| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.8.0
- creationTimestamp: null
- name: clustersecretstores.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - externalsecrets
- kind: ClusterSecretStore
- listKind: ClusterSecretStoreList
- plural: clustersecretstores
- shortNames:
- - css
- singular: clustersecretstore
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterSecretStore represents a secure external location for
- storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
- The KES controller is instantiated with a specific controller name
- and filters ES based on this property'
- type: string
- provider:
- description: Used to configure the provider. Only one provider may
- be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using
- Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to
- be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Akeyless.
- properties:
- secretRef:
- description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
- AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- accessType:
- description: A reference to a specific 'key' within
- a Secret resource, In some instances, `key` is a
- required field.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- accessTypeParam:
- description: A reference to a specific 'key' within
- a Secret resource, In some instances, `key` is a
- required field.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using
- Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: AlibabaAuthSecretRef holds secret references
- for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- required:
- - secretRef
- type: object
- endpoint:
- type: string
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS
- Secret Manager provider
- properties:
- auth:
- description: 'Auth defines the information necessary to authenticate
- against AWS if not set aws sdk will infer credentials from
- your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- properties:
- jwt:
- description: Authenticate against AWS using service account
- tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: AWSAuthSecretRef holds secret references
- for AWS credentials both AccessKeyID and SecretAccessKey
- must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- type: object
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the SecretManager provider
- will assume
- type: string
- service:
- description: Service defines which service should be used
- to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using
- Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Azure. Required for ServicePrincipal auth type.
- properties:
- clientId:
- description: The Azure clientId of the service principle
- used for authentication.
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle
- used for authentication.
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- authType:
- default: ServicePrincipal
- description: 'Auth type defines how to authenticate to the
- keyvault service. Valid values are: - "ServicePrincipal"
- (default): Using a service principal (tenantId, clientId,
- clientSecret) - "ManagedIdentity": Using Managed Identity
- assigned to the pod (see aad-pod-identity)'
- enum:
- - ServicePrincipal
- - ManagedIdentity
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the
- pod, you can select the one to be used
- type: string
- tenantId:
- description: TenantID configures the Azure Tenant to send
- requests to. Required for ServicePrincipal auth type.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched
- from.
- type: string
- required:
- - vaultUrl
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using
- Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate
- against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- gitlab:
- description: GItlab configures this store to sync secrets using
- Gitlab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- projectID:
- description: ProjectID specifies a project where secrets are
- located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults
- to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM
- Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the IBM secrets manager.
- properties:
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific
- to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets
- using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a Kubernetes instance.
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- cert:
- description: A reference to a specific 'key' within
- a Secret resource, In some instances, `key` is a
- required field.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- key:
- description: A reference to a specific 'key' within
- a Secret resource, In some instances, `key` is a
- required field.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be
- used for authentication
- properties:
- serviceAccount:
- description: A reference to a ServiceAccount resource.
- properties:
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: A reference to a specific 'key' within
- a Secret resource, In some instances, `key` is a
- required field.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- type: string
- server:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the
- provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- required:
- - auth
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using
- Oracle Vault provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Oracle Vault.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the
- API private key.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing
- Key in PEM format, used for authentication.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- region:
- description: Region is the region where secret is located.
- type: string
- tenancy:
- description: Tenancy is the tenancy OCID where secret is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- vault:
- description: Vault is the vault's OCID of the specific vault
- where secret is located.
- type: string
- required:
- - auth
- type: object
- vault:
- description: Vault configures this store to sync secrets using
- Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Vault server.
- properties:
- appRole:
- description: AppRole authenticates with Vault using the
- App Role auth mechanism, with the role and secret stored
- in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: 'Path where the App Role authentication
- backend is mounted in Vault, e.g: "approle"'
- type: string
- roleId:
- description: RoleID configured in the App Role authentication
- backend when setting up the authentication backend
- in Vault.
- type: string
- secretRef:
- description: Reference to a key in a Secret that contains
- the App Role secret used to authenticate with Vault.
- The `key` field must be specified and denotes which
- entry within the Secret resource is used as the
- app role secret.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- required:
- - path
- - roleId
- - secretRef
- type: object
- cert:
- description: Cert authenticates with TLS Certificates
- by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: ClientCert is a certificate to authenticate
- using the Cert Vault authentication method
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- secretRef:
- description: SecretRef to a key in a Secret resource
- containing client private key to authenticate with
- Vault using the Cert authentication method
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- type: object
- jwt:
- description: Jwt authenticates with Vault by passing role
- and JWT token using the JWT/OIDC authentication method
- properties:
- path:
- default: jwt
- description: 'Path where the JWT authentication backend
- is mounted in Vault, e.g: "jwt"'
- type: string
- role:
- description: Role is a JWT role to authenticate using
- the JWT/OIDC Vault authentication method
- type: string
- secretRef:
- description: SecretRef to a key in a Secret resource
- containing JWT token to authenticate with Vault
- using the JWT/OIDC authentication method
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: Kubernetes authenticates with Vault by passing
- the ServiceAccount token stored in the named Secret
- resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: 'Path where the Kubernetes authentication
- backend is mounted in Vault, e.g: "kubernetes"'
- type: string
- role:
- description: A required field containing the Vault
- Role to assume. A Role binds a Kubernetes ServiceAccount
- with a set of Vault policies.
- type: string
- secretRef:
- description: Optional secret field containing a Kubernetes
- ServiceAccount JWT used for authenticating with
- Vault. If a name is specified without a key, `token`
- is the default. If one is not specified, the one
- bound to the controller will be used.
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- serviceAccountRef:
- description: Optional service account field containing
- the name of a kubernetes ServiceAccount. If the
- service account is specified, the service account
- secret token JWT will be used for authenticating
- with Vault. If the service account selector is not
- supplied, the secretRef will be used instead.
- properties:
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: Ldap authenticates with Vault by passing
- username/password pair using the LDAP authentication
- method
- properties:
- path:
- default: ldap
- description: 'Path where the LDAP authentication backend
- is mounted in Vault, e.g: "ldap"'
- type: string
- secretRef:
- description: SecretRef to a key in a Secret resource
- containing password for the LDAP user used to authenticate
- with Vault using the LDAP authentication method
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it
- may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of
- the referent.
- type: string
- type: object
- username:
- description: Username is a LDAP user name used to
- authenticate using the LDAP Vault authentication
- method
- type: string
- required:
- - path
- - username
- type: object
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by
- presenting a token.
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- type: object
- type: object
- caBundle:
- description: PEM encoded CA bundle used to validate Vault
- server certificate. Only used if the Server URL is using
- HTTPS protocol. This parameter is ignored for plain HTTP
- protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- Vault server certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: ForwardInconsistent tells Vault to forward read-after-write
- requests to the Vault leader instead of simply retrying
- within a loop. This can increase performance if the option
- is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- namespace:
- description: 'Name of the vault namespace. Namespaces is a
- set of features within Vault Enterprise that allows Vault
- environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
- type: string
- path:
- description: 'Path is the mount path of the Vault KV backend
- endpoint, e.g: "secret". The v2 KV secret engine version
- specific "/data" path suffix for fetching secrets from Vault
- is optional and will be appended if not present in specified
- path.'
- type: string
- readYourWrites:
- description: ReadYourWrites ensures isolated read-after-write
- semantics by providing discovered cluster replication states
- in each request. More information about eventual consistency
- in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault
- server, e.g: "https://vault.example.com:8200".'
- type: string
- version:
- default: v2
- description: Version is the Vault KV secret engine version.
- This can be either "v1" or "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using
- a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: PEM encoded CA bundle used to validate webhook
- server certificate. Only used if the Server URL is using
- HTTPS protocol. This parameter is ignored for plain HTTP
- protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- webhook server certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: Secrets to fill in templates These secrets will
- be passed to the templating function as key value pairs
- under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: The key of the entry in the Secret
- resource's `data` field to be used. Some instances
- of this field may be defaulted, in others it may
- be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped.
- cluster-scoped defaults to the namespace of the
- referent.
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets
- using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate
- against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate
- Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource, In some instances, `key` is a required
- field.
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: Namespace of the resource being referred
- to. Ignored if referent is not cluster-scoped. cluster-scoped
- defaults to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
|
