrets.
  1138. The resulting key will be the output of the template applied by the operation.
  1139. properties:
  1140. template:
  1141. description: |-
  1142. Used to define the template to apply on the secret name.
  1143. `.value ` will specify the secret name in the template.
  1144. type: string
  1145. required:
  1146. - template
  1147. type: object
  1148. type: object
  1149. type: array
  1150. sourceRef:
  1151. description: |-
  1152. SourceRef points to a store or generator
  1153. which contains secret values ready to use.
  1154. Use this in combination with Extract or Find pull values out of
  1155. a specific SecretStore.
  1156. When sourceRef points to a generator Extract or Find is not supported.
  1157. The generator returns a static map of values
  1158. maxProperties: 1
  1159. minProperties: 1
  1160. properties:
  1161. generatorRef:
  1162. description: GeneratorRef points to a generator custom resource.
  1163. properties:
  1164. apiVersion:
  1165. default: generators.external-secrets.io/v1alpha1
  1166. description: Specify the apiVersion of the generator resource
  1167. type: string
  1168. kind:
  1169. description: Specify the Kind of the generator resource
  1170. enum:
  1171. - ACRAccessToken
  1172. - ClusterGenerator
  1173. - ECRAuthorizationToken
  1174. - Fake
  1175. - GCRAccessToken
  1176. - GithubAccessToken
  1177. - QuayAccessToken
  1178. - Password
  1179. - SSHKey
  1180. - STSAssumeRoleToken
  1181. - STSSessionToken
  1182. - UUID
  1183. - VaultDynamicSecret
  1184. - Webhook
  1185. - Grafana
  1186. type: string
  1187. name:
  1188. description: Specify the name of the generator resource
  1189. maxLength: 253
  1190. minLength: 1
  1191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1192. type: string
  1193. required:
  1194. - kind
  1195. - name
  1196. type: object
  1197. storeRef:
  1198. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1199. properties:
  1200. kind:
  1201. description: |-
  1202. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1203. Defaults to `SecretStore`
  1204. enum:
  1205. - SecretStore
  1206. - ClusterSecretStore
  1207. type: string
  1208. name:
  1209. description: Name of the SecretStore resource
  1210. maxLength: 253
  1211. minLength: 1
  1212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1213. type: string
  1214. type: object
  1215. type: object
  1216. type: object
  1217. type: array
  1218. refreshInterval:
  1219. default: 1h0m0s
  1220. description: |-
  1221. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1222. specified as Golang Duration strings.
  1223. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1224. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1225. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1226. type: string
  1227. refreshPolicy:
  1228. description: |-
  1229. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1230. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1231. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1232. No periodic updates occur if refreshInterval is 0.
  1233. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1234. enum:
  1235. - CreatedOnce
  1236. - Periodic
  1237. - OnChange
  1238. type: string
  1239. secretStoreRef:
  1240. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1241. properties:
  1242. kind:
  1243. description: |-
  1244. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1245. Defaults to `SecretStore`
  1246. enum:
  1247. - SecretStore
  1248. - ClusterSecretStore
  1249. type: string
  1250. name:
  1251. description: Name of the SecretStore resource
  1252. maxLength: 253
  1253. minLength: 1
  1254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1255. type: string
  1256. type: object
  1257. target:
  1258. default:
  1259. creationPolicy: Owner
  1260. deletionPolicy: Retain
  1261. description: |-
  1262. ExternalSecretTarget defines the Kubernetes Secret to be created
  1263. There can be only one target per ExternalSecret.
  1264. properties:
  1265. creationPolicy:
  1266. default: Owner
  1267. description: |-
  1268. CreationPolicy defines rules on how to create the resulting Secret.
  1269. Defaults to "Owner"
  1270. enum:
  1271. - Owner
  1272. - Orphan
  1273. - Merge
  1274. - None
  1275. type: string
  1276. deletionPolicy:
  1277. default: Retain
  1278. description: |-
  1279. DeletionPolicy defines rules on how to delete the resulting Secret.
  1280. Defaults to "Retain"
  1281. enum:
  1282. - Delete
  1283. - Merge
  1284. - Retain
  1285. type: string
  1286. immutable:
  1287. description: Immutable defines if the final secret will be immutable
  1288. type: boolean
  1289. name:
  1290. description: |-
  1291. The name of the Secret resource to be managed.
  1292. Defaults to the .metadata.name of the ExternalSecret resource
  1293. maxLength: 253
  1294. minLength: 1
  1295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1296. type: string
  1297. template:
  1298. description: Template defines a blueprint for the created Secret resource.
  1299. properties:
  1300. data:
  1301. additionalProperties:
  1302. type: string
  1303. type: object
  1304. engineVersion:
  1305. default: v2
  1306. description: |-
  1307. EngineVersion specifies the template engine version
  1308. that should be used to compile/execute the
  1309. template specified in .data and .templateFrom[].
  1310. enum:
  1311. - v2
  1312. type: string
  1313. mergePolicy:
  1314. default: Replace
  1315. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1316. enum:
  1317. - Replace
  1318. - Merge
  1319. type: string
  1320. metadata:
  1321. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1322. properties:
  1323. annotations:
  1324. additionalProperties:
  1325. type: string
  1326. type: object
  1327. labels:
  1328. additionalProperties:
  1329. type: string
  1330. type: object
  1331. type: object
  1332. templateFrom:
  1333. items:
  1334. description: TemplateFrom defines a source for template data.
  1335. properties:
  1336. configMap:
  1337. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1338. properties:
  1339. items:
  1340. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1341. items:
  1342. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1343. properties:
  1344. key:
  1345. description: A key in the ConfigMap/Secret
  1346. maxLength: 253
  1347. minLength: 1
  1348. pattern: ^[-._a-zA-Z0-9]+$
  1349. type: string
  1350. templateAs:
  1351. default: Values
  1352. description: TemplateScope defines the scope of the template when processing template data.
  1353. enum:
  1354. - Values
  1355. - KeysAndValues
  1356. type: string
  1357. required:
  1358. - key
  1359. type: object
  1360. type: array
  1361. name:
  1362. description: The name of the ConfigMap/Secret resource
  1363. maxLength: 253
  1364. minLength: 1
  1365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1366. type: string
  1367. required:
  1368. - items
  1369. - name
  1370. type: object
  1371. literal:
  1372. type: string
  1373. secret:
  1374. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1375. properties:
  1376. items:
  1377. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1378. items:
  1379. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1380. properties:
  1381. key:
  1382. description: A key in the ConfigMap/Secret
  1383. maxLength: 253
  1384. minLength: 1
  1385. pattern: ^[-._a-zA-Z0-9]+$
  1386. type: string
  1387. templateAs:
  1388. default: Values
  1389. description: TemplateScope defines the scope of the template when processing template data.
  1390. enum:
  1391. - Values
  1392. - KeysAndValues
  1393. type: string
  1394. required:
  1395. - key
  1396. type: object
  1397. type: array
  1398. name:
  1399. description: The name of the ConfigMap/Secret resource
  1400. maxLength: 253
  1401. minLength: 1
  1402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1403. type: string
  1404. required:
  1405. - items
  1406. - name
  1407. type: object
  1408. target:
  1409. default: Data
  1410. description: TemplateTarget defines the target field where the template result will be stored.
  1411. enum:
  1412. - Data
  1413. - Annotations
  1414. - Labels
  1415. type: string
  1416. type: object
  1417. type: array
  1418. type:
  1419. type: string
  1420. type: object
  1421. type: object
  1422. type: object
  1423. namespaceSelector:
  1424. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1425. properties:
  1426. matchExpressions:
  1427. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1428. items:
  1429. description: |-
  1430. A label selector requirement is a selector that contains values, a key, and an operator that
  1431. relates the key and values.
  1432. properties:
  1433. key:
  1434. description: key is the label key that the selector applies to.
  1435. type: string
  1436. operator:
  1437. description: |-
  1438. operator represents a key's relationship to a set of values.
  1439. Valid operators are In, NotIn, Exists and DoesNotExist.
  1440. type: string
  1441. values:
  1442. description: |-
  1443. values is an array of string values. If the operator is In or NotIn,
  1444. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1445. the values array must be empty. This array is replaced during a strategic
  1446. merge patch.
  1447. items:
  1448. type: string
  1449. type: array
  1450. x-kubernetes-list-type: atomic
  1451. required:
  1452. - key
  1453. - operator
  1454. type: object
  1455. type: array
  1456. x-kubernetes-list-type: atomic
  1457. matchLabels:
  1458. additionalProperties:
  1459. type: string
  1460. description: |-
  1461. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1462. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1463. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1464. type: object
  1465. type: object
  1466. x-kubernetes-map-type: atomic
  1467. namespaceSelectors:
  1468. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1469. items:
  1470. description: |-
  1471. A label selector is a label query over a set of resources. The result of matchLabels and
  1472. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1473. label selector matches no objects.
  1474. properties:
  1475. matchExpressions:
  1476. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1477. items:
  1478. description: |-
  1479. A label selector requirement is a selector that contains values, a key, and an operator that
  1480. relates the key and values.
  1481. properties:
  1482. key:
  1483. description: key is the label key that the selector applies to.
  1484. type: string
  1485. operator:
  1486. description: |-
  1487. operator represents a key's relationship to a set of values.
  1488. Valid operators are In, NotIn, Exists and DoesNotExist.
  1489. type: string
  1490. values:
  1491. description: |-
  1492. values is an array of string values. If the operator is In or NotIn,
  1493. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1494. the values array must be empty. This array is replaced during a strategic
  1495. merge patch.
  1496. items:
  1497. type: string
  1498. type: array
  1499. x-kubernetes-list-type: atomic
  1500. required:
  1501. - key
  1502. - operator
  1503. type: object
  1504. type: array
  1505. x-kubernetes-list-type: atomic
  1506. matchLabels:
  1507. additionalProperties:
  1508. type: string
  1509. description: |-
  1510. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1511. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1512. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1513. type: object
  1514. type: object
  1515. x-kubernetes-map-type: atomic
  1516. type: array
  1517. namespaces:
  1518. description: |-
  1519. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1520. Deprecated: Use NamespaceSelectors instead.
  1521. items:
  1522. maxLength: 63
  1523. minLength: 1
  1524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1525. type: string
  1526. type: array
  1527. refreshTime:
  1528. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1529. type: string
  1530. required:
  1531. - externalSecretSpec
  1532. type: object
  1533. status:
  1534. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1535. properties:
  1536. conditions:
  1537. items:
  1538. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1539. properties:
  1540. message:
  1541. type: string
  1542. status:
  1543. type: string
  1544. type:
  1545. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1546. type: string
  1547. required:
  1548. - status
  1549. - type
  1550. type: object
  1551. type: array
  1552. externalSecretName:
  1553. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1554. type: string
  1555. failedNamespaces:
  1556. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1557. items:
  1558. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1559. properties:
  1560. namespace:
  1561. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1562. type: string
  1563. reason:
  1564. description: Reason is why the ExternalSecret failed to apply to the namespace
  1565. type: string
  1566. required:
  1567. - namespace
  1568. type: object
  1569. type: array
  1570. provisionedNamespaces:
  1571. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1572. items:
  1573. type: string
  1574. type: array
  1575. type: object
  1576. type: object
  1577. served: false
  1578. storage: false
  1579. subresources:
  1580. status: {}
  1581. ---
  1582. apiVersion: apiextensions.k8s.io/v1
  1583. kind: CustomResourceDefinition
  1584. metadata:
  1585. annotations:
  1586. controller-gen.kubebuilder.io/version: v0.19.0
  1587. labels:
  1588. external-secrets.io/component: controller
  1589. name: clusterpushsecrets.external-secrets.io
  1590. spec:
  1591. group: external-secrets.io
  1592. names:
  1593. categories:
  1594. - external-secrets
  1595. kind: ClusterPushSecret
  1596. listKind: ClusterPushSecretList
  1597. plural: clusterpushsecrets
  1598. singular: clusterpushsecret
  1599. scope: Cluster
  1600. versions:
  1601. - additionalPrinterColumns:
  1602. - jsonPath: .metadata.creationTimestamp
  1603. name: AGE
  1604. type: date
  1605. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1606. name: Status
  1607. type: string
  1608. name: v1alpha1
  1609. schema:
  1610. openAPIV3Schema:
  1611. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1612. properties:
  1613. apiVersion:
  1614. description: |-
  1615. APIVersion defines the versioned schema of this representation of an object.
  1616. Servers should convert recognized schemas to the latest internal value, and
  1617. may reject unrecognized values.
  1618. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1619. type: string
  1620. kind:
  1621. description: |-
  1622. Kind is a string value representing the REST resource this object represents.
  1623. Servers may infer this from the endpoint the client submits requests to.
  1624. Cannot be updated.
  1625. In CamelCase.
  1626. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1627. type: string
  1628. metadata:
  1629. type: object
  1630. spec:
  1631. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1632. properties:
  1633. namespaceSelectors:
  1634. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1635. items:
  1636. description: |-
  1637. A label selector is a label query over a set of resources. The result of matchLabels and
  1638. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1639. label selector matches no objects.
  1640. properties:
  1641. matchExpressions:
  1642. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1643. items:
  1644. description: |-
  1645. A label selector requirement is a selector that contains values, a key, and an operator that
  1646. relates the key and values.
  1647. properties:
  1648. key:
  1649. description: key is the label key that the selector applies to.
  1650. type: string
  1651. operator:
  1652. description: |-
  1653. operator represents a key's relationship to a set of values.
  1654. Valid operators are In, NotIn, Exists and DoesNotExist.
  1655. type: string
  1656. values:
  1657. description: |-
  1658. values is an array of string values. If the operator is In or NotIn,
  1659. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1660. the values array must be empty. This array is replaced during a strategic
  1661. merge patch.
  1662. items:
  1663. type: string
  1664. type: array
  1665. x-kubernetes-list-type: atomic
  1666. required:
  1667. - key
  1668. - operator
  1669. type: object
  1670. type: array
  1671. x-kubernetes-list-type: atomic
  1672. matchLabels:
  1673. additionalProperties:
  1674. type: string
  1675. description: |-
  1676. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1677. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1678. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1679. type: object
  1680. type: object
  1681. x-kubernetes-map-type: atomic
  1682. type: array
  1683. pushSecretMetadata:
  1684. description: The metadata of the external secrets to be created
  1685. properties:
  1686. annotations:
  1687. additionalProperties:
  1688. type: string
  1689. type: object
  1690. labels:
  1691. additionalProperties:
  1692. type: string
  1693. type: object
  1694. type: object
  1695. pushSecretName:
  1696. description: |-
  1697. The name of the push secrets to be created.
  1698. Defaults to the name of the ClusterPushSecret
  1699. maxLength: 253
  1700. minLength: 1
  1701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1702. type: string
  1703. pushSecretSpec:
  1704. description: PushSecretSpec defines what to do with the secrets.
  1705. properties:
  1706. data:
  1707. description: Secret Data that should be pushed to providers
  1708. items:
  1709. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1710. properties:
  1711. conversionStrategy:
  1712. default: None
  1713. description: Used to define a conversion Strategy for the secret keys
  1714. enum:
  1715. - None
  1716. - ReverseUnicode
  1717. type: string
  1718. match:
  1719. description: Match a given Secret Key to be pushed to the provider.
  1720. properties:
  1721. remoteRef:
  1722. description: Remote Refs to push to providers.
  1723. properties:
  1724. property:
  1725. description: Name of the property in the resulting secret
  1726. type: string
  1727. remoteKey:
  1728. description: Name of the resulting provider secret.
  1729. type: string
  1730. required:
  1731. - remoteKey
  1732. type: object
  1733. secretKey:
  1734. description: Secret Key to be pushed
  1735. type: string
  1736. required:
  1737. - remoteRef
  1738. type: object
  1739. metadata:
  1740. description: |-
  1741. Metadata is metadata attached to the secret.
  1742. The structure of metadata is provider specific, please look it up in the provider documentation.
  1743. x-kubernetes-preserve-unknown-fields: true
  1744. required:
  1745. - match
  1746. type: object
  1747. type: array
  1748. dataTo:
  1749. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1750. items:
  1751. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1752. properties:
  1753. conversionStrategy:
  1754. default: None
  1755. description: Used to define a conversion Strategy for the secret keys
  1756. enum:
  1757. - None
  1758. - ReverseUnicode
  1759. type: string
  1760. match:
  1761. description: |-
  1762. Match pattern for selecting keys from the source Secret.
  1763. If not specified, all keys are selected.
  1764. properties:
  1765. regexp:
  1766. description: |-
  1767. Regexp matches keys by regular expression.
  1768. If not specified, all keys are matched.
  1769. type: string
  1770. type: object
  1771. metadata:
  1772. description: |-
  1773. Metadata is metadata attached to the secret.
  1774. The structure of metadata is provider specific, please look it up in the provider documentation.
  1775. x-kubernetes-preserve-unknown-fields: true
  1776. remoteKey:
  1777. description: |-
  1778. RemoteKey is the name of the single provider secret that will receive ALL
  1779. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1780. When set, per-key expansion is skipped and a single push is performed.
  1781. The provider's store prefix (if any) is still prepended to this value.
  1782. When not set, each matched key is pushed as its own individual provider secret.
  1783. type: string
  1784. rewrite:
  1785. description: |-
  1786. Rewrite operations to transform keys before pushing to the provider.
  1787. Operations are applied sequentially.
  1788. items:
  1789. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1790. properties:
  1791. regexp:
  1792. description: Used to rewrite with regular expressions.
  1793. properties:
  1794. source:
  1795. description: Used to define the regular expression of a re.Compiler.
  1796. type: string
  1797. target:
  1798. description: Used to define the target pattern of a ReplaceAll operation.
  1799. type: string
  1800. required:
  1801. - source
  1802. - target
  1803. type: object
  1804. transform:
  1805. description: Used to apply string transformation on the secrets.
  1806. properties:
  1807. template:
  1808. description: |-
  1809. Used to define the template to apply on the secret name.
  1810. `.value ` will specify the secret name in the template.
  1811. type: string
  1812. required:
  1813. - template
  1814. type: object
  1815. type: object
  1816. x-kubernetes-validations:
  1817. - message: exactly one of regexp or transform must be set
  1818. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1819. type: array
  1820. storeRef:
  1821. description: StoreRef specifies which SecretStore to push to. Required.
  1822. properties:
  1823. kind:
  1824. default: SecretStore
  1825. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1826. enum:
  1827. - SecretStore
  1828. - ClusterSecretStore
  1829. type: string
  1830. labelSelector:
  1831. description: Optionally, sync to secret stores with label selector
  1832. properties:
  1833. matchExpressions:
  1834. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1835. items:
  1836. description: |-
  1837. A label selector requirement is a selector that contains values, a key, and an operator that
  1838. relates the key and values.
  1839. properties:
  1840. key:
  1841. description: key is the label key that the selector applies to.
  1842. type: string
  1843. operator:
  1844. description: |-
  1845. operator represents a key's relationship to a set of values.
  1846. Valid operators are In, NotIn, Exists and DoesNotExist.
  1847. type: string
  1848. values:
  1849. description: |-
  1850. values is an array of string values. If the operator is In or NotIn,
  1851. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1852. the values array must be empty. This array is replaced during a strategic
  1853. merge patch.
  1854. items:
  1855. type: string
  1856. type: array
  1857. x-kubernetes-list-type: atomic
  1858. required:
  1859. - key
  1860. - operator
  1861. type: object
  1862. type: array
  1863. x-kubernetes-list-type: atomic
  1864. matchLabels:
  1865. additionalProperties:
  1866. type: string
  1867. description: |-
  1868. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1869. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1870. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1871. type: object
  1872. type: object
  1873. x-kubernetes-map-type: atomic
  1874. name:
  1875. description: Optionally, sync to the SecretStore of the given name
  1876. maxLength: 253
  1877. minLength: 1
  1878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1879. type: string
  1880. type: object
  1881. type: object
  1882. x-kubernetes-validations:
  1883. - message: storeRef must specify either name or labelSelector
  1884. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1885. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1886. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1887. type: array
  1888. deletionPolicy:
  1889. default: None
  1890. description: Deletion Policy to handle Secrets in the provider.
  1891. enum:
  1892. - Delete
  1893. - None
  1894. type: string
  1895. refreshInterval:
  1896. default: 1h0m0s
  1897. description: The Interval to which External Secrets will try to push a secret definition
  1898. type: string
  1899. secretStoreRefs:
  1900. items:
  1901. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1902. properties:
  1903. kind:
  1904. default: SecretStore
  1905. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1906. enum:
  1907. - SecretStore
  1908. - ClusterSecretStore
  1909. type: string
  1910. labelSelector:
  1911. description: Optionally, sync to secret stores with label selector
  1912. properties:
  1913. matchExpressions:
  1914. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1915. items:
  1916. description: |-
  1917. A label selector requirement is a selector that contains values, a key, and an operator that
  1918. relates the key and values.
  1919. properties:
  1920. key:
  1921. description: key is the label key that the selector applies to.
  1922. type: string
  1923. operator:
  1924. description: |-
  1925. operator represents a key's relationship to a set of values.
  1926. Valid operators are In, NotIn, Exists and DoesNotExist.
  1927. type: string
  1928. values:
  1929. description: |-
  1930. values is an array of string values. If the operator is In or NotIn,
  1931. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1932. the values array must be empty. This array is replaced during a strategic
  1933. merge patch.
  1934. items:
  1935. type: string
  1936. type: array
  1937. x-kubernetes-list-type: atomic
  1938. required:
  1939. - key
  1940. - operator
  1941. type: object
  1942. type: array
  1943. x-kubernetes-list-type: atomic
  1944. matchLabels:
  1945. additionalProperties:
  1946. type: string
  1947. description: |-
  1948. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1949. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1950. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1951. type: object
  1952. type: object
  1953. x-kubernetes-map-type: atomic
  1954. name:
  1955. description: Optionally, sync to the SecretStore of the given name
  1956. maxLength: 253
  1957. minLength: 1
  1958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1959. type: string
  1960. type: object
  1961. type: array
  1962. selector:
  1963. description: The Secret Selector (k8s source) for the Push Secret
  1964. maxProperties: 1
  1965. minProperties: 1
  1966. properties:
  1967. generatorRef:
  1968. description: Point to a generator to create a Secret.
  1969. properties:
  1970. apiVersion:
  1971. default: generators.external-secrets.io/v1alpha1
  1972. description: Specify the apiVersion of the generator resource
  1973. type: string
  1974. kind:
  1975. description: Specify the Kind of the generator resource
  1976. enum:
  1977. - ACRAccessToken
  1978. - ClusterGenerator
  1979. - CloudsmithAccessToken
  1980. - ECRAuthorizationToken
  1981. - Fake
  1982. - GCRAccessToken
  1983. - GithubAccessToken
  1984. - QuayAccessToken
  1985. - Password
  1986. - SSHKey
  1987. - STSAssumeRoleToken
  1988. - STSSessionToken
  1989. - UUID
  1990. - VaultDynamicSecret
  1991. - Webhook
  1992. - Grafana
  1993. - MFA
  1994. type: string
  1995. name:
  1996. description: Specify the name of the generator resource
  1997. maxLength: 253
  1998. minLength: 1
  1999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2000. type: string
  2001. required:
  2002. - kind
  2003. - name
  2004. type: object
  2005. secret:
  2006. description: Select a Secret to Push.
  2007. properties:
  2008. name:
  2009. description: |-
  2010. Name of the Secret.
  2011. The Secret must exist in the same namespace as the PushSecret manifest.
  2012. maxLength: 253
  2013. minLength: 1
  2014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2015. type: string
  2016. selector:
  2017. description: Selector chooses secrets using a labelSelector.
  2018. properties:
  2019. matchExpressions:
  2020. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2021. items:
  2022. description: |-
  2023. A label selector requirement is a selector that contains values, a key, and an operator that
  2024. relates the key and values.
  2025. properties:
  2026. key:
  2027. description: key is the label key that the selector applies to.
  2028. type: string
  2029. operator:
  2030. description: |-
  2031. operator represents a key's relationship to a set of values.
  2032. Valid operators are In, NotIn, Exists and DoesNotExist.
  2033. type: string
  2034. values:
  2035. description: |-
  2036. values is an array of string values. If the operator is In or NotIn,
  2037. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2038. the values array must be empty. This array is replaced during a strategic
  2039. merge patch.
  2040. items:
  2041. type: string
  2042. type: array
  2043. x-kubernetes-list-type: atomic
  2044. required:
  2045. - key
  2046. - operator
  2047. type: object
  2048. type: array
  2049. x-kubernetes-list-type: atomic
  2050. matchLabels:
  2051. additionalProperties:
  2052. type: string
  2053. description: |-
  2054. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2055. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2056. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2057. type: object
  2058. type: object
  2059. x-kubernetes-map-type: atomic
  2060. type: object
  2061. type: object
  2062. template:
  2063. description: Template defines a blueprint for the created Secret resource.
  2064. properties:
  2065. data:
  2066. additionalProperties:
  2067. type: string
  2068. type: object
  2069. engineVersion:
  2070. default: v2
  2071. description: |-
  2072. EngineVersion specifies the template engine version
  2073. that should be used to compile/execute the
  2074. template specified in .data and .templateFrom[].
  2075. enum:
  2076. - v2
  2077. type: string
  2078. mergePolicy:
  2079. default: Replace
  2080. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2081. enum:
  2082. - Replace
  2083. - Merge
  2084. type: string
  2085. metadata:
  2086. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2087. properties:
  2088. annotations:
  2089. additionalProperties:
  2090. type: string
  2091. type: object
  2092. finalizers:
  2093. items:
  2094. type: string
  2095. type: array
  2096. labels:
  2097. additionalProperties:
  2098. type: string
  2099. type: object
  2100. type: object
  2101. templateFrom:
  2102. items:
  2103. description: |-
  2104. TemplateFrom specifies a source for templates.
  2105. Each item in the list can either reference a ConfigMap or a Secret resource.
  2106. properties:
  2107. configMap:
  2108. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2109. properties:
  2110. items:
  2111. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2112. items:
  2113. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2114. properties:
  2115. key:
  2116. description: A key in the ConfigMap/Secret
  2117. maxLength: 253
  2118. minLength: 1
  2119. pattern: ^[-._a-zA-Z0-9]+$
  2120. type: string
  2121. templateAs:
  2122. default: Values
  2123. description: TemplateScope specifies how the template keys should be interpreted.
  2124. enum:
  2125. - Values
  2126. - KeysAndValues
  2127. type: string
  2128. required:
  2129. - key
  2130. type: object
  2131. type: array
  2132. name:
  2133. description: The name of the ConfigMap/Secret resource
  2134. maxLength: 253
  2135. minLength: 1
  2136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2137. type: string
  2138. required:
  2139. - items
  2140. - name
  2141. type: object
  2142. literal:
  2143. type: string
  2144. secret:
  2145. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2146. properties:
  2147. items:
  2148. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2149. items:
  2150. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2151. properties:
  2152. key:
  2153. description: A key in the ConfigMap/Secret
  2154. maxLength: 253
  2155. minLength: 1
  2156. pattern: ^[-._a-zA-Z0-9]+$
  2157. type: string
  2158. templateAs:
  2159. default: Values
  2160. description: TemplateScope specifies how the template keys should be interpreted.
  2161. enum:
  2162. - Values
  2163. - KeysAndValues
  2164. type: string
  2165. required:
  2166. - key
  2167. type: object
  2168. type: array
  2169. name:
  2170. description: The name of the ConfigMap/Secret resource
  2171. maxLength: 253
  2172. minLength: 1
  2173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2174. type: string
  2175. required:
  2176. - items
  2177. - name
  2178. type: object
  2179. target:
  2180. default: Data
  2181. description: |-
  2182. Target specifies where to place the template result.
  2183. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2184. For custom resources (when spec.target.manifest is set), this supports
  2185. nested paths like "spec.database.config" or "data".
  2186. type: string
  2187. type: object
  2188. type: array
  2189. type:
  2190. type: string
  2191. type: object
  2192. updatePolicy:
  2193. default: Replace
  2194. description: UpdatePolicy to handle Secrets in the provider.
  2195. enum:
  2196. - Replace
  2197. - IfNotExists
  2198. type: string
  2199. required:
  2200. - secretStoreRefs
  2201. - selector
  2202. type: object
  2203. refreshTime:
  2204. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2205. type: string
  2206. required:
  2207. - pushSecretSpec
  2208. type: object
  2209. status:
  2210. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2211. properties:
  2212. conditions:
  2213. items:
  2214. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2215. properties:
  2216. lastTransitionTime:
  2217. format: date-time
  2218. type: string
  2219. message:
  2220. type: string
  2221. reason:
  2222. type: string
  2223. status:
  2224. type: string
  2225. type:
  2226. description: PushSecretConditionType indicates the condition of the PushSecret.
  2227. type: string
  2228. required:
  2229. - status
  2230. - type
  2231. type: object
  2232. type: array
  2233. failedNamespaces:
  2234. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  2235. items:
  2236. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  2237. properties:
  2238. namespace:
  2239. description: Namespace is the namespace that failed when trying to apply an PushSecret
  2240. type: string
  2241. reason:
  2242. description: Reason is why the PushSecret failed to apply to the namespace
  2243. type: string
  2244. required:
  2245. - namespace
  2246. type: object
  2247. type: array
  2248. provisionedNamespaces:
  2249. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2250. items:
  2251. type: string
  2252. type: array
  2253. pushSecretName:
  2254. type: string
  2255. type: object
  2256. type: object
  2257. served: true
  2258. storage: true
  2259. subresources:
  2260. status: {}
  2261. ---
  2262. apiVersion: apiextensions.k8s.io/v1
  2263. kind: CustomResourceDefinition
  2264. metadata:
  2265. annotations:
  2266. controller-gen.kubebuilder.io/version: v0.19.0
  2267. labels:
  2268. external-secrets.io/component: controller
  2269. name: clustersecretstores.external-secrets.io
  2270. spec:
  2271. group: external-secrets.io
  2272. names:
  2273. categories:
  2274. - external-secrets
  2275. kind: ClusterSecretStore
  2276. listKind: ClusterSecretStoreList
  2277. plural: clustersecretstores
  2278. shortNames:
  2279. - css
  2280. singular: clustersecretstore
  2281. scope: Cluster
  2282. versions:
  2283. - additionalPrinterColumns:
  2284. - jsonPath: .metadata.creationTimestamp
  2285. name: AGE
  2286. type: date
  2287. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2288. name: Status
  2289. type: string
  2290. - jsonPath: .status.capabilities
  2291. name: Capabilities
  2292. type: string
  2293. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2294. name: Ready
  2295. type: string
  2296. name: v1
  2297. schema:
  2298. openAPIV3Schema:
  2299. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2300. properties:
  2301. apiVersion:
  2302. description: |-
  2303. APIVersion defines the versioned schema of this representation of an object.
  2304. Servers should convert recognized schemas to the latest internal value, and
  2305. may reject unrecognized values.
  2306. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2307. type: string
  2308. kind:
  2309. description: |-
  2310. Kind is a string value representing the REST resource this object represents.
  2311. Servers may infer this from the endpoint the client submits requests to.
  2312. Cannot be updated.
  2313. In CamelCase.
  2314. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2315. type: string
  2316. metadata:
  2317. type: object
  2318. spec:
  2319. description: SecretStoreSpec defines the desired state of SecretStore.
  2320. properties:
  2321. conditions:
  2322. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2323. items:
  2324. description: |-
  2325. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2326. for a ClusterSecretStore instance.
  2327. properties:
  2328. namespaceRegexes:
  2329. description: Choose namespaces by using regex matching
  2330. items:
  2331. type: string
  2332. type: array
  2333. namespaceSelector:
  2334. description: Choose namespace using a labelSelector
  2335. properties:
  2336. matchExpressions:
  2337. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2338. items:
  2339. description: |-
  2340. A label selector requirement is a selector that contains values, a key, and an operator that
  2341. relates the key and values.
  2342. properties:
  2343. key:
  2344. description: key is the label key that the selector applies to.
  2345. type: string
  2346. operator:
  2347. description: |-
  2348. operator represents a key's relationship to a set of values.
  2349. Valid operators are In, NotIn, Exists and DoesNotExist.
  2350. type: string
  2351. values:
  2352. description: |-
  2353. values is an array of string values. If the operator is In or NotIn,
  2354. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2355. the values array must be empty. This array is replaced during a strategic
  2356. merge patch.
  2357. items:
  2358. type: string
  2359. type: array
  2360. x-kubernetes-list-type: atomic
  2361. required:
  2362. - key
  2363. - operator
  2364. type: object
  2365. type: array
  2366. x-kubernetes-list-type: atomic
  2367. matchLabels:
  2368. additionalProperties:
  2369. type: string
  2370. description: |-
  2371. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2372. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2373. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2374. type: object
  2375. type: object
  2376. x-kubernetes-map-type: atomic
  2377. namespaces:
  2378. description: Choose namespaces by name
  2379. items:
  2380. maxLength: 63
  2381. minLength: 1
  2382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2383. type: string
  2384. type: array
  2385. type: object
  2386. type: array
  2387. controller:
  2388. description: |-
  2389. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2390. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2391. type: string
  2392. provider:
  2393. description: Used to configure the provider. Only one provider may be set
  2394. maxProperties: 1
  2395. minProperties: 1
  2396. properties:
  2397. akeyless:
  2398. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2399. properties:
  2400. akeylessGWApiURL:
  2401. description: Akeyless GW API Url from which the secrets to be fetched from.
  2402. type: string
  2403. authSecretRef:
  2404. description: Auth configures how the operator authenticates with Akeyless.
  2405. properties:
  2406. kubernetesAuth:
  2407. description: |-
  2408. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2409. token stored in the named Secret resource.
  2410. properties:
  2411. accessID:
  2412. description: the Akeyless Kubernetes auth-method access-id
  2413. type: string
  2414. k8sConfName:
  2415. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2416. type: string
  2417. secretRef:
  2418. description: |-
  2419. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2420. for authenticating with Akeyless. If a name is specified without a key,
  2421. `token` is the default. If one is not specified, the one bound to
  2422. the controller will be used.
  2423. properties:
  2424. key:
  2425. description: |-
  2426. A key in the referenced Secret.
  2427. Some instances of this field may be defaulted, in others it may be required.
  2428. maxLength: 253
  2429. minLength: 1
  2430. pattern: ^[-._a-zA-Z0-9]+$
  2431. type: string
  2432. name:
  2433. description: The name of the Secret resource being referred to.
  2434. maxLength: 253
  2435. minLength: 1
  2436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2437. type: string
  2438. namespace:
  2439. description: |-
  2440. The namespace of the Secret resource being referred to.
  2441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2442. maxLength: 63
  2443. minLength: 1
  2444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2445. type: string
  2446. type: object
  2447. serviceAccountRef:
  2448. description: |-
  2449. Optional service account field containing the name of a kubernetes ServiceAccount.
  2450. If the service account is specified, the service account secret token JWT will be used
  2451. for authenticating with Akeyless. If the service account selector is not supplied,
  2452. the secretRef will be used instead.
  2453. properties:
  2454. audiences:
  2455. description: |-
  2456. Audience specifies the `aud` claim for the service account token
  2457. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2458. then this audiences will be appended to the list
  2459. items:
  2460. type: string
  2461. type: array
  2462. name:
  2463. description: The name of the ServiceAccount resource being referred to.
  2464. maxLength: 253
  2465. minLength: 1
  2466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2467. type: string
  2468. namespace:
  2469. description: |-
  2470. Namespace of the resource being referred to.
  2471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2472. maxLength: 63
  2473. minLength: 1
  2474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2475. type: string
  2476. required:
  2477. - name
  2478. type: object
  2479. required:
  2480. - accessID
  2481. - k8sConfName
  2482. type: object
  2483. secretRef:
  2484. description: |-
  2485. Reference to a Secret that contains the details
  2486. to authenticate with Akeyless.
  2487. properties:
  2488. accessID:
  2489. description: The SecretAccessID is used for authentication
  2490. properties:
  2491. key:
  2492. description: |-
  2493. A key in the referenced Secret.
  2494. Some instances of this field may be defaulted, in others it may be required.
  2495. maxLength: 253
  2496. minLength: 1
  2497. pattern: ^[-._a-zA-Z0-9]+$
  2498. type: string
  2499. name:
  2500. description: The name of the Secret resource being referred to.
  2501. maxLength: 253
  2502. minLength: 1
  2503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2504. type: string
  2505. namespace:
  2506. description: |-
  2507. The namespace of the Secret resource being referred to.
  2508. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2509. maxLength: 63
  2510. minLength: 1
  2511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2512. type: string
  2513. type: object
  2514. accessType:
  2515. description: |-
  2516. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2517. In some instances, `key` is a required field.
  2518. properties:
  2519. key:
  2520. description: |-
  2521. A key in the referenced Secret.
  2522. Some instances of this field may be defaulted, in others it may be required.
  2523. maxLength: 253
  2524. minLength: 1
  2525. pattern: ^[-._a-zA-Z0-9]+$
  2526. type: string
  2527. name:
  2528. description: The name of the Secret resource being referred to.
  2529. maxLength: 253
  2530. minLength: 1
  2531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2532. type: string
  2533. namespace:
  2534. description: |-
  2535. The namespace of the Secret resource being referred to.
  2536. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2537. maxLength: 63
  2538. minLength: 1
  2539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2540. type: string
  2541. type: object
  2542. accessTypeParam:
  2543. description: |-
  2544. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2545. In some instances, `key` is a required field.
  2546. properties:
  2547. key:
  2548. description: |-
  2549. A key in the referenced Secret.
  2550. Some instances of this field may be defaulted, in others it may be required.
  2551. maxLength: 253
  2552. minLength: 1
  2553. pattern: ^[-._a-zA-Z0-9]+$
  2554. type: string
  2555. name:
  2556. description: The name of the Secret resource being referred to.
  2557. maxLength: 253
  2558. minLength: 1
  2559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2560. type: string
  2561. namespace:
  2562. description: |-
  2563. The namespace of the Secret resource being referred to.
  2564. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2565. maxLength: 63
  2566. minLength: 1
  2567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2568. type: string
  2569. type: object
  2570. type: object
  2571. type: object
  2572. caBundle:
  2573. description: |-
  2574. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2575. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2576. are used to validate the TLS connection.
  2577. format: byte
  2578. type: string
  2579. caProvider:
  2580. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2581. properties:
  2582. key:
  2583. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2584. maxLength: 253
  2585. minLength: 1
  2586. pattern: ^[-._a-zA-Z0-9]+$
  2587. type: string
  2588. name:
  2589. description: The name of the object located at the provider type.
  2590. maxLength: 253
  2591. minLength: 1
  2592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2593. type: string
  2594. namespace:
  2595. description: |-
  2596. The namespace the Provider type is in.
  2597. Can only be defined when used in a ClusterSecretStore.
  2598. maxLength: 63
  2599. minLength: 1
  2600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2601. type: string
  2602. type:
  2603. description: The type of provider to use such as "Secret", or "ConfigMap".
  2604. enum:
  2605. - Secret
  2606. - ConfigMap
  2607. type: string
  2608. required:
  2609. - name
  2610. - type
  2611. type: object
  2612. required:
  2613. - akeylessGWApiURL
  2614. - authSecretRef
  2615. type: object
  2616. aws:
  2617. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2618. properties:
  2619. additionalRoles:
  2620. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2621. items:
  2622. type: string
  2623. type: array
  2624. auth:
  2625. description: |-
  2626. Auth defines the information necessary to authenticate against AWS
  2627. if not set aws sdk will infer credentials from your environment
  2628. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2629. properties:
  2630. jwt:
  2631. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  2632. properties:
  2633. serviceAccountRef:
  2634. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2635. properties:
  2636. audiences:
  2637. description: |-
  2638. Audience specifies the `aud` claim for the service account token
  2639. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2640. then this audiences will be appended to the list
  2641. items:
  2642. type: string
  2643. type: array
  2644. name:
  2645. description: The name of the ServiceAccount resource being referred to.
  2646. maxLength: 253
  2647. minLength: 1
  2648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2649. type: string
  2650. namespace:
  2651. description: |-
  2652. Namespace of the resource being referred to.
  2653. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2654. maxLength: 63
  2655. minLength: 1
  2656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2657. type: string
  2658. required:
  2659. - name
  2660. type: object
  2661. type: object
  2662. secretRef:
  2663. description: |-
  2664. AWSAuthSecretRef holds secret references for AWS credentials
  2665. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2666. properties:
  2667. accessKeyIDSecretRef:
  2668. description: The AccessKeyID is used for authentication
  2669. properties:
  2670. key:
  2671. description: |-
  2672. A key in the referenced Secret.
  2673. Some instances of this field may be defaulted, in others it may be required.
  2674. maxLength: 253
  2675. minLength: 1
  2676. pattern: ^[-._a-zA-Z0-9]+$
  2677. type: string
  2678. name:
  2679. description: The name of the Secret resource being referred to.
  2680. maxLength: 253
  2681. minLength: 1
  2682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2683. type: string
  2684. namespace:
  2685. description: |-
  2686. The namespace of the Secret resource being referred to.
  2687. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2688. maxLength: 63
  2689. minLength: 1
  2690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2691. type: string
  2692. type: object
  2693. secretAccessKeySecretRef:
  2694. description: The SecretAccessKey is used for authentication
  2695. properties:
  2696. key:
  2697. description: |-
  2698. A key in the referenced Secret.
  2699. Some instances of this field may be defaulted, in others it may be required.
  2700. maxLength: 253
  2701. minLength: 1
  2702. pattern: ^[-._a-zA-Z0-9]+$
  2703. type: string
  2704. name:
  2705. description: The name of the Secret resource being referred to.
  2706. maxLength: 253
  2707. minLength: 1
  2708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2709. type: string
  2710. namespace:
  2711. description: |-
  2712. The namespace of the Secret resource being referred to.
  2713. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2714. maxLength: 63
  2715. minLength: 1
  2716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2717. type: string
  2718. type: object
  2719. sessionTokenSecretRef:
  2720. description: |-
  2721. The SessionToken used for authentication
  2722. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2723. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2724. properties:
  2725. key:
  2726. description: |-
  2727. A key in the referenced Secret.
  2728. Some instances of this field may be defaulted, in others it may be required.
  2729. maxLength: 253
  2730. minLength: 1
  2731. pattern: ^[-._a-zA-Z0-9]+$
  2732. type: string
  2733. name:
  2734. description: The name of the Secret resource being referred to.
  2735. maxLength: 253
  2736. minLength: 1
  2737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2738. type: string
  2739. namespace:
  2740. description: |-
  2741. The namespace of the Secret resource being referred to.
  2742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2743. maxLength: 63
  2744. minLength: 1
  2745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2746. type: string
  2747. type: object
  2748. type: object
  2749. type: object
  2750. customSessionTags:
  2751. additionalProperties:
  2752. type: string
  2753. description: |-
  2754. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2755. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2756. type: object
  2757. x-kubernetes-validations:
  2758. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2759. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2760. externalID:
  2761. description: AWS External ID set on assumed IAM roles
  2762. type: string
  2763. prefix:
  2764. description: Prefix adds a prefix to all retrieved values.
  2765. type: string
  2766. region:
  2767. description: AWS Region to be used for the provider
  2768. type: string
  2769. role:
  2770. description: Role is a Role ARN which the provider will assume
  2771. type: string
  2772. secretsManager:
  2773. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2774. properties:
  2775. forceDeleteWithoutRecovery:
  2776. description: |-
  2777. Specifies whether to delete the secret without any recovery window. You
  2778. can't use both this parameter and RecoveryWindowInDays in the same call.
  2779. If you don't use either, then by default Secrets Manager uses a 30 day
  2780. recovery window.
  2781. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2782. type: boolean
  2783. recoveryWindowInDays:
  2784. description: |-
  2785. The number of days from 7 to 30 that Secrets Manager waits before
  2786. permanently deleting the secret. You can't use both this parameter and
  2787. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2788. then by default Secrets Manager uses a 30-day recovery window.
  2789. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2790. format: int64
  2791. type: integer
  2792. type: object
  2793. service:
  2794. description: Service defines which service should be used to fetch the secrets
  2795. enum:
  2796. - SecretsManager
  2797. - ParameterStore
  2798. type: string
  2799. sessionTags:
  2800. description: AWS STS assume role session tags
  2801. items:
  2802. description: |-
  2803. Tag is a key-value pair that can be attached to an AWS resource.
  2804. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2805. properties:
  2806. key:
  2807. type: string
  2808. value:
  2809. type: string
  2810. required:
  2811. - key
  2812. - value
  2813. type: object
  2814. type: array
  2815. sessionTagsPolicy:
  2816. default: None
  2817. description: |-
  2818. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2819. None (default): no tags are added.
  2820. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2821. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2822. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2823. enum:
  2824. - None
  2825. - Simple
  2826. - Custom
  2827. type: string
  2828. transitiveTagKeys:
  2829. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2830. items:
  2831. type: string
  2832. type: array
  2833. required:
  2834. - region
  2835. - service
  2836. type: object
  2837. azurekv:
  2838. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2839. properties:
  2840. authSecretRef:
  2841. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2842. properties:
  2843. clientCertificate:
  2844. description: The Azure ClientCertificate of the service principle used for authentication.
  2845. properties:
  2846. key:
  2847. description: |-
  2848. A key in the referenced Secret.
  2849. Some instances of this field may be defaulted, in others it may be required.
  2850. maxLength: 253
  2851. minLength: 1
  2852. pattern: ^[-._a-zA-Z0-9]+$
  2853. type: string
  2854. name:
  2855. description: The name of the Secret resource being referred to.
  2856. maxLength: 253
  2857. minLength: 1
  2858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2859. type: string
  2860. namespace:
  2861. description: |-
  2862. The namespace of the Secret resource being referred to.
  2863. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2864. maxLength: 63
  2865. minLength: 1
  2866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2867. type: string
  2868. type: object
  2869. clientId:
  2870. description: The Azure clientId of the service principle or managed identity used for authentication.
  2871. properties:
  2872. key:
  2873. description: |-
  2874. A key in the referenced Secret.
  2875. Some instances of this field may be defaulted, in others it may be required.
  2876. maxLength: 253
  2877. minLength: 1
  2878. pattern: ^[-._a-zA-Z0-9]+$
  2879. type: string
  2880. name:
  2881. description: The name of the Secret resource being referred to.
  2882. maxLength: 253
  2883. minLength: 1
  2884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2885. type: string
  2886. namespace:
  2887. description: |-
  2888. The namespace of the Secret resource being referred to.
  2889. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2890. maxLength: 63
  2891. minLength: 1
  2892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2893. type: string
  2894. type: object
  2895. clientSecret:
  2896. description: The Azure ClientSecret of the service principle used for authentication.
  2897. properties:
  2898. key:
  2899. description: |-
  2900. A key in the referenced Secret.
  2901. Some instances of this field may be defaulted, in others it may be required.
  2902. maxLength: 253
  2903. minLength: 1
  2904. pattern: ^[-._a-zA-Z0-9]+$
  2905. type: string
  2906. name:
  2907. description: The name of the Secret resource being referred to.
  2908. maxLength: 253
  2909. minLength: 1
  2910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2911. type: string
  2912. namespace:
  2913. description: |-
  2914. The namespace of the Secret resource being referred to.
  2915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2916. maxLength: 63
  2917. minLength: 1
  2918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2919. type: string
  2920. type: object
  2921. tenantId:
  2922. description: The Azure tenantId of the managed identity used for authentication.
  2923. properties:
  2924. key:
  2925. description: |-
  2926. A key in the referenced Secret.
  2927. Some instances of this field may be defaulted, in others it may be required.
  2928. maxLength: 253
  2929. minLength: 1
  2930. pattern: ^[-._a-zA-Z0-9]+$
  2931. type: string
  2932. name:
  2933. description: The name of the Secret resource being referred to.
  2934. maxLength: 253
  2935. minLength: 1
  2936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2937. type: string
  2938. namespace:
  2939. description: |-
  2940. The namespace of the Secret resource being referred to.
  2941. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2942. maxLength: 63
  2943. minLength: 1
  2944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2945. type: string
  2946. type: object
  2947. type: object
  2948. authType:
  2949. default: ServicePrincipal
  2950. description: |-
  2951. Auth type defines how to authenticate to the keyvault service.
  2952. Valid values are:
  2953. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2954. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2955. enum:
  2956. - ServicePrincipal
  2957. - ManagedIdentity
  2958. - WorkloadIdentity
  2959. type: string
  2960. customCloudConfig:
  2961. description: |-
  2962. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  2963. Required when EnvironmentType is AzureStackCloud.
  2964. Optional for other environment types - useful for Azure China when using Workload Identity
  2965. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  2966. standard China Cloud endpoint (login.chinacloudapi.cn).
  2967. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  2968. configuration is not supported with the legacy go-autorest SDK.
  2969. properties:
  2970. activeDirectoryEndpoint:
  2971. description: |-
  2972. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  2973. Required when using custom cloud configuration
  2974. type: string
  2975. keyVaultDNSSuffix:
  2976. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  2977. type: string
  2978. keyVaultEndpoint:
  2979. description: KeyVaultEndpoint is the Key Vault service endpoint
  2980. type: string
  2981. resourceManagerEndpoint:
  2982. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  2983. type: string
  2984. required:
  2985. - activeDirectoryEndpoint
  2986. type: object
  2987. environmentType:
  2988. default: PublicCloud
  2989. description: |-
  2990. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2991. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2992. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2993. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  2994. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  2995. enum:
  2996. - PublicCloud
  2997. - USGovernmentCloud
  2998. - ChinaCloud
  2999. - GermanCloud
  3000. - AzureStackCloud
  3001. type: string
  3002. identityId:
  3003. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3004. type: string
  3005. serviceAccountRef:
  3006. description: |-
  3007. ServiceAccountRef specified the service account
  3008. that should be used when authenticating with WorkloadIdentity.
  3009. properties:
  3010. audiences:
  3011. description: |-
  3012. Audience specifies the `aud` claim for the service account token
  3013. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3014. then this audiences will be appended to the list
  3015. items:
  3016. type: string
  3017. type: array
  3018. name:
  3019. description: The name of the ServiceAccount resource being referred to.
  3020. maxLength: 253
  3021. minLength: 1
  3022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3023. type: string
  3024. namespace:
  3025. description: |-
  3026. Namespace of the resource being referred to.
  3027. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3028. maxLength: 63
  3029. minLength: 1
  3030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3031. type: string
  3032. required:
  3033. - name
  3034. type: object
  3035. tenantId:
  3036. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3037. type: string
  3038. useAzureSDK:
  3039. default: false
  3040. description: |-
  3041. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3042. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3043. type: boolean
  3044. vaultUrl:
  3045. description: Vault Url from which the secrets to be fetched from.
  3046. type: string
  3047. required:
  3048. - vaultUrl
  3049. type: object
  3050. barbican:
  3051. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3052. properties:
  3053. auth:
  3054. description: BarbicanAuth contains the authentication information for Barbican.
  3055. properties:
  3056. password:
  3057. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3058. properties:
  3059. secretRef:
  3060. description: |-
  3061. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3062. In some instances, `key` is a required field.
  3063. properties:
  3064. key:
  3065. description: |-
  3066. A key in the referenced Secret.
  3067. Some instances of this field may be defaulted, in others it may be required.
  3068. maxLength: 253
  3069. minLength: 1
  3070. pattern: ^[-._a-zA-Z0-9]+$
  3071. type: string
  3072. name:
  3073. description: The name of the Secret resource being referred to.
  3074. maxLength: 253
  3075. minLength: 1
  3076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3077. type: string
  3078. namespace:
  3079. description: |-
  3080. The namespace of the Secret resource being referred to.
  3081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3082. maxLength: 63
  3083. minLength: 1
  3084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3085. type: string
  3086. type: object
  3087. required:
  3088. - secretRef
  3089. type: object
  3090. username:
  3091. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3092. maxProperties: 1
  3093. minProperties: 1
  3094. properties:
  3095. secretRef:
  3096. description: |-
  3097. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3098. In some instances, `key` is a required field.
  3099. properties:
  3100. key:
  3101. description: |-
  3102. A key in the referenced Secret.
  3103. Some instances of this field may be defaulted, in others it may be required.
  3104. maxLength: 253
  3105. minLength: 1
  3106. pattern: ^[-._a-zA-Z0-9]+$
  3107. type: string
  3108. name:
  3109. description: The name of the Secret resource being referred to.
  3110. maxLength: 253
  3111. minLength: 1
  3112. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3113. type: string
  3114. namespace:
  3115. description: |-
  3116. The namespace of the Secret resource being referred to.
  3117. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3118. maxLength: 63
  3119. minLength: 1
  3120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3121. type: string
  3122. type: object
  3123. value:
  3124. type: string
  3125. type: object
  3126. required:
  3127. - password
  3128. - username
  3129. type: object
  3130. authURL:
  3131. type: string
  3132. domainName:
  3133. type: string
  3134. region:
  3135. type: string
  3136. tenantName:
  3137. type: string
  3138. required:
  3139. - auth
  3140. type: object
  3141. beyondtrust:
  3142. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3143. properties:
  3144. auth:
  3145. description: Auth configures how the operator authenticates with Beyondtrust.
  3146. properties:
  3147. apiKey:
  3148. description: APIKey If not provided then ClientID/ClientSecret become required.
  3149. properties:
  3150. secretRef:
  3151. description: SecretRef references a key in a secret that will be used as value.
  3152. properties:
  3153. key:
  3154. description: |-
  3155. A key in the referenced Secret.
  3156. Some instances of this field may be defaulted, in others it may be required.
  3157. maxLength: 253
  3158. minLength: 1
  3159. pattern: ^[-._a-zA-Z0-9]+$
  3160. type: string
  3161. name:
  3162. description: The name of the Secret resource being referred to.
  3163. maxLength: 253
  3164. minLength: 1
  3165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3166. type: string
  3167. namespace:
  3168. description: |-
  3169. The namespace of the Secret resource being referred to.
  3170. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3171. maxLength: 63
  3172. minLength: 1
  3173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3174. type: string
  3175. type: object
  3176. value:
  3177. description: Value can be specified directly to set a value without using a secret.
  3178. type: string
  3179. type: object
  3180. certificate:
  3181. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3182. properties:
  3183. secretRef:
  3184. description: SecretRef references a key in a secret that will be used as value.
  3185. properties:
  3186. key:
  3187. description: |-
  3188. A key in the referenced Secret.
  3189. Some instances of this field may be defaulted, in others it may be required.
  3190. maxLength: 253
  3191. minLength: 1
  3192. pattern: ^[-._a-zA-Z0-9]+$
  3193. type: string
  3194. name:
  3195. description: The name of the Secret resource being referred to.
  3196. maxLength: 253
  3197. minLength: 1
  3198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3199. type: string
  3200. namespace:
  3201. description: |-
  3202. The namespace of the Secret resource being referred to.
  3203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3204. maxLength: 63
  3205. minLength: 1
  3206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3207. type: string
  3208. type: object
  3209. value:
  3210. description: Value can be specified directly to set a value without using a secret.
  3211. type: string
  3212. type: object
  3213. certificateKey:
  3214. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3215. properties:
  3216. secretRef:
  3217. description: SecretRef references a key in a secret that will be used as value.
  3218. properties:
  3219. key:
  3220. description: |-
  3221. A key in the referenced Secret.
  3222. Some instances of this field may be defaulted, in others it may be required.
  3223. maxLength: 253
  3224. minLength: 1
  3225. pattern: ^[-._a-zA-Z0-9]+$
  3226. type: string
  3227. name:
  3228. description: The name of the Secret resource being referred to.
  3229. maxLength: 253
  3230. minLength: 1
  3231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3232. type: string
  3233. namespace:
  3234. description: |-
  3235. The namespace of the Secret resource being referred to.
  3236. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3237. maxLength: 63
  3238. minLength: 1
  3239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3240. type: string
  3241. type: object
  3242. value:
  3243. description: Value can be specified directly to set a value without using a secret.
  3244. type: string
  3245. type: object
  3246. clientId:
  3247. description: ClientID is the API OAuth Client ID.
  3248. properties:
  3249. secretRef:
  3250. description: SecretRef references a key in a secret that will be used as value.
  3251. properties:
  3252. key:
  3253. description: |-
  3254. A key in the referenced Secret.
  3255. Some instances of this field may be defaulted, in others it may be required.
  3256. maxLength: 253
  3257. minLength: 1
  3258. pattern: ^[-._a-zA-Z0-9]+$
  3259. type: string
  3260. name:
  3261. description: The name of the Secret resource being referred to.
  3262. maxLength: 253
  3263. minLength: 1
  3264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3265. type: string
  3266. namespace:
  3267. description: |-
  3268. The namespace of the Secret resource being referred to.
  3269. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3270. maxLength: 63
  3271. minLength: 1
  3272. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3273. type: string
  3274. type: object
  3275. value:
  3276. description: Value can be specified directly to set a value without using a secret.
  3277. type: string
  3278. type: object
  3279. clientSecret:
  3280. description: ClientSecret is the API OAuth Client Secret.
  3281. properties:
  3282. secretRef:
  3283. description: SecretRef references a key in a secret that will be used as value.
  3284. properties:
  3285. key:
  3286. description: |-
  3287. A key in the referenced Secret.
  3288. Some instances of this field may be defaulted, in others it may be required.
  3289. maxLength: 253
  3290. minLength: 1
  3291. pattern: ^[-._a-zA-Z0-9]+$
  3292. type: string
  3293. name:
  3294. description: The name of the Secret resource being referred to.
  3295. maxLength: 253
  3296. minLength: 1
  3297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3298. type: string
  3299. namespace:
  3300. description: |-
  3301. The namespace of the Secret resource being referred to.
  3302. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3303. maxLength: 63
  3304. minLength: 1
  3305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3306. type: string
  3307. type: object
  3308. value:
  3309. description: Value can be specified directly to set a value without using a secret.
  3310. type: string
  3311. type: object
  3312. type: object
  3313. server:
  3314. description: Auth configures how API server works.
  3315. properties:
  3316. apiUrl:
  3317. type: string
  3318. apiVersion:
  3319. type: string
  3320. clientTimeOutSeconds:
  3321. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3322. type: integer
  3323. decrypt:
  3324. default: true
  3325. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3326. type: boolean
  3327. retrievalType:
  3328. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3329. type: string
  3330. separator:
  3331. description: A character that separates the folder names.
  3332. type: string
  3333. verifyCA:
  3334. type: boolean
  3335. required:
  3336. - apiUrl
  3337. - verifyCA
  3338. type: object
  3339. required:
  3340. - auth
  3341. - server
  3342. type: object
  3343. bitwardensecretsmanager:
  3344. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3345. properties:
  3346. apiURL:
  3347. type: string
  3348. auth:
  3349. description: |-
  3350. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3351. Make sure that the token being used has permissions on the given secret.
  3352. properties:
  3353. secretRef:
  3354. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3355. properties:
  3356. credentials:
  3357. description: AccessToken used for the bitwarden instance.
  3358. properties:
  3359. key:
  3360. description: |-
  3361. A key in the referenced Secret.
  3362. Some instances of this field may be defaulted, in others it may be required.
  3363. maxLength: 253
  3364. minLength: 1
  3365. pattern: ^[-._a-zA-Z0-9]+$
  3366. type: string
  3367. name:
  3368. description: The name of the Secret resource being referred to.
  3369. maxLength: 253
  3370. minLength: 1
  3371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3372. type: string
  3373. namespace:
  3374. description: |-
  3375. The namespace of the Secret resource being referred to.
  3376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3377. maxLength: 63
  3378. minLength: 1
  3379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3380. type: string
  3381. type: object
  3382. required:
  3383. - credentials
  3384. type: object
  3385. required:
  3386. - secretRef
  3387. type: object
  3388. bitwardenServerSDKURL:
  3389. type: string
  3390. caBundle:
  3391. description: |-
  3392. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3393. can be performed.
  3394. type: string
  3395. caProvider:
  3396. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3397. properties:
  3398. key:
  3399. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3400. maxLength: 253
  3401. minLength: 1
  3402. pattern: ^[-._a-zA-Z0-9]+$
  3403. type: string
  3404. name:
  3405. description: The name of the object located at the provider type.
  3406. maxLength: 253
  3407. minLength: 1
  3408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3409. type: string
  3410. namespace:
  3411. description: |-
  3412. The namespace the Provider type is in.
  3413. Can only be defined when used in a ClusterSecretStore.
  3414. maxLength: 63
  3415. minLength: 1
  3416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3417. type: string
  3418. type:
  3419. description: The type of provider to use such as "Secret", or "ConfigMap".
  3420. enum:
  3421. - Secret
  3422. - ConfigMap
  3423. type: string
  3424. required:
  3425. - name
  3426. - type
  3427. type: object
  3428. identityURL:
  3429. type: string
  3430. organizationID:
  3431. description: OrganizationID determines which organization this secret store manages.
  3432. type: string
  3433. projectID:
  3434. description: ProjectID determines which project this secret store manages.
  3435. type: string
  3436. required:
  3437. - auth
  3438. - organizationID
  3439. - projectID
  3440. type: object
  3441. chef:
  3442. description: Chef configures this store to sync secrets with chef server
  3443. properties:
  3444. auth:
  3445. description: Auth defines the information necessary to authenticate against chef Server
  3446. properties:
  3447. secretRef:
  3448. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3449. properties:
  3450. privateKeySecretRef:
  3451. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3452. properties:
  3453. key:
  3454. description: |-
  3455. A key in the referenced Secret.
  3456. Some instances of this field may be defaulted, in others it may be required.
  3457. maxLength: 253
  3458. minLength: 1
  3459. pattern: ^[-._a-zA-Z0-9]+$
  3460. type: string
  3461. name:
  3462. description: The name of the Secret resource being referred to.
  3463. maxLength: 253
  3464. minLength: 1
  3465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3466. type: string
  3467. namespace:
  3468. description: |-
  3469. The namespace of the Secret resource being referred to.
  3470. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3471. maxLength: 63
  3472. minLength: 1
  3473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3474. type: string
  3475. type: object
  3476. required:
  3477. - privateKeySecretRef
  3478. type: object
  3479. required:
  3480. - secretRef
  3481. type: object
  3482. serverUrl:
  3483. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3484. type: string
  3485. username:
  3486. description: UserName should be the user ID on the chef server
  3487. type: string
  3488. required:
  3489. - auth
  3490. - serverUrl
  3491. - username
  3492. type: object
  3493. cloudrusm:
  3494. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3495. properties:
  3496. auth:
  3497. description: CSMAuth contains a secretRef for credentials.
  3498. properties:
  3499. secretRef:
  3500. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3501. properties:
  3502. accessKeyIDSecretRef:
  3503. description: The AccessKeyID is used for authentication
  3504. properties:
  3505. key:
  3506. description: |-
  3507. A key in the referenced Secret.
  3508. Some instances of this field may be defaulted, in others it may be required.
  3509. maxLength: 253
  3510. minLength: 1
  3511. pattern: ^[-._a-zA-Z0-9]+$
  3512. type: string
  3513. name:
  3514. description: The name of the Secret resource being referred to.
  3515. maxLength: 253
  3516. minLength: 1
  3517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3518. type: string
  3519. namespace:
  3520. description: |-
  3521. The namespace of the Secret resource being referred to.
  3522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3523. maxLength: 63
  3524. minLength: 1
  3525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3526. type: string
  3527. type: object
  3528. accessKeySecretSecretRef:
  3529. description: The AccessKeySecret is used for authentication
  3530. properties:
  3531. key:
  3532. description: |-
  3533. A key in the referenced Secret.
  3534. Some instances of this field may be defaulted, in others it may be required.
  3535. maxLength: 253
  3536. minLength: 1
  3537. pattern: ^[-._a-zA-Z0-9]+$
  3538. type: string
  3539. name:
  3540. description: The name of the Secret resource being referred to.
  3541. maxLength: 253
  3542. minLength: 1
  3543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3544. type: string
  3545. namespace:
  3546. description: |-
  3547. The namespace of the Secret resource being referred to.
  3548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3549. maxLength: 63
  3550. minLength: 1
  3551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3552. type: string
  3553. type: object
  3554. required:
  3555. - accessKeyIDSecretRef
  3556. - accessKeySecretSecretRef
  3557. type: object
  3558. type: object
  3559. projectID:
  3560. description: ProjectID is the project, which the secrets are stored in.
  3561. type: string
  3562. required:
  3563. - auth
  3564. type: object
  3565. conjur:
  3566. description: Conjur configures this store to sync secrets using conjur provider
  3567. properties:
  3568. auth:
  3569. description: Defines authentication settings for connecting to Conjur.
  3570. properties:
  3571. apikey:
  3572. description: Authenticates with Conjur using an API key.
  3573. properties:
  3574. account:
  3575. description: Account is the Conjur organization account name.
  3576. type: string
  3577. apiKeyRef:
  3578. description: |-
  3579. A reference to a specific 'key' containing the Conjur API key
  3580. within a Secret resource. In some instances, `key` is a required field.
  3581. properties:
  3582. key:
  3583. description: |-
  3584. A key in the referenced Secret.
  3585. Some instances of this field may be defaulted, in others it may be required.
  3586. maxLength: 253
  3587. minLength: 1
  3588. pattern: ^[-._a-zA-Z0-9]+$
  3589. type: string
  3590. name:
  3591. description: The name of the Secret resource being referred to.
  3592. maxLength: 253
  3593. minLength: 1
  3594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3595. type: string
  3596. namespace:
  3597. description: |-
  3598. The namespace of the Secret resource being referred to.
  3599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3600. maxLength: 63
  3601. minLength: 1
  3602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3603. type: string
  3604. type: object
  3605. userRef:
  3606. description: |-
  3607. A reference to a specific 'key' containing the Conjur username
  3608. within a Secret resource. In some instances, `key` is a required field.
  3609. properties:
  3610. key:
  3611. description: |-
  3612. A key in the referenced Secret.
  3613. Some instances of this field may be defaulted, in others it may be required.
  3614. maxLength: 253
  3615. minLength: 1
  3616. pattern: ^[-._a-zA-Z0-9]+$
  3617. type: string
  3618. name:
  3619. description: The name of the Secret resource being referred to.
  3620. maxLength: 253
  3621. minLength: 1
  3622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3623. type: string
  3624. namespace:
  3625. description: |-
  3626. The namespace of the Secret resource being referred to.
  3627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3628. maxLength: 63
  3629. minLength: 1
  3630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3631. type: string
  3632. type: object
  3633. required:
  3634. - account
  3635. - apiKeyRef
  3636. - userRef
  3637. type: object
  3638. jwt:
  3639. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3640. properties:
  3641. account:
  3642. description: Account is the Conjur organization account name.
  3643. type: string
  3644. hostId:
  3645. description: |-
  3646. Optional HostID for JWT authentication. This may be used depending
  3647. on how the Conjur JWT authenticator policy is configured.
  3648. type: string
  3649. secretRef:
  3650. description: |-
  3651. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3652. authenticate with Conjur using the JWT authentication method.
  3653. properties:
  3654. key:
  3655. description: |-
  3656. A key in the referenced Secret.
  3657. Some instances of this field may be defaulted, in others it may be required.
  3658. maxLength: 253
  3659. minLength: 1
  3660. pattern: ^[-._a-zA-Z0-9]+$
  3661. type: string
  3662. name:
  3663. description: The name of the Secret resource being referred to.
  3664. maxLength: 253
  3665. minLength: 1
  3666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3667. type: string
  3668. namespace:
  3669. description: |-
  3670. The namespace of the Secret resource being referred to.
  3671. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3672. maxLength: 63
  3673. minLength: 1
  3674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3675. type: string
  3676. type: object
  3677. serviceAccountRef:
  3678. description: |-
  3679. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3680. a token for with the `TokenRequest` API.
  3681. properties:
  3682. audiences:
  3683. description: |-
  3684. Audience specifies the `aud` claim for the service account token
  3685. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3686. then this audiences will be appended to the list
  3687. items:
  3688. type: string
  3689. type: array
  3690. name:
  3691. description: The name of the ServiceAccount resource being referred to.
  3692. maxLength: 253
  3693. minLength: 1
  3694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3695. type: string
  3696. namespace:
  3697. description: |-
  3698. Namespace of the resource being referred to.
  3699. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3700. maxLength: 63
  3701. minLength: 1
  3702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3703. type: string
  3704. required:
  3705. - name
  3706. type: object
  3707. serviceID:
  3708. description: The conjur authn jwt webservice id
  3709. type: string
  3710. required:
  3711. - account
  3712. - serviceID
  3713. type: object
  3714. type: object
  3715. caBundle:
  3716. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3717. type: string
  3718. caProvider:
  3719. description: |-
  3720. Used to provide custom certificate authority (CA) certificates
  3721. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3722. that contains a PEM-encoded certificate.
  3723. properties:
  3724. key:
  3725. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3726. maxLength: 253
  3727. minLength: 1
  3728. pattern: ^[-._a-zA-Z0-9]+$
  3729. type: string
  3730. name:
  3731. description: The name of the object located at the provider type.
  3732. maxLength: 253
  3733. minLength: 1
  3734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3735. type: string
  3736. namespace:
  3737. description: |-
  3738. The namespace the Provider type is in.
  3739. Can only be defined when used in a ClusterSecretStore.
  3740. maxLength: 63
  3741. minLength: 1
  3742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3743. type: string
  3744. type:
  3745. description: The type of provider to use such as "Secret", or "ConfigMap".
  3746. enum:
  3747. - Secret
  3748. - ConfigMap
  3749. type: string
  3750. required:
  3751. - name
  3752. - type
  3753. type: object
  3754. url:
  3755. description: URL is the endpoint of the Conjur instance.
  3756. type: string
  3757. required:
  3758. - auth
  3759. - url
  3760. type: object
  3761. delinea:
  3762. description: |-
  3763. Delinea DevOps Secrets Vault
  3764. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3765. properties:
  3766. clientId:
  3767. description: ClientID is the non-secret part of the credential.
  3768. properties:
  3769. secretRef:
  3770. description: SecretRef references a key in a secret that will be used as value.
  3771. properties:
  3772. key:
  3773. description: |-
  3774. A key in the referenced Secret.
  3775. Some instances of this field may be defaulted, in others it may be required.
  3776. maxLength: 253
  3777. minLength: 1
  3778. pattern: ^[-._a-zA-Z0-9]+$
  3779. type: string
  3780. name:
  3781. description: The name of the Secret resource being referred to.
  3782. maxLength: 253
  3783. minLength: 1
  3784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3785. type: string
  3786. namespace:
  3787. description: |-
  3788. The namespace of the Secret resource being referred to.
  3789. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3790. maxLength: 63
  3791. minLength: 1
  3792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3793. type: string
  3794. type: object
  3795. value:
  3796. description: Value can be specified directly to set a value without using a secret.
  3797. type: string
  3798. type: object
  3799. clientSecret:
  3800. description: ClientSecret is the secret part of the credential.
  3801. properties:
  3802. secretRef:
  3803. description: SecretRef references a key in a secret that will be used as value.
  3804. properties:
  3805. key:
  3806. description: |-
  3807. A key in the referenced Secret.
  3808. Some instances of this field may be defaulted, in others it may be required.
  3809. maxLength: 253
  3810. minLength: 1
  3811. pattern: ^[-._a-zA-Z0-9]+$
  3812. type: string
  3813. name:
  3814. description: The name of the Secret resource being referred to.
  3815. maxLength: 253
  3816. minLength: 1
  3817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3818. type: string
  3819. namespace:
  3820. description: |-
  3821. The namespace of the Secret resource being referred to.
  3822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3823. maxLength: 63
  3824. minLength: 1
  3825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3826. type: string
  3827. type: object
  3828. value:
  3829. description: Value can be specified directly to set a value without using a secret.
  3830. type: string
  3831. type: object
  3832. tenant:
  3833. description: Tenant is the chosen hostname / site name.
  3834. type: string
  3835. tld:
  3836. description: |-
  3837. TLD is based on the server location that was chosen during provisioning.
  3838. If unset, defaults to "com".
  3839. type: string
  3840. urlTemplate:
  3841. description: |-
  3842. URLTemplate
  3843. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3844. type: string
  3845. required:
  3846. - clientId
  3847. - clientSecret
  3848. - tenant
  3849. type: object
  3850. doppler:
  3851. description: Doppler configures this store to sync secrets using the Doppler provider
  3852. properties:
  3853. auth:
  3854. description: Auth configures how the Operator authenticates with the Doppler API
  3855. properties:
  3856. oidcConfig:
  3857. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  3858. properties:
  3859. expirationSeconds:
  3860. default: 600
  3861. description: |-
  3862. ExpirationSeconds sets the ServiceAccount token validity duration.
  3863. Defaults to 10 minutes.
  3864. format: int64
  3865. type: integer
  3866. identity:
  3867. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  3868. type: string
  3869. serviceAccountRef:
  3870. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  3871. properties:
  3872. audiences:
  3873. description: |-
  3874. Audience specifies the `aud` claim for the service account token
  3875. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3876. then this audiences will be appended to the list
  3877. items:
  3878. type: string
  3879. type: array
  3880. name:
  3881. description: The name of the ServiceAccount resource being referred to.
  3882. maxLength: 253
  3883. minLength: 1
  3884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3885. type: string
  3886. namespace:
  3887. description: |-
  3888. Namespace of the resource being referred to.
  3889. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3890. maxLength: 63
  3891. minLength: 1
  3892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3893. type: string
  3894. required:
  3895. - name
  3896. type: object
  3897. required:
  3898. - identity
  3899. - serviceAccountRef
  3900. type: object
  3901. secretRef:
  3902. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  3903. properties:
  3904. dopplerToken:
  3905. description: |-
  3906. The DopplerToken is used for authentication.
  3907. See https://docs.doppler.com/reference/api#authentication for auth token types.
  3908. The Key attribute defaults to dopplerToken if not specified.
  3909. properties:
  3910. key:
  3911. description: |-
  3912. A key in the referenced Secret.
  3913. Some instances of this field may be defaulted, in others it may be required.
  3914. maxLength: 253
  3915. minLength: 1
  3916. pattern: ^[-._a-zA-Z0-9]+$
  3917. type: string
  3918. name:
  3919. description: The name of the Secret resource being referred to.
  3920. maxLength: 253
  3921. minLength: 1
  3922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3923. type: string
  3924. namespace:
  3925. description: |-
  3926. The namespace of the Secret resource being referred to.
  3927. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3928. maxLength: 63
  3929. minLength: 1
  3930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3931. type: string
  3932. type: object
  3933. required:
  3934. - dopplerToken
  3935. type: object
  3936. type: object
  3937. x-kubernetes-validations:
  3938. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  3939. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  3940. config:
  3941. description: Doppler config (required if not using a Service Token)
  3942. type: string
  3943. format:
  3944. description: Format enables the downloading of secrets as a file (string)
  3945. enum:
  3946. - json
  3947. - dotnet-json
  3948. - env
  3949. - yaml
  3950. - docker
  3951. type: string
  3952. nameTransformer:
  3953. description: Environment variable compatible name transforms that change secret names to a different format
  3954. enum:
  3955. - upper-camel
  3956. - camel
  3957. - lower-snake
  3958. - tf-var
  3959. - dotnet-env
  3960. - lower-kebab
  3961. type: string
  3962. project:
  3963. description: Doppler project (required if not using a Service Token)
  3964. type: string
  3965. required:
  3966. - auth
  3967. type: object
  3968. dvls:
  3969. description: DVLS configures this store to sync secrets using Devolutions Server provider
  3970. properties:
  3971. auth:
  3972. description: Auth defines the authentication method to use.
  3973. properties:
  3974. secretRef:
  3975. description: SecretRef contains the Application ID and Application Secret for authentication.
  3976. properties:
  3977. appId:
  3978. description: AppID is the reference to the secret containing the Application ID.
  3979. properties:
  3980. key:
  3981. description: |-
  3982. A key in the referenced Secret.
  3983. Some instances of this field may be defaulted, in others it may be required.
  3984. maxLength: 253
  3985. minLength: 1
  3986. pattern: ^[-._a-zA-Z0-9]+$
  3987. type: string
  3988. name:
  3989. description: The name of the Secret resource being referred to.
  3990. maxLength: 253
  3991. minLength: 1
  3992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3993. type: string
  3994. namespace:
  3995. description: |-
  3996. The namespace of the Secret resource being referred to.
  3997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3998. maxLength: 63
  3999. minLength: 1
  4000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4001. type: string
  4002. type: object
  4003. appSecret:
  4004. description: AppSecret is the reference to the secret containing the Application Secret.
  4005. properties:
  4006. key:
  4007. description: |-
  4008. A key in the referenced Secret.
  4009. Some instances of this field may be defaulted, in others it may be required.
  4010. maxLength: 253
  4011. minLength: 1
  4012. pattern: ^[-._a-zA-Z0-9]+$
  4013. type: string
  4014. name:
  4015. description: The name of the Secret resource being referred to.
  4016. maxLength: 253
  4017. minLength: 1
  4018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4019. type: string
  4020. namespace:
  4021. description: |-
  4022. The namespace of the Secret resource being referred to.
  4023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4024. maxLength: 63
  4025. minLength: 1
  4026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4027. type: string
  4028. type: object
  4029. required:
  4030. - appId
  4031. - appSecret
  4032. type: object
  4033. required:
  4034. - secretRef
  4035. type: object
  4036. insecure:
  4037. description: |-
  4038. Insecure allows connecting to DVLS over plain HTTP.
  4039. This is NOT RECOMMENDED for production use.
  4040. Set to true only if you understand the security implications.
  4041. type: boolean
  4042. serverUrl:
  4043. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4044. type: string
  4045. vault:
  4046. description: |-
  4047. Vault is the name or UUID of the vault to fetch secrets from.
  4048. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4049. type: string
  4050. required:
  4051. - auth
  4052. - serverUrl
  4053. type: object
  4054. fake:
  4055. description: Fake configures a store with static key/value pairs
  4056. properties:
  4057. data:
  4058. items:
  4059. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4060. properties:
  4061. key:
  4062. type: string
  4063. value:
  4064. type: string
  4065. version:
  4066. type: string
  4067. required:
  4068. - key
  4069. - value
  4070. type: object
  4071. type: array
  4072. validationResult:
  4073. description: ValidationResult is defined type for the number of validation results.
  4074. type: integer
  4075. required:
  4076. - data
  4077. type: object
  4078. fortanix:
  4079. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4080. properties:
  4081. apiKey:
  4082. description: APIKey is the API token to access SDKMS Applications.
  4083. properties:
  4084. secretRef:
  4085. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4086. properties:
  4087. key:
  4088. description: |-
  4089. A key in the referenced Secret.
  4090. Some instances of this field may be defaulted, in others it may be required.
  4091. maxLength: 253
  4092. minLength: 1
  4093. pattern: ^[-._a-zA-Z0-9]+$
  4094. type: string
  4095. name:
  4096. description: The name of the Secret resource being referred to.
  4097. maxLength: 253
  4098. minLength: 1
  4099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4100. type: string
  4101. namespace:
  4102. description: |-
  4103. The namespace of the Secret resource being referred to.
  4104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4105. maxLength: 63
  4106. minLength: 1
  4107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4108. type: string
  4109. type: object
  4110. type: object
  4111. apiUrl:
  4112. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4113. type: string
  4114. type: object
  4115. gcpsm:
  4116. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4117. properties:
  4118. auth:
  4119. description: Auth defines the information necessary to authenticate against GCP
  4120. properties:
  4121. secretRef:
  4122. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4123. properties:
  4124. secretAccessKeySecretRef:
  4125. description: The SecretAccessKey is used for authentication
  4126. properties:
  4127. key:
  4128. description: |-
  4129. A key in the referenced Secret.
  4130. Some instances of this field may be defaulted, in others it may be required.
  4131. maxLength: 253
  4132. minLength: 1
  4133. pattern: ^[-._a-zA-Z0-9]+$
  4134. type: string
  4135. name:
  4136. description: The name of the Secret resource being referred to.
  4137. maxLength: 253
  4138. minLength: 1
  4139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4140. type: string
  4141. namespace:
  4142. description: |-
  4143. The namespace of the Secret resource being referred to.
  4144. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4145. maxLength: 63
  4146. minLength: 1
  4147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4148. type: string
  4149. type: object
  4150. type: object
  4151. workloadIdentity:
  4152. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4153. properties:
  4154. clusterLocation:
  4155. description: |-
  4156. ClusterLocation is the location of the cluster
  4157. If not specified, it fetches information from the metadata server
  4158. type: string
  4159. clusterName:
  4160. description: |-
  4161. ClusterName is the name of the cluster
  4162. If not specified, it fetches information from the metadata server
  4163. type: string
  4164. clusterProjectID:
  4165. description: |-
  4166. ClusterProjectID is the project ID of the cluster
  4167. If not specified, it fetches information from the metadata server
  4168. type: string
  4169. serviceAccountRef:
  4170. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4171. properties:
  4172. audiences:
  4173. description: |-
  4174. Audience specifies the `aud` claim for the service account token
  4175. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4176. then this audiences will be appended to the list
  4177. items:
  4178. type: string
  4179. type: array
  4180. name:
  4181. description: The name of the ServiceAccount resource being referred to.
  4182. maxLength: 253
  4183. minLength: 1
  4184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4185. type: string
  4186. namespace:
  4187. description: |-
  4188. Namespace of the resource being referred to.
  4189. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4190. maxLength: 63
  4191. minLength: 1
  4192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4193. type: string
  4194. required:
  4195. - name
  4196. type: object
  4197. required:
  4198. - serviceAccountRef
  4199. type: object
  4200. workloadIdentityFederation:
  4201. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4202. properties:
  4203. audience:
  4204. description: |-
  4205. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4206. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4207. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4208. type: string
  4209. awsSecurityCredentials:
  4210. description: |-
  4211. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4212. when using the AWS metadata server is not an option.
  4213. properties:
  4214. awsCredentialsSecretRef:
  4215. description: |-
  4216. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4217. Secret should be created with below names for keys
  4218. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4219. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4220. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4221. properties:
  4222. name:
  4223. description: name of the secret.
  4224. maxLength: 253
  4225. minLength: 1
  4226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4227. type: string
  4228. namespace:
  4229. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  4230. maxLength: 63
  4231. minLength: 1
  4232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4233. type: string
  4234. required:
  4235. - name
  4236. type: object
  4237. region:
  4238. description: region is for configuring the AWS region to be used.
  4239. example: ap-south-1
  4240. maxLength: 50
  4241. minLength: 1
  4242. pattern: ^[a-z0-9-]+$
  4243. type: string
  4244. required:
  4245. - awsCredentialsSecretRef
  4246. - region
  4247. type: object
  4248. credConfig:
  4249. description: |-
  4250. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4251. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  4252. serviceAccountRef must be used by providing operators service account details.
  4253. properties:
  4254. key:
  4255. description: key name holding the external account credential config.
  4256. maxLength: 253
  4257. minLength: 1
  4258. pattern: ^[-._a-zA-Z0-9]+$
  4259. type: string
  4260. name:
  4261. description: name of the configmap.
  4262. maxLength: 253
  4263. minLength: 1
  4264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4265. type: string
  4266. namespace:
  4267. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  4268. maxLength: 63
  4269. minLength: 1
  4270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4271. type: string
  4272. required:
  4273. - key
  4274. - name
  4275. type: object
  4276. externalTokenEndpoint:
  4277. description: |-
  4278. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4279. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  4280. URL is having the expected value.
  4281. type: string
  4282. gcpServiceAccountEmail:
  4283. description: |-
  4284. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4285. after Workload Identity Federation. Use this to grant access through the service account's
  4286. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4287. service_account_impersonation_url in the external account JSON from credConfig;
  4288. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4289. on that ServiceAccount.
  4290. example: my-gsa@my-project.iam.gserviceaccount.com
  4291. minLength: 1
  4292. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4293. type: string
  4294. serviceAccountRef:
  4295. description: |-
  4296. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4297. when Kubernetes is configured as provider in workload identity pool.
  4298. properties:
  4299. audiences:
  4300. description: |-
  4301. Audience specifies the `aud` claim for the service account token
  4302. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4303. then this audiences will be appended to the list
  4304. items:
  4305. type: string
  4306. type: array
  4307. name:
  4308. description: The name of the ServiceAccount resource being referred to.
  4309. maxLength: 253
  4310. minLength: 1
  4311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4312. type: string
  4313. namespace:
  4314. description: |-
  4315. Namespace of the resource being referred to.
  4316. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4317. maxLength: 63
  4318. minLength: 1
  4319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4320. type: string
  4321. required:
  4322. - name
  4323. type: object
  4324. type: object
  4325. type: object
  4326. location:
  4327. description: Location optionally defines a location for a secret
  4328. type: string
  4329. projectID:
  4330. description: ProjectID project where secret is located
  4331. type: string
  4332. secretVersionSelectionPolicy:
  4333. default: LatestOrFail
  4334. description: |-
  4335. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4336. when "latest" is disabled or destroyed.
  4337. Possible values are:
  4338. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4339. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4340. type: string
  4341. type: object
  4342. github:
  4343. description: |-
  4344. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4345. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4346. properties:
  4347. appID:
  4348. description: appID specifies the Github APP that will be used to authenticate the client
  4349. format: int64
  4350. type: integer
  4351. auth:
  4352. description: auth configures how secret-manager authenticates with a Github instance.
  4353. properties:
  4354. privateKey:
  4355. description: |-
  4356. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4357. In some instances, `key` is a required field.
  4358. properties:
  4359. key:
  4360. description: |-
  4361. A key in the referenced Secret.
  4362. Some instances of this field may be defaulted, in others it may be required.
  4363. maxLength: 253
  4364. minLength: 1
  4365. pattern: ^[-._a-zA-Z0-9]+$
  4366. type: string
  4367. name:
  4368. description: The name of the Secret resource being referred to.
  4369. maxLength: 253
  4370. minLength: 1
  4371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4372. type: string
  4373. namespace:
  4374. description: |-
  4375. The namespace of the Secret resource being referred to.
  4376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4377. maxLength: 63
  4378. minLength: 1
  4379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4380. type: string
  4381. type: object
  4382. required:
  4383. - privateKey
  4384. type: object
  4385. environment:
  4386. description: environment will be used to fetch secrets from a particular environment within a github repository
  4387. type: string
  4388. installationID:
  4389. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4390. format: int64
  4391. type: integer
  4392. orgSecretVisibility:
  4393. description: |-
  4394. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4395. Valid values are "all" or "private".
  4396. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4397. whatever visibility they already have in GitHub.
  4398. enum:
  4399. - all
  4400. - private
  4401. type: string
  4402. organization:
  4403. description: organization will be used to fetch secrets from the Github organization
  4404. type: string
  4405. repository:
  4406. description: repository will be used to fetch secrets from the Github repository within an organization
  4407. type: string
  4408. uploadURL:
  4409. description: Upload URL for enterprise instances. Default to URL.
  4410. type: string
  4411. url:
  4412. default: https://github.com/
  4413. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4414. type: string
  4415. required:
  4416. - appID
  4417. - auth
  4418. - installationID
  4419. - organization
  4420. type: object
  4421. gitlab:
  4422. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4423. properties:
  4424. auth:
  4425. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4426. properties:
  4427. SecretRef:
  4428. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4429. properties:
  4430. accessToken:
  4431. description: AccessToken is used for authentication.
  4432. properties:
  4433. key:
  4434. description: |-
  4435. A key in the referenced Secret.
  4436. Some instances of this field may be defaulted, in others it may be required.
  4437. maxLength: 253
  4438. minLength: 1
  4439. pattern: ^[-._a-zA-Z0-9]+$
  4440. type: string
  4441. name:
  4442. description: The name of the Secret resource being referred to.
  4443. maxLength: 253
  4444. minLength: 1
  4445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4446. type: string
  4447. namespace:
  4448. description: |-
  4449. The namespace of the Secret resource being referred to.
  4450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4451. maxLength: 63
  4452. minLength: 1
  4453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4454. type: string
  4455. type: object
  4456. type: object
  4457. required:
  4458. - SecretRef
  4459. type: object
  4460. caBundle:
  4461. description: |-
  4462. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  4463. can be performed.
  4464. format: byte
  4465. type: string
  4466. caProvider:
  4467. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4468. properties:
  4469. key:
  4470. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4471. maxLength: 253
  4472. minLength: 1
  4473. pattern: ^[-._a-zA-Z0-9]+$
  4474. type: string
  4475. name:
  4476. description: The name of the object located at the provider type.
  4477. maxLength: 253
  4478. minLength: 1
  4479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4480. type: string
  4481. namespace:
  4482. description: |-
  4483. The namespace the Provider type is in.
  4484. Can only be defined when used in a ClusterSecretStore.
  4485. maxLength: 63
  4486. minLength: 1
  4487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4488. type: string
  4489. type:
  4490. description: The type of provider to use such as "Secret", or "ConfigMap".
  4491. enum:
  4492. - Secret
  4493. - ConfigMap
  4494. type: string
  4495. required:
  4496. - name
  4497. - type
  4498. type: object
  4499. environment:
  4500. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4501. type: string
  4502. groupIDs:
  4503. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  4504. items:
  4505. type: string
  4506. type: array
  4507. inheritFromGroups:
  4508. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4509. type: boolean
  4510. projectID:
  4511. description: ProjectID specifies a project where secrets are located.
  4512. type: string
  4513. url:
  4514. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4515. type: string
  4516. required:
  4517. - auth
  4518. type: object
  4519. ibm:
  4520. description: IBM configures this store to sync secrets using IBM Cloud provider
  4521. properties:
  4522. auth:
  4523. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4524. maxProperties: 1
  4525. minProperties: 1
  4526. properties:
  4527. containerAuth:
  4528. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4529. properties:
  4530. iamEndpoint:
  4531. type: string
  4532. profile:
  4533. description: the IBM Trusted Profile
  4534. type: string
  4535. tokenLocation:
  4536. description: Location the token is mounted on the pod
  4537. type: string
  4538. required:
  4539. - profile
  4540. type: object
  4541. secretRef:
  4542. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4543. properties:
  4544. iamEndpoint:
  4545. description: The IAM endpoint used to obain a token
  4546. type: string
  4547. secretApiKeySecretRef:
  4548. description: The SecretAccessKey is used for authentication
  4549. properties:
  4550. key:
  4551. description: |-
  4552. A key in the referenced Secret.
  4553. Some instances of this field may be defaulted, in others it may be required.
  4554. maxLength: 253
  4555. minLength: 1
  4556. pattern: ^[-._a-zA-Z0-9]+$
  4557. type: string
  4558. name:
  4559. description: The name of the Secret resource being referred to.
  4560. maxLength: 253
  4561. minLength: 1
  4562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4563. type: string
  4564. namespace:
  4565. description: |-
  4566. The namespace of the Secret resource being referred to.
  4567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4568. maxLength: 63
  4569. minLength: 1
  4570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4571. type: string
  4572. type: object
  4573. type: object
  4574. type: object
  4575. serviceUrl:
  4576. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4577. type: string
  4578. required:
  4579. - auth
  4580. type: object
  4581. infisical:
  4582. description: Infisical configures this store to sync secrets using the Infisical provider
  4583. properties:
  4584. auth:
  4585. description: Auth configures how the Operator authenticates with the Infisical API
  4586. properties:
  4587. awsAuthCredentials:
  4588. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4589. properties:
  4590. identityId:
  4591. description: |-
  4592. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4593. In some instances, `key` is a required field.
  4594. properties:
  4595. key:
  4596. description: |-
  4597. A key in the referenced Secret.
  4598. Some instances of this field may be defaulted, in others it may be required.
  4599. maxLength: 253
  4600. minLength: 1
  4601. pattern: ^[-._a-zA-Z0-9]+$
  4602. type: string
  4603. name:
  4604. description: The name of the Secret resource being referred to.
  4605. maxLength: 253
  4606. minLength: 1
  4607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4608. type: string
  4609. namespace:
  4610. description: |-
  4611. The namespace of the Secret resource being referred to.
  4612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4613. maxLength: 63
  4614. minLength: 1
  4615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4616. type: string
  4617. type: object
  4618. required:
  4619. - identityId
  4620. type: object
  4621. azureAuthCredentials:
  4622. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4623. properties:
  4624. identityId:
  4625. description: |-
  4626. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4627. In some instances, `key` is a required field.
  4628. properties:
  4629. key:
  4630. description: |-
  4631. A key in the referenced Secret.
  4632. Some instances of this field may be defaulted, in others it may be required.
  4633. maxLength: 253
  4634. minLength: 1
  4635. pattern: ^[-._a-zA-Z0-9]+$
  4636. type: string
  4637. name:
  4638. description: The name of the Secret resource being referred to.
  4639. maxLength: 253
  4640. minLength: 1
  4641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4642. type: string
  4643. namespace:
  4644. description: |-
  4645. The namespace of the Secret resource being referred to.
  4646. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4647. maxLength: 63
  4648. minLength: 1
  4649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4650. type: string
  4651. type: object
  4652. resource:
  4653. description: |-
  4654. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4655. In some instances, `key` is a required field.
  4656. properties:
  4657. key:
  4658. description: |-
  4659. A key in the referenced Secret.
  4660. Some instances of this field may be defaulted, in others it may be required.
  4661. maxLength: 253
  4662. minLength: 1
  4663. pattern: ^[-._a-zA-Z0-9]+$
  4664. type: string
  4665. name:
  4666. description: The name of the Secret resource being referred to.
  4667. maxLength: 253
  4668. minLength: 1
  4669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4670. type: string
  4671. namespace:
  4672. description: |-
  4673. The namespace of the Secret resource being referred to.
  4674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4675. maxLength: 63
  4676. minLength: 1
  4677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4678. type: string
  4679. type: object
  4680. required:
  4681. - identityId
  4682. type: object
  4683. gcpIamAuthCredentials:
  4684. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4685. properties:
  4686. identityId:
  4687. description: |-
  4688. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4689. In some instances, `key` is a required field.
  4690. properties:
  4691. key:
  4692. description: |-
  4693. A key in the referenced Secret.
  4694. Some instances of this field may be defaulted, in others it may be required.
  4695. maxLength: 253
  4696. minLength: 1
  4697. pattern: ^[-._a-zA-Z0-9]+$
  4698. type: string
  4699. name:
  4700. description: The name of the Secret resource being referred to.
  4701. maxLength: 253
  4702. minLength: 1
  4703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4704. type: string
  4705. namespace:
  4706. description: |-
  4707. The namespace of the Secret resource being referred to.
  4708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4709. maxLength: 63
  4710. minLength: 1
  4711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4712. type: string
  4713. type: object
  4714. serviceAccountKeyFilePath:
  4715. description: |-
  4716. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4717. In some instances, `key` is a required field.
  4718. properties:
  4719. key:
  4720. description: |-
  4721. A key in the referenced Secret.
  4722. Some instances of this field may be defaulted, in others it may be required.
  4723. maxLength: 253
  4724. minLength: 1
  4725. pattern: ^[-._a-zA-Z0-9]+$
  4726. type: string
  4727. name:
  4728. description: The name of the Secret resource being referred to.
  4729. maxLength: 253
  4730. minLength: 1
  4731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4732. type: string
  4733. namespace:
  4734. description: |-
  4735. The namespace of the Secret resource being referred to.
  4736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4737. maxLength: 63
  4738. minLength: 1
  4739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4740. type: string
  4741. type: object
  4742. required:
  4743. - identityId
  4744. - serviceAccountKeyFilePath
  4745. type: object
  4746. gcpIdTokenAuthCredentials:
  4747. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4748. properties:
  4749. identityId:
  4750. description: |-
  4751. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4752. In some instances, `key` is a required field.
  4753. properties:
  4754. key:
  4755. description: |-
  4756. A key in the referenced Secret.
  4757. Some instances of this field may be defaulted, in others it may be required.
  4758. maxLength: 253
  4759. minLength: 1
  4760. pattern: ^[-._a-zA-Z0-9]+$
  4761. type: string
  4762. name:
  4763. description: The name of the Secret resource being referred to.
  4764. maxLength: 253
  4765. minLength: 1
  4766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4767. type: string
  4768. namespace:
  4769. description: |-
  4770. The namespace of the Secret resource being referred to.
  4771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4772. maxLength: 63
  4773. minLength: 1
  4774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4775. type: string
  4776. type: object
  4777. required:
  4778. - identityId
  4779. type: object
  4780. jwtAuthCredentials:
  4781. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4782. properties:
  4783. identityId:
  4784. description: |-
  4785. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4786. In some instances, `key` is a required field.
  4787. properties:
  4788. key:
  4789. description: |-
  4790. A key in the referenced Secret.
  4791. Some instances of this field may be defaulted, in others it may be required.
  4792. maxLength: 253
  4793. minLength: 1
  4794. pattern: ^[-._a-zA-Z0-9]+$
  4795. type: string
  4796. name:
  4797. description: The name of the Secret resource being referred to.
  4798. maxLength: 253
  4799. minLength: 1
  4800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4801. type: string
  4802. namespace:
  4803. description: |-
  4804. The namespace of the Secret resource being referred to.
  4805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4806. maxLength: 63
  4807. minLength: 1
  4808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4809. type: string
  4810. type: object
  4811. jwt:
  4812. description: |-
  4813. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4814. In some instances, `key` is a required field.
  4815. properties:
  4816. key:
  4817. description: |-
  4818. A key in the referenced Secret.
  4819. Some instances of this field may be defaulted, in others it may be required.
  4820. maxLength: 253
  4821. minLength: 1
  4822. pattern: ^[-._a-zA-Z0-9]+$
  4823. type: string
  4824. name:
  4825. description: The name of the Secret resource being referred to.
  4826. maxLength: 253
  4827. minLength: 1
  4828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4829. type: string
  4830. namespace:
  4831. description: |-
  4832. The namespace of the Secret resource being referred to.
  4833. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4834. maxLength: 63
  4835. minLength: 1
  4836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4837. type: string
  4838. type: object
  4839. required:
  4840. - identityId
  4841. - jwt
  4842. type: object
  4843. kubernetesAuthCredentials:
  4844. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  4845. properties:
  4846. identityId:
  4847. description: |-
  4848. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4849. In some instances, `key` is a required field.
  4850. properties:
  4851. key:
  4852. description: |-
  4853. A key in the referenced Secret.
  4854. Some instances of this field may be defaulted, in others it may be required.
  4855. maxLength: 253
  4856. minLength: 1
  4857. pattern: ^[-._a-zA-Z0-9]+$
  4858. type: string
  4859. name:
  4860. description: The name of the Secret resource being referred to.
  4861. maxLength: 253
  4862. minLength: 1
  4863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4864. type: string
  4865. namespace:
  4866. description: |-
  4867. The namespace of the Secret resource being referred to.
  4868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4869. maxLength: 63
  4870. minLength: 1
  4871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4872. type: string
  4873. type: object
  4874. serviceAccountTokenPath:
  4875. description: |-
  4876. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4877. In some instances, `key` is a required field.
  4878. properties:
  4879. key:
  4880. description: |-
  4881. A key in the referenced Secret.
  4882. Some instances of this field may be defaulted, in others it may be required.
  4883. maxLength: 253
  4884. minLength: 1
  4885. pattern: ^[-._a-zA-Z0-9]+$
  4886. type: string
  4887. name:
  4888. description: The name of the Secret resource being referred to.
  4889. maxLength: 253
  4890. minLength: 1
  4891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4892. type: string
  4893. namespace:
  4894. description: |-
  4895. The namespace of the Secret resource being referred to.
  4896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4897. maxLength: 63
  4898. minLength: 1
  4899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4900. type: string
  4901. type: object
  4902. required:
  4903. - identityId
  4904. type: object
  4905. ldapAuthCredentials:
  4906. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  4907. properties:
  4908. identityId:
  4909. description: |-
  4910. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4911. In some instances, `key` is a required field.
  4912. properties:
  4913. key:
  4914. description: |-
  4915. A key in the referenced Secret.
  4916. Some instances of this field may be defaulted, in others it may be required.
  4917. maxLength: 253
  4918. minLength: 1
  4919. pattern: ^[-._a-zA-Z0-9]+$
  4920. type: string
  4921. name:
  4922. description: The name of the Secret resource being referred to.
  4923. maxLength: 253
  4924. minLength: 1
  4925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4926. type: string
  4927. namespace:
  4928. description: |-
  4929. The namespace of the Secret resource being referred to.
  4930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4931. maxLength: 63
  4932. minLength: 1
  4933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4934. type: string
  4935. type: object
  4936. ldapPassword:
  4937. description: |-
  4938. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4939. In some instances, `key` is a required field.
  4940. properties:
  4941. key:
  4942. description: |-
  4943. A key in the referenced Secret.
  4944. Some instances of this field may be defaulted, in others it may be required.
  4945. maxLength: 253
  4946. minLength: 1
  4947. pattern: ^[-._a-zA-Z0-9]+$
  4948. type: string
  4949. name:
  4950. description: The name of the Secret resource being referred to.
  4951. maxLength: 253
  4952. minLength: 1
  4953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4954. type: string
  4955. namespace:
  4956. description: |-
  4957. The namespace of the Secret resource being referred to.
  4958. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4959. maxLength: 63
  4960. minLength: 1
  4961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4962. type: string
  4963. type: object
  4964. ldapUsername:
  4965. description: |-
  4966. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4967. In some instances, `key` is a required field.
  4968. properties:
  4969. key:
  4970. description: |-
  4971. A key in the referenced Secret.
  4972. Some instances of this field may be defaulted, in others it may be required.
  4973. maxLength: 253
  4974. minLength: 1
  4975. pattern: ^[-._a-zA-Z0-9]+$
  4976. type: string
  4977. name:
  4978. description: The name of the Secret resource being referred to.
  4979. maxLength: 253
  4980. minLength: 1
  4981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4982. type: string
  4983. namespace:
  4984. description: |-
  4985. The namespace of the Secret resource being referred to.
  4986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4987. maxLength: 63
  4988. minLength: 1
  4989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4990. type: string
  4991. type: object
  4992. required:
  4993. - identityId
  4994. - ldapPassword
  4995. - ldapUsername
  4996. type: object
  4997. ociAuthCredentials:
  4998. description: OciAuthCredentials represents the credentials for OCI authentication.
  4999. properties:
  5000. fingerprint:
  5001. description: |-
  5002. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5003. In some instances, `key` is a required field.
  5004. properties:
  5005. key:
  5006. description: |-
  5007. A key in the referenced Secret.
  5008. Some instances of this field may be defaulted, in others it may be required.
  5009. maxLength: 253
  5010. minLength: 1
  5011. pattern: ^[-._a-zA-Z0-9]+$
  5012. type: string
  5013. name:
  5014. description: The name of the Secret resource being referred to.
  5015. maxLength: 253
  5016. minLength: 1
  5017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5018. type: string
  5019. namespace:
  5020. description: |-
  5021. The namespace of the Secret resource being referred to.
  5022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5023. maxLength: 63
  5024. minLength: 1
  5025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5026. type: string
  5027. type: object
  5028. identityId:
  5029. description: |-
  5030. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5031. In some instances, `key` is a required field.
  5032. properties:
  5033. key:
  5034. description: |-
  5035. A key in the referenced Secret.
  5036. Some instances of this field may be defaulted, in others it may be required.
  5037. maxLength: 253
  5038. minLength: 1
  5039. pattern: ^[-._a-zA-Z0-9]+$
  5040. type: string
  5041. name:
  5042. description: The name of the Secret resource being referred to.
  5043. maxLength: 253
  5044. minLength: 1
  5045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5046. type: string
  5047. namespace:
  5048. description: |-
  5049. The namespace of the Secret resource being referred to.
  5050. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5051. maxLength: 63
  5052. minLength: 1
  5053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5054. type: string
  5055. type: object
  5056. privateKey:
  5057. description: |-
  5058. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5059. In some instances, `key` is a required field.
  5060. properties:
  5061. key:
  5062. description: |-
  5063. A key in the referenced Secret.
  5064. Some instances of this field may be defaulted, in others it may be required.
  5065. maxLength: 253
  5066. minLength: 1
  5067. pattern: ^[-._a-zA-Z0-9]+$
  5068. type: string
  5069. name:
  5070. description: The name of the Secret resource being referred to.
  5071. maxLength: 253
  5072. minLength: 1
  5073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5074. type: string
  5075. namespace:
  5076. description: |-
  5077. The namespace of the Secret resource being referred to.
  5078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5079. maxLength: 63
  5080. minLength: 1
  5081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5082. type: string
  5083. type: object
  5084. privateKeyPassphrase:
  5085. description: |-
  5086. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5087. In some instances, `key` is a required field.
  5088. properties:
  5089. key:
  5090. description: |-
  5091. A key in the referenced Secret.
  5092. Some instances of this field may be defaulted, in others it may be required.
  5093. maxLength: 253
  5094. minLength: 1
  5095. pattern: ^[-._a-zA-Z0-9]+$
  5096. type: string
  5097. name:
  5098. description: The name of the Secret resource being referred to.
  5099. maxLength: 253
  5100. minLength: 1
  5101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5102. type: string
  5103. namespace:
  5104. description: |-
  5105. The namespace of the Secret resource being referred to.
  5106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5107. maxLength: 63
  5108. minLength: 1
  5109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5110. type: string
  5111. type: object
  5112. region:
  5113. description: |-
  5114. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5115. In some instances, `key` is a required field.
  5116. properties:
  5117. key:
  5118. description: |-
  5119. A key in the referenced Secret.
  5120. Some instances of this field may be defaulted, in others it may be required.
  5121. maxLength: 253
  5122. minLength: 1
  5123. pattern: ^[-._a-zA-Z0-9]+$
  5124. type: string
  5125. name:
  5126. description: The name of the Secret resource being referred to.
  5127. maxLength: 253
  5128. minLength: 1
  5129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5130. type: string
  5131. namespace:
  5132. description: |-
  5133. The namespace of the Secret resource being referred to.
  5134. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5135. maxLength: 63
  5136. minLength: 1
  5137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5138. type: string
  5139. type: object
  5140. tenancyId:
  5141. description: |-
  5142. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5143. In some instances, `key` is a required field.
  5144. properties:
  5145. key:
  5146. description: |-
  5147. A key in the referenced Secret.
  5148. Some instances of this field may be defaulted, in others it may be required.
  5149. maxLength: 253
  5150. minLength: 1
  5151. pattern: ^[-._a-zA-Z0-9]+$
  5152. type: string
  5153. name:
  5154. description: The name of the Secret resource being referred to.
  5155. maxLength: 253
  5156. minLength: 1
  5157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5158. type: string
  5159. namespace:
  5160. description: |-
  5161. The namespace of the Secret resource being referred to.
  5162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5163. maxLength: 63
  5164. minLength: 1
  5165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5166. type: string
  5167. type: object
  5168. userId:
  5169. description: |-
  5170. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5171. In some instances, `key` is a required field.
  5172. properties:
  5173. key:
  5174. description: |-
  5175. A key in the referenced Secret.
  5176. Some instances of this field may be defaulted, in others it may be required.
  5177. maxLength: 253
  5178. minLength: 1
  5179. pattern: ^[-._a-zA-Z0-9]+$
  5180. type: string
  5181. name:
  5182. description: The name of the Secret resource being referred to.
  5183. maxLength: 253
  5184. minLength: 1
  5185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5186. type: string
  5187. namespace:
  5188. description: |-
  5189. The namespace of the Secret resource being referred to.
  5190. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5191. maxLength: 63
  5192. minLength: 1
  5193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5194. type: string
  5195. type: object
  5196. required:
  5197. - fingerprint
  5198. - identityId
  5199. - privateKey
  5200. - region
  5201. - tenancyId
  5202. - userId
  5203. type: object
  5204. tokenAuthCredentials:
  5205. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5206. properties:
  5207. accessToken:
  5208. description: |-
  5209. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5210. In some instances, `key` is a required field.
  5211. properties:
  5212. key:
  5213. description: |-
  5214. A key in the referenced Secret.
  5215. Some instances of this field may be defaulted, in others it may be required.
  5216. maxLength: 253
  5217. minLength: 1
  5218. pattern: ^[-._a-zA-Z0-9]+$
  5219. type: string
  5220. name:
  5221. description: The name of the Secret resource being referred to.
  5222. maxLength: 253
  5223. minLength: 1
  5224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5225. type: string
  5226. namespace:
  5227. description: |-
  5228. The namespace of the Secret resource being referred to.
  5229. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5230. maxLength: 63
  5231. minLength: 1
  5232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5233. type: string
  5234. type: object
  5235. required:
  5236. - accessToken
  5237. type: object
  5238. universalAuthCredentials:
  5239. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5240. properties:
  5241. clientId:
  5242. description: |-
  5243. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5244. In some instances, `key` is a required field.
  5245. properties:
  5246. key:
  5247. description: |-
  5248. A key in the referenced Secret.
  5249. Some instances of this field may be defaulted, in others it may be required.
  5250. maxLength: 253
  5251. minLength: 1
  5252. pattern: ^[-._a-zA-Z0-9]+$
  5253. type: string
  5254. name:
  5255. description: The name of the Secret resource being referred to.
  5256. maxLength: 253
  5257. minLength: 1
  5258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5259. type: string
  5260. namespace:
  5261. description: |-
  5262. The namespace of the Secret resource being referred to.
  5263. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5264. maxLength: 63
  5265. minLength: 1
  5266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5267. type: string
  5268. type: object
  5269. clientSecret:
  5270. description: |-
  5271. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5272. In some instances, `key` is a required field.
  5273. properties:
  5274. key:
  5275. description: |-
  5276. A key in the referenced Secret.
  5277. Some instances of this field may be defaulted, in others it may be required.
  5278. maxLength: 253
  5279. minLength: 1
  5280. pattern: ^[-._a-zA-Z0-9]+$
  5281. type: string
  5282. name:
  5283. description: The name of the Secret resource being referred to.
  5284. maxLength: 253
  5285. minLength: 1
  5286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5287. type: string
  5288. namespace:
  5289. description: |-
  5290. The namespace of the Secret resource being referred to.
  5291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5292. maxLength: 63
  5293. minLength: 1
  5294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5295. type: string
  5296. type: object
  5297. required:
  5298. - clientId
  5299. - clientSecret
  5300. type: object
  5301. type: object
  5302. caBundle:
  5303. description: |-
  5304. CABundle is a PEM-encoded CA certificate bundle used to validate
  5305. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5306. format: byte
  5307. type: string
  5308. caProvider:
  5309. description: |-
  5310. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5311. The certificate is used to validate the Infisical server's TLS certificate.
  5312. Mutually exclusive with CABundle.
  5313. properties:
  5314. key:
  5315. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5316. maxLength: 253
  5317. minLength: 1
  5318. pattern: ^[-._a-zA-Z0-9]+$
  5319. type: string
  5320. name:
  5321. description: The name of the object located at the provider type.
  5322. maxLength: 253
  5323. minLength: 1
  5324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5325. type: string
  5326. namespace:
  5327. description: |-
  5328. The namespace the Provider type is in.
  5329. Can only be defined when used in a ClusterSecretStore.
  5330. maxLength: 63
  5331. minLength: 1
  5332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5333. type: string
  5334. type:
  5335. description: The type of provider to use such as "Secret", or "ConfigMap".
  5336. enum:
  5337. - Secret
  5338. - ConfigMap
  5339. type: string
  5340. required:
  5341. - name
  5342. - type
  5343. type: object
  5344. hostAPI:
  5345. default: https://app.infisical.com/api
  5346. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5347. type: string
  5348. secretsScope:
  5349. description: SecretsScope defines the scope of the secrets within the workspace
  5350. properties:
  5351. environmentSlug:
  5352. description: EnvironmentSlug is the required slug identifier for the environment.
  5353. type: string
  5354. expandSecretReferences:
  5355. default: true
  5356. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5357. type: boolean
  5358. projectSlug:
  5359. description: ProjectSlug is the required slug identifier for the project.
  5360. type: string
  5361. recursive:
  5362. default: false
  5363. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5364. type: boolean
  5365. secretsPath:
  5366. default: /
  5367. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5368. type: string
  5369. required:
  5370. - environmentSlug
  5371. - projectSlug
  5372. type: object
  5373. required:
  5374. - auth
  5375. - secretsScope
  5376. type: object
  5377. keepersecurity:
  5378. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5379. properties:
  5380. authRef:
  5381. description: |-
  5382. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5383. In some instances, `key` is a required field.
  5384. properties:
  5385. key:
  5386. description: |-
  5387. A key in the referenced Secret.
  5388. Some instances of this field may be defaulted, in others it may be required.
  5389. maxLength: 253
  5390. minLength: 1
  5391. pattern: ^[-._a-zA-Z0-9]+$
  5392. type: string
  5393. name:
  5394. description: The name of the Secret resource being referred to.
  5395. maxLength: 253
  5396. minLength: 1
  5397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5398. type: string
  5399. namespace:
  5400. description: |-
  5401. The namespace of the Secret resource being referred to.
  5402. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5403. maxLength: 63
  5404. minLength: 1
  5405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5406. type: string
  5407. type: object
  5408. folderID:
  5409. type: string
  5410. getByTitleFallback:
  5411. type: boolean
  5412. required:
  5413. - authRef
  5414. - folderID
  5415. type: object
  5416. kubernetes:
  5417. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5418. properties:
  5419. auth:
  5420. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5421. maxProperties: 1
  5422. minProperties: 1
  5423. properties:
  5424. cert:
  5425. description: has both clientCert and clientKey as secretKeySelector
  5426. properties:
  5427. clientCert:
  5428. description: |-
  5429. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5430. In some instances, `key` is a required field.
  5431. properties:
  5432. key:
  5433. description: |-
  5434. A key in the referenced Secret.
  5435. Some instances of this field may be defaulted, in others it may be required.
  5436. maxLength: 253
  5437. minLength: 1
  5438. pattern: ^[-._a-zA-Z0-9]+$
  5439. type: string
  5440. name:
  5441. description: The name of the Secret resource being referred to.
  5442. maxLength: 253
  5443. minLength: 1
  5444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5445. type: string
  5446. namespace:
  5447. description: |-
  5448. The namespace of the Secret resource being referred to.
  5449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5450. maxLength: 63
  5451. minLength: 1
  5452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5453. type: string
  5454. type: object
  5455. clientKey:
  5456. description: |-
  5457. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5458. In some instances, `key` is a required field.
  5459. properties:
  5460. key:
  5461. description: |-
  5462. A key in the referenced Secret.
  5463. Some instances of this field may be defaulted, in others it may be required.
  5464. maxLength: 253
  5465. minLength: 1
  5466. pattern: ^[-._a-zA-Z0-9]+$
  5467. type: string
  5468. name:
  5469. description: The name of the Secret resource being referred to.
  5470. maxLength: 253
  5471. minLength: 1
  5472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5473. type: string
  5474. namespace:
  5475. description: |-
  5476. The namespace of the Secret resource being referred to.
  5477. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5478. maxLength: 63
  5479. minLength: 1
  5480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5481. type: string
  5482. type: object
  5483. type: object
  5484. serviceAccount:
  5485. description: points to a service account that should be used for authentication
  5486. properties:
  5487. audiences:
  5488. description: |-
  5489. Audience specifies the `aud` claim for the service account token
  5490. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5491. then this audiences will be appended to the list
  5492. items:
  5493. type: string
  5494. type: array
  5495. name:
  5496. description: The name of the ServiceAccount resource being referred to.
  5497. maxLength: 253
  5498. minLength: 1
  5499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5500. type: string
  5501. namespace:
  5502. description: |-
  5503. Namespace of the resource being referred to.
  5504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5505. maxLength: 63
  5506. minLength: 1
  5507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5508. type: string
  5509. required:
  5510. - name
  5511. type: object
  5512. token:
  5513. description: use static token to authenticate with
  5514. properties:
  5515. bearerToken:
  5516. description: |-
  5517. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5518. In some instances, `key` is a required field.
  5519. properties:
  5520. key:
  5521. description: |-
  5522. A key in the referenced Secret.
  5523. Some instances of this field may be defaulted, in others it may be required.
  5524. maxLength: 253
  5525. minLength: 1
  5526. pattern: ^[-._a-zA-Z0-9]+$
  5527. type: string
  5528. name:
  5529. description: The name of the Secret resource being referred to.
  5530. maxLength: 253
  5531. minLength: 1
  5532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5533. type: string
  5534. namespace:
  5535. description: |-
  5536. The namespace of the Secret resource being referred to.
  5537. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5538. maxLength: 63
  5539. minLength: 1
  5540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5541. type: string
  5542. type: object
  5543. type: object
  5544. type: object
  5545. authRef:
  5546. description: A reference to a secret that contains the auth information.
  5547. properties:
  5548. key:
  5549. description: |-
  5550. A key in the referenced Secret.
  5551. Some instances of this field may be defaulted, in others it may be required.
  5552. maxLength: 253
  5553. minLength: 1
  5554. pattern: ^[-._a-zA-Z0-9]+$
  5555. type: string
  5556. name:
  5557. description: The name of the Secret resource being referred to.
  5558. maxLength: 253
  5559. minLength: 1
  5560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5561. type: string
  5562. namespace:
  5563. description: |-
  5564. The namespace of the Secret resource being referred to.
  5565. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5566. maxLength: 63
  5567. minLength: 1
  5568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5569. type: string
  5570. type: object
  5571. remoteNamespace:
  5572. default: default
  5573. description: Remote namespace to fetch the secrets from
  5574. maxLength: 63
  5575. minLength: 1
  5576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5577. type: string
  5578. server:
  5579. description: configures the Kubernetes server Address.
  5580. properties:
  5581. caBundle:
  5582. description: CABundle is a base64-encoded CA certificate
  5583. format: byte
  5584. type: string
  5585. caProvider:
  5586. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5587. properties:
  5588. key:
  5589. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5590. maxLength: 253
  5591. minLength: 1
  5592. pattern: ^[-._a-zA-Z0-9]+$
  5593. type: string
  5594. name:
  5595. description: The name of the object located at the provider type.
  5596. maxLength: 253
  5597. minLength: 1
  5598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5599. type: string
  5600. namespace:
  5601. description: |-
  5602. The namespace the Provider type is in.
  5603. Can only be defined when used in a ClusterSecretStore.
  5604. maxLength: 63
  5605. minLength: 1
  5606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5607. type: string
  5608. type:
  5609. description: The type of provider to use such as "Secret", or "ConfigMap".
  5610. enum:
  5611. - Secret
  5612. - ConfigMap
  5613. type: string
  5614. required:
  5615. - name
  5616. - type
  5617. type: object
  5618. url:
  5619. default: kubernetes.default
  5620. description: configures the Kubernetes server Address.
  5621. type: string
  5622. type: object
  5623. type: object
  5624. nebiusmysterybox:
  5625. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5626. properties:
  5627. apiDomain:
  5628. description: NebiusMysterybox API endpoint
  5629. type: string
  5630. auth:
  5631. description: Auth defines parameters to authenticate in MysteryBox
  5632. properties:
  5633. serviceAccountCredsSecretRef:
  5634. description: |-
  5635. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5636. document with service account credentials used to get an IAM token.
  5637. Expected JSON structure:
  5638. {
  5639. "subject-credentials": {
  5640. "alg": "RS256",
  5641. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5642. "kid": "<public-key-id>",
  5643. "iss": "<issuer-service-account-id>",
  5644. "sub": "<subject-service-account-id>"
  5645. }
  5646. }
  5647. properties:
  5648. key:
  5649. description: |-
  5650. A key in the referenced Secret.
  5651. Some instances of this field may be defaulted, in others it may be required.
  5652. maxLength: 253
  5653. minLength: 1
  5654. pattern: ^[-._a-zA-Z0-9]+$
  5655. type: string
  5656. name:
  5657. description: The name of the Secret resource being referred to.
  5658. maxLength: 253
  5659. minLength: 1
  5660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5661. type: string
  5662. namespace:
  5663. description: |-
  5664. The namespace of the Secret resource being referred to.
  5665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5666. maxLength: 63
  5667. minLength: 1
  5668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5669. type: string
  5670. type: object
  5671. tokenSecretRef:
  5672. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5673. properties:
  5674. key:
  5675. description: |-
  5676. A key in the referenced Secret.
  5677. Some instances of this field may be defaulted, in others it may be required.
  5678. maxLength: 253
  5679. minLength: 1
  5680. pattern: ^[-._a-zA-Z0-9]+$
  5681. type: string
  5682. name:
  5683. description: The name of the Secret resource being referred to.
  5684. maxLength: 253
  5685. minLength: 1
  5686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5687. type: string
  5688. namespace:
  5689. description: |-
  5690. The namespace of the Secret resource being referred to.
  5691. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5692. maxLength: 63
  5693. minLength: 1
  5694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5695. type: string
  5696. type: object
  5697. type: object
  5698. x-kubernetes-validations:
  5699. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5700. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5701. caProvider:
  5702. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5703. properties:
  5704. certSecretRef:
  5705. description: |-
  5706. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5707. In some instances, `key` is a required field.
  5708. properties:
  5709. key:
  5710. description: |-
  5711. A key in the referenced Secret.
  5712. Some instances of this field may be defaulted, in others it may be required.
  5713. maxLength: 253
  5714. minLength: 1
  5715. pattern: ^[-._a-zA-Z0-9]+$
  5716. type: string
  5717. name:
  5718. description: The name of the Secret resource being referred to.
  5719. maxLength: 253
  5720. minLength: 1
  5721. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5722. type: string
  5723. namespace:
  5724. description: |-
  5725. The namespace of the Secret resource being referred to.
  5726. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5727. maxLength: 63
  5728. minLength: 1
  5729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5730. type: string
  5731. type: object
  5732. type: object
  5733. required:
  5734. - apiDomain
  5735. - auth
  5736. type: object
  5737. ngrok:
  5738. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5739. properties:
  5740. apiUrl:
  5741. default: https://api.ngrok.com
  5742. description: APIURL is the URL of the ngrok API.
  5743. type: string
  5744. auth:
  5745. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5746. maxProperties: 1
  5747. minProperties: 1
  5748. properties:
  5749. apiKey:
  5750. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5751. properties:
  5752. secretRef:
  5753. description: SecretRef is a reference to a secret containing the ngrok API key.
  5754. properties:
  5755. key:
  5756. description: |-
  5757. A key in the referenced Secret.
  5758. Some instances of this field may be defaulted, in others it may be required.
  5759. maxLength: 253
  5760. minLength: 1
  5761. pattern: ^[-._a-zA-Z0-9]+$
  5762. type: string
  5763. name:
  5764. description: The name of the Secret resource being referred to.
  5765. maxLength: 253
  5766. minLength: 1
  5767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5768. type: string
  5769. namespace:
  5770. description: |-
  5771. The namespace of the Secret resource being referred to.
  5772. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5773. maxLength: 63
  5774. minLength: 1
  5775. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5776. type: string
  5777. type: object
  5778. type: object
  5779. type: object
  5780. vault:
  5781. description: Vault configures the ngrok vault to sync secrets with.
  5782. properties:
  5783. name:
  5784. description: Name is the name of the ngrok vault to sync secrets with.
  5785. type: string
  5786. required:
  5787. - name
  5788. type: object
  5789. required:
  5790. - auth
  5791. - vault
  5792. type: object
  5793. onboardbase:
  5794. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5795. properties:
  5796. apiHost:
  5797. default: https://public.onboardbase.com/api/v1/
  5798. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  5799. type: string
  5800. auth:
  5801. description: Auth configures how the Operator authenticates with the Onboardbase API
  5802. properties:
  5803. apiKeyRef:
  5804. description: |-
  5805. OnboardbaseAPIKey is the APIKey generated by an admin account.
  5806. It is used to recognize and authorize access to a project and environment within onboardbase
  5807. properties:
  5808. key:
  5809. description: |-
  5810. A key in the referenced Secret.
  5811. Some instances of this field may be defaulted, in others it may be required.
  5812. maxLength: 253
  5813. minLength: 1
  5814. pattern: ^[-._a-zA-Z0-9]+$
  5815. type: string
  5816. name:
  5817. description: The name of the Secret resource being referred to.
  5818. maxLength: 253
  5819. minLength: 1
  5820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5821. type: string
  5822. namespace:
  5823. description: |-
  5824. The namespace of the Secret resource being referred to.
  5825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5826. maxLength: 63
  5827. minLength: 1
  5828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5829. type: string
  5830. type: object
  5831. passcodeRef:
  5832. description: OnboardbasePasscode is the passcode attached to the API Key
  5833. properties:
  5834. key:
  5835. description: |-
  5836. A key in the referenced Secret.
  5837. Some instances of this field may be defaulted, in others it may be required.
  5838. maxLength: 253
  5839. minLength: 1
  5840. pattern: ^[-._a-zA-Z0-9]+$
  5841. type: string
  5842. name:
  5843. description: The name of the Secret resource being referred to.
  5844. maxLength: 253
  5845. minLength: 1
  5846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5847. type: string
  5848. namespace:
  5849. description: |-
  5850. The namespace of the Secret resource being referred to.
  5851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5852. maxLength: 63
  5853. minLength: 1
  5854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5855. type: string
  5856. type: object
  5857. required:
  5858. - apiKeyRef
  5859. - passcodeRef
  5860. type: object
  5861. environment:
  5862. default: development
  5863. description: Environment is the name of an environmnent within a project to pull the secrets from
  5864. type: string
  5865. project:
  5866. default: development
  5867. description: Project is an onboardbase project that the secrets should be pulled from
  5868. type: string
  5869. required:
  5870. - apiHost
  5871. - auth
  5872. - environment
  5873. - project
  5874. type: object
  5875. onepassword:
  5876. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  5877. properties:
  5878. auth:
  5879. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  5880. properties:
  5881. secretRef:
  5882. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  5883. properties:
  5884. connectTokenSecretRef:
  5885. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  5886. properties:
  5887. key:
  5888. description: |-
  5889. A key in the referenced Secret.
  5890. Some instances of this field may be defaulted, in others it may be required.
  5891. maxLength: 253
  5892. minLength: 1
  5893. pattern: ^[-._a-zA-Z0-9]+$
  5894. type: string
  5895. name:
  5896. description: The name of the Secret resource being referred to.
  5897. maxLength: 253
  5898. minLength: 1
  5899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5900. type: string
  5901. namespace:
  5902. description: |-
  5903. The namespace of the Secret resource being referred to.
  5904. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5905. maxLength: 63
  5906. minLength: 1
  5907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5908. type: string
  5909. type: object
  5910. required:
  5911. - connectTokenSecretRef
  5912. type: object
  5913. required:
  5914. - secretRef
  5915. type: object
  5916. connectHost:
  5917. description: ConnectHost defines the OnePassword Connect Server to connect to
  5918. type: string
  5919. vaults:
  5920. additionalProperties:
  5921. type: integer
  5922. description: Vaults defines which OnePassword vaults to search in which order
  5923. type: object
  5924. required:
  5925. - auth
  5926. - connectHost
  5927. - vaults
  5928. type: object
  5929. onepasswordSDK:
  5930. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  5931. properties:
  5932. auth:
  5933. description: Auth defines the information necessary to authenticate against OnePassword API.
  5934. properties:
  5935. serviceAccountSecretRef:
  5936. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  5937. properties:
  5938. key:
  5939. description: |-
  5940. A key in the referenced Secret.
  5941. Some instances of this field may be defaulted, in others it may be required.
  5942. maxLength: 253
  5943. minLength: 1
  5944. pattern: ^[-._a-zA-Z0-9]+$
  5945. type: string
  5946. name:
  5947. description: The name of the Secret resource being referred to.
  5948. maxLength: 253
  5949. minLength: 1
  5950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5951. type: string
  5952. namespace:
  5953. description: |-
  5954. The namespace of the Secret resource being referred to.
  5955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5956. maxLength: 63
  5957. minLength: 1
  5958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5959. type: string
  5960. type: object
  5961. required:
  5962. - serviceAccountSecretRef
  5963. type: object
  5964. cache:
  5965. description: |-
  5966. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  5967. When enabled, secrets are cached with the specified TTL.
  5968. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  5969. If omitted, caching is disabled (default).
  5970. cache: {} is a valid option to set.
  5971. properties:
  5972. maxSize:
  5973. default: 100
  5974. description: |-
  5975. MaxSize is the maximum number of secrets to cache.
  5976. When the cache is full, least-recently-used entries are evicted.
  5977. minimum: 1
  5978. type: integer
  5979. ttl:
  5980. default: 5m
  5981. description: |-
  5982. TTL is the time-to-live for cached secrets.
  5983. Format: duration string (e.g., "5m", "1h", "30s")
  5984. type: string
  5985. type: object
  5986. integrationInfo:
  5987. description: |-
  5988. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  5989. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  5990. properties:
  5991. name:
  5992. default: 1Password SDK
  5993. description: Name defaults to "1Password SDK".
  5994. type: string
  5995. version:
  5996. default: v1.0.0
  5997. description: Version defaults to "v1.0.0".
  5998. type: string
  5999. type: object
  6000. vault:
  6001. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6002. type: string
  6003. required:
  6004. - auth
  6005. - vault
  6006. type: object
  6007. oracle:
  6008. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6009. properties:
  6010. auth:
  6011. description: |-
  6012. Auth configures how secret-manager authenticates with the Oracle Vault.
  6013. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6014. properties:
  6015. secretRef:
  6016. description: SecretRef to pass through sensitive information.
  6017. properties:
  6018. fingerprint:
  6019. description: Fingerprint is the fingerprint of the API private key.
  6020. properties:
  6021. key:
  6022. description: |-
  6023. A key in the referenced Secret.
  6024. Some instances of this field may be defaulted, in others it may be required.
  6025. maxLength: 253
  6026. minLength: 1
  6027. pattern: ^[-._a-zA-Z0-9]+$
  6028. type: string
  6029. name:
  6030. description: The name of the Secret resource being referred to.
  6031. maxLength: 253
  6032. minLength: 1
  6033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6034. type: string
  6035. namespace:
  6036. description: |-
  6037. The namespace of the Secret resource being referred to.
  6038. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6039. maxLength: 63
  6040. minLength: 1
  6041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6042. type: string
  6043. type: object
  6044. privatekey:
  6045. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6046. properties:
  6047. key:
  6048. description: |-
  6049. A key in the referenced Secret.
  6050. Some instances of this field may be defaulted, in others it may be required.
  6051. maxLength: 253
  6052. minLength: 1
  6053. pattern: ^[-._a-zA-Z0-9]+$
  6054. type: string
  6055. name:
  6056. description: The name of the Secret resource being referred to.
  6057. maxLength: 253
  6058. minLength: 1
  6059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6060. type: string
  6061. namespace:
  6062. description: |-
  6063. The namespace of the Secret resource being referred to.
  6064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6065. maxLength: 63
  6066. minLength: 1
  6067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6068. type: string
  6069. type: object
  6070. required:
  6071. - fingerprint
  6072. - privatekey
  6073. type: object
  6074. tenancy:
  6075. description: Tenancy is the tenancy OCID where user is located.
  6076. type: string
  6077. user:
  6078. description: User is an access OCID specific to the account.
  6079. type: string
  6080. required:
  6081. - secretRef
  6082. - tenancy
  6083. - user
  6084. type: object
  6085. compartment:
  6086. description: |-
  6087. Compartment is the vault compartment OCID.
  6088. Required for PushSecret
  6089. type: string
  6090. encryptionKey:
  6091. description: |-
  6092. EncryptionKey is the OCID of the encryption key within the vault.
  6093. Required for PushSecret
  6094. type: string
  6095. principalType:
  6096. description: |-
  6097. The type of principal to use for authentication. If left blank, the Auth struct will
  6098. determine the principal type. This optional field must be specified if using
  6099. workload identity.
  6100. enum:
  6101. - ""
  6102. - UserPrincipal
  6103. - InstancePrincipal
  6104. - Workload
  6105. type: string
  6106. region:
  6107. description: Region is the region where vault is located.
  6108. type: string
  6109. serviceAccountRef:
  6110. description: |-
  6111. ServiceAccountRef specified the service account
  6112. that should be used when authenticating with WorkloadIdentity.
  6113. properties:
  6114. audiences:
  6115. description: |-
  6116. Audience specifies the `aud` claim for the service account token
  6117. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6118. then this audiences will be appended to the list
  6119. items:
  6120. type: string
  6121. type: array
  6122. name:
  6123. description: The name of the ServiceAccount resource being referred to.
  6124. maxLength: 253
  6125. minLength: 1
  6126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6127. type: string
  6128. namespace:
  6129. description: |-
  6130. Namespace of the resource being referred to.
  6131. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6132. maxLength: 63
  6133. minLength: 1
  6134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6135. type: string
  6136. required:
  6137. - name
  6138. type: object
  6139. vault:
  6140. description: Vault is the vault's OCID of the specific vault where secret is located.
  6141. type: string
  6142. required:
  6143. - region
  6144. - vault
  6145. type: object
  6146. ovh:
  6147. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6148. properties:
  6149. auth:
  6150. description: Authentication method (mtls or token).
  6151. properties:
  6152. mtls:
  6153. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6154. properties:
  6155. caBundle:
  6156. format: byte
  6157. type: string
  6158. caProvider:
  6159. description: |-
  6160. CAProvider provides a custom certificate authority for accessing the provider's store.
  6161. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6162. properties:
  6163. key:
  6164. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6165. maxLength: 253
  6166. minLength: 1
  6167. pattern: ^[-._a-zA-Z0-9]+$
  6168. type: string
  6169. name:
  6170. description: The name of the object located at the provider type.
  6171. maxLength: 253
  6172. minLength: 1
  6173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6174. type: string
  6175. namespace:
  6176. description: |-
  6177. The namespace the Provider type is in.
  6178. Can only be defined when used in a ClusterSecretStore.
  6179. maxLength: 63
  6180. minLength: 1
  6181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6182. type: string
  6183. type:
  6184. description: The type of provider to use such as "Secret", or "ConfigMap".
  6185. enum:
  6186. - Secret
  6187. - ConfigMap
  6188. type: string
  6189. required:
  6190. - name
  6191. - type
  6192. type: object
  6193. certSecretRef:
  6194. description: |-
  6195. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6196. In some instances, `key` is a required field.
  6197. properties:
  6198. key:
  6199. description: |-
  6200. A key in the referenced Secret.
  6201. Some instances of this field may be defaulted, in others it may be required.
  6202. maxLength: 253
  6203. minLength: 1
  6204. pattern: ^[-._a-zA-Z0-9]+$
  6205. type: string
  6206. name:
  6207. description: The name of the Secret resource being referred to.
  6208. maxLength: 253
  6209. minLength: 1
  6210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6211. type: string
  6212. namespace:
  6213. description: |-
  6214. The namespace of the Secret resource being referred to.
  6215. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6216. maxLength: 63
  6217. minLength: 1
  6218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6219. type: string
  6220. type: object
  6221. keySecretRef:
  6222. description: |-
  6223. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6224. In some instances, `key` is a required field.
  6225. properties:
  6226. key:
  6227. description: |-
  6228. A key in the referenced Secret.
  6229. Some instances of this field may be defaulted, in others it may be required.
  6230. maxLength: 253
  6231. minLength: 1
  6232. pattern: ^[-._a-zA-Z0-9]+$
  6233. type: string
  6234. name:
  6235. description: The name of the Secret resource being referred to.
  6236. maxLength: 253
  6237. minLength: 1
  6238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6239. type: string
  6240. namespace:
  6241. description: |-
  6242. The namespace of the Secret resource being referred to.
  6243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6244. maxLength: 63
  6245. minLength: 1
  6246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6247. type: string
  6248. type: object
  6249. required:
  6250. - certSecretRef
  6251. - keySecretRef
  6252. type: object
  6253. token:
  6254. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6255. properties:
  6256. tokenSecretRef:
  6257. description: |-
  6258. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6259. In some instances, `key` is a required field.
  6260. properties:
  6261. key:
  6262. description: |-
  6263. A key in the referenced Secret.
  6264. Some instances of this field may be defaulted, in others it may be required.
  6265. maxLength: 253
  6266. minLength: 1
  6267. pattern: ^[-._a-zA-Z0-9]+$
  6268. type: string
  6269. name:
  6270. description: The name of the Secret resource being referred to.
  6271. maxLength: 253
  6272. minLength: 1
  6273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6274. type: string
  6275. namespace:
  6276. description: |-
  6277. The namespace of the Secret resource being referred to.
  6278. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6279. maxLength: 63
  6280. minLength: 1
  6281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6282. type: string
  6283. type: object
  6284. required:
  6285. - tokenSecretRef
  6286. type: object
  6287. type: object
  6288. casRequired:
  6289. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6290. type: boolean
  6291. okmsTimeout:
  6292. default: 30
  6293. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  6294. format: int32
  6295. minimum: 1
  6296. type: integer
  6297. okmsid:
  6298. description: specifies the OKMS ID.
  6299. type: string
  6300. server:
  6301. description: specifies the OKMS server endpoint.
  6302. type: string
  6303. required:
  6304. - auth
  6305. - okmsid
  6306. - server
  6307. type: object
  6308. passbolt:
  6309. description: |-
  6310. PassboltProvider provides access to Passbolt secrets manager.
  6311. See: https://www.passbolt.com.
  6312. properties:
  6313. auth:
  6314. description: Auth defines the information necessary to authenticate against Passbolt Server
  6315. properties:
  6316. passwordSecretRef:
  6317. description: |-
  6318. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6319. In some instances, `key` is a required field.
  6320. properties:
  6321. key:
  6322. description: |-
  6323. A key in the referenced Secret.
  6324. Some instances of this field may be defaulted, in others it may be required.
  6325. maxLength: 253
  6326. minLength: 1
  6327. pattern: ^[-._a-zA-Z0-9]+$
  6328. type: string
  6329. name:
  6330. description: The name of the Secret resource being referred to.
  6331. maxLength: 253
  6332. minLength: 1
  6333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6334. type: string
  6335. namespace:
  6336. description: |-
  6337. The namespace of the Secret resource being referred to.
  6338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6339. maxLength: 63
  6340. minLength: 1
  6341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6342. type: string
  6343. type: object
  6344. privateKeySecretRef:
  6345. description: |-
  6346. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6347. In some instances, `key` is a required field.
  6348. properties:
  6349. key:
  6350. description: |-
  6351. A key in the referenced Secret.
  6352. Some instances of this field may be defaulted, in others it may be required.
  6353. maxLength: 253
  6354. minLength: 1
  6355. pattern: ^[-._a-zA-Z0-9]+$
  6356. type: string
  6357. name:
  6358. description: The name of the Secret resource being referred to.
  6359. maxLength: 253
  6360. minLength: 1
  6361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6362. type: string
  6363. namespace:
  6364. description: |-
  6365. The namespace of the Secret resource being referred to.
  6366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6367. maxLength: 63
  6368. minLength: 1
  6369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6370. type: string
  6371. type: object
  6372. required:
  6373. - passwordSecretRef
  6374. - privateKeySecretRef
  6375. type: object
  6376. caBundle:
  6377. description: |-
  6378. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6379. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6380. are used to validate the TLS connection.
  6381. format: byte
  6382. type: string
  6383. caProvider:
  6384. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6385. properties:
  6386. key:
  6387. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6388. maxLength: 253
  6389. minLength: 1
  6390. pattern: ^[-._a-zA-Z0-9]+$
  6391. type: string
  6392. name:
  6393. description: The name of the object located at the provider type.
  6394. maxLength: 253
  6395. minLength: 1
  6396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6397. type: string
  6398. namespace:
  6399. description: |-
  6400. The namespace the Provider type is in.
  6401. Can only be defined when used in a ClusterSecretStore.
  6402. maxLength: 63
  6403. minLength: 1
  6404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6405. type: string
  6406. type:
  6407. description: The type of provider to use such as "Secret", or "ConfigMap".
  6408. enum:
  6409. - Secret
  6410. - ConfigMap
  6411. type: string
  6412. required:
  6413. - name
  6414. - type
  6415. type: object
  6416. host:
  6417. description: Host defines the Passbolt Server to connect to
  6418. type: string
  6419. required:
  6420. - auth
  6421. - host
  6422. type: object
  6423. passworddepot:
  6424. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6425. properties:
  6426. auth:
  6427. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6428. properties:
  6429. secretRef:
  6430. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6431. properties:
  6432. credentials:
  6433. description: Username / Password is used for authentication.
  6434. properties:
  6435. key:
  6436. description: |-
  6437. A key in the referenced Secret.
  6438. Some instances of this field may be defaulted, in others it may be required.
  6439. maxLength: 253
  6440. minLength: 1
  6441. pattern: ^[-._a-zA-Z0-9]+$
  6442. type: string
  6443. name:
  6444. description: The name of the Secret resource being referred to.
  6445. maxLength: 253
  6446. minLength: 1
  6447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6448. type: string
  6449. namespace:
  6450. description: |-
  6451. The namespace of the Secret resource being referred to.
  6452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6453. maxLength: 63
  6454. minLength: 1
  6455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6456. type: string
  6457. type: object
  6458. type: object
  6459. required:
  6460. - secretRef
  6461. type: object
  6462. database:
  6463. description: Database to use as source
  6464. type: string
  6465. host:
  6466. description: URL configures the Password Depot instance URL.
  6467. type: string
  6468. required:
  6469. - auth
  6470. - database
  6471. - host
  6472. type: object
  6473. previder:
  6474. description: Previder configures this store to sync secrets using the Previder provider
  6475. properties:
  6476. auth:
  6477. description: PreviderAuth contains a secretRef for credentials.
  6478. properties:
  6479. secretRef:
  6480. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6481. properties:
  6482. accessToken:
  6483. description: The AccessToken is used for authentication
  6484. properties:
  6485. key:
  6486. description: |-
  6487. A key in the referenced Secret.
  6488. Some instances of this field may be defaulted, in others it may be required.
  6489. maxLength: 253
  6490. minLength: 1
  6491. pattern: ^[-._a-zA-Z0-9]+$
  6492. type: string
  6493. name:
  6494. description: The name of the Secret resource being referred to.
  6495. maxLength: 253
  6496. minLength: 1
  6497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6498. type: string
  6499. namespace:
  6500. description: |-
  6501. The namespace of the Secret resource being referred to.
  6502. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6503. maxLength: 63
  6504. minLength: 1
  6505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6506. type: string
  6507. type: object
  6508. required:
  6509. - accessToken
  6510. type: object
  6511. type: object
  6512. baseUri:
  6513. type: string
  6514. required:
  6515. - auth
  6516. type: object
  6517. pulumi:
  6518. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6519. properties:
  6520. accessToken:
  6521. description: |-
  6522. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  6523. Deprecated: Use auth.accessToken instead.
  6524. properties:
  6525. secretRef:
  6526. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6527. properties:
  6528. key:
  6529. description: |-
  6530. A key in the referenced Secret.
  6531. Some instances of this field may be defaulted, in others it may be required.
  6532. maxLength: 253
  6533. minLength: 1
  6534. pattern: ^[-._a-zA-Z0-9]+$
  6535. type: string
  6536. name:
  6537. description: The name of the Secret resource being referred to.
  6538. maxLength: 253
  6539. minLength: 1
  6540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6541. type: string
  6542. namespace:
  6543. description: |-
  6544. The namespace of the Secret resource being referred to.
  6545. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6546. maxLength: 63
  6547. minLength: 1
  6548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6549. type: string
  6550. type: object
  6551. type: object
  6552. apiUrl:
  6553. default: https://api.pulumi.com/api/esc
  6554. description: APIURL is the URL of the Pulumi API.
  6555. type: string
  6556. auth:
  6557. description: |-
  6558. Auth configures how the Operator authenticates with the Pulumi API.
  6559. Either auth or the deprecated accessToken field must be specified.
  6560. properties:
  6561. accessToken:
  6562. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  6563. properties:
  6564. secretRef:
  6565. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6566. properties:
  6567. key:
  6568. description: |-
  6569. A key in the referenced Secret.
  6570. Some instances of this field may be defaulted, in others it may be required.
  6571. maxLength: 253
  6572. minLength: 1
  6573. pattern: ^[-._a-zA-Z0-9]+$
  6574. type: string
  6575. name:
  6576. description: The name of the Secret resource being referred to.
  6577. maxLength: 253
  6578. minLength: 1
  6579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6580. type: string
  6581. namespace:
  6582. description: |-
  6583. The namespace of the Secret resource being referred to.
  6584. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6585. maxLength: 63
  6586. minLength: 1
  6587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6588. type: string
  6589. type: object
  6590. type: object
  6591. oidcConfig:
  6592. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  6593. properties:
  6594. expirationSeconds:
  6595. default: 600
  6596. description: |-
  6597. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  6598. Defaults to 10 minutes.
  6599. format: int64
  6600. minimum: 600
  6601. type: integer
  6602. organization:
  6603. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  6604. type: string
  6605. serviceAccountRef:
  6606. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  6607. properties:
  6608. audiences:
  6609. description: |-
  6610. Audience specifies the `aud` claim for the service account token
  6611. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6612. then this audiences will be appended to the list
  6613. items:
  6614. type: string
  6615. type: array
  6616. name:
  6617. description: The name of the ServiceAccount resource being referred to.
  6618. maxLength: 253
  6619. minLength: 1
  6620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6621. type: string
  6622. namespace:
  6623. description: |-
  6624. Namespace of the resource being referred to.
  6625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6626. maxLength: 63
  6627. minLength: 1
  6628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6629. type: string
  6630. required:
  6631. - name
  6632. type: object
  6633. required:
  6634. - organization
  6635. - serviceAccountRef
  6636. type: object
  6637. type: object
  6638. x-kubernetes-validations:
  6639. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  6640. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  6641. environment:
  6642. description: |-
  6643. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  6644. dynamically retrieved values from supported providers including all major clouds,
  6645. and other Pulumi ESC environments.
  6646. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  6647. type: string
  6648. organization:
  6649. description: |-
  6650. Organization are a space to collaborate on shared projects and stacks.
  6651. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  6652. type: string
  6653. project:
  6654. description: Project is the name of the Pulumi ESC project the environment belongs to.
  6655. type: string
  6656. required:
  6657. - environment
  6658. - organization
  6659. - project
  6660. type: object
  6661. x-kubernetes-validations:
  6662. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  6663. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  6664. scaleway:
  6665. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  6666. properties:
  6667. accessKey:
  6668. description: AccessKey is the non-secret part of the api key.
  6669. properties:
  6670. secretRef:
  6671. description: SecretRef references a key in a secret that will be used as value.
  6672. properties:
  6673. key:
  6674. description: |-
  6675. A key in the referenced Secret.
  6676. Some instances of this field may be defaulted, in others it may be required.
  6677. maxLength: 253
  6678. minLength: 1
  6679. pattern: ^[-._a-zA-Z0-9]+$
  6680. type: string
  6681. name:
  6682. description: The name of the Secret resource being referred to.
  6683. maxLength: 253
  6684. minLength: 1
  6685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6686. type: string
  6687. namespace:
  6688. description: |-
  6689. The namespace of the Secret resource being referred to.
  6690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6691. maxLength: 63
  6692. minLength: 1
  6693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6694. type: string
  6695. type: object
  6696. value:
  6697. description: Value can be specified directly to set a value without using a secret.
  6698. type: string
  6699. type: object
  6700. apiUrl:
  6701. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  6702. type: string
  6703. projectId:
  6704. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  6705. type: string
  6706. region:
  6707. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  6708. type: string
  6709. secretKey:
  6710. description: SecretKey is the non-secret part of the api key.
  6711. properties:
  6712. secretRef:
  6713. description: SecretRef references a key in a secret that will be used as value.
  6714. properties:
  6715. key:
  6716. description: |-
  6717. A key in the referenced Secret.
  6718. Some instances of this field may be defaulted, in others it may be required.
  6719. maxLength: 253
  6720. minLength: 1
  6721. pattern: ^[-._a-zA-Z0-9]+$
  6722. type: string
  6723. name:
  6724. description: The name of the Secret resource being referred to.
  6725. maxLength: 253
  6726. minLength: 1
  6727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6728. type: string
  6729. namespace:
  6730. description: |-
  6731. The namespace of the Secret resource being referred to.
  6732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6733. maxLength: 63
  6734. minLength: 1
  6735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6736. type: string
  6737. type: object
  6738. value:
  6739. description: Value can be specified directly to set a value without using a secret.
  6740. type: string
  6741. type: object
  6742. required:
  6743. - accessKey
  6744. - projectId
  6745. - region
  6746. - secretKey
  6747. type: object
  6748. secretserver:
  6749. description: |-
  6750. SecretServer configures this store to sync secrets using SecretServer provider
  6751. https://docs.delinea.com/online-help/secret-server/start.htm
  6752. properties:
  6753. caBundle:
  6754. description: |-
  6755. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  6756. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  6757. are used to validate the TLS connection.
  6758. format: byte
  6759. type: string
  6760. caProvider:
  6761. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  6762. properties:
  6763. key:
  6764. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6765. maxLength: 253
  6766. minLength: 1
  6767. pattern: ^[-._a-zA-Z0-9]+$
  6768. type: string
  6769. name:
  6770. description: The name of the object located at the provider type.
  6771. maxLength: 253
  6772. minLength: 1
  6773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6774. type: string
  6775. namespace:
  6776. description: |-
  6777. The namespace the Provider type is in.
  6778. Can only be defined when used in a ClusterSecretStore.
  6779. maxLength: 63
  6780. minLength: 1
  6781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6782. type: string
  6783. type:
  6784. description: The type of provider to use such as "Secret", or "ConfigMap".
  6785. enum:
  6786. - Secret
  6787. - ConfigMap
  6788. type: string
  6789. required:
  6790. - name
  6791. - type
  6792. type: object
  6793. domain:
  6794. description: Domain is the secret server domain.
  6795. type: string
  6796. password:
  6797. description: Password is the secret server account password.
  6798. properties:
  6799. secretRef:
  6800. description: SecretRef references a key in a secret that will be used as value.
  6801. properties:
  6802. key:
  6803. description: |-
  6804. A key in the referenced Secret.
  6805. Some instances of this field may be defaulted, in others it may be required.
  6806. maxLength: 253
  6807. minLength: 1
  6808. pattern: ^[-._a-zA-Z0-9]+$
  6809. type: string
  6810. name:
  6811. description: The name of the Secret resource being referred to.
  6812. maxLength: 253
  6813. minLength: 1
  6814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6815. type: string
  6816. namespace:
  6817. description: |-
  6818. The namespace of the Secret resource being referred to.
  6819. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6820. maxLength: 63
  6821. minLength: 1
  6822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6823. type: string
  6824. type: object
  6825. value:
  6826. description: Value can be specified directly to set a value without using a secret.
  6827. type: string
  6828. type: object
  6829. serverURL:
  6830. description: |-
  6831. ServerURL
  6832. URL to your secret server installation
  6833. type: string
  6834. username:
  6835. description: Username is the secret server account username.
  6836. properties:
  6837. secretRef:
  6838. description: SecretRef references a key in a secret that will be used as value.
  6839. properties:
  6840. key:
  6841. description: |-
  6842. A key in the referenced Secret.
  6843. Some instances of this field may be defaulted, in others it may be required.
  6844. maxLength: 253
  6845. minLength: 1
  6846. pattern: ^[-._a-zA-Z0-9]+$
  6847. type: string
  6848. name:
  6849. description: The name of the Secret resource being referred to.
  6850. maxLength: 253
  6851. minLength: 1
  6852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6853. type: string
  6854. namespace:
  6855. description: |-
  6856. The namespace of the Secret resource being referred to.
  6857. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6858. maxLength: 63
  6859. minLength: 1
  6860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6861. type: string
  6862. type: object
  6863. value:
  6864. description: Value can be specified directly to set a value without using a secret.
  6865. type: string
  6866. type: object
  6867. required:
  6868. - password
  6869. - serverURL
  6870. - username
  6871. type: object
  6872. senhasegura:
  6873. description: Senhasegura configures this store to sync secrets using senhasegura provider
  6874. properties:
  6875. auth:
  6876. description: Auth defines parameters to authenticate in senhasegura
  6877. properties:
  6878. clientId:
  6879. type: string
  6880. clientSecretSecretRef:
  6881. description: |-
  6882. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6883. In some instances, `key` is a required field.
  6884. properties:
  6885. key:
  6886. description: |-
  6887. A key in the referenced Secret.
  6888. Some instances of this field may be defaulted, in others it may be required.
  6889. maxLength: 253
  6890. minLength: 1
  6891. pattern: ^[-._a-zA-Z0-9]+$
  6892. type: string
  6893. name:
  6894. description: The name of the Secret resource being referred to.
  6895. maxLength: 253
  6896. minLength: 1
  6897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6898. type: string
  6899. namespace:
  6900. description: |-
  6901. The namespace of the Secret resource being referred to.
  6902. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6903. maxLength: 63
  6904. minLength: 1
  6905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6906. type: string
  6907. type: object
  6908. required:
  6909. - clientId
  6910. - clientSecretSecretRef
  6911. type: object
  6912. ignoreSslCertificate:
  6913. default: false
  6914. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  6915. type: boolean
  6916. module:
  6917. description: Module defines which senhasegura module should be used to get secrets
  6918. type: string
  6919. url:
  6920. description: URL of senhasegura
  6921. type: string
  6922. required:
  6923. - auth
  6924. - module
  6925. - url
  6926. type: object
  6927. vault:
  6928. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  6929. properties:
  6930. auth:
  6931. description: Auth configures how secret-manager authenticates with the Vault server.
  6932. properties:
  6933. appRole:
  6934. description: |-
  6935. AppRole authenticates with Vault using the App Role auth mechanism,
  6936. with the role and secret stored in a Kubernetes Secret resource.
  6937. properties:
  6938. path:
  6939. default: approle
  6940. description: |-
  6941. Path where the App Role authentication backend is mounted
  6942. in Vault, e.g: "approle"
  6943. type: string
  6944. roleId:
  6945. description: |-
  6946. RoleID configured in the App Role authentication backend when setting
  6947. up the authentication backend in Vault.
  6948. type: string
  6949. roleRef:
  6950. description: |-
  6951. Reference to a key in a Secret that contains the App Role ID used
  6952. to authenticate with Vault.
  6953. The `key` field must be specified and denotes which entry within the Secret
  6954. resource is used as the app role id.
  6955. properties:
  6956. key:
  6957. description: |-
  6958. A key in the referenced Secret.
  6959. Some instances of this field may be defaulted, in others it may be required.
  6960. maxLength: 253
  6961. minLength: 1
  6962. pattern: ^[-._a-zA-Z0-9]+$
  6963. type: string
  6964. name:
  6965. description: The name of the Secret resource being referred to.
  6966. maxLength: 253
  6967. minLength: 1
  6968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6969. type: string
  6970. namespace:
  6971. description: |-
  6972. The namespace of the Secret resource being referred to.
  6973. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6974. maxLength: 63
  6975. minLength: 1
  6976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6977. type: string
  6978. type: object
  6979. secretRef:
  6980. description: |-
  6981. Reference to a key in a Secret that contains the App Role secret used
  6982. to authenticate with Vault.
  6983. The `key` field must be specified and denotes which entry within the Secret
  6984. resource is used as the app role secret.
  6985. properties:
  6986. key:
  6987. description: |-
  6988. A key in the referenced Secret.
  6989. Some instances of this field may be defaulted, in others it may be required.
  6990. maxLength: 253
  6991. minLength: 1
  6992. pattern: ^[-._a-zA-Z0-9]+$
  6993. type: string
  6994. name:
  6995. description: The name of the Secret resource being referred to.
  6996. maxLength: 253
  6997. minLength: 1
  6998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6999. type: string
  7000. namespace:
  7001. description: |-
  7002. The namespace of the Secret resource being referred to.
  7003. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7004. maxLength: 63
  7005. minLength: 1
  7006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7007. type: string
  7008. type: object
  7009. required:
  7010. - path
  7011. - secretRef
  7012. type: object
  7013. cert:
  7014. description: |-
  7015. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7016. Cert authentication method
  7017. properties:
  7018. clientCert:
  7019. description: |-
  7020. ClientCert is a certificate to authenticate using the Cert Vault
  7021. authentication method
  7022. properties:
  7023. key:
  7024. description: |-
  7025. A key in the referenced Secret.
  7026. Some instances of this field may be defaulted, in others it may be required.
  7027. maxLength: 253
  7028. minLength: 1
  7029. pattern: ^[-._a-zA-Z0-9]+$
  7030. type: string
  7031. name:
  7032. description: The name of the Secret resource being referred to.
  7033. maxLength: 253
  7034. minLength: 1
  7035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7036. type: string
  7037. namespace:
  7038. description: |-
  7039. The namespace of the Secret resource being referred to.
  7040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7041. maxLength: 63
  7042. minLength: 1
  7043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7044. type: string
  7045. type: object
  7046. path:
  7047. default: cert
  7048. description: |-
  7049. Path where the Certificate authentication backend is mounted
  7050. in Vault, e.g: "cert"
  7051. type: string
  7052. secretRef:
  7053. description: |-
  7054. SecretRef to a key in a Secret resource containing client private key to
  7055. authenticate with Vault using the Cert authentication method
  7056. properties:
  7057. key:
  7058. description: |-
  7059. A key in the referenced Secret.
  7060. Some instances of this field may be defaulted, in others it may be required.
  7061. maxLength: 253
  7062. minLength: 1
  7063. pattern: ^[-._a-zA-Z0-9]+$
  7064. type: string
  7065. name:
  7066. description: The name of the Secret resource being referred to.
  7067. maxLength: 253
  7068. minLength: 1
  7069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7070. type: string
  7071. namespace:
  7072. description: |-
  7073. The namespace of the Secret resource being referred to.
  7074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7075. maxLength: 63
  7076. minLength: 1
  7077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7078. type: string
  7079. type: object
  7080. vaultRole:
  7081. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7082. type: string
  7083. type: object
  7084. gcp:
  7085. description: |-
  7086. Gcp authenticates with Vault using Google Cloud Platform authentication method
  7087. GCP authentication method
  7088. properties:
  7089. location:
  7090. description: Location optionally defines a location/region for the secret
  7091. type: string
  7092. path:
  7093. default: gcp
  7094. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7095. type: string
  7096. projectID:
  7097. description: Project ID of the Google Cloud Platform project
  7098. type: string
  7099. role:
  7100. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7101. type: string
  7102. secretRef:
  7103. description: Specify credentials in a Secret object
  7104. properties:
  7105. secretAccessKeySecretRef:
  7106. description: The SecretAccessKey is used for authentication
  7107. properties:
  7108. key:
  7109. description: |-
  7110. A key in the referenced Secret.
  7111. Some instances of this field may be defaulted, in others it may be required.
  7112. maxLength: 253
  7113. minLength: 1
  7114. pattern: ^[-._a-zA-Z0-9]+$
  7115. type: string
  7116. name:
  7117. description: The name of the Secret resource being referred to.
  7118. maxLength: 253
  7119. minLength: 1
  7120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7121. type: string
  7122. namespace:
  7123. description: |-
  7124. The namespace of the Secret resource being referred to.
  7125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7126. maxLength: 63
  7127. minLength: 1
  7128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7129. type: string
  7130. type: object
  7131. type: object
  7132. serviceAccountRef:
  7133. description: ServiceAccountRef to a service account for impersonation
  7134. properties:
  7135. audiences:
  7136. description: |-
  7137. Audience specifies the `aud` claim for the service account token
  7138. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7139. then this audiences will be appended to the list
  7140. items:
  7141. type: string
  7142. type: array
  7143. name:
  7144. description: The name of the ServiceAccount resource being referred to.
  7145. maxLength: 253
  7146. minLength: 1
  7147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7148. type: string
  7149. namespace:
  7150. description: |-
  7151. Namespace of the resource being referred to.
  7152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7153. maxLength: 63
  7154. minLength: 1
  7155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7156. type: string
  7157. required:
  7158. - name
  7159. type: object
  7160. workloadIdentity:
  7161. description: Specify a service account with Workload Identity
  7162. properties:
  7163. clusterLocation:
  7164. description: |-
  7165. ClusterLocation is the location of the cluster
  7166. If not specified, it fetches information from the metadata server
  7167. type: string
  7168. clusterName:
  7169. description: |-
  7170. ClusterName is the name of the cluster
  7171. If not specified, it fetches information from the metadata server
  7172. type: string
  7173. clusterProjectID:
  7174. description: |-
  7175. ClusterProjectID is the project ID of the cluster
  7176. If not specified, it fetches information from the metadata server
  7177. type: string
  7178. serviceAccountRef:
  7179. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7180. properties:
  7181. audiences:
  7182. description: |-
  7183. Audience specifies the `aud` claim for the service account token
  7184. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7185. then this audiences will be appended to the list
  7186. items:
  7187. type: string
  7188. type: array
  7189. name:
  7190. description: The name of the ServiceAccount resource being referred to.
  7191. maxLength: 253
  7192. minLength: 1
  7193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7194. type: string
  7195. namespace:
  7196. description: |-
  7197. Namespace of the resource being referred to.
  7198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7199. maxLength: 63
  7200. minLength: 1
  7201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7202. type: string
  7203. required:
  7204. - name
  7205. type: object
  7206. required:
  7207. - serviceAccountRef
  7208. type: object
  7209. required:
  7210. - role
  7211. type: object
  7212. iam:
  7213. description: |-
  7214. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  7215. AWS IAM authentication method
  7216. properties:
  7217. externalID:
  7218. description: AWS External ID set on assumed IAM roles
  7219. type: string
  7220. jwt:
  7221. description: Specify a service account with IRSA enabled
  7222. properties:
  7223. serviceAccountRef:
  7224. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7225. properties:
  7226. audiences:
  7227. description: |-
  7228. Audience specifies the `aud` claim for the service account token
  7229. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7230. then this audiences will be appended to the list
  7231. items:
  7232. type: string
  7233. type: array
  7234. name:
  7235. description: The name of the ServiceAccount resource being referred to.
  7236. maxLength: 253
  7237. minLength: 1
  7238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7239. type: string
  7240. namespace:
  7241. description: |-
  7242. Namespace of the resource being referred to.
  7243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7244. maxLength: 63
  7245. minLength: 1
  7246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7247. type: string
  7248. required:
  7249. - name
  7250. type: object
  7251. type: object
  7252. path:
  7253. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7254. type: string
  7255. region:
  7256. description: AWS region
  7257. type: string
  7258. role:
  7259. description: This is the AWS role to be assumed before talking to vault
  7260. type: string
  7261. secretRef:
  7262. description: Specify credentials in a Secret object
  7263. properties:
  7264. accessKeyIDSecretRef:
  7265. description: The AccessKeyID is used for authentication
  7266. properties:
  7267. key:
  7268. description: |-
  7269. A key in the referenced Secret.
  7270. Some instances of this field may be defaulted, in others it may be required.
  7271. maxLength: 253
  7272. minLength: 1
  7273. pattern: ^[-._a-zA-Z0-9]+$
  7274. type: string
  7275. name:
  7276. description: The name of the Secret resource being referred to.
  7277. maxLength: 253
  7278. minLength: 1
  7279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7280. type: string
  7281. namespace:
  7282. description: |-
  7283. The namespace of the Secret resource being referred to.
  7284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7285. maxLength: 63
  7286. minLength: 1
  7287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7288. type: string
  7289. type: object
  7290. secretAccessKeySecretRef:
  7291. description: The SecretAccessKey is used for authentication
  7292. properties:
  7293. key:
  7294. description: |-
  7295. A key in the referenced Secret.
  7296. Some instances of this field may be defaulted, in others it may be required.
  7297. maxLength: 253
  7298. minLength: 1
  7299. pattern: ^[-._a-zA-Z0-9]+$
  7300. type: string
  7301. name:
  7302. description: The name of the Secret resource being referred to.
  7303. maxLength: 253
  7304. minLength: 1
  7305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7306. type: string
  7307. namespace:
  7308. description: |-
  7309. The namespace of the Secret resource being referred to.
  7310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7311. maxLength: 63
  7312. minLength: 1
  7313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7314. type: string
  7315. type: object
  7316. sessionTokenSecretRef:
  7317. description: |-
  7318. The SessionToken used for authentication
  7319. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7320. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7321. properties:
  7322. key:
  7323. description: |-
  7324. A key in the referenced Secret.
  7325. Some instances of this field may be defaulted, in others it may be required.
  7326. maxLength: 253
  7327. minLength: 1
  7328. pattern: ^[-._a-zA-Z0-9]+$
  7329. type: string
  7330. name:
  7331. description: The name of the Secret resource being referred to.
  7332. maxLength: 253
  7333. minLength: 1
  7334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7335. type: string
  7336. namespace:
  7337. description: |-
  7338. The namespace of the Secret resource being referred to.
  7339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7340. maxLength: 63
  7341. minLength: 1
  7342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7343. type: string
  7344. type: object
  7345. type: object
  7346. vaultAwsIamServerID:
  7347. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7348. type: string
  7349. vaultRole:
  7350. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7351. type: string
  7352. required:
  7353. - vaultRole
  7354. type: object
  7355. jwt:
  7356. description: |-
  7357. Jwt authenticates with Vault by passing role and JWT token using the
  7358. JWT/OIDC authentication method
  7359. properties:
  7360. kubernetesServiceAccountToken:
  7361. description: |-
  7362. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7363. a token for with the `TokenRequest` API.
  7364. properties:
  7365. audiences:
  7366. description: |-
  7367. Optional audiences field that will be used to request a temporary Kubernetes service
  7368. account token for the service account referenced by `serviceAccountRef`.
  7369. Defaults to a single audience `vault` it not specified.
  7370. Deprecated: use serviceAccountRef.Audiences instead
  7371. items:
  7372. type: string
  7373. type: array
  7374. expirationSeconds:
  7375. description: |-
  7376. Optional expiration time in seconds that will be used to request a temporary
  7377. Kubernetes service account token for the service account referenced by
  7378. `serviceAccountRef`.
  7379. Deprecated: this will be removed in the future.
  7380. Defaults to 10 minutes.
  7381. format: int64
  7382. type: integer
  7383. serviceAccountRef:
  7384. description: Service account field containing the name of a kubernetes ServiceAccount.
  7385. properties:
  7386. audiences:
  7387. description: |-
  7388. Audience specifies the `aud` claim for the service account token
  7389. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7390. then this audiences will be appended to the list
  7391. items:
  7392. type: string
  7393. type: array
  7394. name:
  7395. description: The name of the ServiceAccount resource being referred to.
  7396. maxLength: 253
  7397. minLength: 1
  7398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7399. type: string
  7400. namespace:
  7401. description: |-
  7402. Namespace of the resource being referred to.
  7403. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7404. maxLength: 63
  7405. minLength: 1
  7406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7407. type: string
  7408. required:
  7409. - name
  7410. type: object
  7411. required:
  7412. - serviceAccountRef
  7413. type: object
  7414. path:
  7415. default: jwt
  7416. description: |-
  7417. Path where the JWT authentication backend is mounted
  7418. in Vault, e.g: "jwt"
  7419. type: string
  7420. role:
  7421. description: |-
  7422. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7423. authentication method
  7424. type: string
  7425. secretRef:
  7426. description: |-
  7427. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7428. authenticate with Vault using the JWT/OIDC authentication method.
  7429. properties:
  7430. key:
  7431. description: |-
  7432. A key in the referenced Secret.
  7433. Some instances of this field may be defaulted, in others it may be required.
  7434. maxLength: 253
  7435. minLength: 1
  7436. pattern: ^[-._a-zA-Z0-9]+$
  7437. type: string
  7438. name:
  7439. description: The name of the Secret resource being referred to.
  7440. maxLength: 253
  7441. minLength: 1
  7442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7443. type: string
  7444. namespace:
  7445. description: |-
  7446. The namespace of the Secret resource being referred to.
  7447. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7448. maxLength: 63
  7449. minLength: 1
  7450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7451. type: string
  7452. type: object
  7453. required:
  7454. - path
  7455. type: object
  7456. kubernetes:
  7457. description: |-
  7458. Kubernetes authenticates with Vault by passing the ServiceAccount
  7459. token stored in the named Secret resource to the Vault server.
  7460. properties:
  7461. mountPath:
  7462. default: kubernetes
  7463. description: |-
  7464. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7465. "kubernetes"
  7466. type: string
  7467. role:
  7468. description: |-
  7469. A required field containing the Vault Role to assume. A Role binds a
  7470. Kubernetes ServiceAccount with a set of Vault policies.
  7471. type: string
  7472. secretRef:
  7473. description: |-
  7474. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7475. for authenticating with Vault. If a name is specified without a key,
  7476. `token` is the default. If one is not specified, the one bound to
  7477. the controller will be used.
  7478. properties:
  7479. key:
  7480. description: |-
  7481. A key in the referenced Secret.
  7482. Some instances of this field may be defaulted, in others it may be required.
  7483. maxLength: 253
  7484. minLength: 1
  7485. pattern: ^[-._a-zA-Z0-9]+$
  7486. type: string
  7487. name:
  7488. description: The name of the Secret resource being referred to.
  7489. maxLength: 253
  7490. minLength: 1
  7491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7492. type: string
  7493. namespace:
  7494. description: |-
  7495. The namespace of the Secret resource being referred to.
  7496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7497. maxLength: 63
  7498. minLength: 1
  7499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7500. type: string
  7501. type: object
  7502. serviceAccountRef:
  7503. description: |-
  7504. Optional service account field containing the name of a kubernetes ServiceAccount.
  7505. If the service account is specified, the service account secret token JWT will be used
  7506. for authenticating with Vault. If the service account selector is not supplied,
  7507. the secretRef will be used instead.
  7508. properties:
  7509. audiences:
  7510. description: |-
  7511. Audience specifies the `aud` claim for the service account token
  7512. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7513. then this audiences will be appended to the list
  7514. items:
  7515. type: string
  7516. type: array
  7517. name:
  7518. description: The name of the ServiceAccount resource being referred to.
  7519. maxLength: 253
  7520. minLength: 1
  7521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7522. type: string
  7523. namespace:
  7524. description: |-
  7525. Namespace of the resource being referred to.
  7526. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7527. maxLength: 63
  7528. minLength: 1
  7529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7530. type: string
  7531. required:
  7532. - name
  7533. type: object
  7534. required:
  7535. - mountPath
  7536. - role
  7537. type: object
  7538. ldap:
  7539. description: |-
  7540. Ldap authenticates with Vault by passing username/password pair using
  7541. the LDAP authentication method
  7542. properties:
  7543. path:
  7544. default: ldap
  7545. description: |-
  7546. Path where the LDAP authentication backend is mounted
  7547. in Vault, e.g: "ldap"
  7548. type: string
  7549. secretRef:
  7550. description: |-
  7551. SecretRef to a key in a Secret resource containing password for the LDAP
  7552. user used to authenticate with Vault using the LDAP authentication
  7553. method
  7554. properties:
  7555. key:
  7556. description: |-
  7557. A key in the referenced Secret.
  7558. Some instances of this field may be defaulted, in others it may be required.
  7559. maxLength: 253
  7560. minLength: 1
  7561. pattern: ^[-._a-zA-Z0-9]+$
  7562. type: string
  7563. name:
  7564. description: The name of the Secret resource being referred to.
  7565. maxLength: 253
  7566. minLength: 1
  7567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7568. type: string
  7569. namespace:
  7570. description: |-
  7571. The namespace of the Secret resource being referred to.
  7572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7573. maxLength: 63
  7574. minLength: 1
  7575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7576. type: string
  7577. type: object
  7578. username:
  7579. description: |-
  7580. Username is an LDAP username used to authenticate using the LDAP Vault
  7581. authentication method
  7582. type: string
  7583. required:
  7584. - path
  7585. - username
  7586. type: object
  7587. namespace:
  7588. description: |-
  7589. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  7590. Namespaces is a set of features within Vault Enterprise that allows
  7591. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7592. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7593. This will default to Vault.Namespace field if set, or empty otherwise
  7594. type: string
  7595. tokenSecretRef:
  7596. description: TokenSecretRef authenticates with Vault by presenting a token.
  7597. properties:
  7598. key:
  7599. description: |-
  7600. A key in the referenced Secret.
  7601. Some instances of this field may be defaulted, in others it may be required.
  7602. maxLength: 253
  7603. minLength: 1
  7604. pattern: ^[-._a-zA-Z0-9]+$
  7605. type: string
  7606. name:
  7607. description: The name of the Secret resource being referred to.
  7608. maxLength: 253
  7609. minLength: 1
  7610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7611. type: string
  7612. namespace:
  7613. description: |-
  7614. The namespace of the Secret resource being referred to.
  7615. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7616. maxLength: 63
  7617. minLength: 1
  7618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7619. type: string
  7620. type: object
  7621. userPass:
  7622. description: UserPass authenticates with Vault by passing username/password pair
  7623. properties:
  7624. path:
  7625. default: userpass
  7626. description: |-
  7627. Path where the UserPassword authentication backend is mounted
  7628. in Vault, e.g: "userpass"
  7629. type: string
  7630. secretRef:
  7631. description: |-
  7632. SecretRef to a key in a Secret resource containing password for the
  7633. user used to authenticate with Vault using the UserPass authentication
  7634. method
  7635. properties:
  7636. key:
  7637. description: |-
  7638. A key in the referenced Secret.
  7639. Some instances of this field may be defaulted, in others it may be required.
  7640. maxLength: 253
  7641. minLength: 1
  7642. pattern: ^[-._a-zA-Z0-9]+$
  7643. type: string
  7644. name:
  7645. description: The name of the Secret resource being referred to.
  7646. maxLength: 253
  7647. minLength: 1
  7648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7649. type: string
  7650. namespace:
  7651. description: |-
  7652. The namespace of the Secret resource being referred to.
  7653. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7654. maxLength: 63
  7655. minLength: 1
  7656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7657. type: string
  7658. type: object
  7659. username:
  7660. description: |-
  7661. Username is a username used to authenticate using the UserPass Vault
  7662. authentication method
  7663. type: string
  7664. required:
  7665. - path
  7666. - username
  7667. type: object
  7668. type: object
  7669. caBundle:
  7670. description: |-
  7671. PEM encoded CA bundle used to validate Vault server certificate. Only used
  7672. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7673. plain HTTP protocol connection. If not set the system root certificates
  7674. are used to validate the TLS connection.
  7675. format: byte
  7676. type: string
  7677. caProvider:
  7678. description: The provider for the CA bundle to use to validate Vault server certificate.
  7679. properties:
  7680. key:
  7681. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7682. maxLength: 253
  7683. minLength: 1
  7684. pattern: ^[-._a-zA-Z0-9]+$
  7685. type: string
  7686. name:
  7687. description: The name of the object located at the provider type.
  7688. maxLength: 253
  7689. minLength: 1
  7690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7691. type: string
  7692. namespace:
  7693. description: |-
  7694. The namespace the Provider type is in.
  7695. Can only be defined when used in a ClusterSecretStore.
  7696. maxLength: 63
  7697. minLength: 1
  7698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7699. type: string
  7700. type:
  7701. description: The type of provider to use such as "Secret", or "ConfigMap".
  7702. enum:
  7703. - Secret
  7704. - ConfigMap
  7705. type: string
  7706. required:
  7707. - name
  7708. - type
  7709. type: object
  7710. checkAndSet:
  7711. description: |-
  7712. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  7713. Only applies to Vault KV v2 stores. When enabled, write operations must include
  7714. the current version of the secret to prevent unintentional overwrites.
  7715. properties:
  7716. required:
  7717. description: |-
  7718. Required when true, all write operations must include a check-and-set parameter.
  7719. This helps prevent unintentional overwrites of secrets.
  7720. type: boolean
  7721. type: object
  7722. forwardInconsistent:
  7723. description: |-
  7724. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7725. leader instead of simply retrying within a loop. This can increase performance if
  7726. the option is enabled serverside.
  7727. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7728. type: boolean
  7729. headers:
  7730. additionalProperties:
  7731. type: string
  7732. description: Headers to be added in Vault request
  7733. type: object
  7734. namespace:
  7735. description: |-
  7736. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  7737. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7738. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7739. type: string
  7740. path:
  7741. description: |-
  7742. Path is the mount path of the Vault KV backend endpoint, e.g:
  7743. "secret". The v2 KV secret engine version specific "/data" path suffix
  7744. for fetching secrets from Vault is optional and will be appended
  7745. if not present in specified path.
  7746. type: string
  7747. readYourWrites:
  7748. description: |-
  7749. ReadYourWrites ensures isolated read-after-write semantics by
  7750. providing discovered cluster replication states in each request.
  7751. More information about eventual consistency in Vault can be found here
  7752. https://www.vaultproject.io/docs/enterprise/consistency
  7753. type: boolean
  7754. server:
  7755. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7756. type: string
  7757. tls:
  7758. description: |-
  7759. The configuration used for client side related TLS communication, when the Vault server
  7760. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  7761. This parameter is ignored for plain HTTP protocol connection.
  7762. It's worth noting this configuration is different from the "TLS certificates auth method",
  7763. which is available under the `auth.cert` section.
  7764. properties:
  7765. certSecretRef:
  7766. description: |-
  7767. CertSecretRef is a certificate added to the transport layer
  7768. when communicating with the Vault server.
  7769. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  7770. properties:
  7771. key:
  7772. description: |-
  7773. A key in the referenced Secret.
  7774. Some instances of this field may be defaulted, in others it may be required.
  7775. maxLength: 253
  7776. minLength: 1
  7777. pattern: ^[-._a-zA-Z0-9]+$
  7778. type: string
  7779. name:
  7780. description: The name of the Secret resource being referred to.
  7781. maxLength: 253
  7782. minLength: 1
  7783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7784. type: string
  7785. namespace:
  7786. description: |-
  7787. The namespace of the Secret resource being referred to.
  7788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7789. maxLength: 63
  7790. minLength: 1
  7791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7792. type: string
  7793. type: object
  7794. keySecretRef:
  7795. description: |-
  7796. KeySecretRef to a key in a Secret resource containing client private key
  7797. added to the transport layer when communicating with the Vault server.
  7798. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  7799. properties:
  7800. key:
  7801. description: |-
  7802. A key in the referenced Secret.
  7803. Some instances of this field may be defaulted, in others it may be required.
  7804. maxLength: 253
  7805. minLength: 1
  7806. pattern: ^[-._a-zA-Z0-9]+$
  7807. type: string
  7808. name:
  7809. description: The name of the Secret resource being referred to.
  7810. maxLength: 253
  7811. minLength: 1
  7812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7813. type: string
  7814. namespace:
  7815. description: |-
  7816. The namespace of the Secret resource being referred to.
  7817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7818. maxLength: 63
  7819. minLength: 1
  7820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7821. type: string
  7822. type: object
  7823. type: object
  7824. version:
  7825. default: v2
  7826. description: |-
  7827. Version is the Vault KV secret engine version. This can be either "v1" or
  7828. "v2". Version defaults to "v2".
  7829. enum:
  7830. - v1
  7831. - v2
  7832. type: string
  7833. required:
  7834. - server
  7835. type: object
  7836. volcengine:
  7837. description: Volcengine configures this store to sync secrets using the Volcengine provider
  7838. properties:
  7839. auth:
  7840. description: |-
  7841. Auth defines the authentication method to use.
  7842. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  7843. properties:
  7844. secretRef:
  7845. description: |-
  7846. SecretRef defines the static credentials to use for authentication.
  7847. If not set, IRSA is used.
  7848. properties:
  7849. accessKeyID:
  7850. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  7851. properties:
  7852. key:
  7853. description: |-
  7854. A key in the referenced Secret.
  7855. Some instances of this field may be defaulted, in others it may be required.
  7856. maxLength: 253
  7857. minLength: 1
  7858. pattern: ^[-._a-zA-Z0-9]+$
  7859. type: string
  7860. name:
  7861. description: The name of the Secret resource being referred to.
  7862. maxLength: 253
  7863. minLength: 1
  7864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7865. type: string
  7866. namespace:
  7867. description: |-
  7868. The namespace of the Secret resource being referred to.
  7869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7870. maxLength: 63
  7871. minLength: 1
  7872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7873. type: string
  7874. type: object
  7875. secretAccessKey:
  7876. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  7877. properties:
  7878. key:
  7879. description: |-
  7880. A key in the referenced Secret.
  7881. Some instances of this field may be defaulted, in others it may be required.
  7882. maxLength: 253
  7883. minLength: 1
  7884. pattern: ^[-._a-zA-Z0-9]+$
  7885. type: string
  7886. name:
  7887. description: The name of the Secret resource being referred to.
  7888. maxLength: 253
  7889. minLength: 1
  7890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7891. type: string
  7892. namespace:
  7893. description: |-
  7894. The namespace of the Secret resource being referred to.
  7895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7896. maxLength: 63
  7897. minLength: 1
  7898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7899. type: string
  7900. type: object
  7901. token:
  7902. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  7903. properties:
  7904. key:
  7905. description: |-
  7906. A key in the referenced Secret.
  7907. Some instances of this field may be defaulted, in others it may be required.
  7908. maxLength: 253
  7909. minLength: 1
  7910. pattern: ^[-._a-zA-Z0-9]+$
  7911. type: string
  7912. name:
  7913. description: The name of the Secret resource being referred to.
  7914. maxLength: 253
  7915. minLength: 1
  7916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7917. type: string
  7918. namespace:
  7919. description: |-
  7920. The namespace of the Secret resource being referred to.
  7921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7922. maxLength: 63
  7923. minLength: 1
  7924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7925. type: string
  7926. type: object
  7927. required:
  7928. - accessKeyID
  7929. - secretAccessKey
  7930. type: object
  7931. type: object
  7932. region:
  7933. description: Region specifies the Volcengine region to connect to.
  7934. type: string
  7935. required:
  7936. - region
  7937. type: object
  7938. webhook:
  7939. description: Webhook configures this store to sync secrets using a generic templated webhook
  7940. properties:
  7941. auth:
  7942. description: Auth specifies a authorization protocol. Only one protocol may be set.
  7943. maxProperties: 1
  7944. minProperties: 1
  7945. properties:
  7946. ntlm:
  7947. description: NTLMProtocol configures the store to use NTLM for auth
  7948. properties:
  7949. passwordSecret:
  7950. description: |-
  7951. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7952. In some instances, `key` is a required field.
  7953. properties:
  7954. key:
  7955. description: |-
  7956. A key in the referenced Secret.
  7957. Some instances of this field may be defaulted, in others it may be required.
  7958. maxLength: 253
  7959. minLength: 1
  7960. pattern: ^[-._a-zA-Z0-9]+$
  7961. type: string
  7962. name:
  7963. description: The name of the Secret resource being referred to.
  7964. maxLength: 253
  7965. minLength: 1
  7966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7967. type: string
  7968. namespace:
  7969. description: |-
  7970. The namespace of the Secret resource being referred to.
  7971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7972. maxLength: 63
  7973. minLength: 1
  7974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7975. type: string
  7976. type: object
  7977. usernameSecret:
  7978. description: |-
  7979. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7980. In some instances, `key` is a required field.
  7981. properties:
  7982. key:
  7983. description: |-
  7984. A key in the referenced Secret.
  7985. Some instances of this field may be defaulted, in others it may be required.
  7986. maxLength: 253
  7987. minLength: 1
  7988. pattern: ^[-._a-zA-Z0-9]+$
  7989. type: string
  7990. name:
  7991. description: The name of the Secret resource being referred to.
  7992. maxLength: 253
  7993. minLength: 1
  7994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7995. type: string
  7996. namespace:
  7997. description: |-
  7998. The namespace of the Secret resource being referred to.
  7999. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8000. maxLength: 63
  8001. minLength: 1
  8002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8003. type: string
  8004. type: object
  8005. required:
  8006. - passwordSecret
  8007. - usernameSecret
  8008. type: object
  8009. type: object
  8010. body:
  8011. description: Body
  8012. type: string
  8013. caBundle:
  8014. description: |-
  8015. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8016. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8017. plain HTTP protocol connection. If not set the system root certificates
  8018. are used to validate the TLS connection.
  8019. format: byte
  8020. type: string
  8021. caProvider:
  8022. description: The provider for the CA bundle to use to validate webhook server certificate.
  8023. properties:
  8024. key:
  8025. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8026. maxLength: 253
  8027. minLength: 1
  8028. pattern: ^[-._a-zA-Z0-9]+$
  8029. type: string
  8030. name:
  8031. description: The name of the object located at the provider type.
  8032. maxLength: 253
  8033. minLength: 1
  8034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8035. type: string
  8036. namespace:
  8037. description: The namespace the Provider type is in.
  8038. maxLength: 63
  8039. minLength: 1
  8040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8041. type: string
  8042. type:
  8043. description: The type of provider to use such as "Secret", or "ConfigMap".
  8044. enum:
  8045. - Secret
  8046. - ConfigMap
  8047. type: string
  8048. required:
  8049. - name
  8050. - type
  8051. type: object
  8052. headers:
  8053. additionalProperties:
  8054. type: string
  8055. description: Headers
  8056. type: object
  8057. method:
  8058. description: Webhook Method
  8059. type: string
  8060. result:
  8061. description: Result formatting
  8062. properties:
  8063. jsonPath:
  8064. description: Json path of return value
  8065. type: string
  8066. type: object
  8067. secrets:
  8068. description: |-
  8069. Secrets to fill in templates
  8070. These secrets will be passed to the templating function as key value pairs under the given name
  8071. items:
  8072. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8073. properties:
  8074. name:
  8075. description: Name of this secret in templates
  8076. type: string
  8077. secretRef:
  8078. description: Secret ref to fill in credentials
  8079. properties:
  8080. key:
  8081. description: |-
  8082. A key in the referenced Secret.
  8083. Some instances of this field may be defaulted, in others it may be required.
  8084. maxLength: 253
  8085. minLength: 1
  8086. pattern: ^[-._a-zA-Z0-9]+$
  8087. type: string
  8088. name:
  8089. description: The name of the Secret resource being referred to.
  8090. maxLength: 253
  8091. minLength: 1
  8092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8093. type: string
  8094. namespace:
  8095. description: |-
  8096. The namespace of the Secret resource being referred to.
  8097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8098. maxLength: 63
  8099. minLength: 1
  8100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8101. type: string
  8102. type: object
  8103. required:
  8104. - name
  8105. - secretRef
  8106. type: object
  8107. type: array
  8108. timeout:
  8109. description: Timeout
  8110. type: string
  8111. url:
  8112. description: Webhook url to call
  8113. type: string
  8114. required:
  8115. - url
  8116. type: object
  8117. yandexcertificatemanager:
  8118. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8119. properties:
  8120. apiEndpoint:
  8121. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8122. type: string
  8123. auth:
  8124. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8125. properties:
  8126. authorizedKeySecretRef:
  8127. description: The authorized key used for authentication
  8128. properties:
  8129. key:
  8130. description: |-
  8131. A key in the referenced Secret.
  8132. Some instances of this field may be defaulted, in others it may be required.
  8133. maxLength: 253
  8134. minLength: 1
  8135. pattern: ^[-._a-zA-Z0-9]+$
  8136. type: string
  8137. name:
  8138. description: The name of the Secret resource being referred to.
  8139. maxLength: 253
  8140. minLength: 1
  8141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8142. type: string
  8143. namespace:
  8144. description: |-
  8145. The namespace of the Secret resource being referred to.
  8146. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8147. maxLength: 63
  8148. minLength: 1
  8149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8150. type: string
  8151. type: object
  8152. type: object
  8153. caProvider:
  8154. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8155. properties:
  8156. certSecretRef:
  8157. description: |-
  8158. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8159. In some instances, `key` is a required field.
  8160. properties:
  8161. key:
  8162. description: |-
  8163. A key in the referenced Secret.
  8164. Some instances of this field may be defaulted, in others it may be required.
  8165. maxLength: 253
  8166. minLength: 1
  8167. pattern: ^[-._a-zA-Z0-9]+$
  8168. type: string
  8169. name:
  8170. description: The name of the Secret resource being referred to.
  8171. maxLength: 253
  8172. minLength: 1
  8173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8174. type: string
  8175. namespace:
  8176. description: |-
  8177. The namespace of the Secret resource being referred to.
  8178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8179. maxLength: 63
  8180. minLength: 1
  8181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8182. type: string
  8183. type: object
  8184. type: object
  8185. fetching:
  8186. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8187. maxProperties: 1
  8188. minProperties: 1
  8189. properties:
  8190. byID:
  8191. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8192. type: object
  8193. byName:
  8194. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8195. properties:
  8196. folderID:
  8197. description: The folder to fetch secrets from
  8198. type: string
  8199. required:
  8200. - folderID
  8201. type: object
  8202. type: object
  8203. required:
  8204. - auth
  8205. type: object
  8206. yandexlockbox:
  8207. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8208. properties:
  8209. apiEndpoint:
  8210. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8211. type: string
  8212. auth:
  8213. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8214. properties:
  8215. authorizedKeySecretRef:
  8216. description: The authorized key used for authentication
  8217. properties:
  8218. key:
  8219. description: |-
  8220. A key in the referenced Secret.
  8221. Some instances of this field may be defaulted, in others it may be required.
  8222. maxLength: 253
  8223. minLength: 1
  8224. pattern: ^[-._a-zA-Z0-9]+$
  8225. type: string
  8226. name:
  8227. description: The name of the Secret resource being referred to.
  8228. maxLength: 253
  8229. minLength: 1
  8230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8231. type: string
  8232. namespace:
  8233. description: |-
  8234. The namespace of the Secret resource being referred to.
  8235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8236. maxLength: 63
  8237. minLength: 1
  8238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8239. type: string
  8240. type: object
  8241. type: object
  8242. caProvider:
  8243. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8244. properties:
  8245. certSecretRef:
  8246. description: |-
  8247. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8248. In some instances, `key` is a required field.
  8249. properties:
  8250. key:
  8251. description: |-
  8252. A key in the referenced Secret.
  8253. Some instances of this field may be defaulted, in others it may be required.
  8254. maxLength: 253
  8255. minLength: 1
  8256. pattern: ^[-._a-zA-Z0-9]+$
  8257. type: string
  8258. name:
  8259. description: The name of the Secret resource being referred to.
  8260. maxLength: 253
  8261. minLength: 1
  8262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8263. type: string
  8264. namespace:
  8265. description: |-
  8266. The namespace of the Secret resource being referred to.
  8267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8268. maxLength: 63
  8269. minLength: 1
  8270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8271. type: string
  8272. type: object
  8273. type: object
  8274. fetching:
  8275. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8276. maxProperties: 1
  8277. minProperties: 1
  8278. properties:
  8279. byID:
  8280. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8281. type: object
  8282. byName:
  8283. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8284. properties:
  8285. folderID:
  8286. description: The folder to fetch secrets from
  8287. type: string
  8288. required:
  8289. - folderID
  8290. type: object
  8291. type: object
  8292. required:
  8293. - auth
  8294. type: object
  8295. type: object
  8296. refreshInterval:
  8297. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8298. type: integer
  8299. retrySettings:
  8300. description: Used to configure HTTP retries on failures.
  8301. properties:
  8302. maxRetries:
  8303. format: int32
  8304. type: integer
  8305. retryInterval:
  8306. type: string
  8307. type: object
  8308. required:
  8309. - provider
  8310. type: object
  8311. status:
  8312. description: SecretStoreStatus defines the observed state of the SecretStore.
  8313. properties:
  8314. capabilities:
  8315. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8316. type: string
  8317. conditions:
  8318. items:
  8319. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8320. properties:
  8321. lastTransitionTime:
  8322. format: date-time
  8323. type: string
  8324. message:
  8325. type: string
  8326. reason:
  8327. type: string
  8328. status:
  8329. type: string
  8330. type:
  8331. description: SecretStoreConditionType represents the condition of the SecretStore.
  8332. type: string
  8333. required:
  8334. - status
  8335. - type
  8336. type: object
  8337. type: array
  8338. type: object
  8339. type: object
  8340. served: true
  8341. storage: true
  8342. subresources:
  8343. status: {}
  8344. - additionalPrinterColumns:
  8345. - jsonPath: .metadata.creationTimestamp
  8346. name: AGE
  8347. type: date
  8348. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8349. name: Status
  8350. type: string
  8351. - jsonPath: .status.capabilities
  8352. name: Capabilities
  8353. type: string
  8354. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8355. name: Ready
  8356. type: string
  8357. deprecated: true
  8358. name: v1beta1
  8359. schema:
  8360. openAPIV3Schema:
  8361. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8362. properties:
  8363. apiVersion:
  8364. description: |-
  8365. APIVersion defines the versioned schema of this representation of an object.
  8366. Servers should convert recognized schemas to the latest internal value, and
  8367. may reject unrecognized values.
  8368. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8369. type: string
  8370. kind:
  8371. description: |-
  8372. Kind is a string value representing the REST resource this object represents.
  8373. Servers may infer this from the endpoint the client submits requests to.
  8374. Cannot be updated.
  8375. In CamelCase.
  8376. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8377. type: string
  8378. metadata:
  8379. type: object
  8380. spec:
  8381. description: SecretStoreSpec defines the desired state of SecretStore.
  8382. properties:
  8383. conditions:
  8384. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8385. items:
  8386. description: |-
  8387. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8388. for a ClusterSecretStore instance.
  8389. properties:
  8390. namespaceRegexes:
  8391. description: Choose namespaces by using regex matching
  8392. items:
  8393. type: string
  8394. type: array
  8395. namespaceSelector:
  8396. description: Choose namespace using a labelSelector
  8397. properties:
  8398. matchExpressions:
  8399. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8400. items:
  8401. description: |-
  8402. A label selector requirement is a selector that contains values, a key, and an operator that
  8403. relates the key and values.
  8404. properties:
  8405. key:
  8406. description: key is the label key that the selector applies to.
  8407. type: string
  8408. operator:
  8409. description: |-
  8410. operator represents a key's relationship to a set of values.
  8411. Valid operators are In, NotIn, Exists and DoesNotExist.
  8412. type: string
  8413. values:
  8414. description: |-
  8415. values is an array of string values. If the operator is In or NotIn,
  8416. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8417. the values array must be empty. This array is replaced during a strategic
  8418. merge patch.
  8419. items:
  8420. type: string
  8421. type: array
  8422. x-kubernetes-list-type: atomic
  8423. required:
  8424. - key
  8425. - operator
  8426. type: object
  8427. type: array
  8428. x-kubernetes-list-type: atomic
  8429. matchLabels:
  8430. additionalProperties:
  8431. type: string
  8432. description: |-
  8433. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8434. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8435. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8436. type: object
  8437. type: object
  8438. x-kubernetes-map-type: atomic
  8439. namespaces:
  8440. description: Choose namespaces by name
  8441. items:
  8442. maxLength: 63
  8443. minLength: 1
  8444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8445. type: string
  8446. type: array
  8447. type: object
  8448. type: array
  8449. controller:
  8450. description: |-
  8451. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8452. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8453. type: string
  8454. provider:
  8455. description: Used to configure the provider. Only one provider may be set
  8456. maxProperties: 1
  8457. minProperties: 1
  8458. properties:
  8459. akeyless:
  8460. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8461. properties:
  8462. akeylessGWApiURL:
  8463. description: Akeyless GW API Url from which the secrets to be fetched from.
  8464. type: string
  8465. authSecretRef:
  8466. description: Auth configures how the operator authenticates with Akeyless.
  8467. properties:
  8468. kubernetesAuth:
  8469. description: |-
  8470. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8471. token stored in the named Secret resource.
  8472. properties:
  8473. accessID:
  8474. description: the Akeyless Kubernetes auth-method access-id
  8475. type: string
  8476. k8sConfName:
  8477. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8478. type: string
  8479. secretRef:
  8480. description: |-
  8481. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8482. for authenticating with Akeyless. If a name is specified without a key,
  8483. `token` is the default. If one is not specified, the one bound to
  8484. the controller will be used.
  8485. properties:
  8486. key:
  8487. description: |-
  8488. A key in the referenced Secret.
  8489. Some instances of this field may be defaulted, in others it may be required.
  8490. maxLength: 253
  8491. minLength: 1
  8492. pattern: ^[-._a-zA-Z0-9]+$
  8493. type: string
  8494. name:
  8495. description: The name of the Secret resource being referred to.
  8496. maxLength: 253
  8497. minLength: 1
  8498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8499. type: string
  8500. namespace:
  8501. description: |-
  8502. The namespace of the Secret resource being referred to.
  8503. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8504. maxLength: 63
  8505. minLength: 1
  8506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8507. type: string
  8508. type: object
  8509. serviceAccountRef:
  8510. description: |-
  8511. Optional service account field containing the name of a kubernetes ServiceAccount.
  8512. If the service account is specified, the service account secret token JWT will be used
  8513. for authenticating with Akeyless. If the service account selector is not supplied,
  8514. the secretRef will be used instead.
  8515. properties:
  8516. audiences:
  8517. description: |-
  8518. Audience specifies the `aud` claim for the service account token
  8519. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8520. then this audiences will be appended to the list
  8521. items:
  8522. type: string
  8523. type: array
  8524. name:
  8525. description: The name of the ServiceAccount resource being referred to.
  8526. maxLength: 253
  8527. minLength: 1
  8528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8529. type: string
  8530. namespace:
  8531. description: |-
  8532. Namespace of the resource being referred to.
  8533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8534. maxLength: 63
  8535. minLength: 1
  8536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8537. type: string
  8538. required:
  8539. - name
  8540. type: object
  8541. required:
  8542. - accessID
  8543. - k8sConfName
  8544. type: object
  8545. secretRef:
  8546. description: |-
  8547. Reference to a Secret that contains the details
  8548. to authenticate with Akeyless.
  8549. properties:
  8550. accessID:
  8551. description: The SecretAccessID is used for authentication
  8552. properties:
  8553. key:
  8554. description: |-
  8555. A key in the referenced Secret.
  8556. Some instances of this field may be defaulted, in others it may be required.
  8557. maxLength: 253
  8558. minLength: 1
  8559. pattern: ^[-._a-zA-Z0-9]+$
  8560. type: string
  8561. name:
  8562. description: The name of the Secret resource being referred to.
  8563. maxLength: 253
  8564. minLength: 1
  8565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8566. type: string
  8567. namespace:
  8568. description: |-
  8569. The namespace of the Secret resource being referred to.
  8570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8571. maxLength: 63
  8572. minLength: 1
  8573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8574. type: string
  8575. type: object
  8576. accessType:
  8577. description: |-
  8578. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8579. In some instances, `key` is a required field.
  8580. properties:
  8581. key:
  8582. description: |-
  8583. A key in the referenced Secret.
  8584. Some instances of this field may be defaulted, in others it may be required.
  8585. maxLength: 253
  8586. minLength: 1
  8587. pattern: ^[-._a-zA-Z0-9]+$
  8588. type: string
  8589. name:
  8590. description: The name of the Secret resource being referred to.
  8591. maxLength: 253
  8592. minLength: 1
  8593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8594. type: string
  8595. namespace:
  8596. description: |-
  8597. The namespace of the Secret resource being referred to.
  8598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8599. maxLength: 63
  8600. minLength: 1
  8601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8602. type: string
  8603. type: object
  8604. accessTypeParam:
  8605. description: |-
  8606. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8607. In some instances, `key` is a required field.
  8608. properties:
  8609. key:
  8610. description: |-
  8611. A key in the referenced Secret.
  8612. Some instances of this field may be defaulted, in others it may be required.
  8613. maxLength: 253
  8614. minLength: 1
  8615. pattern: ^[-._a-zA-Z0-9]+$
  8616. type: string
  8617. name:
  8618. description: The name of the Secret resource being referred to.
  8619. maxLength: 253
  8620. minLength: 1
  8621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8622. type: string
  8623. namespace:
  8624. description: |-
  8625. The namespace of the Secret resource being referred to.
  8626. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8627. maxLength: 63
  8628. minLength: 1
  8629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8630. type: string
  8631. type: object
  8632. type: object
  8633. type: object
  8634. caBundle:
  8635. description: |-
  8636. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  8637. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  8638. are used to validate the TLS connection.
  8639. format: byte
  8640. type: string
  8641. caProvider:
  8642. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  8643. properties:
  8644. key:
  8645. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8646. maxLength: 253
  8647. minLength: 1
  8648. pattern: ^[-._a-zA-Z0-9]+$
  8649. type: string
  8650. name:
  8651. description: The name of the object located at the provider type.
  8652. maxLength: 253
  8653. minLength: 1
  8654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8655. type: string
  8656. namespace:
  8657. description: |-
  8658. The namespace the Provider type is in.
  8659. Can only be defined when used in a ClusterSecretStore.
  8660. maxLength: 63
  8661. minLength: 1
  8662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8663. type: string
  8664. type:
  8665. description: The type of provider to use such as "Secret", or "ConfigMap".
  8666. enum:
  8667. - Secret
  8668. - ConfigMap
  8669. type: string
  8670. required:
  8671. - name
  8672. - type
  8673. type: object
  8674. required:
  8675. - akeylessGWApiURL
  8676. - authSecretRef
  8677. type: object
  8678. alibaba:
  8679. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  8680. properties:
  8681. auth:
  8682. description: AlibabaAuth contains a secretRef for credentials.
  8683. properties:
  8684. rrsa:
  8685. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  8686. properties:
  8687. oidcProviderArn:
  8688. type: string
  8689. oidcTokenFilePath:
  8690. type: string
  8691. roleArn:
  8692. type: string
  8693. sessionName:
  8694. type: string
  8695. required:
  8696. - oidcProviderArn
  8697. - oidcTokenFilePath
  8698. - roleArn
  8699. - sessionName
  8700. type: object
  8701. secretRef:
  8702. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  8703. properties:
  8704. accessKeyIDSecretRef:
  8705. description: The AccessKeyID is used for authentication
  8706. properties:
  8707. key:
  8708. description: |-
  8709. A key in the referenced Secret.
  8710. Some instances of this field may be defaulted, in others it may be required.
  8711. maxLength: 253
  8712. minLength: 1
  8713. pattern: ^[-._a-zA-Z0-9]+$
  8714. type: string
  8715. name:
  8716. description: The name of the Secret resource being referred to.
  8717. maxLength: 253
  8718. minLength: 1
  8719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8720. type: string
  8721. namespace:
  8722. description: |-
  8723. The namespace of the Secret resource being referred to.
  8724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8725. maxLength: 63
  8726. minLength: 1
  8727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8728. type: string
  8729. type: object
  8730. accessKeySecretSecretRef:
  8731. description: The AccessKeySecret is used for authentication
  8732. properties:
  8733. key:
  8734. description: |-
  8735. A key in the referenced Secret.
  8736. Some instances of this field may be defaulted, in others it may be required.
  8737. maxLength: 253
  8738. minLength: 1
  8739. pattern: ^[-._a-zA-Z0-9]+$
  8740. type: string
  8741. name:
  8742. description: The name of the Secret resource being referred to.
  8743. maxLength: 253
  8744. minLength: 1
  8745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8746. type: string
  8747. namespace:
  8748. description: |-
  8749. The namespace of the Secret resource being referred to.
  8750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8751. maxLength: 63
  8752. minLength: 1
  8753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8754. type: string
  8755. type: object
  8756. required:
  8757. - accessKeyIDSecretRef
  8758. - accessKeySecretSecretRef
  8759. type: object
  8760. type: object
  8761. regionID:
  8762. description: Alibaba Region to be used for the provider
  8763. type: string
  8764. required:
  8765. - auth
  8766. - regionID
  8767. type: object
  8768. aws:
  8769. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  8770. properties:
  8771. additionalRoles:
  8772. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  8773. items:
  8774. type: string
  8775. type: array
  8776. auth:
  8777. description: |-
  8778. Auth defines the information necessary to authenticate against AWS
  8779. if not set aws sdk will infer credentials from your environment
  8780. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  8781. properties:
  8782. jwt:
  8783. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  8784. properties:
  8785. serviceAccountRef:
  8786. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  8787. properties:
  8788. audiences:
  8789. description: |-
  8790. Audience specifies the `aud` claim for the service account token
  8791. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8792. then this audiences will be appended to the list
  8793. items:
  8794. type: string
  8795. type: array
  8796. name:
  8797. description: The name of the ServiceAccount resource being referred to.
  8798. maxLength: 253
  8799. minLength: 1
  8800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8801. type: string
  8802. namespace:
  8803. description: |-
  8804. Namespace of the resource being referred to.
  8805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8806. maxLength: 63
  8807. minLength: 1
  8808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8809. type: string
  8810. required:
  8811. - name
  8812. type: object
  8813. type: object
  8814. secretRef:
  8815. description: |-
  8816. AWSAuthSecretRef holds secret references for AWS credentials
  8817. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  8818. properties:
  8819. accessKeyIDSecretRef:
  8820. description: The AccessKeyID is used for authentication
  8821. properties:
  8822. key:
  8823. description: |-
  8824. A key in the referenced Secret.
  8825. Some instances of this field may be defaulted, in others it may be required.
  8826. maxLength: 253
  8827. minLength: 1
  8828. pattern: ^[-._a-zA-Z0-9]+$
  8829. type: string
  8830. name:
  8831. description: The name of the Secret resource being referred to.
  8832. maxLength: 253
  8833. minLength: 1
  8834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8835. type: string
  8836. namespace:
  8837. description: |-
  8838. The namespace of the Secret resource being referred to.
  8839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8840. maxLength: 63
  8841. minLength: 1
  8842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8843. type: string
  8844. type: object
  8845. secretAccessKeySecretRef:
  8846. description: The SecretAccessKey is used for authentication
  8847. properties:
  8848. key:
  8849. description: |-
  8850. A key in the referenced Secret.
  8851. Some instances of this field may be defaulted, in others it may be required.
  8852. maxLength: 253
  8853. minLength: 1
  8854. pattern: ^[-._a-zA-Z0-9]+$
  8855. type: string
  8856. name:
  8857. description: The name of the Secret resource being referred to.
  8858. maxLength: 253
  8859. minLength: 1
  8860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8861. type: string
  8862. namespace:
  8863. description: |-
  8864. The namespace of the Secret resource being referred to.
  8865. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8866. maxLength: 63
  8867. minLength: 1
  8868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8869. type: string
  8870. type: object
  8871. sessionTokenSecretRef:
  8872. description: |-
  8873. The SessionToken used for authentication
  8874. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  8875. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  8876. properties:
  8877. key:
  8878. description: |-
  8879. A key in the referenced Secret.
  8880. Some instances of this field may be defaulted, in others it may be required.
  8881. maxLength: 253
  8882. minLength: 1
  8883. pattern: ^[-._a-zA-Z0-9]+$
  8884. type: string
  8885. name:
  8886. description: The name of the Secret resource being referred to.
  8887. maxLength: 253
  8888. minLength: 1
  8889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8890. type: string
  8891. namespace:
  8892. description: |-
  8893. The namespace of the Secret resource being referred to.
  8894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8895. maxLength: 63
  8896. minLength: 1
  8897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8898. type: string
  8899. type: object
  8900. type: object
  8901. type: object
  8902. externalID:
  8903. description: AWS External ID set on assumed IAM roles
  8904. type: string
  8905. prefix:
  8906. description: Prefix adds a prefix to all retrieved values.
  8907. type: string
  8908. region:
  8909. description: AWS Region to be used for the provider
  8910. type: string
  8911. role:
  8912. description: Role is a Role ARN which the provider will assume
  8913. type: string
  8914. secretsManager:
  8915. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  8916. properties:
  8917. forceDeleteWithoutRecovery:
  8918. description: |-
  8919. Specifies whether to delete the secret without any recovery window. You
  8920. can't use both this parameter and RecoveryWindowInDays in the same call.
  8921. If you don't use either, then by default Secrets Manager uses a 30 day
  8922. recovery window.
  8923. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  8924. type: boolean
  8925. recoveryWindowInDays:
  8926. description: |-
  8927. The number of days from 7 to 30 that Secrets Manager waits before
  8928. permanently deleting the secret. You can't use both this parameter and
  8929. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  8930. then by default Secrets Manager uses a 30 day recovery window.
  8931. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  8932. format: int64
  8933. type: integer
  8934. type: object
  8935. service:
  8936. description: Service defines which service should be used to fetch the secrets
  8937. enum:
  8938. - SecretsManager
  8939. - ParameterStore
  8940. type: string
  8941. sessionTags:
  8942. description: AWS STS assume role session tags
  8943. items:
  8944. description: Tag defines a tag key and value for AWS resources.
  8945. properties:
  8946. key:
  8947. type: string
  8948. value:
  8949. type: string
  8950. required:
  8951. - key
  8952. - value
  8953. type: object
  8954. type: array
  8955. transitiveTagKeys:
  8956. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  8957. items:
  8958. type: string
  8959. type: array
  8960. required:
  8961. - region
  8962. - service
  8963. type: object
  8964. azurekv:
  8965. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  8966. properties:
  8967. authSecretRef:
  8968. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  8969. properties:
  8970. clientCertificate:
  8971. description: The Azure ClientCertificate of the service principle used for authentication.
  8972. properties:
  8973. key:
  8974. description: |-
  8975. A key in the referenced Secret.
  8976. Some instances of this field may be defaulted, in others it may be required.
  8977. maxLength: 253
  8978. minLength: 1
  8979. pattern: ^[-._a-zA-Z0-9]+$
  8980. type: string
  8981. name:
  8982. description: The name of the Secret resource being referred to.
  8983. maxLength: 253
  8984. minLength: 1
  8985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8986. type: string
  8987. namespace:
  8988. description: |-
  8989. The namespace of the Secret resource being referred to.
  8990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8991. maxLength: 63
  8992. minLength: 1
  8993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8994. type: string
  8995. type: object
  8996. clientId:
  8997. description: The Azure clientId of the service principle or managed identity used for authentication.
  8998. properties:
  8999. key:
  9000. description: |-
  9001. A key in the referenced Secret.
  9002. Some instances of this field may be defaulted, in others it may be required.
  9003. maxLength: 253
  9004. minLength: 1
  9005. pattern: ^[-._a-zA-Z0-9]+$
  9006. type: string
  9007. name:
  9008. description: The name of the Secret resource being referred to.
  9009. maxLength: 253
  9010. minLength: 1
  9011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9012. type: string
  9013. namespace:
  9014. description: |-
  9015. The namespace of the Secret resource being referred to.
  9016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9017. maxLength: 63
  9018. minLength: 1
  9019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9020. type: string
  9021. type: object
  9022. clientSecret:
  9023. description: The Azure ClientSecret of the service principle used for authentication.
  9024. properties:
  9025. key:
  9026. description: |-
  9027. A key in the referenced Secret.
  9028. Some instances of this field may be defaulted, in others it may be required.
  9029. maxLength: 253
  9030. minLength: 1
  9031. pattern: ^[-._a-zA-Z0-9]+$
  9032. type: string
  9033. name:
  9034. description: The name of the Secret resource being referred to.
  9035. maxLength: 253
  9036. minLength: 1
  9037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9038. type: string
  9039. namespace:
  9040. description: |-
  9041. The namespace of the Secret resource being referred to.
  9042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9043. maxLength: 63
  9044. minLength: 1
  9045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9046. type: string
  9047. type: object
  9048. tenantId:
  9049. description: The Azure tenantId of the managed identity used for authentication.
  9050. properties:
  9051. key:
  9052. description: |-
  9053. A key in the referenced Secret.
  9054. Some instances of this field may be defaulted, in others it may be required.
  9055. maxLength: 253
  9056. minLength: 1
  9057. pattern: ^[-._a-zA-Z0-9]+$
  9058. type: string
  9059. name:
  9060. description: The name of the Secret resource being referred to.
  9061. maxLength: 253
  9062. minLength: 1
  9063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9064. type: string
  9065. namespace:
  9066. description: |-
  9067. The namespace of the Secret resource being referred to.
  9068. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9069. maxLength: 63
  9070. minLength: 1
  9071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9072. type: string
  9073. type: object
  9074. type: object
  9075. authType:
  9076. default: ServicePrincipal
  9077. description: |-
  9078. Auth type defines how to authenticate to the keyvault service.
  9079. Valid values are:
  9080. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9081. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9082. enum:
  9083. - ServicePrincipal
  9084. - ManagedIdentity
  9085. - WorkloadIdentity
  9086. type: string
  9087. environmentType:
  9088. default: PublicCloud
  9089. description: |-
  9090. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9091. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9092. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9093. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9094. enum:
  9095. - PublicCloud
  9096. - USGovernmentCloud
  9097. - ChinaCloud
  9098. - GermanCloud
  9099. type: string
  9100. identityId:
  9101. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  9102. type: string
  9103. serviceAccountRef:
  9104. description: |-
  9105. ServiceAccountRef specified the service account
  9106. that should be used when authenticating with WorkloadIdentity.
  9107. properties:
  9108. audiences:
  9109. description: |-
  9110. Audience specifies the `aud` claim for the service account token
  9111. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9112. then this audiences will be appended to the list
  9113. items:
  9114. type: string
  9115. type: array
  9116. name:
  9117. description: The name of the ServiceAccount resource being referred to.
  9118. maxLength: 253
  9119. minLength: 1
  9120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9121. type: string
  9122. namespace:
  9123. description: |-
  9124. Namespace of the resource being referred to.
  9125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9126. maxLength: 63
  9127. minLength: 1
  9128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9129. type: string
  9130. required:
  9131. - name
  9132. type: object
  9133. tenantId:
  9134. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9135. type: string
  9136. vaultUrl:
  9137. description: Vault Url from which the secrets to be fetched from.
  9138. type: string
  9139. required:
  9140. - vaultUrl
  9141. type: object
  9142. beyondtrust:
  9143. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9144. properties:
  9145. auth:
  9146. description: Auth configures how the operator authenticates with Beyondtrust.
  9147. properties:
  9148. apiKey:
  9149. description: APIKey If not provided then ClientID/ClientSecret become required.
  9150. properties:
  9151. secretRef:
  9152. description: SecretRef references a key in a secret that will be used as value.
  9153. properties:
  9154. key:
  9155. description: |-
  9156. A key in the referenced Secret.
  9157. Some instances of this field may be defaulted, in others it may be required.
  9158. maxLength: 253
  9159. minLength: 1
  9160. pattern: ^[-._a-zA-Z0-9]+$
  9161. type: string
  9162. name:
  9163. description: The name of the Secret resource being referred to.
  9164. maxLength: 253
  9165. minLength: 1
  9166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9167. type: string
  9168. namespace:
  9169. description: |-
  9170. The namespace of the Secret resource being referred to.
  9171. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9172. maxLength: 63
  9173. minLength: 1
  9174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9175. type: string
  9176. type: object
  9177. value:
  9178. description: Value can be specified directly to set a value without using a secret.
  9179. type: string
  9180. type: object
  9181. certificate:
  9182. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9183. properties:
  9184. secretRef:
  9185. description: SecretRef references a key in a secret that will be used as value.
  9186. properties:
  9187. key:
  9188. description: |-
  9189. A key in the referenced Secret.
  9190. Some instances of this field may be defaulted, in others it may be required.
  9191. maxLength: 253
  9192. minLength: 1
  9193. pattern: ^[-._a-zA-Z0-9]+$
  9194. type: string
  9195. name:
  9196. description: The name of the Secret resource being referred to.
  9197. maxLength: 253
  9198. minLength: 1
  9199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9200. type: string
  9201. namespace:
  9202. description: |-
  9203. The namespace of the Secret resource being referred to.
  9204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9205. maxLength: 63
  9206. minLength: 1
  9207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9208. type: string
  9209. type: object
  9210. value:
  9211. description: Value can be specified directly to set a value without using a secret.
  9212. type: string
  9213. type: object
  9214. certificateKey:
  9215. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  9216. properties:
  9217. secretRef:
  9218. description: SecretRef references a key in a secret that will be used as value.
  9219. properties:
  9220. key:
  9221. description: |-
  9222. A key in the referenced Secret.
  9223. Some instances of this field may be defaulted, in others it may be required.
  9224. maxLength: 253
  9225. minLength: 1
  9226. pattern: ^[-._a-zA-Z0-9]+$
  9227. type: string
  9228. name:
  9229. description: The name of the Secret resource being referred to.
  9230. maxLength: 253
  9231. minLength: 1
  9232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9233. type: string
  9234. namespace:
  9235. description: |-
  9236. The namespace of the Secret resource being referred to.
  9237. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9238. maxLength: 63
  9239. minLength: 1
  9240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9241. type: string
  9242. type: object
  9243. value:
  9244. description: Value can be specified directly to set a value without using a secret.
  9245. type: string
  9246. type: object
  9247. clientId:
  9248. description: ClientID is the API OAuth Client ID.
  9249. properties:
  9250. secretRef:
  9251. description: SecretRef references a key in a secret that will be used as value.
  9252. properties:
  9253. key:
  9254. description: |-
  9255. A key in the referenced Secret.
  9256. Some instances of this field may be defaulted, in others it may be required.
  9257. maxLength: 253
  9258. minLength: 1
  9259. pattern: ^[-._a-zA-Z0-9]+$
  9260. type: string
  9261. name:
  9262. description: The name of the Secret resource being referred to.
  9263. maxLength: 253
  9264. minLength: 1
  9265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9266. type: string
  9267. namespace:
  9268. description: |-
  9269. The namespace of the Secret resource being referred to.
  9270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9271. maxLength: 63
  9272. minLength: 1
  9273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9274. type: string
  9275. type: object
  9276. value:
  9277. description: Value can be specified directly to set a value without using a secret.
  9278. type: string
  9279. type: object
  9280. clientSecret:
  9281. description: ClientSecret is the API OAuth Client Secret.
  9282. properties:
  9283. secretRef:
  9284. description: SecretRef references a key in a secret that will be used as value.
  9285. properties:
  9286. key:
  9287. description: |-
  9288. A key in the referenced Secret.
  9289. Some instances of this field may be defaulted, in others it may be required.
  9290. maxLength: 253
  9291. minLength: 1
  9292. pattern: ^[-._a-zA-Z0-9]+$
  9293. type: string
  9294. name:
  9295. description: The name of the Secret resource being referred to.
  9296. maxLength: 253
  9297. minLength: 1
  9298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9299. type: string
  9300. namespace:
  9301. description: |-
  9302. The namespace of the Secret resource being referred to.
  9303. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9304. maxLength: 63
  9305. minLength: 1
  9306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9307. type: string
  9308. type: object
  9309. value:
  9310. description: Value can be specified directly to set a value without using a secret.
  9311. type: string
  9312. type: object
  9313. type: object
  9314. server:
  9315. description: Auth configures how API server works.
  9316. properties:
  9317. apiUrl:
  9318. type: string
  9319. apiVersion:
  9320. type: string
  9321. clientTimeOutSeconds:
  9322. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9323. type: integer
  9324. decrypt:
  9325. default: true
  9326. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9327. type: boolean
  9328. retrievalType:
  9329. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9330. type: string
  9331. separator:
  9332. description: A character that separates the folder names.
  9333. type: string
  9334. verifyCA:
  9335. type: boolean
  9336. required:
  9337. - apiUrl
  9338. - verifyCA
  9339. type: object
  9340. required:
  9341. - auth
  9342. - server
  9343. type: object
  9344. bitwardensecretsmanager:
  9345. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9346. properties:
  9347. apiURL:
  9348. type: string
  9349. auth:
  9350. description: |-
  9351. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9352. Make sure that the token being used has permissions on the given secret.
  9353. properties:
  9354. secretRef:
  9355. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9356. properties:
  9357. credentials:
  9358. description: AccessToken used for the bitwarden instance.
  9359. properties:
  9360. key:
  9361. description: |-
  9362. A key in the referenced Secret.
  9363. Some instances of this field may be defaulted, in others it may be required.
  9364. maxLength: 253
  9365. minLength: 1
  9366. pattern: ^[-._a-zA-Z0-9]+$
  9367. type: string
  9368. name:
  9369. description: The name of the Secret resource being referred to.
  9370. maxLength: 253
  9371. minLength: 1
  9372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9373. type: string
  9374. namespace:
  9375. description: |-
  9376. The namespace of the Secret resource being referred to.
  9377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9378. maxLength: 63
  9379. minLength: 1
  9380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9381. type: string
  9382. type: object
  9383. required:
  9384. - credentials
  9385. type: object
  9386. required:
  9387. - secretRef
  9388. type: object
  9389. bitwardenServerSDKURL:
  9390. type: string
  9391. caBundle:
  9392. description: |-
  9393. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9394. can be performed.
  9395. type: string
  9396. caProvider:
  9397. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9398. properties:
  9399. key:
  9400. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9401. maxLength: 253
  9402. minLength: 1
  9403. pattern: ^[-._a-zA-Z0-9]+$
  9404. type: string
  9405. name:
  9406. description: The name of the object located at the provider type.
  9407. maxLength: 253
  9408. minLength: 1
  9409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9410. type: string
  9411. namespace:
  9412. description: |-
  9413. The namespace the Provider type is in.
  9414. Can only be defined when used in a ClusterSecretStore.
  9415. maxLength: 63
  9416. minLength: 1
  9417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9418. type: string
  9419. type:
  9420. description: The type of provider to use such as "Secret", or "ConfigMap".
  9421. enum:
  9422. - Secret
  9423. - ConfigMap
  9424. type: string
  9425. required:
  9426. - name
  9427. - type
  9428. type: object
  9429. identityURL:
  9430. type: string
  9431. organizationID:
  9432. description: OrganizationID determines which organization this secret store manages.
  9433. type: string
  9434. projectID:
  9435. description: ProjectID determines which project this secret store manages.
  9436. type: string
  9437. required:
  9438. - auth
  9439. - organizationID
  9440. - projectID
  9441. type: object
  9442. chef:
  9443. description: Chef configures this store to sync secrets with chef server
  9444. properties:
  9445. auth:
  9446. description: Auth defines the information necessary to authenticate against chef Server
  9447. properties:
  9448. secretRef:
  9449. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9450. properties:
  9451. privateKeySecretRef:
  9452. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9453. properties:
  9454. key:
  9455. description: |-
  9456. A key in the referenced Secret.
  9457. Some instances of this field may be defaulted, in others it may be required.
  9458. maxLength: 253
  9459. minLength: 1
  9460. pattern: ^[-._a-zA-Z0-9]+$
  9461. type: string
  9462. name:
  9463. description: The name of the Secret resource being referred to.
  9464. maxLength: 253
  9465. minLength: 1
  9466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9467. type: string
  9468. namespace:
  9469. description: |-
  9470. The namespace of the Secret resource being referred to.
  9471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9472. maxLength: 63
  9473. minLength: 1
  9474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9475. type: string
  9476. type: object
  9477. required:
  9478. - privateKeySecretRef
  9479. type: object
  9480. required:
  9481. - secretRef
  9482. type: object
  9483. serverUrl:
  9484. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9485. type: string
  9486. username:
  9487. description: UserName should be the user ID on the chef server
  9488. type: string
  9489. required:
  9490. - auth
  9491. - serverUrl
  9492. - username
  9493. type: object
  9494. cloudrusm:
  9495. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9496. properties:
  9497. auth:
  9498. description: CSMAuth contains a secretRef for credentials.
  9499. properties:
  9500. secretRef:
  9501. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9502. properties:
  9503. accessKeyIDSecretRef:
  9504. description: The AccessKeyID is used for authentication
  9505. properties:
  9506. key:
  9507. description: |-
  9508. A key in the referenced Secret.
  9509. Some instances of this field may be defaulted, in others it may be required.
  9510. maxLength: 253
  9511. minLength: 1
  9512. pattern: ^[-._a-zA-Z0-9]+$
  9513. type: string
  9514. name:
  9515. description: The name of the Secret resource being referred to.
  9516. maxLength: 253
  9517. minLength: 1
  9518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9519. type: string
  9520. namespace:
  9521. description: |-
  9522. The namespace of the Secret resource being referred to.
  9523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9524. maxLength: 63
  9525. minLength: 1
  9526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9527. type: string
  9528. type: object
  9529. accessKeySecretSecretRef:
  9530. description: The AccessKeySecret is used for authentication
  9531. properties:
  9532. key:
  9533. description: |-
  9534. A key in the referenced Secret.
  9535. Some instances of this field may be defaulted, in others it may be required.
  9536. maxLength: 253
  9537. minLength: 1
  9538. pattern: ^[-._a-zA-Z0-9]+$
  9539. type: string
  9540. name:
  9541. description: The name of the Secret resource being referred to.
  9542. maxLength: 253
  9543. minLength: 1
  9544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9545. type: string
  9546. namespace:
  9547. description: |-
  9548. The namespace of the Secret resource being referred to.
  9549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9550. maxLength: 63
  9551. minLength: 1
  9552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9553. type: string
  9554. type: object
  9555. required:
  9556. - accessKeyIDSecretRef
  9557. - accessKeySecretSecretRef
  9558. type: object
  9559. type: object
  9560. projectID:
  9561. description: ProjectID is the project, which the secrets are stored in.
  9562. type: string
  9563. required:
  9564. - auth
  9565. type: object
  9566. conjur:
  9567. description: Conjur configures this store to sync secrets using conjur provider
  9568. properties:
  9569. auth:
  9570. description: Defines authentication settings for connecting to Conjur.
  9571. properties:
  9572. apikey:
  9573. description: Authenticates with Conjur using an API key.
  9574. properties:
  9575. account:
  9576. description: Account is the Conjur organization account name.
  9577. type: string
  9578. apiKeyRef:
  9579. description: |-
  9580. A reference to a specific 'key' containing the Conjur API key
  9581. within a Secret resource. In some instances, `key` is a required field.
  9582. properties:
  9583. key:
  9584. description: |-
  9585. A key in the referenced Secret.
  9586. Some instances of this field may be defaulted, in others it may be required.
  9587. maxLength: 253
  9588. minLength: 1
  9589. pattern: ^[-._a-zA-Z0-9]+$
  9590. type: string
  9591. name:
  9592. description: The name of the Secret resource being referred to.
  9593. maxLength: 253
  9594. minLength: 1
  9595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9596. type: string
  9597. namespace:
  9598. description: |-
  9599. The namespace of the Secret resource being referred to.
  9600. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9601. maxLength: 63
  9602. minLength: 1
  9603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9604. type: string
  9605. type: object
  9606. userRef:
  9607. description: |-
  9608. A reference to a specific 'key' containing the Conjur username
  9609. within a Secret resource. In some instances, `key` is a required field.
  9610. properties:
  9611. key:
  9612. description: |-
  9613. A key in the referenced Secret.
  9614. Some instances of this field may be defaulted, in others it may be required.
  9615. maxLength: 253
  9616. minLength: 1
  9617. pattern: ^[-._a-zA-Z0-9]+$
  9618. type: string
  9619. name:
  9620. description: The name of the Secret resource being referred to.
  9621. maxLength: 253
  9622. minLength: 1
  9623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9624. type: string
  9625. namespace:
  9626. description: |-
  9627. The namespace of the Secret resource being referred to.
  9628. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9629. maxLength: 63
  9630. minLength: 1
  9631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9632. type: string
  9633. type: object
  9634. required:
  9635. - account
  9636. - apiKeyRef
  9637. - userRef
  9638. type: object
  9639. jwt:
  9640. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  9641. properties:
  9642. account:
  9643. description: Account is the Conjur organization account name.
  9644. type: string
  9645. hostId:
  9646. description: |-
  9647. Optional HostID for JWT authentication. This may be used depending
  9648. on how the Conjur JWT authenticator policy is configured.
  9649. type: string
  9650. secretRef:
  9651. description: |-
  9652. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9653. authenticate with Conjur using the JWT authentication method.
  9654. properties:
  9655. key:
  9656. description: |-
  9657. A key in the referenced Secret.
  9658. Some instances of this field may be defaulted, in others it may be required.
  9659. maxLength: 253
  9660. minLength: 1
  9661. pattern: ^[-._a-zA-Z0-9]+$
  9662. type: string
  9663. name:
  9664. description: The name of the Secret resource being referred to.
  9665. maxLength: 253
  9666. minLength: 1
  9667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9668. type: string
  9669. namespace:
  9670. description: |-
  9671. The namespace of the Secret resource being referred to.
  9672. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9673. maxLength: 63
  9674. minLength: 1
  9675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9676. type: string
  9677. type: object
  9678. serviceAccountRef:
  9679. description: |-
  9680. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  9681. a token for with the `TokenRequest` API.
  9682. properties:
  9683. audiences:
  9684. description: |-
  9685. Audience specifies the `aud` claim for the service account token
  9686. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9687. then this audiences will be appended to the list
  9688. items:
  9689. type: string
  9690. type: array
  9691. name:
  9692. description: The name of the ServiceAccount resource being referred to.
  9693. maxLength: 253
  9694. minLength: 1
  9695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9696. type: string
  9697. namespace:
  9698. description: |-
  9699. Namespace of the resource being referred to.
  9700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9701. maxLength: 63
  9702. minLength: 1
  9703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9704. type: string
  9705. required:
  9706. - name
  9707. type: object
  9708. serviceID:
  9709. description: The conjur authn jwt webservice id
  9710. type: string
  9711. required:
  9712. - account
  9713. - serviceID
  9714. type: object
  9715. type: object
  9716. caBundle:
  9717. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  9718. type: string
  9719. caProvider:
  9720. description: |-
  9721. Used to provide custom certificate authority (CA) certificates
  9722. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  9723. that contains a PEM-encoded certificate.
  9724. properties:
  9725. key:
  9726. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9727. maxLength: 253
  9728. minLength: 1
  9729. pattern: ^[-._a-zA-Z0-9]+$
  9730. type: string
  9731. name:
  9732. description: The name of the object located at the provider type.
  9733. maxLength: 253
  9734. minLength: 1
  9735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9736. type: string
  9737. namespace:
  9738. description: |-
  9739. The namespace the Provider type is in.
  9740. Can only be defined when used in a ClusterSecretStore.
  9741. maxLength: 63
  9742. minLength: 1
  9743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9744. type: string
  9745. type:
  9746. description: The type of provider to use such as "Secret", or "ConfigMap".
  9747. enum:
  9748. - Secret
  9749. - ConfigMap
  9750. type: string
  9751. required:
  9752. - name
  9753. - type
  9754. type: object
  9755. url:
  9756. description: URL is the endpoint of the Conjur instance.
  9757. type: string
  9758. required:
  9759. - auth
  9760. - url
  9761. type: object
  9762. delinea:
  9763. description: |-
  9764. Delinea DevOps Secrets Vault
  9765. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  9766. properties:
  9767. clientId:
  9768. description: ClientID is the non-secret part of the credential.
  9769. properties:
  9770. secretRef:
  9771. description: SecretRef references a key in a secret that will be used as value.
  9772. properties:
  9773. key:
  9774. description: |-
  9775. A key in the referenced Secret.
  9776. Some instances of this field may be defaulted, in others it may be required.
  9777. maxLength: 253
  9778. minLength: 1
  9779. pattern: ^[-._a-zA-Z0-9]+$
  9780. type: string
  9781. name:
  9782. description: The name of the Secret resource being referred to.
  9783. maxLength: 253
  9784. minLength: 1
  9785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9786. type: string
  9787. namespace:
  9788. description: |-
  9789. The namespace of the Secret resource being referred to.
  9790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9791. maxLength: 63
  9792. minLength: 1
  9793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9794. type: string
  9795. type: object
  9796. value:
  9797. description: Value can be specified directly to set a value without using a secret.
  9798. type: string
  9799. type: object
  9800. clientSecret:
  9801. description: ClientSecret is the secret part of the credential.
  9802. properties:
  9803. secretRef:
  9804. description: SecretRef references a key in a secret that will be used as value.
  9805. properties:
  9806. key:
  9807. description: |-
  9808. A key in the referenced Secret.
  9809. Some instances of this field may be defaulted, in others it may be required.
  9810. maxLength: 253
  9811. minLength: 1
  9812. pattern: ^[-._a-zA-Z0-9]+$
  9813. type: string
  9814. name:
  9815. description: The name of the Secret resource being referred to.
  9816. maxLength: 253
  9817. minLength: 1
  9818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9819. type: string
  9820. namespace:
  9821. description: |-
  9822. The namespace of the Secret resource being referred to.
  9823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9824. maxLength: 63
  9825. minLength: 1
  9826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9827. type: string
  9828. type: object
  9829. value:
  9830. description: Value can be specified directly to set a value without using a secret.
  9831. type: string
  9832. type: object
  9833. tenant:
  9834. description: Tenant is the chosen hostname / site name.
  9835. type: string
  9836. tld:
  9837. description: |-
  9838. TLD is based on the server location that was chosen during provisioning.
  9839. If unset, defaults to "com".
  9840. type: string
  9841. urlTemplate:
  9842. description: |-
  9843. URLTemplate
  9844. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  9845. type: string
  9846. required:
  9847. - clientId
  9848. - clientSecret
  9849. - tenant
  9850. type: object
  9851. device42:
  9852. description: Device42 configures this store to sync secrets using the Device42 provider
  9853. properties:
  9854. auth:
  9855. description: Auth configures how secret-manager authenticates with a Device42 instance.
  9856. properties:
  9857. secretRef:
  9858. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  9859. properties:
  9860. credentials:
  9861. description: Username / Password is used for authentication.
  9862. properties:
  9863. key:
  9864. description: |-
  9865. A key in the referenced Secret.
  9866. Some instances of this field may be defaulted, in others it may be required.
  9867. maxLength: 253
  9868. minLength: 1
  9869. pattern: ^[-._a-zA-Z0-9]+$
  9870. type: string
  9871. name:
  9872. description: The name of the Secret resource being referred to.
  9873. maxLength: 253
  9874. minLength: 1
  9875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9876. type: string
  9877. namespace:
  9878. description: |-
  9879. The namespace of the Secret resource being referred to.
  9880. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9881. maxLength: 63
  9882. minLength: 1
  9883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9884. type: string
  9885. type: object
  9886. type: object
  9887. required:
  9888. - secretRef
  9889. type: object
  9890. host:
  9891. description: URL configures the Device42 instance URL.
  9892. type: string
  9893. required:
  9894. - auth
  9895. - host
  9896. type: object
  9897. doppler:
  9898. description: Doppler configures this store to sync secrets using the Doppler provider
  9899. properties:
  9900. auth:
  9901. description: Auth configures how the Operator authenticates with the Doppler API
  9902. properties:
  9903. secretRef:
  9904. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  9905. properties:
  9906. dopplerToken:
  9907. description: |-
  9908. The DopplerToken is used for authentication.
  9909. See https://docs.doppler.com/reference/api#authentication for auth token types.
  9910. The Key attribute defaults to dopplerToken if not specified.
  9911. properties:
  9912. key:
  9913. description: |-
  9914. A key in the referenced Secret.
  9915. Some instances of this field may be defaulted, in others it may be required.
  9916. maxLength: 253
  9917. minLength: 1
  9918. pattern: ^[-._a-zA-Z0-9]+$
  9919. type: string
  9920. name:
  9921. description: The name of the Secret resource being referred to.
  9922. maxLength: 253
  9923. minLength: 1
  9924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9925. type: string
  9926. namespace:
  9927. description: |-
  9928. The namespace of the Secret resource being referred to.
  9929. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9930. maxLength: 63
  9931. minLength: 1
  9932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9933. type: string
  9934. type: object
  9935. required:
  9936. - dopplerToken
  9937. type: object
  9938. required:
  9939. - secretRef
  9940. type: object
  9941. config:
  9942. description: Doppler config (required if not using a Service Token)
  9943. type: string
  9944. format:
  9945. description: Format enables the downloading of secrets as a file (string)
  9946. enum:
  9947. - json
  9948. - dotnet-json
  9949. - env
  9950. - yaml
  9951. - docker
  9952. type: string
  9953. nameTransformer:
  9954. description: Environment variable compatible name transforms that change secret names to a different format
  9955. enum:
  9956. - upper-camel
  9957. - camel
  9958. - lower-snake
  9959. - tf-var
  9960. - dotnet-env
  9961. - lower-kebab
  9962. type: string
  9963. project:
  9964. description: Doppler project (required if not using a Service Token)
  9965. type: string
  9966. required:
  9967. - auth
  9968. type: object
  9969. fake:
  9970. description: Fake configures a store with static key/value pairs
  9971. properties:
  9972. data:
  9973. items:
  9974. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  9975. properties:
  9976. key:
  9977. type: string
  9978. value:
  9979. type: string
  9980. version:
  9981. type: string
  9982. required:
  9983. - key
  9984. - value
  9985. type: object
  9986. type: array
  9987. required:
  9988. - data
  9989. type: object
  9990. fortanix:
  9991. description: Fortanix configures this store to sync secrets using the Fortanix provider
  9992. properties:
  9993. apiKey:
  9994. description: APIKey is the API token to access SDKMS Applications.
  9995. properties:
  9996. secretRef:
  9997. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  9998. properties:
  9999. key:
  10000. description: |-
  10001. A key in the referenced Secret.
  10002. Some instances of this field may be defaulted, in others it may be required.
  10003. maxLength: 253
  10004. minLength: 1
  10005. pattern: ^[-._a-zA-Z0-9]+$
  10006. type: string
  10007. name:
  10008. description: The name of the Secret resource being referred to.
  10009. maxLength: 253
  10010. minLength: 1
  10011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10012. type: string
  10013. namespace:
  10014. description: |-
  10015. The namespace of the Secret resource being referred to.
  10016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10017. maxLength: 63
  10018. minLength: 1
  10019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10020. type: string
  10021. type: object
  10022. type: object
  10023. apiUrl:
  10024. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10025. type: string
  10026. type: object
  10027. gcpsm:
  10028. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10029. properties:
  10030. auth:
  10031. description: Auth defines the information necessary to authenticate against GCP
  10032. properties:
  10033. secretRef:
  10034. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10035. properties:
  10036. secretAccessKeySecretRef:
  10037. description: The SecretAccessKey is used for authentication
  10038. properties:
  10039. key:
  10040. description: |-
  10041. A key in the referenced Secret.
  10042. Some instances of this field may be defaulted, in others it may be required.
  10043. maxLength: 253
  10044. minLength: 1
  10045. pattern: ^[-._a-zA-Z0-9]+$
  10046. type: string
  10047. name:
  10048. description: The name of the Secret resource being referred to.
  10049. maxLength: 253
  10050. minLength: 1
  10051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10052. type: string
  10053. namespace:
  10054. description: |-
  10055. The namespace of the Secret resource being referred to.
  10056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10057. maxLength: 63
  10058. minLength: 1
  10059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10060. type: string
  10061. type: object
  10062. type: object
  10063. workloadIdentity:
  10064. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10065. properties:
  10066. clusterLocation:
  10067. description: |-
  10068. ClusterLocation is the location of the cluster
  10069. If not specified, it fetches information from the metadata server
  10070. type: string
  10071. clusterName:
  10072. description: |-
  10073. ClusterName is the name of the cluster
  10074. If not specified, it fetches information from the metadata server
  10075. type: string
  10076. clusterProjectID:
  10077. description: |-
  10078. ClusterProjectID is the project ID of the cluster
  10079. If not specified, it fetches information from the metadata server
  10080. type: string
  10081. serviceAccountRef:
  10082. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10083. properties:
  10084. audiences:
  10085. description: |-
  10086. Audience specifies the `aud` claim for the service account token
  10087. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10088. then this audiences will be appended to the list
  10089. items:
  10090. type: string
  10091. type: array
  10092. name:
  10093. description: The name of the ServiceAccount resource being referred to.
  10094. maxLength: 253
  10095. minLength: 1
  10096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10097. type: string
  10098. namespace:
  10099. description: |-
  10100. Namespace of the resource being referred to.
  10101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10102. maxLength: 63
  10103. minLength: 1
  10104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10105. type: string
  10106. required:
  10107. - name
  10108. type: object
  10109. required:
  10110. - serviceAccountRef
  10111. type: object
  10112. type: object
  10113. location:
  10114. description: Location optionally defines a location for a secret
  10115. type: string
  10116. projectID:
  10117. description: ProjectID project where secret is located
  10118. type: string
  10119. type: object
  10120. github:
  10121. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10122. properties:
  10123. appID:
  10124. description: appID specifies the Github APP that will be used to authenticate the client
  10125. format: int64
  10126. type: integer
  10127. auth:
  10128. description: auth configures how secret-manager authenticates with a Github instance.
  10129. properties:
  10130. privateKey:
  10131. description: |-
  10132. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10133. In some instances, `key` is a required field.
  10134. properties:
  10135. key:
  10136. description: |-
  10137. A key in the referenced Secret.
  10138. Some instances of this field may be defaulted, in others it may be required.
  10139. maxLength: 253
  10140. minLength: 1
  10141. pattern: ^[-._a-zA-Z0-9]+$
  10142. type: string
  10143. name:
  10144. description: The name of the Secret resource being referred to.
  10145. maxLength: 253
  10146. minLength: 1
  10147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10148. type: string
  10149. namespace:
  10150. description: |-
  10151. The namespace of the Secret resource being referred to.
  10152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10153. maxLength: 63
  10154. minLength: 1
  10155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10156. type: string
  10157. type: object
  10158. required:
  10159. - privateKey
  10160. type: object
  10161. environment:
  10162. description: environment will be used to fetch secrets from a particular environment within a github repository
  10163. type: string
  10164. installationID:
  10165. description: installationID specifies the Github APP installation that will be used to authenticate the client
  10166. format: int64
  10167. type: integer
  10168. organization:
  10169. description: organization will be used to fetch secrets from the Github organization
  10170. type: string
  10171. repository:
  10172. description: repository will be used to fetch secrets from the Github repository within an organization
  10173. type: string
  10174. uploadURL:
  10175. description: Upload URL for enterprise instances. Default to URL.
  10176. type: string
  10177. url:
  10178. default: https://github.com/
  10179. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10180. type: string
  10181. required:
  10182. - appID
  10183. - auth
  10184. - installationID
  10185. - organization
  10186. type: object
  10187. gitlab:
  10188. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10189. properties:
  10190. auth:
  10191. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10192. properties:
  10193. SecretRef:
  10194. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10195. properties:
  10196. accessToken:
  10197. description: AccessToken is used for authentication.
  10198. properties:
  10199. key:
  10200. description: |-
  10201. A key in the referenced Secret.
  10202. Some instances of this field may be defaulted, in others it may be required.
  10203. maxLength: 253
  10204. minLength: 1
  10205. pattern: ^[-._a-zA-Z0-9]+$
  10206. type: string
  10207. name:
  10208. description: The name of the Secret resource being referred to.
  10209. maxLength: 253
  10210. minLength: 1
  10211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10212. type: string
  10213. namespace:
  10214. description: |-
  10215. The namespace of the Secret resource being referred to.
  10216. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10217. maxLength: 63
  10218. minLength: 1
  10219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10220. type: string
  10221. type: object
  10222. type: object
  10223. required:
  10224. - SecretRef
  10225. type: object
  10226. caBundle:
  10227. description: |-
  10228. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  10229. can be performed.
  10230. format: byte
  10231. type: string
  10232. caProvider:
  10233. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10234. properties:
  10235. key:
  10236. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10237. maxLength: 253
  10238. minLength: 1
  10239. pattern: ^[-._a-zA-Z0-9]+$
  10240. type: string
  10241. name:
  10242. description: The name of the object located at the provider type.
  10243. maxLength: 253
  10244. minLength: 1
  10245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10246. type: string
  10247. namespace:
  10248. description: |-
  10249. The namespace the Provider type is in.
  10250. Can only be defined when used in a ClusterSecretStore.
  10251. maxLength: 63
  10252. minLength: 1
  10253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10254. type: string
  10255. type:
  10256. description: The type of provider to use such as "Secret", or "ConfigMap".
  10257. enum:
  10258. - Secret
  10259. - ConfigMap
  10260. type: string
  10261. required:
  10262. - name
  10263. - type
  10264. type: object
  10265. environment:
  10266. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10267. type: string
  10268. groupIDs:
  10269. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  10270. items:
  10271. type: string
  10272. type: array
  10273. inheritFromGroups:
  10274. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10275. type: boolean
  10276. projectID:
  10277. description: ProjectID specifies a project where secrets are located.
  10278. type: string
  10279. url:
  10280. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10281. type: string
  10282. required:
  10283. - auth
  10284. type: object
  10285. ibm:
  10286. description: IBM configures this store to sync secrets using IBM Cloud provider
  10287. properties:
  10288. auth:
  10289. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10290. maxProperties: 1
  10291. minProperties: 1
  10292. properties:
  10293. containerAuth:
  10294. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10295. properties:
  10296. iamEndpoint:
  10297. type: string
  10298. profile:
  10299. description: the IBM Trusted Profile
  10300. type: string
  10301. tokenLocation:
  10302. description: Location the token is mounted on the pod
  10303. type: string
  10304. required:
  10305. - profile
  10306. type: object
  10307. secretRef:
  10308. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10309. properties:
  10310. secretApiKeySecretRef:
  10311. description: The SecretAccessKey is used for authentication
  10312. properties:
  10313. key:
  10314. description: |-
  10315. A key in the referenced Secret.
  10316. Some instances of this field may be defaulted, in others it may be required.
  10317. maxLength: 253
  10318. minLength: 1
  10319. pattern: ^[-._a-zA-Z0-9]+$
  10320. type: string
  10321. name:
  10322. description: The name of the Secret resource being referred to.
  10323. maxLength: 253
  10324. minLength: 1
  10325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10326. type: string
  10327. namespace:
  10328. description: |-
  10329. The namespace of the Secret resource being referred to.
  10330. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10331. maxLength: 63
  10332. minLength: 1
  10333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10334. type: string
  10335. type: object
  10336. type: object
  10337. type: object
  10338. serviceUrl:
  10339. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10340. type: string
  10341. required:
  10342. - auth
  10343. type: object
  10344. infisical:
  10345. description: Infisical configures this store to sync secrets using the Infisical provider
  10346. properties:
  10347. auth:
  10348. description: Auth configures how the Operator authenticates with the Infisical API
  10349. properties:
  10350. universalAuthCredentials:
  10351. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10352. properties:
  10353. clientId:
  10354. description: |-
  10355. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10356. In some instances, `key` is a required field.
  10357. properties:
  10358. key:
  10359. description: |-
  10360. A key in the referenced Secret.
  10361. Some instances of this field may be defaulted, in others it may be required.
  10362. maxLength: 253
  10363. minLength: 1
  10364. pattern: ^[-._a-zA-Z0-9]+$
  10365. type: string
  10366. name:
  10367. description: The name of the Secret resource being referred to.
  10368. maxLength: 253
  10369. minLength: 1
  10370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10371. type: string
  10372. namespace:
  10373. description: |-
  10374. The namespace of the Secret resource being referred to.
  10375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10376. maxLength: 63
  10377. minLength: 1
  10378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10379. type: string
  10380. type: object
  10381. clientSecret:
  10382. description: |-
  10383. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10384. In some instances, `key` is a required field.
  10385. properties:
  10386. key:
  10387. description: |-
  10388. A key in the referenced Secret.
  10389. Some instances of this field may be defaulted, in others it may be required.
  10390. maxLength: 253
  10391. minLength: 1
  10392. pattern: ^[-._a-zA-Z0-9]+$
  10393. type: string
  10394. name:
  10395. description: The name of the Secret resource being referred to.
  10396. maxLength: 253
  10397. minLength: 1
  10398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10399. type: string
  10400. namespace:
  10401. description: |-
  10402. The namespace of the Secret resource being referred to.
  10403. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10404. maxLength: 63
  10405. minLength: 1
  10406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10407. type: string
  10408. type: object
  10409. required:
  10410. - clientId
  10411. - clientSecret
  10412. type: object
  10413. type: object
  10414. hostAPI:
  10415. default: https://app.infisical.com/api
  10416. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10417. type: string
  10418. secretsScope:
  10419. description: SecretsScope defines the scope of the secrets within the workspace
  10420. properties:
  10421. environmentSlug:
  10422. description: EnvironmentSlug is the required slug identifier for the environment.
  10423. type: string
  10424. expandSecretReferences:
  10425. default: true
  10426. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10427. type: boolean
  10428. projectSlug:
  10429. description: ProjectSlug is the required slug identifier for the project.
  10430. type: string
  10431. recursive:
  10432. default: false
  10433. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10434. type: boolean
  10435. secretsPath:
  10436. default: /
  10437. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10438. type: string
  10439. required:
  10440. - environmentSlug
  10441. - projectSlug
  10442. type: object
  10443. required:
  10444. - auth
  10445. - secretsScope
  10446. type: object
  10447. keepersecurity:
  10448. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10449. properties:
  10450. authRef:
  10451. description: |-
  10452. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10453. In some instances, `key` is a required field.
  10454. properties:
  10455. key:
  10456. description: |-
  10457. A key in the referenced Secret.
  10458. Some instances of this field may be defaulted, in others it may be required.
  10459. maxLength: 253
  10460. minLength: 1
  10461. pattern: ^[-._a-zA-Z0-9]+$
  10462. type: string
  10463. name:
  10464. description: The name of the Secret resource being referred to.
  10465. maxLength: 253
  10466. minLength: 1
  10467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10468. type: string
  10469. namespace:
  10470. description: |-
  10471. The namespace of the Secret resource being referred to.
  10472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10473. maxLength: 63
  10474. minLength: 1
  10475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10476. type: string
  10477. type: object
  10478. folderID:
  10479. type: string
  10480. required:
  10481. - authRef
  10482. - folderID
  10483. type: object
  10484. kubernetes:
  10485. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10486. properties:
  10487. auth:
  10488. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10489. maxProperties: 1
  10490. minProperties: 1
  10491. properties:
  10492. cert:
  10493. description: has both clientCert and clientKey as secretKeySelector
  10494. properties:
  10495. clientCert:
  10496. description: |-
  10497. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10498. In some instances, `key` is a required field.
  10499. properties:
  10500. key:
  10501. description: |-
  10502. A key in the referenced Secret.
  10503. Some instances of this field may be defaulted, in others it may be required.
  10504. maxLength: 253
  10505. minLength: 1
  10506. pattern: ^[-._a-zA-Z0-9]+$
  10507. type: string
  10508. name:
  10509. description: The name of the Secret resource being referred to.
  10510. maxLength: 253
  10511. minLength: 1
  10512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10513. type: string
  10514. namespace:
  10515. description: |-
  10516. The namespace of the Secret resource being referred to.
  10517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10518. maxLength: 63
  10519. minLength: 1
  10520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10521. type: string
  10522. type: object
  10523. clientKey:
  10524. description: |-
  10525. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10526. In some instances, `key` is a required field.
  10527. properties:
  10528. key:
  10529. description: |-
  10530. A key in the referenced Secret.
  10531. Some instances of this field may be defaulted, in others it may be required.
  10532. maxLength: 253
  10533. minLength: 1
  10534. pattern: ^[-._a-zA-Z0-9]+$
  10535. type: string
  10536. name:
  10537. description: The name of the Secret resource being referred to.
  10538. maxLength: 253
  10539. minLength: 1
  10540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10541. type: string
  10542. namespace:
  10543. description: |-
  10544. The namespace of the Secret resource being referred to.
  10545. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10546. maxLength: 63
  10547. minLength: 1
  10548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10549. type: string
  10550. type: object
  10551. type: object
  10552. serviceAccount:
  10553. description: points to a service account that should be used for authentication
  10554. properties:
  10555. audiences:
  10556. description: |-
  10557. Audience specifies the `aud` claim for the service account token
  10558. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10559. then this audiences will be appended to the list
  10560. items:
  10561. type: string
  10562. type: array
  10563. name:
  10564. description: The name of the ServiceAccount resource being referred to.
  10565. maxLength: 253
  10566. minLength: 1
  10567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10568. type: string
  10569. namespace:
  10570. description: |-
  10571. Namespace of the resource being referred to.
  10572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10573. maxLength: 63
  10574. minLength: 1
  10575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10576. type: string
  10577. required:
  10578. - name
  10579. type: object
  10580. token:
  10581. description: use static token to authenticate with
  10582. properties:
  10583. bearerToken:
  10584. description: |-
  10585. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10586. In some instances, `key` is a required field.
  10587. properties:
  10588. key:
  10589. description: |-
  10590. A key in the referenced Secret.
  10591. Some instances of this field may be defaulted, in others it may be required.
  10592. maxLength: 253
  10593. minLength: 1
  10594. pattern: ^[-._a-zA-Z0-9]+$
  10595. type: string
  10596. name:
  10597. description: The name of the Secret resource being referred to.
  10598. maxLength: 253
  10599. minLength: 1
  10600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10601. type: string
  10602. namespace:
  10603. description: |-
  10604. The namespace of the Secret resource being referred to.
  10605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10606. maxLength: 63
  10607. minLength: 1
  10608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10609. type: string
  10610. type: object
  10611. type: object
  10612. type: object
  10613. authRef:
  10614. description: A reference to a secret that contains the auth information.
  10615. properties:
  10616. key:
  10617. description: |-
  10618. A key in the referenced Secret.
  10619. Some instances of this field may be defaulted, in others it may be required.
  10620. maxLength: 253
  10621. minLength: 1
  10622. pattern: ^[-._a-zA-Z0-9]+$
  10623. type: string
  10624. name:
  10625. description: The name of the Secret resource being referred to.
  10626. maxLength: 253
  10627. minLength: 1
  10628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10629. type: string
  10630. namespace:
  10631. description: |-
  10632. The namespace of the Secret resource being referred to.
  10633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10634. maxLength: 63
  10635. minLength: 1
  10636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10637. type: string
  10638. type: object
  10639. remoteNamespace:
  10640. default: default
  10641. description: Remote namespace to fetch the secrets from
  10642. maxLength: 63
  10643. minLength: 1
  10644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10645. type: string
  10646. server:
  10647. description: configures the Kubernetes server Address.
  10648. properties:
  10649. caBundle:
  10650. description: CABundle is a base64-encoded CA certificate
  10651. format: byte
  10652. type: string
  10653. caProvider:
  10654. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  10655. properties:
  10656. key:
  10657. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10658. maxLength: 253
  10659. minLength: 1
  10660. pattern: ^[-._a-zA-Z0-9]+$
  10661. type: string
  10662. name:
  10663. description: The name of the object located at the provider type.
  10664. maxLength: 253
  10665. minLength: 1
  10666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10667. type: string
  10668. namespace:
  10669. description: |-
  10670. The namespace the Provider type is in.
  10671. Can only be defined when used in a ClusterSecretStore.
  10672. maxLength: 63
  10673. minLength: 1
  10674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10675. type: string
  10676. type:
  10677. description: The type of provider to use such as "Secret", or "ConfigMap".
  10678. enum:
  10679. - Secret
  10680. - ConfigMap
  10681. type: string
  10682. required:
  10683. - name
  10684. - type
  10685. type: object
  10686. url:
  10687. default: kubernetes.default
  10688. description: configures the Kubernetes server Address.
  10689. type: string
  10690. type: object
  10691. type: object
  10692. onboardbase:
  10693. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  10694. properties:
  10695. apiHost:
  10696. default: https://public.onboardbase.com/api/v1/
  10697. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  10698. type: string
  10699. auth:
  10700. description: Auth configures how the Operator authenticates with the Onboardbase API
  10701. properties:
  10702. apiKeyRef:
  10703. description: |-
  10704. OnboardbaseAPIKey is the APIKey generated by an admin account.
  10705. It is used to recognize and authorize access to a project and environment within onboardbase
  10706. properties:
  10707. key:
  10708. description: |-
  10709. A key in the referenced Secret.
  10710. Some instances of this field may be defaulted, in others it may be required.
  10711. maxLength: 253
  10712. minLength: 1
  10713. pattern: ^[-._a-zA-Z0-9]+$
  10714. type: string
  10715. name:
  10716. description: The name of the Secret resource being referred to.
  10717. maxLength: 253
  10718. minLength: 1
  10719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10720. type: string
  10721. namespace:
  10722. description: |-
  10723. The namespace of the Secret resource being referred to.
  10724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10725. maxLength: 63
  10726. minLength: 1
  10727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10728. type: string
  10729. type: object
  10730. passcodeRef:
  10731. description: OnboardbasePasscode is the passcode attached to the API Key
  10732. properties:
  10733. key:
  10734. description: |-
  10735. A key in the referenced Secret.
  10736. Some instances of this field may be defaulted, in others it may be required.
  10737. maxLength: 253
  10738. minLength: 1
  10739. pattern: ^[-._a-zA-Z0-9]+$
  10740. type: string
  10741. name:
  10742. description: The name of the Secret resource being referred to.
  10743. maxLength: 253
  10744. minLength: 1
  10745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10746. type: string
  10747. namespace:
  10748. description: |-
  10749. The namespace of the Secret resource being referred to.
  10750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10751. maxLength: 63
  10752. minLength: 1
  10753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10754. type: string
  10755. type: object
  10756. required:
  10757. - apiKeyRef
  10758. - passcodeRef
  10759. type: object
  10760. environment:
  10761. default: development
  10762. description: Environment is the name of an environmnent within a project to pull the secrets from
  10763. type: string
  10764. project:
  10765. default: development
  10766. description: Project is an onboardbase project that the secrets should be pulled from
  10767. type: string
  10768. required:
  10769. - apiHost
  10770. - auth
  10771. - environment
  10772. - project
  10773. type: object
  10774. onepassword:
  10775. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  10776. properties:
  10777. auth:
  10778. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  10779. properties:
  10780. secretRef:
  10781. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  10782. properties:
  10783. connectTokenSecretRef:
  10784. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  10785. properties:
  10786. key:
  10787. description: |-
  10788. A key in the referenced Secret.
  10789. Some instances of this field may be defaulted, in others it may be required.
  10790. maxLength: 253
  10791. minLength: 1
  10792. pattern: ^[-._a-zA-Z0-9]+$
  10793. type: string
  10794. name:
  10795. description: The name of the Secret resource being referred to.
  10796. maxLength: 253
  10797. minLength: 1
  10798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10799. type: string
  10800. namespace:
  10801. description: |-
  10802. The namespace of the Secret resource being referred to.
  10803. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10804. maxLength: 63
  10805. minLength: 1
  10806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10807. type: string
  10808. type: object
  10809. required:
  10810. - connectTokenSecretRef
  10811. type: object
  10812. required:
  10813. - secretRef
  10814. type: object
  10815. connectHost:
  10816. description: ConnectHost defines the OnePassword Connect Server to connect to
  10817. type: string
  10818. vaults:
  10819. additionalProperties:
  10820. type: integer
  10821. description: Vaults defines which OnePassword vaults to search in which order
  10822. type: object
  10823. required:
  10824. - auth
  10825. - connectHost
  10826. - vaults
  10827. type: object
  10828. oracle:
  10829. description: Oracle configures this store to sync secrets using Oracle Vault provider
  10830. properties:
  10831. auth:
  10832. description: |-
  10833. Auth configures how secret-manager authenticates with the Oracle Vault.
  10834. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  10835. properties:
  10836. secretRef:
  10837. description: SecretRef to pass through sensitive information.
  10838. properties:
  10839. fingerprint:
  10840. description: Fingerprint is the fingerprint of the API private key.
  10841. properties:
  10842. key:
  10843. description: |-
  10844. A key in the referenced Secret.
  10845. Some instances of this field may be defaulted, in others it may be required.
  10846. maxLength: 253
  10847. minLength: 1
  10848. pattern: ^[-._a-zA-Z0-9]+$
  10849. type: string
  10850. name:
  10851. description: The name of the Secret resource being referred to.
  10852. maxLength: 253
  10853. minLength: 1
  10854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10855. type: string
  10856. namespace:
  10857. description: |-
  10858. The namespace of the Secret resource being referred to.
  10859. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10860. maxLength: 63
  10861. minLength: 1
  10862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10863. type: string
  10864. type: object
  10865. privatekey:
  10866. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  10867. properties:
  10868. key:
  10869. description: |-
  10870. A key in the referenced Secret.
  10871. Some instances of this field may be defaulted, in others it may be required.
  10872. maxLength: 253
  10873. minLength: 1
  10874. pattern: ^[-._a-zA-Z0-9]+$
  10875. type: string
  10876. name:
  10877. description: The name of the Secret resource being referred to.
  10878. maxLength: 253
  10879. minLength: 1
  10880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10881. type: string
  10882. namespace:
  10883. description: |-
  10884. The namespace of the Secret resource being referred to.
  10885. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10886. maxLength: 63
  10887. minLength: 1
  10888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10889. type: string
  10890. type: object
  10891. required:
  10892. - fingerprint
  10893. - privatekey
  10894. type: object
  10895. tenancy:
  10896. description: Tenancy is the tenancy OCID where user is located.
  10897. type: string
  10898. user:
  10899. description: User is an access OCID specific to the account.
  10900. type: string
  10901. required:
  10902. - secretRef
  10903. - tenancy
  10904. - user
  10905. type: object
  10906. compartment:
  10907. description: |-
  10908. Compartment is the vault compartment OCID.
  10909. Required for PushSecret
  10910. type: string
  10911. encryptionKey:
  10912. description: |-
  10913. EncryptionKey is the OCID of the encryption key within the vault.
  10914. Required for PushSecret
  10915. type: string
  10916. principalType:
  10917. description: |-
  10918. The type of principal to use for authentication. If left blank, the Auth struct will
  10919. determine the principal type. This optional field must be specified if using
  10920. workload identity.
  10921. enum:
  10922. - ""
  10923. - UserPrincipal
  10924. - InstancePrincipal
  10925. - Workload
  10926. type: string
  10927. region:
  10928. description: Region is the region where vault is located.
  10929. type: string
  10930. serviceAccountRef:
  10931. description: |-
  10932. ServiceAccountRef specified the service account
  10933. that should be used when authenticating with WorkloadIdentity.
  10934. properties:
  10935. audiences:
  10936. description: |-
  10937. Audience specifies the `aud` claim for the service account token
  10938. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10939. then this audiences will be appended to the list
  10940. items:
  10941. type: string
  10942. type: array
  10943. name:
  10944. description: The name of the ServiceAccount resource being referred to.
  10945. maxLength: 253
  10946. minLength: 1
  10947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10948. type: string
  10949. namespace:
  10950. description: |-
  10951. Namespace of the resource being referred to.
  10952. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10953. maxLength: 63
  10954. minLength: 1
  10955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10956. type: string
  10957. required:
  10958. - name
  10959. type: object
  10960. vault:
  10961. description: Vault is the vault's OCID of the specific vault where secret is located.
  10962. type: string
  10963. required:
  10964. - region
  10965. - vault
  10966. type: object
  10967. passbolt:
  10968. description: PassboltProvider defines configuration for the Passbolt provider.
  10969. properties:
  10970. auth:
  10971. description: Auth defines the information necessary to authenticate against Passbolt Server
  10972. properties:
  10973. passwordSecretRef:
  10974. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  10975. properties:
  10976. key:
  10977. description: |-
  10978. A key in the referenced Secret.
  10979. Some instances of this field may be defaulted, in others it may be required.
  10980. maxLength: 253
  10981. minLength: 1
  10982. pattern: ^[-._a-zA-Z0-9]+$
  10983. type: string
  10984. name:
  10985. description: The name of the Secret resource being referred to.
  10986. maxLength: 253
  10987. minLength: 1
  10988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10989. type: string
  10990. namespace:
  10991. description: |-
  10992. The namespace of the Secret resource being referred to.
  10993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10994. maxLength: 63
  10995. minLength: 1
  10996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10997. type: string
  10998. type: object
  10999. privateKeySecretRef:
  11000. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11001. properties:
  11002. key:
  11003. description: |-
  11004. A key in the referenced Secret.
  11005. Some instances of this field may be defaulted, in others it may be required.
  11006. maxLength: 253
  11007. minLength: 1
  11008. pattern: ^[-._a-zA-Z0-9]+$
  11009. type: string
  11010. name:
  11011. description: The name of the Secret resource being referred to.
  11012. maxLength: 253
  11013. minLength: 1
  11014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11015. type: string
  11016. namespace:
  11017. description: |-
  11018. The namespace of the Secret resource being referred to.
  11019. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11020. maxLength: 63
  11021. minLength: 1
  11022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11023. type: string
  11024. type: object
  11025. required:
  11026. - passwordSecretRef
  11027. - privateKeySecretRef
  11028. type: object
  11029. host:
  11030. description: Host defines the Passbolt Server to connect to
  11031. type: string
  11032. required:
  11033. - auth
  11034. - host
  11035. type: object
  11036. passworddepot:
  11037. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11038. properties:
  11039. auth:
  11040. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11041. properties:
  11042. secretRef:
  11043. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11044. properties:
  11045. credentials:
  11046. description: Username / Password is used for authentication.
  11047. properties:
  11048. key:
  11049. description: |-
  11050. A key in the referenced Secret.
  11051. Some instances of this field may be defaulted, in others it may be required.
  11052. maxLength: 253
  11053. minLength: 1
  11054. pattern: ^[-._a-zA-Z0-9]+$
  11055. type: string
  11056. name:
  11057. description: The name of the Secret resource being referred to.
  11058. maxLength: 253
  11059. minLength: 1
  11060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11061. type: string
  11062. namespace:
  11063. description: |-
  11064. The namespace of the Secret resource being referred to.
  11065. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11066. maxLength: 63
  11067. minLength: 1
  11068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11069. type: string
  11070. type: object
  11071. type: object
  11072. required:
  11073. - secretRef
  11074. type: object
  11075. database:
  11076. description: Database to use as source
  11077. type: string
  11078. host:
  11079. description: URL configures the Password Depot instance URL.
  11080. type: string
  11081. required:
  11082. - auth
  11083. - database
  11084. - host
  11085. type: object
  11086. previder:
  11087. description: Previder configures this store to sync secrets using the Previder provider
  11088. properties:
  11089. auth:
  11090. description: PreviderAuth contains a secretRef for credentials.
  11091. properties:
  11092. secretRef:
  11093. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11094. properties:
  11095. accessToken:
  11096. description: The AccessToken is used for authentication
  11097. properties:
  11098. key:
  11099. description: |-
  11100. A key in the referenced Secret.
  11101. Some instances of this field may be defaulted, in others it may be required.
  11102. maxLength: 253
  11103. minLength: 1
  11104. pattern: ^[-._a-zA-Z0-9]+$
  11105. type: string
  11106. name:
  11107. description: The name of the Secret resource being referred to.
  11108. maxLength: 253
  11109. minLength: 1
  11110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11111. type: string
  11112. namespace:
  11113. description: |-
  11114. The namespace of the Secret resource being referred to.
  11115. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11116. maxLength: 63
  11117. minLength: 1
  11118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11119. type: string
  11120. type: object
  11121. required:
  11122. - accessToken
  11123. type: object
  11124. type: object
  11125. baseUri:
  11126. type: string
  11127. required:
  11128. - auth
  11129. type: object
  11130. pulumi:
  11131. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11132. properties:
  11133. accessToken:
  11134. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11135. properties:
  11136. secretRef:
  11137. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11138. properties:
  11139. key:
  11140. description: |-
  11141. A key in the referenced Secret.
  11142. Some instances of this field may be defaulted, in others it may be required.
  11143. maxLength: 253
  11144. minLength: 1
  11145. pattern: ^[-._a-zA-Z0-9]+$
  11146. type: string
  11147. name:
  11148. description: The name of the Secret resource being referred to.
  11149. maxLength: 253
  11150. minLength: 1
  11151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11152. type: string
  11153. namespace:
  11154. description: |-
  11155. The namespace of the Secret resource being referred to.
  11156. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11157. maxLength: 63
  11158. minLength: 1
  11159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11160. type: string
  11161. type: object
  11162. type: object
  11163. apiUrl:
  11164. default: https://api.pulumi.com/api/esc
  11165. description: APIURL is the URL of the Pulumi API.
  11166. type: string
  11167. environment:
  11168. description: |-
  11169. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  11170. dynamically retrieved values from supported providers including all major clouds,
  11171. and other Pulumi ESC environments.
  11172. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11173. type: string
  11174. organization:
  11175. description: |-
  11176. Organization are a space to collaborate on shared projects and stacks.
  11177. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11178. type: string
  11179. project:
  11180. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11181. type: string
  11182. required:
  11183. - accessToken
  11184. - environment
  11185. - organization
  11186. - project
  11187. type: object
  11188. scaleway:
  11189. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11190. properties:
  11191. accessKey:
  11192. description: AccessKey is the non-secret part of the api key.
  11193. properties:
  11194. secretRef:
  11195. description: SecretRef references a key in a secret that will be used as value.
  11196. properties:
  11197. key:
  11198. description: |-
  11199. A key in the referenced Secret.
  11200. Some instances of this field may be defaulted, in others it may be required.
  11201. maxLength: 253
  11202. minLength: 1
  11203. pattern: ^[-._a-zA-Z0-9]+$
  11204. type: string
  11205. name:
  11206. description: The name of the Secret resource being referred to.
  11207. maxLength: 253
  11208. minLength: 1
  11209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11210. type: string
  11211. namespace:
  11212. description: |-
  11213. The namespace of the Secret resource being referred to.
  11214. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11215. maxLength: 63
  11216. minLength: 1
  11217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11218. type: string
  11219. type: object
  11220. value:
  11221. description: Value can be specified directly to set a value without using a secret.
  11222. type: string
  11223. type: object
  11224. apiUrl:
  11225. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11226. type: string
  11227. projectId:
  11228. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11229. type: string
  11230. region:
  11231. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11232. type: string
  11233. secretKey:
  11234. description: SecretKey is the non-secret part of the api key.
  11235. properties:
  11236. secretRef:
  11237. description: SecretRef references a key in a secret that will be used as value.
  11238. properties:
  11239. key:
  11240. description: |-
  11241. A key in the referenced Secret.
  11242. Some instances of this field may be defaulted, in others it may be required.
  11243. maxLength: 253
  11244. minLength: 1
  11245. pattern: ^[-._a-zA-Z0-9]+$
  11246. type: string
  11247. name:
  11248. description: The name of the Secret resource being referred to.
  11249. maxLength: 253
  11250. minLength: 1
  11251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11252. type: string
  11253. namespace:
  11254. description: |-
  11255. The namespace of the Secret resource being referred to.
  11256. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11257. maxLength: 63
  11258. minLength: 1
  11259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11260. type: string
  11261. type: object
  11262. value:
  11263. description: Value can be specified directly to set a value without using a secret.
  11264. type: string
  11265. type: object
  11266. required:
  11267. - accessKey
  11268. - projectId
  11269. - region
  11270. - secretKey
  11271. type: object
  11272. secretserver:
  11273. description: |-
  11274. SecretServer configures this store to sync secrets using SecretServer provider
  11275. https://docs.delinea.com/online-help/secret-server/start.htm
  11276. properties:
  11277. password:
  11278. description: Password is the secret server account password.
  11279. properties:
  11280. secretRef:
  11281. description: SecretRef references a key in a secret that will be used as value.
  11282. properties:
  11283. key:
  11284. description: |-
  11285. A key in the referenced Secret.
  11286. Some instances of this field may be defaulted, in others it may be required.
  11287. maxLength: 253
  11288. minLength: 1
  11289. pattern: ^[-._a-zA-Z0-9]+$
  11290. type: string
  11291. name:
  11292. description: The name of the Secret resource being referred to.
  11293. maxLength: 253
  11294. minLength: 1
  11295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11296. type: string
  11297. namespace:
  11298. description: |-
  11299. The namespace of the Secret resource being referred to.
  11300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11301. maxLength: 63
  11302. minLength: 1
  11303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11304. type: string
  11305. type: object
  11306. value:
  11307. description: Value can be specified directly to set a value without using a secret.
  11308. type: string
  11309. type: object
  11310. serverURL:
  11311. description: |-
  11312. ServerURL
  11313. URL to your secret server installation
  11314. type: string
  11315. username:
  11316. description: Username is the secret server account username.
  11317. properties:
  11318. secretRef:
  11319. description: SecretRef references a key in a secret that will be used as value.
  11320. properties:
  11321. key:
  11322. description: |-
  11323. A key in the referenced Secret.
  11324. Some instances of this field may be defaulted, in others it may be required.
  11325. maxLength: 253
  11326. minLength: 1
  11327. pattern: ^[-._a-zA-Z0-9]+$
  11328. type: string
  11329. name:
  11330. description: The name of the Secret resource being referred to.
  11331. maxLength: 253
  11332. minLength: 1
  11333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11334. type: string
  11335. namespace:
  11336. description: |-
  11337. The namespace of the Secret resource being referred to.
  11338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11339. maxLength: 63
  11340. minLength: 1
  11341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11342. type: string
  11343. type: object
  11344. value:
  11345. description: Value can be specified directly to set a value without using a secret.
  11346. type: string
  11347. type: object
  11348. required:
  11349. - password
  11350. - serverURL
  11351. - username
  11352. type: object
  11353. senhasegura:
  11354. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11355. properties:
  11356. auth:
  11357. description: Auth defines parameters to authenticate in senhasegura
  11358. properties:
  11359. clientId:
  11360. type: string
  11361. clientSecretSecretRef:
  11362. description: |-
  11363. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11364. In some instances, `key` is a required field.
  11365. properties:
  11366. key:
  11367. description: |-
  11368. A key in the referenced Secret.
  11369. Some instances of this field may be defaulted, in others it may be required.
  11370. maxLength: 253
  11371. minLength: 1
  11372. pattern: ^[-._a-zA-Z0-9]+$
  11373. type: string
  11374. name:
  11375. description: The name of the Secret resource being referred to.
  11376. maxLength: 253
  11377. minLength: 1
  11378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11379. type: string
  11380. namespace:
  11381. description: |-
  11382. The namespace of the Secret resource being referred to.
  11383. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11384. maxLength: 63
  11385. minLength: 1
  11386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11387. type: string
  11388. type: object
  11389. required:
  11390. - clientId
  11391. - clientSecretSecretRef
  11392. type: object
  11393. ignoreSslCertificate:
  11394. default: false
  11395. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11396. type: boolean
  11397. module:
  11398. description: Module defines which senhasegura module should be used to get secrets
  11399. type: string
  11400. url:
  11401. description: URL of senhasegura
  11402. type: string
  11403. required:
  11404. - auth
  11405. - module
  11406. - url
  11407. type: object
  11408. vault:
  11409. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11410. properties:
  11411. auth:
  11412. description: Auth configures how secret-manager authenticates with the Vault server.
  11413. properties:
  11414. appRole:
  11415. description: |-
  11416. AppRole authenticates with Vault using the App Role auth mechanism,
  11417. with the role and secret stored in a Kubernetes Secret resource.
  11418. properties:
  11419. path:
  11420. default: approle
  11421. description: |-
  11422. Path where the App Role authentication backend is mounted
  11423. in Vault, e.g: "approle"
  11424. type: string
  11425. roleId:
  11426. description: |-
  11427. RoleID configured in the App Role authentication backend when setting
  11428. up the authentication backend in Vault.
  11429. type: string
  11430. roleRef:
  11431. description: |-
  11432. Reference to a key in a Secret that contains the App Role ID used
  11433. to authenticate with Vault.
  11434. The `key` field must be specified and denotes which entry within the Secret
  11435. resource is used as the app role id.
  11436. properties:
  11437. key:
  11438. description: |-
  11439. A key in the referenced Secret.
  11440. Some instances of this field may be defaulted, in others it may be required.
  11441. maxLength: 253
  11442. minLength: 1
  11443. pattern: ^[-._a-zA-Z0-9]+$
  11444. type: string
  11445. name:
  11446. description: The name of the Secret resource being referred to.
  11447. maxLength: 253
  11448. minLength: 1
  11449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11450. type: string
  11451. namespace:
  11452. description: |-
  11453. The namespace of the Secret resource being referred to.
  11454. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11455. maxLength: 63
  11456. minLength: 1
  11457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11458. type: string
  11459. type: object
  11460. secretRef:
  11461. description: |-
  11462. Reference to a key in a Secret that contains the App Role secret used
  11463. to authenticate with Vault.
  11464. The `key` field must be specified and denotes which entry within the Secret
  11465. resource is used as the app role secret.
  11466. properties:
  11467. key:
  11468. description: |-
  11469. A key in the referenced Secret.
  11470. Some instances of this field may be defaulted, in others it may be required.
  11471. maxLength: 253
  11472. minLength: 1
  11473. pattern: ^[-._a-zA-Z0-9]+$
  11474. type: string
  11475. name:
  11476. description: The name of the Secret resource being referred to.
  11477. maxLength: 253
  11478. minLength: 1
  11479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11480. type: string
  11481. namespace:
  11482. description: |-
  11483. The namespace of the Secret resource being referred to.
  11484. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11485. maxLength: 63
  11486. minLength: 1
  11487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11488. type: string
  11489. type: object
  11490. required:
  11491. - path
  11492. - secretRef
  11493. type: object
  11494. cert:
  11495. description: |-
  11496. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11497. Cert authentication method
  11498. properties:
  11499. clientCert:
  11500. description: |-
  11501. ClientCert is a certificate to authenticate using the Cert Vault
  11502. authentication method
  11503. properties:
  11504. key:
  11505. description: |-
  11506. A key in the referenced Secret.
  11507. Some instances of this field may be defaulted, in others it may be required.
  11508. maxLength: 253
  11509. minLength: 1
  11510. pattern: ^[-._a-zA-Z0-9]+$
  11511. type: string
  11512. name:
  11513. description: The name of the Secret resource being referred to.
  11514. maxLength: 253
  11515. minLength: 1
  11516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11517. type: string
  11518. namespace:
  11519. description: |-
  11520. The namespace of the Secret resource being referred to.
  11521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11522. maxLength: 63
  11523. minLength: 1
  11524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11525. type: string
  11526. type: object
  11527. secretRef:
  11528. description: |-
  11529. SecretRef to a key in a Secret resource containing client private key to
  11530. authenticate with Vault using the Cert authentication method
  11531. properties:
  11532. key:
  11533. description: |-
  11534. A key in the referenced Secret.
  11535. Some instances of this field may be defaulted, in others it may be required.
  11536. maxLength: 253
  11537. minLength: 1
  11538. pattern: ^[-._a-zA-Z0-9]+$
  11539. type: string
  11540. name:
  11541. description: The name of the Secret resource being referred to.
  11542. maxLength: 253
  11543. minLength: 1
  11544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11545. type: string
  11546. namespace:
  11547. description: |-
  11548. The namespace of the Secret resource being referred to.
  11549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11550. maxLength: 63
  11551. minLength: 1
  11552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11553. type: string
  11554. type: object
  11555. type: object
  11556. iam:
  11557. description: |-
  11558. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  11559. AWS IAM authentication method
  11560. properties:
  11561. externalID:
  11562. description: AWS External ID set on assumed IAM roles
  11563. type: string
  11564. jwt:
  11565. description: Specify a service account with IRSA enabled
  11566. properties:
  11567. serviceAccountRef:
  11568. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  11569. properties:
  11570. audiences:
  11571. description: |-
  11572. Audience specifies the `aud` claim for the service account token
  11573. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11574. then this audiences will be appended to the list
  11575. items:
  11576. type: string
  11577. type: array
  11578. name:
  11579. description: The name of the ServiceAccount resource being referred to.
  11580. maxLength: 253
  11581. minLength: 1
  11582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11583. type: string
  11584. namespace:
  11585. description: |-
  11586. Namespace of the resource being referred to.
  11587. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11588. maxLength: 63
  11589. minLength: 1
  11590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11591. type: string
  11592. required:
  11593. - name
  11594. type: object
  11595. type: object
  11596. path:
  11597. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11598. type: string
  11599. region:
  11600. description: AWS region
  11601. type: string
  11602. role:
  11603. description: This is the AWS role to be assumed before talking to vault
  11604. type: string
  11605. secretRef:
  11606. description: Specify credentials in a Secret object
  11607. properties:
  11608. accessKeyIDSecretRef:
  11609. description: The AccessKeyID is used for authentication
  11610. properties:
  11611. key:
  11612. description: |-
  11613. A key in the referenced Secret.
  11614. Some instances of this field may be defaulted, in others it may be required.
  11615. maxLength: 253
  11616. minLength: 1
  11617. pattern: ^[-._a-zA-Z0-9]+$
  11618. type: string
  11619. name:
  11620. description: The name of the Secret resource being referred to.
  11621. maxLength: 253
  11622. minLength: 1
  11623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11624. type: string
  11625. namespace:
  11626. description: |-
  11627. The namespace of the Secret resource being referred to.
  11628. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11629. maxLength: 63
  11630. minLength: 1
  11631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11632. type: string
  11633. type: object
  11634. secretAccessKeySecretRef:
  11635. description: The SecretAccessKey is used for authentication
  11636. properties:
  11637. key:
  11638. description: |-
  11639. A key in the referenced Secret.
  11640. Some instances of this field may be defaulted, in others it may be required.
  11641. maxLength: 253
  11642. minLength: 1
  11643. pattern: ^[-._a-zA-Z0-9]+$
  11644. type: string
  11645. name:
  11646. description: The name of the Secret resource being referred to.
  11647. maxLength: 253
  11648. minLength: 1
  11649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11650. type: string
  11651. namespace:
  11652. description: |-
  11653. The namespace of the Secret resource being referred to.
  11654. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11655. maxLength: 63
  11656. minLength: 1
  11657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11658. type: string
  11659. type: object
  11660. sessionTokenSecretRef:
  11661. description: |-
  11662. The SessionToken used for authentication
  11663. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11664. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11665. properties:
  11666. key:
  11667. description: |-
  11668. A key in the referenced Secret.
  11669. Some instances of this field may be defaulted, in others it may be required.
  11670. maxLength: 253
  11671. minLength: 1
  11672. pattern: ^[-._a-zA-Z0-9]+$
  11673. type: string
  11674. name:
  11675. description: The name of the Secret resource being referred to.
  11676. maxLength: 253
  11677. minLength: 1
  11678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11679. type: string
  11680. namespace:
  11681. description: |-
  11682. The namespace of the Secret resource being referred to.
  11683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11684. maxLength: 63
  11685. minLength: 1
  11686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11687. type: string
  11688. type: object
  11689. type: object
  11690. vaultAwsIamServerID:
  11691. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11692. type: string
  11693. vaultRole:
  11694. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  11695. type: string
  11696. required:
  11697. - vaultRole
  11698. type: object
  11699. jwt:
  11700. description: |-
  11701. Jwt authenticates with Vault by passing role and JWT token using the
  11702. JWT/OIDC authentication method
  11703. properties:
  11704. kubernetesServiceAccountToken:
  11705. description: |-
  11706. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11707. a token for with the `TokenRequest` API.
  11708. properties:
  11709. audiences:
  11710. description: |-
  11711. Optional audiences field that will be used to request a temporary Kubernetes service
  11712. account token for the service account referenced by `serviceAccountRef`.
  11713. Defaults to a single audience `vault` it not specified.
  11714. Deprecated: use serviceAccountRef.Audiences instead
  11715. items:
  11716. type: string
  11717. type: array
  11718. expirationSeconds:
  11719. description: |-
  11720. Optional expiration time in seconds that will be used to request a temporary
  11721. Kubernetes service account token for the service account referenced by
  11722. `serviceAccountRef`.
  11723. Deprecated: this will be removed in the future.
  11724. Defaults to 10 minutes.
  11725. format: int64
  11726. type: integer
  11727. serviceAccountRef:
  11728. description: Service account field containing the name of a kubernetes ServiceAccount.
  11729. properties:
  11730. audiences:
  11731. description: |-
  11732. Audience specifies the `aud` claim for the service account token
  11733. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11734. then this audiences will be appended to the list
  11735. items:
  11736. type: string
  11737. type: array
  11738. name:
  11739. description: The name of the ServiceAccount resource being referred to.
  11740. maxLength: 253
  11741. minLength: 1
  11742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11743. type: string
  11744. namespace:
  11745. description: |-
  11746. Namespace of the resource being referred to.
  11747. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11748. maxLength: 63
  11749. minLength: 1
  11750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11751. type: string
  11752. required:
  11753. - name
  11754. type: object
  11755. required:
  11756. - serviceAccountRef
  11757. type: object
  11758. path:
  11759. default: jwt
  11760. description: |-
  11761. Path where the JWT authentication backend is mounted
  11762. in Vault, e.g: "jwt"
  11763. type: string
  11764. role:
  11765. description: |-
  11766. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11767. authentication method
  11768. type: string
  11769. secretRef:
  11770. description: |-
  11771. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11772. authenticate with Vault using the JWT/OIDC authentication method.
  11773. properties:
  11774. key:
  11775. description: |-
  11776. A key in the referenced Secret.
  11777. Some instances of this field may be defaulted, in others it may be required.
  11778. maxLength: 253
  11779. minLength: 1
  11780. pattern: ^[-._a-zA-Z0-9]+$
  11781. type: string
  11782. name:
  11783. description: The name of the Secret resource being referred to.
  11784. maxLength: 253
  11785. minLength: 1
  11786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11787. type: string
  11788. namespace:
  11789. description: |-
  11790. The namespace of the Secret resource being referred to.
  11791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11792. maxLength: 63
  11793. minLength: 1
  11794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11795. type: string
  11796. type: object
  11797. required:
  11798. - path
  11799. type: object
  11800. kubernetes:
  11801. description: |-
  11802. Kubernetes authenticates with Vault by passing the ServiceAccount
  11803. token stored in the named Secret resource to the Vault server.
  11804. properties:
  11805. mountPath:
  11806. default: kubernetes
  11807. description: |-
  11808. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11809. "kubernetes"
  11810. type: string
  11811. role:
  11812. description: |-
  11813. A required field containing the Vault Role to assume. A Role binds a
  11814. Kubernetes ServiceAccount with a set of Vault policies.
  11815. type: string
  11816. secretRef:
  11817. description: |-
  11818. Optional secret field containing a Kubernetes ServiceAccount JWT used
  11819. for authenticating with Vault. If a name is specified without a key,
  11820. `token` is the default. If one is not specified, the one bound to
  11821. the controller will be used.
  11822. properties:
  11823. key:
  11824. description: |-
  11825. A key in the referenced Secret.
  11826. Some instances of this field may be defaulted, in others it may be required.
  11827. maxLength: 253
  11828. minLength: 1
  11829. pattern: ^[-._a-zA-Z0-9]+$
  11830. type: string
  11831. name:
  11832. description: The name of the Secret resource being referred to.
  11833. maxLength: 253
  11834. minLength: 1
  11835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11836. type: string
  11837. namespace:
  11838. description: |-
  11839. The namespace of the Secret resource being referred to.
  11840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11841. maxLength: 63
  11842. minLength: 1
  11843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11844. type: string
  11845. type: object
  11846. serviceAccountRef:
  11847. description: |-
  11848. Optional service account field containing the name of a kubernetes ServiceAccount.
  11849. If the service account is specified, the service account secret token JWT will be used
  11850. for authenticating with Vault. If the service account selector is not supplied,
  11851. the secretRef will be used instead.
  11852. properties:
  11853. audiences:
  11854. description: |-
  11855. Audience specifies the `aud` claim for the service account token
  11856. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11857. then this audiences will be appended to the list
  11858. items:
  11859. type: string
  11860. type: array
  11861. name:
  11862. description: The name of the ServiceAccount resource being referred to.
  11863. maxLength: 253
  11864. minLength: 1
  11865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11866. type: string
  11867. namespace:
  11868. description: |-
  11869. Namespace of the resource being referred to.
  11870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11871. maxLength: 63
  11872. minLength: 1
  11873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11874. type: string
  11875. required:
  11876. - name
  11877. type: object
  11878. required:
  11879. - mountPath
  11880. - role
  11881. type: object
  11882. ldap:
  11883. description: |-
  11884. Ldap authenticates with Vault by passing username/password pair using
  11885. the LDAP authentication method
  11886. properties:
  11887. path:
  11888. default: ldap
  11889. description: |-
  11890. Path where the LDAP authentication backend is mounted
  11891. in Vault, e.g: "ldap"
  11892. type: string
  11893. secretRef:
  11894. description: |-
  11895. SecretRef to a key in a Secret resource containing password for the LDAP
  11896. user used to authenticate with Vault using the LDAP authentication
  11897. method
  11898. properties:
  11899. key:
  11900. description: |-
  11901. A key in the referenced Secret.
  11902. Some instances of this field may be defaulted, in others it may be required.
  11903. maxLength: 253
  11904. minLength: 1
  11905. pattern: ^[-._a-zA-Z0-9]+$
  11906. type: string
  11907. name:
  11908. description: The name of the Secret resource being referred to.
  11909. maxLength: 253
  11910. minLength: 1
  11911. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11912. type: string
  11913. namespace:
  11914. description: |-
  11915. The namespace of the Secret resource being referred to.
  11916. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11917. maxLength: 63
  11918. minLength: 1
  11919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11920. type: string
  11921. type: object
  11922. username:
  11923. description: |-
  11924. Username is an LDAP username used to authenticate using the LDAP Vault
  11925. authentication method
  11926. type: string
  11927. required:
  11928. - path
  11929. - username
  11930. type: object
  11931. namespace:
  11932. description: |-
  11933. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  11934. Namespaces is a set of features within Vault Enterprise that allows
  11935. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11936. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11937. This will default to Vault.Namespace field if set, or empty otherwise
  11938. type: string
  11939. tokenSecretRef:
  11940. description: TokenSecretRef authenticates with Vault by presenting a token.
  11941. properties:
  11942. key:
  11943. description: |-
  11944. A key in the referenced Secret.
  11945. Some instances of this field may be defaulted, in others it may be required.
  11946. maxLength: 253
  11947. minLength: 1
  11948. pattern: ^[-._a-zA-Z0-9]+$
  11949. type: string
  11950. name:
  11951. description: The name of the Secret resource being referred to.
  11952. maxLength: 253
  11953. minLength: 1
  11954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11955. type: string
  11956. namespace:
  11957. description: |-
  11958. The namespace of the Secret resource being referred to.
  11959. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11960. maxLength: 63
  11961. minLength: 1
  11962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11963. type: string
  11964. type: object
  11965. userPass:
  11966. description: UserPass authenticates with Vault by passing username/password pair
  11967. properties:
  11968. path:
  11969. default: userpass
  11970. description: |-
  11971. Path where the UserPassword authentication backend is mounted
  11972. in Vault, e.g: "userpass"
  11973. type: string
  11974. secretRef:
  11975. description: |-
  11976. SecretRef to a key in a Secret resource containing password for the
  11977. user used to authenticate with Vault using the UserPass authentication
  11978. method
  11979. properties:
  11980. key:
  11981. description: |-
  11982. A key in the referenced Secret.
  11983. Some instances of this field may be defaulted, in others it may be required.
  11984. maxLength: 253
  11985. minLength: 1
  11986. pattern: ^[-._a-zA-Z0-9]+$
  11987. type: string
  11988. name:
  11989. description: The name of the Secret resource being referred to.
  11990. maxLength: 253
  11991. minLength: 1
  11992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11993. type: string
  11994. namespace:
  11995. description: |-
  11996. The namespace of the Secret resource being referred to.
  11997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11998. maxLength: 63
  11999. minLength: 1
  12000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12001. type: string
  12002. type: object
  12003. username:
  12004. description: |-
  12005. Username is a username used to authenticate using the UserPass Vault
  12006. authentication method
  12007. type: string
  12008. required:
  12009. - path
  12010. - username
  12011. type: object
  12012. type: object
  12013. caBundle:
  12014. description: |-
  12015. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12016. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12017. plain HTTP protocol connection. If not set the system root certificates
  12018. are used to validate the TLS connection.
  12019. format: byte
  12020. type: string
  12021. caProvider:
  12022. description: The provider for the CA bundle to use to validate Vault server certificate.
  12023. properties:
  12024. key:
  12025. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12026. maxLength: 253
  12027. minLength: 1
  12028. pattern: ^[-._a-zA-Z0-9]+$
  12029. type: string
  12030. name:
  12031. description: The name of the object located at the provider type.
  12032. maxLength: 253
  12033. minLength: 1
  12034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12035. type: string
  12036. namespace:
  12037. description: |-
  12038. The namespace the Provider type is in.
  12039. Can only be defined when used in a ClusterSecretStore.
  12040. maxLength: 63
  12041. minLength: 1
  12042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12043. type: string
  12044. type:
  12045. description: The type of provider to use such as "Secret", or "ConfigMap".
  12046. enum:
  12047. - Secret
  12048. - ConfigMap
  12049. type: string
  12050. required:
  12051. - name
  12052. - type
  12053. type: object
  12054. forwardInconsistent:
  12055. description: |-
  12056. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12057. leader instead of simply retrying within a loop. This can increase performance if
  12058. the option is enabled serverside.
  12059. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12060. type: boolean
  12061. headers:
  12062. additionalProperties:
  12063. type: string
  12064. description: Headers to be added in Vault request
  12065. type: object
  12066. namespace:
  12067. description: |-
  12068. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  12069. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12070. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12071. type: string
  12072. path:
  12073. description: |-
  12074. Path is the mount path of the Vault KV backend endpoint, e.g:
  12075. "secret". The v2 KV secret engine version specific "/data" path suffix
  12076. for fetching secrets from Vault is optional and will be appended
  12077. if not present in specified path.
  12078. type: string
  12079. readYourWrites:
  12080. description: |-
  12081. ReadYourWrites ensures isolated read-after-write semantics by
  12082. providing discovered cluster replication states in each request.
  12083. More information about eventual consistency in Vault can be found here
  12084. https://www.vaultproject.io/docs/enterprise/consistency
  12085. type: boolean
  12086. server:
  12087. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12088. type: string
  12089. tls:
  12090. description: |-
  12091. The configuration used for client side related TLS communication, when the Vault server
  12092. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12093. This parameter is ignored for plain HTTP protocol connection.
  12094. It's worth noting this configuration is different from the "TLS certificates auth method",
  12095. which is available under the `auth.cert` section.
  12096. properties:
  12097. certSecretRef:
  12098. description: |-
  12099. CertSecretRef is a certificate added to the transport layer
  12100. when communicating with the Vault server.
  12101. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12102. properties:
  12103. key:
  12104. description: |-
  12105. A key in the referenced Secret.
  12106. Some instances of this field may be defaulted, in others it may be required.
  12107. maxLength: 253
  12108. minLength: 1
  12109. pattern: ^[-._a-zA-Z0-9]+$
  12110. type: string
  12111. name:
  12112. description: The name of the Secret resource being referred to.
  12113. maxLength: 253
  12114. minLength: 1
  12115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12116. type: string
  12117. namespace:
  12118. description: |-
  12119. The namespace of the Secret resource being referred to.
  12120. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12121. maxLength: 63
  12122. minLength: 1
  12123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12124. type: string
  12125. type: object
  12126. keySecretRef:
  12127. description: |-
  12128. KeySecretRef to a key in a Secret resource containing client private key
  12129. added to the transport layer when communicating with the Vault server.
  12130. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12131. properties:
  12132. key:
  12133. description: |-
  12134. A key in the referenced Secret.
  12135. Some instances of this field may be defaulted, in others it may be required.
  12136. maxLength: 253
  12137. minLength: 1
  12138. pattern: ^[-._a-zA-Z0-9]+$
  12139. type: string
  12140. name:
  12141. description: The name of the Secret resource being referred to.
  12142. maxLength: 253
  12143. minLength: 1
  12144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12145. type: string
  12146. namespace:
  12147. description: |-
  12148. The namespace of the Secret resource being referred to.
  12149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12150. maxLength: 63
  12151. minLength: 1
  12152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12153. type: string
  12154. type: object
  12155. type: object
  12156. version:
  12157. default: v2
  12158. description: |-
  12159. Version is the Vault KV secret engine version. This can be either "v1" or
  12160. "v2". Version defaults to "v2".
  12161. enum:
  12162. - v1
  12163. - v2
  12164. type: string
  12165. required:
  12166. - server
  12167. type: object
  12168. webhook:
  12169. description: Webhook configures this store to sync secrets using a generic templated webhook
  12170. properties:
  12171. auth:
  12172. description: Auth specifies a authorization protocol. Only one protocol may be set.
  12173. maxProperties: 1
  12174. minProperties: 1
  12175. properties:
  12176. ntlm:
  12177. description: NTLMProtocol configures the store to use NTLM for auth
  12178. properties:
  12179. passwordSecret:
  12180. description: |-
  12181. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12182. In some instances, `key` is a required field.
  12183. properties:
  12184. key:
  12185. description: |-
  12186. A key in the referenced Secret.
  12187. Some instances of this field may be defaulted, in others it may be required.
  12188. maxLength: 253
  12189. minLength: 1
  12190. pattern: ^[-._a-zA-Z0-9]+$
  12191. type: string
  12192. name:
  12193. description: The name of the Secret resource being referred to.
  12194. maxLength: 253
  12195. minLength: 1
  12196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12197. type: string
  12198. namespace:
  12199. description: |-
  12200. The namespace of the Secret resource being referred to.
  12201. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12202. maxLength: 63
  12203. minLength: 1
  12204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12205. type: string
  12206. type: object
  12207. usernameSecret:
  12208. description: |-
  12209. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12210. In some instances, `key` is a required field.
  12211. properties:
  12212. key:
  12213. description: |-
  12214. A key in the referenced Secret.
  12215. Some instances of this field may be defaulted, in others it may be required.
  12216. maxLength: 253
  12217. minLength: 1
  12218. pattern: ^[-._a-zA-Z0-9]+$
  12219. type: string
  12220. name:
  12221. description: The name of the Secret resource being referred to.
  12222. maxLength: 253
  12223. minLength: 1
  12224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12225. type: string
  12226. namespace:
  12227. description: |-
  12228. The namespace of the Secret resource being referred to.
  12229. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12230. maxLength: 63
  12231. minLength: 1
  12232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12233. type: string
  12234. type: object
  12235. required:
  12236. - passwordSecret
  12237. - usernameSecret
  12238. type: object
  12239. type: object
  12240. body:
  12241. description: Body
  12242. type: string
  12243. caBundle:
  12244. description: |-
  12245. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12246. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12247. plain HTTP protocol connection. If not set the system root certificates
  12248. are used to validate the TLS connection.
  12249. format: byte
  12250. type: string
  12251. caProvider:
  12252. description: The provider for the CA bundle to use to validate webhook server certificate.
  12253. properties:
  12254. key:
  12255. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12256. maxLength: 253
  12257. minLength: 1
  12258. pattern: ^[-._a-zA-Z0-9]+$
  12259. type: string
  12260. name:
  12261. description: The name of the object located at the provider type.
  12262. maxLength: 253
  12263. minLength: 1
  12264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12265. type: string
  12266. namespace:
  12267. description: The namespace the Provider type is in.
  12268. maxLength: 63
  12269. minLength: 1
  12270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12271. type: string
  12272. type:
  12273. description: The type of provider to use such as "Secret", or "ConfigMap".
  12274. enum:
  12275. - Secret
  12276. - ConfigMap
  12277. type: string
  12278. required:
  12279. - name
  12280. - type
  12281. type: object
  12282. headers:
  12283. additionalProperties:
  12284. type: string
  12285. description: Headers
  12286. type: object
  12287. method:
  12288. description: Webhook Method
  12289. type: string
  12290. result:
  12291. description: Result formatting
  12292. properties:
  12293. jsonPath:
  12294. description: Json path of return value
  12295. type: string
  12296. type: object
  12297. secrets:
  12298. description: |-
  12299. Secrets to fill in templates
  12300. These secrets will be passed to the templating function as key value pairs under the given name
  12301. items:
  12302. description: WebhookSecret defines a secret to be used in webhook templates.
  12303. properties:
  12304. name:
  12305. description: Name of this secret in templates
  12306. type: string
  12307. secretRef:
  12308. description: Secret ref to fill in credentials
  12309. properties:
  12310. key:
  12311. description: |-
  12312. A key in the referenced Secret.
  12313. Some instances of this field may be defaulted, in others it may be required.
  12314. maxLength: 253
  12315. minLength: 1
  12316. pattern: ^[-._a-zA-Z0-9]+$
  12317. type: string
  12318. name:
  12319. description: The name of the Secret resource being referred to.
  12320. maxLength: 253
  12321. minLength: 1
  12322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12323. type: string
  12324. namespace:
  12325. description: |-
  12326. The namespace of the Secret resource being referred to.
  12327. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12328. maxLength: 63
  12329. minLength: 1
  12330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12331. type: string
  12332. type: object
  12333. required:
  12334. - name
  12335. - secretRef
  12336. type: object
  12337. type: array
  12338. timeout:
  12339. description: Timeout
  12340. type: string
  12341. url:
  12342. description: Webhook url to call
  12343. type: string
  12344. required:
  12345. - result
  12346. - url
  12347. type: object
  12348. yandexcertificatemanager:
  12349. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12350. properties:
  12351. apiEndpoint:
  12352. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12353. type: string
  12354. auth:
  12355. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12356. properties:
  12357. authorizedKeySecretRef:
  12358. description: The authorized key used for authentication
  12359. properties:
  12360. key:
  12361. description: |-
  12362. A key in the referenced Secret.
  12363. Some instances of this field may be defaulted, in others it may be required.
  12364. maxLength: 253
  12365. minLength: 1
  12366. pattern: ^[-._a-zA-Z0-9]+$
  12367. type: string
  12368. name:
  12369. description: The name of the Secret resource being referred to.
  12370. maxLength: 253
  12371. minLength: 1
  12372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12373. type: string
  12374. namespace:
  12375. description: |-
  12376. The namespace of the Secret resource being referred to.
  12377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12378. maxLength: 63
  12379. minLength: 1
  12380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12381. type: string
  12382. type: object
  12383. type: object
  12384. caProvider:
  12385. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12386. properties:
  12387. certSecretRef:
  12388. description: |-
  12389. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12390. In some instances, `key` is a required field.
  12391. properties:
  12392. key:
  12393. description: |-
  12394. A key in the referenced Secret.
  12395. Some instances of this field may be defaulted, in others it may be required.
  12396. maxLength: 253
  12397. minLength: 1
  12398. pattern: ^[-._a-zA-Z0-9]+$
  12399. type: string
  12400. name:
  12401. description: The name of the Secret resource being referred to.
  12402. maxLength: 253
  12403. minLength: 1
  12404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12405. type: string
  12406. namespace:
  12407. description: |-
  12408. The namespace of the Secret resource being referred to.
  12409. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12410. maxLength: 63
  12411. minLength: 1
  12412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12413. type: string
  12414. type: object
  12415. type: object
  12416. required:
  12417. - auth
  12418. type: object
  12419. yandexlockbox:
  12420. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12421. properties:
  12422. apiEndpoint:
  12423. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12424. type: string
  12425. auth:
  12426. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12427. properties:
  12428. authorizedKeySecretRef:
  12429. description: The authorized key used for authentication
  12430. properties:
  12431. key:
  12432. description: |-
  12433. A key in the referenced Secret.
  12434. Some instances of this field may be defaulted, in others it may be required.
  12435. maxLength: 253
  12436. minLength: 1
  12437. pattern: ^[-._a-zA-Z0-9]+$
  12438. type: string
  12439. name:
  12440. description: The name of the Secret resource being referred to.
  12441. maxLength: 253
  12442. minLength: 1
  12443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12444. type: string
  12445. namespace:
  12446. description: |-
  12447. The namespace of the Secret resource being referred to.
  12448. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12449. maxLength: 63
  12450. minLength: 1
  12451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12452. type: string
  12453. type: object
  12454. type: object
  12455. caProvider:
  12456. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12457. properties:
  12458. certSecretRef:
  12459. description: |-
  12460. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12461. In some instances, `key` is a required field.
  12462. properties:
  12463. key:
  12464. description: |-
  12465. A key in the referenced Secret.
  12466. Some instances of this field may be defaulted, in others it may be required.
  12467. maxLength: 253
  12468. minLength: 1
  12469. pattern: ^[-._a-zA-Z0-9]+$
  12470. type: string
  12471. name:
  12472. description: The name of the Secret resource being referred to.
  12473. maxLength: 253
  12474. minLength: 1
  12475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12476. type: string
  12477. namespace:
  12478. description: |-
  12479. The namespace of the Secret resource being referred to.
  12480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12481. maxLength: 63
  12482. minLength: 1
  12483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12484. type: string
  12485. type: object
  12486. type: object
  12487. required:
  12488. - auth
  12489. type: object
  12490. type: object
  12491. refreshInterval:
  12492. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12493. type: integer
  12494. retrySettings:
  12495. description: Used to configure HTTP retries on failures.
  12496. properties:
  12497. maxRetries:
  12498. description: MaxRetries is the maximum number of retry attempts.
  12499. format: int32
  12500. type: integer
  12501. retryInterval:
  12502. description: RetryInterval is the interval between retry attempts.
  12503. type: string
  12504. type: object
  12505. required:
  12506. - provider
  12507. type: object
  12508. status:
  12509. description: SecretStoreStatus defines the observed state of the SecretStore.
  12510. properties:
  12511. capabilities:
  12512. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12513. type: string
  12514. conditions:
  12515. items:
  12516. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12517. properties:
  12518. lastTransitionTime:
  12519. format: date-time
  12520. type: string
  12521. message:
  12522. type: string
  12523. reason:
  12524. type: string
  12525. status:
  12526. type: string
  12527. type:
  12528. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12529. type: string
  12530. required:
  12531. - status
  12532. - type
  12533. type: object
  12534. type: array
  12535. type: object
  12536. type: object
  12537. served: false
  12538. storage: false
  12539. subresources:
  12540. status: {}
  12541. ---
  12542. apiVersion: apiextensions.k8s.io/v1
  12543. kind: CustomResourceDefinition
  12544. metadata:
  12545. annotations:
  12546. controller-gen.kubebuilder.io/version: v0.19.0
  12547. labels:
  12548. external-secrets.io/component: controller
  12549. name: externalsecrets.external-secrets.io
  12550. spec:
  12551. group: external-secrets.io
  12552. names:
  12553. categories:
  12554. - external-secrets
  12555. kind: ExternalSecret
  12556. listKind: ExternalSecretList
  12557. plural: externalsecrets
  12558. shortNames:
  12559. - es
  12560. singular: externalsecret
  12561. scope: Namespaced
  12562. versions:
  12563. - additionalPrinterColumns:
  12564. - jsonPath: .spec.secretStoreRef.kind
  12565. name: StoreType
  12566. type: string
  12567. - jsonPath: .spec.secretStoreRef.name
  12568. name: Store
  12569. type: string
  12570. - jsonPath: .spec.refreshInterval
  12571. name: Refresh Interval
  12572. type: string
  12573. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  12574. name: Status
  12575. type: string
  12576. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  12577. name: Ready
  12578. type: string
  12579. - jsonPath: .status.refreshTime
  12580. name: Last Sync
  12581. type: date
  12582. name: v1
  12583. schema:
  12584. openAPIV3Schema:
  12585. description: |-
  12586. ExternalSecret is the Schema for the external-secrets API.
  12587. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  12588. properties:
  12589. apiVersion:
  12590. description: |-
  12591. APIVersion defines the versioned schema of this representation of an object.
  12592. Servers should convert recognized schemas to the latest internal value, and
  12593. may reject unrecognized values.
  12594. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12595. type: string
  12596. kind:
  12597. description: |-
  12598. Kind is a string value representing the REST resource this object represents.
  12599. Servers may infer this from the endpoint the client submits requests to.
  12600. Cannot be updated.
  12601. In CamelCase.
  12602. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12603. type: string
  12604. metadata:
  12605. type: object
  12606. spec:
  12607. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  12608. properties:
  12609. data:
  12610. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  12611. items:
  12612. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  12613. properties:
  12614. remoteRef:
  12615. description: |-
  12616. RemoteRef points to the remote secret and defines
  12617. which secret (version/property/..) to fetch.
  12618. properties:
  12619. conversionStrategy:
  12620. default: Default
  12621. description: Used to define a conversion Strategy
  12622. enum:
  12623. - Default
  12624. - Unicode
  12625. type: string
  12626. decodingStrategy:
  12627. default: None
  12628. description: Used to define a decoding Strategy
  12629. enum:
  12630. - Auto
  12631. - Base64
  12632. - Base64URL
  12633. - None
  12634. type: string
  12635. key:
  12636. description: Key is the key used in the Provider, mandatory
  12637. type: string
  12638. metadataPolicy:
  12639. default: None
  12640. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12641. enum:
  12642. - None
  12643. - Fetch
  12644. type: string
  12645. nullBytePolicy:
  12646. default: Ignore
  12647. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12648. enum:
  12649. - Ignore
  12650. - Fail
  12651. type: string
  12652. property:
  12653. description: Used to select a specific property of the Provider value (if a map), if supported
  12654. type: string
  12655. version:
  12656. description: Used to select a specific version of the Provider value, if supported
  12657. type: string
  12658. required:
  12659. - key
  12660. type: object
  12661. secretKey:
  12662. description: The key in the Kubernetes Secret to store the value.
  12663. maxLength: 253
  12664. minLength: 1
  12665. pattern: ^[-._a-zA-Z0-9]+$
  12666. type: string
  12667. sourceRef:
  12668. description: |-
  12669. SourceRef allows you to override the source
  12670. from which the value will be pulled.
  12671. maxProperties: 1
  12672. minProperties: 1
  12673. properties:
  12674. generatorRef:
  12675. description: |-
  12676. GeneratorRef points to a generator custom resource.
  12677. Deprecated: The generatorRef is not implemented in .data[].
  12678. this will be removed with v1.
  12679. properties:
  12680. apiVersion:
  12681. default: generators.external-secrets.io/v1alpha1
  12682. description: Specify the apiVersion of the generator resource
  12683. type: string
  12684. kind:
  12685. description: Specify the Kind of the generator resource
  12686. enum:
  12687. - ACRAccessToken
  12688. - ClusterGenerator
  12689. - CloudsmithAccessToken
  12690. - ECRAuthorizationToken
  12691. - Fake
  12692. - GCRAccessToken
  12693. - GithubAccessToken
  12694. - QuayAccessToken
  12695. - Password
  12696. - SSHKey
  12697. - STSAssumeRoleToken
  12698. - STSSessionToken
  12699. - UUID
  12700. - VaultDynamicSecret
  12701. - Webhook
  12702. - Grafana
  12703. - MFA
  12704. type: string
  12705. name:
  12706. description: Specify the name of the generator resource
  12707. maxLength: 253
  12708. minLength: 1
  12709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12710. type: string
  12711. required:
  12712. - kind
  12713. - name
  12714. type: object
  12715. storeRef:
  12716. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  12717. properties:
  12718. kind:
  12719. description: |-
  12720. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  12721. Defaults to `SecretStore`
  12722. enum:
  12723. - SecretStore
  12724. - ClusterSecretStore
  12725. type: string
  12726. name:
  12727. description: Name of the SecretStore resource
  12728. maxLength: 253
  12729. minLength: 1
  12730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12731. type: string
  12732. type: object
  12733. type: object
  12734. required:
  12735. - remoteRef
  12736. - secretKey
  12737. type: object
  12738. type: array
  12739. dataFrom:
  12740. description: |-
  12741. DataFrom is used to fetch all properties from a specific Provider data
  12742. If multiple entries are specified, the Secret keys are merged in the specified order
  12743. items:
  12744. description: |-
  12745. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  12746. when using DataFrom to fetch multiple values from a Provider.
  12747. properties:
  12748. extract:
  12749. description: |-
  12750. Used to extract multiple key/value pairs from one secret
  12751. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12752. properties:
  12753. conversionStrategy:
  12754. default: Default
  12755. description: Used to define a conversion Strategy
  12756. enum:
  12757. - Default
  12758. - Unicode
  12759. type: string
  12760. decodingStrategy:
  12761. default: None
  12762. description: Used to define a decoding Strategy
  12763. enum:
  12764. - Auto
  12765. - Base64
  12766. - Base64URL
  12767. - None
  12768. type: string
  12769. key:
  12770. description: Key is the key used in the Provider, mandatory
  12771. type: string
  12772. metadataPolicy:
  12773. default: None
  12774. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12775. enum:
  12776. - None
  12777. - Fetch
  12778. type: string
  12779. nullBytePolicy:
  12780. default: Ignore
  12781. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12782. enum:
  12783. - Ignore
  12784. - Fail
  12785. type: string
  12786. property:
  12787. description: Used to select a specific property of the Provider value (if a map), if supported
  12788. type: string
  12789. version:
  12790. description: Used to select a specific version of the Provider value, if supported
  12791. type: string
  12792. required:
  12793. - key
  12794. type: object
  12795. find:
  12796. description: |-
  12797. Used to find secrets based on tags or regular expressions
  12798. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12799. properties:
  12800. conversionStrategy:
  12801. default: Default
  12802. description: Used to define a conversion Strategy
  12803. enum:
  12804. - Default
  12805. - Unicode
  12806. type: string
  12807. decodingStrategy:
  12808. default: None
  12809. description: Used to define a decoding Strategy
  12810. enum:
  12811. - Auto
  12812. - Base64
  12813. - Base64URL
  12814. - None
  12815. type: string
  12816. name:
  12817. description: Finds secrets based on the name.
  12818. properties:
  12819. regexp:
  12820. description: Finds secrets base
  12821. type: string
  12822. type: object
  12823. nullBytePolicy:
  12824. default: Ignore
  12825. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  12826. enum:
  12827. - Ignore
  12828. - Fail
  12829. type: string
  12830. path:
  12831. description: A root path to start the find operations.
  12832. type: string
  12833. tags:
  12834. additionalProperties:
  12835. type: string
  12836. description: Find secrets based on tags.
  12837. type: object
  12838. type: object
  12839. rewrite:
  12840. description: |-
  12841. Used to rewrite secret Keys after getting them from the secret Provider
  12842. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  12843. items:
  12844. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  12845. maxProperties: 1
  12846. minProperties: 1
  12847. properties:
  12848. merge:
  12849. description: |-
  12850. Used to merge key/values in one single Secret
  12851. The resulting key will contain all values from the specified secrets
  12852. properties:
  12853. conflictPolicy:
  12854. default: Error
  12855. description: Used to define the policy to use in conflict resolution.
  12856. enum:
  12857. - Ignore
  12858. - Error
  12859. type: string
  12860. into:
  12861. default: ""
  12862. description: |-
  12863. Used to define the target key of the merge operation.
  12864. Required if strategy is JSON. Ignored otherwise.
  12865. type: string
  12866. priority:
  12867. description: Used to define key priority in conflict resolution.
  12868. items:
  12869. type: string
  12870. type: array
  12871. priorityPolicy:
  12872. default: Strict
  12873. description: Used to define the policy when a key in the priority list does not exist in the input.
  12874. enum:
  12875. - IgnoreNotFound
  12876. - Strict
  12877. type: string
  12878. strategy:
  12879. default: Extract
  12880. description: Used to define the strategy to use in the merge operation.
  12881. enum:
  12882. - Extract
  12883. - JSON
  12884. type: string
  12885. type: object
  12886. regexp:
  12887. description: |-
  12888. Used to rewrite with regular expressions.
  12889. The resulting key will be the output of a regexp.ReplaceAll operation.
  12890. properties:
  12891. source:
  12892. description: Used to define the regular expression of a re.Compiler.
  12893. type: string
  12894. target:
  12895. description: Used to define the target pattern of a ReplaceAll operation.
  12896. type: string
  12897. required:
  12898. - source
  12899. - target
  12900. type: object
  12901. transform:
  12902. description: |-
  12903. Used to apply string transformation on the secrets.
  12904. The resulting key will be the output of the template applied by the operation.
  12905. properties:
  12906. template:
  12907. description: |-
  12908. Used to define the template to apply on the secret name.
  12909. `.value ` will specify the secret name in the template.
  12910. type: string
  12911. required:
  12912. - template
  12913. type: object
  12914. type: object
  12915. type: array
  12916. sourceRef:
  12917. description: |-
  12918. SourceRef points to a store or generator
  12919. which contains secret values ready to use.
  12920. Use this in combination with Extract or Find pull values out of
  12921. a specific SecretStore.
  12922. When sourceRef points to a generator Extract or Find is not supported.
  12923. The generator returns a static map of values
  12924. maxProperties: 1
  12925. minProperties: 1
  12926. properties:
  12927. generatorRef:
  12928. description: GeneratorRef points to a generator custom resource.
  12929. properties:
  12930. apiVersion:
  12931. default: generators.external-secrets.io/v1alpha1
  12932. description: Specify the apiVersion of the generator resource
  12933. type: string
  12934. kind:
  12935. description: Specify the Kind of the generator resource
  12936. enum:
  12937. - ACRAccessToken
  12938. - ClusterGenerator
  12939. - CloudsmithAccessToken
  12940. - ECRAuthorizationToken
  12941. - Fake
  12942. - GCRAccessToken
  12943. - GithubAccessToken
  12944. - QuayAccessToken
  12945. - Password
  12946. - SSHKey
  12947. - STSAssumeRoleToken
  12948. - STSSessionToken
  12949. - UUID
  12950. - VaultDynamicSecret
  12951. - Webhook
  12952. - Grafana
  12953. - MFA
  12954. type: string
  12955. name:
  12956. description: Specify the name of the generator resource
  12957. maxLength: 253
  12958. minLength: 1
  12959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12960. type: string
  12961. required:
  12962. - kind
  12963. - name
  12964. type: object
  12965. storeRef:
  12966. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  12967. properties:
  12968. kind:
  12969. description: |-
  12970. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  12971. Defaults to `SecretStore`
  12972. enum:
  12973. - SecretStore
  12974. - ClusterSecretStore
  12975. type: string
  12976. name:
  12977. description: Name of the SecretStore resource
  12978. maxLength: 253
  12979. minLength: 1
  12980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12981. type: string
  12982. type: object
  12983. type: object
  12984. type: object
  12985. type: array
  12986. refreshInterval:
  12987. default: 1h0m0s
  12988. description: |-
  12989. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  12990. specified as Golang Duration strings.
  12991. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  12992. Example values: "1h0m0s", "2h30m0s", "10m0s"
  12993. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  12994. type: string
  12995. refreshPolicy:
  12996. description: |-
  12997. RefreshPolicy determines how the ExternalSecret should be refreshed:
  12998. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  12999. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13000. No periodic updates occur if refreshInterval is 0.
  13001. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13002. enum:
  13003. - CreatedOnce
  13004. - Periodic
  13005. - OnChange
  13006. type: string
  13007. secretStoreRef:
  13008. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13009. properties:
  13010. kind:
  13011. description: |-
  13012. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13013. Defaults to `SecretStore`
  13014. enum:
  13015. - SecretStore
  13016. - ClusterSecretStore
  13017. type: string
  13018. name:
  13019. description: Name of the SecretStore resource
  13020. maxLength: 253
  13021. minLength: 1
  13022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13023. type: string
  13024. type: object
  13025. target:
  13026. default:
  13027. creationPolicy: Owner
  13028. deletionPolicy: Retain
  13029. description: |-
  13030. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13031. there can be only one target per ExternalSecret.
  13032. properties:
  13033. creationPolicy:
  13034. default: Owner
  13035. description: |-
  13036. CreationPolicy defines rules on how to create the resulting Secret.
  13037. Defaults to "Owner"
  13038. enum:
  13039. - Owner
  13040. - Orphan
  13041. - Merge
  13042. - None
  13043. type: string
  13044. deletionPolicy:
  13045. default: Retain
  13046. description: |-
  13047. DeletionPolicy defines rules on how to delete the resulting Secret.
  13048. Defaults to "Retain"
  13049. enum:
  13050. - Delete
  13051. - Merge
  13052. - Retain
  13053. type: string
  13054. immutable:
  13055. description: Immutable defines if the final secret will be immutable
  13056. type: boolean
  13057. manifest:
  13058. description: |-
  13059. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13060. When specified, ExternalSecret will create the resource type defined here
  13061. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  13062. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  13063. properties:
  13064. apiVersion:
  13065. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13066. minLength: 1
  13067. type: string
  13068. kind:
  13069. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13070. minLength: 1
  13071. type: string
  13072. required:
  13073. - apiVersion
  13074. - kind
  13075. type: object
  13076. name:
  13077. description: |-
  13078. The name of the Secret resource to be managed.
  13079. Defaults to the .metadata.name of the ExternalSecret resource
  13080. maxLength: 253
  13081. minLength: 1
  13082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13083. type: string
  13084. template:
  13085. description: Template defines a blueprint for the created Secret resource.
  13086. properties:
  13087. data:
  13088. additionalProperties:
  13089. type: string
  13090. type: object
  13091. engineVersion:
  13092. default: v2
  13093. description: |-
  13094. EngineVersion specifies the template engine version
  13095. that should be used to compile/execute the
  13096. template specified in .data and .templateFrom[].
  13097. enum:
  13098. - v2
  13099. type: string
  13100. mergePolicy:
  13101. default: Replace
  13102. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13103. enum:
  13104. - Replace
  13105. - Merge
  13106. type: string
  13107. metadata:
  13108. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13109. properties:
  13110. annotations:
  13111. additionalProperties:
  13112. type: string
  13113. type: object
  13114. finalizers:
  13115. items:
  13116. type: string
  13117. type: array
  13118. labels:
  13119. additionalProperties:
  13120. type: string
  13121. type: object
  13122. type: object
  13123. templateFrom:
  13124. items:
  13125. description: |-
  13126. TemplateFrom specifies a source for templates.
  13127. Each item in the list can either reference a ConfigMap or a Secret resource.
  13128. properties:
  13129. configMap:
  13130. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13131. properties:
  13132. items:
  13133. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13134. items:
  13135. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13136. properties:
  13137. key:
  13138. description: A key in the ConfigMap/Secret
  13139. maxLength: 253
  13140. minLength: 1
  13141. pattern: ^[-._a-zA-Z0-9]+$
  13142. type: string
  13143. templateAs:
  13144. default: Values
  13145. description: TemplateScope specifies how the template keys should be interpreted.
  13146. enum:
  13147. - Values
  13148. - KeysAndValues
  13149. type: string
  13150. required:
  13151. - key
  13152. type: object
  13153. type: array
  13154. name:
  13155. description: The name of the ConfigMap/Secret resource
  13156. maxLength: 253
  13157. minLength: 1
  13158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13159. type: string
  13160. required:
  13161. - items
  13162. - name
  13163. type: object
  13164. literal:
  13165. type: string
  13166. secret:
  13167. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13168. properties:
  13169. items:
  13170. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13171. items:
  13172. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13173. properties:
  13174. key:
  13175. description: A key in the ConfigMap/Secret
  13176. maxLength: 253
  13177. minLength: 1
  13178. pattern: ^[-._a-zA-Z0-9]+$
  13179. type: string
  13180. templateAs:
  13181. default: Values
  13182. description: TemplateScope specifies how the template keys should be interpreted.
  13183. enum:
  13184. - Values
  13185. - KeysAndValues
  13186. type: string
  13187. required:
  13188. - key
  13189. type: object
  13190. type: array
  13191. name:
  13192. description: The name of the ConfigMap/Secret resource
  13193. maxLength: 253
  13194. minLength: 1
  13195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13196. type: string
  13197. required:
  13198. - items
  13199. - name
  13200. type: object
  13201. target:
  13202. default: Data
  13203. description: |-
  13204. Target specifies where to place the template result.
  13205. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13206. For custom resources (when spec.target.manifest is set), this supports
  13207. nested paths like "spec.database.config" or "data".
  13208. type: string
  13209. type: object
  13210. type: array
  13211. type:
  13212. type: string
  13213. type: object
  13214. type: object
  13215. type: object
  13216. status:
  13217. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13218. properties:
  13219. binding:
  13220. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13221. properties:
  13222. name:
  13223. default: ""
  13224. description: |-
  13225. Name of the referent.
  13226. This field is effectively required, but due to backwards compatibility is
  13227. allowed to be empty. Instances of this type with an empty value here are
  13228. almost certainly wrong.
  13229. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13230. type: string
  13231. type: object
  13232. x-kubernetes-map-type: atomic
  13233. conditions:
  13234. items:
  13235. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13236. properties:
  13237. lastTransitionTime:
  13238. format: date-time
  13239. type: string
  13240. message:
  13241. type: string
  13242. reason:
  13243. type: string
  13244. status:
  13245. type: string
  13246. type:
  13247. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13248. enum:
  13249. - Ready
  13250. - Deleted
  13251. type: string
  13252. required:
  13253. - status
  13254. - type
  13255. type: object
  13256. type: array
  13257. refreshTime:
  13258. description: |-
  13259. refreshTime is the time and date the external secret was fetched and
  13260. the target secret updated
  13261. format: date-time
  13262. nullable: true
  13263. type: string
  13264. syncedResourceVersion:
  13265. description: SyncedResourceVersion keeps track of the last synced version
  13266. type: string
  13267. type: object
  13268. type: object
  13269. selectableFields:
  13270. - jsonPath: .spec.secretStoreRef.name
  13271. - jsonPath: .spec.secretStoreRef.kind
  13272. - jsonPath: .spec.target.name
  13273. - jsonPath: .spec.refreshInterval
  13274. served: true
  13275. storage: true
  13276. subresources:
  13277. status: {}
  13278. - additionalPrinterColumns:
  13279. - jsonPath: .spec.secretStoreRef.kind
  13280. name: StoreType
  13281. type: string
  13282. - jsonPath: .spec.secretStoreRef.name
  13283. name: Store
  13284. type: string
  13285. - jsonPath: .spec.refreshInterval
  13286. name: Refresh Interval
  13287. type: string
  13288. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13289. name: Status
  13290. type: string
  13291. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13292. name: Ready
  13293. type: string
  13294. - jsonPath: .status.refreshTime
  13295. name: Last Sync
  13296. type: date
  13297. deprecated: true
  13298. name: v1beta1
  13299. schema:
  13300. openAPIV3Schema:
  13301. description: ExternalSecret is the schema for the external-secrets API.
  13302. properties:
  13303. apiVersion:
  13304. description: |-
  13305. APIVersion defines the versioned schema of this representation of an object.
  13306. Servers should convert recognized schemas to the latest internal value, and
  13307. may reject unrecognized values.
  13308. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13309. type: string
  13310. kind:
  13311. description: |-
  13312. Kind is a string value representing the REST resource this object represents.
  13313. Servers may infer this from the endpoint the client submits requests to.
  13314. Cannot be updated.
  13315. In CamelCase.
  13316. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13317. type: string
  13318. metadata:
  13319. type: object
  13320. spec:
  13321. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13322. properties:
  13323. data:
  13324. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13325. items:
  13326. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13327. properties:
  13328. remoteRef:
  13329. description: |-
  13330. RemoteRef points to the remote secret and defines
  13331. which secret (version/property/..) to fetch.
  13332. properties:
  13333. conversionStrategy:
  13334. default: Default
  13335. description: Used to define a conversion Strategy
  13336. enum:
  13337. - Default
  13338. - Unicode
  13339. type: string
  13340. decodingStrategy:
  13341. default: None
  13342. description: Used to define a decoding Strategy
  13343. enum:
  13344. - Auto
  13345. - Base64
  13346. - Base64URL
  13347. - None
  13348. type: string
  13349. key:
  13350. description: Key is the key used in the Provider, mandatory
  13351. type: string
  13352. metadataPolicy:
  13353. default: None
  13354. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13355. enum:
  13356. - None
  13357. - Fetch
  13358. type: string
  13359. property:
  13360. description: Used to select a specific property of the Provider value (if a map), if supported
  13361. type: string
  13362. version:
  13363. description: Used to select a specific version of the Provider value, if supported
  13364. type: string
  13365. required:
  13366. - key
  13367. type: object
  13368. secretKey:
  13369. description: The key in the Kubernetes Secret to store the value.
  13370. maxLength: 253
  13371. minLength: 1
  13372. pattern: ^[-._a-zA-Z0-9]+$
  13373. type: string
  13374. sourceRef:
  13375. description: |-
  13376. SourceRef allows you to override the source
  13377. from which the value will be pulled.
  13378. maxProperties: 1
  13379. minProperties: 1
  13380. properties:
  13381. generatorRef:
  13382. description: |-
  13383. GeneratorRef points to a generator custom resource.
  13384. Deprecated: The generatorRef is not implemented in .data[].
  13385. this will be removed with v1.
  13386. properties:
  13387. apiVersion:
  13388. default: generators.external-secrets.io/v1alpha1
  13389. description: Specify the apiVersion of the generator resource
  13390. type: string
  13391. kind:
  13392. description: Specify the Kind of the generator resource
  13393. enum:
  13394. - ACRAccessToken
  13395. - ClusterGenerator
  13396. - ECRAuthorizationToken
  13397. - Fake
  13398. - GCRAccessToken
  13399. - GithubAccessToken
  13400. - QuayAccessToken
  13401. - Password
  13402. - SSHKey
  13403. - STSAssumeRoleToken
  13404. - STSSessionToken
  13405. - UUID
  13406. - VaultDynamicSecret
  13407. - Webhook
  13408. - Grafana
  13409. type: string
  13410. name:
  13411. description: Specify the name of the generator resource
  13412. maxLength: 253
  13413. minLength: 1
  13414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13415. type: string
  13416. required:
  13417. - kind
  13418. - name
  13419. type: object
  13420. storeRef:
  13421. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13422. properties:
  13423. kind:
  13424. description: |-
  13425. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13426. Defaults to `SecretStore`
  13427. enum:
  13428. - SecretStore
  13429. - ClusterSecretStore
  13430. type: string
  13431. name:
  13432. description: Name of the SecretStore resource
  13433. maxLength: 253
  13434. minLength: 1
  13435. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13436. type: string
  13437. type: object
  13438. type: object
  13439. required:
  13440. - remoteRef
  13441. - secretKey
  13442. type: object
  13443. type: array
  13444. dataFrom:
  13445. description: |-
  13446. DataFrom is used to fetch all properties from a specific Provider data
  13447. If multiple entries are specified, the Secret keys are merged in the specified order
  13448. items:
  13449. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13450. properties:
  13451. extract:
  13452. description: |-
  13453. Used to extract multiple key/value pairs from one secret
  13454. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13455. properties:
  13456. conversionStrategy:
  13457. default: Default
  13458. description: Used to define a conversion Strategy
  13459. enum:
  13460. - Default
  13461. - Unicode
  13462. type: string
  13463. decodingStrategy:
  13464. default: None
  13465. description: Used to define a decoding Strategy
  13466. enum:
  13467. - Auto
  13468. - Base64
  13469. - Base64URL
  13470. - None
  13471. type: string
  13472. key:
  13473. description: Key is the key used in the Provider, mandatory
  13474. type: string
  13475. metadataPolicy:
  13476. default: None
  13477. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13478. enum:
  13479. - None
  13480. - Fetch
  13481. type: string
  13482. property:
  13483. description: Used to select a specific property of the Provider value (if a map), if supported
  13484. type: string
  13485. version:
  13486. description: Used to select a specific version of the Provider value, if supported
  13487. type: string
  13488. required:
  13489. - key
  13490. type: object
  13491. find:
  13492. description: |-
  13493. Used to find secrets based on tags or regular expressions
  13494. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13495. properties:
  13496. conversionStrategy:
  13497. default: Default
  13498. description: Used to define a conversion Strategy
  13499. enum:
  13500. - Default
  13501. - Unicode
  13502. type: string
  13503. decodingStrategy:
  13504. default: None
  13505. description: Used to define a decoding Strategy
  13506. enum:
  13507. - Auto
  13508. - Base64
  13509. - Base64URL
  13510. - None
  13511. type: string
  13512. name:
  13513. description: Finds secrets based on the name.
  13514. properties:
  13515. regexp:
  13516. description: Finds secrets base
  13517. type: string
  13518. type: object
  13519. path:
  13520. description: A root path to start the find operations.
  13521. type: string
  13522. tags:
  13523. additionalProperties:
  13524. type: string
  13525. description: Find secrets based on tags.
  13526. type: object
  13527. type: object
  13528. rewrite:
  13529. description: |-
  13530. Used to rewrite secret Keys after getting them from the secret Provider
  13531. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13532. items:
  13533. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  13534. maxProperties: 1
  13535. minProperties: 1
  13536. properties:
  13537. regexp:
  13538. description: |-
  13539. Used to rewrite with regular expressions.
  13540. The resulting key will be the output of a regexp.ReplaceAll operation.
  13541. properties:
  13542. source:
  13543. description: Used to define the regular expression of a re.Compiler.
  13544. type: string
  13545. target:
  13546. description: Used to define the target pattern of a ReplaceAll operation.
  13547. type: string
  13548. required:
  13549. - source
  13550. - target
  13551. type: object
  13552. transform:
  13553. description: |-
  13554. Used to apply string transformation on the secrets.
  13555. The resulting key will be the output of the template applied by the operation.
  13556. properties:
  13557. template:
  13558. description: |-
  13559. Used to define the template to apply on the secret name.
  13560. `.value ` will specify the secret name in the template.
  13561. type: string
  13562. required:
  13563. - template
  13564. type: object
  13565. type: object
  13566. type: array
  13567. sourceRef:
  13568. description: |-
  13569. SourceRef points to a store or generator
  13570. which contains secret values ready to use.
  13571. Use this in combination with Extract or Find pull values out of
  13572. a specific SecretStore.
  13573. When sourceRef points to a generator Extract or Find is not supported.
  13574. The generator returns a static map of values
  13575. maxProperties: 1
  13576. minProperties: 1
  13577. properties:
  13578. generatorRef:
  13579. description: GeneratorRef points to a generator custom resource.
  13580. properties:
  13581. apiVersion:
  13582. default: generators.external-secrets.io/v1alpha1
  13583. description: Specify the apiVersion of the generator resource
  13584. type: string
  13585. kind:
  13586. description: Specify the Kind of the generator resource
  13587. enum:
  13588. - ACRAccessToken
  13589. - ClusterGenerator
  13590. - ECRAuthorizationToken
  13591. - Fake
  13592. - GCRAccessToken
  13593. - GithubAccessToken
  13594. - QuayAccessToken
  13595. - Password
  13596. - SSHKey
  13597. - STSAssumeRoleToken
  13598. - STSSessionToken
  13599. - UUID
  13600. - VaultDynamicSecret
  13601. - Webhook
  13602. - Grafana
  13603. type: string
  13604. name:
  13605. description: Specify the name of the generator resource
  13606. maxLength: 253
  13607. minLength: 1
  13608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13609. type: string
  13610. required:
  13611. - kind
  13612. - name
  13613. type: object
  13614. storeRef:
  13615. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13616. properties:
  13617. kind:
  13618. description: |-
  13619. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13620. Defaults to `SecretStore`
  13621. enum:
  13622. - SecretStore
  13623. - ClusterSecretStore
  13624. type: string
  13625. name:
  13626. description: Name of the SecretStore resource
  13627. maxLength: 253
  13628. minLength: 1
  13629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13630. type: string
  13631. type: object
  13632. type: object
  13633. type: object
  13634. type: array
  13635. refreshInterval:
  13636. default: 1h0m0s
  13637. description: |-
  13638. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13639. specified as Golang Duration strings.
  13640. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13641. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13642. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13643. type: string
  13644. refreshPolicy:
  13645. description: |-
  13646. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13647. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13648. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13649. No periodic updates occur if refreshInterval is 0.
  13650. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13651. enum:
  13652. - CreatedOnce
  13653. - Periodic
  13654. - OnChange
  13655. type: string
  13656. secretStoreRef:
  13657. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13658. properties:
  13659. kind:
  13660. description: |-
  13661. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13662. Defaults to `SecretStore`
  13663. enum:
  13664. - SecretStore
  13665. - ClusterSecretStore
  13666. type: string
  13667. name:
  13668. description: Name of the SecretStore resource
  13669. maxLength: 253
  13670. minLength: 1
  13671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13672. type: string
  13673. type: object
  13674. target:
  13675. default:
  13676. creationPolicy: Owner
  13677. deletionPolicy: Retain
  13678. description: |-
  13679. ExternalSecretTarget defines the Kubernetes Secret to be created
  13680. There can be only one target per ExternalSecret.
  13681. properties:
  13682. creationPolicy:
  13683. default: Owner
  13684. description: |-
  13685. CreationPolicy defines rules on how to create the resulting Secret.
  13686. Defaults to "Owner"
  13687. enum:
  13688. - Owner
  13689. - Orphan
  13690. - Merge
  13691. - None
  13692. type: string
  13693. deletionPolicy:
  13694. default: Retain
  13695. description: |-
  13696. DeletionPolicy defines rules on how to delete the resulting Secret.
  13697. Defaults to "Retain"
  13698. enum:
  13699. - Delete
  13700. - Merge
  13701. - Retain
  13702. type: string
  13703. immutable:
  13704. description: Immutable defines if the final secret will be immutable
  13705. type: boolean
  13706. name:
  13707. description: |-
  13708. The name of the Secret resource to be managed.
  13709. Defaults to the .metadata.name of the ExternalSecret resource
  13710. maxLength: 253
  13711. minLength: 1
  13712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13713. type: string
  13714. template:
  13715. description: Template defines a blueprint for the created Secret resource.
  13716. properties:
  13717. data:
  13718. additionalProperties:
  13719. type: string
  13720. type: object
  13721. engineVersion:
  13722. default: v2
  13723. description: |-
  13724. EngineVersion specifies the template engine version
  13725. that should be used to compile/execute the
  13726. template specified in .data and .templateFrom[].
  13727. enum:
  13728. - v2
  13729. type: string
  13730. mergePolicy:
  13731. default: Replace
  13732. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  13733. enum:
  13734. - Replace
  13735. - Merge
  13736. type: string
  13737. metadata:
  13738. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13739. properties:
  13740. annotations:
  13741. additionalProperties:
  13742. type: string
  13743. type: object
  13744. labels:
  13745. additionalProperties:
  13746. type: string
  13747. type: object
  13748. type: object
  13749. templateFrom:
  13750. items:
  13751. description: TemplateFrom defines a source for template data.
  13752. properties:
  13753. configMap:
  13754. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13755. properties:
  13756. items:
  13757. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13758. items:
  13759. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13760. properties:
  13761. key:
  13762. description: A key in the ConfigMap/Secret
  13763. maxLength: 253
  13764. minLength: 1
  13765. pattern: ^[-._a-zA-Z0-9]+$
  13766. type: string
  13767. templateAs:
  13768. default: Values
  13769. description: TemplateScope defines the scope of the template when processing template data.
  13770. enum:
  13771. - Values
  13772. - KeysAndValues
  13773. type: string
  13774. required:
  13775. - key
  13776. type: object
  13777. type: array
  13778. name:
  13779. description: The name of the ConfigMap/Secret resource
  13780. maxLength: 253
  13781. minLength: 1
  13782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13783. type: string
  13784. required:
  13785. - items
  13786. - name
  13787. type: object
  13788. literal:
  13789. type: string
  13790. secret:
  13791. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13792. properties:
  13793. items:
  13794. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13795. items:
  13796. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13797. properties:
  13798. key:
  13799. description: A key in the ConfigMap/Secret
  13800. maxLength: 253
  13801. minLength: 1
  13802. pattern: ^[-._a-zA-Z0-9]+$
  13803. type: string
  13804. templateAs:
  13805. default: Values
  13806. description: TemplateScope defines the scope of the template when processing template data.
  13807. enum:
  13808. - Values
  13809. - KeysAndValues
  13810. type: string
  13811. required:
  13812. - key
  13813. type: object
  13814. type: array
  13815. name:
  13816. description: The name of the ConfigMap/Secret resource
  13817. maxLength: 253
  13818. minLength: 1
  13819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13820. type: string
  13821. required:
  13822. - items
  13823. - name
  13824. type: object
  13825. target:
  13826. default: Data
  13827. description: TemplateTarget defines the target field where the template result will be stored.
  13828. enum:
  13829. - Data
  13830. - Annotations
  13831. - Labels
  13832. type: string
  13833. type: object
  13834. type: array
  13835. type:
  13836. type: string
  13837. type: object
  13838. type: object
  13839. type: object
  13840. status:
  13841. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13842. properties:
  13843. binding:
  13844. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13845. properties:
  13846. name:
  13847. default: ""
  13848. description: |-
  13849. Name of the referent.
  13850. This field is effectively required, but due to backwards compatibility is
  13851. allowed to be empty. Instances of this type with an empty value here are
  13852. almost certainly wrong.
  13853. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13854. type: string
  13855. type: object
  13856. x-kubernetes-map-type: atomic
  13857. conditions:
  13858. items:
  13859. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  13860. properties:
  13861. lastTransitionTime:
  13862. format: date-time
  13863. type: string
  13864. message:
  13865. type: string
  13866. reason:
  13867. type: string
  13868. status:
  13869. type: string
  13870. type:
  13871. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  13872. type: string
  13873. required:
  13874. - status
  13875. - type
  13876. type: object
  13877. type: array
  13878. refreshTime:
  13879. description: |-
  13880. refreshTime is the time and date the external secret was fetched and
  13881. the target secret updated
  13882. format: date-time
  13883. nullable: true
  13884. type: string
  13885. syncedResourceVersion:
  13886. description: SyncedResourceVersion keeps track of the last synced version
  13887. type: string
  13888. type: object
  13889. type: object
  13890. served: false
  13891. storage: false
  13892. subresources:
  13893. status: {}
  13894. ---
  13895. apiVersion: apiextensions.k8s.io/v1
  13896. kind: CustomResourceDefinition
  13897. metadata:
  13898. annotations:
  13899. controller-gen.kubebuilder.io/version: v0.19.0
  13900. labels:
  13901. external-secrets.io/component: controller
  13902. name: pushsecrets.external-secrets.io
  13903. spec:
  13904. group: external-secrets.io
  13905. names:
  13906. categories:
  13907. - external-secrets
  13908. kind: PushSecret
  13909. listKind: PushSecretList
  13910. plural: pushsecrets
  13911. shortNames:
  13912. - ps
  13913. singular: pushsecret
  13914. scope: Namespaced
  13915. versions:
  13916. - additionalPrinterColumns:
  13917. - jsonPath: .metadata.creationTimestamp
  13918. name: AGE
  13919. type: date
  13920. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13921. name: Status
  13922. type: string
  13923. - jsonPath: .status.refreshTime
  13924. name: Last Sync
  13925. type: date
  13926. name: v1alpha1
  13927. schema:
  13928. openAPIV3Schema:
  13929. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  13930. properties:
  13931. apiVersion:
  13932. description: |-
  13933. APIVersion defines the versioned schema of this representation of an object.
  13934. Servers should convert recognized schemas to the latest internal value, and
  13935. may reject unrecognized values.
  13936. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13937. type: string
  13938. kind:
  13939. description: |-
  13940. Kind is a string value representing the REST resource this object represents.
  13941. Servers may infer this from the endpoint the client submits requests to.
  13942. Cannot be updated.
  13943. In CamelCase.
  13944. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13945. type: string
  13946. metadata:
  13947. type: object
  13948. spec:
  13949. description: PushSecretSpec configures the behavior of the PushSecret.
  13950. properties:
  13951. data:
  13952. description: Secret Data that should be pushed to providers
  13953. items:
  13954. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  13955. properties:
  13956. conversionStrategy:
  13957. default: None
  13958. description: Used to define a conversion Strategy for the secret keys
  13959. enum:
  13960. - None
  13961. - ReverseUnicode
  13962. type: string
  13963. match:
  13964. description: Match a given Secret Key to be pushed to the provider.
  13965. properties:
  13966. remoteRef:
  13967. description: Remote Refs to push to providers.
  13968. properties:
  13969. property:
  13970. description: Name of the property in the resulting secret
  13971. type: string
  13972. remoteKey:
  13973. description: Name of the resulting provider secret.
  13974. type: string
  13975. required:
  13976. - remoteKey
  13977. type: object
  13978. secretKey:
  13979. description: Secret Key to be pushed
  13980. type: string
  13981. required:
  13982. - remoteRef
  13983. type: object
  13984. metadata:
  13985. description: |-
  13986. Metadata is metadata attached to the secret.
  13987. The structure of metadata is provider specific, please look it up in the provider documentation.
  13988. x-kubernetes-preserve-unknown-fields: true
  13989. required:
  13990. - match
  13991. type: object
  13992. type: array
  13993. dataTo:
  13994. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  13995. items:
  13996. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  13997. properties:
  13998. conversionStrategy:
  13999. default: None
  14000. description: Used to define a conversion Strategy for the secret keys
  14001. enum:
  14002. - None
  14003. - ReverseUnicode
  14004. type: string
  14005. match:
  14006. description: |-
  14007. Match pattern for selecting keys from the source Secret.
  14008. If not specified, all keys are selected.
  14009. properties:
  14010. regexp:
  14011. description: |-
  14012. Regexp matches keys by regular expression.
  14013. If not specified, all keys are matched.
  14014. type: string
  14015. type: object
  14016. metadata:
  14017. description: |-
  14018. Metadata is metadata attached to the secret.
  14019. The structure of metadata is provider specific, please look it up in the provider documentation.
  14020. x-kubernetes-preserve-unknown-fields: true
  14021. remoteKey:
  14022. description: |-
  14023. RemoteKey is the name of the single provider secret that will receive ALL
  14024. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14025. When set, per-key expansion is skipped and a single push is performed.
  14026. The provider's store prefix (if any) is still prepended to this value.
  14027. When not set, each matched key is pushed as its own individual provider secret.
  14028. type: string
  14029. rewrite:
  14030. description: |-
  14031. Rewrite operations to transform keys before pushing to the provider.
  14032. Operations are applied sequentially.
  14033. items:
  14034. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14035. properties:
  14036. regexp:
  14037. description: Used to rewrite with regular expressions.
  14038. properties:
  14039. source:
  14040. description: Used to define the regular expression of a re.Compiler.
  14041. type: string
  14042. target:
  14043. description: Used to define the target pattern of a ReplaceAll operation.
  14044. type: string
  14045. required:
  14046. - source
  14047. - target
  14048. type: object
  14049. transform:
  14050. description: Used to apply string transformation on the secrets.
  14051. properties:
  14052. template:
  14053. description: |-
  14054. Used to define the template to apply on the secret name.
  14055. `.value ` will specify the secret name in the template.
  14056. type: string
  14057. required:
  14058. - template
  14059. type: object
  14060. type: object
  14061. x-kubernetes-validations:
  14062. - message: exactly one of regexp or transform must be set
  14063. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14064. type: array
  14065. storeRef:
  14066. description: StoreRef specifies which SecretStore to push to. Required.
  14067. properties:
  14068. kind:
  14069. default: SecretStore
  14070. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14071. enum:
  14072. - SecretStore
  14073. - ClusterSecretStore
  14074. type: string
  14075. labelSelector:
  14076. description: Optionally, sync to secret stores with label selector
  14077. properties:
  14078. matchExpressions:
  14079. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14080. items:
  14081. description: |-
  14082. A label selector requirement is a selector that contains values, a key, and an operator that
  14083. relates the key and values.
  14084. properties:
  14085. key:
  14086. description: key is the label key that the selector applies to.
  14087. type: string
  14088. operator:
  14089. description: |-
  14090. operator represents a key's relationship to a set of values.
  14091. Valid operators are In, NotIn, Exists and DoesNotExist.
  14092. type: string
  14093. values:
  14094. description: |-
  14095. values is an array of string values. If the operator is In or NotIn,
  14096. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14097. the values array must be empty. This array is replaced during a strategic
  14098. merge patch.
  14099. items:
  14100. type: string
  14101. type: array
  14102. x-kubernetes-list-type: atomic
  14103. required:
  14104. - key
  14105. - operator
  14106. type: object
  14107. type: array
  14108. x-kubernetes-list-type: atomic
  14109. matchLabels:
  14110. additionalProperties:
  14111. type: string
  14112. description: |-
  14113. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14114. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14115. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14116. type: object
  14117. type: object
  14118. x-kubernetes-map-type: atomic
  14119. name:
  14120. description: Optionally, sync to the SecretStore of the given name
  14121. maxLength: 253
  14122. minLength: 1
  14123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14124. type: string
  14125. type: object
  14126. type: object
  14127. x-kubernetes-validations:
  14128. - message: storeRef must specify either name or labelSelector
  14129. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14130. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14131. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14132. type: array
  14133. deletionPolicy:
  14134. default: None
  14135. description: Deletion Policy to handle Secrets in the provider.
  14136. enum:
  14137. - Delete
  14138. - None
  14139. type: string
  14140. refreshInterval:
  14141. default: 1h0m0s
  14142. description: The Interval to which External Secrets will try to push a secret definition
  14143. type: string
  14144. secretStoreRefs:
  14145. items:
  14146. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14147. properties:
  14148. kind:
  14149. default: SecretStore
  14150. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14151. enum:
  14152. - SecretStore
  14153. - ClusterSecretStore
  14154. type: string
  14155. labelSelector:
  14156. description: Optionally, sync to secret stores with label selector
  14157. properties:
  14158. matchExpressions:
  14159. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14160. items:
  14161. description: |-
  14162. A label selector requirement is a selector that contains values, a key, and an operator that
  14163. relates the key and values.
  14164. properties:
  14165. key:
  14166. description: key is the label key that the selector applies to.
  14167. type: string
  14168. operator:
  14169. description: |-
  14170. operator represents a key's relationship to a set of values.
  14171. Valid operators are In, NotIn, Exists and DoesNotExist.
  14172. type: string
  14173. values:
  14174. description: |-
  14175. values is an array of string values. If the operator is In or NotIn,
  14176. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14177. the values array must be empty. This array is replaced during a strategic
  14178. merge patch.
  14179. items:
  14180. type: string
  14181. type: array
  14182. x-kubernetes-list-type: atomic
  14183. required:
  14184. - key
  14185. - operator
  14186. type: object
  14187. type: array
  14188. x-kubernetes-list-type: atomic
  14189. matchLabels:
  14190. additionalProperties:
  14191. type: string
  14192. description: |-
  14193. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14194. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14195. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14196. type: object
  14197. type: object
  14198. x-kubernetes-map-type: atomic
  14199. name:
  14200. description: Optionally, sync to the SecretStore of the given name
  14201. maxLength: 253
  14202. minLength: 1
  14203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14204. type: string
  14205. type: object
  14206. type: array
  14207. selector:
  14208. description: The Secret Selector (k8s source) for the Push Secret
  14209. maxProperties: 1
  14210. minProperties: 1
  14211. properties:
  14212. generatorRef:
  14213. description: Point to a generator to create a Secret.
  14214. properties:
  14215. apiVersion:
  14216. default: generators.external-secrets.io/v1alpha1
  14217. description: Specify the apiVersion of the generator resource
  14218. type: string
  14219. kind:
  14220. description: Specify the Kind of the generator resource
  14221. enum:
  14222. - ACRAccessToken
  14223. - ClusterGenerator
  14224. - CloudsmithAccessToken
  14225. - ECRAuthorizationToken
  14226. - Fake
  14227. - GCRAccessToken
  14228. - GithubAccessToken
  14229. - QuayAccessToken
  14230. - Password
  14231. - SSHKey
  14232. - STSAssumeRoleToken
  14233. - STSSessionToken
  14234. - UUID
  14235. - VaultDynamicSecret
  14236. - Webhook
  14237. - Grafana
  14238. - MFA
  14239. type: string
  14240. name:
  14241. description: Specify the name of the generator resource
  14242. maxLength: 253
  14243. minLength: 1
  14244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14245. type: string
  14246. required:
  14247. - kind
  14248. - name
  14249. type: object
  14250. secret:
  14251. description: Select a Secret to Push.
  14252. properties:
  14253. name:
  14254. description: |-
  14255. Name of the Secret.
  14256. The Secret must exist in the same namespace as the PushSecret manifest.
  14257. maxLength: 253
  14258. minLength: 1
  14259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14260. type: string
  14261. selector:
  14262. description: Selector chooses secrets using a labelSelector.
  14263. properties:
  14264. matchExpressions:
  14265. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14266. items:
  14267. description: |-
  14268. A label selector requirement is a selector that contains values, a key, and an operator that
  14269. relates the key and values.
  14270. properties:
  14271. key:
  14272. description: key is the label key that the selector applies to.
  14273. type: string
  14274. operator:
  14275. description: |-
  14276. operator represents a key's relationship to a set of values.
  14277. Valid operators are In, NotIn, Exists and DoesNotExist.
  14278. type: string
  14279. values:
  14280. description: |-
  14281. values is an array of string values. If the operator is In or NotIn,
  14282. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14283. the values array must be empty. This array is replaced during a strategic
  14284. merge patch.
  14285. items:
  14286. type: string
  14287. type: array
  14288. x-kubernetes-list-type: atomic
  14289. required:
  14290. - key
  14291. - operator
  14292. type: object
  14293. type: array
  14294. x-kubernetes-list-type: atomic
  14295. matchLabels:
  14296. additionalProperties:
  14297. type: string
  14298. description: |-
  14299. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14300. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14301. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14302. type: object
  14303. type: object
  14304. x-kubernetes-map-type: atomic
  14305. type: object
  14306. type: object
  14307. template:
  14308. description: Template defines a blueprint for the created Secret resource.
  14309. properties:
  14310. data:
  14311. additionalProperties:
  14312. type: string
  14313. type: object
  14314. engineVersion:
  14315. default: v2
  14316. description: |-
  14317. EngineVersion specifies the template engine version
  14318. that should be used to compile/execute the
  14319. template specified in .data and .templateFrom[].
  14320. enum:
  14321. - v2
  14322. type: string
  14323. mergePolicy:
  14324. default: Replace
  14325. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14326. enum:
  14327. - Replace
  14328. - Merge
  14329. type: string
  14330. metadata:
  14331. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14332. properties:
  14333. annotations:
  14334. additionalProperties:
  14335. type: string
  14336. type: object
  14337. finalizers:
  14338. items:
  14339. type: string
  14340. type: array
  14341. labels:
  14342. additionalProperties:
  14343. type: string
  14344. type: object
  14345. type: object
  14346. templateFrom:
  14347. items:
  14348. description: |-
  14349. TemplateFrom specifies a source for templates.
  14350. Each item in the list can either reference a ConfigMap or a Secret resource.
  14351. properties:
  14352. configMap:
  14353. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14354. properties:
  14355. items:
  14356. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14357. items:
  14358. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14359. properties:
  14360. key:
  14361. description: A key in the ConfigMap/Secret
  14362. maxLength: 253
  14363. minLength: 1
  14364. pattern: ^[-._a-zA-Z0-9]+$
  14365. type: string
  14366. templateAs:
  14367. default: Values
  14368. description: TemplateScope specifies how the template keys should be interpreted.
  14369. enum:
  14370. - Values
  14371. - KeysAndValues
  14372. type: string
  14373. required:
  14374. - key
  14375. type: object
  14376. type: array
  14377. name:
  14378. description: The name of the ConfigMap/Secret resource
  14379. maxLength: 253
  14380. minLength: 1
  14381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14382. type: string
  14383. required:
  14384. - items
  14385. - name
  14386. type: object
  14387. literal:
  14388. type: string
  14389. secret:
  14390. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14391. properties:
  14392. items:
  14393. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14394. items:
  14395. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14396. properties:
  14397. key:
  14398. description: A key in the ConfigMap/Secret
  14399. maxLength: 253
  14400. minLength: 1
  14401. pattern: ^[-._a-zA-Z0-9]+$
  14402. type: string
  14403. templateAs:
  14404. default: Values
  14405. description: TemplateScope specifies how the template keys should be interpreted.
  14406. enum:
  14407. - Values
  14408. - KeysAndValues
  14409. type: string
  14410. required:
  14411. - key
  14412. type: object
  14413. type: array
  14414. name:
  14415. description: The name of the ConfigMap/Secret resource
  14416. maxLength: 253
  14417. minLength: 1
  14418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14419. type: string
  14420. required:
  14421. - items
  14422. - name
  14423. type: object
  14424. target:
  14425. default: Data
  14426. description: |-
  14427. Target specifies where to place the template result.
  14428. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14429. For custom resources (when spec.target.manifest is set), this supports
  14430. nested paths like "spec.database.config" or "data".
  14431. type: string
  14432. type: object
  14433. type: array
  14434. type:
  14435. type: string
  14436. type: object
  14437. updatePolicy:
  14438. default: Replace
  14439. description: UpdatePolicy to handle Secrets in the provider.
  14440. enum:
  14441. - Replace
  14442. - IfNotExists
  14443. type: string
  14444. required:
  14445. - secretStoreRefs
  14446. - selector
  14447. type: object
  14448. status:
  14449. description: PushSecretStatus indicates the history of the status of PushSecret.
  14450. properties:
  14451. conditions:
  14452. items:
  14453. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14454. properties:
  14455. lastTransitionTime:
  14456. format: date-time
  14457. type: string
  14458. message:
  14459. type: string
  14460. reason:
  14461. type: string
  14462. status:
  14463. type: string
  14464. type:
  14465. description: PushSecretConditionType indicates the condition of the PushSecret.
  14466. type: string
  14467. required:
  14468. - status
  14469. - type
  14470. type: object
  14471. type: array
  14472. refreshTime:
  14473. description: |-
  14474. refreshTime is the time and date the external secret was fetched and
  14475. the target secret updated
  14476. format: date-time
  14477. nullable: true
  14478. type: string
  14479. syncedPushSecrets:
  14480. additionalProperties:
  14481. additionalProperties:
  14482. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14483. properties:
  14484. conversionStrategy:
  14485. default: None
  14486. description: Used to define a conversion Strategy for the secret keys
  14487. enum:
  14488. - None
  14489. - ReverseUnicode
  14490. type: string
  14491. match:
  14492. description: Match a given Secret Key to be pushed to the provider.
  14493. properties:
  14494. remoteRef:
  14495. description: Remote Refs to push to providers.
  14496. properties:
  14497. property:
  14498. description: Name of the property in the resulting secret
  14499. type: string
  14500. remoteKey:
  14501. description: Name of the resulting provider secret.
  14502. type: string
  14503. required:
  14504. - remoteKey
  14505. type: object
  14506. secretKey:
  14507. description: Secret Key to be pushed
  14508. type: string
  14509. required:
  14510. - remoteRef
  14511. type: object
  14512. metadata:
  14513. description: |-
  14514. Metadata is metadata attached to the secret.
  14515. The structure of metadata is provider specific, please look it up in the provider documentation.
  14516. x-kubernetes-preserve-unknown-fields: true
  14517. required:
  14518. - match
  14519. type: object
  14520. type: object
  14521. description: |-
  14522. Synced PushSecrets, including secrets that already exist in provider.
  14523. Matches secret stores to PushSecretData that was stored to that secret store.
  14524. type: object
  14525. syncedResourceVersion:
  14526. description: SyncedResourceVersion keeps track of the last synced version.
  14527. type: string
  14528. type: object
  14529. type: object
  14530. served: true
  14531. storage: true
  14532. subresources:
  14533. status: {}
  14534. ---
  14535. apiVersion: apiextensions.k8s.io/v1
  14536. kind: CustomResourceDefinition
  14537. metadata:
  14538. annotations:
  14539. controller-gen.kubebuilder.io/version: v0.19.0
  14540. labels:
  14541. external-secrets.io/component: controller
  14542. name: secretstores.external-secrets.io
  14543. spec:
  14544. group: external-secrets.io
  14545. names:
  14546. categories:
  14547. - external-secrets
  14548. kind: SecretStore
  14549. listKind: SecretStoreList
  14550. plural: secretstores
  14551. shortNames:
  14552. - ss
  14553. singular: secretstore
  14554. scope: Namespaced
  14555. versions:
  14556. - additionalPrinterColumns:
  14557. - jsonPath: .metadata.creationTimestamp
  14558. name: AGE
  14559. type: date
  14560. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14561. name: Status
  14562. type: string
  14563. - jsonPath: .status.capabilities
  14564. name: Capabilities
  14565. type: string
  14566. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  14567. name: Ready
  14568. type: string
  14569. name: v1
  14570. schema:
  14571. openAPIV3Schema:
  14572. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  14573. properties:
  14574. apiVersion:
  14575. description: |-
  14576. APIVersion defines the versioned schema of this representation of an object.
  14577. Servers should convert recognized schemas to the latest internal value, and
  14578. may reject unrecognized values.
  14579. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14580. type: string
  14581. kind:
  14582. description: |-
  14583. Kind is a string value representing the REST resource this object represents.
  14584. Servers may infer this from the endpoint the client submits requests to.
  14585. Cannot be updated.
  14586. In CamelCase.
  14587. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14588. type: string
  14589. metadata:
  14590. type: object
  14591. spec:
  14592. description: SecretStoreSpec defines the desired state of SecretStore.
  14593. properties:
  14594. conditions:
  14595. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  14596. items:
  14597. description: |-
  14598. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  14599. for a ClusterSecretStore instance.
  14600. properties:
  14601. namespaceRegexes:
  14602. description: Choose namespaces by using regex matching
  14603. items:
  14604. type: string
  14605. type: array
  14606. namespaceSelector:
  14607. description: Choose namespace using a labelSelector
  14608. properties:
  14609. matchExpressions:
  14610. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14611. items:
  14612. description: |-
  14613. A label selector requirement is a selector that contains values, a key, and an operator that
  14614. relates the key and values.
  14615. properties:
  14616. key:
  14617. description: key is the label key that the selector applies to.
  14618. type: string
  14619. operator:
  14620. description: |-
  14621. operator represents a key's relationship to a set of values.
  14622. Valid operators are In, NotIn, Exists and DoesNotExist.
  14623. type: string
  14624. values:
  14625. description: |-
  14626. values is an array of string values. If the operator is In or NotIn,
  14627. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14628. the values array must be empty. This array is replaced during a strategic
  14629. merge patch.
  14630. items:
  14631. type: string
  14632. type: array
  14633. x-kubernetes-list-type: atomic
  14634. required:
  14635. - key
  14636. - operator
  14637. type: object
  14638. type: array
  14639. x-kubernetes-list-type: atomic
  14640. matchLabels:
  14641. additionalProperties:
  14642. type: string
  14643. description: |-
  14644. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14645. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14646. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14647. type: object
  14648. type: object
  14649. x-kubernetes-map-type: atomic
  14650. namespaces:
  14651. description: Choose namespaces by name
  14652. items:
  14653. maxLength: 63
  14654. minLength: 1
  14655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14656. type: string
  14657. type: array
  14658. type: object
  14659. type: array
  14660. controller:
  14661. description: |-
  14662. Used to select the correct ESO controller (think: ingress.ingressClassName)
  14663. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  14664. type: string
  14665. provider:
  14666. description: Used to configure the provider. Only one provider may be set
  14667. maxProperties: 1
  14668. minProperties: 1
  14669. properties:
  14670. akeyless:
  14671. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  14672. properties:
  14673. akeylessGWApiURL:
  14674. description: Akeyless GW API Url from which the secrets to be fetched from.
  14675. type: string
  14676. authSecretRef:
  14677. description: Auth configures how the operator authenticates with Akeyless.
  14678. properties:
  14679. kubernetesAuth:
  14680. description: |-
  14681. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  14682. token stored in the named Secret resource.
  14683. properties:
  14684. accessID:
  14685. description: the Akeyless Kubernetes auth-method access-id
  14686. type: string
  14687. k8sConfName:
  14688. description: Kubernetes-auth configuration name in Akeyless-Gateway
  14689. type: string
  14690. secretRef:
  14691. description: |-
  14692. Optional secret field containing a Kubernetes ServiceAccount JWT used
  14693. for authenticating with Akeyless. If a name is specified without a key,
  14694. `token` is the default. If one is not specified, the one bound to
  14695. the controller will be used.
  14696. properties:
  14697. key:
  14698. description: |-
  14699. A key in the referenced Secret.
  14700. Some instances of this field may be defaulted, in others it may be required.
  14701. maxLength: 253
  14702. minLength: 1
  14703. pattern: ^[-._a-zA-Z0-9]+$
  14704. type: string
  14705. name:
  14706. description: The name of the Secret resource being referred to.
  14707. maxLength: 253
  14708. minLength: 1
  14709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14710. type: string
  14711. namespace:
  14712. description: |-
  14713. The namespace of the Secret resource being referred to.
  14714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14715. maxLength: 63
  14716. minLength: 1
  14717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14718. type: string
  14719. type: object
  14720. serviceAccountRef:
  14721. description: |-
  14722. Optional service account field containing the name of a kubernetes ServiceAccount.
  14723. If the service account is specified, the service account secret token JWT will be used
  14724. for authenticating with Akeyless. If the service account selector is not supplied,
  14725. the secretRef will be used instead.
  14726. properties:
  14727. audiences:
  14728. description: |-
  14729. Audience specifies the `aud` claim for the service account token
  14730. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14731. then this audiences will be appended to the list
  14732. items:
  14733. type: string
  14734. type: array
  14735. name:
  14736. description: The name of the ServiceAccount resource being referred to.
  14737. maxLength: 253
  14738. minLength: 1
  14739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14740. type: string
  14741. namespace:
  14742. description: |-
  14743. Namespace of the resource being referred to.
  14744. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14745. maxLength: 63
  14746. minLength: 1
  14747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14748. type: string
  14749. required:
  14750. - name
  14751. type: object
  14752. required:
  14753. - accessID
  14754. - k8sConfName
  14755. type: object
  14756. secretRef:
  14757. description: |-
  14758. Reference to a Secret that contains the details
  14759. to authenticate with Akeyless.
  14760. properties:
  14761. accessID:
  14762. description: The SecretAccessID is used for authentication
  14763. properties:
  14764. key:
  14765. description: |-
  14766. A key in the referenced Secret.
  14767. Some instances of this field may be defaulted, in others it may be required.
  14768. maxLength: 253
  14769. minLength: 1
  14770. pattern: ^[-._a-zA-Z0-9]+$
  14771. type: string
  14772. name:
  14773. description: The name of the Secret resource being referred to.
  14774. maxLength: 253
  14775. minLength: 1
  14776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14777. type: string
  14778. namespace:
  14779. description: |-
  14780. The namespace of the Secret resource being referred to.
  14781. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14782. maxLength: 63
  14783. minLength: 1
  14784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14785. type: string
  14786. type: object
  14787. accessType:
  14788. description: |-
  14789. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14790. In some instances, `key` is a required field.
  14791. properties:
  14792. key:
  14793. description: |-
  14794. A key in the referenced Secret.
  14795. Some instances of this field may be defaulted, in others it may be required.
  14796. maxLength: 253
  14797. minLength: 1
  14798. pattern: ^[-._a-zA-Z0-9]+$
  14799. type: string
  14800. name:
  14801. description: The name of the Secret resource being referred to.
  14802. maxLength: 253
  14803. minLength: 1
  14804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14805. type: string
  14806. namespace:
  14807. description: |-
  14808. The namespace of the Secret resource being referred to.
  14809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14810. maxLength: 63
  14811. minLength: 1
  14812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14813. type: string
  14814. type: object
  14815. accessTypeParam:
  14816. description: |-
  14817. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14818. In some instances, `key` is a required field.
  14819. properties:
  14820. key:
  14821. description: |-
  14822. A key in the referenced Secret.
  14823. Some instances of this field may be defaulted, in others it may be required.
  14824. maxLength: 253
  14825. minLength: 1
  14826. pattern: ^[-._a-zA-Z0-9]+$
  14827. type: string
  14828. name:
  14829. description: The name of the Secret resource being referred to.
  14830. maxLength: 253
  14831. minLength: 1
  14832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14833. type: string
  14834. namespace:
  14835. description: |-
  14836. The namespace of the Secret resource being referred to.
  14837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14838. maxLength: 63
  14839. minLength: 1
  14840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14841. type: string
  14842. type: object
  14843. type: object
  14844. type: object
  14845. caBundle:
  14846. description: |-
  14847. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  14848. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  14849. are used to validate the TLS connection.
  14850. format: byte
  14851. type: string
  14852. caProvider:
  14853. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  14854. properties:
  14855. key:
  14856. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  14857. maxLength: 253
  14858. minLength: 1
  14859. pattern: ^[-._a-zA-Z0-9]+$
  14860. type: string
  14861. name:
  14862. description: The name of the object located at the provider type.
  14863. maxLength: 253
  14864. minLength: 1
  14865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14866. type: string
  14867. namespace:
  14868. description: |-
  14869. The namespace the Provider type is in.
  14870. Can only be defined when used in a ClusterSecretStore.
  14871. maxLength: 63
  14872. minLength: 1
  14873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14874. type: string
  14875. type:
  14876. description: The type of provider to use such as "Secret", or "ConfigMap".
  14877. enum:
  14878. - Secret
  14879. - ConfigMap
  14880. type: string
  14881. required:
  14882. - name
  14883. - type
  14884. type: object
  14885. required:
  14886. - akeylessGWApiURL
  14887. - authSecretRef
  14888. type: object
  14889. aws:
  14890. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  14891. properties:
  14892. additionalRoles:
  14893. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  14894. items:
  14895. type: string
  14896. type: array
  14897. auth:
  14898. description: |-
  14899. Auth defines the information necessary to authenticate against AWS
  14900. if not set aws sdk will infer credentials from your environment
  14901. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  14902. properties:
  14903. jwt:
  14904. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  14905. properties:
  14906. serviceAccountRef:
  14907. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  14908. properties:
  14909. audiences:
  14910. description: |-
  14911. Audience specifies the `aud` claim for the service account token
  14912. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14913. then this audiences will be appended to the list
  14914. items:
  14915. type: string
  14916. type: array
  14917. name:
  14918. description: The name of the ServiceAccount resource being referred to.
  14919. maxLength: 253
  14920. minLength: 1
  14921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14922. type: string
  14923. namespace:
  14924. description: |-
  14925. Namespace of the resource being referred to.
  14926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14927. maxLength: 63
  14928. minLength: 1
  14929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14930. type: string
  14931. required:
  14932. - name
  14933. type: object
  14934. type: object
  14935. secretRef:
  14936. description: |-
  14937. AWSAuthSecretRef holds secret references for AWS credentials
  14938. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  14939. properties:
  14940. accessKeyIDSecretRef:
  14941. description: The AccessKeyID is used for authentication
  14942. properties:
  14943. key:
  14944. description: |-
  14945. A key in the referenced Secret.
  14946. Some instances of this field may be defaulted, in others it may be required.
  14947. maxLength: 253
  14948. minLength: 1
  14949. pattern: ^[-._a-zA-Z0-9]+$
  14950. type: string
  14951. name:
  14952. description: The name of the Secret resource being referred to.
  14953. maxLength: 253
  14954. minLength: 1
  14955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14956. type: string
  14957. namespace:
  14958. description: |-
  14959. The namespace of the Secret resource being referred to.
  14960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14961. maxLength: 63
  14962. minLength: 1
  14963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14964. type: string
  14965. type: object
  14966. secretAccessKeySecretRef:
  14967. description: The SecretAccessKey is used for authentication
  14968. properties:
  14969. key:
  14970. description: |-
  14971. A key in the referenced Secret.
  14972. Some instances of this field may be defaulted, in others it may be required.
  14973. maxLength: 253
  14974. minLength: 1
  14975. pattern: ^[-._a-zA-Z0-9]+$
  14976. type: string
  14977. name:
  14978. description: The name of the Secret resource being referred to.
  14979. maxLength: 253
  14980. minLength: 1
  14981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14982. type: string
  14983. namespace:
  14984. description: |-
  14985. The namespace of the Secret resource being referred to.
  14986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14987. maxLength: 63
  14988. minLength: 1
  14989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14990. type: string
  14991. type: object
  14992. sessionTokenSecretRef:
  14993. description: |-
  14994. The SessionToken used for authentication
  14995. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  14996. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  14997. properties:
  14998. key:
  14999. description: |-
  15000. A key in the referenced Secret.
  15001. Some instances of this field may be defaulted, in others it may be required.
  15002. maxLength: 253
  15003. minLength: 1
  15004. pattern: ^[-._a-zA-Z0-9]+$
  15005. type: string
  15006. name:
  15007. description: The name of the Secret resource being referred to.
  15008. maxLength: 253
  15009. minLength: 1
  15010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15011. type: string
  15012. namespace:
  15013. description: |-
  15014. The namespace of the Secret resource being referred to.
  15015. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15016. maxLength: 63
  15017. minLength: 1
  15018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15019. type: string
  15020. type: object
  15021. type: object
  15022. type: object
  15023. customSessionTags:
  15024. additionalProperties:
  15025. type: string
  15026. description: |-
  15027. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15028. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15029. type: object
  15030. x-kubernetes-validations:
  15031. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15032. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15033. externalID:
  15034. description: AWS External ID set on assumed IAM roles
  15035. type: string
  15036. prefix:
  15037. description: Prefix adds a prefix to all retrieved values.
  15038. type: string
  15039. region:
  15040. description: AWS Region to be used for the provider
  15041. type: string
  15042. role:
  15043. description: Role is a Role ARN which the provider will assume
  15044. type: string
  15045. secretsManager:
  15046. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15047. properties:
  15048. forceDeleteWithoutRecovery:
  15049. description: |-
  15050. Specifies whether to delete the secret without any recovery window. You
  15051. can't use both this parameter and RecoveryWindowInDays in the same call.
  15052. If you don't use either, then by default Secrets Manager uses a 30 day
  15053. recovery window.
  15054. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15055. type: boolean
  15056. recoveryWindowInDays:
  15057. description: |-
  15058. The number of days from 7 to 30 that Secrets Manager waits before
  15059. permanently deleting the secret. You can't use both this parameter and
  15060. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15061. then by default Secrets Manager uses a 30-day recovery window.
  15062. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15063. format: int64
  15064. type: integer
  15065. type: object
  15066. service:
  15067. description: Service defines which service should be used to fetch the secrets
  15068. enum:
  15069. - SecretsManager
  15070. - ParameterStore
  15071. type: string
  15072. sessionTags:
  15073. description: AWS STS assume role session tags
  15074. items:
  15075. description: |-
  15076. Tag is a key-value pair that can be attached to an AWS resource.
  15077. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15078. properties:
  15079. key:
  15080. type: string
  15081. value:
  15082. type: string
  15083. required:
  15084. - key
  15085. - value
  15086. type: object
  15087. type: array
  15088. sessionTagsPolicy:
  15089. default: None
  15090. description: |-
  15091. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15092. None (default): no tags are added.
  15093. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15094. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15095. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15096. enum:
  15097. - None
  15098. - Simple
  15099. - Custom
  15100. type: string
  15101. transitiveTagKeys:
  15102. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15103. items:
  15104. type: string
  15105. type: array
  15106. required:
  15107. - region
  15108. - service
  15109. type: object
  15110. azurekv:
  15111. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15112. properties:
  15113. authSecretRef:
  15114. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15115. properties:
  15116. clientCertificate:
  15117. description: The Azure ClientCertificate of the service principle used for authentication.
  15118. properties:
  15119. key:
  15120. description: |-
  15121. A key in the referenced Secret.
  15122. Some instances of this field may be defaulted, in others it may be required.
  15123. maxLength: 253
  15124. minLength: 1
  15125. pattern: ^[-._a-zA-Z0-9]+$
  15126. type: string
  15127. name:
  15128. description: The name of the Secret resource being referred to.
  15129. maxLength: 253
  15130. minLength: 1
  15131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15132. type: string
  15133. namespace:
  15134. description: |-
  15135. The namespace of the Secret resource being referred to.
  15136. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15137. maxLength: 63
  15138. minLength: 1
  15139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15140. type: string
  15141. type: object
  15142. clientId:
  15143. description: The Azure clientId of the service principle or managed identity used for authentication.
  15144. properties:
  15145. key:
  15146. description: |-
  15147. A key in the referenced Secret.
  15148. Some instances of this field may be defaulted, in others it may be required.
  15149. maxLength: 253
  15150. minLength: 1
  15151. pattern: ^[-._a-zA-Z0-9]+$
  15152. type: string
  15153. name:
  15154. description: The name of the Secret resource being referred to.
  15155. maxLength: 253
  15156. minLength: 1
  15157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15158. type: string
  15159. namespace:
  15160. description: |-
  15161. The namespace of the Secret resource being referred to.
  15162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15163. maxLength: 63
  15164. minLength: 1
  15165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15166. type: string
  15167. type: object
  15168. clientSecret:
  15169. description: The Azure ClientSecret of the service principle used for authentication.
  15170. properties:
  15171. key:
  15172. description: |-
  15173. A key in the referenced Secret.
  15174. Some instances of this field may be defaulted, in others it may be required.
  15175. maxLength: 253
  15176. minLength: 1
  15177. pattern: ^[-._a-zA-Z0-9]+$
  15178. type: string
  15179. name:
  15180. description: The name of the Secret resource being referred to.
  15181. maxLength: 253
  15182. minLength: 1
  15183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15184. type: string
  15185. namespace:
  15186. description: |-
  15187. The namespace of the Secret resource being referred to.
  15188. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15189. maxLength: 63
  15190. minLength: 1
  15191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15192. type: string
  15193. type: object
  15194. tenantId:
  15195. description: The Azure tenantId of the managed identity used for authentication.
  15196. properties:
  15197. key:
  15198. description: |-
  15199. A key in the referenced Secret.
  15200. Some instances of this field may be defaulted, in others it may be required.
  15201. maxLength: 253
  15202. minLength: 1
  15203. pattern: ^[-._a-zA-Z0-9]+$
  15204. type: string
  15205. name:
  15206. description: The name of the Secret resource being referred to.
  15207. maxLength: 253
  15208. minLength: 1
  15209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15210. type: string
  15211. namespace:
  15212. description: |-
  15213. The namespace of the Secret resource being referred to.
  15214. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15215. maxLength: 63
  15216. minLength: 1
  15217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15218. type: string
  15219. type: object
  15220. type: object
  15221. authType:
  15222. default: ServicePrincipal
  15223. description: |-
  15224. Auth type defines how to authenticate to the keyvault service.
  15225. Valid values are:
  15226. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15227. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15228. enum:
  15229. - ServicePrincipal
  15230. - ManagedIdentity
  15231. - WorkloadIdentity
  15232. type: string
  15233. customCloudConfig:
  15234. description: |-
  15235. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15236. Required when EnvironmentType is AzureStackCloud.
  15237. Optional for other environment types - useful for Azure China when using Workload Identity
  15238. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15239. standard China Cloud endpoint (login.chinacloudapi.cn).
  15240. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15241. configuration is not supported with the legacy go-autorest SDK.
  15242. properties:
  15243. activeDirectoryEndpoint:
  15244. description: |-
  15245. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15246. Required when using custom cloud configuration
  15247. type: string
  15248. keyVaultDNSSuffix:
  15249. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15250. type: string
  15251. keyVaultEndpoint:
  15252. description: KeyVaultEndpoint is the Key Vault service endpoint
  15253. type: string
  15254. resourceManagerEndpoint:
  15255. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15256. type: string
  15257. required:
  15258. - activeDirectoryEndpoint
  15259. type: object
  15260. environmentType:
  15261. default: PublicCloud
  15262. description: |-
  15263. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15264. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15265. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15266. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15267. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15268. enum:
  15269. - PublicCloud
  15270. - USGovernmentCloud
  15271. - ChinaCloud
  15272. - GermanCloud
  15273. - AzureStackCloud
  15274. type: string
  15275. identityId:
  15276. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  15277. type: string
  15278. serviceAccountRef:
  15279. description: |-
  15280. ServiceAccountRef specified the service account
  15281. that should be used when authenticating with WorkloadIdentity.
  15282. properties:
  15283. audiences:
  15284. description: |-
  15285. Audience specifies the `aud` claim for the service account token
  15286. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15287. then this audiences will be appended to the list
  15288. items:
  15289. type: string
  15290. type: array
  15291. name:
  15292. description: The name of the ServiceAccount resource being referred to.
  15293. maxLength: 253
  15294. minLength: 1
  15295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15296. type: string
  15297. namespace:
  15298. description: |-
  15299. Namespace of the resource being referred to.
  15300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15301. maxLength: 63
  15302. minLength: 1
  15303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15304. type: string
  15305. required:
  15306. - name
  15307. type: object
  15308. tenantId:
  15309. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15310. type: string
  15311. useAzureSDK:
  15312. default: false
  15313. description: |-
  15314. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15315. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15316. type: boolean
  15317. vaultUrl:
  15318. description: Vault Url from which the secrets to be fetched from.
  15319. type: string
  15320. required:
  15321. - vaultUrl
  15322. type: object
  15323. barbican:
  15324. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15325. properties:
  15326. auth:
  15327. description: BarbicanAuth contains the authentication information for Barbican.
  15328. properties:
  15329. password:
  15330. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15331. properties:
  15332. secretRef:
  15333. description: |-
  15334. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15335. In some instances, `key` is a required field.
  15336. properties:
  15337. key:
  15338. description: |-
  15339. A key in the referenced Secret.
  15340. Some instances of this field may be defaulted, in others it may be required.
  15341. maxLength: 253
  15342. minLength: 1
  15343. pattern: ^[-._a-zA-Z0-9]+$
  15344. type: string
  15345. name:
  15346. description: The name of the Secret resource being referred to.
  15347. maxLength: 253
  15348. minLength: 1
  15349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15350. type: string
  15351. namespace:
  15352. description: |-
  15353. The namespace of the Secret resource being referred to.
  15354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15355. maxLength: 63
  15356. minLength: 1
  15357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15358. type: string
  15359. type: object
  15360. required:
  15361. - secretRef
  15362. type: object
  15363. username:
  15364. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  15365. maxProperties: 1
  15366. minProperties: 1
  15367. properties:
  15368. secretRef:
  15369. description: |-
  15370. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15371. In some instances, `key` is a required field.
  15372. properties:
  15373. key:
  15374. description: |-
  15375. A key in the referenced Secret.
  15376. Some instances of this field may be defaulted, in others it may be required.
  15377. maxLength: 253
  15378. minLength: 1
  15379. pattern: ^[-._a-zA-Z0-9]+$
  15380. type: string
  15381. name:
  15382. description: The name of the Secret resource being referred to.
  15383. maxLength: 253
  15384. minLength: 1
  15385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15386. type: string
  15387. namespace:
  15388. description: |-
  15389. The namespace of the Secret resource being referred to.
  15390. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15391. maxLength: 63
  15392. minLength: 1
  15393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15394. type: string
  15395. type: object
  15396. value:
  15397. type: string
  15398. type: object
  15399. required:
  15400. - password
  15401. - username
  15402. type: object
  15403. authURL:
  15404. type: string
  15405. domainName:
  15406. type: string
  15407. region:
  15408. type: string
  15409. tenantName:
  15410. type: string
  15411. required:
  15412. - auth
  15413. type: object
  15414. beyondtrust:
  15415. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15416. properties:
  15417. auth:
  15418. description: Auth configures how the operator authenticates with Beyondtrust.
  15419. properties:
  15420. apiKey:
  15421. description: APIKey If not provided then ClientID/ClientSecret become required.
  15422. properties:
  15423. secretRef:
  15424. description: SecretRef references a key in a secret that will be used as value.
  15425. properties:
  15426. key:
  15427. description: |-
  15428. A key in the referenced Secret.
  15429. Some instances of this field may be defaulted, in others it may be required.
  15430. maxLength: 253
  15431. minLength: 1
  15432. pattern: ^[-._a-zA-Z0-9]+$
  15433. type: string
  15434. name:
  15435. description: The name of the Secret resource being referred to.
  15436. maxLength: 253
  15437. minLength: 1
  15438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15439. type: string
  15440. namespace:
  15441. description: |-
  15442. The namespace of the Secret resource being referred to.
  15443. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15444. maxLength: 63
  15445. minLength: 1
  15446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15447. type: string
  15448. type: object
  15449. value:
  15450. description: Value can be specified directly to set a value without using a secret.
  15451. type: string
  15452. type: object
  15453. certificate:
  15454. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15455. properties:
  15456. secretRef:
  15457. description: SecretRef references a key in a secret that will be used as value.
  15458. properties:
  15459. key:
  15460. description: |-
  15461. A key in the referenced Secret.
  15462. Some instances of this field may be defaulted, in others it may be required.
  15463. maxLength: 253
  15464. minLength: 1
  15465. pattern: ^[-._a-zA-Z0-9]+$
  15466. type: string
  15467. name:
  15468. description: The name of the Secret resource being referred to.
  15469. maxLength: 253
  15470. minLength: 1
  15471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15472. type: string
  15473. namespace:
  15474. description: |-
  15475. The namespace of the Secret resource being referred to.
  15476. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15477. maxLength: 63
  15478. minLength: 1
  15479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15480. type: string
  15481. type: object
  15482. value:
  15483. description: Value can be specified directly to set a value without using a secret.
  15484. type: string
  15485. type: object
  15486. certificateKey:
  15487. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  15488. properties:
  15489. secretRef:
  15490. description: SecretRef references a key in a secret that will be used as value.
  15491. properties:
  15492. key:
  15493. description: |-
  15494. A key in the referenced Secret.
  15495. Some instances of this field may be defaulted, in others it may be required.
  15496. maxLength: 253
  15497. minLength: 1
  15498. pattern: ^[-._a-zA-Z0-9]+$
  15499. type: string
  15500. name:
  15501. description: The name of the Secret resource being referred to.
  15502. maxLength: 253
  15503. minLength: 1
  15504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15505. type: string
  15506. namespace:
  15507. description: |-
  15508. The namespace of the Secret resource being referred to.
  15509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15510. maxLength: 63
  15511. minLength: 1
  15512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15513. type: string
  15514. type: object
  15515. value:
  15516. description: Value can be specified directly to set a value without using a secret.
  15517. type: string
  15518. type: object
  15519. clientId:
  15520. description: ClientID is the API OAuth Client ID.
  15521. properties:
  15522. secretRef:
  15523. description: SecretRef references a key in a secret that will be used as value.
  15524. properties:
  15525. key:
  15526. description: |-
  15527. A key in the referenced Secret.
  15528. Some instances of this field may be defaulted, in others it may be required.
  15529. maxLength: 253
  15530. minLength: 1
  15531. pattern: ^[-._a-zA-Z0-9]+$
  15532. type: string
  15533. name:
  15534. description: The name of the Secret resource being referred to.
  15535. maxLength: 253
  15536. minLength: 1
  15537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15538. type: string
  15539. namespace:
  15540. description: |-
  15541. The namespace of the Secret resource being referred to.
  15542. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15543. maxLength: 63
  15544. minLength: 1
  15545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15546. type: string
  15547. type: object
  15548. value:
  15549. description: Value can be specified directly to set a value without using a secret.
  15550. type: string
  15551. type: object
  15552. clientSecret:
  15553. description: ClientSecret is the API OAuth Client Secret.
  15554. properties:
  15555. secretRef:
  15556. description: SecretRef references a key in a secret that will be used as value.
  15557. properties:
  15558. key:
  15559. description: |-
  15560. A key in the referenced Secret.
  15561. Some instances of this field may be defaulted, in others it may be required.
  15562. maxLength: 253
  15563. minLength: 1
  15564. pattern: ^[-._a-zA-Z0-9]+$
  15565. type: string
  15566. name:
  15567. description: The name of the Secret resource being referred to.
  15568. maxLength: 253
  15569. minLength: 1
  15570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15571. type: string
  15572. namespace:
  15573. description: |-
  15574. The namespace of the Secret resource being referred to.
  15575. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15576. maxLength: 63
  15577. minLength: 1
  15578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15579. type: string
  15580. type: object
  15581. value:
  15582. description: Value can be specified directly to set a value without using a secret.
  15583. type: string
  15584. type: object
  15585. type: object
  15586. server:
  15587. description: Auth configures how API server works.
  15588. properties:
  15589. apiUrl:
  15590. type: string
  15591. apiVersion:
  15592. type: string
  15593. clientTimeOutSeconds:
  15594. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  15595. type: integer
  15596. decrypt:
  15597. default: true
  15598. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  15599. type: boolean
  15600. retrievalType:
  15601. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  15602. type: string
  15603. separator:
  15604. description: A character that separates the folder names.
  15605. type: string
  15606. verifyCA:
  15607. type: boolean
  15608. required:
  15609. - apiUrl
  15610. - verifyCA
  15611. type: object
  15612. required:
  15613. - auth
  15614. - server
  15615. type: object
  15616. bitwardensecretsmanager:
  15617. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  15618. properties:
  15619. apiURL:
  15620. type: string
  15621. auth:
  15622. description: |-
  15623. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  15624. Make sure that the token being used has permissions on the given secret.
  15625. properties:
  15626. secretRef:
  15627. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  15628. properties:
  15629. credentials:
  15630. description: AccessToken used for the bitwarden instance.
  15631. properties:
  15632. key:
  15633. description: |-
  15634. A key in the referenced Secret.
  15635. Some instances of this field may be defaulted, in others it may be required.
  15636. maxLength: 253
  15637. minLength: 1
  15638. pattern: ^[-._a-zA-Z0-9]+$
  15639. type: string
  15640. name:
  15641. description: The name of the Secret resource being referred to.
  15642. maxLength: 253
  15643. minLength: 1
  15644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15645. type: string
  15646. namespace:
  15647. description: |-
  15648. The namespace of the Secret resource being referred to.
  15649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15650. maxLength: 63
  15651. minLength: 1
  15652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15653. type: string
  15654. type: object
  15655. required:
  15656. - credentials
  15657. type: object
  15658. required:
  15659. - secretRef
  15660. type: object
  15661. bitwardenServerSDKURL:
  15662. type: string
  15663. caBundle:
  15664. description: |-
  15665. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  15666. can be performed.
  15667. type: string
  15668. caProvider:
  15669. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  15670. properties:
  15671. key:
  15672. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15673. maxLength: 253
  15674. minLength: 1
  15675. pattern: ^[-._a-zA-Z0-9]+$
  15676. type: string
  15677. name:
  15678. description: The name of the object located at the provider type.
  15679. maxLength: 253
  15680. minLength: 1
  15681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15682. type: string
  15683. namespace:
  15684. description: |-
  15685. The namespace the Provider type is in.
  15686. Can only be defined when used in a ClusterSecretStore.
  15687. maxLength: 63
  15688. minLength: 1
  15689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15690. type: string
  15691. type:
  15692. description: The type of provider to use such as "Secret", or "ConfigMap".
  15693. enum:
  15694. - Secret
  15695. - ConfigMap
  15696. type: string
  15697. required:
  15698. - name
  15699. - type
  15700. type: object
  15701. identityURL:
  15702. type: string
  15703. organizationID:
  15704. description: OrganizationID determines which organization this secret store manages.
  15705. type: string
  15706. projectID:
  15707. description: ProjectID determines which project this secret store manages.
  15708. type: string
  15709. required:
  15710. - auth
  15711. - organizationID
  15712. - projectID
  15713. type: object
  15714. chef:
  15715. description: Chef configures this store to sync secrets with chef server
  15716. properties:
  15717. auth:
  15718. description: Auth defines the information necessary to authenticate against chef Server
  15719. properties:
  15720. secretRef:
  15721. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  15722. properties:
  15723. privateKeySecretRef:
  15724. description: SecretKey is the Signing Key in PEM format, used for authentication.
  15725. properties:
  15726. key:
  15727. description: |-
  15728. A key in the referenced Secret.
  15729. Some instances of this field may be defaulted, in others it may be required.
  15730. maxLength: 253
  15731. minLength: 1
  15732. pattern: ^[-._a-zA-Z0-9]+$
  15733. type: string
  15734. name:
  15735. description: The name of the Secret resource being referred to.
  15736. maxLength: 253
  15737. minLength: 1
  15738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15739. type: string
  15740. namespace:
  15741. description: |-
  15742. The namespace of the Secret resource being referred to.
  15743. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15744. maxLength: 63
  15745. minLength: 1
  15746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15747. type: string
  15748. type: object
  15749. required:
  15750. - privateKeySecretRef
  15751. type: object
  15752. required:
  15753. - secretRef
  15754. type: object
  15755. serverUrl:
  15756. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  15757. type: string
  15758. username:
  15759. description: UserName should be the user ID on the chef server
  15760. type: string
  15761. required:
  15762. - auth
  15763. - serverUrl
  15764. - username
  15765. type: object
  15766. cloudrusm:
  15767. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  15768. properties:
  15769. auth:
  15770. description: CSMAuth contains a secretRef for credentials.
  15771. properties:
  15772. secretRef:
  15773. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  15774. properties:
  15775. accessKeyIDSecretRef:
  15776. description: The AccessKeyID is used for authentication
  15777. properties:
  15778. key:
  15779. description: |-
  15780. A key in the referenced Secret.
  15781. Some instances of this field may be defaulted, in others it may be required.
  15782. maxLength: 253
  15783. minLength: 1
  15784. pattern: ^[-._a-zA-Z0-9]+$
  15785. type: string
  15786. name:
  15787. description: The name of the Secret resource being referred to.
  15788. maxLength: 253
  15789. minLength: 1
  15790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15791. type: string
  15792. namespace:
  15793. description: |-
  15794. The namespace of the Secret resource being referred to.
  15795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15796. maxLength: 63
  15797. minLength: 1
  15798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15799. type: string
  15800. type: object
  15801. accessKeySecretSecretRef:
  15802. description: The AccessKeySecret is used for authentication
  15803. properties:
  15804. key:
  15805. description: |-
  15806. A key in the referenced Secret.
  15807. Some instances of this field may be defaulted, in others it may be required.
  15808. maxLength: 253
  15809. minLength: 1
  15810. pattern: ^[-._a-zA-Z0-9]+$
  15811. type: string
  15812. name:
  15813. description: The name of the Secret resource being referred to.
  15814. maxLength: 253
  15815. minLength: 1
  15816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15817. type: string
  15818. namespace:
  15819. description: |-
  15820. The namespace of the Secret resource being referred to.
  15821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15822. maxLength: 63
  15823. minLength: 1
  15824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15825. type: string
  15826. type: object
  15827. required:
  15828. - accessKeyIDSecretRef
  15829. - accessKeySecretSecretRef
  15830. type: object
  15831. type: object
  15832. projectID:
  15833. description: ProjectID is the project, which the secrets are stored in.
  15834. type: string
  15835. required:
  15836. - auth
  15837. type: object
  15838. conjur:
  15839. description: Conjur configures this store to sync secrets using conjur provider
  15840. properties:
  15841. auth:
  15842. description: Defines authentication settings for connecting to Conjur.
  15843. properties:
  15844. apikey:
  15845. description: Authenticates with Conjur using an API key.
  15846. properties:
  15847. account:
  15848. description: Account is the Conjur organization account name.
  15849. type: string
  15850. apiKeyRef:
  15851. description: |-
  15852. A reference to a specific 'key' containing the Conjur API key
  15853. within a Secret resource. In some instances, `key` is a required field.
  15854. properties:
  15855. key:
  15856. description: |-
  15857. A key in the referenced Secret.
  15858. Some instances of this field may be defaulted, in others it may be required.
  15859. maxLength: 253
  15860. minLength: 1
  15861. pattern: ^[-._a-zA-Z0-9]+$
  15862. type: string
  15863. name:
  15864. description: The name of the Secret resource being referred to.
  15865. maxLength: 253
  15866. minLength: 1
  15867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15868. type: string
  15869. namespace:
  15870. description: |-
  15871. The namespace of the Secret resource being referred to.
  15872. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15873. maxLength: 63
  15874. minLength: 1
  15875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15876. type: string
  15877. type: object
  15878. userRef:
  15879. description: |-
  15880. A reference to a specific 'key' containing the Conjur username
  15881. within a Secret resource. In some instances, `key` is a required field.
  15882. properties:
  15883. key:
  15884. description: |-
  15885. A key in the referenced Secret.
  15886. Some instances of this field may be defaulted, in others it may be required.
  15887. maxLength: 253
  15888. minLength: 1
  15889. pattern: ^[-._a-zA-Z0-9]+$
  15890. type: string
  15891. name:
  15892. description: The name of the Secret resource being referred to.
  15893. maxLength: 253
  15894. minLength: 1
  15895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15896. type: string
  15897. namespace:
  15898. description: |-
  15899. The namespace of the Secret resource being referred to.
  15900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15901. maxLength: 63
  15902. minLength: 1
  15903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15904. type: string
  15905. type: object
  15906. required:
  15907. - account
  15908. - apiKeyRef
  15909. - userRef
  15910. type: object
  15911. jwt:
  15912. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  15913. properties:
  15914. account:
  15915. description: Account is the Conjur organization account name.
  15916. type: string
  15917. hostId:
  15918. description: |-
  15919. Optional HostID for JWT authentication. This may be used depending
  15920. on how the Conjur JWT authenticator policy is configured.
  15921. type: string
  15922. secretRef:
  15923. description: |-
  15924. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  15925. authenticate with Conjur using the JWT authentication method.
  15926. properties:
  15927. key:
  15928. description: |-
  15929. A key in the referenced Secret.
  15930. Some instances of this field may be defaulted, in others it may be required.
  15931. maxLength: 253
  15932. minLength: 1
  15933. pattern: ^[-._a-zA-Z0-9]+$
  15934. type: string
  15935. name:
  15936. description: The name of the Secret resource being referred to.
  15937. maxLength: 253
  15938. minLength: 1
  15939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15940. type: string
  15941. namespace:
  15942. description: |-
  15943. The namespace of the Secret resource being referred to.
  15944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15945. maxLength: 63
  15946. minLength: 1
  15947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15948. type: string
  15949. type: object
  15950. serviceAccountRef:
  15951. description: |-
  15952. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  15953. a token for with the `TokenRequest` API.
  15954. properties:
  15955. audiences:
  15956. description: |-
  15957. Audience specifies the `aud` claim for the service account token
  15958. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15959. then this audiences will be appended to the list
  15960. items:
  15961. type: string
  15962. type: array
  15963. name:
  15964. description: The name of the ServiceAccount resource being referred to.
  15965. maxLength: 253
  15966. minLength: 1
  15967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15968. type: string
  15969. namespace:
  15970. description: |-
  15971. Namespace of the resource being referred to.
  15972. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15973. maxLength: 63
  15974. minLength: 1
  15975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15976. type: string
  15977. required:
  15978. - name
  15979. type: object
  15980. serviceID:
  15981. description: The conjur authn jwt webservice id
  15982. type: string
  15983. required:
  15984. - account
  15985. - serviceID
  15986. type: object
  15987. type: object
  15988. caBundle:
  15989. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  15990. type: string
  15991. caProvider:
  15992. description: |-
  15993. Used to provide custom certificate authority (CA) certificates
  15994. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  15995. that contains a PEM-encoded certificate.
  15996. properties:
  15997. key:
  15998. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15999. maxLength: 253
  16000. minLength: 1
  16001. pattern: ^[-._a-zA-Z0-9]+$
  16002. type: string
  16003. name:
  16004. description: The name of the object located at the provider type.
  16005. maxLength: 253
  16006. minLength: 1
  16007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16008. type: string
  16009. namespace:
  16010. description: |-
  16011. The namespace the Provider type is in.
  16012. Can only be defined when used in a ClusterSecretStore.
  16013. maxLength: 63
  16014. minLength: 1
  16015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16016. type: string
  16017. type:
  16018. description: The type of provider to use such as "Secret", or "ConfigMap".
  16019. enum:
  16020. - Secret
  16021. - ConfigMap
  16022. type: string
  16023. required:
  16024. - name
  16025. - type
  16026. type: object
  16027. url:
  16028. description: URL is the endpoint of the Conjur instance.
  16029. type: string
  16030. required:
  16031. - auth
  16032. - url
  16033. type: object
  16034. delinea:
  16035. description: |-
  16036. Delinea DevOps Secrets Vault
  16037. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16038. properties:
  16039. clientId:
  16040. description: ClientID is the non-secret part of the credential.
  16041. properties:
  16042. secretRef:
  16043. description: SecretRef references a key in a secret that will be used as value.
  16044. properties:
  16045. key:
  16046. description: |-
  16047. A key in the referenced Secret.
  16048. Some instances of this field may be defaulted, in others it may be required.
  16049. maxLength: 253
  16050. minLength: 1
  16051. pattern: ^[-._a-zA-Z0-9]+$
  16052. type: string
  16053. name:
  16054. description: The name of the Secret resource being referred to.
  16055. maxLength: 253
  16056. minLength: 1
  16057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16058. type: string
  16059. namespace:
  16060. description: |-
  16061. The namespace of the Secret resource being referred to.
  16062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16063. maxLength: 63
  16064. minLength: 1
  16065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16066. type: string
  16067. type: object
  16068. value:
  16069. description: Value can be specified directly to set a value without using a secret.
  16070. type: string
  16071. type: object
  16072. clientSecret:
  16073. description: ClientSecret is the secret part of the credential.
  16074. properties:
  16075. secretRef:
  16076. description: SecretRef references a key in a secret that will be used as value.
  16077. properties:
  16078. key:
  16079. description: |-
  16080. A key in the referenced Secret.
  16081. Some instances of this field may be defaulted, in others it may be required.
  16082. maxLength: 253
  16083. minLength: 1
  16084. pattern: ^[-._a-zA-Z0-9]+$
  16085. type: string
  16086. name:
  16087. description: The name of the Secret resource being referred to.
  16088. maxLength: 253
  16089. minLength: 1
  16090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16091. type: string
  16092. namespace:
  16093. description: |-
  16094. The namespace of the Secret resource being referred to.
  16095. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16096. maxLength: 63
  16097. minLength: 1
  16098. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16099. type: string
  16100. type: object
  16101. value:
  16102. description: Value can be specified directly to set a value without using a secret.
  16103. type: string
  16104. type: object
  16105. tenant:
  16106. description: Tenant is the chosen hostname / site name.
  16107. type: string
  16108. tld:
  16109. description: |-
  16110. TLD is based on the server location that was chosen during provisioning.
  16111. If unset, defaults to "com".
  16112. type: string
  16113. urlTemplate:
  16114. description: |-
  16115. URLTemplate
  16116. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16117. type: string
  16118. required:
  16119. - clientId
  16120. - clientSecret
  16121. - tenant
  16122. type: object
  16123. doppler:
  16124. description: Doppler configures this store to sync secrets using the Doppler provider
  16125. properties:
  16126. auth:
  16127. description: Auth configures how the Operator authenticates with the Doppler API
  16128. properties:
  16129. oidcConfig:
  16130. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16131. properties:
  16132. expirationSeconds:
  16133. default: 600
  16134. description: |-
  16135. ExpirationSeconds sets the ServiceAccount token validity duration.
  16136. Defaults to 10 minutes.
  16137. format: int64
  16138. type: integer
  16139. identity:
  16140. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16141. type: string
  16142. serviceAccountRef:
  16143. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16144. properties:
  16145. audiences:
  16146. description: |-
  16147. Audience specifies the `aud` claim for the service account token
  16148. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16149. then this audiences will be appended to the list
  16150. items:
  16151. type: string
  16152. type: array
  16153. name:
  16154. description: The name of the ServiceAccount resource being referred to.
  16155. maxLength: 253
  16156. minLength: 1
  16157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16158. type: string
  16159. namespace:
  16160. description: |-
  16161. Namespace of the resource being referred to.
  16162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16163. maxLength: 63
  16164. minLength: 1
  16165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16166. type: string
  16167. required:
  16168. - name
  16169. type: object
  16170. required:
  16171. - identity
  16172. - serviceAccountRef
  16173. type: object
  16174. secretRef:
  16175. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16176. properties:
  16177. dopplerToken:
  16178. description: |-
  16179. The DopplerToken is used for authentication.
  16180. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16181. The Key attribute defaults to dopplerToken if not specified.
  16182. properties:
  16183. key:
  16184. description: |-
  16185. A key in the referenced Secret.
  16186. Some instances of this field may be defaulted, in others it may be required.
  16187. maxLength: 253
  16188. minLength: 1
  16189. pattern: ^[-._a-zA-Z0-9]+$
  16190. type: string
  16191. name:
  16192. description: The name of the Secret resource being referred to.
  16193. maxLength: 253
  16194. minLength: 1
  16195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16196. type: string
  16197. namespace:
  16198. description: |-
  16199. The namespace of the Secret resource being referred to.
  16200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16201. maxLength: 63
  16202. minLength: 1
  16203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16204. type: string
  16205. type: object
  16206. required:
  16207. - dopplerToken
  16208. type: object
  16209. type: object
  16210. x-kubernetes-validations:
  16211. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16212. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16213. config:
  16214. description: Doppler config (required if not using a Service Token)
  16215. type: string
  16216. format:
  16217. description: Format enables the downloading of secrets as a file (string)
  16218. enum:
  16219. - json
  16220. - dotnet-json
  16221. - env
  16222. - yaml
  16223. - docker
  16224. type: string
  16225. nameTransformer:
  16226. description: Environment variable compatible name transforms that change secret names to a different format
  16227. enum:
  16228. - upper-camel
  16229. - camel
  16230. - lower-snake
  16231. - tf-var
  16232. - dotnet-env
  16233. - lower-kebab
  16234. type: string
  16235. project:
  16236. description: Doppler project (required if not using a Service Token)
  16237. type: string
  16238. required:
  16239. - auth
  16240. type: object
  16241. dvls:
  16242. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16243. properties:
  16244. auth:
  16245. description: Auth defines the authentication method to use.
  16246. properties:
  16247. secretRef:
  16248. description: SecretRef contains the Application ID and Application Secret for authentication.
  16249. properties:
  16250. appId:
  16251. description: AppID is the reference to the secret containing the Application ID.
  16252. properties:
  16253. key:
  16254. description: |-
  16255. A key in the referenced Secret.
  16256. Some instances of this field may be defaulted, in others it may be required.
  16257. maxLength: 253
  16258. minLength: 1
  16259. pattern: ^[-._a-zA-Z0-9]+$
  16260. type: string
  16261. name:
  16262. description: The name of the Secret resource being referred to.
  16263. maxLength: 253
  16264. minLength: 1
  16265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16266. type: string
  16267. namespace:
  16268. description: |-
  16269. The namespace of the Secret resource being referred to.
  16270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16271. maxLength: 63
  16272. minLength: 1
  16273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16274. type: string
  16275. type: object
  16276. appSecret:
  16277. description: AppSecret is the reference to the secret containing the Application Secret.
  16278. properties:
  16279. key:
  16280. description: |-
  16281. A key in the referenced Secret.
  16282. Some instances of this field may be defaulted, in others it may be required.
  16283. maxLength: 253
  16284. minLength: 1
  16285. pattern: ^[-._a-zA-Z0-9]+$
  16286. type: string
  16287. name:
  16288. description: The name of the Secret resource being referred to.
  16289. maxLength: 253
  16290. minLength: 1
  16291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16292. type: string
  16293. namespace:
  16294. description: |-
  16295. The namespace of the Secret resource being referred to.
  16296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16297. maxLength: 63
  16298. minLength: 1
  16299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16300. type: string
  16301. type: object
  16302. required:
  16303. - appId
  16304. - appSecret
  16305. type: object
  16306. required:
  16307. - secretRef
  16308. type: object
  16309. insecure:
  16310. description: |-
  16311. Insecure allows connecting to DVLS over plain HTTP.
  16312. This is NOT RECOMMENDED for production use.
  16313. Set to true only if you understand the security implications.
  16314. type: boolean
  16315. serverUrl:
  16316. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16317. type: string
  16318. vault:
  16319. description: |-
  16320. Vault is the name or UUID of the vault to fetch secrets from.
  16321. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16322. type: string
  16323. required:
  16324. - auth
  16325. - serverUrl
  16326. type: object
  16327. fake:
  16328. description: Fake configures a store with static key/value pairs
  16329. properties:
  16330. data:
  16331. items:
  16332. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16333. properties:
  16334. key:
  16335. type: string
  16336. value:
  16337. type: string
  16338. version:
  16339. type: string
  16340. required:
  16341. - key
  16342. - value
  16343. type: object
  16344. type: array
  16345. validationResult:
  16346. description: ValidationResult is defined type for the number of validation results.
  16347. type: integer
  16348. required:
  16349. - data
  16350. type: object
  16351. fortanix:
  16352. description: Fortanix configures this store to sync secrets using the Fortanix provider
  16353. properties:
  16354. apiKey:
  16355. description: APIKey is the API token to access SDKMS Applications.
  16356. properties:
  16357. secretRef:
  16358. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  16359. properties:
  16360. key:
  16361. description: |-
  16362. A key in the referenced Secret.
  16363. Some instances of this field may be defaulted, in others it may be required.
  16364. maxLength: 253
  16365. minLength: 1
  16366. pattern: ^[-._a-zA-Z0-9]+$
  16367. type: string
  16368. name:
  16369. description: The name of the Secret resource being referred to.
  16370. maxLength: 253
  16371. minLength: 1
  16372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16373. type: string
  16374. namespace:
  16375. description: |-
  16376. The namespace of the Secret resource being referred to.
  16377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16378. maxLength: 63
  16379. minLength: 1
  16380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16381. type: string
  16382. type: object
  16383. type: object
  16384. apiUrl:
  16385. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  16386. type: string
  16387. type: object
  16388. gcpsm:
  16389. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  16390. properties:
  16391. auth:
  16392. description: Auth defines the information necessary to authenticate against GCP
  16393. properties:
  16394. secretRef:
  16395. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  16396. properties:
  16397. secretAccessKeySecretRef:
  16398. description: The SecretAccessKey is used for authentication
  16399. properties:
  16400. key:
  16401. description: |-
  16402. A key in the referenced Secret.
  16403. Some instances of this field may be defaulted, in others it may be required.
  16404. maxLength: 253
  16405. minLength: 1
  16406. pattern: ^[-._a-zA-Z0-9]+$
  16407. type: string
  16408. name:
  16409. description: The name of the Secret resource being referred to.
  16410. maxLength: 253
  16411. minLength: 1
  16412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16413. type: string
  16414. namespace:
  16415. description: |-
  16416. The namespace of the Secret resource being referred to.
  16417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16418. maxLength: 63
  16419. minLength: 1
  16420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16421. type: string
  16422. type: object
  16423. type: object
  16424. workloadIdentity:
  16425. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  16426. properties:
  16427. clusterLocation:
  16428. description: |-
  16429. ClusterLocation is the location of the cluster
  16430. If not specified, it fetches information from the metadata server
  16431. type: string
  16432. clusterName:
  16433. description: |-
  16434. ClusterName is the name of the cluster
  16435. If not specified, it fetches information from the metadata server
  16436. type: string
  16437. clusterProjectID:
  16438. description: |-
  16439. ClusterProjectID is the project ID of the cluster
  16440. If not specified, it fetches information from the metadata server
  16441. type: string
  16442. serviceAccountRef:
  16443. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  16444. properties:
  16445. audiences:
  16446. description: |-
  16447. Audience specifies the `aud` claim for the service account token
  16448. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16449. then this audiences will be appended to the list
  16450. items:
  16451. type: string
  16452. type: array
  16453. name:
  16454. description: The name of the ServiceAccount resource being referred to.
  16455. maxLength: 253
  16456. minLength: 1
  16457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16458. type: string
  16459. namespace:
  16460. description: |-
  16461. Namespace of the resource being referred to.
  16462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16463. maxLength: 63
  16464. minLength: 1
  16465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16466. type: string
  16467. required:
  16468. - name
  16469. type: object
  16470. required:
  16471. - serviceAccountRef
  16472. type: object
  16473. workloadIdentityFederation:
  16474. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  16475. properties:
  16476. audience:
  16477. description: |-
  16478. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  16479. If specified, Audience found in the external account credential config will be overridden with the configured value.
  16480. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  16481. type: string
  16482. awsSecurityCredentials:
  16483. description: |-
  16484. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  16485. when using the AWS metadata server is not an option.
  16486. properties:
  16487. awsCredentialsSecretRef:
  16488. description: |-
  16489. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  16490. Secret should be created with below names for keys
  16491. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  16492. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  16493. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  16494. properties:
  16495. name:
  16496. description: name of the secret.
  16497. maxLength: 253
  16498. minLength: 1
  16499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16500. type: string
  16501. namespace:
  16502. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  16503. maxLength: 63
  16504. minLength: 1
  16505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16506. type: string
  16507. required:
  16508. - name
  16509. type: object
  16510. region:
  16511. description: region is for configuring the AWS region to be used.
  16512. example: ap-south-1
  16513. maxLength: 50
  16514. minLength: 1
  16515. pattern: ^[a-z0-9-]+$
  16516. type: string
  16517. required:
  16518. - awsCredentialsSecretRef
  16519. - region
  16520. type: object
  16521. credConfig:
  16522. description: |-
  16523. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  16524. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  16525. serviceAccountRef must be used by providing operators service account details.
  16526. properties:
  16527. key:
  16528. description: key name holding the external account credential config.
  16529. maxLength: 253
  16530. minLength: 1
  16531. pattern: ^[-._a-zA-Z0-9]+$
  16532. type: string
  16533. name:
  16534. description: name of the configmap.
  16535. maxLength: 253
  16536. minLength: 1
  16537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16538. type: string
  16539. namespace:
  16540. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  16541. maxLength: 63
  16542. minLength: 1
  16543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16544. type: string
  16545. required:
  16546. - key
  16547. - name
  16548. type: object
  16549. externalTokenEndpoint:
  16550. description: |-
  16551. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  16552. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  16553. URL is having the expected value.
  16554. type: string
  16555. gcpServiceAccountEmail:
  16556. description: |-
  16557. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  16558. after Workload Identity Federation. Use this to grant access through the service account's
  16559. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  16560. service_account_impersonation_url in the external account JSON from credConfig;
  16561. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  16562. on that ServiceAccount.
  16563. example: my-gsa@my-project.iam.gserviceaccount.com
  16564. minLength: 1
  16565. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  16566. type: string
  16567. serviceAccountRef:
  16568. description: |-
  16569. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  16570. when Kubernetes is configured as provider in workload identity pool.
  16571. properties:
  16572. audiences:
  16573. description: |-
  16574. Audience specifies the `aud` claim for the service account token
  16575. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16576. then this audiences will be appended to the list
  16577. items:
  16578. type: string
  16579. type: array
  16580. name:
  16581. description: The name of the ServiceAccount resource being referred to.
  16582. maxLength: 253
  16583. minLength: 1
  16584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16585. type: string
  16586. namespace:
  16587. description: |-
  16588. Namespace of the resource being referred to.
  16589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16590. maxLength: 63
  16591. minLength: 1
  16592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16593. type: string
  16594. required:
  16595. - name
  16596. type: object
  16597. type: object
  16598. type: object
  16599. location:
  16600. description: Location optionally defines a location for a secret
  16601. type: string
  16602. projectID:
  16603. description: ProjectID project where secret is located
  16604. type: string
  16605. secretVersionSelectionPolicy:
  16606. default: LatestOrFail
  16607. description: |-
  16608. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  16609. when "latest" is disabled or destroyed.
  16610. Possible values are:
  16611. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  16612. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  16613. type: string
  16614. type: object
  16615. github:
  16616. description: |-
  16617. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  16618. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  16619. properties:
  16620. appID:
  16621. description: appID specifies the Github APP that will be used to authenticate the client
  16622. format: int64
  16623. type: integer
  16624. auth:
  16625. description: auth configures how secret-manager authenticates with a Github instance.
  16626. properties:
  16627. privateKey:
  16628. description: |-
  16629. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16630. In some instances, `key` is a required field.
  16631. properties:
  16632. key:
  16633. description: |-
  16634. A key in the referenced Secret.
  16635. Some instances of this field may be defaulted, in others it may be required.
  16636. maxLength: 253
  16637. minLength: 1
  16638. pattern: ^[-._a-zA-Z0-9]+$
  16639. type: string
  16640. name:
  16641. description: The name of the Secret resource being referred to.
  16642. maxLength: 253
  16643. minLength: 1
  16644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16645. type: string
  16646. namespace:
  16647. description: |-
  16648. The namespace of the Secret resource being referred to.
  16649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16650. maxLength: 63
  16651. minLength: 1
  16652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16653. type: string
  16654. type: object
  16655. required:
  16656. - privateKey
  16657. type: object
  16658. environment:
  16659. description: environment will be used to fetch secrets from a particular environment within a github repository
  16660. type: string
  16661. installationID:
  16662. description: installationID specifies the Github APP installation that will be used to authenticate the client
  16663. format: int64
  16664. type: integer
  16665. orgSecretVisibility:
  16666. description: |-
  16667. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  16668. Valid values are "all" or "private".
  16669. When unset, new secrets are created with visibility "all" and existing secrets preserve
  16670. whatever visibility they already have in GitHub.
  16671. enum:
  16672. - all
  16673. - private
  16674. type: string
  16675. organization:
  16676. description: organization will be used to fetch secrets from the Github organization
  16677. type: string
  16678. repository:
  16679. description: repository will be used to fetch secrets from the Github repository within an organization
  16680. type: string
  16681. uploadURL:
  16682. description: Upload URL for enterprise instances. Default to URL.
  16683. type: string
  16684. url:
  16685. default: https://github.com/
  16686. description: URL configures the Github instance URL. Defaults to https://github.com/.
  16687. type: string
  16688. required:
  16689. - appID
  16690. - auth
  16691. - installationID
  16692. - organization
  16693. type: object
  16694. gitlab:
  16695. description: GitLab configures this store to sync secrets using GitLab Variables provider
  16696. properties:
  16697. auth:
  16698. description: Auth configures how secret-manager authenticates with a GitLab instance.
  16699. properties:
  16700. SecretRef:
  16701. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  16702. properties:
  16703. accessToken:
  16704. description: AccessToken is used for authentication.
  16705. properties:
  16706. key:
  16707. description: |-
  16708. A key in the referenced Secret.
  16709. Some instances of this field may be defaulted, in others it may be required.
  16710. maxLength: 253
  16711. minLength: 1
  16712. pattern: ^[-._a-zA-Z0-9]+$
  16713. type: string
  16714. name:
  16715. description: The name of the Secret resource being referred to.
  16716. maxLength: 253
  16717. minLength: 1
  16718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16719. type: string
  16720. namespace:
  16721. description: |-
  16722. The namespace of the Secret resource being referred to.
  16723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16724. maxLength: 63
  16725. minLength: 1
  16726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16727. type: string
  16728. type: object
  16729. type: object
  16730. required:
  16731. - SecretRef
  16732. type: object
  16733. caBundle:
  16734. description: |-
  16735. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  16736. can be performed.
  16737. format: byte
  16738. type: string
  16739. caProvider:
  16740. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16741. properties:
  16742. key:
  16743. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16744. maxLength: 253
  16745. minLength: 1
  16746. pattern: ^[-._a-zA-Z0-9]+$
  16747. type: string
  16748. name:
  16749. description: The name of the object located at the provider type.
  16750. maxLength: 253
  16751. minLength: 1
  16752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16753. type: string
  16754. namespace:
  16755. description: |-
  16756. The namespace the Provider type is in.
  16757. Can only be defined when used in a ClusterSecretStore.
  16758. maxLength: 63
  16759. minLength: 1
  16760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16761. type: string
  16762. type:
  16763. description: The type of provider to use such as "Secret", or "ConfigMap".
  16764. enum:
  16765. - Secret
  16766. - ConfigMap
  16767. type: string
  16768. required:
  16769. - name
  16770. - type
  16771. type: object
  16772. environment:
  16773. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  16774. type: string
  16775. groupIDs:
  16776. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  16777. items:
  16778. type: string
  16779. type: array
  16780. inheritFromGroups:
  16781. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  16782. type: boolean
  16783. projectID:
  16784. description: ProjectID specifies a project where secrets are located.
  16785. type: string
  16786. url:
  16787. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  16788. type: string
  16789. required:
  16790. - auth
  16791. type: object
  16792. ibm:
  16793. description: IBM configures this store to sync secrets using IBM Cloud provider
  16794. properties:
  16795. auth:
  16796. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  16797. maxProperties: 1
  16798. minProperties: 1
  16799. properties:
  16800. containerAuth:
  16801. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  16802. properties:
  16803. iamEndpoint:
  16804. type: string
  16805. profile:
  16806. description: the IBM Trusted Profile
  16807. type: string
  16808. tokenLocation:
  16809. description: Location the token is mounted on the pod
  16810. type: string
  16811. required:
  16812. - profile
  16813. type: object
  16814. secretRef:
  16815. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  16816. properties:
  16817. iamEndpoint:
  16818. description: The IAM endpoint used to obain a token
  16819. type: string
  16820. secretApiKeySecretRef:
  16821. description: The SecretAccessKey is used for authentication
  16822. properties:
  16823. key:
  16824. description: |-
  16825. A key in the referenced Secret.
  16826. Some instances of this field may be defaulted, in others it may be required.
  16827. maxLength: 253
  16828. minLength: 1
  16829. pattern: ^[-._a-zA-Z0-9]+$
  16830. type: string
  16831. name:
  16832. description: The name of the Secret resource being referred to.
  16833. maxLength: 253
  16834. minLength: 1
  16835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16836. type: string
  16837. namespace:
  16838. description: |-
  16839. The namespace of the Secret resource being referred to.
  16840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16841. maxLength: 63
  16842. minLength: 1
  16843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16844. type: string
  16845. type: object
  16846. type: object
  16847. type: object
  16848. serviceUrl:
  16849. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  16850. type: string
  16851. required:
  16852. - auth
  16853. type: object
  16854. infisical:
  16855. description: Infisical configures this store to sync secrets using the Infisical provider
  16856. properties:
  16857. auth:
  16858. description: Auth configures how the Operator authenticates with the Infisical API
  16859. properties:
  16860. awsAuthCredentials:
  16861. description: AwsAuthCredentials represents the credentials for AWS authentication.
  16862. properties:
  16863. identityId:
  16864. description: |-
  16865. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16866. In some instances, `key` is a required field.
  16867. properties:
  16868. key:
  16869. description: |-
  16870. A key in the referenced Secret.
  16871. Some instances of this field may be defaulted, in others it may be required.
  16872. maxLength: 253
  16873. minLength: 1
  16874. pattern: ^[-._a-zA-Z0-9]+$
  16875. type: string
  16876. name:
  16877. description: The name of the Secret resource being referred to.
  16878. maxLength: 253
  16879. minLength: 1
  16880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16881. type: string
  16882. namespace:
  16883. description: |-
  16884. The namespace of the Secret resource being referred to.
  16885. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16886. maxLength: 63
  16887. minLength: 1
  16888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16889. type: string
  16890. type: object
  16891. required:
  16892. - identityId
  16893. type: object
  16894. azureAuthCredentials:
  16895. description: AzureAuthCredentials represents the credentials for Azure authentication.
  16896. properties:
  16897. identityId:
  16898. description: |-
  16899. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16900. In some instances, `key` is a required field.
  16901. properties:
  16902. key:
  16903. description: |-
  16904. A key in the referenced Secret.
  16905. Some instances of this field may be defaulted, in others it may be required.
  16906. maxLength: 253
  16907. minLength: 1
  16908. pattern: ^[-._a-zA-Z0-9]+$
  16909. type: string
  16910. name:
  16911. description: The name of the Secret resource being referred to.
  16912. maxLength: 253
  16913. minLength: 1
  16914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16915. type: string
  16916. namespace:
  16917. description: |-
  16918. The namespace of the Secret resource being referred to.
  16919. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16920. maxLength: 63
  16921. minLength: 1
  16922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16923. type: string
  16924. type: object
  16925. resource:
  16926. description: |-
  16927. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16928. In some instances, `key` is a required field.
  16929. properties:
  16930. key:
  16931. description: |-
  16932. A key in the referenced Secret.
  16933. Some instances of this field may be defaulted, in others it may be required.
  16934. maxLength: 253
  16935. minLength: 1
  16936. pattern: ^[-._a-zA-Z0-9]+$
  16937. type: string
  16938. name:
  16939. description: The name of the Secret resource being referred to.
  16940. maxLength: 253
  16941. minLength: 1
  16942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16943. type: string
  16944. namespace:
  16945. description: |-
  16946. The namespace of the Secret resource being referred to.
  16947. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16948. maxLength: 63
  16949. minLength: 1
  16950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16951. type: string
  16952. type: object
  16953. required:
  16954. - identityId
  16955. type: object
  16956. gcpIamAuthCredentials:
  16957. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  16958. properties:
  16959. identityId:
  16960. description: |-
  16961. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16962. In some instances, `key` is a required field.
  16963. properties:
  16964. key:
  16965. description: |-
  16966. A key in the referenced Secret.
  16967. Some instances of this field may be defaulted, in others it may be required.
  16968. maxLength: 253
  16969. minLength: 1
  16970. pattern: ^[-._a-zA-Z0-9]+$
  16971. type: string
  16972. name:
  16973. description: The name of the Secret resource being referred to.
  16974. maxLength: 253
  16975. minLength: 1
  16976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16977. type: string
  16978. namespace:
  16979. description: |-
  16980. The namespace of the Secret resource being referred to.
  16981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16982. maxLength: 63
  16983. minLength: 1
  16984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16985. type: string
  16986. type: object
  16987. serviceAccountKeyFilePath:
  16988. description: |-
  16989. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16990. In some instances, `key` is a required field.
  16991. properties:
  16992. key:
  16993. description: |-
  16994. A key in the referenced Secret.
  16995. Some instances of this field may be defaulted, in others it may be required.
  16996. maxLength: 253
  16997. minLength: 1
  16998. pattern: ^[-._a-zA-Z0-9]+$
  16999. type: string
  17000. name:
  17001. description: The name of the Secret resource being referred to.
  17002. maxLength: 253
  17003. minLength: 1
  17004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17005. type: string
  17006. namespace:
  17007. description: |-
  17008. The namespace of the Secret resource being referred to.
  17009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17010. maxLength: 63
  17011. minLength: 1
  17012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17013. type: string
  17014. type: object
  17015. required:
  17016. - identityId
  17017. - serviceAccountKeyFilePath
  17018. type: object
  17019. gcpIdTokenAuthCredentials:
  17020. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17021. properties:
  17022. identityId:
  17023. description: |-
  17024. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17025. In some instances, `key` is a required field.
  17026. properties:
  17027. key:
  17028. description: |-
  17029. A key in the referenced Secret.
  17030. Some instances of this field may be defaulted, in others it may be required.
  17031. maxLength: 253
  17032. minLength: 1
  17033. pattern: ^[-._a-zA-Z0-9]+$
  17034. type: string
  17035. name:
  17036. description: The name of the Secret resource being referred to.
  17037. maxLength: 253
  17038. minLength: 1
  17039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17040. type: string
  17041. namespace:
  17042. description: |-
  17043. The namespace of the Secret resource being referred to.
  17044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17045. maxLength: 63
  17046. minLength: 1
  17047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17048. type: string
  17049. type: object
  17050. required:
  17051. - identityId
  17052. type: object
  17053. jwtAuthCredentials:
  17054. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17055. properties:
  17056. identityId:
  17057. description: |-
  17058. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17059. In some instances, `key` is a required field.
  17060. properties:
  17061. key:
  17062. description: |-
  17063. A key in the referenced Secret.
  17064. Some instances of this field may be defaulted, in others it may be required.
  17065. maxLength: 253
  17066. minLength: 1
  17067. pattern: ^[-._a-zA-Z0-9]+$
  17068. type: string
  17069. name:
  17070. description: The name of the Secret resource being referred to.
  17071. maxLength: 253
  17072. minLength: 1
  17073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17074. type: string
  17075. namespace:
  17076. description: |-
  17077. The namespace of the Secret resource being referred to.
  17078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17079. maxLength: 63
  17080. minLength: 1
  17081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17082. type: string
  17083. type: object
  17084. jwt:
  17085. description: |-
  17086. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17087. In some instances, `key` is a required field.
  17088. properties:
  17089. key:
  17090. description: |-
  17091. A key in the referenced Secret.
  17092. Some instances of this field may be defaulted, in others it may be required.
  17093. maxLength: 253
  17094. minLength: 1
  17095. pattern: ^[-._a-zA-Z0-9]+$
  17096. type: string
  17097. name:
  17098. description: The name of the Secret resource being referred to.
  17099. maxLength: 253
  17100. minLength: 1
  17101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17102. type: string
  17103. namespace:
  17104. description: |-
  17105. The namespace of the Secret resource being referred to.
  17106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17107. maxLength: 63
  17108. minLength: 1
  17109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17110. type: string
  17111. type: object
  17112. required:
  17113. - identityId
  17114. - jwt
  17115. type: object
  17116. kubernetesAuthCredentials:
  17117. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17118. properties:
  17119. identityId:
  17120. description: |-
  17121. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17122. In some instances, `key` is a required field.
  17123. properties:
  17124. key:
  17125. description: |-
  17126. A key in the referenced Secret.
  17127. Some instances of this field may be defaulted, in others it may be required.
  17128. maxLength: 253
  17129. minLength: 1
  17130. pattern: ^[-._a-zA-Z0-9]+$
  17131. type: string
  17132. name:
  17133. description: The name of the Secret resource being referred to.
  17134. maxLength: 253
  17135. minLength: 1
  17136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17137. type: string
  17138. namespace:
  17139. description: |-
  17140. The namespace of the Secret resource being referred to.
  17141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17142. maxLength: 63
  17143. minLength: 1
  17144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17145. type: string
  17146. type: object
  17147. serviceAccountTokenPath:
  17148. description: |-
  17149. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17150. In some instances, `key` is a required field.
  17151. properties:
  17152. key:
  17153. description: |-
  17154. A key in the referenced Secret.
  17155. Some instances of this field may be defaulted, in others it may be required.
  17156. maxLength: 253
  17157. minLength: 1
  17158. pattern: ^[-._a-zA-Z0-9]+$
  17159. type: string
  17160. name:
  17161. description: The name of the Secret resource being referred to.
  17162. maxLength: 253
  17163. minLength: 1
  17164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17165. type: string
  17166. namespace:
  17167. description: |-
  17168. The namespace of the Secret resource being referred to.
  17169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17170. maxLength: 63
  17171. minLength: 1
  17172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17173. type: string
  17174. type: object
  17175. required:
  17176. - identityId
  17177. type: object
  17178. ldapAuthCredentials:
  17179. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17180. properties:
  17181. identityId:
  17182. description: |-
  17183. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17184. In some instances, `key` is a required field.
  17185. properties:
  17186. key:
  17187. description: |-
  17188. A key in the referenced Secret.
  17189. Some instances of this field may be defaulted, in others it may be required.
  17190. maxLength: 253
  17191. minLength: 1
  17192. pattern: ^[-._a-zA-Z0-9]+$
  17193. type: string
  17194. name:
  17195. description: The name of the Secret resource being referred to.
  17196. maxLength: 253
  17197. minLength: 1
  17198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17199. type: string
  17200. namespace:
  17201. description: |-
  17202. The namespace of the Secret resource being referred to.
  17203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17204. maxLength: 63
  17205. minLength: 1
  17206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17207. type: string
  17208. type: object
  17209. ldapPassword:
  17210. description: |-
  17211. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17212. In some instances, `key` is a required field.
  17213. properties:
  17214. key:
  17215. description: |-
  17216. A key in the referenced Secret.
  17217. Some instances of this field may be defaulted, in others it may be required.
  17218. maxLength: 253
  17219. minLength: 1
  17220. pattern: ^[-._a-zA-Z0-9]+$
  17221. type: string
  17222. name:
  17223. description: The name of the Secret resource being referred to.
  17224. maxLength: 253
  17225. minLength: 1
  17226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17227. type: string
  17228. namespace:
  17229. description: |-
  17230. The namespace of the Secret resource being referred to.
  17231. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17232. maxLength: 63
  17233. minLength: 1
  17234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17235. type: string
  17236. type: object
  17237. ldapUsername:
  17238. description: |-
  17239. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17240. In some instances, `key` is a required field.
  17241. properties:
  17242. key:
  17243. description: |-
  17244. A key in the referenced Secret.
  17245. Some instances of this field may be defaulted, in others it may be required.
  17246. maxLength: 253
  17247. minLength: 1
  17248. pattern: ^[-._a-zA-Z0-9]+$
  17249. type: string
  17250. name:
  17251. description: The name of the Secret resource being referred to.
  17252. maxLength: 253
  17253. minLength: 1
  17254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17255. type: string
  17256. namespace:
  17257. description: |-
  17258. The namespace of the Secret resource being referred to.
  17259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17260. maxLength: 63
  17261. minLength: 1
  17262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17263. type: string
  17264. type: object
  17265. required:
  17266. - identityId
  17267. - ldapPassword
  17268. - ldapUsername
  17269. type: object
  17270. ociAuthCredentials:
  17271. description: OciAuthCredentials represents the credentials for OCI authentication.
  17272. properties:
  17273. fingerprint:
  17274. description: |-
  17275. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17276. In some instances, `key` is a required field.
  17277. properties:
  17278. key:
  17279. description: |-
  17280. A key in the referenced Secret.
  17281. Some instances of this field may be defaulted, in others it may be required.
  17282. maxLength: 253
  17283. minLength: 1
  17284. pattern: ^[-._a-zA-Z0-9]+$
  17285. type: string
  17286. name:
  17287. description: The name of the Secret resource being referred to.
  17288. maxLength: 253
  17289. minLength: 1
  17290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17291. type: string
  17292. namespace:
  17293. description: |-
  17294. The namespace of the Secret resource being referred to.
  17295. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17296. maxLength: 63
  17297. minLength: 1
  17298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17299. type: string
  17300. type: object
  17301. identityId:
  17302. description: |-
  17303. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17304. In some instances, `key` is a required field.
  17305. properties:
  17306. key:
  17307. description: |-
  17308. A key in the referenced Secret.
  17309. Some instances of this field may be defaulted, in others it may be required.
  17310. maxLength: 253
  17311. minLength: 1
  17312. pattern: ^[-._a-zA-Z0-9]+$
  17313. type: string
  17314. name:
  17315. description: The name of the Secret resource being referred to.
  17316. maxLength: 253
  17317. minLength: 1
  17318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17319. type: string
  17320. namespace:
  17321. description: |-
  17322. The namespace of the Secret resource being referred to.
  17323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17324. maxLength: 63
  17325. minLength: 1
  17326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17327. type: string
  17328. type: object
  17329. privateKey:
  17330. description: |-
  17331. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17332. In some instances, `key` is a required field.
  17333. properties:
  17334. key:
  17335. description: |-
  17336. A key in the referenced Secret.
  17337. Some instances of this field may be defaulted, in others it may be required.
  17338. maxLength: 253
  17339. minLength: 1
  17340. pattern: ^[-._a-zA-Z0-9]+$
  17341. type: string
  17342. name:
  17343. description: The name of the Secret resource being referred to.
  17344. maxLength: 253
  17345. minLength: 1
  17346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17347. type: string
  17348. namespace:
  17349. description: |-
  17350. The namespace of the Secret resource being referred to.
  17351. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17352. maxLength: 63
  17353. minLength: 1
  17354. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17355. type: string
  17356. type: object
  17357. privateKeyPassphrase:
  17358. description: |-
  17359. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17360. In some instances, `key` is a required field.
  17361. properties:
  17362. key:
  17363. description: |-
  17364. A key in the referenced Secret.
  17365. Some instances of this field may be defaulted, in others it may be required.
  17366. maxLength: 253
  17367. minLength: 1
  17368. pattern: ^[-._a-zA-Z0-9]+$
  17369. type: string
  17370. name:
  17371. description: The name of the Secret resource being referred to.
  17372. maxLength: 253
  17373. minLength: 1
  17374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17375. type: string
  17376. namespace:
  17377. description: |-
  17378. The namespace of the Secret resource being referred to.
  17379. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17380. maxLength: 63
  17381. minLength: 1
  17382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17383. type: string
  17384. type: object
  17385. region:
  17386. description: |-
  17387. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17388. In some instances, `key` is a required field.
  17389. properties:
  17390. key:
  17391. description: |-
  17392. A key in the referenced Secret.
  17393. Some instances of this field may be defaulted, in others it may be required.
  17394. maxLength: 253
  17395. minLength: 1
  17396. pattern: ^[-._a-zA-Z0-9]+$
  17397. type: string
  17398. name:
  17399. description: The name of the Secret resource being referred to.
  17400. maxLength: 253
  17401. minLength: 1
  17402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17403. type: string
  17404. namespace:
  17405. description: |-
  17406. The namespace of the Secret resource being referred to.
  17407. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17408. maxLength: 63
  17409. minLength: 1
  17410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17411. type: string
  17412. type: object
  17413. tenancyId:
  17414. description: |-
  17415. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17416. In some instances, `key` is a required field.
  17417. properties:
  17418. key:
  17419. description: |-
  17420. A key in the referenced Secret.
  17421. Some instances of this field may be defaulted, in others it may be required.
  17422. maxLength: 253
  17423. minLength: 1
  17424. pattern: ^[-._a-zA-Z0-9]+$
  17425. type: string
  17426. name:
  17427. description: The name of the Secret resource being referred to.
  17428. maxLength: 253
  17429. minLength: 1
  17430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17431. type: string
  17432. namespace:
  17433. description: |-
  17434. The namespace of the Secret resource being referred to.
  17435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17436. maxLength: 63
  17437. minLength: 1
  17438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17439. type: string
  17440. type: object
  17441. userId:
  17442. description: |-
  17443. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17444. In some instances, `key` is a required field.
  17445. properties:
  17446. key:
  17447. description: |-
  17448. A key in the referenced Secret.
  17449. Some instances of this field may be defaulted, in others it may be required.
  17450. maxLength: 253
  17451. minLength: 1
  17452. pattern: ^[-._a-zA-Z0-9]+$
  17453. type: string
  17454. name:
  17455. description: The name of the Secret resource being referred to.
  17456. maxLength: 253
  17457. minLength: 1
  17458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17459. type: string
  17460. namespace:
  17461. description: |-
  17462. The namespace of the Secret resource being referred to.
  17463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17464. maxLength: 63
  17465. minLength: 1
  17466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17467. type: string
  17468. type: object
  17469. required:
  17470. - fingerprint
  17471. - identityId
  17472. - privateKey
  17473. - region
  17474. - tenancyId
  17475. - userId
  17476. type: object
  17477. tokenAuthCredentials:
  17478. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  17479. properties:
  17480. accessToken:
  17481. description: |-
  17482. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17483. In some instances, `key` is a required field.
  17484. properties:
  17485. key:
  17486. description: |-
  17487. A key in the referenced Secret.
  17488. Some instances of this field may be defaulted, in others it may be required.
  17489. maxLength: 253
  17490. minLength: 1
  17491. pattern: ^[-._a-zA-Z0-9]+$
  17492. type: string
  17493. name:
  17494. description: The name of the Secret resource being referred to.
  17495. maxLength: 253
  17496. minLength: 1
  17497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17498. type: string
  17499. namespace:
  17500. description: |-
  17501. The namespace of the Secret resource being referred to.
  17502. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17503. maxLength: 63
  17504. minLength: 1
  17505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17506. type: string
  17507. type: object
  17508. required:
  17509. - accessToken
  17510. type: object
  17511. universalAuthCredentials:
  17512. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  17513. properties:
  17514. clientId:
  17515. description: |-
  17516. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17517. In some instances, `key` is a required field.
  17518. properties:
  17519. key:
  17520. description: |-
  17521. A key in the referenced Secret.
  17522. Some instances of this field may be defaulted, in others it may be required.
  17523. maxLength: 253
  17524. minLength: 1
  17525. pattern: ^[-._a-zA-Z0-9]+$
  17526. type: string
  17527. name:
  17528. description: The name of the Secret resource being referred to.
  17529. maxLength: 253
  17530. minLength: 1
  17531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17532. type: string
  17533. namespace:
  17534. description: |-
  17535. The namespace of the Secret resource being referred to.
  17536. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17537. maxLength: 63
  17538. minLength: 1
  17539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17540. type: string
  17541. type: object
  17542. clientSecret:
  17543. description: |-
  17544. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17545. In some instances, `key` is a required field.
  17546. properties:
  17547. key:
  17548. description: |-
  17549. A key in the referenced Secret.
  17550. Some instances of this field may be defaulted, in others it may be required.
  17551. maxLength: 253
  17552. minLength: 1
  17553. pattern: ^[-._a-zA-Z0-9]+$
  17554. type: string
  17555. name:
  17556. description: The name of the Secret resource being referred to.
  17557. maxLength: 253
  17558. minLength: 1
  17559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17560. type: string
  17561. namespace:
  17562. description: |-
  17563. The namespace of the Secret resource being referred to.
  17564. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17565. maxLength: 63
  17566. minLength: 1
  17567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17568. type: string
  17569. type: object
  17570. required:
  17571. - clientId
  17572. - clientSecret
  17573. type: object
  17574. type: object
  17575. caBundle:
  17576. description: |-
  17577. CABundle is a PEM-encoded CA certificate bundle used to validate
  17578. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  17579. format: byte
  17580. type: string
  17581. caProvider:
  17582. description: |-
  17583. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  17584. The certificate is used to validate the Infisical server's TLS certificate.
  17585. Mutually exclusive with CABundle.
  17586. properties:
  17587. key:
  17588. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17589. maxLength: 253
  17590. minLength: 1
  17591. pattern: ^[-._a-zA-Z0-9]+$
  17592. type: string
  17593. name:
  17594. description: The name of the object located at the provider type.
  17595. maxLength: 253
  17596. minLength: 1
  17597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17598. type: string
  17599. namespace:
  17600. description: |-
  17601. The namespace the Provider type is in.
  17602. Can only be defined when used in a ClusterSecretStore.
  17603. maxLength: 63
  17604. minLength: 1
  17605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17606. type: string
  17607. type:
  17608. description: The type of provider to use such as "Secret", or "ConfigMap".
  17609. enum:
  17610. - Secret
  17611. - ConfigMap
  17612. type: string
  17613. required:
  17614. - name
  17615. - type
  17616. type: object
  17617. hostAPI:
  17618. default: https://app.infisical.com/api
  17619. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  17620. type: string
  17621. secretsScope:
  17622. description: SecretsScope defines the scope of the secrets within the workspace
  17623. properties:
  17624. environmentSlug:
  17625. description: EnvironmentSlug is the required slug identifier for the environment.
  17626. type: string
  17627. expandSecretReferences:
  17628. default: true
  17629. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  17630. type: boolean
  17631. projectSlug:
  17632. description: ProjectSlug is the required slug identifier for the project.
  17633. type: string
  17634. recursive:
  17635. default: false
  17636. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  17637. type: boolean
  17638. secretsPath:
  17639. default: /
  17640. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  17641. type: string
  17642. required:
  17643. - environmentSlug
  17644. - projectSlug
  17645. type: object
  17646. required:
  17647. - auth
  17648. - secretsScope
  17649. type: object
  17650. keepersecurity:
  17651. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  17652. properties:
  17653. authRef:
  17654. description: |-
  17655. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17656. In some instances, `key` is a required field.
  17657. properties:
  17658. key:
  17659. description: |-
  17660. A key in the referenced Secret.
  17661. Some instances of this field may be defaulted, in others it may be required.
  17662. maxLength: 253
  17663. minLength: 1
  17664. pattern: ^[-._a-zA-Z0-9]+$
  17665. type: string
  17666. name:
  17667. description: The name of the Secret resource being referred to.
  17668. maxLength: 253
  17669. minLength: 1
  17670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17671. type: string
  17672. namespace:
  17673. description: |-
  17674. The namespace of the Secret resource being referred to.
  17675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17676. maxLength: 63
  17677. minLength: 1
  17678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17679. type: string
  17680. type: object
  17681. folderID:
  17682. type: string
  17683. getByTitleFallback:
  17684. type: boolean
  17685. required:
  17686. - authRef
  17687. - folderID
  17688. type: object
  17689. kubernetes:
  17690. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  17691. properties:
  17692. auth:
  17693. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  17694. maxProperties: 1
  17695. minProperties: 1
  17696. properties:
  17697. cert:
  17698. description: has both clientCert and clientKey as secretKeySelector
  17699. properties:
  17700. clientCert:
  17701. description: |-
  17702. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17703. In some instances, `key` is a required field.
  17704. properties:
  17705. key:
  17706. description: |-
  17707. A key in the referenced Secret.
  17708. Some instances of this field may be defaulted, in others it may be required.
  17709. maxLength: 253
  17710. minLength: 1
  17711. pattern: ^[-._a-zA-Z0-9]+$
  17712. type: string
  17713. name:
  17714. description: The name of the Secret resource being referred to.
  17715. maxLength: 253
  17716. minLength: 1
  17717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17718. type: string
  17719. namespace:
  17720. description: |-
  17721. The namespace of the Secret resource being referred to.
  17722. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17723. maxLength: 63
  17724. minLength: 1
  17725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17726. type: string
  17727. type: object
  17728. clientKey:
  17729. description: |-
  17730. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17731. In some instances, `key` is a required field.
  17732. properties:
  17733. key:
  17734. description: |-
  17735. A key in the referenced Secret.
  17736. Some instances of this field may be defaulted, in others it may be required.
  17737. maxLength: 253
  17738. minLength: 1
  17739. pattern: ^[-._a-zA-Z0-9]+$
  17740. type: string
  17741. name:
  17742. description: The name of the Secret resource being referred to.
  17743. maxLength: 253
  17744. minLength: 1
  17745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17746. type: string
  17747. namespace:
  17748. description: |-
  17749. The namespace of the Secret resource being referred to.
  17750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17751. maxLength: 63
  17752. minLength: 1
  17753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17754. type: string
  17755. type: object
  17756. type: object
  17757. serviceAccount:
  17758. description: points to a service account that should be used for authentication
  17759. properties:
  17760. audiences:
  17761. description: |-
  17762. Audience specifies the `aud` claim for the service account token
  17763. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17764. then this audiences will be appended to the list
  17765. items:
  17766. type: string
  17767. type: array
  17768. name:
  17769. description: The name of the ServiceAccount resource being referred to.
  17770. maxLength: 253
  17771. minLength: 1
  17772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17773. type: string
  17774. namespace:
  17775. description: |-
  17776. Namespace of the resource being referred to.
  17777. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17778. maxLength: 63
  17779. minLength: 1
  17780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17781. type: string
  17782. required:
  17783. - name
  17784. type: object
  17785. token:
  17786. description: use static token to authenticate with
  17787. properties:
  17788. bearerToken:
  17789. description: |-
  17790. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17791. In some instances, `key` is a required field.
  17792. properties:
  17793. key:
  17794. description: |-
  17795. A key in the referenced Secret.
  17796. Some instances of this field may be defaulted, in others it may be required.
  17797. maxLength: 253
  17798. minLength: 1
  17799. pattern: ^[-._a-zA-Z0-9]+$
  17800. type: string
  17801. name:
  17802. description: The name of the Secret resource being referred to.
  17803. maxLength: 253
  17804. minLength: 1
  17805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17806. type: string
  17807. namespace:
  17808. description: |-
  17809. The namespace of the Secret resource being referred to.
  17810. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17811. maxLength: 63
  17812. minLength: 1
  17813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17814. type: string
  17815. type: object
  17816. type: object
  17817. type: object
  17818. authRef:
  17819. description: A reference to a secret that contains the auth information.
  17820. properties:
  17821. key:
  17822. description: |-
  17823. A key in the referenced Secret.
  17824. Some instances of this field may be defaulted, in others it may be required.
  17825. maxLength: 253
  17826. minLength: 1
  17827. pattern: ^[-._a-zA-Z0-9]+$
  17828. type: string
  17829. name:
  17830. description: The name of the Secret resource being referred to.
  17831. maxLength: 253
  17832. minLength: 1
  17833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17834. type: string
  17835. namespace:
  17836. description: |-
  17837. The namespace of the Secret resource being referred to.
  17838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17839. maxLength: 63
  17840. minLength: 1
  17841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17842. type: string
  17843. type: object
  17844. remoteNamespace:
  17845. default: default
  17846. description: Remote namespace to fetch the secrets from
  17847. maxLength: 63
  17848. minLength: 1
  17849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17850. type: string
  17851. server:
  17852. description: configures the Kubernetes server Address.
  17853. properties:
  17854. caBundle:
  17855. description: CABundle is a base64-encoded CA certificate
  17856. format: byte
  17857. type: string
  17858. caProvider:
  17859. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  17860. properties:
  17861. key:
  17862. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17863. maxLength: 253
  17864. minLength: 1
  17865. pattern: ^[-._a-zA-Z0-9]+$
  17866. type: string
  17867. name:
  17868. description: The name of the object located at the provider type.
  17869. maxLength: 253
  17870. minLength: 1
  17871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17872. type: string
  17873. namespace:
  17874. description: |-
  17875. The namespace the Provider type is in.
  17876. Can only be defined when used in a ClusterSecretStore.
  17877. maxLength: 63
  17878. minLength: 1
  17879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17880. type: string
  17881. type:
  17882. description: The type of provider to use such as "Secret", or "ConfigMap".
  17883. enum:
  17884. - Secret
  17885. - ConfigMap
  17886. type: string
  17887. required:
  17888. - name
  17889. - type
  17890. type: object
  17891. url:
  17892. default: kubernetes.default
  17893. description: configures the Kubernetes server Address.
  17894. type: string
  17895. type: object
  17896. type: object
  17897. nebiusmysterybox:
  17898. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  17899. properties:
  17900. apiDomain:
  17901. description: NebiusMysterybox API endpoint
  17902. type: string
  17903. auth:
  17904. description: Auth defines parameters to authenticate in MysteryBox
  17905. properties:
  17906. serviceAccountCredsSecretRef:
  17907. description: |-
  17908. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  17909. document with service account credentials used to get an IAM token.
  17910. Expected JSON structure:
  17911. {
  17912. "subject-credentials": {
  17913. "alg": "RS256",
  17914. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  17915. "kid": "<public-key-id>",
  17916. "iss": "<issuer-service-account-id>",
  17917. "sub": "<subject-service-account-id>"
  17918. }
  17919. }
  17920. properties:
  17921. key:
  17922. description: |-
  17923. A key in the referenced Secret.
  17924. Some instances of this field may be defaulted, in others it may be required.
  17925. maxLength: 253
  17926. minLength: 1
  17927. pattern: ^[-._a-zA-Z0-9]+$
  17928. type: string
  17929. name:
  17930. description: The name of the Secret resource being referred to.
  17931. maxLength: 253
  17932. minLength: 1
  17933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17934. type: string
  17935. namespace:
  17936. description: |-
  17937. The namespace of the Secret resource being referred to.
  17938. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17939. maxLength: 63
  17940. minLength: 1
  17941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17942. type: string
  17943. type: object
  17944. tokenSecretRef:
  17945. description: Token authenticates with Nebius Mysterybox by presenting a token.
  17946. properties:
  17947. key:
  17948. description: |-
  17949. A key in the referenced Secret.
  17950. Some instances of this field may be defaulted, in others it may be required.
  17951. maxLength: 253
  17952. minLength: 1
  17953. pattern: ^[-._a-zA-Z0-9]+$
  17954. type: string
  17955. name:
  17956. description: The name of the Secret resource being referred to.
  17957. maxLength: 253
  17958. minLength: 1
  17959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17960. type: string
  17961. namespace:
  17962. description: |-
  17963. The namespace of the Secret resource being referred to.
  17964. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17965. maxLength: 63
  17966. minLength: 1
  17967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17968. type: string
  17969. type: object
  17970. type: object
  17971. x-kubernetes-validations:
  17972. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  17973. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  17974. caProvider:
  17975. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  17976. properties:
  17977. certSecretRef:
  17978. description: |-
  17979. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17980. In some instances, `key` is a required field.
  17981. properties:
  17982. key:
  17983. description: |-
  17984. A key in the referenced Secret.
  17985. Some instances of this field may be defaulted, in others it may be required.
  17986. maxLength: 253
  17987. minLength: 1
  17988. pattern: ^[-._a-zA-Z0-9]+$
  17989. type: string
  17990. name:
  17991. description: The name of the Secret resource being referred to.
  17992. maxLength: 253
  17993. minLength: 1
  17994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17995. type: string
  17996. namespace:
  17997. description: |-
  17998. The namespace of the Secret resource being referred to.
  17999. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18000. maxLength: 63
  18001. minLength: 1
  18002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18003. type: string
  18004. type: object
  18005. type: object
  18006. required:
  18007. - apiDomain
  18008. - auth
  18009. type: object
  18010. ngrok:
  18011. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18012. properties:
  18013. apiUrl:
  18014. default: https://api.ngrok.com
  18015. description: APIURL is the URL of the ngrok API.
  18016. type: string
  18017. auth:
  18018. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18019. maxProperties: 1
  18020. minProperties: 1
  18021. properties:
  18022. apiKey:
  18023. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18024. properties:
  18025. secretRef:
  18026. description: SecretRef is a reference to a secret containing the ngrok API key.
  18027. properties:
  18028. key:
  18029. description: |-
  18030. A key in the referenced Secret.
  18031. Some instances of this field may be defaulted, in others it may be required.
  18032. maxLength: 253
  18033. minLength: 1
  18034. pattern: ^[-._a-zA-Z0-9]+$
  18035. type: string
  18036. name:
  18037. description: The name of the Secret resource being referred to.
  18038. maxLength: 253
  18039. minLength: 1
  18040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18041. type: string
  18042. namespace:
  18043. description: |-
  18044. The namespace of the Secret resource being referred to.
  18045. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18046. maxLength: 63
  18047. minLength: 1
  18048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18049. type: string
  18050. type: object
  18051. type: object
  18052. type: object
  18053. vault:
  18054. description: Vault configures the ngrok vault to sync secrets with.
  18055. properties:
  18056. name:
  18057. description: Name is the name of the ngrok vault to sync secrets with.
  18058. type: string
  18059. required:
  18060. - name
  18061. type: object
  18062. required:
  18063. - auth
  18064. - vault
  18065. type: object
  18066. onboardbase:
  18067. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18068. properties:
  18069. apiHost:
  18070. default: https://public.onboardbase.com/api/v1/
  18071. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18072. type: string
  18073. auth:
  18074. description: Auth configures how the Operator authenticates with the Onboardbase API
  18075. properties:
  18076. apiKeyRef:
  18077. description: |-
  18078. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18079. It is used to recognize and authorize access to a project and environment within onboardbase
  18080. properties:
  18081. key:
  18082. description: |-
  18083. A key in the referenced Secret.
  18084. Some instances of this field may be defaulted, in others it may be required.
  18085. maxLength: 253
  18086. minLength: 1
  18087. pattern: ^[-._a-zA-Z0-9]+$
  18088. type: string
  18089. name:
  18090. description: The name of the Secret resource being referred to.
  18091. maxLength: 253
  18092. minLength: 1
  18093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18094. type: string
  18095. namespace:
  18096. description: |-
  18097. The namespace of the Secret resource being referred to.
  18098. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18099. maxLength: 63
  18100. minLength: 1
  18101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18102. type: string
  18103. type: object
  18104. passcodeRef:
  18105. description: OnboardbasePasscode is the passcode attached to the API Key
  18106. properties:
  18107. key:
  18108. description: |-
  18109. A key in the referenced Secret.
  18110. Some instances of this field may be defaulted, in others it may be required.
  18111. maxLength: 253
  18112. minLength: 1
  18113. pattern: ^[-._a-zA-Z0-9]+$
  18114. type: string
  18115. name:
  18116. description: The name of the Secret resource being referred to.
  18117. maxLength: 253
  18118. minLength: 1
  18119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18120. type: string
  18121. namespace:
  18122. description: |-
  18123. The namespace of the Secret resource being referred to.
  18124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18125. maxLength: 63
  18126. minLength: 1
  18127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18128. type: string
  18129. type: object
  18130. required:
  18131. - apiKeyRef
  18132. - passcodeRef
  18133. type: object
  18134. environment:
  18135. default: development
  18136. description: Environment is the name of an environmnent within a project to pull the secrets from
  18137. type: string
  18138. project:
  18139. default: development
  18140. description: Project is an onboardbase project that the secrets should be pulled from
  18141. type: string
  18142. required:
  18143. - apiHost
  18144. - auth
  18145. - environment
  18146. - project
  18147. type: object
  18148. onepassword:
  18149. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18150. properties:
  18151. auth:
  18152. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18153. properties:
  18154. secretRef:
  18155. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18156. properties:
  18157. connectTokenSecretRef:
  18158. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18159. properties:
  18160. key:
  18161. description: |-
  18162. A key in the referenced Secret.
  18163. Some instances of this field may be defaulted, in others it may be required.
  18164. maxLength: 253
  18165. minLength: 1
  18166. pattern: ^[-._a-zA-Z0-9]+$
  18167. type: string
  18168. name:
  18169. description: The name of the Secret resource being referred to.
  18170. maxLength: 253
  18171. minLength: 1
  18172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18173. type: string
  18174. namespace:
  18175. description: |-
  18176. The namespace of the Secret resource being referred to.
  18177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18178. maxLength: 63
  18179. minLength: 1
  18180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18181. type: string
  18182. type: object
  18183. required:
  18184. - connectTokenSecretRef
  18185. type: object
  18186. required:
  18187. - secretRef
  18188. type: object
  18189. connectHost:
  18190. description: ConnectHost defines the OnePassword Connect Server to connect to
  18191. type: string
  18192. vaults:
  18193. additionalProperties:
  18194. type: integer
  18195. description: Vaults defines which OnePassword vaults to search in which order
  18196. type: object
  18197. required:
  18198. - auth
  18199. - connectHost
  18200. - vaults
  18201. type: object
  18202. onepasswordSDK:
  18203. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18204. properties:
  18205. auth:
  18206. description: Auth defines the information necessary to authenticate against OnePassword API.
  18207. properties:
  18208. serviceAccountSecretRef:
  18209. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18210. properties:
  18211. key:
  18212. description: |-
  18213. A key in the referenced Secret.
  18214. Some instances of this field may be defaulted, in others it may be required.
  18215. maxLength: 253
  18216. minLength: 1
  18217. pattern: ^[-._a-zA-Z0-9]+$
  18218. type: string
  18219. name:
  18220. description: The name of the Secret resource being referred to.
  18221. maxLength: 253
  18222. minLength: 1
  18223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18224. type: string
  18225. namespace:
  18226. description: |-
  18227. The namespace of the Secret resource being referred to.
  18228. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18229. maxLength: 63
  18230. minLength: 1
  18231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18232. type: string
  18233. type: object
  18234. required:
  18235. - serviceAccountSecretRef
  18236. type: object
  18237. cache:
  18238. description: |-
  18239. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18240. When enabled, secrets are cached with the specified TTL.
  18241. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18242. If omitted, caching is disabled (default).
  18243. cache: {} is a valid option to set.
  18244. properties:
  18245. maxSize:
  18246. default: 100
  18247. description: |-
  18248. MaxSize is the maximum number of secrets to cache.
  18249. When the cache is full, least-recently-used entries are evicted.
  18250. minimum: 1
  18251. type: integer
  18252. ttl:
  18253. default: 5m
  18254. description: |-
  18255. TTL is the time-to-live for cached secrets.
  18256. Format: duration string (e.g., "5m", "1h", "30s")
  18257. type: string
  18258. type: object
  18259. integrationInfo:
  18260. description: |-
  18261. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18262. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18263. properties:
  18264. name:
  18265. default: 1Password SDK
  18266. description: Name defaults to "1Password SDK".
  18267. type: string
  18268. version:
  18269. default: v1.0.0
  18270. description: Version defaults to "v1.0.0".
  18271. type: string
  18272. type: object
  18273. vault:
  18274. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18275. type: string
  18276. required:
  18277. - auth
  18278. - vault
  18279. type: object
  18280. oracle:
  18281. description: Oracle configures this store to sync secrets using Oracle Vault provider
  18282. properties:
  18283. auth:
  18284. description: |-
  18285. Auth configures how secret-manager authenticates with the Oracle Vault.
  18286. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  18287. properties:
  18288. secretRef:
  18289. description: SecretRef to pass through sensitive information.
  18290. properties:
  18291. fingerprint:
  18292. description: Fingerprint is the fingerprint of the API private key.
  18293. properties:
  18294. key:
  18295. description: |-
  18296. A key in the referenced Secret.
  18297. Some instances of this field may be defaulted, in others it may be required.
  18298. maxLength: 253
  18299. minLength: 1
  18300. pattern: ^[-._a-zA-Z0-9]+$
  18301. type: string
  18302. name:
  18303. description: The name of the Secret resource being referred to.
  18304. maxLength: 253
  18305. minLength: 1
  18306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18307. type: string
  18308. namespace:
  18309. description: |-
  18310. The namespace of the Secret resource being referred to.
  18311. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18312. maxLength: 63
  18313. minLength: 1
  18314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18315. type: string
  18316. type: object
  18317. privatekey:
  18318. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  18319. properties:
  18320. key:
  18321. description: |-
  18322. A key in the referenced Secret.
  18323. Some instances of this field may be defaulted, in others it may be required.
  18324. maxLength: 253
  18325. minLength: 1
  18326. pattern: ^[-._a-zA-Z0-9]+$
  18327. type: string
  18328. name:
  18329. description: The name of the Secret resource being referred to.
  18330. maxLength: 253
  18331. minLength: 1
  18332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18333. type: string
  18334. namespace:
  18335. description: |-
  18336. The namespace of the Secret resource being referred to.
  18337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18338. maxLength: 63
  18339. minLength: 1
  18340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18341. type: string
  18342. type: object
  18343. required:
  18344. - fingerprint
  18345. - privatekey
  18346. type: object
  18347. tenancy:
  18348. description: Tenancy is the tenancy OCID where user is located.
  18349. type: string
  18350. user:
  18351. description: User is an access OCID specific to the account.
  18352. type: string
  18353. required:
  18354. - secretRef
  18355. - tenancy
  18356. - user
  18357. type: object
  18358. compartment:
  18359. description: |-
  18360. Compartment is the vault compartment OCID.
  18361. Required for PushSecret
  18362. type: string
  18363. encryptionKey:
  18364. description: |-
  18365. EncryptionKey is the OCID of the encryption key within the vault.
  18366. Required for PushSecret
  18367. type: string
  18368. principalType:
  18369. description: |-
  18370. The type of principal to use for authentication. If left blank, the Auth struct will
  18371. determine the principal type. This optional field must be specified if using
  18372. workload identity.
  18373. enum:
  18374. - ""
  18375. - UserPrincipal
  18376. - InstancePrincipal
  18377. - Workload
  18378. type: string
  18379. region:
  18380. description: Region is the region where vault is located.
  18381. type: string
  18382. serviceAccountRef:
  18383. description: |-
  18384. ServiceAccountRef specified the service account
  18385. that should be used when authenticating with WorkloadIdentity.
  18386. properties:
  18387. audiences:
  18388. description: |-
  18389. Audience specifies the `aud` claim for the service account token
  18390. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18391. then this audiences will be appended to the list
  18392. items:
  18393. type: string
  18394. type: array
  18395. name:
  18396. description: The name of the ServiceAccount resource being referred to.
  18397. maxLength: 253
  18398. minLength: 1
  18399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18400. type: string
  18401. namespace:
  18402. description: |-
  18403. Namespace of the resource being referred to.
  18404. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18405. maxLength: 63
  18406. minLength: 1
  18407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18408. type: string
  18409. required:
  18410. - name
  18411. type: object
  18412. vault:
  18413. description: Vault is the vault's OCID of the specific vault where secret is located.
  18414. type: string
  18415. required:
  18416. - region
  18417. - vault
  18418. type: object
  18419. ovh:
  18420. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  18421. properties:
  18422. auth:
  18423. description: Authentication method (mtls or token).
  18424. properties:
  18425. mtls:
  18426. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  18427. properties:
  18428. caBundle:
  18429. format: byte
  18430. type: string
  18431. caProvider:
  18432. description: |-
  18433. CAProvider provides a custom certificate authority for accessing the provider's store.
  18434. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  18435. properties:
  18436. key:
  18437. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18438. maxLength: 253
  18439. minLength: 1
  18440. pattern: ^[-._a-zA-Z0-9]+$
  18441. type: string
  18442. name:
  18443. description: The name of the object located at the provider type.
  18444. maxLength: 253
  18445. minLength: 1
  18446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18447. type: string
  18448. namespace:
  18449. description: |-
  18450. The namespace the Provider type is in.
  18451. Can only be defined when used in a ClusterSecretStore.
  18452. maxLength: 63
  18453. minLength: 1
  18454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18455. type: string
  18456. type:
  18457. description: The type of provider to use such as "Secret", or "ConfigMap".
  18458. enum:
  18459. - Secret
  18460. - ConfigMap
  18461. type: string
  18462. required:
  18463. - name
  18464. - type
  18465. type: object
  18466. certSecretRef:
  18467. description: |-
  18468. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18469. In some instances, `key` is a required field.
  18470. properties:
  18471. key:
  18472. description: |-
  18473. A key in the referenced Secret.
  18474. Some instances of this field may be defaulted, in others it may be required.
  18475. maxLength: 253
  18476. minLength: 1
  18477. pattern: ^[-._a-zA-Z0-9]+$
  18478. type: string
  18479. name:
  18480. description: The name of the Secret resource being referred to.
  18481. maxLength: 253
  18482. minLength: 1
  18483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18484. type: string
  18485. namespace:
  18486. description: |-
  18487. The namespace of the Secret resource being referred to.
  18488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18489. maxLength: 63
  18490. minLength: 1
  18491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18492. type: string
  18493. type: object
  18494. keySecretRef:
  18495. description: |-
  18496. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18497. In some instances, `key` is a required field.
  18498. properties:
  18499. key:
  18500. description: |-
  18501. A key in the referenced Secret.
  18502. Some instances of this field may be defaulted, in others it may be required.
  18503. maxLength: 253
  18504. minLength: 1
  18505. pattern: ^[-._a-zA-Z0-9]+$
  18506. type: string
  18507. name:
  18508. description: The name of the Secret resource being referred to.
  18509. maxLength: 253
  18510. minLength: 1
  18511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18512. type: string
  18513. namespace:
  18514. description: |-
  18515. The namespace of the Secret resource being referred to.
  18516. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18517. maxLength: 63
  18518. minLength: 1
  18519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18520. type: string
  18521. type: object
  18522. required:
  18523. - certSecretRef
  18524. - keySecretRef
  18525. type: object
  18526. token:
  18527. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  18528. properties:
  18529. tokenSecretRef:
  18530. description: |-
  18531. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18532. In some instances, `key` is a required field.
  18533. properties:
  18534. key:
  18535. description: |-
  18536. A key in the referenced Secret.
  18537. Some instances of this field may be defaulted, in others it may be required.
  18538. maxLength: 253
  18539. minLength: 1
  18540. pattern: ^[-._a-zA-Z0-9]+$
  18541. type: string
  18542. name:
  18543. description: The name of the Secret resource being referred to.
  18544. maxLength: 253
  18545. minLength: 1
  18546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18547. type: string
  18548. namespace:
  18549. description: |-
  18550. The namespace of the Secret resource being referred to.
  18551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18552. maxLength: 63
  18553. minLength: 1
  18554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18555. type: string
  18556. type: object
  18557. required:
  18558. - tokenSecretRef
  18559. type: object
  18560. type: object
  18561. casRequired:
  18562. description: 'Enables or disables check-and-set (CAS) (default: false).'
  18563. type: boolean
  18564. okmsTimeout:
  18565. default: 30
  18566. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  18567. format: int32
  18568. minimum: 1
  18569. type: integer
  18570. okmsid:
  18571. description: specifies the OKMS ID.
  18572. type: string
  18573. server:
  18574. description: specifies the OKMS server endpoint.
  18575. type: string
  18576. required:
  18577. - auth
  18578. - okmsid
  18579. - server
  18580. type: object
  18581. passbolt:
  18582. description: |-
  18583. PassboltProvider provides access to Passbolt secrets manager.
  18584. See: https://www.passbolt.com.
  18585. properties:
  18586. auth:
  18587. description: Auth defines the information necessary to authenticate against Passbolt Server
  18588. properties:
  18589. passwordSecretRef:
  18590. description: |-
  18591. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18592. In some instances, `key` is a required field.
  18593. properties:
  18594. key:
  18595. description: |-
  18596. A key in the referenced Secret.
  18597. Some instances of this field may be defaulted, in others it may be required.
  18598. maxLength: 253
  18599. minLength: 1
  18600. pattern: ^[-._a-zA-Z0-9]+$
  18601. type: string
  18602. name:
  18603. description: The name of the Secret resource being referred to.
  18604. maxLength: 253
  18605. minLength: 1
  18606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18607. type: string
  18608. namespace:
  18609. description: |-
  18610. The namespace of the Secret resource being referred to.
  18611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18612. maxLength: 63
  18613. minLength: 1
  18614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18615. type: string
  18616. type: object
  18617. privateKeySecretRef:
  18618. description: |-
  18619. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18620. In some instances, `key` is a required field.
  18621. properties:
  18622. key:
  18623. description: |-
  18624. A key in the referenced Secret.
  18625. Some instances of this field may be defaulted, in others it may be required.
  18626. maxLength: 253
  18627. minLength: 1
  18628. pattern: ^[-._a-zA-Z0-9]+$
  18629. type: string
  18630. name:
  18631. description: The name of the Secret resource being referred to.
  18632. maxLength: 253
  18633. minLength: 1
  18634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18635. type: string
  18636. namespace:
  18637. description: |-
  18638. The namespace of the Secret resource being referred to.
  18639. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18640. maxLength: 63
  18641. minLength: 1
  18642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18643. type: string
  18644. type: object
  18645. required:
  18646. - passwordSecretRef
  18647. - privateKeySecretRef
  18648. type: object
  18649. caBundle:
  18650. description: |-
  18651. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  18652. if the Host URL is using HTTPS protocol. If not set the system root certificates
  18653. are used to validate the TLS connection.
  18654. format: byte
  18655. type: string
  18656. caProvider:
  18657. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  18658. properties:
  18659. key:
  18660. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18661. maxLength: 253
  18662. minLength: 1
  18663. pattern: ^[-._a-zA-Z0-9]+$
  18664. type: string
  18665. name:
  18666. description: The name of the object located at the provider type.
  18667. maxLength: 253
  18668. minLength: 1
  18669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18670. type: string
  18671. namespace:
  18672. description: |-
  18673. The namespace the Provider type is in.
  18674. Can only be defined when used in a ClusterSecretStore.
  18675. maxLength: 63
  18676. minLength: 1
  18677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18678. type: string
  18679. type:
  18680. description: The type of provider to use such as "Secret", or "ConfigMap".
  18681. enum:
  18682. - Secret
  18683. - ConfigMap
  18684. type: string
  18685. required:
  18686. - name
  18687. - type
  18688. type: object
  18689. host:
  18690. description: Host defines the Passbolt Server to connect to
  18691. type: string
  18692. required:
  18693. - auth
  18694. - host
  18695. type: object
  18696. passworddepot:
  18697. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  18698. properties:
  18699. auth:
  18700. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  18701. properties:
  18702. secretRef:
  18703. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  18704. properties:
  18705. credentials:
  18706. description: Username / Password is used for authentication.
  18707. properties:
  18708. key:
  18709. description: |-
  18710. A key in the referenced Secret.
  18711. Some instances of this field may be defaulted, in others it may be required.
  18712. maxLength: 253
  18713. minLength: 1
  18714. pattern: ^[-._a-zA-Z0-9]+$
  18715. type: string
  18716. name:
  18717. description: The name of the Secret resource being referred to.
  18718. maxLength: 253
  18719. minLength: 1
  18720. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18721. type: string
  18722. namespace:
  18723. description: |-
  18724. The namespace of the Secret resource being referred to.
  18725. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18726. maxLength: 63
  18727. minLength: 1
  18728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18729. type: string
  18730. type: object
  18731. type: object
  18732. required:
  18733. - secretRef
  18734. type: object
  18735. database:
  18736. description: Database to use as source
  18737. type: string
  18738. host:
  18739. description: URL configures the Password Depot instance URL.
  18740. type: string
  18741. required:
  18742. - auth
  18743. - database
  18744. - host
  18745. type: object
  18746. previder:
  18747. description: Previder configures this store to sync secrets using the Previder provider
  18748. properties:
  18749. auth:
  18750. description: PreviderAuth contains a secretRef for credentials.
  18751. properties:
  18752. secretRef:
  18753. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  18754. properties:
  18755. accessToken:
  18756. description: The AccessToken is used for authentication
  18757. properties:
  18758. key:
  18759. description: |-
  18760. A key in the referenced Secret.
  18761. Some instances of this field may be defaulted, in others it may be required.
  18762. maxLength: 253
  18763. minLength: 1
  18764. pattern: ^[-._a-zA-Z0-9]+$
  18765. type: string
  18766. name:
  18767. description: The name of the Secret resource being referred to.
  18768. maxLength: 253
  18769. minLength: 1
  18770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18771. type: string
  18772. namespace:
  18773. description: |-
  18774. The namespace of the Secret resource being referred to.
  18775. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18776. maxLength: 63
  18777. minLength: 1
  18778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18779. type: string
  18780. type: object
  18781. required:
  18782. - accessToken
  18783. type: object
  18784. type: object
  18785. baseUri:
  18786. type: string
  18787. required:
  18788. - auth
  18789. type: object
  18790. pulumi:
  18791. description: Pulumi configures this store to sync secrets using the Pulumi provider
  18792. properties:
  18793. accessToken:
  18794. description: |-
  18795. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  18796. Deprecated: Use auth.accessToken instead.
  18797. properties:
  18798. secretRef:
  18799. description: SecretRef is a reference to a secret containing the Pulumi API token.
  18800. properties:
  18801. key:
  18802. description: |-
  18803. A key in the referenced Secret.
  18804. Some instances of this field may be defaulted, in others it may be required.
  18805. maxLength: 253
  18806. minLength: 1
  18807. pattern: ^[-._a-zA-Z0-9]+$
  18808. type: string
  18809. name:
  18810. description: The name of the Secret resource being referred to.
  18811. maxLength: 253
  18812. minLength: 1
  18813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18814. type: string
  18815. namespace:
  18816. description: |-
  18817. The namespace of the Secret resource being referred to.
  18818. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18819. maxLength: 63
  18820. minLength: 1
  18821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18822. type: string
  18823. type: object
  18824. type: object
  18825. apiUrl:
  18826. default: https://api.pulumi.com/api/esc
  18827. description: APIURL is the URL of the Pulumi API.
  18828. type: string
  18829. auth:
  18830. description: |-
  18831. Auth configures how the Operator authenticates with the Pulumi API.
  18832. Either auth or the deprecated accessToken field must be specified.
  18833. properties:
  18834. accessToken:
  18835. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  18836. properties:
  18837. secretRef:
  18838. description: SecretRef is a reference to a secret containing the Pulumi API token.
  18839. properties:
  18840. key:
  18841. description: |-
  18842. A key in the referenced Secret.
  18843. Some instances of this field may be defaulted, in others it may be required.
  18844. maxLength: 253
  18845. minLength: 1
  18846. pattern: ^[-._a-zA-Z0-9]+$
  18847. type: string
  18848. name:
  18849. description: The name of the Secret resource being referred to.
  18850. maxLength: 253
  18851. minLength: 1
  18852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18853. type: string
  18854. namespace:
  18855. description: |-
  18856. The namespace of the Secret resource being referred to.
  18857. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18858. maxLength: 63
  18859. minLength: 1
  18860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18861. type: string
  18862. type: object
  18863. type: object
  18864. oidcConfig:
  18865. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  18866. properties:
  18867. expirationSeconds:
  18868. default: 600
  18869. description: |-
  18870. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  18871. Defaults to 10 minutes.
  18872. format: int64
  18873. minimum: 600
  18874. type: integer
  18875. organization:
  18876. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  18877. type: string
  18878. serviceAccountRef:
  18879. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  18880. properties:
  18881. audiences:
  18882. description: |-
  18883. Audience specifies the `aud` claim for the service account token
  18884. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18885. then this audiences will be appended to the list
  18886. items:
  18887. type: string
  18888. type: array
  18889. name:
  18890. description: The name of the ServiceAccount resource being referred to.
  18891. maxLength: 253
  18892. minLength: 1
  18893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18894. type: string
  18895. namespace:
  18896. description: |-
  18897. Namespace of the resource being referred to.
  18898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18899. maxLength: 63
  18900. minLength: 1
  18901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18902. type: string
  18903. required:
  18904. - name
  18905. type: object
  18906. required:
  18907. - organization
  18908. - serviceAccountRef
  18909. type: object
  18910. type: object
  18911. x-kubernetes-validations:
  18912. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  18913. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  18914. environment:
  18915. description: |-
  18916. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  18917. dynamically retrieved values from supported providers including all major clouds,
  18918. and other Pulumi ESC environments.
  18919. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  18920. type: string
  18921. organization:
  18922. description: |-
  18923. Organization are a space to collaborate on shared projects and stacks.
  18924. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  18925. type: string
  18926. project:
  18927. description: Project is the name of the Pulumi ESC project the environment belongs to.
  18928. type: string
  18929. required:
  18930. - environment
  18931. - organization
  18932. - project
  18933. type: object
  18934. x-kubernetes-validations:
  18935. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  18936. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  18937. scaleway:
  18938. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  18939. properties:
  18940. accessKey:
  18941. description: AccessKey is the non-secret part of the api key.
  18942. properties:
  18943. secretRef:
  18944. description: SecretRef references a key in a secret that will be used as value.
  18945. properties:
  18946. key:
  18947. description: |-
  18948. A key in the referenced Secret.
  18949. Some instances of this field may be defaulted, in others it may be required.
  18950. maxLength: 253
  18951. minLength: 1
  18952. pattern: ^[-._a-zA-Z0-9]+$
  18953. type: string
  18954. name:
  18955. description: The name of the Secret resource being referred to.
  18956. maxLength: 253
  18957. minLength: 1
  18958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18959. type: string
  18960. namespace:
  18961. description: |-
  18962. The namespace of the Secret resource being referred to.
  18963. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18964. maxLength: 63
  18965. minLength: 1
  18966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18967. type: string
  18968. type: object
  18969. value:
  18970. description: Value can be specified directly to set a value without using a secret.
  18971. type: string
  18972. type: object
  18973. apiUrl:
  18974. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  18975. type: string
  18976. projectId:
  18977. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  18978. type: string
  18979. region:
  18980. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  18981. type: string
  18982. secretKey:
  18983. description: SecretKey is the non-secret part of the api key.
  18984. properties:
  18985. secretRef:
  18986. description: SecretRef references a key in a secret that will be used as value.
  18987. properties:
  18988. key:
  18989. description: |-
  18990. A key in the referenced Secret.
  18991. Some instances of this field may be defaulted, in others it may be required.
  18992. maxLength: 253
  18993. minLength: 1
  18994. pattern: ^[-._a-zA-Z0-9]+$
  18995. type: string
  18996. name:
  18997. description: The name of the Secret resource being referred to.
  18998. maxLength: 253
  18999. minLength: 1
  19000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19001. type: string
  19002. namespace:
  19003. description: |-
  19004. The namespace of the Secret resource being referred to.
  19005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19006. maxLength: 63
  19007. minLength: 1
  19008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19009. type: string
  19010. type: object
  19011. value:
  19012. description: Value can be specified directly to set a value without using a secret.
  19013. type: string
  19014. type: object
  19015. required:
  19016. - accessKey
  19017. - projectId
  19018. - region
  19019. - secretKey
  19020. type: object
  19021. secretserver:
  19022. description: |-
  19023. SecretServer configures this store to sync secrets using SecretServer provider
  19024. https://docs.delinea.com/online-help/secret-server/start.htm
  19025. properties:
  19026. caBundle:
  19027. description: |-
  19028. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  19029. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  19030. are used to validate the TLS connection.
  19031. format: byte
  19032. type: string
  19033. caProvider:
  19034. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19035. properties:
  19036. key:
  19037. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19038. maxLength: 253
  19039. minLength: 1
  19040. pattern: ^[-._a-zA-Z0-9]+$
  19041. type: string
  19042. name:
  19043. description: The name of the object located at the provider type.
  19044. maxLength: 253
  19045. minLength: 1
  19046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19047. type: string
  19048. namespace:
  19049. description: |-
  19050. The namespace the Provider type is in.
  19051. Can only be defined when used in a ClusterSecretStore.
  19052. maxLength: 63
  19053. minLength: 1
  19054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19055. type: string
  19056. type:
  19057. description: The type of provider to use such as "Secret", or "ConfigMap".
  19058. enum:
  19059. - Secret
  19060. - ConfigMap
  19061. type: string
  19062. required:
  19063. - name
  19064. - type
  19065. type: object
  19066. domain:
  19067. description: Domain is the secret server domain.
  19068. type: string
  19069. password:
  19070. description: Password is the secret server account password.
  19071. properties:
  19072. secretRef:
  19073. description: SecretRef references a key in a secret that will be used as value.
  19074. properties:
  19075. key:
  19076. description: |-
  19077. A key in the referenced Secret.
  19078. Some instances of this field may be defaulted, in others it may be required.
  19079. maxLength: 253
  19080. minLength: 1
  19081. pattern: ^[-._a-zA-Z0-9]+$
  19082. type: string
  19083. name:
  19084. description: The name of the Secret resource being referred to.
  19085. maxLength: 253
  19086. minLength: 1
  19087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19088. type: string
  19089. namespace:
  19090. description: |-
  19091. The namespace of the Secret resource being referred to.
  19092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19093. maxLength: 63
  19094. minLength: 1
  19095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19096. type: string
  19097. type: object
  19098. value:
  19099. description: Value can be specified directly to set a value without using a secret.
  19100. type: string
  19101. type: object
  19102. serverURL:
  19103. description: |-
  19104. ServerURL
  19105. URL to your secret server installation
  19106. type: string
  19107. username:
  19108. description: Username is the secret server account username.
  19109. properties:
  19110. secretRef:
  19111. description: SecretRef references a key in a secret that will be used as value.
  19112. properties:
  19113. key:
  19114. description: |-
  19115. A key in the referenced Secret.
  19116. Some instances of this field may be defaulted, in others it may be required.
  19117. maxLength: 253
  19118. minLength: 1
  19119. pattern: ^[-._a-zA-Z0-9]+$
  19120. type: string
  19121. name:
  19122. description: The name of the Secret resource being referred to.
  19123. maxLength: 253
  19124. minLength: 1
  19125. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19126. type: string
  19127. namespace:
  19128. description: |-
  19129. The namespace of the Secret resource being referred to.
  19130. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19131. maxLength: 63
  19132. minLength: 1
  19133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19134. type: string
  19135. type: object
  19136. value:
  19137. description: Value can be specified directly to set a value without using a secret.
  19138. type: string
  19139. type: object
  19140. required:
  19141. - password
  19142. - serverURL
  19143. - username
  19144. type: object
  19145. senhasegura:
  19146. description: Senhasegura configures this store to sync secrets using senhasegura provider
  19147. properties:
  19148. auth:
  19149. description: Auth defines parameters to authenticate in senhasegura
  19150. properties:
  19151. clientId:
  19152. type: string
  19153. clientSecretSecretRef:
  19154. description: |-
  19155. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19156. In some instances, `key` is a required field.
  19157. properties:
  19158. key:
  19159. description: |-
  19160. A key in the referenced Secret.
  19161. Some instances of this field may be defaulted, in others it may be required.
  19162. maxLength: 253
  19163. minLength: 1
  19164. pattern: ^[-._a-zA-Z0-9]+$
  19165. type: string
  19166. name:
  19167. description: The name of the Secret resource being referred to.
  19168. maxLength: 253
  19169. minLength: 1
  19170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19171. type: string
  19172. namespace:
  19173. description: |-
  19174. The namespace of the Secret resource being referred to.
  19175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19176. maxLength: 63
  19177. minLength: 1
  19178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19179. type: string
  19180. type: object
  19181. required:
  19182. - clientId
  19183. - clientSecretSecretRef
  19184. type: object
  19185. ignoreSslCertificate:
  19186. default: false
  19187. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  19188. type: boolean
  19189. module:
  19190. description: Module defines which senhasegura module should be used to get secrets
  19191. type: string
  19192. url:
  19193. description: URL of senhasegura
  19194. type: string
  19195. required:
  19196. - auth
  19197. - module
  19198. - url
  19199. type: object
  19200. vault:
  19201. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  19202. properties:
  19203. auth:
  19204. description: Auth configures how secret-manager authenticates with the Vault server.
  19205. properties:
  19206. appRole:
  19207. description: |-
  19208. AppRole authenticates with Vault using the App Role auth mechanism,
  19209. with the role and secret stored in a Kubernetes Secret resource.
  19210. properties:
  19211. path:
  19212. default: approle
  19213. description: |-
  19214. Path where the App Role authentication backend is mounted
  19215. in Vault, e.g: "approle"
  19216. type: string
  19217. roleId:
  19218. description: |-
  19219. RoleID configured in the App Role authentication backend when setting
  19220. up the authentication backend in Vault.
  19221. type: string
  19222. roleRef:
  19223. description: |-
  19224. Reference to a key in a Secret that contains the App Role ID used
  19225. to authenticate with Vault.
  19226. The `key` field must be specified and denotes which entry within the Secret
  19227. resource is used as the app role id.
  19228. properties:
  19229. key:
  19230. description: |-
  19231. A key in the referenced Secret.
  19232. Some instances of this field may be defaulted, in others it may be required.
  19233. maxLength: 253
  19234. minLength: 1
  19235. pattern: ^[-._a-zA-Z0-9]+$
  19236. type: string
  19237. name:
  19238. description: The name of the Secret resource being referred to.
  19239. maxLength: 253
  19240. minLength: 1
  19241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19242. type: string
  19243. namespace:
  19244. description: |-
  19245. The namespace of the Secret resource being referred to.
  19246. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19247. maxLength: 63
  19248. minLength: 1
  19249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19250. type: string
  19251. type: object
  19252. secretRef:
  19253. description: |-
  19254. Reference to a key in a Secret that contains the App Role secret used
  19255. to authenticate with Vault.
  19256. The `key` field must be specified and denotes which entry within the Secret
  19257. resource is used as the app role secret.
  19258. properties:
  19259. key:
  19260. description: |-
  19261. A key in the referenced Secret.
  19262. Some instances of this field may be defaulted, in others it may be required.
  19263. maxLength: 253
  19264. minLength: 1
  19265. pattern: ^[-._a-zA-Z0-9]+$
  19266. type: string
  19267. name:
  19268. description: The name of the Secret resource being referred to.
  19269. maxLength: 253
  19270. minLength: 1
  19271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19272. type: string
  19273. namespace:
  19274. description: |-
  19275. The namespace of the Secret resource being referred to.
  19276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19277. maxLength: 63
  19278. minLength: 1
  19279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19280. type: string
  19281. type: object
  19282. required:
  19283. - path
  19284. - secretRef
  19285. type: object
  19286. cert:
  19287. description: |-
  19288. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  19289. Cert authentication method
  19290. properties:
  19291. clientCert:
  19292. description: |-
  19293. ClientCert is a certificate to authenticate using the Cert Vault
  19294. authentication method
  19295. properties:
  19296. key:
  19297. description: |-
  19298. A key in the referenced Secret.
  19299. Some instances of this field may be defaulted, in others it may be required.
  19300. maxLength: 253
  19301. minLength: 1
  19302. pattern: ^[-._a-zA-Z0-9]+$
  19303. type: string
  19304. name:
  19305. description: The name of the Secret resource being referred to.
  19306. maxLength: 253
  19307. minLength: 1
  19308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19309. type: string
  19310. namespace:
  19311. description: |-
  19312. The namespace of the Secret resource being referred to.
  19313. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19314. maxLength: 63
  19315. minLength: 1
  19316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19317. type: string
  19318. type: object
  19319. path:
  19320. default: cert
  19321. description: |-
  19322. Path where the Certificate authentication backend is mounted
  19323. in Vault, e.g: "cert"
  19324. type: string
  19325. secretRef:
  19326. description: |-
  19327. SecretRef to a key in a Secret resource containing client private key to
  19328. authenticate with Vault using the Cert authentication method
  19329. properties:
  19330. key:
  19331. description: |-
  19332. A key in the referenced Secret.
  19333. Some instances of this field may be defaulted, in others it may be required.
  19334. maxLength: 253
  19335. minLength: 1
  19336. pattern: ^[-._a-zA-Z0-9]+$
  19337. type: string
  19338. name:
  19339. description: The name of the Secret resource being referred to.
  19340. maxLength: 253
  19341. minLength: 1
  19342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19343. type: string
  19344. namespace:
  19345. description: |-
  19346. The namespace of the Secret resource being referred to.
  19347. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19348. maxLength: 63
  19349. minLength: 1
  19350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19351. type: string
  19352. type: object
  19353. vaultRole:
  19354. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  19355. type: string
  19356. type: object
  19357. gcp:
  19358. description: |-
  19359. Gcp authenticates with Vault using Google Cloud Platform authentication method
  19360. GCP authentication method
  19361. properties:
  19362. location:
  19363. description: Location optionally defines a location/region for the secret
  19364. type: string
  19365. path:
  19366. default: gcp
  19367. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  19368. type: string
  19369. projectID:
  19370. description: Project ID of the Google Cloud Platform project
  19371. type: string
  19372. role:
  19373. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  19374. type: string
  19375. secretRef:
  19376. description: Specify credentials in a Secret object
  19377. properties:
  19378. secretAccessKeySecretRef:
  19379. description: The SecretAccessKey is used for authentication
  19380. properties:
  19381. key:
  19382. description: |-
  19383. A key in the referenced Secret.
  19384. Some instances of this field may be defaulted, in others it may be required.
  19385. maxLength: 253
  19386. minLength: 1
  19387. pattern: ^[-._a-zA-Z0-9]+$
  19388. type: string
  19389. name:
  19390. description: The name of the Secret resource being referred to.
  19391. maxLength: 253
  19392. minLength: 1
  19393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19394. type: string
  19395. namespace:
  19396. description: |-
  19397. The namespace of the Secret resource being referred to.
  19398. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19399. maxLength: 63
  19400. minLength: 1
  19401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19402. type: string
  19403. type: object
  19404. type: object
  19405. serviceAccountRef:
  19406. description: ServiceAccountRef to a service account for impersonation
  19407. properties:
  19408. audiences:
  19409. description: |-
  19410. Audience specifies the `aud` claim for the service account token
  19411. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19412. then this audiences will be appended to the list
  19413. items:
  19414. type: string
  19415. type: array
  19416. name:
  19417. description: The name of the ServiceAccount resource being referred to.
  19418. maxLength: 253
  19419. minLength: 1
  19420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19421. type: string
  19422. namespace:
  19423. description: |-
  19424. Namespace of the resource being referred to.
  19425. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19426. maxLength: 63
  19427. minLength: 1
  19428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19429. type: string
  19430. required:
  19431. - name
  19432. type: object
  19433. workloadIdentity:
  19434. description: Specify a service account with Workload Identity
  19435. properties:
  19436. clusterLocation:
  19437. description: |-
  19438. ClusterLocation is the location of the cluster
  19439. If not specified, it fetches information from the metadata server
  19440. type: string
  19441. clusterName:
  19442. description: |-
  19443. ClusterName is the name of the cluster
  19444. If not specified, it fetches information from the metadata server
  19445. type: string
  19446. clusterProjectID:
  19447. description: |-
  19448. ClusterProjectID is the project ID of the cluster
  19449. If not specified, it fetches information from the metadata server
  19450. type: string
  19451. serviceAccountRef:
  19452. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19453. properties:
  19454. audiences:
  19455. description: |-
  19456. Audience specifies the `aud` claim for the service account token
  19457. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19458. then this audiences will be appended to the list
  19459. items:
  19460. type: string
  19461. type: array
  19462. name:
  19463. description: The name of the ServiceAccount resource being referred to.
  19464. maxLength: 253
  19465. minLength: 1
  19466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19467. type: string
  19468. namespace:
  19469. description: |-
  19470. Namespace of the resource being referred to.
  19471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19472. maxLength: 63
  19473. minLength: 1
  19474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19475. type: string
  19476. required:
  19477. - name
  19478. type: object
  19479. required:
  19480. - serviceAccountRef
  19481. type: object
  19482. required:
  19483. - role
  19484. type: object
  19485. iam:
  19486. description: |-
  19487. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  19488. AWS IAM authentication method
  19489. properties:
  19490. externalID:
  19491. description: AWS External ID set on assumed IAM roles
  19492. type: string
  19493. jwt:
  19494. description: Specify a service account with IRSA enabled
  19495. properties:
  19496. serviceAccountRef:
  19497. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19498. properties:
  19499. audiences:
  19500. description: |-
  19501. Audience specifies the `aud` claim for the service account token
  19502. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19503. then this audiences will be appended to the list
  19504. items:
  19505. type: string
  19506. type: array
  19507. name:
  19508. description: The name of the ServiceAccount resource being referred to.
  19509. maxLength: 253
  19510. minLength: 1
  19511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19512. type: string
  19513. namespace:
  19514. description: |-
  19515. Namespace of the resource being referred to.
  19516. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19517. maxLength: 63
  19518. minLength: 1
  19519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19520. type: string
  19521. required:
  19522. - name
  19523. type: object
  19524. type: object
  19525. path:
  19526. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  19527. type: string
  19528. region:
  19529. description: AWS region
  19530. type: string
  19531. role:
  19532. description: This is the AWS role to be assumed before talking to vault
  19533. type: string
  19534. secretRef:
  19535. description: Specify credentials in a Secret object
  19536. properties:
  19537. accessKeyIDSecretRef:
  19538. description: The AccessKeyID is used for authentication
  19539. properties:
  19540. key:
  19541. description: |-
  19542. A key in the referenced Secret.
  19543. Some instances of this field may be defaulted, in others it may be required.
  19544. maxLength: 253
  19545. minLength: 1
  19546. pattern: ^[-._a-zA-Z0-9]+$
  19547. type: string
  19548. name:
  19549. description: The name of the Secret resource being referred to.
  19550. maxLength: 253
  19551. minLength: 1
  19552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19553. type: string
  19554. namespace:
  19555. description: |-
  19556. The namespace of the Secret resource being referred to.
  19557. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19558. maxLength: 63
  19559. minLength: 1
  19560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19561. type: string
  19562. type: object
  19563. secretAccessKeySecretRef:
  19564. description: The SecretAccessKey is used for authentication
  19565. properties:
  19566. key:
  19567. description: |-
  19568. A key in the referenced Secret.
  19569. Some instances of this field may be defaulted, in others it may be required.
  19570. maxLength: 253
  19571. minLength: 1
  19572. pattern: ^[-._a-zA-Z0-9]+$
  19573. type: string
  19574. name:
  19575. description: The name of the Secret resource being referred to.
  19576. maxLength: 253
  19577. minLength: 1
  19578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19579. type: string
  19580. namespace:
  19581. description: |-
  19582. The namespace of the Secret resource being referred to.
  19583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19584. maxLength: 63
  19585. minLength: 1
  19586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19587. type: string
  19588. type: object
  19589. sessionTokenSecretRef:
  19590. description: |-
  19591. The SessionToken used for authentication
  19592. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  19593. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  19594. properties:
  19595. key:
  19596. description: |-
  19597. A key in the referenced Secret.
  19598. Some instances of this field may be defaulted, in others it may be required.
  19599. maxLength: 253
  19600. minLength: 1
  19601. pattern: ^[-._a-zA-Z0-9]+$
  19602. type: string
  19603. name:
  19604. description: The name of the Secret resource being referred to.
  19605. maxLength: 253
  19606. minLength: 1
  19607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19608. type: string
  19609. namespace:
  19610. description: |-
  19611. The namespace of the Secret resource being referred to.
  19612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19613. maxLength: 63
  19614. minLength: 1
  19615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19616. type: string
  19617. type: object
  19618. type: object
  19619. vaultAwsIamServerID:
  19620. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  19621. type: string
  19622. vaultRole:
  19623. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  19624. type: string
  19625. required:
  19626. - vaultRole
  19627. type: object
  19628. jwt:
  19629. description: |-
  19630. Jwt authenticates with Vault by passing role and JWT token using the
  19631. JWT/OIDC authentication method
  19632. properties:
  19633. kubernetesServiceAccountToken:
  19634. description: |-
  19635. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  19636. a token for with the `TokenRequest` API.
  19637. properties:
  19638. audiences:
  19639. description: |-
  19640. Optional audiences field that will be used to request a temporary Kubernetes service
  19641. account token for the service account referenced by `serviceAccountRef`.
  19642. Defaults to a single audience `vault` it not specified.
  19643. Deprecated: use serviceAccountRef.Audiences instead
  19644. items:
  19645. type: string
  19646. type: array
  19647. expirationSeconds:
  19648. description: |-
  19649. Optional expiration time in seconds that will be used to request a temporary
  19650. Kubernetes service account token for the service account referenced by
  19651. `serviceAccountRef`.
  19652. Deprecated: this will be removed in the future.
  19653. Defaults to 10 minutes.
  19654. format: int64
  19655. type: integer
  19656. serviceAccountRef:
  19657. description: Service account field containing the name of a kubernetes ServiceAccount.
  19658. properties:
  19659. audiences:
  19660. description: |-
  19661. Audience specifies the `aud` claim for the service account token
  19662. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19663. then this audiences will be appended to the list
  19664. items:
  19665. type: string
  19666. type: array
  19667. name:
  19668. description: The name of the ServiceAccount resource being referred to.
  19669. maxLength: 253
  19670. minLength: 1
  19671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19672. type: string
  19673. namespace:
  19674. description: |-
  19675. Namespace of the resource being referred to.
  19676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19677. maxLength: 63
  19678. minLength: 1
  19679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19680. type: string
  19681. required:
  19682. - name
  19683. type: object
  19684. required:
  19685. - serviceAccountRef
  19686. type: object
  19687. path:
  19688. default: jwt
  19689. description: |-
  19690. Path where the JWT authentication backend is mounted
  19691. in Vault, e.g: "jwt"
  19692. type: string
  19693. role:
  19694. description: |-
  19695. Role is a JWT role to authenticate using the JWT/OIDC Vault
  19696. authentication method
  19697. type: string
  19698. secretRef:
  19699. description: |-
  19700. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  19701. authenticate with Vault using the JWT/OIDC authentication method.
  19702. properties:
  19703. key:
  19704. description: |-
  19705. A key in the referenced Secret.
  19706. Some instances of this field may be defaulted, in others it may be required.
  19707. maxLength: 253
  19708. minLength: 1
  19709. pattern: ^[-._a-zA-Z0-9]+$
  19710. type: string
  19711. name:
  19712. description: The name of the Secret resource being referred to.
  19713. maxLength: 253
  19714. minLength: 1
  19715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19716. type: string
  19717. namespace:
  19718. description: |-
  19719. The namespace of the Secret resource being referred to.
  19720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19721. maxLength: 63
  19722. minLength: 1
  19723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19724. type: string
  19725. type: object
  19726. required:
  19727. - path
  19728. type: object
  19729. kubernetes:
  19730. description: |-
  19731. Kubernetes authenticates with Vault by passing the ServiceAccount
  19732. token stored in the named Secret resource to the Vault server.
  19733. properties:
  19734. mountPath:
  19735. default: kubernetes
  19736. description: |-
  19737. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  19738. "kubernetes"
  19739. type: string
  19740. role:
  19741. description: |-
  19742. A required field containing the Vault Role to assume. A Role binds a
  19743. Kubernetes ServiceAccount with a set of Vault policies.
  19744. type: string
  19745. secretRef:
  19746. description: |-
  19747. Optional secret field containing a Kubernetes ServiceAccount JWT used
  19748. for authenticating with Vault. If a name is specified without a key,
  19749. `token` is the default. If one is not specified, the one bound to
  19750. the controller will be used.
  19751. properties:
  19752. key:
  19753. description: |-
  19754. A key in the referenced Secret.
  19755. Some instances of this field may be defaulted, in others it may be required.
  19756. maxLength: 253
  19757. minLength: 1
  19758. pattern: ^[-._a-zA-Z0-9]+$
  19759. type: string
  19760. name:
  19761. description: The name of the Secret resource being referred to.
  19762. maxLength: 253
  19763. minLength: 1
  19764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19765. type: string
  19766. namespace:
  19767. description: |-
  19768. The namespace of the Secret resource being referred to.
  19769. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19770. maxLength: 63
  19771. minLength: 1
  19772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19773. type: string
  19774. type: object
  19775. serviceAccountRef:
  19776. description: |-
  19777. Optional service account field containing the name of a kubernetes ServiceAccount.
  19778. If the service account is specified, the service account secret token JWT will be used
  19779. for authenticating with Vault. If the service account selector is not supplied,
  19780. the secretRef will be used instead.
  19781. properties:
  19782. audiences:
  19783. description: |-
  19784. Audience specifies the `aud` claim for the service account token
  19785. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19786. then this audiences will be appended to the list
  19787. items:
  19788. type: string
  19789. type: array
  19790. name:
  19791. description: The name of the ServiceAccount resource being referred to.
  19792. maxLength: 253
  19793. minLength: 1
  19794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19795. type: string
  19796. namespace:
  19797. description: |-
  19798. Namespace of the resource being referred to.
  19799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19800. maxLength: 63
  19801. minLength: 1
  19802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19803. type: string
  19804. required:
  19805. - name
  19806. type: object
  19807. required:
  19808. - mountPath
  19809. - role
  19810. type: object
  19811. ldap:
  19812. description: |-
  19813. Ldap authenticates with Vault by passing username/password pair using
  19814. the LDAP authentication method
  19815. properties:
  19816. path:
  19817. default: ldap
  19818. description: |-
  19819. Path where the LDAP authentication backend is mounted
  19820. in Vault, e.g: "ldap"
  19821. type: string
  19822. secretRef:
  19823. description: |-
  19824. SecretRef to a key in a Secret resource containing password for the LDAP
  19825. user used to authenticate with Vault using the LDAP authentication
  19826. method
  19827. properties:
  19828. key:
  19829. description: |-
  19830. A key in the referenced Secret.
  19831. Some instances of this field may be defaulted, in others it may be required.
  19832. maxLength: 253
  19833. minLength: 1
  19834. pattern: ^[-._a-zA-Z0-9]+$
  19835. type: string
  19836. name:
  19837. description: The name of the Secret resource being referred to.
  19838. maxLength: 253
  19839. minLength: 1
  19840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19841. type: string
  19842. namespace:
  19843. description: |-
  19844. The namespace of the Secret resource being referred to.
  19845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19846. maxLength: 63
  19847. minLength: 1
  19848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19849. type: string
  19850. type: object
  19851. username:
  19852. description: |-
  19853. Username is an LDAP username used to authenticate using the LDAP Vault
  19854. authentication method
  19855. type: string
  19856. required:
  19857. - path
  19858. - username
  19859. type: object
  19860. namespace:
  19861. description: |-
  19862. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  19863. Namespaces is a set of features within Vault Enterprise that allows
  19864. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  19865. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  19866. This will default to Vault.Namespace field if set, or empty otherwise
  19867. type: string
  19868. tokenSecretRef:
  19869. description: TokenSecretRef authenticates with Vault by presenting a token.
  19870. properties:
  19871. key:
  19872. description: |-
  19873. A key in the referenced Secret.
  19874. Some instances of this field may be defaulted, in others it may be required.
  19875. maxLength: 253
  19876. minLength: 1
  19877. pattern: ^[-._a-zA-Z0-9]+$
  19878. type: string
  19879. name:
  19880. description: The name of the Secret resource being referred to.
  19881. maxLength: 253
  19882. minLength: 1
  19883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19884. type: string
  19885. namespace:
  19886. description: |-
  19887. The namespace of the Secret resource being referred to.
  19888. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19889. maxLength: 63
  19890. minLength: 1
  19891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19892. type: string
  19893. type: object
  19894. userPass:
  19895. description: UserPass authenticates with Vault by passing username/password pair
  19896. properties:
  19897. path:
  19898. default: userpass
  19899. description: |-
  19900. Path where the UserPassword authentication backend is mounted
  19901. in Vault, e.g: "userpass"
  19902. type: string
  19903. secretRef:
  19904. description: |-
  19905. SecretRef to a key in a Secret resource containing password for the
  19906. user used to authenticate with Vault using the UserPass authentication
  19907. method
  19908. properties:
  19909. key:
  19910. description: |-
  19911. A key in the referenced Secret.
  19912. Some instances of this field may be defaulted, in others it may be required.
  19913. maxLength: 253
  19914. minLength: 1
  19915. pattern: ^[-._a-zA-Z0-9]+$
  19916. type: string
  19917. name:
  19918. description: The name of the Secret resource being referred to.
  19919. maxLength: 253
  19920. minLength: 1
  19921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19922. type: string
  19923. namespace:
  19924. description: |-
  19925. The namespace of the Secret resource being referred to.
  19926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19927. maxLength: 63
  19928. minLength: 1
  19929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19930. type: string
  19931. type: object
  19932. username:
  19933. description: |-
  19934. Username is a username used to authenticate using the UserPass Vault
  19935. authentication method
  19936. type: string
  19937. required:
  19938. - path
  19939. - username
  19940. type: object
  19941. type: object
  19942. caBundle:
  19943. description: |-
  19944. PEM encoded CA bundle used to validate Vault server certificate. Only used
  19945. if the Server URL is using HTTPS protocol. This parameter is ignored for
  19946. plain HTTP protocol connection. If not set the system root certificates
  19947. are used to validate the TLS connection.
  19948. format: byte
  19949. type: string
  19950. caProvider:
  19951. description: The provider for the CA bundle to use to validate Vault server certificate.
  19952. properties:
  19953. key:
  19954. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19955. maxLength: 253
  19956. minLength: 1
  19957. pattern: ^[-._a-zA-Z0-9]+$
  19958. type: string
  19959. name:
  19960. description: The name of the object located at the provider type.
  19961. maxLength: 253
  19962. minLength: 1
  19963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19964. type: string
  19965. namespace:
  19966. description: |-
  19967. The namespace the Provider type is in.
  19968. Can only be defined when used in a ClusterSecretStore.
  19969. maxLength: 63
  19970. minLength: 1
  19971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19972. type: string
  19973. type:
  19974. description: The type of provider to use such as "Secret", or "ConfigMap".
  19975. enum:
  19976. - Secret
  19977. - ConfigMap
  19978. type: string
  19979. required:
  19980. - name
  19981. - type
  19982. type: object
  19983. checkAndSet:
  19984. description: |-
  19985. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  19986. Only applies to Vault KV v2 stores. When enabled, write operations must include
  19987. the current version of the secret to prevent unintentional overwrites.
  19988. properties:
  19989. required:
  19990. description: |-
  19991. Required when true, all write operations must include a check-and-set parameter.
  19992. This helps prevent unintentional overwrites of secrets.
  19993. type: boolean
  19994. type: object
  19995. forwardInconsistent:
  19996. description: |-
  19997. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  19998. leader instead of simply retrying within a loop. This can increase performance if
  19999. the option is enabled serverside.
  20000. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20001. type: boolean
  20002. headers:
  20003. additionalProperties:
  20004. type: string
  20005. description: Headers to be added in Vault request
  20006. type: object
  20007. namespace:
  20008. description: |-
  20009. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20010. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20011. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20012. type: string
  20013. path:
  20014. description: |-
  20015. Path is the mount path of the Vault KV backend endpoint, e.g:
  20016. "secret". The v2 KV secret engine version specific "/data" path suffix
  20017. for fetching secrets from Vault is optional and will be appended
  20018. if not present in specified path.
  20019. type: string
  20020. readYourWrites:
  20021. description: |-
  20022. ReadYourWrites ensures isolated read-after-write semantics by
  20023. providing discovered cluster replication states in each request.
  20024. More information about eventual consistency in Vault can be found here
  20025. https://www.vaultproject.io/docs/enterprise/consistency
  20026. type: boolean
  20027. server:
  20028. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20029. type: string
  20030. tls:
  20031. description: |-
  20032. The configuration used for client side related TLS communication, when the Vault server
  20033. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20034. This parameter is ignored for plain HTTP protocol connection.
  20035. It's worth noting this configuration is different from the "TLS certificates auth method",
  20036. which is available under the `auth.cert` section.
  20037. properties:
  20038. certSecretRef:
  20039. description: |-
  20040. CertSecretRef is a certificate added to the transport layer
  20041. when communicating with the Vault server.
  20042. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20043. properties:
  20044. key:
  20045. description: |-
  20046. A key in the referenced Secret.
  20047. Some instances of this field may be defaulted, in others it may be required.
  20048. maxLength: 253
  20049. minLength: 1
  20050. pattern: ^[-._a-zA-Z0-9]+$
  20051. type: string
  20052. name:
  20053. description: The name of the Secret resource being referred to.
  20054. maxLength: 253
  20055. minLength: 1
  20056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20057. type: string
  20058. namespace:
  20059. description: |-
  20060. The namespace of the Secret resource being referred to.
  20061. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20062. maxLength: 63
  20063. minLength: 1
  20064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20065. type: string
  20066. type: object
  20067. keySecretRef:
  20068. description: |-
  20069. KeySecretRef to a key in a Secret resource containing client private key
  20070. added to the transport layer when communicating with the Vault server.
  20071. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20072. properties:
  20073. key:
  20074. description: |-
  20075. A key in the referenced Secret.
  20076. Some instances of this field may be defaulted, in others it may be required.
  20077. maxLength: 253
  20078. minLength: 1
  20079. pattern: ^[-._a-zA-Z0-9]+$
  20080. type: string
  20081. name:
  20082. description: The name of the Secret resource being referred to.
  20083. maxLength: 253
  20084. minLength: 1
  20085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20086. type: string
  20087. namespace:
  20088. description: |-
  20089. The namespace of the Secret resource being referred to.
  20090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20091. maxLength: 63
  20092. minLength: 1
  20093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20094. type: string
  20095. type: object
  20096. type: object
  20097. version:
  20098. default: v2
  20099. description: |-
  20100. Version is the Vault KV secret engine version. This can be either "v1" or
  20101. "v2". Version defaults to "v2".
  20102. enum:
  20103. - v1
  20104. - v2
  20105. type: string
  20106. required:
  20107. - server
  20108. type: object
  20109. volcengine:
  20110. description: Volcengine configures this store to sync secrets using the Volcengine provider
  20111. properties:
  20112. auth:
  20113. description: |-
  20114. Auth defines the authentication method to use.
  20115. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  20116. properties:
  20117. secretRef:
  20118. description: |-
  20119. SecretRef defines the static credentials to use for authentication.
  20120. If not set, IRSA is used.
  20121. properties:
  20122. accessKeyID:
  20123. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  20124. properties:
  20125. key:
  20126. description: |-
  20127. A key in the referenced Secret.
  20128. Some instances of this field may be defaulted, in others it may be required.
  20129. maxLength: 253
  20130. minLength: 1
  20131. pattern: ^[-._a-zA-Z0-9]+$
  20132. type: string
  20133. name:
  20134. description: The name of the Secret resource being referred to.
  20135. maxLength: 253
  20136. minLength: 1
  20137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20138. type: string
  20139. namespace:
  20140. description: |-
  20141. The namespace of the Secret resource being referred to.
  20142. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20143. maxLength: 63
  20144. minLength: 1
  20145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20146. type: string
  20147. type: object
  20148. secretAccessKey:
  20149. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  20150. properties:
  20151. key:
  20152. description: |-
  20153. A key in the referenced Secret.
  20154. Some instances of this field may be defaulted, in others it may be required.
  20155. maxLength: 253
  20156. minLength: 1
  20157. pattern: ^[-._a-zA-Z0-9]+$
  20158. type: string
  20159. name:
  20160. description: The name of the Secret resource being referred to.
  20161. maxLength: 253
  20162. minLength: 1
  20163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20164. type: string
  20165. namespace:
  20166. description: |-
  20167. The namespace of the Secret resource being referred to.
  20168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20169. maxLength: 63
  20170. minLength: 1
  20171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20172. type: string
  20173. type: object
  20174. token:
  20175. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  20176. properties:
  20177. key:
  20178. description: |-
  20179. A key in the referenced Secret.
  20180. Some instances of this field may be defaulted, in others it may be required.
  20181. maxLength: 253
  20182. minLength: 1
  20183. pattern: ^[-._a-zA-Z0-9]+$
  20184. type: string
  20185. name:
  20186. description: The name of the Secret resource being referred to.
  20187. maxLength: 253
  20188. minLength: 1
  20189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20190. type: string
  20191. namespace:
  20192. description: |-
  20193. The namespace of the Secret resource being referred to.
  20194. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20195. maxLength: 63
  20196. minLength: 1
  20197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20198. type: string
  20199. type: object
  20200. required:
  20201. - accessKeyID
  20202. - secretAccessKey
  20203. type: object
  20204. type: object
  20205. region:
  20206. description: Region specifies the Volcengine region to connect to.
  20207. type: string
  20208. required:
  20209. - region
  20210. type: object
  20211. webhook:
  20212. description: Webhook configures this store to sync secrets using a generic templated webhook
  20213. properties:
  20214. auth:
  20215. description: Auth specifies a authorization protocol. Only one protocol may be set.
  20216. maxProperties: 1
  20217. minProperties: 1
  20218. properties:
  20219. ntlm:
  20220. description: NTLMProtocol configures the store to use NTLM for auth
  20221. properties:
  20222. passwordSecret:
  20223. description: |-
  20224. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20225. In some instances, `key` is a required field.
  20226. properties:
  20227. key:
  20228. description: |-
  20229. A key in the referenced Secret.
  20230. Some instances of this field may be defaulted, in others it may be required.
  20231. maxLength: 253
  20232. minLength: 1
  20233. pattern: ^[-._a-zA-Z0-9]+$
  20234. type: string
  20235. name:
  20236. description: The name of the Secret resource being referred to.
  20237. maxLength: 253
  20238. minLength: 1
  20239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20240. type: string
  20241. namespace:
  20242. description: |-
  20243. The namespace of the Secret resource being referred to.
  20244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20245. maxLength: 63
  20246. minLength: 1
  20247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20248. type: string
  20249. type: object
  20250. usernameSecret:
  20251. description: |-
  20252. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20253. In some instances, `key` is a required field.
  20254. properties:
  20255. key:
  20256. description: |-
  20257. A key in the referenced Secret.
  20258. Some instances of this field may be defaulted, in others it may be required.
  20259. maxLength: 253
  20260. minLength: 1
  20261. pattern: ^[-._a-zA-Z0-9]+$
  20262. type: string
  20263. name:
  20264. description: The name of the Secret resource being referred to.
  20265. maxLength: 253
  20266. minLength: 1
  20267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20268. type: string
  20269. namespace:
  20270. description: |-
  20271. The namespace of the Secret resource being referred to.
  20272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20273. maxLength: 63
  20274. minLength: 1
  20275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20276. type: string
  20277. type: object
  20278. required:
  20279. - passwordSecret
  20280. - usernameSecret
  20281. type: object
  20282. type: object
  20283. body:
  20284. description: Body
  20285. type: string
  20286. caBundle:
  20287. description: |-
  20288. PEM encoded CA bundle used to validate webhook server certificate. Only used
  20289. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20290. plain HTTP protocol connection. If not set the system root certificates
  20291. are used to validate the TLS connection.
  20292. format: byte
  20293. type: string
  20294. caProvider:
  20295. description: The provider for the CA bundle to use to validate webhook server certificate.
  20296. properties:
  20297. key:
  20298. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20299. maxLength: 253
  20300. minLength: 1
  20301. pattern: ^[-._a-zA-Z0-9]+$
  20302. type: string
  20303. name:
  20304. description: The name of the object located at the provider type.
  20305. maxLength: 253
  20306. minLength: 1
  20307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20308. type: string
  20309. namespace:
  20310. description: The namespace the Provider type is in.
  20311. maxLength: 63
  20312. minLength: 1
  20313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20314. type: string
  20315. type:
  20316. description: The type of provider to use such as "Secret", or "ConfigMap".
  20317. enum:
  20318. - Secret
  20319. - ConfigMap
  20320. type: string
  20321. required:
  20322. - name
  20323. - type
  20324. type: object
  20325. headers:
  20326. additionalProperties:
  20327. type: string
  20328. description: Headers
  20329. type: object
  20330. method:
  20331. description: Webhook Method
  20332. type: string
  20333. result:
  20334. description: Result formatting
  20335. properties:
  20336. jsonPath:
  20337. description: Json path of return value
  20338. type: string
  20339. type: object
  20340. secrets:
  20341. description: |-
  20342. Secrets to fill in templates
  20343. These secrets will be passed to the templating function as key value pairs under the given name
  20344. items:
  20345. description: WebhookSecret defines a secret that will be passed to the webhook request.
  20346. properties:
  20347. name:
  20348. description: Name of this secret in templates
  20349. type: string
  20350. secretRef:
  20351. description: Secret ref to fill in credentials
  20352. properties:
  20353. key:
  20354. description: |-
  20355. A key in the referenced Secret.
  20356. Some instances of this field may be defaulted, in others it may be required.
  20357. maxLength: 253
  20358. minLength: 1
  20359. pattern: ^[-._a-zA-Z0-9]+$
  20360. type: string
  20361. name:
  20362. description: The name of the Secret resource being referred to.
  20363. maxLength: 253
  20364. minLength: 1
  20365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20366. type: string
  20367. namespace:
  20368. description: |-
  20369. The namespace of the Secret resource being referred to.
  20370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20371. maxLength: 63
  20372. minLength: 1
  20373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20374. type: string
  20375. type: object
  20376. required:
  20377. - name
  20378. - secretRef
  20379. type: object
  20380. type: array
  20381. timeout:
  20382. description: Timeout
  20383. type: string
  20384. url:
  20385. description: Webhook url to call
  20386. type: string
  20387. required:
  20388. - url
  20389. type: object
  20390. yandexcertificatemanager:
  20391. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  20392. properties:
  20393. apiEndpoint:
  20394. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20395. type: string
  20396. auth:
  20397. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20398. properties:
  20399. authorizedKeySecretRef:
  20400. description: The authorized key used for authentication
  20401. properties:
  20402. key:
  20403. description: |-
  20404. A key in the referenced Secret.
  20405. Some instances of this field may be defaulted, in others it may be required.
  20406. maxLength: 253
  20407. minLength: 1
  20408. pattern: ^[-._a-zA-Z0-9]+$
  20409. type: string
  20410. name:
  20411. description: The name of the Secret resource being referred to.
  20412. maxLength: 253
  20413. minLength: 1
  20414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20415. type: string
  20416. namespace:
  20417. description: |-
  20418. The namespace of the Secret resource being referred to.
  20419. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20420. maxLength: 63
  20421. minLength: 1
  20422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20423. type: string
  20424. type: object
  20425. type: object
  20426. caProvider:
  20427. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20428. properties:
  20429. certSecretRef:
  20430. description: |-
  20431. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20432. In some instances, `key` is a required field.
  20433. properties:
  20434. key:
  20435. description: |-
  20436. A key in the referenced Secret.
  20437. Some instances of this field may be defaulted, in others it may be required.
  20438. maxLength: 253
  20439. minLength: 1
  20440. pattern: ^[-._a-zA-Z0-9]+$
  20441. type: string
  20442. name:
  20443. description: The name of the Secret resource being referred to.
  20444. maxLength: 253
  20445. minLength: 1
  20446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20447. type: string
  20448. namespace:
  20449. description: |-
  20450. The namespace of the Secret resource being referred to.
  20451. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20452. maxLength: 63
  20453. minLength: 1
  20454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20455. type: string
  20456. type: object
  20457. type: object
  20458. fetching:
  20459. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  20460. maxProperties: 1
  20461. minProperties: 1
  20462. properties:
  20463. byID:
  20464. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  20465. type: object
  20466. byName:
  20467. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  20468. properties:
  20469. folderID:
  20470. description: The folder to fetch secrets from
  20471. type: string
  20472. required:
  20473. - folderID
  20474. type: object
  20475. type: object
  20476. required:
  20477. - auth
  20478. type: object
  20479. yandexlockbox:
  20480. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  20481. properties:
  20482. apiEndpoint:
  20483. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20484. type: string
  20485. auth:
  20486. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20487. properties:
  20488. authorizedKeySecretRef:
  20489. description: The authorized key used for authentication
  20490. properties:
  20491. key:
  20492. description: |-
  20493. A key in the referenced Secret.
  20494. Some instances of this field may be defaulted, in others it may be required.
  20495. maxLength: 253
  20496. minLength: 1
  20497. pattern: ^[-._a-zA-Z0-9]+$
  20498. type: string
  20499. name:
  20500. description: The name of the Secret resource being referred to.
  20501. maxLength: 253
  20502. minLength: 1
  20503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20504. type: string
  20505. namespace:
  20506. description: |-
  20507. The namespace of the Secret resource being referred to.
  20508. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20509. maxLength: 63
  20510. minLength: 1
  20511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20512. type: string
  20513. type: object
  20514. type: object
  20515. caProvider:
  20516. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20517. properties:
  20518. certSecretRef:
  20519. description: |-
  20520. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20521. In some instances, `key` is a required field.
  20522. properties:
  20523. key:
  20524. description: |-
  20525. A key in the referenced Secret.
  20526. Some instances of this field may be defaulted, in others it may be required.
  20527. maxLength: 253
  20528. minLength: 1
  20529. pattern: ^[-._a-zA-Z0-9]+$
  20530. type: string
  20531. name:
  20532. description: The name of the Secret resource being referred to.
  20533. maxLength: 253
  20534. minLength: 1
  20535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20536. type: string
  20537. namespace:
  20538. description: |-
  20539. The namespace of the Secret resource being referred to.
  20540. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20541. maxLength: 63
  20542. minLength: 1
  20543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20544. type: string
  20545. type: object
  20546. type: object
  20547. fetching:
  20548. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  20549. maxProperties: 1
  20550. minProperties: 1
  20551. properties:
  20552. byID:
  20553. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  20554. type: object
  20555. byName:
  20556. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  20557. properties:
  20558. folderID:
  20559. description: The folder to fetch secrets from
  20560. type: string
  20561. required:
  20562. - folderID
  20563. type: object
  20564. type: object
  20565. required:
  20566. - auth
  20567. type: object
  20568. type: object
  20569. refreshInterval:
  20570. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  20571. type: integer
  20572. retrySettings:
  20573. description: Used to configure HTTP retries on failures.
  20574. properties:
  20575. maxRetries:
  20576. format: int32
  20577. type: integer
  20578. retryInterval:
  20579. type: string
  20580. type: object
  20581. required:
  20582. - provider
  20583. type: object
  20584. status:
  20585. description: SecretStoreStatus defines the observed state of the SecretStore.
  20586. properties:
  20587. capabilities:
  20588. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  20589. type: string
  20590. conditions:
  20591. items:
  20592. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  20593. properties:
  20594. lastTransitionTime:
  20595. format: date-time
  20596. type: string
  20597. message:
  20598. type: string
  20599. reason:
  20600. type: string
  20601. status:
  20602. type: string
  20603. type:
  20604. description: SecretStoreConditionType represents the condition of the SecretStore.
  20605. type: string
  20606. required:
  20607. - status
  20608. - type
  20609. type: object
  20610. type: array
  20611. type: object
  20612. type: object
  20613. served: true
  20614. storage: true
  20615. subresources:
  20616. status: {}
  20617. - additionalPrinterColumns:
  20618. - jsonPath: .metadata.creationTimestamp
  20619. name: AGE
  20620. type: date
  20621. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  20622. name: Status
  20623. type: string
  20624. - jsonPath: .status.capabilities
  20625. name: Capabilities
  20626. type: string
  20627. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  20628. name: Ready
  20629. type: string
  20630. deprecated: true
  20631. name: v1beta1
  20632. schema:
  20633. openAPIV3Schema:
  20634. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  20635. properties:
  20636. apiVersion:
  20637. description: |-
  20638. APIVersion defines the versioned schema of this representation of an object.
  20639. Servers should convert recognized schemas to the latest internal value, and
  20640. may reject unrecognized values.
  20641. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20642. type: string
  20643. kind:
  20644. description: |-
  20645. Kind is a string value representing the REST resource this object represents.
  20646. Servers may infer this from the endpoint the client submits requests to.
  20647. Cannot be updated.
  20648. In CamelCase.
  20649. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  20650. type: string
  20651. metadata:
  20652. type: object
  20653. spec:
  20654. description: SecretStoreSpec defines the desired state of SecretStore.
  20655. properties:
  20656. conditions:
  20657. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  20658. items:
  20659. description: |-
  20660. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  20661. for a ClusterSecretStore instance.
  20662. properties:
  20663. namespaceRegexes:
  20664. description: Choose namespaces by using regex matching
  20665. items:
  20666. type: string
  20667. type: array
  20668. namespaceSelector:
  20669. description: Choose namespace using a labelSelector
  20670. properties:
  20671. matchExpressions:
  20672. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  20673. items:
  20674. description: |-
  20675. A label selector requirement is a selector that contains values, a key, and an operator that
  20676. relates the key and values.
  20677. properties:
  20678. key:
  20679. description: key is the label key that the selector applies to.
  20680. type: string
  20681. operator:
  20682. description: |-
  20683. operator represents a key's relationship to a set of values.
  20684. Valid operators are In, NotIn, Exists and DoesNotExist.
  20685. type: string
  20686. values:
  20687. description: |-
  20688. values is an array of string values. If the operator is In or NotIn,
  20689. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  20690. the values array must be empty. This array is replaced during a strategic
  20691. merge patch.
  20692. items:
  20693. type: string
  20694. type: array
  20695. x-kubernetes-list-type: atomic
  20696. required:
  20697. - key
  20698. - operator
  20699. type: object
  20700. type: array
  20701. x-kubernetes-list-type: atomic
  20702. matchLabels:
  20703. additionalProperties:
  20704. type: string
  20705. description: |-
  20706. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  20707. map is equivalent to an element of matchExpressions, whose key field is "key", the
  20708. operator is "In", and the values array contains only "value". The requirements are ANDed.
  20709. type: object
  20710. type: object
  20711. x-kubernetes-map-type: atomic
  20712. namespaces:
  20713. description: Choose namespaces by name
  20714. items:
  20715. maxLength: 63
  20716. minLength: 1
  20717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20718. type: string
  20719. type: array
  20720. type: object
  20721. type: array
  20722. controller:
  20723. description: |-
  20724. Used to select the correct ESO controller (think: ingress.ingressClassName)
  20725. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  20726. type: string
  20727. provider:
  20728. description: Used to configure the provider. Only one provider may be set
  20729. maxProperties: 1
  20730. minProperties: 1
  20731. properties:
  20732. akeyless:
  20733. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  20734. properties:
  20735. akeylessGWApiURL:
  20736. description: Akeyless GW API Url from which the secrets to be fetched from.
  20737. type: string
  20738. authSecretRef:
  20739. description: Auth configures how the operator authenticates with Akeyless.
  20740. properties:
  20741. kubernetesAuth:
  20742. description: |-
  20743. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  20744. token stored in the named Secret resource.
  20745. properties:
  20746. accessID:
  20747. description: the Akeyless Kubernetes auth-method access-id
  20748. type: string
  20749. k8sConfName:
  20750. description: Kubernetes-auth configuration name in Akeyless-Gateway
  20751. type: string
  20752. secretRef:
  20753. description: |-
  20754. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20755. for authenticating with Akeyless. If a name is specified without a key,
  20756. `token` is the default. If one is not specified, the one bound to
  20757. the controller will be used.
  20758. properties:
  20759. key:
  20760. description: |-
  20761. A key in the referenced Secret.
  20762. Some instances of this field may be defaulted, in others it may be required.
  20763. maxLength: 253
  20764. minLength: 1
  20765. pattern: ^[-._a-zA-Z0-9]+$
  20766. type: string
  20767. name:
  20768. description: The name of the Secret resource being referred to.
  20769. maxLength: 253
  20770. minLength: 1
  20771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20772. type: string
  20773. namespace:
  20774. description: |-
  20775. The namespace of the Secret resource being referred to.
  20776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20777. maxLength: 63
  20778. minLength: 1
  20779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20780. type: string
  20781. type: object
  20782. serviceAccountRef:
  20783. description: |-
  20784. Optional service account field containing the name of a kubernetes ServiceAccount.
  20785. If the service account is specified, the service account secret token JWT will be used
  20786. for authenticating with Akeyless. If the service account selector is not supplied,
  20787. the secretRef will be used instead.
  20788. properties:
  20789. audiences:
  20790. description: |-
  20791. Audience specifies the `aud` claim for the service account token
  20792. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20793. then this audiences will be appended to the list
  20794. items:
  20795. type: string
  20796. type: array
  20797. name:
  20798. description: The name of the ServiceAccount resource being referred to.
  20799. maxLength: 253
  20800. minLength: 1
  20801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20802. type: string
  20803. namespace:
  20804. description: |-
  20805. Namespace of the resource being referred to.
  20806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20807. maxLength: 63
  20808. minLength: 1
  20809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20810. type: string
  20811. required:
  20812. - name
  20813. type: object
  20814. required:
  20815. - accessID
  20816. - k8sConfName
  20817. type: object
  20818. secretRef:
  20819. description: |-
  20820. Reference to a Secret that contains the details
  20821. to authenticate with Akeyless.
  20822. properties:
  20823. accessID:
  20824. description: The SecretAccessID is used for authentication
  20825. properties:
  20826. key:
  20827. description: |-
  20828. A key in the referenced Secret.
  20829. Some instances of this field may be defaulted, in others it may be required.
  20830. maxLength: 253
  20831. minLength: 1
  20832. pattern: ^[-._a-zA-Z0-9]+$
  20833. type: string
  20834. name:
  20835. description: The name of the Secret resource being referred to.
  20836. maxLength: 253
  20837. minLength: 1
  20838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20839. type: string
  20840. namespace:
  20841. description: |-
  20842. The namespace of the Secret resource being referred to.
  20843. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20844. maxLength: 63
  20845. minLength: 1
  20846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20847. type: string
  20848. type: object
  20849. accessType:
  20850. description: |-
  20851. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20852. In some instances, `key` is a required field.
  20853. properties:
  20854. key:
  20855. description: |-
  20856. A key in the referenced Secret.
  20857. Some instances of this field may be defaulted, in others it may be required.
  20858. maxLength: 253
  20859. minLength: 1
  20860. pattern: ^[-._a-zA-Z0-9]+$
  20861. type: string
  20862. name:
  20863. description: The name of the Secret resource being referred to.
  20864. maxLength: 253
  20865. minLength: 1
  20866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20867. type: string
  20868. namespace:
  20869. description: |-
  20870. The namespace of the Secret resource being referred to.
  20871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20872. maxLength: 63
  20873. minLength: 1
  20874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20875. type: string
  20876. type: object
  20877. accessTypeParam:
  20878. description: |-
  20879. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20880. In some instances, `key` is a required field.
  20881. properties:
  20882. key:
  20883. description: |-
  20884. A key in the referenced Secret.
  20885. Some instances of this field may be defaulted, in others it may be required.
  20886. maxLength: 253
  20887. minLength: 1
  20888. pattern: ^[-._a-zA-Z0-9]+$
  20889. type: string
  20890. name:
  20891. description: The name of the Secret resource being referred to.
  20892. maxLength: 253
  20893. minLength: 1
  20894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20895. type: string
  20896. namespace:
  20897. description: |-
  20898. The namespace of the Secret resource being referred to.
  20899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20900. maxLength: 63
  20901. minLength: 1
  20902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20903. type: string
  20904. type: object
  20905. type: object
  20906. type: object
  20907. caBundle:
  20908. description: |-
  20909. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  20910. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  20911. are used to validate the TLS connection.
  20912. format: byte
  20913. type: string
  20914. caProvider:
  20915. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  20916. properties:
  20917. key:
  20918. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20919. maxLength: 253
  20920. minLength: 1
  20921. pattern: ^[-._a-zA-Z0-9]+$
  20922. type: string
  20923. name:
  20924. description: The name of the object located at the provider type.
  20925. maxLength: 253
  20926. minLength: 1
  20927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20928. type: string
  20929. namespace:
  20930. description: |-
  20931. The namespace the Provider type is in.
  20932. Can only be defined when used in a ClusterSecretStore.
  20933. maxLength: 63
  20934. minLength: 1
  20935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20936. type: string
  20937. type:
  20938. description: The type of provider to use such as "Secret", or "ConfigMap".
  20939. enum:
  20940. - Secret
  20941. - ConfigMap
  20942. type: string
  20943. required:
  20944. - name
  20945. - type
  20946. type: object
  20947. required:
  20948. - akeylessGWApiURL
  20949. - authSecretRef
  20950. type: object
  20951. alibaba:
  20952. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  20953. properties:
  20954. auth:
  20955. description: AlibabaAuth contains a secretRef for credentials.
  20956. properties:
  20957. rrsa:
  20958. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  20959. properties:
  20960. oidcProviderArn:
  20961. type: string
  20962. oidcTokenFilePath:
  20963. type: string
  20964. roleArn:
  20965. type: string
  20966. sessionName:
  20967. type: string
  20968. required:
  20969. - oidcProviderArn
  20970. - oidcTokenFilePath
  20971. - roleArn
  20972. - sessionName
  20973. type: object
  20974. secretRef:
  20975. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  20976. properties:
  20977. accessKeyIDSecretRef:
  20978. description: The AccessKeyID is used for authentication
  20979. properties:
  20980. key:
  20981. description: |-
  20982. A key in the referenced Secret.
  20983. Some instances of this field may be defaulted, in others it may be required.
  20984. maxLength: 253
  20985. minLength: 1
  20986. pattern: ^[-._a-zA-Z0-9]+$
  20987. type: string
  20988. name:
  20989. description: The name of the Secret resource being referred to.
  20990. maxLength: 253
  20991. minLength: 1
  20992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20993. type: string
  20994. namespace:
  20995. description: |-
  20996. The namespace of the Secret resource being referred to.
  20997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20998. maxLength: 63
  20999. minLength: 1
  21000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21001. type: string
  21002. type: object
  21003. accessKeySecretSecretRef:
  21004. description: The AccessKeySecret is used for authentication
  21005. properties:
  21006. key:
  21007. description: |-
  21008. A key in the referenced Secret.
  21009. Some instances of this field may be defaulted, in others it may be required.
  21010. maxLength: 253
  21011. minLength: 1
  21012. pattern: ^[-._a-zA-Z0-9]+$
  21013. type: string
  21014. name:
  21015. description: The name of the Secret resource being referred to.
  21016. maxLength: 253
  21017. minLength: 1
  21018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21019. type: string
  21020. namespace:
  21021. description: |-
  21022. The namespace of the Secret resource being referred to.
  21023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21024. maxLength: 63
  21025. minLength: 1
  21026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21027. type: string
  21028. type: object
  21029. required:
  21030. - accessKeyIDSecretRef
  21031. - accessKeySecretSecretRef
  21032. type: object
  21033. type: object
  21034. regionID:
  21035. description: Alibaba Region to be used for the provider
  21036. type: string
  21037. required:
  21038. - auth
  21039. - regionID
  21040. type: object
  21041. aws:
  21042. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21043. properties:
  21044. additionalRoles:
  21045. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21046. items:
  21047. type: string
  21048. type: array
  21049. auth:
  21050. description: |-
  21051. Auth defines the information necessary to authenticate against AWS
  21052. if not set aws sdk will infer credentials from your environment
  21053. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21054. properties:
  21055. jwt:
  21056. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21057. properties:
  21058. serviceAccountRef:
  21059. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21060. properties:
  21061. audiences:
  21062. description: |-
  21063. Audience specifies the `aud` claim for the service account token
  21064. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21065. then this audiences will be appended to the list
  21066. items:
  21067. type: string
  21068. type: array
  21069. name:
  21070. description: The name of the ServiceAccount resource being referred to.
  21071. maxLength: 253
  21072. minLength: 1
  21073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21074. type: string
  21075. namespace:
  21076. description: |-
  21077. Namespace of the resource being referred to.
  21078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21079. maxLength: 63
  21080. minLength: 1
  21081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21082. type: string
  21083. required:
  21084. - name
  21085. type: object
  21086. type: object
  21087. secretRef:
  21088. description: |-
  21089. AWSAuthSecretRef holds secret references for AWS credentials
  21090. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21091. properties:
  21092. accessKeyIDSecretRef:
  21093. description: The AccessKeyID is used for authentication
  21094. properties:
  21095. key:
  21096. description: |-
  21097. A key in the referenced Secret.
  21098. Some instances of this field may be defaulted, in others it may be required.
  21099. maxLength: 253
  21100. minLength: 1
  21101. pattern: ^[-._a-zA-Z0-9]+$
  21102. type: string
  21103. name:
  21104. description: The name of the Secret resource being referred to.
  21105. maxLength: 253
  21106. minLength: 1
  21107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21108. type: string
  21109. namespace:
  21110. description: |-
  21111. The namespace of the Secret resource being referred to.
  21112. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21113. maxLength: 63
  21114. minLength: 1
  21115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21116. type: string
  21117. type: object
  21118. secretAccessKeySecretRef:
  21119. description: The SecretAccessKey is used for authentication
  21120. properties:
  21121. key:
  21122. description: |-
  21123. A key in the referenced Secret.
  21124. Some instances of this field may be defaulted, in others it may be required.
  21125. maxLength: 253
  21126. minLength: 1
  21127. pattern: ^[-._a-zA-Z0-9]+$
  21128. type: string
  21129. name:
  21130. description: The name of the Secret resource being referred to.
  21131. maxLength: 253
  21132. minLength: 1
  21133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21134. type: string
  21135. namespace:
  21136. description: |-
  21137. The namespace of the Secret resource being referred to.
  21138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21139. maxLength: 63
  21140. minLength: 1
  21141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21142. type: string
  21143. type: object
  21144. sessionTokenSecretRef:
  21145. description: |-
  21146. The SessionToken used for authentication
  21147. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  21148. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21149. properties:
  21150. key:
  21151. description: |-
  21152. A key in the referenced Secret.
  21153. Some instances of this field may be defaulted, in others it may be required.
  21154. maxLength: 253
  21155. minLength: 1
  21156. pattern: ^[-._a-zA-Z0-9]+$
  21157. type: string
  21158. name:
  21159. description: The name of the Secret resource being referred to.
  21160. maxLength: 253
  21161. minLength: 1
  21162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21163. type: string
  21164. namespace:
  21165. description: |-
  21166. The namespace of the Secret resource being referred to.
  21167. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21168. maxLength: 63
  21169. minLength: 1
  21170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21171. type: string
  21172. type: object
  21173. type: object
  21174. type: object
  21175. externalID:
  21176. description: AWS External ID set on assumed IAM roles
  21177. type: string
  21178. prefix:
  21179. description: Prefix adds a prefix to all retrieved values.
  21180. type: string
  21181. region:
  21182. description: AWS Region to be used for the provider
  21183. type: string
  21184. role:
  21185. description: Role is a Role ARN which the provider will assume
  21186. type: string
  21187. secretsManager:
  21188. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  21189. properties:
  21190. forceDeleteWithoutRecovery:
  21191. description: |-
  21192. Specifies whether to delete the secret without any recovery window. You
  21193. can't use both this parameter and RecoveryWindowInDays in the same call.
  21194. If you don't use either, then by default Secrets Manager uses a 30 day
  21195. recovery window.
  21196. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  21197. type: boolean
  21198. recoveryWindowInDays:
  21199. description: |-
  21200. The number of days from 7 to 30 that Secrets Manager waits before
  21201. permanently deleting the secret. You can't use both this parameter and
  21202. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  21203. then by default Secrets Manager uses a 30 day recovery window.
  21204. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  21205. format: int64
  21206. type: integer
  21207. type: object
  21208. service:
  21209. description: Service defines which service should be used to fetch the secrets
  21210. enum:
  21211. - SecretsManager
  21212. - ParameterStore
  21213. type: string
  21214. sessionTags:
  21215. description: AWS STS assume role session tags
  21216. items:
  21217. description: Tag defines a tag key and value for AWS resources.
  21218. properties:
  21219. key:
  21220. type: string
  21221. value:
  21222. type: string
  21223. required:
  21224. - key
  21225. - value
  21226. type: object
  21227. type: array
  21228. transitiveTagKeys:
  21229. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  21230. items:
  21231. type: string
  21232. type: array
  21233. required:
  21234. - region
  21235. - service
  21236. type: object
  21237. azurekv:
  21238. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  21239. properties:
  21240. authSecretRef:
  21241. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21242. properties:
  21243. clientCertificate:
  21244. description: The Azure ClientCertificate of the service principle used for authentication.
  21245. properties:
  21246. key:
  21247. description: |-
  21248. A key in the referenced Secret.
  21249. Some instances of this field may be defaulted, in others it may be required.
  21250. maxLength: 253
  21251. minLength: 1
  21252. pattern: ^[-._a-zA-Z0-9]+$
  21253. type: string
  21254. name:
  21255. description: The name of the Secret resource being referred to.
  21256. maxLength: 253
  21257. minLength: 1
  21258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21259. type: string
  21260. namespace:
  21261. description: |-
  21262. The namespace of the Secret resource being referred to.
  21263. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21264. maxLength: 63
  21265. minLength: 1
  21266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21267. type: string
  21268. type: object
  21269. clientId:
  21270. description: The Azure clientId of the service principle or managed identity used for authentication.
  21271. properties:
  21272. key:
  21273. description: |-
  21274. A key in the referenced Secret.
  21275. Some instances of this field may be defaulted, in others it may be required.
  21276. maxLength: 253
  21277. minLength: 1
  21278. pattern: ^[-._a-zA-Z0-9]+$
  21279. type: string
  21280. name:
  21281. description: The name of the Secret resource being referred to.
  21282. maxLength: 253
  21283. minLength: 1
  21284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21285. type: string
  21286. namespace:
  21287. description: |-
  21288. The namespace of the Secret resource being referred to.
  21289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21290. maxLength: 63
  21291. minLength: 1
  21292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21293. type: string
  21294. type: object
  21295. clientSecret:
  21296. description: The Azure ClientSecret of the service principle used for authentication.
  21297. properties:
  21298. key:
  21299. description: |-
  21300. A key in the referenced Secret.
  21301. Some instances of this field may be defaulted, in others it may be required.
  21302. maxLength: 253
  21303. minLength: 1
  21304. pattern: ^[-._a-zA-Z0-9]+$
  21305. type: string
  21306. name:
  21307. description: The name of the Secret resource being referred to.
  21308. maxLength: 253
  21309. minLength: 1
  21310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21311. type: string
  21312. namespace:
  21313. description: |-
  21314. The namespace of the Secret resource being referred to.
  21315. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21316. maxLength: 63
  21317. minLength: 1
  21318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21319. type: string
  21320. type: object
  21321. tenantId:
  21322. description: The Azure tenantId of the managed identity used for authentication.
  21323. properties:
  21324. key:
  21325. description: |-
  21326. A key in the referenced Secret.
  21327. Some instances of this field may be defaulted, in others it may be required.
  21328. maxLength: 253
  21329. minLength: 1
  21330. pattern: ^[-._a-zA-Z0-9]+$
  21331. type: string
  21332. name:
  21333. description: The name of the Secret resource being referred to.
  21334. maxLength: 253
  21335. minLength: 1
  21336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21337. type: string
  21338. namespace:
  21339. description: |-
  21340. The namespace of the Secret resource being referred to.
  21341. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21342. maxLength: 63
  21343. minLength: 1
  21344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21345. type: string
  21346. type: object
  21347. type: object
  21348. authType:
  21349. default: ServicePrincipal
  21350. description: |-
  21351. Auth type defines how to authenticate to the keyvault service.
  21352. Valid values are:
  21353. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  21354. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  21355. enum:
  21356. - ServicePrincipal
  21357. - ManagedIdentity
  21358. - WorkloadIdentity
  21359. type: string
  21360. environmentType:
  21361. default: PublicCloud
  21362. description: |-
  21363. EnvironmentType specifies the Azure cloud environment endpoints to use for
  21364. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  21365. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  21366. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  21367. enum:
  21368. - PublicCloud
  21369. - USGovernmentCloud
  21370. - ChinaCloud
  21371. - GermanCloud
  21372. type: string
  21373. identityId:
  21374. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  21375. type: string
  21376. serviceAccountRef:
  21377. description: |-
  21378. ServiceAccountRef specified the service account
  21379. that should be used when authenticating with WorkloadIdentity.
  21380. properties:
  21381. audiences:
  21382. description: |-
  21383. Audience specifies the `aud` claim for the service account token
  21384. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21385. then this audiences will be appended to the list
  21386. items:
  21387. type: string
  21388. type: array
  21389. name:
  21390. description: The name of the ServiceAccount resource being referred to.
  21391. maxLength: 253
  21392. minLength: 1
  21393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21394. type: string
  21395. namespace:
  21396. description: |-
  21397. Namespace of the resource being referred to.
  21398. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21399. maxLength: 63
  21400. minLength: 1
  21401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21402. type: string
  21403. required:
  21404. - name
  21405. type: object
  21406. tenantId:
  21407. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21408. type: string
  21409. vaultUrl:
  21410. description: Vault Url from which the secrets to be fetched from.
  21411. type: string
  21412. required:
  21413. - vaultUrl
  21414. type: object
  21415. beyondtrust:
  21416. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  21417. properties:
  21418. auth:
  21419. description: Auth configures how the operator authenticates with Beyondtrust.
  21420. properties:
  21421. apiKey:
  21422. description: APIKey If not provided then ClientID/ClientSecret become required.
  21423. properties:
  21424. secretRef:
  21425. description: SecretRef references a key in a secret that will be used as value.
  21426. properties:
  21427. key:
  21428. description: |-
  21429. A key in the referenced Secret.
  21430. Some instances of this field may be defaulted, in others it may be required.
  21431. maxLength: 253
  21432. minLength: 1
  21433. pattern: ^[-._a-zA-Z0-9]+$
  21434. type: string
  21435. name:
  21436. description: The name of the Secret resource being referred to.
  21437. maxLength: 253
  21438. minLength: 1
  21439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21440. type: string
  21441. namespace:
  21442. description: |-
  21443. The namespace of the Secret resource being referred to.
  21444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21445. maxLength: 63
  21446. minLength: 1
  21447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21448. type: string
  21449. type: object
  21450. value:
  21451. description: Value can be specified directly to set a value without using a secret.
  21452. type: string
  21453. type: object
  21454. certificate:
  21455. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  21456. properties:
  21457. secretRef:
  21458. description: SecretRef references a key in a secret that will be used as value.
  21459. properties:
  21460. key:
  21461. description: |-
  21462. A key in the referenced Secret.
  21463. Some instances of this field may be defaulted, in others it may be required.
  21464. maxLength: 253
  21465. minLength: 1
  21466. pattern: ^[-._a-zA-Z0-9]+$
  21467. type: string
  21468. name:
  21469. description: The name of the Secret resource being referred to.
  21470. maxLength: 253
  21471. minLength: 1
  21472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21473. type: string
  21474. namespace:
  21475. description: |-
  21476. The namespace of the Secret resource being referred to.
  21477. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21478. maxLength: 63
  21479. minLength: 1
  21480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21481. type: string
  21482. type: object
  21483. value:
  21484. description: Value can be specified directly to set a value without using a secret.
  21485. type: string
  21486. type: object
  21487. certificateKey:
  21488. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  21489. properties:
  21490. secretRef:
  21491. description: SecretRef references a key in a secret that will be used as value.
  21492. properties:
  21493. key:
  21494. description: |-
  21495. A key in the referenced Secret.
  21496. Some instances of this field may be defaulted, in others it may be required.
  21497. maxLength: 253
  21498. minLength: 1
  21499. pattern: ^[-._a-zA-Z0-9]+$
  21500. type: string
  21501. name:
  21502. description: The name of the Secret resource being referred to.
  21503. maxLength: 253
  21504. minLength: 1
  21505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21506. type: string
  21507. namespace:
  21508. description: |-
  21509. The namespace of the Secret resource being referred to.
  21510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21511. maxLength: 63
  21512. minLength: 1
  21513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21514. type: string
  21515. type: object
  21516. value:
  21517. description: Value can be specified directly to set a value without using a secret.
  21518. type: string
  21519. type: object
  21520. clientId:
  21521. description: ClientID is the API OAuth Client ID.
  21522. properties:
  21523. secretRef:
  21524. description: SecretRef references a key in a secret that will be used as value.
  21525. properties:
  21526. key:
  21527. description: |-
  21528. A key in the referenced Secret.
  21529. Some instances of this field may be defaulted, in others it may be required.
  21530. maxLength: 253
  21531. minLength: 1
  21532. pattern: ^[-._a-zA-Z0-9]+$
  21533. type: string
  21534. name:
  21535. description: The name of the Secret resource being referred to.
  21536. maxLength: 253
  21537. minLength: 1
  21538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21539. type: string
  21540. namespace:
  21541. description: |-
  21542. The namespace of the Secret resource being referred to.
  21543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21544. maxLength: 63
  21545. minLength: 1
  21546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21547. type: string
  21548. type: object
  21549. value:
  21550. description: Value can be specified directly to set a value without using a secret.
  21551. type: string
  21552. type: object
  21553. clientSecret:
  21554. description: ClientSecret is the API OAuth Client Secret.
  21555. properties:
  21556. secretRef:
  21557. description: SecretRef references a key in a secret that will be used as value.
  21558. properties:
  21559. key:
  21560. description: |-
  21561. A key in the referenced Secret.
  21562. Some instances of this field may be defaulted, in others it may be required.
  21563. maxLength: 253
  21564. minLength: 1
  21565. pattern: ^[-._a-zA-Z0-9]+$
  21566. type: string
  21567. name:
  21568. description: The name of the Secret resource being referred to.
  21569. maxLength: 253
  21570. minLength: 1
  21571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21572. type: string
  21573. namespace:
  21574. description: |-
  21575. The namespace of the Secret resource being referred to.
  21576. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21577. maxLength: 63
  21578. minLength: 1
  21579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21580. type: string
  21581. type: object
  21582. value:
  21583. description: Value can be specified directly to set a value without using a secret.
  21584. type: string
  21585. type: object
  21586. type: object
  21587. server:
  21588. description: Auth configures how API server works.
  21589. properties:
  21590. apiUrl:
  21591. type: string
  21592. apiVersion:
  21593. type: string
  21594. clientTimeOutSeconds:
  21595. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  21596. type: integer
  21597. decrypt:
  21598. default: true
  21599. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  21600. type: boolean
  21601. retrievalType:
  21602. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  21603. type: string
  21604. separator:
  21605. description: A character that separates the folder names.
  21606. type: string
  21607. verifyCA:
  21608. type: boolean
  21609. required:
  21610. - apiUrl
  21611. - verifyCA
  21612. type: object
  21613. required:
  21614. - auth
  21615. - server
  21616. type: object
  21617. bitwardensecretsmanager:
  21618. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  21619. properties:
  21620. apiURL:
  21621. type: string
  21622. auth:
  21623. description: |-
  21624. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  21625. Make sure that the token being used has permissions on the given secret.
  21626. properties:
  21627. secretRef:
  21628. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  21629. properties:
  21630. credentials:
  21631. description: AccessToken used for the bitwarden instance.
  21632. properties:
  21633. key:
  21634. description: |-
  21635. A key in the referenced Secret.
  21636. Some instances of this field may be defaulted, in others it may be required.
  21637. maxLength: 253
  21638. minLength: 1
  21639. pattern: ^[-._a-zA-Z0-9]+$
  21640. type: string
  21641. name:
  21642. description: The name of the Secret resource being referred to.
  21643. maxLength: 253
  21644. minLength: 1
  21645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21646. type: string
  21647. namespace:
  21648. description: |-
  21649. The namespace of the Secret resource being referred to.
  21650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21651. maxLength: 63
  21652. minLength: 1
  21653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21654. type: string
  21655. type: object
  21656. required:
  21657. - credentials
  21658. type: object
  21659. required:
  21660. - secretRef
  21661. type: object
  21662. bitwardenServerSDKURL:
  21663. type: string
  21664. caBundle:
  21665. description: |-
  21666. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  21667. can be performed.
  21668. type: string
  21669. caProvider:
  21670. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  21671. properties:
  21672. key:
  21673. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21674. maxLength: 253
  21675. minLength: 1
  21676. pattern: ^[-._a-zA-Z0-9]+$
  21677. type: string
  21678. name:
  21679. description: The name of the object located at the provider type.
  21680. maxLength: 253
  21681. minLength: 1
  21682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21683. type: string
  21684. namespace:
  21685. description: |-
  21686. The namespace the Provider type is in.
  21687. Can only be defined when used in a ClusterSecretStore.
  21688. maxLength: 63
  21689. minLength: 1
  21690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21691. type: string
  21692. type:
  21693. description: The type of provider to use such as "Secret", or "ConfigMap".
  21694. enum:
  21695. - Secret
  21696. - ConfigMap
  21697. type: string
  21698. required:
  21699. - name
  21700. - type
  21701. type: object
  21702. identityURL:
  21703. type: string
  21704. organizationID:
  21705. description: OrganizationID determines which organization this secret store manages.
  21706. type: string
  21707. projectID:
  21708. description: ProjectID determines which project this secret store manages.
  21709. type: string
  21710. required:
  21711. - auth
  21712. - organizationID
  21713. - projectID
  21714. type: object
  21715. chef:
  21716. description: Chef configures this store to sync secrets with chef server
  21717. properties:
  21718. auth:
  21719. description: Auth defines the information necessary to authenticate against chef Server
  21720. properties:
  21721. secretRef:
  21722. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  21723. properties:
  21724. privateKeySecretRef:
  21725. description: SecretKey is the Signing Key in PEM format, used for authentication.
  21726. properties:
  21727. key:
  21728. description: |-
  21729. A key in the referenced Secret.
  21730. Some instances of this field may be defaulted, in others it may be required.
  21731. maxLength: 253
  21732. minLength: 1
  21733. pattern: ^[-._a-zA-Z0-9]+$
  21734. type: string
  21735. name:
  21736. description: The name of the Secret resource being referred to.
  21737. maxLength: 253
  21738. minLength: 1
  21739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21740. type: string
  21741. namespace:
  21742. description: |-
  21743. The namespace of the Secret resource being referred to.
  21744. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21745. maxLength: 63
  21746. minLength: 1
  21747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21748. type: string
  21749. type: object
  21750. required:
  21751. - privateKeySecretRef
  21752. type: object
  21753. required:
  21754. - secretRef
  21755. type: object
  21756. serverUrl:
  21757. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  21758. type: string
  21759. username:
  21760. description: UserName should be the user ID on the chef server
  21761. type: string
  21762. required:
  21763. - auth
  21764. - serverUrl
  21765. - username
  21766. type: object
  21767. cloudrusm:
  21768. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  21769. properties:
  21770. auth:
  21771. description: CSMAuth contains a secretRef for credentials.
  21772. properties:
  21773. secretRef:
  21774. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  21775. properties:
  21776. accessKeyIDSecretRef:
  21777. description: The AccessKeyID is used for authentication
  21778. properties:
  21779. key:
  21780. description: |-
  21781. A key in the referenced Secret.
  21782. Some instances of this field may be defaulted, in others it may be required.
  21783. maxLength: 253
  21784. minLength: 1
  21785. pattern: ^[-._a-zA-Z0-9]+$
  21786. type: string
  21787. name:
  21788. description: The name of the Secret resource being referred to.
  21789. maxLength: 253
  21790. minLength: 1
  21791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21792. type: string
  21793. namespace:
  21794. description: |-
  21795. The namespace of the Secret resource being referred to.
  21796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21797. maxLength: 63
  21798. minLength: 1
  21799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21800. type: string
  21801. type: object
  21802. accessKeySecretSecretRef:
  21803. description: The AccessKeySecret is used for authentication
  21804. properties:
  21805. key:
  21806. description: |-
  21807. A key in the referenced Secret.
  21808. Some instances of this field may be defaulted, in others it may be required.
  21809. maxLength: 253
  21810. minLength: 1
  21811. pattern: ^[-._a-zA-Z0-9]+$
  21812. type: string
  21813. name:
  21814. description: The name of the Secret resource being referred to.
  21815. maxLength: 253
  21816. minLength: 1
  21817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21818. type: string
  21819. namespace:
  21820. description: |-
  21821. The namespace of the Secret resource being referred to.
  21822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21823. maxLength: 63
  21824. minLength: 1
  21825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21826. type: string
  21827. type: object
  21828. required:
  21829. - accessKeyIDSecretRef
  21830. - accessKeySecretSecretRef
  21831. type: object
  21832. type: object
  21833. projectID:
  21834. description: ProjectID is the project, which the secrets are stored in.
  21835. type: string
  21836. required:
  21837. - auth
  21838. type: object
  21839. conjur:
  21840. description: Conjur configures this store to sync secrets using conjur provider
  21841. properties:
  21842. auth:
  21843. description: Defines authentication settings for connecting to Conjur.
  21844. properties:
  21845. apikey:
  21846. description: Authenticates with Conjur using an API key.
  21847. properties:
  21848. account:
  21849. description: Account is the Conjur organization account name.
  21850. type: string
  21851. apiKeyRef:
  21852. description: |-
  21853. A reference to a specific 'key' containing the Conjur API key
  21854. within a Secret resource. In some instances, `key` is a required field.
  21855. properties:
  21856. key:
  21857. description: |-
  21858. A key in the referenced Secret.
  21859. Some instances of this field may be defaulted, in others it may be required.
  21860. maxLength: 253
  21861. minLength: 1
  21862. pattern: ^[-._a-zA-Z0-9]+$
  21863. type: string
  21864. name:
  21865. description: The name of the Secret resource being referred to.
  21866. maxLength: 253
  21867. minLength: 1
  21868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21869. type: string
  21870. namespace:
  21871. description: |-
  21872. The namespace of the Secret resource being referred to.
  21873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21874. maxLength: 63
  21875. minLength: 1
  21876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21877. type: string
  21878. type: object
  21879. userRef:
  21880. description: |-
  21881. A reference to a specific 'key' containing the Conjur username
  21882. within a Secret resource. In some instances, `key` is a required field.
  21883. properties:
  21884. key:
  21885. description: |-
  21886. A key in the referenced Secret.
  21887. Some instances of this field may be defaulted, in others it may be required.
  21888. maxLength: 253
  21889. minLength: 1
  21890. pattern: ^[-._a-zA-Z0-9]+$
  21891. type: string
  21892. name:
  21893. description: The name of the Secret resource being referred to.
  21894. maxLength: 253
  21895. minLength: 1
  21896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21897. type: string
  21898. namespace:
  21899. description: |-
  21900. The namespace of the Secret resource being referred to.
  21901. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21902. maxLength: 63
  21903. minLength: 1
  21904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21905. type: string
  21906. type: object
  21907. required:
  21908. - account
  21909. - apiKeyRef
  21910. - userRef
  21911. type: object
  21912. jwt:
  21913. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  21914. properties:
  21915. account:
  21916. description: Account is the Conjur organization account name.
  21917. type: string
  21918. hostId:
  21919. description: |-
  21920. Optional HostID for JWT authentication. This may be used depending
  21921. on how the Conjur JWT authenticator policy is configured.
  21922. type: string
  21923. secretRef:
  21924. description: |-
  21925. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  21926. authenticate with Conjur using the JWT authentication method.
  21927. properties:
  21928. key:
  21929. description: |-
  21930. A key in the referenced Secret.
  21931. Some instances of this field may be defaulted, in others it may be required.
  21932. maxLength: 253
  21933. minLength: 1
  21934. pattern: ^[-._a-zA-Z0-9]+$
  21935. type: string
  21936. name:
  21937. description: The name of the Secret resource being referred to.
  21938. maxLength: 253
  21939. minLength: 1
  21940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21941. type: string
  21942. namespace:
  21943. description: |-
  21944. The namespace of the Secret resource being referred to.
  21945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21946. maxLength: 63
  21947. minLength: 1
  21948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21949. type: string
  21950. type: object
  21951. serviceAccountRef:
  21952. description: |-
  21953. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  21954. a token for with the `TokenRequest` API.
  21955. properties:
  21956. audiences:
  21957. description: |-
  21958. Audience specifies the `aud` claim for the service account token
  21959. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21960. then this audiences will be appended to the list
  21961. items:
  21962. type: string
  21963. type: array
  21964. name:
  21965. description: The name of the ServiceAccount resource being referred to.
  21966. maxLength: 253
  21967. minLength: 1
  21968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21969. type: string
  21970. namespace:
  21971. description: |-
  21972. Namespace of the resource being referred to.
  21973. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21974. maxLength: 63
  21975. minLength: 1
  21976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21977. type: string
  21978. required:
  21979. - name
  21980. type: object
  21981. serviceID:
  21982. description: The conjur authn jwt webservice id
  21983. type: string
  21984. required:
  21985. - account
  21986. - serviceID
  21987. type: object
  21988. type: object
  21989. caBundle:
  21990. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  21991. type: string
  21992. caProvider:
  21993. description: |-
  21994. Used to provide custom certificate authority (CA) certificates
  21995. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  21996. that contains a PEM-encoded certificate.
  21997. properties:
  21998. key:
  21999. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22000. maxLength: 253
  22001. minLength: 1
  22002. pattern: ^[-._a-zA-Z0-9]+$
  22003. type: string
  22004. name:
  22005. description: The name of the object located at the provider type.
  22006. maxLength: 253
  22007. minLength: 1
  22008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22009. type: string
  22010. namespace:
  22011. description: |-
  22012. The namespace the Provider type is in.
  22013. Can only be defined when used in a ClusterSecretStore.
  22014. maxLength: 63
  22015. minLength: 1
  22016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22017. type: string
  22018. type:
  22019. description: The type of provider to use such as "Secret", or "ConfigMap".
  22020. enum:
  22021. - Secret
  22022. - ConfigMap
  22023. type: string
  22024. required:
  22025. - name
  22026. - type
  22027. type: object
  22028. url:
  22029. description: URL is the endpoint of the Conjur instance.
  22030. type: string
  22031. required:
  22032. - auth
  22033. - url
  22034. type: object
  22035. delinea:
  22036. description: |-
  22037. Delinea DevOps Secrets Vault
  22038. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22039. properties:
  22040. clientId:
  22041. description: ClientID is the non-secret part of the credential.
  22042. properties:
  22043. secretRef:
  22044. description: SecretRef references a key in a secret that will be used as value.
  22045. properties:
  22046. key:
  22047. description: |-
  22048. A key in the referenced Secret.
  22049. Some instances of this field may be defaulted, in others it may be required.
  22050. maxLength: 253
  22051. minLength: 1
  22052. pattern: ^[-._a-zA-Z0-9]+$
  22053. type: string
  22054. name:
  22055. description: The name of the Secret resource being referred to.
  22056. maxLength: 253
  22057. minLength: 1
  22058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22059. type: string
  22060. namespace:
  22061. description: |-
  22062. The namespace of the Secret resource being referred to.
  22063. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22064. maxLength: 63
  22065. minLength: 1
  22066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22067. type: string
  22068. type: object
  22069. value:
  22070. description: Value can be specified directly to set a value without using a secret.
  22071. type: string
  22072. type: object
  22073. clientSecret:
  22074. description: ClientSecret is the secret part of the credential.
  22075. properties:
  22076. secretRef:
  22077. description: SecretRef references a key in a secret that will be used as value.
  22078. properties:
  22079. key:
  22080. description: |-
  22081. A key in the referenced Secret.
  22082. Some instances of this field may be defaulted, in others it may be required.
  22083. maxLength: 253
  22084. minLength: 1
  22085. pattern: ^[-._a-zA-Z0-9]+$
  22086. type: string
  22087. name:
  22088. description: The name of the Secret resource being referred to.
  22089. maxLength: 253
  22090. minLength: 1
  22091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22092. type: string
  22093. namespace:
  22094. description: |-
  22095. The namespace of the Secret resource being referred to.
  22096. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22097. maxLength: 63
  22098. minLength: 1
  22099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22100. type: string
  22101. type: object
  22102. value:
  22103. description: Value can be specified directly to set a value without using a secret.
  22104. type: string
  22105. type: object
  22106. tenant:
  22107. description: Tenant is the chosen hostname / site name.
  22108. type: string
  22109. tld:
  22110. description: |-
  22111. TLD is based on the server location that was chosen during provisioning.
  22112. If unset, defaults to "com".
  22113. type: string
  22114. urlTemplate:
  22115. description: |-
  22116. URLTemplate
  22117. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  22118. type: string
  22119. required:
  22120. - clientId
  22121. - clientSecret
  22122. - tenant
  22123. type: object
  22124. device42:
  22125. description: Device42 configures this store to sync secrets using the Device42 provider
  22126. properties:
  22127. auth:
  22128. description: Auth configures how secret-manager authenticates with a Device42 instance.
  22129. properties:
  22130. secretRef:
  22131. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  22132. properties:
  22133. credentials:
  22134. description: Username / Password is used for authentication.
  22135. properties:
  22136. key:
  22137. description: |-
  22138. A key in the referenced Secret.
  22139. Some instances of this field may be defaulted, in others it may be required.
  22140. maxLength: 253
  22141. minLength: 1
  22142. pattern: ^[-._a-zA-Z0-9]+$
  22143. type: string
  22144. name:
  22145. description: The name of the Secret resource being referred to.
  22146. maxLength: 253
  22147. minLength: 1
  22148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22149. type: string
  22150. namespace:
  22151. description: |-
  22152. The namespace of the Secret resource being referred to.
  22153. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22154. maxLength: 63
  22155. minLength: 1
  22156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22157. type: string
  22158. type: object
  22159. type: object
  22160. required:
  22161. - secretRef
  22162. type: object
  22163. host:
  22164. description: URL configures the Device42 instance URL.
  22165. type: string
  22166. required:
  22167. - auth
  22168. - host
  22169. type: object
  22170. doppler:
  22171. description: Doppler configures this store to sync secrets using the Doppler provider
  22172. properties:
  22173. auth:
  22174. description: Auth configures how the Operator authenticates with the Doppler API
  22175. properties:
  22176. secretRef:
  22177. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  22178. properties:
  22179. dopplerToken:
  22180. description: |-
  22181. The DopplerToken is used for authentication.
  22182. See https://docs.doppler.com/reference/api#authentication for auth token types.
  22183. The Key attribute defaults to dopplerToken if not specified.
  22184. properties:
  22185. key:
  22186. description: |-
  22187. A key in the referenced Secret.
  22188. Some instances of this field may be defaulted, in others it may be required.
  22189. maxLength: 253
  22190. minLength: 1
  22191. pattern: ^[-._a-zA-Z0-9]+$
  22192. type: string
  22193. name:
  22194. description: The name of the Secret resource being referred to.
  22195. maxLength: 253
  22196. minLength: 1
  22197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22198. type: string
  22199. namespace:
  22200. description: |-
  22201. The namespace of the Secret resource being referred to.
  22202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22203. maxLength: 63
  22204. minLength: 1
  22205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22206. type: string
  22207. type: object
  22208. required:
  22209. - dopplerToken
  22210. type: object
  22211. required:
  22212. - secretRef
  22213. type: object
  22214. config:
  22215. description: Doppler config (required if not using a Service Token)
  22216. type: string
  22217. format:
  22218. description: Format enables the downloading of secrets as a file (string)
  22219. enum:
  22220. - json
  22221. - dotnet-json
  22222. - env
  22223. - yaml
  22224. - docker
  22225. type: string
  22226. nameTransformer:
  22227. description: Environment variable compatible name transforms that change secret names to a different format
  22228. enum:
  22229. - upper-camel
  22230. - camel
  22231. - lower-snake
  22232. - tf-var
  22233. - dotnet-env
  22234. - lower-kebab
  22235. type: string
  22236. project:
  22237. description: Doppler project (required if not using a Service Token)
  22238. type: string
  22239. required:
  22240. - auth
  22241. type: object
  22242. fake:
  22243. description: Fake configures a store with static key/value pairs
  22244. properties:
  22245. data:
  22246. items:
  22247. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  22248. properties:
  22249. key:
  22250. type: string
  22251. value:
  22252. type: string
  22253. version:
  22254. type: string
  22255. required:
  22256. - key
  22257. - value
  22258. type: object
  22259. type: array
  22260. required:
  22261. - data
  22262. type: object
  22263. fortanix:
  22264. description: Fortanix configures this store to sync secrets using the Fortanix provider
  22265. properties:
  22266. apiKey:
  22267. description: APIKey is the API token to access SDKMS Applications.
  22268. properties:
  22269. secretRef:
  22270. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  22271. properties:
  22272. key:
  22273. description: |-
  22274. A key in the referenced Secret.
  22275. Some instances of this field may be defaulted, in others it may be required.
  22276. maxLength: 253
  22277. minLength: 1
  22278. pattern: ^[-._a-zA-Z0-9]+$
  22279. type: string
  22280. name:
  22281. description: The name of the Secret resource being referred to.
  22282. maxLength: 253
  22283. minLength: 1
  22284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22285. type: string
  22286. namespace:
  22287. description: |-
  22288. The namespace of the Secret resource being referred to.
  22289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22290. maxLength: 63
  22291. minLength: 1
  22292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22293. type: string
  22294. type: object
  22295. type: object
  22296. apiUrl:
  22297. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  22298. type: string
  22299. type: object
  22300. gcpsm:
  22301. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  22302. properties:
  22303. auth:
  22304. description: Auth defines the information necessary to authenticate against GCP
  22305. properties:
  22306. secretRef:
  22307. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  22308. properties:
  22309. secretAccessKeySecretRef:
  22310. description: The SecretAccessKey is used for authentication
  22311. properties:
  22312. key:
  22313. description: |-
  22314. A key in the referenced Secret.
  22315. Some instances of this field may be defaulted, in others it may be required.
  22316. maxLength: 253
  22317. minLength: 1
  22318. pattern: ^[-._a-zA-Z0-9]+$
  22319. type: string
  22320. name:
  22321. description: The name of the Secret resource being referred to.
  22322. maxLength: 253
  22323. minLength: 1
  22324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22325. type: string
  22326. namespace:
  22327. description: |-
  22328. The namespace of the Secret resource being referred to.
  22329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22330. maxLength: 63
  22331. minLength: 1
  22332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22333. type: string
  22334. type: object
  22335. type: object
  22336. workloadIdentity:
  22337. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  22338. properties:
  22339. clusterLocation:
  22340. description: |-
  22341. ClusterLocation is the location of the cluster
  22342. If not specified, it fetches information from the metadata server
  22343. type: string
  22344. clusterName:
  22345. description: |-
  22346. ClusterName is the name of the cluster
  22347. If not specified, it fetches information from the metadata server
  22348. type: string
  22349. clusterProjectID:
  22350. description: |-
  22351. ClusterProjectID is the project ID of the cluster
  22352. If not specified, it fetches information from the metadata server
  22353. type: string
  22354. serviceAccountRef:
  22355. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22356. properties:
  22357. audiences:
  22358. description: |-
  22359. Audience specifies the `aud` claim for the service account token
  22360. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22361. then this audiences will be appended to the list
  22362. items:
  22363. type: string
  22364. type: array
  22365. name:
  22366. description: The name of the ServiceAccount resource being referred to.
  22367. maxLength: 253
  22368. minLength: 1
  22369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22370. type: string
  22371. namespace:
  22372. description: |-
  22373. Namespace of the resource being referred to.
  22374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22375. maxLength: 63
  22376. minLength: 1
  22377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22378. type: string
  22379. required:
  22380. - name
  22381. type: object
  22382. required:
  22383. - serviceAccountRef
  22384. type: object
  22385. type: object
  22386. location:
  22387. description: Location optionally defines a location for a secret
  22388. type: string
  22389. projectID:
  22390. description: ProjectID project where secret is located
  22391. type: string
  22392. type: object
  22393. github:
  22394. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  22395. properties:
  22396. appID:
  22397. description: appID specifies the Github APP that will be used to authenticate the client
  22398. format: int64
  22399. type: integer
  22400. auth:
  22401. description: auth configures how secret-manager authenticates with a Github instance.
  22402. properties:
  22403. privateKey:
  22404. description: |-
  22405. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22406. In some instances, `key` is a required field.
  22407. properties:
  22408. key:
  22409. description: |-
  22410. A key in the referenced Secret.
  22411. Some instances of this field may be defaulted, in others it may be required.
  22412. maxLength: 253
  22413. minLength: 1
  22414. pattern: ^[-._a-zA-Z0-9]+$
  22415. type: string
  22416. name:
  22417. description: The name of the Secret resource being referred to.
  22418. maxLength: 253
  22419. minLength: 1
  22420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22421. type: string
  22422. namespace:
  22423. description: |-
  22424. The namespace of the Secret resource being referred to.
  22425. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22426. maxLength: 63
  22427. minLength: 1
  22428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22429. type: string
  22430. type: object
  22431. required:
  22432. - privateKey
  22433. type: object
  22434. environment:
  22435. description: environment will be used to fetch secrets from a particular environment within a github repository
  22436. type: string
  22437. installationID:
  22438. description: installationID specifies the Github APP installation that will be used to authenticate the client
  22439. format: int64
  22440. type: integer
  22441. organization:
  22442. description: organization will be used to fetch secrets from the Github organization
  22443. type: string
  22444. repository:
  22445. description: repository will be used to fetch secrets from the Github repository within an organization
  22446. type: string
  22447. uploadURL:
  22448. description: Upload URL for enterprise instances. Default to URL.
  22449. type: string
  22450. url:
  22451. default: https://github.com/
  22452. description: URL configures the Github instance URL. Defaults to https://github.com/.
  22453. type: string
  22454. required:
  22455. - appID
  22456. - auth
  22457. - installationID
  22458. - organization
  22459. type: object
  22460. gitlab:
  22461. description: GitLab configures this store to sync secrets using GitLab Variables provider
  22462. properties:
  22463. auth:
  22464. description: Auth configures how secret-manager authenticates with a GitLab instance.
  22465. properties:
  22466. SecretRef:
  22467. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  22468. properties:
  22469. accessToken:
  22470. description: AccessToken is used for authentication.
  22471. properties:
  22472. key:
  22473. description: |-
  22474. A key in the referenced Secret.
  22475. Some instances of this field may be defaulted, in others it may be required.
  22476. maxLength: 253
  22477. minLength: 1
  22478. pattern: ^[-._a-zA-Z0-9]+$
  22479. type: string
  22480. name:
  22481. description: The name of the Secret resource being referred to.
  22482. maxLength: 253
  22483. minLength: 1
  22484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22485. type: string
  22486. namespace:
  22487. description: |-
  22488. The namespace of the Secret resource being referred to.
  22489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22490. maxLength: 63
  22491. minLength: 1
  22492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22493. type: string
  22494. type: object
  22495. type: object
  22496. required:
  22497. - SecretRef
  22498. type: object
  22499. caBundle:
  22500. description: |-
  22501. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22502. can be performed.
  22503. format: byte
  22504. type: string
  22505. caProvider:
  22506. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22507. properties:
  22508. key:
  22509. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22510. maxLength: 253
  22511. minLength: 1
  22512. pattern: ^[-._a-zA-Z0-9]+$
  22513. type: string
  22514. name:
  22515. description: The name of the object located at the provider type.
  22516. maxLength: 253
  22517. minLength: 1
  22518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22519. type: string
  22520. namespace:
  22521. description: |-
  22522. The namespace the Provider type is in.
  22523. Can only be defined when used in a ClusterSecretStore.
  22524. maxLength: 63
  22525. minLength: 1
  22526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22527. type: string
  22528. type:
  22529. description: The type of provider to use such as "Secret", or "ConfigMap".
  22530. enum:
  22531. - Secret
  22532. - ConfigMap
  22533. type: string
  22534. required:
  22535. - name
  22536. - type
  22537. type: object
  22538. environment:
  22539. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  22540. type: string
  22541. groupIDs:
  22542. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  22543. items:
  22544. type: string
  22545. type: array
  22546. inheritFromGroups:
  22547. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  22548. type: boolean
  22549. projectID:
  22550. description: ProjectID specifies a project where secrets are located.
  22551. type: string
  22552. url:
  22553. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  22554. type: string
  22555. required:
  22556. - auth
  22557. type: object
  22558. ibm:
  22559. description: IBM configures this store to sync secrets using IBM Cloud provider
  22560. properties:
  22561. auth:
  22562. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  22563. maxProperties: 1
  22564. minProperties: 1
  22565. properties:
  22566. containerAuth:
  22567. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  22568. properties:
  22569. iamEndpoint:
  22570. type: string
  22571. profile:
  22572. description: the IBM Trusted Profile
  22573. type: string
  22574. tokenLocation:
  22575. description: Location the token is mounted on the pod
  22576. type: string
  22577. required:
  22578. - profile
  22579. type: object
  22580. secretRef:
  22581. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  22582. properties:
  22583. secretApiKeySecretRef:
  22584. description: The SecretAccessKey is used for authentication
  22585. properties:
  22586. key:
  22587. description: |-
  22588. A key in the referenced Secret.
  22589. Some instances of this field may be defaulted, in others it may be required.
  22590. maxLength: 253
  22591. minLength: 1
  22592. pattern: ^[-._a-zA-Z0-9]+$
  22593. type: string
  22594. name:
  22595. description: The name of the Secret resource being referred to.
  22596. maxLength: 253
  22597. minLength: 1
  22598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22599. type: string
  22600. namespace:
  22601. description: |-
  22602. The namespace of the Secret resource being referred to.
  22603. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22604. maxLength: 63
  22605. minLength: 1
  22606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22607. type: string
  22608. type: object
  22609. type: object
  22610. type: object
  22611. serviceUrl:
  22612. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  22613. type: string
  22614. required:
  22615. - auth
  22616. type: object
  22617. infisical:
  22618. description: Infisical configures this store to sync secrets using the Infisical provider
  22619. properties:
  22620. auth:
  22621. description: Auth configures how the Operator authenticates with the Infisical API
  22622. properties:
  22623. universalAuthCredentials:
  22624. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  22625. properties:
  22626. clientId:
  22627. description: |-
  22628. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22629. In some instances, `key` is a required field.
  22630. properties:
  22631. key:
  22632. description: |-
  22633. A key in the referenced Secret.
  22634. Some instances of this field may be defaulted, in others it may be required.
  22635. maxLength: 253
  22636. minLength: 1
  22637. pattern: ^[-._a-zA-Z0-9]+$
  22638. type: string
  22639. name:
  22640. description: The name of the Secret resource being referred to.
  22641. maxLength: 253
  22642. minLength: 1
  22643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22644. type: string
  22645. namespace:
  22646. description: |-
  22647. The namespace of the Secret resource being referred to.
  22648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22649. maxLength: 63
  22650. minLength: 1
  22651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22652. type: string
  22653. type: object
  22654. clientSecret:
  22655. description: |-
  22656. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22657. In some instances, `key` is a required field.
  22658. properties:
  22659. key:
  22660. description: |-
  22661. A key in the referenced Secret.
  22662. Some instances of this field may be defaulted, in others it may be required.
  22663. maxLength: 253
  22664. minLength: 1
  22665. pattern: ^[-._a-zA-Z0-9]+$
  22666. type: string
  22667. name:
  22668. description: The name of the Secret resource being referred to.
  22669. maxLength: 253
  22670. minLength: 1
  22671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22672. type: string
  22673. namespace:
  22674. description: |-
  22675. The namespace of the Secret resource being referred to.
  22676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22677. maxLength: 63
  22678. minLength: 1
  22679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22680. type: string
  22681. type: object
  22682. required:
  22683. - clientId
  22684. - clientSecret
  22685. type: object
  22686. type: object
  22687. hostAPI:
  22688. default: https://app.infisical.com/api
  22689. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  22690. type: string
  22691. secretsScope:
  22692. description: SecretsScope defines the scope of the secrets within the workspace
  22693. properties:
  22694. environmentSlug:
  22695. description: EnvironmentSlug is the required slug identifier for the environment.
  22696. type: string
  22697. expandSecretReferences:
  22698. default: true
  22699. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  22700. type: boolean
  22701. projectSlug:
  22702. description: ProjectSlug is the required slug identifier for the project.
  22703. type: string
  22704. recursive:
  22705. default: false
  22706. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  22707. type: boolean
  22708. secretsPath:
  22709. default: /
  22710. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  22711. type: string
  22712. required:
  22713. - environmentSlug
  22714. - projectSlug
  22715. type: object
  22716. required:
  22717. - auth
  22718. - secretsScope
  22719. type: object
  22720. keepersecurity:
  22721. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  22722. properties:
  22723. authRef:
  22724. description: |-
  22725. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22726. In some instances, `key` is a required field.
  22727. properties:
  22728. key:
  22729. description: |-
  22730. A key in the referenced Secret.
  22731. Some instances of this field may be defaulted, in others it may be required.
  22732. maxLength: 253
  22733. minLength: 1
  22734. pattern: ^[-._a-zA-Z0-9]+$
  22735. type: string
  22736. name:
  22737. description: The name of the Secret resource being referred to.
  22738. maxLength: 253
  22739. minLength: 1
  22740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22741. type: string
  22742. namespace:
  22743. description: |-
  22744. The namespace of the Secret resource being referred to.
  22745. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22746. maxLength: 63
  22747. minLength: 1
  22748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22749. type: string
  22750. type: object
  22751. folderID:
  22752. type: string
  22753. required:
  22754. - authRef
  22755. - folderID
  22756. type: object
  22757. kubernetes:
  22758. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  22759. properties:
  22760. auth:
  22761. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  22762. maxProperties: 1
  22763. minProperties: 1
  22764. properties:
  22765. cert:
  22766. description: has both clientCert and clientKey as secretKeySelector
  22767. properties:
  22768. clientCert:
  22769. description: |-
  22770. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22771. In some instances, `key` is a required field.
  22772. properties:
  22773. key:
  22774. description: |-
  22775. A key in the referenced Secret.
  22776. Some instances of this field may be defaulted, in others it may be required.
  22777. maxLength: 253
  22778. minLength: 1
  22779. pattern: ^[-._a-zA-Z0-9]+$
  22780. type: string
  22781. name:
  22782. description: The name of the Secret resource being referred to.
  22783. maxLength: 253
  22784. minLength: 1
  22785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22786. type: string
  22787. namespace:
  22788. description: |-
  22789. The namespace of the Secret resource being referred to.
  22790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22791. maxLength: 63
  22792. minLength: 1
  22793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22794. type: string
  22795. type: object
  22796. clientKey:
  22797. description: |-
  22798. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22799. In some instances, `key` is a required field.
  22800. properties:
  22801. key:
  22802. description: |-
  22803. A key in the referenced Secret.
  22804. Some instances of this field may be defaulted, in others it may be required.
  22805. maxLength: 253
  22806. minLength: 1
  22807. pattern: ^[-._a-zA-Z0-9]+$
  22808. type: string
  22809. name:
  22810. description: The name of the Secret resource being referred to.
  22811. maxLength: 253
  22812. minLength: 1
  22813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22814. type: string
  22815. namespace:
  22816. description: |-
  22817. The namespace of the Secret resource being referred to.
  22818. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22819. maxLength: 63
  22820. minLength: 1
  22821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22822. type: string
  22823. type: object
  22824. type: object
  22825. serviceAccount:
  22826. description: points to a service account that should be used for authentication
  22827. properties:
  22828. audiences:
  22829. description: |-
  22830. Audience specifies the `aud` claim for the service account token
  22831. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22832. then this audiences will be appended to the list
  22833. items:
  22834. type: string
  22835. type: array
  22836. name:
  22837. description: The name of the ServiceAccount resource being referred to.
  22838. maxLength: 253
  22839. minLength: 1
  22840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22841. type: string
  22842. namespace:
  22843. description: |-
  22844. Namespace of the resource being referred to.
  22845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22846. maxLength: 63
  22847. minLength: 1
  22848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22849. type: string
  22850. required:
  22851. - name
  22852. type: object
  22853. token:
  22854. description: use static token to authenticate with
  22855. properties:
  22856. bearerToken:
  22857. description: |-
  22858. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22859. In some instances, `key` is a required field.
  22860. properties:
  22861. key:
  22862. description: |-
  22863. A key in the referenced Secret.
  22864. Some instances of this field may be defaulted, in others it may be required.
  22865. maxLength: 253
  22866. minLength: 1
  22867. pattern: ^[-._a-zA-Z0-9]+$
  22868. type: string
  22869. name:
  22870. description: The name of the Secret resource being referred to.
  22871. maxLength: 253
  22872. minLength: 1
  22873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22874. type: string
  22875. namespace:
  22876. description: |-
  22877. The namespace of the Secret resource being referred to.
  22878. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22879. maxLength: 63
  22880. minLength: 1
  22881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22882. type: string
  22883. type: object
  22884. type: object
  22885. type: object
  22886. authRef:
  22887. description: A reference to a secret that contains the auth information.
  22888. properties:
  22889. key:
  22890. description: |-
  22891. A key in the referenced Secret.
  22892. Some instances of this field may be defaulted, in others it may be required.
  22893. maxLength: 253
  22894. minLength: 1
  22895. pattern: ^[-._a-zA-Z0-9]+$
  22896. type: string
  22897. name:
  22898. description: The name of the Secret resource being referred to.
  22899. maxLength: 253
  22900. minLength: 1
  22901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22902. type: string
  22903. namespace:
  22904. description: |-
  22905. The namespace of the Secret resource being referred to.
  22906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22907. maxLength: 63
  22908. minLength: 1
  22909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22910. type: string
  22911. type: object
  22912. remoteNamespace:
  22913. default: default
  22914. description: Remote namespace to fetch the secrets from
  22915. maxLength: 63
  22916. minLength: 1
  22917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22918. type: string
  22919. server:
  22920. description: configures the Kubernetes server Address.
  22921. properties:
  22922. caBundle:
  22923. description: CABundle is a base64-encoded CA certificate
  22924. format: byte
  22925. type: string
  22926. caProvider:
  22927. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  22928. properties:
  22929. key:
  22930. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22931. maxLength: 253
  22932. minLength: 1
  22933. pattern: ^[-._a-zA-Z0-9]+$
  22934. type: string
  22935. name:
  22936. description: The name of the object located at the provider type.
  22937. maxLength: 253
  22938. minLength: 1
  22939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22940. type: string
  22941. namespace:
  22942. description: |-
  22943. The namespace the Provider type is in.
  22944. Can only be defined when used in a ClusterSecretStore.
  22945. maxLength: 63
  22946. minLength: 1
  22947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22948. type: string
  22949. type:
  22950. description: The type of provider to use such as "Secret", or "ConfigMap".
  22951. enum:
  22952. - Secret
  22953. - ConfigMap
  22954. type: string
  22955. required:
  22956. - name
  22957. - type
  22958. type: object
  22959. url:
  22960. default: kubernetes.default
  22961. description: configures the Kubernetes server Address.
  22962. type: string
  22963. type: object
  22964. type: object
  22965. onboardbase:
  22966. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  22967. properties:
  22968. apiHost:
  22969. default: https://public.onboardbase.com/api/v1/
  22970. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  22971. type: string
  22972. auth:
  22973. description: Auth configures how the Operator authenticates with the Onboardbase API
  22974. properties:
  22975. apiKeyRef:
  22976. description: |-
  22977. OnboardbaseAPIKey is the APIKey generated by an admin account.
  22978. It is used to recognize and authorize access to a project and environment within onboardbase
  22979. properties:
  22980. key:
  22981. description: |-
  22982. A key in the referenced Secret.
  22983. Some instances of this field may be defaulted, in others it may be required.
  22984. maxLength: 253
  22985. minLength: 1
  22986. pattern: ^[-._a-zA-Z0-9]+$
  22987. type: string
  22988. name:
  22989. description: The name of the Secret resource being referred to.
  22990. maxLength: 253
  22991. minLength: 1
  22992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22993. type: string
  22994. namespace:
  22995. description: |-
  22996. The namespace of the Secret resource being referred to.
  22997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22998. maxLength: 63
  22999. minLength: 1
  23000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23001. type: string
  23002. type: object
  23003. passcodeRef:
  23004. description: OnboardbasePasscode is the passcode attached to the API Key
  23005. properties:
  23006. key:
  23007. description: |-
  23008. A key in the referenced Secret.
  23009. Some instances of this field may be defaulted, in others it may be required.
  23010. maxLength: 253
  23011. minLength: 1
  23012. pattern: ^[-._a-zA-Z0-9]+$
  23013. type: string
  23014. name:
  23015. description: The name of the Secret resource being referred to.
  23016. maxLength: 253
  23017. minLength: 1
  23018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23019. type: string
  23020. namespace:
  23021. description: |-
  23022. The namespace of the Secret resource being referred to.
  23023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23024. maxLength: 63
  23025. minLength: 1
  23026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23027. type: string
  23028. type: object
  23029. required:
  23030. - apiKeyRef
  23031. - passcodeRef
  23032. type: object
  23033. environment:
  23034. default: development
  23035. description: Environment is the name of an environmnent within a project to pull the secrets from
  23036. type: string
  23037. project:
  23038. default: development
  23039. description: Project is an onboardbase project that the secrets should be pulled from
  23040. type: string
  23041. required:
  23042. - apiHost
  23043. - auth
  23044. - environment
  23045. - project
  23046. type: object
  23047. onepassword:
  23048. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23049. properties:
  23050. auth:
  23051. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23052. properties:
  23053. secretRef:
  23054. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23055. properties:
  23056. connectTokenSecretRef:
  23057. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23058. properties:
  23059. key:
  23060. description: |-
  23061. A key in the referenced Secret.
  23062. Some instances of this field may be defaulted, in others it may be required.
  23063. maxLength: 253
  23064. minLength: 1
  23065. pattern: ^[-._a-zA-Z0-9]+$
  23066. type: string
  23067. name:
  23068. description: The name of the Secret resource being referred to.
  23069. maxLength: 253
  23070. minLength: 1
  23071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23072. type: string
  23073. namespace:
  23074. description: |-
  23075. The namespace of the Secret resource being referred to.
  23076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23077. maxLength: 63
  23078. minLength: 1
  23079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23080. type: string
  23081. type: object
  23082. required:
  23083. - connectTokenSecretRef
  23084. type: object
  23085. required:
  23086. - secretRef
  23087. type: object
  23088. connectHost:
  23089. description: ConnectHost defines the OnePassword Connect Server to connect to
  23090. type: string
  23091. vaults:
  23092. additionalProperties:
  23093. type: integer
  23094. description: Vaults defines which OnePassword vaults to search in which order
  23095. type: object
  23096. required:
  23097. - auth
  23098. - connectHost
  23099. - vaults
  23100. type: object
  23101. oracle:
  23102. description: Oracle configures this store to sync secrets using Oracle Vault provider
  23103. properties:
  23104. auth:
  23105. description: |-
  23106. Auth configures how secret-manager authenticates with the Oracle Vault.
  23107. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  23108. properties:
  23109. secretRef:
  23110. description: SecretRef to pass through sensitive information.
  23111. properties:
  23112. fingerprint:
  23113. description: Fingerprint is the fingerprint of the API private key.
  23114. properties:
  23115. key:
  23116. description: |-
  23117. A key in the referenced Secret.
  23118. Some instances of this field may be defaulted, in others it may be required.
  23119. maxLength: 253
  23120. minLength: 1
  23121. pattern: ^[-._a-zA-Z0-9]+$
  23122. type: string
  23123. name:
  23124. description: The name of the Secret resource being referred to.
  23125. maxLength: 253
  23126. minLength: 1
  23127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23128. type: string
  23129. namespace:
  23130. description: |-
  23131. The namespace of the Secret resource being referred to.
  23132. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23133. maxLength: 63
  23134. minLength: 1
  23135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23136. type: string
  23137. type: object
  23138. privatekey:
  23139. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  23140. properties:
  23141. key:
  23142. description: |-
  23143. A key in the referenced Secret.
  23144. Some instances of this field may be defaulted, in others it may be required.
  23145. maxLength: 253
  23146. minLength: 1
  23147. pattern: ^[-._a-zA-Z0-9]+$
  23148. type: string
  23149. name:
  23150. description: The name of the Secret resource being referred to.
  23151. maxLength: 253
  23152. minLength: 1
  23153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23154. type: string
  23155. namespace:
  23156. description: |-
  23157. The namespace of the Secret resource being referred to.
  23158. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23159. maxLength: 63
  23160. minLength: 1
  23161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23162. type: string
  23163. type: object
  23164. required:
  23165. - fingerprint
  23166. - privatekey
  23167. type: object
  23168. tenancy:
  23169. description: Tenancy is the tenancy OCID where user is located.
  23170. type: string
  23171. user:
  23172. description: User is an access OCID specific to the account.
  23173. type: string
  23174. required:
  23175. - secretRef
  23176. - tenancy
  23177. - user
  23178. type: object
  23179. compartment:
  23180. description: |-
  23181. Compartment is the vault compartment OCID.
  23182. Required for PushSecret
  23183. type: string
  23184. encryptionKey:
  23185. description: |-
  23186. EncryptionKey is the OCID of the encryption key within the vault.
  23187. Required for PushSecret
  23188. type: string
  23189. principalType:
  23190. description: |-
  23191. The type of principal to use for authentication. If left blank, the Auth struct will
  23192. determine the principal type. This optional field must be specified if using
  23193. workload identity.
  23194. enum:
  23195. - ""
  23196. - UserPrincipal
  23197. - InstancePrincipal
  23198. - Workload
  23199. type: string
  23200. region:
  23201. description: Region is the region where vault is located.
  23202. type: string
  23203. serviceAccountRef:
  23204. description: |-
  23205. ServiceAccountRef specified the service account
  23206. that should be used when authenticating with WorkloadIdentity.
  23207. properties:
  23208. audiences:
  23209. description: |-
  23210. Audience specifies the `aud` claim for the service account token
  23211. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23212. then this audiences will be appended to the list
  23213. items:
  23214. type: string
  23215. type: array
  23216. name:
  23217. description: The name of the ServiceAccount resource being referred to.
  23218. maxLength: 253
  23219. minLength: 1
  23220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23221. type: string
  23222. namespace:
  23223. description: |-
  23224. Namespace of the resource being referred to.
  23225. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23226. maxLength: 63
  23227. minLength: 1
  23228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23229. type: string
  23230. required:
  23231. - name
  23232. type: object
  23233. vault:
  23234. description: Vault is the vault's OCID of the specific vault where secret is located.
  23235. type: string
  23236. required:
  23237. - region
  23238. - vault
  23239. type: object
  23240. passbolt:
  23241. description: PassboltProvider defines configuration for the Passbolt provider.
  23242. properties:
  23243. auth:
  23244. description: Auth defines the information necessary to authenticate against Passbolt Server
  23245. properties:
  23246. passwordSecretRef:
  23247. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  23248. properties:
  23249. key:
  23250. description: |-
  23251. A key in the referenced Secret.
  23252. Some instances of this field may be defaulted, in others it may be required.
  23253. maxLength: 253
  23254. minLength: 1
  23255. pattern: ^[-._a-zA-Z0-9]+$
  23256. type: string
  23257. name:
  23258. description: The name of the Secret resource being referred to.
  23259. maxLength: 253
  23260. minLength: 1
  23261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23262. type: string
  23263. namespace:
  23264. description: |-
  23265. The namespace of the Secret resource being referred to.
  23266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23267. maxLength: 63
  23268. minLength: 1
  23269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23270. type: string
  23271. type: object
  23272. privateKeySecretRef:
  23273. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  23274. properties:
  23275. key:
  23276. description: |-
  23277. A key in the referenced Secret.
  23278. Some instances of this field may be defaulted, in others it may be required.
  23279. maxLength: 253
  23280. minLength: 1
  23281. pattern: ^[-._a-zA-Z0-9]+$
  23282. type: string
  23283. name:
  23284. description: The name of the Secret resource being referred to.
  23285. maxLength: 253
  23286. minLength: 1
  23287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23288. type: string
  23289. namespace:
  23290. description: |-
  23291. The namespace of the Secret resource being referred to.
  23292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23293. maxLength: 63
  23294. minLength: 1
  23295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23296. type: string
  23297. type: object
  23298. required:
  23299. - passwordSecretRef
  23300. - privateKeySecretRef
  23301. type: object
  23302. host:
  23303. description: Host defines the Passbolt Server to connect to
  23304. type: string
  23305. required:
  23306. - auth
  23307. - host
  23308. type: object
  23309. passworddepot:
  23310. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  23311. properties:
  23312. auth:
  23313. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  23314. properties:
  23315. secretRef:
  23316. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  23317. properties:
  23318. credentials:
  23319. description: Username / Password is used for authentication.
  23320. properties:
  23321. key:
  23322. description: |-
  23323. A key in the referenced Secret.
  23324. Some instances of this field may be defaulted, in others it may be required.
  23325. maxLength: 253
  23326. minLength: 1
  23327. pattern: ^[-._a-zA-Z0-9]+$
  23328. type: string
  23329. name:
  23330. description: The name of the Secret resource being referred to.
  23331. maxLength: 253
  23332. minLength: 1
  23333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23334. type: string
  23335. namespace:
  23336. description: |-
  23337. The namespace of the Secret resource being referred to.
  23338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23339. maxLength: 63
  23340. minLength: 1
  23341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23342. type: string
  23343. type: object
  23344. type: object
  23345. required:
  23346. - secretRef
  23347. type: object
  23348. database:
  23349. description: Database to use as source
  23350. type: string
  23351. host:
  23352. description: URL configures the Password Depot instance URL.
  23353. type: string
  23354. required:
  23355. - auth
  23356. - database
  23357. - host
  23358. type: object
  23359. previder:
  23360. description: Previder configures this store to sync secrets using the Previder provider
  23361. properties:
  23362. auth:
  23363. description: PreviderAuth contains a secretRef for credentials.
  23364. properties:
  23365. secretRef:
  23366. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  23367. properties:
  23368. accessToken:
  23369. description: The AccessToken is used for authentication
  23370. properties:
  23371. key:
  23372. description: |-
  23373. A key in the referenced Secret.
  23374. Some instances of this field may be defaulted, in others it may be required.
  23375. maxLength: 253
  23376. minLength: 1
  23377. pattern: ^[-._a-zA-Z0-9]+$
  23378. type: string
  23379. name:
  23380. description: The name of the Secret resource being referred to.
  23381. maxLength: 253
  23382. minLength: 1
  23383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23384. type: string
  23385. namespace:
  23386. description: |-
  23387. The namespace of the Secret resource being referred to.
  23388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23389. maxLength: 63
  23390. minLength: 1
  23391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23392. type: string
  23393. type: object
  23394. required:
  23395. - accessToken
  23396. type: object
  23397. type: object
  23398. baseUri:
  23399. type: string
  23400. required:
  23401. - auth
  23402. type: object
  23403. pulumi:
  23404. description: Pulumi configures this store to sync secrets using the Pulumi provider
  23405. properties:
  23406. accessToken:
  23407. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  23408. properties:
  23409. secretRef:
  23410. description: SecretRef is a reference to a secret containing the Pulumi API token.
  23411. properties:
  23412. key:
  23413. description: |-
  23414. A key in the referenced Secret.
  23415. Some instances of this field may be defaulted, in others it may be required.
  23416. maxLength: 253
  23417. minLength: 1
  23418. pattern: ^[-._a-zA-Z0-9]+$
  23419. type: string
  23420. name:
  23421. description: The name of the Secret resource being referred to.
  23422. maxLength: 253
  23423. minLength: 1
  23424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23425. type: string
  23426. namespace:
  23427. description: |-
  23428. The namespace of the Secret resource being referred to.
  23429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23430. maxLength: 63
  23431. minLength: 1
  23432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23433. type: string
  23434. type: object
  23435. type: object
  23436. apiUrl:
  23437. default: https://api.pulumi.com/api/esc
  23438. description: APIURL is the URL of the Pulumi API.
  23439. type: string
  23440. environment:
  23441. description: |-
  23442. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  23443. dynamically retrieved values from supported providers including all major clouds,
  23444. and other Pulumi ESC environments.
  23445. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  23446. type: string
  23447. organization:
  23448. description: |-
  23449. Organization are a space to collaborate on shared projects and stacks.
  23450. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  23451. type: string
  23452. project:
  23453. description: Project is the name of the Pulumi ESC project the environment belongs to.
  23454. type: string
  23455. required:
  23456. - accessToken
  23457. - environment
  23458. - organization
  23459. - project
  23460. type: object
  23461. scaleway:
  23462. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  23463. properties:
  23464. accessKey:
  23465. description: AccessKey is the non-secret part of the api key.
  23466. properties:
  23467. secretRef:
  23468. description: SecretRef references a key in a secret that will be used as value.
  23469. properties:
  23470. key:
  23471. description: |-
  23472. A key in the referenced Secret.
  23473. Some instances of this field may be defaulted, in others it may be required.
  23474. maxLength: 253
  23475. minLength: 1
  23476. pattern: ^[-._a-zA-Z0-9]+$
  23477. type: string
  23478. name:
  23479. description: The name of the Secret resource being referred to.
  23480. maxLength: 253
  23481. minLength: 1
  23482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23483. type: string
  23484. namespace:
  23485. description: |-
  23486. The namespace of the Secret resource being referred to.
  23487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23488. maxLength: 63
  23489. minLength: 1
  23490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23491. type: string
  23492. type: object
  23493. value:
  23494. description: Value can be specified directly to set a value without using a secret.
  23495. type: string
  23496. type: object
  23497. apiUrl:
  23498. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  23499. type: string
  23500. projectId:
  23501. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  23502. type: string
  23503. region:
  23504. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  23505. type: string
  23506. secretKey:
  23507. description: SecretKey is the non-secret part of the api key.
  23508. properties:
  23509. secretRef:
  23510. description: SecretRef references a key in a secret that will be used as value.
  23511. properties:
  23512. key:
  23513. description: |-
  23514. A key in the referenced Secret.
  23515. Some instances of this field may be defaulted, in others it may be required.
  23516. maxLength: 253
  23517. minLength: 1
  23518. pattern: ^[-._a-zA-Z0-9]+$
  23519. type: string
  23520. name:
  23521. description: The name of the Secret resource being referred to.
  23522. maxLength: 253
  23523. minLength: 1
  23524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23525. type: string
  23526. namespace:
  23527. description: |-
  23528. The namespace of the Secret resource being referred to.
  23529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23530. maxLength: 63
  23531. minLength: 1
  23532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23533. type: string
  23534. type: object
  23535. value:
  23536. description: Value can be specified directly to set a value without using a secret.
  23537. type: string
  23538. type: object
  23539. required:
  23540. - accessKey
  23541. - projectId
  23542. - region
  23543. - secretKey
  23544. type: object
  23545. secretserver:
  23546. description: |-
  23547. SecretServer configures this store to sync secrets using SecretServer provider
  23548. https://docs.delinea.com/online-help/secret-server/start.htm
  23549. properties:
  23550. password:
  23551. description: Password is the secret server account password.
  23552. properties:
  23553. secretRef:
  23554. description: SecretRef references a key in a secret that will be used as value.
  23555. properties:
  23556. key:
  23557. description: |-
  23558. A key in the referenced Secret.
  23559. Some instances of this field may be defaulted, in others it may be required.
  23560. maxLength: 253
  23561. minLength: 1
  23562. pattern: ^[-._a-zA-Z0-9]+$
  23563. type: string
  23564. name:
  23565. description: The name of the Secret resource being referred to.
  23566. maxLength: 253
  23567. minLength: 1
  23568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23569. type: string
  23570. namespace:
  23571. description: |-
  23572. The namespace of the Secret resource being referred to.
  23573. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23574. maxLength: 63
  23575. minLength: 1
  23576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23577. type: string
  23578. type: object
  23579. value:
  23580. description: Value can be specified directly to set a value without using a secret.
  23581. type: string
  23582. type: object
  23583. serverURL:
  23584. description: |-
  23585. ServerURL
  23586. URL to your secret server installation
  23587. type: string
  23588. username:
  23589. description: Username is the secret server account username.
  23590. properties:
  23591. secretRef:
  23592. description: SecretRef references a key in a secret that will be used as value.
  23593. properties:
  23594. key:
  23595. description: |-
  23596. A key in the referenced Secret.
  23597. Some instances of this field may be defaulted, in others it may be required.
  23598. maxLength: 253
  23599. minLength: 1
  23600. pattern: ^[-._a-zA-Z0-9]+$
  23601. type: string
  23602. name:
  23603. description: The name of the Secret resource being referred to.
  23604. maxLength: 253
  23605. minLength: 1
  23606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23607. type: string
  23608. namespace:
  23609. description: |-
  23610. The namespace of the Secret resource being referred to.
  23611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23612. maxLength: 63
  23613. minLength: 1
  23614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23615. type: string
  23616. type: object
  23617. value:
  23618. description: Value can be specified directly to set a value without using a secret.
  23619. type: string
  23620. type: object
  23621. required:
  23622. - password
  23623. - serverURL
  23624. - username
  23625. type: object
  23626. senhasegura:
  23627. description: Senhasegura configures this store to sync secrets using senhasegura provider
  23628. properties:
  23629. auth:
  23630. description: Auth defines parameters to authenticate in senhasegura
  23631. properties:
  23632. clientId:
  23633. type: string
  23634. clientSecretSecretRef:
  23635. description: |-
  23636. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23637. In some instances, `key` is a required field.
  23638. properties:
  23639. key:
  23640. description: |-
  23641. A key in the referenced Secret.
  23642. Some instances of this field may be defaulted, in others it may be required.
  23643. maxLength: 253
  23644. minLength: 1
  23645. pattern: ^[-._a-zA-Z0-9]+$
  23646. type: string
  23647. name:
  23648. description: The name of the Secret resource being referred to.
  23649. maxLength: 253
  23650. minLength: 1
  23651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23652. type: string
  23653. namespace:
  23654. description: |-
  23655. The namespace of the Secret resource being referred to.
  23656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23657. maxLength: 63
  23658. minLength: 1
  23659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23660. type: string
  23661. type: object
  23662. required:
  23663. - clientId
  23664. - clientSecretSecretRef
  23665. type: object
  23666. ignoreSslCertificate:
  23667. default: false
  23668. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  23669. type: boolean
  23670. module:
  23671. description: Module defines which senhasegura module should be used to get secrets
  23672. type: string
  23673. url:
  23674. description: URL of senhasegura
  23675. type: string
  23676. required:
  23677. - auth
  23678. - module
  23679. - url
  23680. type: object
  23681. vault:
  23682. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  23683. properties:
  23684. auth:
  23685. description: Auth configures how secret-manager authenticates with the Vault server.
  23686. properties:
  23687. appRole:
  23688. description: |-
  23689. AppRole authenticates with Vault using the App Role auth mechanism,
  23690. with the role and secret stored in a Kubernetes Secret resource.
  23691. properties:
  23692. path:
  23693. default: approle
  23694. description: |-
  23695. Path where the App Role authentication backend is mounted
  23696. in Vault, e.g: "approle"
  23697. type: string
  23698. roleId:
  23699. description: |-
  23700. RoleID configured in the App Role authentication backend when setting
  23701. up the authentication backend in Vault.
  23702. type: string
  23703. roleRef:
  23704. description: |-
  23705. Reference to a key in a Secret that contains the App Role ID used
  23706. to authenticate with Vault.
  23707. The `key` field must be specified and denotes which entry within the Secret
  23708. resource is used as the app role id.
  23709. properties:
  23710. key:
  23711. description: |-
  23712. A key in the referenced Secret.
  23713. Some instances of this field may be defaulted, in others it may be required.
  23714. maxLength: 253
  23715. minLength: 1
  23716. pattern: ^[-._a-zA-Z0-9]+$
  23717. type: string
  23718. name:
  23719. description: The name of the Secret resource being referred to.
  23720. maxLength: 253
  23721. minLength: 1
  23722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23723. type: string
  23724. namespace:
  23725. description: |-
  23726. The namespace of the Secret resource being referred to.
  23727. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23728. maxLength: 63
  23729. minLength: 1
  23730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23731. type: string
  23732. type: object
  23733. secretRef:
  23734. description: |-
  23735. Reference to a key in a Secret that contains the App Role secret used
  23736. to authenticate with Vault.
  23737. The `key` field must be specified and denotes which entry within the Secret
  23738. resource is used as the app role secret.
  23739. properties:
  23740. key:
  23741. description: |-
  23742. A key in the referenced Secret.
  23743. Some instances of this field may be defaulted, in others it may be required.
  23744. maxLength: 253
  23745. minLength: 1
  23746. pattern: ^[-._a-zA-Z0-9]+$
  23747. type: string
  23748. name:
  23749. description: The name of the Secret resource being referred to.
  23750. maxLength: 253
  23751. minLength: 1
  23752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23753. type: string
  23754. namespace:
  23755. description: |-
  23756. The namespace of the Secret resource being referred to.
  23757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23758. maxLength: 63
  23759. minLength: 1
  23760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23761. type: string
  23762. type: object
  23763. required:
  23764. - path
  23765. - secretRef
  23766. type: object
  23767. cert:
  23768. description: |-
  23769. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  23770. Cert authentication method
  23771. properties:
  23772. clientCert:
  23773. description: |-
  23774. ClientCert is a certificate to authenticate using the Cert Vault
  23775. authentication method
  23776. properties:
  23777. key:
  23778. description: |-
  23779. A key in the referenced Secret.
  23780. Some instances of this field may be defaulted, in others it may be required.
  23781. maxLength: 253
  23782. minLength: 1
  23783. pattern: ^[-._a-zA-Z0-9]+$
  23784. type: string
  23785. name:
  23786. description: The name of the Secret resource being referred to.
  23787. maxLength: 253
  23788. minLength: 1
  23789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23790. type: string
  23791. namespace:
  23792. description: |-
  23793. The namespace of the Secret resource being referred to.
  23794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23795. maxLength: 63
  23796. minLength: 1
  23797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23798. type: string
  23799. type: object
  23800. secretRef:
  23801. description: |-
  23802. SecretRef to a key in a Secret resource containing client private key to
  23803. authenticate with Vault using the Cert authentication method
  23804. properties:
  23805. key:
  23806. description: |-
  23807. A key in the referenced Secret.
  23808. Some instances of this field may be defaulted, in others it may be required.
  23809. maxLength: 253
  23810. minLength: 1
  23811. pattern: ^[-._a-zA-Z0-9]+$
  23812. type: string
  23813. name:
  23814. description: The name of the Secret resource being referred to.
  23815. maxLength: 253
  23816. minLength: 1
  23817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23818. type: string
  23819. namespace:
  23820. description: |-
  23821. The namespace of the Secret resource being referred to.
  23822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23823. maxLength: 63
  23824. minLength: 1
  23825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23826. type: string
  23827. type: object
  23828. type: object
  23829. iam:
  23830. description: |-
  23831. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  23832. AWS IAM authentication method
  23833. properties:
  23834. externalID:
  23835. description: AWS External ID set on assumed IAM roles
  23836. type: string
  23837. jwt:
  23838. description: Specify a service account with IRSA enabled
  23839. properties:
  23840. serviceAccountRef:
  23841. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23842. properties:
  23843. audiences:
  23844. description: |-
  23845. Audience specifies the `aud` claim for the service account token
  23846. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23847. then this audiences will be appended to the list
  23848. items:
  23849. type: string
  23850. type: array
  23851. name:
  23852. description: The name of the ServiceAccount resource being referred to.
  23853. maxLength: 253
  23854. minLength: 1
  23855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23856. type: string
  23857. namespace:
  23858. description: |-
  23859. Namespace of the resource being referred to.
  23860. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23861. maxLength: 63
  23862. minLength: 1
  23863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23864. type: string
  23865. required:
  23866. - name
  23867. type: object
  23868. type: object
  23869. path:
  23870. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  23871. type: string
  23872. region:
  23873. description: AWS region
  23874. type: string
  23875. role:
  23876. description: This is the AWS role to be assumed before talking to vault
  23877. type: string
  23878. secretRef:
  23879. description: Specify credentials in a Secret object
  23880. properties:
  23881. accessKeyIDSecretRef:
  23882. description: The AccessKeyID is used for authentication
  23883. properties:
  23884. key:
  23885. description: |-
  23886. A key in the referenced Secret.
  23887. Some instances of this field may be defaulted, in others it may be required.
  23888. maxLength: 253
  23889. minLength: 1
  23890. pattern: ^[-._a-zA-Z0-9]+$
  23891. type: string
  23892. name:
  23893. description: The name of the Secret resource being referred to.
  23894. maxLength: 253
  23895. minLength: 1
  23896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23897. type: string
  23898. namespace:
  23899. description: |-
  23900. The namespace of the Secret resource being referred to.
  23901. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23902. maxLength: 63
  23903. minLength: 1
  23904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23905. type: string
  23906. type: object
  23907. secretAccessKeySecretRef:
  23908. description: The SecretAccessKey is used for authentication
  23909. properties:
  23910. key:
  23911. description: |-
  23912. A key in the referenced Secret.
  23913. Some instances of this field may be defaulted, in others it may be required.
  23914. maxLength: 253
  23915. minLength: 1
  23916. pattern: ^[-._a-zA-Z0-9]+$
  23917. type: string
  23918. name:
  23919. description: The name of the Secret resource being referred to.
  23920. maxLength: 253
  23921. minLength: 1
  23922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23923. type: string
  23924. namespace:
  23925. description: |-
  23926. The namespace of the Secret resource being referred to.
  23927. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23928. maxLength: 63
  23929. minLength: 1
  23930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23931. type: string
  23932. type: object
  23933. sessionTokenSecretRef:
  23934. description: |-
  23935. The SessionToken used for authentication
  23936. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  23937. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  23938. properties:
  23939. key:
  23940. description: |-
  23941. A key in the referenced Secret.
  23942. Some instances of this field may be defaulted, in others it may be required.
  23943. maxLength: 253
  23944. minLength: 1
  23945. pattern: ^[-._a-zA-Z0-9]+$
  23946. type: string
  23947. name:
  23948. description: The name of the Secret resource being referred to.
  23949. maxLength: 253
  23950. minLength: 1
  23951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23952. type: string
  23953. namespace:
  23954. description: |-
  23955. The namespace of the Secret resource being referred to.
  23956. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23957. maxLength: 63
  23958. minLength: 1
  23959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23960. type: string
  23961. type: object
  23962. type: object
  23963. vaultAwsIamServerID:
  23964. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  23965. type: string
  23966. vaultRole:
  23967. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  23968. type: string
  23969. required:
  23970. - vaultRole
  23971. type: object
  23972. jwt:
  23973. description: |-
  23974. Jwt authenticates with Vault by passing role and JWT token using the
  23975. JWT/OIDC authentication method
  23976. properties:
  23977. kubernetesServiceAccountToken:
  23978. description: |-
  23979. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  23980. a token for with the `TokenRequest` API.
  23981. properties:
  23982. audiences:
  23983. description: |-
  23984. Optional audiences field that will be used to request a temporary Kubernetes service
  23985. account token for the service account referenced by `serviceAccountRef`.
  23986. Defaults to a single audience `vault` it not specified.
  23987. Deprecated: use serviceAccountRef.Audiences instead
  23988. items:
  23989. type: string
  23990. type: array
  23991. expirationSeconds:
  23992. description: |-
  23993. Optional expiration time in seconds that will be used to request a temporary
  23994. Kubernetes service account token for the service account referenced by
  23995. `serviceAccountRef`.
  23996. Deprecated: this will be removed in the future.
  23997. Defaults to 10 minutes.
  23998. format: int64
  23999. type: integer
  24000. serviceAccountRef:
  24001. description: Service account field containing the name of a kubernetes ServiceAccount.
  24002. properties:
  24003. audiences:
  24004. description: |-
  24005. Audience specifies the `aud` claim for the service account token
  24006. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24007. then this audiences will be appended to the list
  24008. items:
  24009. type: string
  24010. type: array
  24011. name:
  24012. description: The name of the ServiceAccount resource being referred to.
  24013. maxLength: 253
  24014. minLength: 1
  24015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24016. type: string
  24017. namespace:
  24018. description: |-
  24019. Namespace of the resource being referred to.
  24020. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24021. maxLength: 63
  24022. minLength: 1
  24023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24024. type: string
  24025. required:
  24026. - name
  24027. type: object
  24028. required:
  24029. - serviceAccountRef
  24030. type: object
  24031. path:
  24032. default: jwt
  24033. description: |-
  24034. Path where the JWT authentication backend is mounted
  24035. in Vault, e.g: "jwt"
  24036. type: string
  24037. role:
  24038. description: |-
  24039. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24040. authentication method
  24041. type: string
  24042. secretRef:
  24043. description: |-
  24044. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24045. authenticate with Vault using the JWT/OIDC authentication method.
  24046. properties:
  24047. key:
  24048. description: |-
  24049. A key in the referenced Secret.
  24050. Some instances of this field may be defaulted, in others it may be required.
  24051. maxLength: 253
  24052. minLength: 1
  24053. pattern: ^[-._a-zA-Z0-9]+$
  24054. type: string
  24055. name:
  24056. description: The name of the Secret resource being referred to.
  24057. maxLength: 253
  24058. minLength: 1
  24059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24060. type: string
  24061. namespace:
  24062. description: |-
  24063. The namespace of the Secret resource being referred to.
  24064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24065. maxLength: 63
  24066. minLength: 1
  24067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24068. type: string
  24069. type: object
  24070. required:
  24071. - path
  24072. type: object
  24073. kubernetes:
  24074. description: |-
  24075. Kubernetes authenticates with Vault by passing the ServiceAccount
  24076. token stored in the named Secret resource to the Vault server.
  24077. properties:
  24078. mountPath:
  24079. default: kubernetes
  24080. description: |-
  24081. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24082. "kubernetes"
  24083. type: string
  24084. role:
  24085. description: |-
  24086. A required field containing the Vault Role to assume. A Role binds a
  24087. Kubernetes ServiceAccount with a set of Vault policies.
  24088. type: string
  24089. secretRef:
  24090. description: |-
  24091. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24092. for authenticating with Vault. If a name is specified without a key,
  24093. `token` is the default. If one is not specified, the one bound to
  24094. the controller will be used.
  24095. properties:
  24096. key:
  24097. description: |-
  24098. A key in the referenced Secret.
  24099. Some instances of this field may be defaulted, in others it may be required.
  24100. maxLength: 253
  24101. minLength: 1
  24102. pattern: ^[-._a-zA-Z0-9]+$
  24103. type: string
  24104. name:
  24105. description: The name of the Secret resource being referred to.
  24106. maxLength: 253
  24107. minLength: 1
  24108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24109. type: string
  24110. namespace:
  24111. description: |-
  24112. The namespace of the Secret resource being referred to.
  24113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24114. maxLength: 63
  24115. minLength: 1
  24116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24117. type: string
  24118. type: object
  24119. serviceAccountRef:
  24120. description: |-
  24121. Optional service account field containing the name of a kubernetes ServiceAccount.
  24122. If the service account is specified, the service account secret token JWT will be used
  24123. for authenticating with Vault. If the service account selector is not supplied,
  24124. the secretRef will be used instead.
  24125. properties:
  24126. audiences:
  24127. description: |-
  24128. Audience specifies the `aud` claim for the service account token
  24129. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24130. then this audiences will be appended to the list
  24131. items:
  24132. type: string
  24133. type: array
  24134. name:
  24135. description: The name of the ServiceAccount resource being referred to.
  24136. maxLength: 253
  24137. minLength: 1
  24138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24139. type: string
  24140. namespace:
  24141. description: |-
  24142. Namespace of the resource being referred to.
  24143. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24144. maxLength: 63
  24145. minLength: 1
  24146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24147. type: string
  24148. required:
  24149. - name
  24150. type: object
  24151. required:
  24152. - mountPath
  24153. - role
  24154. type: object
  24155. ldap:
  24156. description: |-
  24157. Ldap authenticates with Vault by passing username/password pair using
  24158. the LDAP authentication method
  24159. properties:
  24160. path:
  24161. default: ldap
  24162. description: |-
  24163. Path where the LDAP authentication backend is mounted
  24164. in Vault, e.g: "ldap"
  24165. type: string
  24166. secretRef:
  24167. description: |-
  24168. SecretRef to a key in a Secret resource containing password for the LDAP
  24169. user used to authenticate with Vault using the LDAP authentication
  24170. method
  24171. properties:
  24172. key:
  24173. description: |-
  24174. A key in the referenced Secret.
  24175. Some instances of this field may be defaulted, in others it may be required.
  24176. maxLength: 253
  24177. minLength: 1
  24178. pattern: ^[-._a-zA-Z0-9]+$
  24179. type: string
  24180. name:
  24181. description: The name of the Secret resource being referred to.
  24182. maxLength: 253
  24183. minLength: 1
  24184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24185. type: string
  24186. namespace:
  24187. description: |-
  24188. The namespace of the Secret resource being referred to.
  24189. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24190. maxLength: 63
  24191. minLength: 1
  24192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24193. type: string
  24194. type: object
  24195. username:
  24196. description: |-
  24197. Username is an LDAP username used to authenticate using the LDAP Vault
  24198. authentication method
  24199. type: string
  24200. required:
  24201. - path
  24202. - username
  24203. type: object
  24204. namespace:
  24205. description: |-
  24206. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  24207. Namespaces is a set of features within Vault Enterprise that allows
  24208. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24209. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24210. This will default to Vault.Namespace field if set, or empty otherwise
  24211. type: string
  24212. tokenSecretRef:
  24213. description: TokenSecretRef authenticates with Vault by presenting a token.
  24214. properties:
  24215. key:
  24216. description: |-
  24217. A key in the referenced Secret.
  24218. Some instances of this field may be defaulted, in others it may be required.
  24219. maxLength: 253
  24220. minLength: 1
  24221. pattern: ^[-._a-zA-Z0-9]+$
  24222. type: string
  24223. name:
  24224. description: The name of the Secret resource being referred to.
  24225. maxLength: 253
  24226. minLength: 1
  24227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24228. type: string
  24229. namespace:
  24230. description: |-
  24231. The namespace of the Secret resource being referred to.
  24232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24233. maxLength: 63
  24234. minLength: 1
  24235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24236. type: string
  24237. type: object
  24238. userPass:
  24239. description: UserPass authenticates with Vault by passing username/password pair
  24240. properties:
  24241. path:
  24242. default: userpass
  24243. description: |-
  24244. Path where the UserPassword authentication backend is mounted
  24245. in Vault, e.g: "userpass"
  24246. type: string
  24247. secretRef:
  24248. description: |-
  24249. SecretRef to a key in a Secret resource containing password for the
  24250. user used to authenticate with Vault using the UserPass authentication
  24251. method
  24252. properties:
  24253. key:
  24254. description: |-
  24255. A key in the referenced Secret.
  24256. Some instances of this field may be defaulted, in others it may be required.
  24257. maxLength: 253
  24258. minLength: 1
  24259. pattern: ^[-._a-zA-Z0-9]+$
  24260. type: string
  24261. name:
  24262. description: The name of the Secret resource being referred to.
  24263. maxLength: 253
  24264. minLength: 1
  24265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24266. type: string
  24267. namespace:
  24268. description: |-
  24269. The namespace of the Secret resource being referred to.
  24270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24271. maxLength: 63
  24272. minLength: 1
  24273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24274. type: string
  24275. type: object
  24276. username:
  24277. description: |-
  24278. Username is a username used to authenticate using the UserPass Vault
  24279. authentication method
  24280. type: string
  24281. required:
  24282. - path
  24283. - username
  24284. type: object
  24285. type: object
  24286. caBundle:
  24287. description: |-
  24288. PEM encoded CA bundle used to validate Vault server certificate. Only used
  24289. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24290. plain HTTP protocol connection. If not set the system root certificates
  24291. are used to validate the TLS connection.
  24292. format: byte
  24293. type: string
  24294. caProvider:
  24295. description: The provider for the CA bundle to use to validate Vault server certificate.
  24296. properties:
  24297. key:
  24298. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24299. maxLength: 253
  24300. minLength: 1
  24301. pattern: ^[-._a-zA-Z0-9]+$
  24302. type: string
  24303. name:
  24304. description: The name of the object located at the provider type.
  24305. maxLength: 253
  24306. minLength: 1
  24307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24308. type: string
  24309. namespace:
  24310. description: |-
  24311. The namespace the Provider type is in.
  24312. Can only be defined when used in a ClusterSecretStore.
  24313. maxLength: 63
  24314. minLength: 1
  24315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24316. type: string
  24317. type:
  24318. description: The type of provider to use such as "Secret", or "ConfigMap".
  24319. enum:
  24320. - Secret
  24321. - ConfigMap
  24322. type: string
  24323. required:
  24324. - name
  24325. - type
  24326. type: object
  24327. forwardInconsistent:
  24328. description: |-
  24329. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  24330. leader instead of simply retrying within a loop. This can increase performance if
  24331. the option is enabled serverside.
  24332. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  24333. type: boolean
  24334. headers:
  24335. additionalProperties:
  24336. type: string
  24337. description: Headers to be added in Vault request
  24338. type: object
  24339. namespace:
  24340. description: |-
  24341. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  24342. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24343. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24344. type: string
  24345. path:
  24346. description: |-
  24347. Path is the mount path of the Vault KV backend endpoint, e.g:
  24348. "secret". The v2 KV secret engine version specific "/data" path suffix
  24349. for fetching secrets from Vault is optional and will be appended
  24350. if not present in specified path.
  24351. type: string
  24352. readYourWrites:
  24353. description: |-
  24354. ReadYourWrites ensures isolated read-after-write semantics by
  24355. providing discovered cluster replication states in each request.
  24356. More information about eventual consistency in Vault can be found here
  24357. https://www.vaultproject.io/docs/enterprise/consistency
  24358. type: boolean
  24359. server:
  24360. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  24361. type: string
  24362. tls:
  24363. description: |-
  24364. The configuration used for client side related TLS communication, when the Vault server
  24365. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  24366. This parameter is ignored for plain HTTP protocol connection.
  24367. It's worth noting this configuration is different from the "TLS certificates auth method",
  24368. which is available under the `auth.cert` section.
  24369. properties:
  24370. certSecretRef:
  24371. description: |-
  24372. CertSecretRef is a certificate added to the transport layer
  24373. when communicating with the Vault server.
  24374. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  24375. properties:
  24376. key:
  24377. description: |-
  24378. A key in the referenced Secret.
  24379. Some instances of this field may be defaulted, in others it may be required.
  24380. maxLength: 253
  24381. minLength: 1
  24382. pattern: ^[-._a-zA-Z0-9]+$
  24383. type: string
  24384. name:
  24385. description: The name of the Secret resource being referred to.
  24386. maxLength: 253
  24387. minLength: 1
  24388. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24389. type: string
  24390. namespace:
  24391. description: |-
  24392. The namespace of the Secret resource being referred to.
  24393. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24394. maxLength: 63
  24395. minLength: 1
  24396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24397. type: string
  24398. type: object
  24399. keySecretRef:
  24400. description: |-
  24401. KeySecretRef to a key in a Secret resource containing client private key
  24402. added to the transport layer when communicating with the Vault server.
  24403. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  24404. properties:
  24405. key:
  24406. description: |-
  24407. A key in the referenced Secret.
  24408. Some instances of this field may be defaulted, in others it may be required.
  24409. maxLength: 253
  24410. minLength: 1
  24411. pattern: ^[-._a-zA-Z0-9]+$
  24412. type: string
  24413. name:
  24414. description: The name of the Secret resource being referred to.
  24415. maxLength: 253
  24416. minLength: 1
  24417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24418. type: string
  24419. namespace:
  24420. description: |-
  24421. The namespace of the Secret resource being referred to.
  24422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24423. maxLength: 63
  24424. minLength: 1
  24425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24426. type: string
  24427. type: object
  24428. type: object
  24429. version:
  24430. default: v2
  24431. description: |-
  24432. Version is the Vault KV secret engine version. This can be either "v1" or
  24433. "v2". Version defaults to "v2".
  24434. enum:
  24435. - v1
  24436. - v2
  24437. type: string
  24438. required:
  24439. - server
  24440. type: object
  24441. webhook:
  24442. description: Webhook configures this store to sync secrets using a generic templated webhook
  24443. properties:
  24444. auth:
  24445. description: Auth specifies a authorization protocol. Only one protocol may be set.
  24446. maxProperties: 1
  24447. minProperties: 1
  24448. properties:
  24449. ntlm:
  24450. description: NTLMProtocol configures the store to use NTLM for auth
  24451. properties:
  24452. passwordSecret:
  24453. description: |-
  24454. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24455. In some instances, `key` is a required field.
  24456. properties:
  24457. key:
  24458. description: |-
  24459. A key in the referenced Secret.
  24460. Some instances of this field may be defaulted, in others it may be required.
  24461. maxLength: 253
  24462. minLength: 1
  24463. pattern: ^[-._a-zA-Z0-9]+$
  24464. type: string
  24465. name:
  24466. description: The name of the Secret resource being referred to.
  24467. maxLength: 253
  24468. minLength: 1
  24469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24470. type: string
  24471. namespace:
  24472. description: |-
  24473. The namespace of the Secret resource being referred to.
  24474. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24475. maxLength: 63
  24476. minLength: 1
  24477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24478. type: string
  24479. type: object
  24480. usernameSecret:
  24481. description: |-
  24482. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24483. In some instances, `key` is a required field.
  24484. properties:
  24485. key:
  24486. description: |-
  24487. A key in the referenced Secret.
  24488. Some instances of this field may be defaulted, in others it may be required.
  24489. maxLength: 253
  24490. minLength: 1
  24491. pattern: ^[-._a-zA-Z0-9]+$
  24492. type: string
  24493. name:
  24494. description: The name of the Secret resource being referred to.
  24495. maxLength: 253
  24496. minLength: 1
  24497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24498. type: string
  24499. namespace:
  24500. description: |-
  24501. The namespace of the Secret resource being referred to.
  24502. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24503. maxLength: 63
  24504. minLength: 1
  24505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24506. type: string
  24507. type: object
  24508. required:
  24509. - passwordSecret
  24510. - usernameSecret
  24511. type: object
  24512. type: object
  24513. body:
  24514. description: Body
  24515. type: string
  24516. caBundle:
  24517. description: |-
  24518. PEM encoded CA bundle used to validate webhook server certificate. Only used
  24519. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24520. plain HTTP protocol connection. If not set the system root certificates
  24521. are used to validate the TLS connection.
  24522. format: byte
  24523. type: string
  24524. caProvider:
  24525. description: The provider for the CA bundle to use to validate webhook server certificate.
  24526. properties:
  24527. key:
  24528. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24529. maxLength: 253
  24530. minLength: 1
  24531. pattern: ^[-._a-zA-Z0-9]+$
  24532. type: string
  24533. name:
  24534. description: The name of the object located at the provider type.
  24535. maxLength: 253
  24536. minLength: 1
  24537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24538. type: string
  24539. namespace:
  24540. description: The namespace the Provider type is in.
  24541. maxLength: 63
  24542. minLength: 1
  24543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24544. type: string
  24545. type:
  24546. description: The type of provider to use such as "Secret", or "ConfigMap".
  24547. enum:
  24548. - Secret
  24549. - ConfigMap
  24550. type: string
  24551. required:
  24552. - name
  24553. - type
  24554. type: object
  24555. headers:
  24556. additionalProperties:
  24557. type: string
  24558. description: Headers
  24559. type: object
  24560. method:
  24561. description: Webhook Method
  24562. type: string
  24563. result:
  24564. description: Result formatting
  24565. properties:
  24566. jsonPath:
  24567. description: Json path of return value
  24568. type: string
  24569. type: object
  24570. secrets:
  24571. description: |-
  24572. Secrets to fill in templates
  24573. These secrets will be passed to the templating function as key value pairs under the given name
  24574. items:
  24575. description: WebhookSecret defines a secret to be used in webhook templates.
  24576. properties:
  24577. name:
  24578. description: Name of this secret in templates
  24579. type: string
  24580. secretRef:
  24581. description: Secret ref to fill in credentials
  24582. properties:
  24583. key:
  24584. description: |-
  24585. A key in the referenced Secret.
  24586. Some instances of this field may be defaulted, in others it may be required.
  24587. maxLength: 253
  24588. minLength: 1
  24589. pattern: ^[-._a-zA-Z0-9]+$
  24590. type: string
  24591. name:
  24592. description: The name of the Secret resource being referred to.
  24593. maxLength: 253
  24594. minLength: 1
  24595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24596. type: string
  24597. namespace:
  24598. description: |-
  24599. The namespace of the Secret resource being referred to.
  24600. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24601. maxLength: 63
  24602. minLength: 1
  24603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24604. type: string
  24605. type: object
  24606. required:
  24607. - name
  24608. - secretRef
  24609. type: object
  24610. type: array
  24611. timeout:
  24612. description: Timeout
  24613. type: string
  24614. url:
  24615. description: Webhook url to call
  24616. type: string
  24617. required:
  24618. - result
  24619. - url
  24620. type: object
  24621. yandexcertificatemanager:
  24622. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  24623. properties:
  24624. apiEndpoint:
  24625. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  24626. type: string
  24627. auth:
  24628. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  24629. properties:
  24630. authorizedKeySecretRef:
  24631. description: The authorized key used for authentication
  24632. properties:
  24633. key:
  24634. description: |-
  24635. A key in the referenced Secret.
  24636. Some instances of this field may be defaulted, in others it may be required.
  24637. maxLength: 253
  24638. minLength: 1
  24639. pattern: ^[-._a-zA-Z0-9]+$
  24640. type: string
  24641. name:
  24642. description: The name of the Secret resource being referred to.
  24643. maxLength: 253
  24644. minLength: 1
  24645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24646. type: string
  24647. namespace:
  24648. description: |-
  24649. The namespace of the Secret resource being referred to.
  24650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24651. maxLength: 63
  24652. minLength: 1
  24653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24654. type: string
  24655. type: object
  24656. type: object
  24657. caProvider:
  24658. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  24659. properties:
  24660. certSecretRef:
  24661. description: |-
  24662. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24663. In some instances, `key` is a required field.
  24664. properties:
  24665. key:
  24666. description: |-
  24667. A key in the referenced Secret.
  24668. Some instances of this field may be defaulted, in others it may be required.
  24669. maxLength: 253
  24670. minLength: 1
  24671. pattern: ^[-._a-zA-Z0-9]+$
  24672. type: string
  24673. name:
  24674. description: The name of the Secret resource being referred to.
  24675. maxLength: 253
  24676. minLength: 1
  24677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24678. type: string
  24679. namespace:
  24680. description: |-
  24681. The namespace of the Secret resource being referred to.
  24682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24683. maxLength: 63
  24684. minLength: 1
  24685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24686. type: string
  24687. type: object
  24688. type: object
  24689. required:
  24690. - auth
  24691. type: object
  24692. yandexlockbox:
  24693. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  24694. properties:
  24695. apiEndpoint:
  24696. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  24697. type: string
  24698. auth:
  24699. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  24700. properties:
  24701. authorizedKeySecretRef:
  24702. description: The authorized key used for authentication
  24703. properties:
  24704. key:
  24705. description: |-
  24706. A key in the referenced Secret.
  24707. Some instances of this field may be defaulted, in others it may be required.
  24708. maxLength: 253
  24709. minLength: 1
  24710. pattern: ^[-._a-zA-Z0-9]+$
  24711. type: string
  24712. name:
  24713. description: The name of the Secret resource being referred to.
  24714. maxLength: 253
  24715. minLength: 1
  24716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24717. type: string
  24718. namespace:
  24719. description: |-
  24720. The namespace of the Secret resource being referred to.
  24721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24722. maxLength: 63
  24723. minLength: 1
  24724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24725. type: string
  24726. type: object
  24727. type: object
  24728. caProvider:
  24729. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  24730. properties:
  24731. certSecretRef:
  24732. description: |-
  24733. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24734. In some instances, `key` is a required field.
  24735. properties:
  24736. key:
  24737. description: |-
  24738. A key in the referenced Secret.
  24739. Some instances of this field may be defaulted, in others it may be required.
  24740. maxLength: 253
  24741. minLength: 1
  24742. pattern: ^[-._a-zA-Z0-9]+$
  24743. type: string
  24744. name:
  24745. description: The name of the Secret resource being referred to.
  24746. maxLength: 253
  24747. minLength: 1
  24748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24749. type: string
  24750. namespace:
  24751. description: |-
  24752. The namespace of the Secret resource being referred to.
  24753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24754. maxLength: 63
  24755. minLength: 1
  24756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24757. type: string
  24758. type: object
  24759. type: object
  24760. required:
  24761. - auth
  24762. type: object
  24763. type: object
  24764. refreshInterval:
  24765. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  24766. type: integer
  24767. retrySettings:
  24768. description: Used to configure HTTP retries on failures.
  24769. properties:
  24770. maxRetries:
  24771. description: MaxRetries is the maximum number of retry attempts.
  24772. format: int32
  24773. type: integer
  24774. retryInterval:
  24775. description: RetryInterval is the interval between retry attempts.
  24776. type: string
  24777. type: object
  24778. required:
  24779. - provider
  24780. type: object
  24781. status:
  24782. description: SecretStoreStatus defines the observed state of the SecretStore.
  24783. properties:
  24784. capabilities:
  24785. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  24786. type: string
  24787. conditions:
  24788. items:
  24789. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  24790. properties:
  24791. lastTransitionTime:
  24792. format: date-time
  24793. type: string
  24794. message:
  24795. type: string
  24796. reason:
  24797. type: string
  24798. status:
  24799. type: string
  24800. type:
  24801. description: SecretStoreConditionType represents the condition type of the SecretStore.
  24802. type: string
  24803. required:
  24804. - status
  24805. - type
  24806. type: object
  24807. type: array
  24808. type: object
  24809. type: object
  24810. served: false
  24811. storage: false
  24812. subresources:
  24813. status: {}
  24814. ---
  24815. apiVersion: apiextensions.k8s.io/v1
  24816. kind: CustomResourceDefinition
  24817. metadata:
  24818. annotations:
  24819. controller-gen.kubebuilder.io/version: v0.19.0
  24820. labels:
  24821. external-secrets.io/component: controller
  24822. name: acraccesstokens.generators.external-secrets.io
  24823. spec:
  24824. group: generators.external-secrets.io
  24825. names:
  24826. categories:
  24827. - external-secrets
  24828. - external-secrets-generators
  24829. kind: ACRAccessToken
  24830. listKind: ACRAccessTokenList
  24831. plural: acraccesstokens
  24832. singular: acraccesstoken
  24833. scope: Namespaced
  24834. versions:
  24835. - name: v1alpha1
  24836. schema:
  24837. openAPIV3Schema:
  24838. description: |-
  24839. ACRAccessToken returns an Azure Container Registry token
  24840. that can be used for pushing/pulling images.
  24841. Note: by default it will return an ACR Refresh Token with full access
  24842. (depending on the identity).
  24843. This can be scoped down to the repository level using .spec.scope.
  24844. In case scope is defined it will return an ACR Access Token.
  24845. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  24846. properties:
  24847. apiVersion:
  24848. description: |-
  24849. APIVersion defines the versioned schema of this representation of an object.
  24850. Servers should convert recognized schemas to the latest internal value, and
  24851. may reject unrecognized values.
  24852. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  24853. type: string
  24854. kind:
  24855. description: |-
  24856. Kind is a string value representing the REST resource this object represents.
  24857. Servers may infer this from the endpoint the client submits requests to.
  24858. Cannot be updated.
  24859. In CamelCase.
  24860. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  24861. type: string
  24862. metadata:
  24863. type: object
  24864. spec:
  24865. description: |-
  24866. ACRAccessTokenSpec defines how to generate the access token
  24867. e.g. how to authenticate and which registry to use.
  24868. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  24869. properties:
  24870. auth:
  24871. description: ACRAuth defines the authentication methods for Azure Container Registry.
  24872. properties:
  24873. managedIdentity:
  24874. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  24875. properties:
  24876. identityId:
  24877. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  24878. type: string
  24879. type: object
  24880. servicePrincipal:
  24881. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  24882. properties:
  24883. secretRef:
  24884. description: |-
  24885. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  24886. It uses static credentials stored in a Kind=Secret.
  24887. properties:
  24888. clientId:
  24889. description: The Azure clientId of the service principle used for authentication.
  24890. properties:
  24891. key:
  24892. description: |-
  24893. A key in the referenced Secret.
  24894. Some instances of this field may be defaulted, in others it may be required.
  24895. maxLength: 253
  24896. minLength: 1
  24897. pattern: ^[-._a-zA-Z0-9]+$
  24898. type: string
  24899. name:
  24900. description: The name of the Secret resource being referred to.
  24901. maxLength: 253
  24902. minLength: 1
  24903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24904. type: string
  24905. namespace:
  24906. description: |-
  24907. The namespace of the Secret resource being referred to.
  24908. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24909. maxLength: 63
  24910. minLength: 1
  24911. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24912. type: string
  24913. type: object
  24914. clientSecret:
  24915. description: The Azure ClientSecret of the service principle used for authentication.
  24916. properties:
  24917. key:
  24918. description: |-
  24919. A key in the referenced Secret.
  24920. Some instances of this field may be defaulted, in others it may be required.
  24921. maxLength: 253
  24922. minLength: 1
  24923. pattern: ^[-._a-zA-Z0-9]+$
  24924. type: string
  24925. name:
  24926. description: The name of the Secret resource being referred to.
  24927. maxLength: 253
  24928. minLength: 1
  24929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24930. type: string
  24931. namespace:
  24932. description: |-
  24933. The namespace of the Secret resource being referred to.
  24934. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24935. maxLength: 63
  24936. minLength: 1
  24937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24938. type: string
  24939. type: object
  24940. type: object
  24941. required:
  24942. - secretRef
  24943. type: object
  24944. workloadIdentity:
  24945. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  24946. properties:
  24947. serviceAccountRef:
  24948. description: |-
  24949. ServiceAccountRef specified the service account
  24950. that should be used when authenticating with WorkloadIdentity.
  24951. properties:
  24952. audiences:
  24953. description: |-
  24954. Audience specifies the `aud` claim for the service account token
  24955. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24956. then this audiences will be appended to the list
  24957. items:
  24958. type: string
  24959. type: array
  24960. name:
  24961. description: The name of the ServiceAccount resource being referred to.
  24962. maxLength: 253
  24963. minLength: 1
  24964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24965. type: string
  24966. namespace:
  24967. description: |-
  24968. Namespace of the resource being referred to.
  24969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24970. maxLength: 63
  24971. minLength: 1
  24972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24973. type: string
  24974. required:
  24975. - name
  24976. type: object
  24977. type: object
  24978. type: object
  24979. environmentType:
  24980. default: PublicCloud
  24981. description: |-
  24982. EnvironmentType specifies the Azure cloud environment endpoints to use for
  24983. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  24984. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  24985. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  24986. enum:
  24987. - PublicCloud
  24988. - USGovernmentCloud
  24989. - ChinaCloud
  24990. - GermanCloud
  24991. - AzureStackCloud
  24992. type: string
  24993. registry:
  24994. description: |-
  24995. the domain name of the ACR registry
  24996. e.g. foobarexample.azurecr.io
  24997. type: string
  24998. scope:
  24999. description: |-
  25000. Define the scope for the access token, e.g. pull/push access for a repository.
  25001. if not provided it will return a refresh token that has full scope.
  25002. Note: you need to pin it down to the repository level, there is no wildcard available.
  25003. examples:
  25004. repository:my-repository:pull,push
  25005. repository:my-repository:pull
  25006. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25007. type: string
  25008. tenantId:
  25009. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25010. type: string
  25011. required:
  25012. - auth
  25013. - registry
  25014. type: object
  25015. type: object
  25016. served: true
  25017. storage: true
  25018. subresources:
  25019. status: {}
  25020. ---
  25021. apiVersion: apiextensions.k8s.io/v1
  25022. kind: CustomResourceDefinition
  25023. metadata:
  25024. annotations:
  25025. controller-gen.kubebuilder.io/version: v0.19.0
  25026. labels:
  25027. external-secrets.io/component: controller
  25028. name: cloudsmithaccesstokens.generators.external-secrets.io
  25029. spec:
  25030. group: generators.external-secrets.io
  25031. names:
  25032. categories:
  25033. - external-secrets
  25034. - external-secrets-generators
  25035. kind: CloudsmithAccessToken
  25036. listKind: CloudsmithAccessTokenList
  25037. plural: cloudsmithaccesstokens
  25038. singular: cloudsmithaccesstoken
  25039. scope: Namespaced
  25040. versions:
  25041. - name: v1alpha1
  25042. schema:
  25043. openAPIV3Schema:
  25044. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  25045. properties:
  25046. apiVersion:
  25047. description: |-
  25048. APIVersion defines the versioned schema of this representation of an object.
  25049. Servers should convert recognized schemas to the latest internal value, and
  25050. may reject unrecognized values.
  25051. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25052. type: string
  25053. kind:
  25054. description: |-
  25055. Kind is a string value representing the REST resource this object represents.
  25056. Servers may infer this from the endpoint the client submits requests to.
  25057. Cannot be updated.
  25058. In CamelCase.
  25059. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25060. type: string
  25061. metadata:
  25062. type: object
  25063. spec:
  25064. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25065. properties:
  25066. apiUrl:
  25067. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25068. type: string
  25069. orgSlug:
  25070. description: OrgSlug is the organization slug in Cloudsmith
  25071. type: string
  25072. serviceAccountRef:
  25073. description: Name of the service account you are federating with
  25074. properties:
  25075. audiences:
  25076. description: |-
  25077. Audience specifies the `aud` claim for the service account token
  25078. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25079. then this audiences will be appended to the list
  25080. items:
  25081. type: string
  25082. type: array
  25083. name:
  25084. description: The name of the ServiceAccount resource being referred to.
  25085. maxLength: 253
  25086. minLength: 1
  25087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25088. type: string
  25089. namespace:
  25090. description: |-
  25091. Namespace of the resource being referred to.
  25092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25093. maxLength: 63
  25094. minLength: 1
  25095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25096. type: string
  25097. required:
  25098. - name
  25099. type: object
  25100. serviceSlug:
  25101. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25102. type: string
  25103. required:
  25104. - orgSlug
  25105. - serviceAccountRef
  25106. - serviceSlug
  25107. type: object
  25108. type: object
  25109. served: true
  25110. storage: true
  25111. subresources:
  25112. status: {}
  25113. ---
  25114. apiVersion: apiextensions.k8s.io/v1
  25115. kind: CustomResourceDefinition
  25116. metadata:
  25117. annotations:
  25118. controller-gen.kubebuilder.io/version: v0.19.0
  25119. labels:
  25120. external-secrets.io/component: controller
  25121. name: clustergenerators.generators.external-secrets.io
  25122. spec:
  25123. group: generators.external-secrets.io
  25124. names:
  25125. categories:
  25126. - external-secrets
  25127. - external-secrets-generators
  25128. kind: ClusterGenerator
  25129. listKind: ClusterGeneratorList
  25130. plural: clustergenerators
  25131. singular: clustergenerator
  25132. scope: Cluster
  25133. versions:
  25134. - name: v1alpha1
  25135. schema:
  25136. openAPIV3Schema:
  25137. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  25138. properties:
  25139. apiVersion:
  25140. description: |-
  25141. APIVersion defines the versioned schema of this representation of an object.
  25142. Servers should convert recognized schemas to the latest internal value, and
  25143. may reject unrecognized values.
  25144. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25145. type: string
  25146. kind:
  25147. description: |-
  25148. Kind is a string value representing the REST resource this object represents.
  25149. Servers may infer this from the endpoint the client submits requests to.
  25150. Cannot be updated.
  25151. In CamelCase.
  25152. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25153. type: string
  25154. metadata:
  25155. type: object
  25156. spec:
  25157. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  25158. properties:
  25159. generator:
  25160. description: Generator the spec for this generator, must match the kind.
  25161. maxProperties: 1
  25162. minProperties: 1
  25163. properties:
  25164. acrAccessTokenSpec:
  25165. description: |-
  25166. ACRAccessTokenSpec defines how to generate the access token
  25167. e.g. how to authenticate and which registry to use.
  25168. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25169. properties:
  25170. auth:
  25171. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25172. properties:
  25173. managedIdentity:
  25174. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25175. properties:
  25176. identityId:
  25177. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25178. type: string
  25179. type: object
  25180. servicePrincipal:
  25181. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25182. properties:
  25183. secretRef:
  25184. description: |-
  25185. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25186. It uses static credentials stored in a Kind=Secret.
  25187. properties:
  25188. clientId:
  25189. description: The Azure clientId of the service principle used for authentication.
  25190. properties:
  25191. key:
  25192. description: |-
  25193. A key in the referenced Secret.
  25194. Some instances of this field may be defaulted, in others it may be required.
  25195. maxLength: 253
  25196. minLength: 1
  25197. pattern: ^[-._a-zA-Z0-9]+$
  25198. type: string
  25199. name:
  25200. description: The name of the Secret resource being referred to.
  25201. maxLength: 253
  25202. minLength: 1
  25203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25204. type: string
  25205. namespace:
  25206. description: |-
  25207. The namespace of the Secret resource being referred to.
  25208. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25209. maxLength: 63
  25210. minLength: 1
  25211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25212. type: string
  25213. type: object
  25214. clientSecret:
  25215. description: The Azure ClientSecret of the service principle used for authentication.
  25216. properties:
  25217. key:
  25218. description: |-
  25219. A key in the referenced Secret.
  25220. Some instances of this field may be defaulted, in others it may be required.
  25221. maxLength: 253
  25222. minLength: 1
  25223. pattern: ^[-._a-zA-Z0-9]+$
  25224. type: string
  25225. name:
  25226. description: The name of the Secret resource being referred to.
  25227. maxLength: 253
  25228. minLength: 1
  25229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25230. type: string
  25231. namespace:
  25232. description: |-
  25233. The namespace of the Secret resource being referred to.
  25234. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25235. maxLength: 63
  25236. minLength: 1
  25237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25238. type: string
  25239. type: object
  25240. type: object
  25241. required:
  25242. - secretRef
  25243. type: object
  25244. workloadIdentity:
  25245. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25246. properties:
  25247. serviceAccountRef:
  25248. description: |-
  25249. ServiceAccountRef specified the service account
  25250. that should be used when authenticating with WorkloadIdentity.
  25251. properties:
  25252. audiences:
  25253. description: |-
  25254. Audience specifies the `aud` claim for the service account token
  25255. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25256. then this audiences will be appended to the list
  25257. items:
  25258. type: string
  25259. type: array
  25260. name:
  25261. description: The name of the ServiceAccount resource being referred to.
  25262. maxLength: 253
  25263. minLength: 1
  25264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25265. type: string
  25266. namespace:
  25267. description: |-
  25268. Namespace of the resource being referred to.
  25269. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25270. maxLength: 63
  25271. minLength: 1
  25272. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25273. type: string
  25274. required:
  25275. - name
  25276. type: object
  25277. type: object
  25278. type: object
  25279. environmentType:
  25280. default: PublicCloud
  25281. description: |-
  25282. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25283. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25284. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25285. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25286. enum:
  25287. - PublicCloud
  25288. - USGovernmentCloud
  25289. - ChinaCloud
  25290. - GermanCloud
  25291. - AzureStackCloud
  25292. type: string
  25293. registry:
  25294. description: |-
  25295. the domain name of the ACR registry
  25296. e.g. foobarexample.azurecr.io
  25297. type: string
  25298. scope:
  25299. description: |-
  25300. Define the scope for the access token, e.g. pull/push access for a repository.
  25301. if not provided it will return a refresh token that has full scope.
  25302. Note: you need to pin it down to the repository level, there is no wildcard available.
  25303. examples:
  25304. repository:my-repository:pull,push
  25305. repository:my-repository:pull
  25306. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25307. type: string
  25308. tenantId:
  25309. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25310. type: string
  25311. required:
  25312. - auth
  25313. - registry
  25314. type: object
  25315. cloudsmithAccessTokenSpec:
  25316. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25317. properties:
  25318. apiUrl:
  25319. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25320. type: string
  25321. orgSlug:
  25322. description: OrgSlug is the organization slug in Cloudsmith
  25323. type: string
  25324. serviceAccountRef:
  25325. description: Name of the service account you are federating with
  25326. properties:
  25327. audiences:
  25328. description: |-
  25329. Audience specifies the `aud` claim for the service account token
  25330. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25331. then this audiences will be appended to the list
  25332. items:
  25333. type: string
  25334. type: array
  25335. name:
  25336. description: The name of the ServiceAccount resource being referred to.
  25337. maxLength: 253
  25338. minLength: 1
  25339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25340. type: string
  25341. namespace:
  25342. description: |-
  25343. Namespace of the resource being referred to.
  25344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25345. maxLength: 63
  25346. minLength: 1
  25347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25348. type: string
  25349. required:
  25350. - name
  25351. type: object
  25352. serviceSlug:
  25353. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25354. type: string
  25355. required:
  25356. - orgSlug
  25357. - serviceAccountRef
  25358. - serviceSlug
  25359. type: object
  25360. ecrAuthorizationTokenSpec:
  25361. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  25362. properties:
  25363. auth:
  25364. description: Auth defines how to authenticate with AWS
  25365. properties:
  25366. jwt:
  25367. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  25368. properties:
  25369. serviceAccountRef:
  25370. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  25371. properties:
  25372. audiences:
  25373. description: |-
  25374. Audience specifies the `aud` claim for the service account token
  25375. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25376. then this audiences will be appended to the list
  25377. items:
  25378. type: string
  25379. type: array
  25380. name:
  25381. description: The name of the ServiceAccount resource being referred to.
  25382. maxLength: 253
  25383. minLength: 1
  25384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25385. type: string
  25386. namespace:
  25387. description: |-
  25388. Namespace of the resource being referred to.
  25389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25390. maxLength: 63
  25391. minLength: 1
  25392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25393. type: string
  25394. required:
  25395. - name
  25396. type: object
  25397. type: object
  25398. secretRef:
  25399. description: |-
  25400. AWSAuthSecretRef holds secret references for AWS credentials
  25401. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  25402. properties:
  25403. accessKeyIDSecretRef:
  25404. description: The AccessKeyID is used for authentication
  25405. properties:
  25406. key:
  25407. description: |-
  25408. A key in the referenced Secret.
  25409. Some instances of this field may be defaulted, in others it may be required.
  25410. maxLength: 253
  25411. minLength: 1
  25412. pattern: ^[-._a-zA-Z0-9]+$
  25413. type: string
  25414. name:
  25415. description: The name of the Secret resource being referred to.
  25416. maxLength: 253
  25417. minLength: 1
  25418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25419. type: string
  25420. namespace:
  25421. description: |-
  25422. The namespace of the Secret resource being referred to.
  25423. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25424. maxLength: 63
  25425. minLength: 1
  25426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25427. type: string
  25428. type: object
  25429. secretAccessKeySecretRef:
  25430. description: The SecretAccessKey is used for authentication
  25431. properties:
  25432. key:
  25433. description: |-
  25434. A key in the referenced Secret.
  25435. Some instances of this field may be defaulted, in others it may be required.
  25436. maxLength: 253
  25437. minLength: 1
  25438. pattern: ^[-._a-zA-Z0-9]+$
  25439. type: string
  25440. name:
  25441. description: The name of the Secret resource being referred to.
  25442. maxLength: 253
  25443. minLength: 1
  25444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25445. type: string
  25446. namespace:
  25447. description: |-
  25448. The namespace of the Secret resource being referred to.
  25449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25450. maxLength: 63
  25451. minLength: 1
  25452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25453. type: string
  25454. type: object
  25455. sessionTokenSecretRef:
  25456. description: |-
  25457. The SessionToken used for authentication
  25458. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  25459. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  25460. properties:
  25461. key:
  25462. description: |-
  25463. A key in the referenced Secret.
  25464. Some instances of this field may be defaulted, in others it may be required.
  25465. maxLength: 253
  25466. minLength: 1
  25467. pattern: ^[-._a-zA-Z0-9]+$
  25468. type: string
  25469. name:
  25470. description: The name of the Secret resource being referred to.
  25471. maxLength: 253
  25472. minLength: 1
  25473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25474. type: string
  25475. namespace:
  25476. description: |-
  25477. The namespace of the Secret resource being referred to.
  25478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25479. maxLength: 63
  25480. minLength: 1
  25481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25482. type: string
  25483. type: object
  25484. type: object
  25485. type: object
  25486. region:
  25487. description: Region specifies the region to operate in.
  25488. type: string
  25489. role:
  25490. description: |-
  25491. You can assume a role before making calls to the
  25492. desired AWS service.
  25493. type: string
  25494. scope:
  25495. description: |-
  25496. Scope specifies the ECR service scope.
  25497. Valid options are private and public.
  25498. type: string
  25499. required:
  25500. - region
  25501. type: object
  25502. fakeSpec:
  25503. description: FakeSpec contains the static data.
  25504. properties:
  25505. controller:
  25506. description: |-
  25507. Used to select the correct ESO controller (think: ingress.ingressClassName)
  25508. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  25509. type: string
  25510. data:
  25511. additionalProperties:
  25512. type: string
  25513. description: |-
  25514. Data defines the static data returned
  25515. by this generator.
  25516. type: object
  25517. type: object
  25518. gcrAccessTokenSpec:
  25519. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  25520. properties:
  25521. auth:
  25522. description: Auth defines the means for authenticating with GCP
  25523. properties:
  25524. secretRef:
  25525. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  25526. properties:
  25527. secretAccessKeySecretRef:
  25528. description: The SecretAccessKey is used for authentication
  25529. properties:
  25530. key:
  25531. description: |-
  25532. A key in the referenced Secret.
  25533. Some instances of this field may be defaulted, in others it may be required.
  25534. maxLength: 253
  25535. minLength: 1
  25536. pattern: ^[-._a-zA-Z0-9]+$
  25537. type: string
  25538. name:
  25539. description: The name of the Secret resource being referred to.
  25540. maxLength: 253
  25541. minLength: 1
  25542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25543. type: string
  25544. namespace:
  25545. description: |-
  25546. The namespace of the Secret resource being referred to.
  25547. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25548. maxLength: 63
  25549. minLength: 1
  25550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25551. type: string
  25552. type: object
  25553. type: object
  25554. workloadIdentity:
  25555. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  25556. properties:
  25557. clusterLocation:
  25558. type: string
  25559. clusterName:
  25560. type: string
  25561. clusterProjectID:
  25562. type: string
  25563. serviceAccountRef:
  25564. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  25565. properties:
  25566. audiences:
  25567. description: |-
  25568. Audience specifies the `aud` claim for the service account token
  25569. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25570. then this audiences will be appended to the list
  25571. items:
  25572. type: string
  25573. type: array
  25574. name:
  25575. description: The name of the ServiceAccount resource being referred to.
  25576. maxLength: 253
  25577. minLength: 1
  25578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25579. type: string
  25580. namespace:
  25581. description: |-
  25582. Namespace of the resource being referred to.
  25583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25584. maxLength: 63
  25585. minLength: 1
  25586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25587. type: string
  25588. required:
  25589. - name
  25590. type: object
  25591. required:
  25592. - clusterLocation
  25593. - clusterName
  25594. - serviceAccountRef
  25595. type: object
  25596. workloadIdentityFederation:
  25597. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  25598. properties:
  25599. audience:
  25600. description: |-
  25601. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  25602. If specified, Audience found in the external account credential config will be overridden with the configured value.
  25603. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  25604. type: string
  25605. awsSecurityCredentials:
  25606. description: |-
  25607. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  25608. when using the AWS metadata server is not an option.
  25609. properties:
  25610. awsCredentialsSecretRef:
  25611. description: |-
  25612. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  25613. Secret should be created with below names for keys
  25614. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  25615. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  25616. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  25617. properties:
  25618. name:
  25619. description: name of the secret.
  25620. maxLength: 253
  25621. minLength: 1
  25622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25623. type: string
  25624. namespace:
  25625. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  25626. maxLength: 63
  25627. minLength: 1
  25628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25629. type: string
  25630. required:
  25631. - name
  25632. type: object
  25633. region:
  25634. description: region is for configuring the AWS region to be used.
  25635. example: ap-south-1
  25636. maxLength: 50
  25637. minLength: 1
  25638. pattern: ^[a-z0-9-]+$
  25639. type: string
  25640. required:
  25641. - awsCredentialsSecretRef
  25642. - region
  25643. type: object
  25644. credConfig:
  25645. description: |-
  25646. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  25647. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  25648. serviceAccountRef must be used by providing operators service account details.
  25649. properties:
  25650. key:
  25651. description: key name holding the external account credential config.
  25652. maxLength: 253
  25653. minLength: 1
  25654. pattern: ^[-._a-zA-Z0-9]+$
  25655. type: string
  25656. name:
  25657. description: name of the configmap.
  25658. maxLength: 253
  25659. minLength: 1
  25660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25661. type: string
  25662. namespace:
  25663. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  25664. maxLength: 63
  25665. minLength: 1
  25666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25667. type: string
  25668. required:
  25669. - key
  25670. - name
  25671. type: object
  25672. externalTokenEndpoint:
  25673. description: |-
  25674. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  25675. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  25676. URL is having the expected value.
  25677. type: string
  25678. gcpServiceAccountEmail:
  25679. description: |-
  25680. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  25681. after Workload Identity Federation. Use this to grant access through the service account's
  25682. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  25683. service_account_impersonation_url in the external account JSON from credConfig;
  25684. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  25685. on that ServiceAccount.
  25686. example: my-gsa@my-project.iam.gserviceaccount.com
  25687. minLength: 1
  25688. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  25689. type: string
  25690. serviceAccountRef:
  25691. description: |-
  25692. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  25693. when Kubernetes is configured as provider in workload identity pool.
  25694. properties:
  25695. audiences:
  25696. description: |-
  25697. Audience specifies the `aud` claim for the service account token
  25698. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25699. then this audiences will be appended to the list
  25700. items:
  25701. type: string
  25702. type: array
  25703. name:
  25704. description: The name of the ServiceAccount resource being referred to.
  25705. maxLength: 253
  25706. minLength: 1
  25707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25708. type: string
  25709. namespace:
  25710. description: |-
  25711. Namespace of the resource being referred to.
  25712. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25713. maxLength: 63
  25714. minLength: 1
  25715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25716. type: string
  25717. required:
  25718. - name
  25719. type: object
  25720. type: object
  25721. type: object
  25722. projectID:
  25723. description: ProjectID defines which project to use to authenticate with
  25724. type: string
  25725. required:
  25726. - auth
  25727. - projectID
  25728. type: object
  25729. githubAccessTokenSpec:
  25730. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  25731. properties:
  25732. appID:
  25733. type: string
  25734. auth:
  25735. description: Auth configures how ESO authenticates with a Github instance.
  25736. properties:
  25737. privateKey:
  25738. description: GithubSecretRef references a secret containing GitHub credentials.
  25739. properties:
  25740. secretRef:
  25741. description: |-
  25742. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25743. In some instances, `key` is a required field.
  25744. properties:
  25745. key:
  25746. description: |-
  25747. A key in the referenced Secret.
  25748. Some instances of this field may be defaulted, in others it may be required.
  25749. maxLength: 253
  25750. minLength: 1
  25751. pattern: ^[-._a-zA-Z0-9]+$
  25752. type: string
  25753. name:
  25754. description: The name of the Secret resource being referred to.
  25755. maxLength: 253
  25756. minLength: 1
  25757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25758. type: string
  25759. namespace:
  25760. description: |-
  25761. The namespace of the Secret resource being referred to.
  25762. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25763. maxLength: 63
  25764. minLength: 1
  25765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25766. type: string
  25767. type: object
  25768. required:
  25769. - secretRef
  25770. type: object
  25771. required:
  25772. - privateKey
  25773. type: object
  25774. installID:
  25775. type: string
  25776. permissions:
  25777. additionalProperties:
  25778. type: string
  25779. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  25780. type: object
  25781. repositories:
  25782. description: |-
  25783. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  25784. is installed to.
  25785. items:
  25786. type: string
  25787. type: array
  25788. url:
  25789. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  25790. type: string
  25791. required:
  25792. - appID
  25793. - auth
  25794. - installID
  25795. type: object
  25796. grafanaSpec:
  25797. description: GrafanaSpec controls the behavior of the grafana generator.
  25798. properties:
  25799. auth:
  25800. description: |-
  25801. Auth is the authentication configuration to authenticate
  25802. against the Grafana instance.
  25803. properties:
  25804. basic:
  25805. description: |-
  25806. Basic auth credentials used to authenticate against the Grafana instance.
  25807. Note: you need a token which has elevated permissions to create service accounts.
  25808. See here for the documentation on basic roles offered by Grafana:
  25809. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25810. properties:
  25811. password:
  25812. description: A basic auth password used to authenticate against the Grafana instance.
  25813. properties:
  25814. key:
  25815. description: The key where the token is found.
  25816. maxLength: 253
  25817. minLength: 1
  25818. pattern: ^[-._a-zA-Z0-9]+$
  25819. type: string
  25820. name:
  25821. description: The name of the Secret resource being referred to.
  25822. maxLength: 253
  25823. minLength: 1
  25824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25825. type: string
  25826. type: object
  25827. username:
  25828. description: A basic auth username used to authenticate against the Grafana instance.
  25829. type: string
  25830. required:
  25831. - password
  25832. - username
  25833. type: object
  25834. token:
  25835. description: |-
  25836. A service account token used to authenticate against the Grafana instance.
  25837. Note: you need a token which has elevated permissions to create service accounts.
  25838. See here for the documentation on basic roles offered by Grafana:
  25839. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25840. properties:
  25841. key:
  25842. description: The key where the token is found.
  25843. maxLength: 253
  25844. minLength: 1
  25845. pattern: ^[-._a-zA-Z0-9]+$
  25846. type: string
  25847. name:
  25848. description: The name of the Secret resource being referred to.
  25849. maxLength: 253
  25850. minLength: 1
  25851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25852. type: string
  25853. type: object
  25854. type: object
  25855. serviceAccount:
  25856. description: |-
  25857. ServiceAccount is the configuration for the service account that
  25858. is supposed to be generated by the generator.
  25859. properties:
  25860. name:
  25861. description: Name is the name of the service account that will be created by ESO.
  25862. type: string
  25863. role:
  25864. description: |-
  25865. Role is the role of the service account.
  25866. See here for the documentation on basic roles offered by Grafana:
  25867. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25868. type: string
  25869. required:
  25870. - name
  25871. - role
  25872. type: object
  25873. url:
  25874. description: URL is the URL of the Grafana instance.
  25875. type: string
  25876. required:
  25877. - auth
  25878. - serviceAccount
  25879. - url
  25880. type: object
  25881. mfaSpec:
  25882. description: MFASpec controls the behavior of the mfa generator.
  25883. properties:
  25884. algorithm:
  25885. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  25886. type: string
  25887. length:
  25888. description: Length defines the token length. Defaults to 6 characters.
  25889. type: integer
  25890. secret:
  25891. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  25892. properties:
  25893. key:
  25894. description: |-
  25895. A key in the referenced Secret.
  25896. Some instances of this field may be defaulted, in others it may be required.
  25897. maxLength: 253
  25898. minLength: 1
  25899. pattern: ^[-._a-zA-Z0-9]+$
  25900. type: string
  25901. name:
  25902. description: The name of the Secret resource being referred to.
  25903. maxLength: 253
  25904. minLength: 1
  25905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25906. type: string
  25907. namespace:
  25908. description: |-
  25909. The namespace of the Secret resource being referred to.
  25910. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25911. maxLength: 63
  25912. minLength: 1
  25913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25914. type: string
  25915. type: object
  25916. timePeriod:
  25917. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  25918. type: integer
  25919. when:
  25920. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  25921. format: date-time
  25922. type: string
  25923. required:
  25924. - secret
  25925. type: object
  25926. passwordSpec:
  25927. description: PasswordSpec controls the behavior of the password generator.
  25928. properties:
  25929. allowRepeat:
  25930. default: false
  25931. description: set AllowRepeat to true to allow repeating characters.
  25932. type: boolean
  25933. digits:
  25934. description: |-
  25935. Digits specifies the number of digits in the generated
  25936. password. If omitted it defaults to 25% of the length of the password
  25937. type: integer
  25938. encoding:
  25939. default: raw
  25940. description: |-
  25941. Encoding specifies the encoding of the generated password.
  25942. Valid values are:
  25943. - "raw" (default): no encoding
  25944. - "base64": standard base64 encoding
  25945. - "base64url": base64url encoding
  25946. - "base32": base32 encoding
  25947. - "hex": hexadecimal encoding
  25948. enum:
  25949. - base64
  25950. - base64url
  25951. - base32
  25952. - hex
  25953. - raw
  25954. type: string
  25955. length:
  25956. default: 24
  25957. description: |-
  25958. Length of the password to be generated.
  25959. Defaults to 24
  25960. type: integer
  25961. noUpper:
  25962. default: false
  25963. description: Set NoUpper to disable uppercase characters
  25964. type: boolean
  25965. secretKeys:
  25966. description: |-
  25967. SecretKeys defines the keys that will be populated with generated passwords.
  25968. Defaults to "password" when not set.
  25969. items:
  25970. type: string
  25971. minItems: 1
  25972. type: array
  25973. symbolCharacters:
  25974. description: |-
  25975. SymbolCharacters specifies the special characters that should be used
  25976. in the generated password.
  25977. type: string
  25978. symbols:
  25979. description: |-
  25980. Symbols specifies the number of symbol characters in the generated
  25981. password. If omitted it defaults to 25% of the length of the password
  25982. type: integer
  25983. required:
  25984. - allowRepeat
  25985. - length
  25986. - noUpper
  25987. type: object
  25988. quayAccessTokenSpec:
  25989. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  25990. properties:
  25991. robotAccount:
  25992. description: Name of the robot account you are federating with
  25993. type: string
  25994. serviceAccountRef:
  25995. description: Name of the service account you are federating with
  25996. properties:
  25997. audiences:
  25998. description: |-
  25999. Audience specifies the `aud` claim for the service account token
  26000. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26001. then this audiences will be appended to the list
  26002. items:
  26003. type: string
  26004. type: array
  26005. name:
  26006. description: The name of the ServiceAccount resource being referred to.
  26007. maxLength: 253
  26008. minLength: 1
  26009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26010. type: string
  26011. namespace:
  26012. description: |-
  26013. Namespace of the resource being referred to.
  26014. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26015. maxLength: 63
  26016. minLength: 1
  26017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26018. type: string
  26019. required:
  26020. - name
  26021. type: object
  26022. url:
  26023. description: URL configures the Quay instance URL. Defaults to quay.io.
  26024. type: string
  26025. required:
  26026. - robotAccount
  26027. - serviceAccountRef
  26028. type: object
  26029. sshKeySpec:
  26030. description: SSHKeySpec controls the behavior of the ssh key generator.
  26031. properties:
  26032. comment:
  26033. description: Comment specifies an optional comment for the SSH key
  26034. type: string
  26035. keySize:
  26036. description: |-
  26037. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  26038. For RSA keys: 2048, 3072, 4096
  26039. For ECDSA keys: 256, 384, 521
  26040. Ignored for ed25519 keys
  26041. maximum: 8192
  26042. minimum: 256
  26043. type: integer
  26044. keyType:
  26045. default: rsa
  26046. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  26047. enum:
  26048. - rsa
  26049. - ecdsa
  26050. - ed25519
  26051. type: string
  26052. type: object
  26053. stsAssumeRoleTokenSpec:
  26054. description: |-
  26055. STSAssumeRoleTokenSpec defines the desired state to generate temporary AWS credentials
  26056. via sts:AssumeRole. Unlike STSSessionToken, this generator works with both long-term
  26057. credentials and temporary credentials (e.g. IRSA / pod identity).
  26058. properties:
  26059. auth:
  26060. description: Auth defines how to authenticate with AWS.
  26061. properties:
  26062. jwt:
  26063. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26064. properties:
  26065. serviceAccountRef:
  26066. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26067. properties:
  26068. audiences:
  26069. description: |-
  26070. Audience specifies the `aud` claim for the service account token
  26071. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26072. then this audiences will be appended to the list
  26073. items:
  26074. type: string
  26075. type: array
  26076. name:
  26077. description: The name of the ServiceAccount resource being referred to.
  26078. maxLength: 253
  26079. minLength: 1
  26080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26081. type: string
  26082. namespace:
  26083. description: |-
  26084. Namespace of the resource being referred to.
  26085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26086. maxLength: 63
  26087. minLength: 1
  26088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26089. type: string
  26090. required:
  26091. - name
  26092. type: object
  26093. type: object
  26094. secretRef:
  26095. description: |-
  26096. AWSAuthSecretRef holds secret references for AWS credentials
  26097. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26098. properties:
  26099. accessKeyIDSecretRef:
  26100. description: The AccessKeyID is used for authentication
  26101. properties:
  26102. key:
  26103. description: |-
  26104. A key in the referenced Secret.
  26105. Some instances of this field may be defaulted, in others it may be required.
  26106. maxLength: 253
  26107. minLength: 1
  26108. pattern: ^[-._a-zA-Z0-9]+$
  26109. type: string
  26110. name:
  26111. description: The name of the Secret resource being referred to.
  26112. maxLength: 253
  26113. minLength: 1
  26114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26115. type: string
  26116. namespace:
  26117. description: |-
  26118. The namespace of the Secret resource being referred to.
  26119. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26120. maxLength: 63
  26121. minLength: 1
  26122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26123. type: string
  26124. type: object
  26125. secretAccessKeySecretRef:
  26126. description: The SecretAccessKey is used for authentication
  26127. properties:
  26128. key:
  26129. description: |-
  26130. A key in the referenced Secret.
  26131. Some instances of this field may be defaulted, in others it may be required.
  26132. maxLength: 253
  26133. minLength: 1
  26134. pattern: ^[-._a-zA-Z0-9]+$
  26135. type: string
  26136. name:
  26137. description: The name of the Secret resource being referred to.
  26138. maxLength: 253
  26139. minLength: 1
  26140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26141. type: string
  26142. namespace:
  26143. description: |-
  26144. The namespace of the Secret resource being referred to.
  26145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26146. maxLength: 63
  26147. minLength: 1
  26148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26149. type: string
  26150. type: object
  26151. sessionTokenSecretRef:
  26152. description: |-
  26153. The SessionToken used for authentication
  26154. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26155. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26156. properties:
  26157. key:
  26158. description: |-
  26159. A key in the referenced Secret.
  26160. Some instances of this field may be defaulted, in others it may be required.
  26161. maxLength: 253
  26162. minLength: 1
  26163. pattern: ^[-._a-zA-Z0-9]+$
  26164. type: string
  26165. name:
  26166. description: The name of the Secret resource being referred to.
  26167. maxLength: 253
  26168. minLength: 1
  26169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26170. type: string
  26171. namespace:
  26172. description: |-
  26173. The namespace of the Secret resource being referred to.
  26174. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26175. maxLength: 63
  26176. minLength: 1
  26177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26178. type: string
  26179. type: object
  26180. type: object
  26181. type: object
  26182. region:
  26183. description: Region specifies the AWS region to operate in.
  26184. type: string
  26185. requestParameters:
  26186. description: RequestParameters contains optional parameters for the AssumeRole call.
  26187. properties:
  26188. externalID:
  26189. description: |-
  26190. ExternalID is a unique identifier that might be required when you assume a
  26191. role in another account. If the administrator of the account to which the
  26192. role belongs provided you with an external ID, then provide that value.
  26193. type: string
  26194. sessionDuration:
  26195. description: |-
  26196. SessionDuration The duration, in seconds, of the role session.
  26197. The value can range from 900 seconds (15 minutes) to the maximum session
  26198. duration setting for the role. If not specified, the default is 1 hour.
  26199. format: int32
  26200. type: integer
  26201. type: object
  26202. role:
  26203. description: Role is the ARN of the IAM role to assume.
  26204. minLength: 1
  26205. type: string
  26206. required:
  26207. - region
  26208. - role
  26209. type: object
  26210. stsSessionTokenSpec:
  26211. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  26212. properties:
  26213. auth:
  26214. description: Auth defines how to authenticate with AWS
  26215. properties:
  26216. jwt:
  26217. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26218. properties:
  26219. serviceAccountRef:
  26220. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26221. properties:
  26222. audiences:
  26223. description: |-
  26224. Audience specifies the `aud` claim for the service account token
  26225. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26226. then this audiences will be appended to the list
  26227. items:
  26228. type: string
  26229. type: array
  26230. name:
  26231. description: The name of the ServiceAccount resource being referred to.
  26232. maxLength: 253
  26233. minLength: 1
  26234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26235. type: string
  26236. namespace:
  26237. description: |-
  26238. Namespace of the resource being referred to.
  26239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26240. maxLength: 63
  26241. minLength: 1
  26242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26243. type: string
  26244. required:
  26245. - name
  26246. type: object
  26247. type: object
  26248. secretRef:
  26249. description: |-
  26250. AWSAuthSecretRef holds secret references for AWS credentials
  26251. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26252. properties:
  26253. accessKeyIDSecretRef:
  26254. description: The AccessKeyID is used for authentication
  26255. properties:
  26256. key:
  26257. description: |-
  26258. A key in the referenced Secret.
  26259. Some instances of this field may be defaulted, in others it may be required.
  26260. maxLength: 253
  26261. minLength: 1
  26262. pattern: ^[-._a-zA-Z0-9]+$
  26263. type: string
  26264. name:
  26265. description: The name of the Secret resource being referred to.
  26266. maxLength: 253
  26267. minLength: 1
  26268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26269. type: string
  26270. namespace:
  26271. description: |-
  26272. The namespace of the Secret resource being referred to.
  26273. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26274. maxLength: 63
  26275. minLength: 1
  26276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26277. type: string
  26278. type: object
  26279. secretAccessKeySecretRef:
  26280. description: The SecretAccessKey is used for authentication
  26281. properties:
  26282. key:
  26283. description: |-
  26284. A key in the referenced Secret.
  26285. Some instances of this field may be defaulted, in others it may be required.
  26286. maxLength: 253
  26287. minLength: 1
  26288. pattern: ^[-._a-zA-Z0-9]+$
  26289. type: string
  26290. name:
  26291. description: The name of the Secret resource being referred to.
  26292. maxLength: 253
  26293. minLength: 1
  26294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26295. type: string
  26296. namespace:
  26297. description: |-
  26298. The namespace of the Secret resource being referred to.
  26299. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26300. maxLength: 63
  26301. minLength: 1
  26302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26303. type: string
  26304. type: object
  26305. sessionTokenSecretRef:
  26306. description: |-
  26307. The SessionToken used for authentication
  26308. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26309. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26310. properties:
  26311. key:
  26312. description: |-
  26313. A key in the referenced Secret.
  26314. Some instances of this field may be defaulted, in others it may be required.
  26315. maxLength: 253
  26316. minLength: 1
  26317. pattern: ^[-._a-zA-Z0-9]+$
  26318. type: string
  26319. name:
  26320. description: The name of the Secret resource being referred to.
  26321. maxLength: 253
  26322. minLength: 1
  26323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26324. type: string
  26325. namespace:
  26326. description: |-
  26327. The namespace of the Secret resource being referred to.
  26328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26329. maxLength: 63
  26330. minLength: 1
  26331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26332. type: string
  26333. type: object
  26334. type: object
  26335. type: object
  26336. region:
  26337. description: Region specifies the region to operate in.
  26338. type: string
  26339. requestParameters:
  26340. description: RequestParameters contains parameters that can be passed to the STS service.
  26341. properties:
  26342. serialNumber:
  26343. description: |-
  26344. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  26345. the GetSessionToken call.
  26346. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  26347. (such as arn:aws:iam::123456789012:mfa/user)
  26348. type: string
  26349. sessionDuration:
  26350. format: int32
  26351. type: integer
  26352. tokenCode:
  26353. description: TokenCode is the value provided by the MFA device, if MFA is required.
  26354. type: string
  26355. type: object
  26356. role:
  26357. description: |-
  26358. You can assume a role before making calls to the
  26359. desired AWS service.
  26360. type: string
  26361. required:
  26362. - region
  26363. type: object
  26364. uuidSpec:
  26365. description: UUIDSpec controls the behavior of the uuid generator.
  26366. type: object
  26367. vaultDynamicSecretSpec:
  26368. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  26369. properties:
  26370. allowEmptyResponse:
  26371. default: false
  26372. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  26373. type: boolean
  26374. controller:
  26375. description: |-
  26376. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26377. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26378. type: string
  26379. getParameters:
  26380. additionalProperties:
  26381. items:
  26382. type: string
  26383. type: array
  26384. description: |-
  26385. GetParameters are query-string parameters passed to Vault on GET calls.
  26386. Each key may map to multiple values, matching HTTP query-string semantics.
  26387. Ignored for non-GET methods; use Parameters for write bodies.
  26388. type: object
  26389. method:
  26390. description: Vault API method to use (GET/POST/other)
  26391. type: string
  26392. parameters:
  26393. description: Parameters to pass to Vault write (for non-GET methods)
  26394. x-kubernetes-preserve-unknown-fields: true
  26395. path:
  26396. description: Vault path to obtain the dynamic secret from
  26397. type: string
  26398. provider:
  26399. description: Vault provider common spec
  26400. properties:
  26401. auth:
  26402. description: Auth configures how secret-manager authenticates with the Vault server.
  26403. properties:
  26404. appRole:
  26405. description: |-
  26406. AppRole authenticates with Vault using the App Role auth mechanism,
  26407. with the role and secret stored in a Kubernetes Secret resource.
  26408. properties:
  26409. path:
  26410. default: approle
  26411. description: |-
  26412. Path where the App Role authentication backend is mounted
  26413. in Vault, e.g: "approle"
  26414. type: string
  26415. roleId:
  26416. description: |-
  26417. RoleID configured in the App Role authentication backend when setting
  26418. up the authentication backend in Vault.
  26419. type: string
  26420. roleRef:
  26421. description: |-
  26422. Reference to a key in a Secret that contains the App Role ID used
  26423. to authenticate with Vault.
  26424. The `key` field must be specified and denotes which entry within the Secret
  26425. resource is used as the app role id.
  26426. properties:
  26427. key:
  26428. description: |-
  26429. A key in the referenced Secret.
  26430. Some instances of this field may be defaulted, in others it may be required.
  26431. maxLength: 253
  26432. minLength: 1
  26433. pattern: ^[-._a-zA-Z0-9]+$
  26434. type: string
  26435. name:
  26436. description: The name of the Secret resource being referred to.
  26437. maxLength: 253
  26438. minLength: 1
  26439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26440. type: string
  26441. namespace:
  26442. description: |-
  26443. The namespace of the Secret resource being referred to.
  26444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26445. maxLength: 63
  26446. minLength: 1
  26447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26448. type: string
  26449. type: object
  26450. secretRef:
  26451. description: |-
  26452. Reference to a key in a Secret that contains the App Role secret used
  26453. to authenticate with Vault.
  26454. The `key` field must be specified and denotes which entry within the Secret
  26455. resource is used as the app role secret.
  26456. properties:
  26457. key:
  26458. description: |-
  26459. A key in the referenced Secret.
  26460. Some instances of this field may be defaulted, in others it may be required.
  26461. maxLength: 253
  26462. minLength: 1
  26463. pattern: ^[-._a-zA-Z0-9]+$
  26464. type: string
  26465. name:
  26466. description: The name of the Secret resource being referred to.
  26467. maxLength: 253
  26468. minLength: 1
  26469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26470. type: string
  26471. namespace:
  26472. description: |-
  26473. The namespace of the Secret resource being referred to.
  26474. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26475. maxLength: 63
  26476. minLength: 1
  26477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26478. type: string
  26479. type: object
  26480. required:
  26481. - path
  26482. - secretRef
  26483. type: object
  26484. cert:
  26485. description: |-
  26486. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  26487. Cert authentication method
  26488. properties:
  26489. clientCert:
  26490. description: |-
  26491. ClientCert is a certificate to authenticate using the Cert Vault
  26492. authentication method
  26493. properties:
  26494. key:
  26495. description: |-
  26496. A key in the referenced Secret.
  26497. Some instances of this field may be defaulted, in others it may be required.
  26498. maxLength: 253
  26499. minLength: 1
  26500. pattern: ^[-._a-zA-Z0-9]+$
  26501. type: string
  26502. name:
  26503. description: The name of the Secret resource being referred to.
  26504. maxLength: 253
  26505. minLength: 1
  26506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26507. type: string
  26508. namespace:
  26509. description: |-
  26510. The namespace of the Secret resource being referred to.
  26511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26512. maxLength: 63
  26513. minLength: 1
  26514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26515. type: string
  26516. type: object
  26517. path:
  26518. default: cert
  26519. description: |-
  26520. Path where the Certificate authentication backend is mounted
  26521. in Vault, e.g: "cert"
  26522. type: string
  26523. secretRef:
  26524. description: |-
  26525. SecretRef to a key in a Secret resource containing client private key to
  26526. authenticate with Vault using the Cert authentication method
  26527. properties:
  26528. key:
  26529. description: |-
  26530. A key in the referenced Secret.
  26531. Some instances of this field may be defaulted, in others it may be required.
  26532. maxLength: 253
  26533. minLength: 1
  26534. pattern: ^[-._a-zA-Z0-9]+$
  26535. type: string
  26536. name:
  26537. description: The name of the Secret resource being referred to.
  26538. maxLength: 253
  26539. minLength: 1
  26540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26541. type: string
  26542. namespace:
  26543. description: |-
  26544. The namespace of the Secret resource being referred to.
  26545. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26546. maxLength: 63
  26547. minLength: 1
  26548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26549. type: string
  26550. type: object
  26551. vaultRole:
  26552. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  26553. type: string
  26554. type: object
  26555. gcp:
  26556. description: |-
  26557. Gcp authenticates with Vault using Google Cloud Platform authentication method
  26558. GCP authentication method
  26559. properties:
  26560. location:
  26561. description: Location optionally defines a location/region for the secret
  26562. type: string
  26563. path:
  26564. default: gcp
  26565. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  26566. type: string
  26567. projectID:
  26568. description: Project ID of the Google Cloud Platform project
  26569. type: string
  26570. role:
  26571. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  26572. type: string
  26573. secretRef:
  26574. description: Specify credentials in a Secret object
  26575. properties:
  26576. secretAccessKeySecretRef:
  26577. description: The SecretAccessKey is used for authentication
  26578. properties:
  26579. key:
  26580. description: |-
  26581. A key in the referenced Secret.
  26582. Some instances of this field may be defaulted, in others it may be required.
  26583. maxLength: 253
  26584. minLength: 1
  26585. pattern: ^[-._a-zA-Z0-9]+$
  26586. type: string
  26587. name:
  26588. description: The name of the Secret resource being referred to.
  26589. maxLength: 253
  26590. minLength: 1
  26591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26592. type: string
  26593. namespace:
  26594. description: |-
  26595. The namespace of the Secret resource being referred to.
  26596. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26597. maxLength: 63
  26598. minLength: 1
  26599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26600. type: string
  26601. type: object
  26602. type: object
  26603. serviceAccountRef:
  26604. description: ServiceAccountRef to a service account for impersonation
  26605. properties:
  26606. audiences:
  26607. description: |-
  26608. Audience specifies the `aud` claim for the service account token
  26609. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26610. then this audiences will be appended to the list
  26611. items:
  26612. type: string
  26613. type: array
  26614. name:
  26615. description: The name of the ServiceAccount resource being referred to.
  26616. maxLength: 253
  26617. minLength: 1
  26618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26619. type: string
  26620. namespace:
  26621. description: |-
  26622. Namespace of the resource being referred to.
  26623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26624. maxLength: 63
  26625. minLength: 1
  26626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26627. type: string
  26628. required:
  26629. - name
  26630. type: object
  26631. workloadIdentity:
  26632. description: Specify a service account with Workload Identity
  26633. properties:
  26634. clusterLocation:
  26635. description: |-
  26636. ClusterLocation is the location of the cluster
  26637. If not specified, it fetches information from the metadata server
  26638. type: string
  26639. clusterName:
  26640. description: |-
  26641. ClusterName is the name of the cluster
  26642. If not specified, it fetches information from the metadata server
  26643. type: string
  26644. clusterProjectID:
  26645. description: |-
  26646. ClusterProjectID is the project ID of the cluster
  26647. If not specified, it fetches information from the metadata server
  26648. type: string
  26649. serviceAccountRef:
  26650. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26651. properties:
  26652. audiences:
  26653. description: |-
  26654. Audience specifies the `aud` claim for the service account token
  26655. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26656. then this audiences will be appended to the list
  26657. items:
  26658. type: string
  26659. type: array
  26660. name:
  26661. description: The name of the ServiceAccount resource being referred to.
  26662. maxLength: 253
  26663. minLength: 1
  26664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26665. type: string
  26666. namespace:
  26667. description: |-
  26668. Namespace of the resource being referred to.
  26669. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26670. maxLength: 63
  26671. minLength: 1
  26672. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26673. type: string
  26674. required:
  26675. - name
  26676. type: object
  26677. required:
  26678. - serviceAccountRef
  26679. type: object
  26680. required:
  26681. - role
  26682. type: object
  26683. iam:
  26684. description: |-
  26685. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  26686. AWS IAM authentication method
  26687. properties:
  26688. externalID:
  26689. description: AWS External ID set on assumed IAM roles
  26690. type: string
  26691. jwt:
  26692. description: Specify a service account with IRSA enabled
  26693. properties:
  26694. serviceAccountRef:
  26695. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26696. properties:
  26697. audiences:
  26698. description: |-
  26699. Audience specifies the `aud` claim for the service account token
  26700. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26701. then this audiences will be appended to the list
  26702. items:
  26703. type: string
  26704. type: array
  26705. name:
  26706. description: The name of the ServiceAccount resource being referred to.
  26707. maxLength: 253
  26708. minLength: 1
  26709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26710. type: string
  26711. namespace:
  26712. description: |-
  26713. Namespace of the resource being referred to.
  26714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26715. maxLength: 63
  26716. minLength: 1
  26717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26718. type: string
  26719. required:
  26720. - name
  26721. type: object
  26722. type: object
  26723. path:
  26724. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  26725. type: string
  26726. region:
  26727. description: AWS region
  26728. type: string
  26729. role:
  26730. description: This is the AWS role to be assumed before talking to vault
  26731. type: string
  26732. secretRef:
  26733. description: Specify credentials in a Secret object
  26734. properties:
  26735. accessKeyIDSecretRef:
  26736. description: The AccessKeyID is used for authentication
  26737. properties:
  26738. key:
  26739. description: |-
  26740. A key in the referenced Secret.
  26741. Some instances of this field may be defaulted, in others it may be required.
  26742. maxLength: 253
  26743. minLength: 1
  26744. pattern: ^[-._a-zA-Z0-9]+$
  26745. type: string
  26746. name:
  26747. description: The name of the Secret resource being referred to.
  26748. maxLength: 253
  26749. minLength: 1
  26750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26751. type: string
  26752. namespace:
  26753. description: |-
  26754. The namespace of the Secret resource being referred to.
  26755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26756. maxLength: 63
  26757. minLength: 1
  26758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26759. type: string
  26760. type: object
  26761. secretAccessKeySecretRef:
  26762. description: The SecretAccessKey is used for authentication
  26763. properties:
  26764. key:
  26765. description: |-
  26766. A key in the referenced Secret.
  26767. Some instances of this field may be defaulted, in others it may be required.
  26768. maxLength: 253
  26769. minLength: 1
  26770. pattern: ^[-._a-zA-Z0-9]+$
  26771. type: string
  26772. name:
  26773. description: The name of the Secret resource being referred to.
  26774. maxLength: 253
  26775. minLength: 1
  26776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26777. type: string
  26778. namespace:
  26779. description: |-
  26780. The namespace of the Secret resource being referred to.
  26781. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26782. maxLength: 63
  26783. minLength: 1
  26784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26785. type: string
  26786. type: object
  26787. sessionTokenSecretRef:
  26788. description: |-
  26789. The SessionToken used for authentication
  26790. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26791. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26792. properties:
  26793. key:
  26794. description: |-
  26795. A key in the referenced Secret.
  26796. Some instances of this field may be defaulted, in others it may be required.
  26797. maxLength: 253
  26798. minLength: 1
  26799. pattern: ^[-._a-zA-Z0-9]+$
  26800. type: string
  26801. name:
  26802. description: The name of the Secret resource being referred to.
  26803. maxLength: 253
  26804. minLength: 1
  26805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26806. type: string
  26807. namespace:
  26808. description: |-
  26809. The namespace of the Secret resource being referred to.
  26810. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26811. maxLength: 63
  26812. minLength: 1
  26813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26814. type: string
  26815. type: object
  26816. type: object
  26817. vaultAwsIamServerID:
  26818. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  26819. type: string
  26820. vaultRole:
  26821. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  26822. type: string
  26823. required:
  26824. - vaultRole
  26825. type: object
  26826. jwt:
  26827. description: |-
  26828. Jwt authenticates with Vault by passing role and JWT token using the
  26829. JWT/OIDC authentication method
  26830. properties:
  26831. kubernetesServiceAccountToken:
  26832. description: |-
  26833. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  26834. a token for with the `TokenRequest` API.
  26835. properties:
  26836. audiences:
  26837. description: |-
  26838. Optional audiences field that will be used to request a temporary Kubernetes service
  26839. account token for the service account referenced by `serviceAccountRef`.
  26840. Defaults to a single audience `vault` it not specified.
  26841. Deprecated: use serviceAccountRef.Audiences instead
  26842. items:
  26843. type: string
  26844. type: array
  26845. expirationSeconds:
  26846. description: |-
  26847. Optional expiration time in seconds that will be used to request a temporary
  26848. Kubernetes service account token for the service account referenced by
  26849. `serviceAccountRef`.
  26850. Deprecated: this will be removed in the future.
  26851. Defaults to 10 minutes.
  26852. format: int64
  26853. type: integer
  26854. serviceAccountRef:
  26855. description: Service account field containing the name of a kubernetes ServiceAccount.
  26856. properties:
  26857. audiences:
  26858. description: |-
  26859. Audience specifies the `aud` claim for the service account token
  26860. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26861. then this audiences will be appended to the list
  26862. items:
  26863. type: string
  26864. type: array
  26865. name:
  26866. description: The name of the ServiceAccount resource being referred to.
  26867. maxLength: 253
  26868. minLength: 1
  26869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26870. type: string
  26871. namespace:
  26872. description: |-
  26873. Namespace of the resource being referred to.
  26874. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26875. maxLength: 63
  26876. minLength: 1
  26877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26878. type: string
  26879. required:
  26880. - name
  26881. type: object
  26882. required:
  26883. - serviceAccountRef
  26884. type: object
  26885. path:
  26886. default: jwt
  26887. description: |-
  26888. Path where the JWT authentication backend is mounted
  26889. in Vault, e.g: "jwt"
  26890. type: string
  26891. role:
  26892. description: |-
  26893. Role is a JWT role to authenticate using the JWT/OIDC Vault
  26894. authentication method
  26895. type: string
  26896. secretRef:
  26897. description: |-
  26898. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  26899. authenticate with Vault using the JWT/OIDC authentication method.
  26900. properties:
  26901. key:
  26902. description: |-
  26903. A key in the referenced Secret.
  26904. Some instances of this field may be defaulted, in others it may be required.
  26905. maxLength: 253
  26906. minLength: 1
  26907. pattern: ^[-._a-zA-Z0-9]+$
  26908. type: string
  26909. name:
  26910. description: The name of the Secret resource being referred to.
  26911. maxLength: 253
  26912. minLength: 1
  26913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26914. type: string
  26915. namespace:
  26916. description: |-
  26917. The namespace of the Secret resource being referred to.
  26918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26919. maxLength: 63
  26920. minLength: 1
  26921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26922. type: string
  26923. type: object
  26924. required:
  26925. - path
  26926. type: object
  26927. kubernetes:
  26928. description: |-
  26929. Kubernetes authenticates with Vault by passing the ServiceAccount
  26930. token stored in the named Secret resource to the Vault server.
  26931. properties:
  26932. mountPath:
  26933. default: kubernetes
  26934. description: |-
  26935. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  26936. "kubernetes"
  26937. type: string
  26938. role:
  26939. description: |-
  26940. A required field containing the Vault Role to assume. A Role binds a
  26941. Kubernetes ServiceAccount with a set of Vault policies.
  26942. type: string
  26943. secretRef:
  26944. description: |-
  26945. Optional secret field containing a Kubernetes ServiceAccount JWT used
  26946. for authenticating with Vault. If a name is specified without a key,
  26947. `token` is the default. If one is not specified, the one bound to
  26948. the controller will be used.
  26949. properties:
  26950. key:
  26951. description: |-
  26952. A key in the referenced Secret.
  26953. Some instances of this field may be defaulted, in others it may be required.
  26954. maxLength: 253
  26955. minLength: 1
  26956. pattern: ^[-._a-zA-Z0-9]+$
  26957. type: string
  26958. name:
  26959. description: The name of the Secret resource being referred to.
  26960. maxLength: 253
  26961. minLength: 1
  26962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26963. type: string
  26964. namespace:
  26965. description: |-
  26966. The namespace of the Secret resource being referred to.
  26967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26968. maxLength: 63
  26969. minLength: 1
  26970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26971. type: string
  26972. type: object
  26973. serviceAccountRef:
  26974. description: |-
  26975. Optional service account field containing the name of a kubernetes ServiceAccount.
  26976. If the service account is specified, the service account secret token JWT will be used
  26977. for authenticating with Vault. If the service account selector is not supplied,
  26978. the secretRef will be used instead.
  26979. properties:
  26980. audiences:
  26981. description: |-
  26982. Audience specifies the `aud` claim for the service account token
  26983. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26984. then this audiences will be appended to the list
  26985. items:
  26986. type: string
  26987. type: array
  26988. name:
  26989. description: The name of the ServiceAccount resource being referred to.
  26990. maxLength: 253
  26991. minLength: 1
  26992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26993. type: string
  26994. namespace:
  26995. description: |-
  26996. Namespace of the resource being referred to.
  26997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26998. maxLength: 63
  26999. minLength: 1
  27000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27001. type: string
  27002. required:
  27003. - name
  27004. type: object
  27005. required:
  27006. - mountPath
  27007. - role
  27008. type: object
  27009. ldap:
  27010. description: |-
  27011. Ldap authenticates with Vault by passing username/password pair using
  27012. the LDAP authentication method
  27013. properties:
  27014. path:
  27015. default: ldap
  27016. description: |-
  27017. Path where the LDAP authentication backend is mounted
  27018. in Vault, e.g: "ldap"
  27019. type: string
  27020. secretRef:
  27021. description: |-
  27022. SecretRef to a key in a Secret resource containing password for the LDAP
  27023. user used to authenticate with Vault using the LDAP authentication
  27024. method
  27025. properties:
  27026. key:
  27027. description: |-
  27028. A key in the referenced Secret.
  27029. Some instances of this field may be defaulted, in others it may be required.
  27030. maxLength: 253
  27031. minLength: 1
  27032. pattern: ^[-._a-zA-Z0-9]+$
  27033. type: string
  27034. name:
  27035. description: The name of the Secret resource being referred to.
  27036. maxLength: 253
  27037. minLength: 1
  27038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27039. type: string
  27040. namespace:
  27041. description: |-
  27042. The namespace of the Secret resource being referred to.
  27043. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27044. maxLength: 63
  27045. minLength: 1
  27046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27047. type: string
  27048. type: object
  27049. username:
  27050. description: |-
  27051. Username is an LDAP username used to authenticate using the LDAP Vault
  27052. authentication method
  27053. type: string
  27054. required:
  27055. - path
  27056. - username
  27057. type: object
  27058. namespace:
  27059. description: |-
  27060. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  27061. Namespaces is a set of features within Vault Enterprise that allows
  27062. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27063. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27064. This will default to Vault.Namespace field if set, or empty otherwise
  27065. type: string
  27066. tokenSecretRef:
  27067. description: TokenSecretRef authenticates with Vault by presenting a token.
  27068. properties:
  27069. key:
  27070. description: |-
  27071. A key in the referenced Secret.
  27072. Some instances of this field may be defaulted, in others it may be required.
  27073. maxLength: 253
  27074. minLength: 1
  27075. pattern: ^[-._a-zA-Z0-9]+$
  27076. type: string
  27077. name:
  27078. description: The name of the Secret resource being referred to.
  27079. maxLength: 253
  27080. minLength: 1
  27081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27082. type: string
  27083. namespace:
  27084. description: |-
  27085. The namespace of the Secret resource being referred to.
  27086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27087. maxLength: 63
  27088. minLength: 1
  27089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27090. type: string
  27091. type: object
  27092. userPass:
  27093. description: UserPass authenticates with Vault by passing username/password pair
  27094. properties:
  27095. path:
  27096. default: userpass
  27097. description: |-
  27098. Path where the UserPassword authentication backend is mounted
  27099. in Vault, e.g: "userpass"
  27100. type: string
  27101. secretRef:
  27102. description: |-
  27103. SecretRef to a key in a Secret resource containing password for the
  27104. user used to authenticate with Vault using the UserPass authentication
  27105. method
  27106. properties:
  27107. key:
  27108. description: |-
  27109. A key in the referenced Secret.
  27110. Some instances of this field may be defaulted, in others it may be required.
  27111. maxLength: 253
  27112. minLength: 1
  27113. pattern: ^[-._a-zA-Z0-9]+$
  27114. type: string
  27115. name:
  27116. description: The name of the Secret resource being referred to.
  27117. maxLength: 253
  27118. minLength: 1
  27119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27120. type: string
  27121. namespace:
  27122. description: |-
  27123. The namespace of the Secret resource being referred to.
  27124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27125. maxLength: 63
  27126. minLength: 1
  27127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27128. type: string
  27129. type: object
  27130. username:
  27131. description: |-
  27132. Username is a username used to authenticate using the UserPass Vault
  27133. authentication method
  27134. type: string
  27135. required:
  27136. - path
  27137. - username
  27138. type: object
  27139. type: object
  27140. caBundle:
  27141. description: |-
  27142. PEM encoded CA bundle used to validate Vault server certificate. Only used
  27143. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27144. plain HTTP protocol connection. If not set the system root certificates
  27145. are used to validate the TLS connection.
  27146. format: byte
  27147. type: string
  27148. caProvider:
  27149. description: The provider for the CA bundle to use to validate Vault server certificate.
  27150. properties:
  27151. key:
  27152. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27153. maxLength: 253
  27154. minLength: 1
  27155. pattern: ^[-._a-zA-Z0-9]+$
  27156. type: string
  27157. name:
  27158. description: The name of the object located at the provider type.
  27159. maxLength: 253
  27160. minLength: 1
  27161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27162. type: string
  27163. namespace:
  27164. description: |-
  27165. The namespace the Provider type is in.
  27166. Can only be defined when used in a ClusterSecretStore.
  27167. maxLength: 63
  27168. minLength: 1
  27169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27170. type: string
  27171. type:
  27172. description: The type of provider to use such as "Secret", or "ConfigMap".
  27173. enum:
  27174. - Secret
  27175. - ConfigMap
  27176. type: string
  27177. required:
  27178. - name
  27179. - type
  27180. type: object
  27181. checkAndSet:
  27182. description: |-
  27183. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  27184. Only applies to Vault KV v2 stores. When enabled, write operations must include
  27185. the current version of the secret to prevent unintentional overwrites.
  27186. properties:
  27187. required:
  27188. description: |-
  27189. Required when true, all write operations must include a check-and-set parameter.
  27190. This helps prevent unintentional overwrites of secrets.
  27191. type: boolean
  27192. type: object
  27193. forwardInconsistent:
  27194. description: |-
  27195. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  27196. leader instead of simply retrying within a loop. This can increase performance if
  27197. the option is enabled serverside.
  27198. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  27199. type: boolean
  27200. headers:
  27201. additionalProperties:
  27202. type: string
  27203. description: Headers to be added in Vault request
  27204. type: object
  27205. namespace:
  27206. description: |-
  27207. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  27208. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27209. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27210. type: string
  27211. path:
  27212. description: |-
  27213. Path is the mount path of the Vault KV backend endpoint, e.g:
  27214. "secret". The v2 KV secret engine version specific "/data" path suffix
  27215. for fetching secrets from Vault is optional and will be appended
  27216. if not present in specified path.
  27217. type: string
  27218. readYourWrites:
  27219. description: |-
  27220. ReadYourWrites ensures isolated read-after-write semantics by
  27221. providing discovered cluster replication states in each request.
  27222. More information about eventual consistency in Vault can be found here
  27223. https://www.vaultproject.io/docs/enterprise/consistency
  27224. type: boolean
  27225. server:
  27226. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  27227. type: string
  27228. tls:
  27229. description: |-
  27230. The configuration used for client side related TLS communication, when the Vault server
  27231. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  27232. This parameter is ignored for plain HTTP protocol connection.
  27233. It's worth noting this configuration is different from the "TLS certificates auth method",
  27234. which is available under the `auth.cert` section.
  27235. properties:
  27236. certSecretRef:
  27237. description: |-
  27238. CertSecretRef is a certificate added to the transport layer
  27239. when communicating with the Vault server.
  27240. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  27241. properties:
  27242. key:
  27243. description: |-
  27244. A key in the referenced Secret.
  27245. Some instances of this field may be defaulted, in others it may be required.
  27246. maxLength: 253
  27247. minLength: 1
  27248. pattern: ^[-._a-zA-Z0-9]+$
  27249. type: string
  27250. name:
  27251. description: The name of the Secret resource being referred to.
  27252. maxLength: 253
  27253. minLength: 1
  27254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27255. type: string
  27256. namespace:
  27257. description: |-
  27258. The namespace of the Secret resource being referred to.
  27259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27260. maxLength: 63
  27261. minLength: 1
  27262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27263. type: string
  27264. type: object
  27265. keySecretRef:
  27266. description: |-
  27267. KeySecretRef to a key in a Secret resource containing client private key
  27268. added to the transport layer when communicating with the Vault server.
  27269. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  27270. properties:
  27271. key:
  27272. description: |-
  27273. A key in the referenced Secret.
  27274. Some instances of this field may be defaulted, in others it may be required.
  27275. maxLength: 253
  27276. minLength: 1
  27277. pattern: ^[-._a-zA-Z0-9]+$
  27278. type: string
  27279. name:
  27280. description: The name of the Secret resource being referred to.
  27281. maxLength: 253
  27282. minLength: 1
  27283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27284. type: string
  27285. namespace:
  27286. description: |-
  27287. The namespace of the Secret resource being referred to.
  27288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27289. maxLength: 63
  27290. minLength: 1
  27291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27292. type: string
  27293. type: object
  27294. type: object
  27295. version:
  27296. default: v2
  27297. description: |-
  27298. Version is the Vault KV secret engine version. This can be either "v1" or
  27299. "v2". Version defaults to "v2".
  27300. enum:
  27301. - v1
  27302. - v2
  27303. type: string
  27304. required:
  27305. - server
  27306. type: object
  27307. resultType:
  27308. default: Data
  27309. description: |-
  27310. Result type defines which data is returned from the generator.
  27311. By default, it is the "data" section of the Vault API response.
  27312. When using e.g. /auth/token/create the "data" section is empty but
  27313. the "auth" section contains the generated token.
  27314. Please refer to the vault docs regarding the result data structure.
  27315. Additionally, accessing the raw response is possibly by using "Raw" result type.
  27316. enum:
  27317. - Data
  27318. - Auth
  27319. - Raw
  27320. type: string
  27321. retrySettings:
  27322. description: Used to configure http retries if failed
  27323. properties:
  27324. maxRetries:
  27325. format: int32
  27326. type: integer
  27327. retryInterval:
  27328. type: string
  27329. type: object
  27330. required:
  27331. - path
  27332. - provider
  27333. type: object
  27334. webhookSpec:
  27335. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  27336. properties:
  27337. auth:
  27338. description: Auth specifies a authorization protocol. Only one protocol may be set.
  27339. maxProperties: 1
  27340. minProperties: 1
  27341. properties:
  27342. ntlm:
  27343. description: NTLMProtocol configures the store to use NTLM for auth
  27344. properties:
  27345. passwordSecret:
  27346. description: |-
  27347. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27348. In some instances, `key` is a required field.
  27349. properties:
  27350. key:
  27351. description: |-
  27352. A key in the referenced Secret.
  27353. Some instances of this field may be defaulted, in others it may be required.
  27354. maxLength: 253
  27355. minLength: 1
  27356. pattern: ^[-._a-zA-Z0-9]+$
  27357. type: string
  27358. name:
  27359. description: The name of the Secret resource being referred to.
  27360. maxLength: 253
  27361. minLength: 1
  27362. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27363. type: string
  27364. namespace:
  27365. description: |-
  27366. The namespace of the Secret resource being referred to.
  27367. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27368. maxLength: 63
  27369. minLength: 1
  27370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27371. type: string
  27372. type: object
  27373. usernameSecret:
  27374. description: |-
  27375. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27376. In some instances, `key` is a required field.
  27377. properties:
  27378. key:
  27379. description: |-
  27380. A key in the referenced Secret.
  27381. Some instances of this field may be defaulted, in others it may be required.
  27382. maxLength: 253
  27383. minLength: 1
  27384. pattern: ^[-._a-zA-Z0-9]+$
  27385. type: string
  27386. name:
  27387. description: The name of the Secret resource being referred to.
  27388. maxLength: 253
  27389. minLength: 1
  27390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27391. type: string
  27392. namespace:
  27393. description: |-
  27394. The namespace of the Secret resource being referred to.
  27395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27396. maxLength: 63
  27397. minLength: 1
  27398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27399. type: string
  27400. type: object
  27401. required:
  27402. - passwordSecret
  27403. - usernameSecret
  27404. type: object
  27405. type: object
  27406. body:
  27407. description: Body
  27408. type: string
  27409. caBundle:
  27410. description: |-
  27411. PEM encoded CA bundle used to validate webhook server certificate. Only used
  27412. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27413. plain HTTP protocol connection. If not set the system root certificates
  27414. are used to validate the TLS connection.
  27415. format: byte
  27416. type: string
  27417. caProvider:
  27418. description: The provider for the CA bundle to use to validate webhook server certificate.
  27419. properties:
  27420. key:
  27421. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27422. maxLength: 253
  27423. minLength: 1
  27424. pattern: ^[-._a-zA-Z0-9]+$
  27425. type: string
  27426. name:
  27427. description: The name of the object located at the provider type.
  27428. maxLength: 253
  27429. minLength: 1
  27430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27431. type: string
  27432. namespace:
  27433. description: The namespace the Provider type is in.
  27434. maxLength: 63
  27435. minLength: 1
  27436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27437. type: string
  27438. type:
  27439. description: The type of provider to use such as "Secret", or "ConfigMap".
  27440. enum:
  27441. - Secret
  27442. - ConfigMap
  27443. type: string
  27444. required:
  27445. - name
  27446. - type
  27447. type: object
  27448. headers:
  27449. additionalProperties:
  27450. type: string
  27451. description: Headers
  27452. type: object
  27453. method:
  27454. description: Webhook Method
  27455. type: string
  27456. result:
  27457. description: Result formatting
  27458. properties:
  27459. jsonPath:
  27460. description: Json path of return value
  27461. type: string
  27462. type: object
  27463. secrets:
  27464. description: |-
  27465. Secrets to fill in templates
  27466. These secrets will be passed to the templating function as key value pairs under the given name
  27467. items:
  27468. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  27469. properties:
  27470. name:
  27471. description: Name of this secret in templates
  27472. type: string
  27473. secretRef:
  27474. description: Secret ref to fill in credentials
  27475. properties:
  27476. key:
  27477. description: The key where the token is found.
  27478. maxLength: 253
  27479. minLength: 1
  27480. pattern: ^[-._a-zA-Z0-9]+$
  27481. type: string
  27482. name:
  27483. description: The name of the Secret resource being referred to.
  27484. maxLength: 253
  27485. minLength: 1
  27486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27487. type: string
  27488. type: object
  27489. required:
  27490. - name
  27491. - secretRef
  27492. type: object
  27493. type: array
  27494. timeout:
  27495. description: Timeout
  27496. type: string
  27497. url:
  27498. description: Webhook url to call
  27499. type: string
  27500. required:
  27501. - result
  27502. - url
  27503. type: object
  27504. type: object
  27505. kind:
  27506. description: Kind the kind of this generator.
  27507. enum:
  27508. - ACRAccessToken
  27509. - CloudsmithAccessToken
  27510. - ECRAuthorizationToken
  27511. - Fake
  27512. - GCRAccessToken
  27513. - GithubAccessToken
  27514. - QuayAccessToken
  27515. - Password
  27516. - SSHKey
  27517. - STSAssumeRoleToken
  27518. - STSSessionToken
  27519. - UUID
  27520. - VaultDynamicSecret
  27521. - Webhook
  27522. - Grafana
  27523. type: string
  27524. required:
  27525. - generator
  27526. - kind
  27527. type: object
  27528. type: object
  27529. served: true
  27530. storage: true
  27531. subresources:
  27532. status: {}
  27533. ---
  27534. apiVersion: apiextensions.k8s.io/v1
  27535. kind: CustomResourceDefinition
  27536. metadata:
  27537. annotations:
  27538. controller-gen.kubebuilder.io/version: v0.19.0
  27539. labels:
  27540. external-secrets.io/component: controller
  27541. name: ecrauthorizationtokens.generators.external-secrets.io
  27542. spec:
  27543. group: generators.external-secrets.io
  27544. names:
  27545. categories:
  27546. - external-secrets
  27547. - external-secrets-generators
  27548. kind: ECRAuthorizationToken
  27549. listKind: ECRAuthorizationTokenList
  27550. plural: ecrauthorizationtokens
  27551. singular: ecrauthorizationtoken
  27552. scope: Namespaced
  27553. versions:
  27554. - name: v1alpha1
  27555. schema:
  27556. openAPIV3Schema:
  27557. description: |-
  27558. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  27559. The authorization token is valid for 12 hours.
  27560. The authorizationToken returned is a base64 encoded string that can be decoded
  27561. and used in a docker login command to authenticate to a registry.
  27562. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  27563. properties:
  27564. apiVersion:
  27565. description: |-
  27566. APIVersion defines the versioned schema of this representation of an object.
  27567. Servers should convert recognized schemas to the latest internal value, and
  27568. may reject unrecognized values.
  27569. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27570. type: string
  27571. kind:
  27572. description: |-
  27573. Kind is a string value representing the REST resource this object represents.
  27574. Servers may infer this from the endpoint the client submits requests to.
  27575. Cannot be updated.
  27576. In CamelCase.
  27577. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27578. type: string
  27579. metadata:
  27580. type: object
  27581. spec:
  27582. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  27583. properties:
  27584. auth:
  27585. description: Auth defines how to authenticate with AWS
  27586. properties:
  27587. jwt:
  27588. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27589. properties:
  27590. serviceAccountRef:
  27591. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27592. properties:
  27593. audiences:
  27594. description: |-
  27595. Audience specifies the `aud` claim for the service account token
  27596. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27597. then this audiences will be appended to the list
  27598. items:
  27599. type: string
  27600. type: array
  27601. name:
  27602. description: The name of the ServiceAccount resource being referred to.
  27603. maxLength: 253
  27604. minLength: 1
  27605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27606. type: string
  27607. namespace:
  27608. description: |-
  27609. Namespace of the resource being referred to.
  27610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27611. maxLength: 63
  27612. minLength: 1
  27613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27614. type: string
  27615. required:
  27616. - name
  27617. type: object
  27618. type: object
  27619. secretRef:
  27620. description: |-
  27621. AWSAuthSecretRef holds secret references for AWS credentials
  27622. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27623. properties:
  27624. accessKeyIDSecretRef:
  27625. description: The AccessKeyID is used for authentication
  27626. properties:
  27627. key:
  27628. description: |-
  27629. A key in the referenced Secret.
  27630. Some instances of this field may be defaulted, in others it may be required.
  27631. maxLength: 253
  27632. minLength: 1
  27633. pattern: ^[-._a-zA-Z0-9]+$
  27634. type: string
  27635. name:
  27636. description: The name of the Secret resource being referred to.
  27637. maxLength: 253
  27638. minLength: 1
  27639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27640. type: string
  27641. namespace:
  27642. description: |-
  27643. The namespace of the Secret resource being referred to.
  27644. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27645. maxLength: 63
  27646. minLength: 1
  27647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27648. type: string
  27649. type: object
  27650. secretAccessKeySecretRef:
  27651. description: The SecretAccessKey is used for authentication
  27652. properties:
  27653. key:
  27654. description: |-
  27655. A key in the referenced Secret.
  27656. Some instances of this field may be defaulted, in others it may be required.
  27657. maxLength: 253
  27658. minLength: 1
  27659. pattern: ^[-._a-zA-Z0-9]+$
  27660. type: string
  27661. name:
  27662. description: The name of the Secret resource being referred to.
  27663. maxLength: 253
  27664. minLength: 1
  27665. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27666. type: string
  27667. namespace:
  27668. description: |-
  27669. The namespace of the Secret resource being referred to.
  27670. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27671. maxLength: 63
  27672. minLength: 1
  27673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27674. type: string
  27675. type: object
  27676. sessionTokenSecretRef:
  27677. description: |-
  27678. The SessionToken used for authentication
  27679. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27680. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27681. properties:
  27682. key:
  27683. description: |-
  27684. A key in the referenced Secret.
  27685. Some instances of this field may be defaulted, in others it may be required.
  27686. maxLength: 253
  27687. minLength: 1
  27688. pattern: ^[-._a-zA-Z0-9]+$
  27689. type: string
  27690. name:
  27691. description: The name of the Secret resource being referred to.
  27692. maxLength: 253
  27693. minLength: 1
  27694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27695. type: string
  27696. namespace:
  27697. description: |-
  27698. The namespace of the Secret resource being referred to.
  27699. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27700. maxLength: 63
  27701. minLength: 1
  27702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27703. type: string
  27704. type: object
  27705. type: object
  27706. type: object
  27707. region:
  27708. description: Region specifies the region to operate in.
  27709. type: string
  27710. role:
  27711. description: |-
  27712. You can assume a role before making calls to the
  27713. desired AWS service.
  27714. type: string
  27715. scope:
  27716. description: |-
  27717. Scope specifies the ECR service scope.
  27718. Valid options are private and public.
  27719. type: string
  27720. required:
  27721. - region
  27722. type: object
  27723. type: object
  27724. served: true
  27725. storage: true
  27726. subresources:
  27727. status: {}
  27728. ---
  27729. apiVersion: apiextensions.k8s.io/v1
  27730. kind: CustomResourceDefinition
  27731. metadata:
  27732. annotations:
  27733. controller-gen.kubebuilder.io/version: v0.19.0
  27734. labels:
  27735. external-secrets.io/component: controller
  27736. name: fakes.generators.external-secrets.io
  27737. spec:
  27738. group: generators.external-secrets.io
  27739. names:
  27740. categories:
  27741. - external-secrets
  27742. - external-secrets-generators
  27743. kind: Fake
  27744. listKind: FakeList
  27745. plural: fakes
  27746. singular: fake
  27747. scope: Namespaced
  27748. versions:
  27749. - name: v1alpha1
  27750. schema:
  27751. openAPIV3Schema:
  27752. description: |-
  27753. Fake generator is used for testing. It lets you define
  27754. a static set of credentials that is always returned.
  27755. properties:
  27756. apiVersion:
  27757. description: |-
  27758. APIVersion defines the versioned schema of this representation of an object.
  27759. Servers should convert recognized schemas to the latest internal value, and
  27760. may reject unrecognized values.
  27761. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27762. type: string
  27763. kind:
  27764. description: |-
  27765. Kind is a string value representing the REST resource this object represents.
  27766. Servers may infer this from the endpoint the client submits requests to.
  27767. Cannot be updated.
  27768. In CamelCase.
  27769. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27770. type: string
  27771. metadata:
  27772. type: object
  27773. spec:
  27774. description: FakeSpec contains the static data.
  27775. properties:
  27776. controller:
  27777. description: |-
  27778. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27779. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27780. type: string
  27781. data:
  27782. additionalProperties:
  27783. type: string
  27784. description: |-
  27785. Data defines the static data returned
  27786. by this generator.
  27787. type: object
  27788. type: object
  27789. type: object
  27790. served: true
  27791. storage: true
  27792. subresources:
  27793. status: {}
  27794. ---
  27795. apiVersion: apiextensions.k8s.io/v1
  27796. kind: CustomResourceDefinition
  27797. metadata:
  27798. annotations:
  27799. controller-gen.kubebuilder.io/version: v0.19.0
  27800. labels:
  27801. external-secrets.io/component: controller
  27802. name: gcraccesstokens.generators.external-secrets.io
  27803. spec:
  27804. group: generators.external-secrets.io
  27805. names:
  27806. categories:
  27807. - external-secrets
  27808. - external-secrets-generators
  27809. kind: GCRAccessToken
  27810. listKind: GCRAccessTokenList
  27811. plural: gcraccesstokens
  27812. singular: gcraccesstoken
  27813. scope: Namespaced
  27814. versions:
  27815. - name: v1alpha1
  27816. schema:
  27817. openAPIV3Schema:
  27818. description: |-
  27819. GCRAccessToken generates an GCP access token
  27820. that can be used to authenticate with GCR.
  27821. properties:
  27822. apiVersion:
  27823. description: |-
  27824. APIVersion defines the versioned schema of this representation of an object.
  27825. Servers should convert recognized schemas to the latest internal value, and
  27826. may reject unrecognized values.
  27827. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27828. type: string
  27829. kind:
  27830. description: |-
  27831. Kind is a string value representing the REST resource this object represents.
  27832. Servers may infer this from the endpoint the client submits requests to.
  27833. Cannot be updated.
  27834. In CamelCase.
  27835. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27836. type: string
  27837. metadata:
  27838. type: object
  27839. spec:
  27840. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  27841. properties:
  27842. auth:
  27843. description: Auth defines the means for authenticating with GCP
  27844. properties:
  27845. secretRef:
  27846. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  27847. properties:
  27848. secretAccessKeySecretRef:
  27849. description: The SecretAccessKey is used for authentication
  27850. properties:
  27851. key:
  27852. description: |-
  27853. A key in the referenced Secret.
  27854. Some instances of this field may be defaulted, in others it may be required.
  27855. maxLength: 253
  27856. minLength: 1
  27857. pattern: ^[-._a-zA-Z0-9]+$
  27858. type: string
  27859. name:
  27860. description: The name of the Secret resource being referred to.
  27861. maxLength: 253
  27862. minLength: 1
  27863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27864. type: string
  27865. namespace:
  27866. description: |-
  27867. The namespace of the Secret resource being referred to.
  27868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27869. maxLength: 63
  27870. minLength: 1
  27871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27872. type: string
  27873. type: object
  27874. type: object
  27875. workloadIdentity:
  27876. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  27877. properties:
  27878. clusterLocation:
  27879. type: string
  27880. clusterName:
  27881. type: string
  27882. clusterProjectID:
  27883. type: string
  27884. serviceAccountRef:
  27885. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27886. properties:
  27887. audiences:
  27888. description: |-
  27889. Audience specifies the `aud` claim for the service account token
  27890. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27891. then this audiences will be appended to the list
  27892. items:
  27893. type: string
  27894. type: array
  27895. name:
  27896. description: The name of the ServiceAccount resource being referred to.
  27897. maxLength: 253
  27898. minLength: 1
  27899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27900. type: string
  27901. namespace:
  27902. description: |-
  27903. Namespace of the resource being referred to.
  27904. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27905. maxLength: 63
  27906. minLength: 1
  27907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27908. type: string
  27909. required:
  27910. - name
  27911. type: object
  27912. required:
  27913. - clusterLocation
  27914. - clusterName
  27915. - serviceAccountRef
  27916. type: object
  27917. workloadIdentityFederation:
  27918. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  27919. properties:
  27920. audience:
  27921. description: |-
  27922. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  27923. If specified, Audience found in the external account credential config will be overridden with the configured value.
  27924. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  27925. type: string
  27926. awsSecurityCredentials:
  27927. description: |-
  27928. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  27929. when using the AWS metadata server is not an option.
  27930. properties:
  27931. awsCredentialsSecretRef:
  27932. description: |-
  27933. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  27934. Secret should be created with below names for keys
  27935. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  27936. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  27937. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  27938. properties:
  27939. name:
  27940. description: name of the secret.
  27941. maxLength: 253
  27942. minLength: 1
  27943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27944. type: string
  27945. namespace:
  27946. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  27947. maxLength: 63
  27948. minLength: 1
  27949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27950. type: string
  27951. required:
  27952. - name
  27953. type: object
  27954. region:
  27955. description: region is for configuring the AWS region to be used.
  27956. example: ap-south-1
  27957. maxLength: 50
  27958. minLength: 1
  27959. pattern: ^[a-z0-9-]+$
  27960. type: string
  27961. required:
  27962. - awsCredentialsSecretRef
  27963. - region
  27964. type: object
  27965. credConfig:
  27966. description: |-
  27967. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  27968. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  27969. serviceAccountRef must be used by providing operators service account details.
  27970. properties:
  27971. key:
  27972. description: key name holding the external account credential config.
  27973. maxLength: 253
  27974. minLength: 1
  27975. pattern: ^[-._a-zA-Z0-9]+$
  27976. type: string
  27977. name:
  27978. description: name of the configmap.
  27979. maxLength: 253
  27980. minLength: 1
  27981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27982. type: string
  27983. namespace:
  27984. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  27985. maxLength: 63
  27986. minLength: 1
  27987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27988. type: string
  27989. required:
  27990. - key
  27991. - name
  27992. type: object
  27993. externalTokenEndpoint:
  27994. description: |-
  27995. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  27996. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  27997. URL is having the expected value.
  27998. type: string
  27999. gcpServiceAccountEmail:
  28000. description: |-
  28001. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  28002. after Workload Identity Federation. Use this to grant access through the service account's
  28003. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  28004. service_account_impersonation_url in the external account JSON from credConfig;
  28005. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  28006. on that ServiceAccount.
  28007. example: my-gsa@my-project.iam.gserviceaccount.com
  28008. minLength: 1
  28009. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  28010. type: string
  28011. serviceAccountRef:
  28012. description: |-
  28013. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  28014. when Kubernetes is configured as provider in workload identity pool.
  28015. properties:
  28016. audiences:
  28017. description: |-
  28018. Audience specifies the `aud` claim for the service account token
  28019. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28020. then this audiences will be appended to the list
  28021. items:
  28022. type: string
  28023. type: array
  28024. name:
  28025. description: The name of the ServiceAccount resource being referred to.
  28026. maxLength: 253
  28027. minLength: 1
  28028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28029. type: string
  28030. namespace:
  28031. description: |-
  28032. Namespace of the resource being referred to.
  28033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28034. maxLength: 63
  28035. minLength: 1
  28036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28037. type: string
  28038. required:
  28039. - name
  28040. type: object
  28041. type: object
  28042. type: object
  28043. projectID:
  28044. description: ProjectID defines which project to use to authenticate with
  28045. type: string
  28046. required:
  28047. - auth
  28048. - projectID
  28049. type: object
  28050. type: object
  28051. served: true
  28052. storage: true
  28053. subresources:
  28054. status: {}
  28055. ---
  28056. apiVersion: apiextensions.k8s.io/v1
  28057. kind: CustomResourceDefinition
  28058. metadata:
  28059. annotations:
  28060. controller-gen.kubebuilder.io/version: v0.19.0
  28061. labels:
  28062. external-secrets.io/component: controller
  28063. name: generatorstates.generators.external-secrets.io
  28064. spec:
  28065. group: generators.external-secrets.io
  28066. names:
  28067. categories:
  28068. - external-secrets
  28069. - external-secrets-generators
  28070. kind: GeneratorState
  28071. listKind: GeneratorStateList
  28072. plural: generatorstates
  28073. shortNames:
  28074. - gs
  28075. singular: generatorstate
  28076. scope: Namespaced
  28077. versions:
  28078. - additionalPrinterColumns:
  28079. - jsonPath: .spec.garbageCollectionDeadline
  28080. name: GC Deadline
  28081. type: string
  28082. - jsonPath: .metadata.creationTimestamp
  28083. name: Age
  28084. type: date
  28085. name: v1alpha1
  28086. schema:
  28087. openAPIV3Schema:
  28088. description: GeneratorState represents the state created and managed by a generator resource.
  28089. properties:
  28090. apiVersion:
  28091. description: |-
  28092. APIVersion defines the versioned schema of this representation of an object.
  28093. Servers should convert recognized schemas to the latest internal value, and
  28094. may reject unrecognized values.
  28095. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28096. type: string
  28097. kind:
  28098. description: |-
  28099. Kind is a string value representing the REST resource this object represents.
  28100. Servers may infer this from the endpoint the client submits requests to.
  28101. Cannot be updated.
  28102. In CamelCase.
  28103. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28104. type: string
  28105. metadata:
  28106. type: object
  28107. spec:
  28108. description: GeneratorStateSpec defines the desired state of a generator state resource.
  28109. properties:
  28110. garbageCollectionDeadline:
  28111. description: |-
  28112. GarbageCollectionDeadline is the time after which the generator state
  28113. will be deleted.
  28114. It is set by the controller which creates the generator state and
  28115. can be set configured by the user.
  28116. If the garbage collection deadline is not set the generator state will not be deleted.
  28117. format: date-time
  28118. type: string
  28119. resource:
  28120. description: |-
  28121. Resource is the generator manifest that produced the state.
  28122. It is a snapshot of the generator manifest at the time the state was produced.
  28123. This manifest will be used to delete the resource. Any configuration that is referenced
  28124. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  28125. be blocked by a finalizer.
  28126. x-kubernetes-preserve-unknown-fields: true
  28127. state:
  28128. description: State is the state that was produced by the generator implementation.
  28129. x-kubernetes-preserve-unknown-fields: true
  28130. required:
  28131. - resource
  28132. - state
  28133. type: object
  28134. status:
  28135. description: GeneratorStateStatus defines the observed state of a generator state resource.
  28136. properties:
  28137. conditions:
  28138. items:
  28139. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  28140. properties:
  28141. lastTransitionTime:
  28142. format: date-time
  28143. type: string
  28144. message:
  28145. type: string
  28146. reason:
  28147. type: string
  28148. status:
  28149. type: string
  28150. type:
  28151. description: GeneratorStateConditionType represents the type of condition for a generator state.
  28152. type: string
  28153. required:
  28154. - status
  28155. - type
  28156. type: object
  28157. type: array
  28158. type: object
  28159. type: object
  28160. served: true
  28161. storage: true
  28162. subresources: {}
  28163. ---
  28164. apiVersion: apiextensions.k8s.io/v1
  28165. kind: CustomResourceDefinition
  28166. metadata:
  28167. annotations:
  28168. controller-gen.kubebuilder.io/version: v0.19.0
  28169. labels:
  28170. external-secrets.io/component: controller
  28171. name: githubaccesstokens.generators.external-secrets.io
  28172. spec:
  28173. group: generators.external-secrets.io
  28174. names:
  28175. categories:
  28176. - external-secrets
  28177. - external-secrets-generators
  28178. kind: GithubAccessToken
  28179. listKind: GithubAccessTokenList
  28180. plural: githubaccesstokens
  28181. singular: githubaccesstoken
  28182. scope: Namespaced
  28183. versions:
  28184. - name: v1alpha1
  28185. schema:
  28186. openAPIV3Schema:
  28187. description: GithubAccessToken generates ghs_ accessToken
  28188. properties:
  28189. apiVersion:
  28190. description: |-
  28191. APIVersion defines the versioned schema of this representation of an object.
  28192. Servers should convert recognized schemas to the latest internal value, and
  28193. may reject unrecognized values.
  28194. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28195. type: string
  28196. kind:
  28197. description: |-
  28198. Kind is a string value representing the REST resource this object represents.
  28199. Servers may infer this from the endpoint the client submits requests to.
  28200. Cannot be updated.
  28201. In CamelCase.
  28202. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28203. type: string
  28204. metadata:
  28205. type: object
  28206. spec:
  28207. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  28208. properties:
  28209. appID:
  28210. type: string
  28211. auth:
  28212. description: Auth configures how ESO authenticates with a Github instance.
  28213. properties:
  28214. privateKey:
  28215. description: GithubSecretRef references a secret containing GitHub credentials.
  28216. properties:
  28217. secretRef:
  28218. description: |-
  28219. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28220. In some instances, `key` is a required field.
  28221. properties:
  28222. key:
  28223. description: |-
  28224. A key in the referenced Secret.
  28225. Some instances of this field may be defaulted, in others it may be required.
  28226. maxLength: 253
  28227. minLength: 1
  28228. pattern: ^[-._a-zA-Z0-9]+$
  28229. type: string
  28230. name:
  28231. description: The name of the Secret resource being referred to.
  28232. maxLength: 253
  28233. minLength: 1
  28234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28235. type: string
  28236. namespace:
  28237. description: |-
  28238. The namespace of the Secret resource being referred to.
  28239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28240. maxLength: 63
  28241. minLength: 1
  28242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28243. type: string
  28244. type: object
  28245. required:
  28246. - secretRef
  28247. type: object
  28248. required:
  28249. - privateKey
  28250. type: object
  28251. installID:
  28252. type: string
  28253. permissions:
  28254. additionalProperties:
  28255. type: string
  28256. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  28257. type: object
  28258. repositories:
  28259. description: |-
  28260. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  28261. is installed to.
  28262. items:
  28263. type: string
  28264. type: array
  28265. url:
  28266. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  28267. type: string
  28268. required:
  28269. - appID
  28270. - auth
  28271. - installID
  28272. type: object
  28273. type: object
  28274. served: true
  28275. storage: true
  28276. subresources:
  28277. status: {}
  28278. ---
  28279. apiVersion: apiextensions.k8s.io/v1
  28280. kind: CustomResourceDefinition
  28281. metadata:
  28282. annotations:
  28283. controller-gen.kubebuilder.io/version: v0.19.0
  28284. labels:
  28285. external-secrets.io/component: controller
  28286. name: grafanas.generators.external-secrets.io
  28287. spec:
  28288. group: generators.external-secrets.io
  28289. names:
  28290. categories:
  28291. - external-secrets
  28292. - external-secrets-generators
  28293. kind: Grafana
  28294. listKind: GrafanaList
  28295. plural: grafanas
  28296. singular: grafana
  28297. scope: Namespaced
  28298. versions:
  28299. - name: v1alpha1
  28300. schema:
  28301. openAPIV3Schema:
  28302. description: Grafana represents a generator for Grafana service account tokens.
  28303. properties:
  28304. apiVersion:
  28305. description: |-
  28306. APIVersion defines the versioned schema of this representation of an object.
  28307. Servers should convert recognized schemas to the latest internal value, and
  28308. may reject unrecognized values.
  28309. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28310. type: string
  28311. kind:
  28312. description: |-
  28313. Kind is a string value representing the REST resource this object represents.
  28314. Servers may infer this from the endpoint the client submits requests to.
  28315. Cannot be updated.
  28316. In CamelCase.
  28317. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28318. type: string
  28319. metadata:
  28320. type: object
  28321. spec:
  28322. description: GrafanaSpec controls the behavior of the grafana generator.
  28323. properties:
  28324. auth:
  28325. description: |-
  28326. Auth is the authentication configuration to authenticate
  28327. against the Grafana instance.
  28328. properties:
  28329. basic:
  28330. description: |-
  28331. Basic auth credentials used to authenticate against the Grafana instance.
  28332. Note: you need a token which has elevated permissions to create service accounts.
  28333. See here for the documentation on basic roles offered by Grafana:
  28334. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28335. properties:
  28336. password:
  28337. description: A basic auth password used to authenticate against the Grafana instance.
  28338. properties:
  28339. key:
  28340. description: The key where the token is found.
  28341. maxLength: 253
  28342. minLength: 1
  28343. pattern: ^[-._a-zA-Z0-9]+$
  28344. type: string
  28345. name:
  28346. description: The name of the Secret resource being referred to.
  28347. maxLength: 253
  28348. minLength: 1
  28349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28350. type: string
  28351. type: object
  28352. username:
  28353. description: A basic auth username used to authenticate against the Grafana instance.
  28354. type: string
  28355. required:
  28356. - password
  28357. - username
  28358. type: object
  28359. token:
  28360. description: |-
  28361. A service account token used to authenticate against the Grafana instance.
  28362. Note: you need a token which has elevated permissions to create service accounts.
  28363. See here for the documentation on basic roles offered by Grafana:
  28364. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28365. properties:
  28366. key:
  28367. description: The key where the token is found.
  28368. maxLength: 253
  28369. minLength: 1
  28370. pattern: ^[-._a-zA-Z0-9]+$
  28371. type: string
  28372. name:
  28373. description: The name of the Secret resource being referred to.
  28374. maxLength: 253
  28375. minLength: 1
  28376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28377. type: string
  28378. type: object
  28379. type: object
  28380. serviceAccount:
  28381. description: |-
  28382. ServiceAccount is the configuration for the service account that
  28383. is supposed to be generated by the generator.
  28384. properties:
  28385. name:
  28386. description: Name is the name of the service account that will be created by ESO.
  28387. type: string
  28388. role:
  28389. description: |-
  28390. Role is the role of the service account.
  28391. See here for the documentation on basic roles offered by Grafana:
  28392. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28393. type: string
  28394. required:
  28395. - name
  28396. - role
  28397. type: object
  28398. url:
  28399. description: URL is the URL of the Grafana instance.
  28400. type: string
  28401. required:
  28402. - auth
  28403. - serviceAccount
  28404. - url
  28405. type: object
  28406. type: object
  28407. served: true
  28408. storage: true
  28409. subresources:
  28410. status: {}
  28411. ---
  28412. apiVersion: apiextensions.k8s.io/v1
  28413. kind: CustomResourceDefinition
  28414. metadata:
  28415. annotations:
  28416. controller-gen.kubebuilder.io/version: v0.19.0
  28417. labels:
  28418. external-secrets.io/component: controller
  28419. name: mfas.generators.external-secrets.io
  28420. spec:
  28421. group: generators.external-secrets.io
  28422. names:
  28423. categories:
  28424. - external-secrets
  28425. - external-secrets-generators
  28426. kind: MFA
  28427. listKind: MFAList
  28428. plural: mfas
  28429. singular: mfa
  28430. scope: Namespaced
  28431. versions:
  28432. - name: v1alpha1
  28433. schema:
  28434. openAPIV3Schema:
  28435. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  28436. properties:
  28437. apiVersion:
  28438. description: |-
  28439. APIVersion defines the versioned schema of this representation of an object.
  28440. Servers should convert recognized schemas to the latest internal value, and
  28441. may reject unrecognized values.
  28442. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28443. type: string
  28444. kind:
  28445. description: |-
  28446. Kind is a string value representing the REST resource this object represents.
  28447. Servers may infer this from the endpoint the client submits requests to.
  28448. Cannot be updated.
  28449. In CamelCase.
  28450. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28451. type: string
  28452. metadata:
  28453. type: object
  28454. spec:
  28455. description: MFASpec controls the behavior of the mfa generator.
  28456. properties:
  28457. algorithm:
  28458. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  28459. type: string
  28460. length:
  28461. description: Length defines the token length. Defaults to 6 characters.
  28462. type: integer
  28463. secret:
  28464. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  28465. properties:
  28466. key:
  28467. description: |-
  28468. A key in the referenced Secret.
  28469. Some instances of this field may be defaulted, in others it may be required.
  28470. maxLength: 253
  28471. minLength: 1
  28472. pattern: ^[-._a-zA-Z0-9]+$
  28473. type: string
  28474. name:
  28475. description: The name of the Secret resource being referred to.
  28476. maxLength: 253
  28477. minLength: 1
  28478. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28479. type: string
  28480. namespace:
  28481. description: |-
  28482. The namespace of the Secret resource being referred to.
  28483. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28484. maxLength: 63
  28485. minLength: 1
  28486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28487. type: string
  28488. type: object
  28489. timePeriod:
  28490. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  28491. type: integer
  28492. when:
  28493. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  28494. format: date-time
  28495. type: string
  28496. required:
  28497. - secret
  28498. type: object
  28499. type: object
  28500. served: true
  28501. storage: true
  28502. subresources:
  28503. status: {}
  28504. ---
  28505. apiVersion: apiextensions.k8s.io/v1
  28506. kind: CustomResourceDefinition
  28507. metadata:
  28508. annotations:
  28509. controller-gen.kubebuilder.io/version: v0.19.0
  28510. labels:
  28511. external-secrets.io/component: controller
  28512. name: passwords.generators.external-secrets.io
  28513. spec:
  28514. group: generators.external-secrets.io
  28515. names:
  28516. categories:
  28517. - external-secrets
  28518. - external-secrets-generators
  28519. kind: Password
  28520. listKind: PasswordList
  28521. plural: passwords
  28522. singular: password
  28523. scope: Namespaced
  28524. versions:
  28525. - name: v1alpha1
  28526. schema:
  28527. openAPIV3Schema:
  28528. description: |-
  28529. Password generates a random password based on the
  28530. configuration parameters in spec.
  28531. You can specify the length, characterset and other attributes.
  28532. properties:
  28533. apiVersion:
  28534. description: |-
  28535. APIVersion defines the versioned schema of this representation of an object.
  28536. Servers should convert recognized schemas to the latest internal value, and
  28537. may reject unrecognized values.
  28538. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28539. type: string
  28540. kind:
  28541. description: |-
  28542. Kind is a string value representing the REST resource this object represents.
  28543. Servers may infer this from the endpoint the client submits requests to.
  28544. Cannot be updated.
  28545. In CamelCase.
  28546. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28547. type: string
  28548. metadata:
  28549. type: object
  28550. spec:
  28551. description: PasswordSpec controls the behavior of the password generator.
  28552. properties:
  28553. allowRepeat:
  28554. default: false
  28555. description: set AllowRepeat to true to allow repeating characters.
  28556. type: boolean
  28557. digits:
  28558. description: |-
  28559. Digits specifies the number of digits in the generated
  28560. password. If omitted it defaults to 25% of the length of the password
  28561. type: integer
  28562. encoding:
  28563. default: raw
  28564. description: |-
  28565. Encoding specifies the encoding of the generated password.
  28566. Valid values are:
  28567. - "raw" (default): no encoding
  28568. - "base64": standard base64 encoding
  28569. - "base64url": base64url encoding
  28570. - "base32": base32 encoding
  28571. - "hex": hexadecimal encoding
  28572. enum:
  28573. - base64
  28574. - base64url
  28575. - base32
  28576. - hex
  28577. - raw
  28578. type: string
  28579. length:
  28580. default: 24
  28581. description: |-
  28582. Length of the password to be generated.
  28583. Defaults to 24
  28584. type: integer
  28585. noUpper:
  28586. default: false
  28587. description: Set NoUpper to disable uppercase characters
  28588. type: boolean
  28589. secretKeys:
  28590. description: |-
  28591. SecretKeys defines the keys that will be populated with generated passwords.
  28592. Defaults to "password" when not set.
  28593. items:
  28594. type: string
  28595. minItems: 1
  28596. type: array
  28597. symbolCharacters:
  28598. description: |-
  28599. SymbolCharacters specifies the special characters that should be used
  28600. in the generated password.
  28601. type: string
  28602. symbols:
  28603. description: |-
  28604. Symbols specifies the number of symbol characters in the generated
  28605. password. If omitted it defaults to 25% of the length of the password
  28606. type: integer
  28607. required:
  28608. - allowRepeat
  28609. - length
  28610. - noUpper
  28611. type: object
  28612. type: object
  28613. served: true
  28614. storage: true
  28615. subresources:
  28616. status: {}
  28617. ---
  28618. apiVersion: apiextensions.k8s.io/v1
  28619. kind: CustomResourceDefinition
  28620. metadata:
  28621. annotations:
  28622. controller-gen.kubebuilder.io/version: v0.19.0
  28623. labels:
  28624. external-secrets.io/component: controller
  28625. name: quayaccesstokens.generators.external-secrets.io
  28626. spec:
  28627. group: generators.external-secrets.io
  28628. names:
  28629. categories:
  28630. - external-secrets
  28631. - external-secrets-generators
  28632. kind: QuayAccessToken
  28633. listKind: QuayAccessTokenList
  28634. plural: quayaccesstokens
  28635. singular: quayaccesstoken
  28636. scope: Namespaced
  28637. versions:
  28638. - name: v1alpha1
  28639. schema:
  28640. openAPIV3Schema:
  28641. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  28642. properties:
  28643. apiVersion:
  28644. description: |-
  28645. APIVersion defines the versioned schema of this representation of an object.
  28646. Servers should convert recognized schemas to the latest internal value, and
  28647. may reject unrecognized values.
  28648. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28649. type: string
  28650. kind:
  28651. description: |-
  28652. Kind is a string value representing the REST resource this object represents.
  28653. Servers may infer this from the endpoint the client submits requests to.
  28654. Cannot be updated.
  28655. In CamelCase.
  28656. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28657. type: string
  28658. metadata:
  28659. type: object
  28660. spec:
  28661. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  28662. properties:
  28663. robotAccount:
  28664. description: Name of the robot account you are federating with
  28665. type: string
  28666. serviceAccountRef:
  28667. description: Name of the service account you are federating with
  28668. properties:
  28669. audiences:
  28670. description: |-
  28671. Audience specifies the `aud` claim for the service account token
  28672. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28673. then this audiences will be appended to the list
  28674. items:
  28675. type: string
  28676. type: array
  28677. name:
  28678. description: The name of the ServiceAccount resource being referred to.
  28679. maxLength: 253
  28680. minLength: 1
  28681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28682. type: string
  28683. namespace:
  28684. description: |-
  28685. Namespace of the resource being referred to.
  28686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28687. maxLength: 63
  28688. minLength: 1
  28689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28690. type: string
  28691. required:
  28692. - name
  28693. type: object
  28694. url:
  28695. description: URL configures the Quay instance URL. Defaults to quay.io.
  28696. type: string
  28697. required:
  28698. - robotAccount
  28699. - serviceAccountRef
  28700. type: object
  28701. type: object
  28702. served: true
  28703. storage: true
  28704. subresources:
  28705. status: {}
  28706. ---
  28707. apiVersion: apiextensions.k8s.io/v1
  28708. kind: CustomResourceDefinition
  28709. metadata:
  28710. annotations:
  28711. controller-gen.kubebuilder.io/version: v0.19.0
  28712. labels:
  28713. external-secrets.io/component: controller
  28714. name: sshkeys.generators.external-secrets.io
  28715. spec:
  28716. group: generators.external-secrets.io
  28717. names:
  28718. categories:
  28719. - external-secrets
  28720. - external-secrets-generators
  28721. kind: SSHKey
  28722. listKind: SSHKeyList
  28723. plural: sshkeys
  28724. singular: sshkey
  28725. scope: Namespaced
  28726. versions:
  28727. - name: v1alpha1
  28728. schema:
  28729. openAPIV3Schema:
  28730. description: SSHKey generates SSH key pairs.
  28731. properties:
  28732. apiVersion:
  28733. description: |-
  28734. APIVersion defines the versioned schema of this representation of an object.
  28735. Servers should convert recognized schemas to the latest internal value, and
  28736. may reject unrecognized values.
  28737. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28738. type: string
  28739. kind:
  28740. description: |-
  28741. Kind is a string value representing the REST resource this object represents.
  28742. Servers may infer this from the endpoint the client submits requests to.
  28743. Cannot be updated.
  28744. In CamelCase.
  28745. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28746. type: string
  28747. metadata:
  28748. type: object
  28749. spec:
  28750. description: SSHKeySpec controls the behavior of the ssh key generator.
  28751. properties:
  28752. comment:
  28753. description: Comment specifies an optional comment for the SSH key
  28754. type: string
  28755. keySize:
  28756. description: |-
  28757. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  28758. For RSA keys: 2048, 3072, 4096
  28759. For ECDSA keys: 256, 384, 521
  28760. Ignored for ed25519 keys
  28761. maximum: 8192
  28762. minimum: 256
  28763. type: integer
  28764. keyType:
  28765. default: rsa
  28766. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  28767. enum:
  28768. - rsa
  28769. - ecdsa
  28770. - ed25519
  28771. type: string
  28772. type: object
  28773. type: object
  28774. served: true
  28775. storage: true
  28776. subresources:
  28777. status: {}
  28778. ---
  28779. apiVersion: apiextensions.k8s.io/v1
  28780. kind: CustomResourceDefinition
  28781. metadata:
  28782. annotations:
  28783. controller-gen.kubebuilder.io/version: v0.19.0
  28784. labels:
  28785. external-secrets.io/component: controller
  28786. name: stsassumeroletokens.generators.external-secrets.io
  28787. spec:
  28788. group: generators.external-secrets.io
  28789. names:
  28790. categories:
  28791. - external-secrets
  28792. - external-secrets-generators
  28793. kind: STSAssumeRoleToken
  28794. listKind: STSAssumeRoleTokenList
  28795. plural: stsassumeroletokens
  28796. singular: stsassumeroletoken
  28797. scope: Namespaced
  28798. versions:
  28799. - name: v1alpha1
  28800. schema:
  28801. openAPIV3Schema:
  28802. description: |-
  28803. STSAssumeRoleToken uses sts:AssumeRole to obtain temporary AWS credentials.
  28804. Unlike STSSessionToken (which calls GetSessionToken), this generator works with
  28805. both long-term IAM credentials and temporary credentials such as IRSA pod identity,
  28806. making it suitable for any environment including on-premises clusters.
  28807. properties:
  28808. apiVersion:
  28809. description: |-
  28810. APIVersion defines the versioned schema of this representation of an object.
  28811. Servers should convert recognized schemas to the latest internal value, and
  28812. may reject unrecognized values.
  28813. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28814. type: string
  28815. kind:
  28816. description: |-
  28817. Kind is a string value representing the REST resource this object represents.
  28818. Servers may infer this from the endpoint the client submits requests to.
  28819. Cannot be updated.
  28820. In CamelCase.
  28821. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28822. type: string
  28823. metadata:
  28824. type: object
  28825. spec:
  28826. description: |-
  28827. STSAssumeRoleTokenSpec defines the desired state to generate temporary AWS credentials
  28828. via sts:AssumeRole. Unlike STSSessionToken, this generator works with both long-term
  28829. credentials and temporary credentials (e.g. IRSA / pod identity).
  28830. properties:
  28831. auth:
  28832. description: Auth defines how to authenticate with AWS.
  28833. properties:
  28834. jwt:
  28835. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28836. properties:
  28837. serviceAccountRef:
  28838. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28839. properties:
  28840. audiences:
  28841. description: |-
  28842. Audience specifies the `aud` claim for the service account token
  28843. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28844. then this audiences will be appended to the list
  28845. items:
  28846. type: string
  28847. type: array
  28848. name:
  28849. description: The name of the ServiceAccount resource being referred to.
  28850. maxLength: 253
  28851. minLength: 1
  28852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28853. type: string
  28854. namespace:
  28855. description: |-
  28856. Namespace of the resource being referred to.
  28857. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28858. maxLength: 63
  28859. minLength: 1
  28860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28861. type: string
  28862. required:
  28863. - name
  28864. type: object
  28865. type: object
  28866. secretRef:
  28867. description: |-
  28868. AWSAuthSecretRef holds secret references for AWS credentials
  28869. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28870. properties:
  28871. accessKeyIDSecretRef:
  28872. description: The AccessKeyID is used for authentication
  28873. properties:
  28874. key:
  28875. description: |-
  28876. A key in the referenced Secret.
  28877. Some instances of this field may be defaulted, in others it may be required.
  28878. maxLength: 253
  28879. minLength: 1
  28880. pattern: ^[-._a-zA-Z0-9]+$
  28881. type: string
  28882. name:
  28883. description: The name of the Secret resource being referred to.
  28884. maxLength: 253
  28885. minLength: 1
  28886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28887. type: string
  28888. namespace:
  28889. description: |-
  28890. The namespace of the Secret resource being referred to.
  28891. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28892. maxLength: 63
  28893. minLength: 1
  28894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28895. type: string
  28896. type: object
  28897. secretAccessKeySecretRef:
  28898. description: The SecretAccessKey is used for authentication
  28899. properties:
  28900. key:
  28901. description: |-
  28902. A key in the referenced Secret.
  28903. Some instances of this field may be defaulted, in others it may be required.
  28904. maxLength: 253
  28905. minLength: 1
  28906. pattern: ^[-._a-zA-Z0-9]+$
  28907. type: string
  28908. name:
  28909. description: The name of the Secret resource being referred to.
  28910. maxLength: 253
  28911. minLength: 1
  28912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28913. type: string
  28914. namespace:
  28915. description: |-
  28916. The namespace of the Secret resource being referred to.
  28917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28918. maxLength: 63
  28919. minLength: 1
  28920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28921. type: string
  28922. type: object
  28923. sessionTokenSecretRef:
  28924. description: |-
  28925. The SessionToken used for authentication
  28926. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28927. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28928. properties:
  28929. key:
  28930. description: |-
  28931. A key in the referenced Secret.
  28932. Some instances of this field may be defaulted, in others it may be required.
  28933. maxLength: 253
  28934. minLength: 1
  28935. pattern: ^[-._a-zA-Z0-9]+$
  28936. type: string
  28937. name:
  28938. description: The name of the Secret resource being referred to.
  28939. maxLength: 253
  28940. minLength: 1
  28941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28942. type: string
  28943. namespace:
  28944. description: |-
  28945. The namespace of the Secret resource being referred to.
  28946. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28947. maxLength: 63
  28948. minLength: 1
  28949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28950. type: string
  28951. type: object
  28952. type: object
  28953. type: object
  28954. region:
  28955. description: Region specifies the AWS region to operate in.
  28956. type: string
  28957. requestParameters:
  28958. description: RequestParameters contains optional parameters for the AssumeRole call.
  28959. properties:
  28960. externalID:
  28961. description: |-
  28962. ExternalID is a unique identifier that might be required when you assume a
  28963. role in another account. If the administrator of the account to which the
  28964. role belongs provided you with an external ID, then provide that value.
  28965. type: string
  28966. sessionDuration:
  28967. description: |-
  28968. SessionDuration The duration, in seconds, of the role session.
  28969. The value can range from 900 seconds (15 minutes) to the maximum session
  28970. duration setting for the role. If not specified, the default is 1 hour.
  28971. format: int32
  28972. type: integer
  28973. type: object
  28974. role:
  28975. description: Role is the ARN of the IAM role to assume.
  28976. minLength: 1
  28977. type: string
  28978. required:
  28979. - region
  28980. - role
  28981. type: object
  28982. type: object
  28983. served: true
  28984. storage: true
  28985. subresources:
  28986. status: {}
  28987. ---
  28988. apiVersion: apiextensions.k8s.io/v1
  28989. kind: CustomResourceDefinition
  28990. metadata:
  28991. annotations:
  28992. controller-gen.kubebuilder.io/version: v0.19.0
  28993. labels:
  28994. external-secrets.io/component: controller
  28995. name: stssessiontokens.generators.external-secrets.io
  28996. spec:
  28997. group: generators.external-secrets.io
  28998. names:
  28999. categories:
  29000. - external-secrets
  29001. - external-secrets-generators
  29002. kind: STSSessionToken
  29003. listKind: STSSessionTokenList
  29004. plural: stssessiontokens
  29005. singular: stssessiontoken
  29006. scope: Namespaced
  29007. versions:
  29008. - name: v1alpha1
  29009. schema:
  29010. openAPIV3Schema:
  29011. description: |-
  29012. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  29013. The authorization token is valid for 12 hours.
  29014. The authorizationToken returned is a base64 encoded string that can be decoded.
  29015. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  29016. properties:
  29017. apiVersion:
  29018. description: |-
  29019. APIVersion defines the versioned schema of this representation of an object.
  29020. Servers should convert recognized schemas to the latest internal value, and
  29021. may reject unrecognized values.
  29022. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29023. type: string
  29024. kind:
  29025. description: |-
  29026. Kind is a string value representing the REST resource this object represents.
  29027. Servers may infer this from the endpoint the client submits requests to.
  29028. Cannot be updated.
  29029. In CamelCase.
  29030. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29031. type: string
  29032. metadata:
  29033. type: object
  29034. spec:
  29035. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  29036. properties:
  29037. auth:
  29038. description: Auth defines how to authenticate with AWS
  29039. properties:
  29040. jwt:
  29041. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  29042. properties:
  29043. serviceAccountRef:
  29044. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29045. properties:
  29046. audiences:
  29047. description: |-
  29048. Audience specifies the `aud` claim for the service account token
  29049. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29050. then this audiences will be appended to the list
  29051. items:
  29052. type: string
  29053. type: array
  29054. name:
  29055. description: The name of the ServiceAccount resource being referred to.
  29056. maxLength: 253
  29057. minLength: 1
  29058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29059. type: string
  29060. namespace:
  29061. description: |-
  29062. Namespace of the resource being referred to.
  29063. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29064. maxLength: 63
  29065. minLength: 1
  29066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29067. type: string
  29068. required:
  29069. - name
  29070. type: object
  29071. type: object
  29072. secretRef:
  29073. description: |-
  29074. AWSAuthSecretRef holds secret references for AWS credentials
  29075. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  29076. properties:
  29077. accessKeyIDSecretRef:
  29078. description: The AccessKeyID is used for authentication
  29079. properties:
  29080. key:
  29081. description: |-
  29082. A key in the referenced Secret.
  29083. Some instances of this field may be defaulted, in others it may be required.
  29084. maxLength: 253
  29085. minLength: 1
  29086. pattern: ^[-._a-zA-Z0-9]+$
  29087. type: string
  29088. name:
  29089. description: The name of the Secret resource being referred to.
  29090. maxLength: 253
  29091. minLength: 1
  29092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29093. type: string
  29094. namespace:
  29095. description: |-
  29096. The namespace of the Secret resource being referred to.
  29097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29098. maxLength: 63
  29099. minLength: 1
  29100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29101. type: string
  29102. type: object
  29103. secretAccessKeySecretRef:
  29104. description: The SecretAccessKey is used for authentication
  29105. properties:
  29106. key:
  29107. description: |-
  29108. A key in the referenced Secret.
  29109. Some instances of this field may be defaulted, in others it may be required.
  29110. maxLength: 253
  29111. minLength: 1
  29112. pattern: ^[-._a-zA-Z0-9]+$
  29113. type: string
  29114. name:
  29115. description: The name of the Secret resource being referred to.
  29116. maxLength: 253
  29117. minLength: 1
  29118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29119. type: string
  29120. namespace:
  29121. description: |-
  29122. The namespace of the Secret resource being referred to.
  29123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29124. maxLength: 63
  29125. minLength: 1
  29126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29127. type: string
  29128. type: object
  29129. sessionTokenSecretRef:
  29130. description: |-
  29131. The SessionToken used for authentication
  29132. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  29133. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  29134. properties:
  29135. key:
  29136. description: |-
  29137. A key in the referenced Secret.
  29138. Some instances of this field may be defaulted, in others it may be required.
  29139. maxLength: 253
  29140. minLength: 1
  29141. pattern: ^[-._a-zA-Z0-9]+$
  29142. type: string
  29143. name:
  29144. description: The name of the Secret resource being referred to.
  29145. maxLength: 253
  29146. minLength: 1
  29147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29148. type: string
  29149. namespace:
  29150. description: |-
  29151. The namespace of the Secret resource being referred to.
  29152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29153. maxLength: 63
  29154. minLength: 1
  29155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29156. type: string
  29157. type: object
  29158. type: object
  29159. type: object
  29160. region:
  29161. description: Region specifies the region to operate in.
  29162. type: string
  29163. requestParameters:
  29164. description: RequestParameters contains parameters that can be passed to the STS service.
  29165. properties:
  29166. serialNumber:
  29167. description: |-
  29168. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  29169. the GetSessionToken call.
  29170. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  29171. (such as arn:aws:iam::123456789012:mfa/user)
  29172. type: string
  29173. sessionDuration:
  29174. format: int32
  29175. type: integer
  29176. tokenCode:
  29177. description: TokenCode is the value provided by the MFA device, if MFA is required.
  29178. type: string
  29179. type: object
  29180. role:
  29181. description: |-
  29182. You can assume a role before making calls to the
  29183. desired AWS service.
  29184. type: string
  29185. required:
  29186. - region
  29187. type: object
  29188. type: object
  29189. served: true
  29190. storage: true
  29191. subresources:
  29192. status: {}
  29193. ---
  29194. apiVersion: apiextensions.k8s.io/v1
  29195. kind: CustomResourceDefinition
  29196. metadata:
  29197. annotations:
  29198. controller-gen.kubebuilder.io/version: v0.19.0
  29199. labels:
  29200. external-secrets.io/component: controller
  29201. name: uuids.generators.external-secrets.io
  29202. spec:
  29203. group: generators.external-secrets.io
  29204. names:
  29205. categories:
  29206. - external-secrets
  29207. - external-secrets-generators
  29208. kind: UUID
  29209. listKind: UUIDList
  29210. plural: uuids
  29211. singular: uuid
  29212. scope: Namespaced
  29213. versions:
  29214. - name: v1alpha1
  29215. schema:
  29216. openAPIV3Schema:
  29217. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  29218. properties:
  29219. apiVersion:
  29220. description: |-
  29221. APIVersion defines the versioned schema of this representation of an object.
  29222. Servers should convert recognized schemas to the latest internal value, and
  29223. may reject unrecognized values.
  29224. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29225. type: string
  29226. kind:
  29227. description: |-
  29228. Kind is a string value representing the REST resource this object represents.
  29229. Servers may infer this from the endpoint the client submits requests to.
  29230. Cannot be updated.
  29231. In CamelCase.
  29232. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29233. type: string
  29234. metadata:
  29235. type: object
  29236. spec:
  29237. description: UUIDSpec controls the behavior of the uuid generator.
  29238. type: object
  29239. type: object
  29240. served: true
  29241. storage: true
  29242. subresources:
  29243. status: {}
  29244. ---
  29245. apiVersion: apiextensions.k8s.io/v1
  29246. kind: CustomResourceDefinition
  29247. metadata:
  29248. annotations:
  29249. controller-gen.kubebuilder.io/version: v0.19.0
  29250. labels:
  29251. external-secrets.io/component: controller
  29252. name: vaultdynamicsecrets.generators.external-secrets.io
  29253. spec:
  29254. group: generators.external-secrets.io
  29255. names:
  29256. categories:
  29257. - external-secrets
  29258. - external-secrets-generators
  29259. kind: VaultDynamicSecret
  29260. listKind: VaultDynamicSecretList
  29261. plural: vaultdynamicsecrets
  29262. singular: vaultdynamicsecret
  29263. scope: Namespaced
  29264. versions:
  29265. - name: v1alpha1
  29266. schema:
  29267. openAPIV3Schema:
  29268. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  29269. properties:
  29270. apiVersion:
  29271. description: |-
  29272. APIVersion defines the versioned schema of this representation of an object.
  29273. Servers should convert recognized schemas to the latest internal value, and
  29274. may reject unrecognized values.
  29275. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29276. type: string
  29277. kind:
  29278. description: |-
  29279. Kind is a string value representing the REST resource this object represents.
  29280. Servers may infer this from the endpoint the client submits requests to.
  29281. Cannot be updated.
  29282. In CamelCase.
  29283. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29284. type: string
  29285. metadata:
  29286. type: object
  29287. spec:
  29288. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  29289. properties:
  29290. allowEmptyResponse:
  29291. default: false
  29292. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  29293. type: boolean
  29294. controller:
  29295. description: |-
  29296. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29297. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29298. type: string
  29299. getParameters:
  29300. additionalProperties:
  29301. items:
  29302. type: string
  29303. type: array
  29304. description: |-
  29305. GetParameters are query-string parameters passed to Vault on GET calls.
  29306. Each key may map to multiple values, matching HTTP query-string semantics.
  29307. Ignored for non-GET methods; use Parameters for write bodies.
  29308. type: object
  29309. method:
  29310. description: Vault API method to use (GET/POST/other)
  29311. type: string
  29312. parameters:
  29313. description: Parameters to pass to Vault write (for non-GET methods)
  29314. x-kubernetes-preserve-unknown-fields: true
  29315. path:
  29316. description: Vault path to obtain the dynamic secret from
  29317. type: string
  29318. provider:
  29319. description: Vault provider common spec
  29320. properties:
  29321. auth:
  29322. description: Auth configures how secret-manager authenticates with the Vault server.
  29323. properties:
  29324. appRole:
  29325. description: |-
  29326. AppRole authenticates with Vault using the App Role auth mechanism,
  29327. with the role and secret stored in a Kubernetes Secret resource.
  29328. properties:
  29329. path:
  29330. default: approle
  29331. description: |-
  29332. Path where the App Role authentication backend is mounted
  29333. in Vault, e.g: "approle"
  29334. type: string
  29335. roleId:
  29336. description: |-
  29337. RoleID configured in the App Role authentication backend when setting
  29338. up the authentication backend in Vault.
  29339. type: string
  29340. roleRef:
  29341. description: |-
  29342. Reference to a key in a Secret that contains the App Role ID used
  29343. to authenticate with Vault.
  29344. The `key` field must be specified and denotes which entry within the Secret
  29345. resource is used as the app role id.
  29346. properties:
  29347. key:
  29348. description: |-
  29349. A key in the referenced Secret.
  29350. Some instances of this field may be defaulted, in others it may be required.
  29351. maxLength: 253
  29352. minLength: 1
  29353. pattern: ^[-._a-zA-Z0-9]+$
  29354. type: string
  29355. name:
  29356. description: The name of the Secret resource being referred to.
  29357. maxLength: 253
  29358. minLength: 1
  29359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29360. type: string
  29361. namespace:
  29362. description: |-
  29363. The namespace of the Secret resource being referred to.
  29364. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29365. maxLength: 63
  29366. minLength: 1
  29367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29368. type: string
  29369. type: object
  29370. secretRef:
  29371. description: |-
  29372. Reference to a key in a Secret that contains the App Role secret used
  29373. to authenticate with Vault.
  29374. The `key` field must be specified and denotes which entry within the Secret
  29375. resource is used as the app role secret.
  29376. properties:
  29377. key:
  29378. description: |-
  29379. A key in the referenced Secret.
  29380. Some instances of this field may be defaulted, in others it may be required.
  29381. maxLength: 253
  29382. minLength: 1
  29383. pattern: ^[-._a-zA-Z0-9]+$
  29384. type: string
  29385. name:
  29386. description: The name of the Secret resource being referred to.
  29387. maxLength: 253
  29388. minLength: 1
  29389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29390. type: string
  29391. namespace:
  29392. description: |-
  29393. The namespace of the Secret resource being referred to.
  29394. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29395. maxLength: 63
  29396. minLength: 1
  29397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29398. type: string
  29399. type: object
  29400. required:
  29401. - path
  29402. - secretRef
  29403. type: object
  29404. cert:
  29405. description: |-
  29406. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  29407. Cert authentication method
  29408. properties:
  29409. clientCert:
  29410. description: |-
  29411. ClientCert is a certificate to authenticate using the Cert Vault
  29412. authentication method
  29413. properties:
  29414. key:
  29415. description: |-
  29416. A key in the referenced Secret.
  29417. Some instances of this field may be defaulted, in others it may be required.
  29418. maxLength: 253
  29419. minLength: 1
  29420. pattern: ^[-._a-zA-Z0-9]+$
  29421. type: string
  29422. name:
  29423. description: The name of the Secret resource being referred to.
  29424. maxLength: 253
  29425. minLength: 1
  29426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29427. type: string
  29428. namespace:
  29429. description: |-
  29430. The namespace of the Secret resource being referred to.
  29431. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29432. maxLength: 63
  29433. minLength: 1
  29434. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29435. type: string
  29436. type: object
  29437. path:
  29438. default: cert
  29439. description: |-
  29440. Path where the Certificate authentication backend is mounted
  29441. in Vault, e.g: "cert"
  29442. type: string
  29443. secretRef:
  29444. description: |-
  29445. SecretRef to a key in a Secret resource containing client private key to
  29446. authenticate with Vault using the Cert authentication method
  29447. properties:
  29448. key:
  29449. description: |-
  29450. A key in the referenced Secret.
  29451. Some instances of this field may be defaulted, in others it may be required.
  29452. maxLength: 253
  29453. minLength: 1
  29454. pattern: ^[-._a-zA-Z0-9]+$
  29455. type: string
  29456. name:
  29457. description: The name of the Secret resource being referred to.
  29458. maxLength: 253
  29459. minLength: 1
  29460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29461. type: string
  29462. namespace:
  29463. description: |-
  29464. The namespace of the Secret resource being referred to.
  29465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29466. maxLength: 63
  29467. minLength: 1
  29468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29469. type: string
  29470. type: object
  29471. vaultRole:
  29472. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  29473. type: string
  29474. type: object
  29475. gcp:
  29476. description: |-
  29477. Gcp authenticates with Vault using Google Cloud Platform authentication method
  29478. GCP authentication method
  29479. properties:
  29480. location:
  29481. description: Location optionally defines a location/region for the secret
  29482. type: string
  29483. path:
  29484. default: gcp
  29485. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  29486. type: string
  29487. projectID:
  29488. description: Project ID of the Google Cloud Platform project
  29489. type: string
  29490. role:
  29491. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  29492. type: string
  29493. secretRef:
  29494. description: Specify credentials in a Secret object
  29495. properties:
  29496. secretAccessKeySecretRef:
  29497. description: The SecretAccessKey is used for authentication
  29498. properties:
  29499. key:
  29500. description: |-
  29501. A key in the referenced Secret.
  29502. Some instances of this field may be defaulted, in others it may be required.
  29503. maxLength: 253
  29504. minLength: 1
  29505. pattern: ^[-._a-zA-Z0-9]+$
  29506. type: string
  29507. name:
  29508. description: The name of the Secret resource being referred to.
  29509. maxLength: 253
  29510. minLength: 1
  29511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29512. type: string
  29513. namespace:
  29514. description: |-
  29515. The namespace of the Secret resource being referred to.
  29516. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29517. maxLength: 63
  29518. minLength: 1
  29519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29520. type: string
  29521. type: object
  29522. type: object
  29523. serviceAccountRef:
  29524. description: ServiceAccountRef to a service account for impersonation
  29525. properties:
  29526. audiences:
  29527. description: |-
  29528. Audience specifies the `aud` claim for the service account token
  29529. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29530. then this audiences will be appended to the list
  29531. items:
  29532. type: string
  29533. type: array
  29534. name:
  29535. description: The name of the ServiceAccount resource being referred to.
  29536. maxLength: 253
  29537. minLength: 1
  29538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29539. type: string
  29540. namespace:
  29541. description: |-
  29542. Namespace of the resource being referred to.
  29543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29544. maxLength: 63
  29545. minLength: 1
  29546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29547. type: string
  29548. required:
  29549. - name
  29550. type: object
  29551. workloadIdentity:
  29552. description: Specify a service account with Workload Identity
  29553. properties:
  29554. clusterLocation:
  29555. description: |-
  29556. ClusterLocation is the location of the cluster
  29557. If not specified, it fetches information from the metadata server
  29558. type: string
  29559. clusterName:
  29560. description: |-
  29561. ClusterName is the name of the cluster
  29562. If not specified, it fetches information from the metadata server
  29563. type: string
  29564. clusterProjectID:
  29565. description: |-
  29566. ClusterProjectID is the project ID of the cluster
  29567. If not specified, it fetches information from the metadata server
  29568. type: string
  29569. serviceAccountRef:
  29570. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29571. properties:
  29572. audiences:
  29573. description: |-
  29574. Audience specifies the `aud` claim for the service account token
  29575. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29576. then this audiences will be appended to the list
  29577. items:
  29578. type: string
  29579. type: array
  29580. name:
  29581. description: The name of the ServiceAccount resource being referred to.
  29582. maxLength: 253
  29583. minLength: 1
  29584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29585. type: string
  29586. namespace:
  29587. description: |-
  29588. Namespace of the resource being referred to.
  29589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29590. maxLength: 63
  29591. minLength: 1
  29592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29593. type: string
  29594. required:
  29595. - name
  29596. type: object
  29597. required:
  29598. - serviceAccountRef
  29599. type: object
  29600. required:
  29601. - role
  29602. type: object
  29603. iam:
  29604. description: |-
  29605. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  29606. AWS IAM authentication method
  29607. properties:
  29608. externalID:
  29609. description: AWS External ID set on assumed IAM roles
  29610. type: string
  29611. jwt:
  29612. description: Specify a service account with IRSA enabled
  29613. properties:
  29614. serviceAccountRef:
  29615. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29616. properties:
  29617. audiences:
  29618. description: |-
  29619. Audience specifies the `aud` claim for the service account token
  29620. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29621. then this audiences will be appended to the list
  29622. items:
  29623. type: string
  29624. type: array
  29625. name:
  29626. description: The name of the ServiceAccount resource being referred to.
  29627. maxLength: 253
  29628. minLength: 1
  29629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29630. type: string
  29631. namespace:
  29632. description: |-
  29633. Namespace of the resource being referred to.
  29634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29635. maxLength: 63
  29636. minLength: 1
  29637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29638. type: string
  29639. required:
  29640. - name
  29641. type: object
  29642. type: object
  29643. path:
  29644. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  29645. type: string
  29646. region:
  29647. description: AWS region
  29648. type: string
  29649. role:
  29650. description: This is the AWS role to be assumed before talking to vault
  29651. type: string
  29652. secretRef:
  29653. description: Specify credentials in a Secret object
  29654. properties:
  29655. accessKeyIDSecretRef:
  29656. description: The AccessKeyID is used for authentication
  29657. properties:
  29658. key:
  29659. description: |-
  29660. A key in the referenced Secret.
  29661. Some instances of this field may be defaulted, in others it may be required.
  29662. maxLength: 253
  29663. minLength: 1
  29664. pattern: ^[-._a-zA-Z0-9]+$
  29665. type: string
  29666. name:
  29667. description: The name of the Secret resource being referred to.
  29668. maxLength: 253
  29669. minLength: 1
  29670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29671. type: string
  29672. namespace:
  29673. description: |-
  29674. The namespace of the Secret resource being referred to.
  29675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29676. maxLength: 63
  29677. minLength: 1
  29678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29679. type: string
  29680. type: object
  29681. secretAccessKeySecretRef:
  29682. description: The SecretAccessKey is used for authentication
  29683. properties:
  29684. key:
  29685. description: |-
  29686. A key in the referenced Secret.
  29687. Some instances of this field may be defaulted, in others it may be required.
  29688. maxLength: 253
  29689. minLength: 1
  29690. pattern: ^[-._a-zA-Z0-9]+$
  29691. type: string
  29692. name:
  29693. description: The name of the Secret resource being referred to.
  29694. maxLength: 253
  29695. minLength: 1
  29696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29697. type: string
  29698. namespace:
  29699. description: |-
  29700. The namespace of the Secret resource being referred to.
  29701. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29702. maxLength: 63
  29703. minLength: 1
  29704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29705. type: string
  29706. type: object
  29707. sessionTokenSecretRef:
  29708. description: |-
  29709. The SessionToken used for authentication
  29710. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  29711. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  29712. properties:
  29713. key:
  29714. description: |-
  29715. A key in the referenced Secret.
  29716. Some instances of this field may be defaulted, in others it may be required.
  29717. maxLength: 253
  29718. minLength: 1
  29719. pattern: ^[-._a-zA-Z0-9]+$
  29720. type: string
  29721. name:
  29722. description: The name of the Secret resource being referred to.
  29723. maxLength: 253
  29724. minLength: 1
  29725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29726. type: string
  29727. namespace:
  29728. description: |-
  29729. The namespace of the Secret resource being referred to.
  29730. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29731. maxLength: 63
  29732. minLength: 1
  29733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29734. type: string
  29735. type: object
  29736. type: object
  29737. vaultAwsIamServerID:
  29738. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  29739. type: string
  29740. vaultRole:
  29741. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  29742. type: string
  29743. required:
  29744. - vaultRole
  29745. type: object
  29746. jwt:
  29747. description: |-
  29748. Jwt authenticates with Vault by passing role and JWT token using the
  29749. JWT/OIDC authentication method
  29750. properties:
  29751. kubernetesServiceAccountToken:
  29752. description: |-
  29753. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  29754. a token for with the `TokenRequest` API.
  29755. properties:
  29756. audiences:
  29757. description: |-
  29758. Optional audiences field that will be used to request a temporary Kubernetes service
  29759. account token for the service account referenced by `serviceAccountRef`.
  29760. Defaults to a single audience `vault` it not specified.
  29761. Deprecated: use serviceAccountRef.Audiences instead
  29762. items:
  29763. type: string
  29764. type: array
  29765. expirationSeconds:
  29766. description: |-
  29767. Optional expiration time in seconds that will be used to request a temporary
  29768. Kubernetes service account token for the service account referenced by
  29769. `serviceAccountRef`.
  29770. Deprecated: this will be removed in the future.
  29771. Defaults to 10 minutes.
  29772. format: int64
  29773. type: integer
  29774. serviceAccountRef:
  29775. description: Service account field containing the name of a kubernetes ServiceAccount.
  29776. properties:
  29777. audiences:
  29778. description: |-
  29779. Audience specifies the `aud` claim for the service account token
  29780. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29781. then this audiences will be appended to the list
  29782. items:
  29783. type: string
  29784. type: array
  29785. name:
  29786. description: The name of the ServiceAccount resource being referred to.
  29787. maxLength: 253
  29788. minLength: 1
  29789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29790. type: string
  29791. namespace:
  29792. description: |-
  29793. Namespace of the resource being referred to.
  29794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29795. maxLength: 63
  29796. minLength: 1
  29797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29798. type: string
  29799. required:
  29800. - name
  29801. type: object
  29802. required:
  29803. - serviceAccountRef
  29804. type: object
  29805. path:
  29806. default: jwt
  29807. description: |-
  29808. Path where the JWT authentication backend is mounted
  29809. in Vault, e.g: "jwt"
  29810. type: string
  29811. role:
  29812. description: |-
  29813. Role is a JWT role to authenticate using the JWT/OIDC Vault
  29814. authentication method
  29815. type: string
  29816. secretRef:
  29817. description: |-
  29818. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  29819. authenticate with Vault using the JWT/OIDC authentication method.
  29820. properties:
  29821. key:
  29822. description: |-
  29823. A key in the referenced Secret.
  29824. Some instances of this field may be defaulted, in others it may be required.
  29825. maxLength: 253
  29826. minLength: 1
  29827. pattern: ^[-._a-zA-Z0-9]+$
  29828. type: string
  29829. name:
  29830. description: The name of the Secret resource being referred to.
  29831. maxLength: 253
  29832. minLength: 1
  29833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29834. type: string
  29835. namespace:
  29836. description: |-
  29837. The namespace of the Secret resource being referred to.
  29838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29839. maxLength: 63
  29840. minLength: 1
  29841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29842. type: string
  29843. type: object
  29844. required:
  29845. - path
  29846. type: object
  29847. kubernetes:
  29848. description: |-
  29849. Kubernetes authenticates with Vault by passing the ServiceAccount
  29850. token stored in the named Secret resource to the Vault server.
  29851. properties:
  29852. mountPath:
  29853. default: kubernetes
  29854. description: |-
  29855. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  29856. "kubernetes"
  29857. type: string
  29858. role:
  29859. description: |-
  29860. A required field containing the Vault Role to assume. A Role binds a
  29861. Kubernetes ServiceAccount with a set of Vault policies.
  29862. type: string
  29863. secretRef:
  29864. description: |-
  29865. Optional secret field containing a Kubernetes ServiceAccount JWT used
  29866. for authenticating with Vault. If a name is specified without a key,
  29867. `token` is the default. If one is not specified, the one bound to
  29868. the controller will be used.
  29869. properties:
  29870. key:
  29871. description: |-
  29872. A key in the referenced Secret.
  29873. Some instances of this field may be defaulted, in others it may be required.
  29874. maxLength: 253
  29875. minLength: 1
  29876. pattern: ^[-._a-zA-Z0-9]+$
  29877. type: string
  29878. name:
  29879. description: The name of the Secret resource being referred to.
  29880. maxLength: 253
  29881. minLength: 1
  29882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29883. type: string
  29884. namespace:
  29885. description: |-
  29886. The namespace of the Secret resource being referred to.
  29887. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29888. maxLength: 63
  29889. minLength: 1
  29890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29891. type: string
  29892. type: object
  29893. serviceAccountRef:
  29894. description: |-
  29895. Optional service account field containing the name of a kubernetes ServiceAccount.
  29896. If the service account is specified, the service account secret token JWT will be used
  29897. for authenticating with Vault. If the service account selector is not supplied,
  29898. the secretRef will be used instead.
  29899. properties:
  29900. audiences:
  29901. description: |-
  29902. Audience specifies the `aud` claim for the service account token
  29903. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29904. then this audiences will be appended to the list
  29905. items:
  29906. type: string
  29907. type: array
  29908. name:
  29909. description: The name of the ServiceAccount resource being referred to.
  29910. maxLength: 253
  29911. minLength: 1
  29912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29913. type: string
  29914. namespace:
  29915. description: |-
  29916. Namespace of the resource being referred to.
  29917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29918. maxLength: 63
  29919. minLength: 1
  29920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29921. type: string
  29922. required:
  29923. - name
  29924. type: object
  29925. required:
  29926. - mountPath
  29927. - role
  29928. type: object
  29929. ldap:
  29930. description: |-
  29931. Ldap authenticates with Vault by passing username/password pair using
  29932. the LDAP authentication method
  29933. properties:
  29934. path:
  29935. default: ldap
  29936. description: |-
  29937. Path where the LDAP authentication backend is mounted
  29938. in Vault, e.g: "ldap"
  29939. type: string
  29940. secretRef:
  29941. description: |-
  29942. SecretRef to a key in a Secret resource containing password for the LDAP
  29943. user used to authenticate with Vault using the LDAP authentication
  29944. method
  29945. properties:
  29946. key:
  29947. description: |-
  29948. A key in the referenced Secret.
  29949. Some instances of this field may be defaulted, in others it may be required.
  29950. maxLength: 253
  29951. minLength: 1
  29952. pattern: ^[-._a-zA-Z0-9]+$
  29953. type: string
  29954. name:
  29955. description: The name of the Secret resource being referred to.
  29956. maxLength: 253
  29957. minLength: 1
  29958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29959. type: string
  29960. namespace:
  29961. description: |-
  29962. The namespace of the Secret resource being referred to.
  29963. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29964. maxLength: 63
  29965. minLength: 1
  29966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29967. type: string
  29968. type: object
  29969. username:
  29970. description: |-
  29971. Username is an LDAP username used to authenticate using the LDAP Vault
  29972. authentication method
  29973. type: string
  29974. required:
  29975. - path
  29976. - username
  29977. type: object
  29978. namespace:
  29979. description: |-
  29980. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  29981. Namespaces is a set of features within Vault Enterprise that allows
  29982. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  29983. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  29984. This will default to Vault.Namespace field if set, or empty otherwise
  29985. type: string
  29986. tokenSecretRef:
  29987. description: TokenSecretRef authenticates with Vault by presenting a token.
  29988. properties:
  29989. key:
  29990. description: |-
  29991. A key in the referenced Secret.
  29992. Some instances of this field may be defaulted, in others it may be required.
  29993. maxLength: 253
  29994. minLength: 1
  29995. pattern: ^[-._a-zA-Z0-9]+$
  29996. type: string
  29997. name:
  29998. description: The name of the Secret resource being referred to.
  29999. maxLength: 253
  30000. minLength: 1
  30001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30002. type: string
  30003. namespace:
  30004. description: |-
  30005. The namespace of the Secret resource being referred to.
  30006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30007. maxLength: 63
  30008. minLength: 1
  30009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30010. type: string
  30011. type: object
  30012. userPass:
  30013. description: UserPass authenticates with Vault by passing username/password pair
  30014. properties:
  30015. path:
  30016. default: userpass
  30017. description: |-
  30018. Path where the UserPassword authentication backend is mounted
  30019. in Vault, e.g: "userpass"
  30020. type: string
  30021. secretRef:
  30022. description: |-
  30023. SecretRef to a key in a Secret resource containing password for the
  30024. user used to authenticate with Vault using the UserPass authentication
  30025. method
  30026. properties:
  30027. key:
  30028. description: |-
  30029. A key in the referenced Secret.
  30030. Some instances of this field may be defaulted, in others it may be required.
  30031. maxLength: 253
  30032. minLength: 1
  30033. pattern: ^[-._a-zA-Z0-9]+$
  30034. type: string
  30035. name:
  30036. description: The name of the Secret resource being referred to.
  30037. maxLength: 253
  30038. minLength: 1
  30039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30040. type: string
  30041. namespace:
  30042. description: |-
  30043. The namespace of the Secret resource being referred to.
  30044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30045. maxLength: 63
  30046. minLength: 1
  30047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30048. type: string
  30049. type: object
  30050. username:
  30051. description: |-
  30052. Username is a username used to authenticate using the UserPass Vault
  30053. authentication method
  30054. type: string
  30055. required:
  30056. - path
  30057. - username
  30058. type: object
  30059. type: object
  30060. caBundle:
  30061. description: |-
  30062. PEM encoded CA bundle used to validate Vault server certificate. Only used
  30063. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30064. plain HTTP protocol connection. If not set the system root certificates
  30065. are used to validate the TLS connection.
  30066. format: byte
  30067. type: string
  30068. caProvider:
  30069. description: The provider for the CA bundle to use to validate Vault server certificate.
  30070. properties:
  30071. key:
  30072. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30073. maxLength: 253
  30074. minLength: 1
  30075. pattern: ^[-._a-zA-Z0-9]+$
  30076. type: string
  30077. name:
  30078. description: The name of the object located at the provider type.
  30079. maxLength: 253
  30080. minLength: 1
  30081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30082. type: string
  30083. namespace:
  30084. description: |-
  30085. The namespace the Provider type is in.
  30086. Can only be defined when used in a ClusterSecretStore.
  30087. maxLength: 63
  30088. minLength: 1
  30089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30090. type: string
  30091. type:
  30092. description: The type of provider to use such as "Secret", or "ConfigMap".
  30093. enum:
  30094. - Secret
  30095. - ConfigMap
  30096. type: string
  30097. required:
  30098. - name
  30099. - type
  30100. type: object
  30101. checkAndSet:
  30102. description: |-
  30103. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  30104. Only applies to Vault KV v2 stores. When enabled, write operations must include
  30105. the current version of the secret to prevent unintentional overwrites.
  30106. properties:
  30107. required:
  30108. description: |-
  30109. Required when true, all write operations must include a check-and-set parameter.
  30110. This helps prevent unintentional overwrites of secrets.
  30111. type: boolean
  30112. type: object
  30113. forwardInconsistent:
  30114. description: |-
  30115. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  30116. leader instead of simply retrying within a loop. This can increase performance if
  30117. the option is enabled serverside.
  30118. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  30119. type: boolean
  30120. headers:
  30121. additionalProperties:
  30122. type: string
  30123. description: Headers to be added in Vault request
  30124. type: object
  30125. namespace:
  30126. description: |-
  30127. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  30128. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30129. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30130. type: string
  30131. path:
  30132. description: |-
  30133. Path is the mount path of the Vault KV backend endpoint, e.g:
  30134. "secret". The v2 KV secret engine version specific "/data" path suffix
  30135. for fetching secrets from Vault is optional and will be appended
  30136. if not present in specified path.
  30137. type: string
  30138. readYourWrites:
  30139. description: |-
  30140. ReadYourWrites ensures isolated read-after-write semantics by
  30141. providing discovered cluster replication states in each request.
  30142. More information about eventual consistency in Vault can be found here
  30143. https://www.vaultproject.io/docs/enterprise/consistency
  30144. type: boolean
  30145. server:
  30146. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  30147. type: string
  30148. tls:
  30149. description: |-
  30150. The configuration used for client side related TLS communication, when the Vault server
  30151. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  30152. This parameter is ignored for plain HTTP protocol connection.
  30153. It's worth noting this configuration is different from the "TLS certificates auth method",
  30154. which is available under the `auth.cert` section.
  30155. properties:
  30156. certSecretRef:
  30157. description: |-
  30158. CertSecretRef is a certificate added to the transport layer
  30159. when communicating with the Vault server.
  30160. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  30161. properties:
  30162. key:
  30163. description: |-
  30164. A key in the referenced Secret.
  30165. Some instances of this field may be defaulted, in others it may be required.
  30166. maxLength: 253
  30167. minLength: 1
  30168. pattern: ^[-._a-zA-Z0-9]+$
  30169. type: string
  30170. name:
  30171. description: The name of the Secret resource being referred to.
  30172. maxLength: 253
  30173. minLength: 1
  30174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30175. type: string
  30176. namespace:
  30177. description: |-
  30178. The namespace of the Secret resource being referred to.
  30179. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30180. maxLength: 63
  30181. minLength: 1
  30182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30183. type: string
  30184. type: object
  30185. keySecretRef:
  30186. description: |-
  30187. KeySecretRef to a key in a Secret resource containing client private key
  30188. added to the transport layer when communicating with the Vault server.
  30189. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  30190. properties:
  30191. key:
  30192. description: |-
  30193. A key in the referenced Secret.
  30194. Some instances of this field may be defaulted, in others it may be required.
  30195. maxLength: 253
  30196. minLength: 1
  30197. pattern: ^[-._a-zA-Z0-9]+$
  30198. type: string
  30199. name:
  30200. description: The name of the Secret resource being referred to.
  30201. maxLength: 253
  30202. minLength: 1
  30203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30204. type: string
  30205. namespace:
  30206. description: |-
  30207. The namespace of the Secret resource being referred to.
  30208. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30209. maxLength: 63
  30210. minLength: 1
  30211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30212. type: string
  30213. type: object
  30214. type: object
  30215. version:
  30216. default: v2
  30217. description: |-
  30218. Version is the Vault KV secret engine version. This can be either "v1" or
  30219. "v2". Version defaults to "v2".
  30220. enum:
  30221. - v1
  30222. - v2
  30223. type: string
  30224. required:
  30225. - server
  30226. type: object
  30227. resultType:
  30228. default: Data
  30229. description: |-
  30230. Result type defines which data is returned from the generator.
  30231. By default, it is the "data" section of the Vault API response.
  30232. When using e.g. /auth/token/create the "data" section is empty but
  30233. the "auth" section contains the generated token.
  30234. Please refer to the vault docs regarding the result data structure.
  30235. Additionally, accessing the raw response is possibly by using "Raw" result type.
  30236. enum:
  30237. - Data
  30238. - Auth
  30239. - Raw
  30240. type: string
  30241. retrySettings:
  30242. description: Used to configure http retries if failed
  30243. properties:
  30244. maxRetries:
  30245. format: int32
  30246. type: integer
  30247. retryInterval:
  30248. type: string
  30249. type: object
  30250. required:
  30251. - path
  30252. - provider
  30253. type: object
  30254. type: object
  30255. served: true
  30256. storage: true
  30257. subresources:
  30258. status: {}
  30259. ---
  30260. apiVersion: apiextensions.k8s.io/v1
  30261. kind: CustomResourceDefinition
  30262. metadata:
  30263. annotations:
  30264. controller-gen.kubebuilder.io/version: v0.19.0
  30265. labels:
  30266. external-secrets.io/component: controller
  30267. name: webhooks.generators.external-secrets.io
  30268. spec:
  30269. group: generators.external-secrets.io
  30270. names:
  30271. categories:
  30272. - external-secrets
  30273. - external-secrets-generators
  30274. kind: Webhook
  30275. listKind: WebhookList
  30276. plural: webhooks
  30277. singular: webhook
  30278. scope: Namespaced
  30279. versions:
  30280. - name: v1alpha1
  30281. schema:
  30282. openAPIV3Schema:
  30283. description: |-
  30284. Webhook connects to a third party API server to handle the secrets generation
  30285. configuration parameters in spec.
  30286. You can specify the server, the token, and additional body parameters.
  30287. See documentation for the full API specification for requests and responses.
  30288. properties:
  30289. apiVersion:
  30290. description: |-
  30291. APIVersion defines the versioned schema of this representation of an object.
  30292. Servers should convert recognized schemas to the latest internal value, and
  30293. may reject unrecognized values.
  30294. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30295. type: string
  30296. kind:
  30297. description: |-
  30298. Kind is a string value representing the REST resource this object represents.
  30299. Servers may infer this from the endpoint the client submits requests to.
  30300. Cannot be updated.
  30301. In CamelCase.
  30302. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30303. type: string
  30304. metadata:
  30305. type: object
  30306. spec:
  30307. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  30308. properties:
  30309. auth:
  30310. description: Auth specifies a authorization protocol. Only one protocol may be set.
  30311. maxProperties: 1
  30312. minProperties: 1
  30313. properties:
  30314. ntlm:
  30315. description: NTLMProtocol configures the store to use NTLM for auth
  30316. properties:
  30317. passwordSecret:
  30318. description: |-
  30319. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30320. In some instances, `key` is a required field.
  30321. properties:
  30322. key:
  30323. description: |-
  30324. A key in the referenced Secret.
  30325. Some instances of this field may be defaulted, in others it may be required.
  30326. maxLength: 253
  30327. minLength: 1
  30328. pattern: ^[-._a-zA-Z0-9]+$
  30329. type: string
  30330. name:
  30331. description: The name of the Secret resource being referred to.
  30332. maxLength: 253
  30333. minLength: 1
  30334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30335. type: string
  30336. namespace:
  30337. description: |-
  30338. The namespace of the Secret resource being referred to.
  30339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30340. maxLength: 63
  30341. minLength: 1
  30342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30343. type: string
  30344. type: object
  30345. usernameSecret:
  30346. description: |-
  30347. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30348. In some instances, `key` is a required field.
  30349. properties:
  30350. key:
  30351. description: |-
  30352. A key in the referenced Secret.
  30353. Some instances of this field may be defaulted, in others it may be required.
  30354. maxLength: 253
  30355. minLength: 1
  30356. pattern: ^[-._a-zA-Z0-9]+$
  30357. type: string
  30358. name:
  30359. description: The name of the Secret resource being referred to.
  30360. maxLength: 253
  30361. minLength: 1
  30362. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30363. type: string
  30364. namespace:
  30365. description: |-
  30366. The namespace of the Secret resource being referred to.
  30367. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30368. maxLength: 63
  30369. minLength: 1
  30370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30371. type: string
  30372. type: object
  30373. required:
  30374. - passwordSecret
  30375. - usernameSecret
  30376. type: object
  30377. type: object
  30378. body:
  30379. description: Body
  30380. type: string
  30381. caBundle:
  30382. description: |-
  30383. PEM encoded CA bundle used to validate webhook server certificate. Only used
  30384. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30385. plain HTTP protocol connection. If not set the system root certificates
  30386. are used to validate the TLS connection.
  30387. format: byte
  30388. type: string
  30389. caProvider:
  30390. description: The provider for the CA bundle to use to validate webhook server certificate.
  30391. properties:
  30392. key:
  30393. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30394. maxLength: 253
  30395. minLength: 1
  30396. pattern: ^[-._a-zA-Z0-9]+$
  30397. type: string
  30398. name:
  30399. description: The name of the object located at the provider type.
  30400. maxLength: 253
  30401. minLength: 1
  30402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30403. type: string
  30404. namespace:
  30405. description: The namespace the Provider type is in.
  30406. maxLength: 63
  30407. minLength: 1
  30408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30409. type: string
  30410. type:
  30411. description: The type of provider to use such as "Secret", or "ConfigMap".
  30412. enum:
  30413. - Secret
  30414. - ConfigMap
  30415. type: string
  30416. required:
  30417. - name
  30418. - type
  30419. type: object
  30420. headers:
  30421. additionalProperties:
  30422. type: string
  30423. description: Headers
  30424. type: object
  30425. method:
  30426. description: Webhook Method
  30427. type: string
  30428. result:
  30429. description: Result formatting
  30430. properties:
  30431. jsonPath:
  30432. description: Json path of return value
  30433. type: string
  30434. type: object
  30435. secrets:
  30436. description: |-
  30437. Secrets to fill in templates
  30438. These secrets will be passed to the templating function as key value pairs under the given name
  30439. items:
  30440. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  30441. properties:
  30442. name:
  30443. description: Name of this secret in templates
  30444. type: string
  30445. secretRef:
  30446. description: Secret ref to fill in credentials
  30447. properties:
  30448. key:
  30449. description: The key where the token is found.
  30450. maxLength: 253
  30451. minLength: 1
  30452. pattern: ^[-._a-zA-Z0-9]+$
  30453. type: string
  30454. name:
  30455. description: The name of the Secret resource being referred to.
  30456. maxLength: 253
  30457. minLength: 1
  30458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30459. type: string
  30460. type: object
  30461. required:
  30462. - name
  30463. - secretRef
  30464. type: object
  30465. type: array
  30466. timeout:
  30467. description: Timeout
  30468. type: string
  30469. url:
  30470. description: Webhook url to call
  30471. type: string
  30472. required:
  30473. - result
  30474. - url
  30475. type: object
  30476. type: object
  30477. served: true
  30478. storage: true
  30479. subresources:
  30480. status: {}