bundle.yaml 1.3 MB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646764776487649765076517652765376547655765676577658765976607661766276637664766576667667766876697670767176727673767476757676767776787679768076817682768376847685768676877688768976907691769276937694769576967697769876997700770177027703770477057706770777087709771077117712771377147715771677177718771977207721772277237724772577267727772877297730773177327733773477357736773777387739774077417742774377447745774677477748774977507751775277537754775577567757775877597760776177627763776477657766776777687769777077717772777377747775777677777778777977807781778277837784778577867787778877897790779177927793779477957796779777987799780078017802780378047805780678077808780978107811781278137814781578167817781878197820782178227823782478257826782778287829783078317832783378347835783678377838783978407841784278437844784578467847784878497850785178527853785478557856785778587859786078617862786378647865786678677868786978707871787278737874787578767877787878797880788178827883788478857886788778887889789078917892789378947895789678977898789979007901790279037904790579067907790879097910791179127913791479157916791779187919792079217922792379247925792679277928792979307931793279337934793579367937793879397940794179427943794479457946794779487949795079517952795379547955795679577958795979607961796279637964796579667967796879697970797179727973797479757976797779787979798079817982798379847985798679877988798979907991799279937994799579967997799879998000800180028003800480058006800780088009801080118012801380148015801680178018801980208021802280238024802580268027802880298030803180328033803480358036803780388039804080418042804380448045804680478048804980508051805280538054805580568057805880598060806180628063806480658066806780688069807080718072807380748075807680778078807980808081808280838084808580868087808880898090809180928093809480958096809780988099810081018102810381048105810681078108810981108111811281138114811581168117811881198120812181228123812481258126812781288129813081318132813381348135813681378138813981408141814281438144814581468147814881498150815181528153815481558156815781588159816081618162816381648165816681678168816981708171817281738174817581768177817881798180818181828183818481858186818781888189819081918192819381948195819681978198819982008201820282038204820582068207820882098210821182128213821482158216821782188219822082218222822382248225822682278228822982308231823282338234823582368237823882398240824182428243824482458246824782488249825082518252825382548255825682578258825982608261826282638264826582668267826882698270827182728273827482758276827782788279828082818282828382848285828682878288828982908291829282938294829582968297829882998300830183028303830483058306830783088309831083118312831383148315831683178318831983208321832283238324832583268327832883298330833183328333833483358336833783388339834083418342834383448345834683478348834983508351835283538354835583568357835883598360836183628363836483658366836783688369837083718372837383748375837683778378837983808381838283838384838583868387838883898390839183928393839483958396839783988399840084018402840384048405840684078408840984108411841284138414841584168417841884198420842184228423842484258426842784288429843084318432843384348435843684378438843984408441844284438444844584468447844884498450845184528453845484558456845784588459846084618462846384648465846684678468846984708471847284738474847584768477847884798480848184828483848484858486848784888489849084918492849384948495849684978498849985008501850285038504850585068507850885098510851185128513851485158516851785188519852085218522852385248525852685278528852985308531853285338534853585368537853885398540854185428543854485458546854785488549855085518552855385548555855685578558855985608561856285638564856585668567856885698570857185728573857485758576857785788579858085818582858385848585858685878588858985908591859285938594859585968597859885998600860186028603860486058606860786088609861086118612861386148615861686178618861986208621862286238624862586268627862886298630863186328633863486358636863786388639864086418642864386448645864686478648864986508651865286538654865586568657865886598660866186628663866486658666866786688669867086718672867386748675867686778678867986808681868286838684868586868687868886898690869186928693869486958696869786988699870087018702870387048705870687078708870987108711871287138714871587168717871887198720872187228723872487258726872787288729873087318732873387348735873687378738873987408741874287438744874587468747874887498750875187528753875487558756875787588759876087618762876387648765876687678768876987708771877287738774877587768777877887798780878187828783878487858786878787888789879087918792879387948795879687978798879988008801880288038804880588068807880888098810881188128813881488158816881788188819882088218822882388248825882688278828882988308831883288338834883588368837883888398840884188428843884488458846884788488849885088518852885388548855885688578858885988608861886288638864886588668867886888698870887188728873887488758876887788788879888088818882888388848885888688878888888988908891889288938894889588968897889888998900890189028903890489058906890789088909891089118912891389148915891689178918891989208921892289238924892589268927892889298930893189328933893489358936893789388939894089418942894389448945894689478948894989508951895289538954895589568957895889598960896189628963896489658966896789688969897089718972897389748975897689778978897989808981898289838984898589868987898889898990899189928993899489958996899789988999900090019002900390049005900690079008900990109011901290139014901590169017901890199020902190229023902490259026902790289029903090319032903390349035903690379038903990409041904290439044904590469047904890499050905190529053905490559056905790589059906090619062906390649065906690679068906990709071907290739074907590769077907890799080908190829083908490859086908790889089909090919092909390949095909690979098909991009101910291039104910591069107910891099110911191129113911491159116911791189119912091219122912391249125912691279128912991309131913291339134913591369137913891399140914191429143914491459146914791489149915091519152915391549155915691579158915991609161916291639164916591669167916891699170917191729173917491759176917791789179918091819182918391849185918691879188918991909191919291939194919591969197919891999200920192029203920492059206920792089209921092119212921392149215921692179218921992209221922292239224922592269227922892299230923192329233923492359236923792389239924092419242924392449245924692479248924992509251925292539254925592569257925892599260926192629263926492659266926792689269927092719272927392749275927692779278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977797789779978097819782978397849785978697879788978997909791979297939794979597969797979897999800980198029803980498059806980798089809981098119812981398149815981698179818981998209821982298239824982598269827982898299830983198329833983498359836983798389839984098419842984398449845984698479848984998509851985298539854985598569857985898599860986198629863986498659866986798689869987098719872987398749875987698779878987998809881988298839884988598869887988898899890989198929893989498959896989798989899990099019902990399049905990699079908990999109911991299139914991599169917991899199920992199229923992499259926992799289929993099319932993399349935993699379938993999409941994299439944994599469947994899499950995199529953995499559956995799589959996099619962996399649965996699679968996999709971997299739974997599769977997899799980998199829983998499859986998799889989999099919992999399949995999699979998999910000100011000210003100041000510006100071000810009100101001110012100131001410015100161001710018100191002010021100221002310024100251002610027100281002910030100311003210033100341003510036100371003810039100401004110042100431004410045100461004710048100491005010051100521005310054100551005610057100581005910060100611006210063100641006510066100671006810069100701007110072100731007410075100761007710078100791008010081100821008310084100851008610087100881008910090100911009210093100941009510096100971009810099101001010110102101031010410105101061010710108101091011010111101121011310114101151011610117101181011910120101211012210123101241012510126101271012810129101301013110132101331013410135101361013710138101391014010141101421014310144101451014610147101481014910150101511015210153101541015510156101571015810159101601016110162101631016410165101661016710168101691017010171101721017310174101751017610177101781017910180101811018210183101841018510186101871018810189101901019110192101931019410195101961019710198101991020010201102021020310204102051020610207102081020910210102111021210213102141021510216102171021810219102201022110222102231022410225102261022710228102291023010231102321023310234102351023610237102381023910240102411024210243102441024510246102471024810249102501025110252102531025410255102561025710258102591026010261102621026310264102651026610267102681026910270102711027210273102741027510276102771027810279102801028110282102831028410285102861028710288102891029010291102921029310294102951029610297102981029910300103011030210303103041030510306103071030810309103101031110312103131031410315103161031710318103191032010321103221032310324103251032610327103281032910330103311033210333103341033510336103371033810339103401034110342103431034410345103461034710348103491035010351103521035310354103551035610357103581035910360103611036210363103641036510366103671036810369103701037110372103731037410375103761037710378103791038010381103821038310384103851038610387103881038910390103911039210393103941039510396103971039810399104001040110402104031040410405104061040710408104091041010411104121041310414104151041610417104181041910420104211042210423104241042510426104271042810429104301043110432104331043410435104361043710438104391044010441104421044310444104451044610447104481044910450104511045210453104541045510456104571045810459104601046110462104631046410465104661046710468104691047010471104721047310474104751047610477104781047910480104811048210483104841048510486104871048810489104901049110492104931049410495104961049710498104991050010501105021050310504105051050610507105081050910510105111051210513105141051510516105171051810519105201052110522105231052410525105261052710528105291053010531105321053310534105351053610537105381053910540105411054210543105441054510546105471054810549105501055110552105531055410555105561055710558105591056010561105621056310564105651056610567105681056910570105711057210573105741057510576105771057810579105801058110582105831058410585105861058710588105891059010591105921059310594105951059610597105981059910600106011060210603106041060510606106071060810609106101061110612106131061410615106161061710618106191062010621106221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211102211023110241102511026110271102811029110301103111032110331103411035110361103711038110391104011041110421104311044110451104611047110481104911050110511105211053110541105511056110571105811059110601106111062110631106411065110661106711068110691107011071110721107311074110751107611077110781107911080110811108211083110841108511086110871108811089110901109111092110931109411095110961109711098110991110011101111021110311104111051110611107111081110911110111111111211113111141111511116111171111811119111201112111122111231112411125111261112711128111291113011131111321113311134111351113611137111381113911140111411114211143111441114511146111471114811149111501115111152111531115411155111561115711158111591116011161111621116311164111651116611167111681116911170111711117211173111741117511176111771117811179111801118111182111831118411185111861118711188111891119011191111921119311194111951119611197111981119911200112011120211203112041120511206112071120811209112101121111212112131121411215112161121711218112191122011221112221122311224112251122611227112281122911230112311123211233112341123511236112371123811239112401124111242112431124411245112461124711248112491125011251112521125311254112551125611257112581125911260112611126211263112641126511266112671126811269112701127111272112731127411275112761127711278112791128011281112821128311284112851128611287112881128911290112911129211293112941129511296112971129811299113001130111302113031130411305113061130711308113091131011311113121131311314113151131611317113181131911320113211132211323113241132511326113271132811329113301133111332113331133411335113361133711338113391134011341113421134311344113451134611347113481134911350113511135211353113541135511356113571135811359113601136111362113631136411365113661136711368113691137011371113721137311374113751137611377113781137911380113811138211383113841138511386113871138811389113901139111392113931139411395113961139711398113991140011401114021140311404114051140611407114081140911410114111141211413114141141511416114171141811419114201142111422114231142411425114261142711428114291143011431114321143311434114351143611437114381143911440114411144211443114441144511446114471144811449114501145111452114531145411455114561145711458114591146011461114621146311464114651146611467114681146911470114711147211473114741147511476114771147811479114801148111482114831148411485114861148711488114891149011491114921149311494114951149611497114981149911500115011150211503115041150511506115071150811509115101151111512115131151411515115161151711518115191152011521115221152311524115251152611527115281152911530115311153211533115341153511536115371153811539115401154111542115431154411545115461154711548115491155011551115521155311554115551155611557115581155911560115611156211563115641156511566115671156811569115701157111572115731157411575115761157711578115791158011581115821158311584115851158611587115881158911590115911159211593115941159511596115971159811599116001160111602116031160411605116061160711608116091161011611116121161311614116151161611617116181161911620116211162211623116241162511626116271162811629116301163111632116331163411635116361163711638116391164011641116421164311644116451164611647116481164911650116511165211653116541165511656116571165811659116601166111662116631166411665116661166711668116691167011671116721167311674116751167611677116781167911680116811168211683116841168511686116871168811689116901169111692116931169411695116961169711698116991170011701117021170311704117051170611707117081170911710117111171211713117141171511716117171171811719117201172111722117231172411725117261172711728117291173011731117321173311734117351173611737117381173911740117411174211743117441174511746117471174811749117501175111752117531175411755117561175711758117591176011761117621176311764117651176611767117681176911770117711177211773117741177511776117771177811779117801178111782117831178411785117861178711788117891179011791117921179311794117951179611797117981179911800118011180211803118041180511806118071180811809118101181111812118131181411815118161181711818118191182011821118221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211222212223122241222512226122271222812229122301223112232122331223412235122361223712238122391224012241122421224312244122451224612247122481224912250122511225212253122541225512256122571225812259122601226112262122631226412265122661226712268122691227012271122721227312274122751227612277122781227912280122811228212283122841228512286122871228812289122901229112292122931229412295122961229712298122991230012301123021230312304123051230612307123081230912310123111231212313123141231512316123171231812319123201232112322123231232412325123261232712328123291233012331123321233312334123351233612337123381233912340123411234212343123441234512346123471234812349123501235112352123531235412355123561235712358123591236012361123621236312364123651236612367123681236912370123711237212373123741237512376123771237812379123801238112382123831238412385123861238712388123891239012391123921239312394123951239612397123981239912400124011240212403124041240512406124071240812409124101241112412124131241412415124161241712418124191242012421124221242312424124251242612427124281242912430124311243212433124341243512436124371243812439124401244112442124431244412445124461244712448124491245012451124521245312454124551245612457124581245912460124611246212463124641246512466124671246812469124701247112472124731247412475124761247712478124791248012481124821248312484124851248612487124881248912490124911249212493124941249512496124971249812499125001250112502125031250412505125061250712508125091251012511125121251312514125151251612517125181251912520125211252212523125241252512526125271252812529125301253112532125331253412535125361253712538125391254012541125421254312544125451254612547125481254912550125511255212553125541255512556125571255812559125601256112562125631256412565125661256712568125691257012571125721257312574125751257612577125781257912580125811258212583125841258512586125871258812589125901259112592125931259412595125961259712598125991260012601126021260312604126051260612607126081260912610126111261212613126141261512616126171261812619126201262112622126231262412625126261262712628126291263012631126321263312634126351263612637126381263912640126411264212643126441264512646126471264812649126501265112652126531265412655126561265712658126591266012661126621266312664126651266612667126681266912670126711267212673126741267512676126771267812679126801268112682126831268412685126861268712688126891269012691126921269312694126951269612697126981269912700127011270212703127041270512706127071270812709127101271112712127131271412715127161271712718127191272012721127221272312724127251272612727127281272912730127311273212733127341273512736127371273812739127401274112742127431274412745127461274712748127491275012751127521275312754127551275612757127581275912760127611276212763127641276512766127671276812769127701277112772127731277412775127761277712778127791278012781127821278312784127851278612787127881278912790127911279212793127941279512796127971279812799128001280112802128031280412805128061280712808128091281012811128121281312814128151281612817128181281912820128211282212823128241282512826128271282812829128301283112832128331283412835128361283712838128391284012841128421284312844128451284612847128481284912850128511285212853128541285512856128571285812859128601286112862128631286412865128661286712868128691287012871128721287312874128751287612877128781287912880128811288212883128841288512886128871288812889128901289112892128931289412895128961289712898128991290012901129021290312904129051290612907129081290912910129111291212913129141291512916129171291812919129201292112922129231292412925129261292712928129291293012931129321293312934129351293612937129381293912940129411294212943129441294512946129471294812949129501295112952129531295412955129561295712958129591296012961129621296312964129651296612967129681296912970129711297212973129741297512976129771297812979129801298112982129831298412985129861298712988129891299012991129921299312994129951299612997129981299913000130011300213003130041300513006130071300813009130101301113012130131301413015130161301713018130191302013021130221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211342213423134241342513426134271342813429134301343113432134331343413435134361343713438134391344013441134421344313444134451344613447134481344913450134511345213453134541345513456134571345813459134601346113462134631346413465134661346713468134691347013471134721347313474134751347613477134781347913480134811348213483134841348513486134871348813489134901349113492134931349413495134961349713498134991350013501135021350313504135051350613507135081350913510135111351213513135141351513516135171351813519135201352113522135231352413525135261352713528135291353013531135321353313534135351353613537135381353913540135411354213543135441354513546135471354813549135501355113552135531355413555135561355713558135591356013561135621356313564135651356613567135681356913570135711357213573135741357513576135771357813579135801358113582135831358413585135861358713588135891359013591135921359313594135951359613597135981359913600136011360213603136041360513606136071360813609136101361113612136131361413615136161361713618136191362013621136221362313624136251362613627136281362913630136311363213633136341363513636136371363813639136401364113642136431364413645136461364713648136491365013651136521365313654136551365613657136581365913660136611366213663136641366513666136671366813669136701367113672136731367413675136761367713678136791368013681136821368313684136851368613687136881368913690136911369213693136941369513696136971369813699137001370113702137031370413705137061370713708137091371013711137121371313714137151371613717137181371913720137211372213723137241372513726137271372813729137301373113732137331373413735137361373713738137391374013741137421374313744137451374613747137481374913750137511375213753137541375513756137571375813759137601376113762137631376413765137661376713768137691377013771137721377313774137751377613777137781377913780137811378213783137841378513786137871378813789137901379113792137931379413795137961379713798137991380013801138021380313804138051380613807138081380913810138111381213813138141381513816138171381813819138201382113822138231382413825138261382713828138291383013831138321383313834138351383613837138381383913840138411384213843138441384513846138471384813849138501385113852138531385413855138561385713858138591386013861138621386313864138651386613867138681386913870138711387213873138741387513876138771387813879138801388113882138831388413885138861388713888138891389013891138921389313894138951389613897138981389913900139011390213903139041390513906139071390813909139101391113912139131391413915139161391713918139191392013921139221392313924139251392613927139281392913930139311393213933139341393513936139371393813939139401394113942139431394413945139461394713948139491395013951139521395313954139551395613957139581395913960139611396213963139641396513966139671396813969139701397113972139731397413975139761397713978139791398013981139821398313984139851398613987139881398913990139911399213993139941399513996139971399813999140001400114002140031400414005140061400714008140091401014011140121401314014140151401614017140181401914020140211402214023140241402514026140271402814029140301403114032140331403414035140361403714038140391404014041140421404314044140451404614047140481404914050140511405214053140541405514056140571405814059140601406114062140631406414065140661406714068140691407014071140721407314074140751407614077140781407914080140811408214083140841408514086140871408814089140901409114092140931409414095140961409714098140991410014101141021410314104141051410614107141081410914110141111411214113141141411514116141171411814119141201412114122141231412414125141261412714128141291413014131141321413314134141351413614137141381413914140141411414214143141441414514146141471414814149141501415114152141531415414155141561415714158141591416014161141621416314164141651416614167141681416914170141711417214173141741417514176141771417814179141801418114182141831418414185141861418714188141891419014191141921419314194141951419614197141981419914200142011420214203142041420514206142071420814209142101421114212142131421414215142161421714218142191422014221142221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211462214623146241462514626146271462814629146301463114632146331463414635146361463714638146391464014641146421464314644146451464614647146481464914650146511465214653146541465514656146571465814659146601466114662146631466414665146661466714668146691467014671146721467314674146751467614677146781467914680146811468214683146841468514686146871468814689146901469114692146931469414695146961469714698146991470014701147021470314704147051470614707147081470914710147111471214713147141471514716147171471814719147201472114722147231472414725147261472714728147291473014731147321473314734147351473614737147381473914740147411474214743147441474514746147471474814749147501475114752147531475414755147561475714758147591476014761147621476314764147651476614767147681476914770147711477214773147741477514776147771477814779147801478114782147831478414785147861478714788147891479014791147921479314794147951479614797147981479914800148011480214803148041480514806148071480814809148101481114812148131481414815148161481714818148191482014821148221482314824148251482614827148281482914830148311483214833148341483514836148371483814839148401484114842148431484414845148461484714848148491485014851148521485314854148551485614857148581485914860148611486214863148641486514866148671486814869148701487114872148731487414875148761487714878148791488014881148821488314884148851488614887148881488914890148911489214893148941489514896148971489814899149001490114902149031490414905149061490714908149091491014911149121491314914149151491614917149181491914920149211492214923149241492514926149271492814929149301493114932149331493414935149361493714938149391494014941149421494314944149451494614947149481494914950149511495214953149541495514956149571495814959149601496114962149631496414965149661496714968149691497014971149721497314974149751497614977149781497914980149811498214983149841498514986149871498814989149901499114992149931499414995149961499714998149991500015001150021500315004150051500615007150081500915010150111501215013150141501515016150171501815019150201502115022150231502415025150261502715028150291503015031150321503315034150351503615037150381503915040150411504215043150441504515046150471504815049150501505115052150531505415055150561505715058150591506015061150621506315064150651506615067150681506915070150711507215073150741507515076150771507815079150801508115082150831508415085150861508715088150891509015091150921509315094150951509615097150981509915100151011510215103151041510515106151071510815109151101511115112151131511415115151161511715118151191512015121151221512315124151251512615127151281512915130151311513215133151341513515136151371513815139151401514115142151431514415145151461514715148151491515015151151521515315154151551515615157151581515915160151611516215163151641516515166151671516815169151701517115172151731517415175151761517715178151791518015181151821518315184151851518615187151881518915190151911519215193151941519515196151971519815199152001520115202152031520415205152061520715208152091521015211152121521315214152151521615217152181521915220152211522215223152241522515226152271522815229152301523115232152331523415235152361523715238152391524015241152421524315244152451524615247152481524915250152511525215253152541525515256152571525815259152601526115262152631526415265152661526715268152691527015271152721527315274152751527615277152781527915280152811528215283152841528515286152871528815289152901529115292152931529415295152961529715298152991530015301153021530315304153051530615307153081530915310153111531215313153141531515316153171531815319153201532115322153231532415325153261532715328153291533015331153321533315334153351533615337153381533915340153411534215343153441534515346153471534815349153501535115352153531535415355153561535715358153591536015361153621536315364153651536615367153681536915370153711537215373153741537515376153771537815379153801538115382153831538415385153861538715388153891539015391153921539315394153951539615397153981539915400154011540215403154041540515406154071540815409154101541115412154131541415415154161541715418154191542015421154221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211582215823158241582515826158271582815829158301583115832158331583415835158361583715838158391584015841158421584315844158451584615847158481584915850158511585215853158541585515856158571585815859158601586115862158631586415865158661586715868158691587015871158721587315874158751587615877158781587915880158811588215883158841588515886158871588815889158901589115892158931589415895158961589715898158991590015901159021590315904159051590615907159081590915910159111591215913159141591515916159171591815919159201592115922159231592415925159261592715928159291593015931159321593315934159351593615937159381593915940159411594215943159441594515946159471594815949159501595115952159531595415955159561595715958159591596015961159621596315964159651596615967159681596915970159711597215973159741597515976159771597815979159801598115982159831598415985159861598715988159891599015991159921599315994159951599615997159981599916000160011600216003160041600516006160071600816009160101601116012160131601416015160161601716018160191602016021160221602316024160251602616027160281602916030160311603216033160341603516036160371603816039160401604116042160431604416045160461604716048160491605016051160521605316054160551605616057160581605916060160611606216063160641606516066160671606816069160701607116072160731607416075160761607716078160791608016081160821608316084160851608616087160881608916090160911609216093160941609516096160971609816099161001610116102161031610416105161061610716108161091611016111161121611316114161151611616117161181611916120161211612216123161241612516126161271612816129161301613116132161331613416135161361613716138161391614016141161421614316144161451614616147161481614916150161511615216153161541615516156161571615816159161601616116162161631616416165161661616716168161691617016171161721617316174161751617616177161781617916180161811618216183161841618516186161871618816189161901619116192161931619416195161961619716198161991620016201162021620316204162051620616207162081620916210162111621216213162141621516216162171621816219162201622116222162231622416225162261622716228162291623016231162321623316234162351623616237162381623916240162411624216243162441624516246162471624816249162501625116252162531625416255162561625716258162591626016261162621626316264162651626616267162681626916270162711627216273162741627516276162771627816279162801628116282162831628416285162861628716288162891629016291162921629316294162951629616297162981629916300163011630216303163041630516306163071630816309163101631116312163131631416315163161631716318163191632016321163221632316324163251632616327163281632916330163311633216333163341633516336163371633816339163401634116342163431634416345163461634716348163491635016351163521635316354163551635616357163581635916360163611636216363163641636516366163671636816369163701637116372163731637416375163761637716378163791638016381163821638316384163851638616387163881638916390163911639216393163941639516396163971639816399164001640116402164031640416405164061640716408164091641016411164121641316414164151641616417164181641916420164211642216423164241642516426164271642816429164301643116432164331643416435164361643716438164391644016441164421644316444164451644616447164481644916450164511645216453164541645516456164571645816459164601646116462164631646416465164661646716468164691647016471164721647316474164751647616477164781647916480164811648216483164841648516486164871648816489164901649116492164931649416495164961649716498164991650016501165021650316504165051650616507165081650916510165111651216513165141651516516165171651816519165201652116522165231652416525165261652716528165291653016531165321653316534165351653616537165381653916540165411654216543165441654516546165471654816549165501655116552165531655416555165561655716558165591656016561165621656316564165651656616567165681656916570165711657216573165741657516576165771657816579165801658116582165831658416585165861658716588165891659016591165921659316594165951659616597165981659916600166011660216603166041660516606166071660816609166101661116612166131661416615166161661716618166191662016621166221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211702217023170241702517026170271702817029170301703117032170331703417035170361703717038170391704017041170421704317044170451704617047170481704917050170511705217053170541705517056170571705817059170601706117062170631706417065170661706717068170691707017071170721707317074170751707617077170781707917080170811708217083170841708517086170871708817089170901709117092170931709417095170961709717098170991710017101171021710317104171051710617107171081710917110171111711217113171141711517116171171711817119171201712117122171231712417125171261712717128171291713017131171321713317134171351713617137171381713917140171411714217143171441714517146171471714817149171501715117152171531715417155171561715717158171591716017161171621716317164171651716617167171681716917170171711717217173171741717517176171771717817179171801718117182171831718417185171861718717188171891719017191171921719317194171951719617197171981719917200172011720217203172041720517206172071720817209172101721117212172131721417215172161721717218172191722017221172221722317224172251722617227172281722917230172311723217233172341723517236172371723817239172401724117242172431724417245172461724717248172491725017251172521725317254172551725617257172581725917260172611726217263172641726517266172671726817269172701727117272172731727417275172761727717278172791728017281172821728317284172851728617287172881728917290172911729217293172941729517296172971729817299173001730117302173031730417305173061730717308173091731017311173121731317314173151731617317173181731917320173211732217323173241732517326173271732817329173301733117332173331733417335173361733717338173391734017341173421734317344173451734617347173481734917350173511735217353173541735517356173571735817359173601736117362173631736417365173661736717368173691737017371173721737317374173751737617377173781737917380173811738217383173841738517386173871738817389173901739117392173931739417395173961739717398173991740017401174021740317404174051740617407174081740917410174111741217413174141741517416174171741817419174201742117422174231742417425174261742717428174291743017431174321743317434174351743617437174381743917440174411744217443174441744517446174471744817449174501745117452174531745417455174561745717458174591746017461174621746317464174651746617467174681746917470174711747217473174741747517476174771747817479174801748117482174831748417485174861748717488174891749017491174921749317494174951749617497174981749917500175011750217503175041750517506175071750817509175101751117512175131751417515175161751717518175191752017521175221752317524175251752617527175281752917530175311753217533175341753517536175371753817539175401754117542175431754417545175461754717548175491755017551175521755317554175551755617557175581755917560175611756217563175641756517566175671756817569175701757117572175731757417575175761757717578175791758017581175821758317584175851758617587175881758917590175911759217593175941759517596175971759817599176001760117602176031760417605176061760717608176091761017611176121761317614176151761617617176181761917620176211762217623176241762517626176271762817629176301763117632176331763417635176361763717638176391764017641176421764317644176451764617647176481764917650176511765217653176541765517656176571765817659176601766117662176631766417665176661766717668176691767017671176721767317674176751767617677176781767917680176811768217683176841768517686176871768817689176901769117692176931769417695176961769717698176991770017701177021770317704177051770617707177081770917710177111771217713177141771517716177171771817719177201772117722177231772417725177261772717728177291773017731177321773317734177351773617737177381773917740177411774217743177441774517746177471774817749177501775117752177531775417755177561775717758177591776017761177621776317764177651776617767177681776917770177711777217773177741777517776177771777817779177801778117782177831778417785177861778717788177891779017791177921779317794177951779617797177981779917800178011780217803178041780517806178071780817809178101781117812178131781417815178161781717818178191782017821178221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211822218223182241822518226182271822818229182301823118232182331823418235182361823718238182391824018241182421824318244182451824618247182481824918250182511825218253182541825518256182571825818259182601826118262182631826418265182661826718268182691827018271182721827318274182751827618277182781827918280182811828218283182841828518286182871828818289182901829118292182931829418295182961829718298182991830018301183021830318304183051830618307183081830918310183111831218313183141831518316183171831818319183201832118322183231832418325183261832718328183291833018331183321833318334183351833618337183381833918340183411834218343183441834518346183471834818349183501835118352183531835418355183561835718358183591836018361183621836318364183651836618367183681836918370183711837218373183741837518376183771837818379183801838118382183831838418385183861838718388183891839018391183921839318394183951839618397183981839918400184011840218403184041840518406184071840818409184101841118412184131841418415184161841718418184191842018421184221842318424184251842618427184281842918430184311843218433184341843518436184371843818439184401844118442184431844418445184461844718448184491845018451184521845318454184551845618457184581845918460184611846218463184641846518466184671846818469184701847118472184731847418475184761847718478184791848018481184821848318484184851848618487184881848918490184911849218493184941849518496184971849818499185001850118502185031850418505185061850718508185091851018511185121851318514185151851618517185181851918520185211852218523185241852518526185271852818529185301853118532185331853418535185361853718538185391854018541185421854318544185451854618547185481854918550185511855218553185541855518556185571855818559185601856118562185631856418565185661856718568185691857018571185721857318574185751857618577185781857918580185811858218583185841858518586185871858818589185901859118592185931859418595185961859718598185991860018601186021860318604186051860618607186081860918610186111861218613186141861518616186171861818619186201862118622186231862418625186261862718628186291863018631186321863318634186351863618637186381863918640186411864218643186441864518646186471864818649186501865118652186531865418655186561865718658186591866018661186621866318664186651866618667186681866918670186711867218673186741867518676186771867818679186801868118682186831868418685186861868718688186891869018691186921869318694186951869618697186981869918700187011870218703187041870518706187071870818709187101871118712187131871418715187161871718718187191872018721187221872318724187251872618727187281872918730187311873218733187341873518736187371873818739187401874118742187431874418745187461874718748187491875018751187521875318754187551875618757187581875918760187611876218763187641876518766187671876818769187701877118772187731877418775187761877718778187791878018781187821878318784187851878618787187881878918790187911879218793187941879518796187971879818799188001880118802188031880418805188061880718808188091881018811188121881318814188151881618817188181881918820188211882218823188241882518826188271882818829188301883118832188331883418835188361883718838188391884018841188421884318844188451884618847188481884918850188511885218853188541885518856188571885818859188601886118862188631886418865188661886718868188691887018871188721887318874188751887618877188781887918880188811888218883188841888518886188871888818889188901889118892188931889418895188961889718898188991890018901189021890318904189051890618907189081890918910189111891218913189141891518916189171891818919189201892118922189231892418925189261892718928189291893018931189321893318934189351893618937189381893918940189411894218943189441894518946189471894818949189501895118952189531895418955189561895718958189591896018961189621896318964189651896618967189681896918970189711897218973189741897518976189771897818979189801898118982189831898418985189861898718988189891899018991189921899318994189951899618997189981899919000190011900219003190041900519006190071900819009190101901119012190131901419015190161901719018190191902019021190221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211942219423194241942519426194271942819429194301943119432194331943419435194361943719438194391944019441194421944319444194451944619447194481944919450194511945219453194541945519456194571945819459194601946119462194631946419465194661946719468194691947019471194721947319474194751947619477194781947919480194811948219483194841948519486194871948819489194901949119492194931949419495194961949719498194991950019501195021950319504195051950619507195081950919510195111951219513195141951519516195171951819519195201952119522195231952419525195261952719528195291953019531195321953319534195351953619537195381953919540195411954219543195441954519546195471954819549195501955119552195531955419555195561955719558195591956019561195621956319564195651956619567195681956919570195711957219573195741957519576195771957819579195801958119582195831958419585195861958719588195891959019591195921959319594195951959619597195981959919600196011960219603196041960519606196071960819609196101961119612196131961419615196161961719618196191962019621196221962319624196251962619627196281962919630196311963219633196341963519636196371963819639196401964119642196431964419645196461964719648196491965019651196521965319654196551965619657196581965919660196611966219663196641966519666196671966819669196701967119672196731967419675196761967719678196791968019681196821968319684196851968619687196881968919690196911969219693196941969519696196971969819699197001970119702197031970419705197061970719708197091971019711197121971319714197151971619717197181971919720197211972219723197241972519726197271972819729197301973119732197331973419735197361973719738197391974019741197421974319744197451974619747197481974919750197511975219753197541975519756197571975819759197601976119762197631976419765197661976719768197691977019771197721977319774197751977619777197781977919780197811978219783197841978519786197871978819789197901979119792197931979419795197961979719798197991980019801198021980319804198051980619807198081980919810198111981219813198141981519816198171981819819198201982119822198231982419825198261982719828198291983019831198321983319834198351983619837198381983919840198411984219843198441984519846198471984819849198501985119852198531985419855198561985719858198591986019861198621986319864198651986619867198681986919870198711987219873198741987519876198771987819879198801988119882198831988419885198861988719888198891989019891198921989319894198951989619897198981989919900199011990219903199041990519906199071990819909199101991119912199131991419915199161991719918199191992019921199221992319924199251992619927199281992919930199311993219933199341993519936199371993819939199401994119942199431994419945199461994719948199491995019951199521995319954199551995619957199581995919960199611996219963199641996519966199671996819969199701997119972199731997419975199761997719978199791998019981199821998319984199851998619987199881998919990199911999219993199941999519996199971999819999200002000120002200032000420005200062000720008200092001020011200122001320014200152001620017200182001920020200212002220023200242002520026200272002820029200302003120032200332003420035200362003720038200392004020041200422004320044200452004620047200482004920050200512005220053200542005520056200572005820059200602006120062200632006420065200662006720068200692007020071200722007320074200752007620077200782007920080200812008220083200842008520086200872008820089200902009120092200932009420095200962009720098200992010020101201022010320104201052010620107201082010920110201112011220113201142011520116201172011820119201202012120122201232012420125201262012720128201292013020131201322013320134201352013620137201382013920140201412014220143201442014520146201472014820149201502015120152201532015420155201562015720158201592016020161201622016320164201652016620167201682016920170201712017220173201742017520176201772017820179201802018120182201832018420185201862018720188201892019020191201922019320194201952019620197201982019920200202012020220203202042020520206202072020820209202102021120212202132021420215202162021720218202192022020221202222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212062220623206242062520626206272062820629206302063120632206332063420635206362063720638206392064020641206422064320644206452064620647206482064920650206512065220653206542065520656206572065820659206602066120662206632066420665206662066720668206692067020671206722067320674206752067620677206782067920680206812068220683206842068520686206872068820689206902069120692206932069420695206962069720698206992070020701207022070320704207052070620707207082070920710207112071220713207142071520716207172071820719207202072120722207232072420725207262072720728207292073020731207322073320734207352073620737207382073920740207412074220743207442074520746207472074820749207502075120752207532075420755207562075720758207592076020761207622076320764207652076620767207682076920770207712077220773207742077520776207772077820779207802078120782207832078420785207862078720788207892079020791207922079320794207952079620797207982079920800208012080220803208042080520806208072080820809208102081120812208132081420815208162081720818208192082020821208222082320824208252082620827208282082920830208312083220833208342083520836208372083820839208402084120842208432084420845208462084720848208492085020851208522085320854208552085620857208582085920860208612086220863208642086520866208672086820869208702087120872208732087420875208762087720878208792088020881208822088320884208852088620887208882088920890208912089220893208942089520896208972089820899209002090120902209032090420905209062090720908209092091020911209122091320914209152091620917209182091920920209212092220923209242092520926209272092820929209302093120932209332093420935209362093720938209392094020941209422094320944209452094620947209482094920950209512095220953209542095520956209572095820959209602096120962209632096420965209662096720968209692097020971209722097320974209752097620977209782097920980209812098220983209842098520986209872098820989209902099120992209932099420995209962099720998209992100021001210022100321004210052100621007210082100921010210112101221013210142101521016210172101821019210202102121022210232102421025210262102721028210292103021031210322103321034210352103621037210382103921040210412104221043210442104521046210472104821049210502105121052210532105421055210562105721058210592106021061210622106321064210652106621067210682106921070210712107221073210742107521076210772107821079210802108121082210832108421085210862108721088210892109021091210922109321094210952109621097210982109921100211012110221103211042110521106211072110821109211102111121112211132111421115211162111721118211192112021121211222112321124211252112621127211282112921130211312113221133211342113521136211372113821139211402114121142211432114421145211462114721148211492115021151211522115321154211552115621157211582115921160211612116221163211642116521166211672116821169211702117121172211732117421175211762117721178211792118021181211822118321184211852118621187211882118921190211912119221193211942119521196211972119821199212002120121202212032120421205212062120721208212092121021211212122121321214212152121621217212182121921220212212122221223212242122521226212272122821229212302123121232212332123421235212362123721238212392124021241212422124321244212452124621247212482124921250212512125221253212542125521256212572125821259212602126121262212632126421265212662126721268212692127021271212722127321274212752127621277212782127921280212812128221283212842128521286212872128821289212902129121292212932129421295212962129721298212992130021301213022130321304213052130621307213082130921310213112131221313213142131521316213172131821319213202132121322213232132421325213262132721328213292133021331213322133321334213352133621337213382133921340213412134221343213442134521346213472134821349213502135121352213532135421355213562135721358213592136021361213622136321364213652136621367213682136921370213712137221373213742137521376213772137821379213802138121382213832138421385213862138721388213892139021391213922139321394213952139621397213982139921400214012140221403214042140521406214072140821409214102141121412214132141421415214162141721418214192142021421214222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212182221823218242182521826218272182821829218302183121832218332183421835218362183721838218392184021841218422184321844218452184621847218482184921850218512185221853218542185521856218572185821859218602186121862218632186421865218662186721868218692187021871218722187321874218752187621877218782187921880218812188221883218842188521886218872188821889218902189121892218932189421895218962189721898218992190021901219022190321904219052190621907219082190921910219112191221913219142191521916219172191821919219202192121922219232192421925219262192721928219292193021931219322193321934219352193621937219382193921940219412194221943219442194521946219472194821949219502195121952219532195421955219562195721958219592196021961219622196321964219652196621967219682196921970219712197221973219742197521976219772197821979219802198121982219832198421985219862198721988219892199021991219922199321994219952199621997219982199922000220012200222003220042200522006220072200822009220102201122012220132201422015220162201722018220192202022021220222202322024220252202622027220282202922030220312203222033220342203522036220372203822039220402204122042220432204422045220462204722048220492205022051220522205322054220552205622057220582205922060220612206222063220642206522066220672206822069220702207122072220732207422075220762207722078220792208022081220822208322084220852208622087220882208922090220912209222093220942209522096220972209822099221002210122102221032210422105221062210722108221092211022111221122211322114221152211622117221182211922120221212212222123221242212522126221272212822129221302213122132221332213422135221362213722138221392214022141221422214322144221452214622147221482214922150221512215222153221542215522156221572215822159221602216122162221632216422165221662216722168221692217022171221722217322174221752217622177221782217922180221812218222183221842218522186221872218822189221902219122192221932219422195221962219722198221992220022201222022220322204222052220622207222082220922210222112221222213222142221522216222172221822219222202222122222222232222422225222262222722228222292223022231222322223322234222352223622237222382223922240222412224222243222442224522246222472224822249222502225122252222532225422255222562225722258222592226022261222622226322264222652226622267222682226922270222712227222273222742227522276222772227822279222802228122282222832228422285222862228722288222892229022291222922229322294222952229622297222982229922300223012230222303223042230522306223072230822309223102231122312223132231422315223162231722318223192232022321223222232322324223252232622327223282232922330223312233222333223342233522336223372233822339223402234122342223432234422345223462234722348223492235022351223522235322354223552235622357223582235922360223612236222363223642236522366223672236822369223702237122372223732237422375223762237722378223792238022381223822238322384223852238622387223882238922390223912239222393223942239522396223972239822399224002240122402224032240422405224062240722408224092241022411224122241322414224152241622417224182241922420224212242222423224242242522426224272242822429224302243122432224332243422435224362243722438224392244022441224422244322444224452244622447224482244922450224512245222453224542245522456224572245822459224602246122462224632246422465224662246722468224692247022471224722247322474224752247622477224782247922480224812248222483224842248522486224872248822489224902249122492224932249422495224962249722498224992250022501225022250322504225052250622507225082250922510225112251222513225142251522516225172251822519225202252122522225232252422525225262252722528225292253022531225322253322534225352253622537225382253922540225412254222543225442254522546225472254822549225502255122552225532255422555225562255722558225592256022561225622256322564225652256622567225682256922570225712257222573225742257522576225772257822579225802258122582225832258422585225862258722588225892259022591225922259322594225952259622597225982259922600226012260222603226042260522606226072260822609226102261122612226132261422615226162261722618226192262022621226222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212302223023230242302523026230272302823029230302303123032230332303423035230362303723038230392304023041230422304323044230452304623047230482304923050230512305223053230542305523056230572305823059230602306123062230632306423065230662306723068230692307023071230722307323074230752307623077230782307923080230812308223083230842308523086230872308823089230902309123092230932309423095230962309723098230992310023101231022310323104231052310623107231082310923110231112311223113231142311523116231172311823119231202312123122231232312423125231262312723128231292313023131231322313323134231352313623137231382313923140231412314223143231442314523146231472314823149231502315123152231532315423155231562315723158231592316023161231622316323164231652316623167231682316923170231712317223173231742317523176231772317823179231802318123182231832318423185231862318723188231892319023191231922319323194231952319623197231982319923200232012320223203232042320523206232072320823209232102321123212232132321423215232162321723218232192322023221232222322323224232252322623227232282322923230232312323223233232342323523236232372323823239232402324123242232432324423245232462324723248232492325023251232522325323254232552325623257232582325923260232612326223263232642326523266232672326823269232702327123272232732327423275232762327723278232792328023281232822328323284232852328623287232882328923290232912329223293232942329523296232972329823299233002330123302233032330423305233062330723308233092331023311233122331323314233152331623317233182331923320233212332223323233242332523326233272332823329233302333123332233332333423335233362333723338233392334023341233422334323344233452334623347233482334923350233512335223353233542335523356233572335823359233602336123362233632336423365233662336723368233692337023371233722337323374233752337623377233782337923380233812338223383233842338523386233872338823389233902339123392233932339423395233962339723398233992340023401234022340323404234052340623407234082340923410234112341223413234142341523416234172341823419234202342123422234232342423425234262342723428234292343023431234322343323434234352343623437234382343923440234412344223443234442344523446234472344823449234502345123452234532345423455234562345723458234592346023461234622346323464234652346623467234682346923470234712347223473234742347523476234772347823479234802348123482234832348423485234862348723488234892349023491234922349323494234952349623497234982349923500235012350223503235042350523506235072350823509235102351123512235132351423515235162351723518235192352023521235222352323524235252352623527235282352923530235312353223533235342353523536235372353823539235402354123542235432354423545235462354723548235492355023551235522355323554235552355623557235582355923560235612356223563235642356523566235672356823569235702357123572235732357423575235762357723578235792358023581235822358323584235852358623587235882358923590235912359223593235942359523596235972359823599236002360123602236032360423605236062360723608236092361023611236122361323614236152361623617236182361923620236212362223623236242362523626236272362823629236302363123632236332363423635236362363723638236392364023641236422364323644236452364623647236482364923650236512365223653236542365523656236572365823659236602366123662236632366423665236662366723668236692367023671236722367323674236752367623677236782367923680236812368223683236842368523686236872368823689236902369123692236932369423695236962369723698236992370023701237022370323704237052370623707237082370923710237112371223713237142371523716237172371823719237202372123722237232372423725237262372723728237292373023731237322373323734237352373623737237382373923740237412374223743237442374523746237472374823749237502375123752237532375423755237562375723758237592376023761237622376323764237652376623767237682376923770237712377223773237742377523776237772377823779237802378123782237832378423785237862378723788237892379023791237922379323794237952379623797237982379923800238012380223803238042380523806238072380823809238102381123812238132381423815238162381723818238192382023821238222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212422224223242242422524226242272422824229242302423124232242332423424235242362423724238242392424024241242422424324244242452424624247242482424924250242512425224253242542425524256242572425824259242602426124262242632426424265242662426724268242692427024271242722427324274242752427624277242782427924280242812428224283242842428524286242872428824289242902429124292242932429424295242962429724298242992430024301243022430324304243052430624307243082430924310243112431224313243142431524316243172431824319243202432124322243232432424325243262432724328243292433024331243322433324334243352433624337
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.17.3
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. property:
  117. description: Used to select a specific property of the Provider value (if a map), if supported
  118. type: string
  119. version:
  120. description: Used to select a specific version of the Provider value, if supported
  121. type: string
  122. required:
  123. - key
  124. type: object
  125. secretKey:
  126. description: The key in the Kubernetes Secret to store the value.
  127. maxLength: 253
  128. minLength: 1
  129. pattern: ^[-._a-zA-Z0-9]+$
  130. type: string
  131. sourceRef:
  132. description: |-
  133. SourceRef allows you to override the source
  134. from which the value will be pulled.
  135. maxProperties: 1
  136. minProperties: 1
  137. properties:
  138. generatorRef:
  139. description: |-
  140. GeneratorRef points to a generator custom resource.
  141. Deprecated: The generatorRef is not implemented in .data[].
  142. this will be removed with v1.
  143. properties:
  144. apiVersion:
  145. default: generators.external-secrets.io/v1alpha1
  146. description: Specify the apiVersion of the generator resource
  147. type: string
  148. kind:
  149. description: Specify the Kind of the generator resource
  150. enum:
  151. - ACRAccessToken
  152. - ClusterGenerator
  153. - ECRAuthorizationToken
  154. - Fake
  155. - GCRAccessToken
  156. - GithubAccessToken
  157. - QuayAccessToken
  158. - Password
  159. - STSSessionToken
  160. - UUID
  161. - VaultDynamicSecret
  162. - Webhook
  163. - Grafana
  164. type: string
  165. name:
  166. description: Specify the name of the generator resource
  167. maxLength: 253
  168. minLength: 1
  169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  170. type: string
  171. required:
  172. - kind
  173. - name
  174. type: object
  175. storeRef:
  176. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  177. properties:
  178. kind:
  179. description: |-
  180. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  181. Defaults to `SecretStore`
  182. enum:
  183. - SecretStore
  184. - ClusterSecretStore
  185. type: string
  186. name:
  187. description: Name of the SecretStore resource
  188. maxLength: 253
  189. minLength: 1
  190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  191. type: string
  192. type: object
  193. type: object
  194. required:
  195. - remoteRef
  196. - secretKey
  197. type: object
  198. type: array
  199. dataFrom:
  200. description: |-
  201. DataFrom is used to fetch all properties from a specific Provider data
  202. If multiple entries are specified, the Secret keys are merged in the specified order
  203. items:
  204. properties:
  205. extract:
  206. description: |-
  207. Used to extract multiple key/value pairs from one secret
  208. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  209. properties:
  210. conversionStrategy:
  211. default: Default
  212. description: Used to define a conversion Strategy
  213. enum:
  214. - Default
  215. - Unicode
  216. type: string
  217. decodingStrategy:
  218. default: None
  219. description: Used to define a decoding Strategy
  220. enum:
  221. - Auto
  222. - Base64
  223. - Base64URL
  224. - None
  225. type: string
  226. key:
  227. description: Key is the key used in the Provider, mandatory
  228. type: string
  229. metadataPolicy:
  230. default: None
  231. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  232. enum:
  233. - None
  234. - Fetch
  235. type: string
  236. property:
  237. description: Used to select a specific property of the Provider value (if a map), if supported
  238. type: string
  239. version:
  240. description: Used to select a specific version of the Provider value, if supported
  241. type: string
  242. required:
  243. - key
  244. type: object
  245. find:
  246. description: |-
  247. Used to find secrets based on tags or regular expressions
  248. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  249. properties:
  250. conversionStrategy:
  251. default: Default
  252. description: Used to define a conversion Strategy
  253. enum:
  254. - Default
  255. - Unicode
  256. type: string
  257. decodingStrategy:
  258. default: None
  259. description: Used to define a decoding Strategy
  260. enum:
  261. - Auto
  262. - Base64
  263. - Base64URL
  264. - None
  265. type: string
  266. name:
  267. description: Finds secrets based on the name.
  268. properties:
  269. regexp:
  270. description: Finds secrets base
  271. type: string
  272. type: object
  273. path:
  274. description: A root path to start the find operations.
  275. type: string
  276. tags:
  277. additionalProperties:
  278. type: string
  279. description: Find secrets based on tags.
  280. type: object
  281. type: object
  282. rewrite:
  283. description: |-
  284. Used to rewrite secret Keys after getting them from the secret Provider
  285. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  286. items:
  287. properties:
  288. regexp:
  289. description: |-
  290. Used to rewrite with regular expressions.
  291. The resulting key will be the output of a regexp.ReplaceAll operation.
  292. properties:
  293. source:
  294. description: Used to define the regular expression of a re.Compiler.
  295. type: string
  296. target:
  297. description: Used to define the target pattern of a ReplaceAll operation.
  298. type: string
  299. required:
  300. - source
  301. - target
  302. type: object
  303. transform:
  304. description: |-
  305. Used to apply string transformation on the secrets.
  306. The resulting key will be the output of the template applied by the operation.
  307. properties:
  308. template:
  309. description: |-
  310. Used to define the template to apply on the secret name.
  311. `.value ` will specify the secret name in the template.
  312. type: string
  313. required:
  314. - template
  315. type: object
  316. type: object
  317. type: array
  318. sourceRef:
  319. description: |-
  320. SourceRef points to a store or generator
  321. which contains secret values ready to use.
  322. Use this in combination with Extract or Find pull values out of
  323. a specific SecretStore.
  324. When sourceRef points to a generator Extract or Find is not supported.
  325. The generator returns a static map of values
  326. maxProperties: 1
  327. minProperties: 1
  328. properties:
  329. generatorRef:
  330. description: GeneratorRef points to a generator custom resource.
  331. properties:
  332. apiVersion:
  333. default: generators.external-secrets.io/v1alpha1
  334. description: Specify the apiVersion of the generator resource
  335. type: string
  336. kind:
  337. description: Specify the Kind of the generator resource
  338. enum:
  339. - ACRAccessToken
  340. - ClusterGenerator
  341. - ECRAuthorizationToken
  342. - Fake
  343. - GCRAccessToken
  344. - GithubAccessToken
  345. - QuayAccessToken
  346. - Password
  347. - STSSessionToken
  348. - UUID
  349. - VaultDynamicSecret
  350. - Webhook
  351. - Grafana
  352. type: string
  353. name:
  354. description: Specify the name of the generator resource
  355. maxLength: 253
  356. minLength: 1
  357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  358. type: string
  359. required:
  360. - kind
  361. - name
  362. type: object
  363. storeRef:
  364. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  365. properties:
  366. kind:
  367. description: |-
  368. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  369. Defaults to `SecretStore`
  370. enum:
  371. - SecretStore
  372. - ClusterSecretStore
  373. type: string
  374. name:
  375. description: Name of the SecretStore resource
  376. maxLength: 253
  377. minLength: 1
  378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  379. type: string
  380. type: object
  381. type: object
  382. type: object
  383. type: array
  384. refreshInterval:
  385. default: 1h
  386. description: |-
  387. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  388. specified as Golang Duration strings.
  389. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  390. Example values: "1h", "2h30m", "10s"
  391. May be set to zero to fetch and create it once. Defaults to 1h.
  392. type: string
  393. refreshPolicy:
  394. description: |-
  395. RefreshPolicy determines how the ExternalSecret should be refreshed:
  396. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  397. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  398. No periodic updates occur if refreshInterval is 0.
  399. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  400. enum:
  401. - CreatedOnce
  402. - Periodic
  403. - OnChange
  404. type: string
  405. secretStoreRef:
  406. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  407. properties:
  408. kind:
  409. description: |-
  410. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  411. Defaults to `SecretStore`
  412. enum:
  413. - SecretStore
  414. - ClusterSecretStore
  415. type: string
  416. name:
  417. description: Name of the SecretStore resource
  418. maxLength: 253
  419. minLength: 1
  420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  421. type: string
  422. type: object
  423. target:
  424. default:
  425. creationPolicy: Owner
  426. deletionPolicy: Retain
  427. description: |-
  428. ExternalSecretTarget defines the Kubernetes Secret to be created
  429. There can be only one target per ExternalSecret.
  430. properties:
  431. creationPolicy:
  432. default: Owner
  433. description: |-
  434. CreationPolicy defines rules on how to create the resulting Secret.
  435. Defaults to "Owner"
  436. enum:
  437. - Owner
  438. - Orphan
  439. - Merge
  440. - None
  441. type: string
  442. deletionPolicy:
  443. default: Retain
  444. description: |-
  445. DeletionPolicy defines rules on how to delete the resulting Secret.
  446. Defaults to "Retain"
  447. enum:
  448. - Delete
  449. - Merge
  450. - Retain
  451. type: string
  452. immutable:
  453. description: Immutable defines if the final secret will be immutable
  454. type: boolean
  455. name:
  456. description: |-
  457. The name of the Secret resource to be managed.
  458. Defaults to the .metadata.name of the ExternalSecret resource
  459. maxLength: 253
  460. minLength: 1
  461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  462. type: string
  463. template:
  464. description: Template defines a blueprint for the created Secret resource.
  465. properties:
  466. data:
  467. additionalProperties:
  468. type: string
  469. type: object
  470. engineVersion:
  471. default: v2
  472. description: |-
  473. EngineVersion specifies the template engine version
  474. that should be used to compile/execute the
  475. template specified in .data and .templateFrom[].
  476. enum:
  477. - v2
  478. type: string
  479. mergePolicy:
  480. default: Replace
  481. enum:
  482. - Replace
  483. - Merge
  484. type: string
  485. metadata:
  486. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  487. properties:
  488. annotations:
  489. additionalProperties:
  490. type: string
  491. type: object
  492. labels:
  493. additionalProperties:
  494. type: string
  495. type: object
  496. type: object
  497. templateFrom:
  498. items:
  499. properties:
  500. configMap:
  501. properties:
  502. items:
  503. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  504. items:
  505. properties:
  506. key:
  507. description: A key in the ConfigMap/Secret
  508. maxLength: 253
  509. minLength: 1
  510. pattern: ^[-._a-zA-Z0-9]+$
  511. type: string
  512. templateAs:
  513. default: Values
  514. enum:
  515. - Values
  516. - KeysAndValues
  517. type: string
  518. required:
  519. - key
  520. type: object
  521. type: array
  522. name:
  523. description: The name of the ConfigMap/Secret resource
  524. maxLength: 253
  525. minLength: 1
  526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  527. type: string
  528. required:
  529. - items
  530. - name
  531. type: object
  532. literal:
  533. type: string
  534. secret:
  535. properties:
  536. items:
  537. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  538. items:
  539. properties:
  540. key:
  541. description: A key in the ConfigMap/Secret
  542. maxLength: 253
  543. minLength: 1
  544. pattern: ^[-._a-zA-Z0-9]+$
  545. type: string
  546. templateAs:
  547. default: Values
  548. enum:
  549. - Values
  550. - KeysAndValues
  551. type: string
  552. required:
  553. - key
  554. type: object
  555. type: array
  556. name:
  557. description: The name of the ConfigMap/Secret resource
  558. maxLength: 253
  559. minLength: 1
  560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  561. type: string
  562. required:
  563. - items
  564. - name
  565. type: object
  566. target:
  567. default: Data
  568. enum:
  569. - Data
  570. - Annotations
  571. - Labels
  572. type: string
  573. type: object
  574. type: array
  575. type:
  576. type: string
  577. type: object
  578. type: object
  579. type: object
  580. namespaceSelector:
  581. description: |-
  582. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  583. Deprecated: Use NamespaceSelectors instead.
  584. properties:
  585. matchExpressions:
  586. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  587. items:
  588. description: |-
  589. A label selector requirement is a selector that contains values, a key, and an operator that
  590. relates the key and values.
  591. properties:
  592. key:
  593. description: key is the label key that the selector applies to.
  594. type: string
  595. operator:
  596. description: |-
  597. operator represents a key's relationship to a set of values.
  598. Valid operators are In, NotIn, Exists and DoesNotExist.
  599. type: string
  600. values:
  601. description: |-
  602. values is an array of string values. If the operator is In or NotIn,
  603. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  604. the values array must be empty. This array is replaced during a strategic
  605. merge patch.
  606. items:
  607. type: string
  608. type: array
  609. x-kubernetes-list-type: atomic
  610. required:
  611. - key
  612. - operator
  613. type: object
  614. type: array
  615. x-kubernetes-list-type: atomic
  616. matchLabels:
  617. additionalProperties:
  618. type: string
  619. description: |-
  620. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  621. map is equivalent to an element of matchExpressions, whose key field is "key", the
  622. operator is "In", and the values array contains only "value". The requirements are ANDed.
  623. type: object
  624. type: object
  625. x-kubernetes-map-type: atomic
  626. namespaceSelectors:
  627. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  628. items:
  629. description: |-
  630. A label selector is a label query over a set of resources. The result of matchLabels and
  631. matchExpressions are ANDed. An empty label selector matches all objects. A null
  632. label selector matches no objects.
  633. properties:
  634. matchExpressions:
  635. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  636. items:
  637. description: |-
  638. A label selector requirement is a selector that contains values, a key, and an operator that
  639. relates the key and values.
  640. properties:
  641. key:
  642. description: key is the label key that the selector applies to.
  643. type: string
  644. operator:
  645. description: |-
  646. operator represents a key's relationship to a set of values.
  647. Valid operators are In, NotIn, Exists and DoesNotExist.
  648. type: string
  649. values:
  650. description: |-
  651. values is an array of string values. If the operator is In or NotIn,
  652. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  653. the values array must be empty. This array is replaced during a strategic
  654. merge patch.
  655. items:
  656. type: string
  657. type: array
  658. x-kubernetes-list-type: atomic
  659. required:
  660. - key
  661. - operator
  662. type: object
  663. type: array
  664. x-kubernetes-list-type: atomic
  665. matchLabels:
  666. additionalProperties:
  667. type: string
  668. description: |-
  669. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  670. map is equivalent to an element of matchExpressions, whose key field is "key", the
  671. operator is "In", and the values array contains only "value". The requirements are ANDed.
  672. type: object
  673. type: object
  674. x-kubernetes-map-type: atomic
  675. type: array
  676. namespaces:
  677. description: |-
  678. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  679. Deprecated: Use NamespaceSelectors instead.
  680. items:
  681. maxLength: 63
  682. minLength: 1
  683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  684. type: string
  685. type: array
  686. refreshTime:
  687. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  688. type: string
  689. required:
  690. - externalSecretSpec
  691. type: object
  692. status:
  693. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  694. properties:
  695. conditions:
  696. items:
  697. properties:
  698. message:
  699. type: string
  700. status:
  701. type: string
  702. type:
  703. type: string
  704. required:
  705. - status
  706. - type
  707. type: object
  708. type: array
  709. externalSecretName:
  710. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  711. type: string
  712. failedNamespaces:
  713. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  714. items:
  715. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  716. properties:
  717. namespace:
  718. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  719. type: string
  720. reason:
  721. description: Reason is why the ExternalSecret failed to apply to the namespace
  722. type: string
  723. required:
  724. - namespace
  725. type: object
  726. type: array
  727. provisionedNamespaces:
  728. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  729. items:
  730. type: string
  731. type: array
  732. type: object
  733. type: object
  734. served: true
  735. storage: true
  736. subresources:
  737. status: {}
  738. - additionalPrinterColumns:
  739. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  740. name: Store
  741. type: string
  742. - jsonPath: .spec.refreshTime
  743. name: Refresh Interval
  744. type: string
  745. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  746. name: Ready
  747. type: string
  748. name: v1beta1
  749. schema:
  750. openAPIV3Schema:
  751. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  752. properties:
  753. apiVersion:
  754. description: |-
  755. APIVersion defines the versioned schema of this representation of an object.
  756. Servers should convert recognized schemas to the latest internal value, and
  757. may reject unrecognized values.
  758. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  759. type: string
  760. kind:
  761. description: |-
  762. Kind is a string value representing the REST resource this object represents.
  763. Servers may infer this from the endpoint the client submits requests to.
  764. Cannot be updated.
  765. In CamelCase.
  766. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  767. type: string
  768. metadata:
  769. type: object
  770. spec:
  771. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  772. properties:
  773. externalSecretMetadata:
  774. description: The metadata of the external secrets to be created
  775. properties:
  776. annotations:
  777. additionalProperties:
  778. type: string
  779. type: object
  780. labels:
  781. additionalProperties:
  782. type: string
  783. type: object
  784. type: object
  785. externalSecretName:
  786. description: |-
  787. The name of the external secrets to be created.
  788. Defaults to the name of the ClusterExternalSecret
  789. maxLength: 253
  790. minLength: 1
  791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  792. type: string
  793. externalSecretSpec:
  794. description: The spec for the ExternalSecrets to be created
  795. properties:
  796. data:
  797. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  798. items:
  799. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  800. properties:
  801. remoteRef:
  802. description: |-
  803. RemoteRef points to the remote secret and defines
  804. which secret (version/property/..) to fetch.
  805. properties:
  806. conversionStrategy:
  807. default: Default
  808. description: Used to define a conversion Strategy
  809. enum:
  810. - Default
  811. - Unicode
  812. type: string
  813. decodingStrategy:
  814. default: None
  815. description: Used to define a decoding Strategy
  816. enum:
  817. - Auto
  818. - Base64
  819. - Base64URL
  820. - None
  821. type: string
  822. key:
  823. description: Key is the key used in the Provider, mandatory
  824. type: string
  825. metadataPolicy:
  826. default: None
  827. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  828. enum:
  829. - None
  830. - Fetch
  831. type: string
  832. property:
  833. description: Used to select a specific property of the Provider value (if a map), if supported
  834. type: string
  835. version:
  836. description: Used to select a specific version of the Provider value, if supported
  837. type: string
  838. required:
  839. - key
  840. type: object
  841. secretKey:
  842. description: The key in the Kubernetes Secret to store the value.
  843. maxLength: 253
  844. minLength: 1
  845. pattern: ^[-._a-zA-Z0-9]+$
  846. type: string
  847. sourceRef:
  848. description: |-
  849. SourceRef allows you to override the source
  850. from which the value will be pulled.
  851. maxProperties: 1
  852. minProperties: 1
  853. properties:
  854. generatorRef:
  855. description: |-
  856. GeneratorRef points to a generator custom resource.
  857. Deprecated: The generatorRef is not implemented in .data[].
  858. this will be removed with v1.
  859. properties:
  860. apiVersion:
  861. default: generators.external-secrets.io/v1alpha1
  862. description: Specify the apiVersion of the generator resource
  863. type: string
  864. kind:
  865. description: Specify the Kind of the generator resource
  866. enum:
  867. - ACRAccessToken
  868. - ClusterGenerator
  869. - ECRAuthorizationToken
  870. - Fake
  871. - GCRAccessToken
  872. - GithubAccessToken
  873. - QuayAccessToken
  874. - Password
  875. - STSSessionToken
  876. - UUID
  877. - VaultDynamicSecret
  878. - Webhook
  879. - Grafana
  880. type: string
  881. name:
  882. description: Specify the name of the generator resource
  883. maxLength: 253
  884. minLength: 1
  885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  886. type: string
  887. required:
  888. - kind
  889. - name
  890. type: object
  891. storeRef:
  892. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  893. properties:
  894. kind:
  895. description: |-
  896. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  897. Defaults to `SecretStore`
  898. enum:
  899. - SecretStore
  900. - ClusterSecretStore
  901. type: string
  902. name:
  903. description: Name of the SecretStore resource
  904. maxLength: 253
  905. minLength: 1
  906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  907. type: string
  908. type: object
  909. type: object
  910. required:
  911. - remoteRef
  912. - secretKey
  913. type: object
  914. type: array
  915. dataFrom:
  916. description: |-
  917. DataFrom is used to fetch all properties from a specific Provider data
  918. If multiple entries are specified, the Secret keys are merged in the specified order
  919. items:
  920. properties:
  921. extract:
  922. description: |-
  923. Used to extract multiple key/value pairs from one secret
  924. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  925. properties:
  926. conversionStrategy:
  927. default: Default
  928. description: Used to define a conversion Strategy
  929. enum:
  930. - Default
  931. - Unicode
  932. type: string
  933. decodingStrategy:
  934. default: None
  935. description: Used to define a decoding Strategy
  936. enum:
  937. - Auto
  938. - Base64
  939. - Base64URL
  940. - None
  941. type: string
  942. key:
  943. description: Key is the key used in the Provider, mandatory
  944. type: string
  945. metadataPolicy:
  946. default: None
  947. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  948. enum:
  949. - None
  950. - Fetch
  951. type: string
  952. property:
  953. description: Used to select a specific property of the Provider value (if a map), if supported
  954. type: string
  955. version:
  956. description: Used to select a specific version of the Provider value, if supported
  957. type: string
  958. required:
  959. - key
  960. type: object
  961. find:
  962. description: |-
  963. Used to find secrets based on tags or regular expressions
  964. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  965. properties:
  966. conversionStrategy:
  967. default: Default
  968. description: Used to define a conversion Strategy
  969. enum:
  970. - Default
  971. - Unicode
  972. type: string
  973. decodingStrategy:
  974. default: None
  975. description: Used to define a decoding Strategy
  976. enum:
  977. - Auto
  978. - Base64
  979. - Base64URL
  980. - None
  981. type: string
  982. name:
  983. description: Finds secrets based on the name.
  984. properties:
  985. regexp:
  986. description: Finds secrets base
  987. type: string
  988. type: object
  989. path:
  990. description: A root path to start the find operations.
  991. type: string
  992. tags:
  993. additionalProperties:
  994. type: string
  995. description: Find secrets based on tags.
  996. type: object
  997. type: object
  998. rewrite:
  999. description: |-
  1000. Used to rewrite secret Keys after getting them from the secret Provider
  1001. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1002. items:
  1003. properties:
  1004. regexp:
  1005. description: |-
  1006. Used to rewrite with regular expressions.
  1007. The resulting key will be the output of a regexp.ReplaceAll operation.
  1008. properties:
  1009. source:
  1010. description: Used to define the regular expression of a re.Compiler.
  1011. type: string
  1012. target:
  1013. description: Used to define the target pattern of a ReplaceAll operation.
  1014. type: string
  1015. required:
  1016. - source
  1017. - target
  1018. type: object
  1019. transform:
  1020. description: |-
  1021. Used to apply string transformation on the secrets.
  1022. The resulting key will be the output of the template applied by the operation.
  1023. properties:
  1024. template:
  1025. description: |-
  1026. Used to define the template to apply on the secret name.
  1027. `.value ` will specify the secret name in the template.
  1028. type: string
  1029. required:
  1030. - template
  1031. type: object
  1032. type: object
  1033. type: array
  1034. sourceRef:
  1035. description: |-
  1036. SourceRef points to a store or generator
  1037. which contains secret values ready to use.
  1038. Use this in combination with Extract or Find pull values out of
  1039. a specific SecretStore.
  1040. When sourceRef points to a generator Extract or Find is not supported.
  1041. The generator returns a static map of values
  1042. maxProperties: 1
  1043. minProperties: 1
  1044. properties:
  1045. generatorRef:
  1046. description: GeneratorRef points to a generator custom resource.
  1047. properties:
  1048. apiVersion:
  1049. default: generators.external-secrets.io/v1alpha1
  1050. description: Specify the apiVersion of the generator resource
  1051. type: string
  1052. kind:
  1053. description: Specify the Kind of the generator resource
  1054. enum:
  1055. - ACRAccessToken
  1056. - ClusterGenerator
  1057. - ECRAuthorizationToken
  1058. - Fake
  1059. - GCRAccessToken
  1060. - GithubAccessToken
  1061. - QuayAccessToken
  1062. - Password
  1063. - STSSessionToken
  1064. - UUID
  1065. - VaultDynamicSecret
  1066. - Webhook
  1067. - Grafana
  1068. type: string
  1069. name:
  1070. description: Specify the name of the generator resource
  1071. maxLength: 253
  1072. minLength: 1
  1073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1074. type: string
  1075. required:
  1076. - kind
  1077. - name
  1078. type: object
  1079. storeRef:
  1080. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1081. properties:
  1082. kind:
  1083. description: |-
  1084. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1085. Defaults to `SecretStore`
  1086. enum:
  1087. - SecretStore
  1088. - ClusterSecretStore
  1089. type: string
  1090. name:
  1091. description: Name of the SecretStore resource
  1092. maxLength: 253
  1093. minLength: 1
  1094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1095. type: string
  1096. type: object
  1097. type: object
  1098. type: object
  1099. type: array
  1100. refreshInterval:
  1101. default: 1h
  1102. description: |-
  1103. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1104. specified as Golang Duration strings.
  1105. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1106. Example values: "1h", "2h30m", "10s"
  1107. May be set to zero to fetch and create it once. Defaults to 1h.
  1108. type: string
  1109. refreshPolicy:
  1110. description: |-
  1111. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1112. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1113. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1114. No periodic updates occur if refreshInterval is 0.
  1115. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1116. enum:
  1117. - CreatedOnce
  1118. - Periodic
  1119. - OnChange
  1120. type: string
  1121. secretStoreRef:
  1122. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1123. properties:
  1124. kind:
  1125. description: |-
  1126. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1127. Defaults to `SecretStore`
  1128. enum:
  1129. - SecretStore
  1130. - ClusterSecretStore
  1131. type: string
  1132. name:
  1133. description: Name of the SecretStore resource
  1134. maxLength: 253
  1135. minLength: 1
  1136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1137. type: string
  1138. type: object
  1139. target:
  1140. default:
  1141. creationPolicy: Owner
  1142. deletionPolicy: Retain
  1143. description: |-
  1144. ExternalSecretTarget defines the Kubernetes Secret to be created
  1145. There can be only one target per ExternalSecret.
  1146. properties:
  1147. creationPolicy:
  1148. default: Owner
  1149. description: |-
  1150. CreationPolicy defines rules on how to create the resulting Secret.
  1151. Defaults to "Owner"
  1152. enum:
  1153. - Owner
  1154. - Orphan
  1155. - Merge
  1156. - None
  1157. type: string
  1158. deletionPolicy:
  1159. default: Retain
  1160. description: |-
  1161. DeletionPolicy defines rules on how to delete the resulting Secret.
  1162. Defaults to "Retain"
  1163. enum:
  1164. - Delete
  1165. - Merge
  1166. - Retain
  1167. type: string
  1168. immutable:
  1169. description: Immutable defines if the final secret will be immutable
  1170. type: boolean
  1171. name:
  1172. description: |-
  1173. The name of the Secret resource to be managed.
  1174. Defaults to the .metadata.name of the ExternalSecret resource
  1175. maxLength: 253
  1176. minLength: 1
  1177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1178. type: string
  1179. template:
  1180. description: Template defines a blueprint for the created Secret resource.
  1181. properties:
  1182. data:
  1183. additionalProperties:
  1184. type: string
  1185. type: object
  1186. engineVersion:
  1187. default: v2
  1188. description: |-
  1189. EngineVersion specifies the template engine version
  1190. that should be used to compile/execute the
  1191. template specified in .data and .templateFrom[].
  1192. enum:
  1193. - v2
  1194. type: string
  1195. mergePolicy:
  1196. default: Replace
  1197. enum:
  1198. - Replace
  1199. - Merge
  1200. type: string
  1201. metadata:
  1202. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1203. properties:
  1204. annotations:
  1205. additionalProperties:
  1206. type: string
  1207. type: object
  1208. labels:
  1209. additionalProperties:
  1210. type: string
  1211. type: object
  1212. type: object
  1213. templateFrom:
  1214. items:
  1215. properties:
  1216. configMap:
  1217. properties:
  1218. items:
  1219. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1220. items:
  1221. properties:
  1222. key:
  1223. description: A key in the ConfigMap/Secret
  1224. maxLength: 253
  1225. minLength: 1
  1226. pattern: ^[-._a-zA-Z0-9]+$
  1227. type: string
  1228. templateAs:
  1229. default: Values
  1230. enum:
  1231. - Values
  1232. - KeysAndValues
  1233. type: string
  1234. required:
  1235. - key
  1236. type: object
  1237. type: array
  1238. name:
  1239. description: The name of the ConfigMap/Secret resource
  1240. maxLength: 253
  1241. minLength: 1
  1242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1243. type: string
  1244. required:
  1245. - items
  1246. - name
  1247. type: object
  1248. literal:
  1249. type: string
  1250. secret:
  1251. properties:
  1252. items:
  1253. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1254. items:
  1255. properties:
  1256. key:
  1257. description: A key in the ConfigMap/Secret
  1258. maxLength: 253
  1259. minLength: 1
  1260. pattern: ^[-._a-zA-Z0-9]+$
  1261. type: string
  1262. templateAs:
  1263. default: Values
  1264. enum:
  1265. - Values
  1266. - KeysAndValues
  1267. type: string
  1268. required:
  1269. - key
  1270. type: object
  1271. type: array
  1272. name:
  1273. description: The name of the ConfigMap/Secret resource
  1274. maxLength: 253
  1275. minLength: 1
  1276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1277. type: string
  1278. required:
  1279. - items
  1280. - name
  1281. type: object
  1282. target:
  1283. default: Data
  1284. enum:
  1285. - Data
  1286. - Annotations
  1287. - Labels
  1288. type: string
  1289. type: object
  1290. type: array
  1291. type:
  1292. type: string
  1293. type: object
  1294. type: object
  1295. type: object
  1296. namespaceSelector:
  1297. description: |-
  1298. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  1299. Deprecated: Use NamespaceSelectors instead.
  1300. properties:
  1301. matchExpressions:
  1302. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1303. items:
  1304. description: |-
  1305. A label selector requirement is a selector that contains values, a key, and an operator that
  1306. relates the key and values.
  1307. properties:
  1308. key:
  1309. description: key is the label key that the selector applies to.
  1310. type: string
  1311. operator:
  1312. description: |-
  1313. operator represents a key's relationship to a set of values.
  1314. Valid operators are In, NotIn, Exists and DoesNotExist.
  1315. type: string
  1316. values:
  1317. description: |-
  1318. values is an array of string values. If the operator is In or NotIn,
  1319. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1320. the values array must be empty. This array is replaced during a strategic
  1321. merge patch.
  1322. items:
  1323. type: string
  1324. type: array
  1325. x-kubernetes-list-type: atomic
  1326. required:
  1327. - key
  1328. - operator
  1329. type: object
  1330. type: array
  1331. x-kubernetes-list-type: atomic
  1332. matchLabels:
  1333. additionalProperties:
  1334. type: string
  1335. description: |-
  1336. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1337. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1338. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1339. type: object
  1340. type: object
  1341. x-kubernetes-map-type: atomic
  1342. namespaceSelectors:
  1343. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1344. items:
  1345. description: |-
  1346. A label selector is a label query over a set of resources. The result of matchLabels and
  1347. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1348. label selector matches no objects.
  1349. properties:
  1350. matchExpressions:
  1351. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1352. items:
  1353. description: |-
  1354. A label selector requirement is a selector that contains values, a key, and an operator that
  1355. relates the key and values.
  1356. properties:
  1357. key:
  1358. description: key is the label key that the selector applies to.
  1359. type: string
  1360. operator:
  1361. description: |-
  1362. operator represents a key's relationship to a set of values.
  1363. Valid operators are In, NotIn, Exists and DoesNotExist.
  1364. type: string
  1365. values:
  1366. description: |-
  1367. values is an array of string values. If the operator is In or NotIn,
  1368. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1369. the values array must be empty. This array is replaced during a strategic
  1370. merge patch.
  1371. items:
  1372. type: string
  1373. type: array
  1374. x-kubernetes-list-type: atomic
  1375. required:
  1376. - key
  1377. - operator
  1378. type: object
  1379. type: array
  1380. x-kubernetes-list-type: atomic
  1381. matchLabels:
  1382. additionalProperties:
  1383. type: string
  1384. description: |-
  1385. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1386. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1387. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1388. type: object
  1389. type: object
  1390. x-kubernetes-map-type: atomic
  1391. type: array
  1392. namespaces:
  1393. description: |-
  1394. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1395. Deprecated: Use NamespaceSelectors instead.
  1396. items:
  1397. maxLength: 63
  1398. minLength: 1
  1399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1400. type: string
  1401. type: array
  1402. refreshTime:
  1403. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1404. type: string
  1405. required:
  1406. - externalSecretSpec
  1407. type: object
  1408. status:
  1409. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1410. properties:
  1411. conditions:
  1412. items:
  1413. properties:
  1414. message:
  1415. type: string
  1416. status:
  1417. type: string
  1418. type:
  1419. type: string
  1420. required:
  1421. - status
  1422. - type
  1423. type: object
  1424. type: array
  1425. externalSecretName:
  1426. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1427. type: string
  1428. failedNamespaces:
  1429. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1430. items:
  1431. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1432. properties:
  1433. namespace:
  1434. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1435. type: string
  1436. reason:
  1437. description: Reason is why the ExternalSecret failed to apply to the namespace
  1438. type: string
  1439. required:
  1440. - namespace
  1441. type: object
  1442. type: array
  1443. provisionedNamespaces:
  1444. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1445. items:
  1446. type: string
  1447. type: array
  1448. type: object
  1449. type: object
  1450. served: true
  1451. storage: false
  1452. subresources:
  1453. status: {}
  1454. conversion:
  1455. strategy: Webhook
  1456. webhook:
  1457. conversionReviewVersions:
  1458. - v1
  1459. clientConfig:
  1460. service:
  1461. name: kubernetes
  1462. namespace: default
  1463. path: /convert
  1464. ---
  1465. apiVersion: apiextensions.k8s.io/v1
  1466. kind: CustomResourceDefinition
  1467. metadata:
  1468. annotations:
  1469. controller-gen.kubebuilder.io/version: v0.17.3
  1470. labels:
  1471. external-secrets.io/component: controller
  1472. name: clusterpushsecrets.external-secrets.io
  1473. spec:
  1474. group: external-secrets.io
  1475. names:
  1476. categories:
  1477. - external-secrets
  1478. kind: ClusterPushSecret
  1479. listKind: ClusterPushSecretList
  1480. plural: clusterpushsecrets
  1481. singular: clusterpushsecret
  1482. scope: Cluster
  1483. versions:
  1484. - additionalPrinterColumns:
  1485. - jsonPath: .metadata.creationTimestamp
  1486. name: AGE
  1487. type: date
  1488. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1489. name: Status
  1490. type: string
  1491. name: v1alpha1
  1492. schema:
  1493. openAPIV3Schema:
  1494. properties:
  1495. apiVersion:
  1496. description: |-
  1497. APIVersion defines the versioned schema of this representation of an object.
  1498. Servers should convert recognized schemas to the latest internal value, and
  1499. may reject unrecognized values.
  1500. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1501. type: string
  1502. kind:
  1503. description: |-
  1504. Kind is a string value representing the REST resource this object represents.
  1505. Servers may infer this from the endpoint the client submits requests to.
  1506. Cannot be updated.
  1507. In CamelCase.
  1508. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1509. type: string
  1510. metadata:
  1511. type: object
  1512. spec:
  1513. properties:
  1514. namespaceSelectors:
  1515. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1516. items:
  1517. description: |-
  1518. A label selector is a label query over a set of resources. The result of matchLabels and
  1519. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1520. label selector matches no objects.
  1521. properties:
  1522. matchExpressions:
  1523. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1524. items:
  1525. description: |-
  1526. A label selector requirement is a selector that contains values, a key, and an operator that
  1527. relates the key and values.
  1528. properties:
  1529. key:
  1530. description: key is the label key that the selector applies to.
  1531. type: string
  1532. operator:
  1533. description: |-
  1534. operator represents a key's relationship to a set of values.
  1535. Valid operators are In, NotIn, Exists and DoesNotExist.
  1536. type: string
  1537. values:
  1538. description: |-
  1539. values is an array of string values. If the operator is In or NotIn,
  1540. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1541. the values array must be empty. This array is replaced during a strategic
  1542. merge patch.
  1543. items:
  1544. type: string
  1545. type: array
  1546. x-kubernetes-list-type: atomic
  1547. required:
  1548. - key
  1549. - operator
  1550. type: object
  1551. type: array
  1552. x-kubernetes-list-type: atomic
  1553. matchLabels:
  1554. additionalProperties:
  1555. type: string
  1556. description: |-
  1557. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1558. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1559. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1560. type: object
  1561. type: object
  1562. x-kubernetes-map-type: atomic
  1563. type: array
  1564. pushSecretMetadata:
  1565. description: The metadata of the external secrets to be created
  1566. properties:
  1567. annotations:
  1568. additionalProperties:
  1569. type: string
  1570. type: object
  1571. labels:
  1572. additionalProperties:
  1573. type: string
  1574. type: object
  1575. type: object
  1576. pushSecretName:
  1577. description: |-
  1578. The name of the push secrets to be created.
  1579. Defaults to the name of the ClusterPushSecret
  1580. maxLength: 253
  1581. minLength: 1
  1582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1583. type: string
  1584. pushSecretSpec:
  1585. description: PushSecretSpec defines what to do with the secrets.
  1586. properties:
  1587. data:
  1588. description: Secret Data that should be pushed to providers
  1589. items:
  1590. properties:
  1591. conversionStrategy:
  1592. default: None
  1593. description: Used to define a conversion Strategy for the secret keys
  1594. enum:
  1595. - None
  1596. - ReverseUnicode
  1597. type: string
  1598. match:
  1599. description: Match a given Secret Key to be pushed to the provider.
  1600. properties:
  1601. remoteRef:
  1602. description: Remote Refs to push to providers.
  1603. properties:
  1604. property:
  1605. description: Name of the property in the resulting secret
  1606. type: string
  1607. remoteKey:
  1608. description: Name of the resulting provider secret.
  1609. type: string
  1610. required:
  1611. - remoteKey
  1612. type: object
  1613. secretKey:
  1614. description: Secret Key to be pushed
  1615. type: string
  1616. required:
  1617. - remoteRef
  1618. type: object
  1619. metadata:
  1620. description: |-
  1621. Metadata is metadata attached to the secret.
  1622. The structure of metadata is provider specific, please look it up in the provider documentation.
  1623. x-kubernetes-preserve-unknown-fields: true
  1624. required:
  1625. - match
  1626. type: object
  1627. type: array
  1628. deletionPolicy:
  1629. default: None
  1630. description: Deletion Policy to handle Secrets in the provider.
  1631. enum:
  1632. - Delete
  1633. - None
  1634. type: string
  1635. refreshInterval:
  1636. default: 1h
  1637. description: The Interval to which External Secrets will try to push a secret definition
  1638. type: string
  1639. secretStoreRefs:
  1640. items:
  1641. properties:
  1642. kind:
  1643. default: SecretStore
  1644. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1645. enum:
  1646. - SecretStore
  1647. - ClusterSecretStore
  1648. type: string
  1649. labelSelector:
  1650. description: Optionally, sync to secret stores with label selector
  1651. properties:
  1652. matchExpressions:
  1653. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1654. items:
  1655. description: |-
  1656. A label selector requirement is a selector that contains values, a key, and an operator that
  1657. relates the key and values.
  1658. properties:
  1659. key:
  1660. description: key is the label key that the selector applies to.
  1661. type: string
  1662. operator:
  1663. description: |-
  1664. operator represents a key's relationship to a set of values.
  1665. Valid operators are In, NotIn, Exists and DoesNotExist.
  1666. type: string
  1667. values:
  1668. description: |-
  1669. values is an array of string values. If the operator is In or NotIn,
  1670. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1671. the values array must be empty. This array is replaced during a strategic
  1672. merge patch.
  1673. items:
  1674. type: string
  1675. type: array
  1676. x-kubernetes-list-type: atomic
  1677. required:
  1678. - key
  1679. - operator
  1680. type: object
  1681. type: array
  1682. x-kubernetes-list-type: atomic
  1683. matchLabels:
  1684. additionalProperties:
  1685. type: string
  1686. description: |-
  1687. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1688. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1689. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1690. type: object
  1691. type: object
  1692. x-kubernetes-map-type: atomic
  1693. name:
  1694. description: Optionally, sync to the SecretStore of the given name
  1695. maxLength: 253
  1696. minLength: 1
  1697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1698. type: string
  1699. type: object
  1700. type: array
  1701. selector:
  1702. description: The Secret Selector (k8s source) for the Push Secret
  1703. maxProperties: 1
  1704. minProperties: 1
  1705. properties:
  1706. generatorRef:
  1707. description: Point to a generator to create a Secret.
  1708. properties:
  1709. apiVersion:
  1710. default: generators.external-secrets.io/v1alpha1
  1711. description: Specify the apiVersion of the generator resource
  1712. type: string
  1713. kind:
  1714. description: Specify the Kind of the generator resource
  1715. enum:
  1716. - ACRAccessToken
  1717. - ClusterGenerator
  1718. - ECRAuthorizationToken
  1719. - Fake
  1720. - GCRAccessToken
  1721. - GithubAccessToken
  1722. - QuayAccessToken
  1723. - Password
  1724. - STSSessionToken
  1725. - UUID
  1726. - VaultDynamicSecret
  1727. - Webhook
  1728. - Grafana
  1729. type: string
  1730. name:
  1731. description: Specify the name of the generator resource
  1732. maxLength: 253
  1733. minLength: 1
  1734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1735. type: string
  1736. required:
  1737. - kind
  1738. - name
  1739. type: object
  1740. secret:
  1741. description: Select a Secret to Push.
  1742. properties:
  1743. name:
  1744. description: |-
  1745. Name of the Secret.
  1746. The Secret must exist in the same namespace as the PushSecret manifest.
  1747. maxLength: 253
  1748. minLength: 1
  1749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1750. type: string
  1751. selector:
  1752. description: Selector chooses secrets using a labelSelector.
  1753. properties:
  1754. matchExpressions:
  1755. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1756. items:
  1757. description: |-
  1758. A label selector requirement is a selector that contains values, a key, and an operator that
  1759. relates the key and values.
  1760. properties:
  1761. key:
  1762. description: key is the label key that the selector applies to.
  1763. type: string
  1764. operator:
  1765. description: |-
  1766. operator represents a key's relationship to a set of values.
  1767. Valid operators are In, NotIn, Exists and DoesNotExist.
  1768. type: string
  1769. values:
  1770. description: |-
  1771. values is an array of string values. If the operator is In or NotIn,
  1772. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1773. the values array must be empty. This array is replaced during a strategic
  1774. merge patch.
  1775. items:
  1776. type: string
  1777. type: array
  1778. x-kubernetes-list-type: atomic
  1779. required:
  1780. - key
  1781. - operator
  1782. type: object
  1783. type: array
  1784. x-kubernetes-list-type: atomic
  1785. matchLabels:
  1786. additionalProperties:
  1787. type: string
  1788. description: |-
  1789. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1790. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1791. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1792. type: object
  1793. type: object
  1794. x-kubernetes-map-type: atomic
  1795. type: object
  1796. type: object
  1797. template:
  1798. description: Template defines a blueprint for the created Secret resource.
  1799. properties:
  1800. data:
  1801. additionalProperties:
  1802. type: string
  1803. type: object
  1804. engineVersion:
  1805. default: v2
  1806. description: |-
  1807. EngineVersion specifies the template engine version
  1808. that should be used to compile/execute the
  1809. template specified in .data and .templateFrom[].
  1810. enum:
  1811. - v2
  1812. type: string
  1813. mergePolicy:
  1814. default: Replace
  1815. enum:
  1816. - Replace
  1817. - Merge
  1818. type: string
  1819. metadata:
  1820. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1821. properties:
  1822. annotations:
  1823. additionalProperties:
  1824. type: string
  1825. type: object
  1826. labels:
  1827. additionalProperties:
  1828. type: string
  1829. type: object
  1830. type: object
  1831. templateFrom:
  1832. items:
  1833. properties:
  1834. configMap:
  1835. properties:
  1836. items:
  1837. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1838. items:
  1839. properties:
  1840. key:
  1841. description: A key in the ConfigMap/Secret
  1842. maxLength: 253
  1843. minLength: 1
  1844. pattern: ^[-._a-zA-Z0-9]+$
  1845. type: string
  1846. templateAs:
  1847. default: Values
  1848. enum:
  1849. - Values
  1850. - KeysAndValues
  1851. type: string
  1852. required:
  1853. - key
  1854. type: object
  1855. type: array
  1856. name:
  1857. description: The name of the ConfigMap/Secret resource
  1858. maxLength: 253
  1859. minLength: 1
  1860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1861. type: string
  1862. required:
  1863. - items
  1864. - name
  1865. type: object
  1866. literal:
  1867. type: string
  1868. secret:
  1869. properties:
  1870. items:
  1871. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1872. items:
  1873. properties:
  1874. key:
  1875. description: A key in the ConfigMap/Secret
  1876. maxLength: 253
  1877. minLength: 1
  1878. pattern: ^[-._a-zA-Z0-9]+$
  1879. type: string
  1880. templateAs:
  1881. default: Values
  1882. enum:
  1883. - Values
  1884. - KeysAndValues
  1885. type: string
  1886. required:
  1887. - key
  1888. type: object
  1889. type: array
  1890. name:
  1891. description: The name of the ConfigMap/Secret resource
  1892. maxLength: 253
  1893. minLength: 1
  1894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1895. type: string
  1896. required:
  1897. - items
  1898. - name
  1899. type: object
  1900. target:
  1901. default: Data
  1902. enum:
  1903. - Data
  1904. - Annotations
  1905. - Labels
  1906. type: string
  1907. type: object
  1908. type: array
  1909. type:
  1910. type: string
  1911. type: object
  1912. updatePolicy:
  1913. default: Replace
  1914. description: UpdatePolicy to handle Secrets in the provider.
  1915. enum:
  1916. - Replace
  1917. - IfNotExists
  1918. type: string
  1919. required:
  1920. - secretStoreRefs
  1921. - selector
  1922. type: object
  1923. refreshTime:
  1924. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1925. type: string
  1926. required:
  1927. - pushSecretSpec
  1928. type: object
  1929. status:
  1930. properties:
  1931. conditions:
  1932. items:
  1933. description: PushSecretStatusCondition indicates the status of the PushSecret.
  1934. properties:
  1935. lastTransitionTime:
  1936. format: date-time
  1937. type: string
  1938. message:
  1939. type: string
  1940. reason:
  1941. type: string
  1942. status:
  1943. type: string
  1944. type:
  1945. description: PushSecretConditionType indicates the condition of the PushSecret.
  1946. type: string
  1947. required:
  1948. - status
  1949. - type
  1950. type: object
  1951. type: array
  1952. failedNamespaces:
  1953. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  1954. items:
  1955. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1956. properties:
  1957. namespace:
  1958. description: Namespace is the namespace that failed when trying to apply an PushSecret
  1959. type: string
  1960. reason:
  1961. description: Reason is why the PushSecret failed to apply to the namespace
  1962. type: string
  1963. required:
  1964. - namespace
  1965. type: object
  1966. type: array
  1967. provisionedNamespaces:
  1968. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  1969. items:
  1970. type: string
  1971. type: array
  1972. pushSecretName:
  1973. type: string
  1974. type: object
  1975. type: object
  1976. served: true
  1977. storage: true
  1978. subresources:
  1979. status: {}
  1980. conversion:
  1981. strategy: Webhook
  1982. webhook:
  1983. conversionReviewVersions:
  1984. - v1
  1985. clientConfig:
  1986. service:
  1987. name: kubernetes
  1988. namespace: default
  1989. path: /convert
  1990. ---
  1991. apiVersion: apiextensions.k8s.io/v1
  1992. kind: CustomResourceDefinition
  1993. metadata:
  1994. annotations:
  1995. controller-gen.kubebuilder.io/version: v0.17.3
  1996. labels:
  1997. external-secrets.io/component: controller
  1998. name: clustersecretstores.external-secrets.io
  1999. spec:
  2000. group: external-secrets.io
  2001. names:
  2002. categories:
  2003. - external-secrets
  2004. kind: ClusterSecretStore
  2005. listKind: ClusterSecretStoreList
  2006. plural: clustersecretstores
  2007. shortNames:
  2008. - css
  2009. singular: clustersecretstore
  2010. scope: Cluster
  2011. versions:
  2012. - additionalPrinterColumns:
  2013. - jsonPath: .metadata.creationTimestamp
  2014. name: AGE
  2015. type: date
  2016. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2017. name: Status
  2018. type: string
  2019. - jsonPath: .status.capabilities
  2020. name: Capabilities
  2021. type: string
  2022. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2023. name: Ready
  2024. type: string
  2025. name: v1
  2026. schema:
  2027. openAPIV3Schema:
  2028. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2029. properties:
  2030. apiVersion:
  2031. description: |-
  2032. APIVersion defines the versioned schema of this representation of an object.
  2033. Servers should convert recognized schemas to the latest internal value, and
  2034. may reject unrecognized values.
  2035. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2036. type: string
  2037. kind:
  2038. description: |-
  2039. Kind is a string value representing the REST resource this object represents.
  2040. Servers may infer this from the endpoint the client submits requests to.
  2041. Cannot be updated.
  2042. In CamelCase.
  2043. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2044. type: string
  2045. metadata:
  2046. type: object
  2047. spec:
  2048. description: SecretStoreSpec defines the desired state of SecretStore.
  2049. properties:
  2050. conditions:
  2051. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  2052. items:
  2053. description: |-
  2054. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2055. for a ClusterSecretStore instance.
  2056. properties:
  2057. namespaceRegexes:
  2058. description: Choose namespaces by using regex matching
  2059. items:
  2060. type: string
  2061. type: array
  2062. namespaceSelector:
  2063. description: Choose namespace using a labelSelector
  2064. properties:
  2065. matchExpressions:
  2066. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2067. items:
  2068. description: |-
  2069. A label selector requirement is a selector that contains values, a key, and an operator that
  2070. relates the key and values.
  2071. properties:
  2072. key:
  2073. description: key is the label key that the selector applies to.
  2074. type: string
  2075. operator:
  2076. description: |-
  2077. operator represents a key's relationship to a set of values.
  2078. Valid operators are In, NotIn, Exists and DoesNotExist.
  2079. type: string
  2080. values:
  2081. description: |-
  2082. values is an array of string values. If the operator is In or NotIn,
  2083. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2084. the values array must be empty. This array is replaced during a strategic
  2085. merge patch.
  2086. items:
  2087. type: string
  2088. type: array
  2089. x-kubernetes-list-type: atomic
  2090. required:
  2091. - key
  2092. - operator
  2093. type: object
  2094. type: array
  2095. x-kubernetes-list-type: atomic
  2096. matchLabels:
  2097. additionalProperties:
  2098. type: string
  2099. description: |-
  2100. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2101. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2102. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2103. type: object
  2104. type: object
  2105. x-kubernetes-map-type: atomic
  2106. namespaces:
  2107. description: Choose namespaces by name
  2108. items:
  2109. maxLength: 63
  2110. minLength: 1
  2111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2112. type: string
  2113. type: array
  2114. type: object
  2115. type: array
  2116. controller:
  2117. description: |-
  2118. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2119. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2120. type: string
  2121. provider:
  2122. description: Used to configure the provider. Only one provider may be set
  2123. maxProperties: 1
  2124. minProperties: 1
  2125. properties:
  2126. akeyless:
  2127. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2128. properties:
  2129. akeylessGWApiURL:
  2130. description: Akeyless GW API Url from which the secrets to be fetched from.
  2131. type: string
  2132. authSecretRef:
  2133. description: Auth configures how the operator authenticates with Akeyless.
  2134. properties:
  2135. kubernetesAuth:
  2136. description: |-
  2137. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2138. token stored in the named Secret resource.
  2139. properties:
  2140. accessID:
  2141. description: the Akeyless Kubernetes auth-method access-id
  2142. type: string
  2143. k8sConfName:
  2144. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2145. type: string
  2146. secretRef:
  2147. description: |-
  2148. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2149. for authenticating with Akeyless. If a name is specified without a key,
  2150. `token` is the default. If one is not specified, the one bound to
  2151. the controller will be used.
  2152. properties:
  2153. key:
  2154. description: |-
  2155. A key in the referenced Secret.
  2156. Some instances of this field may be defaulted, in others it may be required.
  2157. maxLength: 253
  2158. minLength: 1
  2159. pattern: ^[-._a-zA-Z0-9]+$
  2160. type: string
  2161. name:
  2162. description: The name of the Secret resource being referred to.
  2163. maxLength: 253
  2164. minLength: 1
  2165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2166. type: string
  2167. namespace:
  2168. description: |-
  2169. The namespace of the Secret resource being referred to.
  2170. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2171. maxLength: 63
  2172. minLength: 1
  2173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2174. type: string
  2175. type: object
  2176. serviceAccountRef:
  2177. description: |-
  2178. Optional service account field containing the name of a kubernetes ServiceAccount.
  2179. If the service account is specified, the service account secret token JWT will be used
  2180. for authenticating with Akeyless. If the service account selector is not supplied,
  2181. the secretRef will be used instead.
  2182. properties:
  2183. audiences:
  2184. description: |-
  2185. Audience specifies the `aud` claim for the service account token
  2186. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2187. then this audiences will be appended to the list
  2188. items:
  2189. type: string
  2190. type: array
  2191. name:
  2192. description: The name of the ServiceAccount resource being referred to.
  2193. maxLength: 253
  2194. minLength: 1
  2195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2196. type: string
  2197. namespace:
  2198. description: |-
  2199. Namespace of the resource being referred to.
  2200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2201. maxLength: 63
  2202. minLength: 1
  2203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2204. type: string
  2205. required:
  2206. - name
  2207. type: object
  2208. required:
  2209. - accessID
  2210. - k8sConfName
  2211. type: object
  2212. secretRef:
  2213. description: |-
  2214. Reference to a Secret that contains the details
  2215. to authenticate with Akeyless.
  2216. properties:
  2217. accessID:
  2218. description: The SecretAccessID is used for authentication
  2219. properties:
  2220. key:
  2221. description: |-
  2222. A key in the referenced Secret.
  2223. Some instances of this field may be defaulted, in others it may be required.
  2224. maxLength: 253
  2225. minLength: 1
  2226. pattern: ^[-._a-zA-Z0-9]+$
  2227. type: string
  2228. name:
  2229. description: The name of the Secret resource being referred to.
  2230. maxLength: 253
  2231. minLength: 1
  2232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2233. type: string
  2234. namespace:
  2235. description: |-
  2236. The namespace of the Secret resource being referred to.
  2237. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2238. maxLength: 63
  2239. minLength: 1
  2240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2241. type: string
  2242. type: object
  2243. accessType:
  2244. description: |-
  2245. A reference to a specific 'key' within a Secret resource.
  2246. In some instances, `key` is a required field.
  2247. properties:
  2248. key:
  2249. description: |-
  2250. A key in the referenced Secret.
  2251. Some instances of this field may be defaulted, in others it may be required.
  2252. maxLength: 253
  2253. minLength: 1
  2254. pattern: ^[-._a-zA-Z0-9]+$
  2255. type: string
  2256. name:
  2257. description: The name of the Secret resource being referred to.
  2258. maxLength: 253
  2259. minLength: 1
  2260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2261. type: string
  2262. namespace:
  2263. description: |-
  2264. The namespace of the Secret resource being referred to.
  2265. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2266. maxLength: 63
  2267. minLength: 1
  2268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2269. type: string
  2270. type: object
  2271. accessTypeParam:
  2272. description: |-
  2273. A reference to a specific 'key' within a Secret resource.
  2274. In some instances, `key` is a required field.
  2275. properties:
  2276. key:
  2277. description: |-
  2278. A key in the referenced Secret.
  2279. Some instances of this field may be defaulted, in others it may be required.
  2280. maxLength: 253
  2281. minLength: 1
  2282. pattern: ^[-._a-zA-Z0-9]+$
  2283. type: string
  2284. name:
  2285. description: The name of the Secret resource being referred to.
  2286. maxLength: 253
  2287. minLength: 1
  2288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2289. type: string
  2290. namespace:
  2291. description: |-
  2292. The namespace of the Secret resource being referred to.
  2293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2294. maxLength: 63
  2295. minLength: 1
  2296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2297. type: string
  2298. type: object
  2299. type: object
  2300. type: object
  2301. caBundle:
  2302. description: |-
  2303. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2304. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2305. are used to validate the TLS connection.
  2306. format: byte
  2307. type: string
  2308. caProvider:
  2309. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2310. properties:
  2311. key:
  2312. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2313. maxLength: 253
  2314. minLength: 1
  2315. pattern: ^[-._a-zA-Z0-9]+$
  2316. type: string
  2317. name:
  2318. description: The name of the object located at the provider type.
  2319. maxLength: 253
  2320. minLength: 1
  2321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2322. type: string
  2323. namespace:
  2324. description: |-
  2325. The namespace the Provider type is in.
  2326. Can only be defined when used in a ClusterSecretStore.
  2327. maxLength: 63
  2328. minLength: 1
  2329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2330. type: string
  2331. type:
  2332. description: The type of provider to use such as "Secret", or "ConfigMap".
  2333. enum:
  2334. - Secret
  2335. - ConfigMap
  2336. type: string
  2337. required:
  2338. - name
  2339. - type
  2340. type: object
  2341. required:
  2342. - akeylessGWApiURL
  2343. - authSecretRef
  2344. type: object
  2345. alibaba:
  2346. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  2347. properties:
  2348. auth:
  2349. description: AlibabaAuth contains a secretRef for credentials.
  2350. properties:
  2351. rrsa:
  2352. description: Authenticate against Alibaba using RRSA.
  2353. properties:
  2354. oidcProviderArn:
  2355. type: string
  2356. oidcTokenFilePath:
  2357. type: string
  2358. roleArn:
  2359. type: string
  2360. sessionName:
  2361. type: string
  2362. required:
  2363. - oidcProviderArn
  2364. - oidcTokenFilePath
  2365. - roleArn
  2366. - sessionName
  2367. type: object
  2368. secretRef:
  2369. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  2370. properties:
  2371. accessKeyIDSecretRef:
  2372. description: The AccessKeyID is used for authentication
  2373. properties:
  2374. key:
  2375. description: |-
  2376. A key in the referenced Secret.
  2377. Some instances of this field may be defaulted, in others it may be required.
  2378. maxLength: 253
  2379. minLength: 1
  2380. pattern: ^[-._a-zA-Z0-9]+$
  2381. type: string
  2382. name:
  2383. description: The name of the Secret resource being referred to.
  2384. maxLength: 253
  2385. minLength: 1
  2386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2387. type: string
  2388. namespace:
  2389. description: |-
  2390. The namespace of the Secret resource being referred to.
  2391. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2392. maxLength: 63
  2393. minLength: 1
  2394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2395. type: string
  2396. type: object
  2397. accessKeySecretSecretRef:
  2398. description: The AccessKeySecret is used for authentication
  2399. properties:
  2400. key:
  2401. description: |-
  2402. A key in the referenced Secret.
  2403. Some instances of this field may be defaulted, in others it may be required.
  2404. maxLength: 253
  2405. minLength: 1
  2406. pattern: ^[-._a-zA-Z0-9]+$
  2407. type: string
  2408. name:
  2409. description: The name of the Secret resource being referred to.
  2410. maxLength: 253
  2411. minLength: 1
  2412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2413. type: string
  2414. namespace:
  2415. description: |-
  2416. The namespace of the Secret resource being referred to.
  2417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2418. maxLength: 63
  2419. minLength: 1
  2420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2421. type: string
  2422. type: object
  2423. required:
  2424. - accessKeyIDSecretRef
  2425. - accessKeySecretSecretRef
  2426. type: object
  2427. type: object
  2428. regionID:
  2429. description: Alibaba Region to be used for the provider
  2430. type: string
  2431. required:
  2432. - auth
  2433. - regionID
  2434. type: object
  2435. aws:
  2436. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2437. properties:
  2438. additionalRoles:
  2439. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2440. items:
  2441. type: string
  2442. type: array
  2443. auth:
  2444. description: |-
  2445. Auth defines the information necessary to authenticate against AWS
  2446. if not set aws sdk will infer credentials from your environment
  2447. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2448. properties:
  2449. jwt:
  2450. description: Authenticate against AWS using service account tokens.
  2451. properties:
  2452. serviceAccountRef:
  2453. description: A reference to a ServiceAccount resource.
  2454. properties:
  2455. audiences:
  2456. description: |-
  2457. Audience specifies the `aud` claim for the service account token
  2458. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2459. then this audiences will be appended to the list
  2460. items:
  2461. type: string
  2462. type: array
  2463. name:
  2464. description: The name of the ServiceAccount resource being referred to.
  2465. maxLength: 253
  2466. minLength: 1
  2467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2468. type: string
  2469. namespace:
  2470. description: |-
  2471. Namespace of the resource being referred to.
  2472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2473. maxLength: 63
  2474. minLength: 1
  2475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2476. type: string
  2477. required:
  2478. - name
  2479. type: object
  2480. type: object
  2481. secretRef:
  2482. description: |-
  2483. AWSAuthSecretRef holds secret references for AWS credentials
  2484. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2485. properties:
  2486. accessKeyIDSecretRef:
  2487. description: The AccessKeyID is used for authentication
  2488. properties:
  2489. key:
  2490. description: |-
  2491. A key in the referenced Secret.
  2492. Some instances of this field may be defaulted, in others it may be required.
  2493. maxLength: 253
  2494. minLength: 1
  2495. pattern: ^[-._a-zA-Z0-9]+$
  2496. type: string
  2497. name:
  2498. description: The name of the Secret resource being referred to.
  2499. maxLength: 253
  2500. minLength: 1
  2501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2502. type: string
  2503. namespace:
  2504. description: |-
  2505. The namespace of the Secret resource being referred to.
  2506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2507. maxLength: 63
  2508. minLength: 1
  2509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2510. type: string
  2511. type: object
  2512. secretAccessKeySecretRef:
  2513. description: The SecretAccessKey is used for authentication
  2514. properties:
  2515. key:
  2516. description: |-
  2517. A key in the referenced Secret.
  2518. Some instances of this field may be defaulted, in others it may be required.
  2519. maxLength: 253
  2520. minLength: 1
  2521. pattern: ^[-._a-zA-Z0-9]+$
  2522. type: string
  2523. name:
  2524. description: The name of the Secret resource being referred to.
  2525. maxLength: 253
  2526. minLength: 1
  2527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2528. type: string
  2529. namespace:
  2530. description: |-
  2531. The namespace of the Secret resource being referred to.
  2532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2533. maxLength: 63
  2534. minLength: 1
  2535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2536. type: string
  2537. type: object
  2538. sessionTokenSecretRef:
  2539. description: |-
  2540. The SessionToken used for authentication
  2541. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2542. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2543. properties:
  2544. key:
  2545. description: |-
  2546. A key in the referenced Secret.
  2547. Some instances of this field may be defaulted, in others it may be required.
  2548. maxLength: 253
  2549. minLength: 1
  2550. pattern: ^[-._a-zA-Z0-9]+$
  2551. type: string
  2552. name:
  2553. description: The name of the Secret resource being referred to.
  2554. maxLength: 253
  2555. minLength: 1
  2556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2557. type: string
  2558. namespace:
  2559. description: |-
  2560. The namespace of the Secret resource being referred to.
  2561. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2562. maxLength: 63
  2563. minLength: 1
  2564. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2565. type: string
  2566. type: object
  2567. type: object
  2568. type: object
  2569. externalID:
  2570. description: AWS External ID set on assumed IAM roles
  2571. type: string
  2572. prefix:
  2573. description: Prefix adds a prefix to all retrieved values.
  2574. type: string
  2575. region:
  2576. description: AWS Region to be used for the provider
  2577. type: string
  2578. role:
  2579. description: Role is a Role ARN which the provider will assume
  2580. type: string
  2581. secretsManager:
  2582. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2583. properties:
  2584. forceDeleteWithoutRecovery:
  2585. description: |-
  2586. Specifies whether to delete the secret without any recovery window. You
  2587. can't use both this parameter and RecoveryWindowInDays in the same call.
  2588. If you don't use either, then by default Secrets Manager uses a 30 day
  2589. recovery window.
  2590. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2591. type: boolean
  2592. recoveryWindowInDays:
  2593. description: |-
  2594. The number of days from 7 to 30 that Secrets Manager waits before
  2595. permanently deleting the secret. You can't use both this parameter and
  2596. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2597. then by default Secrets Manager uses a 30 day recovery window.
  2598. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2599. format: int64
  2600. type: integer
  2601. type: object
  2602. service:
  2603. description: Service defines which service should be used to fetch the secrets
  2604. enum:
  2605. - SecretsManager
  2606. - ParameterStore
  2607. type: string
  2608. sessionTags:
  2609. description: AWS STS assume role session tags
  2610. items:
  2611. properties:
  2612. key:
  2613. type: string
  2614. value:
  2615. type: string
  2616. required:
  2617. - key
  2618. - value
  2619. type: object
  2620. type: array
  2621. transitiveTagKeys:
  2622. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2623. items:
  2624. type: string
  2625. type: array
  2626. required:
  2627. - region
  2628. - service
  2629. type: object
  2630. azurekv:
  2631. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2632. properties:
  2633. authSecretRef:
  2634. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2635. properties:
  2636. clientCertificate:
  2637. description: The Azure ClientCertificate of the service principle used for authentication.
  2638. properties:
  2639. key:
  2640. description: |-
  2641. A key in the referenced Secret.
  2642. Some instances of this field may be defaulted, in others it may be required.
  2643. maxLength: 253
  2644. minLength: 1
  2645. pattern: ^[-._a-zA-Z0-9]+$
  2646. type: string
  2647. name:
  2648. description: The name of the Secret resource being referred to.
  2649. maxLength: 253
  2650. minLength: 1
  2651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2652. type: string
  2653. namespace:
  2654. description: |-
  2655. The namespace of the Secret resource being referred to.
  2656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2657. maxLength: 63
  2658. minLength: 1
  2659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2660. type: string
  2661. type: object
  2662. clientId:
  2663. description: The Azure clientId of the service principle or managed identity used for authentication.
  2664. properties:
  2665. key:
  2666. description: |-
  2667. A key in the referenced Secret.
  2668. Some instances of this field may be defaulted, in others it may be required.
  2669. maxLength: 253
  2670. minLength: 1
  2671. pattern: ^[-._a-zA-Z0-9]+$
  2672. type: string
  2673. name:
  2674. description: The name of the Secret resource being referred to.
  2675. maxLength: 253
  2676. minLength: 1
  2677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2678. type: string
  2679. namespace:
  2680. description: |-
  2681. The namespace of the Secret resource being referred to.
  2682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2683. maxLength: 63
  2684. minLength: 1
  2685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2686. type: string
  2687. type: object
  2688. clientSecret:
  2689. description: The Azure ClientSecret of the service principle used for authentication.
  2690. properties:
  2691. key:
  2692. description: |-
  2693. A key in the referenced Secret.
  2694. Some instances of this field may be defaulted, in others it may be required.
  2695. maxLength: 253
  2696. minLength: 1
  2697. pattern: ^[-._a-zA-Z0-9]+$
  2698. type: string
  2699. name:
  2700. description: The name of the Secret resource being referred to.
  2701. maxLength: 253
  2702. minLength: 1
  2703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2704. type: string
  2705. namespace:
  2706. description: |-
  2707. The namespace of the Secret resource being referred to.
  2708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2709. maxLength: 63
  2710. minLength: 1
  2711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2712. type: string
  2713. type: object
  2714. tenantId:
  2715. description: The Azure tenantId of the managed identity used for authentication.
  2716. properties:
  2717. key:
  2718. description: |-
  2719. A key in the referenced Secret.
  2720. Some instances of this field may be defaulted, in others it may be required.
  2721. maxLength: 253
  2722. minLength: 1
  2723. pattern: ^[-._a-zA-Z0-9]+$
  2724. type: string
  2725. name:
  2726. description: The name of the Secret resource being referred to.
  2727. maxLength: 253
  2728. minLength: 1
  2729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2730. type: string
  2731. namespace:
  2732. description: |-
  2733. The namespace of the Secret resource being referred to.
  2734. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2735. maxLength: 63
  2736. minLength: 1
  2737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2738. type: string
  2739. type: object
  2740. type: object
  2741. authType:
  2742. default: ServicePrincipal
  2743. description: |-
  2744. Auth type defines how to authenticate to the keyvault service.
  2745. Valid values are:
  2746. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2747. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2748. enum:
  2749. - ServicePrincipal
  2750. - ManagedIdentity
  2751. - WorkloadIdentity
  2752. type: string
  2753. environmentType:
  2754. default: PublicCloud
  2755. description: |-
  2756. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2757. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2758. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2759. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  2760. enum:
  2761. - PublicCloud
  2762. - USGovernmentCloud
  2763. - ChinaCloud
  2764. - GermanCloud
  2765. type: string
  2766. identityId:
  2767. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2768. type: string
  2769. serviceAccountRef:
  2770. description: |-
  2771. ServiceAccountRef specified the service account
  2772. that should be used when authenticating with WorkloadIdentity.
  2773. properties:
  2774. audiences:
  2775. description: |-
  2776. Audience specifies the `aud` claim for the service account token
  2777. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2778. then this audiences will be appended to the list
  2779. items:
  2780. type: string
  2781. type: array
  2782. name:
  2783. description: The name of the ServiceAccount resource being referred to.
  2784. maxLength: 253
  2785. minLength: 1
  2786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2787. type: string
  2788. namespace:
  2789. description: |-
  2790. Namespace of the resource being referred to.
  2791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2792. maxLength: 63
  2793. minLength: 1
  2794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2795. type: string
  2796. required:
  2797. - name
  2798. type: object
  2799. tenantId:
  2800. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2801. type: string
  2802. vaultUrl:
  2803. description: Vault Url from which the secrets to be fetched from.
  2804. type: string
  2805. required:
  2806. - vaultUrl
  2807. type: object
  2808. beyondtrust:
  2809. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  2810. properties:
  2811. auth:
  2812. description: Auth configures how the operator authenticates with Beyondtrust.
  2813. properties:
  2814. apiKey:
  2815. description: APIKey If not provided then ClientID/ClientSecret become required.
  2816. properties:
  2817. secretRef:
  2818. description: SecretRef references a key in a secret that will be used as value.
  2819. properties:
  2820. key:
  2821. description: |-
  2822. A key in the referenced Secret.
  2823. Some instances of this field may be defaulted, in others it may be required.
  2824. maxLength: 253
  2825. minLength: 1
  2826. pattern: ^[-._a-zA-Z0-9]+$
  2827. type: string
  2828. name:
  2829. description: The name of the Secret resource being referred to.
  2830. maxLength: 253
  2831. minLength: 1
  2832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2833. type: string
  2834. namespace:
  2835. description: |-
  2836. The namespace of the Secret resource being referred to.
  2837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2838. maxLength: 63
  2839. minLength: 1
  2840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2841. type: string
  2842. type: object
  2843. value:
  2844. description: Value can be specified directly to set a value without using a secret.
  2845. type: string
  2846. type: object
  2847. certificate:
  2848. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  2849. properties:
  2850. secretRef:
  2851. description: SecretRef references a key in a secret that will be used as value.
  2852. properties:
  2853. key:
  2854. description: |-
  2855. A key in the referenced Secret.
  2856. Some instances of this field may be defaulted, in others it may be required.
  2857. maxLength: 253
  2858. minLength: 1
  2859. pattern: ^[-._a-zA-Z0-9]+$
  2860. type: string
  2861. name:
  2862. description: The name of the Secret resource being referred to.
  2863. maxLength: 253
  2864. minLength: 1
  2865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2866. type: string
  2867. namespace:
  2868. description: |-
  2869. The namespace of the Secret resource being referred to.
  2870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2871. maxLength: 63
  2872. minLength: 1
  2873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2874. type: string
  2875. type: object
  2876. value:
  2877. description: Value can be specified directly to set a value without using a secret.
  2878. type: string
  2879. type: object
  2880. certificateKey:
  2881. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  2882. properties:
  2883. secretRef:
  2884. description: SecretRef references a key in a secret that will be used as value.
  2885. properties:
  2886. key:
  2887. description: |-
  2888. A key in the referenced Secret.
  2889. Some instances of this field may be defaulted, in others it may be required.
  2890. maxLength: 253
  2891. minLength: 1
  2892. pattern: ^[-._a-zA-Z0-9]+$
  2893. type: string
  2894. name:
  2895. description: The name of the Secret resource being referred to.
  2896. maxLength: 253
  2897. minLength: 1
  2898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2899. type: string
  2900. namespace:
  2901. description: |-
  2902. The namespace of the Secret resource being referred to.
  2903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2904. maxLength: 63
  2905. minLength: 1
  2906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2907. type: string
  2908. type: object
  2909. value:
  2910. description: Value can be specified directly to set a value without using a secret.
  2911. type: string
  2912. type: object
  2913. clientId:
  2914. description: ClientID is the API OAuth Client ID.
  2915. properties:
  2916. secretRef:
  2917. description: SecretRef references a key in a secret that will be used as value.
  2918. properties:
  2919. key:
  2920. description: |-
  2921. A key in the referenced Secret.
  2922. Some instances of this field may be defaulted, in others it may be required.
  2923. maxLength: 253
  2924. minLength: 1
  2925. pattern: ^[-._a-zA-Z0-9]+$
  2926. type: string
  2927. name:
  2928. description: The name of the Secret resource being referred to.
  2929. maxLength: 253
  2930. minLength: 1
  2931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2932. type: string
  2933. namespace:
  2934. description: |-
  2935. The namespace of the Secret resource being referred to.
  2936. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2937. maxLength: 63
  2938. minLength: 1
  2939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2940. type: string
  2941. type: object
  2942. value:
  2943. description: Value can be specified directly to set a value without using a secret.
  2944. type: string
  2945. type: object
  2946. clientSecret:
  2947. description: ClientSecret is the API OAuth Client Secret.
  2948. properties:
  2949. secretRef:
  2950. description: SecretRef references a key in a secret that will be used as value.
  2951. properties:
  2952. key:
  2953. description: |-
  2954. A key in the referenced Secret.
  2955. Some instances of this field may be defaulted, in others it may be required.
  2956. maxLength: 253
  2957. minLength: 1
  2958. pattern: ^[-._a-zA-Z0-9]+$
  2959. type: string
  2960. name:
  2961. description: The name of the Secret resource being referred to.
  2962. maxLength: 253
  2963. minLength: 1
  2964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2965. type: string
  2966. namespace:
  2967. description: |-
  2968. The namespace of the Secret resource being referred to.
  2969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2970. maxLength: 63
  2971. minLength: 1
  2972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2973. type: string
  2974. type: object
  2975. value:
  2976. description: Value can be specified directly to set a value without using a secret.
  2977. type: string
  2978. type: object
  2979. type: object
  2980. server:
  2981. description: Auth configures how API server works.
  2982. properties:
  2983. apiUrl:
  2984. type: string
  2985. apiVersion:
  2986. type: string
  2987. clientTimeOutSeconds:
  2988. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  2989. type: integer
  2990. retrievalType:
  2991. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  2992. type: string
  2993. separator:
  2994. description: A character that separates the folder names.
  2995. type: string
  2996. verifyCA:
  2997. type: boolean
  2998. required:
  2999. - apiUrl
  3000. - verifyCA
  3001. type: object
  3002. required:
  3003. - auth
  3004. - server
  3005. type: object
  3006. bitwardensecretsmanager:
  3007. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3008. properties:
  3009. apiURL:
  3010. type: string
  3011. auth:
  3012. description: |-
  3013. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3014. Make sure that the token being used has permissions on the given secret.
  3015. properties:
  3016. secretRef:
  3017. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3018. properties:
  3019. credentials:
  3020. description: AccessToken used for the bitwarden instance.
  3021. properties:
  3022. key:
  3023. description: |-
  3024. A key in the referenced Secret.
  3025. Some instances of this field may be defaulted, in others it may be required.
  3026. maxLength: 253
  3027. minLength: 1
  3028. pattern: ^[-._a-zA-Z0-9]+$
  3029. type: string
  3030. name:
  3031. description: The name of the Secret resource being referred to.
  3032. maxLength: 253
  3033. minLength: 1
  3034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3035. type: string
  3036. namespace:
  3037. description: |-
  3038. The namespace of the Secret resource being referred to.
  3039. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3040. maxLength: 63
  3041. minLength: 1
  3042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3043. type: string
  3044. type: object
  3045. required:
  3046. - credentials
  3047. type: object
  3048. required:
  3049. - secretRef
  3050. type: object
  3051. bitwardenServerSDKURL:
  3052. type: string
  3053. caBundle:
  3054. description: |-
  3055. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3056. can be performed.
  3057. type: string
  3058. caProvider:
  3059. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3060. properties:
  3061. key:
  3062. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3063. maxLength: 253
  3064. minLength: 1
  3065. pattern: ^[-._a-zA-Z0-9]+$
  3066. type: string
  3067. name:
  3068. description: The name of the object located at the provider type.
  3069. maxLength: 253
  3070. minLength: 1
  3071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3072. type: string
  3073. namespace:
  3074. description: |-
  3075. The namespace the Provider type is in.
  3076. Can only be defined when used in a ClusterSecretStore.
  3077. maxLength: 63
  3078. minLength: 1
  3079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3080. type: string
  3081. type:
  3082. description: The type of provider to use such as "Secret", or "ConfigMap".
  3083. enum:
  3084. - Secret
  3085. - ConfigMap
  3086. type: string
  3087. required:
  3088. - name
  3089. - type
  3090. type: object
  3091. identityURL:
  3092. type: string
  3093. organizationID:
  3094. description: OrganizationID determines which organization this secret store manages.
  3095. type: string
  3096. projectID:
  3097. description: ProjectID determines which project this secret store manages.
  3098. type: string
  3099. required:
  3100. - auth
  3101. - organizationID
  3102. - projectID
  3103. type: object
  3104. chef:
  3105. description: Chef configures this store to sync secrets with chef server
  3106. properties:
  3107. auth:
  3108. description: Auth defines the information necessary to authenticate against chef Server
  3109. properties:
  3110. secretRef:
  3111. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3112. properties:
  3113. privateKeySecretRef:
  3114. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3115. properties:
  3116. key:
  3117. description: |-
  3118. A key in the referenced Secret.
  3119. Some instances of this field may be defaulted, in others it may be required.
  3120. maxLength: 253
  3121. minLength: 1
  3122. pattern: ^[-._a-zA-Z0-9]+$
  3123. type: string
  3124. name:
  3125. description: The name of the Secret resource being referred to.
  3126. maxLength: 253
  3127. minLength: 1
  3128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3129. type: string
  3130. namespace:
  3131. description: |-
  3132. The namespace of the Secret resource being referred to.
  3133. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3134. maxLength: 63
  3135. minLength: 1
  3136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3137. type: string
  3138. type: object
  3139. required:
  3140. - privateKeySecretRef
  3141. type: object
  3142. required:
  3143. - secretRef
  3144. type: object
  3145. serverUrl:
  3146. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3147. type: string
  3148. username:
  3149. description: UserName should be the user ID on the chef server
  3150. type: string
  3151. required:
  3152. - auth
  3153. - serverUrl
  3154. - username
  3155. type: object
  3156. cloudrusm:
  3157. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3158. properties:
  3159. auth:
  3160. description: CSMAuth contains a secretRef for credentials.
  3161. properties:
  3162. secretRef:
  3163. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3164. properties:
  3165. accessKeyIDSecretRef:
  3166. description: The AccessKeyID is used for authentication
  3167. properties:
  3168. key:
  3169. description: |-
  3170. A key in the referenced Secret.
  3171. Some instances of this field may be defaulted, in others it may be required.
  3172. maxLength: 253
  3173. minLength: 1
  3174. pattern: ^[-._a-zA-Z0-9]+$
  3175. type: string
  3176. name:
  3177. description: The name of the Secret resource being referred to.
  3178. maxLength: 253
  3179. minLength: 1
  3180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3181. type: string
  3182. namespace:
  3183. description: |-
  3184. The namespace of the Secret resource being referred to.
  3185. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3186. maxLength: 63
  3187. minLength: 1
  3188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3189. type: string
  3190. type: object
  3191. accessKeySecretSecretRef:
  3192. description: The AccessKeySecret is used for authentication
  3193. properties:
  3194. key:
  3195. description: |-
  3196. A key in the referenced Secret.
  3197. Some instances of this field may be defaulted, in others it may be required.
  3198. maxLength: 253
  3199. minLength: 1
  3200. pattern: ^[-._a-zA-Z0-9]+$
  3201. type: string
  3202. name:
  3203. description: The name of the Secret resource being referred to.
  3204. maxLength: 253
  3205. minLength: 1
  3206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3207. type: string
  3208. namespace:
  3209. description: |-
  3210. The namespace of the Secret resource being referred to.
  3211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3212. maxLength: 63
  3213. minLength: 1
  3214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3215. type: string
  3216. type: object
  3217. required:
  3218. - accessKeyIDSecretRef
  3219. - accessKeySecretSecretRef
  3220. type: object
  3221. type: object
  3222. projectID:
  3223. description: ProjectID is the project, which the secrets are stored in.
  3224. type: string
  3225. required:
  3226. - auth
  3227. type: object
  3228. conjur:
  3229. description: Conjur configures this store to sync secrets using conjur provider
  3230. properties:
  3231. auth:
  3232. description: Defines authentication settings for connecting to Conjur.
  3233. properties:
  3234. apikey:
  3235. description: Authenticates with Conjur using an API key.
  3236. properties:
  3237. account:
  3238. description: Account is the Conjur organization account name.
  3239. type: string
  3240. apiKeyRef:
  3241. description: |-
  3242. A reference to a specific 'key' containing the Conjur API key
  3243. within a Secret resource. In some instances, `key` is a required field.
  3244. properties:
  3245. key:
  3246. description: |-
  3247. A key in the referenced Secret.
  3248. Some instances of this field may be defaulted, in others it may be required.
  3249. maxLength: 253
  3250. minLength: 1
  3251. pattern: ^[-._a-zA-Z0-9]+$
  3252. type: string
  3253. name:
  3254. description: The name of the Secret resource being referred to.
  3255. maxLength: 253
  3256. minLength: 1
  3257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3258. type: string
  3259. namespace:
  3260. description: |-
  3261. The namespace of the Secret resource being referred to.
  3262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3263. maxLength: 63
  3264. minLength: 1
  3265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3266. type: string
  3267. type: object
  3268. userRef:
  3269. description: |-
  3270. A reference to a specific 'key' containing the Conjur username
  3271. within a Secret resource. In some instances, `key` is a required field.
  3272. properties:
  3273. key:
  3274. description: |-
  3275. A key in the referenced Secret.
  3276. Some instances of this field may be defaulted, in others it may be required.
  3277. maxLength: 253
  3278. minLength: 1
  3279. pattern: ^[-._a-zA-Z0-9]+$
  3280. type: string
  3281. name:
  3282. description: The name of the Secret resource being referred to.
  3283. maxLength: 253
  3284. minLength: 1
  3285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3286. type: string
  3287. namespace:
  3288. description: |-
  3289. The namespace of the Secret resource being referred to.
  3290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3291. maxLength: 63
  3292. minLength: 1
  3293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3294. type: string
  3295. type: object
  3296. required:
  3297. - account
  3298. - apiKeyRef
  3299. - userRef
  3300. type: object
  3301. jwt:
  3302. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3303. properties:
  3304. account:
  3305. description: Account is the Conjur organization account name.
  3306. type: string
  3307. hostId:
  3308. description: |-
  3309. Optional HostID for JWT authentication. This may be used depending
  3310. on how the Conjur JWT authenticator policy is configured.
  3311. type: string
  3312. secretRef:
  3313. description: |-
  3314. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3315. authenticate with Conjur using the JWT authentication method.
  3316. properties:
  3317. key:
  3318. description: |-
  3319. A key in the referenced Secret.
  3320. Some instances of this field may be defaulted, in others it may be required.
  3321. maxLength: 253
  3322. minLength: 1
  3323. pattern: ^[-._a-zA-Z0-9]+$
  3324. type: string
  3325. name:
  3326. description: The name of the Secret resource being referred to.
  3327. maxLength: 253
  3328. minLength: 1
  3329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3330. type: string
  3331. namespace:
  3332. description: |-
  3333. The namespace of the Secret resource being referred to.
  3334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3335. maxLength: 63
  3336. minLength: 1
  3337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3338. type: string
  3339. type: object
  3340. serviceAccountRef:
  3341. description: |-
  3342. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3343. a token for with the `TokenRequest` API.
  3344. properties:
  3345. audiences:
  3346. description: |-
  3347. Audience specifies the `aud` claim for the service account token
  3348. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3349. then this audiences will be appended to the list
  3350. items:
  3351. type: string
  3352. type: array
  3353. name:
  3354. description: The name of the ServiceAccount resource being referred to.
  3355. maxLength: 253
  3356. minLength: 1
  3357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3358. type: string
  3359. namespace:
  3360. description: |-
  3361. Namespace of the resource being referred to.
  3362. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3363. maxLength: 63
  3364. minLength: 1
  3365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3366. type: string
  3367. required:
  3368. - name
  3369. type: object
  3370. serviceID:
  3371. description: The conjur authn jwt webservice id
  3372. type: string
  3373. required:
  3374. - account
  3375. - serviceID
  3376. type: object
  3377. type: object
  3378. caBundle:
  3379. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3380. type: string
  3381. caProvider:
  3382. description: |-
  3383. Used to provide custom certificate authority (CA) certificates
  3384. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3385. that contains a PEM-encoded certificate.
  3386. properties:
  3387. key:
  3388. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3389. maxLength: 253
  3390. minLength: 1
  3391. pattern: ^[-._a-zA-Z0-9]+$
  3392. type: string
  3393. name:
  3394. description: The name of the object located at the provider type.
  3395. maxLength: 253
  3396. minLength: 1
  3397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3398. type: string
  3399. namespace:
  3400. description: |-
  3401. The namespace the Provider type is in.
  3402. Can only be defined when used in a ClusterSecretStore.
  3403. maxLength: 63
  3404. minLength: 1
  3405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3406. type: string
  3407. type:
  3408. description: The type of provider to use such as "Secret", or "ConfigMap".
  3409. enum:
  3410. - Secret
  3411. - ConfigMap
  3412. type: string
  3413. required:
  3414. - name
  3415. - type
  3416. type: object
  3417. url:
  3418. description: URL is the endpoint of the Conjur instance.
  3419. type: string
  3420. required:
  3421. - auth
  3422. - url
  3423. type: object
  3424. delinea:
  3425. description: |-
  3426. Delinea DevOps Secrets Vault
  3427. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3428. properties:
  3429. clientId:
  3430. description: ClientID is the non-secret part of the credential.
  3431. properties:
  3432. secretRef:
  3433. description: SecretRef references a key in a secret that will be used as value.
  3434. properties:
  3435. key:
  3436. description: |-
  3437. A key in the referenced Secret.
  3438. Some instances of this field may be defaulted, in others it may be required.
  3439. maxLength: 253
  3440. minLength: 1
  3441. pattern: ^[-._a-zA-Z0-9]+$
  3442. type: string
  3443. name:
  3444. description: The name of the Secret resource being referred to.
  3445. maxLength: 253
  3446. minLength: 1
  3447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3448. type: string
  3449. namespace:
  3450. description: |-
  3451. The namespace of the Secret resource being referred to.
  3452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3453. maxLength: 63
  3454. minLength: 1
  3455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3456. type: string
  3457. type: object
  3458. value:
  3459. description: Value can be specified directly to set a value without using a secret.
  3460. type: string
  3461. type: object
  3462. clientSecret:
  3463. description: ClientSecret is the secret part of the credential.
  3464. properties:
  3465. secretRef:
  3466. description: SecretRef references a key in a secret that will be used as value.
  3467. properties:
  3468. key:
  3469. description: |-
  3470. A key in the referenced Secret.
  3471. Some instances of this field may be defaulted, in others it may be required.
  3472. maxLength: 253
  3473. minLength: 1
  3474. pattern: ^[-._a-zA-Z0-9]+$
  3475. type: string
  3476. name:
  3477. description: The name of the Secret resource being referred to.
  3478. maxLength: 253
  3479. minLength: 1
  3480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3481. type: string
  3482. namespace:
  3483. description: |-
  3484. The namespace of the Secret resource being referred to.
  3485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3486. maxLength: 63
  3487. minLength: 1
  3488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3489. type: string
  3490. type: object
  3491. value:
  3492. description: Value can be specified directly to set a value without using a secret.
  3493. type: string
  3494. type: object
  3495. tenant:
  3496. description: Tenant is the chosen hostname / site name.
  3497. type: string
  3498. tld:
  3499. description: |-
  3500. TLD is based on the server location that was chosen during provisioning.
  3501. If unset, defaults to "com".
  3502. type: string
  3503. urlTemplate:
  3504. description: |-
  3505. URLTemplate
  3506. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3507. type: string
  3508. required:
  3509. - clientId
  3510. - clientSecret
  3511. - tenant
  3512. type: object
  3513. device42:
  3514. description: Device42 configures this store to sync secrets using the Device42 provider
  3515. properties:
  3516. auth:
  3517. description: Auth configures how secret-manager authenticates with a Device42 instance.
  3518. properties:
  3519. secretRef:
  3520. properties:
  3521. credentials:
  3522. description: Username / Password is used for authentication.
  3523. properties:
  3524. key:
  3525. description: |-
  3526. A key in the referenced Secret.
  3527. Some instances of this field may be defaulted, in others it may be required.
  3528. maxLength: 253
  3529. minLength: 1
  3530. pattern: ^[-._a-zA-Z0-9]+$
  3531. type: string
  3532. name:
  3533. description: The name of the Secret resource being referred to.
  3534. maxLength: 253
  3535. minLength: 1
  3536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3537. type: string
  3538. namespace:
  3539. description: |-
  3540. The namespace of the Secret resource being referred to.
  3541. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3542. maxLength: 63
  3543. minLength: 1
  3544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3545. type: string
  3546. type: object
  3547. type: object
  3548. required:
  3549. - secretRef
  3550. type: object
  3551. host:
  3552. description: URL configures the Device42 instance URL.
  3553. type: string
  3554. required:
  3555. - auth
  3556. - host
  3557. type: object
  3558. doppler:
  3559. description: Doppler configures this store to sync secrets using the Doppler provider
  3560. properties:
  3561. auth:
  3562. description: Auth configures how the Operator authenticates with the Doppler API
  3563. properties:
  3564. secretRef:
  3565. properties:
  3566. dopplerToken:
  3567. description: |-
  3568. The DopplerToken is used for authentication.
  3569. See https://docs.doppler.com/reference/api#authentication for auth token types.
  3570. The Key attribute defaults to dopplerToken if not specified.
  3571. properties:
  3572. key:
  3573. description: |-
  3574. A key in the referenced Secret.
  3575. Some instances of this field may be defaulted, in others it may be required.
  3576. maxLength: 253
  3577. minLength: 1
  3578. pattern: ^[-._a-zA-Z0-9]+$
  3579. type: string
  3580. name:
  3581. description: The name of the Secret resource being referred to.
  3582. maxLength: 253
  3583. minLength: 1
  3584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3585. type: string
  3586. namespace:
  3587. description: |-
  3588. The namespace of the Secret resource being referred to.
  3589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3590. maxLength: 63
  3591. minLength: 1
  3592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3593. type: string
  3594. type: object
  3595. required:
  3596. - dopplerToken
  3597. type: object
  3598. required:
  3599. - secretRef
  3600. type: object
  3601. config:
  3602. description: Doppler config (required if not using a Service Token)
  3603. type: string
  3604. format:
  3605. description: Format enables the downloading of secrets as a file (string)
  3606. enum:
  3607. - json
  3608. - dotnet-json
  3609. - env
  3610. - yaml
  3611. - docker
  3612. type: string
  3613. nameTransformer:
  3614. description: Environment variable compatible name transforms that change secret names to a different format
  3615. enum:
  3616. - upper-camel
  3617. - camel
  3618. - lower-snake
  3619. - tf-var
  3620. - dotnet-env
  3621. - lower-kebab
  3622. type: string
  3623. project:
  3624. description: Doppler project (required if not using a Service Token)
  3625. type: string
  3626. required:
  3627. - auth
  3628. type: object
  3629. fake:
  3630. description: Fake configures a store with static key/value pairs
  3631. properties:
  3632. data:
  3633. items:
  3634. properties:
  3635. key:
  3636. type: string
  3637. value:
  3638. type: string
  3639. version:
  3640. type: string
  3641. required:
  3642. - key
  3643. - value
  3644. type: object
  3645. type: array
  3646. required:
  3647. - data
  3648. type: object
  3649. fortanix:
  3650. description: Fortanix configures this store to sync secrets using the Fortanix provider
  3651. properties:
  3652. apiKey:
  3653. description: APIKey is the API token to access SDKMS Applications.
  3654. properties:
  3655. secretRef:
  3656. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  3657. properties:
  3658. key:
  3659. description: |-
  3660. A key in the referenced Secret.
  3661. Some instances of this field may be defaulted, in others it may be required.
  3662. maxLength: 253
  3663. minLength: 1
  3664. pattern: ^[-._a-zA-Z0-9]+$
  3665. type: string
  3666. name:
  3667. description: The name of the Secret resource being referred to.
  3668. maxLength: 253
  3669. minLength: 1
  3670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3671. type: string
  3672. namespace:
  3673. description: |-
  3674. The namespace of the Secret resource being referred to.
  3675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3676. maxLength: 63
  3677. minLength: 1
  3678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3679. type: string
  3680. type: object
  3681. type: object
  3682. apiUrl:
  3683. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  3684. type: string
  3685. type: object
  3686. gcpsm:
  3687. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3688. properties:
  3689. auth:
  3690. description: Auth defines the information necessary to authenticate against GCP
  3691. properties:
  3692. secretRef:
  3693. properties:
  3694. secretAccessKeySecretRef:
  3695. description: The SecretAccessKey is used for authentication
  3696. properties:
  3697. key:
  3698. description: |-
  3699. A key in the referenced Secret.
  3700. Some instances of this field may be defaulted, in others it may be required.
  3701. maxLength: 253
  3702. minLength: 1
  3703. pattern: ^[-._a-zA-Z0-9]+$
  3704. type: string
  3705. name:
  3706. description: The name of the Secret resource being referred to.
  3707. maxLength: 253
  3708. minLength: 1
  3709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3710. type: string
  3711. namespace:
  3712. description: |-
  3713. The namespace of the Secret resource being referred to.
  3714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3715. maxLength: 63
  3716. minLength: 1
  3717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3718. type: string
  3719. type: object
  3720. type: object
  3721. workloadIdentity:
  3722. properties:
  3723. clusterLocation:
  3724. description: |-
  3725. ClusterLocation is the location of the cluster
  3726. If not specified, it fetches information from the metadata server
  3727. type: string
  3728. clusterName:
  3729. description: |-
  3730. ClusterName is the name of the cluster
  3731. If not specified, it fetches information from the metadata server
  3732. type: string
  3733. clusterProjectID:
  3734. description: |-
  3735. ClusterProjectID is the project ID of the cluster
  3736. If not specified, it fetches information from the metadata server
  3737. type: string
  3738. serviceAccountRef:
  3739. description: A reference to a ServiceAccount resource.
  3740. properties:
  3741. audiences:
  3742. description: |-
  3743. Audience specifies the `aud` claim for the service account token
  3744. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3745. then this audiences will be appended to the list
  3746. items:
  3747. type: string
  3748. type: array
  3749. name:
  3750. description: The name of the ServiceAccount resource being referred to.
  3751. maxLength: 253
  3752. minLength: 1
  3753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3754. type: string
  3755. namespace:
  3756. description: |-
  3757. Namespace of the resource being referred to.
  3758. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3759. maxLength: 63
  3760. minLength: 1
  3761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3762. type: string
  3763. required:
  3764. - name
  3765. type: object
  3766. required:
  3767. - serviceAccountRef
  3768. type: object
  3769. type: object
  3770. location:
  3771. description: Location optionally defines a location for a secret
  3772. type: string
  3773. projectID:
  3774. description: ProjectID project where secret is located
  3775. type: string
  3776. type: object
  3777. github:
  3778. description: Github configures this store to push Github Action secrets using Github API provider
  3779. properties:
  3780. appID:
  3781. description: appID specifies the Github APP that will be used to authenticate the client
  3782. format: int64
  3783. type: integer
  3784. auth:
  3785. description: auth configures how secret-manager authenticates with a Github instance.
  3786. properties:
  3787. privateKey:
  3788. description: |-
  3789. A reference to a specific 'key' within a Secret resource.
  3790. In some instances, `key` is a required field.
  3791. properties:
  3792. key:
  3793. description: |-
  3794. A key in the referenced Secret.
  3795. Some instances of this field may be defaulted, in others it may be required.
  3796. maxLength: 253
  3797. minLength: 1
  3798. pattern: ^[-._a-zA-Z0-9]+$
  3799. type: string
  3800. name:
  3801. description: The name of the Secret resource being referred to.
  3802. maxLength: 253
  3803. minLength: 1
  3804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3805. type: string
  3806. namespace:
  3807. description: |-
  3808. The namespace of the Secret resource being referred to.
  3809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3810. maxLength: 63
  3811. minLength: 1
  3812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3813. type: string
  3814. type: object
  3815. required:
  3816. - privateKey
  3817. type: object
  3818. environment:
  3819. description: environment will be used to fetch secrets from a particular environment within a github repository
  3820. type: string
  3821. installationID:
  3822. description: installationID specifies the Github APP installation that will be used to authenticate the client
  3823. format: int64
  3824. type: integer
  3825. organization:
  3826. description: organization will be used to fetch secrets from the Github organization
  3827. type: string
  3828. repository:
  3829. description: repository will be used to fetch secrets from the Github repository within an organization
  3830. type: string
  3831. uploadURL:
  3832. description: Upload URL for enterprise instances. Default to URL.
  3833. type: string
  3834. url:
  3835. default: https://github.com/
  3836. description: URL configures the Github instance URL. Defaults to https://github.com/.
  3837. type: string
  3838. required:
  3839. - appID
  3840. - auth
  3841. - installationID
  3842. - organization
  3843. type: object
  3844. gitlab:
  3845. description: GitLab configures this store to sync secrets using GitLab Variables provider
  3846. properties:
  3847. auth:
  3848. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3849. properties:
  3850. SecretRef:
  3851. properties:
  3852. accessToken:
  3853. description: AccessToken is used for authentication.
  3854. properties:
  3855. key:
  3856. description: |-
  3857. A key in the referenced Secret.
  3858. Some instances of this field may be defaulted, in others it may be required.
  3859. maxLength: 253
  3860. minLength: 1
  3861. pattern: ^[-._a-zA-Z0-9]+$
  3862. type: string
  3863. name:
  3864. description: The name of the Secret resource being referred to.
  3865. maxLength: 253
  3866. minLength: 1
  3867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3868. type: string
  3869. namespace:
  3870. description: |-
  3871. The namespace of the Secret resource being referred to.
  3872. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3873. maxLength: 63
  3874. minLength: 1
  3875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3876. type: string
  3877. type: object
  3878. type: object
  3879. required:
  3880. - SecretRef
  3881. type: object
  3882. environment:
  3883. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  3884. type: string
  3885. groupIDs:
  3886. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  3887. items:
  3888. type: string
  3889. type: array
  3890. inheritFromGroups:
  3891. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  3892. type: boolean
  3893. projectID:
  3894. description: ProjectID specifies a project where secrets are located.
  3895. type: string
  3896. url:
  3897. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3898. type: string
  3899. required:
  3900. - auth
  3901. type: object
  3902. ibm:
  3903. description: IBM configures this store to sync secrets using IBM Cloud provider
  3904. properties:
  3905. auth:
  3906. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3907. maxProperties: 1
  3908. minProperties: 1
  3909. properties:
  3910. containerAuth:
  3911. description: IBM Container-based auth with IAM Trusted Profile.
  3912. properties:
  3913. iamEndpoint:
  3914. type: string
  3915. profile:
  3916. description: the IBM Trusted Profile
  3917. type: string
  3918. tokenLocation:
  3919. description: Location the token is mounted on the pod
  3920. type: string
  3921. required:
  3922. - profile
  3923. type: object
  3924. secretRef:
  3925. properties:
  3926. secretApiKeySecretRef:
  3927. description: The SecretAccessKey is used for authentication
  3928. properties:
  3929. key:
  3930. description: |-
  3931. A key in the referenced Secret.
  3932. Some instances of this field may be defaulted, in others it may be required.
  3933. maxLength: 253
  3934. minLength: 1
  3935. pattern: ^[-._a-zA-Z0-9]+$
  3936. type: string
  3937. name:
  3938. description: The name of the Secret resource being referred to.
  3939. maxLength: 253
  3940. minLength: 1
  3941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3942. type: string
  3943. namespace:
  3944. description: |-
  3945. The namespace of the Secret resource being referred to.
  3946. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3947. maxLength: 63
  3948. minLength: 1
  3949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3950. type: string
  3951. type: object
  3952. type: object
  3953. type: object
  3954. serviceUrl:
  3955. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3956. type: string
  3957. required:
  3958. - auth
  3959. type: object
  3960. infisical:
  3961. description: Infisical configures this store to sync secrets using the Infisical provider
  3962. properties:
  3963. auth:
  3964. description: Auth configures how the Operator authenticates with the Infisical API
  3965. properties:
  3966. universalAuthCredentials:
  3967. properties:
  3968. clientId:
  3969. description: |-
  3970. A reference to a specific 'key' within a Secret resource.
  3971. In some instances, `key` is a required field.
  3972. properties:
  3973. key:
  3974. description: |-
  3975. A key in the referenced Secret.
  3976. Some instances of this field may be defaulted, in others it may be required.
  3977. maxLength: 253
  3978. minLength: 1
  3979. pattern: ^[-._a-zA-Z0-9]+$
  3980. type: string
  3981. name:
  3982. description: The name of the Secret resource being referred to.
  3983. maxLength: 253
  3984. minLength: 1
  3985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3986. type: string
  3987. namespace:
  3988. description: |-
  3989. The namespace of the Secret resource being referred to.
  3990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3991. maxLength: 63
  3992. minLength: 1
  3993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3994. type: string
  3995. type: object
  3996. clientSecret:
  3997. description: |-
  3998. A reference to a specific 'key' within a Secret resource.
  3999. In some instances, `key` is a required field.
  4000. properties:
  4001. key:
  4002. description: |-
  4003. A key in the referenced Secret.
  4004. Some instances of this field may be defaulted, in others it may be required.
  4005. maxLength: 253
  4006. minLength: 1
  4007. pattern: ^[-._a-zA-Z0-9]+$
  4008. type: string
  4009. name:
  4010. description: The name of the Secret resource being referred to.
  4011. maxLength: 253
  4012. minLength: 1
  4013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4014. type: string
  4015. namespace:
  4016. description: |-
  4017. The namespace of the Secret resource being referred to.
  4018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4019. maxLength: 63
  4020. minLength: 1
  4021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4022. type: string
  4023. type: object
  4024. required:
  4025. - clientId
  4026. - clientSecret
  4027. type: object
  4028. type: object
  4029. hostAPI:
  4030. default: https://app.infisical.com/api
  4031. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  4032. type: string
  4033. secretsScope:
  4034. description: SecretsScope defines the scope of the secrets within the workspace
  4035. properties:
  4036. environmentSlug:
  4037. description: EnvironmentSlug is the required slug identifier for the environment.
  4038. type: string
  4039. expandSecretReferences:
  4040. default: true
  4041. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  4042. type: boolean
  4043. projectSlug:
  4044. description: ProjectSlug is the required slug identifier for the project.
  4045. type: string
  4046. recursive:
  4047. default: false
  4048. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  4049. type: boolean
  4050. secretsPath:
  4051. default: /
  4052. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  4053. type: string
  4054. required:
  4055. - environmentSlug
  4056. - projectSlug
  4057. type: object
  4058. required:
  4059. - auth
  4060. - secretsScope
  4061. type: object
  4062. keepersecurity:
  4063. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  4064. properties:
  4065. authRef:
  4066. description: |-
  4067. A reference to a specific 'key' within a Secret resource.
  4068. In some instances, `key` is a required field.
  4069. properties:
  4070. key:
  4071. description: |-
  4072. A key in the referenced Secret.
  4073. Some instances of this field may be defaulted, in others it may be required.
  4074. maxLength: 253
  4075. minLength: 1
  4076. pattern: ^[-._a-zA-Z0-9]+$
  4077. type: string
  4078. name:
  4079. description: The name of the Secret resource being referred to.
  4080. maxLength: 253
  4081. minLength: 1
  4082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4083. type: string
  4084. namespace:
  4085. description: |-
  4086. The namespace of the Secret resource being referred to.
  4087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4088. maxLength: 63
  4089. minLength: 1
  4090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4091. type: string
  4092. type: object
  4093. folderID:
  4094. type: string
  4095. required:
  4096. - authRef
  4097. - folderID
  4098. type: object
  4099. kubernetes:
  4100. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  4101. properties:
  4102. auth:
  4103. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  4104. maxProperties: 1
  4105. minProperties: 1
  4106. properties:
  4107. cert:
  4108. description: has both clientCert and clientKey as secretKeySelector
  4109. properties:
  4110. clientCert:
  4111. description: |-
  4112. A reference to a specific 'key' within a Secret resource.
  4113. In some instances, `key` is a required field.
  4114. properties:
  4115. key:
  4116. description: |-
  4117. A key in the referenced Secret.
  4118. Some instances of this field may be defaulted, in others it may be required.
  4119. maxLength: 253
  4120. minLength: 1
  4121. pattern: ^[-._a-zA-Z0-9]+$
  4122. type: string
  4123. name:
  4124. description: The name of the Secret resource being referred to.
  4125. maxLength: 253
  4126. minLength: 1
  4127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4128. type: string
  4129. namespace:
  4130. description: |-
  4131. The namespace of the Secret resource being referred to.
  4132. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4133. maxLength: 63
  4134. minLength: 1
  4135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4136. type: string
  4137. type: object
  4138. clientKey:
  4139. description: |-
  4140. A reference to a specific 'key' within a Secret resource.
  4141. In some instances, `key` is a required field.
  4142. properties:
  4143. key:
  4144. description: |-
  4145. A key in the referenced Secret.
  4146. Some instances of this field may be defaulted, in others it may be required.
  4147. maxLength: 253
  4148. minLength: 1
  4149. pattern: ^[-._a-zA-Z0-9]+$
  4150. type: string
  4151. name:
  4152. description: The name of the Secret resource being referred to.
  4153. maxLength: 253
  4154. minLength: 1
  4155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4156. type: string
  4157. namespace:
  4158. description: |-
  4159. The namespace of the Secret resource being referred to.
  4160. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4161. maxLength: 63
  4162. minLength: 1
  4163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4164. type: string
  4165. type: object
  4166. type: object
  4167. serviceAccount:
  4168. description: points to a service account that should be used for authentication
  4169. properties:
  4170. audiences:
  4171. description: |-
  4172. Audience specifies the `aud` claim for the service account token
  4173. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4174. then this audiences will be appended to the list
  4175. items:
  4176. type: string
  4177. type: array
  4178. name:
  4179. description: The name of the ServiceAccount resource being referred to.
  4180. maxLength: 253
  4181. minLength: 1
  4182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4183. type: string
  4184. namespace:
  4185. description: |-
  4186. Namespace of the resource being referred to.
  4187. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4188. maxLength: 63
  4189. minLength: 1
  4190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4191. type: string
  4192. required:
  4193. - name
  4194. type: object
  4195. token:
  4196. description: use static token to authenticate with
  4197. properties:
  4198. bearerToken:
  4199. description: |-
  4200. A reference to a specific 'key' within a Secret resource.
  4201. In some instances, `key` is a required field.
  4202. properties:
  4203. key:
  4204. description: |-
  4205. A key in the referenced Secret.
  4206. Some instances of this field may be defaulted, in others it may be required.
  4207. maxLength: 253
  4208. minLength: 1
  4209. pattern: ^[-._a-zA-Z0-9]+$
  4210. type: string
  4211. name:
  4212. description: The name of the Secret resource being referred to.
  4213. maxLength: 253
  4214. minLength: 1
  4215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4216. type: string
  4217. namespace:
  4218. description: |-
  4219. The namespace of the Secret resource being referred to.
  4220. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4221. maxLength: 63
  4222. minLength: 1
  4223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4224. type: string
  4225. type: object
  4226. type: object
  4227. type: object
  4228. authRef:
  4229. description: A reference to a secret that contains the auth information.
  4230. properties:
  4231. key:
  4232. description: |-
  4233. A key in the referenced Secret.
  4234. Some instances of this field may be defaulted, in others it may be required.
  4235. maxLength: 253
  4236. minLength: 1
  4237. pattern: ^[-._a-zA-Z0-9]+$
  4238. type: string
  4239. name:
  4240. description: The name of the Secret resource being referred to.
  4241. maxLength: 253
  4242. minLength: 1
  4243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4244. type: string
  4245. namespace:
  4246. description: |-
  4247. The namespace of the Secret resource being referred to.
  4248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4249. maxLength: 63
  4250. minLength: 1
  4251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4252. type: string
  4253. type: object
  4254. remoteNamespace:
  4255. default: default
  4256. description: Remote namespace to fetch the secrets from
  4257. maxLength: 63
  4258. minLength: 1
  4259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4260. type: string
  4261. server:
  4262. description: configures the Kubernetes server Address.
  4263. properties:
  4264. caBundle:
  4265. description: CABundle is a base64-encoded CA certificate
  4266. format: byte
  4267. type: string
  4268. caProvider:
  4269. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4270. properties:
  4271. key:
  4272. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4273. maxLength: 253
  4274. minLength: 1
  4275. pattern: ^[-._a-zA-Z0-9]+$
  4276. type: string
  4277. name:
  4278. description: The name of the object located at the provider type.
  4279. maxLength: 253
  4280. minLength: 1
  4281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4282. type: string
  4283. namespace:
  4284. description: |-
  4285. The namespace the Provider type is in.
  4286. Can only be defined when used in a ClusterSecretStore.
  4287. maxLength: 63
  4288. minLength: 1
  4289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4290. type: string
  4291. type:
  4292. description: The type of provider to use such as "Secret", or "ConfigMap".
  4293. enum:
  4294. - Secret
  4295. - ConfigMap
  4296. type: string
  4297. required:
  4298. - name
  4299. - type
  4300. type: object
  4301. url:
  4302. default: kubernetes.default
  4303. description: configures the Kubernetes server Address.
  4304. type: string
  4305. type: object
  4306. type: object
  4307. onboardbase:
  4308. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  4309. properties:
  4310. apiHost:
  4311. default: https://public.onboardbase.com/api/v1/
  4312. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  4313. type: string
  4314. auth:
  4315. description: Auth configures how the Operator authenticates with the Onboardbase API
  4316. properties:
  4317. apiKeyRef:
  4318. description: |-
  4319. OnboardbaseAPIKey is the APIKey generated by an admin account.
  4320. It is used to recognize and authorize access to a project and environment within onboardbase
  4321. properties:
  4322. key:
  4323. description: |-
  4324. A key in the referenced Secret.
  4325. Some instances of this field may be defaulted, in others it may be required.
  4326. maxLength: 253
  4327. minLength: 1
  4328. pattern: ^[-._a-zA-Z0-9]+$
  4329. type: string
  4330. name:
  4331. description: The name of the Secret resource being referred to.
  4332. maxLength: 253
  4333. minLength: 1
  4334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4335. type: string
  4336. namespace:
  4337. description: |-
  4338. The namespace of the Secret resource being referred to.
  4339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4340. maxLength: 63
  4341. minLength: 1
  4342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4343. type: string
  4344. type: object
  4345. passcodeRef:
  4346. description: OnboardbasePasscode is the passcode attached to the API Key
  4347. properties:
  4348. key:
  4349. description: |-
  4350. A key in the referenced Secret.
  4351. Some instances of this field may be defaulted, in others it may be required.
  4352. maxLength: 253
  4353. minLength: 1
  4354. pattern: ^[-._a-zA-Z0-9]+$
  4355. type: string
  4356. name:
  4357. description: The name of the Secret resource being referred to.
  4358. maxLength: 253
  4359. minLength: 1
  4360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4361. type: string
  4362. namespace:
  4363. description: |-
  4364. The namespace of the Secret resource being referred to.
  4365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4366. maxLength: 63
  4367. minLength: 1
  4368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4369. type: string
  4370. type: object
  4371. required:
  4372. - apiKeyRef
  4373. - passcodeRef
  4374. type: object
  4375. environment:
  4376. default: development
  4377. description: Environment is the name of an environmnent within a project to pull the secrets from
  4378. type: string
  4379. project:
  4380. default: development
  4381. description: Project is an onboardbase project that the secrets should be pulled from
  4382. type: string
  4383. required:
  4384. - apiHost
  4385. - auth
  4386. - environment
  4387. - project
  4388. type: object
  4389. onepassword:
  4390. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  4391. properties:
  4392. auth:
  4393. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  4394. properties:
  4395. secretRef:
  4396. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  4397. properties:
  4398. connectTokenSecretRef:
  4399. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  4400. properties:
  4401. key:
  4402. description: |-
  4403. A key in the referenced Secret.
  4404. Some instances of this field may be defaulted, in others it may be required.
  4405. maxLength: 253
  4406. minLength: 1
  4407. pattern: ^[-._a-zA-Z0-9]+$
  4408. type: string
  4409. name:
  4410. description: The name of the Secret resource being referred to.
  4411. maxLength: 253
  4412. minLength: 1
  4413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4414. type: string
  4415. namespace:
  4416. description: |-
  4417. The namespace of the Secret resource being referred to.
  4418. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4419. maxLength: 63
  4420. minLength: 1
  4421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4422. type: string
  4423. type: object
  4424. required:
  4425. - connectTokenSecretRef
  4426. type: object
  4427. required:
  4428. - secretRef
  4429. type: object
  4430. connectHost:
  4431. description: ConnectHost defines the OnePassword Connect Server to connect to
  4432. type: string
  4433. vaults:
  4434. additionalProperties:
  4435. type: integer
  4436. description: Vaults defines which OnePassword vaults to search in which order
  4437. type: object
  4438. required:
  4439. - auth
  4440. - connectHost
  4441. - vaults
  4442. type: object
  4443. oracle:
  4444. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4445. properties:
  4446. auth:
  4447. description: |-
  4448. Auth configures how secret-manager authenticates with the Oracle Vault.
  4449. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4450. properties:
  4451. secretRef:
  4452. description: SecretRef to pass through sensitive information.
  4453. properties:
  4454. fingerprint:
  4455. description: Fingerprint is the fingerprint of the API private key.
  4456. properties:
  4457. key:
  4458. description: |-
  4459. A key in the referenced Secret.
  4460. Some instances of this field may be defaulted, in others it may be required.
  4461. maxLength: 253
  4462. minLength: 1
  4463. pattern: ^[-._a-zA-Z0-9]+$
  4464. type: string
  4465. name:
  4466. description: The name of the Secret resource being referred to.
  4467. maxLength: 253
  4468. minLength: 1
  4469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4470. type: string
  4471. namespace:
  4472. description: |-
  4473. The namespace of the Secret resource being referred to.
  4474. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4475. maxLength: 63
  4476. minLength: 1
  4477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4478. type: string
  4479. type: object
  4480. privatekey:
  4481. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4482. properties:
  4483. key:
  4484. description: |-
  4485. A key in the referenced Secret.
  4486. Some instances of this field may be defaulted, in others it may be required.
  4487. maxLength: 253
  4488. minLength: 1
  4489. pattern: ^[-._a-zA-Z0-9]+$
  4490. type: string
  4491. name:
  4492. description: The name of the Secret resource being referred to.
  4493. maxLength: 253
  4494. minLength: 1
  4495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4496. type: string
  4497. namespace:
  4498. description: |-
  4499. The namespace of the Secret resource being referred to.
  4500. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4501. maxLength: 63
  4502. minLength: 1
  4503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4504. type: string
  4505. type: object
  4506. required:
  4507. - fingerprint
  4508. - privatekey
  4509. type: object
  4510. tenancy:
  4511. description: Tenancy is the tenancy OCID where user is located.
  4512. type: string
  4513. user:
  4514. description: User is an access OCID specific to the account.
  4515. type: string
  4516. required:
  4517. - secretRef
  4518. - tenancy
  4519. - user
  4520. type: object
  4521. compartment:
  4522. description: |-
  4523. Compartment is the vault compartment OCID.
  4524. Required for PushSecret
  4525. type: string
  4526. encryptionKey:
  4527. description: |-
  4528. EncryptionKey is the OCID of the encryption key within the vault.
  4529. Required for PushSecret
  4530. type: string
  4531. principalType:
  4532. description: |-
  4533. The type of principal to use for authentication. If left blank, the Auth struct will
  4534. determine the principal type. This optional field must be specified if using
  4535. workload identity.
  4536. enum:
  4537. - ""
  4538. - UserPrincipal
  4539. - InstancePrincipal
  4540. - Workload
  4541. type: string
  4542. region:
  4543. description: Region is the region where vault is located.
  4544. type: string
  4545. serviceAccountRef:
  4546. description: |-
  4547. ServiceAccountRef specified the service account
  4548. that should be used when authenticating with WorkloadIdentity.
  4549. properties:
  4550. audiences:
  4551. description: |-
  4552. Audience specifies the `aud` claim for the service account token
  4553. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4554. then this audiences will be appended to the list
  4555. items:
  4556. type: string
  4557. type: array
  4558. name:
  4559. description: The name of the ServiceAccount resource being referred to.
  4560. maxLength: 253
  4561. minLength: 1
  4562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4563. type: string
  4564. namespace:
  4565. description: |-
  4566. Namespace of the resource being referred to.
  4567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4568. maxLength: 63
  4569. minLength: 1
  4570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4571. type: string
  4572. required:
  4573. - name
  4574. type: object
  4575. vault:
  4576. description: Vault is the vault's OCID of the specific vault where secret is located.
  4577. type: string
  4578. required:
  4579. - region
  4580. - vault
  4581. type: object
  4582. passbolt:
  4583. properties:
  4584. auth:
  4585. description: Auth defines the information necessary to authenticate against Passbolt Server
  4586. properties:
  4587. passwordSecretRef:
  4588. description: |-
  4589. A reference to a specific 'key' within a Secret resource.
  4590. In some instances, `key` is a required field.
  4591. properties:
  4592. key:
  4593. description: |-
  4594. A key in the referenced Secret.
  4595. Some instances of this field may be defaulted, in others it may be required.
  4596. maxLength: 253
  4597. minLength: 1
  4598. pattern: ^[-._a-zA-Z0-9]+$
  4599. type: string
  4600. name:
  4601. description: The name of the Secret resource being referred to.
  4602. maxLength: 253
  4603. minLength: 1
  4604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4605. type: string
  4606. namespace:
  4607. description: |-
  4608. The namespace of the Secret resource being referred to.
  4609. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4610. maxLength: 63
  4611. minLength: 1
  4612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4613. type: string
  4614. type: object
  4615. privateKeySecretRef:
  4616. description: |-
  4617. A reference to a specific 'key' within a Secret resource.
  4618. In some instances, `key` is a required field.
  4619. properties:
  4620. key:
  4621. description: |-
  4622. A key in the referenced Secret.
  4623. Some instances of this field may be defaulted, in others it may be required.
  4624. maxLength: 253
  4625. minLength: 1
  4626. pattern: ^[-._a-zA-Z0-9]+$
  4627. type: string
  4628. name:
  4629. description: The name of the Secret resource being referred to.
  4630. maxLength: 253
  4631. minLength: 1
  4632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4633. type: string
  4634. namespace:
  4635. description: |-
  4636. The namespace of the Secret resource being referred to.
  4637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4638. maxLength: 63
  4639. minLength: 1
  4640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4641. type: string
  4642. type: object
  4643. required:
  4644. - passwordSecretRef
  4645. - privateKeySecretRef
  4646. type: object
  4647. host:
  4648. description: Host defines the Passbolt Server to connect to
  4649. type: string
  4650. required:
  4651. - auth
  4652. - host
  4653. type: object
  4654. passworddepot:
  4655. description: Configures a store to sync secrets with a Password Depot instance.
  4656. properties:
  4657. auth:
  4658. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  4659. properties:
  4660. secretRef:
  4661. properties:
  4662. credentials:
  4663. description: Username / Password is used for authentication.
  4664. properties:
  4665. key:
  4666. description: |-
  4667. A key in the referenced Secret.
  4668. Some instances of this field may be defaulted, in others it may be required.
  4669. maxLength: 253
  4670. minLength: 1
  4671. pattern: ^[-._a-zA-Z0-9]+$
  4672. type: string
  4673. name:
  4674. description: The name of the Secret resource being referred to.
  4675. maxLength: 253
  4676. minLength: 1
  4677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4678. type: string
  4679. namespace:
  4680. description: |-
  4681. The namespace of the Secret resource being referred to.
  4682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4683. maxLength: 63
  4684. minLength: 1
  4685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4686. type: string
  4687. type: object
  4688. type: object
  4689. required:
  4690. - secretRef
  4691. type: object
  4692. database:
  4693. description: Database to use as source
  4694. type: string
  4695. host:
  4696. description: URL configures the Password Depot instance URL.
  4697. type: string
  4698. required:
  4699. - auth
  4700. - database
  4701. - host
  4702. type: object
  4703. previder:
  4704. description: Previder configures this store to sync secrets using the Previder provider
  4705. properties:
  4706. auth:
  4707. description: PreviderAuth contains a secretRef for credentials.
  4708. properties:
  4709. secretRef:
  4710. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  4711. properties:
  4712. accessToken:
  4713. description: The AccessToken is used for authentication
  4714. properties:
  4715. key:
  4716. description: |-
  4717. A key in the referenced Secret.
  4718. Some instances of this field may be defaulted, in others it may be required.
  4719. maxLength: 253
  4720. minLength: 1
  4721. pattern: ^[-._a-zA-Z0-9]+$
  4722. type: string
  4723. name:
  4724. description: The name of the Secret resource being referred to.
  4725. maxLength: 253
  4726. minLength: 1
  4727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4728. type: string
  4729. namespace:
  4730. description: |-
  4731. The namespace of the Secret resource being referred to.
  4732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4733. maxLength: 63
  4734. minLength: 1
  4735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4736. type: string
  4737. type: object
  4738. required:
  4739. - accessToken
  4740. type: object
  4741. type: object
  4742. baseUri:
  4743. type: string
  4744. required:
  4745. - auth
  4746. type: object
  4747. pulumi:
  4748. description: Pulumi configures this store to sync secrets using the Pulumi provider
  4749. properties:
  4750. accessToken:
  4751. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  4752. properties:
  4753. secretRef:
  4754. description: SecretRef is a reference to a secret containing the Pulumi API token.
  4755. properties:
  4756. key:
  4757. description: |-
  4758. A key in the referenced Secret.
  4759. Some instances of this field may be defaulted, in others it may be required.
  4760. maxLength: 253
  4761. minLength: 1
  4762. pattern: ^[-._a-zA-Z0-9]+$
  4763. type: string
  4764. name:
  4765. description: The name of the Secret resource being referred to.
  4766. maxLength: 253
  4767. minLength: 1
  4768. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4769. type: string
  4770. namespace:
  4771. description: |-
  4772. The namespace of the Secret resource being referred to.
  4773. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4774. maxLength: 63
  4775. minLength: 1
  4776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4777. type: string
  4778. type: object
  4779. type: object
  4780. apiUrl:
  4781. default: https://api.pulumi.com/api/esc
  4782. description: APIURL is the URL of the Pulumi API.
  4783. type: string
  4784. environment:
  4785. description: |-
  4786. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  4787. dynamically retrieved values from supported providers including all major clouds,
  4788. and other Pulumi ESC environments.
  4789. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  4790. type: string
  4791. organization:
  4792. description: |-
  4793. Organization are a space to collaborate on shared projects and stacks.
  4794. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  4795. type: string
  4796. project:
  4797. description: Project is the name of the Pulumi ESC project the environment belongs to.
  4798. type: string
  4799. required:
  4800. - accessToken
  4801. - environment
  4802. - organization
  4803. - project
  4804. type: object
  4805. scaleway:
  4806. description: Scaleway
  4807. properties:
  4808. accessKey:
  4809. description: AccessKey is the non-secret part of the api key.
  4810. properties:
  4811. secretRef:
  4812. description: SecretRef references a key in a secret that will be used as value.
  4813. properties:
  4814. key:
  4815. description: |-
  4816. A key in the referenced Secret.
  4817. Some instances of this field may be defaulted, in others it may be required.
  4818. maxLength: 253
  4819. minLength: 1
  4820. pattern: ^[-._a-zA-Z0-9]+$
  4821. type: string
  4822. name:
  4823. description: The name of the Secret resource being referred to.
  4824. maxLength: 253
  4825. minLength: 1
  4826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4827. type: string
  4828. namespace:
  4829. description: |-
  4830. The namespace of the Secret resource being referred to.
  4831. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4832. maxLength: 63
  4833. minLength: 1
  4834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4835. type: string
  4836. type: object
  4837. value:
  4838. description: Value can be specified directly to set a value without using a secret.
  4839. type: string
  4840. type: object
  4841. apiUrl:
  4842. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  4843. type: string
  4844. projectId:
  4845. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  4846. type: string
  4847. region:
  4848. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  4849. type: string
  4850. secretKey:
  4851. description: SecretKey is the non-secret part of the api key.
  4852. properties:
  4853. secretRef:
  4854. description: SecretRef references a key in a secret that will be used as value.
  4855. properties:
  4856. key:
  4857. description: |-
  4858. A key in the referenced Secret.
  4859. Some instances of this field may be defaulted, in others it may be required.
  4860. maxLength: 253
  4861. minLength: 1
  4862. pattern: ^[-._a-zA-Z0-9]+$
  4863. type: string
  4864. name:
  4865. description: The name of the Secret resource being referred to.
  4866. maxLength: 253
  4867. minLength: 1
  4868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4869. type: string
  4870. namespace:
  4871. description: |-
  4872. The namespace of the Secret resource being referred to.
  4873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4874. maxLength: 63
  4875. minLength: 1
  4876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4877. type: string
  4878. type: object
  4879. value:
  4880. description: Value can be specified directly to set a value without using a secret.
  4881. type: string
  4882. type: object
  4883. required:
  4884. - accessKey
  4885. - projectId
  4886. - region
  4887. - secretKey
  4888. type: object
  4889. secretserver:
  4890. description: |-
  4891. SecretServer configures this store to sync secrets using SecretServer provider
  4892. https://docs.delinea.com/online-help/secret-server/start.htm
  4893. properties:
  4894. password:
  4895. description: Password is the secret server account password.
  4896. properties:
  4897. secretRef:
  4898. description: SecretRef references a key in a secret that will be used as value.
  4899. properties:
  4900. key:
  4901. description: |-
  4902. A key in the referenced Secret.
  4903. Some instances of this field may be defaulted, in others it may be required.
  4904. maxLength: 253
  4905. minLength: 1
  4906. pattern: ^[-._a-zA-Z0-9]+$
  4907. type: string
  4908. name:
  4909. description: The name of the Secret resource being referred to.
  4910. maxLength: 253
  4911. minLength: 1
  4912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4913. type: string
  4914. namespace:
  4915. description: |-
  4916. The namespace of the Secret resource being referred to.
  4917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4918. maxLength: 63
  4919. minLength: 1
  4920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4921. type: string
  4922. type: object
  4923. value:
  4924. description: Value can be specified directly to set a value without using a secret.
  4925. type: string
  4926. type: object
  4927. serverURL:
  4928. description: |-
  4929. ServerURL
  4930. URL to your secret server installation
  4931. type: string
  4932. username:
  4933. description: Username is the secret server account username.
  4934. properties:
  4935. secretRef:
  4936. description: SecretRef references a key in a secret that will be used as value.
  4937. properties:
  4938. key:
  4939. description: |-
  4940. A key in the referenced Secret.
  4941. Some instances of this field may be defaulted, in others it may be required.
  4942. maxLength: 253
  4943. minLength: 1
  4944. pattern: ^[-._a-zA-Z0-9]+$
  4945. type: string
  4946. name:
  4947. description: The name of the Secret resource being referred to.
  4948. maxLength: 253
  4949. minLength: 1
  4950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4951. type: string
  4952. namespace:
  4953. description: |-
  4954. The namespace of the Secret resource being referred to.
  4955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4956. maxLength: 63
  4957. minLength: 1
  4958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4959. type: string
  4960. type: object
  4961. value:
  4962. description: Value can be specified directly to set a value without using a secret.
  4963. type: string
  4964. type: object
  4965. required:
  4966. - password
  4967. - serverURL
  4968. - username
  4969. type: object
  4970. senhasegura:
  4971. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4972. properties:
  4973. auth:
  4974. description: Auth defines parameters to authenticate in senhasegura
  4975. properties:
  4976. clientId:
  4977. type: string
  4978. clientSecretSecretRef:
  4979. description: |-
  4980. A reference to a specific 'key' within a Secret resource.
  4981. In some instances, `key` is a required field.
  4982. properties:
  4983. key:
  4984. description: |-
  4985. A key in the referenced Secret.
  4986. Some instances of this field may be defaulted, in others it may be required.
  4987. maxLength: 253
  4988. minLength: 1
  4989. pattern: ^[-._a-zA-Z0-9]+$
  4990. type: string
  4991. name:
  4992. description: The name of the Secret resource being referred to.
  4993. maxLength: 253
  4994. minLength: 1
  4995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4996. type: string
  4997. namespace:
  4998. description: |-
  4999. The namespace of the Secret resource being referred to.
  5000. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5001. maxLength: 63
  5002. minLength: 1
  5003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5004. type: string
  5005. type: object
  5006. required:
  5007. - clientId
  5008. - clientSecretSecretRef
  5009. type: object
  5010. ignoreSslCertificate:
  5011. default: false
  5012. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  5013. type: boolean
  5014. module:
  5015. description: Module defines which senhasegura module should be used to get secrets
  5016. type: string
  5017. url:
  5018. description: URL of senhasegura
  5019. type: string
  5020. required:
  5021. - auth
  5022. - module
  5023. - url
  5024. type: object
  5025. vault:
  5026. description: Vault configures this store to sync secrets using Hashi provider
  5027. properties:
  5028. auth:
  5029. description: Auth configures how secret-manager authenticates with the Vault server.
  5030. properties:
  5031. appRole:
  5032. description: |-
  5033. AppRole authenticates with Vault using the App Role auth mechanism,
  5034. with the role and secret stored in a Kubernetes Secret resource.
  5035. properties:
  5036. path:
  5037. default: approle
  5038. description: |-
  5039. Path where the App Role authentication backend is mounted
  5040. in Vault, e.g: "approle"
  5041. type: string
  5042. roleId:
  5043. description: |-
  5044. RoleID configured in the App Role authentication backend when setting
  5045. up the authentication backend in Vault.
  5046. type: string
  5047. roleRef:
  5048. description: |-
  5049. Reference to a key in a Secret that contains the App Role ID used
  5050. to authenticate with Vault.
  5051. The `key` field must be specified and denotes which entry within the Secret
  5052. resource is used as the app role id.
  5053. properties:
  5054. key:
  5055. description: |-
  5056. A key in the referenced Secret.
  5057. Some instances of this field may be defaulted, in others it may be required.
  5058. maxLength: 253
  5059. minLength: 1
  5060. pattern: ^[-._a-zA-Z0-9]+$
  5061. type: string
  5062. name:
  5063. description: The name of the Secret resource being referred to.
  5064. maxLength: 253
  5065. minLength: 1
  5066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5067. type: string
  5068. namespace:
  5069. description: |-
  5070. The namespace of the Secret resource being referred to.
  5071. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5072. maxLength: 63
  5073. minLength: 1
  5074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5075. type: string
  5076. type: object
  5077. secretRef:
  5078. description: |-
  5079. Reference to a key in a Secret that contains the App Role secret used
  5080. to authenticate with Vault.
  5081. The `key` field must be specified and denotes which entry within the Secret
  5082. resource is used as the app role secret.
  5083. properties:
  5084. key:
  5085. description: |-
  5086. A key in the referenced Secret.
  5087. Some instances of this field may be defaulted, in others it may be required.
  5088. maxLength: 253
  5089. minLength: 1
  5090. pattern: ^[-._a-zA-Z0-9]+$
  5091. type: string
  5092. name:
  5093. description: The name of the Secret resource being referred to.
  5094. maxLength: 253
  5095. minLength: 1
  5096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5097. type: string
  5098. namespace:
  5099. description: |-
  5100. The namespace of the Secret resource being referred to.
  5101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5102. maxLength: 63
  5103. minLength: 1
  5104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5105. type: string
  5106. type: object
  5107. required:
  5108. - path
  5109. - secretRef
  5110. type: object
  5111. cert:
  5112. description: |-
  5113. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  5114. Cert authentication method
  5115. properties:
  5116. clientCert:
  5117. description: |-
  5118. ClientCert is a certificate to authenticate using the Cert Vault
  5119. authentication method
  5120. properties:
  5121. key:
  5122. description: |-
  5123. A key in the referenced Secret.
  5124. Some instances of this field may be defaulted, in others it may be required.
  5125. maxLength: 253
  5126. minLength: 1
  5127. pattern: ^[-._a-zA-Z0-9]+$
  5128. type: string
  5129. name:
  5130. description: The name of the Secret resource being referred to.
  5131. maxLength: 253
  5132. minLength: 1
  5133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5134. type: string
  5135. namespace:
  5136. description: |-
  5137. The namespace of the Secret resource being referred to.
  5138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5139. maxLength: 63
  5140. minLength: 1
  5141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5142. type: string
  5143. type: object
  5144. secretRef:
  5145. description: |-
  5146. SecretRef to a key in a Secret resource containing client private key to
  5147. authenticate with Vault using the Cert authentication method
  5148. properties:
  5149. key:
  5150. description: |-
  5151. A key in the referenced Secret.
  5152. Some instances of this field may be defaulted, in others it may be required.
  5153. maxLength: 253
  5154. minLength: 1
  5155. pattern: ^[-._a-zA-Z0-9]+$
  5156. type: string
  5157. name:
  5158. description: The name of the Secret resource being referred to.
  5159. maxLength: 253
  5160. minLength: 1
  5161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5162. type: string
  5163. namespace:
  5164. description: |-
  5165. The namespace of the Secret resource being referred to.
  5166. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5167. maxLength: 63
  5168. minLength: 1
  5169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5170. type: string
  5171. type: object
  5172. type: object
  5173. iam:
  5174. description: |-
  5175. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  5176. AWS IAM authentication method
  5177. properties:
  5178. externalID:
  5179. description: AWS External ID set on assumed IAM roles
  5180. type: string
  5181. jwt:
  5182. description: Specify a service account with IRSA enabled
  5183. properties:
  5184. serviceAccountRef:
  5185. description: A reference to a ServiceAccount resource.
  5186. properties:
  5187. audiences:
  5188. description: |-
  5189. Audience specifies the `aud` claim for the service account token
  5190. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5191. then this audiences will be appended to the list
  5192. items:
  5193. type: string
  5194. type: array
  5195. name:
  5196. description: The name of the ServiceAccount resource being referred to.
  5197. maxLength: 253
  5198. minLength: 1
  5199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5200. type: string
  5201. namespace:
  5202. description: |-
  5203. Namespace of the resource being referred to.
  5204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5205. maxLength: 63
  5206. minLength: 1
  5207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5208. type: string
  5209. required:
  5210. - name
  5211. type: object
  5212. type: object
  5213. path:
  5214. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  5215. type: string
  5216. region:
  5217. description: AWS region
  5218. type: string
  5219. role:
  5220. description: This is the AWS role to be assumed before talking to vault
  5221. type: string
  5222. secretRef:
  5223. description: Specify credentials in a Secret object
  5224. properties:
  5225. accessKeyIDSecretRef:
  5226. description: The AccessKeyID is used for authentication
  5227. properties:
  5228. key:
  5229. description: |-
  5230. A key in the referenced Secret.
  5231. Some instances of this field may be defaulted, in others it may be required.
  5232. maxLength: 253
  5233. minLength: 1
  5234. pattern: ^[-._a-zA-Z0-9]+$
  5235. type: string
  5236. name:
  5237. description: The name of the Secret resource being referred to.
  5238. maxLength: 253
  5239. minLength: 1
  5240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5241. type: string
  5242. namespace:
  5243. description: |-
  5244. The namespace of the Secret resource being referred to.
  5245. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5246. maxLength: 63
  5247. minLength: 1
  5248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5249. type: string
  5250. type: object
  5251. secretAccessKeySecretRef:
  5252. description: The SecretAccessKey is used for authentication
  5253. properties:
  5254. key:
  5255. description: |-
  5256. A key in the referenced Secret.
  5257. Some instances of this field may be defaulted, in others it may be required.
  5258. maxLength: 253
  5259. minLength: 1
  5260. pattern: ^[-._a-zA-Z0-9]+$
  5261. type: string
  5262. name:
  5263. description: The name of the Secret resource being referred to.
  5264. maxLength: 253
  5265. minLength: 1
  5266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5267. type: string
  5268. namespace:
  5269. description: |-
  5270. The namespace of the Secret resource being referred to.
  5271. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5272. maxLength: 63
  5273. minLength: 1
  5274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5275. type: string
  5276. type: object
  5277. sessionTokenSecretRef:
  5278. description: |-
  5279. The SessionToken used for authentication
  5280. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  5281. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  5282. properties:
  5283. key:
  5284. description: |-
  5285. A key in the referenced Secret.
  5286. Some instances of this field may be defaulted, in others it may be required.
  5287. maxLength: 253
  5288. minLength: 1
  5289. pattern: ^[-._a-zA-Z0-9]+$
  5290. type: string
  5291. name:
  5292. description: The name of the Secret resource being referred to.
  5293. maxLength: 253
  5294. minLength: 1
  5295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5296. type: string
  5297. namespace:
  5298. description: |-
  5299. The namespace of the Secret resource being referred to.
  5300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5301. maxLength: 63
  5302. minLength: 1
  5303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5304. type: string
  5305. type: object
  5306. type: object
  5307. vaultAwsIamServerID:
  5308. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  5309. type: string
  5310. vaultRole:
  5311. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  5312. type: string
  5313. required:
  5314. - vaultRole
  5315. type: object
  5316. jwt:
  5317. description: |-
  5318. Jwt authenticates with Vault by passing role and JWT token using the
  5319. JWT/OIDC authentication method
  5320. properties:
  5321. kubernetesServiceAccountToken:
  5322. description: |-
  5323. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  5324. a token for with the `TokenRequest` API.
  5325. properties:
  5326. audiences:
  5327. description: |-
  5328. Optional audiences field that will be used to request a temporary Kubernetes service
  5329. account token for the service account referenced by `serviceAccountRef`.
  5330. Defaults to a single audience `vault` it not specified.
  5331. Deprecated: use serviceAccountRef.Audiences instead
  5332. items:
  5333. type: string
  5334. type: array
  5335. expirationSeconds:
  5336. description: |-
  5337. Optional expiration time in seconds that will be used to request a temporary
  5338. Kubernetes service account token for the service account referenced by
  5339. `serviceAccountRef`.
  5340. Deprecated: this will be removed in the future.
  5341. Defaults to 10 minutes.
  5342. format: int64
  5343. type: integer
  5344. serviceAccountRef:
  5345. description: Service account field containing the name of a kubernetes ServiceAccount.
  5346. properties:
  5347. audiences:
  5348. description: |-
  5349. Audience specifies the `aud` claim for the service account token
  5350. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5351. then this audiences will be appended to the list
  5352. items:
  5353. type: string
  5354. type: array
  5355. name:
  5356. description: The name of the ServiceAccount resource being referred to.
  5357. maxLength: 253
  5358. minLength: 1
  5359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5360. type: string
  5361. namespace:
  5362. description: |-
  5363. Namespace of the resource being referred to.
  5364. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5365. maxLength: 63
  5366. minLength: 1
  5367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5368. type: string
  5369. required:
  5370. - name
  5371. type: object
  5372. required:
  5373. - serviceAccountRef
  5374. type: object
  5375. path:
  5376. default: jwt
  5377. description: |-
  5378. Path where the JWT authentication backend is mounted
  5379. in Vault, e.g: "jwt"
  5380. type: string
  5381. role:
  5382. description: |-
  5383. Role is a JWT role to authenticate using the JWT/OIDC Vault
  5384. authentication method
  5385. type: string
  5386. secretRef:
  5387. description: |-
  5388. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  5389. authenticate with Vault using the JWT/OIDC authentication method.
  5390. properties:
  5391. key:
  5392. description: |-
  5393. A key in the referenced Secret.
  5394. Some instances of this field may be defaulted, in others it may be required.
  5395. maxLength: 253
  5396. minLength: 1
  5397. pattern: ^[-._a-zA-Z0-9]+$
  5398. type: string
  5399. name:
  5400. description: The name of the Secret resource being referred to.
  5401. maxLength: 253
  5402. minLength: 1
  5403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5404. type: string
  5405. namespace:
  5406. description: |-
  5407. The namespace of the Secret resource being referred to.
  5408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5409. maxLength: 63
  5410. minLength: 1
  5411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5412. type: string
  5413. type: object
  5414. required:
  5415. - path
  5416. type: object
  5417. kubernetes:
  5418. description: |-
  5419. Kubernetes authenticates with Vault by passing the ServiceAccount
  5420. token stored in the named Secret resource to the Vault server.
  5421. properties:
  5422. mountPath:
  5423. default: kubernetes
  5424. description: |-
  5425. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  5426. "kubernetes"
  5427. type: string
  5428. role:
  5429. description: |-
  5430. A required field containing the Vault Role to assume. A Role binds a
  5431. Kubernetes ServiceAccount with a set of Vault policies.
  5432. type: string
  5433. secretRef:
  5434. description: |-
  5435. Optional secret field containing a Kubernetes ServiceAccount JWT used
  5436. for authenticating with Vault. If a name is specified without a key,
  5437. `token` is the default. If one is not specified, the one bound to
  5438. the controller will be used.
  5439. properties:
  5440. key:
  5441. description: |-
  5442. A key in the referenced Secret.
  5443. Some instances of this field may be defaulted, in others it may be required.
  5444. maxLength: 253
  5445. minLength: 1
  5446. pattern: ^[-._a-zA-Z0-9]+$
  5447. type: string
  5448. name:
  5449. description: The name of the Secret resource being referred to.
  5450. maxLength: 253
  5451. minLength: 1
  5452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5453. type: string
  5454. namespace:
  5455. description: |-
  5456. The namespace of the Secret resource being referred to.
  5457. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5458. maxLength: 63
  5459. minLength: 1
  5460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5461. type: string
  5462. type: object
  5463. serviceAccountRef:
  5464. description: |-
  5465. Optional service account field containing the name of a kubernetes ServiceAccount.
  5466. If the service account is specified, the service account secret token JWT will be used
  5467. for authenticating with Vault. If the service account selector is not supplied,
  5468. the secretRef will be used instead.
  5469. properties:
  5470. audiences:
  5471. description: |-
  5472. Audience specifies the `aud` claim for the service account token
  5473. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5474. then this audiences will be appended to the list
  5475. items:
  5476. type: string
  5477. type: array
  5478. name:
  5479. description: The name of the ServiceAccount resource being referred to.
  5480. maxLength: 253
  5481. minLength: 1
  5482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5483. type: string
  5484. namespace:
  5485. description: |-
  5486. Namespace of the resource being referred to.
  5487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5488. maxLength: 63
  5489. minLength: 1
  5490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5491. type: string
  5492. required:
  5493. - name
  5494. type: object
  5495. required:
  5496. - mountPath
  5497. - role
  5498. type: object
  5499. ldap:
  5500. description: |-
  5501. Ldap authenticates with Vault by passing username/password pair using
  5502. the LDAP authentication method
  5503. properties:
  5504. path:
  5505. default: ldap
  5506. description: |-
  5507. Path where the LDAP authentication backend is mounted
  5508. in Vault, e.g: "ldap"
  5509. type: string
  5510. secretRef:
  5511. description: |-
  5512. SecretRef to a key in a Secret resource containing password for the LDAP
  5513. user used to authenticate with Vault using the LDAP authentication
  5514. method
  5515. properties:
  5516. key:
  5517. description: |-
  5518. A key in the referenced Secret.
  5519. Some instances of this field may be defaulted, in others it may be required.
  5520. maxLength: 253
  5521. minLength: 1
  5522. pattern: ^[-._a-zA-Z0-9]+$
  5523. type: string
  5524. name:
  5525. description: The name of the Secret resource being referred to.
  5526. maxLength: 253
  5527. minLength: 1
  5528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5529. type: string
  5530. namespace:
  5531. description: |-
  5532. The namespace of the Secret resource being referred to.
  5533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5534. maxLength: 63
  5535. minLength: 1
  5536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5537. type: string
  5538. type: object
  5539. username:
  5540. description: |-
  5541. Username is an LDAP username used to authenticate using the LDAP Vault
  5542. authentication method
  5543. type: string
  5544. required:
  5545. - path
  5546. - username
  5547. type: object
  5548. namespace:
  5549. description: |-
  5550. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  5551. Namespaces is a set of features within Vault Enterprise that allows
  5552. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  5553. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  5554. This will default to Vault.Namespace field if set, or empty otherwise
  5555. type: string
  5556. tokenSecretRef:
  5557. description: TokenSecretRef authenticates with Vault by presenting a token.
  5558. properties:
  5559. key:
  5560. description: |-
  5561. A key in the referenced Secret.
  5562. Some instances of this field may be defaulted, in others it may be required.
  5563. maxLength: 253
  5564. minLength: 1
  5565. pattern: ^[-._a-zA-Z0-9]+$
  5566. type: string
  5567. name:
  5568. description: The name of the Secret resource being referred to.
  5569. maxLength: 253
  5570. minLength: 1
  5571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5572. type: string
  5573. namespace:
  5574. description: |-
  5575. The namespace of the Secret resource being referred to.
  5576. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5577. maxLength: 63
  5578. minLength: 1
  5579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5580. type: string
  5581. type: object
  5582. userPass:
  5583. description: UserPass authenticates with Vault by passing username/password pair
  5584. properties:
  5585. path:
  5586. default: userpass
  5587. description: |-
  5588. Path where the UserPassword authentication backend is mounted
  5589. in Vault, e.g: "userpass"
  5590. type: string
  5591. secretRef:
  5592. description: |-
  5593. SecretRef to a key in a Secret resource containing password for the
  5594. user used to authenticate with Vault using the UserPass authentication
  5595. method
  5596. properties:
  5597. key:
  5598. description: |-
  5599. A key in the referenced Secret.
  5600. Some instances of this field may be defaulted, in others it may be required.
  5601. maxLength: 253
  5602. minLength: 1
  5603. pattern: ^[-._a-zA-Z0-9]+$
  5604. type: string
  5605. name:
  5606. description: The name of the Secret resource being referred to.
  5607. maxLength: 253
  5608. minLength: 1
  5609. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5610. type: string
  5611. namespace:
  5612. description: |-
  5613. The namespace of the Secret resource being referred to.
  5614. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5615. maxLength: 63
  5616. minLength: 1
  5617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5618. type: string
  5619. type: object
  5620. username:
  5621. description: |-
  5622. Username is a username used to authenticate using the UserPass Vault
  5623. authentication method
  5624. type: string
  5625. required:
  5626. - path
  5627. - username
  5628. type: object
  5629. type: object
  5630. caBundle:
  5631. description: |-
  5632. PEM encoded CA bundle used to validate Vault server certificate. Only used
  5633. if the Server URL is using HTTPS protocol. This parameter is ignored for
  5634. plain HTTP protocol connection. If not set the system root certificates
  5635. are used to validate the TLS connection.
  5636. format: byte
  5637. type: string
  5638. caProvider:
  5639. description: The provider for the CA bundle to use to validate Vault server certificate.
  5640. properties:
  5641. key:
  5642. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5643. maxLength: 253
  5644. minLength: 1
  5645. pattern: ^[-._a-zA-Z0-9]+$
  5646. type: string
  5647. name:
  5648. description: The name of the object located at the provider type.
  5649. maxLength: 253
  5650. minLength: 1
  5651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5652. type: string
  5653. namespace:
  5654. description: |-
  5655. The namespace the Provider type is in.
  5656. Can only be defined when used in a ClusterSecretStore.
  5657. maxLength: 63
  5658. minLength: 1
  5659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5660. type: string
  5661. type:
  5662. description: The type of provider to use such as "Secret", or "ConfigMap".
  5663. enum:
  5664. - Secret
  5665. - ConfigMap
  5666. type: string
  5667. required:
  5668. - name
  5669. - type
  5670. type: object
  5671. forwardInconsistent:
  5672. description: |-
  5673. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  5674. leader instead of simply retrying within a loop. This can increase performance if
  5675. the option is enabled serverside.
  5676. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5677. type: boolean
  5678. headers:
  5679. additionalProperties:
  5680. type: string
  5681. description: Headers to be added in Vault request
  5682. type: object
  5683. namespace:
  5684. description: |-
  5685. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  5686. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  5687. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  5688. type: string
  5689. path:
  5690. description: |-
  5691. Path is the mount path of the Vault KV backend endpoint, e.g:
  5692. "secret". The v2 KV secret engine version specific "/data" path suffix
  5693. for fetching secrets from Vault is optional and will be appended
  5694. if not present in specified path.
  5695. type: string
  5696. readYourWrites:
  5697. description: |-
  5698. ReadYourWrites ensures isolated read-after-write semantics by
  5699. providing discovered cluster replication states in each request.
  5700. More information about eventual consistency in Vault can be found here
  5701. https://www.vaultproject.io/docs/enterprise/consistency
  5702. type: boolean
  5703. server:
  5704. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5705. type: string
  5706. tls:
  5707. description: |-
  5708. The configuration used for client side related TLS communication, when the Vault server
  5709. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  5710. This parameter is ignored for plain HTTP protocol connection.
  5711. It's worth noting this configuration is different from the "TLS certificates auth method",
  5712. which is available under the `auth.cert` section.
  5713. properties:
  5714. certSecretRef:
  5715. description: |-
  5716. CertSecretRef is a certificate added to the transport layer
  5717. when communicating with the Vault server.
  5718. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  5719. properties:
  5720. key:
  5721. description: |-
  5722. A key in the referenced Secret.
  5723. Some instances of this field may be defaulted, in others it may be required.
  5724. maxLength: 253
  5725. minLength: 1
  5726. pattern: ^[-._a-zA-Z0-9]+$
  5727. type: string
  5728. name:
  5729. description: The name of the Secret resource being referred to.
  5730. maxLength: 253
  5731. minLength: 1
  5732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5733. type: string
  5734. namespace:
  5735. description: |-
  5736. The namespace of the Secret resource being referred to.
  5737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5738. maxLength: 63
  5739. minLength: 1
  5740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5741. type: string
  5742. type: object
  5743. keySecretRef:
  5744. description: |-
  5745. KeySecretRef to a key in a Secret resource containing client private key
  5746. added to the transport layer when communicating with the Vault server.
  5747. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  5748. properties:
  5749. key:
  5750. description: |-
  5751. A key in the referenced Secret.
  5752. Some instances of this field may be defaulted, in others it may be required.
  5753. maxLength: 253
  5754. minLength: 1
  5755. pattern: ^[-._a-zA-Z0-9]+$
  5756. type: string
  5757. name:
  5758. description: The name of the Secret resource being referred to.
  5759. maxLength: 253
  5760. minLength: 1
  5761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5762. type: string
  5763. namespace:
  5764. description: |-
  5765. The namespace of the Secret resource being referred to.
  5766. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5767. maxLength: 63
  5768. minLength: 1
  5769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5770. type: string
  5771. type: object
  5772. type: object
  5773. version:
  5774. default: v2
  5775. description: |-
  5776. Version is the Vault KV secret engine version. This can be either "v1" or
  5777. "v2". Version defaults to "v2".
  5778. enum:
  5779. - v1
  5780. - v2
  5781. type: string
  5782. required:
  5783. - server
  5784. type: object
  5785. webhook:
  5786. description: Webhook configures this store to sync secrets using a generic templated webhook
  5787. properties:
  5788. body:
  5789. description: Body
  5790. type: string
  5791. caBundle:
  5792. description: |-
  5793. PEM encoded CA bundle used to validate webhook server certificate. Only used
  5794. if the Server URL is using HTTPS protocol. This parameter is ignored for
  5795. plain HTTP protocol connection. If not set the system root certificates
  5796. are used to validate the TLS connection.
  5797. format: byte
  5798. type: string
  5799. caProvider:
  5800. description: The provider for the CA bundle to use to validate webhook server certificate.
  5801. properties:
  5802. key:
  5803. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5804. maxLength: 253
  5805. minLength: 1
  5806. pattern: ^[-._a-zA-Z0-9]+$
  5807. type: string
  5808. name:
  5809. description: The name of the object located at the provider type.
  5810. maxLength: 253
  5811. minLength: 1
  5812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5813. type: string
  5814. namespace:
  5815. description: The namespace the Provider type is in.
  5816. maxLength: 63
  5817. minLength: 1
  5818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5819. type: string
  5820. type:
  5821. description: The type of provider to use such as "Secret", or "ConfigMap".
  5822. enum:
  5823. - Secret
  5824. - ConfigMap
  5825. type: string
  5826. required:
  5827. - name
  5828. - type
  5829. type: object
  5830. headers:
  5831. additionalProperties:
  5832. type: string
  5833. description: Headers
  5834. type: object
  5835. method:
  5836. description: Webhook Method
  5837. type: string
  5838. result:
  5839. description: Result formatting
  5840. properties:
  5841. jsonPath:
  5842. description: Json path of return value
  5843. type: string
  5844. type: object
  5845. secrets:
  5846. description: |-
  5847. Secrets to fill in templates
  5848. These secrets will be passed to the templating function as key value pairs under the given name
  5849. items:
  5850. properties:
  5851. name:
  5852. description: Name of this secret in templates
  5853. type: string
  5854. secretRef:
  5855. description: Secret ref to fill in credentials
  5856. properties:
  5857. key:
  5858. description: |-
  5859. A key in the referenced Secret.
  5860. Some instances of this field may be defaulted, in others it may be required.
  5861. maxLength: 253
  5862. minLength: 1
  5863. pattern: ^[-._a-zA-Z0-9]+$
  5864. type: string
  5865. name:
  5866. description: The name of the Secret resource being referred to.
  5867. maxLength: 253
  5868. minLength: 1
  5869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5870. type: string
  5871. namespace:
  5872. description: |-
  5873. The namespace of the Secret resource being referred to.
  5874. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5875. maxLength: 63
  5876. minLength: 1
  5877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5878. type: string
  5879. type: object
  5880. required:
  5881. - name
  5882. - secretRef
  5883. type: object
  5884. type: array
  5885. timeout:
  5886. description: Timeout
  5887. type: string
  5888. url:
  5889. description: Webhook url to call
  5890. type: string
  5891. required:
  5892. - result
  5893. - url
  5894. type: object
  5895. yandexcertificatemanager:
  5896. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5897. properties:
  5898. apiEndpoint:
  5899. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5900. type: string
  5901. auth:
  5902. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5903. properties:
  5904. authorizedKeySecretRef:
  5905. description: The authorized key used for authentication
  5906. properties:
  5907. key:
  5908. description: |-
  5909. A key in the referenced Secret.
  5910. Some instances of this field may be defaulted, in others it may be required.
  5911. maxLength: 253
  5912. minLength: 1
  5913. pattern: ^[-._a-zA-Z0-9]+$
  5914. type: string
  5915. name:
  5916. description: The name of the Secret resource being referred to.
  5917. maxLength: 253
  5918. minLength: 1
  5919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5920. type: string
  5921. namespace:
  5922. description: |-
  5923. The namespace of the Secret resource being referred to.
  5924. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5925. maxLength: 63
  5926. minLength: 1
  5927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5928. type: string
  5929. type: object
  5930. type: object
  5931. caProvider:
  5932. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5933. properties:
  5934. certSecretRef:
  5935. description: |-
  5936. A reference to a specific 'key' within a Secret resource.
  5937. In some instances, `key` is a required field.
  5938. properties:
  5939. key:
  5940. description: |-
  5941. A key in the referenced Secret.
  5942. Some instances of this field may be defaulted, in others it may be required.
  5943. maxLength: 253
  5944. minLength: 1
  5945. pattern: ^[-._a-zA-Z0-9]+$
  5946. type: string
  5947. name:
  5948. description: The name of the Secret resource being referred to.
  5949. maxLength: 253
  5950. minLength: 1
  5951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5952. type: string
  5953. namespace:
  5954. description: |-
  5955. The namespace of the Secret resource being referred to.
  5956. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5957. maxLength: 63
  5958. minLength: 1
  5959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5960. type: string
  5961. type: object
  5962. type: object
  5963. required:
  5964. - auth
  5965. type: object
  5966. yandexlockbox:
  5967. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5968. properties:
  5969. apiEndpoint:
  5970. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5971. type: string
  5972. auth:
  5973. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5974. properties:
  5975. authorizedKeySecretRef:
  5976. description: The authorized key used for authentication
  5977. properties:
  5978. key:
  5979. description: |-
  5980. A key in the referenced Secret.
  5981. Some instances of this field may be defaulted, in others it may be required.
  5982. maxLength: 253
  5983. minLength: 1
  5984. pattern: ^[-._a-zA-Z0-9]+$
  5985. type: string
  5986. name:
  5987. description: The name of the Secret resource being referred to.
  5988. maxLength: 253
  5989. minLength: 1
  5990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5991. type: string
  5992. namespace:
  5993. description: |-
  5994. The namespace of the Secret resource being referred to.
  5995. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5996. maxLength: 63
  5997. minLength: 1
  5998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5999. type: string
  6000. type: object
  6001. type: object
  6002. caProvider:
  6003. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  6004. properties:
  6005. certSecretRef:
  6006. description: |-
  6007. A reference to a specific 'key' within a Secret resource.
  6008. In some instances, `key` is a required field.
  6009. properties:
  6010. key:
  6011. description: |-
  6012. A key in the referenced Secret.
  6013. Some instances of this field may be defaulted, in others it may be required.
  6014. maxLength: 253
  6015. minLength: 1
  6016. pattern: ^[-._a-zA-Z0-9]+$
  6017. type: string
  6018. name:
  6019. description: The name of the Secret resource being referred to.
  6020. maxLength: 253
  6021. minLength: 1
  6022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6023. type: string
  6024. namespace:
  6025. description: |-
  6026. The namespace of the Secret resource being referred to.
  6027. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6028. maxLength: 63
  6029. minLength: 1
  6030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6031. type: string
  6032. type: object
  6033. type: object
  6034. required:
  6035. - auth
  6036. type: object
  6037. type: object
  6038. refreshInterval:
  6039. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  6040. type: integer
  6041. retrySettings:
  6042. description: Used to configure http retries if failed
  6043. properties:
  6044. maxRetries:
  6045. format: int32
  6046. type: integer
  6047. retryInterval:
  6048. type: string
  6049. type: object
  6050. required:
  6051. - provider
  6052. type: object
  6053. status:
  6054. description: SecretStoreStatus defines the observed state of the SecretStore.
  6055. properties:
  6056. capabilities:
  6057. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  6058. type: string
  6059. conditions:
  6060. items:
  6061. properties:
  6062. lastTransitionTime:
  6063. format: date-time
  6064. type: string
  6065. message:
  6066. type: string
  6067. reason:
  6068. type: string
  6069. status:
  6070. type: string
  6071. type:
  6072. type: string
  6073. required:
  6074. - status
  6075. - type
  6076. type: object
  6077. type: array
  6078. type: object
  6079. type: object
  6080. served: true
  6081. storage: true
  6082. subresources:
  6083. status: {}
  6084. - additionalPrinterColumns:
  6085. - jsonPath: .metadata.creationTimestamp
  6086. name: AGE
  6087. type: date
  6088. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  6089. name: Status
  6090. type: string
  6091. - jsonPath: .status.capabilities
  6092. name: Capabilities
  6093. type: string
  6094. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  6095. name: Ready
  6096. type: string
  6097. name: v1beta1
  6098. schema:
  6099. openAPIV3Schema:
  6100. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  6101. properties:
  6102. apiVersion:
  6103. description: |-
  6104. APIVersion defines the versioned schema of this representation of an object.
  6105. Servers should convert recognized schemas to the latest internal value, and
  6106. may reject unrecognized values.
  6107. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  6108. type: string
  6109. kind:
  6110. description: |-
  6111. Kind is a string value representing the REST resource this object represents.
  6112. Servers may infer this from the endpoint the client submits requests to.
  6113. Cannot be updated.
  6114. In CamelCase.
  6115. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  6116. type: string
  6117. metadata:
  6118. type: object
  6119. spec:
  6120. description: SecretStoreSpec defines the desired state of SecretStore.
  6121. properties:
  6122. conditions:
  6123. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  6124. items:
  6125. description: |-
  6126. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  6127. for a ClusterSecretStore instance.
  6128. properties:
  6129. namespaceRegexes:
  6130. description: Choose namespaces by using regex matching
  6131. items:
  6132. type: string
  6133. type: array
  6134. namespaceSelector:
  6135. description: Choose namespace using a labelSelector
  6136. properties:
  6137. matchExpressions:
  6138. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6139. items:
  6140. description: |-
  6141. A label selector requirement is a selector that contains values, a key, and an operator that
  6142. relates the key and values.
  6143. properties:
  6144. key:
  6145. description: key is the label key that the selector applies to.
  6146. type: string
  6147. operator:
  6148. description: |-
  6149. operator represents a key's relationship to a set of values.
  6150. Valid operators are In, NotIn, Exists and DoesNotExist.
  6151. type: string
  6152. values:
  6153. description: |-
  6154. values is an array of string values. If the operator is In or NotIn,
  6155. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6156. the values array must be empty. This array is replaced during a strategic
  6157. merge patch.
  6158. items:
  6159. type: string
  6160. type: array
  6161. x-kubernetes-list-type: atomic
  6162. required:
  6163. - key
  6164. - operator
  6165. type: object
  6166. type: array
  6167. x-kubernetes-list-type: atomic
  6168. matchLabels:
  6169. additionalProperties:
  6170. type: string
  6171. description: |-
  6172. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6173. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6174. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6175. type: object
  6176. type: object
  6177. x-kubernetes-map-type: atomic
  6178. namespaces:
  6179. description: Choose namespaces by name
  6180. items:
  6181. maxLength: 63
  6182. minLength: 1
  6183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6184. type: string
  6185. type: array
  6186. type: object
  6187. type: array
  6188. controller:
  6189. description: |-
  6190. Used to select the correct ESO controller (think: ingress.ingressClassName)
  6191. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  6192. type: string
  6193. provider:
  6194. description: Used to configure the provider. Only one provider may be set
  6195. maxProperties: 1
  6196. minProperties: 1
  6197. properties:
  6198. akeyless:
  6199. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  6200. properties:
  6201. akeylessGWApiURL:
  6202. description: Akeyless GW API Url from which the secrets to be fetched from.
  6203. type: string
  6204. authSecretRef:
  6205. description: Auth configures how the operator authenticates with Akeyless.
  6206. properties:
  6207. kubernetesAuth:
  6208. description: |-
  6209. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  6210. token stored in the named Secret resource.
  6211. properties:
  6212. accessID:
  6213. description: the Akeyless Kubernetes auth-method access-id
  6214. type: string
  6215. k8sConfName:
  6216. description: Kubernetes-auth configuration name in Akeyless-Gateway
  6217. type: string
  6218. secretRef:
  6219. description: |-
  6220. Optional secret field containing a Kubernetes ServiceAccount JWT used
  6221. for authenticating with Akeyless. If a name is specified without a key,
  6222. `token` is the default. If one is not specified, the one bound to
  6223. the controller will be used.
  6224. properties:
  6225. key:
  6226. description: |-
  6227. A key in the referenced Secret.
  6228. Some instances of this field may be defaulted, in others it may be required.
  6229. maxLength: 253
  6230. minLength: 1
  6231. pattern: ^[-._a-zA-Z0-9]+$
  6232. type: string
  6233. name:
  6234. description: The name of the Secret resource being referred to.
  6235. maxLength: 253
  6236. minLength: 1
  6237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6238. type: string
  6239. namespace:
  6240. description: |-
  6241. The namespace of the Secret resource being referred to.
  6242. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6243. maxLength: 63
  6244. minLength: 1
  6245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6246. type: string
  6247. type: object
  6248. serviceAccountRef:
  6249. description: |-
  6250. Optional service account field containing the name of a kubernetes ServiceAccount.
  6251. If the service account is specified, the service account secret token JWT will be used
  6252. for authenticating with Akeyless. If the service account selector is not supplied,
  6253. the secretRef will be used instead.
  6254. properties:
  6255. audiences:
  6256. description: |-
  6257. Audience specifies the `aud` claim for the service account token
  6258. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6259. then this audiences will be appended to the list
  6260. items:
  6261. type: string
  6262. type: array
  6263. name:
  6264. description: The name of the ServiceAccount resource being referred to.
  6265. maxLength: 253
  6266. minLength: 1
  6267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6268. type: string
  6269. namespace:
  6270. description: |-
  6271. Namespace of the resource being referred to.
  6272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6273. maxLength: 63
  6274. minLength: 1
  6275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6276. type: string
  6277. required:
  6278. - name
  6279. type: object
  6280. required:
  6281. - accessID
  6282. - k8sConfName
  6283. type: object
  6284. secretRef:
  6285. description: |-
  6286. Reference to a Secret that contains the details
  6287. to authenticate with Akeyless.
  6288. properties:
  6289. accessID:
  6290. description: The SecretAccessID is used for authentication
  6291. properties:
  6292. key:
  6293. description: |-
  6294. A key in the referenced Secret.
  6295. Some instances of this field may be defaulted, in others it may be required.
  6296. maxLength: 253
  6297. minLength: 1
  6298. pattern: ^[-._a-zA-Z0-9]+$
  6299. type: string
  6300. name:
  6301. description: The name of the Secret resource being referred to.
  6302. maxLength: 253
  6303. minLength: 1
  6304. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6305. type: string
  6306. namespace:
  6307. description: |-
  6308. The namespace of the Secret resource being referred to.
  6309. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6310. maxLength: 63
  6311. minLength: 1
  6312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6313. type: string
  6314. type: object
  6315. accessType:
  6316. description: |-
  6317. A reference to a specific 'key' within a Secret resource.
  6318. In some instances, `key` is a required field.
  6319. properties:
  6320. key:
  6321. description: |-
  6322. A key in the referenced Secret.
  6323. Some instances of this field may be defaulted, in others it may be required.
  6324. maxLength: 253
  6325. minLength: 1
  6326. pattern: ^[-._a-zA-Z0-9]+$
  6327. type: string
  6328. name:
  6329. description: The name of the Secret resource being referred to.
  6330. maxLength: 253
  6331. minLength: 1
  6332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6333. type: string
  6334. namespace:
  6335. description: |-
  6336. The namespace of the Secret resource being referred to.
  6337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6338. maxLength: 63
  6339. minLength: 1
  6340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6341. type: string
  6342. type: object
  6343. accessTypeParam:
  6344. description: |-
  6345. A reference to a specific 'key' within a Secret resource.
  6346. In some instances, `key` is a required field.
  6347. properties:
  6348. key:
  6349. description: |-
  6350. A key in the referenced Secret.
  6351. Some instances of this field may be defaulted, in others it may be required.
  6352. maxLength: 253
  6353. minLength: 1
  6354. pattern: ^[-._a-zA-Z0-9]+$
  6355. type: string
  6356. name:
  6357. description: The name of the Secret resource being referred to.
  6358. maxLength: 253
  6359. minLength: 1
  6360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6361. type: string
  6362. namespace:
  6363. description: |-
  6364. The namespace of the Secret resource being referred to.
  6365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6366. maxLength: 63
  6367. minLength: 1
  6368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6369. type: string
  6370. type: object
  6371. type: object
  6372. type: object
  6373. caBundle:
  6374. description: |-
  6375. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  6376. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  6377. are used to validate the TLS connection.
  6378. format: byte
  6379. type: string
  6380. caProvider:
  6381. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  6382. properties:
  6383. key:
  6384. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6385. maxLength: 253
  6386. minLength: 1
  6387. pattern: ^[-._a-zA-Z0-9]+$
  6388. type: string
  6389. name:
  6390. description: The name of the object located at the provider type.
  6391. maxLength: 253
  6392. minLength: 1
  6393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6394. type: string
  6395. namespace:
  6396. description: |-
  6397. The namespace the Provider type is in.
  6398. Can only be defined when used in a ClusterSecretStore.
  6399. maxLength: 63
  6400. minLength: 1
  6401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6402. type: string
  6403. type:
  6404. description: The type of provider to use such as "Secret", or "ConfigMap".
  6405. enum:
  6406. - Secret
  6407. - ConfigMap
  6408. type: string
  6409. required:
  6410. - name
  6411. - type
  6412. type: object
  6413. required:
  6414. - akeylessGWApiURL
  6415. - authSecretRef
  6416. type: object
  6417. alibaba:
  6418. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  6419. properties:
  6420. auth:
  6421. description: AlibabaAuth contains a secretRef for credentials.
  6422. properties:
  6423. rrsa:
  6424. description: Authenticate against Alibaba using RRSA.
  6425. properties:
  6426. oidcProviderArn:
  6427. type: string
  6428. oidcTokenFilePath:
  6429. type: string
  6430. roleArn:
  6431. type: string
  6432. sessionName:
  6433. type: string
  6434. required:
  6435. - oidcProviderArn
  6436. - oidcTokenFilePath
  6437. - roleArn
  6438. - sessionName
  6439. type: object
  6440. secretRef:
  6441. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  6442. properties:
  6443. accessKeyIDSecretRef:
  6444. description: The AccessKeyID is used for authentication
  6445. properties:
  6446. key:
  6447. description: |-
  6448. A key in the referenced Secret.
  6449. Some instances of this field may be defaulted, in others it may be required.
  6450. maxLength: 253
  6451. minLength: 1
  6452. pattern: ^[-._a-zA-Z0-9]+$
  6453. type: string
  6454. name:
  6455. description: The name of the Secret resource being referred to.
  6456. maxLength: 253
  6457. minLength: 1
  6458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6459. type: string
  6460. namespace:
  6461. description: |-
  6462. The namespace of the Secret resource being referred to.
  6463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6464. maxLength: 63
  6465. minLength: 1
  6466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6467. type: string
  6468. type: object
  6469. accessKeySecretSecretRef:
  6470. description: The AccessKeySecret is used for authentication
  6471. properties:
  6472. key:
  6473. description: |-
  6474. A key in the referenced Secret.
  6475. Some instances of this field may be defaulted, in others it may be required.
  6476. maxLength: 253
  6477. minLength: 1
  6478. pattern: ^[-._a-zA-Z0-9]+$
  6479. type: string
  6480. name:
  6481. description: The name of the Secret resource being referred to.
  6482. maxLength: 253
  6483. minLength: 1
  6484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6485. type: string
  6486. namespace:
  6487. description: |-
  6488. The namespace of the Secret resource being referred to.
  6489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6490. maxLength: 63
  6491. minLength: 1
  6492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6493. type: string
  6494. type: object
  6495. required:
  6496. - accessKeyIDSecretRef
  6497. - accessKeySecretSecretRef
  6498. type: object
  6499. type: object
  6500. regionID:
  6501. description: Alibaba Region to be used for the provider
  6502. type: string
  6503. required:
  6504. - auth
  6505. - regionID
  6506. type: object
  6507. aws:
  6508. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  6509. properties:
  6510. additionalRoles:
  6511. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  6512. items:
  6513. type: string
  6514. type: array
  6515. auth:
  6516. description: |-
  6517. Auth defines the information necessary to authenticate against AWS
  6518. if not set aws sdk will infer credentials from your environment
  6519. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  6520. properties:
  6521. jwt:
  6522. description: Authenticate against AWS using service account tokens.
  6523. properties:
  6524. serviceAccountRef:
  6525. description: A reference to a ServiceAccount resource.
  6526. properties:
  6527. audiences:
  6528. description: |-
  6529. Audience specifies the `aud` claim for the service account token
  6530. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6531. then this audiences will be appended to the list
  6532. items:
  6533. type: string
  6534. type: array
  6535. name:
  6536. description: The name of the ServiceAccount resource being referred to.
  6537. maxLength: 253
  6538. minLength: 1
  6539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6540. type: string
  6541. namespace:
  6542. description: |-
  6543. Namespace of the resource being referred to.
  6544. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6545. maxLength: 63
  6546. minLength: 1
  6547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6548. type: string
  6549. required:
  6550. - name
  6551. type: object
  6552. type: object
  6553. secretRef:
  6554. description: |-
  6555. AWSAuthSecretRef holds secret references for AWS credentials
  6556. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  6557. properties:
  6558. accessKeyIDSecretRef:
  6559. description: The AccessKeyID is used for authentication
  6560. properties:
  6561. key:
  6562. description: |-
  6563. A key in the referenced Secret.
  6564. Some instances of this field may be defaulted, in others it may be required.
  6565. maxLength: 253
  6566. minLength: 1
  6567. pattern: ^[-._a-zA-Z0-9]+$
  6568. type: string
  6569. name:
  6570. description: The name of the Secret resource being referred to.
  6571. maxLength: 253
  6572. minLength: 1
  6573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6574. type: string
  6575. namespace:
  6576. description: |-
  6577. The namespace of the Secret resource being referred to.
  6578. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6579. maxLength: 63
  6580. minLength: 1
  6581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6582. type: string
  6583. type: object
  6584. secretAccessKeySecretRef:
  6585. description: The SecretAccessKey is used for authentication
  6586. properties:
  6587. key:
  6588. description: |-
  6589. A key in the referenced Secret.
  6590. Some instances of this field may be defaulted, in others it may be required.
  6591. maxLength: 253
  6592. minLength: 1
  6593. pattern: ^[-._a-zA-Z0-9]+$
  6594. type: string
  6595. name:
  6596. description: The name of the Secret resource being referred to.
  6597. maxLength: 253
  6598. minLength: 1
  6599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6600. type: string
  6601. namespace:
  6602. description: |-
  6603. The namespace of the Secret resource being referred to.
  6604. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6605. maxLength: 63
  6606. minLength: 1
  6607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6608. type: string
  6609. type: object
  6610. sessionTokenSecretRef:
  6611. description: |-
  6612. The SessionToken used for authentication
  6613. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  6614. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  6615. properties:
  6616. key:
  6617. description: |-
  6618. A key in the referenced Secret.
  6619. Some instances of this field may be defaulted, in others it may be required.
  6620. maxLength: 253
  6621. minLength: 1
  6622. pattern: ^[-._a-zA-Z0-9]+$
  6623. type: string
  6624. name:
  6625. description: The name of the Secret resource being referred to.
  6626. maxLength: 253
  6627. minLength: 1
  6628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6629. type: string
  6630. namespace:
  6631. description: |-
  6632. The namespace of the Secret resource being referred to.
  6633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6634. maxLength: 63
  6635. minLength: 1
  6636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6637. type: string
  6638. type: object
  6639. type: object
  6640. type: object
  6641. externalID:
  6642. description: AWS External ID set on assumed IAM roles
  6643. type: string
  6644. prefix:
  6645. description: Prefix adds a prefix to all retrieved values.
  6646. type: string
  6647. region:
  6648. description: AWS Region to be used for the provider
  6649. type: string
  6650. role:
  6651. description: Role is a Role ARN which the provider will assume
  6652. type: string
  6653. secretsManager:
  6654. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  6655. properties:
  6656. forceDeleteWithoutRecovery:
  6657. description: |-
  6658. Specifies whether to delete the secret without any recovery window. You
  6659. can't use both this parameter and RecoveryWindowInDays in the same call.
  6660. If you don't use either, then by default Secrets Manager uses a 30 day
  6661. recovery window.
  6662. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  6663. type: boolean
  6664. recoveryWindowInDays:
  6665. description: |-
  6666. The number of days from 7 to 30 that Secrets Manager waits before
  6667. permanently deleting the secret. You can't use both this parameter and
  6668. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  6669. then by default Secrets Manager uses a 30 day recovery window.
  6670. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  6671. format: int64
  6672. type: integer
  6673. type: object
  6674. service:
  6675. description: Service defines which service should be used to fetch the secrets
  6676. enum:
  6677. - SecretsManager
  6678. - ParameterStore
  6679. type: string
  6680. sessionTags:
  6681. description: AWS STS assume role session tags
  6682. items:
  6683. properties:
  6684. key:
  6685. type: string
  6686. value:
  6687. type: string
  6688. required:
  6689. - key
  6690. - value
  6691. type: object
  6692. type: array
  6693. transitiveTagKeys:
  6694. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  6695. items:
  6696. type: string
  6697. type: array
  6698. required:
  6699. - region
  6700. - service
  6701. type: object
  6702. azurekv:
  6703. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  6704. properties:
  6705. authSecretRef:
  6706. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  6707. properties:
  6708. clientCertificate:
  6709. description: The Azure ClientCertificate of the service principle used for authentication.
  6710. properties:
  6711. key:
  6712. description: |-
  6713. A key in the referenced Secret.
  6714. Some instances of this field may be defaulted, in others it may be required.
  6715. maxLength: 253
  6716. minLength: 1
  6717. pattern: ^[-._a-zA-Z0-9]+$
  6718. type: string
  6719. name:
  6720. description: The name of the Secret resource being referred to.
  6721. maxLength: 253
  6722. minLength: 1
  6723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6724. type: string
  6725. namespace:
  6726. description: |-
  6727. The namespace of the Secret resource being referred to.
  6728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6729. maxLength: 63
  6730. minLength: 1
  6731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6732. type: string
  6733. type: object
  6734. clientId:
  6735. description: The Azure clientId of the service principle or managed identity used for authentication.
  6736. properties:
  6737. key:
  6738. description: |-
  6739. A key in the referenced Secret.
  6740. Some instances of this field may be defaulted, in others it may be required.
  6741. maxLength: 253
  6742. minLength: 1
  6743. pattern: ^[-._a-zA-Z0-9]+$
  6744. type: string
  6745. name:
  6746. description: The name of the Secret resource being referred to.
  6747. maxLength: 253
  6748. minLength: 1
  6749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6750. type: string
  6751. namespace:
  6752. description: |-
  6753. The namespace of the Secret resource being referred to.
  6754. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6755. maxLength: 63
  6756. minLength: 1
  6757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6758. type: string
  6759. type: object
  6760. clientSecret:
  6761. description: The Azure ClientSecret of the service principle used for authentication.
  6762. properties:
  6763. key:
  6764. description: |-
  6765. A key in the referenced Secret.
  6766. Some instances of this field may be defaulted, in others it may be required.
  6767. maxLength: 253
  6768. minLength: 1
  6769. pattern: ^[-._a-zA-Z0-9]+$
  6770. type: string
  6771. name:
  6772. description: The name of the Secret resource being referred to.
  6773. maxLength: 253
  6774. minLength: 1
  6775. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6776. type: string
  6777. namespace:
  6778. description: |-
  6779. The namespace of the Secret resource being referred to.
  6780. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6781. maxLength: 63
  6782. minLength: 1
  6783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6784. type: string
  6785. type: object
  6786. tenantId:
  6787. description: The Azure tenantId of the managed identity used for authentication.
  6788. properties:
  6789. key:
  6790. description: |-
  6791. A key in the referenced Secret.
  6792. Some instances of this field may be defaulted, in others it may be required.
  6793. maxLength: 253
  6794. minLength: 1
  6795. pattern: ^[-._a-zA-Z0-9]+$
  6796. type: string
  6797. name:
  6798. description: The name of the Secret resource being referred to.
  6799. maxLength: 253
  6800. minLength: 1
  6801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6802. type: string
  6803. namespace:
  6804. description: |-
  6805. The namespace of the Secret resource being referred to.
  6806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6807. maxLength: 63
  6808. minLength: 1
  6809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6810. type: string
  6811. type: object
  6812. type: object
  6813. authType:
  6814. default: ServicePrincipal
  6815. description: |-
  6816. Auth type defines how to authenticate to the keyvault service.
  6817. Valid values are:
  6818. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  6819. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  6820. enum:
  6821. - ServicePrincipal
  6822. - ManagedIdentity
  6823. - WorkloadIdentity
  6824. type: string
  6825. environmentType:
  6826. default: PublicCloud
  6827. description: |-
  6828. EnvironmentType specifies the Azure cloud environment endpoints to use for
  6829. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  6830. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  6831. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  6832. enum:
  6833. - PublicCloud
  6834. - USGovernmentCloud
  6835. - ChinaCloud
  6836. - GermanCloud
  6837. type: string
  6838. identityId:
  6839. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  6840. type: string
  6841. serviceAccountRef:
  6842. description: |-
  6843. ServiceAccountRef specified the service account
  6844. that should be used when authenticating with WorkloadIdentity.
  6845. properties:
  6846. audiences:
  6847. description: |-
  6848. Audience specifies the `aud` claim for the service account token
  6849. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6850. then this audiences will be appended to the list
  6851. items:
  6852. type: string
  6853. type: array
  6854. name:
  6855. description: The name of the ServiceAccount resource being referred to.
  6856. maxLength: 253
  6857. minLength: 1
  6858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6859. type: string
  6860. namespace:
  6861. description: |-
  6862. Namespace of the resource being referred to.
  6863. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6864. maxLength: 63
  6865. minLength: 1
  6866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6867. type: string
  6868. required:
  6869. - name
  6870. type: object
  6871. tenantId:
  6872. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  6873. type: string
  6874. vaultUrl:
  6875. description: Vault Url from which the secrets to be fetched from.
  6876. type: string
  6877. required:
  6878. - vaultUrl
  6879. type: object
  6880. beyondtrust:
  6881. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  6882. properties:
  6883. auth:
  6884. description: Auth configures how the operator authenticates with Beyondtrust.
  6885. properties:
  6886. apiKey:
  6887. description: APIKey If not provided then ClientID/ClientSecret become required.
  6888. properties:
  6889. secretRef:
  6890. description: SecretRef references a key in a secret that will be used as value.
  6891. properties:
  6892. key:
  6893. description: |-
  6894. A key in the referenced Secret.
  6895. Some instances of this field may be defaulted, in others it may be required.
  6896. maxLength: 253
  6897. minLength: 1
  6898. pattern: ^[-._a-zA-Z0-9]+$
  6899. type: string
  6900. name:
  6901. description: The name of the Secret resource being referred to.
  6902. maxLength: 253
  6903. minLength: 1
  6904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6905. type: string
  6906. namespace:
  6907. description: |-
  6908. The namespace of the Secret resource being referred to.
  6909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6910. maxLength: 63
  6911. minLength: 1
  6912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6913. type: string
  6914. type: object
  6915. value:
  6916. description: Value can be specified directly to set a value without using a secret.
  6917. type: string
  6918. type: object
  6919. certificate:
  6920. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  6921. properties:
  6922. secretRef:
  6923. description: SecretRef references a key in a secret that will be used as value.
  6924. properties:
  6925. key:
  6926. description: |-
  6927. A key in the referenced Secret.
  6928. Some instances of this field may be defaulted, in others it may be required.
  6929. maxLength: 253
  6930. minLength: 1
  6931. pattern: ^[-._a-zA-Z0-9]+$
  6932. type: string
  6933. name:
  6934. description: The name of the Secret resource being referred to.
  6935. maxLength: 253
  6936. minLength: 1
  6937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6938. type: string
  6939. namespace:
  6940. description: |-
  6941. The namespace of the Secret resource being referred to.
  6942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6943. maxLength: 63
  6944. minLength: 1
  6945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6946. type: string
  6947. type: object
  6948. value:
  6949. description: Value can be specified directly to set a value without using a secret.
  6950. type: string
  6951. type: object
  6952. certificateKey:
  6953. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  6954. properties:
  6955. secretRef:
  6956. description: SecretRef references a key in a secret that will be used as value.
  6957. properties:
  6958. key:
  6959. description: |-
  6960. A key in the referenced Secret.
  6961. Some instances of this field may be defaulted, in others it may be required.
  6962. maxLength: 253
  6963. minLength: 1
  6964. pattern: ^[-._a-zA-Z0-9]+$
  6965. type: string
  6966. name:
  6967. description: The name of the Secret resource being referred to.
  6968. maxLength: 253
  6969. minLength: 1
  6970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6971. type: string
  6972. namespace:
  6973. description: |-
  6974. The namespace of the Secret resource being referred to.
  6975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6976. maxLength: 63
  6977. minLength: 1
  6978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6979. type: string
  6980. type: object
  6981. value:
  6982. description: Value can be specified directly to set a value without using a secret.
  6983. type: string
  6984. type: object
  6985. clientId:
  6986. description: ClientID is the API OAuth Client ID.
  6987. properties:
  6988. secretRef:
  6989. description: SecretRef references a key in a secret that will be used as value.
  6990. properties:
  6991. key:
  6992. description: |-
  6993. A key in the referenced Secret.
  6994. Some instances of this field may be defaulted, in others it may be required.
  6995. maxLength: 253
  6996. minLength: 1
  6997. pattern: ^[-._a-zA-Z0-9]+$
  6998. type: string
  6999. name:
  7000. description: The name of the Secret resource being referred to.
  7001. maxLength: 253
  7002. minLength: 1
  7003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7004. type: string
  7005. namespace:
  7006. description: |-
  7007. The namespace of the Secret resource being referred to.
  7008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7009. maxLength: 63
  7010. minLength: 1
  7011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7012. type: string
  7013. type: object
  7014. value:
  7015. description: Value can be specified directly to set a value without using a secret.
  7016. type: string
  7017. type: object
  7018. clientSecret:
  7019. description: ClientSecret is the API OAuth Client Secret.
  7020. properties:
  7021. secretRef:
  7022. description: SecretRef references a key in a secret that will be used as value.
  7023. properties:
  7024. key:
  7025. description: |-
  7026. A key in the referenced Secret.
  7027. Some instances of this field may be defaulted, in others it may be required.
  7028. maxLength: 253
  7029. minLength: 1
  7030. pattern: ^[-._a-zA-Z0-9]+$
  7031. type: string
  7032. name:
  7033. description: The name of the Secret resource being referred to.
  7034. maxLength: 253
  7035. minLength: 1
  7036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7037. type: string
  7038. namespace:
  7039. description: |-
  7040. The namespace of the Secret resource being referred to.
  7041. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7042. maxLength: 63
  7043. minLength: 1
  7044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7045. type: string
  7046. type: object
  7047. value:
  7048. description: Value can be specified directly to set a value without using a secret.
  7049. type: string
  7050. type: object
  7051. type: object
  7052. server:
  7053. description: Auth configures how API server works.
  7054. properties:
  7055. apiUrl:
  7056. type: string
  7057. apiVersion:
  7058. type: string
  7059. clientTimeOutSeconds:
  7060. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  7061. type: integer
  7062. retrievalType:
  7063. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  7064. type: string
  7065. separator:
  7066. description: A character that separates the folder names.
  7067. type: string
  7068. verifyCA:
  7069. type: boolean
  7070. required:
  7071. - apiUrl
  7072. - verifyCA
  7073. type: object
  7074. required:
  7075. - auth
  7076. - server
  7077. type: object
  7078. bitwardensecretsmanager:
  7079. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  7080. properties:
  7081. apiURL:
  7082. type: string
  7083. auth:
  7084. description: |-
  7085. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  7086. Make sure that the token being used has permissions on the given secret.
  7087. properties:
  7088. secretRef:
  7089. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  7090. properties:
  7091. credentials:
  7092. description: AccessToken used for the bitwarden instance.
  7093. properties:
  7094. key:
  7095. description: |-
  7096. A key in the referenced Secret.
  7097. Some instances of this field may be defaulted, in others it may be required.
  7098. maxLength: 253
  7099. minLength: 1
  7100. pattern: ^[-._a-zA-Z0-9]+$
  7101. type: string
  7102. name:
  7103. description: The name of the Secret resource being referred to.
  7104. maxLength: 253
  7105. minLength: 1
  7106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7107. type: string
  7108. namespace:
  7109. description: |-
  7110. The namespace of the Secret resource being referred to.
  7111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7112. maxLength: 63
  7113. minLength: 1
  7114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7115. type: string
  7116. type: object
  7117. required:
  7118. - credentials
  7119. type: object
  7120. required:
  7121. - secretRef
  7122. type: object
  7123. bitwardenServerSDKURL:
  7124. type: string
  7125. caBundle:
  7126. description: |-
  7127. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  7128. can be performed.
  7129. type: string
  7130. caProvider:
  7131. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  7132. properties:
  7133. key:
  7134. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7135. maxLength: 253
  7136. minLength: 1
  7137. pattern: ^[-._a-zA-Z0-9]+$
  7138. type: string
  7139. name:
  7140. description: The name of the object located at the provider type.
  7141. maxLength: 253
  7142. minLength: 1
  7143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7144. type: string
  7145. namespace:
  7146. description: |-
  7147. The namespace the Provider type is in.
  7148. Can only be defined when used in a ClusterSecretStore.
  7149. maxLength: 63
  7150. minLength: 1
  7151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7152. type: string
  7153. type:
  7154. description: The type of provider to use such as "Secret", or "ConfigMap".
  7155. enum:
  7156. - Secret
  7157. - ConfigMap
  7158. type: string
  7159. required:
  7160. - name
  7161. - type
  7162. type: object
  7163. identityURL:
  7164. type: string
  7165. organizationID:
  7166. description: OrganizationID determines which organization this secret store manages.
  7167. type: string
  7168. projectID:
  7169. description: ProjectID determines which project this secret store manages.
  7170. type: string
  7171. required:
  7172. - auth
  7173. - organizationID
  7174. - projectID
  7175. type: object
  7176. chef:
  7177. description: Chef configures this store to sync secrets with chef server
  7178. properties:
  7179. auth:
  7180. description: Auth defines the information necessary to authenticate against chef Server
  7181. properties:
  7182. secretRef:
  7183. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  7184. properties:
  7185. privateKeySecretRef:
  7186. description: SecretKey is the Signing Key in PEM format, used for authentication.
  7187. properties:
  7188. key:
  7189. description: |-
  7190. A key in the referenced Secret.
  7191. Some instances of this field may be defaulted, in others it may be required.
  7192. maxLength: 253
  7193. minLength: 1
  7194. pattern: ^[-._a-zA-Z0-9]+$
  7195. type: string
  7196. name:
  7197. description: The name of the Secret resource being referred to.
  7198. maxLength: 253
  7199. minLength: 1
  7200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7201. type: string
  7202. namespace:
  7203. description: |-
  7204. The namespace of the Secret resource being referred to.
  7205. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7206. maxLength: 63
  7207. minLength: 1
  7208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7209. type: string
  7210. type: object
  7211. required:
  7212. - privateKeySecretRef
  7213. type: object
  7214. required:
  7215. - secretRef
  7216. type: object
  7217. serverUrl:
  7218. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  7219. type: string
  7220. username:
  7221. description: UserName should be the user ID on the chef server
  7222. type: string
  7223. required:
  7224. - auth
  7225. - serverUrl
  7226. - username
  7227. type: object
  7228. cloudrusm:
  7229. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  7230. properties:
  7231. auth:
  7232. description: CSMAuth contains a secretRef for credentials.
  7233. properties:
  7234. secretRef:
  7235. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  7236. properties:
  7237. accessKeyIDSecretRef:
  7238. description: The AccessKeyID is used for authentication
  7239. properties:
  7240. key:
  7241. description: |-
  7242. A key in the referenced Secret.
  7243. Some instances of this field may be defaulted, in others it may be required.
  7244. maxLength: 253
  7245. minLength: 1
  7246. pattern: ^[-._a-zA-Z0-9]+$
  7247. type: string
  7248. name:
  7249. description: The name of the Secret resource being referred to.
  7250. maxLength: 253
  7251. minLength: 1
  7252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7253. type: string
  7254. namespace:
  7255. description: |-
  7256. The namespace of the Secret resource being referred to.
  7257. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7258. maxLength: 63
  7259. minLength: 1
  7260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7261. type: string
  7262. type: object
  7263. accessKeySecretSecretRef:
  7264. description: The AccessKeySecret is used for authentication
  7265. properties:
  7266. key:
  7267. description: |-
  7268. A key in the referenced Secret.
  7269. Some instances of this field may be defaulted, in others it may be required.
  7270. maxLength: 253
  7271. minLength: 1
  7272. pattern: ^[-._a-zA-Z0-9]+$
  7273. type: string
  7274. name:
  7275. description: The name of the Secret resource being referred to.
  7276. maxLength: 253
  7277. minLength: 1
  7278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7279. type: string
  7280. namespace:
  7281. description: |-
  7282. The namespace of the Secret resource being referred to.
  7283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7284. maxLength: 63
  7285. minLength: 1
  7286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7287. type: string
  7288. type: object
  7289. required:
  7290. - accessKeyIDSecretRef
  7291. - accessKeySecretSecretRef
  7292. type: object
  7293. type: object
  7294. projectID:
  7295. description: ProjectID is the project, which the secrets are stored in.
  7296. type: string
  7297. required:
  7298. - auth
  7299. type: object
  7300. conjur:
  7301. description: Conjur configures this store to sync secrets using conjur provider
  7302. properties:
  7303. auth:
  7304. description: Defines authentication settings for connecting to Conjur.
  7305. properties:
  7306. apikey:
  7307. description: Authenticates with Conjur using an API key.
  7308. properties:
  7309. account:
  7310. description: Account is the Conjur organization account name.
  7311. type: string
  7312. apiKeyRef:
  7313. description: |-
  7314. A reference to a specific 'key' containing the Conjur API key
  7315. within a Secret resource. In some instances, `key` is a required field.
  7316. properties:
  7317. key:
  7318. description: |-
  7319. A key in the referenced Secret.
  7320. Some instances of this field may be defaulted, in others it may be required.
  7321. maxLength: 253
  7322. minLength: 1
  7323. pattern: ^[-._a-zA-Z0-9]+$
  7324. type: string
  7325. name:
  7326. description: The name of the Secret resource being referred to.
  7327. maxLength: 253
  7328. minLength: 1
  7329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7330. type: string
  7331. namespace:
  7332. description: |-
  7333. The namespace of the Secret resource being referred to.
  7334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7335. maxLength: 63
  7336. minLength: 1
  7337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7338. type: string
  7339. type: object
  7340. userRef:
  7341. description: |-
  7342. A reference to a specific 'key' containing the Conjur username
  7343. within a Secret resource. In some instances, `key` is a required field.
  7344. properties:
  7345. key:
  7346. description: |-
  7347. A key in the referenced Secret.
  7348. Some instances of this field may be defaulted, in others it may be required.
  7349. maxLength: 253
  7350. minLength: 1
  7351. pattern: ^[-._a-zA-Z0-9]+$
  7352. type: string
  7353. name:
  7354. description: The name of the Secret resource being referred to.
  7355. maxLength: 253
  7356. minLength: 1
  7357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7358. type: string
  7359. namespace:
  7360. description: |-
  7361. The namespace of the Secret resource being referred to.
  7362. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7363. maxLength: 63
  7364. minLength: 1
  7365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7366. type: string
  7367. type: object
  7368. required:
  7369. - account
  7370. - apiKeyRef
  7371. - userRef
  7372. type: object
  7373. jwt:
  7374. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  7375. properties:
  7376. account:
  7377. description: Account is the Conjur organization account name.
  7378. type: string
  7379. hostId:
  7380. description: |-
  7381. Optional HostID for JWT authentication. This may be used depending
  7382. on how the Conjur JWT authenticator policy is configured.
  7383. type: string
  7384. secretRef:
  7385. description: |-
  7386. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7387. authenticate with Conjur using the JWT authentication method.
  7388. properties:
  7389. key:
  7390. description: |-
  7391. A key in the referenced Secret.
  7392. Some instances of this field may be defaulted, in others it may be required.
  7393. maxLength: 253
  7394. minLength: 1
  7395. pattern: ^[-._a-zA-Z0-9]+$
  7396. type: string
  7397. name:
  7398. description: The name of the Secret resource being referred to.
  7399. maxLength: 253
  7400. minLength: 1
  7401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7402. type: string
  7403. namespace:
  7404. description: |-
  7405. The namespace of the Secret resource being referred to.
  7406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7407. maxLength: 63
  7408. minLength: 1
  7409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7410. type: string
  7411. type: object
  7412. serviceAccountRef:
  7413. description: |-
  7414. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  7415. a token for with the `TokenRequest` API.
  7416. properties:
  7417. audiences:
  7418. description: |-
  7419. Audience specifies the `aud` claim for the service account token
  7420. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7421. then this audiences will be appended to the list
  7422. items:
  7423. type: string
  7424. type: array
  7425. name:
  7426. description: The name of the ServiceAccount resource being referred to.
  7427. maxLength: 253
  7428. minLength: 1
  7429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7430. type: string
  7431. namespace:
  7432. description: |-
  7433. Namespace of the resource being referred to.
  7434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7435. maxLength: 63
  7436. minLength: 1
  7437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7438. type: string
  7439. required:
  7440. - name
  7441. type: object
  7442. serviceID:
  7443. description: The conjur authn jwt webservice id
  7444. type: string
  7445. required:
  7446. - account
  7447. - serviceID
  7448. type: object
  7449. type: object
  7450. caBundle:
  7451. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  7452. type: string
  7453. caProvider:
  7454. description: |-
  7455. Used to provide custom certificate authority (CA) certificates
  7456. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  7457. that contains a PEM-encoded certificate.
  7458. properties:
  7459. key:
  7460. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7461. maxLength: 253
  7462. minLength: 1
  7463. pattern: ^[-._a-zA-Z0-9]+$
  7464. type: string
  7465. name:
  7466. description: The name of the object located at the provider type.
  7467. maxLength: 253
  7468. minLength: 1
  7469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7470. type: string
  7471. namespace:
  7472. description: |-
  7473. The namespace the Provider type is in.
  7474. Can only be defined when used in a ClusterSecretStore.
  7475. maxLength: 63
  7476. minLength: 1
  7477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7478. type: string
  7479. type:
  7480. description: The type of provider to use such as "Secret", or "ConfigMap".
  7481. enum:
  7482. - Secret
  7483. - ConfigMap
  7484. type: string
  7485. required:
  7486. - name
  7487. - type
  7488. type: object
  7489. url:
  7490. description: URL is the endpoint of the Conjur instance.
  7491. type: string
  7492. required:
  7493. - auth
  7494. - url
  7495. type: object
  7496. delinea:
  7497. description: |-
  7498. Delinea DevOps Secrets Vault
  7499. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  7500. properties:
  7501. clientId:
  7502. description: ClientID is the non-secret part of the credential.
  7503. properties:
  7504. secretRef:
  7505. description: SecretRef references a key in a secret that will be used as value.
  7506. properties:
  7507. key:
  7508. description: |-
  7509. A key in the referenced Secret.
  7510. Some instances of this field may be defaulted, in others it may be required.
  7511. maxLength: 253
  7512. minLength: 1
  7513. pattern: ^[-._a-zA-Z0-9]+$
  7514. type: string
  7515. name:
  7516. description: The name of the Secret resource being referred to.
  7517. maxLength: 253
  7518. minLength: 1
  7519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7520. type: string
  7521. namespace:
  7522. description: |-
  7523. The namespace of the Secret resource being referred to.
  7524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7525. maxLength: 63
  7526. minLength: 1
  7527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7528. type: string
  7529. type: object
  7530. value:
  7531. description: Value can be specified directly to set a value without using a secret.
  7532. type: string
  7533. type: object
  7534. clientSecret:
  7535. description: ClientSecret is the secret part of the credential.
  7536. properties:
  7537. secretRef:
  7538. description: SecretRef references a key in a secret that will be used as value.
  7539. properties:
  7540. key:
  7541. description: |-
  7542. A key in the referenced Secret.
  7543. Some instances of this field may be defaulted, in others it may be required.
  7544. maxLength: 253
  7545. minLength: 1
  7546. pattern: ^[-._a-zA-Z0-9]+$
  7547. type: string
  7548. name:
  7549. description: The name of the Secret resource being referred to.
  7550. maxLength: 253
  7551. minLength: 1
  7552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7553. type: string
  7554. namespace:
  7555. description: |-
  7556. The namespace of the Secret resource being referred to.
  7557. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7558. maxLength: 63
  7559. minLength: 1
  7560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7561. type: string
  7562. type: object
  7563. value:
  7564. description: Value can be specified directly to set a value without using a secret.
  7565. type: string
  7566. type: object
  7567. tenant:
  7568. description: Tenant is the chosen hostname / site name.
  7569. type: string
  7570. tld:
  7571. description: |-
  7572. TLD is based on the server location that was chosen during provisioning.
  7573. If unset, defaults to "com".
  7574. type: string
  7575. urlTemplate:
  7576. description: |-
  7577. URLTemplate
  7578. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  7579. type: string
  7580. required:
  7581. - clientId
  7582. - clientSecret
  7583. - tenant
  7584. type: object
  7585. device42:
  7586. description: Device42 configures this store to sync secrets using the Device42 provider
  7587. properties:
  7588. auth:
  7589. description: Auth configures how secret-manager authenticates with a Device42 instance.
  7590. properties:
  7591. secretRef:
  7592. properties:
  7593. credentials:
  7594. description: Username / Password is used for authentication.
  7595. properties:
  7596. key:
  7597. description: |-
  7598. A key in the referenced Secret.
  7599. Some instances of this field may be defaulted, in others it may be required.
  7600. maxLength: 253
  7601. minLength: 1
  7602. pattern: ^[-._a-zA-Z0-9]+$
  7603. type: string
  7604. name:
  7605. description: The name of the Secret resource being referred to.
  7606. maxLength: 253
  7607. minLength: 1
  7608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7609. type: string
  7610. namespace:
  7611. description: |-
  7612. The namespace of the Secret resource being referred to.
  7613. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7614. maxLength: 63
  7615. minLength: 1
  7616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7617. type: string
  7618. type: object
  7619. type: object
  7620. required:
  7621. - secretRef
  7622. type: object
  7623. host:
  7624. description: URL configures the Device42 instance URL.
  7625. type: string
  7626. required:
  7627. - auth
  7628. - host
  7629. type: object
  7630. doppler:
  7631. description: Doppler configures this store to sync secrets using the Doppler provider
  7632. properties:
  7633. auth:
  7634. description: Auth configures how the Operator authenticates with the Doppler API
  7635. properties:
  7636. secretRef:
  7637. properties:
  7638. dopplerToken:
  7639. description: |-
  7640. The DopplerToken is used for authentication.
  7641. See https://docs.doppler.com/reference/api#authentication for auth token types.
  7642. The Key attribute defaults to dopplerToken if not specified.
  7643. properties:
  7644. key:
  7645. description: |-
  7646. A key in the referenced Secret.
  7647. Some instances of this field may be defaulted, in others it may be required.
  7648. maxLength: 253
  7649. minLength: 1
  7650. pattern: ^[-._a-zA-Z0-9]+$
  7651. type: string
  7652. name:
  7653. description: The name of the Secret resource being referred to.
  7654. maxLength: 253
  7655. minLength: 1
  7656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7657. type: string
  7658. namespace:
  7659. description: |-
  7660. The namespace of the Secret resource being referred to.
  7661. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7662. maxLength: 63
  7663. minLength: 1
  7664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7665. type: string
  7666. type: object
  7667. required:
  7668. - dopplerToken
  7669. type: object
  7670. required:
  7671. - secretRef
  7672. type: object
  7673. config:
  7674. description: Doppler config (required if not using a Service Token)
  7675. type: string
  7676. format:
  7677. description: Format enables the downloading of secrets as a file (string)
  7678. enum:
  7679. - json
  7680. - dotnet-json
  7681. - env
  7682. - yaml
  7683. - docker
  7684. type: string
  7685. nameTransformer:
  7686. description: Environment variable compatible name transforms that change secret names to a different format
  7687. enum:
  7688. - upper-camel
  7689. - camel
  7690. - lower-snake
  7691. - tf-var
  7692. - dotnet-env
  7693. - lower-kebab
  7694. type: string
  7695. project:
  7696. description: Doppler project (required if not using a Service Token)
  7697. type: string
  7698. required:
  7699. - auth
  7700. type: object
  7701. fake:
  7702. description: Fake configures a store with static key/value pairs
  7703. properties:
  7704. data:
  7705. items:
  7706. properties:
  7707. key:
  7708. type: string
  7709. value:
  7710. type: string
  7711. version:
  7712. type: string
  7713. required:
  7714. - key
  7715. - value
  7716. type: object
  7717. type: array
  7718. required:
  7719. - data
  7720. type: object
  7721. fortanix:
  7722. description: Fortanix configures this store to sync secrets using the Fortanix provider
  7723. properties:
  7724. apiKey:
  7725. description: APIKey is the API token to access SDKMS Applications.
  7726. properties:
  7727. secretRef:
  7728. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  7729. properties:
  7730. key:
  7731. description: |-
  7732. A key in the referenced Secret.
  7733. Some instances of this field may be defaulted, in others it may be required.
  7734. maxLength: 253
  7735. minLength: 1
  7736. pattern: ^[-._a-zA-Z0-9]+$
  7737. type: string
  7738. name:
  7739. description: The name of the Secret resource being referred to.
  7740. maxLength: 253
  7741. minLength: 1
  7742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7743. type: string
  7744. namespace:
  7745. description: |-
  7746. The namespace of the Secret resource being referred to.
  7747. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7748. maxLength: 63
  7749. minLength: 1
  7750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7751. type: string
  7752. type: object
  7753. type: object
  7754. apiUrl:
  7755. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  7756. type: string
  7757. type: object
  7758. gcpsm:
  7759. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  7760. properties:
  7761. auth:
  7762. description: Auth defines the information necessary to authenticate against GCP
  7763. properties:
  7764. secretRef:
  7765. properties:
  7766. secretAccessKeySecretRef:
  7767. description: The SecretAccessKey is used for authentication
  7768. properties:
  7769. key:
  7770. description: |-
  7771. A key in the referenced Secret.
  7772. Some instances of this field may be defaulted, in others it may be required.
  7773. maxLength: 253
  7774. minLength: 1
  7775. pattern: ^[-._a-zA-Z0-9]+$
  7776. type: string
  7777. name:
  7778. description: The name of the Secret resource being referred to.
  7779. maxLength: 253
  7780. minLength: 1
  7781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7782. type: string
  7783. namespace:
  7784. description: |-
  7785. The namespace of the Secret resource being referred to.
  7786. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7787. maxLength: 63
  7788. minLength: 1
  7789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7790. type: string
  7791. type: object
  7792. type: object
  7793. workloadIdentity:
  7794. properties:
  7795. clusterLocation:
  7796. description: |-
  7797. ClusterLocation is the location of the cluster
  7798. If not specified, it fetches information from the metadata server
  7799. type: string
  7800. clusterName:
  7801. description: |-
  7802. ClusterName is the name of the cluster
  7803. If not specified, it fetches information from the metadata server
  7804. type: string
  7805. clusterProjectID:
  7806. description: |-
  7807. ClusterProjectID is the project ID of the cluster
  7808. If not specified, it fetches information from the metadata server
  7809. type: string
  7810. serviceAccountRef:
  7811. description: A reference to a ServiceAccount resource.
  7812. properties:
  7813. audiences:
  7814. description: |-
  7815. Audience specifies the `aud` claim for the service account token
  7816. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7817. then this audiences will be appended to the list
  7818. items:
  7819. type: string
  7820. type: array
  7821. name:
  7822. description: The name of the ServiceAccount resource being referred to.
  7823. maxLength: 253
  7824. minLength: 1
  7825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7826. type: string
  7827. namespace:
  7828. description: |-
  7829. Namespace of the resource being referred to.
  7830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7831. maxLength: 63
  7832. minLength: 1
  7833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7834. type: string
  7835. required:
  7836. - name
  7837. type: object
  7838. required:
  7839. - serviceAccountRef
  7840. type: object
  7841. type: object
  7842. location:
  7843. description: Location optionally defines a location for a secret
  7844. type: string
  7845. projectID:
  7846. description: ProjectID project where secret is located
  7847. type: string
  7848. type: object
  7849. github:
  7850. description: Github configures this store to push Github Action secrets using Github API provider
  7851. properties:
  7852. appID:
  7853. description: appID specifies the Github APP that will be used to authenticate the client
  7854. format: int64
  7855. type: integer
  7856. auth:
  7857. description: auth configures how secret-manager authenticates with a Github instance.
  7858. properties:
  7859. privateKey:
  7860. description: |-
  7861. A reference to a specific 'key' within a Secret resource.
  7862. In some instances, `key` is a required field.
  7863. properties:
  7864. key:
  7865. description: |-
  7866. A key in the referenced Secret.
  7867. Some instances of this field may be defaulted, in others it may be required.
  7868. maxLength: 253
  7869. minLength: 1
  7870. pattern: ^[-._a-zA-Z0-9]+$
  7871. type: string
  7872. name:
  7873. description: The name of the Secret resource being referred to.
  7874. maxLength: 253
  7875. minLength: 1
  7876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7877. type: string
  7878. namespace:
  7879. description: |-
  7880. The namespace of the Secret resource being referred to.
  7881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7882. maxLength: 63
  7883. minLength: 1
  7884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7885. type: string
  7886. type: object
  7887. required:
  7888. - privateKey
  7889. type: object
  7890. environment:
  7891. description: environment will be used to fetch secrets from a particular environment within a github repository
  7892. type: string
  7893. installationID:
  7894. description: installationID specifies the Github APP installation that will be used to authenticate the client
  7895. format: int64
  7896. type: integer
  7897. organization:
  7898. description: organization will be used to fetch secrets from the Github organization
  7899. type: string
  7900. repository:
  7901. description: repository will be used to fetch secrets from the Github repository within an organization
  7902. type: string
  7903. uploadURL:
  7904. description: Upload URL for enterprise instances. Default to URL.
  7905. type: string
  7906. url:
  7907. default: https://github.com/
  7908. description: URL configures the Github instance URL. Defaults to https://github.com/.
  7909. type: string
  7910. required:
  7911. - appID
  7912. - auth
  7913. - installationID
  7914. - organization
  7915. type: object
  7916. gitlab:
  7917. description: GitLab configures this store to sync secrets using GitLab Variables provider
  7918. properties:
  7919. auth:
  7920. description: Auth configures how secret-manager authenticates with a GitLab instance.
  7921. properties:
  7922. SecretRef:
  7923. properties:
  7924. accessToken:
  7925. description: AccessToken is used for authentication.
  7926. properties:
  7927. key:
  7928. description: |-
  7929. A key in the referenced Secret.
  7930. Some instances of this field may be defaulted, in others it may be required.
  7931. maxLength: 253
  7932. minLength: 1
  7933. pattern: ^[-._a-zA-Z0-9]+$
  7934. type: string
  7935. name:
  7936. description: The name of the Secret resource being referred to.
  7937. maxLength: 253
  7938. minLength: 1
  7939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7940. type: string
  7941. namespace:
  7942. description: |-
  7943. The namespace of the Secret resource being referred to.
  7944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7945. maxLength: 63
  7946. minLength: 1
  7947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7948. type: string
  7949. type: object
  7950. type: object
  7951. required:
  7952. - SecretRef
  7953. type: object
  7954. environment:
  7955. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  7956. type: string
  7957. groupIDs:
  7958. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  7959. items:
  7960. type: string
  7961. type: array
  7962. inheritFromGroups:
  7963. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  7964. type: boolean
  7965. projectID:
  7966. description: ProjectID specifies a project where secrets are located.
  7967. type: string
  7968. url:
  7969. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  7970. type: string
  7971. required:
  7972. - auth
  7973. type: object
  7974. ibm:
  7975. description: IBM configures this store to sync secrets using IBM Cloud provider
  7976. properties:
  7977. auth:
  7978. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  7979. maxProperties: 1
  7980. minProperties: 1
  7981. properties:
  7982. containerAuth:
  7983. description: IBM Container-based auth with IAM Trusted Profile.
  7984. properties:
  7985. iamEndpoint:
  7986. type: string
  7987. profile:
  7988. description: the IBM Trusted Profile
  7989. type: string
  7990. tokenLocation:
  7991. description: Location the token is mounted on the pod
  7992. type: string
  7993. required:
  7994. - profile
  7995. type: object
  7996. secretRef:
  7997. properties:
  7998. secretApiKeySecretRef:
  7999. description: The SecretAccessKey is used for authentication
  8000. properties:
  8001. key:
  8002. description: |-
  8003. A key in the referenced Secret.
  8004. Some instances of this field may be defaulted, in others it may be required.
  8005. maxLength: 253
  8006. minLength: 1
  8007. pattern: ^[-._a-zA-Z0-9]+$
  8008. type: string
  8009. name:
  8010. description: The name of the Secret resource being referred to.
  8011. maxLength: 253
  8012. minLength: 1
  8013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8014. type: string
  8015. namespace:
  8016. description: |-
  8017. The namespace of the Secret resource being referred to.
  8018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8019. maxLength: 63
  8020. minLength: 1
  8021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8022. type: string
  8023. type: object
  8024. type: object
  8025. type: object
  8026. serviceUrl:
  8027. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  8028. type: string
  8029. required:
  8030. - auth
  8031. type: object
  8032. infisical:
  8033. description: Infisical configures this store to sync secrets using the Infisical provider
  8034. properties:
  8035. auth:
  8036. description: Auth configures how the Operator authenticates with the Infisical API
  8037. properties:
  8038. universalAuthCredentials:
  8039. properties:
  8040. clientId:
  8041. description: |-
  8042. A reference to a specific 'key' within a Secret resource.
  8043. In some instances, `key` is a required field.
  8044. properties:
  8045. key:
  8046. description: |-
  8047. A key in the referenced Secret.
  8048. Some instances of this field may be defaulted, in others it may be required.
  8049. maxLength: 253
  8050. minLength: 1
  8051. pattern: ^[-._a-zA-Z0-9]+$
  8052. type: string
  8053. name:
  8054. description: The name of the Secret resource being referred to.
  8055. maxLength: 253
  8056. minLength: 1
  8057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8058. type: string
  8059. namespace:
  8060. description: |-
  8061. The namespace of the Secret resource being referred to.
  8062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8063. maxLength: 63
  8064. minLength: 1
  8065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8066. type: string
  8067. type: object
  8068. clientSecret:
  8069. description: |-
  8070. A reference to a specific 'key' within a Secret resource.
  8071. In some instances, `key` is a required field.
  8072. properties:
  8073. key:
  8074. description: |-
  8075. A key in the referenced Secret.
  8076. Some instances of this field may be defaulted, in others it may be required.
  8077. maxLength: 253
  8078. minLength: 1
  8079. pattern: ^[-._a-zA-Z0-9]+$
  8080. type: string
  8081. name:
  8082. description: The name of the Secret resource being referred to.
  8083. maxLength: 253
  8084. minLength: 1
  8085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8086. type: string
  8087. namespace:
  8088. description: |-
  8089. The namespace of the Secret resource being referred to.
  8090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8091. maxLength: 63
  8092. minLength: 1
  8093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8094. type: string
  8095. type: object
  8096. required:
  8097. - clientId
  8098. - clientSecret
  8099. type: object
  8100. type: object
  8101. hostAPI:
  8102. default: https://app.infisical.com/api
  8103. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  8104. type: string
  8105. secretsScope:
  8106. description: SecretsScope defines the scope of the secrets within the workspace
  8107. properties:
  8108. environmentSlug:
  8109. description: EnvironmentSlug is the required slug identifier for the environment.
  8110. type: string
  8111. expandSecretReferences:
  8112. default: true
  8113. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  8114. type: boolean
  8115. projectSlug:
  8116. description: ProjectSlug is the required slug identifier for the project.
  8117. type: string
  8118. recursive:
  8119. default: false
  8120. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  8121. type: boolean
  8122. secretsPath:
  8123. default: /
  8124. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  8125. type: string
  8126. required:
  8127. - environmentSlug
  8128. - projectSlug
  8129. type: object
  8130. required:
  8131. - auth
  8132. - secretsScope
  8133. type: object
  8134. keepersecurity:
  8135. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  8136. properties:
  8137. authRef:
  8138. description: |-
  8139. A reference to a specific 'key' within a Secret resource.
  8140. In some instances, `key` is a required field.
  8141. properties:
  8142. key:
  8143. description: |-
  8144. A key in the referenced Secret.
  8145. Some instances of this field may be defaulted, in others it may be required.
  8146. maxLength: 253
  8147. minLength: 1
  8148. pattern: ^[-._a-zA-Z0-9]+$
  8149. type: string
  8150. name:
  8151. description: The name of the Secret resource being referred to.
  8152. maxLength: 253
  8153. minLength: 1
  8154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8155. type: string
  8156. namespace:
  8157. description: |-
  8158. The namespace of the Secret resource being referred to.
  8159. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8160. maxLength: 63
  8161. minLength: 1
  8162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8163. type: string
  8164. type: object
  8165. folderID:
  8166. type: string
  8167. required:
  8168. - authRef
  8169. - folderID
  8170. type: object
  8171. kubernetes:
  8172. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  8173. properties:
  8174. auth:
  8175. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  8176. maxProperties: 1
  8177. minProperties: 1
  8178. properties:
  8179. cert:
  8180. description: has both clientCert and clientKey as secretKeySelector
  8181. properties:
  8182. clientCert:
  8183. description: |-
  8184. A reference to a specific 'key' within a Secret resource.
  8185. In some instances, `key` is a required field.
  8186. properties:
  8187. key:
  8188. description: |-
  8189. A key in the referenced Secret.
  8190. Some instances of this field may be defaulted, in others it may be required.
  8191. maxLength: 253
  8192. minLength: 1
  8193. pattern: ^[-._a-zA-Z0-9]+$
  8194. type: string
  8195. name:
  8196. description: The name of the Secret resource being referred to.
  8197. maxLength: 253
  8198. minLength: 1
  8199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8200. type: string
  8201. namespace:
  8202. description: |-
  8203. The namespace of the Secret resource being referred to.
  8204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8205. maxLength: 63
  8206. minLength: 1
  8207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8208. type: string
  8209. type: object
  8210. clientKey:
  8211. description: |-
  8212. A reference to a specific 'key' within a Secret resource.
  8213. In some instances, `key` is a required field.
  8214. properties:
  8215. key:
  8216. description: |-
  8217. A key in the referenced Secret.
  8218. Some instances of this field may be defaulted, in others it may be required.
  8219. maxLength: 253
  8220. minLength: 1
  8221. pattern: ^[-._a-zA-Z0-9]+$
  8222. type: string
  8223. name:
  8224. description: The name of the Secret resource being referred to.
  8225. maxLength: 253
  8226. minLength: 1
  8227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8228. type: string
  8229. namespace:
  8230. description: |-
  8231. The namespace of the Secret resource being referred to.
  8232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8233. maxLength: 63
  8234. minLength: 1
  8235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8236. type: string
  8237. type: object
  8238. type: object
  8239. serviceAccount:
  8240. description: points to a service account that should be used for authentication
  8241. properties:
  8242. audiences:
  8243. description: |-
  8244. Audience specifies the `aud` claim for the service account token
  8245. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8246. then this audiences will be appended to the list
  8247. items:
  8248. type: string
  8249. type: array
  8250. name:
  8251. description: The name of the ServiceAccount resource being referred to.
  8252. maxLength: 253
  8253. minLength: 1
  8254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8255. type: string
  8256. namespace:
  8257. description: |-
  8258. Namespace of the resource being referred to.
  8259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8260. maxLength: 63
  8261. minLength: 1
  8262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8263. type: string
  8264. required:
  8265. - name
  8266. type: object
  8267. token:
  8268. description: use static token to authenticate with
  8269. properties:
  8270. bearerToken:
  8271. description: |-
  8272. A reference to a specific 'key' within a Secret resource.
  8273. In some instances, `key` is a required field.
  8274. properties:
  8275. key:
  8276. description: |-
  8277. A key in the referenced Secret.
  8278. Some instances of this field may be defaulted, in others it may be required.
  8279. maxLength: 253
  8280. minLength: 1
  8281. pattern: ^[-._a-zA-Z0-9]+$
  8282. type: string
  8283. name:
  8284. description: The name of the Secret resource being referred to.
  8285. maxLength: 253
  8286. minLength: 1
  8287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8288. type: string
  8289. namespace:
  8290. description: |-
  8291. The namespace of the Secret resource being referred to.
  8292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8293. maxLength: 63
  8294. minLength: 1
  8295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8296. type: string
  8297. type: object
  8298. type: object
  8299. type: object
  8300. authRef:
  8301. description: A reference to a secret that contains the auth information.
  8302. properties:
  8303. key:
  8304. description: |-
  8305. A key in the referenced Secret.
  8306. Some instances of this field may be defaulted, in others it may be required.
  8307. maxLength: 253
  8308. minLength: 1
  8309. pattern: ^[-._a-zA-Z0-9]+$
  8310. type: string
  8311. name:
  8312. description: The name of the Secret resource being referred to.
  8313. maxLength: 253
  8314. minLength: 1
  8315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8316. type: string
  8317. namespace:
  8318. description: |-
  8319. The namespace of the Secret resource being referred to.
  8320. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8321. maxLength: 63
  8322. minLength: 1
  8323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8324. type: string
  8325. type: object
  8326. remoteNamespace:
  8327. default: default
  8328. description: Remote namespace to fetch the secrets from
  8329. maxLength: 63
  8330. minLength: 1
  8331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8332. type: string
  8333. server:
  8334. description: configures the Kubernetes server Address.
  8335. properties:
  8336. caBundle:
  8337. description: CABundle is a base64-encoded CA certificate
  8338. format: byte
  8339. type: string
  8340. caProvider:
  8341. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  8342. properties:
  8343. key:
  8344. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8345. maxLength: 253
  8346. minLength: 1
  8347. pattern: ^[-._a-zA-Z0-9]+$
  8348. type: string
  8349. name:
  8350. description: The name of the object located at the provider type.
  8351. maxLength: 253
  8352. minLength: 1
  8353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8354. type: string
  8355. namespace:
  8356. description: |-
  8357. The namespace the Provider type is in.
  8358. Can only be defined when used in a ClusterSecretStore.
  8359. maxLength: 63
  8360. minLength: 1
  8361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8362. type: string
  8363. type:
  8364. description: The type of provider to use such as "Secret", or "ConfigMap".
  8365. enum:
  8366. - Secret
  8367. - ConfigMap
  8368. type: string
  8369. required:
  8370. - name
  8371. - type
  8372. type: object
  8373. url:
  8374. default: kubernetes.default
  8375. description: configures the Kubernetes server Address.
  8376. type: string
  8377. type: object
  8378. type: object
  8379. onboardbase:
  8380. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  8381. properties:
  8382. apiHost:
  8383. default: https://public.onboardbase.com/api/v1/
  8384. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  8385. type: string
  8386. auth:
  8387. description: Auth configures how the Operator authenticates with the Onboardbase API
  8388. properties:
  8389. apiKeyRef:
  8390. description: |-
  8391. OnboardbaseAPIKey is the APIKey generated by an admin account.
  8392. It is used to recognize and authorize access to a project and environment within onboardbase
  8393. properties:
  8394. key:
  8395. description: |-
  8396. A key in the referenced Secret.
  8397. Some instances of this field may be defaulted, in others it may be required.
  8398. maxLength: 253
  8399. minLength: 1
  8400. pattern: ^[-._a-zA-Z0-9]+$
  8401. type: string
  8402. name:
  8403. description: The name of the Secret resource being referred to.
  8404. maxLength: 253
  8405. minLength: 1
  8406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8407. type: string
  8408. namespace:
  8409. description: |-
  8410. The namespace of the Secret resource being referred to.
  8411. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8412. maxLength: 63
  8413. minLength: 1
  8414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8415. type: string
  8416. type: object
  8417. passcodeRef:
  8418. description: OnboardbasePasscode is the passcode attached to the API Key
  8419. properties:
  8420. key:
  8421. description: |-
  8422. A key in the referenced Secret.
  8423. Some instances of this field may be defaulted, in others it may be required.
  8424. maxLength: 253
  8425. minLength: 1
  8426. pattern: ^[-._a-zA-Z0-9]+$
  8427. type: string
  8428. name:
  8429. description: The name of the Secret resource being referred to.
  8430. maxLength: 253
  8431. minLength: 1
  8432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8433. type: string
  8434. namespace:
  8435. description: |-
  8436. The namespace of the Secret resource being referred to.
  8437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8438. maxLength: 63
  8439. minLength: 1
  8440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8441. type: string
  8442. type: object
  8443. required:
  8444. - apiKeyRef
  8445. - passcodeRef
  8446. type: object
  8447. environment:
  8448. default: development
  8449. description: Environment is the name of an environmnent within a project to pull the secrets from
  8450. type: string
  8451. project:
  8452. default: development
  8453. description: Project is an onboardbase project that the secrets should be pulled from
  8454. type: string
  8455. required:
  8456. - apiHost
  8457. - auth
  8458. - environment
  8459. - project
  8460. type: object
  8461. onepassword:
  8462. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  8463. properties:
  8464. auth:
  8465. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  8466. properties:
  8467. secretRef:
  8468. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  8469. properties:
  8470. connectTokenSecretRef:
  8471. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  8472. properties:
  8473. key:
  8474. description: |-
  8475. A key in the referenced Secret.
  8476. Some instances of this field may be defaulted, in others it may be required.
  8477. maxLength: 253
  8478. minLength: 1
  8479. pattern: ^[-._a-zA-Z0-9]+$
  8480. type: string
  8481. name:
  8482. description: The name of the Secret resource being referred to.
  8483. maxLength: 253
  8484. minLength: 1
  8485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8486. type: string
  8487. namespace:
  8488. description: |-
  8489. The namespace of the Secret resource being referred to.
  8490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8491. maxLength: 63
  8492. minLength: 1
  8493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8494. type: string
  8495. type: object
  8496. required:
  8497. - connectTokenSecretRef
  8498. type: object
  8499. required:
  8500. - secretRef
  8501. type: object
  8502. connectHost:
  8503. description: ConnectHost defines the OnePassword Connect Server to connect to
  8504. type: string
  8505. vaults:
  8506. additionalProperties:
  8507. type: integer
  8508. description: Vaults defines which OnePassword vaults to search in which order
  8509. type: object
  8510. required:
  8511. - auth
  8512. - connectHost
  8513. - vaults
  8514. type: object
  8515. oracle:
  8516. description: Oracle configures this store to sync secrets using Oracle Vault provider
  8517. properties:
  8518. auth:
  8519. description: |-
  8520. Auth configures how secret-manager authenticates with the Oracle Vault.
  8521. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  8522. properties:
  8523. secretRef:
  8524. description: SecretRef to pass through sensitive information.
  8525. properties:
  8526. fingerprint:
  8527. description: Fingerprint is the fingerprint of the API private key.
  8528. properties:
  8529. key:
  8530. description: |-
  8531. A key in the referenced Secret.
  8532. Some instances of this field may be defaulted, in others it may be required.
  8533. maxLength: 253
  8534. minLength: 1
  8535. pattern: ^[-._a-zA-Z0-9]+$
  8536. type: string
  8537. name:
  8538. description: The name of the Secret resource being referred to.
  8539. maxLength: 253
  8540. minLength: 1
  8541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8542. type: string
  8543. namespace:
  8544. description: |-
  8545. The namespace of the Secret resource being referred to.
  8546. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8547. maxLength: 63
  8548. minLength: 1
  8549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8550. type: string
  8551. type: object
  8552. privatekey:
  8553. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  8554. properties:
  8555. key:
  8556. description: |-
  8557. A key in the referenced Secret.
  8558. Some instances of this field may be defaulted, in others it may be required.
  8559. maxLength: 253
  8560. minLength: 1
  8561. pattern: ^[-._a-zA-Z0-9]+$
  8562. type: string
  8563. name:
  8564. description: The name of the Secret resource being referred to.
  8565. maxLength: 253
  8566. minLength: 1
  8567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8568. type: string
  8569. namespace:
  8570. description: |-
  8571. The namespace of the Secret resource being referred to.
  8572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8573. maxLength: 63
  8574. minLength: 1
  8575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8576. type: string
  8577. type: object
  8578. required:
  8579. - fingerprint
  8580. - privatekey
  8581. type: object
  8582. tenancy:
  8583. description: Tenancy is the tenancy OCID where user is located.
  8584. type: string
  8585. user:
  8586. description: User is an access OCID specific to the account.
  8587. type: string
  8588. required:
  8589. - secretRef
  8590. - tenancy
  8591. - user
  8592. type: object
  8593. compartment:
  8594. description: |-
  8595. Compartment is the vault compartment OCID.
  8596. Required for PushSecret
  8597. type: string
  8598. encryptionKey:
  8599. description: |-
  8600. EncryptionKey is the OCID of the encryption key within the vault.
  8601. Required for PushSecret
  8602. type: string
  8603. principalType:
  8604. description: |-
  8605. The type of principal to use for authentication. If left blank, the Auth struct will
  8606. determine the principal type. This optional field must be specified if using
  8607. workload identity.
  8608. enum:
  8609. - ""
  8610. - UserPrincipal
  8611. - InstancePrincipal
  8612. - Workload
  8613. type: string
  8614. region:
  8615. description: Region is the region where vault is located.
  8616. type: string
  8617. serviceAccountRef:
  8618. description: |-
  8619. ServiceAccountRef specified the service account
  8620. that should be used when authenticating with WorkloadIdentity.
  8621. properties:
  8622. audiences:
  8623. description: |-
  8624. Audience specifies the `aud` claim for the service account token
  8625. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8626. then this audiences will be appended to the list
  8627. items:
  8628. type: string
  8629. type: array
  8630. name:
  8631. description: The name of the ServiceAccount resource being referred to.
  8632. maxLength: 253
  8633. minLength: 1
  8634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8635. type: string
  8636. namespace:
  8637. description: |-
  8638. Namespace of the resource being referred to.
  8639. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8640. maxLength: 63
  8641. minLength: 1
  8642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8643. type: string
  8644. required:
  8645. - name
  8646. type: object
  8647. vault:
  8648. description: Vault is the vault's OCID of the specific vault where secret is located.
  8649. type: string
  8650. required:
  8651. - region
  8652. - vault
  8653. type: object
  8654. passbolt:
  8655. properties:
  8656. auth:
  8657. description: Auth defines the information necessary to authenticate against Passbolt Server
  8658. properties:
  8659. passwordSecretRef:
  8660. description: |-
  8661. A reference to a specific 'key' within a Secret resource.
  8662. In some instances, `key` is a required field.
  8663. properties:
  8664. key:
  8665. description: |-
  8666. A key in the referenced Secret.
  8667. Some instances of this field may be defaulted, in others it may be required.
  8668. maxLength: 253
  8669. minLength: 1
  8670. pattern: ^[-._a-zA-Z0-9]+$
  8671. type: string
  8672. name:
  8673. description: The name of the Secret resource being referred to.
  8674. maxLength: 253
  8675. minLength: 1
  8676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8677. type: string
  8678. namespace:
  8679. description: |-
  8680. The namespace of the Secret resource being referred to.
  8681. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8682. maxLength: 63
  8683. minLength: 1
  8684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8685. type: string
  8686. type: object
  8687. privateKeySecretRef:
  8688. description: |-
  8689. A reference to a specific 'key' within a Secret resource.
  8690. In some instances, `key` is a required field.
  8691. properties:
  8692. key:
  8693. description: |-
  8694. A key in the referenced Secret.
  8695. Some instances of this field may be defaulted, in others it may be required.
  8696. maxLength: 253
  8697. minLength: 1
  8698. pattern: ^[-._a-zA-Z0-9]+$
  8699. type: string
  8700. name:
  8701. description: The name of the Secret resource being referred to.
  8702. maxLength: 253
  8703. minLength: 1
  8704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8705. type: string
  8706. namespace:
  8707. description: |-
  8708. The namespace of the Secret resource being referred to.
  8709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8710. maxLength: 63
  8711. minLength: 1
  8712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8713. type: string
  8714. type: object
  8715. required:
  8716. - passwordSecretRef
  8717. - privateKeySecretRef
  8718. type: object
  8719. host:
  8720. description: Host defines the Passbolt Server to connect to
  8721. type: string
  8722. required:
  8723. - auth
  8724. - host
  8725. type: object
  8726. passworddepot:
  8727. description: Configures a store to sync secrets with a Password Depot instance.
  8728. properties:
  8729. auth:
  8730. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  8731. properties:
  8732. secretRef:
  8733. properties:
  8734. credentials:
  8735. description: Username / Password is used for authentication.
  8736. properties:
  8737. key:
  8738. description: |-
  8739. A key in the referenced Secret.
  8740. Some instances of this field may be defaulted, in others it may be required.
  8741. maxLength: 253
  8742. minLength: 1
  8743. pattern: ^[-._a-zA-Z0-9]+$
  8744. type: string
  8745. name:
  8746. description: The name of the Secret resource being referred to.
  8747. maxLength: 253
  8748. minLength: 1
  8749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8750. type: string
  8751. namespace:
  8752. description: |-
  8753. The namespace of the Secret resource being referred to.
  8754. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8755. maxLength: 63
  8756. minLength: 1
  8757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8758. type: string
  8759. type: object
  8760. type: object
  8761. required:
  8762. - secretRef
  8763. type: object
  8764. database:
  8765. description: Database to use as source
  8766. type: string
  8767. host:
  8768. description: URL configures the Password Depot instance URL.
  8769. type: string
  8770. required:
  8771. - auth
  8772. - database
  8773. - host
  8774. type: object
  8775. previder:
  8776. description: Previder configures this store to sync secrets using the Previder provider
  8777. properties:
  8778. auth:
  8779. description: PreviderAuth contains a secretRef for credentials.
  8780. properties:
  8781. secretRef:
  8782. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  8783. properties:
  8784. accessToken:
  8785. description: The AccessToken is used for authentication
  8786. properties:
  8787. key:
  8788. description: |-
  8789. A key in the referenced Secret.
  8790. Some instances of this field may be defaulted, in others it may be required.
  8791. maxLength: 253
  8792. minLength: 1
  8793. pattern: ^[-._a-zA-Z0-9]+$
  8794. type: string
  8795. name:
  8796. description: The name of the Secret resource being referred to.
  8797. maxLength: 253
  8798. minLength: 1
  8799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8800. type: string
  8801. namespace:
  8802. description: |-
  8803. The namespace of the Secret resource being referred to.
  8804. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8805. maxLength: 63
  8806. minLength: 1
  8807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8808. type: string
  8809. type: object
  8810. required:
  8811. - accessToken
  8812. type: object
  8813. type: object
  8814. baseUri:
  8815. type: string
  8816. required:
  8817. - auth
  8818. type: object
  8819. pulumi:
  8820. description: Pulumi configures this store to sync secrets using the Pulumi provider
  8821. properties:
  8822. accessToken:
  8823. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  8824. properties:
  8825. secretRef:
  8826. description: SecretRef is a reference to a secret containing the Pulumi API token.
  8827. properties:
  8828. key:
  8829. description: |-
  8830. A key in the referenced Secret.
  8831. Some instances of this field may be defaulted, in others it may be required.
  8832. maxLength: 253
  8833. minLength: 1
  8834. pattern: ^[-._a-zA-Z0-9]+$
  8835. type: string
  8836. name:
  8837. description: The name of the Secret resource being referred to.
  8838. maxLength: 253
  8839. minLength: 1
  8840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8841. type: string
  8842. namespace:
  8843. description: |-
  8844. The namespace of the Secret resource being referred to.
  8845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8846. maxLength: 63
  8847. minLength: 1
  8848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8849. type: string
  8850. type: object
  8851. type: object
  8852. apiUrl:
  8853. default: https://api.pulumi.com/api/esc
  8854. description: APIURL is the URL of the Pulumi API.
  8855. type: string
  8856. environment:
  8857. description: |-
  8858. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  8859. dynamically retrieved values from supported providers including all major clouds,
  8860. and other Pulumi ESC environments.
  8861. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  8862. type: string
  8863. organization:
  8864. description: |-
  8865. Organization are a space to collaborate on shared projects and stacks.
  8866. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  8867. type: string
  8868. project:
  8869. description: Project is the name of the Pulumi ESC project the environment belongs to.
  8870. type: string
  8871. required:
  8872. - accessToken
  8873. - environment
  8874. - organization
  8875. - project
  8876. type: object
  8877. scaleway:
  8878. description: Scaleway
  8879. properties:
  8880. accessKey:
  8881. description: AccessKey is the non-secret part of the api key.
  8882. properties:
  8883. secretRef:
  8884. description: SecretRef references a key in a secret that will be used as value.
  8885. properties:
  8886. key:
  8887. description: |-
  8888. A key in the referenced Secret.
  8889. Some instances of this field may be defaulted, in others it may be required.
  8890. maxLength: 253
  8891. minLength: 1
  8892. pattern: ^[-._a-zA-Z0-9]+$
  8893. type: string
  8894. name:
  8895. description: The name of the Secret resource being referred to.
  8896. maxLength: 253
  8897. minLength: 1
  8898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8899. type: string
  8900. namespace:
  8901. description: |-
  8902. The namespace of the Secret resource being referred to.
  8903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8904. maxLength: 63
  8905. minLength: 1
  8906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8907. type: string
  8908. type: object
  8909. value:
  8910. description: Value can be specified directly to set a value without using a secret.
  8911. type: string
  8912. type: object
  8913. apiUrl:
  8914. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  8915. type: string
  8916. projectId:
  8917. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  8918. type: string
  8919. region:
  8920. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  8921. type: string
  8922. secretKey:
  8923. description: SecretKey is the non-secret part of the api key.
  8924. properties:
  8925. secretRef:
  8926. description: SecretRef references a key in a secret that will be used as value.
  8927. properties:
  8928. key:
  8929. description: |-
  8930. A key in the referenced Secret.
  8931. Some instances of this field may be defaulted, in others it may be required.
  8932. maxLength: 253
  8933. minLength: 1
  8934. pattern: ^[-._a-zA-Z0-9]+$
  8935. type: string
  8936. name:
  8937. description: The name of the Secret resource being referred to.
  8938. maxLength: 253
  8939. minLength: 1
  8940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8941. type: string
  8942. namespace:
  8943. description: |-
  8944. The namespace of the Secret resource being referred to.
  8945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8946. maxLength: 63
  8947. minLength: 1
  8948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8949. type: string
  8950. type: object
  8951. value:
  8952. description: Value can be specified directly to set a value without using a secret.
  8953. type: string
  8954. type: object
  8955. required:
  8956. - accessKey
  8957. - projectId
  8958. - region
  8959. - secretKey
  8960. type: object
  8961. secretserver:
  8962. description: |-
  8963. SecretServer configures this store to sync secrets using SecretServer provider
  8964. https://docs.delinea.com/online-help/secret-server/start.htm
  8965. properties:
  8966. password:
  8967. description: Password is the secret server account password.
  8968. properties:
  8969. secretRef:
  8970. description: SecretRef references a key in a secret that will be used as value.
  8971. properties:
  8972. key:
  8973. description: |-
  8974. A key in the referenced Secret.
  8975. Some instances of this field may be defaulted, in others it may be required.
  8976. maxLength: 253
  8977. minLength: 1
  8978. pattern: ^[-._a-zA-Z0-9]+$
  8979. type: string
  8980. name:
  8981. description: The name of the Secret resource being referred to.
  8982. maxLength: 253
  8983. minLength: 1
  8984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8985. type: string
  8986. namespace:
  8987. description: |-
  8988. The namespace of the Secret resource being referred to.
  8989. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8990. maxLength: 63
  8991. minLength: 1
  8992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8993. type: string
  8994. type: object
  8995. value:
  8996. description: Value can be specified directly to set a value without using a secret.
  8997. type: string
  8998. type: object
  8999. serverURL:
  9000. description: |-
  9001. ServerURL
  9002. URL to your secret server installation
  9003. type: string
  9004. username:
  9005. description: Username is the secret server account username.
  9006. properties:
  9007. secretRef:
  9008. description: SecretRef references a key in a secret that will be used as value.
  9009. properties:
  9010. key:
  9011. description: |-
  9012. A key in the referenced Secret.
  9013. Some instances of this field may be defaulted, in others it may be required.
  9014. maxLength: 253
  9015. minLength: 1
  9016. pattern: ^[-._a-zA-Z0-9]+$
  9017. type: string
  9018. name:
  9019. description: The name of the Secret resource being referred to.
  9020. maxLength: 253
  9021. minLength: 1
  9022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9023. type: string
  9024. namespace:
  9025. description: |-
  9026. The namespace of the Secret resource being referred to.
  9027. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9028. maxLength: 63
  9029. minLength: 1
  9030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9031. type: string
  9032. type: object
  9033. value:
  9034. description: Value can be specified directly to set a value without using a secret.
  9035. type: string
  9036. type: object
  9037. required:
  9038. - password
  9039. - serverURL
  9040. - username
  9041. type: object
  9042. senhasegura:
  9043. description: Senhasegura configures this store to sync secrets using senhasegura provider
  9044. properties:
  9045. auth:
  9046. description: Auth defines parameters to authenticate in senhasegura
  9047. properties:
  9048. clientId:
  9049. type: string
  9050. clientSecretSecretRef:
  9051. description: |-
  9052. A reference to a specific 'key' within a Secret resource.
  9053. In some instances, `key` is a required field.
  9054. properties:
  9055. key:
  9056. description: |-
  9057. A key in the referenced Secret.
  9058. Some instances of this field may be defaulted, in others it may be required.
  9059. maxLength: 253
  9060. minLength: 1
  9061. pattern: ^[-._a-zA-Z0-9]+$
  9062. type: string
  9063. name:
  9064. description: The name of the Secret resource being referred to.
  9065. maxLength: 253
  9066. minLength: 1
  9067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9068. type: string
  9069. namespace:
  9070. description: |-
  9071. The namespace of the Secret resource being referred to.
  9072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9073. maxLength: 63
  9074. minLength: 1
  9075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9076. type: string
  9077. type: object
  9078. required:
  9079. - clientId
  9080. - clientSecretSecretRef
  9081. type: object
  9082. ignoreSslCertificate:
  9083. default: false
  9084. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  9085. type: boolean
  9086. module:
  9087. description: Module defines which senhasegura module should be used to get secrets
  9088. type: string
  9089. url:
  9090. description: URL of senhasegura
  9091. type: string
  9092. required:
  9093. - auth
  9094. - module
  9095. - url
  9096. type: object
  9097. vault:
  9098. description: Vault configures this store to sync secrets using Hashi provider
  9099. properties:
  9100. auth:
  9101. description: Auth configures how secret-manager authenticates with the Vault server.
  9102. properties:
  9103. appRole:
  9104. description: |-
  9105. AppRole authenticates with Vault using the App Role auth mechanism,
  9106. with the role and secret stored in a Kubernetes Secret resource.
  9107. properties:
  9108. path:
  9109. default: approle
  9110. description: |-
  9111. Path where the App Role authentication backend is mounted
  9112. in Vault, e.g: "approle"
  9113. type: string
  9114. roleId:
  9115. description: |-
  9116. RoleID configured in the App Role authentication backend when setting
  9117. up the authentication backend in Vault.
  9118. type: string
  9119. roleRef:
  9120. description: |-
  9121. Reference to a key in a Secret that contains the App Role ID used
  9122. to authenticate with Vault.
  9123. The `key` field must be specified and denotes which entry within the Secret
  9124. resource is used as the app role id.
  9125. properties:
  9126. key:
  9127. description: |-
  9128. A key in the referenced Secret.
  9129. Some instances of this field may be defaulted, in others it may be required.
  9130. maxLength: 253
  9131. minLength: 1
  9132. pattern: ^[-._a-zA-Z0-9]+$
  9133. type: string
  9134. name:
  9135. description: The name of the Secret resource being referred to.
  9136. maxLength: 253
  9137. minLength: 1
  9138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9139. type: string
  9140. namespace:
  9141. description: |-
  9142. The namespace of the Secret resource being referred to.
  9143. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9144. maxLength: 63
  9145. minLength: 1
  9146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9147. type: string
  9148. type: object
  9149. secretRef:
  9150. description: |-
  9151. Reference to a key in a Secret that contains the App Role secret used
  9152. to authenticate with Vault.
  9153. The `key` field must be specified and denotes which entry within the Secret
  9154. resource is used as the app role secret.
  9155. properties:
  9156. key:
  9157. description: |-
  9158. A key in the referenced Secret.
  9159. Some instances of this field may be defaulted, in others it may be required.
  9160. maxLength: 253
  9161. minLength: 1
  9162. pattern: ^[-._a-zA-Z0-9]+$
  9163. type: string
  9164. name:
  9165. description: The name of the Secret resource being referred to.
  9166. maxLength: 253
  9167. minLength: 1
  9168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9169. type: string
  9170. namespace:
  9171. description: |-
  9172. The namespace of the Secret resource being referred to.
  9173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9174. maxLength: 63
  9175. minLength: 1
  9176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9177. type: string
  9178. type: object
  9179. required:
  9180. - path
  9181. - secretRef
  9182. type: object
  9183. cert:
  9184. description: |-
  9185. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  9186. Cert authentication method
  9187. properties:
  9188. clientCert:
  9189. description: |-
  9190. ClientCert is a certificate to authenticate using the Cert Vault
  9191. authentication method
  9192. properties:
  9193. key:
  9194. description: |-
  9195. A key in the referenced Secret.
  9196. Some instances of this field may be defaulted, in others it may be required.
  9197. maxLength: 253
  9198. minLength: 1
  9199. pattern: ^[-._a-zA-Z0-9]+$
  9200. type: string
  9201. name:
  9202. description: The name of the Secret resource being referred to.
  9203. maxLength: 253
  9204. minLength: 1
  9205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9206. type: string
  9207. namespace:
  9208. description: |-
  9209. The namespace of the Secret resource being referred to.
  9210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9211. maxLength: 63
  9212. minLength: 1
  9213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9214. type: string
  9215. type: object
  9216. secretRef:
  9217. description: |-
  9218. SecretRef to a key in a Secret resource containing client private key to
  9219. authenticate with Vault using the Cert authentication method
  9220. properties:
  9221. key:
  9222. description: |-
  9223. A key in the referenced Secret.
  9224. Some instances of this field may be defaulted, in others it may be required.
  9225. maxLength: 253
  9226. minLength: 1
  9227. pattern: ^[-._a-zA-Z0-9]+$
  9228. type: string
  9229. name:
  9230. description: The name of the Secret resource being referred to.
  9231. maxLength: 253
  9232. minLength: 1
  9233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9234. type: string
  9235. namespace:
  9236. description: |-
  9237. The namespace of the Secret resource being referred to.
  9238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9239. maxLength: 63
  9240. minLength: 1
  9241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9242. type: string
  9243. type: object
  9244. type: object
  9245. iam:
  9246. description: |-
  9247. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  9248. AWS IAM authentication method
  9249. properties:
  9250. externalID:
  9251. description: AWS External ID set on assumed IAM roles
  9252. type: string
  9253. jwt:
  9254. description: Specify a service account with IRSA enabled
  9255. properties:
  9256. serviceAccountRef:
  9257. description: A reference to a ServiceAccount resource.
  9258. properties:
  9259. audiences:
  9260. description: |-
  9261. Audience specifies the `aud` claim for the service account token
  9262. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9263. then this audiences will be appended to the list
  9264. items:
  9265. type: string
  9266. type: array
  9267. name:
  9268. description: The name of the ServiceAccount resource being referred to.
  9269. maxLength: 253
  9270. minLength: 1
  9271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9272. type: string
  9273. namespace:
  9274. description: |-
  9275. Namespace of the resource being referred to.
  9276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9277. maxLength: 63
  9278. minLength: 1
  9279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9280. type: string
  9281. required:
  9282. - name
  9283. type: object
  9284. type: object
  9285. path:
  9286. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  9287. type: string
  9288. region:
  9289. description: AWS region
  9290. type: string
  9291. role:
  9292. description: This is the AWS role to be assumed before talking to vault
  9293. type: string
  9294. secretRef:
  9295. description: Specify credentials in a Secret object
  9296. properties:
  9297. accessKeyIDSecretRef:
  9298. description: The AccessKeyID is used for authentication
  9299. properties:
  9300. key:
  9301. description: |-
  9302. A key in the referenced Secret.
  9303. Some instances of this field may be defaulted, in others it may be required.
  9304. maxLength: 253
  9305. minLength: 1
  9306. pattern: ^[-._a-zA-Z0-9]+$
  9307. type: string
  9308. name:
  9309. description: The name of the Secret resource being referred to.
  9310. maxLength: 253
  9311. minLength: 1
  9312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9313. type: string
  9314. namespace:
  9315. description: |-
  9316. The namespace of the Secret resource being referred to.
  9317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9318. maxLength: 63
  9319. minLength: 1
  9320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9321. type: string
  9322. type: object
  9323. secretAccessKeySecretRef:
  9324. description: The SecretAccessKey is used for authentication
  9325. properties:
  9326. key:
  9327. description: |-
  9328. A key in the referenced Secret.
  9329. Some instances of this field may be defaulted, in others it may be required.
  9330. maxLength: 253
  9331. minLength: 1
  9332. pattern: ^[-._a-zA-Z0-9]+$
  9333. type: string
  9334. name:
  9335. description: The name of the Secret resource being referred to.
  9336. maxLength: 253
  9337. minLength: 1
  9338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9339. type: string
  9340. namespace:
  9341. description: |-
  9342. The namespace of the Secret resource being referred to.
  9343. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9344. maxLength: 63
  9345. minLength: 1
  9346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9347. type: string
  9348. type: object
  9349. sessionTokenSecretRef:
  9350. description: |-
  9351. The SessionToken used for authentication
  9352. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9353. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9354. properties:
  9355. key:
  9356. description: |-
  9357. A key in the referenced Secret.
  9358. Some instances of this field may be defaulted, in others it may be required.
  9359. maxLength: 253
  9360. minLength: 1
  9361. pattern: ^[-._a-zA-Z0-9]+$
  9362. type: string
  9363. name:
  9364. description: The name of the Secret resource being referred to.
  9365. maxLength: 253
  9366. minLength: 1
  9367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9368. type: string
  9369. namespace:
  9370. description: |-
  9371. The namespace of the Secret resource being referred to.
  9372. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9373. maxLength: 63
  9374. minLength: 1
  9375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9376. type: string
  9377. type: object
  9378. type: object
  9379. vaultAwsIamServerID:
  9380. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  9381. type: string
  9382. vaultRole:
  9383. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  9384. type: string
  9385. required:
  9386. - vaultRole
  9387. type: object
  9388. jwt:
  9389. description: |-
  9390. Jwt authenticates with Vault by passing role and JWT token using the
  9391. JWT/OIDC authentication method
  9392. properties:
  9393. kubernetesServiceAccountToken:
  9394. description: |-
  9395. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  9396. a token for with the `TokenRequest` API.
  9397. properties:
  9398. audiences:
  9399. description: |-
  9400. Optional audiences field that will be used to request a temporary Kubernetes service
  9401. account token for the service account referenced by `serviceAccountRef`.
  9402. Defaults to a single audience `vault` it not specified.
  9403. Deprecated: use serviceAccountRef.Audiences instead
  9404. items:
  9405. type: string
  9406. type: array
  9407. expirationSeconds:
  9408. description: |-
  9409. Optional expiration time in seconds that will be used to request a temporary
  9410. Kubernetes service account token for the service account referenced by
  9411. `serviceAccountRef`.
  9412. Deprecated: this will be removed in the future.
  9413. Defaults to 10 minutes.
  9414. format: int64
  9415. type: integer
  9416. serviceAccountRef:
  9417. description: Service account field containing the name of a kubernetes ServiceAccount.
  9418. properties:
  9419. audiences:
  9420. description: |-
  9421. Audience specifies the `aud` claim for the service account token
  9422. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9423. then this audiences will be appended to the list
  9424. items:
  9425. type: string
  9426. type: array
  9427. name:
  9428. description: The name of the ServiceAccount resource being referred to.
  9429. maxLength: 253
  9430. minLength: 1
  9431. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9432. type: string
  9433. namespace:
  9434. description: |-
  9435. Namespace of the resource being referred to.
  9436. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9437. maxLength: 63
  9438. minLength: 1
  9439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9440. type: string
  9441. required:
  9442. - name
  9443. type: object
  9444. required:
  9445. - serviceAccountRef
  9446. type: object
  9447. path:
  9448. default: jwt
  9449. description: |-
  9450. Path where the JWT authentication backend is mounted
  9451. in Vault, e.g: "jwt"
  9452. type: string
  9453. role:
  9454. description: |-
  9455. Role is a JWT role to authenticate using the JWT/OIDC Vault
  9456. authentication method
  9457. type: string
  9458. secretRef:
  9459. description: |-
  9460. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9461. authenticate with Vault using the JWT/OIDC authentication method.
  9462. properties:
  9463. key:
  9464. description: |-
  9465. A key in the referenced Secret.
  9466. Some instances of this field may be defaulted, in others it may be required.
  9467. maxLength: 253
  9468. minLength: 1
  9469. pattern: ^[-._a-zA-Z0-9]+$
  9470. type: string
  9471. name:
  9472. description: The name of the Secret resource being referred to.
  9473. maxLength: 253
  9474. minLength: 1
  9475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9476. type: string
  9477. namespace:
  9478. description: |-
  9479. The namespace of the Secret resource being referred to.
  9480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9481. maxLength: 63
  9482. minLength: 1
  9483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9484. type: string
  9485. type: object
  9486. required:
  9487. - path
  9488. type: object
  9489. kubernetes:
  9490. description: |-
  9491. Kubernetes authenticates with Vault by passing the ServiceAccount
  9492. token stored in the named Secret resource to the Vault server.
  9493. properties:
  9494. mountPath:
  9495. default: kubernetes
  9496. description: |-
  9497. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  9498. "kubernetes"
  9499. type: string
  9500. role:
  9501. description: |-
  9502. A required field containing the Vault Role to assume. A Role binds a
  9503. Kubernetes ServiceAccount with a set of Vault policies.
  9504. type: string
  9505. secretRef:
  9506. description: |-
  9507. Optional secret field containing a Kubernetes ServiceAccount JWT used
  9508. for authenticating with Vault. If a name is specified without a key,
  9509. `token` is the default. If one is not specified, the one bound to
  9510. the controller will be used.
  9511. properties:
  9512. key:
  9513. description: |-
  9514. A key in the referenced Secret.
  9515. Some instances of this field may be defaulted, in others it may be required.
  9516. maxLength: 253
  9517. minLength: 1
  9518. pattern: ^[-._a-zA-Z0-9]+$
  9519. type: string
  9520. name:
  9521. description: The name of the Secret resource being referred to.
  9522. maxLength: 253
  9523. minLength: 1
  9524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9525. type: string
  9526. namespace:
  9527. description: |-
  9528. The namespace of the Secret resource being referred to.
  9529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9530. maxLength: 63
  9531. minLength: 1
  9532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9533. type: string
  9534. type: object
  9535. serviceAccountRef:
  9536. description: |-
  9537. Optional service account field containing the name of a kubernetes ServiceAccount.
  9538. If the service account is specified, the service account secret token JWT will be used
  9539. for authenticating with Vault. If the service account selector is not supplied,
  9540. the secretRef will be used instead.
  9541. properties:
  9542. audiences:
  9543. description: |-
  9544. Audience specifies the `aud` claim for the service account token
  9545. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9546. then this audiences will be appended to the list
  9547. items:
  9548. type: string
  9549. type: array
  9550. name:
  9551. description: The name of the ServiceAccount resource being referred to.
  9552. maxLength: 253
  9553. minLength: 1
  9554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9555. type: string
  9556. namespace:
  9557. description: |-
  9558. Namespace of the resource being referred to.
  9559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9560. maxLength: 63
  9561. minLength: 1
  9562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9563. type: string
  9564. required:
  9565. - name
  9566. type: object
  9567. required:
  9568. - mountPath
  9569. - role
  9570. type: object
  9571. ldap:
  9572. description: |-
  9573. Ldap authenticates with Vault by passing username/password pair using
  9574. the LDAP authentication method
  9575. properties:
  9576. path:
  9577. default: ldap
  9578. description: |-
  9579. Path where the LDAP authentication backend is mounted
  9580. in Vault, e.g: "ldap"
  9581. type: string
  9582. secretRef:
  9583. description: |-
  9584. SecretRef to a key in a Secret resource containing password for the LDAP
  9585. user used to authenticate with Vault using the LDAP authentication
  9586. method
  9587. properties:
  9588. key:
  9589. description: |-
  9590. A key in the referenced Secret.
  9591. Some instances of this field may be defaulted, in others it may be required.
  9592. maxLength: 253
  9593. minLength: 1
  9594. pattern: ^[-._a-zA-Z0-9]+$
  9595. type: string
  9596. name:
  9597. description: The name of the Secret resource being referred to.
  9598. maxLength: 253
  9599. minLength: 1
  9600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9601. type: string
  9602. namespace:
  9603. description: |-
  9604. The namespace of the Secret resource being referred to.
  9605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9606. maxLength: 63
  9607. minLength: 1
  9608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9609. type: string
  9610. type: object
  9611. username:
  9612. description: |-
  9613. Username is an LDAP username used to authenticate using the LDAP Vault
  9614. authentication method
  9615. type: string
  9616. required:
  9617. - path
  9618. - username
  9619. type: object
  9620. namespace:
  9621. description: |-
  9622. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  9623. Namespaces is a set of features within Vault Enterprise that allows
  9624. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  9625. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  9626. This will default to Vault.Namespace field if set, or empty otherwise
  9627. type: string
  9628. tokenSecretRef:
  9629. description: TokenSecretRef authenticates with Vault by presenting a token.
  9630. properties:
  9631. key:
  9632. description: |-
  9633. A key in the referenced Secret.
  9634. Some instances of this field may be defaulted, in others it may be required.
  9635. maxLength: 253
  9636. minLength: 1
  9637. pattern: ^[-._a-zA-Z0-9]+$
  9638. type: string
  9639. name:
  9640. description: The name of the Secret resource being referred to.
  9641. maxLength: 253
  9642. minLength: 1
  9643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9644. type: string
  9645. namespace:
  9646. description: |-
  9647. The namespace of the Secret resource being referred to.
  9648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9649. maxLength: 63
  9650. minLength: 1
  9651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9652. type: string
  9653. type: object
  9654. userPass:
  9655. description: UserPass authenticates with Vault by passing username/password pair
  9656. properties:
  9657. path:
  9658. default: userpass
  9659. description: |-
  9660. Path where the UserPassword authentication backend is mounted
  9661. in Vault, e.g: "userpass"
  9662. type: string
  9663. secretRef:
  9664. description: |-
  9665. SecretRef to a key in a Secret resource containing password for the
  9666. user used to authenticate with Vault using the UserPass authentication
  9667. method
  9668. properties:
  9669. key:
  9670. description: |-
  9671. A key in the referenced Secret.
  9672. Some instances of this field may be defaulted, in others it may be required.
  9673. maxLength: 253
  9674. minLength: 1
  9675. pattern: ^[-._a-zA-Z0-9]+$
  9676. type: string
  9677. name:
  9678. description: The name of the Secret resource being referred to.
  9679. maxLength: 253
  9680. minLength: 1
  9681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9682. type: string
  9683. namespace:
  9684. description: |-
  9685. The namespace of the Secret resource being referred to.
  9686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9687. maxLength: 63
  9688. minLength: 1
  9689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9690. type: string
  9691. type: object
  9692. username:
  9693. description: |-
  9694. Username is a username used to authenticate using the UserPass Vault
  9695. authentication method
  9696. type: string
  9697. required:
  9698. - path
  9699. - username
  9700. type: object
  9701. type: object
  9702. caBundle:
  9703. description: |-
  9704. PEM encoded CA bundle used to validate Vault server certificate. Only used
  9705. if the Server URL is using HTTPS protocol. This parameter is ignored for
  9706. plain HTTP protocol connection. If not set the system root certificates
  9707. are used to validate the TLS connection.
  9708. format: byte
  9709. type: string
  9710. caProvider:
  9711. description: The provider for the CA bundle to use to validate Vault server certificate.
  9712. properties:
  9713. key:
  9714. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9715. maxLength: 253
  9716. minLength: 1
  9717. pattern: ^[-._a-zA-Z0-9]+$
  9718. type: string
  9719. name:
  9720. description: The name of the object located at the provider type.
  9721. maxLength: 253
  9722. minLength: 1
  9723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9724. type: string
  9725. namespace:
  9726. description: |-
  9727. The namespace the Provider type is in.
  9728. Can only be defined when used in a ClusterSecretStore.
  9729. maxLength: 63
  9730. minLength: 1
  9731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9732. type: string
  9733. type:
  9734. description: The type of provider to use such as "Secret", or "ConfigMap".
  9735. enum:
  9736. - Secret
  9737. - ConfigMap
  9738. type: string
  9739. required:
  9740. - name
  9741. - type
  9742. type: object
  9743. forwardInconsistent:
  9744. description: |-
  9745. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  9746. leader instead of simply retrying within a loop. This can increase performance if
  9747. the option is enabled serverside.
  9748. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  9749. type: boolean
  9750. headers:
  9751. additionalProperties:
  9752. type: string
  9753. description: Headers to be added in Vault request
  9754. type: object
  9755. namespace:
  9756. description: |-
  9757. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  9758. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  9759. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  9760. type: string
  9761. path:
  9762. description: |-
  9763. Path is the mount path of the Vault KV backend endpoint, e.g:
  9764. "secret". The v2 KV secret engine version specific "/data" path suffix
  9765. for fetching secrets from Vault is optional and will be appended
  9766. if not present in specified path.
  9767. type: string
  9768. readYourWrites:
  9769. description: |-
  9770. ReadYourWrites ensures isolated read-after-write semantics by
  9771. providing discovered cluster replication states in each request.
  9772. More information about eventual consistency in Vault can be found here
  9773. https://www.vaultproject.io/docs/enterprise/consistency
  9774. type: boolean
  9775. server:
  9776. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  9777. type: string
  9778. tls:
  9779. description: |-
  9780. The configuration used for client side related TLS communication, when the Vault server
  9781. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  9782. This parameter is ignored for plain HTTP protocol connection.
  9783. It's worth noting this configuration is different from the "TLS certificates auth method",
  9784. which is available under the `auth.cert` section.
  9785. properties:
  9786. certSecretRef:
  9787. description: |-
  9788. CertSecretRef is a certificate added to the transport layer
  9789. when communicating with the Vault server.
  9790. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  9791. properties:
  9792. key:
  9793. description: |-
  9794. A key in the referenced Secret.
  9795. Some instances of this field may be defaulted, in others it may be required.
  9796. maxLength: 253
  9797. minLength: 1
  9798. pattern: ^[-._a-zA-Z0-9]+$
  9799. type: string
  9800. name:
  9801. description: The name of the Secret resource being referred to.
  9802. maxLength: 253
  9803. minLength: 1
  9804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9805. type: string
  9806. namespace:
  9807. description: |-
  9808. The namespace of the Secret resource being referred to.
  9809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9810. maxLength: 63
  9811. minLength: 1
  9812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9813. type: string
  9814. type: object
  9815. keySecretRef:
  9816. description: |-
  9817. KeySecretRef to a key in a Secret resource containing client private key
  9818. added to the transport layer when communicating with the Vault server.
  9819. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  9820. properties:
  9821. key:
  9822. description: |-
  9823. A key in the referenced Secret.
  9824. Some instances of this field may be defaulted, in others it may be required.
  9825. maxLength: 253
  9826. minLength: 1
  9827. pattern: ^[-._a-zA-Z0-9]+$
  9828. type: string
  9829. name:
  9830. description: The name of the Secret resource being referred to.
  9831. maxLength: 253
  9832. minLength: 1
  9833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9834. type: string
  9835. namespace:
  9836. description: |-
  9837. The namespace of the Secret resource being referred to.
  9838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9839. maxLength: 63
  9840. minLength: 1
  9841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9842. type: string
  9843. type: object
  9844. type: object
  9845. version:
  9846. default: v2
  9847. description: |-
  9848. Version is the Vault KV secret engine version. This can be either "v1" or
  9849. "v2". Version defaults to "v2".
  9850. enum:
  9851. - v1
  9852. - v2
  9853. type: string
  9854. required:
  9855. - server
  9856. type: object
  9857. webhook:
  9858. description: Webhook configures this store to sync secrets using a generic templated webhook
  9859. properties:
  9860. body:
  9861. description: Body
  9862. type: string
  9863. caBundle:
  9864. description: |-
  9865. PEM encoded CA bundle used to validate webhook server certificate. Only used
  9866. if the Server URL is using HTTPS protocol. This parameter is ignored for
  9867. plain HTTP protocol connection. If not set the system root certificates
  9868. are used to validate the TLS connection.
  9869. format: byte
  9870. type: string
  9871. caProvider:
  9872. description: The provider for the CA bundle to use to validate webhook server certificate.
  9873. properties:
  9874. key:
  9875. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9876. maxLength: 253
  9877. minLength: 1
  9878. pattern: ^[-._a-zA-Z0-9]+$
  9879. type: string
  9880. name:
  9881. description: The name of the object located at the provider type.
  9882. maxLength: 253
  9883. minLength: 1
  9884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9885. type: string
  9886. namespace:
  9887. description: The namespace the Provider type is in.
  9888. maxLength: 63
  9889. minLength: 1
  9890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9891. type: string
  9892. type:
  9893. description: The type of provider to use such as "Secret", or "ConfigMap".
  9894. enum:
  9895. - Secret
  9896. - ConfigMap
  9897. type: string
  9898. required:
  9899. - name
  9900. - type
  9901. type: object
  9902. headers:
  9903. additionalProperties:
  9904. type: string
  9905. description: Headers
  9906. type: object
  9907. method:
  9908. description: Webhook Method
  9909. type: string
  9910. result:
  9911. description: Result formatting
  9912. properties:
  9913. jsonPath:
  9914. description: Json path of return value
  9915. type: string
  9916. type: object
  9917. secrets:
  9918. description: |-
  9919. Secrets to fill in templates
  9920. These secrets will be passed to the templating function as key value pairs under the given name
  9921. items:
  9922. properties:
  9923. name:
  9924. description: Name of this secret in templates
  9925. type: string
  9926. secretRef:
  9927. description: Secret ref to fill in credentials
  9928. properties:
  9929. key:
  9930. description: |-
  9931. A key in the referenced Secret.
  9932. Some instances of this field may be defaulted, in others it may be required.
  9933. maxLength: 253
  9934. minLength: 1
  9935. pattern: ^[-._a-zA-Z0-9]+$
  9936. type: string
  9937. name:
  9938. description: The name of the Secret resource being referred to.
  9939. maxLength: 253
  9940. minLength: 1
  9941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9942. type: string
  9943. namespace:
  9944. description: |-
  9945. The namespace of the Secret resource being referred to.
  9946. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9947. maxLength: 63
  9948. minLength: 1
  9949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9950. type: string
  9951. type: object
  9952. required:
  9953. - name
  9954. - secretRef
  9955. type: object
  9956. type: array
  9957. timeout:
  9958. description: Timeout
  9959. type: string
  9960. url:
  9961. description: Webhook url to call
  9962. type: string
  9963. required:
  9964. - result
  9965. - url
  9966. type: object
  9967. yandexcertificatemanager:
  9968. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  9969. properties:
  9970. apiEndpoint:
  9971. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  9972. type: string
  9973. auth:
  9974. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  9975. properties:
  9976. authorizedKeySecretRef:
  9977. description: The authorized key used for authentication
  9978. properties:
  9979. key:
  9980. description: |-
  9981. A key in the referenced Secret.
  9982. Some instances of this field may be defaulted, in others it may be required.
  9983. maxLength: 253
  9984. minLength: 1
  9985. pattern: ^[-._a-zA-Z0-9]+$
  9986. type: string
  9987. name:
  9988. description: The name of the Secret resource being referred to.
  9989. maxLength: 253
  9990. minLength: 1
  9991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9992. type: string
  9993. namespace:
  9994. description: |-
  9995. The namespace of the Secret resource being referred to.
  9996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9997. maxLength: 63
  9998. minLength: 1
  9999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10000. type: string
  10001. type: object
  10002. type: object
  10003. caProvider:
  10004. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10005. properties:
  10006. certSecretRef:
  10007. description: |-
  10008. A reference to a specific 'key' within a Secret resource.
  10009. In some instances, `key` is a required field.
  10010. properties:
  10011. key:
  10012. description: |-
  10013. A key in the referenced Secret.
  10014. Some instances of this field may be defaulted, in others it may be required.
  10015. maxLength: 253
  10016. minLength: 1
  10017. pattern: ^[-._a-zA-Z0-9]+$
  10018. type: string
  10019. name:
  10020. description: The name of the Secret resource being referred to.
  10021. maxLength: 253
  10022. minLength: 1
  10023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10024. type: string
  10025. namespace:
  10026. description: |-
  10027. The namespace of the Secret resource being referred to.
  10028. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10029. maxLength: 63
  10030. minLength: 1
  10031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10032. type: string
  10033. type: object
  10034. type: object
  10035. required:
  10036. - auth
  10037. type: object
  10038. yandexlockbox:
  10039. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  10040. properties:
  10041. apiEndpoint:
  10042. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  10043. type: string
  10044. auth:
  10045. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  10046. properties:
  10047. authorizedKeySecretRef:
  10048. description: The authorized key used for authentication
  10049. properties:
  10050. key:
  10051. description: |-
  10052. A key in the referenced Secret.
  10053. Some instances of this field may be defaulted, in others it may be required.
  10054. maxLength: 253
  10055. minLength: 1
  10056. pattern: ^[-._a-zA-Z0-9]+$
  10057. type: string
  10058. name:
  10059. description: The name of the Secret resource being referred to.
  10060. maxLength: 253
  10061. minLength: 1
  10062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10063. type: string
  10064. namespace:
  10065. description: |-
  10066. The namespace of the Secret resource being referred to.
  10067. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10068. maxLength: 63
  10069. minLength: 1
  10070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10071. type: string
  10072. type: object
  10073. type: object
  10074. caProvider:
  10075. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10076. properties:
  10077. certSecretRef:
  10078. description: |-
  10079. A reference to a specific 'key' within a Secret resource.
  10080. In some instances, `key` is a required field.
  10081. properties:
  10082. key:
  10083. description: |-
  10084. A key in the referenced Secret.
  10085. Some instances of this field may be defaulted, in others it may be required.
  10086. maxLength: 253
  10087. minLength: 1
  10088. pattern: ^[-._a-zA-Z0-9]+$
  10089. type: string
  10090. name:
  10091. description: The name of the Secret resource being referred to.
  10092. maxLength: 253
  10093. minLength: 1
  10094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10095. type: string
  10096. namespace:
  10097. description: |-
  10098. The namespace of the Secret resource being referred to.
  10099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10100. maxLength: 63
  10101. minLength: 1
  10102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10103. type: string
  10104. type: object
  10105. type: object
  10106. required:
  10107. - auth
  10108. type: object
  10109. type: object
  10110. refreshInterval:
  10111. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  10112. type: integer
  10113. retrySettings:
  10114. description: Used to configure http retries if failed
  10115. properties:
  10116. maxRetries:
  10117. format: int32
  10118. type: integer
  10119. retryInterval:
  10120. type: string
  10121. type: object
  10122. required:
  10123. - provider
  10124. type: object
  10125. status:
  10126. description: SecretStoreStatus defines the observed state of the SecretStore.
  10127. properties:
  10128. capabilities:
  10129. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  10130. type: string
  10131. conditions:
  10132. items:
  10133. properties:
  10134. lastTransitionTime:
  10135. format: date-time
  10136. type: string
  10137. message:
  10138. type: string
  10139. reason:
  10140. type: string
  10141. status:
  10142. type: string
  10143. type:
  10144. type: string
  10145. required:
  10146. - status
  10147. - type
  10148. type: object
  10149. type: array
  10150. type: object
  10151. type: object
  10152. served: true
  10153. storage: false
  10154. subresources:
  10155. status: {}
  10156. conversion:
  10157. strategy: Webhook
  10158. webhook:
  10159. conversionReviewVersions:
  10160. - v1
  10161. clientConfig:
  10162. service:
  10163. name: kubernetes
  10164. namespace: default
  10165. path: /convert
  10166. ---
  10167. apiVersion: apiextensions.k8s.io/v1
  10168. kind: CustomResourceDefinition
  10169. metadata:
  10170. annotations:
  10171. controller-gen.kubebuilder.io/version: v0.17.3
  10172. labels:
  10173. external-secrets.io/component: controller
  10174. name: externalsecrets.external-secrets.io
  10175. spec:
  10176. group: external-secrets.io
  10177. names:
  10178. categories:
  10179. - external-secrets
  10180. kind: ExternalSecret
  10181. listKind: ExternalSecretList
  10182. plural: externalsecrets
  10183. shortNames:
  10184. - es
  10185. singular: externalsecret
  10186. scope: Namespaced
  10187. versions:
  10188. - additionalPrinterColumns:
  10189. - jsonPath: .spec.secretStoreRef.kind
  10190. name: StoreType
  10191. type: string
  10192. - jsonPath: .spec.secretStoreRef.name
  10193. name: Store
  10194. type: string
  10195. - jsonPath: .spec.refreshInterval
  10196. name: Refresh Interval
  10197. type: string
  10198. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  10199. name: Status
  10200. type: string
  10201. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  10202. name: Ready
  10203. type: string
  10204. name: v1
  10205. schema:
  10206. openAPIV3Schema:
  10207. description: ExternalSecret is the Schema for the external-secrets API.
  10208. properties:
  10209. apiVersion:
  10210. description: |-
  10211. APIVersion defines the versioned schema of this representation of an object.
  10212. Servers should convert recognized schemas to the latest internal value, and
  10213. may reject unrecognized values.
  10214. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10215. type: string
  10216. kind:
  10217. description: |-
  10218. Kind is a string value representing the REST resource this object represents.
  10219. Servers may infer this from the endpoint the client submits requests to.
  10220. Cannot be updated.
  10221. In CamelCase.
  10222. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10223. type: string
  10224. metadata:
  10225. type: object
  10226. spec:
  10227. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  10228. properties:
  10229. data:
  10230. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  10231. items:
  10232. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  10233. properties:
  10234. remoteRef:
  10235. description: |-
  10236. RemoteRef points to the remote secret and defines
  10237. which secret (version/property/..) to fetch.
  10238. properties:
  10239. conversionStrategy:
  10240. default: Default
  10241. description: Used to define a conversion Strategy
  10242. enum:
  10243. - Default
  10244. - Unicode
  10245. type: string
  10246. decodingStrategy:
  10247. default: None
  10248. description: Used to define a decoding Strategy
  10249. enum:
  10250. - Auto
  10251. - Base64
  10252. - Base64URL
  10253. - None
  10254. type: string
  10255. key:
  10256. description: Key is the key used in the Provider, mandatory
  10257. type: string
  10258. metadataPolicy:
  10259. default: None
  10260. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  10261. enum:
  10262. - None
  10263. - Fetch
  10264. type: string
  10265. property:
  10266. description: Used to select a specific property of the Provider value (if a map), if supported
  10267. type: string
  10268. version:
  10269. description: Used to select a specific version of the Provider value, if supported
  10270. type: string
  10271. required:
  10272. - key
  10273. type: object
  10274. secretKey:
  10275. description: The key in the Kubernetes Secret to store the value.
  10276. maxLength: 253
  10277. minLength: 1
  10278. pattern: ^[-._a-zA-Z0-9]+$
  10279. type: string
  10280. sourceRef:
  10281. description: |-
  10282. SourceRef allows you to override the source
  10283. from which the value will be pulled.
  10284. maxProperties: 1
  10285. minProperties: 1
  10286. properties:
  10287. generatorRef:
  10288. description: |-
  10289. GeneratorRef points to a generator custom resource.
  10290. Deprecated: The generatorRef is not implemented in .data[].
  10291. this will be removed with v1.
  10292. properties:
  10293. apiVersion:
  10294. default: generators.external-secrets.io/v1alpha1
  10295. description: Specify the apiVersion of the generator resource
  10296. type: string
  10297. kind:
  10298. description: Specify the Kind of the generator resource
  10299. enum:
  10300. - ACRAccessToken
  10301. - ClusterGenerator
  10302. - ECRAuthorizationToken
  10303. - Fake
  10304. - GCRAccessToken
  10305. - GithubAccessToken
  10306. - QuayAccessToken
  10307. - Password
  10308. - STSSessionToken
  10309. - UUID
  10310. - VaultDynamicSecret
  10311. - Webhook
  10312. - Grafana
  10313. type: string
  10314. name:
  10315. description: Specify the name of the generator resource
  10316. maxLength: 253
  10317. minLength: 1
  10318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10319. type: string
  10320. required:
  10321. - kind
  10322. - name
  10323. type: object
  10324. storeRef:
  10325. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  10326. properties:
  10327. kind:
  10328. description: |-
  10329. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  10330. Defaults to `SecretStore`
  10331. enum:
  10332. - SecretStore
  10333. - ClusterSecretStore
  10334. type: string
  10335. name:
  10336. description: Name of the SecretStore resource
  10337. maxLength: 253
  10338. minLength: 1
  10339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10340. type: string
  10341. type: object
  10342. type: object
  10343. required:
  10344. - remoteRef
  10345. - secretKey
  10346. type: object
  10347. type: array
  10348. dataFrom:
  10349. description: |-
  10350. DataFrom is used to fetch all properties from a specific Provider data
  10351. If multiple entries are specified, the Secret keys are merged in the specified order
  10352. items:
  10353. properties:
  10354. extract:
  10355. description: |-
  10356. Used to extract multiple key/value pairs from one secret
  10357. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  10358. properties:
  10359. conversionStrategy:
  10360. default: Default
  10361. description: Used to define a conversion Strategy
  10362. enum:
  10363. - Default
  10364. - Unicode
  10365. type: string
  10366. decodingStrategy:
  10367. default: None
  10368. description: Used to define a decoding Strategy
  10369. enum:
  10370. - Auto
  10371. - Base64
  10372. - Base64URL
  10373. - None
  10374. type: string
  10375. key:
  10376. description: Key is the key used in the Provider, mandatory
  10377. type: string
  10378. metadataPolicy:
  10379. default: None
  10380. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  10381. enum:
  10382. - None
  10383. - Fetch
  10384. type: string
  10385. property:
  10386. description: Used to select a specific property of the Provider value (if a map), if supported
  10387. type: string
  10388. version:
  10389. description: Used to select a specific version of the Provider value, if supported
  10390. type: string
  10391. required:
  10392. - key
  10393. type: object
  10394. find:
  10395. description: |-
  10396. Used to find secrets based on tags or regular expressions
  10397. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  10398. properties:
  10399. conversionStrategy:
  10400. default: Default
  10401. description: Used to define a conversion Strategy
  10402. enum:
  10403. - Default
  10404. - Unicode
  10405. type: string
  10406. decodingStrategy:
  10407. default: None
  10408. description: Used to define a decoding Strategy
  10409. enum:
  10410. - Auto
  10411. - Base64
  10412. - Base64URL
  10413. - None
  10414. type: string
  10415. name:
  10416. description: Finds secrets based on the name.
  10417. properties:
  10418. regexp:
  10419. description: Finds secrets base
  10420. type: string
  10421. type: object
  10422. path:
  10423. description: A root path to start the find operations.
  10424. type: string
  10425. tags:
  10426. additionalProperties:
  10427. type: string
  10428. description: Find secrets based on tags.
  10429. type: object
  10430. type: object
  10431. rewrite:
  10432. description: |-
  10433. Used to rewrite secret Keys after getting them from the secret Provider
  10434. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  10435. items:
  10436. properties:
  10437. regexp:
  10438. description: |-
  10439. Used to rewrite with regular expressions.
  10440. The resulting key will be the output of a regexp.ReplaceAll operation.
  10441. properties:
  10442. source:
  10443. description: Used to define the regular expression of a re.Compiler.
  10444. type: string
  10445. target:
  10446. description: Used to define the target pattern of a ReplaceAll operation.
  10447. type: string
  10448. required:
  10449. - source
  10450. - target
  10451. type: object
  10452. transform:
  10453. description: |-
  10454. Used to apply string transformation on the secrets.
  10455. The resulting key will be the output of the template applied by the operation.
  10456. properties:
  10457. template:
  10458. description: |-
  10459. Used to define the template to apply on the secret name.
  10460. `.value ` will specify the secret name in the template.
  10461. type: string
  10462. required:
  10463. - template
  10464. type: object
  10465. type: object
  10466. type: array
  10467. sourceRef:
  10468. description: |-
  10469. SourceRef points to a store or generator
  10470. which contains secret values ready to use.
  10471. Use this in combination with Extract or Find pull values out of
  10472. a specific SecretStore.
  10473. When sourceRef points to a generator Extract or Find is not supported.
  10474. The generator returns a static map of values
  10475. maxProperties: 1
  10476. minProperties: 1
  10477. properties:
  10478. generatorRef:
  10479. description: GeneratorRef points to a generator custom resource.
  10480. properties:
  10481. apiVersion:
  10482. default: generators.external-secrets.io/v1alpha1
  10483. description: Specify the apiVersion of the generator resource
  10484. type: string
  10485. kind:
  10486. description: Specify the Kind of the generator resource
  10487. enum:
  10488. - ACRAccessToken
  10489. - ClusterGenerator
  10490. - ECRAuthorizationToken
  10491. - Fake
  10492. - GCRAccessToken
  10493. - GithubAccessToken
  10494. - QuayAccessToken
  10495. - Password
  10496. - STSSessionToken
  10497. - UUID
  10498. - VaultDynamicSecret
  10499. - Webhook
  10500. - Grafana
  10501. type: string
  10502. name:
  10503. description: Specify the name of the generator resource
  10504. maxLength: 253
  10505. minLength: 1
  10506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10507. type: string
  10508. required:
  10509. - kind
  10510. - name
  10511. type: object
  10512. storeRef:
  10513. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  10514. properties:
  10515. kind:
  10516. description: |-
  10517. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  10518. Defaults to `SecretStore`
  10519. enum:
  10520. - SecretStore
  10521. - ClusterSecretStore
  10522. type: string
  10523. name:
  10524. description: Name of the SecretStore resource
  10525. maxLength: 253
  10526. minLength: 1
  10527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10528. type: string
  10529. type: object
  10530. type: object
  10531. type: object
  10532. type: array
  10533. refreshInterval:
  10534. default: 1h
  10535. description: |-
  10536. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  10537. specified as Golang Duration strings.
  10538. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  10539. Example values: "1h", "2h30m", "10s"
  10540. May be set to zero to fetch and create it once. Defaults to 1h.
  10541. type: string
  10542. refreshPolicy:
  10543. description: |-
  10544. RefreshPolicy determines how the ExternalSecret should be refreshed:
  10545. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  10546. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  10547. No periodic updates occur if refreshInterval is 0.
  10548. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  10549. enum:
  10550. - CreatedOnce
  10551. - Periodic
  10552. - OnChange
  10553. type: string
  10554. secretStoreRef:
  10555. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  10556. properties:
  10557. kind:
  10558. description: |-
  10559. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  10560. Defaults to `SecretStore`
  10561. enum:
  10562. - SecretStore
  10563. - ClusterSecretStore
  10564. type: string
  10565. name:
  10566. description: Name of the SecretStore resource
  10567. maxLength: 253
  10568. minLength: 1
  10569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10570. type: string
  10571. type: object
  10572. target:
  10573. default:
  10574. creationPolicy: Owner
  10575. deletionPolicy: Retain
  10576. description: |-
  10577. ExternalSecretTarget defines the Kubernetes Secret to be created
  10578. There can be only one target per ExternalSecret.
  10579. properties:
  10580. creationPolicy:
  10581. default: Owner
  10582. description: |-
  10583. CreationPolicy defines rules on how to create the resulting Secret.
  10584. Defaults to "Owner"
  10585. enum:
  10586. - Owner
  10587. - Orphan
  10588. - Merge
  10589. - None
  10590. type: string
  10591. deletionPolicy:
  10592. default: Retain
  10593. description: |-
  10594. DeletionPolicy defines rules on how to delete the resulting Secret.
  10595. Defaults to "Retain"
  10596. enum:
  10597. - Delete
  10598. - Merge
  10599. - Retain
  10600. type: string
  10601. immutable:
  10602. description: Immutable defines if the final secret will be immutable
  10603. type: boolean
  10604. name:
  10605. description: |-
  10606. The name of the Secret resource to be managed.
  10607. Defaults to the .metadata.name of the ExternalSecret resource
  10608. maxLength: 253
  10609. minLength: 1
  10610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10611. type: string
  10612. template:
  10613. description: Template defines a blueprint for the created Secret resource.
  10614. properties:
  10615. data:
  10616. additionalProperties:
  10617. type: string
  10618. type: object
  10619. engineVersion:
  10620. default: v2
  10621. description: |-
  10622. EngineVersion specifies the template engine version
  10623. that should be used to compile/execute the
  10624. template specified in .data and .templateFrom[].
  10625. enum:
  10626. - v2
  10627. type: string
  10628. mergePolicy:
  10629. default: Replace
  10630. enum:
  10631. - Replace
  10632. - Merge
  10633. type: string
  10634. metadata:
  10635. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  10636. properties:
  10637. annotations:
  10638. additionalProperties:
  10639. type: string
  10640. type: object
  10641. labels:
  10642. additionalProperties:
  10643. type: string
  10644. type: object
  10645. type: object
  10646. templateFrom:
  10647. items:
  10648. properties:
  10649. configMap:
  10650. properties:
  10651. items:
  10652. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  10653. items:
  10654. properties:
  10655. key:
  10656. description: A key in the ConfigMap/Secret
  10657. maxLength: 253
  10658. minLength: 1
  10659. pattern: ^[-._a-zA-Z0-9]+$
  10660. type: string
  10661. templateAs:
  10662. default: Values
  10663. enum:
  10664. - Values
  10665. - KeysAndValues
  10666. type: string
  10667. required:
  10668. - key
  10669. type: object
  10670. type: array
  10671. name:
  10672. description: The name of the ConfigMap/Secret resource
  10673. maxLength: 253
  10674. minLength: 1
  10675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10676. type: string
  10677. required:
  10678. - items
  10679. - name
  10680. type: object
  10681. literal:
  10682. type: string
  10683. secret:
  10684. properties:
  10685. items:
  10686. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  10687. items:
  10688. properties:
  10689. key:
  10690. description: A key in the ConfigMap/Secret
  10691. maxLength: 253
  10692. minLength: 1
  10693. pattern: ^[-._a-zA-Z0-9]+$
  10694. type: string
  10695. templateAs:
  10696. default: Values
  10697. enum:
  10698. - Values
  10699. - KeysAndValues
  10700. type: string
  10701. required:
  10702. - key
  10703. type: object
  10704. type: array
  10705. name:
  10706. description: The name of the ConfigMap/Secret resource
  10707. maxLength: 253
  10708. minLength: 1
  10709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10710. type: string
  10711. required:
  10712. - items
  10713. - name
  10714. type: object
  10715. target:
  10716. default: Data
  10717. enum:
  10718. - Data
  10719. - Annotations
  10720. - Labels
  10721. type: string
  10722. type: object
  10723. type: array
  10724. type:
  10725. type: string
  10726. type: object
  10727. type: object
  10728. type: object
  10729. status:
  10730. properties:
  10731. binding:
  10732. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  10733. properties:
  10734. name:
  10735. default: ""
  10736. description: |-
  10737. Name of the referent.
  10738. This field is effectively required, but due to backwards compatibility is
  10739. allowed to be empty. Instances of this type with an empty value here are
  10740. almost certainly wrong.
  10741. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  10742. type: string
  10743. type: object
  10744. x-kubernetes-map-type: atomic
  10745. conditions:
  10746. items:
  10747. properties:
  10748. lastTransitionTime:
  10749. format: date-time
  10750. type: string
  10751. message:
  10752. type: string
  10753. reason:
  10754. type: string
  10755. status:
  10756. type: string
  10757. type:
  10758. type: string
  10759. required:
  10760. - status
  10761. - type
  10762. type: object
  10763. type: array
  10764. refreshTime:
  10765. description: |-
  10766. refreshTime is the time and date the external secret was fetched and
  10767. the target secret updated
  10768. format: date-time
  10769. nullable: true
  10770. type: string
  10771. syncedResourceVersion:
  10772. description: SyncedResourceVersion keeps track of the last synced version
  10773. type: string
  10774. type: object
  10775. type: object
  10776. served: true
  10777. storage: true
  10778. subresources:
  10779. status: {}
  10780. - additionalPrinterColumns:
  10781. - jsonPath: .spec.secretStoreRef.kind
  10782. name: StoreType
  10783. type: string
  10784. - jsonPath: .spec.secretStoreRef.name
  10785. name: Store
  10786. type: string
  10787. - jsonPath: .spec.refreshInterval
  10788. name: Refresh Interval
  10789. type: string
  10790. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  10791. name: Status
  10792. type: string
  10793. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  10794. name: Ready
  10795. type: string
  10796. name: v1beta1
  10797. schema:
  10798. openAPIV3Schema:
  10799. description: ExternalSecret is the Schema for the external-secrets API.
  10800. properties:
  10801. apiVersion:
  10802. description: |-
  10803. APIVersion defines the versioned schema of this representation of an object.
  10804. Servers should convert recognized schemas to the latest internal value, and
  10805. may reject unrecognized values.
  10806. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10807. type: string
  10808. kind:
  10809. description: |-
  10810. Kind is a string value representing the REST resource this object represents.
  10811. Servers may infer this from the endpoint the client submits requests to.
  10812. Cannot be updated.
  10813. In CamelCase.
  10814. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10815. type: string
  10816. metadata:
  10817. type: object
  10818. spec:
  10819. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  10820. properties:
  10821. data:
  10822. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  10823. items:
  10824. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  10825. properties:
  10826. remoteRef:
  10827. description: |-
  10828. RemoteRef points to the remote secret and defines
  10829. which secret (version/property/..) to fetch.
  10830. properties:
  10831. conversionStrategy:
  10832. default: Default
  10833. description: Used to define a conversion Strategy
  10834. enum:
  10835. - Default
  10836. - Unicode
  10837. type: string
  10838. decodingStrategy:
  10839. default: None
  10840. description: Used to define a decoding Strategy
  10841. enum:
  10842. - Auto
  10843. - Base64
  10844. - Base64URL
  10845. - None
  10846. type: string
  10847. key:
  10848. description: Key is the key used in the Provider, mandatory
  10849. type: string
  10850. metadataPolicy:
  10851. default: None
  10852. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  10853. enum:
  10854. - None
  10855. - Fetch
  10856. type: string
  10857. property:
  10858. description: Used to select a specific property of the Provider value (if a map), if supported
  10859. type: string
  10860. version:
  10861. description: Used to select a specific version of the Provider value, if supported
  10862. type: string
  10863. required:
  10864. - key
  10865. type: object
  10866. secretKey:
  10867. description: The key in the Kubernetes Secret to store the value.
  10868. maxLength: 253
  10869. minLength: 1
  10870. pattern: ^[-._a-zA-Z0-9]+$
  10871. type: string
  10872. sourceRef:
  10873. description: |-
  10874. SourceRef allows you to override the source
  10875. from which the value will be pulled.
  10876. maxProperties: 1
  10877. minProperties: 1
  10878. properties:
  10879. generatorRef:
  10880. description: |-
  10881. GeneratorRef points to a generator custom resource.
  10882. Deprecated: The generatorRef is not implemented in .data[].
  10883. this will be removed with v1.
  10884. properties:
  10885. apiVersion:
  10886. default: generators.external-secrets.io/v1alpha1
  10887. description: Specify the apiVersion of the generator resource
  10888. type: string
  10889. kind:
  10890. description: Specify the Kind of the generator resource
  10891. enum:
  10892. - ACRAccessToken
  10893. - ClusterGenerator
  10894. - ECRAuthorizationToken
  10895. - Fake
  10896. - GCRAccessToken
  10897. - GithubAccessToken
  10898. - QuayAccessToken
  10899. - Password
  10900. - STSSessionToken
  10901. - UUID
  10902. - VaultDynamicSecret
  10903. - Webhook
  10904. - Grafana
  10905. type: string
  10906. name:
  10907. description: Specify the name of the generator resource
  10908. maxLength: 253
  10909. minLength: 1
  10910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10911. type: string
  10912. required:
  10913. - kind
  10914. - name
  10915. type: object
  10916. storeRef:
  10917. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  10918. properties:
  10919. kind:
  10920. description: |-
  10921. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  10922. Defaults to `SecretStore`
  10923. enum:
  10924. - SecretStore
  10925. - ClusterSecretStore
  10926. type: string
  10927. name:
  10928. description: Name of the SecretStore resource
  10929. maxLength: 253
  10930. minLength: 1
  10931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10932. type: string
  10933. type: object
  10934. type: object
  10935. required:
  10936. - remoteRef
  10937. - secretKey
  10938. type: object
  10939. type: array
  10940. dataFrom:
  10941. description: |-
  10942. DataFrom is used to fetch all properties from a specific Provider data
  10943. If multiple entries are specified, the Secret keys are merged in the specified order
  10944. items:
  10945. properties:
  10946. extract:
  10947. description: |-
  10948. Used to extract multiple key/value pairs from one secret
  10949. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  10950. properties:
  10951. conversionStrategy:
  10952. default: Default
  10953. description: Used to define a conversion Strategy
  10954. enum:
  10955. - Default
  10956. - Unicode
  10957. type: string
  10958. decodingStrategy:
  10959. default: None
  10960. description: Used to define a decoding Strategy
  10961. enum:
  10962. - Auto
  10963. - Base64
  10964. - Base64URL
  10965. - None
  10966. type: string
  10967. key:
  10968. description: Key is the key used in the Provider, mandatory
  10969. type: string
  10970. metadataPolicy:
  10971. default: None
  10972. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  10973. enum:
  10974. - None
  10975. - Fetch
  10976. type: string
  10977. property:
  10978. description: Used to select a specific property of the Provider value (if a map), if supported
  10979. type: string
  10980. version:
  10981. description: Used to select a specific version of the Provider value, if supported
  10982. type: string
  10983. required:
  10984. - key
  10985. type: object
  10986. find:
  10987. description: |-
  10988. Used to find secrets based on tags or regular expressions
  10989. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  10990. properties:
  10991. conversionStrategy:
  10992. default: Default
  10993. description: Used to define a conversion Strategy
  10994. enum:
  10995. - Default
  10996. - Unicode
  10997. type: string
  10998. decodingStrategy:
  10999. default: None
  11000. description: Used to define a decoding Strategy
  11001. enum:
  11002. - Auto
  11003. - Base64
  11004. - Base64URL
  11005. - None
  11006. type: string
  11007. name:
  11008. description: Finds secrets based on the name.
  11009. properties:
  11010. regexp:
  11011. description: Finds secrets base
  11012. type: string
  11013. type: object
  11014. path:
  11015. description: A root path to start the find operations.
  11016. type: string
  11017. tags:
  11018. additionalProperties:
  11019. type: string
  11020. description: Find secrets based on tags.
  11021. type: object
  11022. type: object
  11023. rewrite:
  11024. description: |-
  11025. Used to rewrite secret Keys after getting them from the secret Provider
  11026. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  11027. items:
  11028. properties:
  11029. regexp:
  11030. description: |-
  11031. Used to rewrite with regular expressions.
  11032. The resulting key will be the output of a regexp.ReplaceAll operation.
  11033. properties:
  11034. source:
  11035. description: Used to define the regular expression of a re.Compiler.
  11036. type: string
  11037. target:
  11038. description: Used to define the target pattern of a ReplaceAll operation.
  11039. type: string
  11040. required:
  11041. - source
  11042. - target
  11043. type: object
  11044. transform:
  11045. description: |-
  11046. Used to apply string transformation on the secrets.
  11047. The resulting key will be the output of the template applied by the operation.
  11048. properties:
  11049. template:
  11050. description: |-
  11051. Used to define the template to apply on the secret name.
  11052. `.value ` will specify the secret name in the template.
  11053. type: string
  11054. required:
  11055. - template
  11056. type: object
  11057. type: object
  11058. type: array
  11059. sourceRef:
  11060. description: |-
  11061. SourceRef points to a store or generator
  11062. which contains secret values ready to use.
  11063. Use this in combination with Extract or Find pull values out of
  11064. a specific SecretStore.
  11065. When sourceRef points to a generator Extract or Find is not supported.
  11066. The generator returns a static map of values
  11067. maxProperties: 1
  11068. minProperties: 1
  11069. properties:
  11070. generatorRef:
  11071. description: GeneratorRef points to a generator custom resource.
  11072. properties:
  11073. apiVersion:
  11074. default: generators.external-secrets.io/v1alpha1
  11075. description: Specify the apiVersion of the generator resource
  11076. type: string
  11077. kind:
  11078. description: Specify the Kind of the generator resource
  11079. enum:
  11080. - ACRAccessToken
  11081. - ClusterGenerator
  11082. - ECRAuthorizationToken
  11083. - Fake
  11084. - GCRAccessToken
  11085. - GithubAccessToken
  11086. - QuayAccessToken
  11087. - Password
  11088. - STSSessionToken
  11089. - UUID
  11090. - VaultDynamicSecret
  11091. - Webhook
  11092. - Grafana
  11093. type: string
  11094. name:
  11095. description: Specify the name of the generator resource
  11096. maxLength: 253
  11097. minLength: 1
  11098. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11099. type: string
  11100. required:
  11101. - kind
  11102. - name
  11103. type: object
  11104. storeRef:
  11105. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  11106. properties:
  11107. kind:
  11108. description: |-
  11109. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  11110. Defaults to `SecretStore`
  11111. enum:
  11112. - SecretStore
  11113. - ClusterSecretStore
  11114. type: string
  11115. name:
  11116. description: Name of the SecretStore resource
  11117. maxLength: 253
  11118. minLength: 1
  11119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11120. type: string
  11121. type: object
  11122. type: object
  11123. type: object
  11124. type: array
  11125. refreshInterval:
  11126. default: 1h
  11127. description: |-
  11128. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  11129. specified as Golang Duration strings.
  11130. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  11131. Example values: "1h", "2h30m", "10s"
  11132. May be set to zero to fetch and create it once. Defaults to 1h.
  11133. type: string
  11134. refreshPolicy:
  11135. description: |-
  11136. RefreshPolicy determines how the ExternalSecret should be refreshed:
  11137. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  11138. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  11139. No periodic updates occur if refreshInterval is 0.
  11140. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  11141. enum:
  11142. - CreatedOnce
  11143. - Periodic
  11144. - OnChange
  11145. type: string
  11146. secretStoreRef:
  11147. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  11148. properties:
  11149. kind:
  11150. description: |-
  11151. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  11152. Defaults to `SecretStore`
  11153. enum:
  11154. - SecretStore
  11155. - ClusterSecretStore
  11156. type: string
  11157. name:
  11158. description: Name of the SecretStore resource
  11159. maxLength: 253
  11160. minLength: 1
  11161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11162. type: string
  11163. type: object
  11164. target:
  11165. default:
  11166. creationPolicy: Owner
  11167. deletionPolicy: Retain
  11168. description: |-
  11169. ExternalSecretTarget defines the Kubernetes Secret to be created
  11170. There can be only one target per ExternalSecret.
  11171. properties:
  11172. creationPolicy:
  11173. default: Owner
  11174. description: |-
  11175. CreationPolicy defines rules on how to create the resulting Secret.
  11176. Defaults to "Owner"
  11177. enum:
  11178. - Owner
  11179. - Orphan
  11180. - Merge
  11181. - None
  11182. type: string
  11183. deletionPolicy:
  11184. default: Retain
  11185. description: |-
  11186. DeletionPolicy defines rules on how to delete the resulting Secret.
  11187. Defaults to "Retain"
  11188. enum:
  11189. - Delete
  11190. - Merge
  11191. - Retain
  11192. type: string
  11193. immutable:
  11194. description: Immutable defines if the final secret will be immutable
  11195. type: boolean
  11196. name:
  11197. description: |-
  11198. The name of the Secret resource to be managed.
  11199. Defaults to the .metadata.name of the ExternalSecret resource
  11200. maxLength: 253
  11201. minLength: 1
  11202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11203. type: string
  11204. template:
  11205. description: Template defines a blueprint for the created Secret resource.
  11206. properties:
  11207. data:
  11208. additionalProperties:
  11209. type: string
  11210. type: object
  11211. engineVersion:
  11212. default: v2
  11213. description: |-
  11214. EngineVersion specifies the template engine version
  11215. that should be used to compile/execute the
  11216. template specified in .data and .templateFrom[].
  11217. enum:
  11218. - v2
  11219. type: string
  11220. mergePolicy:
  11221. default: Replace
  11222. enum:
  11223. - Replace
  11224. - Merge
  11225. type: string
  11226. metadata:
  11227. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  11228. properties:
  11229. annotations:
  11230. additionalProperties:
  11231. type: string
  11232. type: object
  11233. labels:
  11234. additionalProperties:
  11235. type: string
  11236. type: object
  11237. type: object
  11238. templateFrom:
  11239. items:
  11240. properties:
  11241. configMap:
  11242. properties:
  11243. items:
  11244. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  11245. items:
  11246. properties:
  11247. key:
  11248. description: A key in the ConfigMap/Secret
  11249. maxLength: 253
  11250. minLength: 1
  11251. pattern: ^[-._a-zA-Z0-9]+$
  11252. type: string
  11253. templateAs:
  11254. default: Values
  11255. enum:
  11256. - Values
  11257. - KeysAndValues
  11258. type: string
  11259. required:
  11260. - key
  11261. type: object
  11262. type: array
  11263. name:
  11264. description: The name of the ConfigMap/Secret resource
  11265. maxLength: 253
  11266. minLength: 1
  11267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11268. type: string
  11269. required:
  11270. - items
  11271. - name
  11272. type: object
  11273. literal:
  11274. type: string
  11275. secret:
  11276. properties:
  11277. items:
  11278. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  11279. items:
  11280. properties:
  11281. key:
  11282. description: A key in the ConfigMap/Secret
  11283. maxLength: 253
  11284. minLength: 1
  11285. pattern: ^[-._a-zA-Z0-9]+$
  11286. type: string
  11287. templateAs:
  11288. default: Values
  11289. enum:
  11290. - Values
  11291. - KeysAndValues
  11292. type: string
  11293. required:
  11294. - key
  11295. type: object
  11296. type: array
  11297. name:
  11298. description: The name of the ConfigMap/Secret resource
  11299. maxLength: 253
  11300. minLength: 1
  11301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11302. type: string
  11303. required:
  11304. - items
  11305. - name
  11306. type: object
  11307. target:
  11308. default: Data
  11309. enum:
  11310. - Data
  11311. - Annotations
  11312. - Labels
  11313. type: string
  11314. type: object
  11315. type: array
  11316. type:
  11317. type: string
  11318. type: object
  11319. type: object
  11320. type: object
  11321. status:
  11322. properties:
  11323. binding:
  11324. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  11325. properties:
  11326. name:
  11327. default: ""
  11328. description: |-
  11329. Name of the referent.
  11330. This field is effectively required, but due to backwards compatibility is
  11331. allowed to be empty. Instances of this type with an empty value here are
  11332. almost certainly wrong.
  11333. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  11334. type: string
  11335. type: object
  11336. x-kubernetes-map-type: atomic
  11337. conditions:
  11338. items:
  11339. properties:
  11340. lastTransitionTime:
  11341. format: date-time
  11342. type: string
  11343. message:
  11344. type: string
  11345. reason:
  11346. type: string
  11347. status:
  11348. type: string
  11349. type:
  11350. type: string
  11351. required:
  11352. - status
  11353. - type
  11354. type: object
  11355. type: array
  11356. refreshTime:
  11357. description: |-
  11358. refreshTime is the time and date the external secret was fetched and
  11359. the target secret updated
  11360. format: date-time
  11361. nullable: true
  11362. type: string
  11363. syncedResourceVersion:
  11364. description: SyncedResourceVersion keeps track of the last synced version
  11365. type: string
  11366. type: object
  11367. type: object
  11368. served: true
  11369. storage: false
  11370. subresources:
  11371. status: {}
  11372. conversion:
  11373. strategy: Webhook
  11374. webhook:
  11375. conversionReviewVersions:
  11376. - v1
  11377. clientConfig:
  11378. service:
  11379. name: kubernetes
  11380. namespace: default
  11381. path: /convert
  11382. ---
  11383. apiVersion: apiextensions.k8s.io/v1
  11384. kind: CustomResourceDefinition
  11385. metadata:
  11386. annotations:
  11387. controller-gen.kubebuilder.io/version: v0.17.3
  11388. labels:
  11389. external-secrets.io/component: controller
  11390. name: pushsecrets.external-secrets.io
  11391. spec:
  11392. group: external-secrets.io
  11393. names:
  11394. categories:
  11395. - external-secrets
  11396. kind: PushSecret
  11397. listKind: PushSecretList
  11398. plural: pushsecrets
  11399. shortNames:
  11400. - ps
  11401. singular: pushsecret
  11402. scope: Namespaced
  11403. versions:
  11404. - additionalPrinterColumns:
  11405. - jsonPath: .metadata.creationTimestamp
  11406. name: AGE
  11407. type: date
  11408. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  11409. name: Status
  11410. type: string
  11411. name: v1alpha1
  11412. schema:
  11413. openAPIV3Schema:
  11414. properties:
  11415. apiVersion:
  11416. description: |-
  11417. APIVersion defines the versioned schema of this representation of an object.
  11418. Servers should convert recognized schemas to the latest internal value, and
  11419. may reject unrecognized values.
  11420. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11421. type: string
  11422. kind:
  11423. description: |-
  11424. Kind is a string value representing the REST resource this object represents.
  11425. Servers may infer this from the endpoint the client submits requests to.
  11426. Cannot be updated.
  11427. In CamelCase.
  11428. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11429. type: string
  11430. metadata:
  11431. type: object
  11432. spec:
  11433. description: PushSecretSpec configures the behavior of the PushSecret.
  11434. properties:
  11435. data:
  11436. description: Secret Data that should be pushed to providers
  11437. items:
  11438. properties:
  11439. conversionStrategy:
  11440. default: None
  11441. description: Used to define a conversion Strategy for the secret keys
  11442. enum:
  11443. - None
  11444. - ReverseUnicode
  11445. type: string
  11446. match:
  11447. description: Match a given Secret Key to be pushed to the provider.
  11448. properties:
  11449. remoteRef:
  11450. description: Remote Refs to push to providers.
  11451. properties:
  11452. property:
  11453. description: Name of the property in the resulting secret
  11454. type: string
  11455. remoteKey:
  11456. description: Name of the resulting provider secret.
  11457. type: string
  11458. required:
  11459. - remoteKey
  11460. type: object
  11461. secretKey:
  11462. description: Secret Key to be pushed
  11463. type: string
  11464. required:
  11465. - remoteRef
  11466. type: object
  11467. metadata:
  11468. description: |-
  11469. Metadata is metadata attached to the secret.
  11470. The structure of metadata is provider specific, please look it up in the provider documentation.
  11471. x-kubernetes-preserve-unknown-fields: true
  11472. required:
  11473. - match
  11474. type: object
  11475. type: array
  11476. deletionPolicy:
  11477. default: None
  11478. description: Deletion Policy to handle Secrets in the provider.
  11479. enum:
  11480. - Delete
  11481. - None
  11482. type: string
  11483. refreshInterval:
  11484. default: 1h
  11485. description: The Interval to which External Secrets will try to push a secret definition
  11486. type: string
  11487. secretStoreRefs:
  11488. items:
  11489. properties:
  11490. kind:
  11491. default: SecretStore
  11492. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  11493. enum:
  11494. - SecretStore
  11495. - ClusterSecretStore
  11496. type: string
  11497. labelSelector:
  11498. description: Optionally, sync to secret stores with label selector
  11499. properties:
  11500. matchExpressions:
  11501. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  11502. items:
  11503. description: |-
  11504. A label selector requirement is a selector that contains values, a key, and an operator that
  11505. relates the key and values.
  11506. properties:
  11507. key:
  11508. description: key is the label key that the selector applies to.
  11509. type: string
  11510. operator:
  11511. description: |-
  11512. operator represents a key's relationship to a set of values.
  11513. Valid operators are In, NotIn, Exists and DoesNotExist.
  11514. type: string
  11515. values:
  11516. description: |-
  11517. values is an array of string values. If the operator is In or NotIn,
  11518. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  11519. the values array must be empty. This array is replaced during a strategic
  11520. merge patch.
  11521. items:
  11522. type: string
  11523. type: array
  11524. x-kubernetes-list-type: atomic
  11525. required:
  11526. - key
  11527. - operator
  11528. type: object
  11529. type: array
  11530. x-kubernetes-list-type: atomic
  11531. matchLabels:
  11532. additionalProperties:
  11533. type: string
  11534. description: |-
  11535. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  11536. map is equivalent to an element of matchExpressions, whose key field is "key", the
  11537. operator is "In", and the values array contains only "value". The requirements are ANDed.
  11538. type: object
  11539. type: object
  11540. x-kubernetes-map-type: atomic
  11541. name:
  11542. description: Optionally, sync to the SecretStore of the given name
  11543. maxLength: 253
  11544. minLength: 1
  11545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11546. type: string
  11547. type: object
  11548. type: array
  11549. selector:
  11550. description: The Secret Selector (k8s source) for the Push Secret
  11551. maxProperties: 1
  11552. minProperties: 1
  11553. properties:
  11554. generatorRef:
  11555. description: Point to a generator to create a Secret.
  11556. properties:
  11557. apiVersion:
  11558. default: generators.external-secrets.io/v1alpha1
  11559. description: Specify the apiVersion of the generator resource
  11560. type: string
  11561. kind:
  11562. description: Specify the Kind of the generator resource
  11563. enum:
  11564. - ACRAccessToken
  11565. - ClusterGenerator
  11566. - ECRAuthorizationToken
  11567. - Fake
  11568. - GCRAccessToken
  11569. - GithubAccessToken
  11570. - QuayAccessToken
  11571. - Password
  11572. - STSSessionToken
  11573. - UUID
  11574. - VaultDynamicSecret
  11575. - Webhook
  11576. - Grafana
  11577. type: string
  11578. name:
  11579. description: Specify the name of the generator resource
  11580. maxLength: 253
  11581. minLength: 1
  11582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11583. type: string
  11584. required:
  11585. - kind
  11586. - name
  11587. type: object
  11588. secret:
  11589. description: Select a Secret to Push.
  11590. properties:
  11591. name:
  11592. description: |-
  11593. Name of the Secret.
  11594. The Secret must exist in the same namespace as the PushSecret manifest.
  11595. maxLength: 253
  11596. minLength: 1
  11597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11598. type: string
  11599. selector:
  11600. description: Selector chooses secrets using a labelSelector.
  11601. properties:
  11602. matchExpressions:
  11603. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  11604. items:
  11605. description: |-
  11606. A label selector requirement is a selector that contains values, a key, and an operator that
  11607. relates the key and values.
  11608. properties:
  11609. key:
  11610. description: key is the label key that the selector applies to.
  11611. type: string
  11612. operator:
  11613. description: |-
  11614. operator represents a key's relationship to a set of values.
  11615. Valid operators are In, NotIn, Exists and DoesNotExist.
  11616. type: string
  11617. values:
  11618. description: |-
  11619. values is an array of string values. If the operator is In or NotIn,
  11620. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  11621. the values array must be empty. This array is replaced during a strategic
  11622. merge patch.
  11623. items:
  11624. type: string
  11625. type: array
  11626. x-kubernetes-list-type: atomic
  11627. required:
  11628. - key
  11629. - operator
  11630. type: object
  11631. type: array
  11632. x-kubernetes-list-type: atomic
  11633. matchLabels:
  11634. additionalProperties:
  11635. type: string
  11636. description: |-
  11637. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  11638. map is equivalent to an element of matchExpressions, whose key field is "key", the
  11639. operator is "In", and the values array contains only "value". The requirements are ANDed.
  11640. type: object
  11641. type: object
  11642. x-kubernetes-map-type: atomic
  11643. type: object
  11644. type: object
  11645. template:
  11646. description: Template defines a blueprint for the created Secret resource.
  11647. properties:
  11648. data:
  11649. additionalProperties:
  11650. type: string
  11651. type: object
  11652. engineVersion:
  11653. default: v2
  11654. description: |-
  11655. EngineVersion specifies the template engine version
  11656. that should be used to compile/execute the
  11657. template specified in .data and .templateFrom[].
  11658. enum:
  11659. - v2
  11660. type: string
  11661. mergePolicy:
  11662. default: Replace
  11663. enum:
  11664. - Replace
  11665. - Merge
  11666. type: string
  11667. metadata:
  11668. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  11669. properties:
  11670. annotations:
  11671. additionalProperties:
  11672. type: string
  11673. type: object
  11674. labels:
  11675. additionalProperties:
  11676. type: string
  11677. type: object
  11678. type: object
  11679. templateFrom:
  11680. items:
  11681. properties:
  11682. configMap:
  11683. properties:
  11684. items:
  11685. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  11686. items:
  11687. properties:
  11688. key:
  11689. description: A key in the ConfigMap/Secret
  11690. maxLength: 253
  11691. minLength: 1
  11692. pattern: ^[-._a-zA-Z0-9]+$
  11693. type: string
  11694. templateAs:
  11695. default: Values
  11696. enum:
  11697. - Values
  11698. - KeysAndValues
  11699. type: string
  11700. required:
  11701. - key
  11702. type: object
  11703. type: array
  11704. name:
  11705. description: The name of the ConfigMap/Secret resource
  11706. maxLength: 253
  11707. minLength: 1
  11708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11709. type: string
  11710. required:
  11711. - items
  11712. - name
  11713. type: object
  11714. literal:
  11715. type: string
  11716. secret:
  11717. properties:
  11718. items:
  11719. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  11720. items:
  11721. properties:
  11722. key:
  11723. description: A key in the ConfigMap/Secret
  11724. maxLength: 253
  11725. minLength: 1
  11726. pattern: ^[-._a-zA-Z0-9]+$
  11727. type: string
  11728. templateAs:
  11729. default: Values
  11730. enum:
  11731. - Values
  11732. - KeysAndValues
  11733. type: string
  11734. required:
  11735. - key
  11736. type: object
  11737. type: array
  11738. name:
  11739. description: The name of the ConfigMap/Secret resource
  11740. maxLength: 253
  11741. minLength: 1
  11742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11743. type: string
  11744. required:
  11745. - items
  11746. - name
  11747. type: object
  11748. target:
  11749. default: Data
  11750. enum:
  11751. - Data
  11752. - Annotations
  11753. - Labels
  11754. type: string
  11755. type: object
  11756. type: array
  11757. type:
  11758. type: string
  11759. type: object
  11760. updatePolicy:
  11761. default: Replace
  11762. description: UpdatePolicy to handle Secrets in the provider.
  11763. enum:
  11764. - Replace
  11765. - IfNotExists
  11766. type: string
  11767. required:
  11768. - secretStoreRefs
  11769. - selector
  11770. type: object
  11771. status:
  11772. description: PushSecretStatus indicates the history of the status of PushSecret.
  11773. properties:
  11774. conditions:
  11775. items:
  11776. description: PushSecretStatusCondition indicates the status of the PushSecret.
  11777. properties:
  11778. lastTransitionTime:
  11779. format: date-time
  11780. type: string
  11781. message:
  11782. type: string
  11783. reason:
  11784. type: string
  11785. status:
  11786. type: string
  11787. type:
  11788. description: PushSecretConditionType indicates the condition of the PushSecret.
  11789. type: string
  11790. required:
  11791. - status
  11792. - type
  11793. type: object
  11794. type: array
  11795. refreshTime:
  11796. description: |-
  11797. refreshTime is the time and date the external secret was fetched and
  11798. the target secret updated
  11799. format: date-time
  11800. nullable: true
  11801. type: string
  11802. syncedPushSecrets:
  11803. additionalProperties:
  11804. additionalProperties:
  11805. properties:
  11806. conversionStrategy:
  11807. default: None
  11808. description: Used to define a conversion Strategy for the secret keys
  11809. enum:
  11810. - None
  11811. - ReverseUnicode
  11812. type: string
  11813. match:
  11814. description: Match a given Secret Key to be pushed to the provider.
  11815. properties:
  11816. remoteRef:
  11817. description: Remote Refs to push to providers.
  11818. properties:
  11819. property:
  11820. description: Name of the property in the resulting secret
  11821. type: string
  11822. remoteKey:
  11823. description: Name of the resulting provider secret.
  11824. type: string
  11825. required:
  11826. - remoteKey
  11827. type: object
  11828. secretKey:
  11829. description: Secret Key to be pushed
  11830. type: string
  11831. required:
  11832. - remoteRef
  11833. type: object
  11834. metadata:
  11835. description: |-
  11836. Metadata is metadata attached to the secret.
  11837. The structure of metadata is provider specific, please look it up in the provider documentation.
  11838. x-kubernetes-preserve-unknown-fields: true
  11839. required:
  11840. - match
  11841. type: object
  11842. type: object
  11843. description: |-
  11844. Synced PushSecrets, including secrets that already exist in provider.
  11845. Matches secret stores to PushSecretData that was stored to that secret store.
  11846. type: object
  11847. syncedResourceVersion:
  11848. description: SyncedResourceVersion keeps track of the last synced version.
  11849. type: string
  11850. type: object
  11851. type: object
  11852. served: true
  11853. storage: true
  11854. subresources:
  11855. status: {}
  11856. conversion:
  11857. strategy: Webhook
  11858. webhook:
  11859. conversionReviewVersions:
  11860. - v1
  11861. clientConfig:
  11862. service:
  11863. name: kubernetes
  11864. namespace: default
  11865. path: /convert
  11866. ---
  11867. apiVersion: apiextensions.k8s.io/v1
  11868. kind: CustomResourceDefinition
  11869. metadata:
  11870. annotations:
  11871. controller-gen.kubebuilder.io/version: v0.17.3
  11872. labels:
  11873. external-secrets.io/component: controller
  11874. name: secretstores.external-secrets.io
  11875. spec:
  11876. group: external-secrets.io
  11877. names:
  11878. categories:
  11879. - external-secrets
  11880. kind: SecretStore
  11881. listKind: SecretStoreList
  11882. plural: secretstores
  11883. shortNames:
  11884. - ss
  11885. singular: secretstore
  11886. scope: Namespaced
  11887. versions:
  11888. - additionalPrinterColumns:
  11889. - jsonPath: .metadata.creationTimestamp
  11890. name: AGE
  11891. type: date
  11892. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  11893. name: Status
  11894. type: string
  11895. - jsonPath: .status.capabilities
  11896. name: Capabilities
  11897. type: string
  11898. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  11899. name: Ready
  11900. type: string
  11901. name: v1
  11902. schema:
  11903. openAPIV3Schema:
  11904. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  11905. properties:
  11906. apiVersion:
  11907. description: |-
  11908. APIVersion defines the versioned schema of this representation of an object.
  11909. Servers should convert recognized schemas to the latest internal value, and
  11910. may reject unrecognized values.
  11911. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11912. type: string
  11913. kind:
  11914. description: |-
  11915. Kind is a string value representing the REST resource this object represents.
  11916. Servers may infer this from the endpoint the client submits requests to.
  11917. Cannot be updated.
  11918. In CamelCase.
  11919. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11920. type: string
  11921. metadata:
  11922. type: object
  11923. spec:
  11924. description: SecretStoreSpec defines the desired state of SecretStore.
  11925. properties:
  11926. conditions:
  11927. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  11928. items:
  11929. description: |-
  11930. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  11931. for a ClusterSecretStore instance.
  11932. properties:
  11933. namespaceRegexes:
  11934. description: Choose namespaces by using regex matching
  11935. items:
  11936. type: string
  11937. type: array
  11938. namespaceSelector:
  11939. description: Choose namespace using a labelSelector
  11940. properties:
  11941. matchExpressions:
  11942. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  11943. items:
  11944. description: |-
  11945. A label selector requirement is a selector that contains values, a key, and an operator that
  11946. relates the key and values.
  11947. properties:
  11948. key:
  11949. description: key is the label key that the selector applies to.
  11950. type: string
  11951. operator:
  11952. description: |-
  11953. operator represents a key's relationship to a set of values.
  11954. Valid operators are In, NotIn, Exists and DoesNotExist.
  11955. type: string
  11956. values:
  11957. description: |-
  11958. values is an array of string values. If the operator is In or NotIn,
  11959. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  11960. the values array must be empty. This array is replaced during a strategic
  11961. merge patch.
  11962. items:
  11963. type: string
  11964. type: array
  11965. x-kubernetes-list-type: atomic
  11966. required:
  11967. - key
  11968. - operator
  11969. type: object
  11970. type: array
  11971. x-kubernetes-list-type: atomic
  11972. matchLabels:
  11973. additionalProperties:
  11974. type: string
  11975. description: |-
  11976. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  11977. map is equivalent to an element of matchExpressions, whose key field is "key", the
  11978. operator is "In", and the values array contains only "value". The requirements are ANDed.
  11979. type: object
  11980. type: object
  11981. x-kubernetes-map-type: atomic
  11982. namespaces:
  11983. description: Choose namespaces by name
  11984. items:
  11985. maxLength: 63
  11986. minLength: 1
  11987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11988. type: string
  11989. type: array
  11990. type: object
  11991. type: array
  11992. controller:
  11993. description: |-
  11994. Used to select the correct ESO controller (think: ingress.ingressClassName)
  11995. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  11996. type: string
  11997. provider:
  11998. description: Used to configure the provider. Only one provider may be set
  11999. maxProperties: 1
  12000. minProperties: 1
  12001. properties:
  12002. akeyless:
  12003. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  12004. properties:
  12005. akeylessGWApiURL:
  12006. description: Akeyless GW API Url from which the secrets to be fetched from.
  12007. type: string
  12008. authSecretRef:
  12009. description: Auth configures how the operator authenticates with Akeyless.
  12010. properties:
  12011. kubernetesAuth:
  12012. description: |-
  12013. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  12014. token stored in the named Secret resource.
  12015. properties:
  12016. accessID:
  12017. description: the Akeyless Kubernetes auth-method access-id
  12018. type: string
  12019. k8sConfName:
  12020. description: Kubernetes-auth configuration name in Akeyless-Gateway
  12021. type: string
  12022. secretRef:
  12023. description: |-
  12024. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12025. for authenticating with Akeyless. If a name is specified without a key,
  12026. `token` is the default. If one is not specified, the one bound to
  12027. the controller will be used.
  12028. properties:
  12029. key:
  12030. description: |-
  12031. A key in the referenced Secret.
  12032. Some instances of this field may be defaulted, in others it may be required.
  12033. maxLength: 253
  12034. minLength: 1
  12035. pattern: ^[-._a-zA-Z0-9]+$
  12036. type: string
  12037. name:
  12038. description: The name of the Secret resource being referred to.
  12039. maxLength: 253
  12040. minLength: 1
  12041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12042. type: string
  12043. namespace:
  12044. description: |-
  12045. The namespace of the Secret resource being referred to.
  12046. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12047. maxLength: 63
  12048. minLength: 1
  12049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12050. type: string
  12051. type: object
  12052. serviceAccountRef:
  12053. description: |-
  12054. Optional service account field containing the name of a kubernetes ServiceAccount.
  12055. If the service account is specified, the service account secret token JWT will be used
  12056. for authenticating with Akeyless. If the service account selector is not supplied,
  12057. the secretRef will be used instead.
  12058. properties:
  12059. audiences:
  12060. description: |-
  12061. Audience specifies the `aud` claim for the service account token
  12062. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12063. then this audiences will be appended to the list
  12064. items:
  12065. type: string
  12066. type: array
  12067. name:
  12068. description: The name of the ServiceAccount resource being referred to.
  12069. maxLength: 253
  12070. minLength: 1
  12071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12072. type: string
  12073. namespace:
  12074. description: |-
  12075. Namespace of the resource being referred to.
  12076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12077. maxLength: 63
  12078. minLength: 1
  12079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12080. type: string
  12081. required:
  12082. - name
  12083. type: object
  12084. required:
  12085. - accessID
  12086. - k8sConfName
  12087. type: object
  12088. secretRef:
  12089. description: |-
  12090. Reference to a Secret that contains the details
  12091. to authenticate with Akeyless.
  12092. properties:
  12093. accessID:
  12094. description: The SecretAccessID is used for authentication
  12095. properties:
  12096. key:
  12097. description: |-
  12098. A key in the referenced Secret.
  12099. Some instances of this field may be defaulted, in others it may be required.
  12100. maxLength: 253
  12101. minLength: 1
  12102. pattern: ^[-._a-zA-Z0-9]+$
  12103. type: string
  12104. name:
  12105. description: The name of the Secret resource being referred to.
  12106. maxLength: 253
  12107. minLength: 1
  12108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12109. type: string
  12110. namespace:
  12111. description: |-
  12112. The namespace of the Secret resource being referred to.
  12113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12114. maxLength: 63
  12115. minLength: 1
  12116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12117. type: string
  12118. type: object
  12119. accessType:
  12120. description: |-
  12121. A reference to a specific 'key' within a Secret resource.
  12122. In some instances, `key` is a required field.
  12123. properties:
  12124. key:
  12125. description: |-
  12126. A key in the referenced Secret.
  12127. Some instances of this field may be defaulted, in others it may be required.
  12128. maxLength: 253
  12129. minLength: 1
  12130. pattern: ^[-._a-zA-Z0-9]+$
  12131. type: string
  12132. name:
  12133. description: The name of the Secret resource being referred to.
  12134. maxLength: 253
  12135. minLength: 1
  12136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12137. type: string
  12138. namespace:
  12139. description: |-
  12140. The namespace of the Secret resource being referred to.
  12141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12142. maxLength: 63
  12143. minLength: 1
  12144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12145. type: string
  12146. type: object
  12147. accessTypeParam:
  12148. description: |-
  12149. A reference to a specific 'key' within a Secret resource.
  12150. In some instances, `key` is a required field.
  12151. properties:
  12152. key:
  12153. description: |-
  12154. A key in the referenced Secret.
  12155. Some instances of this field may be defaulted, in others it may be required.
  12156. maxLength: 253
  12157. minLength: 1
  12158. pattern: ^[-._a-zA-Z0-9]+$
  12159. type: string
  12160. name:
  12161. description: The name of the Secret resource being referred to.
  12162. maxLength: 253
  12163. minLength: 1
  12164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12165. type: string
  12166. namespace:
  12167. description: |-
  12168. The namespace of the Secret resource being referred to.
  12169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12170. maxLength: 63
  12171. minLength: 1
  12172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12173. type: string
  12174. type: object
  12175. type: object
  12176. type: object
  12177. caBundle:
  12178. description: |-
  12179. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  12180. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  12181. are used to validate the TLS connection.
  12182. format: byte
  12183. type: string
  12184. caProvider:
  12185. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  12186. properties:
  12187. key:
  12188. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12189. maxLength: 253
  12190. minLength: 1
  12191. pattern: ^[-._a-zA-Z0-9]+$
  12192. type: string
  12193. name:
  12194. description: The name of the object located at the provider type.
  12195. maxLength: 253
  12196. minLength: 1
  12197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12198. type: string
  12199. namespace:
  12200. description: |-
  12201. The namespace the Provider type is in.
  12202. Can only be defined when used in a ClusterSecretStore.
  12203. maxLength: 63
  12204. minLength: 1
  12205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12206. type: string
  12207. type:
  12208. description: The type of provider to use such as "Secret", or "ConfigMap".
  12209. enum:
  12210. - Secret
  12211. - ConfigMap
  12212. type: string
  12213. required:
  12214. - name
  12215. - type
  12216. type: object
  12217. required:
  12218. - akeylessGWApiURL
  12219. - authSecretRef
  12220. type: object
  12221. alibaba:
  12222. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  12223. properties:
  12224. auth:
  12225. description: AlibabaAuth contains a secretRef for credentials.
  12226. properties:
  12227. rrsa:
  12228. description: Authenticate against Alibaba using RRSA.
  12229. properties:
  12230. oidcProviderArn:
  12231. type: string
  12232. oidcTokenFilePath:
  12233. type: string
  12234. roleArn:
  12235. type: string
  12236. sessionName:
  12237. type: string
  12238. required:
  12239. - oidcProviderArn
  12240. - oidcTokenFilePath
  12241. - roleArn
  12242. - sessionName
  12243. type: object
  12244. secretRef:
  12245. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  12246. properties:
  12247. accessKeyIDSecretRef:
  12248. description: The AccessKeyID is used for authentication
  12249. properties:
  12250. key:
  12251. description: |-
  12252. A key in the referenced Secret.
  12253. Some instances of this field may be defaulted, in others it may be required.
  12254. maxLength: 253
  12255. minLength: 1
  12256. pattern: ^[-._a-zA-Z0-9]+$
  12257. type: string
  12258. name:
  12259. description: The name of the Secret resource being referred to.
  12260. maxLength: 253
  12261. minLength: 1
  12262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12263. type: string
  12264. namespace:
  12265. description: |-
  12266. The namespace of the Secret resource being referred to.
  12267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12268. maxLength: 63
  12269. minLength: 1
  12270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12271. type: string
  12272. type: object
  12273. accessKeySecretSecretRef:
  12274. description: The AccessKeySecret is used for authentication
  12275. properties:
  12276. key:
  12277. description: |-
  12278. A key in the referenced Secret.
  12279. Some instances of this field may be defaulted, in others it may be required.
  12280. maxLength: 253
  12281. minLength: 1
  12282. pattern: ^[-._a-zA-Z0-9]+$
  12283. type: string
  12284. name:
  12285. description: The name of the Secret resource being referred to.
  12286. maxLength: 253
  12287. minLength: 1
  12288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12289. type: string
  12290. namespace:
  12291. description: |-
  12292. The namespace of the Secret resource being referred to.
  12293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12294. maxLength: 63
  12295. minLength: 1
  12296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12297. type: string
  12298. type: object
  12299. required:
  12300. - accessKeyIDSecretRef
  12301. - accessKeySecretSecretRef
  12302. type: object
  12303. type: object
  12304. regionID:
  12305. description: Alibaba Region to be used for the provider
  12306. type: string
  12307. required:
  12308. - auth
  12309. - regionID
  12310. type: object
  12311. aws:
  12312. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  12313. properties:
  12314. additionalRoles:
  12315. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  12316. items:
  12317. type: string
  12318. type: array
  12319. auth:
  12320. description: |-
  12321. Auth defines the information necessary to authenticate against AWS
  12322. if not set aws sdk will infer credentials from your environment
  12323. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  12324. properties:
  12325. jwt:
  12326. description: Authenticate against AWS using service account tokens.
  12327. properties:
  12328. serviceAccountRef:
  12329. description: A reference to a ServiceAccount resource.
  12330. properties:
  12331. audiences:
  12332. description: |-
  12333. Audience specifies the `aud` claim for the service account token
  12334. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12335. then this audiences will be appended to the list
  12336. items:
  12337. type: string
  12338. type: array
  12339. name:
  12340. description: The name of the ServiceAccount resource being referred to.
  12341. maxLength: 253
  12342. minLength: 1
  12343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12344. type: string
  12345. namespace:
  12346. description: |-
  12347. Namespace of the resource being referred to.
  12348. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12349. maxLength: 63
  12350. minLength: 1
  12351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12352. type: string
  12353. required:
  12354. - name
  12355. type: object
  12356. type: object
  12357. secretRef:
  12358. description: |-
  12359. AWSAuthSecretRef holds secret references for AWS credentials
  12360. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  12361. properties:
  12362. accessKeyIDSecretRef:
  12363. description: The AccessKeyID is used for authentication
  12364. properties:
  12365. key:
  12366. description: |-
  12367. A key in the referenced Secret.
  12368. Some instances of this field may be defaulted, in others it may be required.
  12369. maxLength: 253
  12370. minLength: 1
  12371. pattern: ^[-._a-zA-Z0-9]+$
  12372. type: string
  12373. name:
  12374. description: The name of the Secret resource being referred to.
  12375. maxLength: 253
  12376. minLength: 1
  12377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12378. type: string
  12379. namespace:
  12380. description: |-
  12381. The namespace of the Secret resource being referred to.
  12382. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12383. maxLength: 63
  12384. minLength: 1
  12385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12386. type: string
  12387. type: object
  12388. secretAccessKeySecretRef:
  12389. description: The SecretAccessKey is used for authentication
  12390. properties:
  12391. key:
  12392. description: |-
  12393. A key in the referenced Secret.
  12394. Some instances of this field may be defaulted, in others it may be required.
  12395. maxLength: 253
  12396. minLength: 1
  12397. pattern: ^[-._a-zA-Z0-9]+$
  12398. type: string
  12399. name:
  12400. description: The name of the Secret resource being referred to.
  12401. maxLength: 253
  12402. minLength: 1
  12403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12404. type: string
  12405. namespace:
  12406. description: |-
  12407. The namespace of the Secret resource being referred to.
  12408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12409. maxLength: 63
  12410. minLength: 1
  12411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12412. type: string
  12413. type: object
  12414. sessionTokenSecretRef:
  12415. description: |-
  12416. The SessionToken used for authentication
  12417. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  12418. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  12419. properties:
  12420. key:
  12421. description: |-
  12422. A key in the referenced Secret.
  12423. Some instances of this field may be defaulted, in others it may be required.
  12424. maxLength: 253
  12425. minLength: 1
  12426. pattern: ^[-._a-zA-Z0-9]+$
  12427. type: string
  12428. name:
  12429. description: The name of the Secret resource being referred to.
  12430. maxLength: 253
  12431. minLength: 1
  12432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12433. type: string
  12434. namespace:
  12435. description: |-
  12436. The namespace of the Secret resource being referred to.
  12437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12438. maxLength: 63
  12439. minLength: 1
  12440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12441. type: string
  12442. type: object
  12443. type: object
  12444. type: object
  12445. externalID:
  12446. description: AWS External ID set on assumed IAM roles
  12447. type: string
  12448. prefix:
  12449. description: Prefix adds a prefix to all retrieved values.
  12450. type: string
  12451. region:
  12452. description: AWS Region to be used for the provider
  12453. type: string
  12454. role:
  12455. description: Role is a Role ARN which the provider will assume
  12456. type: string
  12457. secretsManager:
  12458. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  12459. properties:
  12460. forceDeleteWithoutRecovery:
  12461. description: |-
  12462. Specifies whether to delete the secret without any recovery window. You
  12463. can't use both this parameter and RecoveryWindowInDays in the same call.
  12464. If you don't use either, then by default Secrets Manager uses a 30 day
  12465. recovery window.
  12466. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  12467. type: boolean
  12468. recoveryWindowInDays:
  12469. description: |-
  12470. The number of days from 7 to 30 that Secrets Manager waits before
  12471. permanently deleting the secret. You can't use both this parameter and
  12472. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  12473. then by default Secrets Manager uses a 30 day recovery window.
  12474. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  12475. format: int64
  12476. type: integer
  12477. type: object
  12478. service:
  12479. description: Service defines which service should be used to fetch the secrets
  12480. enum:
  12481. - SecretsManager
  12482. - ParameterStore
  12483. type: string
  12484. sessionTags:
  12485. description: AWS STS assume role session tags
  12486. items:
  12487. properties:
  12488. key:
  12489. type: string
  12490. value:
  12491. type: string
  12492. required:
  12493. - key
  12494. - value
  12495. type: object
  12496. type: array
  12497. transitiveTagKeys:
  12498. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  12499. items:
  12500. type: string
  12501. type: array
  12502. required:
  12503. - region
  12504. - service
  12505. type: object
  12506. azurekv:
  12507. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  12508. properties:
  12509. authSecretRef:
  12510. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  12511. properties:
  12512. clientCertificate:
  12513. description: The Azure ClientCertificate of the service principle used for authentication.
  12514. properties:
  12515. key:
  12516. description: |-
  12517. A key in the referenced Secret.
  12518. Some instances of this field may be defaulted, in others it may be required.
  12519. maxLength: 253
  12520. minLength: 1
  12521. pattern: ^[-._a-zA-Z0-9]+$
  12522. type: string
  12523. name:
  12524. description: The name of the Secret resource being referred to.
  12525. maxLength: 253
  12526. minLength: 1
  12527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12528. type: string
  12529. namespace:
  12530. description: |-
  12531. The namespace of the Secret resource being referred to.
  12532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12533. maxLength: 63
  12534. minLength: 1
  12535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12536. type: string
  12537. type: object
  12538. clientId:
  12539. description: The Azure clientId of the service principle or managed identity used for authentication.
  12540. properties:
  12541. key:
  12542. description: |-
  12543. A key in the referenced Secret.
  12544. Some instances of this field may be defaulted, in others it may be required.
  12545. maxLength: 253
  12546. minLength: 1
  12547. pattern: ^[-._a-zA-Z0-9]+$
  12548. type: string
  12549. name:
  12550. description: The name of the Secret resource being referred to.
  12551. maxLength: 253
  12552. minLength: 1
  12553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12554. type: string
  12555. namespace:
  12556. description: |-
  12557. The namespace of the Secret resource being referred to.
  12558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12559. maxLength: 63
  12560. minLength: 1
  12561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12562. type: string
  12563. type: object
  12564. clientSecret:
  12565. description: The Azure ClientSecret of the service principle used for authentication.
  12566. properties:
  12567. key:
  12568. description: |-
  12569. A key in the referenced Secret.
  12570. Some instances of this field may be defaulted, in others it may be required.
  12571. maxLength: 253
  12572. minLength: 1
  12573. pattern: ^[-._a-zA-Z0-9]+$
  12574. type: string
  12575. name:
  12576. description: The name of the Secret resource being referred to.
  12577. maxLength: 253
  12578. minLength: 1
  12579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12580. type: string
  12581. namespace:
  12582. description: |-
  12583. The namespace of the Secret resource being referred to.
  12584. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12585. maxLength: 63
  12586. minLength: 1
  12587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12588. type: string
  12589. type: object
  12590. tenantId:
  12591. description: The Azure tenantId of the managed identity used for authentication.
  12592. properties:
  12593. key:
  12594. description: |-
  12595. A key in the referenced Secret.
  12596. Some instances of this field may be defaulted, in others it may be required.
  12597. maxLength: 253
  12598. minLength: 1
  12599. pattern: ^[-._a-zA-Z0-9]+$
  12600. type: string
  12601. name:
  12602. description: The name of the Secret resource being referred to.
  12603. maxLength: 253
  12604. minLength: 1
  12605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12606. type: string
  12607. namespace:
  12608. description: |-
  12609. The namespace of the Secret resource being referred to.
  12610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12611. maxLength: 63
  12612. minLength: 1
  12613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12614. type: string
  12615. type: object
  12616. type: object
  12617. authType:
  12618. default: ServicePrincipal
  12619. description: |-
  12620. Auth type defines how to authenticate to the keyvault service.
  12621. Valid values are:
  12622. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  12623. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  12624. enum:
  12625. - ServicePrincipal
  12626. - ManagedIdentity
  12627. - WorkloadIdentity
  12628. type: string
  12629. environmentType:
  12630. default: PublicCloud
  12631. description: |-
  12632. EnvironmentType specifies the Azure cloud environment endpoints to use for
  12633. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  12634. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  12635. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  12636. enum:
  12637. - PublicCloud
  12638. - USGovernmentCloud
  12639. - ChinaCloud
  12640. - GermanCloud
  12641. type: string
  12642. identityId:
  12643. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  12644. type: string
  12645. serviceAccountRef:
  12646. description: |-
  12647. ServiceAccountRef specified the service account
  12648. that should be used when authenticating with WorkloadIdentity.
  12649. properties:
  12650. audiences:
  12651. description: |-
  12652. Audience specifies the `aud` claim for the service account token
  12653. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12654. then this audiences will be appended to the list
  12655. items:
  12656. type: string
  12657. type: array
  12658. name:
  12659. description: The name of the ServiceAccount resource being referred to.
  12660. maxLength: 253
  12661. minLength: 1
  12662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12663. type: string
  12664. namespace:
  12665. description: |-
  12666. Namespace of the resource being referred to.
  12667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12668. maxLength: 63
  12669. minLength: 1
  12670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12671. type: string
  12672. required:
  12673. - name
  12674. type: object
  12675. tenantId:
  12676. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  12677. type: string
  12678. vaultUrl:
  12679. description: Vault Url from which the secrets to be fetched from.
  12680. type: string
  12681. required:
  12682. - vaultUrl
  12683. type: object
  12684. beyondtrust:
  12685. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  12686. properties:
  12687. auth:
  12688. description: Auth configures how the operator authenticates with Beyondtrust.
  12689. properties:
  12690. apiKey:
  12691. description: APIKey If not provided then ClientID/ClientSecret become required.
  12692. properties:
  12693. secretRef:
  12694. description: SecretRef references a key in a secret that will be used as value.
  12695. properties:
  12696. key:
  12697. description: |-
  12698. A key in the referenced Secret.
  12699. Some instances of this field may be defaulted, in others it may be required.
  12700. maxLength: 253
  12701. minLength: 1
  12702. pattern: ^[-._a-zA-Z0-9]+$
  12703. type: string
  12704. name:
  12705. description: The name of the Secret resource being referred to.
  12706. maxLength: 253
  12707. minLength: 1
  12708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12709. type: string
  12710. namespace:
  12711. description: |-
  12712. The namespace of the Secret resource being referred to.
  12713. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12714. maxLength: 63
  12715. minLength: 1
  12716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12717. type: string
  12718. type: object
  12719. value:
  12720. description: Value can be specified directly to set a value without using a secret.
  12721. type: string
  12722. type: object
  12723. certificate:
  12724. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  12725. properties:
  12726. secretRef:
  12727. description: SecretRef references a key in a secret that will be used as value.
  12728. properties:
  12729. key:
  12730. description: |-
  12731. A key in the referenced Secret.
  12732. Some instances of this field may be defaulted, in others it may be required.
  12733. maxLength: 253
  12734. minLength: 1
  12735. pattern: ^[-._a-zA-Z0-9]+$
  12736. type: string
  12737. name:
  12738. description: The name of the Secret resource being referred to.
  12739. maxLength: 253
  12740. minLength: 1
  12741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12742. type: string
  12743. namespace:
  12744. description: |-
  12745. The namespace of the Secret resource being referred to.
  12746. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12747. maxLength: 63
  12748. minLength: 1
  12749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12750. type: string
  12751. type: object
  12752. value:
  12753. description: Value can be specified directly to set a value without using a secret.
  12754. type: string
  12755. type: object
  12756. certificateKey:
  12757. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  12758. properties:
  12759. secretRef:
  12760. description: SecretRef references a key in a secret that will be used as value.
  12761. properties:
  12762. key:
  12763. description: |-
  12764. A key in the referenced Secret.
  12765. Some instances of this field may be defaulted, in others it may be required.
  12766. maxLength: 253
  12767. minLength: 1
  12768. pattern: ^[-._a-zA-Z0-9]+$
  12769. type: string
  12770. name:
  12771. description: The name of the Secret resource being referred to.
  12772. maxLength: 253
  12773. minLength: 1
  12774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12775. type: string
  12776. namespace:
  12777. description: |-
  12778. The namespace of the Secret resource being referred to.
  12779. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12780. maxLength: 63
  12781. minLength: 1
  12782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12783. type: string
  12784. type: object
  12785. value:
  12786. description: Value can be specified directly to set a value without using a secret.
  12787. type: string
  12788. type: object
  12789. clientId:
  12790. description: ClientID is the API OAuth Client ID.
  12791. properties:
  12792. secretRef:
  12793. description: SecretRef references a key in a secret that will be used as value.
  12794. properties:
  12795. key:
  12796. description: |-
  12797. A key in the referenced Secret.
  12798. Some instances of this field may be defaulted, in others it may be required.
  12799. maxLength: 253
  12800. minLength: 1
  12801. pattern: ^[-._a-zA-Z0-9]+$
  12802. type: string
  12803. name:
  12804. description: The name of the Secret resource being referred to.
  12805. maxLength: 253
  12806. minLength: 1
  12807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12808. type: string
  12809. namespace:
  12810. description: |-
  12811. The namespace of the Secret resource being referred to.
  12812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12813. maxLength: 63
  12814. minLength: 1
  12815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12816. type: string
  12817. type: object
  12818. value:
  12819. description: Value can be specified directly to set a value without using a secret.
  12820. type: string
  12821. type: object
  12822. clientSecret:
  12823. description: ClientSecret is the API OAuth Client Secret.
  12824. properties:
  12825. secretRef:
  12826. description: SecretRef references a key in a secret that will be used as value.
  12827. properties:
  12828. key:
  12829. description: |-
  12830. A key in the referenced Secret.
  12831. Some instances of this field may be defaulted, in others it may be required.
  12832. maxLength: 253
  12833. minLength: 1
  12834. pattern: ^[-._a-zA-Z0-9]+$
  12835. type: string
  12836. name:
  12837. description: The name of the Secret resource being referred to.
  12838. maxLength: 253
  12839. minLength: 1
  12840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12841. type: string
  12842. namespace:
  12843. description: |-
  12844. The namespace of the Secret resource being referred to.
  12845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12846. maxLength: 63
  12847. minLength: 1
  12848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12849. type: string
  12850. type: object
  12851. value:
  12852. description: Value can be specified directly to set a value without using a secret.
  12853. type: string
  12854. type: object
  12855. type: object
  12856. server:
  12857. description: Auth configures how API server works.
  12858. properties:
  12859. apiUrl:
  12860. type: string
  12861. apiVersion:
  12862. type: string
  12863. clientTimeOutSeconds:
  12864. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  12865. type: integer
  12866. retrievalType:
  12867. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  12868. type: string
  12869. separator:
  12870. description: A character that separates the folder names.
  12871. type: string
  12872. verifyCA:
  12873. type: boolean
  12874. required:
  12875. - apiUrl
  12876. - verifyCA
  12877. type: object
  12878. required:
  12879. - auth
  12880. - server
  12881. type: object
  12882. bitwardensecretsmanager:
  12883. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  12884. properties:
  12885. apiURL:
  12886. type: string
  12887. auth:
  12888. description: |-
  12889. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  12890. Make sure that the token being used has permissions on the given secret.
  12891. properties:
  12892. secretRef:
  12893. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  12894. properties:
  12895. credentials:
  12896. description: AccessToken used for the bitwarden instance.
  12897. properties:
  12898. key:
  12899. description: |-
  12900. A key in the referenced Secret.
  12901. Some instances of this field may be defaulted, in others it may be required.
  12902. maxLength: 253
  12903. minLength: 1
  12904. pattern: ^[-._a-zA-Z0-9]+$
  12905. type: string
  12906. name:
  12907. description: The name of the Secret resource being referred to.
  12908. maxLength: 253
  12909. minLength: 1
  12910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12911. type: string
  12912. namespace:
  12913. description: |-
  12914. The namespace of the Secret resource being referred to.
  12915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12916. maxLength: 63
  12917. minLength: 1
  12918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12919. type: string
  12920. type: object
  12921. required:
  12922. - credentials
  12923. type: object
  12924. required:
  12925. - secretRef
  12926. type: object
  12927. bitwardenServerSDKURL:
  12928. type: string
  12929. caBundle:
  12930. description: |-
  12931. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  12932. can be performed.
  12933. type: string
  12934. caProvider:
  12935. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  12936. properties:
  12937. key:
  12938. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12939. maxLength: 253
  12940. minLength: 1
  12941. pattern: ^[-._a-zA-Z0-9]+$
  12942. type: string
  12943. name:
  12944. description: The name of the object located at the provider type.
  12945. maxLength: 253
  12946. minLength: 1
  12947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12948. type: string
  12949. namespace:
  12950. description: |-
  12951. The namespace the Provider type is in.
  12952. Can only be defined when used in a ClusterSecretStore.
  12953. maxLength: 63
  12954. minLength: 1
  12955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12956. type: string
  12957. type:
  12958. description: The type of provider to use such as "Secret", or "ConfigMap".
  12959. enum:
  12960. - Secret
  12961. - ConfigMap
  12962. type: string
  12963. required:
  12964. - name
  12965. - type
  12966. type: object
  12967. identityURL:
  12968. type: string
  12969. organizationID:
  12970. description: OrganizationID determines which organization this secret store manages.
  12971. type: string
  12972. projectID:
  12973. description: ProjectID determines which project this secret store manages.
  12974. type: string
  12975. required:
  12976. - auth
  12977. - organizationID
  12978. - projectID
  12979. type: object
  12980. chef:
  12981. description: Chef configures this store to sync secrets with chef server
  12982. properties:
  12983. auth:
  12984. description: Auth defines the information necessary to authenticate against chef Server
  12985. properties:
  12986. secretRef:
  12987. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  12988. properties:
  12989. privateKeySecretRef:
  12990. description: SecretKey is the Signing Key in PEM format, used for authentication.
  12991. properties:
  12992. key:
  12993. description: |-
  12994. A key in the referenced Secret.
  12995. Some instances of this field may be defaulted, in others it may be required.
  12996. maxLength: 253
  12997. minLength: 1
  12998. pattern: ^[-._a-zA-Z0-9]+$
  12999. type: string
  13000. name:
  13001. description: The name of the Secret resource being referred to.
  13002. maxLength: 253
  13003. minLength: 1
  13004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13005. type: string
  13006. namespace:
  13007. description: |-
  13008. The namespace of the Secret resource being referred to.
  13009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13010. maxLength: 63
  13011. minLength: 1
  13012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13013. type: string
  13014. type: object
  13015. required:
  13016. - privateKeySecretRef
  13017. type: object
  13018. required:
  13019. - secretRef
  13020. type: object
  13021. serverUrl:
  13022. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  13023. type: string
  13024. username:
  13025. description: UserName should be the user ID on the chef server
  13026. type: string
  13027. required:
  13028. - auth
  13029. - serverUrl
  13030. - username
  13031. type: object
  13032. cloudrusm:
  13033. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  13034. properties:
  13035. auth:
  13036. description: CSMAuth contains a secretRef for credentials.
  13037. properties:
  13038. secretRef:
  13039. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  13040. properties:
  13041. accessKeyIDSecretRef:
  13042. description: The AccessKeyID is used for authentication
  13043. properties:
  13044. key:
  13045. description: |-
  13046. A key in the referenced Secret.
  13047. Some instances of this field may be defaulted, in others it may be required.
  13048. maxLength: 253
  13049. minLength: 1
  13050. pattern: ^[-._a-zA-Z0-9]+$
  13051. type: string
  13052. name:
  13053. description: The name of the Secret resource being referred to.
  13054. maxLength: 253
  13055. minLength: 1
  13056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13057. type: string
  13058. namespace:
  13059. description: |-
  13060. The namespace of the Secret resource being referred to.
  13061. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13062. maxLength: 63
  13063. minLength: 1
  13064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13065. type: string
  13066. type: object
  13067. accessKeySecretSecretRef:
  13068. description: The AccessKeySecret is used for authentication
  13069. properties:
  13070. key:
  13071. description: |-
  13072. A key in the referenced Secret.
  13073. Some instances of this field may be defaulted, in others it may be required.
  13074. maxLength: 253
  13075. minLength: 1
  13076. pattern: ^[-._a-zA-Z0-9]+$
  13077. type: string
  13078. name:
  13079. description: The name of the Secret resource being referred to.
  13080. maxLength: 253
  13081. minLength: 1
  13082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13083. type: string
  13084. namespace:
  13085. description: |-
  13086. The namespace of the Secret resource being referred to.
  13087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13088. maxLength: 63
  13089. minLength: 1
  13090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13091. type: string
  13092. type: object
  13093. required:
  13094. - accessKeyIDSecretRef
  13095. - accessKeySecretSecretRef
  13096. type: object
  13097. type: object
  13098. projectID:
  13099. description: ProjectID is the project, which the secrets are stored in.
  13100. type: string
  13101. required:
  13102. - auth
  13103. type: object
  13104. conjur:
  13105. description: Conjur configures this store to sync secrets using conjur provider
  13106. properties:
  13107. auth:
  13108. description: Defines authentication settings for connecting to Conjur.
  13109. properties:
  13110. apikey:
  13111. description: Authenticates with Conjur using an API key.
  13112. properties:
  13113. account:
  13114. description: Account is the Conjur organization account name.
  13115. type: string
  13116. apiKeyRef:
  13117. description: |-
  13118. A reference to a specific 'key' containing the Conjur API key
  13119. within a Secret resource. In some instances, `key` is a required field.
  13120. properties:
  13121. key:
  13122. description: |-
  13123. A key in the referenced Secret.
  13124. Some instances of this field may be defaulted, in others it may be required.
  13125. maxLength: 253
  13126. minLength: 1
  13127. pattern: ^[-._a-zA-Z0-9]+$
  13128. type: string
  13129. name:
  13130. description: The name of the Secret resource being referred to.
  13131. maxLength: 253
  13132. minLength: 1
  13133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13134. type: string
  13135. namespace:
  13136. description: |-
  13137. The namespace of the Secret resource being referred to.
  13138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13139. maxLength: 63
  13140. minLength: 1
  13141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13142. type: string
  13143. type: object
  13144. userRef:
  13145. description: |-
  13146. A reference to a specific 'key' containing the Conjur username
  13147. within a Secret resource. In some instances, `key` is a required field.
  13148. properties:
  13149. key:
  13150. description: |-
  13151. A key in the referenced Secret.
  13152. Some instances of this field may be defaulted, in others it may be required.
  13153. maxLength: 253
  13154. minLength: 1
  13155. pattern: ^[-._a-zA-Z0-9]+$
  13156. type: string
  13157. name:
  13158. description: The name of the Secret resource being referred to.
  13159. maxLength: 253
  13160. minLength: 1
  13161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13162. type: string
  13163. namespace:
  13164. description: |-
  13165. The namespace of the Secret resource being referred to.
  13166. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13167. maxLength: 63
  13168. minLength: 1
  13169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13170. type: string
  13171. type: object
  13172. required:
  13173. - account
  13174. - apiKeyRef
  13175. - userRef
  13176. type: object
  13177. jwt:
  13178. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  13179. properties:
  13180. account:
  13181. description: Account is the Conjur organization account name.
  13182. type: string
  13183. hostId:
  13184. description: |-
  13185. Optional HostID for JWT authentication. This may be used depending
  13186. on how the Conjur JWT authenticator policy is configured.
  13187. type: string
  13188. secretRef:
  13189. description: |-
  13190. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  13191. authenticate with Conjur using the JWT authentication method.
  13192. properties:
  13193. key:
  13194. description: |-
  13195. A key in the referenced Secret.
  13196. Some instances of this field may be defaulted, in others it may be required.
  13197. maxLength: 253
  13198. minLength: 1
  13199. pattern: ^[-._a-zA-Z0-9]+$
  13200. type: string
  13201. name:
  13202. description: The name of the Secret resource being referred to.
  13203. maxLength: 253
  13204. minLength: 1
  13205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13206. type: string
  13207. namespace:
  13208. description: |-
  13209. The namespace of the Secret resource being referred to.
  13210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13211. maxLength: 63
  13212. minLength: 1
  13213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13214. type: string
  13215. type: object
  13216. serviceAccountRef:
  13217. description: |-
  13218. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  13219. a token for with the `TokenRequest` API.
  13220. properties:
  13221. audiences:
  13222. description: |-
  13223. Audience specifies the `aud` claim for the service account token
  13224. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  13225. then this audiences will be appended to the list
  13226. items:
  13227. type: string
  13228. type: array
  13229. name:
  13230. description: The name of the ServiceAccount resource being referred to.
  13231. maxLength: 253
  13232. minLength: 1
  13233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13234. type: string
  13235. namespace:
  13236. description: |-
  13237. Namespace of the resource being referred to.
  13238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13239. maxLength: 63
  13240. minLength: 1
  13241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13242. type: string
  13243. required:
  13244. - name
  13245. type: object
  13246. serviceID:
  13247. description: The conjur authn jwt webservice id
  13248. type: string
  13249. required:
  13250. - account
  13251. - serviceID
  13252. type: object
  13253. type: object
  13254. caBundle:
  13255. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  13256. type: string
  13257. caProvider:
  13258. description: |-
  13259. Used to provide custom certificate authority (CA) certificates
  13260. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  13261. that contains a PEM-encoded certificate.
  13262. properties:
  13263. key:
  13264. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  13265. maxLength: 253
  13266. minLength: 1
  13267. pattern: ^[-._a-zA-Z0-9]+$
  13268. type: string
  13269. name:
  13270. description: The name of the object located at the provider type.
  13271. maxLength: 253
  13272. minLength: 1
  13273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13274. type: string
  13275. namespace:
  13276. description: |-
  13277. The namespace the Provider type is in.
  13278. Can only be defined when used in a ClusterSecretStore.
  13279. maxLength: 63
  13280. minLength: 1
  13281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13282. type: string
  13283. type:
  13284. description: The type of provider to use such as "Secret", or "ConfigMap".
  13285. enum:
  13286. - Secret
  13287. - ConfigMap
  13288. type: string
  13289. required:
  13290. - name
  13291. - type
  13292. type: object
  13293. url:
  13294. description: URL is the endpoint of the Conjur instance.
  13295. type: string
  13296. required:
  13297. - auth
  13298. - url
  13299. type: object
  13300. delinea:
  13301. description: |-
  13302. Delinea DevOps Secrets Vault
  13303. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  13304. properties:
  13305. clientId:
  13306. description: ClientID is the non-secret part of the credential.
  13307. properties:
  13308. secretRef:
  13309. description: SecretRef references a key in a secret that will be used as value.
  13310. properties:
  13311. key:
  13312. description: |-
  13313. A key in the referenced Secret.
  13314. Some instances of this field may be defaulted, in others it may be required.
  13315. maxLength: 253
  13316. minLength: 1
  13317. pattern: ^[-._a-zA-Z0-9]+$
  13318. type: string
  13319. name:
  13320. description: The name of the Secret resource being referred to.
  13321. maxLength: 253
  13322. minLength: 1
  13323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13324. type: string
  13325. namespace:
  13326. description: |-
  13327. The namespace of the Secret resource being referred to.
  13328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13329. maxLength: 63
  13330. minLength: 1
  13331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13332. type: string
  13333. type: object
  13334. value:
  13335. description: Value can be specified directly to set a value without using a secret.
  13336. type: string
  13337. type: object
  13338. clientSecret:
  13339. description: ClientSecret is the secret part of the credential.
  13340. properties:
  13341. secretRef:
  13342. description: SecretRef references a key in a secret that will be used as value.
  13343. properties:
  13344. key:
  13345. description: |-
  13346. A key in the referenced Secret.
  13347. Some instances of this field may be defaulted, in others it may be required.
  13348. maxLength: 253
  13349. minLength: 1
  13350. pattern: ^[-._a-zA-Z0-9]+$
  13351. type: string
  13352. name:
  13353. description: The name of the Secret resource being referred to.
  13354. maxLength: 253
  13355. minLength: 1
  13356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13357. type: string
  13358. namespace:
  13359. description: |-
  13360. The namespace of the Secret resource being referred to.
  13361. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13362. maxLength: 63
  13363. minLength: 1
  13364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13365. type: string
  13366. type: object
  13367. value:
  13368. description: Value can be specified directly to set a value without using a secret.
  13369. type: string
  13370. type: object
  13371. tenant:
  13372. description: Tenant is the chosen hostname / site name.
  13373. type: string
  13374. tld:
  13375. description: |-
  13376. TLD is based on the server location that was chosen during provisioning.
  13377. If unset, defaults to "com".
  13378. type: string
  13379. urlTemplate:
  13380. description: |-
  13381. URLTemplate
  13382. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  13383. type: string
  13384. required:
  13385. - clientId
  13386. - clientSecret
  13387. - tenant
  13388. type: object
  13389. device42:
  13390. description: Device42 configures this store to sync secrets using the Device42 provider
  13391. properties:
  13392. auth:
  13393. description: Auth configures how secret-manager authenticates with a Device42 instance.
  13394. properties:
  13395. secretRef:
  13396. properties:
  13397. credentials:
  13398. description: Username / Password is used for authentication.
  13399. properties:
  13400. key:
  13401. description: |-
  13402. A key in the referenced Secret.
  13403. Some instances of this field may be defaulted, in others it may be required.
  13404. maxLength: 253
  13405. minLength: 1
  13406. pattern: ^[-._a-zA-Z0-9]+$
  13407. type: string
  13408. name:
  13409. description: The name of the Secret resource being referred to.
  13410. maxLength: 253
  13411. minLength: 1
  13412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13413. type: string
  13414. namespace:
  13415. description: |-
  13416. The namespace of the Secret resource being referred to.
  13417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13418. maxLength: 63
  13419. minLength: 1
  13420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13421. type: string
  13422. type: object
  13423. type: object
  13424. required:
  13425. - secretRef
  13426. type: object
  13427. host:
  13428. description: URL configures the Device42 instance URL.
  13429. type: string
  13430. required:
  13431. - auth
  13432. - host
  13433. type: object
  13434. doppler:
  13435. description: Doppler configures this store to sync secrets using the Doppler provider
  13436. properties:
  13437. auth:
  13438. description: Auth configures how the Operator authenticates with the Doppler API
  13439. properties:
  13440. secretRef:
  13441. properties:
  13442. dopplerToken:
  13443. description: |-
  13444. The DopplerToken is used for authentication.
  13445. See https://docs.doppler.com/reference/api#authentication for auth token types.
  13446. The Key attribute defaults to dopplerToken if not specified.
  13447. properties:
  13448. key:
  13449. description: |-
  13450. A key in the referenced Secret.
  13451. Some instances of this field may be defaulted, in others it may be required.
  13452. maxLength: 253
  13453. minLength: 1
  13454. pattern: ^[-._a-zA-Z0-9]+$
  13455. type: string
  13456. name:
  13457. description: The name of the Secret resource being referred to.
  13458. maxLength: 253
  13459. minLength: 1
  13460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13461. type: string
  13462. namespace:
  13463. description: |-
  13464. The namespace of the Secret resource being referred to.
  13465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13466. maxLength: 63
  13467. minLength: 1
  13468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13469. type: string
  13470. type: object
  13471. required:
  13472. - dopplerToken
  13473. type: object
  13474. required:
  13475. - secretRef
  13476. type: object
  13477. config:
  13478. description: Doppler config (required if not using a Service Token)
  13479. type: string
  13480. format:
  13481. description: Format enables the downloading of secrets as a file (string)
  13482. enum:
  13483. - json
  13484. - dotnet-json
  13485. - env
  13486. - yaml
  13487. - docker
  13488. type: string
  13489. nameTransformer:
  13490. description: Environment variable compatible name transforms that change secret names to a different format
  13491. enum:
  13492. - upper-camel
  13493. - camel
  13494. - lower-snake
  13495. - tf-var
  13496. - dotnet-env
  13497. - lower-kebab
  13498. type: string
  13499. project:
  13500. description: Doppler project (required if not using a Service Token)
  13501. type: string
  13502. required:
  13503. - auth
  13504. type: object
  13505. fake:
  13506. description: Fake configures a store with static key/value pairs
  13507. properties:
  13508. data:
  13509. items:
  13510. properties:
  13511. key:
  13512. type: string
  13513. value:
  13514. type: string
  13515. version:
  13516. type: string
  13517. required:
  13518. - key
  13519. - value
  13520. type: object
  13521. type: array
  13522. required:
  13523. - data
  13524. type: object
  13525. fortanix:
  13526. description: Fortanix configures this store to sync secrets using the Fortanix provider
  13527. properties:
  13528. apiKey:
  13529. description: APIKey is the API token to access SDKMS Applications.
  13530. properties:
  13531. secretRef:
  13532. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  13533. properties:
  13534. key:
  13535. description: |-
  13536. A key in the referenced Secret.
  13537. Some instances of this field may be defaulted, in others it may be required.
  13538. maxLength: 253
  13539. minLength: 1
  13540. pattern: ^[-._a-zA-Z0-9]+$
  13541. type: string
  13542. name:
  13543. description: The name of the Secret resource being referred to.
  13544. maxLength: 253
  13545. minLength: 1
  13546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13547. type: string
  13548. namespace:
  13549. description: |-
  13550. The namespace of the Secret resource being referred to.
  13551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13552. maxLength: 63
  13553. minLength: 1
  13554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13555. type: string
  13556. type: object
  13557. type: object
  13558. apiUrl:
  13559. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  13560. type: string
  13561. type: object
  13562. gcpsm:
  13563. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  13564. properties:
  13565. auth:
  13566. description: Auth defines the information necessary to authenticate against GCP
  13567. properties:
  13568. secretRef:
  13569. properties:
  13570. secretAccessKeySecretRef:
  13571. description: The SecretAccessKey is used for authentication
  13572. properties:
  13573. key:
  13574. description: |-
  13575. A key in the referenced Secret.
  13576. Some instances of this field may be defaulted, in others it may be required.
  13577. maxLength: 253
  13578. minLength: 1
  13579. pattern: ^[-._a-zA-Z0-9]+$
  13580. type: string
  13581. name:
  13582. description: The name of the Secret resource being referred to.
  13583. maxLength: 253
  13584. minLength: 1
  13585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13586. type: string
  13587. namespace:
  13588. description: |-
  13589. The namespace of the Secret resource being referred to.
  13590. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13591. maxLength: 63
  13592. minLength: 1
  13593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13594. type: string
  13595. type: object
  13596. type: object
  13597. workloadIdentity:
  13598. properties:
  13599. clusterLocation:
  13600. description: |-
  13601. ClusterLocation is the location of the cluster
  13602. If not specified, it fetches information from the metadata server
  13603. type: string
  13604. clusterName:
  13605. description: |-
  13606. ClusterName is the name of the cluster
  13607. If not specified, it fetches information from the metadata server
  13608. type: string
  13609. clusterProjectID:
  13610. description: |-
  13611. ClusterProjectID is the project ID of the cluster
  13612. If not specified, it fetches information from the metadata server
  13613. type: string
  13614. serviceAccountRef:
  13615. description: A reference to a ServiceAccount resource.
  13616. properties:
  13617. audiences:
  13618. description: |-
  13619. Audience specifies the `aud` claim for the service account token
  13620. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  13621. then this audiences will be appended to the list
  13622. items:
  13623. type: string
  13624. type: array
  13625. name:
  13626. description: The name of the ServiceAccount resource being referred to.
  13627. maxLength: 253
  13628. minLength: 1
  13629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13630. type: string
  13631. namespace:
  13632. description: |-
  13633. Namespace of the resource being referred to.
  13634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13635. maxLength: 63
  13636. minLength: 1
  13637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13638. type: string
  13639. required:
  13640. - name
  13641. type: object
  13642. required:
  13643. - serviceAccountRef
  13644. type: object
  13645. type: object
  13646. location:
  13647. description: Location optionally defines a location for a secret
  13648. type: string
  13649. projectID:
  13650. description: ProjectID project where secret is located
  13651. type: string
  13652. type: object
  13653. github:
  13654. description: Github configures this store to push Github Action secrets using Github API provider
  13655. properties:
  13656. appID:
  13657. description: appID specifies the Github APP that will be used to authenticate the client
  13658. format: int64
  13659. type: integer
  13660. auth:
  13661. description: auth configures how secret-manager authenticates with a Github instance.
  13662. properties:
  13663. privateKey:
  13664. description: |-
  13665. A reference to a specific 'key' within a Secret resource.
  13666. In some instances, `key` is a required field.
  13667. properties:
  13668. key:
  13669. description: |-
  13670. A key in the referenced Secret.
  13671. Some instances of this field may be defaulted, in others it may be required.
  13672. maxLength: 253
  13673. minLength: 1
  13674. pattern: ^[-._a-zA-Z0-9]+$
  13675. type: string
  13676. name:
  13677. description: The name of the Secret resource being referred to.
  13678. maxLength: 253
  13679. minLength: 1
  13680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13681. type: string
  13682. namespace:
  13683. description: |-
  13684. The namespace of the Secret resource being referred to.
  13685. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13686. maxLength: 63
  13687. minLength: 1
  13688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13689. type: string
  13690. type: object
  13691. required:
  13692. - privateKey
  13693. type: object
  13694. environment:
  13695. description: environment will be used to fetch secrets from a particular environment within a github repository
  13696. type: string
  13697. installationID:
  13698. description: installationID specifies the Github APP installation that will be used to authenticate the client
  13699. format: int64
  13700. type: integer
  13701. organization:
  13702. description: organization will be used to fetch secrets from the Github organization
  13703. type: string
  13704. repository:
  13705. description: repository will be used to fetch secrets from the Github repository within an organization
  13706. type: string
  13707. uploadURL:
  13708. description: Upload URL for enterprise instances. Default to URL.
  13709. type: string
  13710. url:
  13711. default: https://github.com/
  13712. description: URL configures the Github instance URL. Defaults to https://github.com/.
  13713. type: string
  13714. required:
  13715. - appID
  13716. - auth
  13717. - installationID
  13718. - organization
  13719. type: object
  13720. gitlab:
  13721. description: GitLab configures this store to sync secrets using GitLab Variables provider
  13722. properties:
  13723. auth:
  13724. description: Auth configures how secret-manager authenticates with a GitLab instance.
  13725. properties:
  13726. SecretRef:
  13727. properties:
  13728. accessToken:
  13729. description: AccessToken is used for authentication.
  13730. properties:
  13731. key:
  13732. description: |-
  13733. A key in the referenced Secret.
  13734. Some instances of this field may be defaulted, in others it may be required.
  13735. maxLength: 253
  13736. minLength: 1
  13737. pattern: ^[-._a-zA-Z0-9]+$
  13738. type: string
  13739. name:
  13740. description: The name of the Secret resource being referred to.
  13741. maxLength: 253
  13742. minLength: 1
  13743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13744. type: string
  13745. namespace:
  13746. description: |-
  13747. The namespace of the Secret resource being referred to.
  13748. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13749. maxLength: 63
  13750. minLength: 1
  13751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13752. type: string
  13753. type: object
  13754. type: object
  13755. required:
  13756. - SecretRef
  13757. type: object
  13758. environment:
  13759. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  13760. type: string
  13761. groupIDs:
  13762. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  13763. items:
  13764. type: string
  13765. type: array
  13766. inheritFromGroups:
  13767. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  13768. type: boolean
  13769. projectID:
  13770. description: ProjectID specifies a project where secrets are located.
  13771. type: string
  13772. url:
  13773. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  13774. type: string
  13775. required:
  13776. - auth
  13777. type: object
  13778. ibm:
  13779. description: IBM configures this store to sync secrets using IBM Cloud provider
  13780. properties:
  13781. auth:
  13782. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  13783. maxProperties: 1
  13784. minProperties: 1
  13785. properties:
  13786. containerAuth:
  13787. description: IBM Container-based auth with IAM Trusted Profile.
  13788. properties:
  13789. iamEndpoint:
  13790. type: string
  13791. profile:
  13792. description: the IBM Trusted Profile
  13793. type: string
  13794. tokenLocation:
  13795. description: Location the token is mounted on the pod
  13796. type: string
  13797. required:
  13798. - profile
  13799. type: object
  13800. secretRef:
  13801. properties:
  13802. secretApiKeySecretRef:
  13803. description: The SecretAccessKey is used for authentication
  13804. properties:
  13805. key:
  13806. description: |-
  13807. A key in the referenced Secret.
  13808. Some instances of this field may be defaulted, in others it may be required.
  13809. maxLength: 253
  13810. minLength: 1
  13811. pattern: ^[-._a-zA-Z0-9]+$
  13812. type: string
  13813. name:
  13814. description: The name of the Secret resource being referred to.
  13815. maxLength: 253
  13816. minLength: 1
  13817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13818. type: string
  13819. namespace:
  13820. description: |-
  13821. The namespace of the Secret resource being referred to.
  13822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13823. maxLength: 63
  13824. minLength: 1
  13825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13826. type: string
  13827. type: object
  13828. type: object
  13829. type: object
  13830. serviceUrl:
  13831. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  13832. type: string
  13833. required:
  13834. - auth
  13835. type: object
  13836. infisical:
  13837. description: Infisical configures this store to sync secrets using the Infisical provider
  13838. properties:
  13839. auth:
  13840. description: Auth configures how the Operator authenticates with the Infisical API
  13841. properties:
  13842. universalAuthCredentials:
  13843. properties:
  13844. clientId:
  13845. description: |-
  13846. A reference to a specific 'key' within a Secret resource.
  13847. In some instances, `key` is a required field.
  13848. properties:
  13849. key:
  13850. description: |-
  13851. A key in the referenced Secret.
  13852. Some instances of this field may be defaulted, in others it may be required.
  13853. maxLength: 253
  13854. minLength: 1
  13855. pattern: ^[-._a-zA-Z0-9]+$
  13856. type: string
  13857. name:
  13858. description: The name of the Secret resource being referred to.
  13859. maxLength: 253
  13860. minLength: 1
  13861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13862. type: string
  13863. namespace:
  13864. description: |-
  13865. The namespace of the Secret resource being referred to.
  13866. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13867. maxLength: 63
  13868. minLength: 1
  13869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13870. type: string
  13871. type: object
  13872. clientSecret:
  13873. description: |-
  13874. A reference to a specific 'key' within a Secret resource.
  13875. In some instances, `key` is a required field.
  13876. properties:
  13877. key:
  13878. description: |-
  13879. A key in the referenced Secret.
  13880. Some instances of this field may be defaulted, in others it may be required.
  13881. maxLength: 253
  13882. minLength: 1
  13883. pattern: ^[-._a-zA-Z0-9]+$
  13884. type: string
  13885. name:
  13886. description: The name of the Secret resource being referred to.
  13887. maxLength: 253
  13888. minLength: 1
  13889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13890. type: string
  13891. namespace:
  13892. description: |-
  13893. The namespace of the Secret resource being referred to.
  13894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13895. maxLength: 63
  13896. minLength: 1
  13897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13898. type: string
  13899. type: object
  13900. required:
  13901. - clientId
  13902. - clientSecret
  13903. type: object
  13904. type: object
  13905. hostAPI:
  13906. default: https://app.infisical.com/api
  13907. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  13908. type: string
  13909. secretsScope:
  13910. description: SecretsScope defines the scope of the secrets within the workspace
  13911. properties:
  13912. environmentSlug:
  13913. description: EnvironmentSlug is the required slug identifier for the environment.
  13914. type: string
  13915. expandSecretReferences:
  13916. default: true
  13917. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  13918. type: boolean
  13919. projectSlug:
  13920. description: ProjectSlug is the required slug identifier for the project.
  13921. type: string
  13922. recursive:
  13923. default: false
  13924. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  13925. type: boolean
  13926. secretsPath:
  13927. default: /
  13928. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  13929. type: string
  13930. required:
  13931. - environmentSlug
  13932. - projectSlug
  13933. type: object
  13934. required:
  13935. - auth
  13936. - secretsScope
  13937. type: object
  13938. keepersecurity:
  13939. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  13940. properties:
  13941. authRef:
  13942. description: |-
  13943. A reference to a specific 'key' within a Secret resource.
  13944. In some instances, `key` is a required field.
  13945. properties:
  13946. key:
  13947. description: |-
  13948. A key in the referenced Secret.
  13949. Some instances of this field may be defaulted, in others it may be required.
  13950. maxLength: 253
  13951. minLength: 1
  13952. pattern: ^[-._a-zA-Z0-9]+$
  13953. type: string
  13954. name:
  13955. description: The name of the Secret resource being referred to.
  13956. maxLength: 253
  13957. minLength: 1
  13958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13959. type: string
  13960. namespace:
  13961. description: |-
  13962. The namespace of the Secret resource being referred to.
  13963. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  13964. maxLength: 63
  13965. minLength: 1
  13966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  13967. type: string
  13968. type: object
  13969. folderID:
  13970. type: string
  13971. required:
  13972. - authRef
  13973. - folderID
  13974. type: object
  13975. kubernetes:
  13976. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  13977. properties:
  13978. auth:
  13979. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  13980. maxProperties: 1
  13981. minProperties: 1
  13982. properties:
  13983. cert:
  13984. description: has both clientCert and clientKey as secretKeySelector
  13985. properties:
  13986. clientCert:
  13987. description: |-
  13988. A reference to a specific 'key' within a Secret resource.
  13989. In some instances, `key` is a required field.
  13990. properties:
  13991. key:
  13992. description: |-
  13993. A key in the referenced Secret.
  13994. Some instances of this field may be defaulted, in others it may be required.
  13995. maxLength: 253
  13996. minLength: 1
  13997. pattern: ^[-._a-zA-Z0-9]+$
  13998. type: string
  13999. name:
  14000. description: The name of the Secret resource being referred to.
  14001. maxLength: 253
  14002. minLength: 1
  14003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14004. type: string
  14005. namespace:
  14006. description: |-
  14007. The namespace of the Secret resource being referred to.
  14008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14009. maxLength: 63
  14010. minLength: 1
  14011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14012. type: string
  14013. type: object
  14014. clientKey:
  14015. description: |-
  14016. A reference to a specific 'key' within a Secret resource.
  14017. In some instances, `key` is a required field.
  14018. properties:
  14019. key:
  14020. description: |-
  14021. A key in the referenced Secret.
  14022. Some instances of this field may be defaulted, in others it may be required.
  14023. maxLength: 253
  14024. minLength: 1
  14025. pattern: ^[-._a-zA-Z0-9]+$
  14026. type: string
  14027. name:
  14028. description: The name of the Secret resource being referred to.
  14029. maxLength: 253
  14030. minLength: 1
  14031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14032. type: string
  14033. namespace:
  14034. description: |-
  14035. The namespace of the Secret resource being referred to.
  14036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14037. maxLength: 63
  14038. minLength: 1
  14039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14040. type: string
  14041. type: object
  14042. type: object
  14043. serviceAccount:
  14044. description: points to a service account that should be used for authentication
  14045. properties:
  14046. audiences:
  14047. description: |-
  14048. Audience specifies the `aud` claim for the service account token
  14049. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14050. then this audiences will be appended to the list
  14051. items:
  14052. type: string
  14053. type: array
  14054. name:
  14055. description: The name of the ServiceAccount resource being referred to.
  14056. maxLength: 253
  14057. minLength: 1
  14058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14059. type: string
  14060. namespace:
  14061. description: |-
  14062. Namespace of the resource being referred to.
  14063. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14064. maxLength: 63
  14065. minLength: 1
  14066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14067. type: string
  14068. required:
  14069. - name
  14070. type: object
  14071. token:
  14072. description: use static token to authenticate with
  14073. properties:
  14074. bearerToken:
  14075. description: |-
  14076. A reference to a specific 'key' within a Secret resource.
  14077. In some instances, `key` is a required field.
  14078. properties:
  14079. key:
  14080. description: |-
  14081. A key in the referenced Secret.
  14082. Some instances of this field may be defaulted, in others it may be required.
  14083. maxLength: 253
  14084. minLength: 1
  14085. pattern: ^[-._a-zA-Z0-9]+$
  14086. type: string
  14087. name:
  14088. description: The name of the Secret resource being referred to.
  14089. maxLength: 253
  14090. minLength: 1
  14091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14092. type: string
  14093. namespace:
  14094. description: |-
  14095. The namespace of the Secret resource being referred to.
  14096. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14097. maxLength: 63
  14098. minLength: 1
  14099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14100. type: string
  14101. type: object
  14102. type: object
  14103. type: object
  14104. authRef:
  14105. description: A reference to a secret that contains the auth information.
  14106. properties:
  14107. key:
  14108. description: |-
  14109. A key in the referenced Secret.
  14110. Some instances of this field may be defaulted, in others it may be required.
  14111. maxLength: 253
  14112. minLength: 1
  14113. pattern: ^[-._a-zA-Z0-9]+$
  14114. type: string
  14115. name:
  14116. description: The name of the Secret resource being referred to.
  14117. maxLength: 253
  14118. minLength: 1
  14119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14120. type: string
  14121. namespace:
  14122. description: |-
  14123. The namespace of the Secret resource being referred to.
  14124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14125. maxLength: 63
  14126. minLength: 1
  14127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14128. type: string
  14129. type: object
  14130. remoteNamespace:
  14131. default: default
  14132. description: Remote namespace to fetch the secrets from
  14133. maxLength: 63
  14134. minLength: 1
  14135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14136. type: string
  14137. server:
  14138. description: configures the Kubernetes server Address.
  14139. properties:
  14140. caBundle:
  14141. description: CABundle is a base64-encoded CA certificate
  14142. format: byte
  14143. type: string
  14144. caProvider:
  14145. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  14146. properties:
  14147. key:
  14148. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  14149. maxLength: 253
  14150. minLength: 1
  14151. pattern: ^[-._a-zA-Z0-9]+$
  14152. type: string
  14153. name:
  14154. description: The name of the object located at the provider type.
  14155. maxLength: 253
  14156. minLength: 1
  14157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14158. type: string
  14159. namespace:
  14160. description: |-
  14161. The namespace the Provider type is in.
  14162. Can only be defined when used in a ClusterSecretStore.
  14163. maxLength: 63
  14164. minLength: 1
  14165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14166. type: string
  14167. type:
  14168. description: The type of provider to use such as "Secret", or "ConfigMap".
  14169. enum:
  14170. - Secret
  14171. - ConfigMap
  14172. type: string
  14173. required:
  14174. - name
  14175. - type
  14176. type: object
  14177. url:
  14178. default: kubernetes.default
  14179. description: configures the Kubernetes server Address.
  14180. type: string
  14181. type: object
  14182. type: object
  14183. onboardbase:
  14184. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  14185. properties:
  14186. apiHost:
  14187. default: https://public.onboardbase.com/api/v1/
  14188. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  14189. type: string
  14190. auth:
  14191. description: Auth configures how the Operator authenticates with the Onboardbase API
  14192. properties:
  14193. apiKeyRef:
  14194. description: |-
  14195. OnboardbaseAPIKey is the APIKey generated by an admin account.
  14196. It is used to recognize and authorize access to a project and environment within onboardbase
  14197. properties:
  14198. key:
  14199. description: |-
  14200. A key in the referenced Secret.
  14201. Some instances of this field may be defaulted, in others it may be required.
  14202. maxLength: 253
  14203. minLength: 1
  14204. pattern: ^[-._a-zA-Z0-9]+$
  14205. type: string
  14206. name:
  14207. description: The name of the Secret resource being referred to.
  14208. maxLength: 253
  14209. minLength: 1
  14210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14211. type: string
  14212. namespace:
  14213. description: |-
  14214. The namespace of the Secret resource being referred to.
  14215. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14216. maxLength: 63
  14217. minLength: 1
  14218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14219. type: string
  14220. type: object
  14221. passcodeRef:
  14222. description: OnboardbasePasscode is the passcode attached to the API Key
  14223. properties:
  14224. key:
  14225. description: |-
  14226. A key in the referenced Secret.
  14227. Some instances of this field may be defaulted, in others it may be required.
  14228. maxLength: 253
  14229. minLength: 1
  14230. pattern: ^[-._a-zA-Z0-9]+$
  14231. type: string
  14232. name:
  14233. description: The name of the Secret resource being referred to.
  14234. maxLength: 253
  14235. minLength: 1
  14236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14237. type: string
  14238. namespace:
  14239. description: |-
  14240. The namespace of the Secret resource being referred to.
  14241. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14242. maxLength: 63
  14243. minLength: 1
  14244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14245. type: string
  14246. type: object
  14247. required:
  14248. - apiKeyRef
  14249. - passcodeRef
  14250. type: object
  14251. environment:
  14252. default: development
  14253. description: Environment is the name of an environmnent within a project to pull the secrets from
  14254. type: string
  14255. project:
  14256. default: development
  14257. description: Project is an onboardbase project that the secrets should be pulled from
  14258. type: string
  14259. required:
  14260. - apiHost
  14261. - auth
  14262. - environment
  14263. - project
  14264. type: object
  14265. onepassword:
  14266. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  14267. properties:
  14268. auth:
  14269. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  14270. properties:
  14271. secretRef:
  14272. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  14273. properties:
  14274. connectTokenSecretRef:
  14275. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  14276. properties:
  14277. key:
  14278. description: |-
  14279. A key in the referenced Secret.
  14280. Some instances of this field may be defaulted, in others it may be required.
  14281. maxLength: 253
  14282. minLength: 1
  14283. pattern: ^[-._a-zA-Z0-9]+$
  14284. type: string
  14285. name:
  14286. description: The name of the Secret resource being referred to.
  14287. maxLength: 253
  14288. minLength: 1
  14289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14290. type: string
  14291. namespace:
  14292. description: |-
  14293. The namespace of the Secret resource being referred to.
  14294. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14295. maxLength: 63
  14296. minLength: 1
  14297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14298. type: string
  14299. type: object
  14300. required:
  14301. - connectTokenSecretRef
  14302. type: object
  14303. required:
  14304. - secretRef
  14305. type: object
  14306. connectHost:
  14307. description: ConnectHost defines the OnePassword Connect Server to connect to
  14308. type: string
  14309. vaults:
  14310. additionalProperties:
  14311. type: integer
  14312. description: Vaults defines which OnePassword vaults to search in which order
  14313. type: object
  14314. required:
  14315. - auth
  14316. - connectHost
  14317. - vaults
  14318. type: object
  14319. oracle:
  14320. description: Oracle configures this store to sync secrets using Oracle Vault provider
  14321. properties:
  14322. auth:
  14323. description: |-
  14324. Auth configures how secret-manager authenticates with the Oracle Vault.
  14325. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  14326. properties:
  14327. secretRef:
  14328. description: SecretRef to pass through sensitive information.
  14329. properties:
  14330. fingerprint:
  14331. description: Fingerprint is the fingerprint of the API private key.
  14332. properties:
  14333. key:
  14334. description: |-
  14335. A key in the referenced Secret.
  14336. Some instances of this field may be defaulted, in others it may be required.
  14337. maxLength: 253
  14338. minLength: 1
  14339. pattern: ^[-._a-zA-Z0-9]+$
  14340. type: string
  14341. name:
  14342. description: The name of the Secret resource being referred to.
  14343. maxLength: 253
  14344. minLength: 1
  14345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14346. type: string
  14347. namespace:
  14348. description: |-
  14349. The namespace of the Secret resource being referred to.
  14350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14351. maxLength: 63
  14352. minLength: 1
  14353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14354. type: string
  14355. type: object
  14356. privatekey:
  14357. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  14358. properties:
  14359. key:
  14360. description: |-
  14361. A key in the referenced Secret.
  14362. Some instances of this field may be defaulted, in others it may be required.
  14363. maxLength: 253
  14364. minLength: 1
  14365. pattern: ^[-._a-zA-Z0-9]+$
  14366. type: string
  14367. name:
  14368. description: The name of the Secret resource being referred to.
  14369. maxLength: 253
  14370. minLength: 1
  14371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14372. type: string
  14373. namespace:
  14374. description: |-
  14375. The namespace of the Secret resource being referred to.
  14376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14377. maxLength: 63
  14378. minLength: 1
  14379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14380. type: string
  14381. type: object
  14382. required:
  14383. - fingerprint
  14384. - privatekey
  14385. type: object
  14386. tenancy:
  14387. description: Tenancy is the tenancy OCID where user is located.
  14388. type: string
  14389. user:
  14390. description: User is an access OCID specific to the account.
  14391. type: string
  14392. required:
  14393. - secretRef
  14394. - tenancy
  14395. - user
  14396. type: object
  14397. compartment:
  14398. description: |-
  14399. Compartment is the vault compartment OCID.
  14400. Required for PushSecret
  14401. type: string
  14402. encryptionKey:
  14403. description: |-
  14404. EncryptionKey is the OCID of the encryption key within the vault.
  14405. Required for PushSecret
  14406. type: string
  14407. principalType:
  14408. description: |-
  14409. The type of principal to use for authentication. If left blank, the Auth struct will
  14410. determine the principal type. This optional field must be specified if using
  14411. workload identity.
  14412. enum:
  14413. - ""
  14414. - UserPrincipal
  14415. - InstancePrincipal
  14416. - Workload
  14417. type: string
  14418. region:
  14419. description: Region is the region where vault is located.
  14420. type: string
  14421. serviceAccountRef:
  14422. description: |-
  14423. ServiceAccountRef specified the service account
  14424. that should be used when authenticating with WorkloadIdentity.
  14425. properties:
  14426. audiences:
  14427. description: |-
  14428. Audience specifies the `aud` claim for the service account token
  14429. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14430. then this audiences will be appended to the list
  14431. items:
  14432. type: string
  14433. type: array
  14434. name:
  14435. description: The name of the ServiceAccount resource being referred to.
  14436. maxLength: 253
  14437. minLength: 1
  14438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14439. type: string
  14440. namespace:
  14441. description: |-
  14442. Namespace of the resource being referred to.
  14443. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14444. maxLength: 63
  14445. minLength: 1
  14446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14447. type: string
  14448. required:
  14449. - name
  14450. type: object
  14451. vault:
  14452. description: Vault is the vault's OCID of the specific vault where secret is located.
  14453. type: string
  14454. required:
  14455. - region
  14456. - vault
  14457. type: object
  14458. passbolt:
  14459. properties:
  14460. auth:
  14461. description: Auth defines the information necessary to authenticate against Passbolt Server
  14462. properties:
  14463. passwordSecretRef:
  14464. description: |-
  14465. A reference to a specific 'key' within a Secret resource.
  14466. In some instances, `key` is a required field.
  14467. properties:
  14468. key:
  14469. description: |-
  14470. A key in the referenced Secret.
  14471. Some instances of this field may be defaulted, in others it may be required.
  14472. maxLength: 253
  14473. minLength: 1
  14474. pattern: ^[-._a-zA-Z0-9]+$
  14475. type: string
  14476. name:
  14477. description: The name of the Secret resource being referred to.
  14478. maxLength: 253
  14479. minLength: 1
  14480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14481. type: string
  14482. namespace:
  14483. description: |-
  14484. The namespace of the Secret resource being referred to.
  14485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14486. maxLength: 63
  14487. minLength: 1
  14488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14489. type: string
  14490. type: object
  14491. privateKeySecretRef:
  14492. description: |-
  14493. A reference to a specific 'key' within a Secret resource.
  14494. In some instances, `key` is a required field.
  14495. properties:
  14496. key:
  14497. description: |-
  14498. A key in the referenced Secret.
  14499. Some instances of this field may be defaulted, in others it may be required.
  14500. maxLength: 253
  14501. minLength: 1
  14502. pattern: ^[-._a-zA-Z0-9]+$
  14503. type: string
  14504. name:
  14505. description: The name of the Secret resource being referred to.
  14506. maxLength: 253
  14507. minLength: 1
  14508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14509. type: string
  14510. namespace:
  14511. description: |-
  14512. The namespace of the Secret resource being referred to.
  14513. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14514. maxLength: 63
  14515. minLength: 1
  14516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14517. type: string
  14518. type: object
  14519. required:
  14520. - passwordSecretRef
  14521. - privateKeySecretRef
  14522. type: object
  14523. host:
  14524. description: Host defines the Passbolt Server to connect to
  14525. type: string
  14526. required:
  14527. - auth
  14528. - host
  14529. type: object
  14530. passworddepot:
  14531. description: Configures a store to sync secrets with a Password Depot instance.
  14532. properties:
  14533. auth:
  14534. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  14535. properties:
  14536. secretRef:
  14537. properties:
  14538. credentials:
  14539. description: Username / Password is used for authentication.
  14540. properties:
  14541. key:
  14542. description: |-
  14543. A key in the referenced Secret.
  14544. Some instances of this field may be defaulted, in others it may be required.
  14545. maxLength: 253
  14546. minLength: 1
  14547. pattern: ^[-._a-zA-Z0-9]+$
  14548. type: string
  14549. name:
  14550. description: The name of the Secret resource being referred to.
  14551. maxLength: 253
  14552. minLength: 1
  14553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14554. type: string
  14555. namespace:
  14556. description: |-
  14557. The namespace of the Secret resource being referred to.
  14558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14559. maxLength: 63
  14560. minLength: 1
  14561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14562. type: string
  14563. type: object
  14564. type: object
  14565. required:
  14566. - secretRef
  14567. type: object
  14568. database:
  14569. description: Database to use as source
  14570. type: string
  14571. host:
  14572. description: URL configures the Password Depot instance URL.
  14573. type: string
  14574. required:
  14575. - auth
  14576. - database
  14577. - host
  14578. type: object
  14579. previder:
  14580. description: Previder configures this store to sync secrets using the Previder provider
  14581. properties:
  14582. auth:
  14583. description: PreviderAuth contains a secretRef for credentials.
  14584. properties:
  14585. secretRef:
  14586. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  14587. properties:
  14588. accessToken:
  14589. description: The AccessToken is used for authentication
  14590. properties:
  14591. key:
  14592. description: |-
  14593. A key in the referenced Secret.
  14594. Some instances of this field may be defaulted, in others it may be required.
  14595. maxLength: 253
  14596. minLength: 1
  14597. pattern: ^[-._a-zA-Z0-9]+$
  14598. type: string
  14599. name:
  14600. description: The name of the Secret resource being referred to.
  14601. maxLength: 253
  14602. minLength: 1
  14603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14604. type: string
  14605. namespace:
  14606. description: |-
  14607. The namespace of the Secret resource being referred to.
  14608. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14609. maxLength: 63
  14610. minLength: 1
  14611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14612. type: string
  14613. type: object
  14614. required:
  14615. - accessToken
  14616. type: object
  14617. type: object
  14618. baseUri:
  14619. type: string
  14620. required:
  14621. - auth
  14622. type: object
  14623. pulumi:
  14624. description: Pulumi configures this store to sync secrets using the Pulumi provider
  14625. properties:
  14626. accessToken:
  14627. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  14628. properties:
  14629. secretRef:
  14630. description: SecretRef is a reference to a secret containing the Pulumi API token.
  14631. properties:
  14632. key:
  14633. description: |-
  14634. A key in the referenced Secret.
  14635. Some instances of this field may be defaulted, in others it may be required.
  14636. maxLength: 253
  14637. minLength: 1
  14638. pattern: ^[-._a-zA-Z0-9]+$
  14639. type: string
  14640. name:
  14641. description: The name of the Secret resource being referred to.
  14642. maxLength: 253
  14643. minLength: 1
  14644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14645. type: string
  14646. namespace:
  14647. description: |-
  14648. The namespace of the Secret resource being referred to.
  14649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14650. maxLength: 63
  14651. minLength: 1
  14652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14653. type: string
  14654. type: object
  14655. type: object
  14656. apiUrl:
  14657. default: https://api.pulumi.com/api/esc
  14658. description: APIURL is the URL of the Pulumi API.
  14659. type: string
  14660. environment:
  14661. description: |-
  14662. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  14663. dynamically retrieved values from supported providers including all major clouds,
  14664. and other Pulumi ESC environments.
  14665. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  14666. type: string
  14667. organization:
  14668. description: |-
  14669. Organization are a space to collaborate on shared projects and stacks.
  14670. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  14671. type: string
  14672. project:
  14673. description: Project is the name of the Pulumi ESC project the environment belongs to.
  14674. type: string
  14675. required:
  14676. - accessToken
  14677. - environment
  14678. - organization
  14679. - project
  14680. type: object
  14681. scaleway:
  14682. description: Scaleway
  14683. properties:
  14684. accessKey:
  14685. description: AccessKey is the non-secret part of the api key.
  14686. properties:
  14687. secretRef:
  14688. description: SecretRef references a key in a secret that will be used as value.
  14689. properties:
  14690. key:
  14691. description: |-
  14692. A key in the referenced Secret.
  14693. Some instances of this field may be defaulted, in others it may be required.
  14694. maxLength: 253
  14695. minLength: 1
  14696. pattern: ^[-._a-zA-Z0-9]+$
  14697. type: string
  14698. name:
  14699. description: The name of the Secret resource being referred to.
  14700. maxLength: 253
  14701. minLength: 1
  14702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14703. type: string
  14704. namespace:
  14705. description: |-
  14706. The namespace of the Secret resource being referred to.
  14707. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14708. maxLength: 63
  14709. minLength: 1
  14710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14711. type: string
  14712. type: object
  14713. value:
  14714. description: Value can be specified directly to set a value without using a secret.
  14715. type: string
  14716. type: object
  14717. apiUrl:
  14718. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  14719. type: string
  14720. projectId:
  14721. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  14722. type: string
  14723. region:
  14724. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  14725. type: string
  14726. secretKey:
  14727. description: SecretKey is the non-secret part of the api key.
  14728. properties:
  14729. secretRef:
  14730. description: SecretRef references a key in a secret that will be used as value.
  14731. properties:
  14732. key:
  14733. description: |-
  14734. A key in the referenced Secret.
  14735. Some instances of this field may be defaulted, in others it may be required.
  14736. maxLength: 253
  14737. minLength: 1
  14738. pattern: ^[-._a-zA-Z0-9]+$
  14739. type: string
  14740. name:
  14741. description: The name of the Secret resource being referred to.
  14742. maxLength: 253
  14743. minLength: 1
  14744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14745. type: string
  14746. namespace:
  14747. description: |-
  14748. The namespace of the Secret resource being referred to.
  14749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14750. maxLength: 63
  14751. minLength: 1
  14752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14753. type: string
  14754. type: object
  14755. value:
  14756. description: Value can be specified directly to set a value without using a secret.
  14757. type: string
  14758. type: object
  14759. required:
  14760. - accessKey
  14761. - projectId
  14762. - region
  14763. - secretKey
  14764. type: object
  14765. secretserver:
  14766. description: |-
  14767. SecretServer configures this store to sync secrets using SecretServer provider
  14768. https://docs.delinea.com/online-help/secret-server/start.htm
  14769. properties:
  14770. password:
  14771. description: Password is the secret server account password.
  14772. properties:
  14773. secretRef:
  14774. description: SecretRef references a key in a secret that will be used as value.
  14775. properties:
  14776. key:
  14777. description: |-
  14778. A key in the referenced Secret.
  14779. Some instances of this field may be defaulted, in others it may be required.
  14780. maxLength: 253
  14781. minLength: 1
  14782. pattern: ^[-._a-zA-Z0-9]+$
  14783. type: string
  14784. name:
  14785. description: The name of the Secret resource being referred to.
  14786. maxLength: 253
  14787. minLength: 1
  14788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14789. type: string
  14790. namespace:
  14791. description: |-
  14792. The namespace of the Secret resource being referred to.
  14793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14794. maxLength: 63
  14795. minLength: 1
  14796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14797. type: string
  14798. type: object
  14799. value:
  14800. description: Value can be specified directly to set a value without using a secret.
  14801. type: string
  14802. type: object
  14803. serverURL:
  14804. description: |-
  14805. ServerURL
  14806. URL to your secret server installation
  14807. type: string
  14808. username:
  14809. description: Username is the secret server account username.
  14810. properties:
  14811. secretRef:
  14812. description: SecretRef references a key in a secret that will be used as value.
  14813. properties:
  14814. key:
  14815. description: |-
  14816. A key in the referenced Secret.
  14817. Some instances of this field may be defaulted, in others it may be required.
  14818. maxLength: 253
  14819. minLength: 1
  14820. pattern: ^[-._a-zA-Z0-9]+$
  14821. type: string
  14822. name:
  14823. description: The name of the Secret resource being referred to.
  14824. maxLength: 253
  14825. minLength: 1
  14826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14827. type: string
  14828. namespace:
  14829. description: |-
  14830. The namespace of the Secret resource being referred to.
  14831. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14832. maxLength: 63
  14833. minLength: 1
  14834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14835. type: string
  14836. type: object
  14837. value:
  14838. description: Value can be specified directly to set a value without using a secret.
  14839. type: string
  14840. type: object
  14841. required:
  14842. - password
  14843. - serverURL
  14844. - username
  14845. type: object
  14846. senhasegura:
  14847. description: Senhasegura configures this store to sync secrets using senhasegura provider
  14848. properties:
  14849. auth:
  14850. description: Auth defines parameters to authenticate in senhasegura
  14851. properties:
  14852. clientId:
  14853. type: string
  14854. clientSecretSecretRef:
  14855. description: |-
  14856. A reference to a specific 'key' within a Secret resource.
  14857. In some instances, `key` is a required field.
  14858. properties:
  14859. key:
  14860. description: |-
  14861. A key in the referenced Secret.
  14862. Some instances of this field may be defaulted, in others it may be required.
  14863. maxLength: 253
  14864. minLength: 1
  14865. pattern: ^[-._a-zA-Z0-9]+$
  14866. type: string
  14867. name:
  14868. description: The name of the Secret resource being referred to.
  14869. maxLength: 253
  14870. minLength: 1
  14871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14872. type: string
  14873. namespace:
  14874. description: |-
  14875. The namespace of the Secret resource being referred to.
  14876. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14877. maxLength: 63
  14878. minLength: 1
  14879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14880. type: string
  14881. type: object
  14882. required:
  14883. - clientId
  14884. - clientSecretSecretRef
  14885. type: object
  14886. ignoreSslCertificate:
  14887. default: false
  14888. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  14889. type: boolean
  14890. module:
  14891. description: Module defines which senhasegura module should be used to get secrets
  14892. type: string
  14893. url:
  14894. description: URL of senhasegura
  14895. type: string
  14896. required:
  14897. - auth
  14898. - module
  14899. - url
  14900. type: object
  14901. vault:
  14902. description: Vault configures this store to sync secrets using Hashi provider
  14903. properties:
  14904. auth:
  14905. description: Auth configures how secret-manager authenticates with the Vault server.
  14906. properties:
  14907. appRole:
  14908. description: |-
  14909. AppRole authenticates with Vault using the App Role auth mechanism,
  14910. with the role and secret stored in a Kubernetes Secret resource.
  14911. properties:
  14912. path:
  14913. default: approle
  14914. description: |-
  14915. Path where the App Role authentication backend is mounted
  14916. in Vault, e.g: "approle"
  14917. type: string
  14918. roleId:
  14919. description: |-
  14920. RoleID configured in the App Role authentication backend when setting
  14921. up the authentication backend in Vault.
  14922. type: string
  14923. roleRef:
  14924. description: |-
  14925. Reference to a key in a Secret that contains the App Role ID used
  14926. to authenticate with Vault.
  14927. The `key` field must be specified and denotes which entry within the Secret
  14928. resource is used as the app role id.
  14929. properties:
  14930. key:
  14931. description: |-
  14932. A key in the referenced Secret.
  14933. Some instances of this field may be defaulted, in others it may be required.
  14934. maxLength: 253
  14935. minLength: 1
  14936. pattern: ^[-._a-zA-Z0-9]+$
  14937. type: string
  14938. name:
  14939. description: The name of the Secret resource being referred to.
  14940. maxLength: 253
  14941. minLength: 1
  14942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14943. type: string
  14944. namespace:
  14945. description: |-
  14946. The namespace of the Secret resource being referred to.
  14947. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14948. maxLength: 63
  14949. minLength: 1
  14950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14951. type: string
  14952. type: object
  14953. secretRef:
  14954. description: |-
  14955. Reference to a key in a Secret that contains the App Role secret used
  14956. to authenticate with Vault.
  14957. The `key` field must be specified and denotes which entry within the Secret
  14958. resource is used as the app role secret.
  14959. properties:
  14960. key:
  14961. description: |-
  14962. A key in the referenced Secret.
  14963. Some instances of this field may be defaulted, in others it may be required.
  14964. maxLength: 253
  14965. minLength: 1
  14966. pattern: ^[-._a-zA-Z0-9]+$
  14967. type: string
  14968. name:
  14969. description: The name of the Secret resource being referred to.
  14970. maxLength: 253
  14971. minLength: 1
  14972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14973. type: string
  14974. namespace:
  14975. description: |-
  14976. The namespace of the Secret resource being referred to.
  14977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14978. maxLength: 63
  14979. minLength: 1
  14980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14981. type: string
  14982. type: object
  14983. required:
  14984. - path
  14985. - secretRef
  14986. type: object
  14987. cert:
  14988. description: |-
  14989. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  14990. Cert authentication method
  14991. properties:
  14992. clientCert:
  14993. description: |-
  14994. ClientCert is a certificate to authenticate using the Cert Vault
  14995. authentication method
  14996. properties:
  14997. key:
  14998. description: |-
  14999. A key in the referenced Secret.
  15000. Some instances of this field may be defaulted, in others it may be required.
  15001. maxLength: 253
  15002. minLength: 1
  15003. pattern: ^[-._a-zA-Z0-9]+$
  15004. type: string
  15005. name:
  15006. description: The name of the Secret resource being referred to.
  15007. maxLength: 253
  15008. minLength: 1
  15009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15010. type: string
  15011. namespace:
  15012. description: |-
  15013. The namespace of the Secret resource being referred to.
  15014. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15015. maxLength: 63
  15016. minLength: 1
  15017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15018. type: string
  15019. type: object
  15020. secretRef:
  15021. description: |-
  15022. SecretRef to a key in a Secret resource containing client private key to
  15023. authenticate with Vault using the Cert authentication method
  15024. properties:
  15025. key:
  15026. description: |-
  15027. A key in the referenced Secret.
  15028. Some instances of this field may be defaulted, in others it may be required.
  15029. maxLength: 253
  15030. minLength: 1
  15031. pattern: ^[-._a-zA-Z0-9]+$
  15032. type: string
  15033. name:
  15034. description: The name of the Secret resource being referred to.
  15035. maxLength: 253
  15036. minLength: 1
  15037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15038. type: string
  15039. namespace:
  15040. description: |-
  15041. The namespace of the Secret resource being referred to.
  15042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15043. maxLength: 63
  15044. minLength: 1
  15045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15046. type: string
  15047. type: object
  15048. type: object
  15049. iam:
  15050. description: |-
  15051. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  15052. AWS IAM authentication method
  15053. properties:
  15054. externalID:
  15055. description: AWS External ID set on assumed IAM roles
  15056. type: string
  15057. jwt:
  15058. description: Specify a service account with IRSA enabled
  15059. properties:
  15060. serviceAccountRef:
  15061. description: A reference to a ServiceAccount resource.
  15062. properties:
  15063. audiences:
  15064. description: |-
  15065. Audience specifies the `aud` claim for the service account token
  15066. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15067. then this audiences will be appended to the list
  15068. items:
  15069. type: string
  15070. type: array
  15071. name:
  15072. description: The name of the ServiceAccount resource being referred to.
  15073. maxLength: 253
  15074. minLength: 1
  15075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15076. type: string
  15077. namespace:
  15078. description: |-
  15079. Namespace of the resource being referred to.
  15080. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15081. maxLength: 63
  15082. minLength: 1
  15083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15084. type: string
  15085. required:
  15086. - name
  15087. type: object
  15088. type: object
  15089. path:
  15090. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  15091. type: string
  15092. region:
  15093. description: AWS region
  15094. type: string
  15095. role:
  15096. description: This is the AWS role to be assumed before talking to vault
  15097. type: string
  15098. secretRef:
  15099. description: Specify credentials in a Secret object
  15100. properties:
  15101. accessKeyIDSecretRef:
  15102. description: The AccessKeyID is used for authentication
  15103. properties:
  15104. key:
  15105. description: |-
  15106. A key in the referenced Secret.
  15107. Some instances of this field may be defaulted, in others it may be required.
  15108. maxLength: 253
  15109. minLength: 1
  15110. pattern: ^[-._a-zA-Z0-9]+$
  15111. type: string
  15112. name:
  15113. description: The name of the Secret resource being referred to.
  15114. maxLength: 253
  15115. minLength: 1
  15116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15117. type: string
  15118. namespace:
  15119. description: |-
  15120. The namespace of the Secret resource being referred to.
  15121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15122. maxLength: 63
  15123. minLength: 1
  15124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15125. type: string
  15126. type: object
  15127. secretAccessKeySecretRef:
  15128. description: The SecretAccessKey is used for authentication
  15129. properties:
  15130. key:
  15131. description: |-
  15132. A key in the referenced Secret.
  15133. Some instances of this field may be defaulted, in others it may be required.
  15134. maxLength: 253
  15135. minLength: 1
  15136. pattern: ^[-._a-zA-Z0-9]+$
  15137. type: string
  15138. name:
  15139. description: The name of the Secret resource being referred to.
  15140. maxLength: 253
  15141. minLength: 1
  15142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15143. type: string
  15144. namespace:
  15145. description: |-
  15146. The namespace of the Secret resource being referred to.
  15147. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15148. maxLength: 63
  15149. minLength: 1
  15150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15151. type: string
  15152. type: object
  15153. sessionTokenSecretRef:
  15154. description: |-
  15155. The SessionToken used for authentication
  15156. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15157. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15158. properties:
  15159. key:
  15160. description: |-
  15161. A key in the referenced Secret.
  15162. Some instances of this field may be defaulted, in others it may be required.
  15163. maxLength: 253
  15164. minLength: 1
  15165. pattern: ^[-._a-zA-Z0-9]+$
  15166. type: string
  15167. name:
  15168. description: The name of the Secret resource being referred to.
  15169. maxLength: 253
  15170. minLength: 1
  15171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15172. type: string
  15173. namespace:
  15174. description: |-
  15175. The namespace of the Secret resource being referred to.
  15176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15177. maxLength: 63
  15178. minLength: 1
  15179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15180. type: string
  15181. type: object
  15182. type: object
  15183. vaultAwsIamServerID:
  15184. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  15185. type: string
  15186. vaultRole:
  15187. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  15188. type: string
  15189. required:
  15190. - vaultRole
  15191. type: object
  15192. jwt:
  15193. description: |-
  15194. Jwt authenticates with Vault by passing role and JWT token using the
  15195. JWT/OIDC authentication method
  15196. properties:
  15197. kubernetesServiceAccountToken:
  15198. description: |-
  15199. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  15200. a token for with the `TokenRequest` API.
  15201. properties:
  15202. audiences:
  15203. description: |-
  15204. Optional audiences field that will be used to request a temporary Kubernetes service
  15205. account token for the service account referenced by `serviceAccountRef`.
  15206. Defaults to a single audience `vault` it not specified.
  15207. Deprecated: use serviceAccountRef.Audiences instead
  15208. items:
  15209. type: string
  15210. type: array
  15211. expirationSeconds:
  15212. description: |-
  15213. Optional expiration time in seconds that will be used to request a temporary
  15214. Kubernetes service account token for the service account referenced by
  15215. `serviceAccountRef`.
  15216. Deprecated: this will be removed in the future.
  15217. Defaults to 10 minutes.
  15218. format: int64
  15219. type: integer
  15220. serviceAccountRef:
  15221. description: Service account field containing the name of a kubernetes ServiceAccount.
  15222. properties:
  15223. audiences:
  15224. description: |-
  15225. Audience specifies the `aud` claim for the service account token
  15226. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15227. then this audiences will be appended to the list
  15228. items:
  15229. type: string
  15230. type: array
  15231. name:
  15232. description: The name of the ServiceAccount resource being referred to.
  15233. maxLength: 253
  15234. minLength: 1
  15235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15236. type: string
  15237. namespace:
  15238. description: |-
  15239. Namespace of the resource being referred to.
  15240. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15241. maxLength: 63
  15242. minLength: 1
  15243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15244. type: string
  15245. required:
  15246. - name
  15247. type: object
  15248. required:
  15249. - serviceAccountRef
  15250. type: object
  15251. path:
  15252. default: jwt
  15253. description: |-
  15254. Path where the JWT authentication backend is mounted
  15255. in Vault, e.g: "jwt"
  15256. type: string
  15257. role:
  15258. description: |-
  15259. Role is a JWT role to authenticate using the JWT/OIDC Vault
  15260. authentication method
  15261. type: string
  15262. secretRef:
  15263. description: |-
  15264. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  15265. authenticate with Vault using the JWT/OIDC authentication method.
  15266. properties:
  15267. key:
  15268. description: |-
  15269. A key in the referenced Secret.
  15270. Some instances of this field may be defaulted, in others it may be required.
  15271. maxLength: 253
  15272. minLength: 1
  15273. pattern: ^[-._a-zA-Z0-9]+$
  15274. type: string
  15275. name:
  15276. description: The name of the Secret resource being referred to.
  15277. maxLength: 253
  15278. minLength: 1
  15279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15280. type: string
  15281. namespace:
  15282. description: |-
  15283. The namespace of the Secret resource being referred to.
  15284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15285. maxLength: 63
  15286. minLength: 1
  15287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15288. type: string
  15289. type: object
  15290. required:
  15291. - path
  15292. type: object
  15293. kubernetes:
  15294. description: |-
  15295. Kubernetes authenticates with Vault by passing the ServiceAccount
  15296. token stored in the named Secret resource to the Vault server.
  15297. properties:
  15298. mountPath:
  15299. default: kubernetes
  15300. description: |-
  15301. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  15302. "kubernetes"
  15303. type: string
  15304. role:
  15305. description: |-
  15306. A required field containing the Vault Role to assume. A Role binds a
  15307. Kubernetes ServiceAccount with a set of Vault policies.
  15308. type: string
  15309. secretRef:
  15310. description: |-
  15311. Optional secret field containing a Kubernetes ServiceAccount JWT used
  15312. for authenticating with Vault. If a name is specified without a key,
  15313. `token` is the default. If one is not specified, the one bound to
  15314. the controller will be used.
  15315. properties:
  15316. key:
  15317. description: |-
  15318. A key in the referenced Secret.
  15319. Some instances of this field may be defaulted, in others it may be required.
  15320. maxLength: 253
  15321. minLength: 1
  15322. pattern: ^[-._a-zA-Z0-9]+$
  15323. type: string
  15324. name:
  15325. description: The name of the Secret resource being referred to.
  15326. maxLength: 253
  15327. minLength: 1
  15328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15329. type: string
  15330. namespace:
  15331. description: |-
  15332. The namespace of the Secret resource being referred to.
  15333. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15334. maxLength: 63
  15335. minLength: 1
  15336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15337. type: string
  15338. type: object
  15339. serviceAccountRef:
  15340. description: |-
  15341. Optional service account field containing the name of a kubernetes ServiceAccount.
  15342. If the service account is specified, the service account secret token JWT will be used
  15343. for authenticating with Vault. If the service account selector is not supplied,
  15344. the secretRef will be used instead.
  15345. properties:
  15346. audiences:
  15347. description: |-
  15348. Audience specifies the `aud` claim for the service account token
  15349. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15350. then this audiences will be appended to the list
  15351. items:
  15352. type: string
  15353. type: array
  15354. name:
  15355. description: The name of the ServiceAccount resource being referred to.
  15356. maxLength: 253
  15357. minLength: 1
  15358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15359. type: string
  15360. namespace:
  15361. description: |-
  15362. Namespace of the resource being referred to.
  15363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15364. maxLength: 63
  15365. minLength: 1
  15366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15367. type: string
  15368. required:
  15369. - name
  15370. type: object
  15371. required:
  15372. - mountPath
  15373. - role
  15374. type: object
  15375. ldap:
  15376. description: |-
  15377. Ldap authenticates with Vault by passing username/password pair using
  15378. the LDAP authentication method
  15379. properties:
  15380. path:
  15381. default: ldap
  15382. description: |-
  15383. Path where the LDAP authentication backend is mounted
  15384. in Vault, e.g: "ldap"
  15385. type: string
  15386. secretRef:
  15387. description: |-
  15388. SecretRef to a key in a Secret resource containing password for the LDAP
  15389. user used to authenticate with Vault using the LDAP authentication
  15390. method
  15391. properties:
  15392. key:
  15393. description: |-
  15394. A key in the referenced Secret.
  15395. Some instances of this field may be defaulted, in others it may be required.
  15396. maxLength: 253
  15397. minLength: 1
  15398. pattern: ^[-._a-zA-Z0-9]+$
  15399. type: string
  15400. name:
  15401. description: The name of the Secret resource being referred to.
  15402. maxLength: 253
  15403. minLength: 1
  15404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15405. type: string
  15406. namespace:
  15407. description: |-
  15408. The namespace of the Secret resource being referred to.
  15409. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15410. maxLength: 63
  15411. minLength: 1
  15412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15413. type: string
  15414. type: object
  15415. username:
  15416. description: |-
  15417. Username is an LDAP username used to authenticate using the LDAP Vault
  15418. authentication method
  15419. type: string
  15420. required:
  15421. - path
  15422. - username
  15423. type: object
  15424. namespace:
  15425. description: |-
  15426. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  15427. Namespaces is a set of features within Vault Enterprise that allows
  15428. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  15429. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  15430. This will default to Vault.Namespace field if set, or empty otherwise
  15431. type: string
  15432. tokenSecretRef:
  15433. description: TokenSecretRef authenticates with Vault by presenting a token.
  15434. properties:
  15435. key:
  15436. description: |-
  15437. A key in the referenced Secret.
  15438. Some instances of this field may be defaulted, in others it may be required.
  15439. maxLength: 253
  15440. minLength: 1
  15441. pattern: ^[-._a-zA-Z0-9]+$
  15442. type: string
  15443. name:
  15444. description: The name of the Secret resource being referred to.
  15445. maxLength: 253
  15446. minLength: 1
  15447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15448. type: string
  15449. namespace:
  15450. description: |-
  15451. The namespace of the Secret resource being referred to.
  15452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15453. maxLength: 63
  15454. minLength: 1
  15455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15456. type: string
  15457. type: object
  15458. userPass:
  15459. description: UserPass authenticates with Vault by passing username/password pair
  15460. properties:
  15461. path:
  15462. default: userpass
  15463. description: |-
  15464. Path where the UserPassword authentication backend is mounted
  15465. in Vault, e.g: "userpass"
  15466. type: string
  15467. secretRef:
  15468. description: |-
  15469. SecretRef to a key in a Secret resource containing password for the
  15470. user used to authenticate with Vault using the UserPass authentication
  15471. method
  15472. properties:
  15473. key:
  15474. description: |-
  15475. A key in the referenced Secret.
  15476. Some instances of this field may be defaulted, in others it may be required.
  15477. maxLength: 253
  15478. minLength: 1
  15479. pattern: ^[-._a-zA-Z0-9]+$
  15480. type: string
  15481. name:
  15482. description: The name of the Secret resource being referred to.
  15483. maxLength: 253
  15484. minLength: 1
  15485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15486. type: string
  15487. namespace:
  15488. description: |-
  15489. The namespace of the Secret resource being referred to.
  15490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15491. maxLength: 63
  15492. minLength: 1
  15493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15494. type: string
  15495. type: object
  15496. username:
  15497. description: |-
  15498. Username is a username used to authenticate using the UserPass Vault
  15499. authentication method
  15500. type: string
  15501. required:
  15502. - path
  15503. - username
  15504. type: object
  15505. type: object
  15506. caBundle:
  15507. description: |-
  15508. PEM encoded CA bundle used to validate Vault server certificate. Only used
  15509. if the Server URL is using HTTPS protocol. This parameter is ignored for
  15510. plain HTTP protocol connection. If not set the system root certificates
  15511. are used to validate the TLS connection.
  15512. format: byte
  15513. type: string
  15514. caProvider:
  15515. description: The provider for the CA bundle to use to validate Vault server certificate.
  15516. properties:
  15517. key:
  15518. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15519. maxLength: 253
  15520. minLength: 1
  15521. pattern: ^[-._a-zA-Z0-9]+$
  15522. type: string
  15523. name:
  15524. description: The name of the object located at the provider type.
  15525. maxLength: 253
  15526. minLength: 1
  15527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15528. type: string
  15529. namespace:
  15530. description: |-
  15531. The namespace the Provider type is in.
  15532. Can only be defined when used in a ClusterSecretStore.
  15533. maxLength: 63
  15534. minLength: 1
  15535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15536. type: string
  15537. type:
  15538. description: The type of provider to use such as "Secret", or "ConfigMap".
  15539. enum:
  15540. - Secret
  15541. - ConfigMap
  15542. type: string
  15543. required:
  15544. - name
  15545. - type
  15546. type: object
  15547. forwardInconsistent:
  15548. description: |-
  15549. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  15550. leader instead of simply retrying within a loop. This can increase performance if
  15551. the option is enabled serverside.
  15552. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  15553. type: boolean
  15554. headers:
  15555. additionalProperties:
  15556. type: string
  15557. description: Headers to be added in Vault request
  15558. type: object
  15559. namespace:
  15560. description: |-
  15561. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  15562. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  15563. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  15564. type: string
  15565. path:
  15566. description: |-
  15567. Path is the mount path of the Vault KV backend endpoint, e.g:
  15568. "secret". The v2 KV secret engine version specific "/data" path suffix
  15569. for fetching secrets from Vault is optional and will be appended
  15570. if not present in specified path.
  15571. type: string
  15572. readYourWrites:
  15573. description: |-
  15574. ReadYourWrites ensures isolated read-after-write semantics by
  15575. providing discovered cluster replication states in each request.
  15576. More information about eventual consistency in Vault can be found here
  15577. https://www.vaultproject.io/docs/enterprise/consistency
  15578. type: boolean
  15579. server:
  15580. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  15581. type: string
  15582. tls:
  15583. description: |-
  15584. The configuration used for client side related TLS communication, when the Vault server
  15585. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  15586. This parameter is ignored for plain HTTP protocol connection.
  15587. It's worth noting this configuration is different from the "TLS certificates auth method",
  15588. which is available under the `auth.cert` section.
  15589. properties:
  15590. certSecretRef:
  15591. description: |-
  15592. CertSecretRef is a certificate added to the transport layer
  15593. when communicating with the Vault server.
  15594. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  15595. properties:
  15596. key:
  15597. description: |-
  15598. A key in the referenced Secret.
  15599. Some instances of this field may be defaulted, in others it may be required.
  15600. maxLength: 253
  15601. minLength: 1
  15602. pattern: ^[-._a-zA-Z0-9]+$
  15603. type: string
  15604. name:
  15605. description: The name of the Secret resource being referred to.
  15606. maxLength: 253
  15607. minLength: 1
  15608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15609. type: string
  15610. namespace:
  15611. description: |-
  15612. The namespace of the Secret resource being referred to.
  15613. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15614. maxLength: 63
  15615. minLength: 1
  15616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15617. type: string
  15618. type: object
  15619. keySecretRef:
  15620. description: |-
  15621. KeySecretRef to a key in a Secret resource containing client private key
  15622. added to the transport layer when communicating with the Vault server.
  15623. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  15624. properties:
  15625. key:
  15626. description: |-
  15627. A key in the referenced Secret.
  15628. Some instances of this field may be defaulted, in others it may be required.
  15629. maxLength: 253
  15630. minLength: 1
  15631. pattern: ^[-._a-zA-Z0-9]+$
  15632. type: string
  15633. name:
  15634. description: The name of the Secret resource being referred to.
  15635. maxLength: 253
  15636. minLength: 1
  15637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15638. type: string
  15639. namespace:
  15640. description: |-
  15641. The namespace of the Secret resource being referred to.
  15642. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15643. maxLength: 63
  15644. minLength: 1
  15645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15646. type: string
  15647. type: object
  15648. type: object
  15649. version:
  15650. default: v2
  15651. description: |-
  15652. Version is the Vault KV secret engine version. This can be either "v1" or
  15653. "v2". Version defaults to "v2".
  15654. enum:
  15655. - v1
  15656. - v2
  15657. type: string
  15658. required:
  15659. - server
  15660. type: object
  15661. webhook:
  15662. description: Webhook configures this store to sync secrets using a generic templated webhook
  15663. properties:
  15664. body:
  15665. description: Body
  15666. type: string
  15667. caBundle:
  15668. description: |-
  15669. PEM encoded CA bundle used to validate webhook server certificate. Only used
  15670. if the Server URL is using HTTPS protocol. This parameter is ignored for
  15671. plain HTTP protocol connection. If not set the system root certificates
  15672. are used to validate the TLS connection.
  15673. format: byte
  15674. type: string
  15675. caProvider:
  15676. description: The provider for the CA bundle to use to validate webhook server certificate.
  15677. properties:
  15678. key:
  15679. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15680. maxLength: 253
  15681. minLength: 1
  15682. pattern: ^[-._a-zA-Z0-9]+$
  15683. type: string
  15684. name:
  15685. description: The name of the object located at the provider type.
  15686. maxLength: 253
  15687. minLength: 1
  15688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15689. type: string
  15690. namespace:
  15691. description: The namespace the Provider type is in.
  15692. maxLength: 63
  15693. minLength: 1
  15694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15695. type: string
  15696. type:
  15697. description: The type of provider to use such as "Secret", or "ConfigMap".
  15698. enum:
  15699. - Secret
  15700. - ConfigMap
  15701. type: string
  15702. required:
  15703. - name
  15704. - type
  15705. type: object
  15706. headers:
  15707. additionalProperties:
  15708. type: string
  15709. description: Headers
  15710. type: object
  15711. method:
  15712. description: Webhook Method
  15713. type: string
  15714. result:
  15715. description: Result formatting
  15716. properties:
  15717. jsonPath:
  15718. description: Json path of return value
  15719. type: string
  15720. type: object
  15721. secrets:
  15722. description: |-
  15723. Secrets to fill in templates
  15724. These secrets will be passed to the templating function as key value pairs under the given name
  15725. items:
  15726. properties:
  15727. name:
  15728. description: Name of this secret in templates
  15729. type: string
  15730. secretRef:
  15731. description: Secret ref to fill in credentials
  15732. properties:
  15733. key:
  15734. description: |-
  15735. A key in the referenced Secret.
  15736. Some instances of this field may be defaulted, in others it may be required.
  15737. maxLength: 253
  15738. minLength: 1
  15739. pattern: ^[-._a-zA-Z0-9]+$
  15740. type: string
  15741. name:
  15742. description: The name of the Secret resource being referred to.
  15743. maxLength: 253
  15744. minLength: 1
  15745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15746. type: string
  15747. namespace:
  15748. description: |-
  15749. The namespace of the Secret resource being referred to.
  15750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15751. maxLength: 63
  15752. minLength: 1
  15753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15754. type: string
  15755. type: object
  15756. required:
  15757. - name
  15758. - secretRef
  15759. type: object
  15760. type: array
  15761. timeout:
  15762. description: Timeout
  15763. type: string
  15764. url:
  15765. description: Webhook url to call
  15766. type: string
  15767. required:
  15768. - result
  15769. - url
  15770. type: object
  15771. yandexcertificatemanager:
  15772. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  15773. properties:
  15774. apiEndpoint:
  15775. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  15776. type: string
  15777. auth:
  15778. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  15779. properties:
  15780. authorizedKeySecretRef:
  15781. description: The authorized key used for authentication
  15782. properties:
  15783. key:
  15784. description: |-
  15785. A key in the referenced Secret.
  15786. Some instances of this field may be defaulted, in others it may be required.
  15787. maxLength: 253
  15788. minLength: 1
  15789. pattern: ^[-._a-zA-Z0-9]+$
  15790. type: string
  15791. name:
  15792. description: The name of the Secret resource being referred to.
  15793. maxLength: 253
  15794. minLength: 1
  15795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15796. type: string
  15797. namespace:
  15798. description: |-
  15799. The namespace of the Secret resource being referred to.
  15800. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15801. maxLength: 63
  15802. minLength: 1
  15803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15804. type: string
  15805. type: object
  15806. type: object
  15807. caProvider:
  15808. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  15809. properties:
  15810. certSecretRef:
  15811. description: |-
  15812. A reference to a specific 'key' within a Secret resource.
  15813. In some instances, `key` is a required field.
  15814. properties:
  15815. key:
  15816. description: |-
  15817. A key in the referenced Secret.
  15818. Some instances of this field may be defaulted, in others it may be required.
  15819. maxLength: 253
  15820. minLength: 1
  15821. pattern: ^[-._a-zA-Z0-9]+$
  15822. type: string
  15823. name:
  15824. description: The name of the Secret resource being referred to.
  15825. maxLength: 253
  15826. minLength: 1
  15827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15828. type: string
  15829. namespace:
  15830. description: |-
  15831. The namespace of the Secret resource being referred to.
  15832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15833. maxLength: 63
  15834. minLength: 1
  15835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15836. type: string
  15837. type: object
  15838. type: object
  15839. required:
  15840. - auth
  15841. type: object
  15842. yandexlockbox:
  15843. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  15844. properties:
  15845. apiEndpoint:
  15846. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  15847. type: string
  15848. auth:
  15849. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  15850. properties:
  15851. authorizedKeySecretRef:
  15852. description: The authorized key used for authentication
  15853. properties:
  15854. key:
  15855. description: |-
  15856. A key in the referenced Secret.
  15857. Some instances of this field may be defaulted, in others it may be required.
  15858. maxLength: 253
  15859. minLength: 1
  15860. pattern: ^[-._a-zA-Z0-9]+$
  15861. type: string
  15862. name:
  15863. description: The name of the Secret resource being referred to.
  15864. maxLength: 253
  15865. minLength: 1
  15866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15867. type: string
  15868. namespace:
  15869. description: |-
  15870. The namespace of the Secret resource being referred to.
  15871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15872. maxLength: 63
  15873. minLength: 1
  15874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15875. type: string
  15876. type: object
  15877. type: object
  15878. caProvider:
  15879. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  15880. properties:
  15881. certSecretRef:
  15882. description: |-
  15883. A reference to a specific 'key' within a Secret resource.
  15884. In some instances, `key` is a required field.
  15885. properties:
  15886. key:
  15887. description: |-
  15888. A key in the referenced Secret.
  15889. Some instances of this field may be defaulted, in others it may be required.
  15890. maxLength: 253
  15891. minLength: 1
  15892. pattern: ^[-._a-zA-Z0-9]+$
  15893. type: string
  15894. name:
  15895. description: The name of the Secret resource being referred to.
  15896. maxLength: 253
  15897. minLength: 1
  15898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15899. type: string
  15900. namespace:
  15901. description: |-
  15902. The namespace of the Secret resource being referred to.
  15903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15904. maxLength: 63
  15905. minLength: 1
  15906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15907. type: string
  15908. type: object
  15909. type: object
  15910. required:
  15911. - auth
  15912. type: object
  15913. type: object
  15914. refreshInterval:
  15915. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  15916. type: integer
  15917. retrySettings:
  15918. description: Used to configure http retries if failed
  15919. properties:
  15920. maxRetries:
  15921. format: int32
  15922. type: integer
  15923. retryInterval:
  15924. type: string
  15925. type: object
  15926. required:
  15927. - provider
  15928. type: object
  15929. status:
  15930. description: SecretStoreStatus defines the observed state of the SecretStore.
  15931. properties:
  15932. capabilities:
  15933. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  15934. type: string
  15935. conditions:
  15936. items:
  15937. properties:
  15938. lastTransitionTime:
  15939. format: date-time
  15940. type: string
  15941. message:
  15942. type: string
  15943. reason:
  15944. type: string
  15945. status:
  15946. type: string
  15947. type:
  15948. type: string
  15949. required:
  15950. - status
  15951. - type
  15952. type: object
  15953. type: array
  15954. type: object
  15955. type: object
  15956. served: true
  15957. storage: true
  15958. subresources:
  15959. status: {}
  15960. - additionalPrinterColumns:
  15961. - jsonPath: .metadata.creationTimestamp
  15962. name: AGE
  15963. type: date
  15964. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  15965. name: Status
  15966. type: string
  15967. - jsonPath: .status.capabilities
  15968. name: Capabilities
  15969. type: string
  15970. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  15971. name: Ready
  15972. type: string
  15973. name: v1beta1
  15974. schema:
  15975. openAPIV3Schema:
  15976. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  15977. properties:
  15978. apiVersion:
  15979. description: |-
  15980. APIVersion defines the versioned schema of this representation of an object.
  15981. Servers should convert recognized schemas to the latest internal value, and
  15982. may reject unrecognized values.
  15983. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  15984. type: string
  15985. kind:
  15986. description: |-
  15987. Kind is a string value representing the REST resource this object represents.
  15988. Servers may infer this from the endpoint the client submits requests to.
  15989. Cannot be updated.
  15990. In CamelCase.
  15991. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  15992. type: string
  15993. metadata:
  15994. type: object
  15995. spec:
  15996. description: SecretStoreSpec defines the desired state of SecretStore.
  15997. properties:
  15998. conditions:
  15999. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  16000. items:
  16001. description: |-
  16002. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  16003. for a ClusterSecretStore instance.
  16004. properties:
  16005. namespaceRegexes:
  16006. description: Choose namespaces by using regex matching
  16007. items:
  16008. type: string
  16009. type: array
  16010. namespaceSelector:
  16011. description: Choose namespace using a labelSelector
  16012. properties:
  16013. matchExpressions:
  16014. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  16015. items:
  16016. description: |-
  16017. A label selector requirement is a selector that contains values, a key, and an operator that
  16018. relates the key and values.
  16019. properties:
  16020. key:
  16021. description: key is the label key that the selector applies to.
  16022. type: string
  16023. operator:
  16024. description: |-
  16025. operator represents a key's relationship to a set of values.
  16026. Valid operators are In, NotIn, Exists and DoesNotExist.
  16027. type: string
  16028. values:
  16029. description: |-
  16030. values is an array of string values. If the operator is In or NotIn,
  16031. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  16032. the values array must be empty. This array is replaced during a strategic
  16033. merge patch.
  16034. items:
  16035. type: string
  16036. type: array
  16037. x-kubernetes-list-type: atomic
  16038. required:
  16039. - key
  16040. - operator
  16041. type: object
  16042. type: array
  16043. x-kubernetes-list-type: atomic
  16044. matchLabels:
  16045. additionalProperties:
  16046. type: string
  16047. description: |-
  16048. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  16049. map is equivalent to an element of matchExpressions, whose key field is "key", the
  16050. operator is "In", and the values array contains only "value". The requirements are ANDed.
  16051. type: object
  16052. type: object
  16053. x-kubernetes-map-type: atomic
  16054. namespaces:
  16055. description: Choose namespaces by name
  16056. items:
  16057. maxLength: 63
  16058. minLength: 1
  16059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16060. type: string
  16061. type: array
  16062. type: object
  16063. type: array
  16064. controller:
  16065. description: |-
  16066. Used to select the correct ESO controller (think: ingress.ingressClassName)
  16067. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  16068. type: string
  16069. provider:
  16070. description: Used to configure the provider. Only one provider may be set
  16071. maxProperties: 1
  16072. minProperties: 1
  16073. properties:
  16074. akeyless:
  16075. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  16076. properties:
  16077. akeylessGWApiURL:
  16078. description: Akeyless GW API Url from which the secrets to be fetched from.
  16079. type: string
  16080. authSecretRef:
  16081. description: Auth configures how the operator authenticates with Akeyless.
  16082. properties:
  16083. kubernetesAuth:
  16084. description: |-
  16085. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  16086. token stored in the named Secret resource.
  16087. properties:
  16088. accessID:
  16089. description: the Akeyless Kubernetes auth-method access-id
  16090. type: string
  16091. k8sConfName:
  16092. description: Kubernetes-auth configuration name in Akeyless-Gateway
  16093. type: string
  16094. secretRef:
  16095. description: |-
  16096. Optional secret field containing a Kubernetes ServiceAccount JWT used
  16097. for authenticating with Akeyless. If a name is specified without a key,
  16098. `token` is the default. If one is not specified, the one bound to
  16099. the controller will be used.
  16100. properties:
  16101. key:
  16102. description: |-
  16103. A key in the referenced Secret.
  16104. Some instances of this field may be defaulted, in others it may be required.
  16105. maxLength: 253
  16106. minLength: 1
  16107. pattern: ^[-._a-zA-Z0-9]+$
  16108. type: string
  16109. name:
  16110. description: The name of the Secret resource being referred to.
  16111. maxLength: 253
  16112. minLength: 1
  16113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16114. type: string
  16115. namespace:
  16116. description: |-
  16117. The namespace of the Secret resource being referred to.
  16118. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16119. maxLength: 63
  16120. minLength: 1
  16121. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16122. type: string
  16123. type: object
  16124. serviceAccountRef:
  16125. description: |-
  16126. Optional service account field containing the name of a kubernetes ServiceAccount.
  16127. If the service account is specified, the service account secret token JWT will be used
  16128. for authenticating with Akeyless. If the service account selector is not supplied,
  16129. the secretRef will be used instead.
  16130. properties:
  16131. audiences:
  16132. description: |-
  16133. Audience specifies the `aud` claim for the service account token
  16134. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16135. then this audiences will be appended to the list
  16136. items:
  16137. type: string
  16138. type: array
  16139. name:
  16140. description: The name of the ServiceAccount resource being referred to.
  16141. maxLength: 253
  16142. minLength: 1
  16143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16144. type: string
  16145. namespace:
  16146. description: |-
  16147. Namespace of the resource being referred to.
  16148. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16149. maxLength: 63
  16150. minLength: 1
  16151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16152. type: string
  16153. required:
  16154. - name
  16155. type: object
  16156. required:
  16157. - accessID
  16158. - k8sConfName
  16159. type: object
  16160. secretRef:
  16161. description: |-
  16162. Reference to a Secret that contains the details
  16163. to authenticate with Akeyless.
  16164. properties:
  16165. accessID:
  16166. description: The SecretAccessID is used for authentication
  16167. properties:
  16168. key:
  16169. description: |-
  16170. A key in the referenced Secret.
  16171. Some instances of this field may be defaulted, in others it may be required.
  16172. maxLength: 253
  16173. minLength: 1
  16174. pattern: ^[-._a-zA-Z0-9]+$
  16175. type: string
  16176. name:
  16177. description: The name of the Secret resource being referred to.
  16178. maxLength: 253
  16179. minLength: 1
  16180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16181. type: string
  16182. namespace:
  16183. description: |-
  16184. The namespace of the Secret resource being referred to.
  16185. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16186. maxLength: 63
  16187. minLength: 1
  16188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16189. type: string
  16190. type: object
  16191. accessType:
  16192. description: |-
  16193. A reference to a specific 'key' within a Secret resource.
  16194. In some instances, `key` is a required field.
  16195. properties:
  16196. key:
  16197. description: |-
  16198. A key in the referenced Secret.
  16199. Some instances of this field may be defaulted, in others it may be required.
  16200. maxLength: 253
  16201. minLength: 1
  16202. pattern: ^[-._a-zA-Z0-9]+$
  16203. type: string
  16204. name:
  16205. description: The name of the Secret resource being referred to.
  16206. maxLength: 253
  16207. minLength: 1
  16208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16209. type: string
  16210. namespace:
  16211. description: |-
  16212. The namespace of the Secret resource being referred to.
  16213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16214. maxLength: 63
  16215. minLength: 1
  16216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16217. type: string
  16218. type: object
  16219. accessTypeParam:
  16220. description: |-
  16221. A reference to a specific 'key' within a Secret resource.
  16222. In some instances, `key` is a required field.
  16223. properties:
  16224. key:
  16225. description: |-
  16226. A key in the referenced Secret.
  16227. Some instances of this field may be defaulted, in others it may be required.
  16228. maxLength: 253
  16229. minLength: 1
  16230. pattern: ^[-._a-zA-Z0-9]+$
  16231. type: string
  16232. name:
  16233. description: The name of the Secret resource being referred to.
  16234. maxLength: 253
  16235. minLength: 1
  16236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16237. type: string
  16238. namespace:
  16239. description: |-
  16240. The namespace of the Secret resource being referred to.
  16241. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16242. maxLength: 63
  16243. minLength: 1
  16244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16245. type: string
  16246. type: object
  16247. type: object
  16248. type: object
  16249. caBundle:
  16250. description: |-
  16251. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  16252. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  16253. are used to validate the TLS connection.
  16254. format: byte
  16255. type: string
  16256. caProvider:
  16257. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  16258. properties:
  16259. key:
  16260. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16261. maxLength: 253
  16262. minLength: 1
  16263. pattern: ^[-._a-zA-Z0-9]+$
  16264. type: string
  16265. name:
  16266. description: The name of the object located at the provider type.
  16267. maxLength: 253
  16268. minLength: 1
  16269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16270. type: string
  16271. namespace:
  16272. description: |-
  16273. The namespace the Provider type is in.
  16274. Can only be defined when used in a ClusterSecretStore.
  16275. maxLength: 63
  16276. minLength: 1
  16277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16278. type: string
  16279. type:
  16280. description: The type of provider to use such as "Secret", or "ConfigMap".
  16281. enum:
  16282. - Secret
  16283. - ConfigMap
  16284. type: string
  16285. required:
  16286. - name
  16287. - type
  16288. type: object
  16289. required:
  16290. - akeylessGWApiURL
  16291. - authSecretRef
  16292. type: object
  16293. alibaba:
  16294. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  16295. properties:
  16296. auth:
  16297. description: AlibabaAuth contains a secretRef for credentials.
  16298. properties:
  16299. rrsa:
  16300. description: Authenticate against Alibaba using RRSA.
  16301. properties:
  16302. oidcProviderArn:
  16303. type: string
  16304. oidcTokenFilePath:
  16305. type: string
  16306. roleArn:
  16307. type: string
  16308. sessionName:
  16309. type: string
  16310. required:
  16311. - oidcProviderArn
  16312. - oidcTokenFilePath
  16313. - roleArn
  16314. - sessionName
  16315. type: object
  16316. secretRef:
  16317. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  16318. properties:
  16319. accessKeyIDSecretRef:
  16320. description: The AccessKeyID is used for authentication
  16321. properties:
  16322. key:
  16323. description: |-
  16324. A key in the referenced Secret.
  16325. Some instances of this field may be defaulted, in others it may be required.
  16326. maxLength: 253
  16327. minLength: 1
  16328. pattern: ^[-._a-zA-Z0-9]+$
  16329. type: string
  16330. name:
  16331. description: The name of the Secret resource being referred to.
  16332. maxLength: 253
  16333. minLength: 1
  16334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16335. type: string
  16336. namespace:
  16337. description: |-
  16338. The namespace of the Secret resource being referred to.
  16339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16340. maxLength: 63
  16341. minLength: 1
  16342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16343. type: string
  16344. type: object
  16345. accessKeySecretSecretRef:
  16346. description: The AccessKeySecret is used for authentication
  16347. properties:
  16348. key:
  16349. description: |-
  16350. A key in the referenced Secret.
  16351. Some instances of this field may be defaulted, in others it may be required.
  16352. maxLength: 253
  16353. minLength: 1
  16354. pattern: ^[-._a-zA-Z0-9]+$
  16355. type: string
  16356. name:
  16357. description: The name of the Secret resource being referred to.
  16358. maxLength: 253
  16359. minLength: 1
  16360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16361. type: string
  16362. namespace:
  16363. description: |-
  16364. The namespace of the Secret resource being referred to.
  16365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16366. maxLength: 63
  16367. minLength: 1
  16368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16369. type: string
  16370. type: object
  16371. required:
  16372. - accessKeyIDSecretRef
  16373. - accessKeySecretSecretRef
  16374. type: object
  16375. type: object
  16376. regionID:
  16377. description: Alibaba Region to be used for the provider
  16378. type: string
  16379. required:
  16380. - auth
  16381. - regionID
  16382. type: object
  16383. aws:
  16384. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  16385. properties:
  16386. additionalRoles:
  16387. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  16388. items:
  16389. type: string
  16390. type: array
  16391. auth:
  16392. description: |-
  16393. Auth defines the information necessary to authenticate against AWS
  16394. if not set aws sdk will infer credentials from your environment
  16395. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  16396. properties:
  16397. jwt:
  16398. description: Authenticate against AWS using service account tokens.
  16399. properties:
  16400. serviceAccountRef:
  16401. description: A reference to a ServiceAccount resource.
  16402. properties:
  16403. audiences:
  16404. description: |-
  16405. Audience specifies the `aud` claim for the service account token
  16406. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16407. then this audiences will be appended to the list
  16408. items:
  16409. type: string
  16410. type: array
  16411. name:
  16412. description: The name of the ServiceAccount resource being referred to.
  16413. maxLength: 253
  16414. minLength: 1
  16415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16416. type: string
  16417. namespace:
  16418. description: |-
  16419. Namespace of the resource being referred to.
  16420. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16421. maxLength: 63
  16422. minLength: 1
  16423. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16424. type: string
  16425. required:
  16426. - name
  16427. type: object
  16428. type: object
  16429. secretRef:
  16430. description: |-
  16431. AWSAuthSecretRef holds secret references for AWS credentials
  16432. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  16433. properties:
  16434. accessKeyIDSecretRef:
  16435. description: The AccessKeyID is used for authentication
  16436. properties:
  16437. key:
  16438. description: |-
  16439. A key in the referenced Secret.
  16440. Some instances of this field may be defaulted, in others it may be required.
  16441. maxLength: 253
  16442. minLength: 1
  16443. pattern: ^[-._a-zA-Z0-9]+$
  16444. type: string
  16445. name:
  16446. description: The name of the Secret resource being referred to.
  16447. maxLength: 253
  16448. minLength: 1
  16449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16450. type: string
  16451. namespace:
  16452. description: |-
  16453. The namespace of the Secret resource being referred to.
  16454. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16455. maxLength: 63
  16456. minLength: 1
  16457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16458. type: string
  16459. type: object
  16460. secretAccessKeySecretRef:
  16461. description: The SecretAccessKey is used for authentication
  16462. properties:
  16463. key:
  16464. description: |-
  16465. A key in the referenced Secret.
  16466. Some instances of this field may be defaulted, in others it may be required.
  16467. maxLength: 253
  16468. minLength: 1
  16469. pattern: ^[-._a-zA-Z0-9]+$
  16470. type: string
  16471. name:
  16472. description: The name of the Secret resource being referred to.
  16473. maxLength: 253
  16474. minLength: 1
  16475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16476. type: string
  16477. namespace:
  16478. description: |-
  16479. The namespace of the Secret resource being referred to.
  16480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16481. maxLength: 63
  16482. minLength: 1
  16483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16484. type: string
  16485. type: object
  16486. sessionTokenSecretRef:
  16487. description: |-
  16488. The SessionToken used for authentication
  16489. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  16490. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  16491. properties:
  16492. key:
  16493. description: |-
  16494. A key in the referenced Secret.
  16495. Some instances of this field may be defaulted, in others it may be required.
  16496. maxLength: 253
  16497. minLength: 1
  16498. pattern: ^[-._a-zA-Z0-9]+$
  16499. type: string
  16500. name:
  16501. description: The name of the Secret resource being referred to.
  16502. maxLength: 253
  16503. minLength: 1
  16504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16505. type: string
  16506. namespace:
  16507. description: |-
  16508. The namespace of the Secret resource being referred to.
  16509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16510. maxLength: 63
  16511. minLength: 1
  16512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16513. type: string
  16514. type: object
  16515. type: object
  16516. type: object
  16517. externalID:
  16518. description: AWS External ID set on assumed IAM roles
  16519. type: string
  16520. prefix:
  16521. description: Prefix adds a prefix to all retrieved values.
  16522. type: string
  16523. region:
  16524. description: AWS Region to be used for the provider
  16525. type: string
  16526. role:
  16527. description: Role is a Role ARN which the provider will assume
  16528. type: string
  16529. secretsManager:
  16530. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  16531. properties:
  16532. forceDeleteWithoutRecovery:
  16533. description: |-
  16534. Specifies whether to delete the secret without any recovery window. You
  16535. can't use both this parameter and RecoveryWindowInDays in the same call.
  16536. If you don't use either, then by default Secrets Manager uses a 30 day
  16537. recovery window.
  16538. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  16539. type: boolean
  16540. recoveryWindowInDays:
  16541. description: |-
  16542. The number of days from 7 to 30 that Secrets Manager waits before
  16543. permanently deleting the secret. You can't use both this parameter and
  16544. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  16545. then by default Secrets Manager uses a 30 day recovery window.
  16546. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  16547. format: int64
  16548. type: integer
  16549. type: object
  16550. service:
  16551. description: Service defines which service should be used to fetch the secrets
  16552. enum:
  16553. - SecretsManager
  16554. - ParameterStore
  16555. type: string
  16556. sessionTags:
  16557. description: AWS STS assume role session tags
  16558. items:
  16559. properties:
  16560. key:
  16561. type: string
  16562. value:
  16563. type: string
  16564. required:
  16565. - key
  16566. - value
  16567. type: object
  16568. type: array
  16569. transitiveTagKeys:
  16570. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  16571. items:
  16572. type: string
  16573. type: array
  16574. required:
  16575. - region
  16576. - service
  16577. type: object
  16578. azurekv:
  16579. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  16580. properties:
  16581. authSecretRef:
  16582. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  16583. properties:
  16584. clientCertificate:
  16585. description: The Azure ClientCertificate of the service principle used for authentication.
  16586. properties:
  16587. key:
  16588. description: |-
  16589. A key in the referenced Secret.
  16590. Some instances of this field may be defaulted, in others it may be required.
  16591. maxLength: 253
  16592. minLength: 1
  16593. pattern: ^[-._a-zA-Z0-9]+$
  16594. type: string
  16595. name:
  16596. description: The name of the Secret resource being referred to.
  16597. maxLength: 253
  16598. minLength: 1
  16599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16600. type: string
  16601. namespace:
  16602. description: |-
  16603. The namespace of the Secret resource being referred to.
  16604. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16605. maxLength: 63
  16606. minLength: 1
  16607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16608. type: string
  16609. type: object
  16610. clientId:
  16611. description: The Azure clientId of the service principle or managed identity used for authentication.
  16612. properties:
  16613. key:
  16614. description: |-
  16615. A key in the referenced Secret.
  16616. Some instances of this field may be defaulted, in others it may be required.
  16617. maxLength: 253
  16618. minLength: 1
  16619. pattern: ^[-._a-zA-Z0-9]+$
  16620. type: string
  16621. name:
  16622. description: The name of the Secret resource being referred to.
  16623. maxLength: 253
  16624. minLength: 1
  16625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16626. type: string
  16627. namespace:
  16628. description: |-
  16629. The namespace of the Secret resource being referred to.
  16630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16631. maxLength: 63
  16632. minLength: 1
  16633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16634. type: string
  16635. type: object
  16636. clientSecret:
  16637. description: The Azure ClientSecret of the service principle used for authentication.
  16638. properties:
  16639. key:
  16640. description: |-
  16641. A key in the referenced Secret.
  16642. Some instances of this field may be defaulted, in others it may be required.
  16643. maxLength: 253
  16644. minLength: 1
  16645. pattern: ^[-._a-zA-Z0-9]+$
  16646. type: string
  16647. name:
  16648. description: The name of the Secret resource being referred to.
  16649. maxLength: 253
  16650. minLength: 1
  16651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16652. type: string
  16653. namespace:
  16654. description: |-
  16655. The namespace of the Secret resource being referred to.
  16656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16657. maxLength: 63
  16658. minLength: 1
  16659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16660. type: string
  16661. type: object
  16662. tenantId:
  16663. description: The Azure tenantId of the managed identity used for authentication.
  16664. properties:
  16665. key:
  16666. description: |-
  16667. A key in the referenced Secret.
  16668. Some instances of this field may be defaulted, in others it may be required.
  16669. maxLength: 253
  16670. minLength: 1
  16671. pattern: ^[-._a-zA-Z0-9]+$
  16672. type: string
  16673. name:
  16674. description: The name of the Secret resource being referred to.
  16675. maxLength: 253
  16676. minLength: 1
  16677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16678. type: string
  16679. namespace:
  16680. description: |-
  16681. The namespace of the Secret resource being referred to.
  16682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16683. maxLength: 63
  16684. minLength: 1
  16685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16686. type: string
  16687. type: object
  16688. type: object
  16689. authType:
  16690. default: ServicePrincipal
  16691. description: |-
  16692. Auth type defines how to authenticate to the keyvault service.
  16693. Valid values are:
  16694. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  16695. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  16696. enum:
  16697. - ServicePrincipal
  16698. - ManagedIdentity
  16699. - WorkloadIdentity
  16700. type: string
  16701. environmentType:
  16702. default: PublicCloud
  16703. description: |-
  16704. EnvironmentType specifies the Azure cloud environment endpoints to use for
  16705. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  16706. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  16707. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  16708. enum:
  16709. - PublicCloud
  16710. - USGovernmentCloud
  16711. - ChinaCloud
  16712. - GermanCloud
  16713. type: string
  16714. identityId:
  16715. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  16716. type: string
  16717. serviceAccountRef:
  16718. description: |-
  16719. ServiceAccountRef specified the service account
  16720. that should be used when authenticating with WorkloadIdentity.
  16721. properties:
  16722. audiences:
  16723. description: |-
  16724. Audience specifies the `aud` claim for the service account token
  16725. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16726. then this audiences will be appended to the list
  16727. items:
  16728. type: string
  16729. type: array
  16730. name:
  16731. description: The name of the ServiceAccount resource being referred to.
  16732. maxLength: 253
  16733. minLength: 1
  16734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16735. type: string
  16736. namespace:
  16737. description: |-
  16738. Namespace of the resource being referred to.
  16739. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16740. maxLength: 63
  16741. minLength: 1
  16742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16743. type: string
  16744. required:
  16745. - name
  16746. type: object
  16747. tenantId:
  16748. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  16749. type: string
  16750. vaultUrl:
  16751. description: Vault Url from which the secrets to be fetched from.
  16752. type: string
  16753. required:
  16754. - vaultUrl
  16755. type: object
  16756. beyondtrust:
  16757. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  16758. properties:
  16759. auth:
  16760. description: Auth configures how the operator authenticates with Beyondtrust.
  16761. properties:
  16762. apiKey:
  16763. description: APIKey If not provided then ClientID/ClientSecret become required.
  16764. properties:
  16765. secretRef:
  16766. description: SecretRef references a key in a secret that will be used as value.
  16767. properties:
  16768. key:
  16769. description: |-
  16770. A key in the referenced Secret.
  16771. Some instances of this field may be defaulted, in others it may be required.
  16772. maxLength: 253
  16773. minLength: 1
  16774. pattern: ^[-._a-zA-Z0-9]+$
  16775. type: string
  16776. name:
  16777. description: The name of the Secret resource being referred to.
  16778. maxLength: 253
  16779. minLength: 1
  16780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16781. type: string
  16782. namespace:
  16783. description: |-
  16784. The namespace of the Secret resource being referred to.
  16785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16786. maxLength: 63
  16787. minLength: 1
  16788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16789. type: string
  16790. type: object
  16791. value:
  16792. description: Value can be specified directly to set a value without using a secret.
  16793. type: string
  16794. type: object
  16795. certificate:
  16796. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  16797. properties:
  16798. secretRef:
  16799. description: SecretRef references a key in a secret that will be used as value.
  16800. properties:
  16801. key:
  16802. description: |-
  16803. A key in the referenced Secret.
  16804. Some instances of this field may be defaulted, in others it may be required.
  16805. maxLength: 253
  16806. minLength: 1
  16807. pattern: ^[-._a-zA-Z0-9]+$
  16808. type: string
  16809. name:
  16810. description: The name of the Secret resource being referred to.
  16811. maxLength: 253
  16812. minLength: 1
  16813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16814. type: string
  16815. namespace:
  16816. description: |-
  16817. The namespace of the Secret resource being referred to.
  16818. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16819. maxLength: 63
  16820. minLength: 1
  16821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16822. type: string
  16823. type: object
  16824. value:
  16825. description: Value can be specified directly to set a value without using a secret.
  16826. type: string
  16827. type: object
  16828. certificateKey:
  16829. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  16830. properties:
  16831. secretRef:
  16832. description: SecretRef references a key in a secret that will be used as value.
  16833. properties:
  16834. key:
  16835. description: |-
  16836. A key in the referenced Secret.
  16837. Some instances of this field may be defaulted, in others it may be required.
  16838. maxLength: 253
  16839. minLength: 1
  16840. pattern: ^[-._a-zA-Z0-9]+$
  16841. type: string
  16842. name:
  16843. description: The name of the Secret resource being referred to.
  16844. maxLength: 253
  16845. minLength: 1
  16846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16847. type: string
  16848. namespace:
  16849. description: |-
  16850. The namespace of the Secret resource being referred to.
  16851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16852. maxLength: 63
  16853. minLength: 1
  16854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16855. type: string
  16856. type: object
  16857. value:
  16858. description: Value can be specified directly to set a value without using a secret.
  16859. type: string
  16860. type: object
  16861. clientId:
  16862. description: ClientID is the API OAuth Client ID.
  16863. properties:
  16864. secretRef:
  16865. description: SecretRef references a key in a secret that will be used as value.
  16866. properties:
  16867. key:
  16868. description: |-
  16869. A key in the referenced Secret.
  16870. Some instances of this field may be defaulted, in others it may be required.
  16871. maxLength: 253
  16872. minLength: 1
  16873. pattern: ^[-._a-zA-Z0-9]+$
  16874. type: string
  16875. name:
  16876. description: The name of the Secret resource being referred to.
  16877. maxLength: 253
  16878. minLength: 1
  16879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16880. type: string
  16881. namespace:
  16882. description: |-
  16883. The namespace of the Secret resource being referred to.
  16884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16885. maxLength: 63
  16886. minLength: 1
  16887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16888. type: string
  16889. type: object
  16890. value:
  16891. description: Value can be specified directly to set a value without using a secret.
  16892. type: string
  16893. type: object
  16894. clientSecret:
  16895. description: ClientSecret is the API OAuth Client Secret.
  16896. properties:
  16897. secretRef:
  16898. description: SecretRef references a key in a secret that will be used as value.
  16899. properties:
  16900. key:
  16901. description: |-
  16902. A key in the referenced Secret.
  16903. Some instances of this field may be defaulted, in others it may be required.
  16904. maxLength: 253
  16905. minLength: 1
  16906. pattern: ^[-._a-zA-Z0-9]+$
  16907. type: string
  16908. name:
  16909. description: The name of the Secret resource being referred to.
  16910. maxLength: 253
  16911. minLength: 1
  16912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16913. type: string
  16914. namespace:
  16915. description: |-
  16916. The namespace of the Secret resource being referred to.
  16917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16918. maxLength: 63
  16919. minLength: 1
  16920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16921. type: string
  16922. type: object
  16923. value:
  16924. description: Value can be specified directly to set a value without using a secret.
  16925. type: string
  16926. type: object
  16927. type: object
  16928. server:
  16929. description: Auth configures how API server works.
  16930. properties:
  16931. apiUrl:
  16932. type: string
  16933. apiVersion:
  16934. type: string
  16935. clientTimeOutSeconds:
  16936. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  16937. type: integer
  16938. retrievalType:
  16939. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  16940. type: string
  16941. separator:
  16942. description: A character that separates the folder names.
  16943. type: string
  16944. verifyCA:
  16945. type: boolean
  16946. required:
  16947. - apiUrl
  16948. - verifyCA
  16949. type: object
  16950. required:
  16951. - auth
  16952. - server
  16953. type: object
  16954. bitwardensecretsmanager:
  16955. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  16956. properties:
  16957. apiURL:
  16958. type: string
  16959. auth:
  16960. description: |-
  16961. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16962. Make sure that the token being used has permissions on the given secret.
  16963. properties:
  16964. secretRef:
  16965. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16966. properties:
  16967. credentials:
  16968. description: AccessToken used for the bitwarden instance.
  16969. properties:
  16970. key:
  16971. description: |-
  16972. A key in the referenced Secret.
  16973. Some instances of this field may be defaulted, in others it may be required.
  16974. maxLength: 253
  16975. minLength: 1
  16976. pattern: ^[-._a-zA-Z0-9]+$
  16977. type: string
  16978. name:
  16979. description: The name of the Secret resource being referred to.
  16980. maxLength: 253
  16981. minLength: 1
  16982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16983. type: string
  16984. namespace:
  16985. description: |-
  16986. The namespace of the Secret resource being referred to.
  16987. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16988. maxLength: 63
  16989. minLength: 1
  16990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16991. type: string
  16992. type: object
  16993. required:
  16994. - credentials
  16995. type: object
  16996. required:
  16997. - secretRef
  16998. type: object
  16999. bitwardenServerSDKURL:
  17000. type: string
  17001. caBundle:
  17002. description: |-
  17003. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17004. can be performed.
  17005. type: string
  17006. caProvider:
  17007. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17008. properties:
  17009. key:
  17010. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17011. maxLength: 253
  17012. minLength: 1
  17013. pattern: ^[-._a-zA-Z0-9]+$
  17014. type: string
  17015. name:
  17016. description: The name of the object located at the provider type.
  17017. maxLength: 253
  17018. minLength: 1
  17019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17020. type: string
  17021. namespace:
  17022. description: |-
  17023. The namespace the Provider type is in.
  17024. Can only be defined when used in a ClusterSecretStore.
  17025. maxLength: 63
  17026. minLength: 1
  17027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17028. type: string
  17029. type:
  17030. description: The type of provider to use such as "Secret", or "ConfigMap".
  17031. enum:
  17032. - Secret
  17033. - ConfigMap
  17034. type: string
  17035. required:
  17036. - name
  17037. - type
  17038. type: object
  17039. identityURL:
  17040. type: string
  17041. organizationID:
  17042. description: OrganizationID determines which organization this secret store manages.
  17043. type: string
  17044. projectID:
  17045. description: ProjectID determines which project this secret store manages.
  17046. type: string
  17047. required:
  17048. - auth
  17049. - organizationID
  17050. - projectID
  17051. type: object
  17052. chef:
  17053. description: Chef configures this store to sync secrets with chef server
  17054. properties:
  17055. auth:
  17056. description: Auth defines the information necessary to authenticate against chef Server
  17057. properties:
  17058. secretRef:
  17059. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  17060. properties:
  17061. privateKeySecretRef:
  17062. description: SecretKey is the Signing Key in PEM format, used for authentication.
  17063. properties:
  17064. key:
  17065. description: |-
  17066. A key in the referenced Secret.
  17067. Some instances of this field may be defaulted, in others it may be required.
  17068. maxLength: 253
  17069. minLength: 1
  17070. pattern: ^[-._a-zA-Z0-9]+$
  17071. type: string
  17072. name:
  17073. description: The name of the Secret resource being referred to.
  17074. maxLength: 253
  17075. minLength: 1
  17076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17077. type: string
  17078. namespace:
  17079. description: |-
  17080. The namespace of the Secret resource being referred to.
  17081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17082. maxLength: 63
  17083. minLength: 1
  17084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17085. type: string
  17086. type: object
  17087. required:
  17088. - privateKeySecretRef
  17089. type: object
  17090. required:
  17091. - secretRef
  17092. type: object
  17093. serverUrl:
  17094. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  17095. type: string
  17096. username:
  17097. description: UserName should be the user ID on the chef server
  17098. type: string
  17099. required:
  17100. - auth
  17101. - serverUrl
  17102. - username
  17103. type: object
  17104. cloudrusm:
  17105. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  17106. properties:
  17107. auth:
  17108. description: CSMAuth contains a secretRef for credentials.
  17109. properties:
  17110. secretRef:
  17111. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  17112. properties:
  17113. accessKeyIDSecretRef:
  17114. description: The AccessKeyID is used for authentication
  17115. properties:
  17116. key:
  17117. description: |-
  17118. A key in the referenced Secret.
  17119. Some instances of this field may be defaulted, in others it may be required.
  17120. maxLength: 253
  17121. minLength: 1
  17122. pattern: ^[-._a-zA-Z0-9]+$
  17123. type: string
  17124. name:
  17125. description: The name of the Secret resource being referred to.
  17126. maxLength: 253
  17127. minLength: 1
  17128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17129. type: string
  17130. namespace:
  17131. description: |-
  17132. The namespace of the Secret resource being referred to.
  17133. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17134. maxLength: 63
  17135. minLength: 1
  17136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17137. type: string
  17138. type: object
  17139. accessKeySecretSecretRef:
  17140. description: The AccessKeySecret is used for authentication
  17141. properties:
  17142. key:
  17143. description: |-
  17144. A key in the referenced Secret.
  17145. Some instances of this field may be defaulted, in others it may be required.
  17146. maxLength: 253
  17147. minLength: 1
  17148. pattern: ^[-._a-zA-Z0-9]+$
  17149. type: string
  17150. name:
  17151. description: The name of the Secret resource being referred to.
  17152. maxLength: 253
  17153. minLength: 1
  17154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17155. type: string
  17156. namespace:
  17157. description: |-
  17158. The namespace of the Secret resource being referred to.
  17159. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17160. maxLength: 63
  17161. minLength: 1
  17162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17163. type: string
  17164. type: object
  17165. required:
  17166. - accessKeyIDSecretRef
  17167. - accessKeySecretSecretRef
  17168. type: object
  17169. type: object
  17170. projectID:
  17171. description: ProjectID is the project, which the secrets are stored in.
  17172. type: string
  17173. required:
  17174. - auth
  17175. type: object
  17176. conjur:
  17177. description: Conjur configures this store to sync secrets using conjur provider
  17178. properties:
  17179. auth:
  17180. description: Defines authentication settings for connecting to Conjur.
  17181. properties:
  17182. apikey:
  17183. description: Authenticates with Conjur using an API key.
  17184. properties:
  17185. account:
  17186. description: Account is the Conjur organization account name.
  17187. type: string
  17188. apiKeyRef:
  17189. description: |-
  17190. A reference to a specific 'key' containing the Conjur API key
  17191. within a Secret resource. In some instances, `key` is a required field.
  17192. properties:
  17193. key:
  17194. description: |-
  17195. A key in the referenced Secret.
  17196. Some instances of this field may be defaulted, in others it may be required.
  17197. maxLength: 253
  17198. minLength: 1
  17199. pattern: ^[-._a-zA-Z0-9]+$
  17200. type: string
  17201. name:
  17202. description: The name of the Secret resource being referred to.
  17203. maxLength: 253
  17204. minLength: 1
  17205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17206. type: string
  17207. namespace:
  17208. description: |-
  17209. The namespace of the Secret resource being referred to.
  17210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17211. maxLength: 63
  17212. minLength: 1
  17213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17214. type: string
  17215. type: object
  17216. userRef:
  17217. description: |-
  17218. A reference to a specific 'key' containing the Conjur username
  17219. within a Secret resource. In some instances, `key` is a required field.
  17220. properties:
  17221. key:
  17222. description: |-
  17223. A key in the referenced Secret.
  17224. Some instances of this field may be defaulted, in others it may be required.
  17225. maxLength: 253
  17226. minLength: 1
  17227. pattern: ^[-._a-zA-Z0-9]+$
  17228. type: string
  17229. name:
  17230. description: The name of the Secret resource being referred to.
  17231. maxLength: 253
  17232. minLength: 1
  17233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17234. type: string
  17235. namespace:
  17236. description: |-
  17237. The namespace of the Secret resource being referred to.
  17238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17239. maxLength: 63
  17240. minLength: 1
  17241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17242. type: string
  17243. type: object
  17244. required:
  17245. - account
  17246. - apiKeyRef
  17247. - userRef
  17248. type: object
  17249. jwt:
  17250. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  17251. properties:
  17252. account:
  17253. description: Account is the Conjur organization account name.
  17254. type: string
  17255. hostId:
  17256. description: |-
  17257. Optional HostID for JWT authentication. This may be used depending
  17258. on how the Conjur JWT authenticator policy is configured.
  17259. type: string
  17260. secretRef:
  17261. description: |-
  17262. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  17263. authenticate with Conjur using the JWT authentication method.
  17264. properties:
  17265. key:
  17266. description: |-
  17267. A key in the referenced Secret.
  17268. Some instances of this field may be defaulted, in others it may be required.
  17269. maxLength: 253
  17270. minLength: 1
  17271. pattern: ^[-._a-zA-Z0-9]+$
  17272. type: string
  17273. name:
  17274. description: The name of the Secret resource being referred to.
  17275. maxLength: 253
  17276. minLength: 1
  17277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17278. type: string
  17279. namespace:
  17280. description: |-
  17281. The namespace of the Secret resource being referred to.
  17282. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17283. maxLength: 63
  17284. minLength: 1
  17285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17286. type: string
  17287. type: object
  17288. serviceAccountRef:
  17289. description: |-
  17290. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  17291. a token for with the `TokenRequest` API.
  17292. properties:
  17293. audiences:
  17294. description: |-
  17295. Audience specifies the `aud` claim for the service account token
  17296. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17297. then this audiences will be appended to the list
  17298. items:
  17299. type: string
  17300. type: array
  17301. name:
  17302. description: The name of the ServiceAccount resource being referred to.
  17303. maxLength: 253
  17304. minLength: 1
  17305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17306. type: string
  17307. namespace:
  17308. description: |-
  17309. Namespace of the resource being referred to.
  17310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17311. maxLength: 63
  17312. minLength: 1
  17313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17314. type: string
  17315. required:
  17316. - name
  17317. type: object
  17318. serviceID:
  17319. description: The conjur authn jwt webservice id
  17320. type: string
  17321. required:
  17322. - account
  17323. - serviceID
  17324. type: object
  17325. type: object
  17326. caBundle:
  17327. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  17328. type: string
  17329. caProvider:
  17330. description: |-
  17331. Used to provide custom certificate authority (CA) certificates
  17332. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  17333. that contains a PEM-encoded certificate.
  17334. properties:
  17335. key:
  17336. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17337. maxLength: 253
  17338. minLength: 1
  17339. pattern: ^[-._a-zA-Z0-9]+$
  17340. type: string
  17341. name:
  17342. description: The name of the object located at the provider type.
  17343. maxLength: 253
  17344. minLength: 1
  17345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17346. type: string
  17347. namespace:
  17348. description: |-
  17349. The namespace the Provider type is in.
  17350. Can only be defined when used in a ClusterSecretStore.
  17351. maxLength: 63
  17352. minLength: 1
  17353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17354. type: string
  17355. type:
  17356. description: The type of provider to use such as "Secret", or "ConfigMap".
  17357. enum:
  17358. - Secret
  17359. - ConfigMap
  17360. type: string
  17361. required:
  17362. - name
  17363. - type
  17364. type: object
  17365. url:
  17366. description: URL is the endpoint of the Conjur instance.
  17367. type: string
  17368. required:
  17369. - auth
  17370. - url
  17371. type: object
  17372. delinea:
  17373. description: |-
  17374. Delinea DevOps Secrets Vault
  17375. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  17376. properties:
  17377. clientId:
  17378. description: ClientID is the non-secret part of the credential.
  17379. properties:
  17380. secretRef:
  17381. description: SecretRef references a key in a secret that will be used as value.
  17382. properties:
  17383. key:
  17384. description: |-
  17385. A key in the referenced Secret.
  17386. Some instances of this field may be defaulted, in others it may be required.
  17387. maxLength: 253
  17388. minLength: 1
  17389. pattern: ^[-._a-zA-Z0-9]+$
  17390. type: string
  17391. name:
  17392. description: The name of the Secret resource being referred to.
  17393. maxLength: 253
  17394. minLength: 1
  17395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17396. type: string
  17397. namespace:
  17398. description: |-
  17399. The namespace of the Secret resource being referred to.
  17400. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17401. maxLength: 63
  17402. minLength: 1
  17403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17404. type: string
  17405. type: object
  17406. value:
  17407. description: Value can be specified directly to set a value without using a secret.
  17408. type: string
  17409. type: object
  17410. clientSecret:
  17411. description: ClientSecret is the secret part of the credential.
  17412. properties:
  17413. secretRef:
  17414. description: SecretRef references a key in a secret that will be used as value.
  17415. properties:
  17416. key:
  17417. description: |-
  17418. A key in the referenced Secret.
  17419. Some instances of this field may be defaulted, in others it may be required.
  17420. maxLength: 253
  17421. minLength: 1
  17422. pattern: ^[-._a-zA-Z0-9]+$
  17423. type: string
  17424. name:
  17425. description: The name of the Secret resource being referred to.
  17426. maxLength: 253
  17427. minLength: 1
  17428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17429. type: string
  17430. namespace:
  17431. description: |-
  17432. The namespace of the Secret resource being referred to.
  17433. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17434. maxLength: 63
  17435. minLength: 1
  17436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17437. type: string
  17438. type: object
  17439. value:
  17440. description: Value can be specified directly to set a value without using a secret.
  17441. type: string
  17442. type: object
  17443. tenant:
  17444. description: Tenant is the chosen hostname / site name.
  17445. type: string
  17446. tld:
  17447. description: |-
  17448. TLD is based on the server location that was chosen during provisioning.
  17449. If unset, defaults to "com".
  17450. type: string
  17451. urlTemplate:
  17452. description: |-
  17453. URLTemplate
  17454. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  17455. type: string
  17456. required:
  17457. - clientId
  17458. - clientSecret
  17459. - tenant
  17460. type: object
  17461. device42:
  17462. description: Device42 configures this store to sync secrets using the Device42 provider
  17463. properties:
  17464. auth:
  17465. description: Auth configures how secret-manager authenticates with a Device42 instance.
  17466. properties:
  17467. secretRef:
  17468. properties:
  17469. credentials:
  17470. description: Username / Password is used for authentication.
  17471. properties:
  17472. key:
  17473. description: |-
  17474. A key in the referenced Secret.
  17475. Some instances of this field may be defaulted, in others it may be required.
  17476. maxLength: 253
  17477. minLength: 1
  17478. pattern: ^[-._a-zA-Z0-9]+$
  17479. type: string
  17480. name:
  17481. description: The name of the Secret resource being referred to.
  17482. maxLength: 253
  17483. minLength: 1
  17484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17485. type: string
  17486. namespace:
  17487. description: |-
  17488. The namespace of the Secret resource being referred to.
  17489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17490. maxLength: 63
  17491. minLength: 1
  17492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17493. type: string
  17494. type: object
  17495. type: object
  17496. required:
  17497. - secretRef
  17498. type: object
  17499. host:
  17500. description: URL configures the Device42 instance URL.
  17501. type: string
  17502. required:
  17503. - auth
  17504. - host
  17505. type: object
  17506. doppler:
  17507. description: Doppler configures this store to sync secrets using the Doppler provider
  17508. properties:
  17509. auth:
  17510. description: Auth configures how the Operator authenticates with the Doppler API
  17511. properties:
  17512. secretRef:
  17513. properties:
  17514. dopplerToken:
  17515. description: |-
  17516. The DopplerToken is used for authentication.
  17517. See https://docs.doppler.com/reference/api#authentication for auth token types.
  17518. The Key attribute defaults to dopplerToken if not specified.
  17519. properties:
  17520. key:
  17521. description: |-
  17522. A key in the referenced Secret.
  17523. Some instances of this field may be defaulted, in others it may be required.
  17524. maxLength: 253
  17525. minLength: 1
  17526. pattern: ^[-._a-zA-Z0-9]+$
  17527. type: string
  17528. name:
  17529. description: The name of the Secret resource being referred to.
  17530. maxLength: 253
  17531. minLength: 1
  17532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17533. type: string
  17534. namespace:
  17535. description: |-
  17536. The namespace of the Secret resource being referred to.
  17537. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17538. maxLength: 63
  17539. minLength: 1
  17540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17541. type: string
  17542. type: object
  17543. required:
  17544. - dopplerToken
  17545. type: object
  17546. required:
  17547. - secretRef
  17548. type: object
  17549. config:
  17550. description: Doppler config (required if not using a Service Token)
  17551. type: string
  17552. format:
  17553. description: Format enables the downloading of secrets as a file (string)
  17554. enum:
  17555. - json
  17556. - dotnet-json
  17557. - env
  17558. - yaml
  17559. - docker
  17560. type: string
  17561. nameTransformer:
  17562. description: Environment variable compatible name transforms that change secret names to a different format
  17563. enum:
  17564. - upper-camel
  17565. - camel
  17566. - lower-snake
  17567. - tf-var
  17568. - dotnet-env
  17569. - lower-kebab
  17570. type: string
  17571. project:
  17572. description: Doppler project (required if not using a Service Token)
  17573. type: string
  17574. required:
  17575. - auth
  17576. type: object
  17577. fake:
  17578. description: Fake configures a store with static key/value pairs
  17579. properties:
  17580. data:
  17581. items:
  17582. properties:
  17583. key:
  17584. type: string
  17585. value:
  17586. type: string
  17587. version:
  17588. type: string
  17589. required:
  17590. - key
  17591. - value
  17592. type: object
  17593. type: array
  17594. required:
  17595. - data
  17596. type: object
  17597. fortanix:
  17598. description: Fortanix configures this store to sync secrets using the Fortanix provider
  17599. properties:
  17600. apiKey:
  17601. description: APIKey is the API token to access SDKMS Applications.
  17602. properties:
  17603. secretRef:
  17604. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  17605. properties:
  17606. key:
  17607. description: |-
  17608. A key in the referenced Secret.
  17609. Some instances of this field may be defaulted, in others it may be required.
  17610. maxLength: 253
  17611. minLength: 1
  17612. pattern: ^[-._a-zA-Z0-9]+$
  17613. type: string
  17614. name:
  17615. description: The name of the Secret resource being referred to.
  17616. maxLength: 253
  17617. minLength: 1
  17618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17619. type: string
  17620. namespace:
  17621. description: |-
  17622. The namespace of the Secret resource being referred to.
  17623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17624. maxLength: 63
  17625. minLength: 1
  17626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17627. type: string
  17628. type: object
  17629. type: object
  17630. apiUrl:
  17631. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  17632. type: string
  17633. type: object
  17634. gcpsm:
  17635. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  17636. properties:
  17637. auth:
  17638. description: Auth defines the information necessary to authenticate against GCP
  17639. properties:
  17640. secretRef:
  17641. properties:
  17642. secretAccessKeySecretRef:
  17643. description: The SecretAccessKey is used for authentication
  17644. properties:
  17645. key:
  17646. description: |-
  17647. A key in the referenced Secret.
  17648. Some instances of this field may be defaulted, in others it may be required.
  17649. maxLength: 253
  17650. minLength: 1
  17651. pattern: ^[-._a-zA-Z0-9]+$
  17652. type: string
  17653. name:
  17654. description: The name of the Secret resource being referred to.
  17655. maxLength: 253
  17656. minLength: 1
  17657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17658. type: string
  17659. namespace:
  17660. description: |-
  17661. The namespace of the Secret resource being referred to.
  17662. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17663. maxLength: 63
  17664. minLength: 1
  17665. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17666. type: string
  17667. type: object
  17668. type: object
  17669. workloadIdentity:
  17670. properties:
  17671. clusterLocation:
  17672. description: |-
  17673. ClusterLocation is the location of the cluster
  17674. If not specified, it fetches information from the metadata server
  17675. type: string
  17676. clusterName:
  17677. description: |-
  17678. ClusterName is the name of the cluster
  17679. If not specified, it fetches information from the metadata server
  17680. type: string
  17681. clusterProjectID:
  17682. description: |-
  17683. ClusterProjectID is the project ID of the cluster
  17684. If not specified, it fetches information from the metadata server
  17685. type: string
  17686. serviceAccountRef:
  17687. description: A reference to a ServiceAccount resource.
  17688. properties:
  17689. audiences:
  17690. description: |-
  17691. Audience specifies the `aud` claim for the service account token
  17692. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17693. then this audiences will be appended to the list
  17694. items:
  17695. type: string
  17696. type: array
  17697. name:
  17698. description: The name of the ServiceAccount resource being referred to.
  17699. maxLength: 253
  17700. minLength: 1
  17701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17702. type: string
  17703. namespace:
  17704. description: |-
  17705. Namespace of the resource being referred to.
  17706. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17707. maxLength: 63
  17708. minLength: 1
  17709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17710. type: string
  17711. required:
  17712. - name
  17713. type: object
  17714. required:
  17715. - serviceAccountRef
  17716. type: object
  17717. type: object
  17718. location:
  17719. description: Location optionally defines a location for a secret
  17720. type: string
  17721. projectID:
  17722. description: ProjectID project where secret is located
  17723. type: string
  17724. type: object
  17725. github:
  17726. description: Github configures this store to push Github Action secrets using Github API provider
  17727. properties:
  17728. appID:
  17729. description: appID specifies the Github APP that will be used to authenticate the client
  17730. format: int64
  17731. type: integer
  17732. auth:
  17733. description: auth configures how secret-manager authenticates with a Github instance.
  17734. properties:
  17735. privateKey:
  17736. description: |-
  17737. A reference to a specific 'key' within a Secret resource.
  17738. In some instances, `key` is a required field.
  17739. properties:
  17740. key:
  17741. description: |-
  17742. A key in the referenced Secret.
  17743. Some instances of this field may be defaulted, in others it may be required.
  17744. maxLength: 253
  17745. minLength: 1
  17746. pattern: ^[-._a-zA-Z0-9]+$
  17747. type: string
  17748. name:
  17749. description: The name of the Secret resource being referred to.
  17750. maxLength: 253
  17751. minLength: 1
  17752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17753. type: string
  17754. namespace:
  17755. description: |-
  17756. The namespace of the Secret resource being referred to.
  17757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17758. maxLength: 63
  17759. minLength: 1
  17760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17761. type: string
  17762. type: object
  17763. required:
  17764. - privateKey
  17765. type: object
  17766. environment:
  17767. description: environment will be used to fetch secrets from a particular environment within a github repository
  17768. type: string
  17769. installationID:
  17770. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17771. format: int64
  17772. type: integer
  17773. organization:
  17774. description: organization will be used to fetch secrets from the Github organization
  17775. type: string
  17776. repository:
  17777. description: repository will be used to fetch secrets from the Github repository within an organization
  17778. type: string
  17779. uploadURL:
  17780. description: Upload URL for enterprise instances. Default to URL.
  17781. type: string
  17782. url:
  17783. default: https://github.com/
  17784. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17785. type: string
  17786. required:
  17787. - appID
  17788. - auth
  17789. - installationID
  17790. - organization
  17791. type: object
  17792. gitlab:
  17793. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17794. properties:
  17795. auth:
  17796. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17797. properties:
  17798. SecretRef:
  17799. properties:
  17800. accessToken:
  17801. description: AccessToken is used for authentication.
  17802. properties:
  17803. key:
  17804. description: |-
  17805. A key in the referenced Secret.
  17806. Some instances of this field may be defaulted, in others it may be required.
  17807. maxLength: 253
  17808. minLength: 1
  17809. pattern: ^[-._a-zA-Z0-9]+$
  17810. type: string
  17811. name:
  17812. description: The name of the Secret resource being referred to.
  17813. maxLength: 253
  17814. minLength: 1
  17815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17816. type: string
  17817. namespace:
  17818. description: |-
  17819. The namespace of the Secret resource being referred to.
  17820. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17821. maxLength: 63
  17822. minLength: 1
  17823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17824. type: string
  17825. type: object
  17826. type: object
  17827. required:
  17828. - SecretRef
  17829. type: object
  17830. environment:
  17831. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  17832. type: string
  17833. groupIDs:
  17834. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  17835. items:
  17836. type: string
  17837. type: array
  17838. inheritFromGroups:
  17839. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17840. type: boolean
  17841. projectID:
  17842. description: ProjectID specifies a project where secrets are located.
  17843. type: string
  17844. url:
  17845. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17846. type: string
  17847. required:
  17848. - auth
  17849. type: object
  17850. ibm:
  17851. description: IBM configures this store to sync secrets using IBM Cloud provider
  17852. properties:
  17853. auth:
  17854. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17855. maxProperties: 1
  17856. minProperties: 1
  17857. properties:
  17858. containerAuth:
  17859. description: IBM Container-based auth with IAM Trusted Profile.
  17860. properties:
  17861. iamEndpoint:
  17862. type: string
  17863. profile:
  17864. description: the IBM Trusted Profile
  17865. type: string
  17866. tokenLocation:
  17867. description: Location the token is mounted on the pod
  17868. type: string
  17869. required:
  17870. - profile
  17871. type: object
  17872. secretRef:
  17873. properties:
  17874. secretApiKeySecretRef:
  17875. description: The SecretAccessKey is used for authentication
  17876. properties:
  17877. key:
  17878. description: |-
  17879. A key in the referenced Secret.
  17880. Some instances of this field may be defaulted, in others it may be required.
  17881. maxLength: 253
  17882. minLength: 1
  17883. pattern: ^[-._a-zA-Z0-9]+$
  17884. type: string
  17885. name:
  17886. description: The name of the Secret resource being referred to.
  17887. maxLength: 253
  17888. minLength: 1
  17889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17890. type: string
  17891. namespace:
  17892. description: |-
  17893. The namespace of the Secret resource being referred to.
  17894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17895. maxLength: 63
  17896. minLength: 1
  17897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17898. type: string
  17899. type: object
  17900. type: object
  17901. type: object
  17902. serviceUrl:
  17903. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17904. type: string
  17905. required:
  17906. - auth
  17907. type: object
  17908. infisical:
  17909. description: Infisical configures this store to sync secrets using the Infisical provider
  17910. properties:
  17911. auth:
  17912. description: Auth configures how the Operator authenticates with the Infisical API
  17913. properties:
  17914. universalAuthCredentials:
  17915. properties:
  17916. clientId:
  17917. description: |-
  17918. A reference to a specific 'key' within a Secret resource.
  17919. In some instances, `key` is a required field.
  17920. properties:
  17921. key:
  17922. description: |-
  17923. A key in the referenced Secret.
  17924. Some instances of this field may be defaulted, in others it may be required.
  17925. maxLength: 253
  17926. minLength: 1
  17927. pattern: ^[-._a-zA-Z0-9]+$
  17928. type: string
  17929. name:
  17930. description: The name of the Secret resource being referred to.
  17931. maxLength: 253
  17932. minLength: 1
  17933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17934. type: string
  17935. namespace:
  17936. description: |-
  17937. The namespace of the Secret resource being referred to.
  17938. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17939. maxLength: 63
  17940. minLength: 1
  17941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17942. type: string
  17943. type: object
  17944. clientSecret:
  17945. description: |-
  17946. A reference to a specific 'key' within a Secret resource.
  17947. In some instances, `key` is a required field.
  17948. properties:
  17949. key:
  17950. description: |-
  17951. A key in the referenced Secret.
  17952. Some instances of this field may be defaulted, in others it may be required.
  17953. maxLength: 253
  17954. minLength: 1
  17955. pattern: ^[-._a-zA-Z0-9]+$
  17956. type: string
  17957. name:
  17958. description: The name of the Secret resource being referred to.
  17959. maxLength: 253
  17960. minLength: 1
  17961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17962. type: string
  17963. namespace:
  17964. description: |-
  17965. The namespace of the Secret resource being referred to.
  17966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17967. maxLength: 63
  17968. minLength: 1
  17969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17970. type: string
  17971. type: object
  17972. required:
  17973. - clientId
  17974. - clientSecret
  17975. type: object
  17976. type: object
  17977. hostAPI:
  17978. default: https://app.infisical.com/api
  17979. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  17980. type: string
  17981. secretsScope:
  17982. description: SecretsScope defines the scope of the secrets within the workspace
  17983. properties:
  17984. environmentSlug:
  17985. description: EnvironmentSlug is the required slug identifier for the environment.
  17986. type: string
  17987. expandSecretReferences:
  17988. default: true
  17989. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  17990. type: boolean
  17991. projectSlug:
  17992. description: ProjectSlug is the required slug identifier for the project.
  17993. type: string
  17994. recursive:
  17995. default: false
  17996. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  17997. type: boolean
  17998. secretsPath:
  17999. default: /
  18000. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18001. type: string
  18002. required:
  18003. - environmentSlug
  18004. - projectSlug
  18005. type: object
  18006. required:
  18007. - auth
  18008. - secretsScope
  18009. type: object
  18010. keepersecurity:
  18011. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18012. properties:
  18013. authRef:
  18014. description: |-
  18015. A reference to a specific 'key' within a Secret resource.
  18016. In some instances, `key` is a required field.
  18017. properties:
  18018. key:
  18019. description: |-
  18020. A key in the referenced Secret.
  18021. Some instances of this field may be defaulted, in others it may be required.
  18022. maxLength: 253
  18023. minLength: 1
  18024. pattern: ^[-._a-zA-Z0-9]+$
  18025. type: string
  18026. name:
  18027. description: The name of the Secret resource being referred to.
  18028. maxLength: 253
  18029. minLength: 1
  18030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18031. type: string
  18032. namespace:
  18033. description: |-
  18034. The namespace of the Secret resource being referred to.
  18035. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18036. maxLength: 63
  18037. minLength: 1
  18038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18039. type: string
  18040. type: object
  18041. folderID:
  18042. type: string
  18043. required:
  18044. - authRef
  18045. - folderID
  18046. type: object
  18047. kubernetes:
  18048. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18049. properties:
  18050. auth:
  18051. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18052. maxProperties: 1
  18053. minProperties: 1
  18054. properties:
  18055. cert:
  18056. description: has both clientCert and clientKey as secretKeySelector
  18057. properties:
  18058. clientCert:
  18059. description: |-
  18060. A reference to a specific 'key' within a Secret resource.
  18061. In some instances, `key` is a required field.
  18062. properties:
  18063. key:
  18064. description: |-
  18065. A key in the referenced Secret.
  18066. Some instances of this field may be defaulted, in others it may be required.
  18067. maxLength: 253
  18068. minLength: 1
  18069. pattern: ^[-._a-zA-Z0-9]+$
  18070. type: string
  18071. name:
  18072. description: The name of the Secret resource being referred to.
  18073. maxLength: 253
  18074. minLength: 1
  18075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18076. type: string
  18077. namespace:
  18078. description: |-
  18079. The namespace of the Secret resource being referred to.
  18080. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18081. maxLength: 63
  18082. minLength: 1
  18083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18084. type: string
  18085. type: object
  18086. clientKey:
  18087. description: |-
  18088. A reference to a specific 'key' within a Secret resource.
  18089. In some instances, `key` is a required field.
  18090. properties:
  18091. key:
  18092. description: |-
  18093. A key in the referenced Secret.
  18094. Some instances of this field may be defaulted, in others it may be required.
  18095. maxLength: 253
  18096. minLength: 1
  18097. pattern: ^[-._a-zA-Z0-9]+$
  18098. type: string
  18099. name:
  18100. description: The name of the Secret resource being referred to.
  18101. maxLength: 253
  18102. minLength: 1
  18103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18104. type: string
  18105. namespace:
  18106. description: |-
  18107. The namespace of the Secret resource being referred to.
  18108. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18109. maxLength: 63
  18110. minLength: 1
  18111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18112. type: string
  18113. type: object
  18114. type: object
  18115. serviceAccount:
  18116. description: points to a service account that should be used for authentication
  18117. properties:
  18118. audiences:
  18119. description: |-
  18120. Audience specifies the `aud` claim for the service account token
  18121. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18122. then this audiences will be appended to the list
  18123. items:
  18124. type: string
  18125. type: array
  18126. name:
  18127. description: The name of the ServiceAccount resource being referred to.
  18128. maxLength: 253
  18129. minLength: 1
  18130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18131. type: string
  18132. namespace:
  18133. description: |-
  18134. Namespace of the resource being referred to.
  18135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18136. maxLength: 63
  18137. minLength: 1
  18138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18139. type: string
  18140. required:
  18141. - name
  18142. type: object
  18143. token:
  18144. description: use static token to authenticate with
  18145. properties:
  18146. bearerToken:
  18147. description: |-
  18148. A reference to a specific 'key' within a Secret resource.
  18149. In some instances, `key` is a required field.
  18150. properties:
  18151. key:
  18152. description: |-
  18153. A key in the referenced Secret.
  18154. Some instances of this field may be defaulted, in others it may be required.
  18155. maxLength: 253
  18156. minLength: 1
  18157. pattern: ^[-._a-zA-Z0-9]+$
  18158. type: string
  18159. name:
  18160. description: The name of the Secret resource being referred to.
  18161. maxLength: 253
  18162. minLength: 1
  18163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18164. type: string
  18165. namespace:
  18166. description: |-
  18167. The namespace of the Secret resource being referred to.
  18168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18169. maxLength: 63
  18170. minLength: 1
  18171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18172. type: string
  18173. type: object
  18174. type: object
  18175. type: object
  18176. authRef:
  18177. description: A reference to a secret that contains the auth information.
  18178. properties:
  18179. key:
  18180. description: |-
  18181. A key in the referenced Secret.
  18182. Some instances of this field may be defaulted, in others it may be required.
  18183. maxLength: 253
  18184. minLength: 1
  18185. pattern: ^[-._a-zA-Z0-9]+$
  18186. type: string
  18187. name:
  18188. description: The name of the Secret resource being referred to.
  18189. maxLength: 253
  18190. minLength: 1
  18191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18192. type: string
  18193. namespace:
  18194. description: |-
  18195. The namespace of the Secret resource being referred to.
  18196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18197. maxLength: 63
  18198. minLength: 1
  18199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18200. type: string
  18201. type: object
  18202. remoteNamespace:
  18203. default: default
  18204. description: Remote namespace to fetch the secrets from
  18205. maxLength: 63
  18206. minLength: 1
  18207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18208. type: string
  18209. server:
  18210. description: configures the Kubernetes server Address.
  18211. properties:
  18212. caBundle:
  18213. description: CABundle is a base64-encoded CA certificate
  18214. format: byte
  18215. type: string
  18216. caProvider:
  18217. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18218. properties:
  18219. key:
  18220. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18221. maxLength: 253
  18222. minLength: 1
  18223. pattern: ^[-._a-zA-Z0-9]+$
  18224. type: string
  18225. name:
  18226. description: The name of the object located at the provider type.
  18227. maxLength: 253
  18228. minLength: 1
  18229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18230. type: string
  18231. namespace:
  18232. description: |-
  18233. The namespace the Provider type is in.
  18234. Can only be defined when used in a ClusterSecretStore.
  18235. maxLength: 63
  18236. minLength: 1
  18237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18238. type: string
  18239. type:
  18240. description: The type of provider to use such as "Secret", or "ConfigMap".
  18241. enum:
  18242. - Secret
  18243. - ConfigMap
  18244. type: string
  18245. required:
  18246. - name
  18247. - type
  18248. type: object
  18249. url:
  18250. default: kubernetes.default
  18251. description: configures the Kubernetes server Address.
  18252. type: string
  18253. type: object
  18254. type: object
  18255. onboardbase:
  18256. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18257. properties:
  18258. apiHost:
  18259. default: https://public.onboardbase.com/api/v1/
  18260. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18261. type: string
  18262. auth:
  18263. description: Auth configures how the Operator authenticates with the Onboardbase API
  18264. properties:
  18265. apiKeyRef:
  18266. description: |-
  18267. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18268. It is used to recognize and authorize access to a project and environment within onboardbase
  18269. properties:
  18270. key:
  18271. description: |-
  18272. A key in the referenced Secret.
  18273. Some instances of this field may be defaulted, in others it may be required.
  18274. maxLength: 253
  18275. minLength: 1
  18276. pattern: ^[-._a-zA-Z0-9]+$
  18277. type: string
  18278. name:
  18279. description: The name of the Secret resource being referred to.
  18280. maxLength: 253
  18281. minLength: 1
  18282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18283. type: string
  18284. namespace:
  18285. description: |-
  18286. The namespace of the Secret resource being referred to.
  18287. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18288. maxLength: 63
  18289. minLength: 1
  18290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18291. type: string
  18292. type: object
  18293. passcodeRef:
  18294. description: OnboardbasePasscode is the passcode attached to the API Key
  18295. properties:
  18296. key:
  18297. description: |-
  18298. A key in the referenced Secret.
  18299. Some instances of this field may be defaulted, in others it may be required.
  18300. maxLength: 253
  18301. minLength: 1
  18302. pattern: ^[-._a-zA-Z0-9]+$
  18303. type: string
  18304. name:
  18305. description: The name of the Secret resource being referred to.
  18306. maxLength: 253
  18307. minLength: 1
  18308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18309. type: string
  18310. namespace:
  18311. description: |-
  18312. The namespace of the Secret resource being referred to.
  18313. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18314. maxLength: 63
  18315. minLength: 1
  18316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18317. type: string
  18318. type: object
  18319. required:
  18320. - apiKeyRef
  18321. - passcodeRef
  18322. type: object
  18323. environment:
  18324. default: development
  18325. description: Environment is the name of an environmnent within a project to pull the secrets from
  18326. type: string
  18327. project:
  18328. default: development
  18329. description: Project is an onboardbase project that the secrets should be pulled from
  18330. type: string
  18331. required:
  18332. - apiHost
  18333. - auth
  18334. - environment
  18335. - project
  18336. type: object
  18337. onepassword:
  18338. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18339. properties:
  18340. auth:
  18341. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18342. properties:
  18343. secretRef:
  18344. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18345. properties:
  18346. connectTokenSecretRef:
  18347. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18348. properties:
  18349. key:
  18350. description: |-
  18351. A key in the referenced Secret.
  18352. Some instances of this field may be defaulted, in others it may be required.
  18353. maxLength: 253
  18354. minLength: 1
  18355. pattern: ^[-._a-zA-Z0-9]+$
  18356. type: string
  18357. name:
  18358. description: The name of the Secret resource being referred to.
  18359. maxLength: 253
  18360. minLength: 1
  18361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18362. type: string
  18363. namespace:
  18364. description: |-
  18365. The namespace of the Secret resource being referred to.
  18366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18367. maxLength: 63
  18368. minLength: 1
  18369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18370. type: string
  18371. type: object
  18372. required:
  18373. - connectTokenSecretRef
  18374. type: object
  18375. required:
  18376. - secretRef
  18377. type: object
  18378. connectHost:
  18379. description: ConnectHost defines the OnePassword Connect Server to connect to
  18380. type: string
  18381. vaults:
  18382. additionalProperties:
  18383. type: integer
  18384. description: Vaults defines which OnePassword vaults to search in which order
  18385. type: object
  18386. required:
  18387. - auth
  18388. - connectHost
  18389. - vaults
  18390. type: object
  18391. oracle:
  18392. description: Oracle configures this store to sync secrets using Oracle Vault provider
  18393. properties:
  18394. auth:
  18395. description: |-
  18396. Auth configures how secret-manager authenticates with the Oracle Vault.
  18397. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  18398. properties:
  18399. secretRef:
  18400. description: SecretRef to pass through sensitive information.
  18401. properties:
  18402. fingerprint:
  18403. description: Fingerprint is the fingerprint of the API private key.
  18404. properties:
  18405. key:
  18406. description: |-
  18407. A key in the referenced Secret.
  18408. Some instances of this field may be defaulted, in others it may be required.
  18409. maxLength: 253
  18410. minLength: 1
  18411. pattern: ^[-._a-zA-Z0-9]+$
  18412. type: string
  18413. name:
  18414. description: The name of the Secret resource being referred to.
  18415. maxLength: 253
  18416. minLength: 1
  18417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18418. type: string
  18419. namespace:
  18420. description: |-
  18421. The namespace of the Secret resource being referred to.
  18422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18423. maxLength: 63
  18424. minLength: 1
  18425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18426. type: string
  18427. type: object
  18428. privatekey:
  18429. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  18430. properties:
  18431. key:
  18432. description: |-
  18433. A key in the referenced Secret.
  18434. Some instances of this field may be defaulted, in others it may be required.
  18435. maxLength: 253
  18436. minLength: 1
  18437. pattern: ^[-._a-zA-Z0-9]+$
  18438. type: string
  18439. name:
  18440. description: The name of the Secret resource being referred to.
  18441. maxLength: 253
  18442. minLength: 1
  18443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18444. type: string
  18445. namespace:
  18446. description: |-
  18447. The namespace of the Secret resource being referred to.
  18448. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18449. maxLength: 63
  18450. minLength: 1
  18451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18452. type: string
  18453. type: object
  18454. required:
  18455. - fingerprint
  18456. - privatekey
  18457. type: object
  18458. tenancy:
  18459. description: Tenancy is the tenancy OCID where user is located.
  18460. type: string
  18461. user:
  18462. description: User is an access OCID specific to the account.
  18463. type: string
  18464. required:
  18465. - secretRef
  18466. - tenancy
  18467. - user
  18468. type: object
  18469. compartment:
  18470. description: |-
  18471. Compartment is the vault compartment OCID.
  18472. Required for PushSecret
  18473. type: string
  18474. encryptionKey:
  18475. description: |-
  18476. EncryptionKey is the OCID of the encryption key within the vault.
  18477. Required for PushSecret
  18478. type: string
  18479. principalType:
  18480. description: |-
  18481. The type of principal to use for authentication. If left blank, the Auth struct will
  18482. determine the principal type. This optional field must be specified if using
  18483. workload identity.
  18484. enum:
  18485. - ""
  18486. - UserPrincipal
  18487. - InstancePrincipal
  18488. - Workload
  18489. type: string
  18490. region:
  18491. description: Region is the region where vault is located.
  18492. type: string
  18493. serviceAccountRef:
  18494. description: |-
  18495. ServiceAccountRef specified the service account
  18496. that should be used when authenticating with WorkloadIdentity.
  18497. properties:
  18498. audiences:
  18499. description: |-
  18500. Audience specifies the `aud` claim for the service account token
  18501. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18502. then this audiences will be appended to the list
  18503. items:
  18504. type: string
  18505. type: array
  18506. name:
  18507. description: The name of the ServiceAccount resource being referred to.
  18508. maxLength: 253
  18509. minLength: 1
  18510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18511. type: string
  18512. namespace:
  18513. description: |-
  18514. Namespace of the resource being referred to.
  18515. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18516. maxLength: 63
  18517. minLength: 1
  18518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18519. type: string
  18520. required:
  18521. - name
  18522. type: object
  18523. vault:
  18524. description: Vault is the vault's OCID of the specific vault where secret is located.
  18525. type: string
  18526. required:
  18527. - region
  18528. - vault
  18529. type: object
  18530. passbolt:
  18531. properties:
  18532. auth:
  18533. description: Auth defines the information necessary to authenticate against Passbolt Server
  18534. properties:
  18535. passwordSecretRef:
  18536. description: |-
  18537. A reference to a specific 'key' within a Secret resource.
  18538. In some instances, `key` is a required field.
  18539. properties:
  18540. key:
  18541. description: |-
  18542. A key in the referenced Secret.
  18543. Some instances of this field may be defaulted, in others it may be required.
  18544. maxLength: 253
  18545. minLength: 1
  18546. pattern: ^[-._a-zA-Z0-9]+$
  18547. type: string
  18548. name:
  18549. description: The name of the Secret resource being referred to.
  18550. maxLength: 253
  18551. minLength: 1
  18552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18553. type: string
  18554. namespace:
  18555. description: |-
  18556. The namespace of the Secret resource being referred to.
  18557. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18558. maxLength: 63
  18559. minLength: 1
  18560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18561. type: string
  18562. type: object
  18563. privateKeySecretRef:
  18564. description: |-
  18565. A reference to a specific 'key' within a Secret resource.
  18566. In some instances, `key` is a required field.
  18567. properties:
  18568. key:
  18569. description: |-
  18570. A key in the referenced Secret.
  18571. Some instances of this field may be defaulted, in others it may be required.
  18572. maxLength: 253
  18573. minLength: 1
  18574. pattern: ^[-._a-zA-Z0-9]+$
  18575. type: string
  18576. name:
  18577. description: The name of the Secret resource being referred to.
  18578. maxLength: 253
  18579. minLength: 1
  18580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18581. type: string
  18582. namespace:
  18583. description: |-
  18584. The namespace of the Secret resource being referred to.
  18585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18586. maxLength: 63
  18587. minLength: 1
  18588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18589. type: string
  18590. type: object
  18591. required:
  18592. - passwordSecretRef
  18593. - privateKeySecretRef
  18594. type: object
  18595. host:
  18596. description: Host defines the Passbolt Server to connect to
  18597. type: string
  18598. required:
  18599. - auth
  18600. - host
  18601. type: object
  18602. passworddepot:
  18603. description: Configures a store to sync secrets with a Password Depot instance.
  18604. properties:
  18605. auth:
  18606. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  18607. properties:
  18608. secretRef:
  18609. properties:
  18610. credentials:
  18611. description: Username / Password is used for authentication.
  18612. properties:
  18613. key:
  18614. description: |-
  18615. A key in the referenced Secret.
  18616. Some instances of this field may be defaulted, in others it may be required.
  18617. maxLength: 253
  18618. minLength: 1
  18619. pattern: ^[-._a-zA-Z0-9]+$
  18620. type: string
  18621. name:
  18622. description: The name of the Secret resource being referred to.
  18623. maxLength: 253
  18624. minLength: 1
  18625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18626. type: string
  18627. namespace:
  18628. description: |-
  18629. The namespace of the Secret resource being referred to.
  18630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18631. maxLength: 63
  18632. minLength: 1
  18633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18634. type: string
  18635. type: object
  18636. type: object
  18637. required:
  18638. - secretRef
  18639. type: object
  18640. database:
  18641. description: Database to use as source
  18642. type: string
  18643. host:
  18644. description: URL configures the Password Depot instance URL.
  18645. type: string
  18646. required:
  18647. - auth
  18648. - database
  18649. - host
  18650. type: object
  18651. previder:
  18652. description: Previder configures this store to sync secrets using the Previder provider
  18653. properties:
  18654. auth:
  18655. description: PreviderAuth contains a secretRef for credentials.
  18656. properties:
  18657. secretRef:
  18658. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  18659. properties:
  18660. accessToken:
  18661. description: The AccessToken is used for authentication
  18662. properties:
  18663. key:
  18664. description: |-
  18665. A key in the referenced Secret.
  18666. Some instances of this field may be defaulted, in others it may be required.
  18667. maxLength: 253
  18668. minLength: 1
  18669. pattern: ^[-._a-zA-Z0-9]+$
  18670. type: string
  18671. name:
  18672. description: The name of the Secret resource being referred to.
  18673. maxLength: 253
  18674. minLength: 1
  18675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18676. type: string
  18677. namespace:
  18678. description: |-
  18679. The namespace of the Secret resource being referred to.
  18680. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18681. maxLength: 63
  18682. minLength: 1
  18683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18684. type: string
  18685. type: object
  18686. required:
  18687. - accessToken
  18688. type: object
  18689. type: object
  18690. baseUri:
  18691. type: string
  18692. required:
  18693. - auth
  18694. type: object
  18695. pulumi:
  18696. description: Pulumi configures this store to sync secrets using the Pulumi provider
  18697. properties:
  18698. accessToken:
  18699. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  18700. properties:
  18701. secretRef:
  18702. description: SecretRef is a reference to a secret containing the Pulumi API token.
  18703. properties:
  18704. key:
  18705. description: |-
  18706. A key in the referenced Secret.
  18707. Some instances of this field may be defaulted, in others it may be required.
  18708. maxLength: 253
  18709. minLength: 1
  18710. pattern: ^[-._a-zA-Z0-9]+$
  18711. type: string
  18712. name:
  18713. description: The name of the Secret resource being referred to.
  18714. maxLength: 253
  18715. minLength: 1
  18716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18717. type: string
  18718. namespace:
  18719. description: |-
  18720. The namespace of the Secret resource being referred to.
  18721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18722. maxLength: 63
  18723. minLength: 1
  18724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18725. type: string
  18726. type: object
  18727. type: object
  18728. apiUrl:
  18729. default: https://api.pulumi.com/api/esc
  18730. description: APIURL is the URL of the Pulumi API.
  18731. type: string
  18732. environment:
  18733. description: |-
  18734. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  18735. dynamically retrieved values from supported providers including all major clouds,
  18736. and other Pulumi ESC environments.
  18737. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  18738. type: string
  18739. organization:
  18740. description: |-
  18741. Organization are a space to collaborate on shared projects and stacks.
  18742. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  18743. type: string
  18744. project:
  18745. description: Project is the name of the Pulumi ESC project the environment belongs to.
  18746. type: string
  18747. required:
  18748. - accessToken
  18749. - environment
  18750. - organization
  18751. - project
  18752. type: object
  18753. scaleway:
  18754. description: Scaleway
  18755. properties:
  18756. accessKey:
  18757. description: AccessKey is the non-secret part of the api key.
  18758. properties:
  18759. secretRef:
  18760. description: SecretRef references a key in a secret that will be used as value.
  18761. properties:
  18762. key:
  18763. description: |-
  18764. A key in the referenced Secret.
  18765. Some instances of this field may be defaulted, in others it may be required.
  18766. maxLength: 253
  18767. minLength: 1
  18768. pattern: ^[-._a-zA-Z0-9]+$
  18769. type: string
  18770. name:
  18771. description: The name of the Secret resource being referred to.
  18772. maxLength: 253
  18773. minLength: 1
  18774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18775. type: string
  18776. namespace:
  18777. description: |-
  18778. The namespace of the Secret resource being referred to.
  18779. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18780. maxLength: 63
  18781. minLength: 1
  18782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18783. type: string
  18784. type: object
  18785. value:
  18786. description: Value can be specified directly to set a value without using a secret.
  18787. type: string
  18788. type: object
  18789. apiUrl:
  18790. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  18791. type: string
  18792. projectId:
  18793. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  18794. type: string
  18795. region:
  18796. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  18797. type: string
  18798. secretKey:
  18799. description: SecretKey is the non-secret part of the api key.
  18800. properties:
  18801. secretRef:
  18802. description: SecretRef references a key in a secret that will be used as value.
  18803. properties:
  18804. key:
  18805. description: |-
  18806. A key in the referenced Secret.
  18807. Some instances of this field may be defaulted, in others it may be required.
  18808. maxLength: 253
  18809. minLength: 1
  18810. pattern: ^[-._a-zA-Z0-9]+$
  18811. type: string
  18812. name:
  18813. description: The name of the Secret resource being referred to.
  18814. maxLength: 253
  18815. minLength: 1
  18816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18817. type: string
  18818. namespace:
  18819. description: |-
  18820. The namespace of the Secret resource being referred to.
  18821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18822. maxLength: 63
  18823. minLength: 1
  18824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18825. type: string
  18826. type: object
  18827. value:
  18828. description: Value can be specified directly to set a value without using a secret.
  18829. type: string
  18830. type: object
  18831. required:
  18832. - accessKey
  18833. - projectId
  18834. - region
  18835. - secretKey
  18836. type: object
  18837. secretserver:
  18838. description: |-
  18839. SecretServer configures this store to sync secrets using SecretServer provider
  18840. https://docs.delinea.com/online-help/secret-server/start.htm
  18841. properties:
  18842. password:
  18843. description: Password is the secret server account password.
  18844. properties:
  18845. secretRef:
  18846. description: SecretRef references a key in a secret that will be used as value.
  18847. properties:
  18848. key:
  18849. description: |-
  18850. A key in the referenced Secret.
  18851. Some instances of this field may be defaulted, in others it may be required.
  18852. maxLength: 253
  18853. minLength: 1
  18854. pattern: ^[-._a-zA-Z0-9]+$
  18855. type: string
  18856. name:
  18857. description: The name of the Secret resource being referred to.
  18858. maxLength: 253
  18859. minLength: 1
  18860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18861. type: string
  18862. namespace:
  18863. description: |-
  18864. The namespace of the Secret resource being referred to.
  18865. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18866. maxLength: 63
  18867. minLength: 1
  18868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18869. type: string
  18870. type: object
  18871. value:
  18872. description: Value can be specified directly to set a value without using a secret.
  18873. type: string
  18874. type: object
  18875. serverURL:
  18876. description: |-
  18877. ServerURL
  18878. URL to your secret server installation
  18879. type: string
  18880. username:
  18881. description: Username is the secret server account username.
  18882. properties:
  18883. secretRef:
  18884. description: SecretRef references a key in a secret that will be used as value.
  18885. properties:
  18886. key:
  18887. description: |-
  18888. A key in the referenced Secret.
  18889. Some instances of this field may be defaulted, in others it may be required.
  18890. maxLength: 253
  18891. minLength: 1
  18892. pattern: ^[-._a-zA-Z0-9]+$
  18893. type: string
  18894. name:
  18895. description: The name of the Secret resource being referred to.
  18896. maxLength: 253
  18897. minLength: 1
  18898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18899. type: string
  18900. namespace:
  18901. description: |-
  18902. The namespace of the Secret resource being referred to.
  18903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18904. maxLength: 63
  18905. minLength: 1
  18906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18907. type: string
  18908. type: object
  18909. value:
  18910. description: Value can be specified directly to set a value without using a secret.
  18911. type: string
  18912. type: object
  18913. required:
  18914. - password
  18915. - serverURL
  18916. - username
  18917. type: object
  18918. senhasegura:
  18919. description: Senhasegura configures this store to sync secrets using senhasegura provider
  18920. properties:
  18921. auth:
  18922. description: Auth defines parameters to authenticate in senhasegura
  18923. properties:
  18924. clientId:
  18925. type: string
  18926. clientSecretSecretRef:
  18927. description: |-
  18928. A reference to a specific 'key' within a Secret resource.
  18929. In some instances, `key` is a required field.
  18930. properties:
  18931. key:
  18932. description: |-
  18933. A key in the referenced Secret.
  18934. Some instances of this field may be defaulted, in others it may be required.
  18935. maxLength: 253
  18936. minLength: 1
  18937. pattern: ^[-._a-zA-Z0-9]+$
  18938. type: string
  18939. name:
  18940. description: The name of the Secret resource being referred to.
  18941. maxLength: 253
  18942. minLength: 1
  18943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18944. type: string
  18945. namespace:
  18946. description: |-
  18947. The namespace of the Secret resource being referred to.
  18948. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18949. maxLength: 63
  18950. minLength: 1
  18951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18952. type: string
  18953. type: object
  18954. required:
  18955. - clientId
  18956. - clientSecretSecretRef
  18957. type: object
  18958. ignoreSslCertificate:
  18959. default: false
  18960. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  18961. type: boolean
  18962. module:
  18963. description: Module defines which senhasegura module should be used to get secrets
  18964. type: string
  18965. url:
  18966. description: URL of senhasegura
  18967. type: string
  18968. required:
  18969. - auth
  18970. - module
  18971. - url
  18972. type: object
  18973. vault:
  18974. description: Vault configures this store to sync secrets using Hashi provider
  18975. properties:
  18976. auth:
  18977. description: Auth configures how secret-manager authenticates with the Vault server.
  18978. properties:
  18979. appRole:
  18980. description: |-
  18981. AppRole authenticates with Vault using the App Role auth mechanism,
  18982. with the role and secret stored in a Kubernetes Secret resource.
  18983. properties:
  18984. path:
  18985. default: approle
  18986. description: |-
  18987. Path where the App Role authentication backend is mounted
  18988. in Vault, e.g: "approle"
  18989. type: string
  18990. roleId:
  18991. description: |-
  18992. RoleID configured in the App Role authentication backend when setting
  18993. up the authentication backend in Vault.
  18994. type: string
  18995. roleRef:
  18996. description: |-
  18997. Reference to a key in a Secret that contains the App Role ID used
  18998. to authenticate with Vault.
  18999. The `key` field must be specified and denotes which entry within the Secret
  19000. resource is used as the app role id.
  19001. properties:
  19002. key:
  19003. description: |-
  19004. A key in the referenced Secret.
  19005. Some instances of this field may be defaulted, in others it may be required.
  19006. maxLength: 253
  19007. minLength: 1
  19008. pattern: ^[-._a-zA-Z0-9]+$
  19009. type: string
  19010. name:
  19011. description: The name of the Secret resource being referred to.
  19012. maxLength: 253
  19013. minLength: 1
  19014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19015. type: string
  19016. namespace:
  19017. description: |-
  19018. The namespace of the Secret resource being referred to.
  19019. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19020. maxLength: 63
  19021. minLength: 1
  19022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19023. type: string
  19024. type: object
  19025. secretRef:
  19026. description: |-
  19027. Reference to a key in a Secret that contains the App Role secret used
  19028. to authenticate with Vault.
  19029. The `key` field must be specified and denotes which entry within the Secret
  19030. resource is used as the app role secret.
  19031. properties:
  19032. key:
  19033. description: |-
  19034. A key in the referenced Secret.
  19035. Some instances of this field may be defaulted, in others it may be required.
  19036. maxLength: 253
  19037. minLength: 1
  19038. pattern: ^[-._a-zA-Z0-9]+$
  19039. type: string
  19040. name:
  19041. description: The name of the Secret resource being referred to.
  19042. maxLength: 253
  19043. minLength: 1
  19044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19045. type: string
  19046. namespace:
  19047. description: |-
  19048. The namespace of the Secret resource being referred to.
  19049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19050. maxLength: 63
  19051. minLength: 1
  19052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19053. type: string
  19054. type: object
  19055. required:
  19056. - path
  19057. - secretRef
  19058. type: object
  19059. cert:
  19060. description: |-
  19061. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  19062. Cert authentication method
  19063. properties:
  19064. clientCert:
  19065. description: |-
  19066. ClientCert is a certificate to authenticate using the Cert Vault
  19067. authentication method
  19068. properties:
  19069. key:
  19070. description: |-
  19071. A key in the referenced Secret.
  19072. Some instances of this field may be defaulted, in others it may be required.
  19073. maxLength: 253
  19074. minLength: 1
  19075. pattern: ^[-._a-zA-Z0-9]+$
  19076. type: string
  19077. name:
  19078. description: The name of the Secret resource being referred to.
  19079. maxLength: 253
  19080. minLength: 1
  19081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19082. type: string
  19083. namespace:
  19084. description: |-
  19085. The namespace of the Secret resource being referred to.
  19086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19087. maxLength: 63
  19088. minLength: 1
  19089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19090. type: string
  19091. type: object
  19092. secretRef:
  19093. description: |-
  19094. SecretRef to a key in a Secret resource containing client private key to
  19095. authenticate with Vault using the Cert authentication method
  19096. properties:
  19097. key:
  19098. description: |-
  19099. A key in the referenced Secret.
  19100. Some instances of this field may be defaulted, in others it may be required.
  19101. maxLength: 253
  19102. minLength: 1
  19103. pattern: ^[-._a-zA-Z0-9]+$
  19104. type: string
  19105. name:
  19106. description: The name of the Secret resource being referred to.
  19107. maxLength: 253
  19108. minLength: 1
  19109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19110. type: string
  19111. namespace:
  19112. description: |-
  19113. The namespace of the Secret resource being referred to.
  19114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19115. maxLength: 63
  19116. minLength: 1
  19117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19118. type: string
  19119. type: object
  19120. type: object
  19121. iam:
  19122. description: |-
  19123. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  19124. AWS IAM authentication method
  19125. properties:
  19126. externalID:
  19127. description: AWS External ID set on assumed IAM roles
  19128. type: string
  19129. jwt:
  19130. description: Specify a service account with IRSA enabled
  19131. properties:
  19132. serviceAccountRef:
  19133. description: A reference to a ServiceAccount resource.
  19134. properties:
  19135. audiences:
  19136. description: |-
  19137. Audience specifies the `aud` claim for the service account token
  19138. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19139. then this audiences will be appended to the list
  19140. items:
  19141. type: string
  19142. type: array
  19143. name:
  19144. description: The name of the ServiceAccount resource being referred to.
  19145. maxLength: 253
  19146. minLength: 1
  19147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19148. type: string
  19149. namespace:
  19150. description: |-
  19151. Namespace of the resource being referred to.
  19152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19153. maxLength: 63
  19154. minLength: 1
  19155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19156. type: string
  19157. required:
  19158. - name
  19159. type: object
  19160. type: object
  19161. path:
  19162. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  19163. type: string
  19164. region:
  19165. description: AWS region
  19166. type: string
  19167. role:
  19168. description: This is the AWS role to be assumed before talking to vault
  19169. type: string
  19170. secretRef:
  19171. description: Specify credentials in a Secret object
  19172. properties:
  19173. accessKeyIDSecretRef:
  19174. description: The AccessKeyID is used for authentication
  19175. properties:
  19176. key:
  19177. description: |-
  19178. A key in the referenced Secret.
  19179. Some instances of this field may be defaulted, in others it may be required.
  19180. maxLength: 253
  19181. minLength: 1
  19182. pattern: ^[-._a-zA-Z0-9]+$
  19183. type: string
  19184. name:
  19185. description: The name of the Secret resource being referred to.
  19186. maxLength: 253
  19187. minLength: 1
  19188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19189. type: string
  19190. namespace:
  19191. description: |-
  19192. The namespace of the Secret resource being referred to.
  19193. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19194. maxLength: 63
  19195. minLength: 1
  19196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19197. type: string
  19198. type: object
  19199. secretAccessKeySecretRef:
  19200. description: The SecretAccessKey is used for authentication
  19201. properties:
  19202. key:
  19203. description: |-
  19204. A key in the referenced Secret.
  19205. Some instances of this field may be defaulted, in others it may be required.
  19206. maxLength: 253
  19207. minLength: 1
  19208. pattern: ^[-._a-zA-Z0-9]+$
  19209. type: string
  19210. name:
  19211. description: The name of the Secret resource being referred to.
  19212. maxLength: 253
  19213. minLength: 1
  19214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19215. type: string
  19216. namespace:
  19217. description: |-
  19218. The namespace of the Secret resource being referred to.
  19219. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19220. maxLength: 63
  19221. minLength: 1
  19222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19223. type: string
  19224. type: object
  19225. sessionTokenSecretRef:
  19226. description: |-
  19227. The SessionToken used for authentication
  19228. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  19229. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  19230. properties:
  19231. key:
  19232. description: |-
  19233. A key in the referenced Secret.
  19234. Some instances of this field may be defaulted, in others it may be required.
  19235. maxLength: 253
  19236. minLength: 1
  19237. pattern: ^[-._a-zA-Z0-9]+$
  19238. type: string
  19239. name:
  19240. description: The name of the Secret resource being referred to.
  19241. maxLength: 253
  19242. minLength: 1
  19243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19244. type: string
  19245. namespace:
  19246. description: |-
  19247. The namespace of the Secret resource being referred to.
  19248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19249. maxLength: 63
  19250. minLength: 1
  19251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19252. type: string
  19253. type: object
  19254. type: object
  19255. vaultAwsIamServerID:
  19256. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  19257. type: string
  19258. vaultRole:
  19259. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  19260. type: string
  19261. required:
  19262. - vaultRole
  19263. type: object
  19264. jwt:
  19265. description: |-
  19266. Jwt authenticates with Vault by passing role and JWT token using the
  19267. JWT/OIDC authentication method
  19268. properties:
  19269. kubernetesServiceAccountToken:
  19270. description: |-
  19271. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  19272. a token for with the `TokenRequest` API.
  19273. properties:
  19274. audiences:
  19275. description: |-
  19276. Optional audiences field that will be used to request a temporary Kubernetes service
  19277. account token for the service account referenced by `serviceAccountRef`.
  19278. Defaults to a single audience `vault` it not specified.
  19279. Deprecated: use serviceAccountRef.Audiences instead
  19280. items:
  19281. type: string
  19282. type: array
  19283. expirationSeconds:
  19284. description: |-
  19285. Optional expiration time in seconds that will be used to request a temporary
  19286. Kubernetes service account token for the service account referenced by
  19287. `serviceAccountRef`.
  19288. Deprecated: this will be removed in the future.
  19289. Defaults to 10 minutes.
  19290. format: int64
  19291. type: integer
  19292. serviceAccountRef:
  19293. description: Service account field containing the name of a kubernetes ServiceAccount.
  19294. properties:
  19295. audiences:
  19296. description: |-
  19297. Audience specifies the `aud` claim for the service account token
  19298. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19299. then this audiences will be appended to the list
  19300. items:
  19301. type: string
  19302. type: array
  19303. name:
  19304. description: The name of the ServiceAccount resource being referred to.
  19305. maxLength: 253
  19306. minLength: 1
  19307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19308. type: string
  19309. namespace:
  19310. description: |-
  19311. Namespace of the resource being referred to.
  19312. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19313. maxLength: 63
  19314. minLength: 1
  19315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19316. type: string
  19317. required:
  19318. - name
  19319. type: object
  19320. required:
  19321. - serviceAccountRef
  19322. type: object
  19323. path:
  19324. default: jwt
  19325. description: |-
  19326. Path where the JWT authentication backend is mounted
  19327. in Vault, e.g: "jwt"
  19328. type: string
  19329. role:
  19330. description: |-
  19331. Role is a JWT role to authenticate using the JWT/OIDC Vault
  19332. authentication method
  19333. type: string
  19334. secretRef:
  19335. description: |-
  19336. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  19337. authenticate with Vault using the JWT/OIDC authentication method.
  19338. properties:
  19339. key:
  19340. description: |-
  19341. A key in the referenced Secret.
  19342. Some instances of this field may be defaulted, in others it may be required.
  19343. maxLength: 253
  19344. minLength: 1
  19345. pattern: ^[-._a-zA-Z0-9]+$
  19346. type: string
  19347. name:
  19348. description: The name of the Secret resource being referred to.
  19349. maxLength: 253
  19350. minLength: 1
  19351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19352. type: string
  19353. namespace:
  19354. description: |-
  19355. The namespace of the Secret resource being referred to.
  19356. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19357. maxLength: 63
  19358. minLength: 1
  19359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19360. type: string
  19361. type: object
  19362. required:
  19363. - path
  19364. type: object
  19365. kubernetes:
  19366. description: |-
  19367. Kubernetes authenticates with Vault by passing the ServiceAccount
  19368. token stored in the named Secret resource to the Vault server.
  19369. properties:
  19370. mountPath:
  19371. default: kubernetes
  19372. description: |-
  19373. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  19374. "kubernetes"
  19375. type: string
  19376. role:
  19377. description: |-
  19378. A required field containing the Vault Role to assume. A Role binds a
  19379. Kubernetes ServiceAccount with a set of Vault policies.
  19380. type: string
  19381. secretRef:
  19382. description: |-
  19383. Optional secret field containing a Kubernetes ServiceAccount JWT used
  19384. for authenticating with Vault. If a name is specified without a key,
  19385. `token` is the default. If one is not specified, the one bound to
  19386. the controller will be used.
  19387. properties:
  19388. key:
  19389. description: |-
  19390. A key in the referenced Secret.
  19391. Some instances of this field may be defaulted, in others it may be required.
  19392. maxLength: 253
  19393. minLength: 1
  19394. pattern: ^[-._a-zA-Z0-9]+$
  19395. type: string
  19396. name:
  19397. description: The name of the Secret resource being referred to.
  19398. maxLength: 253
  19399. minLength: 1
  19400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19401. type: string
  19402. namespace:
  19403. description: |-
  19404. The namespace of the Secret resource being referred to.
  19405. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19406. maxLength: 63
  19407. minLength: 1
  19408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19409. type: string
  19410. type: object
  19411. serviceAccountRef:
  19412. description: |-
  19413. Optional service account field containing the name of a kubernetes ServiceAccount.
  19414. If the service account is specified, the service account secret token JWT will be used
  19415. for authenticating with Vault. If the service account selector is not supplied,
  19416. the secretRef will be used instead.
  19417. properties:
  19418. audiences:
  19419. description: |-
  19420. Audience specifies the `aud` claim for the service account token
  19421. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19422. then this audiences will be appended to the list
  19423. items:
  19424. type: string
  19425. type: array
  19426. name:
  19427. description: The name of the ServiceAccount resource being referred to.
  19428. maxLength: 253
  19429. minLength: 1
  19430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19431. type: string
  19432. namespace:
  19433. description: |-
  19434. Namespace of the resource being referred to.
  19435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19436. maxLength: 63
  19437. minLength: 1
  19438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19439. type: string
  19440. required:
  19441. - name
  19442. type: object
  19443. required:
  19444. - mountPath
  19445. - role
  19446. type: object
  19447. ldap:
  19448. description: |-
  19449. Ldap authenticates with Vault by passing username/password pair using
  19450. the LDAP authentication method
  19451. properties:
  19452. path:
  19453. default: ldap
  19454. description: |-
  19455. Path where the LDAP authentication backend is mounted
  19456. in Vault, e.g: "ldap"
  19457. type: string
  19458. secretRef:
  19459. description: |-
  19460. SecretRef to a key in a Secret resource containing password for the LDAP
  19461. user used to authenticate with Vault using the LDAP authentication
  19462. method
  19463. properties:
  19464. key:
  19465. description: |-
  19466. A key in the referenced Secret.
  19467. Some instances of this field may be defaulted, in others it may be required.
  19468. maxLength: 253
  19469. minLength: 1
  19470. pattern: ^[-._a-zA-Z0-9]+$
  19471. type: string
  19472. name:
  19473. description: The name of the Secret resource being referred to.
  19474. maxLength: 253
  19475. minLength: 1
  19476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19477. type: string
  19478. namespace:
  19479. description: |-
  19480. The namespace of the Secret resource being referred to.
  19481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19482. maxLength: 63
  19483. minLength: 1
  19484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19485. type: string
  19486. type: object
  19487. username:
  19488. description: |-
  19489. Username is an LDAP username used to authenticate using the LDAP Vault
  19490. authentication method
  19491. type: string
  19492. required:
  19493. - path
  19494. - username
  19495. type: object
  19496. namespace:
  19497. description: |-
  19498. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  19499. Namespaces is a set of features within Vault Enterprise that allows
  19500. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  19501. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  19502. This will default to Vault.Namespace field if set, or empty otherwise
  19503. type: string
  19504. tokenSecretRef:
  19505. description: TokenSecretRef authenticates with Vault by presenting a token.
  19506. properties:
  19507. key:
  19508. description: |-
  19509. A key in the referenced Secret.
  19510. Some instances of this field may be defaulted, in others it may be required.
  19511. maxLength: 253
  19512. minLength: 1
  19513. pattern: ^[-._a-zA-Z0-9]+$
  19514. type: string
  19515. name:
  19516. description: The name of the Secret resource being referred to.
  19517. maxLength: 253
  19518. minLength: 1
  19519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19520. type: string
  19521. namespace:
  19522. description: |-
  19523. The namespace of the Secret resource being referred to.
  19524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19525. maxLength: 63
  19526. minLength: 1
  19527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19528. type: string
  19529. type: object
  19530. userPass:
  19531. description: UserPass authenticates with Vault by passing username/password pair
  19532. properties:
  19533. path:
  19534. default: userpass
  19535. description: |-
  19536. Path where the UserPassword authentication backend is mounted
  19537. in Vault, e.g: "userpass"
  19538. type: string
  19539. secretRef:
  19540. description: |-
  19541. SecretRef to a key in a Secret resource containing password for the
  19542. user used to authenticate with Vault using the UserPass authentication
  19543. method
  19544. properties:
  19545. key:
  19546. description: |-
  19547. A key in the referenced Secret.
  19548. Some instances of this field may be defaulted, in others it may be required.
  19549. maxLength: 253
  19550. minLength: 1
  19551. pattern: ^[-._a-zA-Z0-9]+$
  19552. type: string
  19553. name:
  19554. description: The name of the Secret resource being referred to.
  19555. maxLength: 253
  19556. minLength: 1
  19557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19558. type: string
  19559. namespace:
  19560. description: |-
  19561. The namespace of the Secret resource being referred to.
  19562. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19563. maxLength: 63
  19564. minLength: 1
  19565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19566. type: string
  19567. type: object
  19568. username:
  19569. description: |-
  19570. Username is a username used to authenticate using the UserPass Vault
  19571. authentication method
  19572. type: string
  19573. required:
  19574. - path
  19575. - username
  19576. type: object
  19577. type: object
  19578. caBundle:
  19579. description: |-
  19580. PEM encoded CA bundle used to validate Vault server certificate. Only used
  19581. if the Server URL is using HTTPS protocol. This parameter is ignored for
  19582. plain HTTP protocol connection. If not set the system root certificates
  19583. are used to validate the TLS connection.
  19584. format: byte
  19585. type: string
  19586. caProvider:
  19587. description: The provider for the CA bundle to use to validate Vault server certificate.
  19588. properties:
  19589. key:
  19590. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19591. maxLength: 253
  19592. minLength: 1
  19593. pattern: ^[-._a-zA-Z0-9]+$
  19594. type: string
  19595. name:
  19596. description: The name of the object located at the provider type.
  19597. maxLength: 253
  19598. minLength: 1
  19599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19600. type: string
  19601. namespace:
  19602. description: |-
  19603. The namespace the Provider type is in.
  19604. Can only be defined when used in a ClusterSecretStore.
  19605. maxLength: 63
  19606. minLength: 1
  19607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19608. type: string
  19609. type:
  19610. description: The type of provider to use such as "Secret", or "ConfigMap".
  19611. enum:
  19612. - Secret
  19613. - ConfigMap
  19614. type: string
  19615. required:
  19616. - name
  19617. - type
  19618. type: object
  19619. forwardInconsistent:
  19620. description: |-
  19621. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  19622. leader instead of simply retrying within a loop. This can increase performance if
  19623. the option is enabled serverside.
  19624. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  19625. type: boolean
  19626. headers:
  19627. additionalProperties:
  19628. type: string
  19629. description: Headers to be added in Vault request
  19630. type: object
  19631. namespace:
  19632. description: |-
  19633. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  19634. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  19635. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  19636. type: string
  19637. path:
  19638. description: |-
  19639. Path is the mount path of the Vault KV backend endpoint, e.g:
  19640. "secret". The v2 KV secret engine version specific "/data" path suffix
  19641. for fetching secrets from Vault is optional and will be appended
  19642. if not present in specified path.
  19643. type: string
  19644. readYourWrites:
  19645. description: |-
  19646. ReadYourWrites ensures isolated read-after-write semantics by
  19647. providing discovered cluster replication states in each request.
  19648. More information about eventual consistency in Vault can be found here
  19649. https://www.vaultproject.io/docs/enterprise/consistency
  19650. type: boolean
  19651. server:
  19652. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  19653. type: string
  19654. tls:
  19655. description: |-
  19656. The configuration used for client side related TLS communication, when the Vault server
  19657. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  19658. This parameter is ignored for plain HTTP protocol connection.
  19659. It's worth noting this configuration is different from the "TLS certificates auth method",
  19660. which is available under the `auth.cert` section.
  19661. properties:
  19662. certSecretRef:
  19663. description: |-
  19664. CertSecretRef is a certificate added to the transport layer
  19665. when communicating with the Vault server.
  19666. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  19667. properties:
  19668. key:
  19669. description: |-
  19670. A key in the referenced Secret.
  19671. Some instances of this field may be defaulted, in others it may be required.
  19672. maxLength: 253
  19673. minLength: 1
  19674. pattern: ^[-._a-zA-Z0-9]+$
  19675. type: string
  19676. name:
  19677. description: The name of the Secret resource being referred to.
  19678. maxLength: 253
  19679. minLength: 1
  19680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19681. type: string
  19682. namespace:
  19683. description: |-
  19684. The namespace of the Secret resource being referred to.
  19685. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19686. maxLength: 63
  19687. minLength: 1
  19688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19689. type: string
  19690. type: object
  19691. keySecretRef:
  19692. description: |-
  19693. KeySecretRef to a key in a Secret resource containing client private key
  19694. added to the transport layer when communicating with the Vault server.
  19695. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  19696. properties:
  19697. key:
  19698. description: |-
  19699. A key in the referenced Secret.
  19700. Some instances of this field may be defaulted, in others it may be required.
  19701. maxLength: 253
  19702. minLength: 1
  19703. pattern: ^[-._a-zA-Z0-9]+$
  19704. type: string
  19705. name:
  19706. description: The name of the Secret resource being referred to.
  19707. maxLength: 253
  19708. minLength: 1
  19709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19710. type: string
  19711. namespace:
  19712. description: |-
  19713. The namespace of the Secret resource being referred to.
  19714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19715. maxLength: 63
  19716. minLength: 1
  19717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19718. type: string
  19719. type: object
  19720. type: object
  19721. version:
  19722. default: v2
  19723. description: |-
  19724. Version is the Vault KV secret engine version. This can be either "v1" or
  19725. "v2". Version defaults to "v2".
  19726. enum:
  19727. - v1
  19728. - v2
  19729. type: string
  19730. required:
  19731. - server
  19732. type: object
  19733. webhook:
  19734. description: Webhook configures this store to sync secrets using a generic templated webhook
  19735. properties:
  19736. body:
  19737. description: Body
  19738. type: string
  19739. caBundle:
  19740. description: |-
  19741. PEM encoded CA bundle used to validate webhook server certificate. Only used
  19742. if the Server URL is using HTTPS protocol. This parameter is ignored for
  19743. plain HTTP protocol connection. If not set the system root certificates
  19744. are used to validate the TLS connection.
  19745. format: byte
  19746. type: string
  19747. caProvider:
  19748. description: The provider for the CA bundle to use to validate webhook server certificate.
  19749. properties:
  19750. key:
  19751. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19752. maxLength: 253
  19753. minLength: 1
  19754. pattern: ^[-._a-zA-Z0-9]+$
  19755. type: string
  19756. name:
  19757. description: The name of the object located at the provider type.
  19758. maxLength: 253
  19759. minLength: 1
  19760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19761. type: string
  19762. namespace:
  19763. description: The namespace the Provider type is in.
  19764. maxLength: 63
  19765. minLength: 1
  19766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19767. type: string
  19768. type:
  19769. description: The type of provider to use such as "Secret", or "ConfigMap".
  19770. enum:
  19771. - Secret
  19772. - ConfigMap
  19773. type: string
  19774. required:
  19775. - name
  19776. - type
  19777. type: object
  19778. headers:
  19779. additionalProperties:
  19780. type: string
  19781. description: Headers
  19782. type: object
  19783. method:
  19784. description: Webhook Method
  19785. type: string
  19786. result:
  19787. description: Result formatting
  19788. properties:
  19789. jsonPath:
  19790. description: Json path of return value
  19791. type: string
  19792. type: object
  19793. secrets:
  19794. description: |-
  19795. Secrets to fill in templates
  19796. These secrets will be passed to the templating function as key value pairs under the given name
  19797. items:
  19798. properties:
  19799. name:
  19800. description: Name of this secret in templates
  19801. type: string
  19802. secretRef:
  19803. description: Secret ref to fill in credentials
  19804. properties:
  19805. key:
  19806. description: |-
  19807. A key in the referenced Secret.
  19808. Some instances of this field may be defaulted, in others it may be required.
  19809. maxLength: 253
  19810. minLength: 1
  19811. pattern: ^[-._a-zA-Z0-9]+$
  19812. type: string
  19813. name:
  19814. description: The name of the Secret resource being referred to.
  19815. maxLength: 253
  19816. minLength: 1
  19817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19818. type: string
  19819. namespace:
  19820. description: |-
  19821. The namespace of the Secret resource being referred to.
  19822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19823. maxLength: 63
  19824. minLength: 1
  19825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19826. type: string
  19827. type: object
  19828. required:
  19829. - name
  19830. - secretRef
  19831. type: object
  19832. type: array
  19833. timeout:
  19834. description: Timeout
  19835. type: string
  19836. url:
  19837. description: Webhook url to call
  19838. type: string
  19839. required:
  19840. - result
  19841. - url
  19842. type: object
  19843. yandexcertificatemanager:
  19844. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  19845. properties:
  19846. apiEndpoint:
  19847. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  19848. type: string
  19849. auth:
  19850. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  19851. properties:
  19852. authorizedKeySecretRef:
  19853. description: The authorized key used for authentication
  19854. properties:
  19855. key:
  19856. description: |-
  19857. A key in the referenced Secret.
  19858. Some instances of this field may be defaulted, in others it may be required.
  19859. maxLength: 253
  19860. minLength: 1
  19861. pattern: ^[-._a-zA-Z0-9]+$
  19862. type: string
  19863. name:
  19864. description: The name of the Secret resource being referred to.
  19865. maxLength: 253
  19866. minLength: 1
  19867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19868. type: string
  19869. namespace:
  19870. description: |-
  19871. The namespace of the Secret resource being referred to.
  19872. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19873. maxLength: 63
  19874. minLength: 1
  19875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19876. type: string
  19877. type: object
  19878. type: object
  19879. caProvider:
  19880. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  19881. properties:
  19882. certSecretRef:
  19883. description: |-
  19884. A reference to a specific 'key' within a Secret resource.
  19885. In some instances, `key` is a required field.
  19886. properties:
  19887. key:
  19888. description: |-
  19889. A key in the referenced Secret.
  19890. Some instances of this field may be defaulted, in others it may be required.
  19891. maxLength: 253
  19892. minLength: 1
  19893. pattern: ^[-._a-zA-Z0-9]+$
  19894. type: string
  19895. name:
  19896. description: The name of the Secret resource being referred to.
  19897. maxLength: 253
  19898. minLength: 1
  19899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19900. type: string
  19901. namespace:
  19902. description: |-
  19903. The namespace of the Secret resource being referred to.
  19904. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19905. maxLength: 63
  19906. minLength: 1
  19907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19908. type: string
  19909. type: object
  19910. type: object
  19911. required:
  19912. - auth
  19913. type: object
  19914. yandexlockbox:
  19915. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  19916. properties:
  19917. apiEndpoint:
  19918. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  19919. type: string
  19920. auth:
  19921. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  19922. properties:
  19923. authorizedKeySecretRef:
  19924. description: The authorized key used for authentication
  19925. properties:
  19926. key:
  19927. description: |-
  19928. A key in the referenced Secret.
  19929. Some instances of this field may be defaulted, in others it may be required.
  19930. maxLength: 253
  19931. minLength: 1
  19932. pattern: ^[-._a-zA-Z0-9]+$
  19933. type: string
  19934. name:
  19935. description: The name of the Secret resource being referred to.
  19936. maxLength: 253
  19937. minLength: 1
  19938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19939. type: string
  19940. namespace:
  19941. description: |-
  19942. The namespace of the Secret resource being referred to.
  19943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19944. maxLength: 63
  19945. minLength: 1
  19946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19947. type: string
  19948. type: object
  19949. type: object
  19950. caProvider:
  19951. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  19952. properties:
  19953. certSecretRef:
  19954. description: |-
  19955. A reference to a specific 'key' within a Secret resource.
  19956. In some instances, `key` is a required field.
  19957. properties:
  19958. key:
  19959. description: |-
  19960. A key in the referenced Secret.
  19961. Some instances of this field may be defaulted, in others it may be required.
  19962. maxLength: 253
  19963. minLength: 1
  19964. pattern: ^[-._a-zA-Z0-9]+$
  19965. type: string
  19966. name:
  19967. description: The name of the Secret resource being referred to.
  19968. maxLength: 253
  19969. minLength: 1
  19970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19971. type: string
  19972. namespace:
  19973. description: |-
  19974. The namespace of the Secret resource being referred to.
  19975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19976. maxLength: 63
  19977. minLength: 1
  19978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19979. type: string
  19980. type: object
  19981. type: object
  19982. required:
  19983. - auth
  19984. type: object
  19985. type: object
  19986. refreshInterval:
  19987. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  19988. type: integer
  19989. retrySettings:
  19990. description: Used to configure http retries if failed
  19991. properties:
  19992. maxRetries:
  19993. format: int32
  19994. type: integer
  19995. retryInterval:
  19996. type: string
  19997. type: object
  19998. required:
  19999. - provider
  20000. type: object
  20001. status:
  20002. description: SecretStoreStatus defines the observed state of the SecretStore.
  20003. properties:
  20004. capabilities:
  20005. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  20006. type: string
  20007. conditions:
  20008. items:
  20009. properties:
  20010. lastTransitionTime:
  20011. format: date-time
  20012. type: string
  20013. message:
  20014. type: string
  20015. reason:
  20016. type: string
  20017. status:
  20018. type: string
  20019. type:
  20020. type: string
  20021. required:
  20022. - status
  20023. - type
  20024. type: object
  20025. type: array
  20026. type: object
  20027. type: object
  20028. served: true
  20029. storage: false
  20030. subresources:
  20031. status: {}
  20032. conversion:
  20033. strategy: Webhook
  20034. webhook:
  20035. conversionReviewVersions:
  20036. - v1
  20037. clientConfig:
  20038. service:
  20039. name: kubernetes
  20040. namespace: default
  20041. path: /convert
  20042. ---
  20043. apiVersion: apiextensions.k8s.io/v1
  20044. kind: CustomResourceDefinition
  20045. metadata:
  20046. annotations:
  20047. controller-gen.kubebuilder.io/version: v0.17.3
  20048. labels:
  20049. external-secrets.io/component: controller
  20050. name: acraccesstokens.generators.external-secrets.io
  20051. spec:
  20052. group: generators.external-secrets.io
  20053. names:
  20054. categories:
  20055. - external-secrets
  20056. - external-secrets-generators
  20057. kind: ACRAccessToken
  20058. listKind: ACRAccessTokenList
  20059. plural: acraccesstokens
  20060. singular: acraccesstoken
  20061. scope: Namespaced
  20062. versions:
  20063. - name: v1alpha1
  20064. schema:
  20065. openAPIV3Schema:
  20066. description: |-
  20067. ACRAccessToken returns an Azure Container Registry token
  20068. that can be used for pushing/pulling images.
  20069. Note: by default it will return an ACR Refresh Token with full access
  20070. (depending on the identity).
  20071. This can be scoped down to the repository level using .spec.scope.
  20072. In case scope is defined it will return an ACR Access Token.
  20073. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  20074. properties:
  20075. apiVersion:
  20076. description: |-
  20077. APIVersion defines the versioned schema of this representation of an object.
  20078. Servers should convert recognized schemas to the latest internal value, and
  20079. may reject unrecognized values.
  20080. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20081. type: string
  20082. kind:
  20083. description: |-
  20084. Kind is a string value representing the REST resource this object represents.
  20085. Servers may infer this from the endpoint the client submits requests to.
  20086. Cannot be updated.
  20087. In CamelCase.
  20088. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  20089. type: string
  20090. metadata:
  20091. type: object
  20092. spec:
  20093. description: |-
  20094. ACRAccessTokenSpec defines how to generate the access token
  20095. e.g. how to authenticate and which registry to use.
  20096. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  20097. properties:
  20098. auth:
  20099. properties:
  20100. managedIdentity:
  20101. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  20102. properties:
  20103. identityId:
  20104. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  20105. type: string
  20106. type: object
  20107. servicePrincipal:
  20108. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  20109. properties:
  20110. secretRef:
  20111. description: |-
  20112. Configuration used to authenticate with Azure using static
  20113. credentials stored in a Kind=Secret.
  20114. properties:
  20115. clientId:
  20116. description: The Azure clientId of the service principle used for authentication.
  20117. properties:
  20118. key:
  20119. description: |-
  20120. A key in the referenced Secret.
  20121. Some instances of this field may be defaulted, in others it may be required.
  20122. maxLength: 253
  20123. minLength: 1
  20124. pattern: ^[-._a-zA-Z0-9]+$
  20125. type: string
  20126. name:
  20127. description: The name of the Secret resource being referred to.
  20128. maxLength: 253
  20129. minLength: 1
  20130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20131. type: string
  20132. namespace:
  20133. description: |-
  20134. The namespace of the Secret resource being referred to.
  20135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20136. maxLength: 63
  20137. minLength: 1
  20138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20139. type: string
  20140. type: object
  20141. clientSecret:
  20142. description: The Azure ClientSecret of the service principle used for authentication.
  20143. properties:
  20144. key:
  20145. description: |-
  20146. A key in the referenced Secret.
  20147. Some instances of this field may be defaulted, in others it may be required.
  20148. maxLength: 253
  20149. minLength: 1
  20150. pattern: ^[-._a-zA-Z0-9]+$
  20151. type: string
  20152. name:
  20153. description: The name of the Secret resource being referred to.
  20154. maxLength: 253
  20155. minLength: 1
  20156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20157. type: string
  20158. namespace:
  20159. description: |-
  20160. The namespace of the Secret resource being referred to.
  20161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20162. maxLength: 63
  20163. minLength: 1
  20164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20165. type: string
  20166. type: object
  20167. type: object
  20168. required:
  20169. - secretRef
  20170. type: object
  20171. workloadIdentity:
  20172. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  20173. properties:
  20174. serviceAccountRef:
  20175. description: |-
  20176. ServiceAccountRef specified the service account
  20177. that should be used when authenticating with WorkloadIdentity.
  20178. properties:
  20179. audiences:
  20180. description: |-
  20181. Audience specifies the `aud` claim for the service account token
  20182. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20183. then this audiences will be appended to the list
  20184. items:
  20185. type: string
  20186. type: array
  20187. name:
  20188. description: The name of the ServiceAccount resource being referred to.
  20189. maxLength: 253
  20190. minLength: 1
  20191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20192. type: string
  20193. namespace:
  20194. description: |-
  20195. Namespace of the resource being referred to.
  20196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20197. maxLength: 63
  20198. minLength: 1
  20199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20200. type: string
  20201. required:
  20202. - name
  20203. type: object
  20204. type: object
  20205. type: object
  20206. environmentType:
  20207. default: PublicCloud
  20208. description: |-
  20209. EnvironmentType specifies the Azure cloud environment endpoints to use for
  20210. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  20211. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  20212. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  20213. enum:
  20214. - PublicCloud
  20215. - USGovernmentCloud
  20216. - ChinaCloud
  20217. - GermanCloud
  20218. type: string
  20219. registry:
  20220. description: |-
  20221. the domain name of the ACR registry
  20222. e.g. foobarexample.azurecr.io
  20223. type: string
  20224. scope:
  20225. description: |-
  20226. Define the scope for the access token, e.g. pull/push access for a repository.
  20227. if not provided it will return a refresh token that has full scope.
  20228. Note: you need to pin it down to the repository level, there is no wildcard available.
  20229. examples:
  20230. repository:my-repository:pull,push
  20231. repository:my-repository:pull
  20232. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  20233. type: string
  20234. tenantId:
  20235. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  20236. type: string
  20237. required:
  20238. - auth
  20239. - registry
  20240. type: object
  20241. type: object
  20242. served: true
  20243. storage: true
  20244. subresources:
  20245. status: {}
  20246. conversion:
  20247. strategy: Webhook
  20248. webhook:
  20249. conversionReviewVersions:
  20250. - v1
  20251. clientConfig:
  20252. service:
  20253. name: kubernetes
  20254. namespace: default
  20255. path: /convert
  20256. ---
  20257. apiVersion: apiextensions.k8s.io/v1
  20258. kind: CustomResourceDefinition
  20259. metadata:
  20260. annotations:
  20261. controller-gen.kubebuilder.io/version: v0.17.3
  20262. labels:
  20263. external-secrets.io/component: controller
  20264. name: clustergenerators.generators.external-secrets.io
  20265. spec:
  20266. group: generators.external-secrets.io
  20267. names:
  20268. categories:
  20269. - external-secrets
  20270. - external-secrets-generators
  20271. kind: ClusterGenerator
  20272. listKind: ClusterGeneratorList
  20273. plural: clustergenerators
  20274. singular: clustergenerator
  20275. scope: Cluster
  20276. versions:
  20277. - name: v1alpha1
  20278. schema:
  20279. openAPIV3Schema:
  20280. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  20281. properties:
  20282. apiVersion:
  20283. description: |-
  20284. APIVersion defines the versioned schema of this representation of an object.
  20285. Servers should convert recognized schemas to the latest internal value, and
  20286. may reject unrecognized values.
  20287. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20288. type: string
  20289. kind:
  20290. description: |-
  20291. Kind is a string value representing the REST resource this object represents.
  20292. Servers may infer this from the endpoint the client submits requests to.
  20293. Cannot be updated.
  20294. In CamelCase.
  20295. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  20296. type: string
  20297. metadata:
  20298. type: object
  20299. spec:
  20300. properties:
  20301. generator:
  20302. description: Generator the spec for this generator, must match the kind.
  20303. maxProperties: 1
  20304. minProperties: 1
  20305. properties:
  20306. acrAccessTokenSpec:
  20307. description: |-
  20308. ACRAccessTokenSpec defines how to generate the access token
  20309. e.g. how to authenticate and which registry to use.
  20310. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  20311. properties:
  20312. auth:
  20313. properties:
  20314. managedIdentity:
  20315. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  20316. properties:
  20317. identityId:
  20318. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  20319. type: string
  20320. type: object
  20321. servicePrincipal:
  20322. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  20323. properties:
  20324. secretRef:
  20325. description: |-
  20326. Configuration used to authenticate with Azure using static
  20327. credentials stored in a Kind=Secret.
  20328. properties:
  20329. clientId:
  20330. description: The Azure clientId of the service principle used for authentication.
  20331. properties:
  20332. key:
  20333. description: |-
  20334. A key in the referenced Secret.
  20335. Some instances of this field may be defaulted, in others it may be required.
  20336. maxLength: 253
  20337. minLength: 1
  20338. pattern: ^[-._a-zA-Z0-9]+$
  20339. type: string
  20340. name:
  20341. description: The name of the Secret resource being referred to.
  20342. maxLength: 253
  20343. minLength: 1
  20344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20345. type: string
  20346. namespace:
  20347. description: |-
  20348. The namespace of the Secret resource being referred to.
  20349. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20350. maxLength: 63
  20351. minLength: 1
  20352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20353. type: string
  20354. type: object
  20355. clientSecret:
  20356. description: The Azure ClientSecret of the service principle used for authentication.
  20357. properties:
  20358. key:
  20359. description: |-
  20360. A key in the referenced Secret.
  20361. Some instances of this field may be defaulted, in others it may be required.
  20362. maxLength: 253
  20363. minLength: 1
  20364. pattern: ^[-._a-zA-Z0-9]+$
  20365. type: string
  20366. name:
  20367. description: The name of the Secret resource being referred to.
  20368. maxLength: 253
  20369. minLength: 1
  20370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20371. type: string
  20372. namespace:
  20373. description: |-
  20374. The namespace of the Secret resource being referred to.
  20375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20376. maxLength: 63
  20377. minLength: 1
  20378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20379. type: string
  20380. type: object
  20381. type: object
  20382. required:
  20383. - secretRef
  20384. type: object
  20385. workloadIdentity:
  20386. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  20387. properties:
  20388. serviceAccountRef:
  20389. description: |-
  20390. ServiceAccountRef specified the service account
  20391. that should be used when authenticating with WorkloadIdentity.
  20392. properties:
  20393. audiences:
  20394. description: |-
  20395. Audience specifies the `aud` claim for the service account token
  20396. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20397. then this audiences will be appended to the list
  20398. items:
  20399. type: string
  20400. type: array
  20401. name:
  20402. description: The name of the ServiceAccount resource being referred to.
  20403. maxLength: 253
  20404. minLength: 1
  20405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20406. type: string
  20407. namespace:
  20408. description: |-
  20409. Namespace of the resource being referred to.
  20410. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20411. maxLength: 63
  20412. minLength: 1
  20413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20414. type: string
  20415. required:
  20416. - name
  20417. type: object
  20418. type: object
  20419. type: object
  20420. environmentType:
  20421. default: PublicCloud
  20422. description: |-
  20423. EnvironmentType specifies the Azure cloud environment endpoints to use for
  20424. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  20425. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  20426. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  20427. enum:
  20428. - PublicCloud
  20429. - USGovernmentCloud
  20430. - ChinaCloud
  20431. - GermanCloud
  20432. type: string
  20433. registry:
  20434. description: |-
  20435. the domain name of the ACR registry
  20436. e.g. foobarexample.azurecr.io
  20437. type: string
  20438. scope:
  20439. description: |-
  20440. Define the scope for the access token, e.g. pull/push access for a repository.
  20441. if not provided it will return a refresh token that has full scope.
  20442. Note: you need to pin it down to the repository level, there is no wildcard available.
  20443. examples:
  20444. repository:my-repository:pull,push
  20445. repository:my-repository:pull
  20446. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  20447. type: string
  20448. tenantId:
  20449. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  20450. type: string
  20451. required:
  20452. - auth
  20453. - registry
  20454. type: object
  20455. ecrAuthorizationTokenSpec:
  20456. properties:
  20457. auth:
  20458. description: Auth defines how to authenticate with AWS
  20459. properties:
  20460. jwt:
  20461. description: Authenticate against AWS using service account tokens.
  20462. properties:
  20463. serviceAccountRef:
  20464. description: A reference to a ServiceAccount resource.
  20465. properties:
  20466. audiences:
  20467. description: |-
  20468. Audience specifies the `aud` claim for the service account token
  20469. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20470. then this audiences will be appended to the list
  20471. items:
  20472. type: string
  20473. type: array
  20474. name:
  20475. description: The name of the ServiceAccount resource being referred to.
  20476. maxLength: 253
  20477. minLength: 1
  20478. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20479. type: string
  20480. namespace:
  20481. description: |-
  20482. Namespace of the resource being referred to.
  20483. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20484. maxLength: 63
  20485. minLength: 1
  20486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20487. type: string
  20488. required:
  20489. - name
  20490. type: object
  20491. type: object
  20492. secretRef:
  20493. description: |-
  20494. AWSAuthSecretRef holds secret references for AWS credentials
  20495. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  20496. properties:
  20497. accessKeyIDSecretRef:
  20498. description: The AccessKeyID is used for authentication
  20499. properties:
  20500. key:
  20501. description: |-
  20502. A key in the referenced Secret.
  20503. Some instances of this field may be defaulted, in others it may be required.
  20504. maxLength: 253
  20505. minLength: 1
  20506. pattern: ^[-._a-zA-Z0-9]+$
  20507. type: string
  20508. name:
  20509. description: The name of the Secret resource being referred to.
  20510. maxLength: 253
  20511. minLength: 1
  20512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20513. type: string
  20514. namespace:
  20515. description: |-
  20516. The namespace of the Secret resource being referred to.
  20517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20518. maxLength: 63
  20519. minLength: 1
  20520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20521. type: string
  20522. type: object
  20523. secretAccessKeySecretRef:
  20524. description: The SecretAccessKey is used for authentication
  20525. properties:
  20526. key:
  20527. description: |-
  20528. A key in the referenced Secret.
  20529. Some instances of this field may be defaulted, in others it may be required.
  20530. maxLength: 253
  20531. minLength: 1
  20532. pattern: ^[-._a-zA-Z0-9]+$
  20533. type: string
  20534. name:
  20535. description: The name of the Secret resource being referred to.
  20536. maxLength: 253
  20537. minLength: 1
  20538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20539. type: string
  20540. namespace:
  20541. description: |-
  20542. The namespace of the Secret resource being referred to.
  20543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20544. maxLength: 63
  20545. minLength: 1
  20546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20547. type: string
  20548. type: object
  20549. sessionTokenSecretRef:
  20550. description: |-
  20551. The SessionToken used for authentication
  20552. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20553. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20554. properties:
  20555. key:
  20556. description: |-
  20557. A key in the referenced Secret.
  20558. Some instances of this field may be defaulted, in others it may be required.
  20559. maxLength: 253
  20560. minLength: 1
  20561. pattern: ^[-._a-zA-Z0-9]+$
  20562. type: string
  20563. name:
  20564. description: The name of the Secret resource being referred to.
  20565. maxLength: 253
  20566. minLength: 1
  20567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20568. type: string
  20569. namespace:
  20570. description: |-
  20571. The namespace of the Secret resource being referred to.
  20572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20573. maxLength: 63
  20574. minLength: 1
  20575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20576. type: string
  20577. type: object
  20578. type: object
  20579. type: object
  20580. region:
  20581. description: Region specifies the region to operate in.
  20582. type: string
  20583. role:
  20584. description: |-
  20585. You can assume a role before making calls to the
  20586. desired AWS service.
  20587. type: string
  20588. scope:
  20589. description: |-
  20590. Scope specifies the ECR service scope.
  20591. Valid options are private and public.
  20592. type: string
  20593. required:
  20594. - region
  20595. type: object
  20596. fakeSpec:
  20597. description: FakeSpec contains the static data.
  20598. properties:
  20599. controller:
  20600. description: |-
  20601. Used to select the correct ESO controller (think: ingress.ingressClassName)
  20602. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  20603. type: string
  20604. data:
  20605. additionalProperties:
  20606. type: string
  20607. description: |-
  20608. Data defines the static data returned
  20609. by this generator.
  20610. type: object
  20611. type: object
  20612. gcrAccessTokenSpec:
  20613. properties:
  20614. auth:
  20615. description: Auth defines the means for authenticating with GCP
  20616. properties:
  20617. secretRef:
  20618. properties:
  20619. secretAccessKeySecretRef:
  20620. description: The SecretAccessKey is used for authentication
  20621. properties:
  20622. key:
  20623. description: |-
  20624. A key in the referenced Secret.
  20625. Some instances of this field may be defaulted, in others it may be required.
  20626. maxLength: 253
  20627. minLength: 1
  20628. pattern: ^[-._a-zA-Z0-9]+$
  20629. type: string
  20630. name:
  20631. description: The name of the Secret resource being referred to.
  20632. maxLength: 253
  20633. minLength: 1
  20634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20635. type: string
  20636. namespace:
  20637. description: |-
  20638. The namespace of the Secret resource being referred to.
  20639. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20640. maxLength: 63
  20641. minLength: 1
  20642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20643. type: string
  20644. type: object
  20645. type: object
  20646. workloadIdentity:
  20647. properties:
  20648. clusterLocation:
  20649. type: string
  20650. clusterName:
  20651. type: string
  20652. clusterProjectID:
  20653. type: string
  20654. serviceAccountRef:
  20655. description: A reference to a ServiceAccount resource.
  20656. properties:
  20657. audiences:
  20658. description: |-
  20659. Audience specifies the `aud` claim for the service account token
  20660. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20661. then this audiences will be appended to the list
  20662. items:
  20663. type: string
  20664. type: array
  20665. name:
  20666. description: The name of the ServiceAccount resource being referred to.
  20667. maxLength: 253
  20668. minLength: 1
  20669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20670. type: string
  20671. namespace:
  20672. description: |-
  20673. Namespace of the resource being referred to.
  20674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20675. maxLength: 63
  20676. minLength: 1
  20677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20678. type: string
  20679. required:
  20680. - name
  20681. type: object
  20682. required:
  20683. - clusterLocation
  20684. - clusterName
  20685. - serviceAccountRef
  20686. type: object
  20687. type: object
  20688. projectID:
  20689. description: ProjectID defines which project to use to authenticate with
  20690. type: string
  20691. required:
  20692. - auth
  20693. - projectID
  20694. type: object
  20695. githubAccessTokenSpec:
  20696. properties:
  20697. appID:
  20698. type: string
  20699. auth:
  20700. description: Auth configures how ESO authenticates with a Github instance.
  20701. properties:
  20702. privateKey:
  20703. properties:
  20704. secretRef:
  20705. description: |-
  20706. A reference to a specific 'key' within a Secret resource.
  20707. In some instances, `key` is a required field.
  20708. properties:
  20709. key:
  20710. description: |-
  20711. A key in the referenced Secret.
  20712. Some instances of this field may be defaulted, in others it may be required.
  20713. maxLength: 253
  20714. minLength: 1
  20715. pattern: ^[-._a-zA-Z0-9]+$
  20716. type: string
  20717. name:
  20718. description: The name of the Secret resource being referred to.
  20719. maxLength: 253
  20720. minLength: 1
  20721. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20722. type: string
  20723. namespace:
  20724. description: |-
  20725. The namespace of the Secret resource being referred to.
  20726. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20727. maxLength: 63
  20728. minLength: 1
  20729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20730. type: string
  20731. type: object
  20732. required:
  20733. - secretRef
  20734. type: object
  20735. required:
  20736. - privateKey
  20737. type: object
  20738. installID:
  20739. type: string
  20740. permissions:
  20741. additionalProperties:
  20742. type: string
  20743. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  20744. type: object
  20745. repositories:
  20746. description: |-
  20747. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  20748. is installed to.
  20749. items:
  20750. type: string
  20751. type: array
  20752. url:
  20753. description: URL configures the Github instance URL. Defaults to https://github.com/.
  20754. type: string
  20755. required:
  20756. - appID
  20757. - auth
  20758. - installID
  20759. type: object
  20760. grafanaSpec:
  20761. description: GrafanaSpec controls the behavior of the grafana generator.
  20762. properties:
  20763. auth:
  20764. description: |-
  20765. Auth is the authentication configuration to authenticate
  20766. against the Grafana instance.
  20767. properties:
  20768. basic:
  20769. description: |-
  20770. Basic auth credentials used to authenticate against the Grafana instance.
  20771. Note: you need a token which has elevated permissions to create service accounts.
  20772. See here for the documentation on basic roles offered by Grafana:
  20773. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  20774. properties:
  20775. password:
  20776. description: A basic auth password used to authenticate against the Grafana instance.
  20777. properties:
  20778. key:
  20779. description: The key where the token is found.
  20780. maxLength: 253
  20781. minLength: 1
  20782. pattern: ^[-._a-zA-Z0-9]+$
  20783. type: string
  20784. name:
  20785. description: The name of the Secret resource being referred to.
  20786. maxLength: 253
  20787. minLength: 1
  20788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20789. type: string
  20790. type: object
  20791. username:
  20792. description: A basic auth username used to authenticate against the Grafana instance.
  20793. type: string
  20794. required:
  20795. - password
  20796. - username
  20797. type: object
  20798. token:
  20799. description: |-
  20800. A service account token used to authenticate against the Grafana instance.
  20801. Note: you need a token which has elevated permissions to create service accounts.
  20802. See here for the documentation on basic roles offered by Grafana:
  20803. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  20804. properties:
  20805. key:
  20806. description: The key where the token is found.
  20807. maxLength: 253
  20808. minLength: 1
  20809. pattern: ^[-._a-zA-Z0-9]+$
  20810. type: string
  20811. name:
  20812. description: The name of the Secret resource being referred to.
  20813. maxLength: 253
  20814. minLength: 1
  20815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20816. type: string
  20817. type: object
  20818. type: object
  20819. serviceAccount:
  20820. description: |-
  20821. ServiceAccount is the configuration for the service account that
  20822. is supposed to be generated by the generator.
  20823. properties:
  20824. name:
  20825. description: Name is the name of the service account that will be created by ESO.
  20826. type: string
  20827. role:
  20828. description: |-
  20829. Role is the role of the service account.
  20830. See here for the documentation on basic roles offered by Grafana:
  20831. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  20832. type: string
  20833. required:
  20834. - name
  20835. - role
  20836. type: object
  20837. url:
  20838. description: URL is the URL of the Grafana instance.
  20839. type: string
  20840. required:
  20841. - auth
  20842. - serviceAccount
  20843. - url
  20844. type: object
  20845. passwordSpec:
  20846. description: PasswordSpec controls the behavior of the password generator.
  20847. properties:
  20848. allowRepeat:
  20849. default: false
  20850. description: set AllowRepeat to true to allow repeating characters.
  20851. type: boolean
  20852. digits:
  20853. description: |-
  20854. Digits specifies the number of digits in the generated
  20855. password. If omitted it defaults to 25% of the length of the password
  20856. type: integer
  20857. length:
  20858. default: 24
  20859. description: |-
  20860. Length of the password to be generated.
  20861. Defaults to 24
  20862. type: integer
  20863. noUpper:
  20864. default: false
  20865. description: Set NoUpper to disable uppercase characters
  20866. type: boolean
  20867. symbolCharacters:
  20868. description: |-
  20869. SymbolCharacters specifies the special characters that should be used
  20870. in the generated password.
  20871. type: string
  20872. symbols:
  20873. description: |-
  20874. Symbols specifies the number of symbol characters in the generated
  20875. password. If omitted it defaults to 25% of the length of the password
  20876. type: integer
  20877. required:
  20878. - allowRepeat
  20879. - length
  20880. - noUpper
  20881. type: object
  20882. quayAccessTokenSpec:
  20883. properties:
  20884. robotAccount:
  20885. description: Name of the robot account you are federating with
  20886. type: string
  20887. serviceAccountRef:
  20888. description: Name of the service account you are federating with
  20889. properties:
  20890. audiences:
  20891. description: |-
  20892. Audience specifies the `aud` claim for the service account token
  20893. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20894. then this audiences will be appended to the list
  20895. items:
  20896. type: string
  20897. type: array
  20898. name:
  20899. description: The name of the ServiceAccount resource being referred to.
  20900. maxLength: 253
  20901. minLength: 1
  20902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20903. type: string
  20904. namespace:
  20905. description: |-
  20906. Namespace of the resource being referred to.
  20907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20908. maxLength: 63
  20909. minLength: 1
  20910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20911. type: string
  20912. required:
  20913. - name
  20914. type: object
  20915. url:
  20916. description: URL configures the Quay instance URL. Defaults to quay.io.
  20917. type: string
  20918. required:
  20919. - robotAccount
  20920. - serviceAccountRef
  20921. type: object
  20922. stsSessionTokenSpec:
  20923. properties:
  20924. auth:
  20925. description: Auth defines how to authenticate with AWS
  20926. properties:
  20927. jwt:
  20928. description: Authenticate against AWS using service account tokens.
  20929. properties:
  20930. serviceAccountRef:
  20931. description: A reference to a ServiceAccount resource.
  20932. properties:
  20933. audiences:
  20934. description: |-
  20935. Audience specifies the `aud` claim for the service account token
  20936. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20937. then this audiences will be appended to the list
  20938. items:
  20939. type: string
  20940. type: array
  20941. name:
  20942. description: The name of the ServiceAccount resource being referred to.
  20943. maxLength: 253
  20944. minLength: 1
  20945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20946. type: string
  20947. namespace:
  20948. description: |-
  20949. Namespace of the resource being referred to.
  20950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20951. maxLength: 63
  20952. minLength: 1
  20953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20954. type: string
  20955. required:
  20956. - name
  20957. type: object
  20958. type: object
  20959. secretRef:
  20960. description: |-
  20961. AWSAuthSecretRef holds secret references for AWS credentials
  20962. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  20963. properties:
  20964. accessKeyIDSecretRef:
  20965. description: The AccessKeyID is used for authentication
  20966. properties:
  20967. key:
  20968. description: |-
  20969. A key in the referenced Secret.
  20970. Some instances of this field may be defaulted, in others it may be required.
  20971. maxLength: 253
  20972. minLength: 1
  20973. pattern: ^[-._a-zA-Z0-9]+$
  20974. type: string
  20975. name:
  20976. description: The name of the Secret resource being referred to.
  20977. maxLength: 253
  20978. minLength: 1
  20979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20980. type: string
  20981. namespace:
  20982. description: |-
  20983. The namespace of the Secret resource being referred to.
  20984. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20985. maxLength: 63
  20986. minLength: 1
  20987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20988. type: string
  20989. type: object
  20990. secretAccessKeySecretRef:
  20991. description: The SecretAccessKey is used for authentication
  20992. properties:
  20993. key:
  20994. description: |-
  20995. A key in the referenced Secret.
  20996. Some instances of this field may be defaulted, in others it may be required.
  20997. maxLength: 253
  20998. minLength: 1
  20999. pattern: ^[-._a-zA-Z0-9]+$
  21000. type: string
  21001. name:
  21002. description: The name of the Secret resource being referred to.
  21003. maxLength: 253
  21004. minLength: 1
  21005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21006. type: string
  21007. namespace:
  21008. description: |-
  21009. The namespace of the Secret resource being referred to.
  21010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21011. maxLength: 63
  21012. minLength: 1
  21013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21014. type: string
  21015. type: object
  21016. sessionTokenSecretRef:
  21017. description: |-
  21018. The SessionToken used for authentication
  21019. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  21020. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21021. properties:
  21022. key:
  21023. description: |-
  21024. A key in the referenced Secret.
  21025. Some instances of this field may be defaulted, in others it may be required.
  21026. maxLength: 253
  21027. minLength: 1
  21028. pattern: ^[-._a-zA-Z0-9]+$
  21029. type: string
  21030. name:
  21031. description: The name of the Secret resource being referred to.
  21032. maxLength: 253
  21033. minLength: 1
  21034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21035. type: string
  21036. namespace:
  21037. description: |-
  21038. The namespace of the Secret resource being referred to.
  21039. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21040. maxLength: 63
  21041. minLength: 1
  21042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21043. type: string
  21044. type: object
  21045. type: object
  21046. type: object
  21047. region:
  21048. description: Region specifies the region to operate in.
  21049. type: string
  21050. requestParameters:
  21051. description: RequestParameters contains parameters that can be passed to the STS service.
  21052. properties:
  21053. serialNumber:
  21054. description: |-
  21055. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  21056. the GetSessionToken call.
  21057. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  21058. (such as arn:aws:iam::123456789012:mfa/user)
  21059. type: string
  21060. sessionDuration:
  21061. description: |-
  21062. SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
  21063. IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
  21064. (12 hours) as the default.
  21065. format: int64
  21066. type: integer
  21067. tokenCode:
  21068. description: TokenCode is the value provided by the MFA device, if MFA is required.
  21069. type: string
  21070. type: object
  21071. role:
  21072. description: |-
  21073. You can assume a role before making calls to the
  21074. desired AWS service.
  21075. type: string
  21076. required:
  21077. - region
  21078. type: object
  21079. uuidSpec:
  21080. description: UUIDSpec controls the behavior of the uuid generator.
  21081. type: object
  21082. vaultDynamicSecretSpec:
  21083. properties:
  21084. allowEmptyResponse:
  21085. default: false
  21086. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  21087. type: boolean
  21088. controller:
  21089. description: |-
  21090. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21091. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  21092. type: string
  21093. method:
  21094. description: Vault API method to use (GET/POST/other)
  21095. type: string
  21096. parameters:
  21097. description: Parameters to pass to Vault write (for non-GET methods)
  21098. x-kubernetes-preserve-unknown-fields: true
  21099. path:
  21100. description: Vault path to obtain the dynamic secret from
  21101. type: string
  21102. provider:
  21103. description: Vault provider common spec
  21104. properties:
  21105. auth:
  21106. description: Auth configures how secret-manager authenticates with the Vault server.
  21107. properties:
  21108. appRole:
  21109. description: |-
  21110. AppRole authenticates with Vault using the App Role auth mechanism,
  21111. with the role and secret stored in a Kubernetes Secret resource.
  21112. properties:
  21113. path:
  21114. default: approle
  21115. description: |-
  21116. Path where the App Role authentication backend is mounted
  21117. in Vault, e.g: "approle"
  21118. type: string
  21119. roleId:
  21120. description: |-
  21121. RoleID configured in the App Role authentication backend when setting
  21122. up the authentication backend in Vault.
  21123. type: string
  21124. roleRef:
  21125. description: |-
  21126. Reference to a key in a Secret that contains the App Role ID used
  21127. to authenticate with Vault.
  21128. The `key` field must be specified and denotes which entry within the Secret
  21129. resource is used as the app role id.
  21130. properties:
  21131. key:
  21132. description: |-
  21133. A key in the referenced Secret.
  21134. Some instances of this field may be defaulted, in others it may be required.
  21135. maxLength: 253
  21136. minLength: 1
  21137. pattern: ^[-._a-zA-Z0-9]+$
  21138. type: string
  21139. name:
  21140. description: The name of the Secret resource being referred to.
  21141. maxLength: 253
  21142. minLength: 1
  21143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21144. type: string
  21145. namespace:
  21146. description: |-
  21147. The namespace of the Secret resource being referred to.
  21148. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21149. maxLength: 63
  21150. minLength: 1
  21151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21152. type: string
  21153. type: object
  21154. secretRef:
  21155. description: |-
  21156. Reference to a key in a Secret that contains the App Role secret used
  21157. to authenticate with Vault.
  21158. The `key` field must be specified and denotes which entry within the Secret
  21159. resource is used as the app role secret.
  21160. properties:
  21161. key:
  21162. description: |-
  21163. A key in the referenced Secret.
  21164. Some instances of this field may be defaulted, in others it may be required.
  21165. maxLength: 253
  21166. minLength: 1
  21167. pattern: ^[-._a-zA-Z0-9]+$
  21168. type: string
  21169. name:
  21170. description: The name of the Secret resource being referred to.
  21171. maxLength: 253
  21172. minLength: 1
  21173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21174. type: string
  21175. namespace:
  21176. description: |-
  21177. The namespace of the Secret resource being referred to.
  21178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21179. maxLength: 63
  21180. minLength: 1
  21181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21182. type: string
  21183. type: object
  21184. required:
  21185. - path
  21186. - secretRef
  21187. type: object
  21188. cert:
  21189. description: |-
  21190. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  21191. Cert authentication method
  21192. properties:
  21193. clientCert:
  21194. description: |-
  21195. ClientCert is a certificate to authenticate using the Cert Vault
  21196. authentication method
  21197. properties:
  21198. key:
  21199. description: |-
  21200. A key in the referenced Secret.
  21201. Some instances of this field may be defaulted, in others it may be required.
  21202. maxLength: 253
  21203. minLength: 1
  21204. pattern: ^[-._a-zA-Z0-9]+$
  21205. type: string
  21206. name:
  21207. description: The name of the Secret resource being referred to.
  21208. maxLength: 253
  21209. minLength: 1
  21210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21211. type: string
  21212. namespace:
  21213. description: |-
  21214. The namespace of the Secret resource being referred to.
  21215. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21216. maxLength: 63
  21217. minLength: 1
  21218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21219. type: string
  21220. type: object
  21221. secretRef:
  21222. description: |-
  21223. SecretRef to a key in a Secret resource containing client private key to
  21224. authenticate with Vault using the Cert authentication method
  21225. properties:
  21226. key:
  21227. description: |-
  21228. A key in the referenced Secret.
  21229. Some instances of this field may be defaulted, in others it may be required.
  21230. maxLength: 253
  21231. minLength: 1
  21232. pattern: ^[-._a-zA-Z0-9]+$
  21233. type: string
  21234. name:
  21235. description: The name of the Secret resource being referred to.
  21236. maxLength: 253
  21237. minLength: 1
  21238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21239. type: string
  21240. namespace:
  21241. description: |-
  21242. The namespace of the Secret resource being referred to.
  21243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21244. maxLength: 63
  21245. minLength: 1
  21246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21247. type: string
  21248. type: object
  21249. type: object
  21250. iam:
  21251. description: |-
  21252. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  21253. AWS IAM authentication method
  21254. properties:
  21255. externalID:
  21256. description: AWS External ID set on assumed IAM roles
  21257. type: string
  21258. jwt:
  21259. description: Specify a service account with IRSA enabled
  21260. properties:
  21261. serviceAccountRef:
  21262. description: A reference to a ServiceAccount resource.
  21263. properties:
  21264. audiences:
  21265. description: |-
  21266. Audience specifies the `aud` claim for the service account token
  21267. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21268. then this audiences will be appended to the list
  21269. items:
  21270. type: string
  21271. type: array
  21272. name:
  21273. description: The name of the ServiceAccount resource being referred to.
  21274. maxLength: 253
  21275. minLength: 1
  21276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21277. type: string
  21278. namespace:
  21279. description: |-
  21280. Namespace of the resource being referred to.
  21281. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21282. maxLength: 63
  21283. minLength: 1
  21284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21285. type: string
  21286. required:
  21287. - name
  21288. type: object
  21289. type: object
  21290. path:
  21291. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  21292. type: string
  21293. region:
  21294. description: AWS region
  21295. type: string
  21296. role:
  21297. description: This is the AWS role to be assumed before talking to vault
  21298. type: string
  21299. secretRef:
  21300. description: Specify credentials in a Secret object
  21301. properties:
  21302. accessKeyIDSecretRef:
  21303. description: The AccessKeyID is used for authentication
  21304. properties:
  21305. key:
  21306. description: |-
  21307. A key in the referenced Secret.
  21308. Some instances of this field may be defaulted, in others it may be required.
  21309. maxLength: 253
  21310. minLength: 1
  21311. pattern: ^[-._a-zA-Z0-9]+$
  21312. type: string
  21313. name:
  21314. description: The name of the Secret resource being referred to.
  21315. maxLength: 253
  21316. minLength: 1
  21317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21318. type: string
  21319. namespace:
  21320. description: |-
  21321. The namespace of the Secret resource being referred to.
  21322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21323. maxLength: 63
  21324. minLength: 1
  21325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21326. type: string
  21327. type: object
  21328. secretAccessKeySecretRef:
  21329. description: The SecretAccessKey is used for authentication
  21330. properties:
  21331. key:
  21332. description: |-
  21333. A key in the referenced Secret.
  21334. Some instances of this field may be defaulted, in others it may be required.
  21335. maxLength: 253
  21336. minLength: 1
  21337. pattern: ^[-._a-zA-Z0-9]+$
  21338. type: string
  21339. name:
  21340. description: The name of the Secret resource being referred to.
  21341. maxLength: 253
  21342. minLength: 1
  21343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21344. type: string
  21345. namespace:
  21346. description: |-
  21347. The namespace of the Secret resource being referred to.
  21348. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21349. maxLength: 63
  21350. minLength: 1
  21351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21352. type: string
  21353. type: object
  21354. sessionTokenSecretRef:
  21355. description: |-
  21356. The SessionToken used for authentication
  21357. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  21358. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21359. properties:
  21360. key:
  21361. description: |-
  21362. A key in the referenced Secret.
  21363. Some instances of this field may be defaulted, in others it may be required.
  21364. maxLength: 253
  21365. minLength: 1
  21366. pattern: ^[-._a-zA-Z0-9]+$
  21367. type: string
  21368. name:
  21369. description: The name of the Secret resource being referred to.
  21370. maxLength: 253
  21371. minLength: 1
  21372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21373. type: string
  21374. namespace:
  21375. description: |-
  21376. The namespace of the Secret resource being referred to.
  21377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21378. maxLength: 63
  21379. minLength: 1
  21380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21381. type: string
  21382. type: object
  21383. type: object
  21384. vaultAwsIamServerID:
  21385. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  21386. type: string
  21387. vaultRole:
  21388. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  21389. type: string
  21390. required:
  21391. - vaultRole
  21392. type: object
  21393. jwt:
  21394. description: |-
  21395. Jwt authenticates with Vault by passing role and JWT token using the
  21396. JWT/OIDC authentication method
  21397. properties:
  21398. kubernetesServiceAccountToken:
  21399. description: |-
  21400. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  21401. a token for with the `TokenRequest` API.
  21402. properties:
  21403. audiences:
  21404. description: |-
  21405. Optional audiences field that will be used to request a temporary Kubernetes service
  21406. account token for the service account referenced by `serviceAccountRef`.
  21407. Defaults to a single audience `vault` it not specified.
  21408. Deprecated: use serviceAccountRef.Audiences instead
  21409. items:
  21410. type: string
  21411. type: array
  21412. expirationSeconds:
  21413. description: |-
  21414. Optional expiration time in seconds that will be used to request a temporary
  21415. Kubernetes service account token for the service account referenced by
  21416. `serviceAccountRef`.
  21417. Deprecated: this will be removed in the future.
  21418. Defaults to 10 minutes.
  21419. format: int64
  21420. type: integer
  21421. serviceAccountRef:
  21422. description: Service account field containing the name of a kubernetes ServiceAccount.
  21423. properties:
  21424. audiences:
  21425. description: |-
  21426. Audience specifies the `aud` claim for the service account token
  21427. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21428. then this audiences will be appended to the list
  21429. items:
  21430. type: string
  21431. type: array
  21432. name:
  21433. description: The name of the ServiceAccount resource being referred to.
  21434. maxLength: 253
  21435. minLength: 1
  21436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21437. type: string
  21438. namespace:
  21439. description: |-
  21440. Namespace of the resource being referred to.
  21441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21442. maxLength: 63
  21443. minLength: 1
  21444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21445. type: string
  21446. required:
  21447. - name
  21448. type: object
  21449. required:
  21450. - serviceAccountRef
  21451. type: object
  21452. path:
  21453. default: jwt
  21454. description: |-
  21455. Path where the JWT authentication backend is mounted
  21456. in Vault, e.g: "jwt"
  21457. type: string
  21458. role:
  21459. description: |-
  21460. Role is a JWT role to authenticate using the JWT/OIDC Vault
  21461. authentication method
  21462. type: string
  21463. secretRef:
  21464. description: |-
  21465. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  21466. authenticate with Vault using the JWT/OIDC authentication method.
  21467. properties:
  21468. key:
  21469. description: |-
  21470. A key in the referenced Secret.
  21471. Some instances of this field may be defaulted, in others it may be required.
  21472. maxLength: 253
  21473. minLength: 1
  21474. pattern: ^[-._a-zA-Z0-9]+$
  21475. type: string
  21476. name:
  21477. description: The name of the Secret resource being referred to.
  21478. maxLength: 253
  21479. minLength: 1
  21480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21481. type: string
  21482. namespace:
  21483. description: |-
  21484. The namespace of the Secret resource being referred to.
  21485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21486. maxLength: 63
  21487. minLength: 1
  21488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21489. type: string
  21490. type: object
  21491. required:
  21492. - path
  21493. type: object
  21494. kubernetes:
  21495. description: |-
  21496. Kubernetes authenticates with Vault by passing the ServiceAccount
  21497. token stored in the named Secret resource to the Vault server.
  21498. properties:
  21499. mountPath:
  21500. default: kubernetes
  21501. description: |-
  21502. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  21503. "kubernetes"
  21504. type: string
  21505. role:
  21506. description: |-
  21507. A required field containing the Vault Role to assume. A Role binds a
  21508. Kubernetes ServiceAccount with a set of Vault policies.
  21509. type: string
  21510. secretRef:
  21511. description: |-
  21512. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21513. for authenticating with Vault. If a name is specified without a key,
  21514. `token` is the default. If one is not specified, the one bound to
  21515. the controller will be used.
  21516. properties:
  21517. key:
  21518. description: |-
  21519. A key in the referenced Secret.
  21520. Some instances of this field may be defaulted, in others it may be required.
  21521. maxLength: 253
  21522. minLength: 1
  21523. pattern: ^[-._a-zA-Z0-9]+$
  21524. type: string
  21525. name:
  21526. description: The name of the Secret resource being referred to.
  21527. maxLength: 253
  21528. minLength: 1
  21529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21530. type: string
  21531. namespace:
  21532. description: |-
  21533. The namespace of the Secret resource being referred to.
  21534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21535. maxLength: 63
  21536. minLength: 1
  21537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21538. type: string
  21539. type: object
  21540. serviceAccountRef:
  21541. description: |-
  21542. Optional service account field containing the name of a kubernetes ServiceAccount.
  21543. If the service account is specified, the service account secret token JWT will be used
  21544. for authenticating with Vault. If the service account selector is not supplied,
  21545. the secretRef will be used instead.
  21546. properties:
  21547. audiences:
  21548. description: |-
  21549. Audience specifies the `aud` claim for the service account token
  21550. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21551. then this audiences will be appended to the list
  21552. items:
  21553. type: string
  21554. type: array
  21555. name:
  21556. description: The name of the ServiceAccount resource being referred to.
  21557. maxLength: 253
  21558. minLength: 1
  21559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21560. type: string
  21561. namespace:
  21562. description: |-
  21563. Namespace of the resource being referred to.
  21564. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21565. maxLength: 63
  21566. minLength: 1
  21567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21568. type: string
  21569. required:
  21570. - name
  21571. type: object
  21572. required:
  21573. - mountPath
  21574. - role
  21575. type: object
  21576. ldap:
  21577. description: |-
  21578. Ldap authenticates with Vault by passing username/password pair using
  21579. the LDAP authentication method
  21580. properties:
  21581. path:
  21582. default: ldap
  21583. description: |-
  21584. Path where the LDAP authentication backend is mounted
  21585. in Vault, e.g: "ldap"
  21586. type: string
  21587. secretRef:
  21588. description: |-
  21589. SecretRef to a key in a Secret resource containing password for the LDAP
  21590. user used to authenticate with Vault using the LDAP authentication
  21591. method
  21592. properties:
  21593. key:
  21594. description: |-
  21595. A key in the referenced Secret.
  21596. Some instances of this field may be defaulted, in others it may be required.
  21597. maxLength: 253
  21598. minLength: 1
  21599. pattern: ^[-._a-zA-Z0-9]+$
  21600. type: string
  21601. name:
  21602. description: The name of the Secret resource being referred to.
  21603. maxLength: 253
  21604. minLength: 1
  21605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21606. type: string
  21607. namespace:
  21608. description: |-
  21609. The namespace of the Secret resource being referred to.
  21610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21611. maxLength: 63
  21612. minLength: 1
  21613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21614. type: string
  21615. type: object
  21616. username:
  21617. description: |-
  21618. Username is an LDAP username used to authenticate using the LDAP Vault
  21619. authentication method
  21620. type: string
  21621. required:
  21622. - path
  21623. - username
  21624. type: object
  21625. namespace:
  21626. description: |-
  21627. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  21628. Namespaces is a set of features within Vault Enterprise that allows
  21629. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  21630. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  21631. This will default to Vault.Namespace field if set, or empty otherwise
  21632. type: string
  21633. tokenSecretRef:
  21634. description: TokenSecretRef authenticates with Vault by presenting a token.
  21635. properties:
  21636. key:
  21637. description: |-
  21638. A key in the referenced Secret.
  21639. Some instances of this field may be defaulted, in others it may be required.
  21640. maxLength: 253
  21641. minLength: 1
  21642. pattern: ^[-._a-zA-Z0-9]+$
  21643. type: string
  21644. name:
  21645. description: The name of the Secret resource being referred to.
  21646. maxLength: 253
  21647. minLength: 1
  21648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21649. type: string
  21650. namespace:
  21651. description: |-
  21652. The namespace of the Secret resource being referred to.
  21653. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21654. maxLength: 63
  21655. minLength: 1
  21656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21657. type: string
  21658. type: object
  21659. userPass:
  21660. description: UserPass authenticates with Vault by passing username/password pair
  21661. properties:
  21662. path:
  21663. default: userpass
  21664. description: |-
  21665. Path where the UserPassword authentication backend is mounted
  21666. in Vault, e.g: "userpass"
  21667. type: string
  21668. secretRef:
  21669. description: |-
  21670. SecretRef to a key in a Secret resource containing password for the
  21671. user used to authenticate with Vault using the UserPass authentication
  21672. method
  21673. properties:
  21674. key:
  21675. description: |-
  21676. A key in the referenced Secret.
  21677. Some instances of this field may be defaulted, in others it may be required.
  21678. maxLength: 253
  21679. minLength: 1
  21680. pattern: ^[-._a-zA-Z0-9]+$
  21681. type: string
  21682. name:
  21683. description: The name of the Secret resource being referred to.
  21684. maxLength: 253
  21685. minLength: 1
  21686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21687. type: string
  21688. namespace:
  21689. description: |-
  21690. The namespace of the Secret resource being referred to.
  21691. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21692. maxLength: 63
  21693. minLength: 1
  21694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21695. type: string
  21696. type: object
  21697. username:
  21698. description: |-
  21699. Username is a username used to authenticate using the UserPass Vault
  21700. authentication method
  21701. type: string
  21702. required:
  21703. - path
  21704. - username
  21705. type: object
  21706. type: object
  21707. caBundle:
  21708. description: |-
  21709. PEM encoded CA bundle used to validate Vault server certificate. Only used
  21710. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21711. plain HTTP protocol connection. If not set the system root certificates
  21712. are used to validate the TLS connection.
  21713. format: byte
  21714. type: string
  21715. caProvider:
  21716. description: The provider for the CA bundle to use to validate Vault server certificate.
  21717. properties:
  21718. key:
  21719. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21720. maxLength: 253
  21721. minLength: 1
  21722. pattern: ^[-._a-zA-Z0-9]+$
  21723. type: string
  21724. name:
  21725. description: The name of the object located at the provider type.
  21726. maxLength: 253
  21727. minLength: 1
  21728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21729. type: string
  21730. namespace:
  21731. description: |-
  21732. The namespace the Provider type is in.
  21733. Can only be defined when used in a ClusterSecretStore.
  21734. maxLength: 63
  21735. minLength: 1
  21736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21737. type: string
  21738. type:
  21739. description: The type of provider to use such as "Secret", or "ConfigMap".
  21740. enum:
  21741. - Secret
  21742. - ConfigMap
  21743. type: string
  21744. required:
  21745. - name
  21746. - type
  21747. type: object
  21748. forwardInconsistent:
  21749. description: |-
  21750. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  21751. leader instead of simply retrying within a loop. This can increase performance if
  21752. the option is enabled serverside.
  21753. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  21754. type: boolean
  21755. headers:
  21756. additionalProperties:
  21757. type: string
  21758. description: Headers to be added in Vault request
  21759. type: object
  21760. namespace:
  21761. description: |-
  21762. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  21763. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  21764. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  21765. type: string
  21766. path:
  21767. description: |-
  21768. Path is the mount path of the Vault KV backend endpoint, e.g:
  21769. "secret". The v2 KV secret engine version specific "/data" path suffix
  21770. for fetching secrets from Vault is optional and will be appended
  21771. if not present in specified path.
  21772. type: string
  21773. readYourWrites:
  21774. description: |-
  21775. ReadYourWrites ensures isolated read-after-write semantics by
  21776. providing discovered cluster replication states in each request.
  21777. More information about eventual consistency in Vault can be found here
  21778. https://www.vaultproject.io/docs/enterprise/consistency
  21779. type: boolean
  21780. server:
  21781. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  21782. type: string
  21783. tls:
  21784. description: |-
  21785. The configuration used for client side related TLS communication, when the Vault server
  21786. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  21787. This parameter is ignored for plain HTTP protocol connection.
  21788. It's worth noting this configuration is different from the "TLS certificates auth method",
  21789. which is available under the `auth.cert` section.
  21790. properties:
  21791. certSecretRef:
  21792. description: |-
  21793. CertSecretRef is a certificate added to the transport layer
  21794. when communicating with the Vault server.
  21795. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  21796. properties:
  21797. key:
  21798. description: |-
  21799. A key in the referenced Secret.
  21800. Some instances of this field may be defaulted, in others it may be required.
  21801. maxLength: 253
  21802. minLength: 1
  21803. pattern: ^[-._a-zA-Z0-9]+$
  21804. type: string
  21805. name:
  21806. description: The name of the Secret resource being referred to.
  21807. maxLength: 253
  21808. minLength: 1
  21809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21810. type: string
  21811. namespace:
  21812. description: |-
  21813. The namespace of the Secret resource being referred to.
  21814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21815. maxLength: 63
  21816. minLength: 1
  21817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21818. type: string
  21819. type: object
  21820. keySecretRef:
  21821. description: |-
  21822. KeySecretRef to a key in a Secret resource containing client private key
  21823. added to the transport layer when communicating with the Vault server.
  21824. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  21825. properties:
  21826. key:
  21827. description: |-
  21828. A key in the referenced Secret.
  21829. Some instances of this field may be defaulted, in others it may be required.
  21830. maxLength: 253
  21831. minLength: 1
  21832. pattern: ^[-._a-zA-Z0-9]+$
  21833. type: string
  21834. name:
  21835. description: The name of the Secret resource being referred to.
  21836. maxLength: 253
  21837. minLength: 1
  21838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21839. type: string
  21840. namespace:
  21841. description: |-
  21842. The namespace of the Secret resource being referred to.
  21843. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21844. maxLength: 63
  21845. minLength: 1
  21846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21847. type: string
  21848. type: object
  21849. type: object
  21850. version:
  21851. default: v2
  21852. description: |-
  21853. Version is the Vault KV secret engine version. This can be either "v1" or
  21854. "v2". Version defaults to "v2".
  21855. enum:
  21856. - v1
  21857. - v2
  21858. type: string
  21859. required:
  21860. - server
  21861. type: object
  21862. resultType:
  21863. default: Data
  21864. description: |-
  21865. Result type defines which data is returned from the generator.
  21866. By default it is the "data" section of the Vault API response.
  21867. When using e.g. /auth/token/create the "data" section is empty but
  21868. the "auth" section contains the generated token.
  21869. Please refer to the vault docs regarding the result data structure.
  21870. Additionally, accessing the raw response is possibly by using "Raw" result type.
  21871. enum:
  21872. - Data
  21873. - Auth
  21874. - Raw
  21875. type: string
  21876. retrySettings:
  21877. description: Used to configure http retries if failed
  21878. properties:
  21879. maxRetries:
  21880. format: int32
  21881. type: integer
  21882. retryInterval:
  21883. type: string
  21884. type: object
  21885. required:
  21886. - path
  21887. - provider
  21888. type: object
  21889. webhookSpec:
  21890. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  21891. properties:
  21892. body:
  21893. description: Body
  21894. type: string
  21895. caBundle:
  21896. description: |-
  21897. PEM encoded CA bundle used to validate webhook server certificate. Only used
  21898. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21899. plain HTTP protocol connection. If not set the system root certificates
  21900. are used to validate the TLS connection.
  21901. format: byte
  21902. type: string
  21903. caProvider:
  21904. description: The provider for the CA bundle to use to validate webhook server certificate.
  21905. properties:
  21906. key:
  21907. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21908. maxLength: 253
  21909. minLength: 1
  21910. pattern: ^[-._a-zA-Z0-9]+$
  21911. type: string
  21912. name:
  21913. description: The name of the object located at the provider type.
  21914. maxLength: 253
  21915. minLength: 1
  21916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21917. type: string
  21918. namespace:
  21919. description: The namespace the Provider type is in.
  21920. maxLength: 63
  21921. minLength: 1
  21922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21923. type: string
  21924. type:
  21925. description: The type of provider to use such as "Secret", or "ConfigMap".
  21926. enum:
  21927. - Secret
  21928. - ConfigMap
  21929. type: string
  21930. required:
  21931. - name
  21932. - type
  21933. type: object
  21934. headers:
  21935. additionalProperties:
  21936. type: string
  21937. description: Headers
  21938. type: object
  21939. method:
  21940. description: Webhook Method
  21941. type: string
  21942. result:
  21943. description: Result formatting
  21944. properties:
  21945. jsonPath:
  21946. description: Json path of return value
  21947. type: string
  21948. type: object
  21949. secrets:
  21950. description: |-
  21951. Secrets to fill in templates
  21952. These secrets will be passed to the templating function as key value pairs under the given name
  21953. items:
  21954. properties:
  21955. name:
  21956. description: Name of this secret in templates
  21957. type: string
  21958. secretRef:
  21959. description: Secret ref to fill in credentials
  21960. properties:
  21961. key:
  21962. description: The key where the token is found.
  21963. maxLength: 253
  21964. minLength: 1
  21965. pattern: ^[-._a-zA-Z0-9]+$
  21966. type: string
  21967. name:
  21968. description: The name of the Secret resource being referred to.
  21969. maxLength: 253
  21970. minLength: 1
  21971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21972. type: string
  21973. type: object
  21974. required:
  21975. - name
  21976. - secretRef
  21977. type: object
  21978. type: array
  21979. timeout:
  21980. description: Timeout
  21981. type: string
  21982. url:
  21983. description: Webhook url to call
  21984. type: string
  21985. required:
  21986. - result
  21987. - url
  21988. type: object
  21989. type: object
  21990. kind:
  21991. description: Kind the kind of this generator.
  21992. enum:
  21993. - ACRAccessToken
  21994. - ECRAuthorizationToken
  21995. - Fake
  21996. - GCRAccessToken
  21997. - GithubAccessToken
  21998. - QuayAccessToken
  21999. - Password
  22000. - STSSessionToken
  22001. - UUID
  22002. - VaultDynamicSecret
  22003. - Webhook
  22004. - Grafana
  22005. type: string
  22006. required:
  22007. - generator
  22008. - kind
  22009. type: object
  22010. type: object
  22011. served: true
  22012. storage: true
  22013. subresources:
  22014. status: {}
  22015. conversion:
  22016. strategy: Webhook
  22017. webhook:
  22018. conversionReviewVersions:
  22019. - v1
  22020. clientConfig:
  22021. service:
  22022. name: kubernetes
  22023. namespace: default
  22024. path: /convert
  22025. ---
  22026. apiVersion: apiextensions.k8s.io/v1
  22027. kind: CustomResourceDefinition
  22028. metadata:
  22029. annotations:
  22030. controller-gen.kubebuilder.io/version: v0.17.3
  22031. labels:
  22032. external-secrets.io/component: controller
  22033. name: ecrauthorizationtokens.generators.external-secrets.io
  22034. spec:
  22035. group: generators.external-secrets.io
  22036. names:
  22037. categories:
  22038. - external-secrets
  22039. - external-secrets-generators
  22040. kind: ECRAuthorizationToken
  22041. listKind: ECRAuthorizationTokenList
  22042. plural: ecrauthorizationtokens
  22043. singular: ecrauthorizationtoken
  22044. scope: Namespaced
  22045. versions:
  22046. - name: v1alpha1
  22047. schema:
  22048. openAPIV3Schema:
  22049. description: |-
  22050. ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
  22051. authorization token.
  22052. The authorization token is valid for 12 hours.
  22053. The authorizationToken returned is a base64 encoded string that can be decoded
  22054. and used in a docker login command to authenticate to a registry.
  22055. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  22056. properties:
  22057. apiVersion:
  22058. description: |-
  22059. APIVersion defines the versioned schema of this representation of an object.
  22060. Servers should convert recognized schemas to the latest internal value, and
  22061. may reject unrecognized values.
  22062. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22063. type: string
  22064. kind:
  22065. description: |-
  22066. Kind is a string value representing the REST resource this object represents.
  22067. Servers may infer this from the endpoint the client submits requests to.
  22068. Cannot be updated.
  22069. In CamelCase.
  22070. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22071. type: string
  22072. metadata:
  22073. type: object
  22074. spec:
  22075. properties:
  22076. auth:
  22077. description: Auth defines how to authenticate with AWS
  22078. properties:
  22079. jwt:
  22080. description: Authenticate against AWS using service account tokens.
  22081. properties:
  22082. serviceAccountRef:
  22083. description: A reference to a ServiceAccount resource.
  22084. properties:
  22085. audiences:
  22086. description: |-
  22087. Audience specifies the `aud` claim for the service account token
  22088. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22089. then this audiences will be appended to the list
  22090. items:
  22091. type: string
  22092. type: array
  22093. name:
  22094. description: The name of the ServiceAccount resource being referred to.
  22095. maxLength: 253
  22096. minLength: 1
  22097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22098. type: string
  22099. namespace:
  22100. description: |-
  22101. Namespace of the resource being referred to.
  22102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22103. maxLength: 63
  22104. minLength: 1
  22105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22106. type: string
  22107. required:
  22108. - name
  22109. type: object
  22110. type: object
  22111. secretRef:
  22112. description: |-
  22113. AWSAuthSecretRef holds secret references for AWS credentials
  22114. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  22115. properties:
  22116. accessKeyIDSecretRef:
  22117. description: The AccessKeyID is used for authentication
  22118. properties:
  22119. key:
  22120. description: |-
  22121. A key in the referenced Secret.
  22122. Some instances of this field may be defaulted, in others it may be required.
  22123. maxLength: 253
  22124. minLength: 1
  22125. pattern: ^[-._a-zA-Z0-9]+$
  22126. type: string
  22127. name:
  22128. description: The name of the Secret resource being referred to.
  22129. maxLength: 253
  22130. minLength: 1
  22131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22132. type: string
  22133. namespace:
  22134. description: |-
  22135. The namespace of the Secret resource being referred to.
  22136. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22137. maxLength: 63
  22138. minLength: 1
  22139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22140. type: string
  22141. type: object
  22142. secretAccessKeySecretRef:
  22143. description: The SecretAccessKey is used for authentication
  22144. properties:
  22145. key:
  22146. description: |-
  22147. A key in the referenced Secret.
  22148. Some instances of this field may be defaulted, in others it may be required.
  22149. maxLength: 253
  22150. minLength: 1
  22151. pattern: ^[-._a-zA-Z0-9]+$
  22152. type: string
  22153. name:
  22154. description: The name of the Secret resource being referred to.
  22155. maxLength: 253
  22156. minLength: 1
  22157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22158. type: string
  22159. namespace:
  22160. description: |-
  22161. The namespace of the Secret resource being referred to.
  22162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22163. maxLength: 63
  22164. minLength: 1
  22165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22166. type: string
  22167. type: object
  22168. sessionTokenSecretRef:
  22169. description: |-
  22170. The SessionToken used for authentication
  22171. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  22172. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  22173. properties:
  22174. key:
  22175. description: |-
  22176. A key in the referenced Secret.
  22177. Some instances of this field may be defaulted, in others it may be required.
  22178. maxLength: 253
  22179. minLength: 1
  22180. pattern: ^[-._a-zA-Z0-9]+$
  22181. type: string
  22182. name:
  22183. description: The name of the Secret resource being referred to.
  22184. maxLength: 253
  22185. minLength: 1
  22186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22187. type: string
  22188. namespace:
  22189. description: |-
  22190. The namespace of the Secret resource being referred to.
  22191. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22192. maxLength: 63
  22193. minLength: 1
  22194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22195. type: string
  22196. type: object
  22197. type: object
  22198. type: object
  22199. region:
  22200. description: Region specifies the region to operate in.
  22201. type: string
  22202. role:
  22203. description: |-
  22204. You can assume a role before making calls to the
  22205. desired AWS service.
  22206. type: string
  22207. scope:
  22208. description: |-
  22209. Scope specifies the ECR service scope.
  22210. Valid options are private and public.
  22211. type: string
  22212. required:
  22213. - region
  22214. type: object
  22215. type: object
  22216. served: true
  22217. storage: true
  22218. subresources:
  22219. status: {}
  22220. conversion:
  22221. strategy: Webhook
  22222. webhook:
  22223. conversionReviewVersions:
  22224. - v1
  22225. clientConfig:
  22226. service:
  22227. name: kubernetes
  22228. namespace: default
  22229. path: /convert
  22230. ---
  22231. apiVersion: apiextensions.k8s.io/v1
  22232. kind: CustomResourceDefinition
  22233. metadata:
  22234. annotations:
  22235. controller-gen.kubebuilder.io/version: v0.17.3
  22236. labels:
  22237. external-secrets.io/component: controller
  22238. name: fakes.generators.external-secrets.io
  22239. spec:
  22240. group: generators.external-secrets.io
  22241. names:
  22242. categories:
  22243. - external-secrets
  22244. - external-secrets-generators
  22245. kind: Fake
  22246. listKind: FakeList
  22247. plural: fakes
  22248. singular: fake
  22249. scope: Namespaced
  22250. versions:
  22251. - name: v1alpha1
  22252. schema:
  22253. openAPIV3Schema:
  22254. description: |-
  22255. Fake generator is used for testing. It lets you define
  22256. a static set of credentials that is always returned.
  22257. properties:
  22258. apiVersion:
  22259. description: |-
  22260. APIVersion defines the versioned schema of this representation of an object.
  22261. Servers should convert recognized schemas to the latest internal value, and
  22262. may reject unrecognized values.
  22263. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22264. type: string
  22265. kind:
  22266. description: |-
  22267. Kind is a string value representing the REST resource this object represents.
  22268. Servers may infer this from the endpoint the client submits requests to.
  22269. Cannot be updated.
  22270. In CamelCase.
  22271. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22272. type: string
  22273. metadata:
  22274. type: object
  22275. spec:
  22276. description: FakeSpec contains the static data.
  22277. properties:
  22278. controller:
  22279. description: |-
  22280. Used to select the correct ESO controller (think: ingress.ingressClassName)
  22281. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  22282. type: string
  22283. data:
  22284. additionalProperties:
  22285. type: string
  22286. description: |-
  22287. Data defines the static data returned
  22288. by this generator.
  22289. type: object
  22290. type: object
  22291. type: object
  22292. served: true
  22293. storage: true
  22294. subresources:
  22295. status: {}
  22296. conversion:
  22297. strategy: Webhook
  22298. webhook:
  22299. conversionReviewVersions:
  22300. - v1
  22301. clientConfig:
  22302. service:
  22303. name: kubernetes
  22304. namespace: default
  22305. path: /convert
  22306. ---
  22307. apiVersion: apiextensions.k8s.io/v1
  22308. kind: CustomResourceDefinition
  22309. metadata:
  22310. annotations:
  22311. controller-gen.kubebuilder.io/version: v0.17.3
  22312. labels:
  22313. external-secrets.io/component: controller
  22314. name: gcraccesstokens.generators.external-secrets.io
  22315. spec:
  22316. group: generators.external-secrets.io
  22317. names:
  22318. categories:
  22319. - external-secrets
  22320. - external-secrets-generators
  22321. kind: GCRAccessToken
  22322. listKind: GCRAccessTokenList
  22323. plural: gcraccesstokens
  22324. singular: gcraccesstoken
  22325. scope: Namespaced
  22326. versions:
  22327. - name: v1alpha1
  22328. schema:
  22329. openAPIV3Schema:
  22330. description: |-
  22331. GCRAccessToken generates an GCP access token
  22332. that can be used to authenticate with GCR.
  22333. properties:
  22334. apiVersion:
  22335. description: |-
  22336. APIVersion defines the versioned schema of this representation of an object.
  22337. Servers should convert recognized schemas to the latest internal value, and
  22338. may reject unrecognized values.
  22339. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22340. type: string
  22341. kind:
  22342. description: |-
  22343. Kind is a string value representing the REST resource this object represents.
  22344. Servers may infer this from the endpoint the client submits requests to.
  22345. Cannot be updated.
  22346. In CamelCase.
  22347. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22348. type: string
  22349. metadata:
  22350. type: object
  22351. spec:
  22352. properties:
  22353. auth:
  22354. description: Auth defines the means for authenticating with GCP
  22355. properties:
  22356. secretRef:
  22357. properties:
  22358. secretAccessKeySecretRef:
  22359. description: The SecretAccessKey is used for authentication
  22360. properties:
  22361. key:
  22362. description: |-
  22363. A key in the referenced Secret.
  22364. Some instances of this field may be defaulted, in others it may be required.
  22365. maxLength: 253
  22366. minLength: 1
  22367. pattern: ^[-._a-zA-Z0-9]+$
  22368. type: string
  22369. name:
  22370. description: The name of the Secret resource being referred to.
  22371. maxLength: 253
  22372. minLength: 1
  22373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22374. type: string
  22375. namespace:
  22376. description: |-
  22377. The namespace of the Secret resource being referred to.
  22378. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22379. maxLength: 63
  22380. minLength: 1
  22381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22382. type: string
  22383. type: object
  22384. type: object
  22385. workloadIdentity:
  22386. properties:
  22387. clusterLocation:
  22388. type: string
  22389. clusterName:
  22390. type: string
  22391. clusterProjectID:
  22392. type: string
  22393. serviceAccountRef:
  22394. description: A reference to a ServiceAccount resource.
  22395. properties:
  22396. audiences:
  22397. description: |-
  22398. Audience specifies the `aud` claim for the service account token
  22399. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22400. then this audiences will be appended to the list
  22401. items:
  22402. type: string
  22403. type: array
  22404. name:
  22405. description: The name of the ServiceAccount resource being referred to.
  22406. maxLength: 253
  22407. minLength: 1
  22408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22409. type: string
  22410. namespace:
  22411. description: |-
  22412. Namespace of the resource being referred to.
  22413. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22414. maxLength: 63
  22415. minLength: 1
  22416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22417. type: string
  22418. required:
  22419. - name
  22420. type: object
  22421. required:
  22422. - clusterLocation
  22423. - clusterName
  22424. - serviceAccountRef
  22425. type: object
  22426. type: object
  22427. projectID:
  22428. description: ProjectID defines which project to use to authenticate with
  22429. type: string
  22430. required:
  22431. - auth
  22432. - projectID
  22433. type: object
  22434. type: object
  22435. served: true
  22436. storage: true
  22437. subresources:
  22438. status: {}
  22439. conversion:
  22440. strategy: Webhook
  22441. webhook:
  22442. conversionReviewVersions:
  22443. - v1
  22444. clientConfig:
  22445. service:
  22446. name: kubernetes
  22447. namespace: default
  22448. path: /convert
  22449. ---
  22450. apiVersion: apiextensions.k8s.io/v1
  22451. kind: CustomResourceDefinition
  22452. metadata:
  22453. annotations:
  22454. controller-gen.kubebuilder.io/version: v0.17.3
  22455. labels:
  22456. external-secrets.io/component: controller
  22457. name: generatorstates.generators.external-secrets.io
  22458. spec:
  22459. group: generators.external-secrets.io
  22460. names:
  22461. categories:
  22462. - external-secrets
  22463. - external-secrets-generators
  22464. kind: GeneratorState
  22465. listKind: GeneratorStateList
  22466. plural: generatorstates
  22467. shortNames:
  22468. - gs
  22469. singular: generatorstate
  22470. scope: Namespaced
  22471. versions:
  22472. - additionalPrinterColumns:
  22473. - jsonPath: .spec.garbageCollectionDeadline
  22474. name: GC Deadline
  22475. type: string
  22476. - jsonPath: .metadata.creationTimestamp
  22477. name: Age
  22478. type: date
  22479. name: v1alpha1
  22480. schema:
  22481. openAPIV3Schema:
  22482. properties:
  22483. apiVersion:
  22484. description: |-
  22485. APIVersion defines the versioned schema of this representation of an object.
  22486. Servers should convert recognized schemas to the latest internal value, and
  22487. may reject unrecognized values.
  22488. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22489. type: string
  22490. kind:
  22491. description: |-
  22492. Kind is a string value representing the REST resource this object represents.
  22493. Servers may infer this from the endpoint the client submits requests to.
  22494. Cannot be updated.
  22495. In CamelCase.
  22496. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22497. type: string
  22498. metadata:
  22499. type: object
  22500. spec:
  22501. properties:
  22502. garbageCollectionDeadline:
  22503. description: |-
  22504. GarbageCollectionDeadline is the time after which the generator state
  22505. will be deleted.
  22506. It is set by the controller which creates the generator state and
  22507. can be set configured by the user.
  22508. If the garbage collection deadline is not set the generator state will not be deleted.
  22509. format: date-time
  22510. type: string
  22511. resource:
  22512. description: |-
  22513. Resource is the generator manifest that produced the state.
  22514. It is a snapshot of the generator manifest at the time the state was produced.
  22515. This manifest will be used to delete the resource. Any configuration that is referenced
  22516. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  22517. be blocked by a finalizer.
  22518. x-kubernetes-preserve-unknown-fields: true
  22519. state:
  22520. description: State is the state that was produced by the generator implementation.
  22521. x-kubernetes-preserve-unknown-fields: true
  22522. required:
  22523. - resource
  22524. - state
  22525. type: object
  22526. status:
  22527. properties:
  22528. conditions:
  22529. items:
  22530. properties:
  22531. lastTransitionTime:
  22532. format: date-time
  22533. type: string
  22534. message:
  22535. type: string
  22536. reason:
  22537. type: string
  22538. status:
  22539. type: string
  22540. type:
  22541. type: string
  22542. required:
  22543. - status
  22544. - type
  22545. type: object
  22546. type: array
  22547. type: object
  22548. type: object
  22549. served: true
  22550. storage: true
  22551. subresources: {}
  22552. conversion:
  22553. strategy: Webhook
  22554. webhook:
  22555. conversionReviewVersions:
  22556. - v1
  22557. clientConfig:
  22558. service:
  22559. name: kubernetes
  22560. namespace: default
  22561. path: /convert
  22562. ---
  22563. apiVersion: apiextensions.k8s.io/v1
  22564. kind: CustomResourceDefinition
  22565. metadata:
  22566. annotations:
  22567. controller-gen.kubebuilder.io/version: v0.17.3
  22568. labels:
  22569. external-secrets.io/component: controller
  22570. name: githubaccesstokens.generators.external-secrets.io
  22571. spec:
  22572. group: generators.external-secrets.io
  22573. names:
  22574. categories:
  22575. - external-secrets
  22576. - external-secrets-generators
  22577. kind: GithubAccessToken
  22578. listKind: GithubAccessTokenList
  22579. plural: githubaccesstokens
  22580. singular: githubaccesstoken
  22581. scope: Namespaced
  22582. versions:
  22583. - name: v1alpha1
  22584. schema:
  22585. openAPIV3Schema:
  22586. description: GithubAccessToken generates ghs_ accessToken
  22587. properties:
  22588. apiVersion:
  22589. description: |-
  22590. APIVersion defines the versioned schema of this representation of an object.
  22591. Servers should convert recognized schemas to the latest internal value, and
  22592. may reject unrecognized values.
  22593. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22594. type: string
  22595. kind:
  22596. description: |-
  22597. Kind is a string value representing the REST resource this object represents.
  22598. Servers may infer this from the endpoint the client submits requests to.
  22599. Cannot be updated.
  22600. In CamelCase.
  22601. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22602. type: string
  22603. metadata:
  22604. type: object
  22605. spec:
  22606. properties:
  22607. appID:
  22608. type: string
  22609. auth:
  22610. description: Auth configures how ESO authenticates with a Github instance.
  22611. properties:
  22612. privateKey:
  22613. properties:
  22614. secretRef:
  22615. description: |-
  22616. A reference to a specific 'key' within a Secret resource.
  22617. In some instances, `key` is a required field.
  22618. properties:
  22619. key:
  22620. description: |-
  22621. A key in the referenced Secret.
  22622. Some instances of this field may be defaulted, in others it may be required.
  22623. maxLength: 253
  22624. minLength: 1
  22625. pattern: ^[-._a-zA-Z0-9]+$
  22626. type: string
  22627. name:
  22628. description: The name of the Secret resource being referred to.
  22629. maxLength: 253
  22630. minLength: 1
  22631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22632. type: string
  22633. namespace:
  22634. description: |-
  22635. The namespace of the Secret resource being referred to.
  22636. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22637. maxLength: 63
  22638. minLength: 1
  22639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22640. type: string
  22641. type: object
  22642. required:
  22643. - secretRef
  22644. type: object
  22645. required:
  22646. - privateKey
  22647. type: object
  22648. installID:
  22649. type: string
  22650. permissions:
  22651. additionalProperties:
  22652. type: string
  22653. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  22654. type: object
  22655. repositories:
  22656. description: |-
  22657. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  22658. is installed to.
  22659. items:
  22660. type: string
  22661. type: array
  22662. url:
  22663. description: URL configures the Github instance URL. Defaults to https://github.com/.
  22664. type: string
  22665. required:
  22666. - appID
  22667. - auth
  22668. - installID
  22669. type: object
  22670. type: object
  22671. served: true
  22672. storage: true
  22673. subresources:
  22674. status: {}
  22675. conversion:
  22676. strategy: Webhook
  22677. webhook:
  22678. conversionReviewVersions:
  22679. - v1
  22680. clientConfig:
  22681. service:
  22682. name: kubernetes
  22683. namespace: default
  22684. path: /convert
  22685. ---
  22686. apiVersion: apiextensions.k8s.io/v1
  22687. kind: CustomResourceDefinition
  22688. metadata:
  22689. annotations:
  22690. controller-gen.kubebuilder.io/version: v0.17.3
  22691. labels:
  22692. external-secrets.io/component: controller
  22693. name: grafanas.generators.external-secrets.io
  22694. spec:
  22695. group: generators.external-secrets.io
  22696. names:
  22697. categories:
  22698. - external-secrets
  22699. - external-secrets-generators
  22700. kind: Grafana
  22701. listKind: GrafanaList
  22702. plural: grafanas
  22703. singular: grafana
  22704. scope: Namespaced
  22705. versions:
  22706. - name: v1alpha1
  22707. schema:
  22708. openAPIV3Schema:
  22709. properties:
  22710. apiVersion:
  22711. description: |-
  22712. APIVersion defines the versioned schema of this representation of an object.
  22713. Servers should convert recognized schemas to the latest internal value, and
  22714. may reject unrecognized values.
  22715. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22716. type: string
  22717. kind:
  22718. description: |-
  22719. Kind is a string value representing the REST resource this object represents.
  22720. Servers may infer this from the endpoint the client submits requests to.
  22721. Cannot be updated.
  22722. In CamelCase.
  22723. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22724. type: string
  22725. metadata:
  22726. type: object
  22727. spec:
  22728. description: GrafanaSpec controls the behavior of the grafana generator.
  22729. properties:
  22730. auth:
  22731. description: |-
  22732. Auth is the authentication configuration to authenticate
  22733. against the Grafana instance.
  22734. properties:
  22735. basic:
  22736. description: |-
  22737. Basic auth credentials used to authenticate against the Grafana instance.
  22738. Note: you need a token which has elevated permissions to create service accounts.
  22739. See here for the documentation on basic roles offered by Grafana:
  22740. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  22741. properties:
  22742. password:
  22743. description: A basic auth password used to authenticate against the Grafana instance.
  22744. properties:
  22745. key:
  22746. description: The key where the token is found.
  22747. maxLength: 253
  22748. minLength: 1
  22749. pattern: ^[-._a-zA-Z0-9]+$
  22750. type: string
  22751. name:
  22752. description: The name of the Secret resource being referred to.
  22753. maxLength: 253
  22754. minLength: 1
  22755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22756. type: string
  22757. type: object
  22758. username:
  22759. description: A basic auth username used to authenticate against the Grafana instance.
  22760. type: string
  22761. required:
  22762. - password
  22763. - username
  22764. type: object
  22765. token:
  22766. description: |-
  22767. A service account token used to authenticate against the Grafana instance.
  22768. Note: you need a token which has elevated permissions to create service accounts.
  22769. See here for the documentation on basic roles offered by Grafana:
  22770. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  22771. properties:
  22772. key:
  22773. description: The key where the token is found.
  22774. maxLength: 253
  22775. minLength: 1
  22776. pattern: ^[-._a-zA-Z0-9]+$
  22777. type: string
  22778. name:
  22779. description: The name of the Secret resource being referred to.
  22780. maxLength: 253
  22781. minLength: 1
  22782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22783. type: string
  22784. type: object
  22785. type: object
  22786. serviceAccount:
  22787. description: |-
  22788. ServiceAccount is the configuration for the service account that
  22789. is supposed to be generated by the generator.
  22790. properties:
  22791. name:
  22792. description: Name is the name of the service account that will be created by ESO.
  22793. type: string
  22794. role:
  22795. description: |-
  22796. Role is the role of the service account.
  22797. See here for the documentation on basic roles offered by Grafana:
  22798. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  22799. type: string
  22800. required:
  22801. - name
  22802. - role
  22803. type: object
  22804. url:
  22805. description: URL is the URL of the Grafana instance.
  22806. type: string
  22807. required:
  22808. - auth
  22809. - serviceAccount
  22810. - url
  22811. type: object
  22812. type: object
  22813. served: true
  22814. storage: true
  22815. subresources:
  22816. status: {}
  22817. conversion:
  22818. strategy: Webhook
  22819. webhook:
  22820. conversionReviewVersions:
  22821. - v1
  22822. clientConfig:
  22823. service:
  22824. name: kubernetes
  22825. namespace: default
  22826. path: /convert
  22827. ---
  22828. apiVersion: apiextensions.k8s.io/v1
  22829. kind: CustomResourceDefinition
  22830. metadata:
  22831. annotations:
  22832. controller-gen.kubebuilder.io/version: v0.17.3
  22833. labels:
  22834. external-secrets.io/component: controller
  22835. name: passwords.generators.external-secrets.io
  22836. spec:
  22837. group: generators.external-secrets.io
  22838. names:
  22839. categories:
  22840. - external-secrets
  22841. - external-secrets-generators
  22842. kind: Password
  22843. listKind: PasswordList
  22844. plural: passwords
  22845. singular: password
  22846. scope: Namespaced
  22847. versions:
  22848. - name: v1alpha1
  22849. schema:
  22850. openAPIV3Schema:
  22851. description: |-
  22852. Password generates a random password based on the
  22853. configuration parameters in spec.
  22854. You can specify the length, characterset and other attributes.
  22855. properties:
  22856. apiVersion:
  22857. description: |-
  22858. APIVersion defines the versioned schema of this representation of an object.
  22859. Servers should convert recognized schemas to the latest internal value, and
  22860. may reject unrecognized values.
  22861. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22862. type: string
  22863. kind:
  22864. description: |-
  22865. Kind is a string value representing the REST resource this object represents.
  22866. Servers may infer this from the endpoint the client submits requests to.
  22867. Cannot be updated.
  22868. In CamelCase.
  22869. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22870. type: string
  22871. metadata:
  22872. type: object
  22873. spec:
  22874. description: PasswordSpec controls the behavior of the password generator.
  22875. properties:
  22876. allowRepeat:
  22877. default: false
  22878. description: set AllowRepeat to true to allow repeating characters.
  22879. type: boolean
  22880. digits:
  22881. description: |-
  22882. Digits specifies the number of digits in the generated
  22883. password. If omitted it defaults to 25% of the length of the password
  22884. type: integer
  22885. length:
  22886. default: 24
  22887. description: |-
  22888. Length of the password to be generated.
  22889. Defaults to 24
  22890. type: integer
  22891. noUpper:
  22892. default: false
  22893. description: Set NoUpper to disable uppercase characters
  22894. type: boolean
  22895. symbolCharacters:
  22896. description: |-
  22897. SymbolCharacters specifies the special characters that should be used
  22898. in the generated password.
  22899. type: string
  22900. symbols:
  22901. description: |-
  22902. Symbols specifies the number of symbol characters in the generated
  22903. password. If omitted it defaults to 25% of the length of the password
  22904. type: integer
  22905. required:
  22906. - allowRepeat
  22907. - length
  22908. - noUpper
  22909. type: object
  22910. type: object
  22911. served: true
  22912. storage: true
  22913. subresources:
  22914. status: {}
  22915. conversion:
  22916. strategy: Webhook
  22917. webhook:
  22918. conversionReviewVersions:
  22919. - v1
  22920. clientConfig:
  22921. service:
  22922. name: kubernetes
  22923. namespace: default
  22924. path: /convert
  22925. ---
  22926. apiVersion: apiextensions.k8s.io/v1
  22927. kind: CustomResourceDefinition
  22928. metadata:
  22929. annotations:
  22930. controller-gen.kubebuilder.io/version: v0.17.3
  22931. labels:
  22932. external-secrets.io/component: controller
  22933. name: quayaccesstokens.generators.external-secrets.io
  22934. spec:
  22935. group: generators.external-secrets.io
  22936. names:
  22937. categories:
  22938. - external-secrets
  22939. - external-secrets-generators
  22940. kind: QuayAccessToken
  22941. listKind: QuayAccessTokenList
  22942. plural: quayaccesstokens
  22943. singular: quayaccesstoken
  22944. scope: Namespaced
  22945. versions:
  22946. - name: v1alpha1
  22947. schema:
  22948. openAPIV3Schema:
  22949. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  22950. properties:
  22951. apiVersion:
  22952. description: |-
  22953. APIVersion defines the versioned schema of this representation of an object.
  22954. Servers should convert recognized schemas to the latest internal value, and
  22955. may reject unrecognized values.
  22956. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22957. type: string
  22958. kind:
  22959. description: |-
  22960. Kind is a string value representing the REST resource this object represents.
  22961. Servers may infer this from the endpoint the client submits requests to.
  22962. Cannot be updated.
  22963. In CamelCase.
  22964. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  22965. type: string
  22966. metadata:
  22967. type: object
  22968. spec:
  22969. properties:
  22970. robotAccount:
  22971. description: Name of the robot account you are federating with
  22972. type: string
  22973. serviceAccountRef:
  22974. description: Name of the service account you are federating with
  22975. properties:
  22976. audiences:
  22977. description: |-
  22978. Audience specifies the `aud` claim for the service account token
  22979. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22980. then this audiences will be appended to the list
  22981. items:
  22982. type: string
  22983. type: array
  22984. name:
  22985. description: The name of the ServiceAccount resource being referred to.
  22986. maxLength: 253
  22987. minLength: 1
  22988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22989. type: string
  22990. namespace:
  22991. description: |-
  22992. Namespace of the resource being referred to.
  22993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22994. maxLength: 63
  22995. minLength: 1
  22996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22997. type: string
  22998. required:
  22999. - name
  23000. type: object
  23001. url:
  23002. description: URL configures the Quay instance URL. Defaults to quay.io.
  23003. type: string
  23004. required:
  23005. - robotAccount
  23006. - serviceAccountRef
  23007. type: object
  23008. type: object
  23009. served: true
  23010. storage: true
  23011. subresources:
  23012. status: {}
  23013. conversion:
  23014. strategy: Webhook
  23015. webhook:
  23016. conversionReviewVersions:
  23017. - v1
  23018. clientConfig:
  23019. service:
  23020. name: kubernetes
  23021. namespace: default
  23022. path: /convert
  23023. ---
  23024. apiVersion: apiextensions.k8s.io/v1
  23025. kind: CustomResourceDefinition
  23026. metadata:
  23027. annotations:
  23028. controller-gen.kubebuilder.io/version: v0.17.3
  23029. labels:
  23030. external-secrets.io/component: controller
  23031. name: stssessiontokens.generators.external-secrets.io
  23032. spec:
  23033. group: generators.external-secrets.io
  23034. names:
  23035. categories:
  23036. - external-secrets
  23037. - external-secrets-generators
  23038. kind: STSSessionToken
  23039. listKind: STSSessionTokenList
  23040. plural: stssessiontokens
  23041. singular: stssessiontoken
  23042. scope: Namespaced
  23043. versions:
  23044. - name: v1alpha1
  23045. schema:
  23046. openAPIV3Schema:
  23047. description: |-
  23048. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  23049. The authorization token is valid for 12 hours.
  23050. The authorizationToken returned is a base64 encoded string that can be decoded.
  23051. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  23052. properties:
  23053. apiVersion:
  23054. description: |-
  23055. APIVersion defines the versioned schema of this representation of an object.
  23056. Servers should convert recognized schemas to the latest internal value, and
  23057. may reject unrecognized values.
  23058. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  23059. type: string
  23060. kind:
  23061. description: |-
  23062. Kind is a string value representing the REST resource this object represents.
  23063. Servers may infer this from the endpoint the client submits requests to.
  23064. Cannot be updated.
  23065. In CamelCase.
  23066. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  23067. type: string
  23068. metadata:
  23069. type: object
  23070. spec:
  23071. properties:
  23072. auth:
  23073. description: Auth defines how to authenticate with AWS
  23074. properties:
  23075. jwt:
  23076. description: Authenticate against AWS using service account tokens.
  23077. properties:
  23078. serviceAccountRef:
  23079. description: A reference to a ServiceAccount resource.
  23080. properties:
  23081. audiences:
  23082. description: |-
  23083. Audience specifies the `aud` claim for the service account token
  23084. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23085. then this audiences will be appended to the list
  23086. items:
  23087. type: string
  23088. type: array
  23089. name:
  23090. description: The name of the ServiceAccount resource being referred to.
  23091. maxLength: 253
  23092. minLength: 1
  23093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23094. type: string
  23095. namespace:
  23096. description: |-
  23097. Namespace of the resource being referred to.
  23098. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23099. maxLength: 63
  23100. minLength: 1
  23101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23102. type: string
  23103. required:
  23104. - name
  23105. type: object
  23106. type: object
  23107. secretRef:
  23108. description: |-
  23109. AWSAuthSecretRef holds secret references for AWS credentials
  23110. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  23111. properties:
  23112. accessKeyIDSecretRef:
  23113. description: The AccessKeyID is used for authentication
  23114. properties:
  23115. key:
  23116. description: |-
  23117. A key in the referenced Secret.
  23118. Some instances of this field may be defaulted, in others it may be required.
  23119. maxLength: 253
  23120. minLength: 1
  23121. pattern: ^[-._a-zA-Z0-9]+$
  23122. type: string
  23123. name:
  23124. description: The name of the Secret resource being referred to.
  23125. maxLength: 253
  23126. minLength: 1
  23127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23128. type: string
  23129. namespace:
  23130. description: |-
  23131. The namespace of the Secret resource being referred to.
  23132. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23133. maxLength: 63
  23134. minLength: 1
  23135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23136. type: string
  23137. type: object
  23138. secretAccessKeySecretRef:
  23139. description: The SecretAccessKey is used for authentication
  23140. properties:
  23141. key:
  23142. description: |-
  23143. A key in the referenced Secret.
  23144. Some instances of this field may be defaulted, in others it may be required.
  23145. maxLength: 253
  23146. minLength: 1
  23147. pattern: ^[-._a-zA-Z0-9]+$
  23148. type: string
  23149. name:
  23150. description: The name of the Secret resource being referred to.
  23151. maxLength: 253
  23152. minLength: 1
  23153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23154. type: string
  23155. namespace:
  23156. description: |-
  23157. The namespace of the Secret resource being referred to.
  23158. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23159. maxLength: 63
  23160. minLength: 1
  23161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23162. type: string
  23163. type: object
  23164. sessionTokenSecretRef:
  23165. description: |-
  23166. The SessionToken used for authentication
  23167. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  23168. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  23169. properties:
  23170. key:
  23171. description: |-
  23172. A key in the referenced Secret.
  23173. Some instances of this field may be defaulted, in others it may be required.
  23174. maxLength: 253
  23175. minLength: 1
  23176. pattern: ^[-._a-zA-Z0-9]+$
  23177. type: string
  23178. name:
  23179. description: The name of the Secret resource being referred to.
  23180. maxLength: 253
  23181. minLength: 1
  23182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23183. type: string
  23184. namespace:
  23185. description: |-
  23186. The namespace of the Secret resource being referred to.
  23187. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23188. maxLength: 63
  23189. minLength: 1
  23190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23191. type: string
  23192. type: object
  23193. type: object
  23194. type: object
  23195. region:
  23196. description: Region specifies the region to operate in.
  23197. type: string
  23198. requestParameters:
  23199. description: RequestParameters contains parameters that can be passed to the STS service.
  23200. properties:
  23201. serialNumber:
  23202. description: |-
  23203. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  23204. the GetSessionToken call.
  23205. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  23206. (such as arn:aws:iam::123456789012:mfa/user)
  23207. type: string
  23208. sessionDuration:
  23209. description: |-
  23210. SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
  23211. IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
  23212. (12 hours) as the default.
  23213. format: int64
  23214. type: integer
  23215. tokenCode:
  23216. description: TokenCode is the value provided by the MFA device, if MFA is required.
  23217. type: string
  23218. type: object
  23219. role:
  23220. description: |-
  23221. You can assume a role before making calls to the
  23222. desired AWS service.
  23223. type: string
  23224. required:
  23225. - region
  23226. type: object
  23227. type: object
  23228. served: true
  23229. storage: true
  23230. subresources:
  23231. status: {}
  23232. conversion:
  23233. strategy: Webhook
  23234. webhook:
  23235. conversionReviewVersions:
  23236. - v1
  23237. clientConfig:
  23238. service:
  23239. name: kubernetes
  23240. namespace: default
  23241. path: /convert
  23242. ---
  23243. apiVersion: apiextensions.k8s.io/v1
  23244. kind: CustomResourceDefinition
  23245. metadata:
  23246. annotations:
  23247. controller-gen.kubebuilder.io/version: v0.17.3
  23248. labels:
  23249. external-secrets.io/component: controller
  23250. name: uuids.generators.external-secrets.io
  23251. spec:
  23252. group: generators.external-secrets.io
  23253. names:
  23254. categories:
  23255. - external-secrets
  23256. - external-secrets-generators
  23257. kind: UUID
  23258. listKind: UUIDList
  23259. plural: uuids
  23260. singular: uuid
  23261. scope: Namespaced
  23262. versions:
  23263. - name: v1alpha1
  23264. schema:
  23265. openAPIV3Schema:
  23266. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  23267. properties:
  23268. apiVersion:
  23269. description: |-
  23270. APIVersion defines the versioned schema of this representation of an object.
  23271. Servers should convert recognized schemas to the latest internal value, and
  23272. may reject unrecognized values.
  23273. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  23274. type: string
  23275. kind:
  23276. description: |-
  23277. Kind is a string value representing the REST resource this object represents.
  23278. Servers may infer this from the endpoint the client submits requests to.
  23279. Cannot be updated.
  23280. In CamelCase.
  23281. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  23282. type: string
  23283. metadata:
  23284. type: object
  23285. spec:
  23286. description: UUIDSpec controls the behavior of the uuid generator.
  23287. type: object
  23288. type: object
  23289. served: true
  23290. storage: true
  23291. subresources:
  23292. status: {}
  23293. conversion:
  23294. strategy: Webhook
  23295. webhook:
  23296. conversionReviewVersions:
  23297. - v1
  23298. clientConfig:
  23299. service:
  23300. name: kubernetes
  23301. namespace: default
  23302. path: /convert
  23303. ---
  23304. apiVersion: apiextensions.k8s.io/v1
  23305. kind: CustomResourceDefinition
  23306. metadata:
  23307. annotations:
  23308. controller-gen.kubebuilder.io/version: v0.17.3
  23309. labels:
  23310. external-secrets.io/component: controller
  23311. name: vaultdynamicsecrets.generators.external-secrets.io
  23312. spec:
  23313. group: generators.external-secrets.io
  23314. names:
  23315. categories:
  23316. - external-secrets
  23317. - external-secrets-generators
  23318. kind: VaultDynamicSecret
  23319. listKind: VaultDynamicSecretList
  23320. plural: vaultdynamicsecrets
  23321. singular: vaultdynamicsecret
  23322. scope: Namespaced
  23323. versions:
  23324. - name: v1alpha1
  23325. schema:
  23326. openAPIV3Schema:
  23327. properties:
  23328. apiVersion:
  23329. description: |-
  23330. APIVersion defines the versioned schema of this representation of an object.
  23331. Servers should convert recognized schemas to the latest internal value, and
  23332. may reject unrecognized values.
  23333. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  23334. type: string
  23335. kind:
  23336. description: |-
  23337. Kind is a string value representing the REST resource this object represents.
  23338. Servers may infer this from the endpoint the client submits requests to.
  23339. Cannot be updated.
  23340. In CamelCase.
  23341. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  23342. type: string
  23343. metadata:
  23344. type: object
  23345. spec:
  23346. properties:
  23347. allowEmptyResponse:
  23348. default: false
  23349. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  23350. type: boolean
  23351. controller:
  23352. description: |-
  23353. Used to select the correct ESO controller (think: ingress.ingressClassName)
  23354. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  23355. type: string
  23356. method:
  23357. description: Vault API method to use (GET/POST/other)
  23358. type: string
  23359. parameters:
  23360. description: Parameters to pass to Vault write (for non-GET methods)
  23361. x-kubernetes-preserve-unknown-fields: true
  23362. path:
  23363. description: Vault path to obtain the dynamic secret from
  23364. type: string
  23365. provider:
  23366. description: Vault provider common spec
  23367. properties:
  23368. auth:
  23369. description: Auth configures how secret-manager authenticates with the Vault server.
  23370. properties:
  23371. appRole:
  23372. description: |-
  23373. AppRole authenticates with Vault using the App Role auth mechanism,
  23374. with the role and secret stored in a Kubernetes Secret resource.
  23375. properties:
  23376. path:
  23377. default: approle
  23378. description: |-
  23379. Path where the App Role authentication backend is mounted
  23380. in Vault, e.g: "approle"
  23381. type: string
  23382. roleId:
  23383. description: |-
  23384. RoleID configured in the App Role authentication backend when setting
  23385. up the authentication backend in Vault.
  23386. type: string
  23387. roleRef:
  23388. description: |-
  23389. Reference to a key in a Secret that contains the App Role ID used
  23390. to authenticate with Vault.
  23391. The `key` field must be specified and denotes which entry within the Secret
  23392. resource is used as the app role id.
  23393. properties:
  23394. key:
  23395. description: |-
  23396. A key in the referenced Secret.
  23397. Some instances of this field may be defaulted, in others it may be required.
  23398. maxLength: 253
  23399. minLength: 1
  23400. pattern: ^[-._a-zA-Z0-9]+$
  23401. type: string
  23402. name:
  23403. description: The name of the Secret resource being referred to.
  23404. maxLength: 253
  23405. minLength: 1
  23406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23407. type: string
  23408. namespace:
  23409. description: |-
  23410. The namespace of the Secret resource being referred to.
  23411. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23412. maxLength: 63
  23413. minLength: 1
  23414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23415. type: string
  23416. type: object
  23417. secretRef:
  23418. description: |-
  23419. Reference to a key in a Secret that contains the App Role secret used
  23420. to authenticate with Vault.
  23421. The `key` field must be specified and denotes which entry within the Secret
  23422. resource is used as the app role secret.
  23423. properties:
  23424. key:
  23425. description: |-
  23426. A key in the referenced Secret.
  23427. Some instances of this field may be defaulted, in others it may be required.
  23428. maxLength: 253
  23429. minLength: 1
  23430. pattern: ^[-._a-zA-Z0-9]+$
  23431. type: string
  23432. name:
  23433. description: The name of the Secret resource being referred to.
  23434. maxLength: 253
  23435. minLength: 1
  23436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23437. type: string
  23438. namespace:
  23439. description: |-
  23440. The namespace of the Secret resource being referred to.
  23441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23442. maxLength: 63
  23443. minLength: 1
  23444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23445. type: string
  23446. type: object
  23447. required:
  23448. - path
  23449. - secretRef
  23450. type: object
  23451. cert:
  23452. description: |-
  23453. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  23454. Cert authentication method
  23455. properties:
  23456. clientCert:
  23457. description: |-
  23458. ClientCert is a certificate to authenticate using the Cert Vault
  23459. authentication method
  23460. properties:
  23461. key:
  23462. description: |-
  23463. A key in the referenced Secret.
  23464. Some instances of this field may be defaulted, in others it may be required.
  23465. maxLength: 253
  23466. minLength: 1
  23467. pattern: ^[-._a-zA-Z0-9]+$
  23468. type: string
  23469. name:
  23470. description: The name of the Secret resource being referred to.
  23471. maxLength: 253
  23472. minLength: 1
  23473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23474. type: string
  23475. namespace:
  23476. description: |-
  23477. The namespace of the Secret resource being referred to.
  23478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23479. maxLength: 63
  23480. minLength: 1
  23481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23482. type: string
  23483. type: object
  23484. secretRef:
  23485. description: |-
  23486. SecretRef to a key in a Secret resource containing client private key to
  23487. authenticate with Vault using the Cert authentication method
  23488. properties:
  23489. key:
  23490. description: |-
  23491. A key in the referenced Secret.
  23492. Some instances of this field may be defaulted, in others it may be required.
  23493. maxLength: 253
  23494. minLength: 1
  23495. pattern: ^[-._a-zA-Z0-9]+$
  23496. type: string
  23497. name:
  23498. description: The name of the Secret resource being referred to.
  23499. maxLength: 253
  23500. minLength: 1
  23501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23502. type: string
  23503. namespace:
  23504. description: |-
  23505. The namespace of the Secret resource being referred to.
  23506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23507. maxLength: 63
  23508. minLength: 1
  23509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23510. type: string
  23511. type: object
  23512. type: object
  23513. iam:
  23514. description: |-
  23515. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  23516. AWS IAM authentication method
  23517. properties:
  23518. externalID:
  23519. description: AWS External ID set on assumed IAM roles
  23520. type: string
  23521. jwt:
  23522. description: Specify a service account with IRSA enabled
  23523. properties:
  23524. serviceAccountRef:
  23525. description: A reference to a ServiceAccount resource.
  23526. properties:
  23527. audiences:
  23528. description: |-
  23529. Audience specifies the `aud` claim for the service account token
  23530. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23531. then this audiences will be appended to the list
  23532. items:
  23533. type: string
  23534. type: array
  23535. name:
  23536. description: The name of the ServiceAccount resource being referred to.
  23537. maxLength: 253
  23538. minLength: 1
  23539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23540. type: string
  23541. namespace:
  23542. description: |-
  23543. Namespace of the resource being referred to.
  23544. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23545. maxLength: 63
  23546. minLength: 1
  23547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23548. type: string
  23549. required:
  23550. - name
  23551. type: object
  23552. type: object
  23553. path:
  23554. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  23555. type: string
  23556. region:
  23557. description: AWS region
  23558. type: string
  23559. role:
  23560. description: This is the AWS role to be assumed before talking to vault
  23561. type: string
  23562. secretRef:
  23563. description: Specify credentials in a Secret object
  23564. properties:
  23565. accessKeyIDSecretRef:
  23566. description: The AccessKeyID is used for authentication
  23567. properties:
  23568. key:
  23569. description: |-
  23570. A key in the referenced Secret.
  23571. Some instances of this field may be defaulted, in others it may be required.
  23572. maxLength: 253
  23573. minLength: 1
  23574. pattern: ^[-._a-zA-Z0-9]+$
  23575. type: string
  23576. name:
  23577. description: The name of the Secret resource being referred to.
  23578. maxLength: 253
  23579. minLength: 1
  23580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23581. type: string
  23582. namespace:
  23583. description: |-
  23584. The namespace of the Secret resource being referred to.
  23585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23586. maxLength: 63
  23587. minLength: 1
  23588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23589. type: string
  23590. type: object
  23591. secretAccessKeySecretRef:
  23592. description: The SecretAccessKey is used for authentication
  23593. properties:
  23594. key:
  23595. description: |-
  23596. A key in the referenced Secret.
  23597. Some instances of this field may be defaulted, in others it may be required.
  23598. maxLength: 253
  23599. minLength: 1
  23600. pattern: ^[-._a-zA-Z0-9]+$
  23601. type: string
  23602. name:
  23603. description: The name of the Secret resource being referred to.
  23604. maxLength: 253
  23605. minLength: 1
  23606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23607. type: string
  23608. namespace:
  23609. description: |-
  23610. The namespace of the Secret resource being referred to.
  23611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23612. maxLength: 63
  23613. minLength: 1
  23614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23615. type: string
  23616. type: object
  23617. sessionTokenSecretRef:
  23618. description: |-
  23619. The SessionToken used for authentication
  23620. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  23621. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  23622. properties:
  23623. key:
  23624. description: |-
  23625. A key in the referenced Secret.
  23626. Some instances of this field may be defaulted, in others it may be required.
  23627. maxLength: 253
  23628. minLength: 1
  23629. pattern: ^[-._a-zA-Z0-9]+$
  23630. type: string
  23631. name:
  23632. description: The name of the Secret resource being referred to.
  23633. maxLength: 253
  23634. minLength: 1
  23635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23636. type: string
  23637. namespace:
  23638. description: |-
  23639. The namespace of the Secret resource being referred to.
  23640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23641. maxLength: 63
  23642. minLength: 1
  23643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23644. type: string
  23645. type: object
  23646. type: object
  23647. vaultAwsIamServerID:
  23648. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  23649. type: string
  23650. vaultRole:
  23651. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  23652. type: string
  23653. required:
  23654. - vaultRole
  23655. type: object
  23656. jwt:
  23657. description: |-
  23658. Jwt authenticates with Vault by passing role and JWT token using the
  23659. JWT/OIDC authentication method
  23660. properties:
  23661. kubernetesServiceAccountToken:
  23662. description: |-
  23663. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  23664. a token for with the `TokenRequest` API.
  23665. properties:
  23666. audiences:
  23667. description: |-
  23668. Optional audiences field that will be used to request a temporary Kubernetes service
  23669. account token for the service account referenced by `serviceAccountRef`.
  23670. Defaults to a single audience `vault` it not specified.
  23671. Deprecated: use serviceAccountRef.Audiences instead
  23672. items:
  23673. type: string
  23674. type: array
  23675. expirationSeconds:
  23676. description: |-
  23677. Optional expiration time in seconds that will be used to request a temporary
  23678. Kubernetes service account token for the service account referenced by
  23679. `serviceAccountRef`.
  23680. Deprecated: this will be removed in the future.
  23681. Defaults to 10 minutes.
  23682. format: int64
  23683. type: integer
  23684. serviceAccountRef:
  23685. description: Service account field containing the name of a kubernetes ServiceAccount.
  23686. properties:
  23687. audiences:
  23688. description: |-
  23689. Audience specifies the `aud` claim for the service account token
  23690. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23691. then this audiences will be appended to the list
  23692. items:
  23693. type: string
  23694. type: array
  23695. name:
  23696. description: The name of the ServiceAccount resource being referred to.
  23697. maxLength: 253
  23698. minLength: 1
  23699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23700. type: string
  23701. namespace:
  23702. description: |-
  23703. Namespace of the resource being referred to.
  23704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23705. maxLength: 63
  23706. minLength: 1
  23707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23708. type: string
  23709. required:
  23710. - name
  23711. type: object
  23712. required:
  23713. - serviceAccountRef
  23714. type: object
  23715. path:
  23716. default: jwt
  23717. description: |-
  23718. Path where the JWT authentication backend is mounted
  23719. in Vault, e.g: "jwt"
  23720. type: string
  23721. role:
  23722. description: |-
  23723. Role is a JWT role to authenticate using the JWT/OIDC Vault
  23724. authentication method
  23725. type: string
  23726. secretRef:
  23727. description: |-
  23728. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  23729. authenticate with Vault using the JWT/OIDC authentication method.
  23730. properties:
  23731. key:
  23732. description: |-
  23733. A key in the referenced Secret.
  23734. Some instances of this field may be defaulted, in others it may be required.
  23735. maxLength: 253
  23736. minLength: 1
  23737. pattern: ^[-._a-zA-Z0-9]+$
  23738. type: string
  23739. name:
  23740. description: The name of the Secret resource being referred to.
  23741. maxLength: 253
  23742. minLength: 1
  23743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23744. type: string
  23745. namespace:
  23746. description: |-
  23747. The namespace of the Secret resource being referred to.
  23748. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23749. maxLength: 63
  23750. minLength: 1
  23751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23752. type: string
  23753. type: object
  23754. required:
  23755. - path
  23756. type: object
  23757. kubernetes:
  23758. description: |-
  23759. Kubernetes authenticates with Vault by passing the ServiceAccount
  23760. token stored in the named Secret resource to the Vault server.
  23761. properties:
  23762. mountPath:
  23763. default: kubernetes
  23764. description: |-
  23765. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  23766. "kubernetes"
  23767. type: string
  23768. role:
  23769. description: |-
  23770. A required field containing the Vault Role to assume. A Role binds a
  23771. Kubernetes ServiceAccount with a set of Vault policies.
  23772. type: string
  23773. secretRef:
  23774. description: |-
  23775. Optional secret field containing a Kubernetes ServiceAccount JWT used
  23776. for authenticating with Vault. If a name is specified without a key,
  23777. `token` is the default. If one is not specified, the one bound to
  23778. the controller will be used.
  23779. properties:
  23780. key:
  23781. description: |-
  23782. A key in the referenced Secret.
  23783. Some instances of this field may be defaulted, in others it may be required.
  23784. maxLength: 253
  23785. minLength: 1
  23786. pattern: ^[-._a-zA-Z0-9]+$
  23787. type: string
  23788. name:
  23789. description: The name of the Secret resource being referred to.
  23790. maxLength: 253
  23791. minLength: 1
  23792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23793. type: string
  23794. namespace:
  23795. description: |-
  23796. The namespace of the Secret resource being referred to.
  23797. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23798. maxLength: 63
  23799. minLength: 1
  23800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23801. type: string
  23802. type: object
  23803. serviceAccountRef:
  23804. description: |-
  23805. Optional service account field containing the name of a kubernetes ServiceAccount.
  23806. If the service account is specified, the service account secret token JWT will be used
  23807. for authenticating with Vault. If the service account selector is not supplied,
  23808. the secretRef will be used instead.
  23809. properties:
  23810. audiences:
  23811. description: |-
  23812. Audience specifies the `aud` claim for the service account token
  23813. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23814. then this audiences will be appended to the list
  23815. items:
  23816. type: string
  23817. type: array
  23818. name:
  23819. description: The name of the ServiceAccount resource being referred to.
  23820. maxLength: 253
  23821. minLength: 1
  23822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23823. type: string
  23824. namespace:
  23825. description: |-
  23826. Namespace of the resource being referred to.
  23827. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23828. maxLength: 63
  23829. minLength: 1
  23830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23831. type: string
  23832. required:
  23833. - name
  23834. type: object
  23835. required:
  23836. - mountPath
  23837. - role
  23838. type: object
  23839. ldap:
  23840. description: |-
  23841. Ldap authenticates with Vault by passing username/password pair using
  23842. the LDAP authentication method
  23843. properties:
  23844. path:
  23845. default: ldap
  23846. description: |-
  23847. Path where the LDAP authentication backend is mounted
  23848. in Vault, e.g: "ldap"
  23849. type: string
  23850. secretRef:
  23851. description: |-
  23852. SecretRef to a key in a Secret resource containing password for the LDAP
  23853. user used to authenticate with Vault using the LDAP authentication
  23854. method
  23855. properties:
  23856. key:
  23857. description: |-
  23858. A key in the referenced Secret.
  23859. Some instances of this field may be defaulted, in others it may be required.
  23860. maxLength: 253
  23861. minLength: 1
  23862. pattern: ^[-._a-zA-Z0-9]+$
  23863. type: string
  23864. name:
  23865. description: The name of the Secret resource being referred to.
  23866. maxLength: 253
  23867. minLength: 1
  23868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23869. type: string
  23870. namespace:
  23871. description: |-
  23872. The namespace of the Secret resource being referred to.
  23873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23874. maxLength: 63
  23875. minLength: 1
  23876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23877. type: string
  23878. type: object
  23879. username:
  23880. description: |-
  23881. Username is an LDAP username used to authenticate using the LDAP Vault
  23882. authentication method
  23883. type: string
  23884. required:
  23885. - path
  23886. - username
  23887. type: object
  23888. namespace:
  23889. description: |-
  23890. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  23891. Namespaces is a set of features within Vault Enterprise that allows
  23892. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  23893. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  23894. This will default to Vault.Namespace field if set, or empty otherwise
  23895. type: string
  23896. tokenSecretRef:
  23897. description: TokenSecretRef authenticates with Vault by presenting a token.
  23898. properties:
  23899. key:
  23900. description: |-
  23901. A key in the referenced Secret.
  23902. Some instances of this field may be defaulted, in others it may be required.
  23903. maxLength: 253
  23904. minLength: 1
  23905. pattern: ^[-._a-zA-Z0-9]+$
  23906. type: string
  23907. name:
  23908. description: The name of the Secret resource being referred to.
  23909. maxLength: 253
  23910. minLength: 1
  23911. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23912. type: string
  23913. namespace:
  23914. description: |-
  23915. The namespace of the Secret resource being referred to.
  23916. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23917. maxLength: 63
  23918. minLength: 1
  23919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23920. type: string
  23921. type: object
  23922. userPass:
  23923. description: UserPass authenticates with Vault by passing username/password pair
  23924. properties:
  23925. path:
  23926. default: userpass
  23927. description: |-
  23928. Path where the UserPassword authentication backend is mounted
  23929. in Vault, e.g: "userpass"
  23930. type: string
  23931. secretRef:
  23932. description: |-
  23933. SecretRef to a key in a Secret resource containing password for the
  23934. user used to authenticate with Vault using the UserPass authentication
  23935. method
  23936. properties:
  23937. key:
  23938. description: |-
  23939. A key in the referenced Secret.
  23940. Some instances of this field may be defaulted, in others it may be required.
  23941. maxLength: 253
  23942. minLength: 1
  23943. pattern: ^[-._a-zA-Z0-9]+$
  23944. type: string
  23945. name:
  23946. description: The name of the Secret resource being referred to.
  23947. maxLength: 253
  23948. minLength: 1
  23949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23950. type: string
  23951. namespace:
  23952. description: |-
  23953. The namespace of the Secret resource being referred to.
  23954. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23955. maxLength: 63
  23956. minLength: 1
  23957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23958. type: string
  23959. type: object
  23960. username:
  23961. description: |-
  23962. Username is a username used to authenticate using the UserPass Vault
  23963. authentication method
  23964. type: string
  23965. required:
  23966. - path
  23967. - username
  23968. type: object
  23969. type: object
  23970. caBundle:
  23971. description: |-
  23972. PEM encoded CA bundle used to validate Vault server certificate. Only used
  23973. if the Server URL is using HTTPS protocol. This parameter is ignored for
  23974. plain HTTP protocol connection. If not set the system root certificates
  23975. are used to validate the TLS connection.
  23976. format: byte
  23977. type: string
  23978. caProvider:
  23979. description: The provider for the CA bundle to use to validate Vault server certificate.
  23980. properties:
  23981. key:
  23982. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23983. maxLength: 253
  23984. minLength: 1
  23985. pattern: ^[-._a-zA-Z0-9]+$
  23986. type: string
  23987. name:
  23988. description: The name of the object located at the provider type.
  23989. maxLength: 253
  23990. minLength: 1
  23991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23992. type: string
  23993. namespace:
  23994. description: |-
  23995. The namespace the Provider type is in.
  23996. Can only be defined when used in a ClusterSecretStore.
  23997. maxLength: 63
  23998. minLength: 1
  23999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24000. type: string
  24001. type:
  24002. description: The type of provider to use such as "Secret", or "ConfigMap".
  24003. enum:
  24004. - Secret
  24005. - ConfigMap
  24006. type: string
  24007. required:
  24008. - name
  24009. - type
  24010. type: object
  24011. forwardInconsistent:
  24012. description: |-
  24013. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  24014. leader instead of simply retrying within a loop. This can increase performance if
  24015. the option is enabled serverside.
  24016. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  24017. type: boolean
  24018. headers:
  24019. additionalProperties:
  24020. type: string
  24021. description: Headers to be added in Vault request
  24022. type: object
  24023. namespace:
  24024. description: |-
  24025. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  24026. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24027. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24028. type: string
  24029. path:
  24030. description: |-
  24031. Path is the mount path of the Vault KV backend endpoint, e.g:
  24032. "secret". The v2 KV secret engine version specific "/data" path suffix
  24033. for fetching secrets from Vault is optional and will be appended
  24034. if not present in specified path.
  24035. type: string
  24036. readYourWrites:
  24037. description: |-
  24038. ReadYourWrites ensures isolated read-after-write semantics by
  24039. providing discovered cluster replication states in each request.
  24040. More information about eventual consistency in Vault can be found here
  24041. https://www.vaultproject.io/docs/enterprise/consistency
  24042. type: boolean
  24043. server:
  24044. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  24045. type: string
  24046. tls:
  24047. description: |-
  24048. The configuration used for client side related TLS communication, when the Vault server
  24049. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  24050. This parameter is ignored for plain HTTP protocol connection.
  24051. It's worth noting this configuration is different from the "TLS certificates auth method",
  24052. which is available under the `auth.cert` section.
  24053. properties:
  24054. certSecretRef:
  24055. description: |-
  24056. CertSecretRef is a certificate added to the transport layer
  24057. when communicating with the Vault server.
  24058. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  24059. properties:
  24060. key:
  24061. description: |-
  24062. A key in the referenced Secret.
  24063. Some instances of this field may be defaulted, in others it may be required.
  24064. maxLength: 253
  24065. minLength: 1
  24066. pattern: ^[-._a-zA-Z0-9]+$
  24067. type: string
  24068. name:
  24069. description: The name of the Secret resource being referred to.
  24070. maxLength: 253
  24071. minLength: 1
  24072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24073. type: string
  24074. namespace:
  24075. description: |-
  24076. The namespace of the Secret resource being referred to.
  24077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24078. maxLength: 63
  24079. minLength: 1
  24080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24081. type: string
  24082. type: object
  24083. keySecretRef:
  24084. description: |-
  24085. KeySecretRef to a key in a Secret resource containing client private key
  24086. added to the transport layer when communicating with the Vault server.
  24087. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  24088. properties:
  24089. key:
  24090. description: |-
  24091. A key in the referenced Secret.
  24092. Some instances of this field may be defaulted, in others it may be required.
  24093. maxLength: 253
  24094. minLength: 1
  24095. pattern: ^[-._a-zA-Z0-9]+$
  24096. type: string
  24097. name:
  24098. description: The name of the Secret resource being referred to.
  24099. maxLength: 253
  24100. minLength: 1
  24101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24102. type: string
  24103. namespace:
  24104. description: |-
  24105. The namespace of the Secret resource being referred to.
  24106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24107. maxLength: 63
  24108. minLength: 1
  24109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24110. type: string
  24111. type: object
  24112. type: object
  24113. version:
  24114. default: v2
  24115. description: |-
  24116. Version is the Vault KV secret engine version. This can be either "v1" or
  24117. "v2". Version defaults to "v2".
  24118. enum:
  24119. - v1
  24120. - v2
  24121. type: string
  24122. required:
  24123. - server
  24124. type: object
  24125. resultType:
  24126. default: Data
  24127. description: |-
  24128. Result type defines which data is returned from the generator.
  24129. By default it is the "data" section of the Vault API response.
  24130. When using e.g. /auth/token/create the "data" section is empty but
  24131. the "auth" section contains the generated token.
  24132. Please refer to the vault docs regarding the result data structure.
  24133. Additionally, accessing the raw response is possibly by using "Raw" result type.
  24134. enum:
  24135. - Data
  24136. - Auth
  24137. - Raw
  24138. type: string
  24139. retrySettings:
  24140. description: Used to configure http retries if failed
  24141. properties:
  24142. maxRetries:
  24143. format: int32
  24144. type: integer
  24145. retryInterval:
  24146. type: string
  24147. type: object
  24148. required:
  24149. - path
  24150. - provider
  24151. type: object
  24152. type: object
  24153. served: true
  24154. storage: true
  24155. subresources:
  24156. status: {}
  24157. conversion:
  24158. strategy: Webhook
  24159. webhook:
  24160. conversionReviewVersions:
  24161. - v1
  24162. clientConfig:
  24163. service:
  24164. name: kubernetes
  24165. namespace: default
  24166. path: /convert
  24167. ---
  24168. apiVersion: apiextensions.k8s.io/v1
  24169. kind: CustomResourceDefinition
  24170. metadata:
  24171. annotations:
  24172. controller-gen.kubebuilder.io/version: v0.17.3
  24173. labels:
  24174. external-secrets.io/component: controller
  24175. name: webhooks.generators.external-secrets.io
  24176. spec:
  24177. group: generators.external-secrets.io
  24178. names:
  24179. categories:
  24180. - external-secrets
  24181. - external-secrets-generators
  24182. kind: Webhook
  24183. listKind: WebhookList
  24184. plural: webhooks
  24185. singular: webhook
  24186. scope: Namespaced
  24187. versions:
  24188. - name: v1alpha1
  24189. schema:
  24190. openAPIV3Schema:
  24191. description: |-
  24192. Webhook connects to a third party API server to handle the secrets generation
  24193. configuration parameters in spec.
  24194. You can specify the server, the token, and additional body parameters.
  24195. See documentation for the full API specification for requests and responses.
  24196. properties:
  24197. apiVersion:
  24198. description: |-
  24199. APIVersion defines the versioned schema of this representation of an object.
  24200. Servers should convert recognized schemas to the latest internal value, and
  24201. may reject unrecognized values.
  24202. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  24203. type: string
  24204. kind:
  24205. description: |-
  24206. Kind is a string value representing the REST resource this object represents.
  24207. Servers may infer this from the endpoint the client submits requests to.
  24208. Cannot be updated.
  24209. In CamelCase.
  24210. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  24211. type: string
  24212. metadata:
  24213. type: object
  24214. spec:
  24215. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  24216. properties:
  24217. body:
  24218. description: Body
  24219. type: string
  24220. caBundle:
  24221. description: |-
  24222. PEM encoded CA bundle used to validate webhook server certificate. Only used
  24223. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24224. plain HTTP protocol connection. If not set the system root certificates
  24225. are used to validate the TLS connection.
  24226. format: byte
  24227. type: string
  24228. caProvider:
  24229. description: The provider for the CA bundle to use to validate webhook server certificate.
  24230. properties:
  24231. key:
  24232. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24233. maxLength: 253
  24234. minLength: 1
  24235. pattern: ^[-._a-zA-Z0-9]+$
  24236. type: string
  24237. name:
  24238. description: The name of the object located at the provider type.
  24239. maxLength: 253
  24240. minLength: 1
  24241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24242. type: string
  24243. namespace:
  24244. description: The namespace the Provider type is in.
  24245. maxLength: 63
  24246. minLength: 1
  24247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24248. type: string
  24249. type:
  24250. description: The type of provider to use such as "Secret", or "ConfigMap".
  24251. enum:
  24252. - Secret
  24253. - ConfigMap
  24254. type: string
  24255. required:
  24256. - name
  24257. - type
  24258. type: object
  24259. headers:
  24260. additionalProperties:
  24261. type: string
  24262. description: Headers
  24263. type: object
  24264. method:
  24265. description: Webhook Method
  24266. type: string
  24267. result:
  24268. description: Result formatting
  24269. properties:
  24270. jsonPath:
  24271. description: Json path of return value
  24272. type: string
  24273. type: object
  24274. secrets:
  24275. description: |-
  24276. Secrets to fill in templates
  24277. These secrets will be passed to the templating function as key value pairs under the given name
  24278. items:
  24279. properties:
  24280. name:
  24281. description: Name of this secret in templates
  24282. type: string
  24283. secretRef:
  24284. description: Secret ref to fill in credentials
  24285. properties:
  24286. key:
  24287. description: The key where the token is found.
  24288. maxLength: 253
  24289. minLength: 1
  24290. pattern: ^[-._a-zA-Z0-9]+$
  24291. type: string
  24292. name:
  24293. description: The name of the Secret resource being referred to.
  24294. maxLength: 253
  24295. minLength: 1
  24296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24297. type: string
  24298. type: object
  24299. required:
  24300. - name
  24301. - secretRef
  24302. type: object
  24303. type: array
  24304. timeout:
  24305. description: Timeout
  24306. type: string
  24307. url:
  24308. description: Webhook url to call
  24309. type: string
  24310. required:
  24311. - result
  24312. - url
  24313. type: object
  24314. type: object
  24315. served: true
  24316. storage: true
  24317. subresources:
  24318. status: {}
  24319. conversion:
  24320. strategy: Webhook
  24321. webhook:
  24322. conversionReviewVersions:
  24323. - v1
  24324. clientConfig:
  24325. service:
  24326. name: kubernetes
  24327. namespace: default
  24328. path: /convert