bundle.yaml 1.8 MB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646764776487649765076517652765376547655765676577658765976607661766276637664766576667667766876697670767176727673767476757676767776787679768076817682768376847685768676877688768976907691769276937694769576967697769876997700770177027703770477057706770777087709771077117712771377147715771677177718771977207721772277237724772577267727772877297730773177327733773477357736773777387739774077417742774377447745774677477748774977507751775277537754775577567757775877597760776177627763776477657766776777687769777077717772777377747775777677777778777977807781778277837784778577867787778877897790779177927793779477957796779777987799780078017802780378047805780678077808780978107811781278137814781578167817781878197820782178227823782478257826782778287829783078317832783378347835783678377838783978407841784278437844784578467847784878497850785178527853785478557856785778587859786078617862786378647865786678677868786978707871787278737874787578767877787878797880788178827883788478857886788778887889789078917892789378947895789678977898789979007901790279037904790579067907790879097910791179127913791479157916791779187919792079217922792379247925792679277928792979307931793279337934793579367937793879397940794179427943794479457946794779487949795079517952795379547955795679577958795979607961796279637964796579667967796879697970797179727973797479757976797779787979798079817982798379847985798679877988798979907991799279937994799579967997799879998000800180028003800480058006800780088009801080118012801380148015801680178018801980208021802280238024802580268027802880298030803180328033803480358036803780388039804080418042804380448045804680478048804980508051805280538054805580568057805880598060806180628063806480658066806780688069807080718072807380748075807680778078807980808081808280838084808580868087808880898090809180928093809480958096809780988099810081018102810381048105810681078108810981108111811281138114811581168117811881198120812181228123812481258126812781288129813081318132813381348135813681378138813981408141814281438144814581468147814881498150815181528153815481558156815781588159816081618162816381648165816681678168816981708171817281738174817581768177817881798180818181828183818481858186818781888189819081918192819381948195819681978198819982008201820282038204820582068207820882098210821182128213821482158216821782188219822082218222822382248225822682278228822982308231823282338234823582368237823882398240824182428243824482458246824782488249825082518252825382548255825682578258825982608261826282638264826582668267826882698270827182728273827482758276827782788279828082818282828382848285828682878288828982908291829282938294829582968297829882998300830183028303830483058306830783088309831083118312831383148315831683178318831983208321832283238324832583268327832883298330833183328333833483358336833783388339834083418342834383448345834683478348834983508351835283538354835583568357835883598360836183628363836483658366836783688369837083718372837383748375837683778378837983808381838283838384838583868387838883898390839183928393839483958396839783988399840084018402840384048405840684078408840984108411841284138414841584168417841884198420842184228423842484258426842784288429843084318432843384348435843684378438843984408441844284438444844584468447844884498450845184528453845484558456845784588459846084618462846384648465846684678468846984708471847284738474847584768477847884798480848184828483848484858486848784888489849084918492849384948495849684978498849985008501850285038504850585068507850885098510851185128513851485158516851785188519852085218522852385248525852685278528852985308531853285338534853585368537853885398540854185428543854485458546854785488549855085518552855385548555855685578558855985608561856285638564856585668567856885698570857185728573857485758576857785788579858085818582858385848585858685878588858985908591859285938594859585968597859885998600860186028603860486058606860786088609861086118612861386148615861686178618861986208621862286238624862586268627862886298630863186328633863486358636863786388639864086418642864386448645864686478648864986508651865286538654865586568657865886598660866186628663866486658666866786688669867086718672867386748675867686778678867986808681868286838684868586868687868886898690869186928693869486958696869786988699870087018702870387048705870687078708870987108711871287138714871587168717871887198720872187228723872487258726872787288729873087318732873387348735873687378738873987408741874287438744874587468747874887498750875187528753875487558756875787588759876087618762876387648765876687678768876987708771877287738774877587768777877887798780878187828783878487858786878787888789879087918792879387948795879687978798879988008801880288038804880588068807880888098810881188128813881488158816881788188819882088218822882388248825882688278828882988308831883288338834883588368837883888398840884188428843884488458846884788488849885088518852885388548855885688578858885988608861886288638864886588668867886888698870887188728873887488758876887788788879888088818882888388848885888688878888888988908891889288938894889588968897889888998900890189028903890489058906890789088909891089118912891389148915891689178918891989208921892289238924892589268927892889298930893189328933893489358936893789388939894089418942894389448945894689478948894989508951895289538954895589568957895889598960896189628963896489658966896789688969897089718972897389748975897689778978897989808981898289838984898589868987898889898990899189928993899489958996899789988999900090019002900390049005900690079008900990109011901290139014901590169017901890199020902190229023902490259026902790289029903090319032903390349035903690379038903990409041904290439044904590469047904890499050905190529053905490559056905790589059906090619062906390649065906690679068906990709071907290739074907590769077907890799080908190829083908490859086908790889089909090919092909390949095909690979098909991009101910291039104910591069107910891099110911191129113911491159116911791189119912091219122912391249125912691279128912991309131913291339134913591369137913891399140914191429143914491459146914791489149915091519152915391549155915691579158915991609161916291639164916591669167916891699170917191729173917491759176917791789179918091819182918391849185918691879188918991909191919291939194919591969197919891999200920192029203920492059206920792089209921092119212921392149215921692179218921992209221922292239224922592269227922892299230923192329233923492359236923792389239924092419242924392449245924692479248924992509251925292539254925592569257925892599260926192629263926492659266926792689269927092719272927392749275927692779278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977797789779978097819782978397849785978697879788978997909791979297939794979597969797979897999800980198029803980498059806980798089809981098119812981398149815981698179818981998209821982298239824982598269827982898299830983198329833983498359836983798389839984098419842984398449845984698479848984998509851985298539854985598569857985898599860986198629863986498659866986798689869987098719872987398749875987698779878987998809881988298839884988598869887988898899890989198929893989498959896989798989899990099019902990399049905990699079908990999109911991299139914991599169917991899199920992199229923992499259926992799289929993099319932993399349935993699379938993999409941994299439944994599469947994899499950995199529953995499559956995799589959996099619962996399649965996699679968996999709971997299739974997599769977997899799980998199829983998499859986998799889989999099919992999399949995999699979998999910000100011000210003100041000510006100071000810009100101001110012100131001410015100161001710018100191002010021100221002310024100251002610027100281002910030100311003210033100341003510036100371003810039100401004110042100431004410045100461004710048100491005010051100521005310054100551005610057100581005910060100611006210063100641006510066100671006810069100701007110072100731007410075100761007710078100791008010081100821008310084100851008610087100881008910090100911009210093100941009510096100971009810099101001010110102101031010410105101061010710108101091011010111101121011310114101151011610117101181011910120101211012210123101241012510126101271012810129101301013110132101331013410135101361013710138101391014010141101421014310144101451014610147101481014910150101511015210153101541015510156101571015810159101601016110162101631016410165101661016710168101691017010171101721017310174101751017610177101781017910180101811018210183101841018510186101871018810189101901019110192101931019410195101961019710198101991020010201102021020310204102051020610207102081020910210102111021210213102141021510216102171021810219102201022110222102231022410225102261022710228102291023010231102321023310234102351023610237102381023910240102411024210243102441024510246102471024810249102501025110252102531025410255102561025710258102591026010261102621026310264102651026610267102681026910270102711027210273102741027510276102771027810279102801028110282102831028410285102861028710288102891029010291102921029310294102951029610297102981029910300103011030210303103041030510306103071030810309103101031110312103131031410315103161031710318103191032010321103221032310324103251032610327103281032910330103311033210333103341033510336103371033810339103401034110342103431034410345103461034710348103491035010351103521035310354103551035610357103581035910360103611036210363103641036510366103671036810369103701037110372103731037410375103761037710378103791038010381103821038310384103851038610387103881038910390103911039210393103941039510396103971039810399104001040110402104031040410405104061040710408104091041010411104121041310414104151041610417104181041910420104211042210423104241042510426104271042810429104301043110432104331043410435104361043710438104391044010441104421044310444104451044610447104481044910450104511045210453104541045510456104571045810459104601046110462104631046410465104661046710468104691047010471104721047310474104751047610477104781047910480104811048210483104841048510486104871048810489104901049110492104931049410495104961049710498104991050010501105021050310504105051050610507105081050910510105111051210513105141051510516105171051810519105201052110522105231052410525105261052710528105291053010531105321053310534105351053610537105381053910540105411054210543105441054510546105471054810549105501055110552105531055410555105561055710558105591056010561105621056310564105651056610567105681056910570105711057210573105741057510576105771057810579105801058110582105831058410585105861058710588105891059010591105921059310594105951059610597105981059910600106011060210603106041060510606106071060810609106101061110612106131061410615106161061710618106191062010621106221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211102211023110241102511026110271102811029110301103111032110331103411035110361103711038110391104011041110421104311044110451104611047110481104911050110511105211053110541105511056110571105811059110601106111062110631106411065110661106711068110691107011071110721107311074110751107611077110781107911080110811108211083110841108511086110871108811089110901109111092110931109411095110961109711098110991110011101111021110311104111051110611107111081110911110111111111211113111141111511116111171111811119111201112111122111231112411125111261112711128111291113011131111321113311134111351113611137111381113911140111411114211143111441114511146111471114811149111501115111152111531115411155111561115711158111591116011161111621116311164111651116611167111681116911170111711117211173111741117511176111771117811179111801118111182111831118411185111861118711188111891119011191111921119311194111951119611197111981119911200112011120211203112041120511206112071120811209112101121111212112131121411215112161121711218112191122011221112221122311224112251122611227112281122911230112311123211233112341123511236112371123811239112401124111242112431124411245112461124711248112491125011251112521125311254112551125611257112581125911260112611126211263112641126511266112671126811269112701127111272112731127411275112761127711278112791128011281112821128311284112851128611287112881128911290112911129211293112941129511296112971129811299113001130111302113031130411305113061130711308113091131011311113121131311314113151131611317113181131911320113211132211323113241132511326113271132811329113301133111332113331133411335113361133711338113391134011341113421134311344113451134611347113481134911350113511135211353113541135511356113571135811359113601136111362113631136411365113661136711368113691137011371113721137311374113751137611377113781137911380113811138211383113841138511386113871138811389113901139111392113931139411395113961139711398113991140011401114021140311404114051140611407114081140911410114111141211413114141141511416114171141811419114201142111422114231142411425114261142711428114291143011431114321143311434114351143611437114381143911440114411144211443114441144511446114471144811449114501145111452114531145411455114561145711458114591146011461114621146311464114651146611467114681146911470114711147211473114741147511476114771147811479114801148111482114831148411485114861148711488114891149011491114921149311494114951149611497114981149911500115011150211503115041150511506115071150811509115101151111512115131151411515115161151711518115191152011521115221152311524115251152611527115281152911530115311153211533115341153511536115371153811539115401154111542115431154411545115461154711548115491155011551115521155311554115551155611557115581155911560115611156211563115641156511566115671156811569115701157111572115731157411575115761157711578115791158011581115821158311584115851158611587115881158911590115911159211593115941159511596115971159811599116001160111602116031160411605116061160711608116091161011611116121161311614116151161611617116181161911620116211162211623116241162511626116271162811629116301163111632116331163411635116361163711638116391164011641116421164311644116451164611647116481164911650116511165211653116541165511656116571165811659116601166111662116631166411665116661166711668116691167011671116721167311674116751167611677116781167911680116811168211683116841168511686116871168811689116901169111692116931169411695116961169711698116991170011701117021170311704117051170611707117081170911710117111171211713117141171511716117171171811719117201172111722117231172411725117261172711728117291173011731117321173311734117351173611737117381173911740117411174211743117441174511746117471174811749117501175111752117531175411755117561175711758117591176011761117621176311764117651176611767117681176911770117711177211773117741177511776117771177811779117801178111782117831178411785117861178711788117891179011791117921179311794117951179611797117981179911800118011180211803118041180511806118071180811809118101181111812118131181411815118161181711818118191182011821118221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211222212223122241222512226122271222812229122301223112232122331223412235122361223712238122391224012241122421224312244122451224612247122481224912250122511225212253122541225512256122571225812259122601226112262122631226412265122661226712268122691227012271122721227312274122751227612277122781227912280122811228212283122841228512286122871228812289122901229112292122931229412295122961229712298122991230012301123021230312304123051230612307123081230912310123111231212313123141231512316123171231812319123201232112322123231232412325123261232712328123291233012331123321233312334123351233612337123381233912340123411234212343123441234512346123471234812349123501235112352123531235412355123561235712358123591236012361123621236312364123651236612367123681236912370123711237212373123741237512376123771237812379123801238112382123831238412385123861238712388123891239012391123921239312394123951239612397123981239912400124011240212403124041240512406124071240812409124101241112412124131241412415124161241712418124191242012421124221242312424124251242612427124281242912430124311243212433124341243512436124371243812439124401244112442124431244412445124461244712448124491245012451124521245312454124551245612457124581245912460124611246212463124641246512466124671246812469124701247112472124731247412475124761247712478124791248012481124821248312484124851248612487124881248912490124911249212493124941249512496124971249812499125001250112502125031250412505125061250712508125091251012511125121251312514125151251612517125181251912520125211252212523125241252512526125271252812529125301253112532125331253412535125361253712538125391254012541125421254312544125451254612547125481254912550125511255212553125541255512556125571255812559125601256112562125631256412565125661256712568125691257012571125721257312574125751257612577125781257912580125811258212583125841258512586125871258812589125901259112592125931259412595125961259712598125991260012601126021260312604126051260612607126081260912610126111261212613126141261512616126171261812619126201262112622126231262412625126261262712628126291263012631126321263312634126351263612637126381263912640126411264212643126441264512646126471264812649126501265112652126531265412655126561265712658126591266012661126621266312664126651266612667126681266912670126711267212673126741267512676126771267812679126801268112682126831268412685126861268712688126891269012691126921269312694126951269612697126981269912700127011270212703127041270512706127071270812709127101271112712127131271412715127161271712718127191272012721127221272312724127251272612727127281272912730127311273212733127341273512736127371273812739127401274112742127431274412745127461274712748127491275012751127521275312754127551275612757127581275912760127611276212763127641276512766127671276812769127701277112772127731277412775127761277712778127791278012781127821278312784127851278612787127881278912790127911279212793127941279512796127971279812799128001280112802128031280412805128061280712808128091281012811128121281312814128151281612817128181281912820128211282212823128241282512826128271282812829128301283112832128331283412835128361283712838128391284012841128421284312844128451284612847128481284912850128511285212853128541285512856128571285812859128601286112862128631286412865128661286712868128691287012871128721287312874128751287612877128781287912880128811288212883128841288512886128871288812889128901289112892128931289412895128961289712898128991290012901129021290312904129051290612907129081290912910129111291212913129141291512916129171291812919129201292112922129231292412925129261292712928129291293012931129321293312934129351293612937129381293912940129411294212943129441294512946129471294812949129501295112952129531295412955129561295712958129591296012961129621296312964129651296612967129681296912970129711297212973129741297512976129771297812979129801298112982129831298412985129861298712988129891299012991129921299312994129951299612997129981299913000130011300213003130041300513006130071300813009130101301113012130131301413015130161301713018130191302013021130221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211342213423134241342513426134271342813429134301343113432134331343413435134361343713438134391344013441134421344313444134451344613447134481344913450134511345213453134541345513456134571345813459134601346113462134631346413465134661346713468134691347013471134721347313474134751347613477134781347913480134811348213483134841348513486134871348813489134901349113492134931349413495134961349713498134991350013501135021350313504135051350613507135081350913510135111351213513135141351513516135171351813519135201352113522135231352413525135261352713528135291353013531135321353313534135351353613537135381353913540135411354213543135441354513546135471354813549135501355113552135531355413555135561355713558135591356013561135621356313564135651356613567135681356913570135711357213573135741357513576135771357813579135801358113582135831358413585135861358713588135891359013591135921359313594135951359613597135981359913600136011360213603136041360513606136071360813609136101361113612136131361413615136161361713618136191362013621136221362313624136251362613627136281362913630136311363213633136341363513636136371363813639136401364113642136431364413645136461364713648136491365013651136521365313654136551365613657136581365913660136611366213663136641366513666136671366813669136701367113672136731367413675136761367713678136791368013681136821368313684136851368613687136881368913690136911369213693136941369513696136971369813699137001370113702137031370413705137061370713708137091371013711137121371313714137151371613717137181371913720137211372213723137241372513726137271372813729137301373113732137331373413735137361373713738137391374013741137421374313744137451374613747137481374913750137511375213753137541375513756137571375813759137601376113762137631376413765137661376713768137691377013771137721377313774137751377613777137781377913780137811378213783137841378513786137871378813789137901379113792137931379413795137961379713798137991380013801138021380313804138051380613807138081380913810138111381213813138141381513816138171381813819138201382113822138231382413825138261382713828138291383013831138321383313834138351383613837138381383913840138411384213843138441384513846138471384813849138501385113852138531385413855138561385713858138591386013861138621386313864138651386613867138681386913870138711387213873138741387513876138771387813879138801388113882138831388413885138861388713888138891389013891138921389313894138951389613897138981389913900139011390213903139041390513906139071390813909139101391113912139131391413915139161391713918139191392013921139221392313924139251392613927139281392913930139311393213933139341393513936139371393813939139401394113942139431394413945139461394713948139491395013951139521395313954139551395613957139581395913960139611396213963139641396513966139671396813969139701397113972139731397413975139761397713978139791398013981139821398313984139851398613987139881398913990139911399213993139941399513996139971399813999140001400114002140031400414005140061400714008140091401014011140121401314014140151401614017140181401914020140211402214023140241402514026140271402814029140301403114032140331403414035140361403714038140391404014041140421404314044140451404614047140481404914050140511405214053140541405514056140571405814059140601406114062140631406414065140661406714068140691407014071140721407314074140751407614077140781407914080140811408214083140841408514086140871408814089140901409114092140931409414095140961409714098140991410014101141021410314104141051410614107141081410914110141111411214113141141411514116141171411814119141201412114122141231412414125141261412714128141291413014131141321413314134141351413614137141381413914140141411414214143141441414514146141471414814149141501415114152141531415414155141561415714158141591416014161141621416314164141651416614167141681416914170141711417214173141741417514176141771417814179141801418114182141831418414185141861418714188141891419014191141921419314194141951419614197141981419914200142011420214203142041420514206142071420814209142101421114212142131421414215142161421714218142191422014221142221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211462214623146241462514626146271462814629146301463114632146331463414635146361463714638146391464014641146421464314644146451464614647146481464914650146511465214653146541465514656146571465814659146601466114662146631466414665146661466714668146691467014671146721467314674146751467614677146781467914680146811468214683146841468514686146871468814689146901469114692146931469414695146961469714698146991470014701147021470314704147051470614707147081470914710147111471214713147141471514716147171471814719147201472114722147231472414725147261472714728147291473014731147321473314734147351473614737147381473914740147411474214743147441474514746147471474814749147501475114752147531475414755147561475714758147591476014761147621476314764147651476614767147681476914770147711477214773147741477514776147771477814779147801478114782147831478414785147861478714788147891479014791147921479314794147951479614797147981479914800148011480214803148041480514806148071480814809148101481114812148131481414815148161481714818148191482014821148221482314824148251482614827148281482914830148311483214833148341483514836148371483814839148401484114842148431484414845148461484714848148491485014851148521485314854148551485614857148581485914860148611486214863148641486514866148671486814869148701487114872148731487414875148761487714878148791488014881148821488314884148851488614887148881488914890148911489214893148941489514896148971489814899149001490114902149031490414905149061490714908149091491014911149121491314914149151491614917149181491914920149211492214923149241492514926149271492814929149301493114932149331493414935149361493714938149391494014941149421494314944149451494614947149481494914950149511495214953149541495514956149571495814959149601496114962149631496414965149661496714968149691497014971149721497314974149751497614977149781497914980149811498214983149841498514986149871498814989149901499114992149931499414995149961499714998149991500015001150021500315004150051500615007150081500915010150111501215013150141501515016150171501815019150201502115022150231502415025150261502715028150291503015031150321503315034150351503615037150381503915040150411504215043150441504515046150471504815049150501505115052150531505415055150561505715058150591506015061150621506315064150651506615067150681506915070150711507215073150741507515076150771507815079150801508115082150831508415085150861508715088150891509015091150921509315094150951509615097150981509915100151011510215103151041510515106151071510815109151101511115112151131511415115151161511715118151191512015121151221512315124151251512615127151281512915130151311513215133151341513515136151371513815139151401514115142151431514415145151461514715148151491515015151151521515315154151551515615157151581515915160151611516215163151641516515166151671516815169151701517115172151731517415175151761517715178151791518015181151821518315184151851518615187151881518915190151911519215193151941519515196151971519815199152001520115202152031520415205152061520715208152091521015211152121521315214152151521615217152181521915220152211522215223152241522515226152271522815229152301523115232152331523415235152361523715238152391524015241152421524315244152451524615247152481524915250152511525215253152541525515256152571525815259152601526115262152631526415265152661526715268152691527015271152721527315274152751527615277152781527915280152811528215283152841528515286152871528815289152901529115292152931529415295152961529715298152991530015301153021530315304153051530615307153081530915310153111531215313153141531515316153171531815319153201532115322153231532415325153261532715328153291533015331153321533315334153351533615337153381533915340153411534215343153441534515346153471534815349153501535115352153531535415355153561535715358153591536015361153621536315364153651536615367153681536915370153711537215373153741537515376153771537815379153801538115382153831538415385153861538715388153891539015391153921539315394153951539615397153981539915400154011540215403154041540515406154071540815409154101541115412154131541415415154161541715418154191542015421154221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211582215823158241582515826158271582815829158301583115832158331583415835158361583715838158391584015841158421584315844158451584615847158481584915850158511585215853158541585515856158571585815859158601586115862158631586415865158661586715868158691587015871158721587315874158751587615877158781587915880158811588215883158841588515886158871588815889158901589115892158931589415895158961589715898158991590015901159021590315904159051590615907159081590915910159111591215913159141591515916159171591815919159201592115922159231592415925159261592715928159291593015931159321593315934159351593615937159381593915940159411594215943159441594515946159471594815949159501595115952159531595415955159561595715958159591596015961159621596315964159651596615967159681596915970159711597215973159741597515976159771597815979159801598115982159831598415985159861598715988159891599015991159921599315994159951599615997159981599916000160011600216003160041600516006160071600816009160101601116012160131601416015160161601716018160191602016021160221602316024160251602616027160281602916030160311603216033160341603516036160371603816039160401604116042160431604416045160461604716048160491605016051160521605316054160551605616057160581605916060160611606216063160641606516066160671606816069160701607116072160731607416075160761607716078160791608016081160821608316084160851608616087160881608916090160911609216093160941609516096160971609816099161001610116102161031610416105161061610716108161091611016111161121611316114161151611616117161181611916120161211612216123161241612516126161271612816129161301613116132161331613416135161361613716138161391614016141161421614316144161451614616147161481614916150161511615216153161541615516156161571615816159161601616116162161631616416165161661616716168161691617016171161721617316174161751617616177161781617916180161811618216183161841618516186161871618816189161901619116192161931619416195161961619716198161991620016201162021620316204162051620616207162081620916210162111621216213162141621516216162171621816219162201622116222162231622416225162261622716228162291623016231162321623316234162351623616237162381623916240162411624216243162441624516246162471624816249162501625116252162531625416255162561625716258162591626016261162621626316264162651626616267162681626916270162711627216273162741627516276162771627816279162801628116282162831628416285162861628716288162891629016291162921629316294162951629616297162981629916300163011630216303163041630516306163071630816309163101631116312163131631416315163161631716318163191632016321163221632316324163251632616327163281632916330163311633216333163341633516336163371633816339163401634116342163431634416345163461634716348163491635016351163521635316354163551635616357163581635916360163611636216363163641636516366163671636816369163701637116372163731637416375163761637716378163791638016381163821638316384163851638616387163881638916390163911639216393163941639516396163971639816399164001640116402164031640416405164061640716408164091641016411164121641316414164151641616417164181641916420164211642216423164241642516426164271642816429164301643116432164331643416435164361643716438164391644016441164421644316444164451644616447164481644916450164511645216453164541645516456164571645816459164601646116462164631646416465164661646716468164691647016471164721647316474164751647616477164781647916480164811648216483164841648516486164871648816489164901649116492164931649416495164961649716498164991650016501165021650316504165051650616507165081650916510165111651216513165141651516516165171651816519165201652116522165231652416525165261652716528165291653016531165321653316534165351653616537165381653916540165411654216543165441654516546165471654816549165501655116552165531655416555165561655716558165591656016561165621656316564165651656616567165681656916570165711657216573165741657516576165771657816579165801658116582165831658416585165861658716588165891659016591165921659316594165951659616597165981659916600166011660216603166041660516606166071660816609166101661116612166131661416615166161661716618166191662016621166221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211702217023170241702517026170271702817029170301703117032170331703417035170361703717038170391704017041170421704317044170451704617047170481704917050170511705217053170541705517056170571705817059170601706117062170631706417065170661706717068170691707017071170721707317074170751707617077170781707917080170811708217083170841708517086170871708817089170901709117092170931709417095170961709717098170991710017101171021710317104171051710617107171081710917110171111711217113171141711517116171171711817119171201712117122171231712417125171261712717128171291713017131171321713317134171351713617137171381713917140171411714217143171441714517146171471714817149171501715117152171531715417155171561715717158171591716017161171621716317164171651716617167171681716917170171711717217173171741717517176171771717817179171801718117182171831718417185171861718717188171891719017191171921719317194171951719617197171981719917200172011720217203172041720517206172071720817209172101721117212172131721417215172161721717218172191722017221172221722317224172251722617227172281722917230172311723217233172341723517236172371723817239172401724117242172431724417245172461724717248172491725017251172521725317254172551725617257172581725917260172611726217263172641726517266172671726817269172701727117272172731727417275172761727717278172791728017281172821728317284172851728617287172881728917290172911729217293172941729517296172971729817299173001730117302173031730417305173061730717308173091731017311173121731317314173151731617317173181731917320173211732217323173241732517326173271732817329173301733117332173331733417335173361733717338173391734017341173421734317344173451734617347173481734917350173511735217353173541735517356173571735817359173601736117362173631736417365173661736717368173691737017371173721737317374173751737617377173781737917380173811738217383173841738517386173871738817389173901739117392173931739417395173961739717398173991740017401174021740317404174051740617407174081740917410174111741217413174141741517416174171741817419174201742117422174231742417425174261742717428174291743017431174321743317434174351743617437174381743917440174411744217443174441744517446174471744817449174501745117452174531745417455174561745717458174591746017461174621746317464174651746617467174681746917470174711747217473174741747517476174771747817479174801748117482174831748417485174861748717488174891749017491174921749317494174951749617497174981749917500175011750217503175041750517506175071750817509175101751117512175131751417515175161751717518175191752017521175221752317524175251752617527175281752917530175311753217533175341753517536175371753817539175401754117542175431754417545175461754717548175491755017551175521755317554175551755617557175581755917560175611756217563175641756517566175671756817569175701757117572175731757417575175761757717578175791758017581175821758317584175851758617587175881758917590175911759217593175941759517596175971759817599176001760117602176031760417605176061760717608176091761017611176121761317614176151761617617176181761917620176211762217623176241762517626176271762817629176301763117632176331763417635176361763717638176391764017641176421764317644176451764617647176481764917650176511765217653176541765517656176571765817659176601766117662176631766417665176661766717668176691767017671176721767317674176751767617677176781767917680176811768217683176841768517686176871768817689176901769117692176931769417695176961769717698176991770017701177021770317704177051770617707177081770917710177111771217713177141771517716177171771817719177201772117722177231772417725177261772717728177291773017731177321773317734177351773617737177381773917740177411774217743177441774517746177471774817749177501775117752177531775417755177561775717758177591776017761177621776317764177651776617767177681776917770177711777217773177741777517776177771777817779177801778117782177831778417785177861778717788177891779017791177921779317794177951779617797177981779917800178011780217803178041780517806178071780817809178101781117812178131781417815178161781717818178191782017821178221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211822218223182241822518226182271822818229182301823118232182331823418235182361823718238182391824018241182421824318244182451824618247182481824918250182511825218253182541825518256182571825818259182601826118262182631826418265182661826718268182691827018271182721827318274182751827618277182781827918280182811828218283182841828518286182871828818289182901829118292182931829418295182961829718298182991830018301183021830318304183051830618307183081830918310183111831218313183141831518316183171831818319183201832118322183231832418325183261832718328183291833018331183321833318334183351833618337183381833918340183411834218343183441834518346183471834818349183501835118352183531835418355183561835718358183591836018361183621836318364183651836618367183681836918370183711837218373183741837518376183771837818379183801838118382183831838418385183861838718388183891839018391183921839318394183951839618397183981839918400184011840218403184041840518406184071840818409184101841118412184131841418415184161841718418184191842018421184221842318424184251842618427184281842918430184311843218433184341843518436184371843818439184401844118442184431844418445184461844718448184491845018451184521845318454184551845618457184581845918460184611846218463184641846518466184671846818469184701847118472184731847418475184761847718478184791848018481184821848318484184851848618487184881848918490184911849218493184941849518496184971849818499185001850118502185031850418505185061850718508185091851018511185121851318514185151851618517185181851918520185211852218523185241852518526185271852818529185301853118532185331853418535185361853718538185391854018541185421854318544185451854618547185481854918550185511855218553185541855518556185571855818559185601856118562185631856418565185661856718568185691857018571185721857318574185751857618577185781857918580185811858218583185841858518586185871858818589185901859118592185931859418595185961859718598185991860018601186021860318604186051860618607186081860918610186111861218613186141861518616186171861818619186201862118622186231862418625186261862718628186291863018631186321863318634186351863618637186381863918640186411864218643186441864518646186471864818649186501865118652186531865418655186561865718658186591866018661186621866318664186651866618667186681866918670186711867218673186741867518676186771867818679186801868118682186831868418685186861868718688186891869018691186921869318694186951869618697186981869918700187011870218703187041870518706187071870818709187101871118712187131871418715187161871718718187191872018721187221872318724187251872618727187281872918730187311873218733187341873518736187371873818739187401874118742187431874418745187461874718748187491875018751187521875318754187551875618757187581875918760187611876218763187641876518766187671876818769187701877118772187731877418775187761877718778187791878018781187821878318784187851878618787187881878918790187911879218793187941879518796187971879818799188001880118802188031880418805188061880718808188091881018811188121881318814188151881618817188181881918820188211882218823188241882518826188271882818829188301883118832188331883418835188361883718838188391884018841188421884318844188451884618847188481884918850188511885218853188541885518856188571885818859188601886118862188631886418865188661886718868188691887018871188721887318874188751887618877188781887918880188811888218883188841888518886188871888818889188901889118892188931889418895188961889718898188991890018901189021890318904189051890618907189081890918910189111891218913189141891518916189171891818919189201892118922189231892418925189261892718928189291893018931189321893318934189351893618937189381893918940189411894218943189441894518946189471894818949189501895118952189531895418955189561895718958189591896018961189621896318964189651896618967189681896918970189711897218973189741897518976189771897818979189801898118982189831898418985189861898718988189891899018991189921899318994189951899618997189981899919000190011900219003190041900519006190071900819009190101901119012190131901419015190161901719018190191902019021190221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211942219423194241942519426194271942819429194301943119432194331943419435194361943719438194391944019441194421944319444194451944619447194481944919450194511945219453194541945519456194571945819459194601946119462194631946419465194661946719468194691947019471194721947319474194751947619477194781947919480194811948219483194841948519486194871948819489194901949119492194931949419495194961949719498194991950019501195021950319504195051950619507195081950919510195111951219513195141951519516195171951819519195201952119522195231952419525195261952719528195291953019531195321953319534195351953619537195381953919540195411954219543195441954519546195471954819549195501955119552195531955419555195561955719558195591956019561195621956319564195651956619567195681956919570195711957219573195741957519576195771957819579195801958119582195831958419585195861958719588195891959019591195921959319594195951959619597195981959919600196011960219603196041960519606196071960819609196101961119612196131961419615196161961719618196191962019621196221962319624196251962619627196281962919630196311963219633196341963519636196371963819639196401964119642196431964419645196461964719648196491965019651196521965319654196551965619657196581965919660196611966219663196641966519666196671966819669196701967119672196731967419675196761967719678196791968019681196821968319684196851968619687196881968919690196911969219693196941969519696196971969819699197001970119702197031970419705197061970719708197091971019711197121971319714197151971619717197181971919720197211972219723197241972519726197271972819729197301973119732197331973419735197361973719738197391974019741197421974319744197451974619747197481974919750197511975219753197541975519756197571975819759197601976119762197631976419765197661976719768197691977019771197721977319774197751977619777197781977919780197811978219783197841978519786197871978819789197901979119792197931979419795197961979719798197991980019801198021980319804198051980619807198081980919810198111981219813198141981519816198171981819819198201982119822198231982419825198261982719828198291983019831198321983319834198351983619837198381983919840198411984219843198441984519846198471984819849198501985119852198531985419855198561985719858198591986019861198621986319864198651986619867198681986919870198711987219873198741987519876198771987819879198801988119882198831988419885198861988719888198891989019891198921989319894198951989619897198981989919900199011990219903199041990519906199071990819909199101991119912199131991419915199161991719918199191992019921199221992319924199251992619927199281992919930199311993219933199341993519936199371993819939199401994119942199431994419945199461994719948199491995019951199521995319954199551995619957199581995919960199611996219963199641996519966199671996819969199701997119972199731997419975199761997719978199791998019981199821998319984199851998619987199881998919990199911999219993199941999519996199971999819999200002000120002200032000420005200062000720008200092001020011200122001320014200152001620017200182001920020200212002220023200242002520026200272002820029200302003120032200332003420035200362003720038200392004020041200422004320044200452004620047200482004920050200512005220053200542005520056200572005820059200602006120062200632006420065200662006720068200692007020071200722007320074200752007620077200782007920080200812008220083200842008520086200872008820089200902009120092200932009420095200962009720098200992010020101201022010320104201052010620107201082010920110201112011220113201142011520116201172011820119201202012120122201232012420125201262012720128201292013020131201322013320134201352013620137201382013920140201412014220143201442014520146201472014820149201502015120152201532015420155201562015720158201592016020161201622016320164201652016620167201682016920170201712017220173201742017520176201772017820179201802018120182201832018420185201862018720188201892019020191201922019320194201952019620197201982019920200202012020220203202042020520206202072020820209202102021120212202132021420215202162021720218202192022020221202222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212062220623206242062520626206272062820629206302063120632206332063420635206362063720638206392064020641206422064320644206452064620647206482064920650206512065220653206542065520656206572065820659206602066120662206632066420665206662066720668206692067020671206722067320674206752067620677206782067920680206812068220683206842068520686206872068820689206902069120692206932069420695206962069720698206992070020701207022070320704207052070620707207082070920710207112071220713207142071520716207172071820719207202072120722207232072420725207262072720728207292073020731207322073320734207352073620737207382073920740207412074220743207442074520746207472074820749207502075120752207532075420755207562075720758207592076020761207622076320764207652076620767207682076920770207712077220773207742077520776207772077820779207802078120782207832078420785207862078720788207892079020791207922079320794207952079620797207982079920800208012080220803208042080520806208072080820809208102081120812208132081420815208162081720818208192082020821208222082320824208252082620827208282082920830208312083220833208342083520836208372083820839208402084120842208432084420845208462084720848208492085020851208522085320854208552085620857208582085920860208612086220863208642086520866208672086820869208702087120872208732087420875208762087720878208792088020881208822088320884208852088620887208882088920890208912089220893208942089520896208972089820899209002090120902209032090420905209062090720908209092091020911209122091320914209152091620917209182091920920209212092220923209242092520926209272092820929209302093120932209332093420935209362093720938209392094020941209422094320944209452094620947209482094920950209512095220953209542095520956209572095820959209602096120962209632096420965209662096720968209692097020971209722097320974209752097620977209782097920980209812098220983209842098520986209872098820989209902099120992209932099420995209962099720998209992100021001210022100321004210052100621007210082100921010210112101221013210142101521016210172101821019210202102121022210232102421025210262102721028210292103021031210322103321034210352103621037210382103921040210412104221043210442104521046210472104821049210502105121052210532105421055210562105721058210592106021061210622106321064210652106621067210682106921070210712107221073210742107521076210772107821079210802108121082210832108421085210862108721088210892109021091210922109321094210952109621097210982109921100211012110221103211042110521106211072110821109211102111121112211132111421115211162111721118211192112021121211222112321124211252112621127211282112921130211312113221133211342113521136211372113821139211402114121142211432114421145211462114721148211492115021151211522115321154211552115621157211582115921160211612116221163211642116521166211672116821169211702117121172211732117421175211762117721178211792118021181211822118321184211852118621187211882118921190211912119221193211942119521196211972119821199212002120121202212032120421205212062120721208212092121021211212122121321214212152121621217212182121921220212212122221223212242122521226212272122821229212302123121232212332123421235212362123721238212392124021241212422124321244212452124621247212482124921250212512125221253212542125521256212572125821259212602126121262212632126421265212662126721268212692127021271212722127321274212752127621277212782127921280212812128221283212842128521286212872128821289212902129121292212932129421295212962129721298212992130021301213022130321304213052130621307213082130921310213112131221313213142131521316213172131821319213202132121322213232132421325213262132721328213292133021331213322133321334213352133621337213382133921340213412134221343213442134521346213472134821349213502135121352213532135421355213562135721358213592136021361213622136321364213652136621367213682136921370213712137221373213742137521376213772137821379213802138121382213832138421385213862138721388213892139021391213922139321394213952139621397213982139921400214012140221403214042140521406214072140821409214102141121412214132141421415214162141721418214192142021421214222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212182221823218242182521826218272182821829218302183121832218332183421835218362183721838218392184021841218422184321844218452184621847218482184921850218512185221853218542185521856218572185821859218602186121862218632186421865218662186721868218692187021871218722187321874218752187621877218782187921880218812188221883218842188521886218872188821889218902189121892218932189421895218962189721898218992190021901219022190321904219052190621907219082190921910219112191221913219142191521916219172191821919219202192121922219232192421925219262192721928219292193021931219322193321934219352193621937219382193921940219412194221943219442194521946219472194821949219502195121952219532195421955219562195721958219592196021961219622196321964219652196621967219682196921970219712197221973219742197521976219772197821979219802198121982219832198421985219862198721988219892199021991219922199321994219952199621997219982199922000220012200222003220042200522006220072200822009220102201122012220132201422015220162201722018220192202022021220222202322024220252202622027220282202922030220312203222033220342203522036220372203822039220402204122042220432204422045220462204722048220492205022051220522205322054220552205622057220582205922060220612206222063220642206522066220672206822069220702207122072220732207422075220762207722078220792208022081220822208322084220852208622087220882208922090220912209222093220942209522096220972209822099221002210122102221032210422105221062210722108221092211022111221122211322114221152211622117221182211922120221212212222123221242212522126221272212822129221302213122132221332213422135221362213722138221392214022141221422214322144221452214622147221482214922150221512215222153221542215522156221572215822159221602216122162221632216422165221662216722168221692217022171221722217322174221752217622177221782217922180221812218222183221842218522186221872218822189221902219122192221932219422195221962219722198221992220022201222022220322204222052220622207222082220922210222112221222213222142221522216222172221822219222202222122222222232222422225222262222722228222292223022231222322223322234222352223622237222382223922240222412224222243222442224522246222472224822249222502225122252222532225422255222562225722258222592226022261222622226322264222652226622267222682226922270222712227222273222742227522276222772227822279222802228122282222832228422285222862228722288222892229022291222922229322294222952229622297222982229922300223012230222303223042230522306223072230822309223102231122312223132231422315223162231722318223192232022321223222232322324223252232622327223282232922330223312233222333223342233522336223372233822339223402234122342223432234422345223462234722348223492235022351223522235322354223552235622357223582235922360223612236222363223642236522366223672236822369223702237122372223732237422375223762237722378223792238022381223822238322384223852238622387223882238922390223912239222393223942239522396223972239822399224002240122402224032240422405224062240722408224092241022411224122241322414224152241622417224182241922420224212242222423224242242522426224272242822429224302243122432224332243422435224362243722438224392244022441224422244322444224452244622447224482244922450224512245222453224542245522456224572245822459224602246122462224632246422465224662246722468224692247022471224722247322474224752247622477224782247922480224812248222483224842248522486224872248822489224902249122492224932249422495224962249722498224992250022501225022250322504225052250622507225082250922510225112251222513225142251522516225172251822519225202252122522225232252422525225262252722528225292253022531225322253322534225352253622537225382253922540225412254222543225442254522546225472254822549225502255122552225532255422555225562255722558225592256022561225622256322564225652256622567225682256922570225712257222573225742257522576225772257822579225802258122582225832258422585225862258722588225892259022591225922259322594225952259622597225982259922600226012260222603226042260522606226072260822609226102261122612226132261422615226162261722618226192262022621226222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212302223023230242302523026230272302823029230302303123032230332303423035230362303723038230392304023041230422304323044230452304623047230482304923050230512305223053230542305523056230572305823059230602306123062230632306423065230662306723068230692307023071230722307323074230752307623077230782307923080230812308223083230842308523086230872308823089230902309123092230932309423095230962309723098230992310023101231022310323104231052310623107231082310923110231112311223113231142311523116231172311823119231202312123122231232312423125231262312723128231292313023131231322313323134231352313623137231382313923140231412314223143231442314523146231472314823149231502315123152231532315423155231562315723158231592316023161231622316323164231652316623167231682316923170231712317223173231742317523176231772317823179231802318123182231832318423185231862318723188231892319023191231922319323194231952319623197231982319923200232012320223203232042320523206232072320823209232102321123212232132321423215232162321723218232192322023221232222322323224232252322623227232282322923230232312323223233232342323523236232372323823239232402324123242232432324423245232462324723248232492325023251232522325323254232552325623257232582325923260232612326223263232642326523266232672326823269232702327123272232732327423275232762327723278232792328023281232822328323284232852328623287232882328923290232912329223293232942329523296232972329823299233002330123302233032330423305233062330723308233092331023311233122331323314233152331623317233182331923320233212332223323233242332523326233272332823329233302333123332233332333423335233362333723338233392334023341233422334323344233452334623347233482334923350233512335223353233542335523356233572335823359233602336123362233632336423365233662336723368233692337023371233722337323374233752337623377233782337923380233812338223383233842338523386233872338823389233902339123392233932339423395233962339723398233992340023401234022340323404234052340623407234082340923410234112341223413234142341523416234172341823419234202342123422234232342423425234262342723428234292343023431234322343323434234352343623437234382343923440234412344223443234442344523446234472344823449234502345123452234532345423455234562345723458234592346023461234622346323464234652346623467234682346923470234712347223473234742347523476234772347823479234802348123482234832348423485234862348723488234892349023491234922349323494234952349623497234982349923500235012350223503235042350523506235072350823509235102351123512235132351423515235162351723518235192352023521235222352323524235252352623527235282352923530235312353223533235342353523536235372353823539235402354123542235432354423545235462354723548235492355023551235522355323554235552355623557235582355923560235612356223563235642356523566235672356823569235702357123572235732357423575235762357723578235792358023581235822358323584235852358623587235882358923590235912359223593235942359523596235972359823599236002360123602236032360423605236062360723608236092361023611236122361323614236152361623617236182361923620236212362223623236242362523626236272362823629236302363123632236332363423635236362363723638236392364023641236422364323644236452364623647236482364923650236512365223653236542365523656236572365823659236602366123662236632366423665236662366723668236692367023671236722367323674236752367623677236782367923680236812368223683236842368523686236872368823689236902369123692236932369423695236962369723698236992370023701237022370323704237052370623707237082370923710237112371223713237142371523716237172371823719237202372123722237232372423725237262372723728237292373023731237322373323734237352373623737237382373923740237412374223743237442374523746237472374823749237502375123752237532375423755237562375723758237592376023761237622376323764237652376623767237682376923770237712377223773237742377523776237772377823779237802378123782237832378423785237862378723788237892379023791237922379323794237952379623797237982379923800238012380223803238042380523806238072380823809238102381123812238132381423815238162381723818238192382023821238222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212422224223242242422524226242272422824229242302423124232242332423424235242362423724238242392424024241242422424324244242452424624247242482424924250242512425224253242542425524256242572425824259242602426124262242632426424265242662426724268242692427024271242722427324274242752427624277242782427924280242812428224283242842428524286242872428824289242902429124292242932429424295242962429724298242992430024301243022430324304243052430624307243082430924310243112431224313243142431524316243172431824319243202432124322243232432424325243262432724328243292433024331243322433324334243352433624337243382433924340243412434224343243442434524346243472434824349243502435124352243532435424355243562435724358243592436024361243622436324364243652436624367243682436924370243712437224373243742437524376243772437824379243802438124382243832438424385243862438724388243892439024391243922439324394243952439624397243982439924400244012440224403244042440524406244072440824409244102441124412244132441424415244162441724418244192442024421244222442324424244252442624427244282442924430244312443224433244342443524436244372443824439244402444124442244432444424445244462444724448244492445024451244522445324454244552445624457244582445924460244612446224463244642446524466244672446824469244702447124472244732447424475244762447724478244792448024481244822448324484244852448624487244882448924490244912449224493244942449524496244972449824499245002450124502245032450424505245062450724508245092451024511245122451324514245152451624517245182451924520245212452224523245242452524526245272452824529245302453124532245332453424535245362453724538245392454024541245422454324544245452454624547245482454924550245512455224553245542455524556245572455824559245602456124562245632456424565245662456724568245692457024571245722457324574245752457624577245782457924580245812458224583245842458524586245872458824589245902459124592245932459424595245962459724598245992460024601246022460324604246052460624607246082460924610246112461224613246142461524616246172461824619246202462124622246232462424625246262462724628246292463024631246322463324634246352463624637246382463924640246412464224643246442464524646246472464824649246502465124652246532465424655246562465724658246592466024661246622466324664246652466624667246682466924670246712467224673246742467524676246772467824679246802468124682246832468424685246862468724688246892469024691246922469324694246952469624697246982469924700247012470224703247042470524706247072470824709247102471124712247132471424715247162471724718247192472024721247222472324724247252472624727247282472924730247312473224733247342473524736247372473824739247402474124742247432474424745247462474724748247492475024751247522475324754247552475624757247582475924760247612476224763247642476524766247672476824769247702477124772247732477424775247762477724778247792478024781247822478324784247852478624787247882478924790247912479224793247942479524796247972479824799248002480124802248032480424805248062480724808248092481024811248122481324814248152481624817248182481924820248212482224823248242482524826248272482824829248302483124832248332483424835248362483724838248392484024841248422484324844248452484624847248482484924850248512485224853248542485524856248572485824859248602486124862248632486424865248662486724868248692487024871248722487324874248752487624877248782487924880248812488224883248842488524886248872488824889248902489124892248932489424895248962489724898248992490024901249022490324904249052490624907249082490924910249112491224913249142491524916249172491824919249202492124922249232492424925249262492724928249292493024931249322493324934249352493624937249382493924940249412494224943249442494524946249472494824949249502495124952249532495424955249562495724958249592496024961249622496324964249652496624967249682496924970249712497224973249742497524976249772497824979249802498124982249832498424985249862498724988249892499024991249922499324994249952499624997249982499925000250012500225003250042500525006250072500825009250102501125012250132501425015250162501725018250192502025021250222502325024250252502625027250282502925030250312503225033250342503525036250372503825039250402504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060250612506225063250642506525066250672506825069250702507125072250732507425075250762507725078250792508025081250822508325084250852508625087250882508925090250912509225093250942509525096250972509825099251002510125102251032510425105251062510725108251092511025111251122511325114251152511625117251182511925120251212512225123251242512525126251272512825129251302513125132251332513425135251362513725138251392514025141251422514325144251452514625147251482514925150251512515225153251542515525156251572515825159251602516125162251632516425165251662516725168251692517025171251722517325174251752517625177251782517925180251812518225183251842518525186251872518825189251902519125192251932519425195251962519725198251992520025201252022520325204252052520625207252082520925210252112521225213252142521525216252172521825219252202522125222252232522425225252262522725228252292523025231252322523325234252352523625237252382523925240252412524225243252442524525246252472524825249252502525125252252532525425255252562525725258252592526025261252622526325264252652526625267252682526925270252712527225273252742527525276252772527825279252802528125282252832528425285252862528725288252892529025291252922529325294252952529625297252982529925300253012530225303253042530525306253072530825309253102531125312253132531425315253162531725318253192532025321253222532325324253252532625327253282532925330253312533225333253342533525336253372533825339253402534125342253432534425345253462534725348253492535025351253522535325354253552535625357253582535925360253612536225363253642536525366253672536825369253702537125372253732537425375253762537725378253792538025381253822538325384253852538625387253882538925390253912539225393253942539525396253972539825399254002540125402254032540425405254062540725408254092541025411254122541325414254152541625417254182541925420254212542225423254242542525426254272542825429254302543125432254332543425435254362543725438254392544025441254422544325444254452544625447254482544925450254512545225453254542545525456254572545825459254602546125462254632546425465254662546725468254692547025471254722547325474254752547625477254782547925480254812548225483254842548525486254872548825489254902549125492254932549425495254962549725498254992550025501255022550325504255052550625507255082550925510255112551225513255142551525516255172551825519255202552125522255232552425525255262552725528255292553025531255322553325534255352553625537255382553925540255412554225543255442554525546255472554825549255502555125552255532555425555255562555725558255592556025561255622556325564255652556625567255682556925570255712557225573255742557525576255772557825579255802558125582255832558425585255862558725588255892559025591255922559325594255952559625597255982559925600256012560225603256042560525606256072560825609256102561125612256132561425615256162561725618256192562025621256222562325624256252562625627256282562925630256312563225633256342563525636256372563825639256402564125642256432564425645256462564725648256492565025651256522565325654256552565625657256582565925660256612566225663256642566525666256672566825669256702567125672256732567425675256762567725678256792568025681256822568325684256852568625687256882568925690256912569225693256942569525696256972569825699257002570125702257032570425705257062570725708257092571025711257122571325714257152571625717257182571925720257212572225723257242572525726257272572825729257302573125732257332573425735257362573725738257392574025741257422574325744257452574625747257482574925750257512575225753257542575525756257572575825759257602576125762257632576425765257662576725768257692577025771257722577325774257752577625777257782577925780257812578225783257842578525786257872578825789257902579125792257932579425795257962579725798257992580025801258022580325804258052580625807258082580925810258112581225813258142581525816258172581825819258202582125822258232582425825258262582725828258292583025831258322583325834258352583625837258382583925840258412584225843258442584525846258472584825849258502585125852258532585425855258562585725858258592586025861258622586325864258652586625867258682586925870258712587225873258742587525876258772587825879258802588125882258832588425885258862588725888258892589025891258922589325894258952589625897258982589925900259012590225903259042590525906259072590825909259102591125912259132591425915259162591725918259192592025921259222592325924259252592625927259282592925930259312593225933259342593525936259372593825939259402594125942259432594425945259462594725948259492595025951259522595325954259552595625957259582595925960259612596225963259642596525966259672596825969259702597125972259732597425975259762597725978259792598025981259822598325984259852598625987259882598925990259912599225993259942599525996259972599825999260002600126002260032600426005260062600726008260092601026011260122601326014260152601626017260182601926020260212602226023260242602526026260272602826029260302603126032260332603426035260362603726038260392604026041260422604326044260452604626047260482604926050260512605226053260542605526056260572605826059260602606126062260632606426065260662606726068260692607026071260722607326074260752607626077260782607926080260812608226083260842608526086260872608826089260902609126092260932609426095260962609726098260992610026101261022610326104261052610626107261082610926110261112611226113261142611526116261172611826119261202612126122261232612426125261262612726128261292613026131261322613326134261352613626137261382613926140261412614226143261442614526146261472614826149261502615126152261532615426155261562615726158261592616026161261622616326164261652616626167261682616926170261712617226173261742617526176261772617826179261802618126182261832618426185261862618726188261892619026191261922619326194261952619626197261982619926200262012620226203262042620526206262072620826209262102621126212262132621426215262162621726218262192622026221262222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572265732657426575265762657726578265792658026581265822658326584265852658626587265882658926590265912659226593265942659526596265972659826599266002660126602266032660426605266062660726608266092661026611266122661326614266152661626617266182661926620266212662226623266242662526626266272662826629266302663126632266332663426635266362663726638266392664026641266422664326644266452664626647266482664926650266512665226653266542665526656266572665826659266602666126662266632666426665266662666726668266692667026671266722667326674266752667626677266782667926680266812668226683266842668526686266872668826689266902669126692266932669426695266962669726698266992670026701267022670326704267052670626707267082670926710267112671226713267142671526716267172671826719267202672126722267232672426725267262672726728267292673026731267322673326734267352673626737267382673926740267412674226743267442674526746267472674826749267502675126752267532675426755267562675726758267592676026761267622676326764267652676626767267682676926770267712677226773267742677526776267772677826779267802678126782267832678426785267862678726788267892679026791267922679326794267952679626797267982679926800268012680226803268042680526806268072680826809268102681126812268132681426815268162681726818268192682026821268222682326824268252682626827268282682926830268312683226833268342683526836268372683826839268402684126842268432684426845268462684726848268492685026851268522685326854268552685626857268582685926860268612686226863268642686526866268672686826869268702687126872268732687426875268762687726878268792688026881268822688326884268852688626887268882688926890268912689226893268942689526896268972689826899269002690126902269032690426905269062690726908269092691026911269122691326914269152691626917269182691926920269212692226923269242692526926269272692826929269302693126932269332693426935269362693726938269392694026941269422694326944269452694626947269482694926950269512695226953269542695526956269572695826959269602696126962269632696426965269662696726968269692697026971269722697326974269752697626977269782697926980269812698226983269842698526986269872698826989269902699126992269932699426995269962699726998269992700027001270022700327004270052700627007270082700927010270112701227013270142701527016270172701827019270202702127022270232702427025270262702727028270292703027031270322703327034270352703627037270382703927040270412704227043270442704527046270472704827049270502705127052270532705427055270562705727058270592706027061270622706327064270652706627067270682706927070270712707227073270742707527076270772707827079270802708127082270832708427085270862708727088270892709027091270922709327094270952709627097270982709927100271012710227103271042710527106271072710827109271102711127112271132711427115271162711727118271192712027121271222712327124271252712627127271282712927130271312713227133271342713527136271372713827139271402714127142271432714427145271462714727148271492715027151271522715327154271552715627157271582715927160271612716227163271642716527166271672716827169271702717127172271732717427175271762717727178271792718027181271822718327184271852718627187271882718927190271912719227193271942719527196271972719827199272002720127202272032720427205272062720727208272092721027211272122721327214272152721627217272182721927220272212722227223272242722527226272272722827229272302723127232272332723427235272362723727238272392724027241272422724327244272452724627247272482724927250272512725227253272542725527256272572725827259272602726127262272632726427265272662726727268272692727027271272722727327274272752727627277272782727927280272812728227283272842728527286272872728827289272902729127292272932729427295272962729727298272992730027301273022730327304273052730627307273082730927310273112731227313273142731527316273172731827319273202732127322273232732427325273262732727328273292733027331273322733327334273352733627337273382733927340273412734227343273442734527346273472734827349273502735127352273532735427355273562735727358273592736027361273622736327364273652736627367273682736927370273712737227373273742737527376273772737827379273802738127382273832738427385273862738727388273892739027391273922739327394273952739627397273982739927400274012740227403274042740527406274072740827409274102741127412274132741427415274162741727418274192742027421274222742327424274252742627427274282742927430274312743227433274342743527436274372743827439274402744127442274432744427445274462744727448274492745027451274522745327454274552745627457274582745927460274612746227463274642746527466274672746827469274702747127472274732747427475274762747727478274792748027481274822748327484274852748627487274882748927490274912749227493274942749527496274972749827499275002750127502275032750427505275062750727508275092751027511275122751327514275152751627517275182751927520275212752227523275242752527526275272752827529275302753127532275332753427535275362753727538275392754027541275422754327544275452754627547275482754927550275512755227553275542755527556275572755827559275602756127562275632756427565275662756727568275692757027571275722757327574275752757627577275782757927580275812758227583275842758527586275872758827589275902759127592275932759427595275962759727598275992760027601276022760327604276052760627607276082760927610276112761227613276142761527616276172761827619276202762127622276232762427625276262762727628276292763027631276322763327634276352763627637276382763927640276412764227643276442764527646276472764827649276502765127652276532765427655276562765727658276592766027661276622766327664276652766627667276682766927670276712767227673276742767527676276772767827679276802768127682276832768427685276862768727688276892769027691276922769327694276952769627697276982769927700277012770227703277042770527706277072770827709277102771127712277132771427715277162771727718277192772027721277222772327724277252772627727277282772927730277312773227733277342773527736277372773827739277402774127742277432774427745277462774727748277492775027751277522775327754277552775627757277582775927760277612776227763277642776527766277672776827769277702777127772277732777427775277762777727778277792778027781277822778327784277852778627787277882778927790277912779227793277942779527796277972779827799278002780127802278032780427805278062780727808278092781027811278122781327814278152781627817278182781927820278212782227823278242782527826278272782827829278302783127832278332783427835278362783727838278392784027841278422784327844278452784627847278482784927850278512785227853278542785527856278572785827859278602786127862278632786427865278662786727868278692787027871278722787327874278752787627877278782787927880278812788227883278842788527886278872788827889278902789127892278932789427895278962789727898278992790027901279022790327904279052790627907279082790927910279112791227913279142791527916279172791827919279202792127922279232792427925279262792727928279292793027931279322793327934279352793627937279382793927940279412794227943279442794527946279472794827949279502795127952279532795427955279562795727958279592796027961279622796327964279652796627967279682796927970279712797227973279742797527976279772797827979279802798127982279832798427985279862798727988279892799027991279922799327994279952799627997279982799928000280012800228003280042800528006280072800828009280102801128012280132801428015280162801728018280192802028021280222802328024280252802628027280282802928030280312803228033280342803528036280372803828039280402804128042280432804428045280462804728048280492805028051280522805328054280552805628057280582805928060280612806228063280642806528066280672806828069280702807128072280732807428075280762807728078280792808028081280822808328084280852808628087280882808928090280912809228093280942809528096280972809828099281002810128102281032810428105281062810728108281092811028111281122811328114281152811628117281182811928120281212812228123281242812528126281272812828129281302813128132281332813428135281362813728138281392814028141281422814328144281452814628147281482814928150281512815228153281542815528156281572815828159281602816128162281632816428165281662816728168281692817028171281722817328174281752817628177281782817928180281812818228183281842818528186281872818828189281902819128192281932819428195281962819728198281992820028201282022820328204282052820628207282082820928210282112821228213282142821528216282172821828219282202822128222282232822428225282262822728228282292823028231282322823328234282352823628237282382823928240282412824228243282442824528246282472824828249282502825128252282532825428255282562825728258282592826028261282622826328264282652826628267282682826928270282712827228273282742827528276282772827828279282802828128282282832828428285282862828728288282892829028291282922829328294282952829628297282982829928300283012830228303283042830528306283072830828309283102831128312283132831428315283162831728318283192832028321283222832328324283252832628327283282832928330283312833228333283342833528336283372833828339283402834128342283432834428345283462834728348283492835028351283522835328354283552835628357283582835928360283612836228363283642836528366283672836828369283702837128372283732837428375283762837728378283792838028381283822838328384283852838628387283882838928390283912839228393283942839528396283972839828399284002840128402284032840428405284062840728408284092841028411284122841328414284152841628417284182841928420284212842228423284242842528426284272842828429284302843128432284332843428435284362843728438284392844028441284422844328444284452844628447284482844928450284512845228453284542845528456284572845828459284602846128462284632846428465284662846728468284692847028471284722847328474284752847628477284782847928480284812848228483284842848528486284872848828489284902849128492284932849428495284962849728498284992850028501285022850328504285052850628507285082850928510285112851228513285142851528516285172851828519285202852128522285232852428525285262852728528285292853028531285322853328534285352853628537285382853928540285412854228543285442854528546285472854828549285502855128552285532855428555285562855728558285592856028561285622856328564285652856628567285682856928570285712857228573285742857528576285772857828579285802858128582285832858428585285862858728588285892859028591285922859328594285952859628597285982859928600286012860228603286042860528606286072860828609286102861128612286132861428615286162861728618286192862028621286222862328624286252862628627286282862928630286312863228633286342863528636286372863828639286402864128642286432864428645286462864728648286492865028651286522865328654286552865628657286582865928660286612866228663286642866528666286672866828669286702867128672286732867428675286762867728678286792868028681286822868328684286852868628687286882868928690286912869228693286942869528696286972869828699287002870128702287032870428705287062870728708287092871028711287122871328714287152871628717287182871928720287212872228723287242872528726287272872828729287302873128732287332873428735287362873728738287392874028741287422874328744287452874628747287482874928750287512875228753287542875528756287572875828759287602876128762287632876428765287662876728768287692877028771287722877328774287752877628777287782877928780287812878228783287842878528786287872878828789287902879128792287932879428795287962879728798287992880028801288022880328804288052880628807288082880928810288112881228813288142881528816288172881828819288202882128822288232882428825288262882728828288292883028831288322883328834288352883628837288382883928840288412884228843288442884528846288472884828849288502885128852288532885428855288562885728858288592886028861288622886328864288652886628867288682886928870288712887228873288742887528876288772887828879288802888128882288832888428885288862888728888288892889028891288922889328894288952889628897288982889928900289012890228903289042890528906289072890828909289102891128912289132891428915289162891728918289192892028921289222892328924289252892628927289282892928930289312893228933289342893528936289372893828939289402894128942289432894428945289462894728948289492895028951289522895328954289552895628957289582895928960289612896228963289642896528966289672896828969289702897128972289732897428975289762897728978289792898028981289822898328984289852898628987289882898928990289912899228993289942899528996289972899828999290002900129002290032900429005290062900729008290092901029011290122901329014290152901629017290182901929020290212902229023290242902529026290272902829029290302903129032290332903429035290362903729038290392904029041290422904329044290452904629047290482904929050290512905229053290542905529056290572905829059290602906129062290632906429065290662906729068290692907029071290722907329074290752907629077290782907929080290812908229083290842908529086290872908829089290902909129092290932909429095290962909729098290992910029101291022910329104291052910629107291082910929110291112911229113291142911529116291172911829119291202912129122291232912429125291262912729128291292913029131291322913329134291352913629137291382913929140291412914229143291442914529146291472914829149291502915129152291532915429155291562915729158291592916029161291622916329164291652916629167291682916929170291712917229173291742917529176291772917829179291802918129182291832918429185291862918729188291892919029191291922919329194291952919629197291982919929200292012920229203292042920529206292072920829209292102921129212292132921429215292162921729218292192922029221292222922329224292252922629227292282922929230292312923229233292342923529236292372923829239292402924129242292432924429245292462924729248292492925029251292522925329254292552925629257292582925929260292612926229263292642926529266292672926829269292702927129272292732927429275292762927729278292792928029281292822928329284292852928629287292882928929290292912929229293292942929529296292972929829299293002930129302293032930429305293062930729308293092931029311293122931329314293152931629317293182931929320293212932229323293242932529326293272932829329293302933129332293332933429335293362933729338293392934029341293422934329344293452934629347293482934929350293512935229353293542935529356293572935829359293602936129362293632936429365293662936729368293692937029371293722937329374293752937629377293782937929380293812938229383293842938529386293872938829389293902939129392293932939429395293962939729398293992940029401294022940329404294052940629407294082940929410294112941229413294142941529416294172941829419294202942129422294232942429425294262942729428294292943029431294322943329434294352943629437294382943929440294412944229443294442944529446294472944829449294502945129452294532945429455294562945729458294592946029461294622946329464294652946629467294682946929470294712947229473294742947529476294772947829479294802948129482294832948429485294862948729488294892949029491294922949329494294952949629497294982949929500295012950229503295042950529506295072950829509295102951129512295132951429515295162951729518295192952029521295222952329524295252952629527295282952929530295312953229533295342953529536295372953829539295402954129542295432954429545295462954729548295492955029551295522955329554295552955629557295582955929560295612956229563295642956529566295672956829569295702957129572295732957429575295762957729578295792958029581295822958329584295852958629587295882958929590295912959229593295942959529596295972959829599296002960129602296032960429605296062960729608296092961029611296122961329614296152961629617296182961929620296212962229623296242962529626296272962829629296302963129632296332963429635296362963729638296392964029641296422964329644296452964629647296482964929650296512965229653296542965529656296572965829659296602966129662296632966429665296662966729668296692967029671296722967329674296752967629677296782967929680296812968229683296842968529686296872968829689296902969129692296932969429695296962969729698296992970029701297022970329704297052970629707297082970929710297112971229713297142971529716297172971829719297202972129722297232972429725297262972729728297292973029731297322973329734297352973629737297382973929740297412974229743297442974529746297472974829749297502975129752297532975429755297562975729758297592976029761297622976329764297652976629767297682976929770297712977229773297742977529776297772977829779297802978129782297832978429785297862978729788297892979029791297922979329794297952979629797297982979929800298012980229803298042980529806298072980829809298102981129812298132981429815298162981729818298192982029821298222982329824298252982629827298282982929830298312983229833298342983529836298372983829839298402984129842298432984429845298462984729848298492985029851298522985329854298552985629857298582985929860298612986229863298642986529866298672986829869298702987129872298732987429875298762987729878298792988029881298822988329884298852988629887298882988929890298912989229893298942989529896298972989829899299002990129902299032990429905299062990729908299092991029911299122991329914299152991629917299182991929920299212992229923299242992529926299272992829929299302993129932299332993429935299362993729938299392994029941299422994329944299452994629947299482994929950299512995229953299542995529956299572995829959299602996129962299632996429965299662996729968299692997029971299722997329974299752997629977299782997929980299812998229983299842998529986299872998829989299902999129992299932999429995299962999729998299993000030001300023000330004300053000630007300083000930010300113001230013300143001530016300173001830019300203002130022300233002430025300263002730028300293003030031300323003330034300353003630037300383003930040300413004230043300443004530046300473004830049300503005130052300533005430055300563005730058300593006030061300623006330064300653006630067300683006930070300713007230073300743007530076300773007830079300803008130082300833008430085300863008730088300893009030091300923009330094300953009630097300983009930100301013010230103301043010530106301073010830109301103011130112301133011430115301163011730118301193012030121301223012330124301253012630127301283012930130301313013230133301343013530136301373013830139301403014130142301433014430145301463014730148301493015030151301523015330154301553015630157301583015930160301613016230163301643016530166301673016830169301703017130172301733017430175301763017730178301793018030181301823018330184301853018630187301883018930190301913019230193301943019530196301973019830199302003020130202302033020430205302063020730208302093021030211302123021330214302153021630217302183021930220302213022230223302243022530226302273022830229302303023130232302333023430235302363023730238302393024030241302423024330244302453024630247302483024930250302513025230253302543025530256302573025830259302603026130262302633026430265302663026730268302693027030271302723027330274302753027630277302783027930280302813028230283302843028530286302873028830289302903029130292302933029430295302963029730298302993030030301303023030330304303053030630307303083030930310303113031230313303143031530316303173031830319303203032130322303233032430325303263032730328303293033030331303323033330334303353033630337303383033930340303413034230343303443034530346303473034830349303503035130352303533035430355303563035730358303593036030361303623036330364303653036630367303683036930370303713037230373303743037530376303773037830379303803038130382303833038430385303863038730388303893039030391303923039330394303953039630397303983039930400304013040230403304043040530406304073040830409304103041130412304133041430415304163041730418304193042030421304223042330424304253042630427304283042930430304313043230433304343043530436304373043830439304403044130442304433044430445304463044730448304493045030451304523045330454304553045630457304583045930460304613046230463304643046530466304673046830469304703047130472304733047430475304763047730478304793048030481304823048330484304853048630487304883048930490304913049230493304943049530496304973049830499305003050130502305033050430505305063050730508305093051030511305123051330514305153051630517305183051930520305213052230523305243052530526305273052830529305303053130532305333053430535305363053730538305393054030541305423054330544305453054630547305483054930550305513055230553305543055530556305573055830559305603056130562305633056430565305663056730568305693057030571305723057330574305753057630577305783057930580305813058230583305843058530586305873058830589305903059130592305933059430595305963059730598305993060030601306023060330604306053060630607306083060930610306113061230613306143061530616306173061830619306203062130622306233062430625306263062730628306293063030631306323063330634306353063630637306383063930640306413064230643306443064530646306473064830649306503065130652306533065430655306563065730658306593066030661306623066330664306653066630667306683066930670306713067230673306743067530676306773067830679306803068130682306833068430685306863068730688306893069030691306923069330694306953069630697306983069930700307013070230703307043070530706307073070830709307103071130712307133071430715307163071730718307193072030721307223072330724307253072630727307283072930730307313073230733307343073530736307373073830739307403074130742307433074430745307463074730748307493075030751307523075330754307553075630757307583075930760307613076230763307643076530766307673076830769307703077130772307733077430775307763077730778307793078030781307823078330784307853078630787307883078930790307913079230793307943079530796307973079830799308003080130802308033080430805308063080730808308093081030811308123081330814308153081630817308183081930820308213082230823308243082530826308273082830829308303083130832308333083430835308363083730838308393084030841308423084330844308453084630847308483084930850308513085230853308543085530856308573085830859308603086130862308633086430865308663086730868308693087030871308723087330874308753087630877308783087930880308813088230883308843088530886308873088830889308903089130892308933089430895308963089730898308993090030901309023090330904309053090630907309083090930910309113091230913309143091530916309173091830919309203092130922309233092430925309263092730928309293093030931309323093330934309353093630937309383093930940309413094230943309443094530946309473094830949309503095130952309533095430955309563095730958309593096030961309623096330964309653096630967309683096930970309713097230973309743097530976309773097830979309803098130982309833098430985309863098730988309893099030991309923099330994309953099630997309983099931000310013100231003310043100531006310073100831009310103101131012310133101431015310163101731018310193102031021310223102331024310253102631027310283102931030310313103231033310343103531036310373103831039310403104131042310433104431045310463104731048310493105031051310523105331054310553105631057310583105931060310613106231063310643106531066310673106831069310703107131072310733107431075310763107731078310793108031081310823108331084310853108631087310883108931090310913109231093310943109531096310973109831099311003110131102311033110431105311063110731108311093111031111311123111331114311153111631117311183111931120311213112231123311243112531126311273112831129311303113131132311333113431135311363113731138311393114031141311423114331144311453114631147311483114931150311513115231153311543115531156311573115831159311603116131162311633116431165311663116731168311693117031171311723117331174311753117631177311783117931180311813118231183311843118531186311873118831189311903119131192311933119431195311963119731198311993120031201312023120331204312053120631207312083120931210312113121231213312143121531216312173121831219312203122131222312233122431225312263122731228312293123031231312323123331234312353123631237312383123931240312413124231243312443124531246312473124831249312503125131252312533125431255312563125731258312593126031261312623126331264312653126631267312683126931270312713127231273312743127531276312773127831279312803128131282312833128431285312863128731288312893129031291312923129331294312953129631297312983129931300313013130231303313043130531306313073130831309313103131131312313133131431315313163131731318313193132031321313223132331324313253132631327313283132931330313313133231333313343133531336313373133831339313403134131342313433134431345313463134731348313493135031351313523135331354313553135631357313583135931360313613136231363313643136531366313673136831369313703137131372313733137431375313763137731378313793138031381313823138331384313853138631387313883138931390313913139231393313943139531396313973139831399314003140131402314033140431405314063140731408314093141031411314123141331414314153141631417314183141931420314213142231423314243142531426314273142831429314303143131432314333143431435314363143731438314393144031441314423144331444314453144631447314483144931450314513145231453314543145531456314573145831459314603146131462314633146431465314663146731468314693147031471314723147331474314753147631477314783147931480314813148231483314843148531486314873148831489314903149131492314933149431495314963149731498314993150031501315023150331504315053150631507315083150931510315113151231513315143151531516315173151831519315203152131522315233152431525315263152731528315293153031531315323153331534315353153631537315383153931540315413154231543315443154531546315473154831549315503155131552315533155431555315563155731558315593156031561315623156331564315653156631567315683156931570315713157231573315743157531576315773157831579315803158131582315833158431585315863158731588315893159031591315923159331594315953159631597315983159931600316013160231603316043160531606316073160831609316103161131612316133161431615316163161731618316193162031621316223162331624316253162631627316283162931630316313163231633316343163531636316373163831639316403164131642316433164431645316463164731648316493165031651316523165331654316553165631657316583165931660316613166231663316643166531666316673166831669316703167131672316733167431675316763167731678316793168031681316823168331684316853168631687316883168931690316913169231693316943169531696316973169831699317003170131702317033170431705317063170731708317093171031711317123171331714317153171631717317183171931720317213172231723317243172531726317273172831729317303173131732317333173431735317363173731738317393174031741317423174331744317453174631747317483174931750317513175231753317543175531756317573175831759317603176131762317633176431765317663176731768317693177031771317723177331774317753177631777317783177931780317813178231783317843178531786317873178831789317903179131792317933179431795317963179731798317993180031801318023180331804318053180631807318083180931810318113181231813318143181531816318173181831819318203182131822318233182431825318263182731828318293183031831318323183331834318353183631837318383183931840318413184231843318443184531846318473184831849318503185131852318533185431855318563185731858318593186031861318623186331864318653186631867318683186931870318713187231873318743187531876318773187831879318803188131882318833188431885318863188731888318893189031891318923189331894318953189631897318983189931900319013190231903319043190531906319073190831909319103191131912319133191431915319163191731918319193192031921319223192331924319253192631927319283192931930319313193231933319343193531936319373193831939319403194131942319433194431945319463194731948319493195031951319523195331954319553195631957319583195931960319613196231963319643196531966319673196831969319703197131972319733197431975319763197731978319793198031981319823198331984319853198631987319883198931990319913199231993319943199531996319973199831999320003200132002320033200432005320063200732008320093201032011320123201332014320153201632017320183201932020320213202232023320243202532026320273202832029320303203132032320333203432035320363203732038320393204032041320423204332044320453204632047320483204932050320513205232053320543205532056320573205832059320603206132062320633206432065320663206732068320693207032071320723207332074320753207632077320783207932080320813208232083320843208532086320873208832089320903209132092320933209432095320963209732098320993210032101321023210332104321053210632107321083210932110321113211232113321143211532116321173211832119321203212132122321233212432125321263212732128321293213032131321323213332134321353213632137321383213932140321413214232143321443214532146321473214832149321503215132152321533215432155321563215732158321593216032161321623216332164321653216632167321683216932170321713217232173321743217532176321773217832179321803218132182321833218432185321863218732188321893219032191321923219332194321953219632197321983219932200322013220232203322043220532206322073220832209322103221132212322133221432215322163221732218322193222032221322223222332224322253222632227322283222932230322313223232233322343223532236322373223832239322403224132242322433224432245322463224732248322493225032251322523225332254322553225632257322583225932260322613226232263322643226532266322673226832269322703227132272322733227432275322763227732278322793228032281322823228332284322853228632287322883228932290322913229232293322943229532296322973229832299323003230132302323033230432305323063230732308323093231032311323123231332314323153231632317323183231932320323213232232323323243232532326323273232832329323303233132332323333233432335323363233732338323393234032341323423234332344323453234632347323483234932350323513235232353323543235532356323573235832359323603236132362323633236432365323663236732368323693237032371323723237332374323753237632377323783237932380323813238232383323843238532386323873238832389323903239132392323933239432395323963239732398323993240032401324023240332404324053240632407324083240932410324113241232413324143241532416324173241832419324203242132422324233242432425324263242732428324293243032431324323243332434324353243632437324383243932440324413244232443324443244532446324473244832449324503245132452324533245432455324563245732458324593246032461324623246332464324653246632467324683246932470324713247232473
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  118. enum:
  119. - Ignore
  120. - Fail
  121. type: string
  122. property:
  123. description: Used to select a specific property of the Provider value (if a map), if supported
  124. type: string
  125. version:
  126. description: Used to select a specific version of the Provider value, if supported
  127. type: string
  128. required:
  129. - key
  130. type: object
  131. secretKey:
  132. description: The key in the Kubernetes Secret to store the value.
  133. maxLength: 253
  134. minLength: 1
  135. pattern: ^[-._a-zA-Z0-9]+$
  136. type: string
  137. sourceRef:
  138. description: |-
  139. SourceRef allows you to override the source
  140. from which the value will be pulled.
  141. maxProperties: 1
  142. minProperties: 1
  143. properties:
  144. generatorRef:
  145. description: |-
  146. GeneratorRef points to a generator custom resource.
  147. Deprecated: The generatorRef is not implemented in .data[].
  148. this will be removed with v1.
  149. properties:
  150. apiVersion:
  151. default: generators.external-secrets.io/v1alpha1
  152. description: Specify the apiVersion of the generator resource
  153. type: string
  154. kind:
  155. description: Specify the Kind of the generator resource
  156. enum:
  157. - ACRAccessToken
  158. - BeyondtrustWorkloadCredentialsDynamicSecret
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - QuayAccessToken
  166. - Password
  167. - SSHKey
  168. - STSSessionToken
  169. - UUID
  170. - VaultDynamicSecret
  171. - Webhook
  172. - Grafana
  173. - MFA
  174. type: string
  175. name:
  176. description: Specify the name of the generator resource
  177. maxLength: 253
  178. minLength: 1
  179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  180. type: string
  181. required:
  182. - kind
  183. - name
  184. type: object
  185. storeRef:
  186. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  187. properties:
  188. kind:
  189. description: |-
  190. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  191. Defaults to `SecretStore`
  192. enum:
  193. - SecretStore
  194. - ClusterSecretStore
  195. type: string
  196. name:
  197. description: Name of the SecretStore resource
  198. maxLength: 253
  199. minLength: 1
  200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  201. type: string
  202. type: object
  203. type: object
  204. required:
  205. - remoteRef
  206. - secretKey
  207. type: object
  208. type: array
  209. dataFrom:
  210. description: |-
  211. DataFrom is used to fetch all properties from a specific Provider data
  212. If multiple entries are specified, the Secret keys are merged in the specified order
  213. items:
  214. description: |-
  215. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  216. when using DataFrom to fetch multiple values from a Provider.
  217. properties:
  218. extract:
  219. description: |-
  220. Used to extract multiple key/value pairs from one secret
  221. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  222. properties:
  223. conversionStrategy:
  224. default: Default
  225. description: Used to define a conversion Strategy
  226. enum:
  227. - Default
  228. - Unicode
  229. type: string
  230. decodingStrategy:
  231. default: None
  232. description: Used to define a decoding Strategy
  233. enum:
  234. - Auto
  235. - Base64
  236. - Base64URL
  237. - None
  238. type: string
  239. key:
  240. description: Key is the key used in the Provider, mandatory
  241. type: string
  242. metadataPolicy:
  243. default: None
  244. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  245. enum:
  246. - None
  247. - Fetch
  248. type: string
  249. nullBytePolicy:
  250. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  251. enum:
  252. - Ignore
  253. - Fail
  254. type: string
  255. property:
  256. description: Used to select a specific property of the Provider value (if a map), if supported
  257. type: string
  258. version:
  259. description: Used to select a specific version of the Provider value, if supported
  260. type: string
  261. required:
  262. - key
  263. type: object
  264. find:
  265. description: |-
  266. Used to find secrets based on tags or regular expressions
  267. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  268. properties:
  269. conversionStrategy:
  270. default: Default
  271. description: Used to define a conversion Strategy
  272. enum:
  273. - Default
  274. - Unicode
  275. type: string
  276. decodingStrategy:
  277. default: None
  278. description: Used to define a decoding Strategy
  279. enum:
  280. - Auto
  281. - Base64
  282. - Base64URL
  283. - None
  284. type: string
  285. name:
  286. description: Finds secrets based on the name.
  287. properties:
  288. regexp:
  289. description: Finds secrets base
  290. type: string
  291. type: object
  292. nullBytePolicy:
  293. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  294. enum:
  295. - Ignore
  296. - Fail
  297. type: string
  298. path:
  299. description: A root path to start the find operations.
  300. type: string
  301. tags:
  302. additionalProperties:
  303. type: string
  304. description: Find secrets based on tags.
  305. type: object
  306. type: object
  307. rewrite:
  308. description: |-
  309. Used to rewrite secret Keys after getting them from the secret Provider
  310. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  311. items:
  312. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  313. maxProperties: 1
  314. minProperties: 1
  315. properties:
  316. merge:
  317. description: |-
  318. Used to merge key/values in one single Secret
  319. The resulting key will contain all values from the specified secrets
  320. properties:
  321. conflictPolicy:
  322. default: Error
  323. description: Used to define the policy to use in conflict resolution.
  324. enum:
  325. - Ignore
  326. - Error
  327. type: string
  328. into:
  329. default: ""
  330. description: |-
  331. Used to define the target key of the merge operation.
  332. Required if strategy is JSON. Ignored otherwise.
  333. type: string
  334. priority:
  335. description: Used to define key priority in conflict resolution.
  336. items:
  337. type: string
  338. type: array
  339. priorityPolicy:
  340. default: Strict
  341. description: Used to define the policy when a key in the priority list does not exist in the input.
  342. enum:
  343. - IgnoreNotFound
  344. - Strict
  345. type: string
  346. strategy:
  347. default: Extract
  348. description: Used to define the strategy to use in the merge operation.
  349. enum:
  350. - Extract
  351. - JSON
  352. type: string
  353. type: object
  354. regexp:
  355. description: |-
  356. Used to rewrite with regular expressions.
  357. The resulting key will be the output of a regexp.ReplaceAll operation.
  358. properties:
  359. source:
  360. description: Used to define the regular expression of a re.Compiler.
  361. type: string
  362. target:
  363. description: Used to define the target pattern of a ReplaceAll operation.
  364. type: string
  365. required:
  366. - source
  367. - target
  368. type: object
  369. transform:
  370. description: |-
  371. Used to apply string transformation on the secrets.
  372. The resulting key will be the output of the template applied by the operation.
  373. properties:
  374. template:
  375. description: |-
  376. Used to define the template to apply on the secret name.
  377. `.value ` will specify the secret name in the template.
  378. type: string
  379. required:
  380. - template
  381. type: object
  382. type: object
  383. type: array
  384. sourceRef:
  385. description: |-
  386. SourceRef points to a store or generator
  387. which contains secret values ready to use.
  388. Use this in combination with Extract or Find pull values out of
  389. a specific SecretStore.
  390. When sourceRef points to a generator Extract or Find is not supported.
  391. The generator returns a static map of values
  392. maxProperties: 1
  393. minProperties: 1
  394. properties:
  395. generatorRef:
  396. description: GeneratorRef points to a generator custom resource.
  397. properties:
  398. apiVersion:
  399. default: generators.external-secrets.io/v1alpha1
  400. description: Specify the apiVersion of the generator resource
  401. type: string
  402. kind:
  403. description: Specify the Kind of the generator resource
  404. enum:
  405. - ACRAccessToken
  406. - BeyondtrustWorkloadCredentialsDynamicSecret
  407. - ClusterGenerator
  408. - CloudsmithAccessToken
  409. - ECRAuthorizationToken
  410. - Fake
  411. - GCRAccessToken
  412. - GithubAccessToken
  413. - QuayAccessToken
  414. - Password
  415. - SSHKey
  416. - STSSessionToken
  417. - UUID
  418. - VaultDynamicSecret
  419. - Webhook
  420. - Grafana
  421. - MFA
  422. type: string
  423. name:
  424. description: Specify the name of the generator resource
  425. maxLength: 253
  426. minLength: 1
  427. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  428. type: string
  429. required:
  430. - kind
  431. - name
  432. type: object
  433. storeRef:
  434. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  435. properties:
  436. kind:
  437. description: |-
  438. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  439. Defaults to `SecretStore`
  440. enum:
  441. - SecretStore
  442. - ClusterSecretStore
  443. type: string
  444. name:
  445. description: Name of the SecretStore resource
  446. maxLength: 253
  447. minLength: 1
  448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  449. type: string
  450. type: object
  451. type: object
  452. type: object
  453. type: array
  454. refreshInterval:
  455. default: 1h0m0s
  456. description: |-
  457. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  458. specified as Golang Duration strings.
  459. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  460. Example values: "1h0m0s", "2h30m0s", "10m0s"
  461. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  462. type: string
  463. refreshPolicy:
  464. description: |-
  465. RefreshPolicy determines how the ExternalSecret should be refreshed:
  466. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  467. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  468. No periodic updates occur if refreshInterval is 0.
  469. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  470. enum:
  471. - CreatedOnce
  472. - Periodic
  473. - OnChange
  474. type: string
  475. secretStoreRef:
  476. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  477. properties:
  478. kind:
  479. description: |-
  480. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  481. Defaults to `SecretStore`
  482. enum:
  483. - SecretStore
  484. - ClusterSecretStore
  485. type: string
  486. name:
  487. description: Name of the SecretStore resource
  488. maxLength: 253
  489. minLength: 1
  490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  491. type: string
  492. type: object
  493. target:
  494. default:
  495. creationPolicy: Owner
  496. deletionPolicy: Retain
  497. description: |-
  498. ExternalSecretTarget defines the Kubernetes Secret to be created,
  499. there can be only one target per ExternalSecret.
  500. properties:
  501. creationPolicy:
  502. default: Owner
  503. description: |-
  504. CreationPolicy defines rules on how to create the resulting Secret.
  505. Defaults to "Owner"
  506. enum:
  507. - Owner
  508. - Orphan
  509. - Merge
  510. - None
  511. type: string
  512. deletionPolicy:
  513. default: Retain
  514. description: |-
  515. DeletionPolicy defines rules on how to delete the resulting Secret.
  516. Defaults to "Retain"
  517. enum:
  518. - Delete
  519. - Merge
  520. - Retain
  521. type: string
  522. immutable:
  523. description: Immutable defines if the final secret will be immutable
  524. type: boolean
  525. manifest:
  526. description: |-
  527. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  528. When specified, ExternalSecret will create the resource type defined here
  529. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  530. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  531. properties:
  532. apiVersion:
  533. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  534. minLength: 1
  535. type: string
  536. kind:
  537. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  538. minLength: 1
  539. type: string
  540. required:
  541. - apiVersion
  542. - kind
  543. type: object
  544. name:
  545. description: |-
  546. The name of the Secret resource to be managed.
  547. Defaults to the .metadata.name of the ExternalSecret resource
  548. maxLength: 253
  549. minLength: 1
  550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  551. type: string
  552. template:
  553. description: Template defines a blueprint for the created Secret resource.
  554. properties:
  555. data:
  556. additionalProperties:
  557. type: string
  558. type: object
  559. engineVersion:
  560. default: v2
  561. description: |-
  562. EngineVersion specifies the template engine version
  563. that should be used to compile/execute the
  564. template specified in .data and .templateFrom[].
  565. enum:
  566. - v2
  567. type: string
  568. mergePolicy:
  569. default: Replace
  570. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  571. enum:
  572. - Replace
  573. - Merge
  574. type: string
  575. metadata:
  576. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  577. properties:
  578. annotations:
  579. additionalProperties:
  580. type: string
  581. type: object
  582. finalizers:
  583. items:
  584. type: string
  585. type: array
  586. labels:
  587. additionalProperties:
  588. type: string
  589. type: object
  590. type: object
  591. templateFrom:
  592. items:
  593. description: |-
  594. TemplateFrom specifies a source for templates.
  595. Each item in the list can either reference a ConfigMap or a Secret resource.
  596. properties:
  597. configMap:
  598. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  599. properties:
  600. items:
  601. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  602. items:
  603. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  604. properties:
  605. key:
  606. description: A key in the ConfigMap/Secret
  607. maxLength: 253
  608. minLength: 1
  609. pattern: ^[-._a-zA-Z0-9]+$
  610. type: string
  611. templateAs:
  612. default: Values
  613. description: TemplateScope specifies how the template keys should be interpreted.
  614. enum:
  615. - Values
  616. - KeysAndValues
  617. type: string
  618. required:
  619. - key
  620. type: object
  621. type: array
  622. name:
  623. description: The name of the ConfigMap/Secret resource
  624. maxLength: 253
  625. minLength: 1
  626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  627. type: string
  628. required:
  629. - items
  630. - name
  631. type: object
  632. literal:
  633. type: string
  634. secret:
  635. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  636. properties:
  637. items:
  638. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  639. items:
  640. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  641. properties:
  642. key:
  643. description: A key in the ConfigMap/Secret
  644. maxLength: 253
  645. minLength: 1
  646. pattern: ^[-._a-zA-Z0-9]+$
  647. type: string
  648. templateAs:
  649. default: Values
  650. description: TemplateScope specifies how the template keys should be interpreted.
  651. enum:
  652. - Values
  653. - KeysAndValues
  654. type: string
  655. required:
  656. - key
  657. type: object
  658. type: array
  659. name:
  660. description: The name of the ConfigMap/Secret resource
  661. maxLength: 253
  662. minLength: 1
  663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  664. type: string
  665. required:
  666. - items
  667. - name
  668. type: object
  669. target:
  670. default: Data
  671. description: |-
  672. Target specifies where to place the template result.
  673. For Secret resources, common values are: "Data", "Annotations", "Labels".
  674. For custom resources (when spec.target.manifest is set), this supports
  675. nested paths like "spec.database.config" or "data".
  676. type: string
  677. valuesDecodingStrategy:
  678. default: None
  679. description: Used to define a decoding Strategy for the rendered template values.
  680. enum:
  681. - Auto
  682. - Base64
  683. - Base64URL
  684. - None
  685. type: string
  686. type: object
  687. type: array
  688. type:
  689. type: string
  690. type: object
  691. type: object
  692. type: object
  693. namespaceSelector:
  694. description: |-
  695. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  696. Deprecated: Use NamespaceSelectors instead.
  697. properties:
  698. matchExpressions:
  699. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  700. items:
  701. description: |-
  702. A label selector requirement is a selector that contains values, a key, and an operator that
  703. relates the key and values.
  704. properties:
  705. key:
  706. description: key is the label key that the selector applies to.
  707. type: string
  708. operator:
  709. description: |-
  710. operator represents a key's relationship to a set of values.
  711. Valid operators are In, NotIn, Exists and DoesNotExist.
  712. type: string
  713. values:
  714. description: |-
  715. values is an array of string values. If the operator is In or NotIn,
  716. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  717. the values array must be empty. This array is replaced during a strategic
  718. merge patch.
  719. items:
  720. type: string
  721. type: array
  722. x-kubernetes-list-type: atomic
  723. required:
  724. - key
  725. - operator
  726. type: object
  727. type: array
  728. x-kubernetes-list-type: atomic
  729. matchLabels:
  730. additionalProperties:
  731. type: string
  732. description: |-
  733. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  734. map is equivalent to an element of matchExpressions, whose key field is "key", the
  735. operator is "In", and the values array contains only "value". The requirements are ANDed.
  736. type: object
  737. type: object
  738. x-kubernetes-map-type: atomic
  739. namespaceSelectors:
  740. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  741. items:
  742. description: |-
  743. A label selector is a label query over a set of resources. The result of matchLabels and
  744. matchExpressions are ANDed. An empty label selector matches all objects. A null
  745. label selector matches no objects.
  746. properties:
  747. matchExpressions:
  748. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  749. items:
  750. description: |-
  751. A label selector requirement is a selector that contains values, a key, and an operator that
  752. relates the key and values.
  753. properties:
  754. key:
  755. description: key is the label key that the selector applies to.
  756. type: string
  757. operator:
  758. description: |-
  759. operator represents a key's relationship to a set of values.
  760. Valid operators are In, NotIn, Exists and DoesNotExist.
  761. type: string
  762. values:
  763. description: |-
  764. values is an array of string values. If the operator is In or NotIn,
  765. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  766. the values array must be empty. This array is replaced during a strategic
  767. merge patch.
  768. items:
  769. type: string
  770. type: array
  771. x-kubernetes-list-type: atomic
  772. required:
  773. - key
  774. - operator
  775. type: object
  776. type: array
  777. x-kubernetes-list-type: atomic
  778. matchLabels:
  779. additionalProperties:
  780. type: string
  781. description: |-
  782. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  783. map is equivalent to an element of matchExpressions, whose key field is "key", the
  784. operator is "In", and the values array contains only "value". The requirements are ANDed.
  785. type: object
  786. type: object
  787. x-kubernetes-map-type: atomic
  788. type: array
  789. namespaces:
  790. description: |-
  791. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  792. Deprecated: Use NamespaceSelectors instead.
  793. items:
  794. maxLength: 63
  795. minLength: 1
  796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  797. type: string
  798. type: array
  799. refreshTime:
  800. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  801. type: string
  802. required:
  803. - externalSecretSpec
  804. type: object
  805. status:
  806. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  807. properties:
  808. conditions:
  809. items:
  810. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  811. properties:
  812. message:
  813. type: string
  814. status:
  815. type: string
  816. type:
  817. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  818. type: string
  819. required:
  820. - status
  821. - type
  822. type: object
  823. type: array
  824. externalSecretName:
  825. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  826. type: string
  827. failedNamespaces:
  828. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  829. items:
  830. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  831. properties:
  832. namespace:
  833. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  834. type: string
  835. reason:
  836. description: Reason is why the ExternalSecret failed to apply to the namespace
  837. type: string
  838. required:
  839. - namespace
  840. type: object
  841. type: array
  842. provisionedNamespaces:
  843. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  844. items:
  845. type: string
  846. type: array
  847. type: object
  848. type: object
  849. served: true
  850. storage: true
  851. subresources:
  852. status: {}
  853. - additionalPrinterColumns:
  854. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  855. name: Store
  856. type: string
  857. - jsonPath: .spec.refreshTime
  858. name: Refresh Interval
  859. type: string
  860. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  861. name: Ready
  862. type: string
  863. deprecated: true
  864. name: v1beta1
  865. schema:
  866. openAPIV3Schema:
  867. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  868. properties:
  869. apiVersion:
  870. description: |-
  871. APIVersion defines the versioned schema of this representation of an object.
  872. Servers should convert recognized schemas to the latest internal value, and
  873. may reject unrecognized values.
  874. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  875. type: string
  876. kind:
  877. description: |-
  878. Kind is a string value representing the REST resource this object represents.
  879. Servers may infer this from the endpoint the client submits requests to.
  880. Cannot be updated.
  881. In CamelCase.
  882. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  883. type: string
  884. metadata:
  885. type: object
  886. spec:
  887. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  888. properties:
  889. externalSecretMetadata:
  890. description: The metadata of the external secrets to be created
  891. properties:
  892. annotations:
  893. additionalProperties:
  894. type: string
  895. type: object
  896. labels:
  897. additionalProperties:
  898. type: string
  899. type: object
  900. type: object
  901. externalSecretName:
  902. description: |-
  903. The name of the external secrets to be created.
  904. Defaults to the name of the ClusterExternalSecret
  905. maxLength: 253
  906. minLength: 1
  907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  908. type: string
  909. externalSecretSpec:
  910. description: The spec for the ExternalSecrets to be created
  911. properties:
  912. data:
  913. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  914. items:
  915. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  916. properties:
  917. remoteRef:
  918. description: |-
  919. RemoteRef points to the remote secret and defines
  920. which secret (version/property/..) to fetch.
  921. properties:
  922. conversionStrategy:
  923. default: Default
  924. description: Used to define a conversion Strategy
  925. enum:
  926. - Default
  927. - Unicode
  928. type: string
  929. decodingStrategy:
  930. default: None
  931. description: Used to define a decoding Strategy
  932. enum:
  933. - Auto
  934. - Base64
  935. - Base64URL
  936. - None
  937. type: string
  938. key:
  939. description: Key is the key used in the Provider, mandatory
  940. type: string
  941. metadataPolicy:
  942. default: None
  943. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  944. enum:
  945. - None
  946. - Fetch
  947. type: string
  948. property:
  949. description: Used to select a specific property of the Provider value (if a map), if supported
  950. type: string
  951. version:
  952. description: Used to select a specific version of the Provider value, if supported
  953. type: string
  954. required:
  955. - key
  956. type: object
  957. secretKey:
  958. description: The key in the Kubernetes Secret to store the value.
  959. maxLength: 253
  960. minLength: 1
  961. pattern: ^[-._a-zA-Z0-9]+$
  962. type: string
  963. sourceRef:
  964. description: |-
  965. SourceRef allows you to override the source
  966. from which the value will be pulled.
  967. maxProperties: 1
  968. minProperties: 1
  969. properties:
  970. generatorRef:
  971. description: |-
  972. GeneratorRef points to a generator custom resource.
  973. Deprecated: The generatorRef is not implemented in .data[].
  974. this will be removed with v1.
  975. properties:
  976. apiVersion:
  977. default: generators.external-secrets.io/v1alpha1
  978. description: Specify the apiVersion of the generator resource
  979. type: string
  980. kind:
  981. description: Specify the Kind of the generator resource
  982. enum:
  983. - ACRAccessToken
  984. - ClusterGenerator
  985. - ECRAuthorizationToken
  986. - Fake
  987. - GCRAccessToken
  988. - GithubAccessToken
  989. - QuayAccessToken
  990. - Password
  991. - SSHKey
  992. - STSSessionToken
  993. - UUID
  994. - VaultDynamicSecret
  995. - Webhook
  996. - Grafana
  997. type: string
  998. name:
  999. description: Specify the name of the generator resource
  1000. maxLength: 253
  1001. minLength: 1
  1002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1003. type: string
  1004. required:
  1005. - kind
  1006. - name
  1007. type: object
  1008. storeRef:
  1009. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1010. properties:
  1011. kind:
  1012. description: |-
  1013. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  1014. Defaults to `SecretStore`
  1015. enum:
  1016. - SecretStore
  1017. - ClusterSecretStore
  1018. type: string
  1019. name:
  1020. description: Name of the SecretStore resource
  1021. maxLength: 253
  1022. minLength: 1
  1023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1024. type: string
  1025. type: object
  1026. type: object
  1027. required:
  1028. - remoteRef
  1029. - secretKey
  1030. type: object
  1031. type: array
  1032. dataFrom:
  1033. description: |-
  1034. DataFrom is used to fetch all properties from a specific Provider data
  1035. If multiple entries are specified, the Secret keys are merged in the specified order
  1036. items:
  1037. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1038. properties:
  1039. extract:
  1040. description: |-
  1041. Used to extract multiple key/value pairs from one secret
  1042. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1043. properties:
  1044. conversionStrategy:
  1045. default: Default
  1046. description: Used to define a conversion Strategy
  1047. enum:
  1048. - Default
  1049. - Unicode
  1050. type: string
  1051. decodingStrategy:
  1052. default: None
  1053. description: Used to define a decoding Strategy
  1054. enum:
  1055. - Auto
  1056. - Base64
  1057. - Base64URL
  1058. - None
  1059. type: string
  1060. key:
  1061. description: Key is the key used in the Provider, mandatory
  1062. type: string
  1063. metadataPolicy:
  1064. default: None
  1065. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1066. enum:
  1067. - None
  1068. - Fetch
  1069. type: string
  1070. property:
  1071. description: Used to select a specific property of the Provider value (if a map), if supported
  1072. type: string
  1073. version:
  1074. description: Used to select a specific version of the Provider value, if supported
  1075. type: string
  1076. required:
  1077. - key
  1078. type: object
  1079. find:
  1080. description: |-
  1081. Used to find secrets based on tags or regular expressions
  1082. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1083. properties:
  1084. conversionStrategy:
  1085. default: Default
  1086. description: Used to define a conversion Strategy
  1087. enum:
  1088. - Default
  1089. - Unicode
  1090. type: string
  1091. decodingStrategy:
  1092. default: None
  1093. description: Used to define a decoding Strategy
  1094. enum:
  1095. - Auto
  1096. - Base64
  1097. - Base64URL
  1098. - None
  1099. type: string
  1100. name:
  1101. description: Finds secrets based on the name.
  1102. properties:
  1103. regexp:
  1104. description: Finds secrets base
  1105. type: string
  1106. type: object
  1107. path:
  1108. description: A root path to start the find operations.
  1109. type: string
  1110. tags:
  1111. additionalProperties:
  1112. type: string
  1113. description: Find secrets based on tags.
  1114. type: object
  1115. type: object
  1116. rewrite:
  1117. description: |-
  1118. Used to rewrite secret Keys after getting them from the secret Provider
  1119. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1120. items:
  1121. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1122. maxProperties: 1
  1123. minProperties: 1
  1124. properties:
  1125. regexp:
  1126. description: |-
  1127. Used to rewrite with regular expressions.
  1128. The resulting key will be the output of a regexp.ReplaceAll operation.
  1129. properties:
  1130. source:
  1131. description: Used to define the regular expression of a re.Compiler.
  1132. type: string
  1133. target:
  1134. description: Used to define the target pattern of a ReplaceAll operation.
  1135. type: string
  1136. required:
  1137. - source
  1138. - target
  1139. type: object
  1140. transform:
  1141. description: |-
  1142. Used to apply string transformation on the secrets.
  1143. The resulting key will be the output of the template applied by the operation.
  1144. properties:
  1145. template:
  1146. description: |-
  1147. Used to define the template to apply on the secret name.
  1148. `.value ` will specify the secret name in the template.
  1149. type: string
  1150. required:
  1151. - template
  1152. type: object
  1153. type: object
  1154. type: array
  1155. sourceRef:
  1156. description: |-
  1157. SourceRef points to a store or generator
  1158. which contains secret values ready to use.
  1159. Use this in combination with Extract or Find pull values out of
  1160. a specific SecretStore.
  1161. When sourceRef points to a generator Extract or Find is not supported.
  1162. The generator returns a static map of values
  1163. maxProperties: 1
  1164. minProperties: 1
  1165. properties:
  1166. generatorRef:
  1167. description: GeneratorRef points to a generator custom resource.
  1168. properties:
  1169. apiVersion:
  1170. default: generators.external-secrets.io/v1alpha1
  1171. description: Specify the apiVersion of the generator resource
  1172. type: string
  1173. kind:
  1174. description: Specify the Kind of the generator resource
  1175. enum:
  1176. - ACRAccessToken
  1177. - ClusterGenerator
  1178. - ECRAuthorizationToken
  1179. - Fake
  1180. - GCRAccessToken
  1181. - GithubAccessToken
  1182. - QuayAccessToken
  1183. - Password
  1184. - SSHKey
  1185. - STSSessionToken
  1186. - UUID
  1187. - VaultDynamicSecret
  1188. - Webhook
  1189. - Grafana
  1190. type: string
  1191. name:
  1192. description: Specify the name of the generator resource
  1193. maxLength: 253
  1194. minLength: 1
  1195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1196. type: string
  1197. required:
  1198. - kind
  1199. - name
  1200. type: object
  1201. storeRef:
  1202. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1203. properties:
  1204. kind:
  1205. description: |-
  1206. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  1207. Defaults to `SecretStore`
  1208. enum:
  1209. - SecretStore
  1210. - ClusterSecretStore
  1211. type: string
  1212. name:
  1213. description: Name of the SecretStore resource
  1214. maxLength: 253
  1215. minLength: 1
  1216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1217. type: string
  1218. type: object
  1219. type: object
  1220. type: object
  1221. type: array
  1222. refreshInterval:
  1223. default: 1h0m0s
  1224. description: |-
  1225. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1226. specified as Golang Duration strings.
  1227. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1228. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1229. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1230. type: string
  1231. refreshPolicy:
  1232. description: |-
  1233. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1234. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1235. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1236. No periodic updates occur if refreshInterval is 0.
  1237. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1238. enum:
  1239. - CreatedOnce
  1240. - Periodic
  1241. - OnChange
  1242. type: string
  1243. secretStoreRef:
  1244. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1245. properties:
  1246. kind:
  1247. description: |-
  1248. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  1249. Defaults to `SecretStore`
  1250. enum:
  1251. - SecretStore
  1252. - ClusterSecretStore
  1253. type: string
  1254. name:
  1255. description: Name of the SecretStore resource
  1256. maxLength: 253
  1257. minLength: 1
  1258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1259. type: string
  1260. type: object
  1261. target:
  1262. default:
  1263. creationPolicy: Owner
  1264. deletionPolicy: Retain
  1265. description: |-
  1266. ExternalSecretTarget defines the Kubernetes Secret to be created
  1267. There can be only one target per ExternalSecret.
  1268. properties:
  1269. creationPolicy:
  1270. default: Owner
  1271. description: |-
  1272. CreationPolicy defines rules on how to create the resulting Secret.
  1273. Defaults to "Owner"
  1274. enum:
  1275. - Owner
  1276. - Orphan
  1277. - Merge
  1278. - None
  1279. type: string
  1280. deletionPolicy:
  1281. default: Retain
  1282. description: |-
  1283. DeletionPolicy defines rules on how to delete the resulting Secret.
  1284. Defaults to "Retain"
  1285. enum:
  1286. - Delete
  1287. - Merge
  1288. - Retain
  1289. type: string
  1290. immutable:
  1291. description: Immutable defines if the final secret will be immutable
  1292. type: boolean
  1293. name:
  1294. description: |-
  1295. The name of the Secret resource to be managed.
  1296. Defaults to the .metadata.name of the ExternalSecret resource
  1297. maxLength: 253
  1298. minLength: 1
  1299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1300. type: string
  1301. template:
  1302. description: Template defines a blueprint for the created Secret resource.
  1303. properties:
  1304. data:
  1305. additionalProperties:
  1306. type: string
  1307. type: object
  1308. engineVersion:
  1309. default: v2
  1310. description: |-
  1311. EngineVersion specifies the template engine version
  1312. that should be used to compile/execute the
  1313. template specified in .data and .templateFrom[].
  1314. enum:
  1315. - v2
  1316. type: string
  1317. mergePolicy:
  1318. default: Replace
  1319. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1320. enum:
  1321. - Replace
  1322. - Merge
  1323. type: string
  1324. metadata:
  1325. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1326. properties:
  1327. annotations:
  1328. additionalProperties:
  1329. type: string
  1330. type: object
  1331. labels:
  1332. additionalProperties:
  1333. type: string
  1334. type: object
  1335. type: object
  1336. templateFrom:
  1337. items:
  1338. description: TemplateFrom defines a source for template data.
  1339. properties:
  1340. configMap:
  1341. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1342. properties:
  1343. items:
  1344. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1345. items:
  1346. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1347. properties:
  1348. key:
  1349. description: A key in the ConfigMap/Secret
  1350. maxLength: 253
  1351. minLength: 1
  1352. pattern: ^[-._a-zA-Z0-9]+$
  1353. type: string
  1354. templateAs:
  1355. default: Values
  1356. description: TemplateScope defines the scope of the template when processing template data.
  1357. enum:
  1358. - Values
  1359. - KeysAndValues
  1360. type: string
  1361. required:
  1362. - key
  1363. type: object
  1364. type: array
  1365. name:
  1366. description: The name of the ConfigMap/Secret resource
  1367. maxLength: 253
  1368. minLength: 1
  1369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1370. type: string
  1371. required:
  1372. - items
  1373. - name
  1374. type: object
  1375. literal:
  1376. type: string
  1377. secret:
  1378. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1379. properties:
  1380. items:
  1381. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1382. items:
  1383. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1384. properties:
  1385. key:
  1386. description: A key in the ConfigMap/Secret
  1387. maxLength: 253
  1388. minLength: 1
  1389. pattern: ^[-._a-zA-Z0-9]+$
  1390. type: string
  1391. templateAs:
  1392. default: Values
  1393. description: TemplateScope defines the scope of the template when processing template data.
  1394. enum:
  1395. - Values
  1396. - KeysAndValues
  1397. type: string
  1398. required:
  1399. - key
  1400. type: object
  1401. type: array
  1402. name:
  1403. description: The name of the ConfigMap/Secret resource
  1404. maxLength: 253
  1405. minLength: 1
  1406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1407. type: string
  1408. required:
  1409. - items
  1410. - name
  1411. type: object
  1412. target:
  1413. default: Data
  1414. description: TemplateTarget defines the target field where the template result will be stored.
  1415. enum:
  1416. - Data
  1417. - Annotations
  1418. - Labels
  1419. type: string
  1420. type: object
  1421. type: array
  1422. type:
  1423. type: string
  1424. type: object
  1425. type: object
  1426. type: object
  1427. namespaceSelector:
  1428. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1429. properties:
  1430. matchExpressions:
  1431. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1432. items:
  1433. description: |-
  1434. A label selector requirement is a selector that contains values, a key, and an operator that
  1435. relates the key and values.
  1436. properties:
  1437. key:
  1438. description: key is the label key that the selector applies to.
  1439. type: string
  1440. operator:
  1441. description: |-
  1442. operator represents a key's relationship to a set of values.
  1443. Valid operators are In, NotIn, Exists and DoesNotExist.
  1444. type: string
  1445. values:
  1446. description: |-
  1447. values is an array of string values. If the operator is In or NotIn,
  1448. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1449. the values array must be empty. This array is replaced during a strategic
  1450. merge patch.
  1451. items:
  1452. type: string
  1453. type: array
  1454. x-kubernetes-list-type: atomic
  1455. required:
  1456. - key
  1457. - operator
  1458. type: object
  1459. type: array
  1460. x-kubernetes-list-type: atomic
  1461. matchLabels:
  1462. additionalProperties:
  1463. type: string
  1464. description: |-
  1465. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1466. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1467. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1468. type: object
  1469. type: object
  1470. x-kubernetes-map-type: atomic
  1471. namespaceSelectors:
  1472. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1473. items:
  1474. description: |-
  1475. A label selector is a label query over a set of resources. The result of matchLabels and
  1476. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1477. label selector matches no objects.
  1478. properties:
  1479. matchExpressions:
  1480. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1481. items:
  1482. description: |-
  1483. A label selector requirement is a selector that contains values, a key, and an operator that
  1484. relates the key and values.
  1485. properties:
  1486. key:
  1487. description: key is the label key that the selector applies to.
  1488. type: string
  1489. operator:
  1490. description: |-
  1491. operator represents a key's relationship to a set of values.
  1492. Valid operators are In, NotIn, Exists and DoesNotExist.
  1493. type: string
  1494. values:
  1495. description: |-
  1496. values is an array of string values. If the operator is In or NotIn,
  1497. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1498. the values array must be empty. This array is replaced during a strategic
  1499. merge patch.
  1500. items:
  1501. type: string
  1502. type: array
  1503. x-kubernetes-list-type: atomic
  1504. required:
  1505. - key
  1506. - operator
  1507. type: object
  1508. type: array
  1509. x-kubernetes-list-type: atomic
  1510. matchLabels:
  1511. additionalProperties:
  1512. type: string
  1513. description: |-
  1514. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1515. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1516. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1517. type: object
  1518. type: object
  1519. x-kubernetes-map-type: atomic
  1520. type: array
  1521. namespaces:
  1522. description: |-
  1523. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1524. Deprecated: Use NamespaceSelectors instead.
  1525. items:
  1526. maxLength: 63
  1527. minLength: 1
  1528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1529. type: string
  1530. type: array
  1531. refreshTime:
  1532. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1533. type: string
  1534. required:
  1535. - externalSecretSpec
  1536. type: object
  1537. status:
  1538. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1539. properties:
  1540. conditions:
  1541. items:
  1542. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1543. properties:
  1544. message:
  1545. type: string
  1546. status:
  1547. type: string
  1548. type:
  1549. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1550. type: string
  1551. required:
  1552. - status
  1553. - type
  1554. type: object
  1555. type: array
  1556. externalSecretName:
  1557. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1558. type: string
  1559. failedNamespaces:
  1560. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1561. items:
  1562. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1563. properties:
  1564. namespace:
  1565. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1566. type: string
  1567. reason:
  1568. description: Reason is why the ExternalSecret failed to apply to the namespace
  1569. type: string
  1570. required:
  1571. - namespace
  1572. type: object
  1573. type: array
  1574. provisionedNamespaces:
  1575. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1576. items:
  1577. type: string
  1578. type: array
  1579. type: object
  1580. type: object
  1581. served: false
  1582. storage: false
  1583. subresources:
  1584. status: {}
  1585. ---
  1586. apiVersion: apiextensions.k8s.io/v1
  1587. kind: CustomResourceDefinition
  1588. metadata:
  1589. annotations:
  1590. controller-gen.kubebuilder.io/version: v0.19.0
  1591. name: clusterproviderclasses.external-secrets.io
  1592. spec:
  1593. group: external-secrets.io
  1594. names:
  1595. categories:
  1596. - externalsecrets
  1597. kind: ClusterProviderClass
  1598. listKind: ClusterProviderClassList
  1599. plural: clusterproviderclasses
  1600. shortNames:
  1601. - cpc
  1602. singular: clusterproviderclass
  1603. scope: Cluster
  1604. versions:
  1605. - additionalPrinterColumns:
  1606. - jsonPath: .spec.address
  1607. name: Address
  1608. type: string
  1609. name: v1alpha1
  1610. schema:
  1611. openAPIV3Schema:
  1612. description: ClusterProviderClass is a cluster-scoped store runtime class.
  1613. properties:
  1614. apiVersion:
  1615. description: |-
  1616. APIVersion defines the versioned schema of this representation of an object.
  1617. Servers should convert recognized schemas to the latest internal value, and
  1618. may reject unrecognized values.
  1619. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1620. type: string
  1621. kind:
  1622. description: |-
  1623. Kind is a string value representing the REST resource this object represents.
  1624. Servers may infer this from the endpoint the client submits requests to.
  1625. Cannot be updated.
  1626. In CamelCase.
  1627. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1628. type: string
  1629. metadata:
  1630. type: object
  1631. spec:
  1632. description: ClusterProviderClassSpec defines the desired state of ClusterProviderClass.
  1633. properties:
  1634. address:
  1635. minLength: 1
  1636. type: string
  1637. required:
  1638. - address
  1639. type: object
  1640. status:
  1641. description: ClusterProviderClassStatus defines the observed state of ClusterProviderClass.
  1642. properties:
  1643. conditions:
  1644. items:
  1645. description: Condition contains details for one aspect of the current state of this API Resource.
  1646. properties:
  1647. lastTransitionTime:
  1648. description: |-
  1649. lastTransitionTime is the last time the condition transitioned from one status to another.
  1650. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
  1651. format: date-time
  1652. type: string
  1653. message:
  1654. description: |-
  1655. message is a human readable message indicating details about the transition.
  1656. This may be an empty string.
  1657. maxLength: 32768
  1658. type: string
  1659. observedGeneration:
  1660. description: |-
  1661. observedGeneration represents the .metadata.generation that the condition was set based upon.
  1662. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
  1663. with respect to the current state of the instance.
  1664. format: int64
  1665. minimum: 0
  1666. type: integer
  1667. reason:
  1668. description: |-
  1669. reason contains a programmatic identifier indicating the reason for the condition's last transition.
  1670. Producers of specific condition types may define expected values and meanings for this field,
  1671. and whether the values are considered a guaranteed API.
  1672. The value should be a CamelCase string.
  1673. This field may not be empty.
  1674. maxLength: 1024
  1675. minLength: 1
  1676. pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
  1677. type: string
  1678. status:
  1679. description: status of the condition, one of True, False, Unknown.
  1680. enum:
  1681. - "True"
  1682. - "False"
  1683. - Unknown
  1684. type: string
  1685. type:
  1686. description: type of condition in CamelCase or in foo.example.com/CamelCase.
  1687. maxLength: 316
  1688. pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
  1689. type: string
  1690. required:
  1691. - lastTransitionTime
  1692. - message
  1693. - reason
  1694. - status
  1695. - type
  1696. type: object
  1697. type: array
  1698. type: object
  1699. required:
  1700. - spec
  1701. type: object
  1702. served: true
  1703. storage: true
  1704. subresources:
  1705. status: {}
  1706. ---
  1707. apiVersion: apiextensions.k8s.io/v1
  1708. kind: CustomResourceDefinition
  1709. metadata:
  1710. annotations:
  1711. controller-gen.kubebuilder.io/version: v0.19.0
  1712. labels:
  1713. external-secrets.io/component: controller
  1714. name: clusterpushsecrets.external-secrets.io
  1715. spec:
  1716. group: external-secrets.io
  1717. names:
  1718. categories:
  1719. - external-secrets
  1720. kind: ClusterPushSecret
  1721. listKind: ClusterPushSecretList
  1722. plural: clusterpushsecrets
  1723. singular: clusterpushsecret
  1724. scope: Cluster
  1725. versions:
  1726. - additionalPrinterColumns:
  1727. - jsonPath: .metadata.creationTimestamp
  1728. name: AGE
  1729. type: date
  1730. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1731. name: Status
  1732. type: string
  1733. name: v1alpha1
  1734. schema:
  1735. openAPIV3Schema:
  1736. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1737. properties:
  1738. apiVersion:
  1739. description: |-
  1740. APIVersion defines the versioned schema of this representation of an object.
  1741. Servers should convert recognized schemas to the latest internal value, and
  1742. may reject unrecognized values.
  1743. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1744. type: string
  1745. kind:
  1746. description: |-
  1747. Kind is a string value representing the REST resource this object represents.
  1748. Servers may infer this from the endpoint the client submits requests to.
  1749. Cannot be updated.
  1750. In CamelCase.
  1751. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1752. type: string
  1753. metadata:
  1754. type: object
  1755. spec:
  1756. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1757. properties:
  1758. namespaceSelectors:
  1759. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1760. items:
  1761. description: |-
  1762. A label selector is a label query over a set of resources. The result of matchLabels and
  1763. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1764. label selector matches no objects.
  1765. properties:
  1766. matchExpressions:
  1767. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1768. items:
  1769. description: |-
  1770. A label selector requirement is a selector that contains values, a key, and an operator that
  1771. relates the key and values.
  1772. properties:
  1773. key:
  1774. description: key is the label key that the selector applies to.
  1775. type: string
  1776. operator:
  1777. description: |-
  1778. operator represents a key's relationship to a set of values.
  1779. Valid operators are In, NotIn, Exists and DoesNotExist.
  1780. type: string
  1781. values:
  1782. description: |-
  1783. values is an array of string values. If the operator is In or NotIn,
  1784. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1785. the values array must be empty. This array is replaced during a strategic
  1786. merge patch.
  1787. items:
  1788. type: string
  1789. type: array
  1790. x-kubernetes-list-type: atomic
  1791. required:
  1792. - key
  1793. - operator
  1794. type: object
  1795. type: array
  1796. x-kubernetes-list-type: atomic
  1797. matchLabels:
  1798. additionalProperties:
  1799. type: string
  1800. description: |-
  1801. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1802. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1803. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1804. type: object
  1805. type: object
  1806. x-kubernetes-map-type: atomic
  1807. type: array
  1808. pushSecretMetadata:
  1809. description: The metadata of the external secrets to be created
  1810. properties:
  1811. annotations:
  1812. additionalProperties:
  1813. type: string
  1814. type: object
  1815. labels:
  1816. additionalProperties:
  1817. type: string
  1818. type: object
  1819. type: object
  1820. pushSecretName:
  1821. description: |-
  1822. The name of the push secrets to be created.
  1823. Defaults to the name of the ClusterPushSecret
  1824. maxLength: 253
  1825. minLength: 1
  1826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1827. type: string
  1828. pushSecretSpec:
  1829. description: PushSecretSpec defines what to do with the secrets.
  1830. properties:
  1831. data:
  1832. description: Secret Data that should be pushed to providers
  1833. items:
  1834. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1835. properties:
  1836. conversionStrategy:
  1837. default: None
  1838. description: Used to define a conversion Strategy for the secret keys
  1839. enum:
  1840. - None
  1841. - ReverseUnicode
  1842. type: string
  1843. match:
  1844. description: Match a given Secret Key to be pushed to the provider.
  1845. properties:
  1846. remoteRef:
  1847. description: Remote Refs to push to providers.
  1848. properties:
  1849. property:
  1850. description: Name of the property in the resulting secret
  1851. type: string
  1852. remoteKey:
  1853. description: Name of the resulting provider secret.
  1854. type: string
  1855. required:
  1856. - remoteKey
  1857. type: object
  1858. secretKey:
  1859. description: Secret Key to be pushed
  1860. type: string
  1861. required:
  1862. - remoteRef
  1863. type: object
  1864. metadata:
  1865. description: |-
  1866. Metadata is metadata attached to the secret.
  1867. The structure of metadata is provider specific, please look it up in the provider documentation.
  1868. x-kubernetes-preserve-unknown-fields: true
  1869. required:
  1870. - match
  1871. type: object
  1872. type: array
  1873. dataTo:
  1874. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1875. items:
  1876. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1877. properties:
  1878. conversionStrategy:
  1879. default: None
  1880. description: Used to define a conversion Strategy for the secret keys
  1881. enum:
  1882. - None
  1883. - ReverseUnicode
  1884. type: string
  1885. match:
  1886. description: |-
  1887. Match pattern for selecting keys from the source Secret.
  1888. If not specified, all keys are selected.
  1889. properties:
  1890. regexp:
  1891. description: |-
  1892. Regexp matches keys by regular expression.
  1893. If not specified, all keys are matched.
  1894. type: string
  1895. type: object
  1896. metadata:
  1897. description: |-
  1898. Metadata is metadata attached to the secret.
  1899. The structure of metadata is provider specific, please look it up in the provider documentation.
  1900. x-kubernetes-preserve-unknown-fields: true
  1901. remoteKey:
  1902. description: |-
  1903. RemoteKey is the name of the single provider secret that will receive ALL
  1904. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1905. When set, per-key expansion is skipped and a single push is performed.
  1906. The provider's store prefix (if any) is still prepended to this value.
  1907. When not set, each matched key is pushed as its own individual provider secret.
  1908. type: string
  1909. rewrite:
  1910. description: |-
  1911. Rewrite operations to transform keys before pushing to the provider.
  1912. Operations are applied sequentially.
  1913. items:
  1914. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1915. properties:
  1916. regexp:
  1917. description: Used to rewrite with regular expressions.
  1918. properties:
  1919. source:
  1920. description: Used to define the regular expression of a re.Compiler.
  1921. type: string
  1922. target:
  1923. description: Used to define the target pattern of a ReplaceAll operation.
  1924. type: string
  1925. required:
  1926. - source
  1927. - target
  1928. type: object
  1929. transform:
  1930. description: Used to apply string transformation on the secrets.
  1931. properties:
  1932. template:
  1933. description: |-
  1934. Used to define the template to apply on the secret name.
  1935. `.value ` will specify the secret name in the template.
  1936. type: string
  1937. required:
  1938. - template
  1939. type: object
  1940. type: object
  1941. x-kubernetes-validations:
  1942. - message: exactly one of regexp or transform must be set
  1943. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1944. type: array
  1945. storeRef:
  1946. description: StoreRef specifies which SecretStore to push to. Required.
  1947. properties:
  1948. apiVersion:
  1949. description: |-
  1950. APIVersion of the referenced store resource.
  1951. This field is optional and depends on the selected store kind.
  1952. type: string
  1953. kind:
  1954. description: Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  1955. enum:
  1956. - SecretStore
  1957. - ClusterSecretStore
  1958. type: string
  1959. labelSelector:
  1960. description: Optionally, sync to secret stores with label selector
  1961. properties:
  1962. matchExpressions:
  1963. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1964. items:
  1965. description: |-
  1966. A label selector requirement is a selector that contains values, a key, and an operator that
  1967. relates the key and values.
  1968. properties:
  1969. key:
  1970. description: key is the label key that the selector applies to.
  1971. type: string
  1972. operator:
  1973. description: |-
  1974. operator represents a key's relationship to a set of values.
  1975. Valid operators are In, NotIn, Exists and DoesNotExist.
  1976. type: string
  1977. values:
  1978. description: |-
  1979. values is an array of string values. If the operator is In or NotIn,
  1980. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1981. the values array must be empty. This array is replaced during a strategic
  1982. merge patch.
  1983. items:
  1984. type: string
  1985. type: array
  1986. x-kubernetes-list-type: atomic
  1987. required:
  1988. - key
  1989. - operator
  1990. type: object
  1991. type: array
  1992. x-kubernetes-list-type: atomic
  1993. matchLabels:
  1994. additionalProperties:
  1995. type: string
  1996. description: |-
  1997. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1998. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1999. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2000. type: object
  2001. type: object
  2002. x-kubernetes-map-type: atomic
  2003. name:
  2004. description: Optionally, sync to the SecretStore of the given name
  2005. maxLength: 253
  2006. minLength: 1
  2007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2008. type: string
  2009. type: object
  2010. type: object
  2011. x-kubernetes-validations:
  2012. - message: storeRef must specify either name or labelSelector
  2013. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  2014. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  2015. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  2016. type: array
  2017. deletionPolicy:
  2018. default: None
  2019. description: Deletion Policy to handle Secrets in the provider.
  2020. enum:
  2021. - Delete
  2022. - None
  2023. type: string
  2024. refreshInterval:
  2025. default: 1h0m0s
  2026. description: The Interval to which External Secrets will try to push a secret definition
  2027. type: string
  2028. secretStoreRefs:
  2029. items:
  2030. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  2031. properties:
  2032. apiVersion:
  2033. description: |-
  2034. APIVersion of the referenced store resource.
  2035. This field is optional and depends on the selected store kind.
  2036. type: string
  2037. kind:
  2038. description: Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  2039. enum:
  2040. - SecretStore
  2041. - ClusterSecretStore
  2042. type: string
  2043. labelSelector:
  2044. description: Optionally, sync to secret stores with label selector
  2045. properties:
  2046. matchExpressions:
  2047. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2048. items:
  2049. description: |-
  2050. A label selector requirement is a selector that contains values, a key, and an operator that
  2051. relates the key and values.
  2052. properties:
  2053. key:
  2054. description: key is the label key that the selector applies to.
  2055. type: string
  2056. operator:
  2057. description: |-
  2058. operator represents a key's relationship to a set of values.
  2059. Valid operators are In, NotIn, Exists and DoesNotExist.
  2060. type: string
  2061. values:
  2062. description: |-
  2063. values is an array of string values. If the operator is In or NotIn,
  2064. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2065. the values array must be empty. This array is replaced during a strategic
  2066. merge patch.
  2067. items:
  2068. type: string
  2069. type: array
  2070. x-kubernetes-list-type: atomic
  2071. required:
  2072. - key
  2073. - operator
  2074. type: object
  2075. type: array
  2076. x-kubernetes-list-type: atomic
  2077. matchLabels:
  2078. additionalProperties:
  2079. type: string
  2080. description: |-
  2081. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2082. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2083. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2084. type: object
  2085. type: object
  2086. x-kubernetes-map-type: atomic
  2087. name:
  2088. description: Optionally, sync to the SecretStore of the given name
  2089. maxLength: 253
  2090. minLength: 1
  2091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2092. type: string
  2093. type: object
  2094. type: array
  2095. selector:
  2096. description: The Secret Selector (k8s source) for the Push Secret
  2097. maxProperties: 1
  2098. minProperties: 1
  2099. properties:
  2100. generatorRef:
  2101. description: Point to a generator to create a Secret.
  2102. properties:
  2103. apiVersion:
  2104. default: generators.external-secrets.io/v1alpha1
  2105. description: Specify the apiVersion of the generator resource
  2106. type: string
  2107. kind:
  2108. description: Specify the Kind of the generator resource
  2109. enum:
  2110. - ACRAccessToken
  2111. - BeyondtrustWorkloadCredentialsDynamicSecret
  2112. - ClusterGenerator
  2113. - CloudsmithAccessToken
  2114. - ECRAuthorizationToken
  2115. - Fake
  2116. - GCRAccessToken
  2117. - GithubAccessToken
  2118. - QuayAccessToken
  2119. - Password
  2120. - SSHKey
  2121. - STSSessionToken
  2122. - UUID
  2123. - VaultDynamicSecret
  2124. - Webhook
  2125. - Grafana
  2126. - MFA
  2127. type: string
  2128. name:
  2129. description: Specify the name of the generator resource
  2130. maxLength: 253
  2131. minLength: 1
  2132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2133. type: string
  2134. required:
  2135. - kind
  2136. - name
  2137. type: object
  2138. secret:
  2139. description: Select a Secret to Push.
  2140. properties:
  2141. name:
  2142. description: |-
  2143. Name of the Secret.
  2144. The Secret must exist in the same namespace as the PushSecret manifest.
  2145. maxLength: 253
  2146. minLength: 1
  2147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2148. type: string
  2149. selector:
  2150. description: Selector chooses secrets using a labelSelector.
  2151. properties:
  2152. matchExpressions:
  2153. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2154. items:
  2155. description: |-
  2156. A label selector requirement is a selector that contains values, a key, and an operator that
  2157. relates the key and values.
  2158. properties:
  2159. key:
  2160. description: key is the label key that the selector applies to.
  2161. type: string
  2162. operator:
  2163. description: |-
  2164. operator represents a key's relationship to a set of values.
  2165. Valid operators are In, NotIn, Exists and DoesNotExist.
  2166. type: string
  2167. values:
  2168. description: |-
  2169. values is an array of string values. If the operator is In or NotIn,
  2170. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2171. the values array must be empty. This array is replaced during a strategic
  2172. merge patch.
  2173. items:
  2174. type: string
  2175. type: array
  2176. x-kubernetes-list-type: atomic
  2177. required:
  2178. - key
  2179. - operator
  2180. type: object
  2181. type: array
  2182. x-kubernetes-list-type: atomic
  2183. matchLabels:
  2184. additionalProperties:
  2185. type: string
  2186. description: |-
  2187. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2188. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2189. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2190. type: object
  2191. type: object
  2192. x-kubernetes-map-type: atomic
  2193. type: object
  2194. type: object
  2195. template:
  2196. description: Template defines a blueprint for the created Secret resource.
  2197. properties:
  2198. data:
  2199. additionalProperties:
  2200. type: string
  2201. type: object
  2202. engineVersion:
  2203. default: v2
  2204. description: |-
  2205. EngineVersion specifies the template engine version
  2206. that should be used to compile/execute the
  2207. template specified in .data and .templateFrom[].
  2208. enum:
  2209. - v2
  2210. type: string
  2211. mergePolicy:
  2212. default: Replace
  2213. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2214. enum:
  2215. - Replace
  2216. - Merge
  2217. type: string
  2218. metadata:
  2219. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2220. properties:
  2221. annotations:
  2222. additionalProperties:
  2223. type: string
  2224. type: object
  2225. finalizers:
  2226. items:
  2227. type: string
  2228. type: array
  2229. labels:
  2230. additionalProperties:
  2231. type: string
  2232. type: object
  2233. type: object
  2234. templateFrom:
  2235. items:
  2236. description: |-
  2237. TemplateFrom specifies a source for templates.
  2238. Each item in the list can either reference a ConfigMap or a Secret resource.
  2239. properties:
  2240. configMap:
  2241. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2242. properties:
  2243. items:
  2244. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2245. items:
  2246. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2247. properties:
  2248. key:
  2249. description: A key in the ConfigMap/Secret
  2250. maxLength: 253
  2251. minLength: 1
  2252. pattern: ^[-._a-zA-Z0-9]+$
  2253. type: string
  2254. templateAs:
  2255. default: Values
  2256. description: TemplateScope specifies how the template keys should be interpreted.
  2257. enum:
  2258. - Values
  2259. - KeysAndValues
  2260. type: string
  2261. required:
  2262. - key
  2263. type: object
  2264. type: array
  2265. name:
  2266. description: The name of the ConfigMap/Secret resource
  2267. maxLength: 253
  2268. minLength: 1
  2269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2270. type: string
  2271. required:
  2272. - items
  2273. - name
  2274. type: object
  2275. literal:
  2276. type: string
  2277. secret:
  2278. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2279. properties:
  2280. items:
  2281. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2282. items:
  2283. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2284. properties:
  2285. key:
  2286. description: A key in the ConfigMap/Secret
  2287. maxLength: 253
  2288. minLength: 1
  2289. pattern: ^[-._a-zA-Z0-9]+$
  2290. type: string
  2291. templateAs:
  2292. default: Values
  2293. description: TemplateScope specifies how the template keys should be interpreted.
  2294. enum:
  2295. - Values
  2296. - KeysAndValues
  2297. type: string
  2298. required:
  2299. - key
  2300. type: object
  2301. type: array
  2302. name:
  2303. description: The name of the ConfigMap/Secret resource
  2304. maxLength: 253
  2305. minLength: 1
  2306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2307. type: string
  2308. required:
  2309. - items
  2310. - name
  2311. type: object
  2312. target:
  2313. default: Data
  2314. description: |-
  2315. Target specifies where to place the template result.
  2316. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2317. For custom resources (when spec.target.manifest is set), this supports
  2318. nested paths like "spec.database.config" or "data".
  2319. type: string
  2320. valuesDecodingStrategy:
  2321. default: None
  2322. description: Used to define a decoding Strategy for the rendered template values.
  2323. enum:
  2324. - Auto
  2325. - Base64
  2326. - Base64URL
  2327. - None
  2328. type: string
  2329. type: object
  2330. type: array
  2331. type:
  2332. type: string
  2333. type: object
  2334. updatePolicy:
  2335. default: Replace
  2336. description: UpdatePolicy to handle Secrets in the provider.
  2337. enum:
  2338. - Replace
  2339. - IfNotExists
  2340. type: string
  2341. required:
  2342. - secretStoreRefs
  2343. - selector
  2344. type: object
  2345. refreshTime:
  2346. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2347. type: string
  2348. required:
  2349. - pushSecretSpec
  2350. type: object
  2351. status:
  2352. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2353. properties:
  2354. conditions:
  2355. items:
  2356. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2357. properties:
  2358. lastTransitionTime:
  2359. format: date-time
  2360. type: string
  2361. message:
  2362. type: string
  2363. reason:
  2364. type: string
  2365. status:
  2366. type: string
  2367. type:
  2368. description: PushSecretConditionType indicates the condition of the PushSecret.
  2369. type: string
  2370. required:
  2371. - status
  2372. - type
  2373. type: object
  2374. type: array
  2375. failedNamespaces:
  2376. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  2377. items:
  2378. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  2379. properties:
  2380. namespace:
  2381. description: Namespace is the namespace that failed when trying to apply an PushSecret
  2382. type: string
  2383. reason:
  2384. description: Reason is why the PushSecret failed to apply to the namespace
  2385. type: string
  2386. required:
  2387. - namespace
  2388. type: object
  2389. type: array
  2390. provisionedNamespaces:
  2391. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2392. items:
  2393. type: string
  2394. type: array
  2395. pushSecretName:
  2396. type: string
  2397. type: object
  2398. type: object
  2399. served: true
  2400. storage: true
  2401. subresources:
  2402. status: {}
  2403. ---
  2404. apiVersion: apiextensions.k8s.io/v1
  2405. kind: CustomResourceDefinition
  2406. metadata:
  2407. annotations:
  2408. controller-gen.kubebuilder.io/version: v0.19.0
  2409. labels:
  2410. external-secrets.io/component: controller
  2411. name: clustersecretstores.external-secrets.io
  2412. spec:
  2413. group: external-secrets.io
  2414. names:
  2415. categories:
  2416. - external-secrets
  2417. kind: ClusterSecretStore
  2418. listKind: ClusterSecretStoreList
  2419. plural: clustersecretstores
  2420. shortNames:
  2421. - css
  2422. singular: clustersecretstore
  2423. scope: Cluster
  2424. versions:
  2425. - additionalPrinterColumns:
  2426. - jsonPath: .metadata.creationTimestamp
  2427. name: AGE
  2428. type: date
  2429. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2430. name: Status
  2431. type: string
  2432. - jsonPath: .status.capabilities
  2433. name: Capabilities
  2434. type: string
  2435. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2436. name: Ready
  2437. type: string
  2438. name: v1
  2439. schema:
  2440. openAPIV3Schema:
  2441. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2442. properties:
  2443. apiVersion:
  2444. description: |-
  2445. APIVersion defines the versioned schema of this representation of an object.
  2446. Servers should convert recognized schemas to the latest internal value, and
  2447. may reject unrecognized values.
  2448. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2449. type: string
  2450. kind:
  2451. description: |-
  2452. Kind is a string value representing the REST resource this object represents.
  2453. Servers may infer this from the endpoint the client submits requests to.
  2454. Cannot be updated.
  2455. In CamelCase.
  2456. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2457. type: string
  2458. metadata:
  2459. type: object
  2460. spec:
  2461. description: SecretStoreSpec defines the desired state of SecretStore.
  2462. properties:
  2463. conditions:
  2464. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2465. items:
  2466. description: |-
  2467. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2468. for a ClusterSecretStore instance.
  2469. properties:
  2470. namespaceRegexes:
  2471. description: Choose namespaces by using regex matching
  2472. items:
  2473. type: string
  2474. type: array
  2475. namespaceSelector:
  2476. description: Choose namespace using a labelSelector
  2477. properties:
  2478. matchExpressions:
  2479. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2480. items:
  2481. description: |-
  2482. A label selector requirement is a selector that contains values, a key, and an operator that
  2483. relates the key and values.
  2484. properties:
  2485. key:
  2486. description: key is the label key that the selector applies to.
  2487. type: string
  2488. operator:
  2489. description: |-
  2490. operator represents a key's relationship to a set of values.
  2491. Valid operators are In, NotIn, Exists and DoesNotExist.
  2492. type: string
  2493. values:
  2494. description: |-
  2495. values is an array of string values. If the operator is In or NotIn,
  2496. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2497. the values array must be empty. This array is replaced during a strategic
  2498. merge patch.
  2499. items:
  2500. type: string
  2501. type: array
  2502. x-kubernetes-list-type: atomic
  2503. required:
  2504. - key
  2505. - operator
  2506. type: object
  2507. type: array
  2508. x-kubernetes-list-type: atomic
  2509. matchLabels:
  2510. additionalProperties:
  2511. type: string
  2512. description: |-
  2513. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2514. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2515. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2516. type: object
  2517. type: object
  2518. x-kubernetes-map-type: atomic
  2519. namespaces:
  2520. description: Choose namespaces by name
  2521. items:
  2522. maxLength: 63
  2523. minLength: 1
  2524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2525. type: string
  2526. type: array
  2527. type: object
  2528. type: array
  2529. controller:
  2530. description: |-
  2531. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2532. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2533. type: string
  2534. provider:
  2535. description: Used to configure the provider. Only one provider may be set
  2536. maxProperties: 1
  2537. minProperties: 1
  2538. properties:
  2539. akeyless:
  2540. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2541. properties:
  2542. akeylessGWApiURL:
  2543. description: Akeyless GW API Url from which the secrets to be fetched from.
  2544. type: string
  2545. authSecretRef:
  2546. description: Auth configures how the operator authenticates with Akeyless.
  2547. properties:
  2548. kubernetesAuth:
  2549. description: |-
  2550. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2551. token stored in the named Secret resource.
  2552. properties:
  2553. accessID:
  2554. description: the Akeyless Kubernetes auth-method access-id
  2555. type: string
  2556. k8sConfName:
  2557. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2558. type: string
  2559. secretRef:
  2560. description: |-
  2561. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2562. for authenticating with Akeyless. If a name is specified without a key,
  2563. `token` is the default. If one is not specified, the one bound to
  2564. the controller will be used.
  2565. properties:
  2566. key:
  2567. description: |-
  2568. A key in the referenced Secret.
  2569. Some instances of this field may be defaulted, in others it may be required.
  2570. maxLength: 253
  2571. minLength: 1
  2572. pattern: ^[-._a-zA-Z0-9]+$
  2573. type: string
  2574. name:
  2575. description: The name of the Secret resource being referred to.
  2576. maxLength: 253
  2577. minLength: 1
  2578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2579. type: string
  2580. namespace:
  2581. description: |-
  2582. The namespace of the Secret resource being referred to.
  2583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2584. maxLength: 63
  2585. minLength: 1
  2586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2587. type: string
  2588. type: object
  2589. serviceAccountRef:
  2590. description: |-
  2591. Optional service account field containing the name of a kubernetes ServiceAccount.
  2592. If the service account is specified, the service account secret token JWT will be used
  2593. for authenticating with Akeyless. If the service account selector is not supplied,
  2594. the secretRef will be used instead.
  2595. properties:
  2596. audiences:
  2597. description: |-
  2598. Audience specifies the `aud` claim for the service account token
  2599. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2600. then this audiences will be appended to the list
  2601. items:
  2602. type: string
  2603. type: array
  2604. name:
  2605. description: The name of the ServiceAccount resource being referred to.
  2606. maxLength: 253
  2607. minLength: 1
  2608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2609. type: string
  2610. namespace:
  2611. description: |-
  2612. Namespace of the resource being referred to.
  2613. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2614. maxLength: 63
  2615. minLength: 1
  2616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2617. type: string
  2618. required:
  2619. - name
  2620. type: object
  2621. required:
  2622. - accessID
  2623. - k8sConfName
  2624. type: object
  2625. secretRef:
  2626. description: |-
  2627. Reference to a Secret that contains the details
  2628. to authenticate with Akeyless.
  2629. properties:
  2630. accessID:
  2631. description: The SecretAccessID is used for authentication
  2632. properties:
  2633. key:
  2634. description: |-
  2635. A key in the referenced Secret.
  2636. Some instances of this field may be defaulted, in others it may be required.
  2637. maxLength: 253
  2638. minLength: 1
  2639. pattern: ^[-._a-zA-Z0-9]+$
  2640. type: string
  2641. name:
  2642. description: The name of the Secret resource being referred to.
  2643. maxLength: 253
  2644. minLength: 1
  2645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2646. type: string
  2647. namespace:
  2648. description: |-
  2649. The namespace of the Secret resource being referred to.
  2650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2651. maxLength: 63
  2652. minLength: 1
  2653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2654. type: string
  2655. type: object
  2656. accessType:
  2657. description: |-
  2658. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2659. In some instances, `key` is a required field.
  2660. properties:
  2661. key:
  2662. description: |-
  2663. A key in the referenced Secret.
  2664. Some instances of this field may be defaulted, in others it may be required.
  2665. maxLength: 253
  2666. minLength: 1
  2667. pattern: ^[-._a-zA-Z0-9]+$
  2668. type: string
  2669. name:
  2670. description: The name of the Secret resource being referred to.
  2671. maxLength: 253
  2672. minLength: 1
  2673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2674. type: string
  2675. namespace:
  2676. description: |-
  2677. The namespace of the Secret resource being referred to.
  2678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2679. maxLength: 63
  2680. minLength: 1
  2681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2682. type: string
  2683. type: object
  2684. accessTypeParam:
  2685. description: |-
  2686. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2687. In some instances, `key` is a required field.
  2688. properties:
  2689. key:
  2690. description: |-
  2691. A key in the referenced Secret.
  2692. Some instances of this field may be defaulted, in others it may be required.
  2693. maxLength: 253
  2694. minLength: 1
  2695. pattern: ^[-._a-zA-Z0-9]+$
  2696. type: string
  2697. name:
  2698. description: The name of the Secret resource being referred to.
  2699. maxLength: 253
  2700. minLength: 1
  2701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2702. type: string
  2703. namespace:
  2704. description: |-
  2705. The namespace of the Secret resource being referred to.
  2706. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2707. maxLength: 63
  2708. minLength: 1
  2709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2710. type: string
  2711. type: object
  2712. type: object
  2713. type: object
  2714. caBundle:
  2715. description: |-
  2716. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2717. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2718. are used to validate the TLS connection.
  2719. format: byte
  2720. type: string
  2721. caProvider:
  2722. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2723. properties:
  2724. key:
  2725. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2726. maxLength: 253
  2727. minLength: 1
  2728. pattern: ^[-._a-zA-Z0-9]+$
  2729. type: string
  2730. name:
  2731. description: The name of the object located at the provider type.
  2732. maxLength: 253
  2733. minLength: 1
  2734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2735. type: string
  2736. namespace:
  2737. description: |-
  2738. The namespace the Provider type is in.
  2739. Can only be defined when used in a ClusterSecretStore.
  2740. maxLength: 63
  2741. minLength: 1
  2742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2743. type: string
  2744. type:
  2745. description: The type of provider to use such as "Secret", or "ConfigMap".
  2746. enum:
  2747. - Secret
  2748. - ConfigMap
  2749. type: string
  2750. required:
  2751. - name
  2752. - type
  2753. type: object
  2754. required:
  2755. - akeylessGWApiURL
  2756. - authSecretRef
  2757. type: object
  2758. aws:
  2759. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2760. properties:
  2761. additionalRoles:
  2762. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2763. items:
  2764. type: string
  2765. type: array
  2766. auth:
  2767. description: |-
  2768. Auth defines the information necessary to authenticate against AWS
  2769. if not set aws sdk will infer credentials from your environment
  2770. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2771. properties:
  2772. jwt:
  2773. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  2774. properties:
  2775. serviceAccountRef:
  2776. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2777. properties:
  2778. audiences:
  2779. description: |-
  2780. Audience specifies the `aud` claim for the service account token
  2781. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2782. then this audiences will be appended to the list
  2783. items:
  2784. type: string
  2785. type: array
  2786. name:
  2787. description: The name of the ServiceAccount resource being referred to.
  2788. maxLength: 253
  2789. minLength: 1
  2790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2791. type: string
  2792. namespace:
  2793. description: |-
  2794. Namespace of the resource being referred to.
  2795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2796. maxLength: 63
  2797. minLength: 1
  2798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2799. type: string
  2800. required:
  2801. - name
  2802. type: object
  2803. type: object
  2804. secretRef:
  2805. description: |-
  2806. AWSAuthSecretRef holds secret references for AWS credentials
  2807. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2808. properties:
  2809. accessKeyIDSecretRef:
  2810. description: The AccessKeyID is used for authentication
  2811. properties:
  2812. key:
  2813. description: |-
  2814. A key in the referenced Secret.
  2815. Some instances of this field may be defaulted, in others it may be required.
  2816. maxLength: 253
  2817. minLength: 1
  2818. pattern: ^[-._a-zA-Z0-9]+$
  2819. type: string
  2820. name:
  2821. description: The name of the Secret resource being referred to.
  2822. maxLength: 253
  2823. minLength: 1
  2824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2825. type: string
  2826. namespace:
  2827. description: |-
  2828. The namespace of the Secret resource being referred to.
  2829. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2830. maxLength: 63
  2831. minLength: 1
  2832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2833. type: string
  2834. type: object
  2835. secretAccessKeySecretRef:
  2836. description: The SecretAccessKey is used for authentication
  2837. properties:
  2838. key:
  2839. description: |-
  2840. A key in the referenced Secret.
  2841. Some instances of this field may be defaulted, in others it may be required.
  2842. maxLength: 253
  2843. minLength: 1
  2844. pattern: ^[-._a-zA-Z0-9]+$
  2845. type: string
  2846. name:
  2847. description: The name of the Secret resource being referred to.
  2848. maxLength: 253
  2849. minLength: 1
  2850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2851. type: string
  2852. namespace:
  2853. description: |-
  2854. The namespace of the Secret resource being referred to.
  2855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2856. maxLength: 63
  2857. minLength: 1
  2858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2859. type: string
  2860. type: object
  2861. sessionTokenSecretRef:
  2862. description: |-
  2863. The SessionToken used for authentication
  2864. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2865. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2866. properties:
  2867. key:
  2868. description: |-
  2869. A key in the referenced Secret.
  2870. Some instances of this field may be defaulted, in others it may be required.
  2871. maxLength: 253
  2872. minLength: 1
  2873. pattern: ^[-._a-zA-Z0-9]+$
  2874. type: string
  2875. name:
  2876. description: The name of the Secret resource being referred to.
  2877. maxLength: 253
  2878. minLength: 1
  2879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2880. type: string
  2881. namespace:
  2882. description: |-
  2883. The namespace of the Secret resource being referred to.
  2884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2885. maxLength: 63
  2886. minLength: 1
  2887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2888. type: string
  2889. type: object
  2890. type: object
  2891. type: object
  2892. customSessionTags:
  2893. additionalProperties:
  2894. type: string
  2895. description: |-
  2896. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2897. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2898. type: object
  2899. x-kubernetes-validations:
  2900. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2901. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2902. externalID:
  2903. description: AWS External ID set on assumed IAM roles
  2904. type: string
  2905. prefix:
  2906. description: Prefix adds a prefix to all retrieved values.
  2907. type: string
  2908. region:
  2909. description: AWS Region to be used for the provider
  2910. type: string
  2911. role:
  2912. description: Role is a Role ARN which the provider will assume
  2913. type: string
  2914. secretsManager:
  2915. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2916. properties:
  2917. forceDeleteWithoutRecovery:
  2918. description: |-
  2919. Specifies whether to delete the secret without any recovery window. You
  2920. can't use both this parameter and RecoveryWindowInDays in the same call.
  2921. If you don't use either, then by default Secrets Manager uses a 30 day
  2922. recovery window.
  2923. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2924. type: boolean
  2925. recoveryWindowInDays:
  2926. description: |-
  2927. The number of days from 7 to 30 that Secrets Manager waits before
  2928. permanently deleting the secret. You can't use both this parameter and
  2929. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2930. then by default Secrets Manager uses a 30-day recovery window.
  2931. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2932. type: integer
  2933. type: object
  2934. service:
  2935. description: Service defines which service should be used to fetch the secrets
  2936. enum:
  2937. - SecretsManager
  2938. - ParameterStore
  2939. type: string
  2940. sessionTags:
  2941. description: AWS STS assume role session tags
  2942. items:
  2943. description: |-
  2944. Tag is a key-value pair that can be attached to an AWS resource.
  2945. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2946. properties:
  2947. key:
  2948. type: string
  2949. value:
  2950. type: string
  2951. required:
  2952. - key
  2953. - value
  2954. type: object
  2955. type: array
  2956. sessionTagsPolicy:
  2957. default: None
  2958. description: |-
  2959. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2960. None (default): no tags are added.
  2961. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2962. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2963. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2964. enum:
  2965. - None
  2966. - Simple
  2967. - Custom
  2968. type: string
  2969. transitiveTagKeys:
  2970. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2971. items:
  2972. type: string
  2973. type: array
  2974. required:
  2975. - region
  2976. - service
  2977. type: object
  2978. azurekv:
  2979. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2980. properties:
  2981. authSecretRef:
  2982. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2983. properties:
  2984. clientCertificate:
  2985. description: The Azure ClientCertificate of the service principle used for authentication.
  2986. properties:
  2987. key:
  2988. description: |-
  2989. A key in the referenced Secret.
  2990. Some instances of this field may be defaulted, in others it may be required.
  2991. maxLength: 253
  2992. minLength: 1
  2993. pattern: ^[-._a-zA-Z0-9]+$
  2994. type: string
  2995. name:
  2996. description: The name of the Secret resource being referred to.
  2997. maxLength: 253
  2998. minLength: 1
  2999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3000. type: string
  3001. namespace:
  3002. description: |-
  3003. The namespace of the Secret resource being referred to.
  3004. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3005. maxLength: 63
  3006. minLength: 1
  3007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3008. type: string
  3009. type: object
  3010. clientId:
  3011. description: The Azure clientId of the service principle or managed identity used for authentication.
  3012. properties:
  3013. key:
  3014. description: |-
  3015. A key in the referenced Secret.
  3016. Some instances of this field may be defaulted, in others it may be required.
  3017. maxLength: 253
  3018. minLength: 1
  3019. pattern: ^[-._a-zA-Z0-9]+$
  3020. type: string
  3021. name:
  3022. description: The name of the Secret resource being referred to.
  3023. maxLength: 253
  3024. minLength: 1
  3025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3026. type: string
  3027. namespace:
  3028. description: |-
  3029. The namespace of the Secret resource being referred to.
  3030. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3031. maxLength: 63
  3032. minLength: 1
  3033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3034. type: string
  3035. type: object
  3036. clientSecret:
  3037. description: The Azure ClientSecret of the service principle used for authentication.
  3038. properties:
  3039. key:
  3040. description: |-
  3041. A key in the referenced Secret.
  3042. Some instances of this field may be defaulted, in others it may be required.
  3043. maxLength: 253
  3044. minLength: 1
  3045. pattern: ^[-._a-zA-Z0-9]+$
  3046. type: string
  3047. name:
  3048. description: The name of the Secret resource being referred to.
  3049. maxLength: 253
  3050. minLength: 1
  3051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3052. type: string
  3053. namespace:
  3054. description: |-
  3055. The namespace of the Secret resource being referred to.
  3056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3057. maxLength: 63
  3058. minLength: 1
  3059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3060. type: string
  3061. type: object
  3062. tenantId:
  3063. description: The Azure tenantId of the managed identity used for authentication.
  3064. properties:
  3065. key:
  3066. description: |-
  3067. A key in the referenced Secret.
  3068. Some instances of this field may be defaulted, in others it may be required.
  3069. maxLength: 253
  3070. minLength: 1
  3071. pattern: ^[-._a-zA-Z0-9]+$
  3072. type: string
  3073. name:
  3074. description: The name of the Secret resource being referred to.
  3075. maxLength: 253
  3076. minLength: 1
  3077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3078. type: string
  3079. namespace:
  3080. description: |-
  3081. The namespace of the Secret resource being referred to.
  3082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3083. maxLength: 63
  3084. minLength: 1
  3085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3086. type: string
  3087. type: object
  3088. type: object
  3089. authType:
  3090. default: ServicePrincipal
  3091. description: |-
  3092. Auth type defines how to authenticate to the keyvault service.
  3093. Valid values are:
  3094. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  3095. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  3096. enum:
  3097. - ServicePrincipal
  3098. - ManagedIdentity
  3099. - WorkloadIdentity
  3100. type: string
  3101. customCloudConfig:
  3102. description: |-
  3103. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  3104. Required when EnvironmentType is AzureStackCloud.
  3105. Optional for other environment types - useful for Azure China when using Workload Identity
  3106. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  3107. standard China Cloud endpoint (login.chinacloudapi.cn).
  3108. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  3109. configuration is not supported with the legacy go-autorest SDK.
  3110. properties:
  3111. activeDirectoryEndpoint:
  3112. description: |-
  3113. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  3114. Required when using custom cloud configuration
  3115. type: string
  3116. keyVaultDNSSuffix:
  3117. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  3118. type: string
  3119. keyVaultEndpoint:
  3120. description: KeyVaultEndpoint is the Key Vault service endpoint
  3121. type: string
  3122. resourceManagerEndpoint:
  3123. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  3124. type: string
  3125. required:
  3126. - activeDirectoryEndpoint
  3127. type: object
  3128. environmentType:
  3129. default: PublicCloud
  3130. description: |-
  3131. EnvironmentType specifies the Azure cloud environment endpoints to use for
  3132. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  3133. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  3134. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  3135. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  3136. enum:
  3137. - PublicCloud
  3138. - USGovernmentCloud
  3139. - ChinaCloud
  3140. - GermanCloud
  3141. - AzureStackCloud
  3142. type: string
  3143. identityId:
  3144. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3145. type: string
  3146. serviceAccountRef:
  3147. description: |-
  3148. ServiceAccountRef specified the service account
  3149. that should be used when authenticating with WorkloadIdentity.
  3150. properties:
  3151. audiences:
  3152. description: |-
  3153. Audience specifies the `aud` claim for the service account token
  3154. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3155. then this audiences will be appended to the list
  3156. items:
  3157. type: string
  3158. type: array
  3159. name:
  3160. description: The name of the ServiceAccount resource being referred to.
  3161. maxLength: 253
  3162. minLength: 1
  3163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3164. type: string
  3165. namespace:
  3166. description: |-
  3167. Namespace of the resource being referred to.
  3168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3169. maxLength: 63
  3170. minLength: 1
  3171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3172. type: string
  3173. required:
  3174. - name
  3175. type: object
  3176. tenantId:
  3177. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3178. type: string
  3179. useAzureSDK:
  3180. default: false
  3181. description: |-
  3182. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3183. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3184. type: boolean
  3185. vaultUrl:
  3186. description: Vault Url from which the secrets to be fetched from.
  3187. type: string
  3188. required:
  3189. - vaultUrl
  3190. type: object
  3191. barbican:
  3192. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3193. properties:
  3194. auth:
  3195. description: BarbicanAuth contains the authentication information for Barbican.
  3196. properties:
  3197. password:
  3198. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3199. properties:
  3200. secretRef:
  3201. description: |-
  3202. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3203. In some instances, `key` is a required field.
  3204. properties:
  3205. key:
  3206. description: |-
  3207. A key in the referenced Secret.
  3208. Some instances of this field may be defaulted, in others it may be required.
  3209. maxLength: 253
  3210. minLength: 1
  3211. pattern: ^[-._a-zA-Z0-9]+$
  3212. type: string
  3213. name:
  3214. description: The name of the Secret resource being referred to.
  3215. maxLength: 253
  3216. minLength: 1
  3217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3218. type: string
  3219. namespace:
  3220. description: |-
  3221. The namespace of the Secret resource being referred to.
  3222. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3223. maxLength: 63
  3224. minLength: 1
  3225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3226. type: string
  3227. type: object
  3228. required:
  3229. - secretRef
  3230. type: object
  3231. username:
  3232. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3233. maxProperties: 1
  3234. minProperties: 1
  3235. properties:
  3236. secretRef:
  3237. description: |-
  3238. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3239. In some instances, `key` is a required field.
  3240. properties:
  3241. key:
  3242. description: |-
  3243. A key in the referenced Secret.
  3244. Some instances of this field may be defaulted, in others it may be required.
  3245. maxLength: 253
  3246. minLength: 1
  3247. pattern: ^[-._a-zA-Z0-9]+$
  3248. type: string
  3249. name:
  3250. description: The name of the Secret resource being referred to.
  3251. maxLength: 253
  3252. minLength: 1
  3253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3254. type: string
  3255. namespace:
  3256. description: |-
  3257. The namespace of the Secret resource being referred to.
  3258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3259. maxLength: 63
  3260. minLength: 1
  3261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3262. type: string
  3263. type: object
  3264. value:
  3265. type: string
  3266. type: object
  3267. required:
  3268. - password
  3269. - username
  3270. type: object
  3271. authURL:
  3272. type: string
  3273. domainName:
  3274. type: string
  3275. region:
  3276. type: string
  3277. tenantName:
  3278. type: string
  3279. required:
  3280. - auth
  3281. type: object
  3282. beyondtrust:
  3283. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3284. properties:
  3285. auth:
  3286. description: Auth configures how the operator authenticates with Beyondtrust.
  3287. properties:
  3288. apiKey:
  3289. description: APIKey If not provided then ClientID/ClientSecret become required.
  3290. properties:
  3291. secretRef:
  3292. description: SecretRef references a key in a secret that will be used as value.
  3293. properties:
  3294. key:
  3295. description: |-
  3296. A key in the referenced Secret.
  3297. Some instances of this field may be defaulted, in others it may be required.
  3298. maxLength: 253
  3299. minLength: 1
  3300. pattern: ^[-._a-zA-Z0-9]+$
  3301. type: string
  3302. name:
  3303. description: The name of the Secret resource being referred to.
  3304. maxLength: 253
  3305. minLength: 1
  3306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3307. type: string
  3308. namespace:
  3309. description: |-
  3310. The namespace of the Secret resource being referred to.
  3311. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3312. maxLength: 63
  3313. minLength: 1
  3314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3315. type: string
  3316. type: object
  3317. value:
  3318. description: Value can be specified directly to set a value without using a secret.
  3319. type: string
  3320. type: object
  3321. certificate:
  3322. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3323. properties:
  3324. secretRef:
  3325. description: SecretRef references a key in a secret that will be used as value.
  3326. properties:
  3327. key:
  3328. description: |-
  3329. A key in the referenced Secret.
  3330. Some instances of this field may be defaulted, in others it may be required.
  3331. maxLength: 253
  3332. minLength: 1
  3333. pattern: ^[-._a-zA-Z0-9]+$
  3334. type: string
  3335. name:
  3336. description: The name of the Secret resource being referred to.
  3337. maxLength: 253
  3338. minLength: 1
  3339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3340. type: string
  3341. namespace:
  3342. description: |-
  3343. The namespace of the Secret resource being referred to.
  3344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3345. maxLength: 63
  3346. minLength: 1
  3347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3348. type: string
  3349. type: object
  3350. value:
  3351. description: Value can be specified directly to set a value without using a secret.
  3352. type: string
  3353. type: object
  3354. certificateKey:
  3355. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3356. properties:
  3357. secretRef:
  3358. description: SecretRef references a key in a secret that will be used as value.
  3359. properties:
  3360. key:
  3361. description: |-
  3362. A key in the referenced Secret.
  3363. Some instances of this field may be defaulted, in others it may be required.
  3364. maxLength: 253
  3365. minLength: 1
  3366. pattern: ^[-._a-zA-Z0-9]+$
  3367. type: string
  3368. name:
  3369. description: The name of the Secret resource being referred to.
  3370. maxLength: 253
  3371. minLength: 1
  3372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3373. type: string
  3374. namespace:
  3375. description: |-
  3376. The namespace of the Secret resource being referred to.
  3377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3378. maxLength: 63
  3379. minLength: 1
  3380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3381. type: string
  3382. type: object
  3383. value:
  3384. description: Value can be specified directly to set a value without using a secret.
  3385. type: string
  3386. type: object
  3387. clientId:
  3388. description: ClientID is the API OAuth Client ID.
  3389. properties:
  3390. secretRef:
  3391. description: SecretRef references a key in a secret that will be used as value.
  3392. properties:
  3393. key:
  3394. description: |-
  3395. A key in the referenced Secret.
  3396. Some instances of this field may be defaulted, in others it may be required.
  3397. maxLength: 253
  3398. minLength: 1
  3399. pattern: ^[-._a-zA-Z0-9]+$
  3400. type: string
  3401. name:
  3402. description: The name of the Secret resource being referred to.
  3403. maxLength: 253
  3404. minLength: 1
  3405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3406. type: string
  3407. namespace:
  3408. description: |-
  3409. The namespace of the Secret resource being referred to.
  3410. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3411. maxLength: 63
  3412. minLength: 1
  3413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3414. type: string
  3415. type: object
  3416. value:
  3417. description: Value can be specified directly to set a value without using a secret.
  3418. type: string
  3419. type: object
  3420. clientSecret:
  3421. description: ClientSecret is the API OAuth Client Secret.
  3422. properties:
  3423. secretRef:
  3424. description: SecretRef references a key in a secret that will be used as value.
  3425. properties:
  3426. key:
  3427. description: |-
  3428. A key in the referenced Secret.
  3429. Some instances of this field may be defaulted, in others it may be required.
  3430. maxLength: 253
  3431. minLength: 1
  3432. pattern: ^[-._a-zA-Z0-9]+$
  3433. type: string
  3434. name:
  3435. description: The name of the Secret resource being referred to.
  3436. maxLength: 253
  3437. minLength: 1
  3438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3439. type: string
  3440. namespace:
  3441. description: |-
  3442. The namespace of the Secret resource being referred to.
  3443. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3444. maxLength: 63
  3445. minLength: 1
  3446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3447. type: string
  3448. type: object
  3449. value:
  3450. description: Value can be specified directly to set a value without using a secret.
  3451. type: string
  3452. type: object
  3453. type: object
  3454. server:
  3455. description: Auth configures how API server works.
  3456. properties:
  3457. apiUrl:
  3458. type: string
  3459. apiVersion:
  3460. type: string
  3461. clientTimeOutSeconds:
  3462. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3463. type: integer
  3464. decrypt:
  3465. default: true
  3466. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3467. type: boolean
  3468. retrievalType:
  3469. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3470. type: string
  3471. separator:
  3472. description: A character that separates the folder names.
  3473. type: string
  3474. verifyCA:
  3475. type: boolean
  3476. required:
  3477. - apiUrl
  3478. - verifyCA
  3479. type: object
  3480. required:
  3481. - auth
  3482. - server
  3483. type: object
  3484. beyondtrustworkloadcredentials:
  3485. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3486. properties:
  3487. auth:
  3488. description: |-
  3489. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3490. Currently supports API key authentication via Kubernetes secret reference.
  3491. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3492. properties:
  3493. apikey:
  3494. description: |-
  3495. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3496. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3497. properties:
  3498. token:
  3499. description: |-
  3500. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3501. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3502. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3503. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3504. properties:
  3505. key:
  3506. description: |-
  3507. A key in the referenced Secret.
  3508. Some instances of this field may be defaulted, in others it may be required.
  3509. maxLength: 253
  3510. minLength: 1
  3511. pattern: ^[-._a-zA-Z0-9]+$
  3512. type: string
  3513. name:
  3514. description: The name of the Secret resource being referred to.
  3515. maxLength: 253
  3516. minLength: 1
  3517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3518. type: string
  3519. namespace:
  3520. description: |-
  3521. The namespace of the Secret resource being referred to.
  3522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3523. maxLength: 63
  3524. minLength: 1
  3525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3526. type: string
  3527. type: object
  3528. required:
  3529. - token
  3530. type: object
  3531. required:
  3532. - apikey
  3533. type: object
  3534. caBundle:
  3535. description: |-
  3536. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3537. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3538. If not set, the system's trusted root certificates are used.
  3539. format: byte
  3540. type: string
  3541. caProvider:
  3542. description: |-
  3543. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3544. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3545. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3546. properties:
  3547. key:
  3548. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3549. maxLength: 253
  3550. minLength: 1
  3551. pattern: ^[-._a-zA-Z0-9]+$
  3552. type: string
  3553. name:
  3554. description: The name of the object located at the provider type.
  3555. maxLength: 253
  3556. minLength: 1
  3557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3558. type: string
  3559. namespace:
  3560. description: |-
  3561. The namespace the Provider type is in.
  3562. Can only be defined when used in a ClusterSecretStore.
  3563. maxLength: 63
  3564. minLength: 1
  3565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3566. type: string
  3567. type:
  3568. description: The type of provider to use such as "Secret", or "ConfigMap".
  3569. enum:
  3570. - Secret
  3571. - ConfigMap
  3572. type: string
  3573. required:
  3574. - name
  3575. - type
  3576. type: object
  3577. folderPath:
  3578. description: |-
  3579. FolderPath specifies the default folder path for secret retrieval.
  3580. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3581. Example: "production/database" or "dev/api-keys"
  3582. Leave empty to retrieve secrets from the root folder.
  3583. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3584. type: string
  3585. server:
  3586. description: |-
  3587. Server configures the BeyondTrust Workload Credentials server connection details.
  3588. Includes the API URL and Site ID for your BeyondTrust instance.
  3589. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3590. properties:
  3591. apiUrl:
  3592. description: |-
  3593. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3594. This should be the full URL to your BeyondTrust instance.
  3595. Example: https://api.beyondtrust.io/siie
  3596. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3597. type: string
  3598. siteId:
  3599. description: |-
  3600. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3601. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3602. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3603. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3604. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3605. type: string
  3606. required:
  3607. - apiUrl
  3608. - siteId
  3609. type: object
  3610. required:
  3611. - auth
  3612. - server
  3613. type: object
  3614. bitwardensecretsmanager:
  3615. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3616. properties:
  3617. apiURL:
  3618. type: string
  3619. auth:
  3620. description: |-
  3621. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3622. Make sure that the token being used has permissions on the given secret.
  3623. properties:
  3624. secretRef:
  3625. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3626. properties:
  3627. credentials:
  3628. description: AccessToken used for the bitwarden instance.
  3629. properties:
  3630. key:
  3631. description: |-
  3632. A key in the referenced Secret.
  3633. Some instances of this field may be defaulted, in others it may be required.
  3634. maxLength: 253
  3635. minLength: 1
  3636. pattern: ^[-._a-zA-Z0-9]+$
  3637. type: string
  3638. name:
  3639. description: The name of the Secret resource being referred to.
  3640. maxLength: 253
  3641. minLength: 1
  3642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3643. type: string
  3644. namespace:
  3645. description: |-
  3646. The namespace of the Secret resource being referred to.
  3647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3648. maxLength: 63
  3649. minLength: 1
  3650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3651. type: string
  3652. type: object
  3653. required:
  3654. - credentials
  3655. type: object
  3656. required:
  3657. - secretRef
  3658. type: object
  3659. bitwardenServerSDKURL:
  3660. type: string
  3661. caBundle:
  3662. description: |-
  3663. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3664. can be performed.
  3665. type: string
  3666. caProvider:
  3667. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3668. properties:
  3669. key:
  3670. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3671. maxLength: 253
  3672. minLength: 1
  3673. pattern: ^[-._a-zA-Z0-9]+$
  3674. type: string
  3675. name:
  3676. description: The name of the object located at the provider type.
  3677. maxLength: 253
  3678. minLength: 1
  3679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3680. type: string
  3681. namespace:
  3682. description: |-
  3683. The namespace the Provider type is in.
  3684. Can only be defined when used in a ClusterSecretStore.
  3685. maxLength: 63
  3686. minLength: 1
  3687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3688. type: string
  3689. type:
  3690. description: The type of provider to use such as "Secret", or "ConfigMap".
  3691. enum:
  3692. - Secret
  3693. - ConfigMap
  3694. type: string
  3695. required:
  3696. - name
  3697. - type
  3698. type: object
  3699. identityURL:
  3700. type: string
  3701. organizationID:
  3702. description: OrganizationID determines which organization this secret store manages.
  3703. type: string
  3704. projectID:
  3705. description: ProjectID determines which project this secret store manages.
  3706. type: string
  3707. required:
  3708. - auth
  3709. - organizationID
  3710. - projectID
  3711. type: object
  3712. chef:
  3713. description: Chef configures this store to sync secrets with chef server
  3714. properties:
  3715. auth:
  3716. description: Auth defines the information necessary to authenticate against chef Server
  3717. properties:
  3718. secretRef:
  3719. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3720. properties:
  3721. privateKeySecretRef:
  3722. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3723. properties:
  3724. key:
  3725. description: |-
  3726. A key in the referenced Secret.
  3727. Some instances of this field may be defaulted, in others it may be required.
  3728. maxLength: 253
  3729. minLength: 1
  3730. pattern: ^[-._a-zA-Z0-9]+$
  3731. type: string
  3732. name:
  3733. description: The name of the Secret resource being referred to.
  3734. maxLength: 253
  3735. minLength: 1
  3736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3737. type: string
  3738. namespace:
  3739. description: |-
  3740. The namespace of the Secret resource being referred to.
  3741. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3742. maxLength: 63
  3743. minLength: 1
  3744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3745. type: string
  3746. type: object
  3747. required:
  3748. - privateKeySecretRef
  3749. type: object
  3750. required:
  3751. - secretRef
  3752. type: object
  3753. serverUrl:
  3754. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3755. type: string
  3756. username:
  3757. description: UserName should be the user ID on the chef server
  3758. type: string
  3759. required:
  3760. - auth
  3761. - serverUrl
  3762. - username
  3763. type: object
  3764. cloudrusm:
  3765. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3766. properties:
  3767. auth:
  3768. description: CSMAuth contains a secretRef for credentials.
  3769. properties:
  3770. secretRef:
  3771. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3772. properties:
  3773. accessKeyIDSecretRef:
  3774. description: The AccessKeyID is used for authentication
  3775. properties:
  3776. key:
  3777. description: |-
  3778. A key in the referenced Secret.
  3779. Some instances of this field may be defaulted, in others it may be required.
  3780. maxLength: 253
  3781. minLength: 1
  3782. pattern: ^[-._a-zA-Z0-9]+$
  3783. type: string
  3784. name:
  3785. description: The name of the Secret resource being referred to.
  3786. maxLength: 253
  3787. minLength: 1
  3788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3789. type: string
  3790. namespace:
  3791. description: |-
  3792. The namespace of the Secret resource being referred to.
  3793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3794. maxLength: 63
  3795. minLength: 1
  3796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3797. type: string
  3798. type: object
  3799. accessKeySecretSecretRef:
  3800. description: The AccessKeySecret is used for authentication
  3801. properties:
  3802. key:
  3803. description: |-
  3804. A key in the referenced Secret.
  3805. Some instances of this field may be defaulted, in others it may be required.
  3806. maxLength: 253
  3807. minLength: 1
  3808. pattern: ^[-._a-zA-Z0-9]+$
  3809. type: string
  3810. name:
  3811. description: The name of the Secret resource being referred to.
  3812. maxLength: 253
  3813. minLength: 1
  3814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3815. type: string
  3816. namespace:
  3817. description: |-
  3818. The namespace of the Secret resource being referred to.
  3819. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3820. maxLength: 63
  3821. minLength: 1
  3822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3823. type: string
  3824. type: object
  3825. required:
  3826. - accessKeyIDSecretRef
  3827. - accessKeySecretSecretRef
  3828. type: object
  3829. type: object
  3830. projectID:
  3831. description: ProjectID is the project, which the secrets are stored in.
  3832. type: string
  3833. required:
  3834. - auth
  3835. type: object
  3836. conjur:
  3837. description: Conjur configures this store to sync secrets using conjur provider
  3838. properties:
  3839. auth:
  3840. description: Defines authentication settings for connecting to Conjur.
  3841. properties:
  3842. apikey:
  3843. description: Authenticates with Conjur using an API key.
  3844. properties:
  3845. account:
  3846. description: Account is the Conjur organization account name.
  3847. type: string
  3848. apiKeyRef:
  3849. description: |-
  3850. A reference to a specific 'key' containing the Conjur API key
  3851. within a Secret resource. In some instances, `key` is a required field.
  3852. properties:
  3853. key:
  3854. description: |-
  3855. A key in the referenced Secret.
  3856. Some instances of this field may be defaulted, in others it may be required.
  3857. maxLength: 253
  3858. minLength: 1
  3859. pattern: ^[-._a-zA-Z0-9]+$
  3860. type: string
  3861. name:
  3862. description: The name of the Secret resource being referred to.
  3863. maxLength: 253
  3864. minLength: 1
  3865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3866. type: string
  3867. namespace:
  3868. description: |-
  3869. The namespace of the Secret resource being referred to.
  3870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3871. maxLength: 63
  3872. minLength: 1
  3873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3874. type: string
  3875. type: object
  3876. userRef:
  3877. description: |-
  3878. A reference to a specific 'key' containing the Conjur username
  3879. within a Secret resource. In some instances, `key` is a required field.
  3880. properties:
  3881. key:
  3882. description: |-
  3883. A key in the referenced Secret.
  3884. Some instances of this field may be defaulted, in others it may be required.
  3885. maxLength: 253
  3886. minLength: 1
  3887. pattern: ^[-._a-zA-Z0-9]+$
  3888. type: string
  3889. name:
  3890. description: The name of the Secret resource being referred to.
  3891. maxLength: 253
  3892. minLength: 1
  3893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3894. type: string
  3895. namespace:
  3896. description: |-
  3897. The namespace of the Secret resource being referred to.
  3898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3899. maxLength: 63
  3900. minLength: 1
  3901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3902. type: string
  3903. type: object
  3904. required:
  3905. - account
  3906. - apiKeyRef
  3907. - userRef
  3908. type: object
  3909. jwt:
  3910. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3911. properties:
  3912. account:
  3913. description: Account is the Conjur organization account name.
  3914. type: string
  3915. hostId:
  3916. description: |-
  3917. Optional HostID for JWT authentication. This may be used depending
  3918. on how the Conjur JWT authenticator policy is configured.
  3919. type: string
  3920. secretRef:
  3921. description: |-
  3922. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3923. authenticate with Conjur using the JWT authentication method.
  3924. properties:
  3925. key:
  3926. description: |-
  3927. A key in the referenced Secret.
  3928. Some instances of this field may be defaulted, in others it may be required.
  3929. maxLength: 253
  3930. minLength: 1
  3931. pattern: ^[-._a-zA-Z0-9]+$
  3932. type: string
  3933. name:
  3934. description: The name of the Secret resource being referred to.
  3935. maxLength: 253
  3936. minLength: 1
  3937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3938. type: string
  3939. namespace:
  3940. description: |-
  3941. The namespace of the Secret resource being referred to.
  3942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3943. maxLength: 63
  3944. minLength: 1
  3945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3946. type: string
  3947. type: object
  3948. serviceAccountRef:
  3949. description: |-
  3950. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3951. a token for with the `TokenRequest` API.
  3952. properties:
  3953. audiences:
  3954. description: |-
  3955. Audience specifies the `aud` claim for the service account token
  3956. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3957. then this audiences will be appended to the list
  3958. items:
  3959. type: string
  3960. type: array
  3961. name:
  3962. description: The name of the ServiceAccount resource being referred to.
  3963. maxLength: 253
  3964. minLength: 1
  3965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3966. type: string
  3967. namespace:
  3968. description: |-
  3969. Namespace of the resource being referred to.
  3970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3971. maxLength: 63
  3972. minLength: 1
  3973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3974. type: string
  3975. required:
  3976. - name
  3977. type: object
  3978. serviceID:
  3979. description: The conjur authn jwt webservice id
  3980. type: string
  3981. required:
  3982. - account
  3983. - serviceID
  3984. type: object
  3985. type: object
  3986. caBundle:
  3987. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3988. type: string
  3989. caProvider:
  3990. description: |-
  3991. Used to provide custom certificate authority (CA) certificates
  3992. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3993. that contains a PEM-encoded certificate.
  3994. properties:
  3995. key:
  3996. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3997. maxLength: 253
  3998. minLength: 1
  3999. pattern: ^[-._a-zA-Z0-9]+$
  4000. type: string
  4001. name:
  4002. description: The name of the object located at the provider type.
  4003. maxLength: 253
  4004. minLength: 1
  4005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4006. type: string
  4007. namespace:
  4008. description: |-
  4009. The namespace the Provider type is in.
  4010. Can only be defined when used in a ClusterSecretStore.
  4011. maxLength: 63
  4012. minLength: 1
  4013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4014. type: string
  4015. type:
  4016. description: The type of provider to use such as "Secret", or "ConfigMap".
  4017. enum:
  4018. - Secret
  4019. - ConfigMap
  4020. type: string
  4021. required:
  4022. - name
  4023. - type
  4024. type: object
  4025. url:
  4026. description: URL is the endpoint of the Conjur instance.
  4027. type: string
  4028. required:
  4029. - auth
  4030. - url
  4031. type: object
  4032. delinea:
  4033. description: |-
  4034. Delinea DevOps Secrets Vault
  4035. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  4036. properties:
  4037. clientId:
  4038. description: ClientID is the non-secret part of the credential.
  4039. properties:
  4040. secretRef:
  4041. description: SecretRef references a key in a secret that will be used as value.
  4042. properties:
  4043. key:
  4044. description: |-
  4045. A key in the referenced Secret.
  4046. Some instances of this field may be defaulted, in others it may be required.
  4047. maxLength: 253
  4048. minLength: 1
  4049. pattern: ^[-._a-zA-Z0-9]+$
  4050. type: string
  4051. name:
  4052. description: The name of the Secret resource being referred to.
  4053. maxLength: 253
  4054. minLength: 1
  4055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4056. type: string
  4057. namespace:
  4058. description: |-
  4059. The namespace of the Secret resource being referred to.
  4060. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4061. maxLength: 63
  4062. minLength: 1
  4063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4064. type: string
  4065. type: object
  4066. value:
  4067. description: Value can be specified directly to set a value without using a secret.
  4068. type: string
  4069. type: object
  4070. clientSecret:
  4071. description: ClientSecret is the secret part of the credential.
  4072. properties:
  4073. secretRef:
  4074. description: SecretRef references a key in a secret that will be used as value.
  4075. properties:
  4076. key:
  4077. description: |-
  4078. A key in the referenced Secret.
  4079. Some instances of this field may be defaulted, in others it may be required.
  4080. maxLength: 253
  4081. minLength: 1
  4082. pattern: ^[-._a-zA-Z0-9]+$
  4083. type: string
  4084. name:
  4085. description: The name of the Secret resource being referred to.
  4086. maxLength: 253
  4087. minLength: 1
  4088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4089. type: string
  4090. namespace:
  4091. description: |-
  4092. The namespace of the Secret resource being referred to.
  4093. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4094. maxLength: 63
  4095. minLength: 1
  4096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4097. type: string
  4098. type: object
  4099. value:
  4100. description: Value can be specified directly to set a value without using a secret.
  4101. type: string
  4102. type: object
  4103. tenant:
  4104. description: Tenant is the chosen hostname / site name.
  4105. type: string
  4106. tld:
  4107. description: |-
  4108. TLD is based on the server location that was chosen during provisioning.
  4109. If unset, defaults to "com".
  4110. type: string
  4111. urlTemplate:
  4112. description: |-
  4113. URLTemplate
  4114. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  4115. type: string
  4116. required:
  4117. - clientId
  4118. - clientSecret
  4119. - tenant
  4120. type: object
  4121. doppler:
  4122. description: Doppler configures this store to sync secrets using the Doppler provider
  4123. properties:
  4124. auth:
  4125. description: Auth configures how the Operator authenticates with the Doppler API
  4126. properties:
  4127. oidcConfig:
  4128. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  4129. properties:
  4130. expirationSeconds:
  4131. default: 600
  4132. description: |-
  4133. ExpirationSeconds sets the ServiceAccount token validity duration.
  4134. Defaults to 10 minutes.
  4135. format: int64
  4136. type: integer
  4137. identity:
  4138. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  4139. type: string
  4140. serviceAccountRef:
  4141. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  4142. properties:
  4143. audiences:
  4144. description: |-
  4145. Audience specifies the `aud` claim for the service account token
  4146. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4147. then this audiences will be appended to the list
  4148. items:
  4149. type: string
  4150. type: array
  4151. name:
  4152. description: The name of the ServiceAccount resource being referred to.
  4153. maxLength: 253
  4154. minLength: 1
  4155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4156. type: string
  4157. namespace:
  4158. description: |-
  4159. Namespace of the resource being referred to.
  4160. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4161. maxLength: 63
  4162. minLength: 1
  4163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4164. type: string
  4165. required:
  4166. - name
  4167. type: object
  4168. required:
  4169. - identity
  4170. - serviceAccountRef
  4171. type: object
  4172. secretRef:
  4173. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4174. properties:
  4175. dopplerToken:
  4176. description: |-
  4177. The DopplerToken is used for authentication.
  4178. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4179. The Key attribute defaults to dopplerToken if not specified.
  4180. properties:
  4181. key:
  4182. description: |-
  4183. A key in the referenced Secret.
  4184. Some instances of this field may be defaulted, in others it may be required.
  4185. maxLength: 253
  4186. minLength: 1
  4187. pattern: ^[-._a-zA-Z0-9]+$
  4188. type: string
  4189. name:
  4190. description: The name of the Secret resource being referred to.
  4191. maxLength: 253
  4192. minLength: 1
  4193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4194. type: string
  4195. namespace:
  4196. description: |-
  4197. The namespace of the Secret resource being referred to.
  4198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4199. maxLength: 63
  4200. minLength: 1
  4201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4202. type: string
  4203. type: object
  4204. required:
  4205. - dopplerToken
  4206. type: object
  4207. type: object
  4208. x-kubernetes-validations:
  4209. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4210. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4211. config:
  4212. description: Doppler config (required if not using a Service Token)
  4213. type: string
  4214. format:
  4215. description: Format enables the downloading of secrets as a file (string)
  4216. enum:
  4217. - json
  4218. - dotnet-json
  4219. - env
  4220. - yaml
  4221. - docker
  4222. type: string
  4223. nameTransformer:
  4224. description: Environment variable compatible name transforms that change secret names to a different format
  4225. enum:
  4226. - upper-camel
  4227. - camel
  4228. - lower-snake
  4229. - tf-var
  4230. - dotnet-env
  4231. - lower-kebab
  4232. type: string
  4233. project:
  4234. description: Doppler project (required if not using a Service Token)
  4235. type: string
  4236. required:
  4237. - auth
  4238. type: object
  4239. dvls:
  4240. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4241. properties:
  4242. auth:
  4243. description: Auth defines the authentication method to use.
  4244. properties:
  4245. secretRef:
  4246. description: SecretRef contains the Application ID and Application Secret for authentication.
  4247. properties:
  4248. appId:
  4249. description: AppID is the reference to the secret containing the Application ID.
  4250. properties:
  4251. key:
  4252. description: |-
  4253. A key in the referenced Secret.
  4254. Some instances of this field may be defaulted, in others it may be required.
  4255. maxLength: 253
  4256. minLength: 1
  4257. pattern: ^[-._a-zA-Z0-9]+$
  4258. type: string
  4259. name:
  4260. description: The name of the Secret resource being referred to.
  4261. maxLength: 253
  4262. minLength: 1
  4263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4264. type: string
  4265. namespace:
  4266. description: |-
  4267. The namespace of the Secret resource being referred to.
  4268. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4269. maxLength: 63
  4270. minLength: 1
  4271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4272. type: string
  4273. type: object
  4274. appSecret:
  4275. description: AppSecret is the reference to the secret containing the Application Secret.
  4276. properties:
  4277. key:
  4278. description: |-
  4279. A key in the referenced Secret.
  4280. Some instances of this field may be defaulted, in others it may be required.
  4281. maxLength: 253
  4282. minLength: 1
  4283. pattern: ^[-._a-zA-Z0-9]+$
  4284. type: string
  4285. name:
  4286. description: The name of the Secret resource being referred to.
  4287. maxLength: 253
  4288. minLength: 1
  4289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4290. type: string
  4291. namespace:
  4292. description: |-
  4293. The namespace of the Secret resource being referred to.
  4294. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4295. maxLength: 63
  4296. minLength: 1
  4297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4298. type: string
  4299. type: object
  4300. required:
  4301. - appId
  4302. - appSecret
  4303. type: object
  4304. required:
  4305. - secretRef
  4306. type: object
  4307. insecure:
  4308. description: |-
  4309. Insecure allows connecting to DVLS over plain HTTP.
  4310. This is NOT RECOMMENDED for production use.
  4311. Set to true only if you understand the security implications.
  4312. type: boolean
  4313. serverUrl:
  4314. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4315. type: string
  4316. vault:
  4317. description: |-
  4318. Vault is the name or UUID of the vault to fetch secrets from.
  4319. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4320. type: string
  4321. required:
  4322. - auth
  4323. - serverUrl
  4324. type: object
  4325. fake:
  4326. description: Fake configures a store with static key/value pairs
  4327. properties:
  4328. data:
  4329. items:
  4330. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4331. properties:
  4332. key:
  4333. type: string
  4334. value:
  4335. type: string
  4336. version:
  4337. type: string
  4338. required:
  4339. - key
  4340. - value
  4341. type: object
  4342. type: array
  4343. validationResult:
  4344. description: ValidationResult is defined type for the number of validation results.
  4345. type: integer
  4346. required:
  4347. - data
  4348. type: object
  4349. fortanix:
  4350. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4351. properties:
  4352. apiKey:
  4353. description: APIKey is the API token to access SDKMS Applications.
  4354. properties:
  4355. secretRef:
  4356. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4357. properties:
  4358. key:
  4359. description: |-
  4360. A key in the referenced Secret.
  4361. Some instances of this field may be defaulted, in others it may be required.
  4362. maxLength: 253
  4363. minLength: 1
  4364. pattern: ^[-._a-zA-Z0-9]+$
  4365. type: string
  4366. name:
  4367. description: The name of the Secret resource being referred to.
  4368. maxLength: 253
  4369. minLength: 1
  4370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4371. type: string
  4372. namespace:
  4373. description: |-
  4374. The namespace of the Secret resource being referred to.
  4375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4376. maxLength: 63
  4377. minLength: 1
  4378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4379. type: string
  4380. type: object
  4381. type: object
  4382. apiUrl:
  4383. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4384. type: string
  4385. type: object
  4386. gcpsm:
  4387. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4388. properties:
  4389. auth:
  4390. description: Auth defines the information necessary to authenticate against GCP
  4391. properties:
  4392. secretRef:
  4393. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4394. properties:
  4395. secretAccessKeySecretRef:
  4396. description: The SecretAccessKey is used for authentication
  4397. properties:
  4398. key:
  4399. description: |-
  4400. A key in the referenced Secret.
  4401. Some instances of this field may be defaulted, in others it may be required.
  4402. maxLength: 253
  4403. minLength: 1
  4404. pattern: ^[-._a-zA-Z0-9]+$
  4405. type: string
  4406. name:
  4407. description: The name of the Secret resource being referred to.
  4408. maxLength: 253
  4409. minLength: 1
  4410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4411. type: string
  4412. namespace:
  4413. description: |-
  4414. The namespace of the Secret resource being referred to.
  4415. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4416. maxLength: 63
  4417. minLength: 1
  4418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4419. type: string
  4420. type: object
  4421. type: object
  4422. workloadIdentity:
  4423. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4424. properties:
  4425. clusterLocation:
  4426. description: |-
  4427. ClusterLocation is the location of the cluster
  4428. If not specified, it fetches information from the metadata server
  4429. type: string
  4430. clusterName:
  4431. description: |-
  4432. ClusterName is the name of the cluster
  4433. If not specified, it fetches information from the metadata server
  4434. type: string
  4435. clusterProjectID:
  4436. description: |-
  4437. ClusterProjectID is the project ID of the cluster
  4438. If not specified, it fetches information from the metadata server
  4439. type: string
  4440. serviceAccountRef:
  4441. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4442. properties:
  4443. audiences:
  4444. description: |-
  4445. Audience specifies the `aud` claim for the service account token
  4446. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4447. then this audiences will be appended to the list
  4448. items:
  4449. type: string
  4450. type: array
  4451. name:
  4452. description: The name of the ServiceAccount resource being referred to.
  4453. maxLength: 253
  4454. minLength: 1
  4455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4456. type: string
  4457. namespace:
  4458. description: |-
  4459. Namespace of the resource being referred to.
  4460. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4461. maxLength: 63
  4462. minLength: 1
  4463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4464. type: string
  4465. required:
  4466. - name
  4467. type: object
  4468. required:
  4469. - serviceAccountRef
  4470. type: object
  4471. workloadIdentityFederation:
  4472. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4473. properties:
  4474. audience:
  4475. description: |-
  4476. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4477. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4478. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4479. type: string
  4480. awsSecurityCredentials:
  4481. description: |-
  4482. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4483. when using the AWS metadata server is not an option.
  4484. properties:
  4485. awsCredentialsSecretRef:
  4486. description: |-
  4487. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4488. Secret should be created with below names for keys
  4489. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4490. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4491. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4492. properties:
  4493. name:
  4494. description: name of the secret.
  4495. maxLength: 253
  4496. minLength: 1
  4497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4498. type: string
  4499. namespace:
  4500. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  4501. maxLength: 63
  4502. minLength: 1
  4503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4504. type: string
  4505. required:
  4506. - name
  4507. type: object
  4508. region:
  4509. description: region is for configuring the AWS region to be used.
  4510. example: ap-south-1
  4511. maxLength: 50
  4512. minLength: 1
  4513. pattern: ^[a-z0-9-]+$
  4514. type: string
  4515. required:
  4516. - awsCredentialsSecretRef
  4517. - region
  4518. type: object
  4519. credConfig:
  4520. description: |-
  4521. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4522. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  4523. serviceAccountRef must be used by providing operators service account details.
  4524. properties:
  4525. key:
  4526. description: key name holding the external account credential config.
  4527. maxLength: 253
  4528. minLength: 1
  4529. pattern: ^[-._a-zA-Z0-9]+$
  4530. type: string
  4531. name:
  4532. description: name of the configmap.
  4533. maxLength: 253
  4534. minLength: 1
  4535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4536. type: string
  4537. namespace:
  4538. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  4539. maxLength: 63
  4540. minLength: 1
  4541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4542. type: string
  4543. required:
  4544. - key
  4545. - name
  4546. type: object
  4547. externalTokenEndpoint:
  4548. description: |-
  4549. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4550. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  4551. URL is having the expected value.
  4552. type: string
  4553. gcpServiceAccountEmail:
  4554. description: |-
  4555. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4556. after Workload Identity Federation. Use this to grant access through the service account's
  4557. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4558. service_account_impersonation_url in the external account JSON from credConfig;
  4559. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4560. on that ServiceAccount.
  4561. example: my-gsa@my-project.iam.gserviceaccount.com
  4562. minLength: 1
  4563. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4564. type: string
  4565. serviceAccountRef:
  4566. description: |-
  4567. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4568. when Kubernetes is configured as provider in workload identity pool.
  4569. properties:
  4570. audiences:
  4571. description: |-
  4572. Audience specifies the `aud` claim for the service account token
  4573. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4574. then this audiences will be appended to the list
  4575. items:
  4576. type: string
  4577. type: array
  4578. name:
  4579. description: The name of the ServiceAccount resource being referred to.
  4580. maxLength: 253
  4581. minLength: 1
  4582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4583. type: string
  4584. namespace:
  4585. description: |-
  4586. Namespace of the resource being referred to.
  4587. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4588. maxLength: 63
  4589. minLength: 1
  4590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4591. type: string
  4592. required:
  4593. - name
  4594. type: object
  4595. type: object
  4596. type: object
  4597. location:
  4598. description: Location optionally defines a location for a secret
  4599. type: string
  4600. projectID:
  4601. description: ProjectID project where secret is located
  4602. type: string
  4603. secretVersionSelectionPolicy:
  4604. default: LatestOrFail
  4605. description: |-
  4606. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4607. when "latest" is disabled or destroyed.
  4608. Possible values are:
  4609. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4610. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4611. type: string
  4612. type: object
  4613. github:
  4614. description: |-
  4615. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4616. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4617. properties:
  4618. appID:
  4619. description: appID specifies the Github APP that will be used to authenticate the client
  4620. type: integer
  4621. auth:
  4622. description: auth configures how secret-manager authenticates with a Github instance.
  4623. properties:
  4624. privateKey:
  4625. description: |-
  4626. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4627. In some instances, `key` is a required field.
  4628. properties:
  4629. key:
  4630. description: |-
  4631. A key in the referenced Secret.
  4632. Some instances of this field may be defaulted, in others it may be required.
  4633. maxLength: 253
  4634. minLength: 1
  4635. pattern: ^[-._a-zA-Z0-9]+$
  4636. type: string
  4637. name:
  4638. description: The name of the Secret resource being referred to.
  4639. maxLength: 253
  4640. minLength: 1
  4641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4642. type: string
  4643. namespace:
  4644. description: |-
  4645. The namespace of the Secret resource being referred to.
  4646. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4647. maxLength: 63
  4648. minLength: 1
  4649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4650. type: string
  4651. type: object
  4652. required:
  4653. - privateKey
  4654. type: object
  4655. environment:
  4656. description: environment will be used to fetch secrets from a particular environment within a github repository
  4657. type: string
  4658. installationID:
  4659. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4660. type: integer
  4661. orgSecretVisibility:
  4662. description: |-
  4663. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4664. Valid values are "all" or "private".
  4665. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4666. whatever visibility they already have in GitHub.
  4667. enum:
  4668. - all
  4669. - private
  4670. type: string
  4671. organization:
  4672. description: organization will be used to fetch secrets from the Github organization
  4673. type: string
  4674. repository:
  4675. description: repository will be used to fetch secrets from the Github repository within an organization
  4676. type: string
  4677. uploadURL:
  4678. description: Upload URL for enterprise instances. Default to URL.
  4679. type: string
  4680. url:
  4681. default: https://github.com/
  4682. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4683. type: string
  4684. required:
  4685. - appID
  4686. - auth
  4687. - installationID
  4688. - organization
  4689. type: object
  4690. gitlab:
  4691. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4692. properties:
  4693. auth:
  4694. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4695. properties:
  4696. SecretRef:
  4697. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4698. properties:
  4699. accessToken:
  4700. description: AccessToken is used for authentication.
  4701. properties:
  4702. key:
  4703. description: |-
  4704. A key in the referenced Secret.
  4705. Some instances of this field may be defaulted, in others it may be required.
  4706. maxLength: 253
  4707. minLength: 1
  4708. pattern: ^[-._a-zA-Z0-9]+$
  4709. type: string
  4710. name:
  4711. description: The name of the Secret resource being referred to.
  4712. maxLength: 253
  4713. minLength: 1
  4714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4715. type: string
  4716. namespace:
  4717. description: |-
  4718. The namespace of the Secret resource being referred to.
  4719. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4720. maxLength: 63
  4721. minLength: 1
  4722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4723. type: string
  4724. type: object
  4725. type: object
  4726. required:
  4727. - SecretRef
  4728. type: object
  4729. caBundle:
  4730. description: |-
  4731. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  4732. can be performed.
  4733. format: byte
  4734. type: string
  4735. caProvider:
  4736. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4737. properties:
  4738. key:
  4739. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4740. maxLength: 253
  4741. minLength: 1
  4742. pattern: ^[-._a-zA-Z0-9]+$
  4743. type: string
  4744. name:
  4745. description: The name of the object located at the provider type.
  4746. maxLength: 253
  4747. minLength: 1
  4748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4749. type: string
  4750. namespace:
  4751. description: |-
  4752. The namespace the Provider type is in.
  4753. Can only be defined when used in a ClusterSecretStore.
  4754. maxLength: 63
  4755. minLength: 1
  4756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4757. type: string
  4758. type:
  4759. description: The type of provider to use such as "Secret", or "ConfigMap".
  4760. enum:
  4761. - Secret
  4762. - ConfigMap
  4763. type: string
  4764. required:
  4765. - name
  4766. - type
  4767. type: object
  4768. environment:
  4769. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4770. type: string
  4771. groupIDs:
  4772. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  4773. items:
  4774. type: string
  4775. type: array
  4776. inheritFromGroups:
  4777. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4778. type: boolean
  4779. projectID:
  4780. description: ProjectID specifies a project where secrets are located.
  4781. type: string
  4782. url:
  4783. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4784. type: string
  4785. required:
  4786. - auth
  4787. type: object
  4788. ibm:
  4789. description: IBM configures this store to sync secrets using IBM Cloud provider
  4790. properties:
  4791. auth:
  4792. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4793. maxProperties: 1
  4794. minProperties: 1
  4795. properties:
  4796. containerAuth:
  4797. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4798. properties:
  4799. iamEndpoint:
  4800. type: string
  4801. profile:
  4802. description: the IBM Trusted Profile
  4803. type: string
  4804. tokenLocation:
  4805. description: Location the token is mounted on the pod
  4806. type: string
  4807. required:
  4808. - profile
  4809. type: object
  4810. secretRef:
  4811. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4812. properties:
  4813. iamEndpoint:
  4814. description: The IAM endpoint used to obain a token
  4815. type: string
  4816. secretApiKeySecretRef:
  4817. description: The SecretAccessKey is used for authentication
  4818. properties:
  4819. key:
  4820. description: |-
  4821. A key in the referenced Secret.
  4822. Some instances of this field may be defaulted, in others it may be required.
  4823. maxLength: 253
  4824. minLength: 1
  4825. pattern: ^[-._a-zA-Z0-9]+$
  4826. type: string
  4827. name:
  4828. description: The name of the Secret resource being referred to.
  4829. maxLength: 253
  4830. minLength: 1
  4831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4832. type: string
  4833. namespace:
  4834. description: |-
  4835. The namespace of the Secret resource being referred to.
  4836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4837. maxLength: 63
  4838. minLength: 1
  4839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4840. type: string
  4841. type: object
  4842. type: object
  4843. type: object
  4844. serviceUrl:
  4845. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4846. type: string
  4847. required:
  4848. - auth
  4849. type: object
  4850. infisical:
  4851. description: Infisical configures this store to sync secrets using the Infisical provider
  4852. properties:
  4853. auth:
  4854. description: Auth configures how the Operator authenticates with the Infisical API
  4855. properties:
  4856. awsAuthCredentials:
  4857. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4858. properties:
  4859. identityId:
  4860. description: |-
  4861. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4862. In some instances, `key` is a required field.
  4863. properties:
  4864. key:
  4865. description: |-
  4866. A key in the referenced Secret.
  4867. Some instances of this field may be defaulted, in others it may be required.
  4868. maxLength: 253
  4869. minLength: 1
  4870. pattern: ^[-._a-zA-Z0-9]+$
  4871. type: string
  4872. name:
  4873. description: The name of the Secret resource being referred to.
  4874. maxLength: 253
  4875. minLength: 1
  4876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4877. type: string
  4878. namespace:
  4879. description: |-
  4880. The namespace of the Secret resource being referred to.
  4881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4882. maxLength: 63
  4883. minLength: 1
  4884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4885. type: string
  4886. type: object
  4887. required:
  4888. - identityId
  4889. type: object
  4890. azureAuthCredentials:
  4891. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4892. properties:
  4893. identityId:
  4894. description: |-
  4895. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4896. In some instances, `key` is a required field.
  4897. properties:
  4898. key:
  4899. description: |-
  4900. A key in the referenced Secret.
  4901. Some instances of this field may be defaulted, in others it may be required.
  4902. maxLength: 253
  4903. minLength: 1
  4904. pattern: ^[-._a-zA-Z0-9]+$
  4905. type: string
  4906. name:
  4907. description: The name of the Secret resource being referred to.
  4908. maxLength: 253
  4909. minLength: 1
  4910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4911. type: string
  4912. namespace:
  4913. description: |-
  4914. The namespace of the Secret resource being referred to.
  4915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4916. maxLength: 63
  4917. minLength: 1
  4918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4919. type: string
  4920. type: object
  4921. resource:
  4922. description: |-
  4923. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4924. In some instances, `key` is a required field.
  4925. properties:
  4926. key:
  4927. description: |-
  4928. A key in the referenced Secret.
  4929. Some instances of this field may be defaulted, in others it may be required.
  4930. maxLength: 253
  4931. minLength: 1
  4932. pattern: ^[-._a-zA-Z0-9]+$
  4933. type: string
  4934. name:
  4935. description: The name of the Secret resource being referred to.
  4936. maxLength: 253
  4937. minLength: 1
  4938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4939. type: string
  4940. namespace:
  4941. description: |-
  4942. The namespace of the Secret resource being referred to.
  4943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4944. maxLength: 63
  4945. minLength: 1
  4946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4947. type: string
  4948. type: object
  4949. required:
  4950. - identityId
  4951. type: object
  4952. gcpIamAuthCredentials:
  4953. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4954. properties:
  4955. identityId:
  4956. description: |-
  4957. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4958. In some instances, `key` is a required field.
  4959. properties:
  4960. key:
  4961. description: |-
  4962. A key in the referenced Secret.
  4963. Some instances of this field may be defaulted, in others it may be required.
  4964. maxLength: 253
  4965. minLength: 1
  4966. pattern: ^[-._a-zA-Z0-9]+$
  4967. type: string
  4968. name:
  4969. description: The name of the Secret resource being referred to.
  4970. maxLength: 253
  4971. minLength: 1
  4972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4973. type: string
  4974. namespace:
  4975. description: |-
  4976. The namespace of the Secret resource being referred to.
  4977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4978. maxLength: 63
  4979. minLength: 1
  4980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4981. type: string
  4982. type: object
  4983. serviceAccountKeyFilePath:
  4984. description: |-
  4985. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4986. In some instances, `key` is a required field.
  4987. properties:
  4988. key:
  4989. description: |-
  4990. A key in the referenced Secret.
  4991. Some instances of this field may be defaulted, in others it may be required.
  4992. maxLength: 253
  4993. minLength: 1
  4994. pattern: ^[-._a-zA-Z0-9]+$
  4995. type: string
  4996. name:
  4997. description: The name of the Secret resource being referred to.
  4998. maxLength: 253
  4999. minLength: 1
  5000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5001. type: string
  5002. namespace:
  5003. description: |-
  5004. The namespace of the Secret resource being referred to.
  5005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5006. maxLength: 63
  5007. minLength: 1
  5008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5009. type: string
  5010. type: object
  5011. required:
  5012. - identityId
  5013. - serviceAccountKeyFilePath
  5014. type: object
  5015. gcpIdTokenAuthCredentials:
  5016. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  5017. properties:
  5018. identityId:
  5019. description: |-
  5020. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5021. In some instances, `key` is a required field.
  5022. properties:
  5023. key:
  5024. description: |-
  5025. A key in the referenced Secret.
  5026. Some instances of this field may be defaulted, in others it may be required.
  5027. maxLength: 253
  5028. minLength: 1
  5029. pattern: ^[-._a-zA-Z0-9]+$
  5030. type: string
  5031. name:
  5032. description: The name of the Secret resource being referred to.
  5033. maxLength: 253
  5034. minLength: 1
  5035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5036. type: string
  5037. namespace:
  5038. description: |-
  5039. The namespace of the Secret resource being referred to.
  5040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5041. maxLength: 63
  5042. minLength: 1
  5043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5044. type: string
  5045. type: object
  5046. required:
  5047. - identityId
  5048. type: object
  5049. jwtAuthCredentials:
  5050. description: JwtAuthCredentials represents the credentials for JWT authentication.
  5051. properties:
  5052. identityId:
  5053. description: |-
  5054. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5055. In some instances, `key` is a required field.
  5056. properties:
  5057. key:
  5058. description: |-
  5059. A key in the referenced Secret.
  5060. Some instances of this field may be defaulted, in others it may be required.
  5061. maxLength: 253
  5062. minLength: 1
  5063. pattern: ^[-._a-zA-Z0-9]+$
  5064. type: string
  5065. name:
  5066. description: The name of the Secret resource being referred to.
  5067. maxLength: 253
  5068. minLength: 1
  5069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5070. type: string
  5071. namespace:
  5072. description: |-
  5073. The namespace of the Secret resource being referred to.
  5074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5075. maxLength: 63
  5076. minLength: 1
  5077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5078. type: string
  5079. type: object
  5080. jwt:
  5081. description: |-
  5082. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5083. In some instances, `key` is a required field.
  5084. properties:
  5085. key:
  5086. description: |-
  5087. A key in the referenced Secret.
  5088. Some instances of this field may be defaulted, in others it may be required.
  5089. maxLength: 253
  5090. minLength: 1
  5091. pattern: ^[-._a-zA-Z0-9]+$
  5092. type: string
  5093. name:
  5094. description: The name of the Secret resource being referred to.
  5095. maxLength: 253
  5096. minLength: 1
  5097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5098. type: string
  5099. namespace:
  5100. description: |-
  5101. The namespace of the Secret resource being referred to.
  5102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5103. maxLength: 63
  5104. minLength: 1
  5105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5106. type: string
  5107. type: object
  5108. required:
  5109. - identityId
  5110. - jwt
  5111. type: object
  5112. kubernetesAuthCredentials:
  5113. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  5114. properties:
  5115. identityId:
  5116. description: |-
  5117. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5118. In some instances, `key` is a required field.
  5119. properties:
  5120. key:
  5121. description: |-
  5122. A key in the referenced Secret.
  5123. Some instances of this field may be defaulted, in others it may be required.
  5124. maxLength: 253
  5125. minLength: 1
  5126. pattern: ^[-._a-zA-Z0-9]+$
  5127. type: string
  5128. name:
  5129. description: The name of the Secret resource being referred to.
  5130. maxLength: 253
  5131. minLength: 1
  5132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5133. type: string
  5134. namespace:
  5135. description: |-
  5136. The namespace of the Secret resource being referred to.
  5137. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5138. maxLength: 63
  5139. minLength: 1
  5140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5141. type: string
  5142. type: object
  5143. serviceAccountTokenPath:
  5144. description: |-
  5145. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5146. In some instances, `key` is a required field.
  5147. properties:
  5148. key:
  5149. description: |-
  5150. A key in the referenced Secret.
  5151. Some instances of this field may be defaulted, in others it may be required.
  5152. maxLength: 253
  5153. minLength: 1
  5154. pattern: ^[-._a-zA-Z0-9]+$
  5155. type: string
  5156. name:
  5157. description: The name of the Secret resource being referred to.
  5158. maxLength: 253
  5159. minLength: 1
  5160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5161. type: string
  5162. namespace:
  5163. description: |-
  5164. The namespace of the Secret resource being referred to.
  5165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5166. maxLength: 63
  5167. minLength: 1
  5168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5169. type: string
  5170. type: object
  5171. required:
  5172. - identityId
  5173. type: object
  5174. ldapAuthCredentials:
  5175. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5176. properties:
  5177. identityId:
  5178. description: |-
  5179. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5180. In some instances, `key` is a required field.
  5181. properties:
  5182. key:
  5183. description: |-
  5184. A key in the referenced Secret.
  5185. Some instances of this field may be defaulted, in others it may be required.
  5186. maxLength: 253
  5187. minLength: 1
  5188. pattern: ^[-._a-zA-Z0-9]+$
  5189. type: string
  5190. name:
  5191. description: The name of the Secret resource being referred to.
  5192. maxLength: 253
  5193. minLength: 1
  5194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5195. type: string
  5196. namespace:
  5197. description: |-
  5198. The namespace of the Secret resource being referred to.
  5199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5200. maxLength: 63
  5201. minLength: 1
  5202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5203. type: string
  5204. type: object
  5205. ldapPassword:
  5206. description: |-
  5207. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5208. In some instances, `key` is a required field.
  5209. properties:
  5210. key:
  5211. description: |-
  5212. A key in the referenced Secret.
  5213. Some instances of this field may be defaulted, in others it may be required.
  5214. maxLength: 253
  5215. minLength: 1
  5216. pattern: ^[-._a-zA-Z0-9]+$
  5217. type: string
  5218. name:
  5219. description: The name of the Secret resource being referred to.
  5220. maxLength: 253
  5221. minLength: 1
  5222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5223. type: string
  5224. namespace:
  5225. description: |-
  5226. The namespace of the Secret resource being referred to.
  5227. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5228. maxLength: 63
  5229. minLength: 1
  5230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5231. type: string
  5232. type: object
  5233. ldapUsername:
  5234. description: |-
  5235. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5236. In some instances, `key` is a required field.
  5237. properties:
  5238. key:
  5239. description: |-
  5240. A key in the referenced Secret.
  5241. Some instances of this field may be defaulted, in others it may be required.
  5242. maxLength: 253
  5243. minLength: 1
  5244. pattern: ^[-._a-zA-Z0-9]+$
  5245. type: string
  5246. name:
  5247. description: The name of the Secret resource being referred to.
  5248. maxLength: 253
  5249. minLength: 1
  5250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5251. type: string
  5252. namespace:
  5253. description: |-
  5254. The namespace of the Secret resource being referred to.
  5255. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5256. maxLength: 63
  5257. minLength: 1
  5258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5259. type: string
  5260. type: object
  5261. required:
  5262. - identityId
  5263. - ldapPassword
  5264. - ldapUsername
  5265. type: object
  5266. ociAuthCredentials:
  5267. description: OciAuthCredentials represents the credentials for OCI authentication.
  5268. properties:
  5269. fingerprint:
  5270. description: |-
  5271. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5272. In some instances, `key` is a required field.
  5273. properties:
  5274. key:
  5275. description: |-
  5276. A key in the referenced Secret.
  5277. Some instances of this field may be defaulted, in others it may be required.
  5278. maxLength: 253
  5279. minLength: 1
  5280. pattern: ^[-._a-zA-Z0-9]+$
  5281. type: string
  5282. name:
  5283. description: The name of the Secret resource being referred to.
  5284. maxLength: 253
  5285. minLength: 1
  5286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5287. type: string
  5288. namespace:
  5289. description: |-
  5290. The namespace of the Secret resource being referred to.
  5291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5292. maxLength: 63
  5293. minLength: 1
  5294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5295. type: string
  5296. type: object
  5297. identityId:
  5298. description: |-
  5299. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5300. In some instances, `key` is a required field.
  5301. properties:
  5302. key:
  5303. description: |-
  5304. A key in the referenced Secret.
  5305. Some instances of this field may be defaulted, in others it may be required.
  5306. maxLength: 253
  5307. minLength: 1
  5308. pattern: ^[-._a-zA-Z0-9]+$
  5309. type: string
  5310. name:
  5311. description: The name of the Secret resource being referred to.
  5312. maxLength: 253
  5313. minLength: 1
  5314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5315. type: string
  5316. namespace:
  5317. description: |-
  5318. The namespace of the Secret resource being referred to.
  5319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5320. maxLength: 63
  5321. minLength: 1
  5322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5323. type: string
  5324. type: object
  5325. privateKey:
  5326. description: |-
  5327. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5328. In some instances, `key` is a required field.
  5329. properties:
  5330. key:
  5331. description: |-
  5332. A key in the referenced Secret.
  5333. Some instances of this field may be defaulted, in others it may be required.
  5334. maxLength: 253
  5335. minLength: 1
  5336. pattern: ^[-._a-zA-Z0-9]+$
  5337. type: string
  5338. name:
  5339. description: The name of the Secret resource being referred to.
  5340. maxLength: 253
  5341. minLength: 1
  5342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5343. type: string
  5344. namespace:
  5345. description: |-
  5346. The namespace of the Secret resource being referred to.
  5347. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5348. maxLength: 63
  5349. minLength: 1
  5350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5351. type: string
  5352. type: object
  5353. privateKeyPassphrase:
  5354. description: |-
  5355. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5356. In some instances, `key` is a required field.
  5357. properties:
  5358. key:
  5359. description: |-
  5360. A key in the referenced Secret.
  5361. Some instances of this field may be defaulted, in others it may be required.
  5362. maxLength: 253
  5363. minLength: 1
  5364. pattern: ^[-._a-zA-Z0-9]+$
  5365. type: string
  5366. name:
  5367. description: The name of the Secret resource being referred to.
  5368. maxLength: 253
  5369. minLength: 1
  5370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5371. type: string
  5372. namespace:
  5373. description: |-
  5374. The namespace of the Secret resource being referred to.
  5375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5376. maxLength: 63
  5377. minLength: 1
  5378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5379. type: string
  5380. type: object
  5381. region:
  5382. description: |-
  5383. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5384. In some instances, `key` is a required field.
  5385. properties:
  5386. key:
  5387. description: |-
  5388. A key in the referenced Secret.
  5389. Some instances of this field may be defaulted, in others it may be required.
  5390. maxLength: 253
  5391. minLength: 1
  5392. pattern: ^[-._a-zA-Z0-9]+$
  5393. type: string
  5394. name:
  5395. description: The name of the Secret resource being referred to.
  5396. maxLength: 253
  5397. minLength: 1
  5398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5399. type: string
  5400. namespace:
  5401. description: |-
  5402. The namespace of the Secret resource being referred to.
  5403. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5404. maxLength: 63
  5405. minLength: 1
  5406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5407. type: string
  5408. type: object
  5409. tenancyId:
  5410. description: |-
  5411. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5412. In some instances, `key` is a required field.
  5413. properties:
  5414. key:
  5415. description: |-
  5416. A key in the referenced Secret.
  5417. Some instances of this field may be defaulted, in others it may be required.
  5418. maxLength: 253
  5419. minLength: 1
  5420. pattern: ^[-._a-zA-Z0-9]+$
  5421. type: string
  5422. name:
  5423. description: The name of the Secret resource being referred to.
  5424. maxLength: 253
  5425. minLength: 1
  5426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5427. type: string
  5428. namespace:
  5429. description: |-
  5430. The namespace of the Secret resource being referred to.
  5431. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5432. maxLength: 63
  5433. minLength: 1
  5434. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5435. type: string
  5436. type: object
  5437. userId:
  5438. description: |-
  5439. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5440. In some instances, `key` is a required field.
  5441. properties:
  5442. key:
  5443. description: |-
  5444. A key in the referenced Secret.
  5445. Some instances of this field may be defaulted, in others it may be required.
  5446. maxLength: 253
  5447. minLength: 1
  5448. pattern: ^[-._a-zA-Z0-9]+$
  5449. type: string
  5450. name:
  5451. description: The name of the Secret resource being referred to.
  5452. maxLength: 253
  5453. minLength: 1
  5454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5455. type: string
  5456. namespace:
  5457. description: |-
  5458. The namespace of the Secret resource being referred to.
  5459. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5460. maxLength: 63
  5461. minLength: 1
  5462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5463. type: string
  5464. type: object
  5465. required:
  5466. - fingerprint
  5467. - identityId
  5468. - privateKey
  5469. - region
  5470. - tenancyId
  5471. - userId
  5472. type: object
  5473. tokenAuthCredentials:
  5474. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5475. properties:
  5476. accessToken:
  5477. description: |-
  5478. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5479. In some instances, `key` is a required field.
  5480. properties:
  5481. key:
  5482. description: |-
  5483. A key in the referenced Secret.
  5484. Some instances of this field may be defaulted, in others it may be required.
  5485. maxLength: 253
  5486. minLength: 1
  5487. pattern: ^[-._a-zA-Z0-9]+$
  5488. type: string
  5489. name:
  5490. description: The name of the Secret resource being referred to.
  5491. maxLength: 253
  5492. minLength: 1
  5493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5494. type: string
  5495. namespace:
  5496. description: |-
  5497. The namespace of the Secret resource being referred to.
  5498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5499. maxLength: 63
  5500. minLength: 1
  5501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5502. type: string
  5503. type: object
  5504. required:
  5505. - accessToken
  5506. type: object
  5507. universalAuthCredentials:
  5508. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5509. properties:
  5510. clientId:
  5511. description: |-
  5512. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5513. In some instances, `key` is a required field.
  5514. properties:
  5515. key:
  5516. description: |-
  5517. A key in the referenced Secret.
  5518. Some instances of this field may be defaulted, in others it may be required.
  5519. maxLength: 253
  5520. minLength: 1
  5521. pattern: ^[-._a-zA-Z0-9]+$
  5522. type: string
  5523. name:
  5524. description: The name of the Secret resource being referred to.
  5525. maxLength: 253
  5526. minLength: 1
  5527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5528. type: string
  5529. namespace:
  5530. description: |-
  5531. The namespace of the Secret resource being referred to.
  5532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5533. maxLength: 63
  5534. minLength: 1
  5535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5536. type: string
  5537. type: object
  5538. clientSecret:
  5539. description: |-
  5540. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5541. In some instances, `key` is a required field.
  5542. properties:
  5543. key:
  5544. description: |-
  5545. A key in the referenced Secret.
  5546. Some instances of this field may be defaulted, in others it may be required.
  5547. maxLength: 253
  5548. minLength: 1
  5549. pattern: ^[-._a-zA-Z0-9]+$
  5550. type: string
  5551. name:
  5552. description: The name of the Secret resource being referred to.
  5553. maxLength: 253
  5554. minLength: 1
  5555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5556. type: string
  5557. namespace:
  5558. description: |-
  5559. The namespace of the Secret resource being referred to.
  5560. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5561. maxLength: 63
  5562. minLength: 1
  5563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5564. type: string
  5565. type: object
  5566. required:
  5567. - clientId
  5568. - clientSecret
  5569. type: object
  5570. type: object
  5571. caBundle:
  5572. description: |-
  5573. CABundle is a PEM-encoded CA certificate bundle used to validate
  5574. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5575. format: byte
  5576. type: string
  5577. caProvider:
  5578. description: |-
  5579. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5580. The certificate is used to validate the Infisical server's TLS certificate.
  5581. Mutually exclusive with CABundle.
  5582. properties:
  5583. key:
  5584. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5585. maxLength: 253
  5586. minLength: 1
  5587. pattern: ^[-._a-zA-Z0-9]+$
  5588. type: string
  5589. name:
  5590. description: The name of the object located at the provider type.
  5591. maxLength: 253
  5592. minLength: 1
  5593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5594. type: string
  5595. namespace:
  5596. description: |-
  5597. The namespace the Provider type is in.
  5598. Can only be defined when used in a ClusterSecretStore.
  5599. maxLength: 63
  5600. minLength: 1
  5601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5602. type: string
  5603. type:
  5604. description: The type of provider to use such as "Secret", or "ConfigMap".
  5605. enum:
  5606. - Secret
  5607. - ConfigMap
  5608. type: string
  5609. required:
  5610. - name
  5611. - type
  5612. type: object
  5613. hostAPI:
  5614. default: https://app.infisical.com/api
  5615. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5616. type: string
  5617. secretsScope:
  5618. description: SecretsScope defines the scope of the secrets within the workspace
  5619. properties:
  5620. environmentSlug:
  5621. description: EnvironmentSlug is the required slug identifier for the environment.
  5622. type: string
  5623. expandSecretReferences:
  5624. default: true
  5625. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5626. type: boolean
  5627. organizationSlug:
  5628. description: |-
  5629. OrganizationSlug is the optional slug that identifies the organization that will be used
  5630. during authentication. Useful for sub-organization setups
  5631. type: string
  5632. projectSlug:
  5633. description: ProjectSlug is the required slug identifier for the project.
  5634. type: string
  5635. recursive:
  5636. default: false
  5637. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5638. type: boolean
  5639. secretsPath:
  5640. default: /
  5641. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5642. type: string
  5643. required:
  5644. - environmentSlug
  5645. - projectSlug
  5646. type: object
  5647. required:
  5648. - auth
  5649. - secretsScope
  5650. type: object
  5651. keepersecurity:
  5652. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5653. properties:
  5654. authRef:
  5655. description: |-
  5656. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5657. In some instances, `key` is a required field.
  5658. properties:
  5659. key:
  5660. description: |-
  5661. A key in the referenced Secret.
  5662. Some instances of this field may be defaulted, in others it may be required.
  5663. maxLength: 253
  5664. minLength: 1
  5665. pattern: ^[-._a-zA-Z0-9]+$
  5666. type: string
  5667. name:
  5668. description: The name of the Secret resource being referred to.
  5669. maxLength: 253
  5670. minLength: 1
  5671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5672. type: string
  5673. namespace:
  5674. description: |-
  5675. The namespace of the Secret resource being referred to.
  5676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5677. maxLength: 63
  5678. minLength: 1
  5679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5680. type: string
  5681. type: object
  5682. folderID:
  5683. type: string
  5684. getByTitleFallback:
  5685. type: boolean
  5686. required:
  5687. - authRef
  5688. - folderID
  5689. type: object
  5690. kubernetes:
  5691. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5692. properties:
  5693. auth:
  5694. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5695. maxProperties: 1
  5696. minProperties: 1
  5697. properties:
  5698. cert:
  5699. description: has both clientCert and clientKey as secretKeySelector
  5700. properties:
  5701. clientCert:
  5702. description: |-
  5703. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5704. In some instances, `key` is a required field.
  5705. properties:
  5706. key:
  5707. description: |-
  5708. A key in the referenced Secret.
  5709. Some instances of this field may be defaulted, in others it may be required.
  5710. maxLength: 253
  5711. minLength: 1
  5712. pattern: ^[-._a-zA-Z0-9]+$
  5713. type: string
  5714. name:
  5715. description: The name of the Secret resource being referred to.
  5716. maxLength: 253
  5717. minLength: 1
  5718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5719. type: string
  5720. namespace:
  5721. description: |-
  5722. The namespace of the Secret resource being referred to.
  5723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5724. maxLength: 63
  5725. minLength: 1
  5726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5727. type: string
  5728. type: object
  5729. clientKey:
  5730. description: |-
  5731. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5732. In some instances, `key` is a required field.
  5733. properties:
  5734. key:
  5735. description: |-
  5736. A key in the referenced Secret.
  5737. Some instances of this field may be defaulted, in others it may be required.
  5738. maxLength: 253
  5739. minLength: 1
  5740. pattern: ^[-._a-zA-Z0-9]+$
  5741. type: string
  5742. name:
  5743. description: The name of the Secret resource being referred to.
  5744. maxLength: 253
  5745. minLength: 1
  5746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5747. type: string
  5748. namespace:
  5749. description: |-
  5750. The namespace of the Secret resource being referred to.
  5751. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5752. maxLength: 63
  5753. minLength: 1
  5754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5755. type: string
  5756. type: object
  5757. type: object
  5758. serviceAccount:
  5759. description: points to a service account that should be used for authentication
  5760. properties:
  5761. audiences:
  5762. description: |-
  5763. Audience specifies the `aud` claim for the service account token
  5764. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5765. then this audiences will be appended to the list
  5766. items:
  5767. type: string
  5768. type: array
  5769. name:
  5770. description: The name of the ServiceAccount resource being referred to.
  5771. maxLength: 253
  5772. minLength: 1
  5773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5774. type: string
  5775. namespace:
  5776. description: |-
  5777. Namespace of the resource being referred to.
  5778. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5779. maxLength: 63
  5780. minLength: 1
  5781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5782. type: string
  5783. required:
  5784. - name
  5785. type: object
  5786. token:
  5787. description: use static token to authenticate with
  5788. properties:
  5789. bearerToken:
  5790. description: |-
  5791. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5792. In some instances, `key` is a required field.
  5793. properties:
  5794. key:
  5795. description: |-
  5796. A key in the referenced Secret.
  5797. Some instances of this field may be defaulted, in others it may be required.
  5798. maxLength: 253
  5799. minLength: 1
  5800. pattern: ^[-._a-zA-Z0-9]+$
  5801. type: string
  5802. name:
  5803. description: The name of the Secret resource being referred to.
  5804. maxLength: 253
  5805. minLength: 1
  5806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5807. type: string
  5808. namespace:
  5809. description: |-
  5810. The namespace of the Secret resource being referred to.
  5811. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5812. maxLength: 63
  5813. minLength: 1
  5814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5815. type: string
  5816. type: object
  5817. type: object
  5818. type: object
  5819. authRef:
  5820. description: A reference to a secret that contains the auth information.
  5821. properties:
  5822. key:
  5823. description: |-
  5824. A key in the referenced Secret.
  5825. Some instances of this field may be defaulted, in others it may be required.
  5826. maxLength: 253
  5827. minLength: 1
  5828. pattern: ^[-._a-zA-Z0-9]+$
  5829. type: string
  5830. name:
  5831. description: The name of the Secret resource being referred to.
  5832. maxLength: 253
  5833. minLength: 1
  5834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5835. type: string
  5836. namespace:
  5837. description: |-
  5838. The namespace of the Secret resource being referred to.
  5839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5840. maxLength: 63
  5841. minLength: 1
  5842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5843. type: string
  5844. type: object
  5845. remoteNamespace:
  5846. default: default
  5847. description: Remote namespace to fetch the secrets from
  5848. maxLength: 63
  5849. minLength: 1
  5850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5851. type: string
  5852. server:
  5853. description: configures the Kubernetes server Address.
  5854. properties:
  5855. caBundle:
  5856. description: CABundle is a base64-encoded CA certificate
  5857. format: byte
  5858. type: string
  5859. caProvider:
  5860. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5861. properties:
  5862. key:
  5863. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5864. maxLength: 253
  5865. minLength: 1
  5866. pattern: ^[-._a-zA-Z0-9]+$
  5867. type: string
  5868. name:
  5869. description: The name of the object located at the provider type.
  5870. maxLength: 253
  5871. minLength: 1
  5872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5873. type: string
  5874. namespace:
  5875. description: |-
  5876. The namespace the Provider type is in.
  5877. Can only be defined when used in a ClusterSecretStore.
  5878. maxLength: 63
  5879. minLength: 1
  5880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5881. type: string
  5882. type:
  5883. description: The type of provider to use such as "Secret", or "ConfigMap".
  5884. enum:
  5885. - Secret
  5886. - ConfigMap
  5887. type: string
  5888. required:
  5889. - name
  5890. - type
  5891. type: object
  5892. url:
  5893. default: kubernetes.default
  5894. description: configures the Kubernetes server Address.
  5895. type: string
  5896. type: object
  5897. type: object
  5898. nebiusmysterybox:
  5899. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5900. properties:
  5901. apiDomain:
  5902. description: NebiusMysterybox API endpoint
  5903. type: string
  5904. auth:
  5905. description: Auth defines parameters to authenticate in MysteryBox
  5906. properties:
  5907. serviceAccountCredsSecretRef:
  5908. description: |-
  5909. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5910. document with service account credentials used to get an IAM token.
  5911. Expected JSON structure:
  5912. {
  5913. "subject-credentials": {
  5914. "alg": "RS256",
  5915. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5916. "kid": "<public-key-id>",
  5917. "iss": "<issuer-service-account-id>",
  5918. "sub": "<subject-service-account-id>"
  5919. }
  5920. }
  5921. properties:
  5922. key:
  5923. description: |-
  5924. A key in the referenced Secret.
  5925. Some instances of this field may be defaulted, in others it may be required.
  5926. maxLength: 253
  5927. minLength: 1
  5928. pattern: ^[-._a-zA-Z0-9]+$
  5929. type: string
  5930. name:
  5931. description: The name of the Secret resource being referred to.
  5932. maxLength: 253
  5933. minLength: 1
  5934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5935. type: string
  5936. namespace:
  5937. description: |-
  5938. The namespace of the Secret resource being referred to.
  5939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5940. maxLength: 63
  5941. minLength: 1
  5942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5943. type: string
  5944. type: object
  5945. tokenSecretRef:
  5946. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5947. properties:
  5948. key:
  5949. description: |-
  5950. A key in the referenced Secret.
  5951. Some instances of this field may be defaulted, in others it may be required.
  5952. maxLength: 253
  5953. minLength: 1
  5954. pattern: ^[-._a-zA-Z0-9]+$
  5955. type: string
  5956. name:
  5957. description: The name of the Secret resource being referred to.
  5958. maxLength: 253
  5959. minLength: 1
  5960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5961. type: string
  5962. namespace:
  5963. description: |-
  5964. The namespace of the Secret resource being referred to.
  5965. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5966. maxLength: 63
  5967. minLength: 1
  5968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5969. type: string
  5970. type: object
  5971. type: object
  5972. x-kubernetes-validations:
  5973. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5974. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5975. caProvider:
  5976. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5977. properties:
  5978. certSecretRef:
  5979. description: |-
  5980. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5981. In some instances, `key` is a required field.
  5982. properties:
  5983. key:
  5984. description: |-
  5985. A key in the referenced Secret.
  5986. Some instances of this field may be defaulted, in others it may be required.
  5987. maxLength: 253
  5988. minLength: 1
  5989. pattern: ^[-._a-zA-Z0-9]+$
  5990. type: string
  5991. name:
  5992. description: The name of the Secret resource being referred to.
  5993. maxLength: 253
  5994. minLength: 1
  5995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5996. type: string
  5997. namespace:
  5998. description: |-
  5999. The namespace of the Secret resource being referred to.
  6000. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6001. maxLength: 63
  6002. minLength: 1
  6003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6004. type: string
  6005. type: object
  6006. type: object
  6007. required:
  6008. - apiDomain
  6009. - auth
  6010. type: object
  6011. ngrok:
  6012. description: Ngrok configures this store to sync secrets using the ngrok provider.
  6013. properties:
  6014. apiUrl:
  6015. default: https://api.ngrok.com
  6016. description: APIURL is the URL of the ngrok API.
  6017. type: string
  6018. auth:
  6019. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  6020. maxProperties: 1
  6021. minProperties: 1
  6022. properties:
  6023. apiKey:
  6024. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  6025. properties:
  6026. secretRef:
  6027. description: SecretRef is a reference to a secret containing the ngrok API key.
  6028. properties:
  6029. key:
  6030. description: |-
  6031. A key in the referenced Secret.
  6032. Some instances of this field may be defaulted, in others it may be required.
  6033. maxLength: 253
  6034. minLength: 1
  6035. pattern: ^[-._a-zA-Z0-9]+$
  6036. type: string
  6037. name:
  6038. description: The name of the Secret resource being referred to.
  6039. maxLength: 253
  6040. minLength: 1
  6041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6042. type: string
  6043. namespace:
  6044. description: |-
  6045. The namespace of the Secret resource being referred to.
  6046. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6047. maxLength: 63
  6048. minLength: 1
  6049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6050. type: string
  6051. type: object
  6052. type: object
  6053. type: object
  6054. vault:
  6055. description: Vault configures the ngrok vault to sync secrets with.
  6056. properties:
  6057. name:
  6058. description: Name is the name of the ngrok vault to sync secrets with.
  6059. type: string
  6060. required:
  6061. - name
  6062. type: object
  6063. required:
  6064. - auth
  6065. - vault
  6066. type: object
  6067. onboardbase:
  6068. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  6069. properties:
  6070. apiHost:
  6071. default: https://public.onboardbase.com/api/v1/
  6072. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  6073. type: string
  6074. auth:
  6075. description: Auth configures how the Operator authenticates with the Onboardbase API
  6076. properties:
  6077. apiKeyRef:
  6078. description: |-
  6079. OnboardbaseAPIKey is the APIKey generated by an admin account.
  6080. It is used to recognize and authorize access to a project and environment within onboardbase
  6081. properties:
  6082. key:
  6083. description: |-
  6084. A key in the referenced Secret.
  6085. Some instances of this field may be defaulted, in others it may be required.
  6086. maxLength: 253
  6087. minLength: 1
  6088. pattern: ^[-._a-zA-Z0-9]+$
  6089. type: string
  6090. name:
  6091. description: The name of the Secret resource being referred to.
  6092. maxLength: 253
  6093. minLength: 1
  6094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6095. type: string
  6096. namespace:
  6097. description: |-
  6098. The namespace of the Secret resource being referred to.
  6099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6100. maxLength: 63
  6101. minLength: 1
  6102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6103. type: string
  6104. type: object
  6105. passcodeRef:
  6106. description: OnboardbasePasscode is the passcode attached to the API Key
  6107. properties:
  6108. key:
  6109. description: |-
  6110. A key in the referenced Secret.
  6111. Some instances of this field may be defaulted, in others it may be required.
  6112. maxLength: 253
  6113. minLength: 1
  6114. pattern: ^[-._a-zA-Z0-9]+$
  6115. type: string
  6116. name:
  6117. description: The name of the Secret resource being referred to.
  6118. maxLength: 253
  6119. minLength: 1
  6120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6121. type: string
  6122. namespace:
  6123. description: |-
  6124. The namespace of the Secret resource being referred to.
  6125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6126. maxLength: 63
  6127. minLength: 1
  6128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6129. type: string
  6130. type: object
  6131. required:
  6132. - apiKeyRef
  6133. - passcodeRef
  6134. type: object
  6135. environment:
  6136. default: development
  6137. description: Environment is the name of an environmnent within a project to pull the secrets from
  6138. type: string
  6139. project:
  6140. default: development
  6141. description: Project is an onboardbase project that the secrets should be pulled from
  6142. type: string
  6143. required:
  6144. - apiHost
  6145. - auth
  6146. - environment
  6147. - project
  6148. type: object
  6149. onepassword:
  6150. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6151. properties:
  6152. auth:
  6153. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6154. properties:
  6155. secretRef:
  6156. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6157. properties:
  6158. connectTokenSecretRef:
  6159. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6160. properties:
  6161. key:
  6162. description: |-
  6163. A key in the referenced Secret.
  6164. Some instances of this field may be defaulted, in others it may be required.
  6165. maxLength: 253
  6166. minLength: 1
  6167. pattern: ^[-._a-zA-Z0-9]+$
  6168. type: string
  6169. name:
  6170. description: The name of the Secret resource being referred to.
  6171. maxLength: 253
  6172. minLength: 1
  6173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6174. type: string
  6175. namespace:
  6176. description: |-
  6177. The namespace of the Secret resource being referred to.
  6178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6179. maxLength: 63
  6180. minLength: 1
  6181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6182. type: string
  6183. type: object
  6184. required:
  6185. - connectTokenSecretRef
  6186. type: object
  6187. required:
  6188. - secretRef
  6189. type: object
  6190. connectHost:
  6191. description: ConnectHost defines the OnePassword Connect Server to connect to
  6192. type: string
  6193. vaults:
  6194. additionalProperties:
  6195. type: integer
  6196. description: Vaults defines which OnePassword vaults to search in which order
  6197. type: object
  6198. required:
  6199. - auth
  6200. - connectHost
  6201. - vaults
  6202. type: object
  6203. onepasswordSDK:
  6204. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6205. properties:
  6206. auth:
  6207. description: Auth defines the information necessary to authenticate against OnePassword API.
  6208. properties:
  6209. serviceAccountSecretRef:
  6210. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6211. properties:
  6212. key:
  6213. description: |-
  6214. A key in the referenced Secret.
  6215. Some instances of this field may be defaulted, in others it may be required.
  6216. maxLength: 253
  6217. minLength: 1
  6218. pattern: ^[-._a-zA-Z0-9]+$
  6219. type: string
  6220. name:
  6221. description: The name of the Secret resource being referred to.
  6222. maxLength: 253
  6223. minLength: 1
  6224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6225. type: string
  6226. namespace:
  6227. description: |-
  6228. The namespace of the Secret resource being referred to.
  6229. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6230. maxLength: 63
  6231. minLength: 1
  6232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6233. type: string
  6234. type: object
  6235. required:
  6236. - serviceAccountSecretRef
  6237. type: object
  6238. cache:
  6239. description: |-
  6240. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6241. When enabled, secrets are cached with the specified TTL.
  6242. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6243. If omitted, caching is disabled (default).
  6244. cache: {} is a valid option to set.
  6245. properties:
  6246. maxSize:
  6247. default: 100
  6248. description: |-
  6249. MaxSize is the maximum number of secrets to cache.
  6250. When the cache is full, least-recently-used entries are evicted.
  6251. minimum: 1
  6252. type: integer
  6253. ttl:
  6254. default: 5m
  6255. description: |-
  6256. TTL is the time-to-live for cached secrets.
  6257. Format: duration string (e.g., "5m", "1h", "30s")
  6258. type: string
  6259. type: object
  6260. integrationInfo:
  6261. description: |-
  6262. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6263. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6264. properties:
  6265. name:
  6266. default: 1Password SDK
  6267. description: Name defaults to "1Password SDK".
  6268. type: string
  6269. version:
  6270. default: v1.0.0
  6271. description: Version defaults to "v1.0.0".
  6272. type: string
  6273. type: object
  6274. vault:
  6275. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6276. type: string
  6277. required:
  6278. - auth
  6279. - vault
  6280. type: object
  6281. openBao:
  6282. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6283. properties:
  6284. auth:
  6285. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6286. maxProperties: 1
  6287. properties:
  6288. tokenSecretRef:
  6289. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6290. properties:
  6291. key:
  6292. description: |-
  6293. A key in the referenced Secret.
  6294. Some instances of this field may be defaulted, in others it may be required.
  6295. maxLength: 253
  6296. minLength: 1
  6297. pattern: ^[-._a-zA-Z0-9]+$
  6298. type: string
  6299. name:
  6300. description: The name of the Secret resource being referred to.
  6301. maxLength: 253
  6302. minLength: 1
  6303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6304. type: string
  6305. namespace:
  6306. description: |-
  6307. The namespace of the Secret resource being referred to.
  6308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6309. maxLength: 63
  6310. minLength: 1
  6311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6312. type: string
  6313. type: object
  6314. userPass:
  6315. description: UserPass authenticates with OpenBao by passing a username/password pair
  6316. properties:
  6317. path:
  6318. default: userpass
  6319. description: |-
  6320. Path where the UserPassword authentication backend is mounted
  6321. in OpenBao, e.g: "userpass"
  6322. type: string
  6323. secretRef:
  6324. description: |-
  6325. SecretRef to a key in a Secret resource containing password for the user
  6326. used to authenticate with OpenBao using the [UserPass authentication
  6327. method]
  6328. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6329. properties:
  6330. key:
  6331. description: |-
  6332. A key in the referenced Secret.
  6333. Some instances of this field may be defaulted, in others it may be required.
  6334. maxLength: 253
  6335. minLength: 1
  6336. pattern: ^[-._a-zA-Z0-9]+$
  6337. type: string
  6338. name:
  6339. description: The name of the Secret resource being referred to.
  6340. maxLength: 253
  6341. minLength: 1
  6342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6343. type: string
  6344. namespace:
  6345. description: |-
  6346. The namespace of the Secret resource being referred to.
  6347. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6348. maxLength: 63
  6349. minLength: 1
  6350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6351. type: string
  6352. type: object
  6353. username:
  6354. description: |-
  6355. Username is a username used to authenticate using the [UserPass
  6356. authentication method]
  6357. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6358. type: string
  6359. required:
  6360. - path
  6361. - username
  6362. type: object
  6363. type: object
  6364. caBundle:
  6365. description: |-
  6366. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  6367. this and `caProvider` are not set the system root certificates are used
  6368. to validate the TLS connection.
  6369. format: byte
  6370. type: string
  6371. caProvider:
  6372. description: |-
  6373. The provider for the CA bundle to use to validate OpenBao server
  6374. certificate. If this and `caBundle` are not set the system root
  6375. certificates are used to validate the TLS connection.
  6376. properties:
  6377. key:
  6378. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6379. maxLength: 253
  6380. minLength: 1
  6381. pattern: ^[-._a-zA-Z0-9]+$
  6382. type: string
  6383. name:
  6384. description: The name of the object located at the provider type.
  6385. maxLength: 253
  6386. minLength: 1
  6387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6388. type: string
  6389. namespace:
  6390. description: |-
  6391. The namespace the Provider type is in.
  6392. Can only be defined when used in a ClusterSecretStore.
  6393. maxLength: 63
  6394. minLength: 1
  6395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6396. type: string
  6397. type:
  6398. description: The type of provider to use such as "Secret", or "ConfigMap".
  6399. enum:
  6400. - Secret
  6401. - ConfigMap
  6402. type: string
  6403. required:
  6404. - name
  6405. - type
  6406. type: object
  6407. path:
  6408. description: |-
  6409. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6410. "secret". The v2 KV secret engine version specific "/data" path suffix
  6411. for fetching secrets from OpenBao is optional and will be appended
  6412. if not present in specified path.
  6413. type: string
  6414. server:
  6415. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6416. type: string
  6417. version:
  6418. default: v2
  6419. description: |-
  6420. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6421. "v2". Version defaults to "v2".
  6422. enum:
  6423. - v1
  6424. - v2
  6425. type: string
  6426. required:
  6427. - server
  6428. type: object
  6429. x-kubernetes-validations:
  6430. - message: at most one of the fields in [caBundle caProvider] may be set
  6431. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  6432. oracle:
  6433. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6434. properties:
  6435. auth:
  6436. description: |-
  6437. Auth configures how secret-manager authenticates with the Oracle Vault.
  6438. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6439. properties:
  6440. secretRef:
  6441. description: SecretRef to pass through sensitive information.
  6442. properties:
  6443. fingerprint:
  6444. description: Fingerprint is the fingerprint of the API private key.
  6445. properties:
  6446. key:
  6447. description: |-
  6448. A key in the referenced Secret.
  6449. Some instances of this field may be defaulted, in others it may be required.
  6450. maxLength: 253
  6451. minLength: 1
  6452. pattern: ^[-._a-zA-Z0-9]+$
  6453. type: string
  6454. name:
  6455. description: The name of the Secret resource being referred to.
  6456. maxLength: 253
  6457. minLength: 1
  6458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6459. type: string
  6460. namespace:
  6461. description: |-
  6462. The namespace of the Secret resource being referred to.
  6463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6464. maxLength: 63
  6465. minLength: 1
  6466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6467. type: string
  6468. type: object
  6469. privatekey:
  6470. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6471. properties:
  6472. key:
  6473. description: |-
  6474. A key in the referenced Secret.
  6475. Some instances of this field may be defaulted, in others it may be required.
  6476. maxLength: 253
  6477. minLength: 1
  6478. pattern: ^[-._a-zA-Z0-9]+$
  6479. type: string
  6480. name:
  6481. description: The name of the Secret resource being referred to.
  6482. maxLength: 253
  6483. minLength: 1
  6484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6485. type: string
  6486. namespace:
  6487. description: |-
  6488. The namespace of the Secret resource being referred to.
  6489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6490. maxLength: 63
  6491. minLength: 1
  6492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6493. type: string
  6494. type: object
  6495. required:
  6496. - fingerprint
  6497. - privatekey
  6498. type: object
  6499. tenancy:
  6500. description: Tenancy is the tenancy OCID where user is located.
  6501. type: string
  6502. user:
  6503. description: User is an access OCID specific to the account.
  6504. type: string
  6505. required:
  6506. - secretRef
  6507. - tenancy
  6508. - user
  6509. type: object
  6510. compartment:
  6511. description: |-
  6512. Compartment is the vault compartment OCID.
  6513. Required for PushSecret
  6514. type: string
  6515. encryptionKey:
  6516. description: |-
  6517. EncryptionKey is the OCID of the encryption key within the vault.
  6518. Required for PushSecret
  6519. type: string
  6520. principalType:
  6521. description: |-
  6522. The type of principal to use for authentication. If left blank, the Auth struct will
  6523. determine the principal type. This optional field must be specified if using
  6524. workload identity.
  6525. enum:
  6526. - ""
  6527. - UserPrincipal
  6528. - InstancePrincipal
  6529. - Workload
  6530. type: string
  6531. region:
  6532. description: Region is the region where vault is located.
  6533. type: string
  6534. serviceAccountRef:
  6535. description: |-
  6536. ServiceAccountRef specified the service account
  6537. that should be used when authenticating with WorkloadIdentity.
  6538. properties:
  6539. audiences:
  6540. description: |-
  6541. Audience specifies the `aud` claim for the service account token
  6542. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6543. then this audiences will be appended to the list
  6544. items:
  6545. type: string
  6546. type: array
  6547. name:
  6548. description: The name of the ServiceAccount resource being referred to.
  6549. maxLength: 253
  6550. minLength: 1
  6551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6552. type: string
  6553. namespace:
  6554. description: |-
  6555. Namespace of the resource being referred to.
  6556. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6557. maxLength: 63
  6558. minLength: 1
  6559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6560. type: string
  6561. required:
  6562. - name
  6563. type: object
  6564. vault:
  6565. description: Vault is the vault's OCID of the specific vault where secret is located.
  6566. type: string
  6567. required:
  6568. - region
  6569. - vault
  6570. type: object
  6571. ovh:
  6572. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6573. properties:
  6574. auth:
  6575. description: Authentication method (mtls or token).
  6576. properties:
  6577. mtls:
  6578. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6579. properties:
  6580. caBundle:
  6581. format: byte
  6582. type: string
  6583. caProvider:
  6584. description: |-
  6585. CAProvider provides a custom certificate authority for accessing the provider's store.
  6586. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6587. properties:
  6588. key:
  6589. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6590. maxLength: 253
  6591. minLength: 1
  6592. pattern: ^[-._a-zA-Z0-9]+$
  6593. type: string
  6594. name:
  6595. description: The name of the object located at the provider type.
  6596. maxLength: 253
  6597. minLength: 1
  6598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6599. type: string
  6600. namespace:
  6601. description: |-
  6602. The namespace the Provider type is in.
  6603. Can only be defined when used in a ClusterSecretStore.
  6604. maxLength: 63
  6605. minLength: 1
  6606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6607. type: string
  6608. type:
  6609. description: The type of provider to use such as "Secret", or "ConfigMap".
  6610. enum:
  6611. - Secret
  6612. - ConfigMap
  6613. type: string
  6614. required:
  6615. - name
  6616. - type
  6617. type: object
  6618. certSecretRef:
  6619. description: |-
  6620. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6621. In some instances, `key` is a required field.
  6622. properties:
  6623. key:
  6624. description: |-
  6625. A key in the referenced Secret.
  6626. Some instances of this field may be defaulted, in others it may be required.
  6627. maxLength: 253
  6628. minLength: 1
  6629. pattern: ^[-._a-zA-Z0-9]+$
  6630. type: string
  6631. name:
  6632. description: The name of the Secret resource being referred to.
  6633. maxLength: 253
  6634. minLength: 1
  6635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6636. type: string
  6637. namespace:
  6638. description: |-
  6639. The namespace of the Secret resource being referred to.
  6640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6641. maxLength: 63
  6642. minLength: 1
  6643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6644. type: string
  6645. type: object
  6646. keySecretRef:
  6647. description: |-
  6648. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6649. In some instances, `key` is a required field.
  6650. properties:
  6651. key:
  6652. description: |-
  6653. A key in the referenced Secret.
  6654. Some instances of this field may be defaulted, in others it may be required.
  6655. maxLength: 253
  6656. minLength: 1
  6657. pattern: ^[-._a-zA-Z0-9]+$
  6658. type: string
  6659. name:
  6660. description: The name of the Secret resource being referred to.
  6661. maxLength: 253
  6662. minLength: 1
  6663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6664. type: string
  6665. namespace:
  6666. description: |-
  6667. The namespace of the Secret resource being referred to.
  6668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6669. maxLength: 63
  6670. minLength: 1
  6671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6672. type: string
  6673. type: object
  6674. required:
  6675. - certSecretRef
  6676. - keySecretRef
  6677. type: object
  6678. token:
  6679. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6680. properties:
  6681. tokenSecretRef:
  6682. description: |-
  6683. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6684. In some instances, `key` is a required field.
  6685. properties:
  6686. key:
  6687. description: |-
  6688. A key in the referenced Secret.
  6689. Some instances of this field may be defaulted, in others it may be required.
  6690. maxLength: 253
  6691. minLength: 1
  6692. pattern: ^[-._a-zA-Z0-9]+$
  6693. type: string
  6694. name:
  6695. description: The name of the Secret resource being referred to.
  6696. maxLength: 253
  6697. minLength: 1
  6698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6699. type: string
  6700. namespace:
  6701. description: |-
  6702. The namespace of the Secret resource being referred to.
  6703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6704. maxLength: 63
  6705. minLength: 1
  6706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6707. type: string
  6708. type: object
  6709. required:
  6710. - tokenSecretRef
  6711. type: object
  6712. type: object
  6713. casRequired:
  6714. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6715. type: boolean
  6716. okmsTimeout:
  6717. default: 30
  6718. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  6719. format: int32
  6720. minimum: 1
  6721. type: integer
  6722. okmsid:
  6723. description: specifies the OKMS ID.
  6724. type: string
  6725. server:
  6726. description: specifies the OKMS server endpoint.
  6727. type: string
  6728. required:
  6729. - auth
  6730. - okmsid
  6731. - server
  6732. type: object
  6733. passbolt:
  6734. description: |-
  6735. PassboltProvider provides access to Passbolt secrets manager.
  6736. See: https://www.passbolt.com.
  6737. properties:
  6738. auth:
  6739. description: Auth defines the information necessary to authenticate against Passbolt Server
  6740. properties:
  6741. passwordSecretRef:
  6742. description: |-
  6743. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6744. In some instances, `key` is a required field.
  6745. properties:
  6746. key:
  6747. description: |-
  6748. A key in the referenced Secret.
  6749. Some instances of this field may be defaulted, in others it may be required.
  6750. maxLength: 253
  6751. minLength: 1
  6752. pattern: ^[-._a-zA-Z0-9]+$
  6753. type: string
  6754. name:
  6755. description: The name of the Secret resource being referred to.
  6756. maxLength: 253
  6757. minLength: 1
  6758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6759. type: string
  6760. namespace:
  6761. description: |-
  6762. The namespace of the Secret resource being referred to.
  6763. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6764. maxLength: 63
  6765. minLength: 1
  6766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6767. type: string
  6768. type: object
  6769. privateKeySecretRef:
  6770. description: |-
  6771. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6772. In some instances, `key` is a required field.
  6773. properties:
  6774. key:
  6775. description: |-
  6776. A key in the referenced Secret.
  6777. Some instances of this field may be defaulted, in others it may be required.
  6778. maxLength: 253
  6779. minLength: 1
  6780. pattern: ^[-._a-zA-Z0-9]+$
  6781. type: string
  6782. name:
  6783. description: The name of the Secret resource being referred to.
  6784. maxLength: 253
  6785. minLength: 1
  6786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6787. type: string
  6788. namespace:
  6789. description: |-
  6790. The namespace of the Secret resource being referred to.
  6791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6792. maxLength: 63
  6793. minLength: 1
  6794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6795. type: string
  6796. type: object
  6797. required:
  6798. - passwordSecretRef
  6799. - privateKeySecretRef
  6800. type: object
  6801. caBundle:
  6802. description: |-
  6803. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6804. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6805. are used to validate the TLS connection.
  6806. format: byte
  6807. type: string
  6808. caProvider:
  6809. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6810. properties:
  6811. key:
  6812. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6813. maxLength: 253
  6814. minLength: 1
  6815. pattern: ^[-._a-zA-Z0-9]+$
  6816. type: string
  6817. name:
  6818. description: The name of the object located at the provider type.
  6819. maxLength: 253
  6820. minLength: 1
  6821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6822. type: string
  6823. namespace:
  6824. description: |-
  6825. The namespace the Provider type is in.
  6826. Can only be defined when used in a ClusterSecretStore.
  6827. maxLength: 63
  6828. minLength: 1
  6829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6830. type: string
  6831. type:
  6832. description: The type of provider to use such as "Secret", or "ConfigMap".
  6833. enum:
  6834. - Secret
  6835. - ConfigMap
  6836. type: string
  6837. required:
  6838. - name
  6839. - type
  6840. type: object
  6841. host:
  6842. description: Host defines the Passbolt Server to connect to
  6843. type: string
  6844. required:
  6845. - auth
  6846. - host
  6847. type: object
  6848. passworddepot:
  6849. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6850. properties:
  6851. auth:
  6852. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6853. properties:
  6854. secretRef:
  6855. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6856. properties:
  6857. credentials:
  6858. description: Username / Password is used for authentication.
  6859. properties:
  6860. key:
  6861. description: |-
  6862. A key in the referenced Secret.
  6863. Some instances of this field may be defaulted, in others it may be required.
  6864. maxLength: 253
  6865. minLength: 1
  6866. pattern: ^[-._a-zA-Z0-9]+$
  6867. type: string
  6868. name:
  6869. description: The name of the Secret resource being referred to.
  6870. maxLength: 253
  6871. minLength: 1
  6872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6873. type: string
  6874. namespace:
  6875. description: |-
  6876. The namespace of the Secret resource being referred to.
  6877. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6878. maxLength: 63
  6879. minLength: 1
  6880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6881. type: string
  6882. type: object
  6883. type: object
  6884. required:
  6885. - secretRef
  6886. type: object
  6887. database:
  6888. description: Database to use as source
  6889. type: string
  6890. host:
  6891. description: URL configures the Password Depot instance URL.
  6892. type: string
  6893. required:
  6894. - auth
  6895. - database
  6896. - host
  6897. type: object
  6898. previder:
  6899. description: Previder configures this store to sync secrets using the Previder provider
  6900. properties:
  6901. auth:
  6902. description: PreviderAuth contains a secretRef for credentials.
  6903. properties:
  6904. secretRef:
  6905. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6906. properties:
  6907. accessToken:
  6908. description: The AccessToken is used for authentication
  6909. properties:
  6910. key:
  6911. description: |-
  6912. A key in the referenced Secret.
  6913. Some instances of this field may be defaulted, in others it may be required.
  6914. maxLength: 253
  6915. minLength: 1
  6916. pattern: ^[-._a-zA-Z0-9]+$
  6917. type: string
  6918. name:
  6919. description: The name of the Secret resource being referred to.
  6920. maxLength: 253
  6921. minLength: 1
  6922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6923. type: string
  6924. namespace:
  6925. description: |-
  6926. The namespace of the Secret resource being referred to.
  6927. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6928. maxLength: 63
  6929. minLength: 1
  6930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6931. type: string
  6932. type: object
  6933. required:
  6934. - accessToken
  6935. type: object
  6936. type: object
  6937. baseUri:
  6938. type: string
  6939. required:
  6940. - auth
  6941. type: object
  6942. pulumi:
  6943. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6944. properties:
  6945. accessToken:
  6946. description: |-
  6947. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  6948. Deprecated: Use auth.accessToken instead.
  6949. properties:
  6950. secretRef:
  6951. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6952. properties:
  6953. key:
  6954. description: |-
  6955. A key in the referenced Secret.
  6956. Some instances of this field may be defaulted, in others it may be required.
  6957. maxLength: 253
  6958. minLength: 1
  6959. pattern: ^[-._a-zA-Z0-9]+$
  6960. type: string
  6961. name:
  6962. description: The name of the Secret resource being referred to.
  6963. maxLength: 253
  6964. minLength: 1
  6965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6966. type: string
  6967. namespace:
  6968. description: |-
  6969. The namespace of the Secret resource being referred to.
  6970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6971. maxLength: 63
  6972. minLength: 1
  6973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6974. type: string
  6975. type: object
  6976. type: object
  6977. apiUrl:
  6978. default: https://api.pulumi.com/api/esc
  6979. description: APIURL is the URL of the Pulumi API.
  6980. type: string
  6981. auth:
  6982. description: |-
  6983. Auth configures how the Operator authenticates with the Pulumi API.
  6984. Either auth or the deprecated accessToken field must be specified.
  6985. properties:
  6986. accessToken:
  6987. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  6988. properties:
  6989. secretRef:
  6990. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6991. properties:
  6992. key:
  6993. description: |-
  6994. A key in the referenced Secret.
  6995. Some instances of this field may be defaulted, in others it may be required.
  6996. maxLength: 253
  6997. minLength: 1
  6998. pattern: ^[-._a-zA-Z0-9]+$
  6999. type: string
  7000. name:
  7001. description: The name of the Secret resource being referred to.
  7002. maxLength: 253
  7003. minLength: 1
  7004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7005. type: string
  7006. namespace:
  7007. description: |-
  7008. The namespace of the Secret resource being referred to.
  7009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7010. maxLength: 63
  7011. minLength: 1
  7012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7013. type: string
  7014. type: object
  7015. type: object
  7016. oidcConfig:
  7017. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  7018. properties:
  7019. expirationSeconds:
  7020. default: 600
  7021. description: |-
  7022. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  7023. Defaults to 10 minutes.
  7024. format: int64
  7025. minimum: 600
  7026. type: integer
  7027. organization:
  7028. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  7029. type: string
  7030. serviceAccountRef:
  7031. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  7032. properties:
  7033. audiences:
  7034. description: |-
  7035. Audience specifies the `aud` claim for the service account token
  7036. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7037. then this audiences will be appended to the list
  7038. items:
  7039. type: string
  7040. type: array
  7041. name:
  7042. description: The name of the ServiceAccount resource being referred to.
  7043. maxLength: 253
  7044. minLength: 1
  7045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7046. type: string
  7047. namespace:
  7048. description: |-
  7049. Namespace of the resource being referred to.
  7050. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7051. maxLength: 63
  7052. minLength: 1
  7053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7054. type: string
  7055. required:
  7056. - name
  7057. type: object
  7058. required:
  7059. - organization
  7060. - serviceAccountRef
  7061. type: object
  7062. type: object
  7063. x-kubernetes-validations:
  7064. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  7065. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  7066. environment:
  7067. description: |-
  7068. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  7069. dynamically retrieved values from supported providers including all major clouds,
  7070. and other Pulumi ESC environments.
  7071. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  7072. type: string
  7073. organization:
  7074. description: |-
  7075. Organization are a space to collaborate on shared projects and stacks.
  7076. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  7077. type: string
  7078. project:
  7079. description: Project is the name of the Pulumi ESC project the environment belongs to.
  7080. type: string
  7081. required:
  7082. - environment
  7083. - organization
  7084. - project
  7085. type: object
  7086. x-kubernetes-validations:
  7087. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  7088. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  7089. scaleway:
  7090. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  7091. properties:
  7092. accessKey:
  7093. description: AccessKey is the non-secret part of the api key.
  7094. properties:
  7095. secretRef:
  7096. description: SecretRef references a key in a secret that will be used as value.
  7097. properties:
  7098. key:
  7099. description: |-
  7100. A key in the referenced Secret.
  7101. Some instances of this field may be defaulted, in others it may be required.
  7102. maxLength: 253
  7103. minLength: 1
  7104. pattern: ^[-._a-zA-Z0-9]+$
  7105. type: string
  7106. name:
  7107. description: The name of the Secret resource being referred to.
  7108. maxLength: 253
  7109. minLength: 1
  7110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7111. type: string
  7112. namespace:
  7113. description: |-
  7114. The namespace of the Secret resource being referred to.
  7115. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7116. maxLength: 63
  7117. minLength: 1
  7118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7119. type: string
  7120. type: object
  7121. value:
  7122. description: Value can be specified directly to set a value without using a secret.
  7123. type: string
  7124. type: object
  7125. apiUrl:
  7126. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  7127. type: string
  7128. projectId:
  7129. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  7130. type: string
  7131. region:
  7132. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  7133. type: string
  7134. secretKey:
  7135. description: SecretKey is the non-secret part of the api key.
  7136. properties:
  7137. secretRef:
  7138. description: SecretRef references a key in a secret that will be used as value.
  7139. properties:
  7140. key:
  7141. description: |-
  7142. A key in the referenced Secret.
  7143. Some instances of this field may be defaulted, in others it may be required.
  7144. maxLength: 253
  7145. minLength: 1
  7146. pattern: ^[-._a-zA-Z0-9]+$
  7147. type: string
  7148. name:
  7149. description: The name of the Secret resource being referred to.
  7150. maxLength: 253
  7151. minLength: 1
  7152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7153. type: string
  7154. namespace:
  7155. description: |-
  7156. The namespace of the Secret resource being referred to.
  7157. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7158. maxLength: 63
  7159. minLength: 1
  7160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7161. type: string
  7162. type: object
  7163. value:
  7164. description: Value can be specified directly to set a value without using a secret.
  7165. type: string
  7166. type: object
  7167. required:
  7168. - accessKey
  7169. - projectId
  7170. - region
  7171. - secretKey
  7172. type: object
  7173. secretserver:
  7174. description: |-
  7175. SecretServer configures this store to sync secrets using SecretServer provider
  7176. https://docs.delinea.com/online-help/secret-server/start.htm
  7177. properties:
  7178. caBundle:
  7179. description: |-
  7180. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  7181. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  7182. are used to validate the TLS connection.
  7183. format: byte
  7184. type: string
  7185. caProvider:
  7186. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  7187. properties:
  7188. key:
  7189. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7190. maxLength: 253
  7191. minLength: 1
  7192. pattern: ^[-._a-zA-Z0-9]+$
  7193. type: string
  7194. name:
  7195. description: The name of the object located at the provider type.
  7196. maxLength: 253
  7197. minLength: 1
  7198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7199. type: string
  7200. namespace:
  7201. description: |-
  7202. The namespace the Provider type is in.
  7203. Can only be defined when used in a ClusterSecretStore.
  7204. maxLength: 63
  7205. minLength: 1
  7206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7207. type: string
  7208. type:
  7209. description: The type of provider to use such as "Secret", or "ConfigMap".
  7210. enum:
  7211. - Secret
  7212. - ConfigMap
  7213. type: string
  7214. required:
  7215. - name
  7216. - type
  7217. type: object
  7218. domain:
  7219. description: Domain is the secret server domain.
  7220. type: string
  7221. password:
  7222. description: Password is the secret server account password.
  7223. properties:
  7224. secretRef:
  7225. description: SecretRef references a key in a secret that will be used as value.
  7226. properties:
  7227. key:
  7228. description: |-
  7229. A key in the referenced Secret.
  7230. Some instances of this field may be defaulted, in others it may be required.
  7231. maxLength: 253
  7232. minLength: 1
  7233. pattern: ^[-._a-zA-Z0-9]+$
  7234. type: string
  7235. name:
  7236. description: The name of the Secret resource being referred to.
  7237. maxLength: 253
  7238. minLength: 1
  7239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7240. type: string
  7241. namespace:
  7242. description: |-
  7243. The namespace of the Secret resource being referred to.
  7244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7245. maxLength: 63
  7246. minLength: 1
  7247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7248. type: string
  7249. type: object
  7250. value:
  7251. description: Value can be specified directly to set a value without using a secret.
  7252. type: string
  7253. type: object
  7254. serverURL:
  7255. description: |-
  7256. ServerURL
  7257. URL to your secret server installation
  7258. type: string
  7259. username:
  7260. description: Username is the secret server account username.
  7261. properties:
  7262. secretRef:
  7263. description: SecretRef references a key in a secret that will be used as value.
  7264. properties:
  7265. key:
  7266. description: |-
  7267. A key in the referenced Secret.
  7268. Some instances of this field may be defaulted, in others it may be required.
  7269. maxLength: 253
  7270. minLength: 1
  7271. pattern: ^[-._a-zA-Z0-9]+$
  7272. type: string
  7273. name:
  7274. description: The name of the Secret resource being referred to.
  7275. maxLength: 253
  7276. minLength: 1
  7277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7278. type: string
  7279. namespace:
  7280. description: |-
  7281. The namespace of the Secret resource being referred to.
  7282. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7283. maxLength: 63
  7284. minLength: 1
  7285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7286. type: string
  7287. type: object
  7288. value:
  7289. description: Value can be specified directly to set a value without using a secret.
  7290. type: string
  7291. type: object
  7292. required:
  7293. - password
  7294. - serverURL
  7295. - username
  7296. type: object
  7297. senhasegura:
  7298. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7299. properties:
  7300. auth:
  7301. description: Auth defines parameters to authenticate in senhasegura
  7302. properties:
  7303. clientId:
  7304. type: string
  7305. clientSecretSecretRef:
  7306. description: |-
  7307. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7308. In some instances, `key` is a required field.
  7309. properties:
  7310. key:
  7311. description: |-
  7312. A key in the referenced Secret.
  7313. Some instances of this field may be defaulted, in others it may be required.
  7314. maxLength: 253
  7315. minLength: 1
  7316. pattern: ^[-._a-zA-Z0-9]+$
  7317. type: string
  7318. name:
  7319. description: The name of the Secret resource being referred to.
  7320. maxLength: 253
  7321. minLength: 1
  7322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7323. type: string
  7324. namespace:
  7325. description: |-
  7326. The namespace of the Secret resource being referred to.
  7327. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7328. maxLength: 63
  7329. minLength: 1
  7330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7331. type: string
  7332. type: object
  7333. required:
  7334. - clientId
  7335. - clientSecretSecretRef
  7336. type: object
  7337. ignoreSslCertificate:
  7338. default: false
  7339. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  7340. type: boolean
  7341. module:
  7342. description: Module defines which senhasegura module should be used to get secrets
  7343. type: string
  7344. url:
  7345. description: URL of senhasegura
  7346. type: string
  7347. required:
  7348. - auth
  7349. - module
  7350. - url
  7351. type: object
  7352. vault:
  7353. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7354. properties:
  7355. auth:
  7356. description: Auth configures how secret-manager authenticates with the Vault server.
  7357. properties:
  7358. appRole:
  7359. description: |-
  7360. AppRole authenticates with Vault using the App Role auth mechanism,
  7361. with the role and secret stored in a Kubernetes Secret resource.
  7362. properties:
  7363. path:
  7364. default: approle
  7365. description: |-
  7366. Path where the App Role authentication backend is mounted
  7367. in Vault, e.g: "approle"
  7368. type: string
  7369. roleId:
  7370. description: |-
  7371. RoleID configured in the App Role authentication backend when setting
  7372. up the authentication backend in Vault.
  7373. type: string
  7374. roleRef:
  7375. description: |-
  7376. Reference to a key in a Secret that contains the App Role ID used
  7377. to authenticate with Vault.
  7378. The `key` field must be specified and denotes which entry within the Secret
  7379. resource is used as the app role id.
  7380. properties:
  7381. key:
  7382. description: |-
  7383. A key in the referenced Secret.
  7384. Some instances of this field may be defaulted, in others it may be required.
  7385. maxLength: 253
  7386. minLength: 1
  7387. pattern: ^[-._a-zA-Z0-9]+$
  7388. type: string
  7389. name:
  7390. description: The name of the Secret resource being referred to.
  7391. maxLength: 253
  7392. minLength: 1
  7393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7394. type: string
  7395. namespace:
  7396. description: |-
  7397. The namespace of the Secret resource being referred to.
  7398. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7399. maxLength: 63
  7400. minLength: 1
  7401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7402. type: string
  7403. type: object
  7404. secretRef:
  7405. description: |-
  7406. Reference to a key in a Secret that contains the App Role secret used
  7407. to authenticate with Vault.
  7408. The `key` field must be specified and denotes which entry within the Secret
  7409. resource is used as the app role secret.
  7410. properties:
  7411. key:
  7412. description: |-
  7413. A key in the referenced Secret.
  7414. Some instances of this field may be defaulted, in others it may be required.
  7415. maxLength: 253
  7416. minLength: 1
  7417. pattern: ^[-._a-zA-Z0-9]+$
  7418. type: string
  7419. name:
  7420. description: The name of the Secret resource being referred to.
  7421. maxLength: 253
  7422. minLength: 1
  7423. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7424. type: string
  7425. namespace:
  7426. description: |-
  7427. The namespace of the Secret resource being referred to.
  7428. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7429. maxLength: 63
  7430. minLength: 1
  7431. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7432. type: string
  7433. type: object
  7434. required:
  7435. - path
  7436. - secretRef
  7437. type: object
  7438. cert:
  7439. description: |-
  7440. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7441. Cert authentication method
  7442. properties:
  7443. clientCert:
  7444. description: |-
  7445. ClientCert is a certificate to authenticate using the Cert Vault
  7446. authentication method
  7447. properties:
  7448. key:
  7449. description: |-
  7450. A key in the referenced Secret.
  7451. Some instances of this field may be defaulted, in others it may be required.
  7452. maxLength: 253
  7453. minLength: 1
  7454. pattern: ^[-._a-zA-Z0-9]+$
  7455. type: string
  7456. name:
  7457. description: The name of the Secret resource being referred to.
  7458. maxLength: 253
  7459. minLength: 1
  7460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7461. type: string
  7462. namespace:
  7463. description: |-
  7464. The namespace of the Secret resource being referred to.
  7465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7466. maxLength: 63
  7467. minLength: 1
  7468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7469. type: string
  7470. type: object
  7471. path:
  7472. default: cert
  7473. description: |-
  7474. Path where the Certificate authentication backend is mounted
  7475. in Vault, e.g: "cert"
  7476. type: string
  7477. secretRef:
  7478. description: |-
  7479. SecretRef to a key in a Secret resource containing client private key to
  7480. authenticate with Vault using the Cert authentication method
  7481. properties:
  7482. key:
  7483. description: |-
  7484. A key in the referenced Secret.
  7485. Some instances of this field may be defaulted, in others it may be required.
  7486. maxLength: 253
  7487. minLength: 1
  7488. pattern: ^[-._a-zA-Z0-9]+$
  7489. type: string
  7490. name:
  7491. description: The name of the Secret resource being referred to.
  7492. maxLength: 253
  7493. minLength: 1
  7494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7495. type: string
  7496. namespace:
  7497. description: |-
  7498. The namespace of the Secret resource being referred to.
  7499. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7500. maxLength: 63
  7501. minLength: 1
  7502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7503. type: string
  7504. type: object
  7505. vaultRole:
  7506. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7507. type: string
  7508. type: object
  7509. gcp:
  7510. description: |-
  7511. Gcp authenticates with Vault using Google Cloud Platform authentication method
  7512. GCP authentication method
  7513. properties:
  7514. location:
  7515. description: Location optionally defines a location/region for the secret
  7516. type: string
  7517. path:
  7518. default: gcp
  7519. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7520. type: string
  7521. projectID:
  7522. description: Project ID of the Google Cloud Platform project
  7523. type: string
  7524. role:
  7525. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7526. type: string
  7527. secretRef:
  7528. description: Specify credentials in a Secret object
  7529. properties:
  7530. secretAccessKeySecretRef:
  7531. description: The SecretAccessKey is used for authentication
  7532. properties:
  7533. key:
  7534. description: |-
  7535. A key in the referenced Secret.
  7536. Some instances of this field may be defaulted, in others it may be required.
  7537. maxLength: 253
  7538. minLength: 1
  7539. pattern: ^[-._a-zA-Z0-9]+$
  7540. type: string
  7541. name:
  7542. description: The name of the Secret resource being referred to.
  7543. maxLength: 253
  7544. minLength: 1
  7545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7546. type: string
  7547. namespace:
  7548. description: |-
  7549. The namespace of the Secret resource being referred to.
  7550. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7551. maxLength: 63
  7552. minLength: 1
  7553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7554. type: string
  7555. type: object
  7556. type: object
  7557. serviceAccountRef:
  7558. description: ServiceAccountRef to a service account for impersonation
  7559. properties:
  7560. audiences:
  7561. description: |-
  7562. Audience specifies the `aud` claim for the service account token
  7563. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7564. then this audiences will be appended to the list
  7565. items:
  7566. type: string
  7567. type: array
  7568. name:
  7569. description: The name of the ServiceAccount resource being referred to.
  7570. maxLength: 253
  7571. minLength: 1
  7572. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7573. type: string
  7574. namespace:
  7575. description: |-
  7576. Namespace of the resource being referred to.
  7577. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7578. maxLength: 63
  7579. minLength: 1
  7580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7581. type: string
  7582. required:
  7583. - name
  7584. type: object
  7585. workloadIdentity:
  7586. description: Specify a service account with Workload Identity
  7587. properties:
  7588. clusterLocation:
  7589. description: |-
  7590. ClusterLocation is the location of the cluster
  7591. If not specified, it fetches information from the metadata server
  7592. type: string
  7593. clusterName:
  7594. description: |-
  7595. ClusterName is the name of the cluster
  7596. If not specified, it fetches information from the metadata server
  7597. type: string
  7598. clusterProjectID:
  7599. description: |-
  7600. ClusterProjectID is the project ID of the cluster
  7601. If not specified, it fetches information from the metadata server
  7602. type: string
  7603. serviceAccountRef:
  7604. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7605. properties:
  7606. audiences:
  7607. description: |-
  7608. Audience specifies the `aud` claim for the service account token
  7609. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7610. then this audiences will be appended to the list
  7611. items:
  7612. type: string
  7613. type: array
  7614. name:
  7615. description: The name of the ServiceAccount resource being referred to.
  7616. maxLength: 253
  7617. minLength: 1
  7618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7619. type: string
  7620. namespace:
  7621. description: |-
  7622. Namespace of the resource being referred to.
  7623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7624. maxLength: 63
  7625. minLength: 1
  7626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7627. type: string
  7628. required:
  7629. - name
  7630. type: object
  7631. required:
  7632. - serviceAccountRef
  7633. type: object
  7634. required:
  7635. - role
  7636. type: object
  7637. iam:
  7638. description: |-
  7639. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  7640. AWS IAM authentication method
  7641. properties:
  7642. externalID:
  7643. description: AWS External ID set on assumed IAM roles
  7644. type: string
  7645. jwt:
  7646. description: Specify a service account with IRSA enabled
  7647. properties:
  7648. serviceAccountRef:
  7649. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7650. properties:
  7651. audiences:
  7652. description: |-
  7653. Audience specifies the `aud` claim for the service account token
  7654. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7655. then this audiences will be appended to the list
  7656. items:
  7657. type: string
  7658. type: array
  7659. name:
  7660. description: The name of the ServiceAccount resource being referred to.
  7661. maxLength: 253
  7662. minLength: 1
  7663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7664. type: string
  7665. namespace:
  7666. description: |-
  7667. Namespace of the resource being referred to.
  7668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7669. maxLength: 63
  7670. minLength: 1
  7671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7672. type: string
  7673. required:
  7674. - name
  7675. type: object
  7676. type: object
  7677. path:
  7678. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7679. type: string
  7680. region:
  7681. description: AWS region
  7682. type: string
  7683. role:
  7684. description: This is the AWS role to be assumed before talking to vault
  7685. type: string
  7686. secretRef:
  7687. description: Specify credentials in a Secret object
  7688. properties:
  7689. accessKeyIDSecretRef:
  7690. description: The AccessKeyID is used for authentication
  7691. properties:
  7692. key:
  7693. description: |-
  7694. A key in the referenced Secret.
  7695. Some instances of this field may be defaulted, in others it may be required.
  7696. maxLength: 253
  7697. minLength: 1
  7698. pattern: ^[-._a-zA-Z0-9]+$
  7699. type: string
  7700. name:
  7701. description: The name of the Secret resource being referred to.
  7702. maxLength: 253
  7703. minLength: 1
  7704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7705. type: string
  7706. namespace:
  7707. description: |-
  7708. The namespace of the Secret resource being referred to.
  7709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7710. maxLength: 63
  7711. minLength: 1
  7712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7713. type: string
  7714. type: object
  7715. secretAccessKeySecretRef:
  7716. description: The SecretAccessKey is used for authentication
  7717. properties:
  7718. key:
  7719. description: |-
  7720. A key in the referenced Secret.
  7721. Some instances of this field may be defaulted, in others it may be required.
  7722. maxLength: 253
  7723. minLength: 1
  7724. pattern: ^[-._a-zA-Z0-9]+$
  7725. type: string
  7726. name:
  7727. description: The name of the Secret resource being referred to.
  7728. maxLength: 253
  7729. minLength: 1
  7730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7731. type: string
  7732. namespace:
  7733. description: |-
  7734. The namespace of the Secret resource being referred to.
  7735. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7736. maxLength: 63
  7737. minLength: 1
  7738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7739. type: string
  7740. type: object
  7741. sessionTokenSecretRef:
  7742. description: |-
  7743. The SessionToken used for authentication
  7744. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7745. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7746. properties:
  7747. key:
  7748. description: |-
  7749. A key in the referenced Secret.
  7750. Some instances of this field may be defaulted, in others it may be required.
  7751. maxLength: 253
  7752. minLength: 1
  7753. pattern: ^[-._a-zA-Z0-9]+$
  7754. type: string
  7755. name:
  7756. description: The name of the Secret resource being referred to.
  7757. maxLength: 253
  7758. minLength: 1
  7759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7760. type: string
  7761. namespace:
  7762. description: |-
  7763. The namespace of the Secret resource being referred to.
  7764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7765. maxLength: 63
  7766. minLength: 1
  7767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7768. type: string
  7769. type: object
  7770. type: object
  7771. vaultAwsIamServerID:
  7772. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7773. type: string
  7774. vaultRole:
  7775. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7776. type: string
  7777. required:
  7778. - vaultRole
  7779. type: object
  7780. jwt:
  7781. description: |-
  7782. Jwt authenticates with Vault by passing role and JWT token using the
  7783. JWT/OIDC authentication method
  7784. properties:
  7785. kubernetesServiceAccountToken:
  7786. description: |-
  7787. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7788. a token for with the `TokenRequest` API.
  7789. properties:
  7790. audiences:
  7791. description: |-
  7792. Optional audiences field that will be used to request a temporary Kubernetes service
  7793. account token for the service account referenced by `serviceAccountRef`.
  7794. Defaults to a single audience `vault` it not specified.
  7795. Deprecated: use serviceAccountRef.Audiences instead
  7796. items:
  7797. type: string
  7798. type: array
  7799. expirationSeconds:
  7800. description: |-
  7801. Optional expiration time in seconds that will be used to request a temporary
  7802. Kubernetes service account token for the service account referenced by
  7803. `serviceAccountRef`.
  7804. Deprecated: this will be removed in the future.
  7805. Defaults to 10 minutes.
  7806. type: integer
  7807. serviceAccountRef:
  7808. description: Service account field containing the name of a kubernetes ServiceAccount.
  7809. properties:
  7810. audiences:
  7811. description: |-
  7812. Audience specifies the `aud` claim for the service account token
  7813. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7814. then this audiences will be appended to the list
  7815. items:
  7816. type: string
  7817. type: array
  7818. name:
  7819. description: The name of the ServiceAccount resource being referred to.
  7820. maxLength: 253
  7821. minLength: 1
  7822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7823. type: string
  7824. namespace:
  7825. description: |-
  7826. Namespace of the resource being referred to.
  7827. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7828. maxLength: 63
  7829. minLength: 1
  7830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7831. type: string
  7832. required:
  7833. - name
  7834. type: object
  7835. required:
  7836. - serviceAccountRef
  7837. type: object
  7838. path:
  7839. default: jwt
  7840. description: |-
  7841. Path where the JWT authentication backend is mounted
  7842. in Vault, e.g: "jwt"
  7843. type: string
  7844. role:
  7845. description: |-
  7846. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7847. authentication method
  7848. type: string
  7849. secretRef:
  7850. description: |-
  7851. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7852. authenticate with Vault using the JWT/OIDC authentication method.
  7853. properties:
  7854. key:
  7855. description: |-
  7856. A key in the referenced Secret.
  7857. Some instances of this field may be defaulted, in others it may be required.
  7858. maxLength: 253
  7859. minLength: 1
  7860. pattern: ^[-._a-zA-Z0-9]+$
  7861. type: string
  7862. name:
  7863. description: The name of the Secret resource being referred to.
  7864. maxLength: 253
  7865. minLength: 1
  7866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7867. type: string
  7868. namespace:
  7869. description: |-
  7870. The namespace of the Secret resource being referred to.
  7871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7872. maxLength: 63
  7873. minLength: 1
  7874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7875. type: string
  7876. type: object
  7877. required:
  7878. - path
  7879. type: object
  7880. kubernetes:
  7881. description: |-
  7882. Kubernetes authenticates with Vault by passing the ServiceAccount
  7883. token stored in the named Secret resource to the Vault server.
  7884. properties:
  7885. mountPath:
  7886. default: kubernetes
  7887. description: |-
  7888. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7889. "kubernetes"
  7890. type: string
  7891. role:
  7892. description: |-
  7893. A required field containing the Vault Role to assume. A Role binds a
  7894. Kubernetes ServiceAccount with a set of Vault policies.
  7895. type: string
  7896. secretRef:
  7897. description: |-
  7898. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7899. for authenticating with Vault. If a name is specified without a key,
  7900. `token` is the default. If one is not specified, the one bound to
  7901. the controller will be used.
  7902. properties:
  7903. key:
  7904. description: |-
  7905. A key in the referenced Secret.
  7906. Some instances of this field may be defaulted, in others it may be required.
  7907. maxLength: 253
  7908. minLength: 1
  7909. pattern: ^[-._a-zA-Z0-9]+$
  7910. type: string
  7911. name:
  7912. description: The name of the Secret resource being referred to.
  7913. maxLength: 253
  7914. minLength: 1
  7915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7916. type: string
  7917. namespace:
  7918. description: |-
  7919. The namespace of the Secret resource being referred to.
  7920. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7921. maxLength: 63
  7922. minLength: 1
  7923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7924. type: string
  7925. type: object
  7926. serviceAccountRef:
  7927. description: |-
  7928. Optional service account field containing the name of a kubernetes ServiceAccount.
  7929. If the service account is specified, the service account secret token JWT will be used
  7930. for authenticating with Vault. If the service account selector is not supplied,
  7931. the secretRef will be used instead.
  7932. properties:
  7933. audiences:
  7934. description: |-
  7935. Audience specifies the `aud` claim for the service account token
  7936. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7937. then this audiences will be appended to the list
  7938. items:
  7939. type: string
  7940. type: array
  7941. name:
  7942. description: The name of the ServiceAccount resource being referred to.
  7943. maxLength: 253
  7944. minLength: 1
  7945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7946. type: string
  7947. namespace:
  7948. description: |-
  7949. Namespace of the resource being referred to.
  7950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7951. maxLength: 63
  7952. minLength: 1
  7953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7954. type: string
  7955. required:
  7956. - name
  7957. type: object
  7958. required:
  7959. - mountPath
  7960. - role
  7961. type: object
  7962. ldap:
  7963. description: |-
  7964. Ldap authenticates with Vault by passing username/password pair using
  7965. the LDAP authentication method
  7966. properties:
  7967. path:
  7968. default: ldap
  7969. description: |-
  7970. Path where the LDAP authentication backend is mounted
  7971. in Vault, e.g: "ldap"
  7972. type: string
  7973. secretRef:
  7974. description: |-
  7975. SecretRef to a key in a Secret resource containing password for the LDAP
  7976. user used to authenticate with Vault using the LDAP authentication
  7977. method
  7978. properties:
  7979. key:
  7980. description: |-
  7981. A key in the referenced Secret.
  7982. Some instances of this field may be defaulted, in others it may be required.
  7983. maxLength: 253
  7984. minLength: 1
  7985. pattern: ^[-._a-zA-Z0-9]+$
  7986. type: string
  7987. name:
  7988. description: The name of the Secret resource being referred to.
  7989. maxLength: 253
  7990. minLength: 1
  7991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7992. type: string
  7993. namespace:
  7994. description: |-
  7995. The namespace of the Secret resource being referred to.
  7996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7997. maxLength: 63
  7998. minLength: 1
  7999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8000. type: string
  8001. type: object
  8002. username:
  8003. description: |-
  8004. Username is an LDAP username used to authenticate using the LDAP Vault
  8005. authentication method
  8006. type: string
  8007. required:
  8008. - path
  8009. - username
  8010. type: object
  8011. namespace:
  8012. description: |-
  8013. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  8014. Namespaces is a set of features within Vault Enterprise that allows
  8015. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8016. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8017. This will default to Vault.Namespace field if set, or empty otherwise
  8018. type: string
  8019. tokenSecretRef:
  8020. description: TokenSecretRef authenticates with Vault by presenting a token.
  8021. properties:
  8022. key:
  8023. description: |-
  8024. A key in the referenced Secret.
  8025. Some instances of this field may be defaulted, in others it may be required.
  8026. maxLength: 253
  8027. minLength: 1
  8028. pattern: ^[-._a-zA-Z0-9]+$
  8029. type: string
  8030. name:
  8031. description: The name of the Secret resource being referred to.
  8032. maxLength: 253
  8033. minLength: 1
  8034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8035. type: string
  8036. namespace:
  8037. description: |-
  8038. The namespace of the Secret resource being referred to.
  8039. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8040. maxLength: 63
  8041. minLength: 1
  8042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8043. type: string
  8044. type: object
  8045. userPass:
  8046. description: UserPass authenticates with Vault by passing username/password pair
  8047. properties:
  8048. path:
  8049. default: userpass
  8050. description: |-
  8051. Path where the UserPassword authentication backend is mounted
  8052. in Vault, e.g: "userpass"
  8053. type: string
  8054. secretRef:
  8055. description: |-
  8056. SecretRef to a key in a Secret resource containing password for the
  8057. user used to authenticate with Vault using the UserPass authentication
  8058. method
  8059. properties:
  8060. key:
  8061. description: |-
  8062. A key in the referenced Secret.
  8063. Some instances of this field may be defaulted, in others it may be required.
  8064. maxLength: 253
  8065. minLength: 1
  8066. pattern: ^[-._a-zA-Z0-9]+$
  8067. type: string
  8068. name:
  8069. description: The name of the Secret resource being referred to.
  8070. maxLength: 253
  8071. minLength: 1
  8072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8073. type: string
  8074. namespace:
  8075. description: |-
  8076. The namespace of the Secret resource being referred to.
  8077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8078. maxLength: 63
  8079. minLength: 1
  8080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8081. type: string
  8082. type: object
  8083. username:
  8084. description: |-
  8085. Username is a username used to authenticate using the UserPass Vault
  8086. authentication method
  8087. type: string
  8088. required:
  8089. - path
  8090. - username
  8091. type: object
  8092. type: object
  8093. caBundle:
  8094. description: |-
  8095. PEM encoded CA bundle used to validate Vault server certificate. Only used
  8096. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8097. plain HTTP protocol connection. If not set the system root certificates
  8098. are used to validate the TLS connection.
  8099. format: byte
  8100. type: string
  8101. caProvider:
  8102. description: The provider for the CA bundle to use to validate Vault server certificate.
  8103. properties:
  8104. key:
  8105. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8106. maxLength: 253
  8107. minLength: 1
  8108. pattern: ^[-._a-zA-Z0-9]+$
  8109. type: string
  8110. name:
  8111. description: The name of the object located at the provider type.
  8112. maxLength: 253
  8113. minLength: 1
  8114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8115. type: string
  8116. namespace:
  8117. description: |-
  8118. The namespace the Provider type is in.
  8119. Can only be defined when used in a ClusterSecretStore.
  8120. maxLength: 63
  8121. minLength: 1
  8122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8123. type: string
  8124. type:
  8125. description: The type of provider to use such as "Secret", or "ConfigMap".
  8126. enum:
  8127. - Secret
  8128. - ConfigMap
  8129. type: string
  8130. required:
  8131. - name
  8132. - type
  8133. type: object
  8134. checkAndSet:
  8135. description: |-
  8136. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  8137. Only applies to Vault KV v2 stores. When enabled, write operations must include
  8138. the current version of the secret to prevent unintentional overwrites.
  8139. properties:
  8140. required:
  8141. description: |-
  8142. Required when true, all write operations must include a check-and-set parameter.
  8143. This helps prevent unintentional overwrites of secrets.
  8144. type: boolean
  8145. type: object
  8146. forwardInconsistent:
  8147. description: |-
  8148. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8149. leader instead of simply retrying within a loop. This can increase performance if
  8150. the option is enabled serverside.
  8151. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8152. type: boolean
  8153. headers:
  8154. additionalProperties:
  8155. type: string
  8156. description: Headers to be added in Vault request
  8157. type: object
  8158. namespace:
  8159. description: |-
  8160. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8161. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8162. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8163. type: string
  8164. path:
  8165. description: |-
  8166. Path is the mount path of the Vault KV backend endpoint, e.g:
  8167. "secret". The v2 KV secret engine version specific "/data" path suffix
  8168. for fetching secrets from Vault is optional and will be appended
  8169. if not present in specified path.
  8170. type: string
  8171. readYourWrites:
  8172. description: |-
  8173. ReadYourWrites ensures isolated read-after-write semantics by
  8174. providing discovered cluster replication states in each request.
  8175. More information about eventual consistency in Vault can be found here
  8176. https://www.vaultproject.io/docs/enterprise/consistency
  8177. type: boolean
  8178. server:
  8179. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8180. type: string
  8181. tls:
  8182. description: |-
  8183. The configuration used for client side related TLS communication, when the Vault server
  8184. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  8185. This parameter is ignored for plain HTTP protocol connection.
  8186. It's worth noting this configuration is different from the "TLS certificates auth method",
  8187. which is available under the `auth.cert` section.
  8188. properties:
  8189. certSecretRef:
  8190. description: |-
  8191. CertSecretRef is a certificate added to the transport layer
  8192. when communicating with the Vault server.
  8193. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  8194. properties:
  8195. key:
  8196. description: |-
  8197. A key in the referenced Secret.
  8198. Some instances of this field may be defaulted, in others it may be required.
  8199. maxLength: 253
  8200. minLength: 1
  8201. pattern: ^[-._a-zA-Z0-9]+$
  8202. type: string
  8203. name:
  8204. description: The name of the Secret resource being referred to.
  8205. maxLength: 253
  8206. minLength: 1
  8207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8208. type: string
  8209. namespace:
  8210. description: |-
  8211. The namespace of the Secret resource being referred to.
  8212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8213. maxLength: 63
  8214. minLength: 1
  8215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8216. type: string
  8217. type: object
  8218. keySecretRef:
  8219. description: |-
  8220. KeySecretRef to a key in a Secret resource containing client private key
  8221. added to the transport layer when communicating with the Vault server.
  8222. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  8223. properties:
  8224. key:
  8225. description: |-
  8226. A key in the referenced Secret.
  8227. Some instances of this field may be defaulted, in others it may be required.
  8228. maxLength: 253
  8229. minLength: 1
  8230. pattern: ^[-._a-zA-Z0-9]+$
  8231. type: string
  8232. name:
  8233. description: The name of the Secret resource being referred to.
  8234. maxLength: 253
  8235. minLength: 1
  8236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8237. type: string
  8238. namespace:
  8239. description: |-
  8240. The namespace of the Secret resource being referred to.
  8241. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8242. maxLength: 63
  8243. minLength: 1
  8244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8245. type: string
  8246. type: object
  8247. type: object
  8248. version:
  8249. default: v2
  8250. description: |-
  8251. Version is the Vault KV secret engine version. This can be either "v1" or
  8252. "v2". Version defaults to "v2".
  8253. enum:
  8254. - v1
  8255. - v2
  8256. type: string
  8257. required:
  8258. - server
  8259. type: object
  8260. volcengine:
  8261. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8262. properties:
  8263. auth:
  8264. description: |-
  8265. Auth defines the authentication method to use.
  8266. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8267. properties:
  8268. secretRef:
  8269. description: |-
  8270. SecretRef defines the static credentials to use for authentication.
  8271. If not set, IRSA is used.
  8272. properties:
  8273. accessKeyID:
  8274. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8275. properties:
  8276. key:
  8277. description: |-
  8278. A key in the referenced Secret.
  8279. Some instances of this field may be defaulted, in others it may be required.
  8280. maxLength: 253
  8281. minLength: 1
  8282. pattern: ^[-._a-zA-Z0-9]+$
  8283. type: string
  8284. name:
  8285. description: The name of the Secret resource being referred to.
  8286. maxLength: 253
  8287. minLength: 1
  8288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8289. type: string
  8290. namespace:
  8291. description: |-
  8292. The namespace of the Secret resource being referred to.
  8293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8294. maxLength: 63
  8295. minLength: 1
  8296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8297. type: string
  8298. type: object
  8299. secretAccessKey:
  8300. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8301. properties:
  8302. key:
  8303. description: |-
  8304. A key in the referenced Secret.
  8305. Some instances of this field may be defaulted, in others it may be required.
  8306. maxLength: 253
  8307. minLength: 1
  8308. pattern: ^[-._a-zA-Z0-9]+$
  8309. type: string
  8310. name:
  8311. description: The name of the Secret resource being referred to.
  8312. maxLength: 253
  8313. minLength: 1
  8314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8315. type: string
  8316. namespace:
  8317. description: |-
  8318. The namespace of the Secret resource being referred to.
  8319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8320. maxLength: 63
  8321. minLength: 1
  8322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8323. type: string
  8324. type: object
  8325. token:
  8326. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8327. properties:
  8328. key:
  8329. description: |-
  8330. A key in the referenced Secret.
  8331. Some instances of this field may be defaulted, in others it may be required.
  8332. maxLength: 253
  8333. minLength: 1
  8334. pattern: ^[-._a-zA-Z0-9]+$
  8335. type: string
  8336. name:
  8337. description: The name of the Secret resource being referred to.
  8338. maxLength: 253
  8339. minLength: 1
  8340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8341. type: string
  8342. namespace:
  8343. description: |-
  8344. The namespace of the Secret resource being referred to.
  8345. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8346. maxLength: 63
  8347. minLength: 1
  8348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8349. type: string
  8350. type: object
  8351. required:
  8352. - accessKeyID
  8353. - secretAccessKey
  8354. type: object
  8355. type: object
  8356. region:
  8357. description: Region specifies the Volcengine region to connect to.
  8358. type: string
  8359. required:
  8360. - region
  8361. type: object
  8362. webhook:
  8363. description: Webhook configures this store to sync secrets using a generic templated webhook
  8364. properties:
  8365. auth:
  8366. description: Auth specifies a authorization protocol. Only one protocol may be set.
  8367. maxProperties: 1
  8368. minProperties: 1
  8369. properties:
  8370. ntlm:
  8371. description: NTLMProtocol configures the store to use NTLM for auth
  8372. properties:
  8373. passwordSecret:
  8374. description: |-
  8375. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8376. In some instances, `key` is a required field.
  8377. properties:
  8378. key:
  8379. description: |-
  8380. A key in the referenced Secret.
  8381. Some instances of this field may be defaulted, in others it may be required.
  8382. maxLength: 253
  8383. minLength: 1
  8384. pattern: ^[-._a-zA-Z0-9]+$
  8385. type: string
  8386. name:
  8387. description: The name of the Secret resource being referred to.
  8388. maxLength: 253
  8389. minLength: 1
  8390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8391. type: string
  8392. namespace:
  8393. description: |-
  8394. The namespace of the Secret resource being referred to.
  8395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8396. maxLength: 63
  8397. minLength: 1
  8398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8399. type: string
  8400. type: object
  8401. usernameSecret:
  8402. description: |-
  8403. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8404. In some instances, `key` is a required field.
  8405. properties:
  8406. key:
  8407. description: |-
  8408. A key in the referenced Secret.
  8409. Some instances of this field may be defaulted, in others it may be required.
  8410. maxLength: 253
  8411. minLength: 1
  8412. pattern: ^[-._a-zA-Z0-9]+$
  8413. type: string
  8414. name:
  8415. description: The name of the Secret resource being referred to.
  8416. maxLength: 253
  8417. minLength: 1
  8418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8419. type: string
  8420. namespace:
  8421. description: |-
  8422. The namespace of the Secret resource being referred to.
  8423. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8424. maxLength: 63
  8425. minLength: 1
  8426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8427. type: string
  8428. type: object
  8429. required:
  8430. - passwordSecret
  8431. - usernameSecret
  8432. type: object
  8433. type: object
  8434. body:
  8435. description: Body
  8436. type: string
  8437. caBundle:
  8438. description: |-
  8439. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8440. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8441. plain HTTP protocol connection. If not set the system root certificates
  8442. are used to validate the TLS connection.
  8443. format: byte
  8444. type: string
  8445. caProvider:
  8446. description: The provider for the CA bundle to use to validate webhook server certificate.
  8447. properties:
  8448. key:
  8449. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8450. maxLength: 253
  8451. minLength: 1
  8452. pattern: ^[-._a-zA-Z0-9]+$
  8453. type: string
  8454. name:
  8455. description: The name of the object located at the provider type.
  8456. maxLength: 253
  8457. minLength: 1
  8458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8459. type: string
  8460. namespace:
  8461. description: The namespace the Provider type is in.
  8462. maxLength: 63
  8463. minLength: 1
  8464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8465. type: string
  8466. type:
  8467. description: The type of provider to use such as "Secret", or "ConfigMap".
  8468. enum:
  8469. - Secret
  8470. - ConfigMap
  8471. type: string
  8472. required:
  8473. - name
  8474. - type
  8475. type: object
  8476. headers:
  8477. additionalProperties:
  8478. type: string
  8479. description: Headers
  8480. type: object
  8481. method:
  8482. description: Webhook Method
  8483. type: string
  8484. result:
  8485. description: Result formatting
  8486. properties:
  8487. jsonPath:
  8488. description: Json path of return value
  8489. type: string
  8490. type: object
  8491. secrets:
  8492. description: |-
  8493. Secrets to fill in templates
  8494. These secrets will be passed to the templating function as key value pairs under the given name
  8495. items:
  8496. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8497. properties:
  8498. name:
  8499. description: Name of this secret in templates
  8500. type: string
  8501. secretRef:
  8502. description: Secret ref to fill in credentials
  8503. properties:
  8504. key:
  8505. description: |-
  8506. A key in the referenced Secret.
  8507. Some instances of this field may be defaulted, in others it may be required.
  8508. maxLength: 253
  8509. minLength: 1
  8510. pattern: ^[-._a-zA-Z0-9]+$
  8511. type: string
  8512. name:
  8513. description: The name of the Secret resource being referred to.
  8514. maxLength: 253
  8515. minLength: 1
  8516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8517. type: string
  8518. namespace:
  8519. description: |-
  8520. The namespace of the Secret resource being referred to.
  8521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8522. maxLength: 63
  8523. minLength: 1
  8524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8525. type: string
  8526. type: object
  8527. required:
  8528. - name
  8529. - secretRef
  8530. type: object
  8531. type: array
  8532. timeout:
  8533. description: Timeout
  8534. type: string
  8535. url:
  8536. description: Webhook url to call
  8537. type: string
  8538. required:
  8539. - url
  8540. type: object
  8541. yandexcertificatemanager:
  8542. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8543. properties:
  8544. apiEndpoint:
  8545. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8546. type: string
  8547. auth:
  8548. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8549. properties:
  8550. authorizedKeySecretRef:
  8551. description: The authorized key used for authentication
  8552. properties:
  8553. key:
  8554. description: |-
  8555. A key in the referenced Secret.
  8556. Some instances of this field may be defaulted, in others it may be required.
  8557. maxLength: 253
  8558. minLength: 1
  8559. pattern: ^[-._a-zA-Z0-9]+$
  8560. type: string
  8561. name:
  8562. description: The name of the Secret resource being referred to.
  8563. maxLength: 253
  8564. minLength: 1
  8565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8566. type: string
  8567. namespace:
  8568. description: |-
  8569. The namespace of the Secret resource being referred to.
  8570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8571. maxLength: 63
  8572. minLength: 1
  8573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8574. type: string
  8575. type: object
  8576. type: object
  8577. caProvider:
  8578. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8579. properties:
  8580. certSecretRef:
  8581. description: |-
  8582. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8583. In some instances, `key` is a required field.
  8584. properties:
  8585. key:
  8586. description: |-
  8587. A key in the referenced Secret.
  8588. Some instances of this field may be defaulted, in others it may be required.
  8589. maxLength: 253
  8590. minLength: 1
  8591. pattern: ^[-._a-zA-Z0-9]+$
  8592. type: string
  8593. name:
  8594. description: The name of the Secret resource being referred to.
  8595. maxLength: 253
  8596. minLength: 1
  8597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8598. type: string
  8599. namespace:
  8600. description: |-
  8601. The namespace of the Secret resource being referred to.
  8602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8603. maxLength: 63
  8604. minLength: 1
  8605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8606. type: string
  8607. type: object
  8608. type: object
  8609. fetching:
  8610. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8611. maxProperties: 1
  8612. minProperties: 1
  8613. properties:
  8614. byID:
  8615. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8616. type: object
  8617. byName:
  8618. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8619. properties:
  8620. folderID:
  8621. description: The folder to fetch secrets from
  8622. type: string
  8623. required:
  8624. - folderID
  8625. type: object
  8626. type: object
  8627. required:
  8628. - auth
  8629. type: object
  8630. yandexlockbox:
  8631. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8632. properties:
  8633. apiEndpoint:
  8634. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8635. type: string
  8636. auth:
  8637. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8638. properties:
  8639. authorizedKeySecretRef:
  8640. description: The authorized key used for authentication
  8641. properties:
  8642. key:
  8643. description: |-
  8644. A key in the referenced Secret.
  8645. Some instances of this field may be defaulted, in others it may be required.
  8646. maxLength: 253
  8647. minLength: 1
  8648. pattern: ^[-._a-zA-Z0-9]+$
  8649. type: string
  8650. name:
  8651. description: The name of the Secret resource being referred to.
  8652. maxLength: 253
  8653. minLength: 1
  8654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8655. type: string
  8656. namespace:
  8657. description: |-
  8658. The namespace of the Secret resource being referred to.
  8659. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8660. maxLength: 63
  8661. minLength: 1
  8662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8663. type: string
  8664. type: object
  8665. type: object
  8666. caProvider:
  8667. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8668. properties:
  8669. certSecretRef:
  8670. description: |-
  8671. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8672. In some instances, `key` is a required field.
  8673. properties:
  8674. key:
  8675. description: |-
  8676. A key in the referenced Secret.
  8677. Some instances of this field may be defaulted, in others it may be required.
  8678. maxLength: 253
  8679. minLength: 1
  8680. pattern: ^[-._a-zA-Z0-9]+$
  8681. type: string
  8682. name:
  8683. description: The name of the Secret resource being referred to.
  8684. maxLength: 253
  8685. minLength: 1
  8686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8687. type: string
  8688. namespace:
  8689. description: |-
  8690. The namespace of the Secret resource being referred to.
  8691. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8692. maxLength: 63
  8693. minLength: 1
  8694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8695. type: string
  8696. type: object
  8697. type: object
  8698. fetching:
  8699. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8700. maxProperties: 1
  8701. minProperties: 1
  8702. properties:
  8703. byID:
  8704. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8705. type: object
  8706. byName:
  8707. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8708. properties:
  8709. folderID:
  8710. description: The folder to fetch secrets from
  8711. type: string
  8712. required:
  8713. - folderID
  8714. type: object
  8715. type: object
  8716. required:
  8717. - auth
  8718. type: object
  8719. type: object
  8720. providerRef:
  8721. description: ProviderRef references a provider configuration managed externally.
  8722. properties:
  8723. apiVersion:
  8724. description: APIVersion identifies the API schema version for the provider resource.
  8725. minLength: 1
  8726. type: string
  8727. kind:
  8728. description: Kind identifies the provider resource type referenced by this store.
  8729. minLength: 1
  8730. type: string
  8731. name:
  8732. description: Name is the provider resource name referenced by this store.
  8733. maxLength: 253
  8734. minLength: 1
  8735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8736. type: string
  8737. namespace:
  8738. description: Namespace is the provider resource namespace referenced by this store.
  8739. maxLength: 63
  8740. minLength: 1
  8741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8742. type: string
  8743. required:
  8744. - apiVersion
  8745. - kind
  8746. - name
  8747. type: object
  8748. refreshInterval:
  8749. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8750. type: integer
  8751. retrySettings:
  8752. description: Used to configure HTTP retries on failures.
  8753. properties:
  8754. maxRetries:
  8755. type: integer
  8756. retryInterval:
  8757. type: string
  8758. type: object
  8759. runtimeRef:
  8760. description: RuntimeRef points to runtime configuration for this store.
  8761. properties:
  8762. kind:
  8763. description: Kind identifies the runtime resource type referenced by this store.
  8764. enum:
  8765. - ProviderClass
  8766. - ClusterProviderClass
  8767. type: string
  8768. name:
  8769. description: Name is the runtime resource name referenced by this store.
  8770. maxLength: 253
  8771. minLength: 1
  8772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8773. type: string
  8774. required:
  8775. - name
  8776. type: object
  8777. type: object
  8778. x-kubernetes-validations:
  8779. - message: exactly one of spec.provider or spec.providerRef must be set
  8780. rule: (has(self.provider) && !has(self.providerRef)) || (!has(self.provider) && has(self.providerRef))
  8781. - message: spec.runtimeRef must be empty when spec.provider is set
  8782. rule: '!(has(self.provider) && has(self.runtimeRef))'
  8783. - message: spec.runtimeRef is required when spec.providerRef is set
  8784. rule: '!has(self.providerRef) || has(self.runtimeRef)'
  8785. status:
  8786. description: SecretStoreStatus defines the observed state of the SecretStore.
  8787. properties:
  8788. capabilities:
  8789. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8790. type: string
  8791. conditions:
  8792. items:
  8793. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8794. properties:
  8795. lastTransitionTime:
  8796. format: date-time
  8797. type: string
  8798. message:
  8799. type: string
  8800. reason:
  8801. type: string
  8802. status:
  8803. type: string
  8804. type:
  8805. description: SecretStoreConditionType represents the condition of the SecretStore.
  8806. type: string
  8807. required:
  8808. - status
  8809. - type
  8810. type: object
  8811. type: array
  8812. type: object
  8813. type: object
  8814. served: true
  8815. storage: true
  8816. subresources:
  8817. status: {}
  8818. - additionalPrinterColumns:
  8819. - jsonPath: .metadata.creationTimestamp
  8820. name: AGE
  8821. type: date
  8822. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8823. name: Status
  8824. type: string
  8825. - jsonPath: .status.capabilities
  8826. name: Capabilities
  8827. type: string
  8828. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8829. name: Ready
  8830. type: string
  8831. deprecated: true
  8832. name: v1beta1
  8833. schema:
  8834. openAPIV3Schema:
  8835. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8836. properties:
  8837. apiVersion:
  8838. description: |-
  8839. APIVersion defines the versioned schema of this representation of an object.
  8840. Servers should convert recognized schemas to the latest internal value, and
  8841. may reject unrecognized values.
  8842. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8843. type: string
  8844. kind:
  8845. description: |-
  8846. Kind is a string value representing the REST resource this object represents.
  8847. Servers may infer this from the endpoint the client submits requests to.
  8848. Cannot be updated.
  8849. In CamelCase.
  8850. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8851. type: string
  8852. metadata:
  8853. type: object
  8854. spec:
  8855. description: SecretStoreSpec defines the desired state of SecretStore.
  8856. properties:
  8857. conditions:
  8858. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8859. items:
  8860. description: |-
  8861. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8862. for a ClusterSecretStore instance.
  8863. properties:
  8864. namespaceRegexes:
  8865. description: Choose namespaces by using regex matching
  8866. items:
  8867. type: string
  8868. type: array
  8869. namespaceSelector:
  8870. description: Choose namespace using a labelSelector
  8871. properties:
  8872. matchExpressions:
  8873. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8874. items:
  8875. description: |-
  8876. A label selector requirement is a selector that contains values, a key, and an operator that
  8877. relates the key and values.
  8878. properties:
  8879. key:
  8880. description: key is the label key that the selector applies to.
  8881. type: string
  8882. operator:
  8883. description: |-
  8884. operator represents a key's relationship to a set of values.
  8885. Valid operators are In, NotIn, Exists and DoesNotExist.
  8886. type: string
  8887. values:
  8888. description: |-
  8889. values is an array of string values. If the operator is In or NotIn,
  8890. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8891. the values array must be empty. This array is replaced during a strategic
  8892. merge patch.
  8893. items:
  8894. type: string
  8895. type: array
  8896. x-kubernetes-list-type: atomic
  8897. required:
  8898. - key
  8899. - operator
  8900. type: object
  8901. type: array
  8902. x-kubernetes-list-type: atomic
  8903. matchLabels:
  8904. additionalProperties:
  8905. type: string
  8906. description: |-
  8907. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8908. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8909. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8910. type: object
  8911. type: object
  8912. x-kubernetes-map-type: atomic
  8913. namespaces:
  8914. description: Choose namespaces by name
  8915. items:
  8916. maxLength: 63
  8917. minLength: 1
  8918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8919. type: string
  8920. type: array
  8921. type: object
  8922. type: array
  8923. controller:
  8924. description: |-
  8925. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8926. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8927. type: string
  8928. provider:
  8929. description: Used to configure the provider. Only one provider may be set
  8930. maxProperties: 1
  8931. minProperties: 1
  8932. properties:
  8933. akeyless:
  8934. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8935. properties:
  8936. akeylessGWApiURL:
  8937. description: Akeyless GW API Url from which the secrets to be fetched from.
  8938. type: string
  8939. authSecretRef:
  8940. description: Auth configures how the operator authenticates with Akeyless.
  8941. properties:
  8942. kubernetesAuth:
  8943. description: |-
  8944. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8945. token stored in the named Secret resource.
  8946. properties:
  8947. accessID:
  8948. description: the Akeyless Kubernetes auth-method access-id
  8949. type: string
  8950. k8sConfName:
  8951. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8952. type: string
  8953. secretRef:
  8954. description: |-
  8955. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8956. for authenticating with Akeyless. If a name is specified without a key,
  8957. `token` is the default. If one is not specified, the one bound to
  8958. the controller will be used.
  8959. properties:
  8960. key:
  8961. description: |-
  8962. A key in the referenced Secret.
  8963. Some instances of this field may be defaulted, in others it may be required.
  8964. maxLength: 253
  8965. minLength: 1
  8966. pattern: ^[-._a-zA-Z0-9]+$
  8967. type: string
  8968. name:
  8969. description: The name of the Secret resource being referred to.
  8970. maxLength: 253
  8971. minLength: 1
  8972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8973. type: string
  8974. namespace:
  8975. description: |-
  8976. The namespace of the Secret resource being referred to.
  8977. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8978. maxLength: 63
  8979. minLength: 1
  8980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8981. type: string
  8982. type: object
  8983. serviceAccountRef:
  8984. description: |-
  8985. Optional service account field containing the name of a kubernetes ServiceAccount.
  8986. If the service account is specified, the service account secret token JWT will be used
  8987. for authenticating with Akeyless. If the service account selector is not supplied,
  8988. the secretRef will be used instead.
  8989. properties:
  8990. audiences:
  8991. description: |-
  8992. Audience specifies the `aud` claim for the service account token
  8993. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8994. then this audiences will be appended to the list
  8995. items:
  8996. type: string
  8997. type: array
  8998. name:
  8999. description: The name of the ServiceAccount resource being referred to.
  9000. maxLength: 253
  9001. minLength: 1
  9002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9003. type: string
  9004. namespace:
  9005. description: |-
  9006. Namespace of the resource being referred to.
  9007. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9008. maxLength: 63
  9009. minLength: 1
  9010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9011. type: string
  9012. required:
  9013. - name
  9014. type: object
  9015. required:
  9016. - accessID
  9017. - k8sConfName
  9018. type: object
  9019. secretRef:
  9020. description: |-
  9021. Reference to a Secret that contains the details
  9022. to authenticate with Akeyless.
  9023. properties:
  9024. accessID:
  9025. description: The SecretAccessID is used for authentication
  9026. properties:
  9027. key:
  9028. description: |-
  9029. A key in the referenced Secret.
  9030. Some instances of this field may be defaulted, in others it may be required.
  9031. maxLength: 253
  9032. minLength: 1
  9033. pattern: ^[-._a-zA-Z0-9]+$
  9034. type: string
  9035. name:
  9036. description: The name of the Secret resource being referred to.
  9037. maxLength: 253
  9038. minLength: 1
  9039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9040. type: string
  9041. namespace:
  9042. description: |-
  9043. The namespace of the Secret resource being referred to.
  9044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9045. maxLength: 63
  9046. minLength: 1
  9047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9048. type: string
  9049. type: object
  9050. accessType:
  9051. description: |-
  9052. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9053. In some instances, `key` is a required field.
  9054. properties:
  9055. key:
  9056. description: |-
  9057. A key in the referenced Secret.
  9058. Some instances of this field may be defaulted, in others it may be required.
  9059. maxLength: 253
  9060. minLength: 1
  9061. pattern: ^[-._a-zA-Z0-9]+$
  9062. type: string
  9063. name:
  9064. description: The name of the Secret resource being referred to.
  9065. maxLength: 253
  9066. minLength: 1
  9067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9068. type: string
  9069. namespace:
  9070. description: |-
  9071. The namespace of the Secret resource being referred to.
  9072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9073. maxLength: 63
  9074. minLength: 1
  9075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9076. type: string
  9077. type: object
  9078. accessTypeParam:
  9079. description: |-
  9080. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9081. In some instances, `key` is a required field.
  9082. properties:
  9083. key:
  9084. description: |-
  9085. A key in the referenced Secret.
  9086. Some instances of this field may be defaulted, in others it may be required.
  9087. maxLength: 253
  9088. minLength: 1
  9089. pattern: ^[-._a-zA-Z0-9]+$
  9090. type: string
  9091. name:
  9092. description: The name of the Secret resource being referred to.
  9093. maxLength: 253
  9094. minLength: 1
  9095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9096. type: string
  9097. namespace:
  9098. description: |-
  9099. The namespace of the Secret resource being referred to.
  9100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9101. maxLength: 63
  9102. minLength: 1
  9103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9104. type: string
  9105. type: object
  9106. type: object
  9107. type: object
  9108. caBundle:
  9109. description: |-
  9110. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  9111. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  9112. are used to validate the TLS connection.
  9113. format: byte
  9114. type: string
  9115. caProvider:
  9116. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  9117. properties:
  9118. key:
  9119. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9120. maxLength: 253
  9121. minLength: 1
  9122. pattern: ^[-._a-zA-Z0-9]+$
  9123. type: string
  9124. name:
  9125. description: The name of the object located at the provider type.
  9126. maxLength: 253
  9127. minLength: 1
  9128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9129. type: string
  9130. namespace:
  9131. description: |-
  9132. The namespace the Provider type is in.
  9133. Can only be defined when used in a ClusterSecretStore.
  9134. maxLength: 63
  9135. minLength: 1
  9136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9137. type: string
  9138. type:
  9139. description: The type of provider to use such as "Secret", or "ConfigMap".
  9140. enum:
  9141. - Secret
  9142. - ConfigMap
  9143. type: string
  9144. required:
  9145. - name
  9146. - type
  9147. type: object
  9148. required:
  9149. - akeylessGWApiURL
  9150. - authSecretRef
  9151. type: object
  9152. alibaba:
  9153. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  9154. properties:
  9155. auth:
  9156. description: AlibabaAuth contains a secretRef for credentials.
  9157. properties:
  9158. rrsa:
  9159. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  9160. properties:
  9161. oidcProviderArn:
  9162. type: string
  9163. oidcTokenFilePath:
  9164. type: string
  9165. roleArn:
  9166. type: string
  9167. sessionName:
  9168. type: string
  9169. required:
  9170. - oidcProviderArn
  9171. - oidcTokenFilePath
  9172. - roleArn
  9173. - sessionName
  9174. type: object
  9175. secretRef:
  9176. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  9177. properties:
  9178. accessKeyIDSecretRef:
  9179. description: The AccessKeyID is used for authentication
  9180. properties:
  9181. key:
  9182. description: |-
  9183. A key in the referenced Secret.
  9184. Some instances of this field may be defaulted, in others it may be required.
  9185. maxLength: 253
  9186. minLength: 1
  9187. pattern: ^[-._a-zA-Z0-9]+$
  9188. type: string
  9189. name:
  9190. description: The name of the Secret resource being referred to.
  9191. maxLength: 253
  9192. minLength: 1
  9193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9194. type: string
  9195. namespace:
  9196. description: |-
  9197. The namespace of the Secret resource being referred to.
  9198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9199. maxLength: 63
  9200. minLength: 1
  9201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9202. type: string
  9203. type: object
  9204. accessKeySecretSecretRef:
  9205. description: The AccessKeySecret is used for authentication
  9206. properties:
  9207. key:
  9208. description: |-
  9209. A key in the referenced Secret.
  9210. Some instances of this field may be defaulted, in others it may be required.
  9211. maxLength: 253
  9212. minLength: 1
  9213. pattern: ^[-._a-zA-Z0-9]+$
  9214. type: string
  9215. name:
  9216. description: The name of the Secret resource being referred to.
  9217. maxLength: 253
  9218. minLength: 1
  9219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9220. type: string
  9221. namespace:
  9222. description: |-
  9223. The namespace of the Secret resource being referred to.
  9224. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9225. maxLength: 63
  9226. minLength: 1
  9227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9228. type: string
  9229. type: object
  9230. required:
  9231. - accessKeyIDSecretRef
  9232. - accessKeySecretSecretRef
  9233. type: object
  9234. type: object
  9235. regionID:
  9236. description: Alibaba Region to be used for the provider
  9237. type: string
  9238. required:
  9239. - auth
  9240. - regionID
  9241. type: object
  9242. aws:
  9243. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  9244. properties:
  9245. additionalRoles:
  9246. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  9247. items:
  9248. type: string
  9249. type: array
  9250. auth:
  9251. description: |-
  9252. Auth defines the information necessary to authenticate against AWS
  9253. if not set aws sdk will infer credentials from your environment
  9254. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  9255. properties:
  9256. jwt:
  9257. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  9258. properties:
  9259. serviceAccountRef:
  9260. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  9261. properties:
  9262. audiences:
  9263. description: |-
  9264. Audience specifies the `aud` claim for the service account token
  9265. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9266. then this audiences will be appended to the list
  9267. items:
  9268. type: string
  9269. type: array
  9270. name:
  9271. description: The name of the ServiceAccount resource being referred to.
  9272. maxLength: 253
  9273. minLength: 1
  9274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9275. type: string
  9276. namespace:
  9277. description: |-
  9278. Namespace of the resource being referred to.
  9279. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9280. maxLength: 63
  9281. minLength: 1
  9282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9283. type: string
  9284. required:
  9285. - name
  9286. type: object
  9287. type: object
  9288. secretRef:
  9289. description: |-
  9290. AWSAuthSecretRef holds secret references for AWS credentials
  9291. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9292. properties:
  9293. accessKeyIDSecretRef:
  9294. description: The AccessKeyID is used for authentication
  9295. properties:
  9296. key:
  9297. description: |-
  9298. A key in the referenced Secret.
  9299. Some instances of this field may be defaulted, in others it may be required.
  9300. maxLength: 253
  9301. minLength: 1
  9302. pattern: ^[-._a-zA-Z0-9]+$
  9303. type: string
  9304. name:
  9305. description: The name of the Secret resource being referred to.
  9306. maxLength: 253
  9307. minLength: 1
  9308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9309. type: string
  9310. namespace:
  9311. description: |-
  9312. The namespace of the Secret resource being referred to.
  9313. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9314. maxLength: 63
  9315. minLength: 1
  9316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9317. type: string
  9318. type: object
  9319. secretAccessKeySecretRef:
  9320. description: The SecretAccessKey is used for authentication
  9321. properties:
  9322. key:
  9323. description: |-
  9324. A key in the referenced Secret.
  9325. Some instances of this field may be defaulted, in others it may be required.
  9326. maxLength: 253
  9327. minLength: 1
  9328. pattern: ^[-._a-zA-Z0-9]+$
  9329. type: string
  9330. name:
  9331. description: The name of the Secret resource being referred to.
  9332. maxLength: 253
  9333. minLength: 1
  9334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9335. type: string
  9336. namespace:
  9337. description: |-
  9338. The namespace of the Secret resource being referred to.
  9339. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9340. maxLength: 63
  9341. minLength: 1
  9342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9343. type: string
  9344. type: object
  9345. sessionTokenSecretRef:
  9346. description: |-
  9347. The SessionToken used for authentication
  9348. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9349. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9350. properties:
  9351. key:
  9352. description: |-
  9353. A key in the referenced Secret.
  9354. Some instances of this field may be defaulted, in others it may be required.
  9355. maxLength: 253
  9356. minLength: 1
  9357. pattern: ^[-._a-zA-Z0-9]+$
  9358. type: string
  9359. name:
  9360. description: The name of the Secret resource being referred to.
  9361. maxLength: 253
  9362. minLength: 1
  9363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9364. type: string
  9365. namespace:
  9366. description: |-
  9367. The namespace of the Secret resource being referred to.
  9368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9369. maxLength: 63
  9370. minLength: 1
  9371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9372. type: string
  9373. type: object
  9374. type: object
  9375. type: object
  9376. externalID:
  9377. description: AWS External ID set on assumed IAM roles
  9378. type: string
  9379. prefix:
  9380. description: Prefix adds a prefix to all retrieved values.
  9381. type: string
  9382. region:
  9383. description: AWS Region to be used for the provider
  9384. type: string
  9385. role:
  9386. description: Role is a Role ARN which the provider will assume
  9387. type: string
  9388. secretsManager:
  9389. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9390. properties:
  9391. forceDeleteWithoutRecovery:
  9392. description: |-
  9393. Specifies whether to delete the secret without any recovery window. You
  9394. can't use both this parameter and RecoveryWindowInDays in the same call.
  9395. If you don't use either, then by default Secrets Manager uses a 30 day
  9396. recovery window.
  9397. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9398. type: boolean
  9399. recoveryWindowInDays:
  9400. description: |-
  9401. The number of days from 7 to 30 that Secrets Manager waits before
  9402. permanently deleting the secret. You can't use both this parameter and
  9403. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9404. then by default Secrets Manager uses a 30 day recovery window.
  9405. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9406. type: integer
  9407. type: object
  9408. service:
  9409. description: Service defines which service should be used to fetch the secrets
  9410. enum:
  9411. - SecretsManager
  9412. - ParameterStore
  9413. type: string
  9414. sessionTags:
  9415. description: AWS STS assume role session tags
  9416. items:
  9417. description: Tag defines a tag key and value for AWS resources.
  9418. properties:
  9419. key:
  9420. type: string
  9421. value:
  9422. type: string
  9423. required:
  9424. - key
  9425. - value
  9426. type: object
  9427. type: array
  9428. transitiveTagKeys:
  9429. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9430. items:
  9431. type: string
  9432. type: array
  9433. required:
  9434. - region
  9435. - service
  9436. type: object
  9437. azurekv:
  9438. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9439. properties:
  9440. authSecretRef:
  9441. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9442. properties:
  9443. clientCertificate:
  9444. description: The Azure ClientCertificate of the service principle used for authentication.
  9445. properties:
  9446. key:
  9447. description: |-
  9448. A key in the referenced Secret.
  9449. Some instances of this field may be defaulted, in others it may be required.
  9450. maxLength: 253
  9451. minLength: 1
  9452. pattern: ^[-._a-zA-Z0-9]+$
  9453. type: string
  9454. name:
  9455. description: The name of the Secret resource being referred to.
  9456. maxLength: 253
  9457. minLength: 1
  9458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9459. type: string
  9460. namespace:
  9461. description: |-
  9462. The namespace of the Secret resource being referred to.
  9463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9464. maxLength: 63
  9465. minLength: 1
  9466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9467. type: string
  9468. type: object
  9469. clientId:
  9470. description: The Azure clientId of the service principle or managed identity used for authentication.
  9471. properties:
  9472. key:
  9473. description: |-
  9474. A key in the referenced Secret.
  9475. Some instances of this field may be defaulted, in others it may be required.
  9476. maxLength: 253
  9477. minLength: 1
  9478. pattern: ^[-._a-zA-Z0-9]+$
  9479. type: string
  9480. name:
  9481. description: The name of the Secret resource being referred to.
  9482. maxLength: 253
  9483. minLength: 1
  9484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9485. type: string
  9486. namespace:
  9487. description: |-
  9488. The namespace of the Secret resource being referred to.
  9489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9490. maxLength: 63
  9491. minLength: 1
  9492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9493. type: string
  9494. type: object
  9495. clientSecret:
  9496. description: The Azure ClientSecret of the service principle used for authentication.
  9497. properties:
  9498. key:
  9499. description: |-
  9500. A key in the referenced Secret.
  9501. Some instances of this field may be defaulted, in others it may be required.
  9502. maxLength: 253
  9503. minLength: 1
  9504. pattern: ^[-._a-zA-Z0-9]+$
  9505. type: string
  9506. name:
  9507. description: The name of the Secret resource being referred to.
  9508. maxLength: 253
  9509. minLength: 1
  9510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9511. type: string
  9512. namespace:
  9513. description: |-
  9514. The namespace of the Secret resource being referred to.
  9515. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9516. maxLength: 63
  9517. minLength: 1
  9518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9519. type: string
  9520. type: object
  9521. tenantId:
  9522. description: The Azure tenantId of the managed identity used for authentication.
  9523. properties:
  9524. key:
  9525. description: |-
  9526. A key in the referenced Secret.
  9527. Some instances of this field may be defaulted, in others it may be required.
  9528. maxLength: 253
  9529. minLength: 1
  9530. pattern: ^[-._a-zA-Z0-9]+$
  9531. type: string
  9532. name:
  9533. description: The name of the Secret resource being referred to.
  9534. maxLength: 253
  9535. minLength: 1
  9536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9537. type: string
  9538. namespace:
  9539. description: |-
  9540. The namespace of the Secret resource being referred to.
  9541. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9542. maxLength: 63
  9543. minLength: 1
  9544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9545. type: string
  9546. type: object
  9547. type: object
  9548. authType:
  9549. default: ServicePrincipal
  9550. description: |-
  9551. Auth type defines how to authenticate to the keyvault service.
  9552. Valid values are:
  9553. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9554. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9555. enum:
  9556. - ServicePrincipal
  9557. - ManagedIdentity
  9558. - WorkloadIdentity
  9559. type: string
  9560. environmentType:
  9561. default: PublicCloud
  9562. description: |-
  9563. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9564. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9565. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9566. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9567. enum:
  9568. - PublicCloud
  9569. - USGovernmentCloud
  9570. - ChinaCloud
  9571. - GermanCloud
  9572. type: string
  9573. identityId:
  9574. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  9575. type: string
  9576. serviceAccountRef:
  9577. description: |-
  9578. ServiceAccountRef specified the service account
  9579. that should be used when authenticating with WorkloadIdentity.
  9580. properties:
  9581. audiences:
  9582. description: |-
  9583. Audience specifies the `aud` claim for the service account token
  9584. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9585. then this audiences will be appended to the list
  9586. items:
  9587. type: string
  9588. type: array
  9589. name:
  9590. description: The name of the ServiceAccount resource being referred to.
  9591. maxLength: 253
  9592. minLength: 1
  9593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9594. type: string
  9595. namespace:
  9596. description: |-
  9597. Namespace of the resource being referred to.
  9598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9599. maxLength: 63
  9600. minLength: 1
  9601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9602. type: string
  9603. required:
  9604. - name
  9605. type: object
  9606. tenantId:
  9607. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9608. type: string
  9609. vaultUrl:
  9610. description: Vault Url from which the secrets to be fetched from.
  9611. type: string
  9612. required:
  9613. - vaultUrl
  9614. type: object
  9615. beyondtrust:
  9616. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9617. properties:
  9618. auth:
  9619. description: Auth configures how the operator authenticates with Beyondtrust.
  9620. properties:
  9621. apiKey:
  9622. description: APIKey If not provided then ClientID/ClientSecret become required.
  9623. properties:
  9624. secretRef:
  9625. description: SecretRef references a key in a secret that will be used as value.
  9626. properties:
  9627. key:
  9628. description: |-
  9629. A key in the referenced Secret.
  9630. Some instances of this field may be defaulted, in others it may be required.
  9631. maxLength: 253
  9632. minLength: 1
  9633. pattern: ^[-._a-zA-Z0-9]+$
  9634. type: string
  9635. name:
  9636. description: The name of the Secret resource being referred to.
  9637. maxLength: 253
  9638. minLength: 1
  9639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9640. type: string
  9641. namespace:
  9642. description: |-
  9643. The namespace of the Secret resource being referred to.
  9644. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9645. maxLength: 63
  9646. minLength: 1
  9647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9648. type: string
  9649. type: object
  9650. value:
  9651. description: Value can be specified directly to set a value without using a secret.
  9652. type: string
  9653. type: object
  9654. certificate:
  9655. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9656. properties:
  9657. secretRef:
  9658. description: SecretRef references a key in a secret that will be used as value.
  9659. properties:
  9660. key:
  9661. description: |-
  9662. A key in the referenced Secret.
  9663. Some instances of this field may be defaulted, in others it may be required.
  9664. maxLength: 253
  9665. minLength: 1
  9666. pattern: ^[-._a-zA-Z0-9]+$
  9667. type: string
  9668. name:
  9669. description: The name of the Secret resource being referred to.
  9670. maxLength: 253
  9671. minLength: 1
  9672. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9673. type: string
  9674. namespace:
  9675. description: |-
  9676. The namespace of the Secret resource being referred to.
  9677. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9678. maxLength: 63
  9679. minLength: 1
  9680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9681. type: string
  9682. type: object
  9683. value:
  9684. description: Value can be specified directly to set a value without using a secret.
  9685. type: string
  9686. type: object
  9687. certificateKey:
  9688. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  9689. properties:
  9690. secretRef:
  9691. description: SecretRef references a key in a secret that will be used as value.
  9692. properties:
  9693. key:
  9694. description: |-
  9695. A key in the referenced Secret.
  9696. Some instances of this field may be defaulted, in others it may be required.
  9697. maxLength: 253
  9698. minLength: 1
  9699. pattern: ^[-._a-zA-Z0-9]+$
  9700. type: string
  9701. name:
  9702. description: The name of the Secret resource being referred to.
  9703. maxLength: 253
  9704. minLength: 1
  9705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9706. type: string
  9707. namespace:
  9708. description: |-
  9709. The namespace of the Secret resource being referred to.
  9710. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9711. maxLength: 63
  9712. minLength: 1
  9713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9714. type: string
  9715. type: object
  9716. value:
  9717. description: Value can be specified directly to set a value without using a secret.
  9718. type: string
  9719. type: object
  9720. clientId:
  9721. description: ClientID is the API OAuth Client ID.
  9722. properties:
  9723. secretRef:
  9724. description: SecretRef references a key in a secret that will be used as value.
  9725. properties:
  9726. key:
  9727. description: |-
  9728. A key in the referenced Secret.
  9729. Some instances of this field may be defaulted, in others it may be required.
  9730. maxLength: 253
  9731. minLength: 1
  9732. pattern: ^[-._a-zA-Z0-9]+$
  9733. type: string
  9734. name:
  9735. description: The name of the Secret resource being referred to.
  9736. maxLength: 253
  9737. minLength: 1
  9738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9739. type: string
  9740. namespace:
  9741. description: |-
  9742. The namespace of the Secret resource being referred to.
  9743. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9744. maxLength: 63
  9745. minLength: 1
  9746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9747. type: string
  9748. type: object
  9749. value:
  9750. description: Value can be specified directly to set a value without using a secret.
  9751. type: string
  9752. type: object
  9753. clientSecret:
  9754. description: ClientSecret is the API OAuth Client Secret.
  9755. properties:
  9756. secretRef:
  9757. description: SecretRef references a key in a secret that will be used as value.
  9758. properties:
  9759. key:
  9760. description: |-
  9761. A key in the referenced Secret.
  9762. Some instances of this field may be defaulted, in others it may be required.
  9763. maxLength: 253
  9764. minLength: 1
  9765. pattern: ^[-._a-zA-Z0-9]+$
  9766. type: string
  9767. name:
  9768. description: The name of the Secret resource being referred to.
  9769. maxLength: 253
  9770. minLength: 1
  9771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9772. type: string
  9773. namespace:
  9774. description: |-
  9775. The namespace of the Secret resource being referred to.
  9776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9777. maxLength: 63
  9778. minLength: 1
  9779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9780. type: string
  9781. type: object
  9782. value:
  9783. description: Value can be specified directly to set a value without using a secret.
  9784. type: string
  9785. type: object
  9786. type: object
  9787. server:
  9788. description: Auth configures how API server works.
  9789. properties:
  9790. apiUrl:
  9791. type: string
  9792. apiVersion:
  9793. type: string
  9794. clientTimeOutSeconds:
  9795. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9796. type: integer
  9797. decrypt:
  9798. default: true
  9799. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9800. type: boolean
  9801. retrievalType:
  9802. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9803. type: string
  9804. separator:
  9805. description: A character that separates the folder names.
  9806. type: string
  9807. verifyCA:
  9808. type: boolean
  9809. required:
  9810. - apiUrl
  9811. - verifyCA
  9812. type: object
  9813. required:
  9814. - auth
  9815. - server
  9816. type: object
  9817. bitwardensecretsmanager:
  9818. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9819. properties:
  9820. apiURL:
  9821. type: string
  9822. auth:
  9823. description: |-
  9824. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9825. Make sure that the token being used has permissions on the given secret.
  9826. properties:
  9827. secretRef:
  9828. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9829. properties:
  9830. credentials:
  9831. description: AccessToken used for the bitwarden instance.
  9832. properties:
  9833. key:
  9834. description: |-
  9835. A key in the referenced Secret.
  9836. Some instances of this field may be defaulted, in others it may be required.
  9837. maxLength: 253
  9838. minLength: 1
  9839. pattern: ^[-._a-zA-Z0-9]+$
  9840. type: string
  9841. name:
  9842. description: The name of the Secret resource being referred to.
  9843. maxLength: 253
  9844. minLength: 1
  9845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9846. type: string
  9847. namespace:
  9848. description: |-
  9849. The namespace of the Secret resource being referred to.
  9850. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9851. maxLength: 63
  9852. minLength: 1
  9853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9854. type: string
  9855. type: object
  9856. required:
  9857. - credentials
  9858. type: object
  9859. required:
  9860. - secretRef
  9861. type: object
  9862. bitwardenServerSDKURL:
  9863. type: string
  9864. caBundle:
  9865. description: |-
  9866. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9867. can be performed.
  9868. type: string
  9869. caProvider:
  9870. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9871. properties:
  9872. key:
  9873. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9874. maxLength: 253
  9875. minLength: 1
  9876. pattern: ^[-._a-zA-Z0-9]+$
  9877. type: string
  9878. name:
  9879. description: The name of the object located at the provider type.
  9880. maxLength: 253
  9881. minLength: 1
  9882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9883. type: string
  9884. namespace:
  9885. description: |-
  9886. The namespace the Provider type is in.
  9887. Can only be defined when used in a ClusterSecretStore.
  9888. maxLength: 63
  9889. minLength: 1
  9890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9891. type: string
  9892. type:
  9893. description: The type of provider to use such as "Secret", or "ConfigMap".
  9894. enum:
  9895. - Secret
  9896. - ConfigMap
  9897. type: string
  9898. required:
  9899. - name
  9900. - type
  9901. type: object
  9902. identityURL:
  9903. type: string
  9904. organizationID:
  9905. description: OrganizationID determines which organization this secret store manages.
  9906. type: string
  9907. projectID:
  9908. description: ProjectID determines which project this secret store manages.
  9909. type: string
  9910. required:
  9911. - auth
  9912. - organizationID
  9913. - projectID
  9914. type: object
  9915. chef:
  9916. description: Chef configures this store to sync secrets with chef server
  9917. properties:
  9918. auth:
  9919. description: Auth defines the information necessary to authenticate against chef Server
  9920. properties:
  9921. secretRef:
  9922. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9923. properties:
  9924. privateKeySecretRef:
  9925. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9926. properties:
  9927. key:
  9928. description: |-
  9929. A key in the referenced Secret.
  9930. Some instances of this field may be defaulted, in others it may be required.
  9931. maxLength: 253
  9932. minLength: 1
  9933. pattern: ^[-._a-zA-Z0-9]+$
  9934. type: string
  9935. name:
  9936. description: The name of the Secret resource being referred to.
  9937. maxLength: 253
  9938. minLength: 1
  9939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9940. type: string
  9941. namespace:
  9942. description: |-
  9943. The namespace of the Secret resource being referred to.
  9944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9945. maxLength: 63
  9946. minLength: 1
  9947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9948. type: string
  9949. type: object
  9950. required:
  9951. - privateKeySecretRef
  9952. type: object
  9953. required:
  9954. - secretRef
  9955. type: object
  9956. serverUrl:
  9957. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9958. type: string
  9959. username:
  9960. description: UserName should be the user ID on the chef server
  9961. type: string
  9962. required:
  9963. - auth
  9964. - serverUrl
  9965. - username
  9966. type: object
  9967. cloudrusm:
  9968. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9969. properties:
  9970. auth:
  9971. description: CSMAuth contains a secretRef for credentials.
  9972. properties:
  9973. secretRef:
  9974. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9975. properties:
  9976. accessKeyIDSecretRef:
  9977. description: The AccessKeyID is used for authentication
  9978. properties:
  9979. key:
  9980. description: |-
  9981. A key in the referenced Secret.
  9982. Some instances of this field may be defaulted, in others it may be required.
  9983. maxLength: 253
  9984. minLength: 1
  9985. pattern: ^[-._a-zA-Z0-9]+$
  9986. type: string
  9987. name:
  9988. description: The name of the Secret resource being referred to.
  9989. maxLength: 253
  9990. minLength: 1
  9991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9992. type: string
  9993. namespace:
  9994. description: |-
  9995. The namespace of the Secret resource being referred to.
  9996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9997. maxLength: 63
  9998. minLength: 1
  9999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10000. type: string
  10001. type: object
  10002. accessKeySecretSecretRef:
  10003. description: The AccessKeySecret is used for authentication
  10004. properties:
  10005. key:
  10006. description: |-
  10007. A key in the referenced Secret.
  10008. Some instances of this field may be defaulted, in others it may be required.
  10009. maxLength: 253
  10010. minLength: 1
  10011. pattern: ^[-._a-zA-Z0-9]+$
  10012. type: string
  10013. name:
  10014. description: The name of the Secret resource being referred to.
  10015. maxLength: 253
  10016. minLength: 1
  10017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10018. type: string
  10019. namespace:
  10020. description: |-
  10021. The namespace of the Secret resource being referred to.
  10022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10023. maxLength: 63
  10024. minLength: 1
  10025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10026. type: string
  10027. type: object
  10028. required:
  10029. - accessKeyIDSecretRef
  10030. - accessKeySecretSecretRef
  10031. type: object
  10032. type: object
  10033. projectID:
  10034. description: ProjectID is the project, which the secrets are stored in.
  10035. type: string
  10036. required:
  10037. - auth
  10038. type: object
  10039. conjur:
  10040. description: Conjur configures this store to sync secrets using conjur provider
  10041. properties:
  10042. auth:
  10043. description: Defines authentication settings for connecting to Conjur.
  10044. properties:
  10045. apikey:
  10046. description: Authenticates with Conjur using an API key.
  10047. properties:
  10048. account:
  10049. description: Account is the Conjur organization account name.
  10050. type: string
  10051. apiKeyRef:
  10052. description: |-
  10053. A reference to a specific 'key' containing the Conjur API key
  10054. within a Secret resource. In some instances, `key` is a required field.
  10055. properties:
  10056. key:
  10057. description: |-
  10058. A key in the referenced Secret.
  10059. Some instances of this field may be defaulted, in others it may be required.
  10060. maxLength: 253
  10061. minLength: 1
  10062. pattern: ^[-._a-zA-Z0-9]+$
  10063. type: string
  10064. name:
  10065. description: The name of the Secret resource being referred to.
  10066. maxLength: 253
  10067. minLength: 1
  10068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10069. type: string
  10070. namespace:
  10071. description: |-
  10072. The namespace of the Secret resource being referred to.
  10073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10074. maxLength: 63
  10075. minLength: 1
  10076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10077. type: string
  10078. type: object
  10079. userRef:
  10080. description: |-
  10081. A reference to a specific 'key' containing the Conjur username
  10082. within a Secret resource. In some instances, `key` is a required field.
  10083. properties:
  10084. key:
  10085. description: |-
  10086. A key in the referenced Secret.
  10087. Some instances of this field may be defaulted, in others it may be required.
  10088. maxLength: 253
  10089. minLength: 1
  10090. pattern: ^[-._a-zA-Z0-9]+$
  10091. type: string
  10092. name:
  10093. description: The name of the Secret resource being referred to.
  10094. maxLength: 253
  10095. minLength: 1
  10096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10097. type: string
  10098. namespace:
  10099. description: |-
  10100. The namespace of the Secret resource being referred to.
  10101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10102. maxLength: 63
  10103. minLength: 1
  10104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10105. type: string
  10106. type: object
  10107. required:
  10108. - account
  10109. - apiKeyRef
  10110. - userRef
  10111. type: object
  10112. jwt:
  10113. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  10114. properties:
  10115. account:
  10116. description: Account is the Conjur organization account name.
  10117. type: string
  10118. hostId:
  10119. description: |-
  10120. Optional HostID for JWT authentication. This may be used depending
  10121. on how the Conjur JWT authenticator policy is configured.
  10122. type: string
  10123. secretRef:
  10124. description: |-
  10125. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  10126. authenticate with Conjur using the JWT authentication method.
  10127. properties:
  10128. key:
  10129. description: |-
  10130. A key in the referenced Secret.
  10131. Some instances of this field may be defaulted, in others it may be required.
  10132. maxLength: 253
  10133. minLength: 1
  10134. pattern: ^[-._a-zA-Z0-9]+$
  10135. type: string
  10136. name:
  10137. description: The name of the Secret resource being referred to.
  10138. maxLength: 253
  10139. minLength: 1
  10140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10141. type: string
  10142. namespace:
  10143. description: |-
  10144. The namespace of the Secret resource being referred to.
  10145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10146. maxLength: 63
  10147. minLength: 1
  10148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10149. type: string
  10150. type: object
  10151. serviceAccountRef:
  10152. description: |-
  10153. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  10154. a token for with the `TokenRequest` API.
  10155. properties:
  10156. audiences:
  10157. description: |-
  10158. Audience specifies the `aud` claim for the service account token
  10159. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10160. then this audiences will be appended to the list
  10161. items:
  10162. type: string
  10163. type: array
  10164. name:
  10165. description: The name of the ServiceAccount resource being referred to.
  10166. maxLength: 253
  10167. minLength: 1
  10168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10169. type: string
  10170. namespace:
  10171. description: |-
  10172. Namespace of the resource being referred to.
  10173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10174. maxLength: 63
  10175. minLength: 1
  10176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10177. type: string
  10178. required:
  10179. - name
  10180. type: object
  10181. serviceID:
  10182. description: The conjur authn jwt webservice id
  10183. type: string
  10184. required:
  10185. - account
  10186. - serviceID
  10187. type: object
  10188. type: object
  10189. caBundle:
  10190. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  10191. type: string
  10192. caProvider:
  10193. description: |-
  10194. Used to provide custom certificate authority (CA) certificates
  10195. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  10196. that contains a PEM-encoded certificate.
  10197. properties:
  10198. key:
  10199. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10200. maxLength: 253
  10201. minLength: 1
  10202. pattern: ^[-._a-zA-Z0-9]+$
  10203. type: string
  10204. name:
  10205. description: The name of the object located at the provider type.
  10206. maxLength: 253
  10207. minLength: 1
  10208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10209. type: string
  10210. namespace:
  10211. description: |-
  10212. The namespace the Provider type is in.
  10213. Can only be defined when used in a ClusterSecretStore.
  10214. maxLength: 63
  10215. minLength: 1
  10216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10217. type: string
  10218. type:
  10219. description: The type of provider to use such as "Secret", or "ConfigMap".
  10220. enum:
  10221. - Secret
  10222. - ConfigMap
  10223. type: string
  10224. required:
  10225. - name
  10226. - type
  10227. type: object
  10228. url:
  10229. description: URL is the endpoint of the Conjur instance.
  10230. type: string
  10231. required:
  10232. - auth
  10233. - url
  10234. type: object
  10235. delinea:
  10236. description: |-
  10237. Delinea DevOps Secrets Vault
  10238. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  10239. properties:
  10240. clientId:
  10241. description: ClientID is the non-secret part of the credential.
  10242. properties:
  10243. secretRef:
  10244. description: SecretRef references a key in a secret that will be used as value.
  10245. properties:
  10246. key:
  10247. description: |-
  10248. A key in the referenced Secret.
  10249. Some instances of this field may be defaulted, in others it may be required.
  10250. maxLength: 253
  10251. minLength: 1
  10252. pattern: ^[-._a-zA-Z0-9]+$
  10253. type: string
  10254. name:
  10255. description: The name of the Secret resource being referred to.
  10256. maxLength: 253
  10257. minLength: 1
  10258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10259. type: string
  10260. namespace:
  10261. description: |-
  10262. The namespace of the Secret resource being referred to.
  10263. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10264. maxLength: 63
  10265. minLength: 1
  10266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10267. type: string
  10268. type: object
  10269. value:
  10270. description: Value can be specified directly to set a value without using a secret.
  10271. type: string
  10272. type: object
  10273. clientSecret:
  10274. description: ClientSecret is the secret part of the credential.
  10275. properties:
  10276. secretRef:
  10277. description: SecretRef references a key in a secret that will be used as value.
  10278. properties:
  10279. key:
  10280. description: |-
  10281. A key in the referenced Secret.
  10282. Some instances of this field may be defaulted, in others it may be required.
  10283. maxLength: 253
  10284. minLength: 1
  10285. pattern: ^[-._a-zA-Z0-9]+$
  10286. type: string
  10287. name:
  10288. description: The name of the Secret resource being referred to.
  10289. maxLength: 253
  10290. minLength: 1
  10291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10292. type: string
  10293. namespace:
  10294. description: |-
  10295. The namespace of the Secret resource being referred to.
  10296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10297. maxLength: 63
  10298. minLength: 1
  10299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10300. type: string
  10301. type: object
  10302. value:
  10303. description: Value can be specified directly to set a value without using a secret.
  10304. type: string
  10305. type: object
  10306. tenant:
  10307. description: Tenant is the chosen hostname / site name.
  10308. type: string
  10309. tld:
  10310. description: |-
  10311. TLD is based on the server location that was chosen during provisioning.
  10312. If unset, defaults to "com".
  10313. type: string
  10314. urlTemplate:
  10315. description: |-
  10316. URLTemplate
  10317. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10318. type: string
  10319. required:
  10320. - clientId
  10321. - clientSecret
  10322. - tenant
  10323. type: object
  10324. device42:
  10325. description: Device42 configures this store to sync secrets using the Device42 provider
  10326. properties:
  10327. auth:
  10328. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10329. properties:
  10330. secretRef:
  10331. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10332. properties:
  10333. credentials:
  10334. description: Username / Password is used for authentication.
  10335. properties:
  10336. key:
  10337. description: |-
  10338. A key in the referenced Secret.
  10339. Some instances of this field may be defaulted, in others it may be required.
  10340. maxLength: 253
  10341. minLength: 1
  10342. pattern: ^[-._a-zA-Z0-9]+$
  10343. type: string
  10344. name:
  10345. description: The name of the Secret resource being referred to.
  10346. maxLength: 253
  10347. minLength: 1
  10348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10349. type: string
  10350. namespace:
  10351. description: |-
  10352. The namespace of the Secret resource being referred to.
  10353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10354. maxLength: 63
  10355. minLength: 1
  10356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10357. type: string
  10358. type: object
  10359. type: object
  10360. required:
  10361. - secretRef
  10362. type: object
  10363. host:
  10364. description: URL configures the Device42 instance URL.
  10365. type: string
  10366. required:
  10367. - auth
  10368. - host
  10369. type: object
  10370. doppler:
  10371. description: Doppler configures this store to sync secrets using the Doppler provider
  10372. properties:
  10373. auth:
  10374. description: Auth configures how the Operator authenticates with the Doppler API
  10375. properties:
  10376. secretRef:
  10377. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10378. properties:
  10379. dopplerToken:
  10380. description: |-
  10381. The DopplerToken is used for authentication.
  10382. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10383. The Key attribute defaults to dopplerToken if not specified.
  10384. properties:
  10385. key:
  10386. description: |-
  10387. A key in the referenced Secret.
  10388. Some instances of this field may be defaulted, in others it may be required.
  10389. maxLength: 253
  10390. minLength: 1
  10391. pattern: ^[-._a-zA-Z0-9]+$
  10392. type: string
  10393. name:
  10394. description: The name of the Secret resource being referred to.
  10395. maxLength: 253
  10396. minLength: 1
  10397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10398. type: string
  10399. namespace:
  10400. description: |-
  10401. The namespace of the Secret resource being referred to.
  10402. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10403. maxLength: 63
  10404. minLength: 1
  10405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10406. type: string
  10407. type: object
  10408. required:
  10409. - dopplerToken
  10410. type: object
  10411. required:
  10412. - secretRef
  10413. type: object
  10414. config:
  10415. description: Doppler config (required if not using a Service Token)
  10416. type: string
  10417. format:
  10418. description: Format enables the downloading of secrets as a file (string)
  10419. enum:
  10420. - json
  10421. - dotnet-json
  10422. - env
  10423. - yaml
  10424. - docker
  10425. type: string
  10426. nameTransformer:
  10427. description: Environment variable compatible name transforms that change secret names to a different format
  10428. enum:
  10429. - upper-camel
  10430. - camel
  10431. - lower-snake
  10432. - tf-var
  10433. - dotnet-env
  10434. - lower-kebab
  10435. type: string
  10436. project:
  10437. description: Doppler project (required if not using a Service Token)
  10438. type: string
  10439. required:
  10440. - auth
  10441. type: object
  10442. fake:
  10443. description: Fake configures a store with static key/value pairs
  10444. properties:
  10445. data:
  10446. items:
  10447. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10448. properties:
  10449. key:
  10450. type: string
  10451. value:
  10452. type: string
  10453. version:
  10454. type: string
  10455. required:
  10456. - key
  10457. - value
  10458. type: object
  10459. type: array
  10460. required:
  10461. - data
  10462. type: object
  10463. fortanix:
  10464. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10465. properties:
  10466. apiKey:
  10467. description: APIKey is the API token to access SDKMS Applications.
  10468. properties:
  10469. secretRef:
  10470. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10471. properties:
  10472. key:
  10473. description: |-
  10474. A key in the referenced Secret.
  10475. Some instances of this field may be defaulted, in others it may be required.
  10476. maxLength: 253
  10477. minLength: 1
  10478. pattern: ^[-._a-zA-Z0-9]+$
  10479. type: string
  10480. name:
  10481. description: The name of the Secret resource being referred to.
  10482. maxLength: 253
  10483. minLength: 1
  10484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10485. type: string
  10486. namespace:
  10487. description: |-
  10488. The namespace of the Secret resource being referred to.
  10489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10490. maxLength: 63
  10491. minLength: 1
  10492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10493. type: string
  10494. type: object
  10495. type: object
  10496. apiUrl:
  10497. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10498. type: string
  10499. type: object
  10500. gcpsm:
  10501. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10502. properties:
  10503. auth:
  10504. description: Auth defines the information necessary to authenticate against GCP
  10505. properties:
  10506. secretRef:
  10507. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10508. properties:
  10509. secretAccessKeySecretRef:
  10510. description: The SecretAccessKey is used for authentication
  10511. properties:
  10512. key:
  10513. description: |-
  10514. A key in the referenced Secret.
  10515. Some instances of this field may be defaulted, in others it may be required.
  10516. maxLength: 253
  10517. minLength: 1
  10518. pattern: ^[-._a-zA-Z0-9]+$
  10519. type: string
  10520. name:
  10521. description: The name of the Secret resource being referred to.
  10522. maxLength: 253
  10523. minLength: 1
  10524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10525. type: string
  10526. namespace:
  10527. description: |-
  10528. The namespace of the Secret resource being referred to.
  10529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10530. maxLength: 63
  10531. minLength: 1
  10532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10533. type: string
  10534. type: object
  10535. type: object
  10536. workloadIdentity:
  10537. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10538. properties:
  10539. clusterLocation:
  10540. description: |-
  10541. ClusterLocation is the location of the cluster
  10542. If not specified, it fetches information from the metadata server
  10543. type: string
  10544. clusterName:
  10545. description: |-
  10546. ClusterName is the name of the cluster
  10547. If not specified, it fetches information from the metadata server
  10548. type: string
  10549. clusterProjectID:
  10550. description: |-
  10551. ClusterProjectID is the project ID of the cluster
  10552. If not specified, it fetches information from the metadata server
  10553. type: string
  10554. serviceAccountRef:
  10555. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10556. properties:
  10557. audiences:
  10558. description: |-
  10559. Audience specifies the `aud` claim for the service account token
  10560. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10561. then this audiences will be appended to the list
  10562. items:
  10563. type: string
  10564. type: array
  10565. name:
  10566. description: The name of the ServiceAccount resource being referred to.
  10567. maxLength: 253
  10568. minLength: 1
  10569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10570. type: string
  10571. namespace:
  10572. description: |-
  10573. Namespace of the resource being referred to.
  10574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10575. maxLength: 63
  10576. minLength: 1
  10577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10578. type: string
  10579. required:
  10580. - name
  10581. type: object
  10582. required:
  10583. - serviceAccountRef
  10584. type: object
  10585. type: object
  10586. location:
  10587. description: Location optionally defines a location for a secret
  10588. type: string
  10589. projectID:
  10590. description: ProjectID project where secret is located
  10591. type: string
  10592. type: object
  10593. github:
  10594. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10595. properties:
  10596. appID:
  10597. description: appID specifies the Github APP that will be used to authenticate the client
  10598. type: integer
  10599. auth:
  10600. description: auth configures how secret-manager authenticates with a Github instance.
  10601. properties:
  10602. privateKey:
  10603. description: |-
  10604. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10605. In some instances, `key` is a required field.
  10606. properties:
  10607. key:
  10608. description: |-
  10609. A key in the referenced Secret.
  10610. Some instances of this field may be defaulted, in others it may be required.
  10611. maxLength: 253
  10612. minLength: 1
  10613. pattern: ^[-._a-zA-Z0-9]+$
  10614. type: string
  10615. name:
  10616. description: The name of the Secret resource being referred to.
  10617. maxLength: 253
  10618. minLength: 1
  10619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10620. type: string
  10621. namespace:
  10622. description: |-
  10623. The namespace of the Secret resource being referred to.
  10624. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10625. maxLength: 63
  10626. minLength: 1
  10627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10628. type: string
  10629. type: object
  10630. required:
  10631. - privateKey
  10632. type: object
  10633. environment:
  10634. description: environment will be used to fetch secrets from a particular environment within a github repository
  10635. type: string
  10636. installationID:
  10637. description: installationID specifies the Github APP installation that will be used to authenticate the client
  10638. type: integer
  10639. organization:
  10640. description: organization will be used to fetch secrets from the Github organization
  10641. type: string
  10642. repository:
  10643. description: repository will be used to fetch secrets from the Github repository within an organization
  10644. type: string
  10645. uploadURL:
  10646. description: Upload URL for enterprise instances. Default to URL.
  10647. type: string
  10648. url:
  10649. default: https://github.com/
  10650. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10651. type: string
  10652. required:
  10653. - appID
  10654. - auth
  10655. - installationID
  10656. - organization
  10657. type: object
  10658. gitlab:
  10659. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10660. properties:
  10661. auth:
  10662. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10663. properties:
  10664. SecretRef:
  10665. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10666. properties:
  10667. accessToken:
  10668. description: AccessToken is used for authentication.
  10669. properties:
  10670. key:
  10671. description: |-
  10672. A key in the referenced Secret.
  10673. Some instances of this field may be defaulted, in others it may be required.
  10674. maxLength: 253
  10675. minLength: 1
  10676. pattern: ^[-._a-zA-Z0-9]+$
  10677. type: string
  10678. name:
  10679. description: The name of the Secret resource being referred to.
  10680. maxLength: 253
  10681. minLength: 1
  10682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10683. type: string
  10684. namespace:
  10685. description: |-
  10686. The namespace of the Secret resource being referred to.
  10687. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10688. maxLength: 63
  10689. minLength: 1
  10690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10691. type: string
  10692. type: object
  10693. type: object
  10694. required:
  10695. - SecretRef
  10696. type: object
  10697. caBundle:
  10698. description: |-
  10699. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  10700. can be performed.
  10701. format: byte
  10702. type: string
  10703. caProvider:
  10704. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10705. properties:
  10706. key:
  10707. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10708. maxLength: 253
  10709. minLength: 1
  10710. pattern: ^[-._a-zA-Z0-9]+$
  10711. type: string
  10712. name:
  10713. description: The name of the object located at the provider type.
  10714. maxLength: 253
  10715. minLength: 1
  10716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10717. type: string
  10718. namespace:
  10719. description: |-
  10720. The namespace the Provider type is in.
  10721. Can only be defined when used in a ClusterSecretStore.
  10722. maxLength: 63
  10723. minLength: 1
  10724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10725. type: string
  10726. type:
  10727. description: The type of provider to use such as "Secret", or "ConfigMap".
  10728. enum:
  10729. - Secret
  10730. - ConfigMap
  10731. type: string
  10732. required:
  10733. - name
  10734. - type
  10735. type: object
  10736. environment:
  10737. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10738. type: string
  10739. groupIDs:
  10740. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  10741. items:
  10742. type: string
  10743. type: array
  10744. inheritFromGroups:
  10745. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10746. type: boolean
  10747. projectID:
  10748. description: ProjectID specifies a project where secrets are located.
  10749. type: string
  10750. url:
  10751. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10752. type: string
  10753. required:
  10754. - auth
  10755. type: object
  10756. ibm:
  10757. description: IBM configures this store to sync secrets using IBM Cloud provider
  10758. properties:
  10759. auth:
  10760. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10761. maxProperties: 1
  10762. minProperties: 1
  10763. properties:
  10764. containerAuth:
  10765. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10766. properties:
  10767. iamEndpoint:
  10768. type: string
  10769. profile:
  10770. description: the IBM Trusted Profile
  10771. type: string
  10772. tokenLocation:
  10773. description: Location the token is mounted on the pod
  10774. type: string
  10775. required:
  10776. - profile
  10777. type: object
  10778. secretRef:
  10779. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10780. properties:
  10781. secretApiKeySecretRef:
  10782. description: The SecretAccessKey is used for authentication
  10783. properties:
  10784. key:
  10785. description: |-
  10786. A key in the referenced Secret.
  10787. Some instances of this field may be defaulted, in others it may be required.
  10788. maxLength: 253
  10789. minLength: 1
  10790. pattern: ^[-._a-zA-Z0-9]+$
  10791. type: string
  10792. name:
  10793. description: The name of the Secret resource being referred to.
  10794. maxLength: 253
  10795. minLength: 1
  10796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10797. type: string
  10798. namespace:
  10799. description: |-
  10800. The namespace of the Secret resource being referred to.
  10801. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10802. maxLength: 63
  10803. minLength: 1
  10804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10805. type: string
  10806. type: object
  10807. type: object
  10808. type: object
  10809. serviceUrl:
  10810. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10811. type: string
  10812. required:
  10813. - auth
  10814. type: object
  10815. infisical:
  10816. description: Infisical configures this store to sync secrets using the Infisical provider
  10817. properties:
  10818. auth:
  10819. description: Auth configures how the Operator authenticates with the Infisical API
  10820. properties:
  10821. universalAuthCredentials:
  10822. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10823. properties:
  10824. clientId:
  10825. description: |-
  10826. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10827. In some instances, `key` is a required field.
  10828. properties:
  10829. key:
  10830. description: |-
  10831. A key in the referenced Secret.
  10832. Some instances of this field may be defaulted, in others it may be required.
  10833. maxLength: 253
  10834. minLength: 1
  10835. pattern: ^[-._a-zA-Z0-9]+$
  10836. type: string
  10837. name:
  10838. description: The name of the Secret resource being referred to.
  10839. maxLength: 253
  10840. minLength: 1
  10841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10842. type: string
  10843. namespace:
  10844. description: |-
  10845. The namespace of the Secret resource being referred to.
  10846. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10847. maxLength: 63
  10848. minLength: 1
  10849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10850. type: string
  10851. type: object
  10852. clientSecret:
  10853. description: |-
  10854. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10855. In some instances, `key` is a required field.
  10856. properties:
  10857. key:
  10858. description: |-
  10859. A key in the referenced Secret.
  10860. Some instances of this field may be defaulted, in others it may be required.
  10861. maxLength: 253
  10862. minLength: 1
  10863. pattern: ^[-._a-zA-Z0-9]+$
  10864. type: string
  10865. name:
  10866. description: The name of the Secret resource being referred to.
  10867. maxLength: 253
  10868. minLength: 1
  10869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10870. type: string
  10871. namespace:
  10872. description: |-
  10873. The namespace of the Secret resource being referred to.
  10874. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10875. maxLength: 63
  10876. minLength: 1
  10877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10878. type: string
  10879. type: object
  10880. required:
  10881. - clientId
  10882. - clientSecret
  10883. type: object
  10884. type: object
  10885. hostAPI:
  10886. default: https://app.infisical.com/api
  10887. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10888. type: string
  10889. secretsScope:
  10890. description: SecretsScope defines the scope of the secrets within the workspace
  10891. properties:
  10892. environmentSlug:
  10893. description: EnvironmentSlug is the required slug identifier for the environment.
  10894. type: string
  10895. expandSecretReferences:
  10896. default: true
  10897. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10898. type: boolean
  10899. projectSlug:
  10900. description: ProjectSlug is the required slug identifier for the project.
  10901. type: string
  10902. recursive:
  10903. default: false
  10904. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10905. type: boolean
  10906. secretsPath:
  10907. default: /
  10908. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10909. type: string
  10910. required:
  10911. - environmentSlug
  10912. - projectSlug
  10913. type: object
  10914. required:
  10915. - auth
  10916. - secretsScope
  10917. type: object
  10918. keepersecurity:
  10919. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10920. properties:
  10921. authRef:
  10922. description: |-
  10923. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10924. In some instances, `key` is a required field.
  10925. properties:
  10926. key:
  10927. description: |-
  10928. A key in the referenced Secret.
  10929. Some instances of this field may be defaulted, in others it may be required.
  10930. maxLength: 253
  10931. minLength: 1
  10932. pattern: ^[-._a-zA-Z0-9]+$
  10933. type: string
  10934. name:
  10935. description: The name of the Secret resource being referred to.
  10936. maxLength: 253
  10937. minLength: 1
  10938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10939. type: string
  10940. namespace:
  10941. description: |-
  10942. The namespace of the Secret resource being referred to.
  10943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10944. maxLength: 63
  10945. minLength: 1
  10946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10947. type: string
  10948. type: object
  10949. folderID:
  10950. type: string
  10951. required:
  10952. - authRef
  10953. - folderID
  10954. type: object
  10955. kubernetes:
  10956. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10957. properties:
  10958. auth:
  10959. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10960. maxProperties: 1
  10961. minProperties: 1
  10962. properties:
  10963. cert:
  10964. description: has both clientCert and clientKey as secretKeySelector
  10965. properties:
  10966. clientCert:
  10967. description: |-
  10968. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10969. In some instances, `key` is a required field.
  10970. properties:
  10971. key:
  10972. description: |-
  10973. A key in the referenced Secret.
  10974. Some instances of this field may be defaulted, in others it may be required.
  10975. maxLength: 253
  10976. minLength: 1
  10977. pattern: ^[-._a-zA-Z0-9]+$
  10978. type: string
  10979. name:
  10980. description: The name of the Secret resource being referred to.
  10981. maxLength: 253
  10982. minLength: 1
  10983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10984. type: string
  10985. namespace:
  10986. description: |-
  10987. The namespace of the Secret resource being referred to.
  10988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10989. maxLength: 63
  10990. minLength: 1
  10991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10992. type: string
  10993. type: object
  10994. clientKey:
  10995. description: |-
  10996. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10997. In some instances, `key` is a required field.
  10998. properties:
  10999. key:
  11000. description: |-
  11001. A key in the referenced Secret.
  11002. Some instances of this field may be defaulted, in others it may be required.
  11003. maxLength: 253
  11004. minLength: 1
  11005. pattern: ^[-._a-zA-Z0-9]+$
  11006. type: string
  11007. name:
  11008. description: The name of the Secret resource being referred to.
  11009. maxLength: 253
  11010. minLength: 1
  11011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11012. type: string
  11013. namespace:
  11014. description: |-
  11015. The namespace of the Secret resource being referred to.
  11016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11017. maxLength: 63
  11018. minLength: 1
  11019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11020. type: string
  11021. type: object
  11022. type: object
  11023. serviceAccount:
  11024. description: points to a service account that should be used for authentication
  11025. properties:
  11026. audiences:
  11027. description: |-
  11028. Audience specifies the `aud` claim for the service account token
  11029. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11030. then this audiences will be appended to the list
  11031. items:
  11032. type: string
  11033. type: array
  11034. name:
  11035. description: The name of the ServiceAccount resource being referred to.
  11036. maxLength: 253
  11037. minLength: 1
  11038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11039. type: string
  11040. namespace:
  11041. description: |-
  11042. Namespace of the resource being referred to.
  11043. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11044. maxLength: 63
  11045. minLength: 1
  11046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11047. type: string
  11048. required:
  11049. - name
  11050. type: object
  11051. token:
  11052. description: use static token to authenticate with
  11053. properties:
  11054. bearerToken:
  11055. description: |-
  11056. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11057. In some instances, `key` is a required field.
  11058. properties:
  11059. key:
  11060. description: |-
  11061. A key in the referenced Secret.
  11062. Some instances of this field may be defaulted, in others it may be required.
  11063. maxLength: 253
  11064. minLength: 1
  11065. pattern: ^[-._a-zA-Z0-9]+$
  11066. type: string
  11067. name:
  11068. description: The name of the Secret resource being referred to.
  11069. maxLength: 253
  11070. minLength: 1
  11071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11072. type: string
  11073. namespace:
  11074. description: |-
  11075. The namespace of the Secret resource being referred to.
  11076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11077. maxLength: 63
  11078. minLength: 1
  11079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11080. type: string
  11081. type: object
  11082. type: object
  11083. type: object
  11084. authRef:
  11085. description: A reference to a secret that contains the auth information.
  11086. properties:
  11087. key:
  11088. description: |-
  11089. A key in the referenced Secret.
  11090. Some instances of this field may be defaulted, in others it may be required.
  11091. maxLength: 253
  11092. minLength: 1
  11093. pattern: ^[-._a-zA-Z0-9]+$
  11094. type: string
  11095. name:
  11096. description: The name of the Secret resource being referred to.
  11097. maxLength: 253
  11098. minLength: 1
  11099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11100. type: string
  11101. namespace:
  11102. description: |-
  11103. The namespace of the Secret resource being referred to.
  11104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11105. maxLength: 63
  11106. minLength: 1
  11107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11108. type: string
  11109. type: object
  11110. remoteNamespace:
  11111. default: default
  11112. description: Remote namespace to fetch the secrets from
  11113. maxLength: 63
  11114. minLength: 1
  11115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11116. type: string
  11117. server:
  11118. description: configures the Kubernetes server Address.
  11119. properties:
  11120. caBundle:
  11121. description: CABundle is a base64-encoded CA certificate
  11122. format: byte
  11123. type: string
  11124. caProvider:
  11125. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  11126. properties:
  11127. key:
  11128. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11129. maxLength: 253
  11130. minLength: 1
  11131. pattern: ^[-._a-zA-Z0-9]+$
  11132. type: string
  11133. name:
  11134. description: The name of the object located at the provider type.
  11135. maxLength: 253
  11136. minLength: 1
  11137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11138. type: string
  11139. namespace:
  11140. description: |-
  11141. The namespace the Provider type is in.
  11142. Can only be defined when used in a ClusterSecretStore.
  11143. maxLength: 63
  11144. minLength: 1
  11145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11146. type: string
  11147. type:
  11148. description: The type of provider to use such as "Secret", or "ConfigMap".
  11149. enum:
  11150. - Secret
  11151. - ConfigMap
  11152. type: string
  11153. required:
  11154. - name
  11155. - type
  11156. type: object
  11157. url:
  11158. default: kubernetes.default
  11159. description: configures the Kubernetes server Address.
  11160. type: string
  11161. type: object
  11162. type: object
  11163. onboardbase:
  11164. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  11165. properties:
  11166. apiHost:
  11167. default: https://public.onboardbase.com/api/v1/
  11168. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  11169. type: string
  11170. auth:
  11171. description: Auth configures how the Operator authenticates with the Onboardbase API
  11172. properties:
  11173. apiKeyRef:
  11174. description: |-
  11175. OnboardbaseAPIKey is the APIKey generated by an admin account.
  11176. It is used to recognize and authorize access to a project and environment within onboardbase
  11177. properties:
  11178. key:
  11179. description: |-
  11180. A key in the referenced Secret.
  11181. Some instances of this field may be defaulted, in others it may be required.
  11182. maxLength: 253
  11183. minLength: 1
  11184. pattern: ^[-._a-zA-Z0-9]+$
  11185. type: string
  11186. name:
  11187. description: The name of the Secret resource being referred to.
  11188. maxLength: 253
  11189. minLength: 1
  11190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11191. type: string
  11192. namespace:
  11193. description: |-
  11194. The namespace of the Secret resource being referred to.
  11195. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11196. maxLength: 63
  11197. minLength: 1
  11198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11199. type: string
  11200. type: object
  11201. passcodeRef:
  11202. description: OnboardbasePasscode is the passcode attached to the API Key
  11203. properties:
  11204. key:
  11205. description: |-
  11206. A key in the referenced Secret.
  11207. Some instances of this field may be defaulted, in others it may be required.
  11208. maxLength: 253
  11209. minLength: 1
  11210. pattern: ^[-._a-zA-Z0-9]+$
  11211. type: string
  11212. name:
  11213. description: The name of the Secret resource being referred to.
  11214. maxLength: 253
  11215. minLength: 1
  11216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11217. type: string
  11218. namespace:
  11219. description: |-
  11220. The namespace of the Secret resource being referred to.
  11221. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11222. maxLength: 63
  11223. minLength: 1
  11224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11225. type: string
  11226. type: object
  11227. required:
  11228. - apiKeyRef
  11229. - passcodeRef
  11230. type: object
  11231. environment:
  11232. default: development
  11233. description: Environment is the name of an environmnent within a project to pull the secrets from
  11234. type: string
  11235. project:
  11236. default: development
  11237. description: Project is an onboardbase project that the secrets should be pulled from
  11238. type: string
  11239. required:
  11240. - apiHost
  11241. - auth
  11242. - environment
  11243. - project
  11244. type: object
  11245. onepassword:
  11246. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  11247. properties:
  11248. auth:
  11249. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  11250. properties:
  11251. secretRef:
  11252. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  11253. properties:
  11254. connectTokenSecretRef:
  11255. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  11256. properties:
  11257. key:
  11258. description: |-
  11259. A key in the referenced Secret.
  11260. Some instances of this field may be defaulted, in others it may be required.
  11261. maxLength: 253
  11262. minLength: 1
  11263. pattern: ^[-._a-zA-Z0-9]+$
  11264. type: string
  11265. name:
  11266. description: The name of the Secret resource being referred to.
  11267. maxLength: 253
  11268. minLength: 1
  11269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11270. type: string
  11271. namespace:
  11272. description: |-
  11273. The namespace of the Secret resource being referred to.
  11274. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11275. maxLength: 63
  11276. minLength: 1
  11277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11278. type: string
  11279. type: object
  11280. required:
  11281. - connectTokenSecretRef
  11282. type: object
  11283. required:
  11284. - secretRef
  11285. type: object
  11286. connectHost:
  11287. description: ConnectHost defines the OnePassword Connect Server to connect to
  11288. type: string
  11289. vaults:
  11290. additionalProperties:
  11291. type: integer
  11292. description: Vaults defines which OnePassword vaults to search in which order
  11293. type: object
  11294. required:
  11295. - auth
  11296. - connectHost
  11297. - vaults
  11298. type: object
  11299. oracle:
  11300. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11301. properties:
  11302. auth:
  11303. description: |-
  11304. Auth configures how secret-manager authenticates with the Oracle Vault.
  11305. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11306. properties:
  11307. secretRef:
  11308. description: SecretRef to pass through sensitive information.
  11309. properties:
  11310. fingerprint:
  11311. description: Fingerprint is the fingerprint of the API private key.
  11312. properties:
  11313. key:
  11314. description: |-
  11315. A key in the referenced Secret.
  11316. Some instances of this field may be defaulted, in others it may be required.
  11317. maxLength: 253
  11318. minLength: 1
  11319. pattern: ^[-._a-zA-Z0-9]+$
  11320. type: string
  11321. name:
  11322. description: The name of the Secret resource being referred to.
  11323. maxLength: 253
  11324. minLength: 1
  11325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11326. type: string
  11327. namespace:
  11328. description: |-
  11329. The namespace of the Secret resource being referred to.
  11330. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11331. maxLength: 63
  11332. minLength: 1
  11333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11334. type: string
  11335. type: object
  11336. privatekey:
  11337. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11338. properties:
  11339. key:
  11340. description: |-
  11341. A key in the referenced Secret.
  11342. Some instances of this field may be defaulted, in others it may be required.
  11343. maxLength: 253
  11344. minLength: 1
  11345. pattern: ^[-._a-zA-Z0-9]+$
  11346. type: string
  11347. name:
  11348. description: The name of the Secret resource being referred to.
  11349. maxLength: 253
  11350. minLength: 1
  11351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11352. type: string
  11353. namespace:
  11354. description: |-
  11355. The namespace of the Secret resource being referred to.
  11356. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11357. maxLength: 63
  11358. minLength: 1
  11359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11360. type: string
  11361. type: object
  11362. required:
  11363. - fingerprint
  11364. - privatekey
  11365. type: object
  11366. tenancy:
  11367. description: Tenancy is the tenancy OCID where user is located.
  11368. type: string
  11369. user:
  11370. description: User is an access OCID specific to the account.
  11371. type: string
  11372. required:
  11373. - secretRef
  11374. - tenancy
  11375. - user
  11376. type: object
  11377. compartment:
  11378. description: |-
  11379. Compartment is the vault compartment OCID.
  11380. Required for PushSecret
  11381. type: string
  11382. encryptionKey:
  11383. description: |-
  11384. EncryptionKey is the OCID of the encryption key within the vault.
  11385. Required for PushSecret
  11386. type: string
  11387. principalType:
  11388. description: |-
  11389. The type of principal to use for authentication. If left blank, the Auth struct will
  11390. determine the principal type. This optional field must be specified if using
  11391. workload identity.
  11392. enum:
  11393. - ""
  11394. - UserPrincipal
  11395. - InstancePrincipal
  11396. - Workload
  11397. type: string
  11398. region:
  11399. description: Region is the region where vault is located.
  11400. type: string
  11401. serviceAccountRef:
  11402. description: |-
  11403. ServiceAccountRef specified the service account
  11404. that should be used when authenticating with WorkloadIdentity.
  11405. properties:
  11406. audiences:
  11407. description: |-
  11408. Audience specifies the `aud` claim for the service account token
  11409. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11410. then this audiences will be appended to the list
  11411. items:
  11412. type: string
  11413. type: array
  11414. name:
  11415. description: The name of the ServiceAccount resource being referred to.
  11416. maxLength: 253
  11417. minLength: 1
  11418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11419. type: string
  11420. namespace:
  11421. description: |-
  11422. Namespace of the resource being referred to.
  11423. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11424. maxLength: 63
  11425. minLength: 1
  11426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11427. type: string
  11428. required:
  11429. - name
  11430. type: object
  11431. vault:
  11432. description: Vault is the vault's OCID of the specific vault where secret is located.
  11433. type: string
  11434. required:
  11435. - region
  11436. - vault
  11437. type: object
  11438. passbolt:
  11439. description: PassboltProvider defines configuration for the Passbolt provider.
  11440. properties:
  11441. auth:
  11442. description: Auth defines the information necessary to authenticate against Passbolt Server
  11443. properties:
  11444. passwordSecretRef:
  11445. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11446. properties:
  11447. key:
  11448. description: |-
  11449. A key in the referenced Secret.
  11450. Some instances of this field may be defaulted, in others it may be required.
  11451. maxLength: 253
  11452. minLength: 1
  11453. pattern: ^[-._a-zA-Z0-9]+$
  11454. type: string
  11455. name:
  11456. description: The name of the Secret resource being referred to.
  11457. maxLength: 253
  11458. minLength: 1
  11459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11460. type: string
  11461. namespace:
  11462. description: |-
  11463. The namespace of the Secret resource being referred to.
  11464. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11465. maxLength: 63
  11466. minLength: 1
  11467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11468. type: string
  11469. type: object
  11470. privateKeySecretRef:
  11471. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11472. properties:
  11473. key:
  11474. description: |-
  11475. A key in the referenced Secret.
  11476. Some instances of this field may be defaulted, in others it may be required.
  11477. maxLength: 253
  11478. minLength: 1
  11479. pattern: ^[-._a-zA-Z0-9]+$
  11480. type: string
  11481. name:
  11482. description: The name of the Secret resource being referred to.
  11483. maxLength: 253
  11484. minLength: 1
  11485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11486. type: string
  11487. namespace:
  11488. description: |-
  11489. The namespace of the Secret resource being referred to.
  11490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11491. maxLength: 63
  11492. minLength: 1
  11493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11494. type: string
  11495. type: object
  11496. required:
  11497. - passwordSecretRef
  11498. - privateKeySecretRef
  11499. type: object
  11500. host:
  11501. description: Host defines the Passbolt Server to connect to
  11502. type: string
  11503. required:
  11504. - auth
  11505. - host
  11506. type: object
  11507. passworddepot:
  11508. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11509. properties:
  11510. auth:
  11511. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11512. properties:
  11513. secretRef:
  11514. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11515. properties:
  11516. credentials:
  11517. description: Username / Password is used for authentication.
  11518. properties:
  11519. key:
  11520. description: |-
  11521. A key in the referenced Secret.
  11522. Some instances of this field may be defaulted, in others it may be required.
  11523. maxLength: 253
  11524. minLength: 1
  11525. pattern: ^[-._a-zA-Z0-9]+$
  11526. type: string
  11527. name:
  11528. description: The name of the Secret resource being referred to.
  11529. maxLength: 253
  11530. minLength: 1
  11531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11532. type: string
  11533. namespace:
  11534. description: |-
  11535. The namespace of the Secret resource being referred to.
  11536. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11537. maxLength: 63
  11538. minLength: 1
  11539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11540. type: string
  11541. type: object
  11542. type: object
  11543. required:
  11544. - secretRef
  11545. type: object
  11546. database:
  11547. description: Database to use as source
  11548. type: string
  11549. host:
  11550. description: URL configures the Password Depot instance URL.
  11551. type: string
  11552. required:
  11553. - auth
  11554. - database
  11555. - host
  11556. type: object
  11557. previder:
  11558. description: Previder configures this store to sync secrets using the Previder provider
  11559. properties:
  11560. auth:
  11561. description: PreviderAuth contains a secretRef for credentials.
  11562. properties:
  11563. secretRef:
  11564. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11565. properties:
  11566. accessToken:
  11567. description: The AccessToken is used for authentication
  11568. properties:
  11569. key:
  11570. description: |-
  11571. A key in the referenced Secret.
  11572. Some instances of this field may be defaulted, in others it may be required.
  11573. maxLength: 253
  11574. minLength: 1
  11575. pattern: ^[-._a-zA-Z0-9]+$
  11576. type: string
  11577. name:
  11578. description: The name of the Secret resource being referred to.
  11579. maxLength: 253
  11580. minLength: 1
  11581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11582. type: string
  11583. namespace:
  11584. description: |-
  11585. The namespace of the Secret resource being referred to.
  11586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11587. maxLength: 63
  11588. minLength: 1
  11589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11590. type: string
  11591. type: object
  11592. required:
  11593. - accessToken
  11594. type: object
  11595. type: object
  11596. baseUri:
  11597. type: string
  11598. required:
  11599. - auth
  11600. type: object
  11601. pulumi:
  11602. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11603. properties:
  11604. accessToken:
  11605. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11606. properties:
  11607. secretRef:
  11608. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11609. properties:
  11610. key:
  11611. description: |-
  11612. A key in the referenced Secret.
  11613. Some instances of this field may be defaulted, in others it may be required.
  11614. maxLength: 253
  11615. minLength: 1
  11616. pattern: ^[-._a-zA-Z0-9]+$
  11617. type: string
  11618. name:
  11619. description: The name of the Secret resource being referred to.
  11620. maxLength: 253
  11621. minLength: 1
  11622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11623. type: string
  11624. namespace:
  11625. description: |-
  11626. The namespace of the Secret resource being referred to.
  11627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11628. maxLength: 63
  11629. minLength: 1
  11630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11631. type: string
  11632. type: object
  11633. type: object
  11634. apiUrl:
  11635. default: https://api.pulumi.com/api/esc
  11636. description: APIURL is the URL of the Pulumi API.
  11637. type: string
  11638. environment:
  11639. description: |-
  11640. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  11641. dynamically retrieved values from supported providers including all major clouds,
  11642. and other Pulumi ESC environments.
  11643. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11644. type: string
  11645. organization:
  11646. description: |-
  11647. Organization are a space to collaborate on shared projects and stacks.
  11648. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11649. type: string
  11650. project:
  11651. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11652. type: string
  11653. required:
  11654. - accessToken
  11655. - environment
  11656. - organization
  11657. - project
  11658. type: object
  11659. scaleway:
  11660. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11661. properties:
  11662. accessKey:
  11663. description: AccessKey is the non-secret part of the api key.
  11664. properties:
  11665. secretRef:
  11666. description: SecretRef references a key in a secret that will be used as value.
  11667. properties:
  11668. key:
  11669. description: |-
  11670. A key in the referenced Secret.
  11671. Some instances of this field may be defaulted, in others it may be required.
  11672. maxLength: 253
  11673. minLength: 1
  11674. pattern: ^[-._a-zA-Z0-9]+$
  11675. type: string
  11676. name:
  11677. description: The name of the Secret resource being referred to.
  11678. maxLength: 253
  11679. minLength: 1
  11680. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11681. type: string
  11682. namespace:
  11683. description: |-
  11684. The namespace of the Secret resource being referred to.
  11685. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11686. maxLength: 63
  11687. minLength: 1
  11688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11689. type: string
  11690. type: object
  11691. value:
  11692. description: Value can be specified directly to set a value without using a secret.
  11693. type: string
  11694. type: object
  11695. apiUrl:
  11696. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11697. type: string
  11698. projectId:
  11699. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11700. type: string
  11701. region:
  11702. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11703. type: string
  11704. secretKey:
  11705. description: SecretKey is the non-secret part of the api key.
  11706. properties:
  11707. secretRef:
  11708. description: SecretRef references a key in a secret that will be used as value.
  11709. properties:
  11710. key:
  11711. description: |-
  11712. A key in the referenced Secret.
  11713. Some instances of this field may be defaulted, in others it may be required.
  11714. maxLength: 253
  11715. minLength: 1
  11716. pattern: ^[-._a-zA-Z0-9]+$
  11717. type: string
  11718. name:
  11719. description: The name of the Secret resource being referred to.
  11720. maxLength: 253
  11721. minLength: 1
  11722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11723. type: string
  11724. namespace:
  11725. description: |-
  11726. The namespace of the Secret resource being referred to.
  11727. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11728. maxLength: 63
  11729. minLength: 1
  11730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11731. type: string
  11732. type: object
  11733. value:
  11734. description: Value can be specified directly to set a value without using a secret.
  11735. type: string
  11736. type: object
  11737. required:
  11738. - accessKey
  11739. - projectId
  11740. - region
  11741. - secretKey
  11742. type: object
  11743. secretserver:
  11744. description: |-
  11745. SecretServer configures this store to sync secrets using SecretServer provider
  11746. https://docs.delinea.com/online-help/secret-server/start.htm
  11747. properties:
  11748. password:
  11749. description: Password is the secret server account password.
  11750. properties:
  11751. secretRef:
  11752. description: SecretRef references a key in a secret that will be used as value.
  11753. properties:
  11754. key:
  11755. description: |-
  11756. A key in the referenced Secret.
  11757. Some instances of this field may be defaulted, in others it may be required.
  11758. maxLength: 253
  11759. minLength: 1
  11760. pattern: ^[-._a-zA-Z0-9]+$
  11761. type: string
  11762. name:
  11763. description: The name of the Secret resource being referred to.
  11764. maxLength: 253
  11765. minLength: 1
  11766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11767. type: string
  11768. namespace:
  11769. description: |-
  11770. The namespace of the Secret resource being referred to.
  11771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11772. maxLength: 63
  11773. minLength: 1
  11774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11775. type: string
  11776. type: object
  11777. value:
  11778. description: Value can be specified directly to set a value without using a secret.
  11779. type: string
  11780. type: object
  11781. serverURL:
  11782. description: |-
  11783. ServerURL
  11784. URL to your secret server installation
  11785. type: string
  11786. username:
  11787. description: Username is the secret server account username.
  11788. properties:
  11789. secretRef:
  11790. description: SecretRef references a key in a secret that will be used as value.
  11791. properties:
  11792. key:
  11793. description: |-
  11794. A key in the referenced Secret.
  11795. Some instances of this field may be defaulted, in others it may be required.
  11796. maxLength: 253
  11797. minLength: 1
  11798. pattern: ^[-._a-zA-Z0-9]+$
  11799. type: string
  11800. name:
  11801. description: The name of the Secret resource being referred to.
  11802. maxLength: 253
  11803. minLength: 1
  11804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11805. type: string
  11806. namespace:
  11807. description: |-
  11808. The namespace of the Secret resource being referred to.
  11809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11810. maxLength: 63
  11811. minLength: 1
  11812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11813. type: string
  11814. type: object
  11815. value:
  11816. description: Value can be specified directly to set a value without using a secret.
  11817. type: string
  11818. type: object
  11819. required:
  11820. - password
  11821. - serverURL
  11822. - username
  11823. type: object
  11824. senhasegura:
  11825. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11826. properties:
  11827. auth:
  11828. description: Auth defines parameters to authenticate in senhasegura
  11829. properties:
  11830. clientId:
  11831. type: string
  11832. clientSecretSecretRef:
  11833. description: |-
  11834. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11835. In some instances, `key` is a required field.
  11836. properties:
  11837. key:
  11838. description: |-
  11839. A key in the referenced Secret.
  11840. Some instances of this field may be defaulted, in others it may be required.
  11841. maxLength: 253
  11842. minLength: 1
  11843. pattern: ^[-._a-zA-Z0-9]+$
  11844. type: string
  11845. name:
  11846. description: The name of the Secret resource being referred to.
  11847. maxLength: 253
  11848. minLength: 1
  11849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11850. type: string
  11851. namespace:
  11852. description: |-
  11853. The namespace of the Secret resource being referred to.
  11854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11855. maxLength: 63
  11856. minLength: 1
  11857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11858. type: string
  11859. type: object
  11860. required:
  11861. - clientId
  11862. - clientSecretSecretRef
  11863. type: object
  11864. ignoreSslCertificate:
  11865. default: false
  11866. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11867. type: boolean
  11868. module:
  11869. description: Module defines which senhasegura module should be used to get secrets
  11870. type: string
  11871. url:
  11872. description: URL of senhasegura
  11873. type: string
  11874. required:
  11875. - auth
  11876. - module
  11877. - url
  11878. type: object
  11879. vault:
  11880. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11881. properties:
  11882. auth:
  11883. description: Auth configures how secret-manager authenticates with the Vault server.
  11884. properties:
  11885. appRole:
  11886. description: |-
  11887. AppRole authenticates with Vault using the App Role auth mechanism,
  11888. with the role and secret stored in a Kubernetes Secret resource.
  11889. properties:
  11890. path:
  11891. default: approle
  11892. description: |-
  11893. Path where the App Role authentication backend is mounted
  11894. in Vault, e.g: "approle"
  11895. type: string
  11896. roleId:
  11897. description: |-
  11898. RoleID configured in the App Role authentication backend when setting
  11899. up the authentication backend in Vault.
  11900. type: string
  11901. roleRef:
  11902. description: |-
  11903. Reference to a key in a Secret that contains the App Role ID used
  11904. to authenticate with Vault.
  11905. The `key` field must be specified and denotes which entry within the Secret
  11906. resource is used as the app role id.
  11907. properties:
  11908. key:
  11909. description: |-
  11910. A key in the referenced Secret.
  11911. Some instances of this field may be defaulted, in others it may be required.
  11912. maxLength: 253
  11913. minLength: 1
  11914. pattern: ^[-._a-zA-Z0-9]+$
  11915. type: string
  11916. name:
  11917. description: The name of the Secret resource being referred to.
  11918. maxLength: 253
  11919. minLength: 1
  11920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11921. type: string
  11922. namespace:
  11923. description: |-
  11924. The namespace of the Secret resource being referred to.
  11925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11926. maxLength: 63
  11927. minLength: 1
  11928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11929. type: string
  11930. type: object
  11931. secretRef:
  11932. description: |-
  11933. Reference to a key in a Secret that contains the App Role secret used
  11934. to authenticate with Vault.
  11935. The `key` field must be specified and denotes which entry within the Secret
  11936. resource is used as the app role secret.
  11937. properties:
  11938. key:
  11939. description: |-
  11940. A key in the referenced Secret.
  11941. Some instances of this field may be defaulted, in others it may be required.
  11942. maxLength: 253
  11943. minLength: 1
  11944. pattern: ^[-._a-zA-Z0-9]+$
  11945. type: string
  11946. name:
  11947. description: The name of the Secret resource being referred to.
  11948. maxLength: 253
  11949. minLength: 1
  11950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11951. type: string
  11952. namespace:
  11953. description: |-
  11954. The namespace of the Secret resource being referred to.
  11955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11956. maxLength: 63
  11957. minLength: 1
  11958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11959. type: string
  11960. type: object
  11961. required:
  11962. - path
  11963. - secretRef
  11964. type: object
  11965. cert:
  11966. description: |-
  11967. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11968. Cert authentication method
  11969. properties:
  11970. clientCert:
  11971. description: |-
  11972. ClientCert is a certificate to authenticate using the Cert Vault
  11973. authentication method
  11974. properties:
  11975. key:
  11976. description: |-
  11977. A key in the referenced Secret.
  11978. Some instances of this field may be defaulted, in others it may be required.
  11979. maxLength: 253
  11980. minLength: 1
  11981. pattern: ^[-._a-zA-Z0-9]+$
  11982. type: string
  11983. name:
  11984. description: The name of the Secret resource being referred to.
  11985. maxLength: 253
  11986. minLength: 1
  11987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11988. type: string
  11989. namespace:
  11990. description: |-
  11991. The namespace of the Secret resource being referred to.
  11992. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11993. maxLength: 63
  11994. minLength: 1
  11995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11996. type: string
  11997. type: object
  11998. secretRef:
  11999. description: |-
  12000. SecretRef to a key in a Secret resource containing client private key to
  12001. authenticate with Vault using the Cert authentication method
  12002. properties:
  12003. key:
  12004. description: |-
  12005. A key in the referenced Secret.
  12006. Some instances of this field may be defaulted, in others it may be required.
  12007. maxLength: 253
  12008. minLength: 1
  12009. pattern: ^[-._a-zA-Z0-9]+$
  12010. type: string
  12011. name:
  12012. description: The name of the Secret resource being referred to.
  12013. maxLength: 253
  12014. minLength: 1
  12015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12016. type: string
  12017. namespace:
  12018. description: |-
  12019. The namespace of the Secret resource being referred to.
  12020. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12021. maxLength: 63
  12022. minLength: 1
  12023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12024. type: string
  12025. type: object
  12026. type: object
  12027. iam:
  12028. description: |-
  12029. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  12030. AWS IAM authentication method
  12031. properties:
  12032. externalID:
  12033. description: AWS External ID set on assumed IAM roles
  12034. type: string
  12035. jwt:
  12036. description: Specify a service account with IRSA enabled
  12037. properties:
  12038. serviceAccountRef:
  12039. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  12040. properties:
  12041. audiences:
  12042. description: |-
  12043. Audience specifies the `aud` claim for the service account token
  12044. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12045. then this audiences will be appended to the list
  12046. items:
  12047. type: string
  12048. type: array
  12049. name:
  12050. description: The name of the ServiceAccount resource being referred to.
  12051. maxLength: 253
  12052. minLength: 1
  12053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12054. type: string
  12055. namespace:
  12056. description: |-
  12057. Namespace of the resource being referred to.
  12058. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12059. maxLength: 63
  12060. minLength: 1
  12061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12062. type: string
  12063. required:
  12064. - name
  12065. type: object
  12066. type: object
  12067. path:
  12068. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  12069. type: string
  12070. region:
  12071. description: AWS region
  12072. type: string
  12073. role:
  12074. description: This is the AWS role to be assumed before talking to vault
  12075. type: string
  12076. secretRef:
  12077. description: Specify credentials in a Secret object
  12078. properties:
  12079. accessKeyIDSecretRef:
  12080. description: The AccessKeyID is used for authentication
  12081. properties:
  12082. key:
  12083. description: |-
  12084. A key in the referenced Secret.
  12085. Some instances of this field may be defaulted, in others it may be required.
  12086. maxLength: 253
  12087. minLength: 1
  12088. pattern: ^[-._a-zA-Z0-9]+$
  12089. type: string
  12090. name:
  12091. description: The name of the Secret resource being referred to.
  12092. maxLength: 253
  12093. minLength: 1
  12094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12095. type: string
  12096. namespace:
  12097. description: |-
  12098. The namespace of the Secret resource being referred to.
  12099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12100. maxLength: 63
  12101. minLength: 1
  12102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12103. type: string
  12104. type: object
  12105. secretAccessKeySecretRef:
  12106. description: The SecretAccessKey is used for authentication
  12107. properties:
  12108. key:
  12109. description: |-
  12110. A key in the referenced Secret.
  12111. Some instances of this field may be defaulted, in others it may be required.
  12112. maxLength: 253
  12113. minLength: 1
  12114. pattern: ^[-._a-zA-Z0-9]+$
  12115. type: string
  12116. name:
  12117. description: The name of the Secret resource being referred to.
  12118. maxLength: 253
  12119. minLength: 1
  12120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12121. type: string
  12122. namespace:
  12123. description: |-
  12124. The namespace of the Secret resource being referred to.
  12125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12126. maxLength: 63
  12127. minLength: 1
  12128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12129. type: string
  12130. type: object
  12131. sessionTokenSecretRef:
  12132. description: |-
  12133. The SessionToken used for authentication
  12134. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  12135. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  12136. properties:
  12137. key:
  12138. description: |-
  12139. A key in the referenced Secret.
  12140. Some instances of this field may be defaulted, in others it may be required.
  12141. maxLength: 253
  12142. minLength: 1
  12143. pattern: ^[-._a-zA-Z0-9]+$
  12144. type: string
  12145. name:
  12146. description: The name of the Secret resource being referred to.
  12147. maxLength: 253
  12148. minLength: 1
  12149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12150. type: string
  12151. namespace:
  12152. description: |-
  12153. The namespace of the Secret resource being referred to.
  12154. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12155. maxLength: 63
  12156. minLength: 1
  12157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12158. type: string
  12159. type: object
  12160. type: object
  12161. vaultAwsIamServerID:
  12162. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  12163. type: string
  12164. vaultRole:
  12165. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  12166. type: string
  12167. required:
  12168. - vaultRole
  12169. type: object
  12170. jwt:
  12171. description: |-
  12172. Jwt authenticates with Vault by passing role and JWT token using the
  12173. JWT/OIDC authentication method
  12174. properties:
  12175. kubernetesServiceAccountToken:
  12176. description: |-
  12177. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  12178. a token for with the `TokenRequest` API.
  12179. properties:
  12180. audiences:
  12181. description: |-
  12182. Optional audiences field that will be used to request a temporary Kubernetes service
  12183. account token for the service account referenced by `serviceAccountRef`.
  12184. Defaults to a single audience `vault` it not specified.
  12185. Deprecated: use serviceAccountRef.Audiences instead
  12186. items:
  12187. type: string
  12188. type: array
  12189. expirationSeconds:
  12190. description: |-
  12191. Optional expiration time in seconds that will be used to request a temporary
  12192. Kubernetes service account token for the service account referenced by
  12193. `serviceAccountRef`.
  12194. Deprecated: this will be removed in the future.
  12195. Defaults to 10 minutes.
  12196. type: integer
  12197. serviceAccountRef:
  12198. description: Service account field containing the name of a kubernetes ServiceAccount.
  12199. properties:
  12200. audiences:
  12201. description: |-
  12202. Audience specifies the `aud` claim for the service account token
  12203. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12204. then this audiences will be appended to the list
  12205. items:
  12206. type: string
  12207. type: array
  12208. name:
  12209. description: The name of the ServiceAccount resource being referred to.
  12210. maxLength: 253
  12211. minLength: 1
  12212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12213. type: string
  12214. namespace:
  12215. description: |-
  12216. Namespace of the resource being referred to.
  12217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12218. maxLength: 63
  12219. minLength: 1
  12220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12221. type: string
  12222. required:
  12223. - name
  12224. type: object
  12225. required:
  12226. - serviceAccountRef
  12227. type: object
  12228. path:
  12229. default: jwt
  12230. description: |-
  12231. Path where the JWT authentication backend is mounted
  12232. in Vault, e.g: "jwt"
  12233. type: string
  12234. role:
  12235. description: |-
  12236. Role is a JWT role to authenticate using the JWT/OIDC Vault
  12237. authentication method
  12238. type: string
  12239. secretRef:
  12240. description: |-
  12241. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  12242. authenticate with Vault using the JWT/OIDC authentication method.
  12243. properties:
  12244. key:
  12245. description: |-
  12246. A key in the referenced Secret.
  12247. Some instances of this field may be defaulted, in others it may be required.
  12248. maxLength: 253
  12249. minLength: 1
  12250. pattern: ^[-._a-zA-Z0-9]+$
  12251. type: string
  12252. name:
  12253. description: The name of the Secret resource being referred to.
  12254. maxLength: 253
  12255. minLength: 1
  12256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12257. type: string
  12258. namespace:
  12259. description: |-
  12260. The namespace of the Secret resource being referred to.
  12261. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12262. maxLength: 63
  12263. minLength: 1
  12264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12265. type: string
  12266. type: object
  12267. required:
  12268. - path
  12269. type: object
  12270. kubernetes:
  12271. description: |-
  12272. Kubernetes authenticates with Vault by passing the ServiceAccount
  12273. token stored in the named Secret resource to the Vault server.
  12274. properties:
  12275. mountPath:
  12276. default: kubernetes
  12277. description: |-
  12278. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  12279. "kubernetes"
  12280. type: string
  12281. role:
  12282. description: |-
  12283. A required field containing the Vault Role to assume. A Role binds a
  12284. Kubernetes ServiceAccount with a set of Vault policies.
  12285. type: string
  12286. secretRef:
  12287. description: |-
  12288. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12289. for authenticating with Vault. If a name is specified without a key,
  12290. `token` is the default. If one is not specified, the one bound to
  12291. the controller will be used.
  12292. properties:
  12293. key:
  12294. description: |-
  12295. A key in the referenced Secret.
  12296. Some instances of this field may be defaulted, in others it may be required.
  12297. maxLength: 253
  12298. minLength: 1
  12299. pattern: ^[-._a-zA-Z0-9]+$
  12300. type: string
  12301. name:
  12302. description: The name of the Secret resource being referred to.
  12303. maxLength: 253
  12304. minLength: 1
  12305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12306. type: string
  12307. namespace:
  12308. description: |-
  12309. The namespace of the Secret resource being referred to.
  12310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12311. maxLength: 63
  12312. minLength: 1
  12313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12314. type: string
  12315. type: object
  12316. serviceAccountRef:
  12317. description: |-
  12318. Optional service account field containing the name of a kubernetes ServiceAccount.
  12319. If the service account is specified, the service account secret token JWT will be used
  12320. for authenticating with Vault. If the service account selector is not supplied,
  12321. the secretRef will be used instead.
  12322. properties:
  12323. audiences:
  12324. description: |-
  12325. Audience specifies the `aud` claim for the service account token
  12326. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12327. then this audiences will be appended to the list
  12328. items:
  12329. type: string
  12330. type: array
  12331. name:
  12332. description: The name of the ServiceAccount resource being referred to.
  12333. maxLength: 253
  12334. minLength: 1
  12335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12336. type: string
  12337. namespace:
  12338. description: |-
  12339. Namespace of the resource being referred to.
  12340. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12341. maxLength: 63
  12342. minLength: 1
  12343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12344. type: string
  12345. required:
  12346. - name
  12347. type: object
  12348. required:
  12349. - mountPath
  12350. - role
  12351. type: object
  12352. ldap:
  12353. description: |-
  12354. Ldap authenticates with Vault by passing username/password pair using
  12355. the LDAP authentication method
  12356. properties:
  12357. path:
  12358. default: ldap
  12359. description: |-
  12360. Path where the LDAP authentication backend is mounted
  12361. in Vault, e.g: "ldap"
  12362. type: string
  12363. secretRef:
  12364. description: |-
  12365. SecretRef to a key in a Secret resource containing password for the LDAP
  12366. user used to authenticate with Vault using the LDAP authentication
  12367. method
  12368. properties:
  12369. key:
  12370. description: |-
  12371. A key in the referenced Secret.
  12372. Some instances of this field may be defaulted, in others it may be required.
  12373. maxLength: 253
  12374. minLength: 1
  12375. pattern: ^[-._a-zA-Z0-9]+$
  12376. type: string
  12377. name:
  12378. description: The name of the Secret resource being referred to.
  12379. maxLength: 253
  12380. minLength: 1
  12381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12382. type: string
  12383. namespace:
  12384. description: |-
  12385. The namespace of the Secret resource being referred to.
  12386. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12387. maxLength: 63
  12388. minLength: 1
  12389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12390. type: string
  12391. type: object
  12392. username:
  12393. description: |-
  12394. Username is an LDAP username used to authenticate using the LDAP Vault
  12395. authentication method
  12396. type: string
  12397. required:
  12398. - path
  12399. - username
  12400. type: object
  12401. namespace:
  12402. description: |-
  12403. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  12404. Namespaces is a set of features within Vault Enterprise that allows
  12405. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12406. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12407. This will default to Vault.Namespace field if set, or empty otherwise
  12408. type: string
  12409. tokenSecretRef:
  12410. description: TokenSecretRef authenticates with Vault by presenting a token.
  12411. properties:
  12412. key:
  12413. description: |-
  12414. A key in the referenced Secret.
  12415. Some instances of this field may be defaulted, in others it may be required.
  12416. maxLength: 253
  12417. minLength: 1
  12418. pattern: ^[-._a-zA-Z0-9]+$
  12419. type: string
  12420. name:
  12421. description: The name of the Secret resource being referred to.
  12422. maxLength: 253
  12423. minLength: 1
  12424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12425. type: string
  12426. namespace:
  12427. description: |-
  12428. The namespace of the Secret resource being referred to.
  12429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12430. maxLength: 63
  12431. minLength: 1
  12432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12433. type: string
  12434. type: object
  12435. userPass:
  12436. description: UserPass authenticates with Vault by passing username/password pair
  12437. properties:
  12438. path:
  12439. default: userpass
  12440. description: |-
  12441. Path where the UserPassword authentication backend is mounted
  12442. in Vault, e.g: "userpass"
  12443. type: string
  12444. secretRef:
  12445. description: |-
  12446. SecretRef to a key in a Secret resource containing password for the
  12447. user used to authenticate with Vault using the UserPass authentication
  12448. method
  12449. properties:
  12450. key:
  12451. description: |-
  12452. A key in the referenced Secret.
  12453. Some instances of this field may be defaulted, in others it may be required.
  12454. maxLength: 253
  12455. minLength: 1
  12456. pattern: ^[-._a-zA-Z0-9]+$
  12457. type: string
  12458. name:
  12459. description: The name of the Secret resource being referred to.
  12460. maxLength: 253
  12461. minLength: 1
  12462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12463. type: string
  12464. namespace:
  12465. description: |-
  12466. The namespace of the Secret resource being referred to.
  12467. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12468. maxLength: 63
  12469. minLength: 1
  12470. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12471. type: string
  12472. type: object
  12473. username:
  12474. description: |-
  12475. Username is a username used to authenticate using the UserPass Vault
  12476. authentication method
  12477. type: string
  12478. required:
  12479. - path
  12480. - username
  12481. type: object
  12482. type: object
  12483. caBundle:
  12484. description: |-
  12485. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12486. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12487. plain HTTP protocol connection. If not set the system root certificates
  12488. are used to validate the TLS connection.
  12489. format: byte
  12490. type: string
  12491. caProvider:
  12492. description: The provider for the CA bundle to use to validate Vault server certificate.
  12493. properties:
  12494. key:
  12495. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12496. maxLength: 253
  12497. minLength: 1
  12498. pattern: ^[-._a-zA-Z0-9]+$
  12499. type: string
  12500. name:
  12501. description: The name of the object located at the provider type.
  12502. maxLength: 253
  12503. minLength: 1
  12504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12505. type: string
  12506. namespace:
  12507. description: |-
  12508. The namespace the Provider type is in.
  12509. Can only be defined when used in a ClusterSecretStore.
  12510. maxLength: 63
  12511. minLength: 1
  12512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12513. type: string
  12514. type:
  12515. description: The type of provider to use such as "Secret", or "ConfigMap".
  12516. enum:
  12517. - Secret
  12518. - ConfigMap
  12519. type: string
  12520. required:
  12521. - name
  12522. - type
  12523. type: object
  12524. forwardInconsistent:
  12525. description: |-
  12526. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12527. leader instead of simply retrying within a loop. This can increase performance if
  12528. the option is enabled serverside.
  12529. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12530. type: boolean
  12531. headers:
  12532. additionalProperties:
  12533. type: string
  12534. description: Headers to be added in Vault request
  12535. type: object
  12536. namespace:
  12537. description: |-
  12538. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  12539. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12540. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12541. type: string
  12542. path:
  12543. description: |-
  12544. Path is the mount path of the Vault KV backend endpoint, e.g:
  12545. "secret". The v2 KV secret engine version specific "/data" path suffix
  12546. for fetching secrets from Vault is optional and will be appended
  12547. if not present in specified path.
  12548. type: string
  12549. readYourWrites:
  12550. description: |-
  12551. ReadYourWrites ensures isolated read-after-write semantics by
  12552. providing discovered cluster replication states in each request.
  12553. More information about eventual consistency in Vault can be found here
  12554. https://www.vaultproject.io/docs/enterprise/consistency
  12555. type: boolean
  12556. server:
  12557. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12558. type: string
  12559. tls:
  12560. description: |-
  12561. The configuration used for client side related TLS communication, when the Vault server
  12562. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12563. This parameter is ignored for plain HTTP protocol connection.
  12564. It's worth noting this configuration is different from the "TLS certificates auth method",
  12565. which is available under the `auth.cert` section.
  12566. properties:
  12567. certSecretRef:
  12568. description: |-
  12569. CertSecretRef is a certificate added to the transport layer
  12570. when communicating with the Vault server.
  12571. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12572. properties:
  12573. key:
  12574. description: |-
  12575. A key in the referenced Secret.
  12576. Some instances of this field may be defaulted, in others it may be required.
  12577. maxLength: 253
  12578. minLength: 1
  12579. pattern: ^[-._a-zA-Z0-9]+$
  12580. type: string
  12581. name:
  12582. description: The name of the Secret resource being referred to.
  12583. maxLength: 253
  12584. minLength: 1
  12585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12586. type: string
  12587. namespace:
  12588. description: |-
  12589. The namespace of the Secret resource being referred to.
  12590. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12591. maxLength: 63
  12592. minLength: 1
  12593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12594. type: string
  12595. type: object
  12596. keySecretRef:
  12597. description: |-
  12598. KeySecretRef to a key in a Secret resource containing client private key
  12599. added to the transport layer when communicating with the Vault server.
  12600. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12601. properties:
  12602. key:
  12603. description: |-
  12604. A key in the referenced Secret.
  12605. Some instances of this field may be defaulted, in others it may be required.
  12606. maxLength: 253
  12607. minLength: 1
  12608. pattern: ^[-._a-zA-Z0-9]+$
  12609. type: string
  12610. name:
  12611. description: The name of the Secret resource being referred to.
  12612. maxLength: 253
  12613. minLength: 1
  12614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12615. type: string
  12616. namespace:
  12617. description: |-
  12618. The namespace of the Secret resource being referred to.
  12619. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12620. maxLength: 63
  12621. minLength: 1
  12622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12623. type: string
  12624. type: object
  12625. type: object
  12626. version:
  12627. default: v2
  12628. description: |-
  12629. Version is the Vault KV secret engine version. This can be either "v1" or
  12630. "v2". Version defaults to "v2".
  12631. enum:
  12632. - v1
  12633. - v2
  12634. type: string
  12635. required:
  12636. - server
  12637. type: object
  12638. webhook:
  12639. description: Webhook configures this store to sync secrets using a generic templated webhook
  12640. properties:
  12641. auth:
  12642. description: Auth specifies a authorization protocol. Only one protocol may be set.
  12643. maxProperties: 1
  12644. minProperties: 1
  12645. properties:
  12646. ntlm:
  12647. description: NTLMProtocol configures the store to use NTLM for auth
  12648. properties:
  12649. passwordSecret:
  12650. description: |-
  12651. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12652. In some instances, `key` is a required field.
  12653. properties:
  12654. key:
  12655. description: |-
  12656. A key in the referenced Secret.
  12657. Some instances of this field may be defaulted, in others it may be required.
  12658. maxLength: 253
  12659. minLength: 1
  12660. pattern: ^[-._a-zA-Z0-9]+$
  12661. type: string
  12662. name:
  12663. description: The name of the Secret resource being referred to.
  12664. maxLength: 253
  12665. minLength: 1
  12666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12667. type: string
  12668. namespace:
  12669. description: |-
  12670. The namespace of the Secret resource being referred to.
  12671. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12672. maxLength: 63
  12673. minLength: 1
  12674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12675. type: string
  12676. type: object
  12677. usernameSecret:
  12678. description: |-
  12679. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12680. In some instances, `key` is a required field.
  12681. properties:
  12682. key:
  12683. description: |-
  12684. A key in the referenced Secret.
  12685. Some instances of this field may be defaulted, in others it may be required.
  12686. maxLength: 253
  12687. minLength: 1
  12688. pattern: ^[-._a-zA-Z0-9]+$
  12689. type: string
  12690. name:
  12691. description: The name of the Secret resource being referred to.
  12692. maxLength: 253
  12693. minLength: 1
  12694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12695. type: string
  12696. namespace:
  12697. description: |-
  12698. The namespace of the Secret resource being referred to.
  12699. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12700. maxLength: 63
  12701. minLength: 1
  12702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12703. type: string
  12704. type: object
  12705. required:
  12706. - passwordSecret
  12707. - usernameSecret
  12708. type: object
  12709. type: object
  12710. body:
  12711. description: Body
  12712. type: string
  12713. caBundle:
  12714. description: |-
  12715. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12716. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12717. plain HTTP protocol connection. If not set the system root certificates
  12718. are used to validate the TLS connection.
  12719. format: byte
  12720. type: string
  12721. caProvider:
  12722. description: The provider for the CA bundle to use to validate webhook server certificate.
  12723. properties:
  12724. key:
  12725. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12726. maxLength: 253
  12727. minLength: 1
  12728. pattern: ^[-._a-zA-Z0-9]+$
  12729. type: string
  12730. name:
  12731. description: The name of the object located at the provider type.
  12732. maxLength: 253
  12733. minLength: 1
  12734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12735. type: string
  12736. namespace:
  12737. description: The namespace the Provider type is in.
  12738. maxLength: 63
  12739. minLength: 1
  12740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12741. type: string
  12742. type:
  12743. description: The type of provider to use such as "Secret", or "ConfigMap".
  12744. enum:
  12745. - Secret
  12746. - ConfigMap
  12747. type: string
  12748. required:
  12749. - name
  12750. - type
  12751. type: object
  12752. headers:
  12753. additionalProperties:
  12754. type: string
  12755. description: Headers
  12756. type: object
  12757. method:
  12758. description: Webhook Method
  12759. type: string
  12760. result:
  12761. description: Result formatting
  12762. properties:
  12763. jsonPath:
  12764. description: Json path of return value
  12765. type: string
  12766. type: object
  12767. secrets:
  12768. description: |-
  12769. Secrets to fill in templates
  12770. These secrets will be passed to the templating function as key value pairs under the given name
  12771. items:
  12772. description: WebhookSecret defines a secret to be used in webhook templates.
  12773. properties:
  12774. name:
  12775. description: Name of this secret in templates
  12776. type: string
  12777. secretRef:
  12778. description: Secret ref to fill in credentials
  12779. properties:
  12780. key:
  12781. description: |-
  12782. A key in the referenced Secret.
  12783. Some instances of this field may be defaulted, in others it may be required.
  12784. maxLength: 253
  12785. minLength: 1
  12786. pattern: ^[-._a-zA-Z0-9]+$
  12787. type: string
  12788. name:
  12789. description: The name of the Secret resource being referred to.
  12790. maxLength: 253
  12791. minLength: 1
  12792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12793. type: string
  12794. namespace:
  12795. description: |-
  12796. The namespace of the Secret resource being referred to.
  12797. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12798. maxLength: 63
  12799. minLength: 1
  12800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12801. type: string
  12802. type: object
  12803. required:
  12804. - name
  12805. - secretRef
  12806. type: object
  12807. type: array
  12808. timeout:
  12809. description: Timeout
  12810. type: string
  12811. url:
  12812. description: Webhook url to call
  12813. type: string
  12814. required:
  12815. - result
  12816. - url
  12817. type: object
  12818. yandexcertificatemanager:
  12819. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12820. properties:
  12821. apiEndpoint:
  12822. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12823. type: string
  12824. auth:
  12825. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12826. properties:
  12827. authorizedKeySecretRef:
  12828. description: The authorized key used for authentication
  12829. properties:
  12830. key:
  12831. description: |-
  12832. A key in the referenced Secret.
  12833. Some instances of this field may be defaulted, in others it may be required.
  12834. maxLength: 253
  12835. minLength: 1
  12836. pattern: ^[-._a-zA-Z0-9]+$
  12837. type: string
  12838. name:
  12839. description: The name of the Secret resource being referred to.
  12840. maxLength: 253
  12841. minLength: 1
  12842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12843. type: string
  12844. namespace:
  12845. description: |-
  12846. The namespace of the Secret resource being referred to.
  12847. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12848. maxLength: 63
  12849. minLength: 1
  12850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12851. type: string
  12852. type: object
  12853. type: object
  12854. caProvider:
  12855. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12856. properties:
  12857. certSecretRef:
  12858. description: |-
  12859. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12860. In some instances, `key` is a required field.
  12861. properties:
  12862. key:
  12863. description: |-
  12864. A key in the referenced Secret.
  12865. Some instances of this field may be defaulted, in others it may be required.
  12866. maxLength: 253
  12867. minLength: 1
  12868. pattern: ^[-._a-zA-Z0-9]+$
  12869. type: string
  12870. name:
  12871. description: The name of the Secret resource being referred to.
  12872. maxLength: 253
  12873. minLength: 1
  12874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12875. type: string
  12876. namespace:
  12877. description: |-
  12878. The namespace of the Secret resource being referred to.
  12879. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12880. maxLength: 63
  12881. minLength: 1
  12882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12883. type: string
  12884. type: object
  12885. type: object
  12886. required:
  12887. - auth
  12888. type: object
  12889. yandexlockbox:
  12890. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12891. properties:
  12892. apiEndpoint:
  12893. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12894. type: string
  12895. auth:
  12896. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12897. properties:
  12898. authorizedKeySecretRef:
  12899. description: The authorized key used for authentication
  12900. properties:
  12901. key:
  12902. description: |-
  12903. A key in the referenced Secret.
  12904. Some instances of this field may be defaulted, in others it may be required.
  12905. maxLength: 253
  12906. minLength: 1
  12907. pattern: ^[-._a-zA-Z0-9]+$
  12908. type: string
  12909. name:
  12910. description: The name of the Secret resource being referred to.
  12911. maxLength: 253
  12912. minLength: 1
  12913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12914. type: string
  12915. namespace:
  12916. description: |-
  12917. The namespace of the Secret resource being referred to.
  12918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12919. maxLength: 63
  12920. minLength: 1
  12921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12922. type: string
  12923. type: object
  12924. type: object
  12925. caProvider:
  12926. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12927. properties:
  12928. certSecretRef:
  12929. description: |-
  12930. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12931. In some instances, `key` is a required field.
  12932. properties:
  12933. key:
  12934. description: |-
  12935. A key in the referenced Secret.
  12936. Some instances of this field may be defaulted, in others it may be required.
  12937. maxLength: 253
  12938. minLength: 1
  12939. pattern: ^[-._a-zA-Z0-9]+$
  12940. type: string
  12941. name:
  12942. description: The name of the Secret resource being referred to.
  12943. maxLength: 253
  12944. minLength: 1
  12945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12946. type: string
  12947. namespace:
  12948. description: |-
  12949. The namespace of the Secret resource being referred to.
  12950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12951. maxLength: 63
  12952. minLength: 1
  12953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12954. type: string
  12955. type: object
  12956. type: object
  12957. required:
  12958. - auth
  12959. type: object
  12960. type: object
  12961. providerRef:
  12962. description: ProviderRef references a provider configuration managed externally.
  12963. properties:
  12964. apiVersion:
  12965. description: APIVersion identifies the API schema version for the provider resource.
  12966. minLength: 1
  12967. type: string
  12968. kind:
  12969. description: Kind identifies the provider resource type referenced by this store.
  12970. minLength: 1
  12971. type: string
  12972. name:
  12973. description: Name is the provider resource name referenced by this store.
  12974. maxLength: 253
  12975. minLength: 1
  12976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12977. type: string
  12978. namespace:
  12979. description: Namespace is the provider resource namespace referenced by this store.
  12980. maxLength: 63
  12981. minLength: 1
  12982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12983. type: string
  12984. required:
  12985. - apiVersion
  12986. - kind
  12987. - name
  12988. type: object
  12989. refreshInterval:
  12990. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12991. type: integer
  12992. retrySettings:
  12993. description: Used to configure HTTP retries on failures.
  12994. properties:
  12995. maxRetries:
  12996. description: MaxRetries is the maximum number of retry attempts.
  12997. format: int32
  12998. type: integer
  12999. retryInterval:
  13000. description: RetryInterval is the interval between retry attempts.
  13001. type: string
  13002. type: object
  13003. runtimeRef:
  13004. description: RuntimeRef points to runtime configuration for this store.
  13005. properties:
  13006. kind:
  13007. description: Kind identifies the runtime resource type referenced by this store.
  13008. enum:
  13009. - ProviderClass
  13010. - ClusterProviderClass
  13011. type: string
  13012. name:
  13013. description: Name is the runtime resource name referenced by this store.
  13014. maxLength: 253
  13015. minLength: 1
  13016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13017. type: string
  13018. required:
  13019. - name
  13020. type: object
  13021. type: object
  13022. x-kubernetes-validations:
  13023. - message: exactly one of spec.provider or spec.providerRef must be set
  13024. rule: (has(self.provider) && !has(self.providerRef)) || (!has(self.provider) && has(self.providerRef))
  13025. - message: spec.runtimeRef must be empty when spec.provider is set
  13026. rule: '!(has(self.provider) && has(self.runtimeRef))'
  13027. - message: spec.runtimeRef is required when spec.providerRef is set
  13028. rule: '!has(self.providerRef) || has(self.runtimeRef)'
  13029. status:
  13030. description: SecretStoreStatus defines the observed state of the SecretStore.
  13031. properties:
  13032. capabilities:
  13033. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  13034. type: string
  13035. conditions:
  13036. items:
  13037. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  13038. properties:
  13039. lastTransitionTime:
  13040. format: date-time
  13041. type: string
  13042. message:
  13043. type: string
  13044. reason:
  13045. type: string
  13046. status:
  13047. type: string
  13048. type:
  13049. description: SecretStoreConditionType represents the condition type of the SecretStore.
  13050. type: string
  13051. required:
  13052. - status
  13053. - type
  13054. type: object
  13055. type: array
  13056. type: object
  13057. type: object
  13058. served: false
  13059. storage: false
  13060. subresources:
  13061. status: {}
  13062. ---
  13063. apiVersion: apiextensions.k8s.io/v1
  13064. kind: CustomResourceDefinition
  13065. metadata:
  13066. annotations:
  13067. controller-gen.kubebuilder.io/version: v0.19.0
  13068. labels:
  13069. external-secrets.io/component: controller
  13070. name: externalsecrets.external-secrets.io
  13071. spec:
  13072. group: external-secrets.io
  13073. names:
  13074. categories:
  13075. - external-secrets
  13076. kind: ExternalSecret
  13077. listKind: ExternalSecretList
  13078. plural: externalsecrets
  13079. shortNames:
  13080. - es
  13081. singular: externalsecret
  13082. scope: Namespaced
  13083. versions:
  13084. - additionalPrinterColumns:
  13085. - jsonPath: .spec.secretStoreRef.kind
  13086. name: StoreType
  13087. type: string
  13088. - jsonPath: .spec.secretStoreRef.name
  13089. name: Store
  13090. type: string
  13091. - jsonPath: .spec.refreshInterval
  13092. name: Refresh Interval
  13093. type: string
  13094. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13095. name: Status
  13096. type: string
  13097. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13098. name: Ready
  13099. type: string
  13100. - jsonPath: .status.refreshTime
  13101. name: Last Sync
  13102. type: date
  13103. name: v1
  13104. schema:
  13105. openAPIV3Schema:
  13106. description: |-
  13107. ExternalSecret is the Schema for the external-secrets API.
  13108. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  13109. properties:
  13110. apiVersion:
  13111. description: |-
  13112. APIVersion defines the versioned schema of this representation of an object.
  13113. Servers should convert recognized schemas to the latest internal value, and
  13114. may reject unrecognized values.
  13115. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13116. type: string
  13117. kind:
  13118. description: |-
  13119. Kind is a string value representing the REST resource this object represents.
  13120. Servers may infer this from the endpoint the client submits requests to.
  13121. Cannot be updated.
  13122. In CamelCase.
  13123. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13124. type: string
  13125. metadata:
  13126. type: object
  13127. spec:
  13128. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13129. properties:
  13130. data:
  13131. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13132. items:
  13133. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13134. properties:
  13135. remoteRef:
  13136. description: |-
  13137. RemoteRef points to the remote secret and defines
  13138. which secret (version/property/..) to fetch.
  13139. properties:
  13140. conversionStrategy:
  13141. default: Default
  13142. description: Used to define a conversion Strategy
  13143. enum:
  13144. - Default
  13145. - Unicode
  13146. type: string
  13147. decodingStrategy:
  13148. default: None
  13149. description: Used to define a decoding Strategy
  13150. enum:
  13151. - Auto
  13152. - Base64
  13153. - Base64URL
  13154. - None
  13155. type: string
  13156. key:
  13157. description: Key is the key used in the Provider, mandatory
  13158. type: string
  13159. metadataPolicy:
  13160. default: None
  13161. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13162. enum:
  13163. - None
  13164. - Fetch
  13165. type: string
  13166. nullBytePolicy:
  13167. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13168. enum:
  13169. - Ignore
  13170. - Fail
  13171. type: string
  13172. property:
  13173. description: Used to select a specific property of the Provider value (if a map), if supported
  13174. type: string
  13175. version:
  13176. description: Used to select a specific version of the Provider value, if supported
  13177. type: string
  13178. required:
  13179. - key
  13180. type: object
  13181. secretKey:
  13182. description: The key in the Kubernetes Secret to store the value.
  13183. maxLength: 253
  13184. minLength: 1
  13185. pattern: ^[-._a-zA-Z0-9]+$
  13186. type: string
  13187. sourceRef:
  13188. description: |-
  13189. SourceRef allows you to override the source
  13190. from which the value will be pulled.
  13191. maxProperties: 1
  13192. minProperties: 1
  13193. properties:
  13194. generatorRef:
  13195. description: |-
  13196. GeneratorRef points to a generator custom resource.
  13197. Deprecated: The generatorRef is not implemented in .data[].
  13198. this will be removed with v1.
  13199. properties:
  13200. apiVersion:
  13201. default: generators.external-secrets.io/v1alpha1
  13202. description: Specify the apiVersion of the generator resource
  13203. type: string
  13204. kind:
  13205. description: Specify the Kind of the generator resource
  13206. enum:
  13207. - ACRAccessToken
  13208. - BeyondtrustWorkloadCredentialsDynamicSecret
  13209. - ClusterGenerator
  13210. - CloudsmithAccessToken
  13211. - ECRAuthorizationToken
  13212. - Fake
  13213. - GCRAccessToken
  13214. - GithubAccessToken
  13215. - QuayAccessToken
  13216. - Password
  13217. - SSHKey
  13218. - STSSessionToken
  13219. - UUID
  13220. - VaultDynamicSecret
  13221. - Webhook
  13222. - Grafana
  13223. - MFA
  13224. type: string
  13225. name:
  13226. description: Specify the name of the generator resource
  13227. maxLength: 253
  13228. minLength: 1
  13229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13230. type: string
  13231. required:
  13232. - kind
  13233. - name
  13234. type: object
  13235. storeRef:
  13236. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13237. properties:
  13238. kind:
  13239. description: |-
  13240. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  13241. Defaults to `SecretStore`
  13242. enum:
  13243. - SecretStore
  13244. - ClusterSecretStore
  13245. type: string
  13246. name:
  13247. description: Name of the SecretStore resource
  13248. maxLength: 253
  13249. minLength: 1
  13250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13251. type: string
  13252. type: object
  13253. type: object
  13254. required:
  13255. - remoteRef
  13256. - secretKey
  13257. type: object
  13258. type: array
  13259. dataFrom:
  13260. description: |-
  13261. DataFrom is used to fetch all properties from a specific Provider data
  13262. If multiple entries are specified, the Secret keys are merged in the specified order
  13263. items:
  13264. description: |-
  13265. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  13266. when using DataFrom to fetch multiple values from a Provider.
  13267. properties:
  13268. extract:
  13269. description: |-
  13270. Used to extract multiple key/value pairs from one secret
  13271. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13272. properties:
  13273. conversionStrategy:
  13274. default: Default
  13275. description: Used to define a conversion Strategy
  13276. enum:
  13277. - Default
  13278. - Unicode
  13279. type: string
  13280. decodingStrategy:
  13281. default: None
  13282. description: Used to define a decoding Strategy
  13283. enum:
  13284. - Auto
  13285. - Base64
  13286. - Base64URL
  13287. - None
  13288. type: string
  13289. key:
  13290. description: Key is the key used in the Provider, mandatory
  13291. type: string
  13292. metadataPolicy:
  13293. default: None
  13294. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13295. enum:
  13296. - None
  13297. - Fetch
  13298. type: string
  13299. nullBytePolicy:
  13300. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13301. enum:
  13302. - Ignore
  13303. - Fail
  13304. type: string
  13305. property:
  13306. description: Used to select a specific property of the Provider value (if a map), if supported
  13307. type: string
  13308. version:
  13309. description: Used to select a specific version of the Provider value, if supported
  13310. type: string
  13311. required:
  13312. - key
  13313. type: object
  13314. find:
  13315. description: |-
  13316. Used to find secrets based on tags or regular expressions
  13317. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13318. properties:
  13319. conversionStrategy:
  13320. default: Default
  13321. description: Used to define a conversion Strategy
  13322. enum:
  13323. - Default
  13324. - Unicode
  13325. type: string
  13326. decodingStrategy:
  13327. default: None
  13328. description: Used to define a decoding Strategy
  13329. enum:
  13330. - Auto
  13331. - Base64
  13332. - Base64URL
  13333. - None
  13334. type: string
  13335. name:
  13336. description: Finds secrets based on the name.
  13337. properties:
  13338. regexp:
  13339. description: Finds secrets base
  13340. type: string
  13341. type: object
  13342. nullBytePolicy:
  13343. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13344. enum:
  13345. - Ignore
  13346. - Fail
  13347. type: string
  13348. path:
  13349. description: A root path to start the find operations.
  13350. type: string
  13351. tags:
  13352. additionalProperties:
  13353. type: string
  13354. description: Find secrets based on tags.
  13355. type: object
  13356. type: object
  13357. rewrite:
  13358. description: |-
  13359. Used to rewrite secret Keys after getting them from the secret Provider
  13360. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13361. items:
  13362. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13363. maxProperties: 1
  13364. minProperties: 1
  13365. properties:
  13366. merge:
  13367. description: |-
  13368. Used to merge key/values in one single Secret
  13369. The resulting key will contain all values from the specified secrets
  13370. properties:
  13371. conflictPolicy:
  13372. default: Error
  13373. description: Used to define the policy to use in conflict resolution.
  13374. enum:
  13375. - Ignore
  13376. - Error
  13377. type: string
  13378. into:
  13379. default: ""
  13380. description: |-
  13381. Used to define the target key of the merge operation.
  13382. Required if strategy is JSON. Ignored otherwise.
  13383. type: string
  13384. priority:
  13385. description: Used to define key priority in conflict resolution.
  13386. items:
  13387. type: string
  13388. type: array
  13389. priorityPolicy:
  13390. default: Strict
  13391. description: Used to define the policy when a key in the priority list does not exist in the input.
  13392. enum:
  13393. - IgnoreNotFound
  13394. - Strict
  13395. type: string
  13396. strategy:
  13397. default: Extract
  13398. description: Used to define the strategy to use in the merge operation.
  13399. enum:
  13400. - Extract
  13401. - JSON
  13402. type: string
  13403. type: object
  13404. regexp:
  13405. description: |-
  13406. Used to rewrite with regular expressions.
  13407. The resulting key will be the output of a regexp.ReplaceAll operation.
  13408. properties:
  13409. source:
  13410. description: Used to define the regular expression of a re.Compiler.
  13411. type: string
  13412. target:
  13413. description: Used to define the target pattern of a ReplaceAll operation.
  13414. type: string
  13415. required:
  13416. - source
  13417. - target
  13418. type: object
  13419. transform:
  13420. description: |-
  13421. Used to apply string transformation on the secrets.
  13422. The resulting key will be the output of the template applied by the operation.
  13423. properties:
  13424. template:
  13425. description: |-
  13426. Used to define the template to apply on the secret name.
  13427. `.value ` will specify the secret name in the template.
  13428. type: string
  13429. required:
  13430. - template
  13431. type: object
  13432. type: object
  13433. type: array
  13434. sourceRef:
  13435. description: |-
  13436. SourceRef points to a store or generator
  13437. which contains secret values ready to use.
  13438. Use this in combination with Extract or Find pull values out of
  13439. a specific SecretStore.
  13440. When sourceRef points to a generator Extract or Find is not supported.
  13441. The generator returns a static map of values
  13442. maxProperties: 1
  13443. minProperties: 1
  13444. properties:
  13445. generatorRef:
  13446. description: GeneratorRef points to a generator custom resource.
  13447. properties:
  13448. apiVersion:
  13449. default: generators.external-secrets.io/v1alpha1
  13450. description: Specify the apiVersion of the generator resource
  13451. type: string
  13452. kind:
  13453. description: Specify the Kind of the generator resource
  13454. enum:
  13455. - ACRAccessToken
  13456. - BeyondtrustWorkloadCredentialsDynamicSecret
  13457. - ClusterGenerator
  13458. - CloudsmithAccessToken
  13459. - ECRAuthorizationToken
  13460. - Fake
  13461. - GCRAccessToken
  13462. - GithubAccessToken
  13463. - QuayAccessToken
  13464. - Password
  13465. - SSHKey
  13466. - STSSessionToken
  13467. - UUID
  13468. - VaultDynamicSecret
  13469. - Webhook
  13470. - Grafana
  13471. - MFA
  13472. type: string
  13473. name:
  13474. description: Specify the name of the generator resource
  13475. maxLength: 253
  13476. minLength: 1
  13477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13478. type: string
  13479. required:
  13480. - kind
  13481. - name
  13482. type: object
  13483. storeRef:
  13484. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13485. properties:
  13486. kind:
  13487. description: |-
  13488. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  13489. Defaults to `SecretStore`
  13490. enum:
  13491. - SecretStore
  13492. - ClusterSecretStore
  13493. type: string
  13494. name:
  13495. description: Name of the SecretStore resource
  13496. maxLength: 253
  13497. minLength: 1
  13498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13499. type: string
  13500. type: object
  13501. type: object
  13502. type: object
  13503. type: array
  13504. refreshInterval:
  13505. default: 1h0m0s
  13506. description: |-
  13507. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13508. specified as Golang Duration strings.
  13509. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13510. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13511. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13512. type: string
  13513. refreshPolicy:
  13514. description: |-
  13515. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13516. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13517. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13518. No periodic updates occur if refreshInterval is 0.
  13519. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13520. enum:
  13521. - CreatedOnce
  13522. - Periodic
  13523. - OnChange
  13524. type: string
  13525. secretStoreRef:
  13526. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13527. properties:
  13528. kind:
  13529. description: |-
  13530. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  13531. Defaults to `SecretStore`
  13532. enum:
  13533. - SecretStore
  13534. - ClusterSecretStore
  13535. type: string
  13536. name:
  13537. description: Name of the SecretStore resource
  13538. maxLength: 253
  13539. minLength: 1
  13540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13541. type: string
  13542. type: object
  13543. target:
  13544. default:
  13545. creationPolicy: Owner
  13546. deletionPolicy: Retain
  13547. description: |-
  13548. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13549. there can be only one target per ExternalSecret.
  13550. properties:
  13551. creationPolicy:
  13552. default: Owner
  13553. description: |-
  13554. CreationPolicy defines rules on how to create the resulting Secret.
  13555. Defaults to "Owner"
  13556. enum:
  13557. - Owner
  13558. - Orphan
  13559. - Merge
  13560. - None
  13561. type: string
  13562. deletionPolicy:
  13563. default: Retain
  13564. description: |-
  13565. DeletionPolicy defines rules on how to delete the resulting Secret.
  13566. Defaults to "Retain"
  13567. enum:
  13568. - Delete
  13569. - Merge
  13570. - Retain
  13571. type: string
  13572. immutable:
  13573. description: Immutable defines if the final secret will be immutable
  13574. type: boolean
  13575. manifest:
  13576. description: |-
  13577. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13578. When specified, ExternalSecret will create the resource type defined here
  13579. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  13580. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  13581. properties:
  13582. apiVersion:
  13583. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13584. minLength: 1
  13585. type: string
  13586. kind:
  13587. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13588. minLength: 1
  13589. type: string
  13590. required:
  13591. - apiVersion
  13592. - kind
  13593. type: object
  13594. name:
  13595. description: |-
  13596. The name of the Secret resource to be managed.
  13597. Defaults to the .metadata.name of the ExternalSecret resource
  13598. maxLength: 253
  13599. minLength: 1
  13600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13601. type: string
  13602. template:
  13603. description: Template defines a blueprint for the created Secret resource.
  13604. properties:
  13605. data:
  13606. additionalProperties:
  13607. type: string
  13608. type: object
  13609. engineVersion:
  13610. default: v2
  13611. description: |-
  13612. EngineVersion specifies the template engine version
  13613. that should be used to compile/execute the
  13614. template specified in .data and .templateFrom[].
  13615. enum:
  13616. - v2
  13617. type: string
  13618. mergePolicy:
  13619. default: Replace
  13620. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13621. enum:
  13622. - Replace
  13623. - Merge
  13624. type: string
  13625. metadata:
  13626. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13627. properties:
  13628. annotations:
  13629. additionalProperties:
  13630. type: string
  13631. type: object
  13632. finalizers:
  13633. items:
  13634. type: string
  13635. type: array
  13636. labels:
  13637. additionalProperties:
  13638. type: string
  13639. type: object
  13640. type: object
  13641. templateFrom:
  13642. items:
  13643. description: |-
  13644. TemplateFrom specifies a source for templates.
  13645. Each item in the list can either reference a ConfigMap or a Secret resource.
  13646. properties:
  13647. configMap:
  13648. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13649. properties:
  13650. items:
  13651. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13652. items:
  13653. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13654. properties:
  13655. key:
  13656. description: A key in the ConfigMap/Secret
  13657. maxLength: 253
  13658. minLength: 1
  13659. pattern: ^[-._a-zA-Z0-9]+$
  13660. type: string
  13661. templateAs:
  13662. default: Values
  13663. description: TemplateScope specifies how the template keys should be interpreted.
  13664. enum:
  13665. - Values
  13666. - KeysAndValues
  13667. type: string
  13668. required:
  13669. - key
  13670. type: object
  13671. type: array
  13672. name:
  13673. description: The name of the ConfigMap/Secret resource
  13674. maxLength: 253
  13675. minLength: 1
  13676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13677. type: string
  13678. required:
  13679. - items
  13680. - name
  13681. type: object
  13682. literal:
  13683. type: string
  13684. secret:
  13685. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13686. properties:
  13687. items:
  13688. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13689. items:
  13690. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13691. properties:
  13692. key:
  13693. description: A key in the ConfigMap/Secret
  13694. maxLength: 253
  13695. minLength: 1
  13696. pattern: ^[-._a-zA-Z0-9]+$
  13697. type: string
  13698. templateAs:
  13699. default: Values
  13700. description: TemplateScope specifies how the template keys should be interpreted.
  13701. enum:
  13702. - Values
  13703. - KeysAndValues
  13704. type: string
  13705. required:
  13706. - key
  13707. type: object
  13708. type: array
  13709. name:
  13710. description: The name of the ConfigMap/Secret resource
  13711. maxLength: 253
  13712. minLength: 1
  13713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13714. type: string
  13715. required:
  13716. - items
  13717. - name
  13718. type: object
  13719. target:
  13720. default: Data
  13721. description: |-
  13722. Target specifies where to place the template result.
  13723. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13724. For custom resources (when spec.target.manifest is set), this supports
  13725. nested paths like "spec.database.config" or "data".
  13726. type: string
  13727. valuesDecodingStrategy:
  13728. default: None
  13729. description: Used to define a decoding Strategy for the rendered template values.
  13730. enum:
  13731. - Auto
  13732. - Base64
  13733. - Base64URL
  13734. - None
  13735. type: string
  13736. type: object
  13737. type: array
  13738. type:
  13739. type: string
  13740. type: object
  13741. type: object
  13742. type: object
  13743. status:
  13744. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13745. properties:
  13746. binding:
  13747. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13748. properties:
  13749. name:
  13750. default: ""
  13751. description: |-
  13752. Name of the referent.
  13753. This field is effectively required, but due to backwards compatibility is
  13754. allowed to be empty. Instances of this type with an empty value here are
  13755. almost certainly wrong.
  13756. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13757. type: string
  13758. type: object
  13759. x-kubernetes-map-type: atomic
  13760. conditions:
  13761. items:
  13762. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13763. properties:
  13764. lastTransitionTime:
  13765. format: date-time
  13766. type: string
  13767. message:
  13768. type: string
  13769. reason:
  13770. type: string
  13771. status:
  13772. type: string
  13773. type:
  13774. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13775. enum:
  13776. - Ready
  13777. - Deleted
  13778. type: string
  13779. required:
  13780. - status
  13781. - type
  13782. type: object
  13783. type: array
  13784. refreshTime:
  13785. description: |-
  13786. refreshTime is the time and date the external secret was fetched and
  13787. the target secret updated
  13788. format: date-time
  13789. nullable: true
  13790. type: string
  13791. syncedResourceVersion:
  13792. description: SyncedResourceVersion keeps track of the last synced version
  13793. type: string
  13794. type: object
  13795. type: object
  13796. selectableFields:
  13797. - jsonPath: .spec.secretStoreRef.name
  13798. - jsonPath: .spec.secretStoreRef.kind
  13799. - jsonPath: .spec.target.name
  13800. - jsonPath: .spec.refreshInterval
  13801. served: true
  13802. storage: true
  13803. subresources:
  13804. status: {}
  13805. - additionalPrinterColumns:
  13806. - jsonPath: .spec.secretStoreRef.kind
  13807. name: StoreType
  13808. type: string
  13809. - jsonPath: .spec.secretStoreRef.name
  13810. name: Store
  13811. type: string
  13812. - jsonPath: .spec.refreshInterval
  13813. name: Refresh Interval
  13814. type: string
  13815. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13816. name: Status
  13817. type: string
  13818. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13819. name: Ready
  13820. type: string
  13821. - jsonPath: .status.refreshTime
  13822. name: Last Sync
  13823. type: date
  13824. deprecated: true
  13825. name: v1beta1
  13826. schema:
  13827. openAPIV3Schema:
  13828. description: ExternalSecret is the schema for the external-secrets API.
  13829. properties:
  13830. apiVersion:
  13831. description: |-
  13832. APIVersion defines the versioned schema of this representation of an object.
  13833. Servers should convert recognized schemas to the latest internal value, and
  13834. may reject unrecognized values.
  13835. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13836. type: string
  13837. kind:
  13838. description: |-
  13839. Kind is a string value representing the REST resource this object represents.
  13840. Servers may infer this from the endpoint the client submits requests to.
  13841. Cannot be updated.
  13842. In CamelCase.
  13843. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13844. type: string
  13845. metadata:
  13846. type: object
  13847. spec:
  13848. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13849. properties:
  13850. data:
  13851. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13852. items:
  13853. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13854. properties:
  13855. remoteRef:
  13856. description: |-
  13857. RemoteRef points to the remote secret and defines
  13858. which secret (version/property/..) to fetch.
  13859. properties:
  13860. conversionStrategy:
  13861. default: Default
  13862. description: Used to define a conversion Strategy
  13863. enum:
  13864. - Default
  13865. - Unicode
  13866. type: string
  13867. decodingStrategy:
  13868. default: None
  13869. description: Used to define a decoding Strategy
  13870. enum:
  13871. - Auto
  13872. - Base64
  13873. - Base64URL
  13874. - None
  13875. type: string
  13876. key:
  13877. description: Key is the key used in the Provider, mandatory
  13878. type: string
  13879. metadataPolicy:
  13880. default: None
  13881. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13882. enum:
  13883. - None
  13884. - Fetch
  13885. type: string
  13886. property:
  13887. description: Used to select a specific property of the Provider value (if a map), if supported
  13888. type: string
  13889. version:
  13890. description: Used to select a specific version of the Provider value, if supported
  13891. type: string
  13892. required:
  13893. - key
  13894. type: object
  13895. secretKey:
  13896. description: The key in the Kubernetes Secret to store the value.
  13897. maxLength: 253
  13898. minLength: 1
  13899. pattern: ^[-._a-zA-Z0-9]+$
  13900. type: string
  13901. sourceRef:
  13902. description: |-
  13903. SourceRef allows you to override the source
  13904. from which the value will be pulled.
  13905. maxProperties: 1
  13906. minProperties: 1
  13907. properties:
  13908. generatorRef:
  13909. description: |-
  13910. GeneratorRef points to a generator custom resource.
  13911. Deprecated: The generatorRef is not implemented in .data[].
  13912. this will be removed with v1.
  13913. properties:
  13914. apiVersion:
  13915. default: generators.external-secrets.io/v1alpha1
  13916. description: Specify the apiVersion of the generator resource
  13917. type: string
  13918. kind:
  13919. description: Specify the Kind of the generator resource
  13920. enum:
  13921. - ACRAccessToken
  13922. - ClusterGenerator
  13923. - ECRAuthorizationToken
  13924. - Fake
  13925. - GCRAccessToken
  13926. - GithubAccessToken
  13927. - QuayAccessToken
  13928. - Password
  13929. - SSHKey
  13930. - STSSessionToken
  13931. - UUID
  13932. - VaultDynamicSecret
  13933. - Webhook
  13934. - Grafana
  13935. type: string
  13936. name:
  13937. description: Specify the name of the generator resource
  13938. maxLength: 253
  13939. minLength: 1
  13940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13941. type: string
  13942. required:
  13943. - kind
  13944. - name
  13945. type: object
  13946. storeRef:
  13947. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13948. properties:
  13949. kind:
  13950. description: |-
  13951. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  13952. Defaults to `SecretStore`
  13953. enum:
  13954. - SecretStore
  13955. - ClusterSecretStore
  13956. type: string
  13957. name:
  13958. description: Name of the SecretStore resource
  13959. maxLength: 253
  13960. minLength: 1
  13961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13962. type: string
  13963. type: object
  13964. type: object
  13965. required:
  13966. - remoteRef
  13967. - secretKey
  13968. type: object
  13969. type: array
  13970. dataFrom:
  13971. description: |-
  13972. DataFrom is used to fetch all properties from a specific Provider data
  13973. If multiple entries are specified, the Secret keys are merged in the specified order
  13974. items:
  13975. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13976. properties:
  13977. extract:
  13978. description: |-
  13979. Used to extract multiple key/value pairs from one secret
  13980. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13981. properties:
  13982. conversionStrategy:
  13983. default: Default
  13984. description: Used to define a conversion Strategy
  13985. enum:
  13986. - Default
  13987. - Unicode
  13988. type: string
  13989. decodingStrategy:
  13990. default: None
  13991. description: Used to define a decoding Strategy
  13992. enum:
  13993. - Auto
  13994. - Base64
  13995. - Base64URL
  13996. - None
  13997. type: string
  13998. key:
  13999. description: Key is the key used in the Provider, mandatory
  14000. type: string
  14001. metadataPolicy:
  14002. default: None
  14003. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  14004. enum:
  14005. - None
  14006. - Fetch
  14007. type: string
  14008. property:
  14009. description: Used to select a specific property of the Provider value (if a map), if supported
  14010. type: string
  14011. version:
  14012. description: Used to select a specific version of the Provider value, if supported
  14013. type: string
  14014. required:
  14015. - key
  14016. type: object
  14017. find:
  14018. description: |-
  14019. Used to find secrets based on tags or regular expressions
  14020. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  14021. properties:
  14022. conversionStrategy:
  14023. default: Default
  14024. description: Used to define a conversion Strategy
  14025. enum:
  14026. - Default
  14027. - Unicode
  14028. type: string
  14029. decodingStrategy:
  14030. default: None
  14031. description: Used to define a decoding Strategy
  14032. enum:
  14033. - Auto
  14034. - Base64
  14035. - Base64URL
  14036. - None
  14037. type: string
  14038. name:
  14039. description: Finds secrets based on the name.
  14040. properties:
  14041. regexp:
  14042. description: Finds secrets base
  14043. type: string
  14044. type: object
  14045. path:
  14046. description: A root path to start the find operations.
  14047. type: string
  14048. tags:
  14049. additionalProperties:
  14050. type: string
  14051. description: Find secrets based on tags.
  14052. type: object
  14053. type: object
  14054. rewrite:
  14055. description: |-
  14056. Used to rewrite secret Keys after getting them from the secret Provider
  14057. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  14058. items:
  14059. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  14060. maxProperties: 1
  14061. minProperties: 1
  14062. properties:
  14063. regexp:
  14064. description: |-
  14065. Used to rewrite with regular expressions.
  14066. The resulting key will be the output of a regexp.ReplaceAll operation.
  14067. properties:
  14068. source:
  14069. description: Used to define the regular expression of a re.Compiler.
  14070. type: string
  14071. target:
  14072. description: Used to define the target pattern of a ReplaceAll operation.
  14073. type: string
  14074. required:
  14075. - source
  14076. - target
  14077. type: object
  14078. transform:
  14079. description: |-
  14080. Used to apply string transformation on the secrets.
  14081. The resulting key will be the output of the template applied by the operation.
  14082. properties:
  14083. template:
  14084. description: |-
  14085. Used to define the template to apply on the secret name.
  14086. `.value ` will specify the secret name in the template.
  14087. type: string
  14088. required:
  14089. - template
  14090. type: object
  14091. type: object
  14092. type: array
  14093. sourceRef:
  14094. description: |-
  14095. SourceRef points to a store or generator
  14096. which contains secret values ready to use.
  14097. Use this in combination with Extract or Find pull values out of
  14098. a specific SecretStore.
  14099. When sourceRef points to a generator Extract or Find is not supported.
  14100. The generator returns a static map of values
  14101. maxProperties: 1
  14102. minProperties: 1
  14103. properties:
  14104. generatorRef:
  14105. description: GeneratorRef points to a generator custom resource.
  14106. properties:
  14107. apiVersion:
  14108. default: generators.external-secrets.io/v1alpha1
  14109. description: Specify the apiVersion of the generator resource
  14110. type: string
  14111. kind:
  14112. description: Specify the Kind of the generator resource
  14113. enum:
  14114. - ACRAccessToken
  14115. - ClusterGenerator
  14116. - ECRAuthorizationToken
  14117. - Fake
  14118. - GCRAccessToken
  14119. - GithubAccessToken
  14120. - QuayAccessToken
  14121. - Password
  14122. - SSHKey
  14123. - STSSessionToken
  14124. - UUID
  14125. - VaultDynamicSecret
  14126. - Webhook
  14127. - Grafana
  14128. type: string
  14129. name:
  14130. description: Specify the name of the generator resource
  14131. maxLength: 253
  14132. minLength: 1
  14133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14134. type: string
  14135. required:
  14136. - kind
  14137. - name
  14138. type: object
  14139. storeRef:
  14140. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14141. properties:
  14142. kind:
  14143. description: |-
  14144. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  14145. Defaults to `SecretStore`
  14146. enum:
  14147. - SecretStore
  14148. - ClusterSecretStore
  14149. type: string
  14150. name:
  14151. description: Name of the SecretStore resource
  14152. maxLength: 253
  14153. minLength: 1
  14154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14155. type: string
  14156. type: object
  14157. type: object
  14158. type: object
  14159. type: array
  14160. refreshInterval:
  14161. default: 1h0m0s
  14162. description: |-
  14163. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  14164. specified as Golang Duration strings.
  14165. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  14166. Example values: "1h0m0s", "2h30m0s", "10m0s"
  14167. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  14168. type: string
  14169. refreshPolicy:
  14170. description: |-
  14171. RefreshPolicy determines how the ExternalSecret should be refreshed:
  14172. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  14173. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  14174. No periodic updates occur if refreshInterval is 0.
  14175. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  14176. enum:
  14177. - CreatedOnce
  14178. - Periodic
  14179. - OnChange
  14180. type: string
  14181. secretStoreRef:
  14182. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14183. properties:
  14184. kind:
  14185. description: |-
  14186. Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  14187. Defaults to `SecretStore`
  14188. enum:
  14189. - SecretStore
  14190. - ClusterSecretStore
  14191. type: string
  14192. name:
  14193. description: Name of the SecretStore resource
  14194. maxLength: 253
  14195. minLength: 1
  14196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14197. type: string
  14198. type: object
  14199. target:
  14200. default:
  14201. creationPolicy: Owner
  14202. deletionPolicy: Retain
  14203. description: |-
  14204. ExternalSecretTarget defines the Kubernetes Secret to be created
  14205. There can be only one target per ExternalSecret.
  14206. properties:
  14207. creationPolicy:
  14208. default: Owner
  14209. description: |-
  14210. CreationPolicy defines rules on how to create the resulting Secret.
  14211. Defaults to "Owner"
  14212. enum:
  14213. - Owner
  14214. - Orphan
  14215. - Merge
  14216. - None
  14217. type: string
  14218. deletionPolicy:
  14219. default: Retain
  14220. description: |-
  14221. DeletionPolicy defines rules on how to delete the resulting Secret.
  14222. Defaults to "Retain"
  14223. enum:
  14224. - Delete
  14225. - Merge
  14226. - Retain
  14227. type: string
  14228. immutable:
  14229. description: Immutable defines if the final secret will be immutable
  14230. type: boolean
  14231. name:
  14232. description: |-
  14233. The name of the Secret resource to be managed.
  14234. Defaults to the .metadata.name of the ExternalSecret resource
  14235. maxLength: 253
  14236. minLength: 1
  14237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14238. type: string
  14239. template:
  14240. description: Template defines a blueprint for the created Secret resource.
  14241. properties:
  14242. data:
  14243. additionalProperties:
  14244. type: string
  14245. type: object
  14246. engineVersion:
  14247. default: v2
  14248. description: |-
  14249. EngineVersion specifies the template engine version
  14250. that should be used to compile/execute the
  14251. template specified in .data and .templateFrom[].
  14252. enum:
  14253. - v2
  14254. type: string
  14255. mergePolicy:
  14256. default: Replace
  14257. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  14258. enum:
  14259. - Replace
  14260. - Merge
  14261. type: string
  14262. metadata:
  14263. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14264. properties:
  14265. annotations:
  14266. additionalProperties:
  14267. type: string
  14268. type: object
  14269. labels:
  14270. additionalProperties:
  14271. type: string
  14272. type: object
  14273. type: object
  14274. templateFrom:
  14275. items:
  14276. description: TemplateFrom defines a source for template data.
  14277. properties:
  14278. configMap:
  14279. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14280. properties:
  14281. items:
  14282. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14283. items:
  14284. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14285. properties:
  14286. key:
  14287. description: A key in the ConfigMap/Secret
  14288. maxLength: 253
  14289. minLength: 1
  14290. pattern: ^[-._a-zA-Z0-9]+$
  14291. type: string
  14292. templateAs:
  14293. default: Values
  14294. description: TemplateScope defines the scope of the template when processing template data.
  14295. enum:
  14296. - Values
  14297. - KeysAndValues
  14298. type: string
  14299. required:
  14300. - key
  14301. type: object
  14302. type: array
  14303. name:
  14304. description: The name of the ConfigMap/Secret resource
  14305. maxLength: 253
  14306. minLength: 1
  14307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14308. type: string
  14309. required:
  14310. - items
  14311. - name
  14312. type: object
  14313. literal:
  14314. type: string
  14315. secret:
  14316. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14317. properties:
  14318. items:
  14319. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14320. items:
  14321. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14322. properties:
  14323. key:
  14324. description: A key in the ConfigMap/Secret
  14325. maxLength: 253
  14326. minLength: 1
  14327. pattern: ^[-._a-zA-Z0-9]+$
  14328. type: string
  14329. templateAs:
  14330. default: Values
  14331. description: TemplateScope defines the scope of the template when processing template data.
  14332. enum:
  14333. - Values
  14334. - KeysAndValues
  14335. type: string
  14336. required:
  14337. - key
  14338. type: object
  14339. type: array
  14340. name:
  14341. description: The name of the ConfigMap/Secret resource
  14342. maxLength: 253
  14343. minLength: 1
  14344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14345. type: string
  14346. required:
  14347. - items
  14348. - name
  14349. type: object
  14350. target:
  14351. default: Data
  14352. description: TemplateTarget defines the target field where the template result will be stored.
  14353. enum:
  14354. - Data
  14355. - Annotations
  14356. - Labels
  14357. type: string
  14358. type: object
  14359. type: array
  14360. type:
  14361. type: string
  14362. type: object
  14363. type: object
  14364. type: object
  14365. status:
  14366. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14367. properties:
  14368. binding:
  14369. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14370. properties:
  14371. name:
  14372. default: ""
  14373. description: |-
  14374. Name of the referent.
  14375. This field is effectively required, but due to backwards compatibility is
  14376. allowed to be empty. Instances of this type with an empty value here are
  14377. almost certainly wrong.
  14378. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14379. type: string
  14380. type: object
  14381. x-kubernetes-map-type: atomic
  14382. conditions:
  14383. items:
  14384. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14385. properties:
  14386. lastTransitionTime:
  14387. format: date-time
  14388. type: string
  14389. message:
  14390. type: string
  14391. reason:
  14392. type: string
  14393. status:
  14394. type: string
  14395. type:
  14396. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14397. type: string
  14398. required:
  14399. - status
  14400. - type
  14401. type: object
  14402. type: array
  14403. refreshTime:
  14404. description: |-
  14405. refreshTime is the time and date the external secret was fetched and
  14406. the target secret updated
  14407. format: date-time
  14408. nullable: true
  14409. type: string
  14410. syncedResourceVersion:
  14411. description: SyncedResourceVersion keeps track of the last synced version
  14412. type: string
  14413. type: object
  14414. type: object
  14415. served: false
  14416. storage: false
  14417. subresources:
  14418. status: {}
  14419. ---
  14420. apiVersion: apiextensions.k8s.io/v1
  14421. kind: CustomResourceDefinition
  14422. metadata:
  14423. annotations:
  14424. controller-gen.kubebuilder.io/version: v0.19.0
  14425. name: providerclasses.external-secrets.io
  14426. spec:
  14427. group: external-secrets.io
  14428. names:
  14429. categories:
  14430. - externalsecrets
  14431. kind: ProviderClass
  14432. listKind: ProviderClassList
  14433. plural: providerclasses
  14434. shortNames:
  14435. - pc
  14436. singular: providerclass
  14437. scope: Namespaced
  14438. versions:
  14439. - additionalPrinterColumns:
  14440. - jsonPath: .spec.address
  14441. name: Address
  14442. type: string
  14443. name: v1alpha1
  14444. schema:
  14445. openAPIV3Schema:
  14446. description: ProviderClass is a namespaced store runtime class.
  14447. properties:
  14448. apiVersion:
  14449. description: |-
  14450. APIVersion defines the versioned schema of this representation of an object.
  14451. Servers should convert recognized schemas to the latest internal value, and
  14452. may reject unrecognized values.
  14453. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14454. type: string
  14455. kind:
  14456. description: |-
  14457. Kind is a string value representing the REST resource this object represents.
  14458. Servers may infer this from the endpoint the client submits requests to.
  14459. Cannot be updated.
  14460. In CamelCase.
  14461. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14462. type: string
  14463. metadata:
  14464. type: object
  14465. spec:
  14466. description: ProviderClassSpec defines the desired state of ProviderClass.
  14467. properties:
  14468. address:
  14469. minLength: 1
  14470. type: string
  14471. required:
  14472. - address
  14473. type: object
  14474. status:
  14475. description: ProviderClassStatus defines the observed state of ProviderClass.
  14476. properties:
  14477. conditions:
  14478. items:
  14479. description: Condition contains details for one aspect of the current state of this API Resource.
  14480. properties:
  14481. lastTransitionTime:
  14482. description: |-
  14483. lastTransitionTime is the last time the condition transitioned from one status to another.
  14484. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
  14485. format: date-time
  14486. type: string
  14487. message:
  14488. description: |-
  14489. message is a human readable message indicating details about the transition.
  14490. This may be an empty string.
  14491. maxLength: 32768
  14492. type: string
  14493. observedGeneration:
  14494. description: |-
  14495. observedGeneration represents the .metadata.generation that the condition was set based upon.
  14496. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
  14497. with respect to the current state of the instance.
  14498. format: int64
  14499. minimum: 0
  14500. type: integer
  14501. reason:
  14502. description: |-
  14503. reason contains a programmatic identifier indicating the reason for the condition's last transition.
  14504. Producers of specific condition types may define expected values and meanings for this field,
  14505. and whether the values are considered a guaranteed API.
  14506. The value should be a CamelCase string.
  14507. This field may not be empty.
  14508. maxLength: 1024
  14509. minLength: 1
  14510. pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
  14511. type: string
  14512. status:
  14513. description: status of the condition, one of True, False, Unknown.
  14514. enum:
  14515. - "True"
  14516. - "False"
  14517. - Unknown
  14518. type: string
  14519. type:
  14520. description: type of condition in CamelCase or in foo.example.com/CamelCase.
  14521. maxLength: 316
  14522. pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
  14523. type: string
  14524. required:
  14525. - lastTransitionTime
  14526. - message
  14527. - reason
  14528. - status
  14529. - type
  14530. type: object
  14531. type: array
  14532. type: object
  14533. required:
  14534. - spec
  14535. type: object
  14536. served: true
  14537. storage: true
  14538. subresources:
  14539. status: {}
  14540. ---
  14541. apiVersion: apiextensions.k8s.io/v1
  14542. kind: CustomResourceDefinition
  14543. metadata:
  14544. annotations:
  14545. controller-gen.kubebuilder.io/version: v0.19.0
  14546. labels:
  14547. external-secrets.io/component: controller
  14548. name: pushsecrets.external-secrets.io
  14549. spec:
  14550. group: external-secrets.io
  14551. names:
  14552. categories:
  14553. - external-secrets
  14554. kind: PushSecret
  14555. listKind: PushSecretList
  14556. plural: pushsecrets
  14557. shortNames:
  14558. - ps
  14559. singular: pushsecret
  14560. scope: Namespaced
  14561. versions:
  14562. - additionalPrinterColumns:
  14563. - jsonPath: .metadata.creationTimestamp
  14564. name: AGE
  14565. type: date
  14566. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14567. name: Status
  14568. type: string
  14569. - jsonPath: .status.refreshTime
  14570. name: Last Sync
  14571. type: date
  14572. name: v1alpha1
  14573. schema:
  14574. openAPIV3Schema:
  14575. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14576. properties:
  14577. apiVersion:
  14578. description: |-
  14579. APIVersion defines the versioned schema of this representation of an object.
  14580. Servers should convert recognized schemas to the latest internal value, and
  14581. may reject unrecognized values.
  14582. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14583. type: string
  14584. kind:
  14585. description: |-
  14586. Kind is a string value representing the REST resource this object represents.
  14587. Servers may infer this from the endpoint the client submits requests to.
  14588. Cannot be updated.
  14589. In CamelCase.
  14590. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14591. type: string
  14592. metadata:
  14593. type: object
  14594. spec:
  14595. description: PushSecretSpec configures the behavior of the PushSecret.
  14596. properties:
  14597. data:
  14598. description: Secret Data that should be pushed to providers
  14599. items:
  14600. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14601. properties:
  14602. conversionStrategy:
  14603. default: None
  14604. description: Used to define a conversion Strategy for the secret keys
  14605. enum:
  14606. - None
  14607. - ReverseUnicode
  14608. type: string
  14609. match:
  14610. description: Match a given Secret Key to be pushed to the provider.
  14611. properties:
  14612. remoteRef:
  14613. description: Remote Refs to push to providers.
  14614. properties:
  14615. property:
  14616. description: Name of the property in the resulting secret
  14617. type: string
  14618. remoteKey:
  14619. description: Name of the resulting provider secret.
  14620. type: string
  14621. required:
  14622. - remoteKey
  14623. type: object
  14624. secretKey:
  14625. description: Secret Key to be pushed
  14626. type: string
  14627. required:
  14628. - remoteRef
  14629. type: object
  14630. metadata:
  14631. description: |-
  14632. Metadata is metadata attached to the secret.
  14633. The structure of metadata is provider specific, please look it up in the provider documentation.
  14634. x-kubernetes-preserve-unknown-fields: true
  14635. required:
  14636. - match
  14637. type: object
  14638. type: array
  14639. dataTo:
  14640. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14641. items:
  14642. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14643. properties:
  14644. conversionStrategy:
  14645. default: None
  14646. description: Used to define a conversion Strategy for the secret keys
  14647. enum:
  14648. - None
  14649. - ReverseUnicode
  14650. type: string
  14651. match:
  14652. description: |-
  14653. Match pattern for selecting keys from the source Secret.
  14654. If not specified, all keys are selected.
  14655. properties:
  14656. regexp:
  14657. description: |-
  14658. Regexp matches keys by regular expression.
  14659. If not specified, all keys are matched.
  14660. type: string
  14661. type: object
  14662. metadata:
  14663. description: |-
  14664. Metadata is metadata attached to the secret.
  14665. The structure of metadata is provider specific, please look it up in the provider documentation.
  14666. x-kubernetes-preserve-unknown-fields: true
  14667. remoteKey:
  14668. description: |-
  14669. RemoteKey is the name of the single provider secret that will receive ALL
  14670. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14671. When set, per-key expansion is skipped and a single push is performed.
  14672. The provider's store prefix (if any) is still prepended to this value.
  14673. When not set, each matched key is pushed as its own individual provider secret.
  14674. type: string
  14675. rewrite:
  14676. description: |-
  14677. Rewrite operations to transform keys before pushing to the provider.
  14678. Operations are applied sequentially.
  14679. items:
  14680. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14681. properties:
  14682. regexp:
  14683. description: Used to rewrite with regular expressions.
  14684. properties:
  14685. source:
  14686. description: Used to define the regular expression of a re.Compiler.
  14687. type: string
  14688. target:
  14689. description: Used to define the target pattern of a ReplaceAll operation.
  14690. type: string
  14691. required:
  14692. - source
  14693. - target
  14694. type: object
  14695. transform:
  14696. description: Used to apply string transformation on the secrets.
  14697. properties:
  14698. template:
  14699. description: |-
  14700. Used to define the template to apply on the secret name.
  14701. `.value ` will specify the secret name in the template.
  14702. type: string
  14703. required:
  14704. - template
  14705. type: object
  14706. type: object
  14707. x-kubernetes-validations:
  14708. - message: exactly one of regexp or transform must be set
  14709. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14710. type: array
  14711. storeRef:
  14712. description: StoreRef specifies which SecretStore to push to. Required.
  14713. properties:
  14714. apiVersion:
  14715. description: |-
  14716. APIVersion of the referenced store resource.
  14717. This field is optional and depends on the selected store kind.
  14718. type: string
  14719. kind:
  14720. description: Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  14721. enum:
  14722. - SecretStore
  14723. - ClusterSecretStore
  14724. type: string
  14725. labelSelector:
  14726. description: Optionally, sync to secret stores with label selector
  14727. properties:
  14728. matchExpressions:
  14729. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14730. items:
  14731. description: |-
  14732. A label selector requirement is a selector that contains values, a key, and an operator that
  14733. relates the key and values.
  14734. properties:
  14735. key:
  14736. description: key is the label key that the selector applies to.
  14737. type: string
  14738. operator:
  14739. description: |-
  14740. operator represents a key's relationship to a set of values.
  14741. Valid operators are In, NotIn, Exists and DoesNotExist.
  14742. type: string
  14743. values:
  14744. description: |-
  14745. values is an array of string values. If the operator is In or NotIn,
  14746. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14747. the values array must be empty. This array is replaced during a strategic
  14748. merge patch.
  14749. items:
  14750. type: string
  14751. type: array
  14752. x-kubernetes-list-type: atomic
  14753. required:
  14754. - key
  14755. - operator
  14756. type: object
  14757. type: array
  14758. x-kubernetes-list-type: atomic
  14759. matchLabels:
  14760. additionalProperties:
  14761. type: string
  14762. description: |-
  14763. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14764. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14765. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14766. type: object
  14767. type: object
  14768. x-kubernetes-map-type: atomic
  14769. name:
  14770. description: Optionally, sync to the SecretStore of the given name
  14771. maxLength: 253
  14772. minLength: 1
  14773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14774. type: string
  14775. type: object
  14776. type: object
  14777. x-kubernetes-validations:
  14778. - message: storeRef must specify either name or labelSelector
  14779. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14780. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14781. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14782. type: array
  14783. deletionPolicy:
  14784. default: None
  14785. description: Deletion Policy to handle Secrets in the provider.
  14786. enum:
  14787. - Delete
  14788. - None
  14789. type: string
  14790. refreshInterval:
  14791. default: 1h0m0s
  14792. description: The Interval to which External Secrets will try to push a secret definition
  14793. type: string
  14794. secretStoreRefs:
  14795. items:
  14796. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14797. properties:
  14798. apiVersion:
  14799. description: |-
  14800. APIVersion of the referenced store resource.
  14801. This field is optional and depends on the selected store kind.
  14802. type: string
  14803. kind:
  14804. description: Kind of the SecretStore resource (SecretStore, ClusterSecretStore)
  14805. enum:
  14806. - SecretStore
  14807. - ClusterSecretStore
  14808. type: string
  14809. labelSelector:
  14810. description: Optionally, sync to secret stores with label selector
  14811. properties:
  14812. matchExpressions:
  14813. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14814. items:
  14815. description: |-
  14816. A label selector requirement is a selector that contains values, a key, and an operator that
  14817. relates the key and values.
  14818. properties:
  14819. key:
  14820. description: key is the label key that the selector applies to.
  14821. type: string
  14822. operator:
  14823. description: |-
  14824. operator represents a key's relationship to a set of values.
  14825. Valid operators are In, NotIn, Exists and DoesNotExist.
  14826. type: string
  14827. values:
  14828. description: |-
  14829. values is an array of string values. If the operator is In or NotIn,
  14830. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14831. the values array must be empty. This array is replaced during a strategic
  14832. merge patch.
  14833. items:
  14834. type: string
  14835. type: array
  14836. x-kubernetes-list-type: atomic
  14837. required:
  14838. - key
  14839. - operator
  14840. type: object
  14841. type: array
  14842. x-kubernetes-list-type: atomic
  14843. matchLabels:
  14844. additionalProperties:
  14845. type: string
  14846. description: |-
  14847. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14848. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14849. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14850. type: object
  14851. type: object
  14852. x-kubernetes-map-type: atomic
  14853. name:
  14854. description: Optionally, sync to the SecretStore of the given name
  14855. maxLength: 253
  14856. minLength: 1
  14857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14858. type: string
  14859. type: object
  14860. type: array
  14861. selector:
  14862. description: The Secret Selector (k8s source) for the Push Secret
  14863. maxProperties: 1
  14864. minProperties: 1
  14865. properties:
  14866. generatorRef:
  14867. description: Point to a generator to create a Secret.
  14868. properties:
  14869. apiVersion:
  14870. default: generators.external-secrets.io/v1alpha1
  14871. description: Specify the apiVersion of the generator resource
  14872. type: string
  14873. kind:
  14874. description: Specify the Kind of the generator resource
  14875. enum:
  14876. - ACRAccessToken
  14877. - BeyondtrustWorkloadCredentialsDynamicSecret
  14878. - ClusterGenerator
  14879. - CloudsmithAccessToken
  14880. - ECRAuthorizationToken
  14881. - Fake
  14882. - GCRAccessToken
  14883. - GithubAccessToken
  14884. - QuayAccessToken
  14885. - Password
  14886. - SSHKey
  14887. - STSSessionToken
  14888. - UUID
  14889. - VaultDynamicSecret
  14890. - Webhook
  14891. - Grafana
  14892. - MFA
  14893. type: string
  14894. name:
  14895. description: Specify the name of the generator resource
  14896. maxLength: 253
  14897. minLength: 1
  14898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14899. type: string
  14900. required:
  14901. - kind
  14902. - name
  14903. type: object
  14904. secret:
  14905. description: Select a Secret to Push.
  14906. properties:
  14907. name:
  14908. description: |-
  14909. Name of the Secret.
  14910. The Secret must exist in the same namespace as the PushSecret manifest.
  14911. maxLength: 253
  14912. minLength: 1
  14913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14914. type: string
  14915. selector:
  14916. description: Selector chooses secrets using a labelSelector.
  14917. properties:
  14918. matchExpressions:
  14919. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14920. items:
  14921. description: |-
  14922. A label selector requirement is a selector that contains values, a key, and an operator that
  14923. relates the key and values.
  14924. properties:
  14925. key:
  14926. description: key is the label key that the selector applies to.
  14927. type: string
  14928. operator:
  14929. description: |-
  14930. operator represents a key's relationship to a set of values.
  14931. Valid operators are In, NotIn, Exists and DoesNotExist.
  14932. type: string
  14933. values:
  14934. description: |-
  14935. values is an array of string values. If the operator is In or NotIn,
  14936. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14937. the values array must be empty. This array is replaced during a strategic
  14938. merge patch.
  14939. items:
  14940. type: string
  14941. type: array
  14942. x-kubernetes-list-type: atomic
  14943. required:
  14944. - key
  14945. - operator
  14946. type: object
  14947. type: array
  14948. x-kubernetes-list-type: atomic
  14949. matchLabels:
  14950. additionalProperties:
  14951. type: string
  14952. description: |-
  14953. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14954. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14955. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14956. type: object
  14957. type: object
  14958. x-kubernetes-map-type: atomic
  14959. type: object
  14960. type: object
  14961. template:
  14962. description: Template defines a blueprint for the created Secret resource.
  14963. properties:
  14964. data:
  14965. additionalProperties:
  14966. type: string
  14967. type: object
  14968. engineVersion:
  14969. default: v2
  14970. description: |-
  14971. EngineVersion specifies the template engine version
  14972. that should be used to compile/execute the
  14973. template specified in .data and .templateFrom[].
  14974. enum:
  14975. - v2
  14976. type: string
  14977. mergePolicy:
  14978. default: Replace
  14979. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14980. enum:
  14981. - Replace
  14982. - Merge
  14983. type: string
  14984. metadata:
  14985. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14986. properties:
  14987. annotations:
  14988. additionalProperties:
  14989. type: string
  14990. type: object
  14991. finalizers:
  14992. items:
  14993. type: string
  14994. type: array
  14995. labels:
  14996. additionalProperties:
  14997. type: string
  14998. type: object
  14999. type: object
  15000. templateFrom:
  15001. items:
  15002. description: |-
  15003. TemplateFrom specifies a source for templates.
  15004. Each item in the list can either reference a ConfigMap or a Secret resource.
  15005. properties:
  15006. configMap:
  15007. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  15008. properties:
  15009. items:
  15010. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  15011. items:
  15012. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  15013. properties:
  15014. key:
  15015. description: A key in the ConfigMap/Secret
  15016. maxLength: 253
  15017. minLength: 1
  15018. pattern: ^[-._a-zA-Z0-9]+$
  15019. type: string
  15020. templateAs:
  15021. default: Values
  15022. description: TemplateScope specifies how the template keys should be interpreted.
  15023. enum:
  15024. - Values
  15025. - KeysAndValues
  15026. type: string
  15027. required:
  15028. - key
  15029. type: object
  15030. type: array
  15031. name:
  15032. description: The name of the ConfigMap/Secret resource
  15033. maxLength: 253
  15034. minLength: 1
  15035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15036. type: string
  15037. required:
  15038. - items
  15039. - name
  15040. type: object
  15041. literal:
  15042. type: string
  15043. secret:
  15044. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  15045. properties:
  15046. items:
  15047. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  15048. items:
  15049. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  15050. properties:
  15051. key:
  15052. description: A key in the ConfigMap/Secret
  15053. maxLength: 253
  15054. minLength: 1
  15055. pattern: ^[-._a-zA-Z0-9]+$
  15056. type: string
  15057. templateAs:
  15058. default: Values
  15059. description: TemplateScope specifies how the template keys should be interpreted.
  15060. enum:
  15061. - Values
  15062. - KeysAndValues
  15063. type: string
  15064. required:
  15065. - key
  15066. type: object
  15067. type: array
  15068. name:
  15069. description: The name of the ConfigMap/Secret resource
  15070. maxLength: 253
  15071. minLength: 1
  15072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15073. type: string
  15074. required:
  15075. - items
  15076. - name
  15077. type: object
  15078. target:
  15079. default: Data
  15080. description: |-
  15081. Target specifies where to place the template result.
  15082. For Secret resources, common values are: "Data", "Annotations", "Labels".
  15083. For custom resources (when spec.target.manifest is set), this supports
  15084. nested paths like "spec.database.config" or "data".
  15085. type: string
  15086. valuesDecodingStrategy:
  15087. default: None
  15088. description: Used to define a decoding Strategy for the rendered template values.
  15089. enum:
  15090. - Auto
  15091. - Base64
  15092. - Base64URL
  15093. - None
  15094. type: string
  15095. type: object
  15096. type: array
  15097. type:
  15098. type: string
  15099. type: object
  15100. updatePolicy:
  15101. default: Replace
  15102. description: UpdatePolicy to handle Secrets in the provider.
  15103. enum:
  15104. - Replace
  15105. - IfNotExists
  15106. type: string
  15107. required:
  15108. - secretStoreRefs
  15109. - selector
  15110. type: object
  15111. status:
  15112. description: PushSecretStatus indicates the history of the status of PushSecret.
  15113. properties:
  15114. conditions:
  15115. items:
  15116. description: PushSecretStatusCondition indicates the status of the PushSecret.
  15117. properties:
  15118. lastTransitionTime:
  15119. format: date-time
  15120. type: string
  15121. message:
  15122. type: string
  15123. reason:
  15124. type: string
  15125. status:
  15126. type: string
  15127. type:
  15128. description: PushSecretConditionType indicates the condition of the PushSecret.
  15129. type: string
  15130. required:
  15131. - status
  15132. - type
  15133. type: object
  15134. type: array
  15135. refreshTime:
  15136. description: |-
  15137. refreshTime is the time and date the external secret was fetched and
  15138. the target secret updated
  15139. format: date-time
  15140. nullable: true
  15141. type: string
  15142. syncedPushSecrets:
  15143. additionalProperties:
  15144. additionalProperties:
  15145. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  15146. properties:
  15147. conversionStrategy:
  15148. default: None
  15149. description: Used to define a conversion Strategy for the secret keys
  15150. enum:
  15151. - None
  15152. - ReverseUnicode
  15153. type: string
  15154. match:
  15155. description: Match a given Secret Key to be pushed to the provider.
  15156. properties:
  15157. remoteRef:
  15158. description: Remote Refs to push to providers.
  15159. properties:
  15160. property:
  15161. description: Name of the property in the resulting secret
  15162. type: string
  15163. remoteKey:
  15164. description: Name of the resulting provider secret.
  15165. type: string
  15166. required:
  15167. - remoteKey
  15168. type: object
  15169. secretKey:
  15170. description: Secret Key to be pushed
  15171. type: string
  15172. required:
  15173. - remoteRef
  15174. type: object
  15175. metadata:
  15176. description: |-
  15177. Metadata is metadata attached to the secret.
  15178. The structure of metadata is provider specific, please look it up in the provider documentation.
  15179. x-kubernetes-preserve-unknown-fields: true
  15180. required:
  15181. - match
  15182. type: object
  15183. type: object
  15184. description: |-
  15185. Synced PushSecrets, including secrets that already exist in provider.
  15186. Matches secret stores to PushSecretData that was stored to that secret store.
  15187. type: object
  15188. syncedResourceVersion:
  15189. description: SyncedResourceVersion keeps track of the last synced version.
  15190. type: string
  15191. type: object
  15192. type: object
  15193. served: true
  15194. storage: true
  15195. subresources:
  15196. status: {}
  15197. ---
  15198. apiVersion: apiextensions.k8s.io/v1
  15199. kind: CustomResourceDefinition
  15200. metadata:
  15201. annotations:
  15202. controller-gen.kubebuilder.io/version: v0.19.0
  15203. labels:
  15204. external-secrets.io/component: controller
  15205. name: secretstores.external-secrets.io
  15206. spec:
  15207. group: external-secrets.io
  15208. names:
  15209. categories:
  15210. - external-secrets
  15211. kind: SecretStore
  15212. listKind: SecretStoreList
  15213. plural: secretstores
  15214. shortNames:
  15215. - ss
  15216. singular: secretstore
  15217. scope: Namespaced
  15218. versions:
  15219. - additionalPrinterColumns:
  15220. - jsonPath: .metadata.creationTimestamp
  15221. name: AGE
  15222. type: date
  15223. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  15224. name: Status
  15225. type: string
  15226. - jsonPath: .status.capabilities
  15227. name: Capabilities
  15228. type: string
  15229. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  15230. name: Ready
  15231. type: string
  15232. name: v1
  15233. schema:
  15234. openAPIV3Schema:
  15235. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  15236. properties:
  15237. apiVersion:
  15238. description: |-
  15239. APIVersion defines the versioned schema of this representation of an object.
  15240. Servers should convert recognized schemas to the latest internal value, and
  15241. may reject unrecognized values.
  15242. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  15243. type: string
  15244. kind:
  15245. description: |-
  15246. Kind is a string value representing the REST resource this object represents.
  15247. Servers may infer this from the endpoint the client submits requests to.
  15248. Cannot be updated.
  15249. In CamelCase.
  15250. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  15251. type: string
  15252. metadata:
  15253. type: object
  15254. spec:
  15255. description: SecretStoreSpec defines the desired state of SecretStore.
  15256. properties:
  15257. conditions:
  15258. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  15259. items:
  15260. description: |-
  15261. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  15262. for a ClusterSecretStore instance.
  15263. properties:
  15264. namespaceRegexes:
  15265. description: Choose namespaces by using regex matching
  15266. items:
  15267. type: string
  15268. type: array
  15269. namespaceSelector:
  15270. description: Choose namespace using a labelSelector
  15271. properties:
  15272. matchExpressions:
  15273. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  15274. items:
  15275. description: |-
  15276. A label selector requirement is a selector that contains values, a key, and an operator that
  15277. relates the key and values.
  15278. properties:
  15279. key:
  15280. description: key is the label key that the selector applies to.
  15281. type: string
  15282. operator:
  15283. description: |-
  15284. operator represents a key's relationship to a set of values.
  15285. Valid operators are In, NotIn, Exists and DoesNotExist.
  15286. type: string
  15287. values:
  15288. description: |-
  15289. values is an array of string values. If the operator is In or NotIn,
  15290. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  15291. the values array must be empty. This array is replaced during a strategic
  15292. merge patch.
  15293. items:
  15294. type: string
  15295. type: array
  15296. x-kubernetes-list-type: atomic
  15297. required:
  15298. - key
  15299. - operator
  15300. type: object
  15301. type: array
  15302. x-kubernetes-list-type: atomic
  15303. matchLabels:
  15304. additionalProperties:
  15305. type: string
  15306. description: |-
  15307. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  15308. map is equivalent to an element of matchExpressions, whose key field is "key", the
  15309. operator is "In", and the values array contains only "value". The requirements are ANDed.
  15310. type: object
  15311. type: object
  15312. x-kubernetes-map-type: atomic
  15313. namespaces:
  15314. description: Choose namespaces by name
  15315. items:
  15316. maxLength: 63
  15317. minLength: 1
  15318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15319. type: string
  15320. type: array
  15321. type: object
  15322. type: array
  15323. controller:
  15324. description: |-
  15325. Used to select the correct ESO controller (think: ingress.ingressClassName)
  15326. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  15327. type: string
  15328. provider:
  15329. description: Used to configure the provider. Only one provider may be set
  15330. maxProperties: 1
  15331. minProperties: 1
  15332. properties:
  15333. akeyless:
  15334. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  15335. properties:
  15336. akeylessGWApiURL:
  15337. description: Akeyless GW API Url from which the secrets to be fetched from.
  15338. type: string
  15339. authSecretRef:
  15340. description: Auth configures how the operator authenticates with Akeyless.
  15341. properties:
  15342. kubernetesAuth:
  15343. description: |-
  15344. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  15345. token stored in the named Secret resource.
  15346. properties:
  15347. accessID:
  15348. description: the Akeyless Kubernetes auth-method access-id
  15349. type: string
  15350. k8sConfName:
  15351. description: Kubernetes-auth configuration name in Akeyless-Gateway
  15352. type: string
  15353. secretRef:
  15354. description: |-
  15355. Optional secret field containing a Kubernetes ServiceAccount JWT used
  15356. for authenticating with Akeyless. If a name is specified without a key,
  15357. `token` is the default. If one is not specified, the one bound to
  15358. the controller will be used.
  15359. properties:
  15360. key:
  15361. description: |-
  15362. A key in the referenced Secret.
  15363. Some instances of this field may be defaulted, in others it may be required.
  15364. maxLength: 253
  15365. minLength: 1
  15366. pattern: ^[-._a-zA-Z0-9]+$
  15367. type: string
  15368. name:
  15369. description: The name of the Secret resource being referred to.
  15370. maxLength: 253
  15371. minLength: 1
  15372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15373. type: string
  15374. namespace:
  15375. description: |-
  15376. The namespace of the Secret resource being referred to.
  15377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15378. maxLength: 63
  15379. minLength: 1
  15380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15381. type: string
  15382. type: object
  15383. serviceAccountRef:
  15384. description: |-
  15385. Optional service account field containing the name of a kubernetes ServiceAccount.
  15386. If the service account is specified, the service account secret token JWT will be used
  15387. for authenticating with Akeyless. If the service account selector is not supplied,
  15388. the secretRef will be used instead.
  15389. properties:
  15390. audiences:
  15391. description: |-
  15392. Audience specifies the `aud` claim for the service account token
  15393. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15394. then this audiences will be appended to the list
  15395. items:
  15396. type: string
  15397. type: array
  15398. name:
  15399. description: The name of the ServiceAccount resource being referred to.
  15400. maxLength: 253
  15401. minLength: 1
  15402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15403. type: string
  15404. namespace:
  15405. description: |-
  15406. Namespace of the resource being referred to.
  15407. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15408. maxLength: 63
  15409. minLength: 1
  15410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15411. type: string
  15412. required:
  15413. - name
  15414. type: object
  15415. required:
  15416. - accessID
  15417. - k8sConfName
  15418. type: object
  15419. secretRef:
  15420. description: |-
  15421. Reference to a Secret that contains the details
  15422. to authenticate with Akeyless.
  15423. properties:
  15424. accessID:
  15425. description: The SecretAccessID is used for authentication
  15426. properties:
  15427. key:
  15428. description: |-
  15429. A key in the referenced Secret.
  15430. Some instances of this field may be defaulted, in others it may be required.
  15431. maxLength: 253
  15432. minLength: 1
  15433. pattern: ^[-._a-zA-Z0-9]+$
  15434. type: string
  15435. name:
  15436. description: The name of the Secret resource being referred to.
  15437. maxLength: 253
  15438. minLength: 1
  15439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15440. type: string
  15441. namespace:
  15442. description: |-
  15443. The namespace of the Secret resource being referred to.
  15444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15445. maxLength: 63
  15446. minLength: 1
  15447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15448. type: string
  15449. type: object
  15450. accessType:
  15451. description: |-
  15452. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15453. In some instances, `key` is a required field.
  15454. properties:
  15455. key:
  15456. description: |-
  15457. A key in the referenced Secret.
  15458. Some instances of this field may be defaulted, in others it may be required.
  15459. maxLength: 253
  15460. minLength: 1
  15461. pattern: ^[-._a-zA-Z0-9]+$
  15462. type: string
  15463. name:
  15464. description: The name of the Secret resource being referred to.
  15465. maxLength: 253
  15466. minLength: 1
  15467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15468. type: string
  15469. namespace:
  15470. description: |-
  15471. The namespace of the Secret resource being referred to.
  15472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15473. maxLength: 63
  15474. minLength: 1
  15475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15476. type: string
  15477. type: object
  15478. accessTypeParam:
  15479. description: |-
  15480. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15481. In some instances, `key` is a required field.
  15482. properties:
  15483. key:
  15484. description: |-
  15485. A key in the referenced Secret.
  15486. Some instances of this field may be defaulted, in others it may be required.
  15487. maxLength: 253
  15488. minLength: 1
  15489. pattern: ^[-._a-zA-Z0-9]+$
  15490. type: string
  15491. name:
  15492. description: The name of the Secret resource being referred to.
  15493. maxLength: 253
  15494. minLength: 1
  15495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15496. type: string
  15497. namespace:
  15498. description: |-
  15499. The namespace of the Secret resource being referred to.
  15500. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15501. maxLength: 63
  15502. minLength: 1
  15503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15504. type: string
  15505. type: object
  15506. type: object
  15507. type: object
  15508. caBundle:
  15509. description: |-
  15510. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  15511. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  15512. are used to validate the TLS connection.
  15513. format: byte
  15514. type: string
  15515. caProvider:
  15516. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15517. properties:
  15518. key:
  15519. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15520. maxLength: 253
  15521. minLength: 1
  15522. pattern: ^[-._a-zA-Z0-9]+$
  15523. type: string
  15524. name:
  15525. description: The name of the object located at the provider type.
  15526. maxLength: 253
  15527. minLength: 1
  15528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15529. type: string
  15530. namespace:
  15531. description: |-
  15532. The namespace the Provider type is in.
  15533. Can only be defined when used in a ClusterSecretStore.
  15534. maxLength: 63
  15535. minLength: 1
  15536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15537. type: string
  15538. type:
  15539. description: The type of provider to use such as "Secret", or "ConfigMap".
  15540. enum:
  15541. - Secret
  15542. - ConfigMap
  15543. type: string
  15544. required:
  15545. - name
  15546. - type
  15547. type: object
  15548. required:
  15549. - akeylessGWApiURL
  15550. - authSecretRef
  15551. type: object
  15552. aws:
  15553. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15554. properties:
  15555. additionalRoles:
  15556. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15557. items:
  15558. type: string
  15559. type: array
  15560. auth:
  15561. description: |-
  15562. Auth defines the information necessary to authenticate against AWS
  15563. if not set aws sdk will infer credentials from your environment
  15564. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15565. properties:
  15566. jwt:
  15567. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  15568. properties:
  15569. serviceAccountRef:
  15570. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15571. properties:
  15572. audiences:
  15573. description: |-
  15574. Audience specifies the `aud` claim for the service account token
  15575. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15576. then this audiences will be appended to the list
  15577. items:
  15578. type: string
  15579. type: array
  15580. name:
  15581. description: The name of the ServiceAccount resource being referred to.
  15582. maxLength: 253
  15583. minLength: 1
  15584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15585. type: string
  15586. namespace:
  15587. description: |-
  15588. Namespace of the resource being referred to.
  15589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15590. maxLength: 63
  15591. minLength: 1
  15592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15593. type: string
  15594. required:
  15595. - name
  15596. type: object
  15597. type: object
  15598. secretRef:
  15599. description: |-
  15600. AWSAuthSecretRef holds secret references for AWS credentials
  15601. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15602. properties:
  15603. accessKeyIDSecretRef:
  15604. description: The AccessKeyID is used for authentication
  15605. properties:
  15606. key:
  15607. description: |-
  15608. A key in the referenced Secret.
  15609. Some instances of this field may be defaulted, in others it may be required.
  15610. maxLength: 253
  15611. minLength: 1
  15612. pattern: ^[-._a-zA-Z0-9]+$
  15613. type: string
  15614. name:
  15615. description: The name of the Secret resource being referred to.
  15616. maxLength: 253
  15617. minLength: 1
  15618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15619. type: string
  15620. namespace:
  15621. description: |-
  15622. The namespace of the Secret resource being referred to.
  15623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15624. maxLength: 63
  15625. minLength: 1
  15626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15627. type: string
  15628. type: object
  15629. secretAccessKeySecretRef:
  15630. description: The SecretAccessKey is used for authentication
  15631. properties:
  15632. key:
  15633. description: |-
  15634. A key in the referenced Secret.
  15635. Some instances of this field may be defaulted, in others it may be required.
  15636. maxLength: 253
  15637. minLength: 1
  15638. pattern: ^[-._a-zA-Z0-9]+$
  15639. type: string
  15640. name:
  15641. description: The name of the Secret resource being referred to.
  15642. maxLength: 253
  15643. minLength: 1
  15644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15645. type: string
  15646. namespace:
  15647. description: |-
  15648. The namespace of the Secret resource being referred to.
  15649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15650. maxLength: 63
  15651. minLength: 1
  15652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15653. type: string
  15654. type: object
  15655. sessionTokenSecretRef:
  15656. description: |-
  15657. The SessionToken used for authentication
  15658. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15659. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15660. properties:
  15661. key:
  15662. description: |-
  15663. A key in the referenced Secret.
  15664. Some instances of this field may be defaulted, in others it may be required.
  15665. maxLength: 253
  15666. minLength: 1
  15667. pattern: ^[-._a-zA-Z0-9]+$
  15668. type: string
  15669. name:
  15670. description: The name of the Secret resource being referred to.
  15671. maxLength: 253
  15672. minLength: 1
  15673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15674. type: string
  15675. namespace:
  15676. description: |-
  15677. The namespace of the Secret resource being referred to.
  15678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15679. maxLength: 63
  15680. minLength: 1
  15681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15682. type: string
  15683. type: object
  15684. type: object
  15685. type: object
  15686. customSessionTags:
  15687. additionalProperties:
  15688. type: string
  15689. description: |-
  15690. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15691. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15692. type: object
  15693. x-kubernetes-validations:
  15694. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15695. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15696. externalID:
  15697. description: AWS External ID set on assumed IAM roles
  15698. type: string
  15699. prefix:
  15700. description: Prefix adds a prefix to all retrieved values.
  15701. type: string
  15702. region:
  15703. description: AWS Region to be used for the provider
  15704. type: string
  15705. role:
  15706. description: Role is a Role ARN which the provider will assume
  15707. type: string
  15708. secretsManager:
  15709. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15710. properties:
  15711. forceDeleteWithoutRecovery:
  15712. description: |-
  15713. Specifies whether to delete the secret without any recovery window. You
  15714. can't use both this parameter and RecoveryWindowInDays in the same call.
  15715. If you don't use either, then by default Secrets Manager uses a 30 day
  15716. recovery window.
  15717. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15718. type: boolean
  15719. recoveryWindowInDays:
  15720. description: |-
  15721. The number of days from 7 to 30 that Secrets Manager waits before
  15722. permanently deleting the secret. You can't use both this parameter and
  15723. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15724. then by default Secrets Manager uses a 30-day recovery window.
  15725. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15726. type: integer
  15727. type: object
  15728. service:
  15729. description: Service defines which service should be used to fetch the secrets
  15730. enum:
  15731. - SecretsManager
  15732. - ParameterStore
  15733. type: string
  15734. sessionTags:
  15735. description: AWS STS assume role session tags
  15736. items:
  15737. description: |-
  15738. Tag is a key-value pair that can be attached to an AWS resource.
  15739. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15740. properties:
  15741. key:
  15742. type: string
  15743. value:
  15744. type: string
  15745. required:
  15746. - key
  15747. - value
  15748. type: object
  15749. type: array
  15750. sessionTagsPolicy:
  15751. default: None
  15752. description: |-
  15753. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15754. None (default): no tags are added.
  15755. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15756. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15757. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15758. enum:
  15759. - None
  15760. - Simple
  15761. - Custom
  15762. type: string
  15763. transitiveTagKeys:
  15764. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15765. items:
  15766. type: string
  15767. type: array
  15768. required:
  15769. - region
  15770. - service
  15771. type: object
  15772. azurekv:
  15773. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15774. properties:
  15775. authSecretRef:
  15776. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15777. properties:
  15778. clientCertificate:
  15779. description: The Azure ClientCertificate of the service principle used for authentication.
  15780. properties:
  15781. key:
  15782. description: |-
  15783. A key in the referenced Secret.
  15784. Some instances of this field may be defaulted, in others it may be required.
  15785. maxLength: 253
  15786. minLength: 1
  15787. pattern: ^[-._a-zA-Z0-9]+$
  15788. type: string
  15789. name:
  15790. description: The name of the Secret resource being referred to.
  15791. maxLength: 253
  15792. minLength: 1
  15793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15794. type: string
  15795. namespace:
  15796. description: |-
  15797. The namespace of the Secret resource being referred to.
  15798. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15799. maxLength: 63
  15800. minLength: 1
  15801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15802. type: string
  15803. type: object
  15804. clientId:
  15805. description: The Azure clientId of the service principle or managed identity used for authentication.
  15806. properties:
  15807. key:
  15808. description: |-
  15809. A key in the referenced Secret.
  15810. Some instances of this field may be defaulted, in others it may be required.
  15811. maxLength: 253
  15812. minLength: 1
  15813. pattern: ^[-._a-zA-Z0-9]+$
  15814. type: string
  15815. name:
  15816. description: The name of the Secret resource being referred to.
  15817. maxLength: 253
  15818. minLength: 1
  15819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15820. type: string
  15821. namespace:
  15822. description: |-
  15823. The namespace of the Secret resource being referred to.
  15824. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15825. maxLength: 63
  15826. minLength: 1
  15827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15828. type: string
  15829. type: object
  15830. clientSecret:
  15831. description: The Azure ClientSecret of the service principle used for authentication.
  15832. properties:
  15833. key:
  15834. description: |-
  15835. A key in the referenced Secret.
  15836. Some instances of this field may be defaulted, in others it may be required.
  15837. maxLength: 253
  15838. minLength: 1
  15839. pattern: ^[-._a-zA-Z0-9]+$
  15840. type: string
  15841. name:
  15842. description: The name of the Secret resource being referred to.
  15843. maxLength: 253
  15844. minLength: 1
  15845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15846. type: string
  15847. namespace:
  15848. description: |-
  15849. The namespace of the Secret resource being referred to.
  15850. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15851. maxLength: 63
  15852. minLength: 1
  15853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15854. type: string
  15855. type: object
  15856. tenantId:
  15857. description: The Azure tenantId of the managed identity used for authentication.
  15858. properties:
  15859. key:
  15860. description: |-
  15861. A key in the referenced Secret.
  15862. Some instances of this field may be defaulted, in others it may be required.
  15863. maxLength: 253
  15864. minLength: 1
  15865. pattern: ^[-._a-zA-Z0-9]+$
  15866. type: string
  15867. name:
  15868. description: The name of the Secret resource being referred to.
  15869. maxLength: 253
  15870. minLength: 1
  15871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15872. type: string
  15873. namespace:
  15874. description: |-
  15875. The namespace of the Secret resource being referred to.
  15876. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15877. maxLength: 63
  15878. minLength: 1
  15879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15880. type: string
  15881. type: object
  15882. type: object
  15883. authType:
  15884. default: ServicePrincipal
  15885. description: |-
  15886. Auth type defines how to authenticate to the keyvault service.
  15887. Valid values are:
  15888. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15889. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15890. enum:
  15891. - ServicePrincipal
  15892. - ManagedIdentity
  15893. - WorkloadIdentity
  15894. type: string
  15895. customCloudConfig:
  15896. description: |-
  15897. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15898. Required when EnvironmentType is AzureStackCloud.
  15899. Optional for other environment types - useful for Azure China when using Workload Identity
  15900. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15901. standard China Cloud endpoint (login.chinacloudapi.cn).
  15902. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15903. configuration is not supported with the legacy go-autorest SDK.
  15904. properties:
  15905. activeDirectoryEndpoint:
  15906. description: |-
  15907. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15908. Required when using custom cloud configuration
  15909. type: string
  15910. keyVaultDNSSuffix:
  15911. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15912. type: string
  15913. keyVaultEndpoint:
  15914. description: KeyVaultEndpoint is the Key Vault service endpoint
  15915. type: string
  15916. resourceManagerEndpoint:
  15917. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15918. type: string
  15919. required:
  15920. - activeDirectoryEndpoint
  15921. type: object
  15922. environmentType:
  15923. default: PublicCloud
  15924. description: |-
  15925. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15926. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15927. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15928. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15929. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15930. enum:
  15931. - PublicCloud
  15932. - USGovernmentCloud
  15933. - ChinaCloud
  15934. - GermanCloud
  15935. - AzureStackCloud
  15936. type: string
  15937. identityId:
  15938. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  15939. type: string
  15940. serviceAccountRef:
  15941. description: |-
  15942. ServiceAccountRef specified the service account
  15943. that should be used when authenticating with WorkloadIdentity.
  15944. properties:
  15945. audiences:
  15946. description: |-
  15947. Audience specifies the `aud` claim for the service account token
  15948. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15949. then this audiences will be appended to the list
  15950. items:
  15951. type: string
  15952. type: array
  15953. name:
  15954. description: The name of the ServiceAccount resource being referred to.
  15955. maxLength: 253
  15956. minLength: 1
  15957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15958. type: string
  15959. namespace:
  15960. description: |-
  15961. Namespace of the resource being referred to.
  15962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15963. maxLength: 63
  15964. minLength: 1
  15965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15966. type: string
  15967. required:
  15968. - name
  15969. type: object
  15970. tenantId:
  15971. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15972. type: string
  15973. useAzureSDK:
  15974. default: false
  15975. description: |-
  15976. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15977. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15978. type: boolean
  15979. vaultUrl:
  15980. description: Vault Url from which the secrets to be fetched from.
  15981. type: string
  15982. required:
  15983. - vaultUrl
  15984. type: object
  15985. barbican:
  15986. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15987. properties:
  15988. auth:
  15989. description: BarbicanAuth contains the authentication information for Barbican.
  15990. properties:
  15991. password:
  15992. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15993. properties:
  15994. secretRef:
  15995. description: |-
  15996. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15997. In some instances, `key` is a required field.
  15998. properties:
  15999. key:
  16000. description: |-
  16001. A key in the referenced Secret.
  16002. Some instances of this field may be defaulted, in others it may be required.
  16003. maxLength: 253
  16004. minLength: 1
  16005. pattern: ^[-._a-zA-Z0-9]+$
  16006. type: string
  16007. name:
  16008. description: The name of the Secret resource being referred to.
  16009. maxLength: 253
  16010. minLength: 1
  16011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16012. type: string
  16013. namespace:
  16014. description: |-
  16015. The namespace of the Secret resource being referred to.
  16016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16017. maxLength: 63
  16018. minLength: 1
  16019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16020. type: string
  16021. type: object
  16022. required:
  16023. - secretRef
  16024. type: object
  16025. username:
  16026. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  16027. maxProperties: 1
  16028. minProperties: 1
  16029. properties:
  16030. secretRef:
  16031. description: |-
  16032. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16033. In some instances, `key` is a required field.
  16034. properties:
  16035. key:
  16036. description: |-
  16037. A key in the referenced Secret.
  16038. Some instances of this field may be defaulted, in others it may be required.
  16039. maxLength: 253
  16040. minLength: 1
  16041. pattern: ^[-._a-zA-Z0-9]+$
  16042. type: string
  16043. name:
  16044. description: The name of the Secret resource being referred to.
  16045. maxLength: 253
  16046. minLength: 1
  16047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16048. type: string
  16049. namespace:
  16050. description: |-
  16051. The namespace of the Secret resource being referred to.
  16052. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16053. maxLength: 63
  16054. minLength: 1
  16055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16056. type: string
  16057. type: object
  16058. value:
  16059. type: string
  16060. type: object
  16061. required:
  16062. - password
  16063. - username
  16064. type: object
  16065. authURL:
  16066. type: string
  16067. domainName:
  16068. type: string
  16069. region:
  16070. type: string
  16071. tenantName:
  16072. type: string
  16073. required:
  16074. - auth
  16075. type: object
  16076. beyondtrust:
  16077. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  16078. properties:
  16079. auth:
  16080. description: Auth configures how the operator authenticates with Beyondtrust.
  16081. properties:
  16082. apiKey:
  16083. description: APIKey If not provided then ClientID/ClientSecret become required.
  16084. properties:
  16085. secretRef:
  16086. description: SecretRef references a key in a secret that will be used as value.
  16087. properties:
  16088. key:
  16089. description: |-
  16090. A key in the referenced Secret.
  16091. Some instances of this field may be defaulted, in others it may be required.
  16092. maxLength: 253
  16093. minLength: 1
  16094. pattern: ^[-._a-zA-Z0-9]+$
  16095. type: string
  16096. name:
  16097. description: The name of the Secret resource being referred to.
  16098. maxLength: 253
  16099. minLength: 1
  16100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16101. type: string
  16102. namespace:
  16103. description: |-
  16104. The namespace of the Secret resource being referred to.
  16105. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16106. maxLength: 63
  16107. minLength: 1
  16108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16109. type: string
  16110. type: object
  16111. value:
  16112. description: Value can be specified directly to set a value without using a secret.
  16113. type: string
  16114. type: object
  16115. certificate:
  16116. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  16117. properties:
  16118. secretRef:
  16119. description: SecretRef references a key in a secret that will be used as value.
  16120. properties:
  16121. key:
  16122. description: |-
  16123. A key in the referenced Secret.
  16124. Some instances of this field may be defaulted, in others it may be required.
  16125. maxLength: 253
  16126. minLength: 1
  16127. pattern: ^[-._a-zA-Z0-9]+$
  16128. type: string
  16129. name:
  16130. description: The name of the Secret resource being referred to.
  16131. maxLength: 253
  16132. minLength: 1
  16133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16134. type: string
  16135. namespace:
  16136. description: |-
  16137. The namespace of the Secret resource being referred to.
  16138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16139. maxLength: 63
  16140. minLength: 1
  16141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16142. type: string
  16143. type: object
  16144. value:
  16145. description: Value can be specified directly to set a value without using a secret.
  16146. type: string
  16147. type: object
  16148. certificateKey:
  16149. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  16150. properties:
  16151. secretRef:
  16152. description: SecretRef references a key in a secret that will be used as value.
  16153. properties:
  16154. key:
  16155. description: |-
  16156. A key in the referenced Secret.
  16157. Some instances of this field may be defaulted, in others it may be required.
  16158. maxLength: 253
  16159. minLength: 1
  16160. pattern: ^[-._a-zA-Z0-9]+$
  16161. type: string
  16162. name:
  16163. description: The name of the Secret resource being referred to.
  16164. maxLength: 253
  16165. minLength: 1
  16166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16167. type: string
  16168. namespace:
  16169. description: |-
  16170. The namespace of the Secret resource being referred to.
  16171. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16172. maxLength: 63
  16173. minLength: 1
  16174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16175. type: string
  16176. type: object
  16177. value:
  16178. description: Value can be specified directly to set a value without using a secret.
  16179. type: string
  16180. type: object
  16181. clientId:
  16182. description: ClientID is the API OAuth Client ID.
  16183. properties:
  16184. secretRef:
  16185. description: SecretRef references a key in a secret that will be used as value.
  16186. properties:
  16187. key:
  16188. description: |-
  16189. A key in the referenced Secret.
  16190. Some instances of this field may be defaulted, in others it may be required.
  16191. maxLength: 253
  16192. minLength: 1
  16193. pattern: ^[-._a-zA-Z0-9]+$
  16194. type: string
  16195. name:
  16196. description: The name of the Secret resource being referred to.
  16197. maxLength: 253
  16198. minLength: 1
  16199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16200. type: string
  16201. namespace:
  16202. description: |-
  16203. The namespace of the Secret resource being referred to.
  16204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16205. maxLength: 63
  16206. minLength: 1
  16207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16208. type: string
  16209. type: object
  16210. value:
  16211. description: Value can be specified directly to set a value without using a secret.
  16212. type: string
  16213. type: object
  16214. clientSecret:
  16215. description: ClientSecret is the API OAuth Client Secret.
  16216. properties:
  16217. secretRef:
  16218. description: SecretRef references a key in a secret that will be used as value.
  16219. properties:
  16220. key:
  16221. description: |-
  16222. A key in the referenced Secret.
  16223. Some instances of this field may be defaulted, in others it may be required.
  16224. maxLength: 253
  16225. minLength: 1
  16226. pattern: ^[-._a-zA-Z0-9]+$
  16227. type: string
  16228. name:
  16229. description: The name of the Secret resource being referred to.
  16230. maxLength: 253
  16231. minLength: 1
  16232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16233. type: string
  16234. namespace:
  16235. description: |-
  16236. The namespace of the Secret resource being referred to.
  16237. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16238. maxLength: 63
  16239. minLength: 1
  16240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16241. type: string
  16242. type: object
  16243. value:
  16244. description: Value can be specified directly to set a value without using a secret.
  16245. type: string
  16246. type: object
  16247. type: object
  16248. server:
  16249. description: Auth configures how API server works.
  16250. properties:
  16251. apiUrl:
  16252. type: string
  16253. apiVersion:
  16254. type: string
  16255. clientTimeOutSeconds:
  16256. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  16257. type: integer
  16258. decrypt:
  16259. default: true
  16260. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  16261. type: boolean
  16262. retrievalType:
  16263. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  16264. type: string
  16265. separator:
  16266. description: A character that separates the folder names.
  16267. type: string
  16268. verifyCA:
  16269. type: boolean
  16270. required:
  16271. - apiUrl
  16272. - verifyCA
  16273. type: object
  16274. required:
  16275. - auth
  16276. - server
  16277. type: object
  16278. beyondtrustworkloadcredentials:
  16279. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  16280. properties:
  16281. auth:
  16282. description: |-
  16283. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  16284. Currently supports API key authentication via Kubernetes secret reference.
  16285. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16286. properties:
  16287. apikey:
  16288. description: |-
  16289. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  16290. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  16291. properties:
  16292. token:
  16293. description: |-
  16294. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  16295. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  16296. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  16297. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16298. properties:
  16299. key:
  16300. description: |-
  16301. A key in the referenced Secret.
  16302. Some instances of this field may be defaulted, in others it may be required.
  16303. maxLength: 253
  16304. minLength: 1
  16305. pattern: ^[-._a-zA-Z0-9]+$
  16306. type: string
  16307. name:
  16308. description: The name of the Secret resource being referred to.
  16309. maxLength: 253
  16310. minLength: 1
  16311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16312. type: string
  16313. namespace:
  16314. description: |-
  16315. The namespace of the Secret resource being referred to.
  16316. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16317. maxLength: 63
  16318. minLength: 1
  16319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16320. type: string
  16321. type: object
  16322. required:
  16323. - token
  16324. type: object
  16325. required:
  16326. - apikey
  16327. type: object
  16328. caBundle:
  16329. description: |-
  16330. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16331. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  16332. If not set, the system's trusted root certificates are used.
  16333. format: byte
  16334. type: string
  16335. caProvider:
  16336. description: |-
  16337. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  16338. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16339. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  16340. properties:
  16341. key:
  16342. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16343. maxLength: 253
  16344. minLength: 1
  16345. pattern: ^[-._a-zA-Z0-9]+$
  16346. type: string
  16347. name:
  16348. description: The name of the object located at the provider type.
  16349. maxLength: 253
  16350. minLength: 1
  16351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16352. type: string
  16353. namespace:
  16354. description: |-
  16355. The namespace the Provider type is in.
  16356. Can only be defined when used in a ClusterSecretStore.
  16357. maxLength: 63
  16358. minLength: 1
  16359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16360. type: string
  16361. type:
  16362. description: The type of provider to use such as "Secret", or "ConfigMap".
  16363. enum:
  16364. - Secret
  16365. - ConfigMap
  16366. type: string
  16367. required:
  16368. - name
  16369. - type
  16370. type: object
  16371. folderPath:
  16372. description: |-
  16373. FolderPath specifies the default folder path for secret retrieval.
  16374. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  16375. Example: "production/database" or "dev/api-keys"
  16376. Leave empty to retrieve secrets from the root folder.
  16377. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  16378. type: string
  16379. server:
  16380. description: |-
  16381. Server configures the BeyondTrust Workload Credentials server connection details.
  16382. Includes the API URL and Site ID for your BeyondTrust instance.
  16383. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16384. properties:
  16385. apiUrl:
  16386. description: |-
  16387. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  16388. This should be the full URL to your BeyondTrust instance.
  16389. Example: https://api.beyondtrust.io/siie
  16390. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  16391. type: string
  16392. siteId:
  16393. description: |-
  16394. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  16395. This identifier is unique to your BeyondTrust Workload Credentials instance.
  16396. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  16397. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  16398. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16399. type: string
  16400. required:
  16401. - apiUrl
  16402. - siteId
  16403. type: object
  16404. required:
  16405. - auth
  16406. - server
  16407. type: object
  16408. bitwardensecretsmanager:
  16409. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  16410. properties:
  16411. apiURL:
  16412. type: string
  16413. auth:
  16414. description: |-
  16415. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16416. Make sure that the token being used has permissions on the given secret.
  16417. properties:
  16418. secretRef:
  16419. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16420. properties:
  16421. credentials:
  16422. description: AccessToken used for the bitwarden instance.
  16423. properties:
  16424. key:
  16425. description: |-
  16426. A key in the referenced Secret.
  16427. Some instances of this field may be defaulted, in others it may be required.
  16428. maxLength: 253
  16429. minLength: 1
  16430. pattern: ^[-._a-zA-Z0-9]+$
  16431. type: string
  16432. name:
  16433. description: The name of the Secret resource being referred to.
  16434. maxLength: 253
  16435. minLength: 1
  16436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16437. type: string
  16438. namespace:
  16439. description: |-
  16440. The namespace of the Secret resource being referred to.
  16441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16442. maxLength: 63
  16443. minLength: 1
  16444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16445. type: string
  16446. type: object
  16447. required:
  16448. - credentials
  16449. type: object
  16450. required:
  16451. - secretRef
  16452. type: object
  16453. bitwardenServerSDKURL:
  16454. type: string
  16455. caBundle:
  16456. description: |-
  16457. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  16458. can be performed.
  16459. type: string
  16460. caProvider:
  16461. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16462. properties:
  16463. key:
  16464. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16465. maxLength: 253
  16466. minLength: 1
  16467. pattern: ^[-._a-zA-Z0-9]+$
  16468. type: string
  16469. name:
  16470. description: The name of the object located at the provider type.
  16471. maxLength: 253
  16472. minLength: 1
  16473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16474. type: string
  16475. namespace:
  16476. description: |-
  16477. The namespace the Provider type is in.
  16478. Can only be defined when used in a ClusterSecretStore.
  16479. maxLength: 63
  16480. minLength: 1
  16481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16482. type: string
  16483. type:
  16484. description: The type of provider to use such as "Secret", or "ConfigMap".
  16485. enum:
  16486. - Secret
  16487. - ConfigMap
  16488. type: string
  16489. required:
  16490. - name
  16491. - type
  16492. type: object
  16493. identityURL:
  16494. type: string
  16495. organizationID:
  16496. description: OrganizationID determines which organization this secret store manages.
  16497. type: string
  16498. projectID:
  16499. description: ProjectID determines which project this secret store manages.
  16500. type: string
  16501. required:
  16502. - auth
  16503. - organizationID
  16504. - projectID
  16505. type: object
  16506. chef:
  16507. description: Chef configures this store to sync secrets with chef server
  16508. properties:
  16509. auth:
  16510. description: Auth defines the information necessary to authenticate against chef Server
  16511. properties:
  16512. secretRef:
  16513. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16514. properties:
  16515. privateKeySecretRef:
  16516. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16517. properties:
  16518. key:
  16519. description: |-
  16520. A key in the referenced Secret.
  16521. Some instances of this field may be defaulted, in others it may be required.
  16522. maxLength: 253
  16523. minLength: 1
  16524. pattern: ^[-._a-zA-Z0-9]+$
  16525. type: string
  16526. name:
  16527. description: The name of the Secret resource being referred to.
  16528. maxLength: 253
  16529. minLength: 1
  16530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16531. type: string
  16532. namespace:
  16533. description: |-
  16534. The namespace of the Secret resource being referred to.
  16535. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16536. maxLength: 63
  16537. minLength: 1
  16538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16539. type: string
  16540. type: object
  16541. required:
  16542. - privateKeySecretRef
  16543. type: object
  16544. required:
  16545. - secretRef
  16546. type: object
  16547. serverUrl:
  16548. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  16549. type: string
  16550. username:
  16551. description: UserName should be the user ID on the chef server
  16552. type: string
  16553. required:
  16554. - auth
  16555. - serverUrl
  16556. - username
  16557. type: object
  16558. cloudrusm:
  16559. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16560. properties:
  16561. auth:
  16562. description: CSMAuth contains a secretRef for credentials.
  16563. properties:
  16564. secretRef:
  16565. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16566. properties:
  16567. accessKeyIDSecretRef:
  16568. description: The AccessKeyID is used for authentication
  16569. properties:
  16570. key:
  16571. description: |-
  16572. A key in the referenced Secret.
  16573. Some instances of this field may be defaulted, in others it may be required.
  16574. maxLength: 253
  16575. minLength: 1
  16576. pattern: ^[-._a-zA-Z0-9]+$
  16577. type: string
  16578. name:
  16579. description: The name of the Secret resource being referred to.
  16580. maxLength: 253
  16581. minLength: 1
  16582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16583. type: string
  16584. namespace:
  16585. description: |-
  16586. The namespace of the Secret resource being referred to.
  16587. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16588. maxLength: 63
  16589. minLength: 1
  16590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16591. type: string
  16592. type: object
  16593. accessKeySecretSecretRef:
  16594. description: The AccessKeySecret is used for authentication
  16595. properties:
  16596. key:
  16597. description: |-
  16598. A key in the referenced Secret.
  16599. Some instances of this field may be defaulted, in others it may be required.
  16600. maxLength: 253
  16601. minLength: 1
  16602. pattern: ^[-._a-zA-Z0-9]+$
  16603. type: string
  16604. name:
  16605. description: The name of the Secret resource being referred to.
  16606. maxLength: 253
  16607. minLength: 1
  16608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16609. type: string
  16610. namespace:
  16611. description: |-
  16612. The namespace of the Secret resource being referred to.
  16613. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16614. maxLength: 63
  16615. minLength: 1
  16616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16617. type: string
  16618. type: object
  16619. required:
  16620. - accessKeyIDSecretRef
  16621. - accessKeySecretSecretRef
  16622. type: object
  16623. type: object
  16624. projectID:
  16625. description: ProjectID is the project, which the secrets are stored in.
  16626. type: string
  16627. required:
  16628. - auth
  16629. type: object
  16630. conjur:
  16631. description: Conjur configures this store to sync secrets using conjur provider
  16632. properties:
  16633. auth:
  16634. description: Defines authentication settings for connecting to Conjur.
  16635. properties:
  16636. apikey:
  16637. description: Authenticates with Conjur using an API key.
  16638. properties:
  16639. account:
  16640. description: Account is the Conjur organization account name.
  16641. type: string
  16642. apiKeyRef:
  16643. description: |-
  16644. A reference to a specific 'key' containing the Conjur API key
  16645. within a Secret resource. In some instances, `key` is a required field.
  16646. properties:
  16647. key:
  16648. description: |-
  16649. A key in the referenced Secret.
  16650. Some instances of this field may be defaulted, in others it may be required.
  16651. maxLength: 253
  16652. minLength: 1
  16653. pattern: ^[-._a-zA-Z0-9]+$
  16654. type: string
  16655. name:
  16656. description: The name of the Secret resource being referred to.
  16657. maxLength: 253
  16658. minLength: 1
  16659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16660. type: string
  16661. namespace:
  16662. description: |-
  16663. The namespace of the Secret resource being referred to.
  16664. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16665. maxLength: 63
  16666. minLength: 1
  16667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16668. type: string
  16669. type: object
  16670. userRef:
  16671. description: |-
  16672. A reference to a specific 'key' containing the Conjur username
  16673. within a Secret resource. In some instances, `key` is a required field.
  16674. properties:
  16675. key:
  16676. description: |-
  16677. A key in the referenced Secret.
  16678. Some instances of this field may be defaulted, in others it may be required.
  16679. maxLength: 253
  16680. minLength: 1
  16681. pattern: ^[-._a-zA-Z0-9]+$
  16682. type: string
  16683. name:
  16684. description: The name of the Secret resource being referred to.
  16685. maxLength: 253
  16686. minLength: 1
  16687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16688. type: string
  16689. namespace:
  16690. description: |-
  16691. The namespace of the Secret resource being referred to.
  16692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16693. maxLength: 63
  16694. minLength: 1
  16695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16696. type: string
  16697. type: object
  16698. required:
  16699. - account
  16700. - apiKeyRef
  16701. - userRef
  16702. type: object
  16703. jwt:
  16704. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16705. properties:
  16706. account:
  16707. description: Account is the Conjur organization account name.
  16708. type: string
  16709. hostId:
  16710. description: |-
  16711. Optional HostID for JWT authentication. This may be used depending
  16712. on how the Conjur JWT authenticator policy is configured.
  16713. type: string
  16714. secretRef:
  16715. description: |-
  16716. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16717. authenticate with Conjur using the JWT authentication method.
  16718. properties:
  16719. key:
  16720. description: |-
  16721. A key in the referenced Secret.
  16722. Some instances of this field may be defaulted, in others it may be required.
  16723. maxLength: 253
  16724. minLength: 1
  16725. pattern: ^[-._a-zA-Z0-9]+$
  16726. type: string
  16727. name:
  16728. description: The name of the Secret resource being referred to.
  16729. maxLength: 253
  16730. minLength: 1
  16731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16732. type: string
  16733. namespace:
  16734. description: |-
  16735. The namespace of the Secret resource being referred to.
  16736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16737. maxLength: 63
  16738. minLength: 1
  16739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16740. type: string
  16741. type: object
  16742. serviceAccountRef:
  16743. description: |-
  16744. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16745. a token for with the `TokenRequest` API.
  16746. properties:
  16747. audiences:
  16748. description: |-
  16749. Audience specifies the `aud` claim for the service account token
  16750. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16751. then this audiences will be appended to the list
  16752. items:
  16753. type: string
  16754. type: array
  16755. name:
  16756. description: The name of the ServiceAccount resource being referred to.
  16757. maxLength: 253
  16758. minLength: 1
  16759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16760. type: string
  16761. namespace:
  16762. description: |-
  16763. Namespace of the resource being referred to.
  16764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16765. maxLength: 63
  16766. minLength: 1
  16767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16768. type: string
  16769. required:
  16770. - name
  16771. type: object
  16772. serviceID:
  16773. description: The conjur authn jwt webservice id
  16774. type: string
  16775. required:
  16776. - account
  16777. - serviceID
  16778. type: object
  16779. type: object
  16780. caBundle:
  16781. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16782. type: string
  16783. caProvider:
  16784. description: |-
  16785. Used to provide custom certificate authority (CA) certificates
  16786. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16787. that contains a PEM-encoded certificate.
  16788. properties:
  16789. key:
  16790. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16791. maxLength: 253
  16792. minLength: 1
  16793. pattern: ^[-._a-zA-Z0-9]+$
  16794. type: string
  16795. name:
  16796. description: The name of the object located at the provider type.
  16797. maxLength: 253
  16798. minLength: 1
  16799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16800. type: string
  16801. namespace:
  16802. description: |-
  16803. The namespace the Provider type is in.
  16804. Can only be defined when used in a ClusterSecretStore.
  16805. maxLength: 63
  16806. minLength: 1
  16807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16808. type: string
  16809. type:
  16810. description: The type of provider to use such as "Secret", or "ConfigMap".
  16811. enum:
  16812. - Secret
  16813. - ConfigMap
  16814. type: string
  16815. required:
  16816. - name
  16817. - type
  16818. type: object
  16819. url:
  16820. description: URL is the endpoint of the Conjur instance.
  16821. type: string
  16822. required:
  16823. - auth
  16824. - url
  16825. type: object
  16826. delinea:
  16827. description: |-
  16828. Delinea DevOps Secrets Vault
  16829. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16830. properties:
  16831. clientId:
  16832. description: ClientID is the non-secret part of the credential.
  16833. properties:
  16834. secretRef:
  16835. description: SecretRef references a key in a secret that will be used as value.
  16836. properties:
  16837. key:
  16838. description: |-
  16839. A key in the referenced Secret.
  16840. Some instances of this field may be defaulted, in others it may be required.
  16841. maxLength: 253
  16842. minLength: 1
  16843. pattern: ^[-._a-zA-Z0-9]+$
  16844. type: string
  16845. name:
  16846. description: The name of the Secret resource being referred to.
  16847. maxLength: 253
  16848. minLength: 1
  16849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16850. type: string
  16851. namespace:
  16852. description: |-
  16853. The namespace of the Secret resource being referred to.
  16854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16855. maxLength: 63
  16856. minLength: 1
  16857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16858. type: string
  16859. type: object
  16860. value:
  16861. description: Value can be specified directly to set a value without using a secret.
  16862. type: string
  16863. type: object
  16864. clientSecret:
  16865. description: ClientSecret is the secret part of the credential.
  16866. properties:
  16867. secretRef:
  16868. description: SecretRef references a key in a secret that will be used as value.
  16869. properties:
  16870. key:
  16871. description: |-
  16872. A key in the referenced Secret.
  16873. Some instances of this field may be defaulted, in others it may be required.
  16874. maxLength: 253
  16875. minLength: 1
  16876. pattern: ^[-._a-zA-Z0-9]+$
  16877. type: string
  16878. name:
  16879. description: The name of the Secret resource being referred to.
  16880. maxLength: 253
  16881. minLength: 1
  16882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16883. type: string
  16884. namespace:
  16885. description: |-
  16886. The namespace of the Secret resource being referred to.
  16887. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16888. maxLength: 63
  16889. minLength: 1
  16890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16891. type: string
  16892. type: object
  16893. value:
  16894. description: Value can be specified directly to set a value without using a secret.
  16895. type: string
  16896. type: object
  16897. tenant:
  16898. description: Tenant is the chosen hostname / site name.
  16899. type: string
  16900. tld:
  16901. description: |-
  16902. TLD is based on the server location that was chosen during provisioning.
  16903. If unset, defaults to "com".
  16904. type: string
  16905. urlTemplate:
  16906. description: |-
  16907. URLTemplate
  16908. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16909. type: string
  16910. required:
  16911. - clientId
  16912. - clientSecret
  16913. - tenant
  16914. type: object
  16915. doppler:
  16916. description: Doppler configures this store to sync secrets using the Doppler provider
  16917. properties:
  16918. auth:
  16919. description: Auth configures how the Operator authenticates with the Doppler API
  16920. properties:
  16921. oidcConfig:
  16922. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16923. properties:
  16924. expirationSeconds:
  16925. default: 600
  16926. description: |-
  16927. ExpirationSeconds sets the ServiceAccount token validity duration.
  16928. Defaults to 10 minutes.
  16929. format: int64
  16930. type: integer
  16931. identity:
  16932. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16933. type: string
  16934. serviceAccountRef:
  16935. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16936. properties:
  16937. audiences:
  16938. description: |-
  16939. Audience specifies the `aud` claim for the service account token
  16940. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16941. then this audiences will be appended to the list
  16942. items:
  16943. type: string
  16944. type: array
  16945. name:
  16946. description: The name of the ServiceAccount resource being referred to.
  16947. maxLength: 253
  16948. minLength: 1
  16949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16950. type: string
  16951. namespace:
  16952. description: |-
  16953. Namespace of the resource being referred to.
  16954. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16955. maxLength: 63
  16956. minLength: 1
  16957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16958. type: string
  16959. required:
  16960. - name
  16961. type: object
  16962. required:
  16963. - identity
  16964. - serviceAccountRef
  16965. type: object
  16966. secretRef:
  16967. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16968. properties:
  16969. dopplerToken:
  16970. description: |-
  16971. The DopplerToken is used for authentication.
  16972. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16973. The Key attribute defaults to dopplerToken if not specified.
  16974. properties:
  16975. key:
  16976. description: |-
  16977. A key in the referenced Secret.
  16978. Some instances of this field may be defaulted, in others it may be required.
  16979. maxLength: 253
  16980. minLength: 1
  16981. pattern: ^[-._a-zA-Z0-9]+$
  16982. type: string
  16983. name:
  16984. description: The name of the Secret resource being referred to.
  16985. maxLength: 253
  16986. minLength: 1
  16987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16988. type: string
  16989. namespace:
  16990. description: |-
  16991. The namespace of the Secret resource being referred to.
  16992. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16993. maxLength: 63
  16994. minLength: 1
  16995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16996. type: string
  16997. type: object
  16998. required:
  16999. - dopplerToken
  17000. type: object
  17001. type: object
  17002. x-kubernetes-validations:
  17003. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  17004. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  17005. config:
  17006. description: Doppler config (required if not using a Service Token)
  17007. type: string
  17008. format:
  17009. description: Format enables the downloading of secrets as a file (string)
  17010. enum:
  17011. - json
  17012. - dotnet-json
  17013. - env
  17014. - yaml
  17015. - docker
  17016. type: string
  17017. nameTransformer:
  17018. description: Environment variable compatible name transforms that change secret names to a different format
  17019. enum:
  17020. - upper-camel
  17021. - camel
  17022. - lower-snake
  17023. - tf-var
  17024. - dotnet-env
  17025. - lower-kebab
  17026. type: string
  17027. project:
  17028. description: Doppler project (required if not using a Service Token)
  17029. type: string
  17030. required:
  17031. - auth
  17032. type: object
  17033. dvls:
  17034. description: DVLS configures this store to sync secrets using Devolutions Server provider
  17035. properties:
  17036. auth:
  17037. description: Auth defines the authentication method to use.
  17038. properties:
  17039. secretRef:
  17040. description: SecretRef contains the Application ID and Application Secret for authentication.
  17041. properties:
  17042. appId:
  17043. description: AppID is the reference to the secret containing the Application ID.
  17044. properties:
  17045. key:
  17046. description: |-
  17047. A key in the referenced Secret.
  17048. Some instances of this field may be defaulted, in others it may be required.
  17049. maxLength: 253
  17050. minLength: 1
  17051. pattern: ^[-._a-zA-Z0-9]+$
  17052. type: string
  17053. name:
  17054. description: The name of the Secret resource being referred to.
  17055. maxLength: 253
  17056. minLength: 1
  17057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17058. type: string
  17059. namespace:
  17060. description: |-
  17061. The namespace of the Secret resource being referred to.
  17062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17063. maxLength: 63
  17064. minLength: 1
  17065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17066. type: string
  17067. type: object
  17068. appSecret:
  17069. description: AppSecret is the reference to the secret containing the Application Secret.
  17070. properties:
  17071. key:
  17072. description: |-
  17073. A key in the referenced Secret.
  17074. Some instances of this field may be defaulted, in others it may be required.
  17075. maxLength: 253
  17076. minLength: 1
  17077. pattern: ^[-._a-zA-Z0-9]+$
  17078. type: string
  17079. name:
  17080. description: The name of the Secret resource being referred to.
  17081. maxLength: 253
  17082. minLength: 1
  17083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17084. type: string
  17085. namespace:
  17086. description: |-
  17087. The namespace of the Secret resource being referred to.
  17088. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17089. maxLength: 63
  17090. minLength: 1
  17091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17092. type: string
  17093. type: object
  17094. required:
  17095. - appId
  17096. - appSecret
  17097. type: object
  17098. required:
  17099. - secretRef
  17100. type: object
  17101. insecure:
  17102. description: |-
  17103. Insecure allows connecting to DVLS over plain HTTP.
  17104. This is NOT RECOMMENDED for production use.
  17105. Set to true only if you understand the security implications.
  17106. type: boolean
  17107. serverUrl:
  17108. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  17109. type: string
  17110. vault:
  17111. description: |-
  17112. Vault is the name or UUID of the vault to fetch secrets from.
  17113. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  17114. type: string
  17115. required:
  17116. - auth
  17117. - serverUrl
  17118. type: object
  17119. fake:
  17120. description: Fake configures a store with static key/value pairs
  17121. properties:
  17122. data:
  17123. items:
  17124. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  17125. properties:
  17126. key:
  17127. type: string
  17128. value:
  17129. type: string
  17130. version:
  17131. type: string
  17132. required:
  17133. - key
  17134. - value
  17135. type: object
  17136. type: array
  17137. validationResult:
  17138. description: ValidationResult is defined type for the number of validation results.
  17139. type: integer
  17140. required:
  17141. - data
  17142. type: object
  17143. fortanix:
  17144. description: Fortanix configures this store to sync secrets using the Fortanix provider
  17145. properties:
  17146. apiKey:
  17147. description: APIKey is the API token to access SDKMS Applications.
  17148. properties:
  17149. secretRef:
  17150. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  17151. properties:
  17152. key:
  17153. description: |-
  17154. A key in the referenced Secret.
  17155. Some instances of this field may be defaulted, in others it may be required.
  17156. maxLength: 253
  17157. minLength: 1
  17158. pattern: ^[-._a-zA-Z0-9]+$
  17159. type: string
  17160. name:
  17161. description: The name of the Secret resource being referred to.
  17162. maxLength: 253
  17163. minLength: 1
  17164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17165. type: string
  17166. namespace:
  17167. description: |-
  17168. The namespace of the Secret resource being referred to.
  17169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17170. maxLength: 63
  17171. minLength: 1
  17172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17173. type: string
  17174. type: object
  17175. type: object
  17176. apiUrl:
  17177. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  17178. type: string
  17179. type: object
  17180. gcpsm:
  17181. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  17182. properties:
  17183. auth:
  17184. description: Auth defines the information necessary to authenticate against GCP
  17185. properties:
  17186. secretRef:
  17187. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  17188. properties:
  17189. secretAccessKeySecretRef:
  17190. description: The SecretAccessKey is used for authentication
  17191. properties:
  17192. key:
  17193. description: |-
  17194. A key in the referenced Secret.
  17195. Some instances of this field may be defaulted, in others it may be required.
  17196. maxLength: 253
  17197. minLength: 1
  17198. pattern: ^[-._a-zA-Z0-9]+$
  17199. type: string
  17200. name:
  17201. description: The name of the Secret resource being referred to.
  17202. maxLength: 253
  17203. minLength: 1
  17204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17205. type: string
  17206. namespace:
  17207. description: |-
  17208. The namespace of the Secret resource being referred to.
  17209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17210. maxLength: 63
  17211. minLength: 1
  17212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17213. type: string
  17214. type: object
  17215. type: object
  17216. workloadIdentity:
  17217. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  17218. properties:
  17219. clusterLocation:
  17220. description: |-
  17221. ClusterLocation is the location of the cluster
  17222. If not specified, it fetches information from the metadata server
  17223. type: string
  17224. clusterName:
  17225. description: |-
  17226. ClusterName is the name of the cluster
  17227. If not specified, it fetches information from the metadata server
  17228. type: string
  17229. clusterProjectID:
  17230. description: |-
  17231. ClusterProjectID is the project ID of the cluster
  17232. If not specified, it fetches information from the metadata server
  17233. type: string
  17234. serviceAccountRef:
  17235. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  17236. properties:
  17237. audiences:
  17238. description: |-
  17239. Audience specifies the `aud` claim for the service account token
  17240. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17241. then this audiences will be appended to the list
  17242. items:
  17243. type: string
  17244. type: array
  17245. name:
  17246. description: The name of the ServiceAccount resource being referred to.
  17247. maxLength: 253
  17248. minLength: 1
  17249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17250. type: string
  17251. namespace:
  17252. description: |-
  17253. Namespace of the resource being referred to.
  17254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17255. maxLength: 63
  17256. minLength: 1
  17257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17258. type: string
  17259. required:
  17260. - name
  17261. type: object
  17262. required:
  17263. - serviceAccountRef
  17264. type: object
  17265. workloadIdentityFederation:
  17266. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  17267. properties:
  17268. audience:
  17269. description: |-
  17270. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  17271. If specified, Audience found in the external account credential config will be overridden with the configured value.
  17272. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  17273. type: string
  17274. awsSecurityCredentials:
  17275. description: |-
  17276. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  17277. when using the AWS metadata server is not an option.
  17278. properties:
  17279. awsCredentialsSecretRef:
  17280. description: |-
  17281. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  17282. Secret should be created with below names for keys
  17283. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  17284. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  17285. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  17286. properties:
  17287. name:
  17288. description: name of the secret.
  17289. maxLength: 253
  17290. minLength: 1
  17291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17292. type: string
  17293. namespace:
  17294. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  17295. maxLength: 63
  17296. minLength: 1
  17297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17298. type: string
  17299. required:
  17300. - name
  17301. type: object
  17302. region:
  17303. description: region is for configuring the AWS region to be used.
  17304. example: ap-south-1
  17305. maxLength: 50
  17306. minLength: 1
  17307. pattern: ^[a-z0-9-]+$
  17308. type: string
  17309. required:
  17310. - awsCredentialsSecretRef
  17311. - region
  17312. type: object
  17313. credConfig:
  17314. description: |-
  17315. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  17316. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  17317. serviceAccountRef must be used by providing operators service account details.
  17318. properties:
  17319. key:
  17320. description: key name holding the external account credential config.
  17321. maxLength: 253
  17322. minLength: 1
  17323. pattern: ^[-._a-zA-Z0-9]+$
  17324. type: string
  17325. name:
  17326. description: name of the configmap.
  17327. maxLength: 253
  17328. minLength: 1
  17329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17330. type: string
  17331. namespace:
  17332. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  17333. maxLength: 63
  17334. minLength: 1
  17335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17336. type: string
  17337. required:
  17338. - key
  17339. - name
  17340. type: object
  17341. externalTokenEndpoint:
  17342. description: |-
  17343. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  17344. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  17345. URL is having the expected value.
  17346. type: string
  17347. gcpServiceAccountEmail:
  17348. description: |-
  17349. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  17350. after Workload Identity Federation. Use this to grant access through the service account's
  17351. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  17352. service_account_impersonation_url in the external account JSON from credConfig;
  17353. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  17354. on that ServiceAccount.
  17355. example: my-gsa@my-project.iam.gserviceaccount.com
  17356. minLength: 1
  17357. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  17358. type: string
  17359. serviceAccountRef:
  17360. description: |-
  17361. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  17362. when Kubernetes is configured as provider in workload identity pool.
  17363. properties:
  17364. audiences:
  17365. description: |-
  17366. Audience specifies the `aud` claim for the service account token
  17367. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17368. then this audiences will be appended to the list
  17369. items:
  17370. type: string
  17371. type: array
  17372. name:
  17373. description: The name of the ServiceAccount resource being referred to.
  17374. maxLength: 253
  17375. minLength: 1
  17376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17377. type: string
  17378. namespace:
  17379. description: |-
  17380. Namespace of the resource being referred to.
  17381. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17382. maxLength: 63
  17383. minLength: 1
  17384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17385. type: string
  17386. required:
  17387. - name
  17388. type: object
  17389. type: object
  17390. type: object
  17391. location:
  17392. description: Location optionally defines a location for a secret
  17393. type: string
  17394. projectID:
  17395. description: ProjectID project where secret is located
  17396. type: string
  17397. secretVersionSelectionPolicy:
  17398. default: LatestOrFail
  17399. description: |-
  17400. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  17401. when "latest" is disabled or destroyed.
  17402. Possible values are:
  17403. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  17404. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  17405. type: string
  17406. type: object
  17407. github:
  17408. description: |-
  17409. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  17410. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  17411. properties:
  17412. appID:
  17413. description: appID specifies the Github APP that will be used to authenticate the client
  17414. type: integer
  17415. auth:
  17416. description: auth configures how secret-manager authenticates with a Github instance.
  17417. properties:
  17418. privateKey:
  17419. description: |-
  17420. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17421. In some instances, `key` is a required field.
  17422. properties:
  17423. key:
  17424. description: |-
  17425. A key in the referenced Secret.
  17426. Some instances of this field may be defaulted, in others it may be required.
  17427. maxLength: 253
  17428. minLength: 1
  17429. pattern: ^[-._a-zA-Z0-9]+$
  17430. type: string
  17431. name:
  17432. description: The name of the Secret resource being referred to.
  17433. maxLength: 253
  17434. minLength: 1
  17435. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17436. type: string
  17437. namespace:
  17438. description: |-
  17439. The namespace of the Secret resource being referred to.
  17440. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17441. maxLength: 63
  17442. minLength: 1
  17443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17444. type: string
  17445. type: object
  17446. required:
  17447. - privateKey
  17448. type: object
  17449. environment:
  17450. description: environment will be used to fetch secrets from a particular environment within a github repository
  17451. type: string
  17452. installationID:
  17453. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17454. type: integer
  17455. orgSecretVisibility:
  17456. description: |-
  17457. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  17458. Valid values are "all" or "private".
  17459. When unset, new secrets are created with visibility "all" and existing secrets preserve
  17460. whatever visibility they already have in GitHub.
  17461. enum:
  17462. - all
  17463. - private
  17464. type: string
  17465. organization:
  17466. description: organization will be used to fetch secrets from the Github organization
  17467. type: string
  17468. repository:
  17469. description: repository will be used to fetch secrets from the Github repository within an organization
  17470. type: string
  17471. uploadURL:
  17472. description: Upload URL for enterprise instances. Default to URL.
  17473. type: string
  17474. url:
  17475. default: https://github.com/
  17476. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17477. type: string
  17478. required:
  17479. - appID
  17480. - auth
  17481. - installationID
  17482. - organization
  17483. type: object
  17484. gitlab:
  17485. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17486. properties:
  17487. auth:
  17488. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17489. properties:
  17490. SecretRef:
  17491. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17492. properties:
  17493. accessToken:
  17494. description: AccessToken is used for authentication.
  17495. properties:
  17496. key:
  17497. description: |-
  17498. A key in the referenced Secret.
  17499. Some instances of this field may be defaulted, in others it may be required.
  17500. maxLength: 253
  17501. minLength: 1
  17502. pattern: ^[-._a-zA-Z0-9]+$
  17503. type: string
  17504. name:
  17505. description: The name of the Secret resource being referred to.
  17506. maxLength: 253
  17507. minLength: 1
  17508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17509. type: string
  17510. namespace:
  17511. description: |-
  17512. The namespace of the Secret resource being referred to.
  17513. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17514. maxLength: 63
  17515. minLength: 1
  17516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17517. type: string
  17518. type: object
  17519. type: object
  17520. required:
  17521. - SecretRef
  17522. type: object
  17523. caBundle:
  17524. description: |-
  17525. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17526. can be performed.
  17527. format: byte
  17528. type: string
  17529. caProvider:
  17530. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17531. properties:
  17532. key:
  17533. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17534. maxLength: 253
  17535. minLength: 1
  17536. pattern: ^[-._a-zA-Z0-9]+$
  17537. type: string
  17538. name:
  17539. description: The name of the object located at the provider type.
  17540. maxLength: 253
  17541. minLength: 1
  17542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17543. type: string
  17544. namespace:
  17545. description: |-
  17546. The namespace the Provider type is in.
  17547. Can only be defined when used in a ClusterSecretStore.
  17548. maxLength: 63
  17549. minLength: 1
  17550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17551. type: string
  17552. type:
  17553. description: The type of provider to use such as "Secret", or "ConfigMap".
  17554. enum:
  17555. - Secret
  17556. - ConfigMap
  17557. type: string
  17558. required:
  17559. - name
  17560. - type
  17561. type: object
  17562. environment:
  17563. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  17564. type: string
  17565. groupIDs:
  17566. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  17567. items:
  17568. type: string
  17569. type: array
  17570. inheritFromGroups:
  17571. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17572. type: boolean
  17573. projectID:
  17574. description: ProjectID specifies a project where secrets are located.
  17575. type: string
  17576. url:
  17577. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17578. type: string
  17579. required:
  17580. - auth
  17581. type: object
  17582. ibm:
  17583. description: IBM configures this store to sync secrets using IBM Cloud provider
  17584. properties:
  17585. auth:
  17586. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17587. maxProperties: 1
  17588. minProperties: 1
  17589. properties:
  17590. containerAuth:
  17591. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17592. properties:
  17593. iamEndpoint:
  17594. type: string
  17595. profile:
  17596. description: the IBM Trusted Profile
  17597. type: string
  17598. tokenLocation:
  17599. description: Location the token is mounted on the pod
  17600. type: string
  17601. required:
  17602. - profile
  17603. type: object
  17604. secretRef:
  17605. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17606. properties:
  17607. iamEndpoint:
  17608. description: The IAM endpoint used to obain a token
  17609. type: string
  17610. secretApiKeySecretRef:
  17611. description: The SecretAccessKey is used for authentication
  17612. properties:
  17613. key:
  17614. description: |-
  17615. A key in the referenced Secret.
  17616. Some instances of this field may be defaulted, in others it may be required.
  17617. maxLength: 253
  17618. minLength: 1
  17619. pattern: ^[-._a-zA-Z0-9]+$
  17620. type: string
  17621. name:
  17622. description: The name of the Secret resource being referred to.
  17623. maxLength: 253
  17624. minLength: 1
  17625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17626. type: string
  17627. namespace:
  17628. description: |-
  17629. The namespace of the Secret resource being referred to.
  17630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17631. maxLength: 63
  17632. minLength: 1
  17633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17634. type: string
  17635. type: object
  17636. type: object
  17637. type: object
  17638. serviceUrl:
  17639. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17640. type: string
  17641. required:
  17642. - auth
  17643. type: object
  17644. infisical:
  17645. description: Infisical configures this store to sync secrets using the Infisical provider
  17646. properties:
  17647. auth:
  17648. description: Auth configures how the Operator authenticates with the Infisical API
  17649. properties:
  17650. awsAuthCredentials:
  17651. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17652. properties:
  17653. identityId:
  17654. description: |-
  17655. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17656. In some instances, `key` is a required field.
  17657. properties:
  17658. key:
  17659. description: |-
  17660. A key in the referenced Secret.
  17661. Some instances of this field may be defaulted, in others it may be required.
  17662. maxLength: 253
  17663. minLength: 1
  17664. pattern: ^[-._a-zA-Z0-9]+$
  17665. type: string
  17666. name:
  17667. description: The name of the Secret resource being referred to.
  17668. maxLength: 253
  17669. minLength: 1
  17670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17671. type: string
  17672. namespace:
  17673. description: |-
  17674. The namespace of the Secret resource being referred to.
  17675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17676. maxLength: 63
  17677. minLength: 1
  17678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17679. type: string
  17680. type: object
  17681. required:
  17682. - identityId
  17683. type: object
  17684. azureAuthCredentials:
  17685. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17686. properties:
  17687. identityId:
  17688. description: |-
  17689. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17690. In some instances, `key` is a required field.
  17691. properties:
  17692. key:
  17693. description: |-
  17694. A key in the referenced Secret.
  17695. Some instances of this field may be defaulted, in others it may be required.
  17696. maxLength: 253
  17697. minLength: 1
  17698. pattern: ^[-._a-zA-Z0-9]+$
  17699. type: string
  17700. name:
  17701. description: The name of the Secret resource being referred to.
  17702. maxLength: 253
  17703. minLength: 1
  17704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17705. type: string
  17706. namespace:
  17707. description: |-
  17708. The namespace of the Secret resource being referred to.
  17709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17710. maxLength: 63
  17711. minLength: 1
  17712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17713. type: string
  17714. type: object
  17715. resource:
  17716. description: |-
  17717. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17718. In some instances, `key` is a required field.
  17719. properties:
  17720. key:
  17721. description: |-
  17722. A key in the referenced Secret.
  17723. Some instances of this field may be defaulted, in others it may be required.
  17724. maxLength: 253
  17725. minLength: 1
  17726. pattern: ^[-._a-zA-Z0-9]+$
  17727. type: string
  17728. name:
  17729. description: The name of the Secret resource being referred to.
  17730. maxLength: 253
  17731. minLength: 1
  17732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17733. type: string
  17734. namespace:
  17735. description: |-
  17736. The namespace of the Secret resource being referred to.
  17737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17738. maxLength: 63
  17739. minLength: 1
  17740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17741. type: string
  17742. type: object
  17743. required:
  17744. - identityId
  17745. type: object
  17746. gcpIamAuthCredentials:
  17747. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17748. properties:
  17749. identityId:
  17750. description: |-
  17751. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17752. In some instances, `key` is a required field.
  17753. properties:
  17754. key:
  17755. description: |-
  17756. A key in the referenced Secret.
  17757. Some instances of this field may be defaulted, in others it may be required.
  17758. maxLength: 253
  17759. minLength: 1
  17760. pattern: ^[-._a-zA-Z0-9]+$
  17761. type: string
  17762. name:
  17763. description: The name of the Secret resource being referred to.
  17764. maxLength: 253
  17765. minLength: 1
  17766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17767. type: string
  17768. namespace:
  17769. description: |-
  17770. The namespace of the Secret resource being referred to.
  17771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17772. maxLength: 63
  17773. minLength: 1
  17774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17775. type: string
  17776. type: object
  17777. serviceAccountKeyFilePath:
  17778. description: |-
  17779. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17780. In some instances, `key` is a required field.
  17781. properties:
  17782. key:
  17783. description: |-
  17784. A key in the referenced Secret.
  17785. Some instances of this field may be defaulted, in others it may be required.
  17786. maxLength: 253
  17787. minLength: 1
  17788. pattern: ^[-._a-zA-Z0-9]+$
  17789. type: string
  17790. name:
  17791. description: The name of the Secret resource being referred to.
  17792. maxLength: 253
  17793. minLength: 1
  17794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17795. type: string
  17796. namespace:
  17797. description: |-
  17798. The namespace of the Secret resource being referred to.
  17799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17800. maxLength: 63
  17801. minLength: 1
  17802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17803. type: string
  17804. type: object
  17805. required:
  17806. - identityId
  17807. - serviceAccountKeyFilePath
  17808. type: object
  17809. gcpIdTokenAuthCredentials:
  17810. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17811. properties:
  17812. identityId:
  17813. description: |-
  17814. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17815. In some instances, `key` is a required field.
  17816. properties:
  17817. key:
  17818. description: |-
  17819. A key in the referenced Secret.
  17820. Some instances of this field may be defaulted, in others it may be required.
  17821. maxLength: 253
  17822. minLength: 1
  17823. pattern: ^[-._a-zA-Z0-9]+$
  17824. type: string
  17825. name:
  17826. description: The name of the Secret resource being referred to.
  17827. maxLength: 253
  17828. minLength: 1
  17829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17830. type: string
  17831. namespace:
  17832. description: |-
  17833. The namespace of the Secret resource being referred to.
  17834. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17835. maxLength: 63
  17836. minLength: 1
  17837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17838. type: string
  17839. type: object
  17840. required:
  17841. - identityId
  17842. type: object
  17843. jwtAuthCredentials:
  17844. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17845. properties:
  17846. identityId:
  17847. description: |-
  17848. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17849. In some instances, `key` is a required field.
  17850. properties:
  17851. key:
  17852. description: |-
  17853. A key in the referenced Secret.
  17854. Some instances of this field may be defaulted, in others it may be required.
  17855. maxLength: 253
  17856. minLength: 1
  17857. pattern: ^[-._a-zA-Z0-9]+$
  17858. type: string
  17859. name:
  17860. description: The name of the Secret resource being referred to.
  17861. maxLength: 253
  17862. minLength: 1
  17863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17864. type: string
  17865. namespace:
  17866. description: |-
  17867. The namespace of the Secret resource being referred to.
  17868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17869. maxLength: 63
  17870. minLength: 1
  17871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17872. type: string
  17873. type: object
  17874. jwt:
  17875. description: |-
  17876. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17877. In some instances, `key` is a required field.
  17878. properties:
  17879. key:
  17880. description: |-
  17881. A key in the referenced Secret.
  17882. Some instances of this field may be defaulted, in others it may be required.
  17883. maxLength: 253
  17884. minLength: 1
  17885. pattern: ^[-._a-zA-Z0-9]+$
  17886. type: string
  17887. name:
  17888. description: The name of the Secret resource being referred to.
  17889. maxLength: 253
  17890. minLength: 1
  17891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17892. type: string
  17893. namespace:
  17894. description: |-
  17895. The namespace of the Secret resource being referred to.
  17896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17897. maxLength: 63
  17898. minLength: 1
  17899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17900. type: string
  17901. type: object
  17902. required:
  17903. - identityId
  17904. - jwt
  17905. type: object
  17906. kubernetesAuthCredentials:
  17907. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17908. properties:
  17909. identityId:
  17910. description: |-
  17911. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17912. In some instances, `key` is a required field.
  17913. properties:
  17914. key:
  17915. description: |-
  17916. A key in the referenced Secret.
  17917. Some instances of this field may be defaulted, in others it may be required.
  17918. maxLength: 253
  17919. minLength: 1
  17920. pattern: ^[-._a-zA-Z0-9]+$
  17921. type: string
  17922. name:
  17923. description: The name of the Secret resource being referred to.
  17924. maxLength: 253
  17925. minLength: 1
  17926. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17927. type: string
  17928. namespace:
  17929. description: |-
  17930. The namespace of the Secret resource being referred to.
  17931. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17932. maxLength: 63
  17933. minLength: 1
  17934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17935. type: string
  17936. type: object
  17937. serviceAccountTokenPath:
  17938. description: |-
  17939. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17940. In some instances, `key` is a required field.
  17941. properties:
  17942. key:
  17943. description: |-
  17944. A key in the referenced Secret.
  17945. Some instances of this field may be defaulted, in others it may be required.
  17946. maxLength: 253
  17947. minLength: 1
  17948. pattern: ^[-._a-zA-Z0-9]+$
  17949. type: string
  17950. name:
  17951. description: The name of the Secret resource being referred to.
  17952. maxLength: 253
  17953. minLength: 1
  17954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17955. type: string
  17956. namespace:
  17957. description: |-
  17958. The namespace of the Secret resource being referred to.
  17959. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17960. maxLength: 63
  17961. minLength: 1
  17962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17963. type: string
  17964. type: object
  17965. required:
  17966. - identityId
  17967. type: object
  17968. ldapAuthCredentials:
  17969. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17970. properties:
  17971. identityId:
  17972. description: |-
  17973. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17974. In some instances, `key` is a required field.
  17975. properties:
  17976. key:
  17977. description: |-
  17978. A key in the referenced Secret.
  17979. Some instances of this field may be defaulted, in others it may be required.
  17980. maxLength: 253
  17981. minLength: 1
  17982. pattern: ^[-._a-zA-Z0-9]+$
  17983. type: string
  17984. name:
  17985. description: The name of the Secret resource being referred to.
  17986. maxLength: 253
  17987. minLength: 1
  17988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17989. type: string
  17990. namespace:
  17991. description: |-
  17992. The namespace of the Secret resource being referred to.
  17993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17994. maxLength: 63
  17995. minLength: 1
  17996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17997. type: string
  17998. type: object
  17999. ldapPassword:
  18000. description: |-
  18001. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18002. In some instances, `key` is a required field.
  18003. properties:
  18004. key:
  18005. description: |-
  18006. A key in the referenced Secret.
  18007. Some instances of this field may be defaulted, in others it may be required.
  18008. maxLength: 253
  18009. minLength: 1
  18010. pattern: ^[-._a-zA-Z0-9]+$
  18011. type: string
  18012. name:
  18013. description: The name of the Secret resource being referred to.
  18014. maxLength: 253
  18015. minLength: 1
  18016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18017. type: string
  18018. namespace:
  18019. description: |-
  18020. The namespace of the Secret resource being referred to.
  18021. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18022. maxLength: 63
  18023. minLength: 1
  18024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18025. type: string
  18026. type: object
  18027. ldapUsername:
  18028. description: |-
  18029. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18030. In some instances, `key` is a required field.
  18031. properties:
  18032. key:
  18033. description: |-
  18034. A key in the referenced Secret.
  18035. Some instances of this field may be defaulted, in others it may be required.
  18036. maxLength: 253
  18037. minLength: 1
  18038. pattern: ^[-._a-zA-Z0-9]+$
  18039. type: string
  18040. name:
  18041. description: The name of the Secret resource being referred to.
  18042. maxLength: 253
  18043. minLength: 1
  18044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18045. type: string
  18046. namespace:
  18047. description: |-
  18048. The namespace of the Secret resource being referred to.
  18049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18050. maxLength: 63
  18051. minLength: 1
  18052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18053. type: string
  18054. type: object
  18055. required:
  18056. - identityId
  18057. - ldapPassword
  18058. - ldapUsername
  18059. type: object
  18060. ociAuthCredentials:
  18061. description: OciAuthCredentials represents the credentials for OCI authentication.
  18062. properties:
  18063. fingerprint:
  18064. description: |-
  18065. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18066. In some instances, `key` is a required field.
  18067. properties:
  18068. key:
  18069. description: |-
  18070. A key in the referenced Secret.
  18071. Some instances of this field may be defaulted, in others it may be required.
  18072. maxLength: 253
  18073. minLength: 1
  18074. pattern: ^[-._a-zA-Z0-9]+$
  18075. type: string
  18076. name:
  18077. description: The name of the Secret resource being referred to.
  18078. maxLength: 253
  18079. minLength: 1
  18080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18081. type: string
  18082. namespace:
  18083. description: |-
  18084. The namespace of the Secret resource being referred to.
  18085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18086. maxLength: 63
  18087. minLength: 1
  18088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18089. type: string
  18090. type: object
  18091. identityId:
  18092. description: |-
  18093. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18094. In some instances, `key` is a required field.
  18095. properties:
  18096. key:
  18097. description: |-
  18098. A key in the referenced Secret.
  18099. Some instances of this field may be defaulted, in others it may be required.
  18100. maxLength: 253
  18101. minLength: 1
  18102. pattern: ^[-._a-zA-Z0-9]+$
  18103. type: string
  18104. name:
  18105. description: The name of the Secret resource being referred to.
  18106. maxLength: 253
  18107. minLength: 1
  18108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18109. type: string
  18110. namespace:
  18111. description: |-
  18112. The namespace of the Secret resource being referred to.
  18113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18114. maxLength: 63
  18115. minLength: 1
  18116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18117. type: string
  18118. type: object
  18119. privateKey:
  18120. description: |-
  18121. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18122. In some instances, `key` is a required field.
  18123. properties:
  18124. key:
  18125. description: |-
  18126. A key in the referenced Secret.
  18127. Some instances of this field may be defaulted, in others it may be required.
  18128. maxLength: 253
  18129. minLength: 1
  18130. pattern: ^[-._a-zA-Z0-9]+$
  18131. type: string
  18132. name:
  18133. description: The name of the Secret resource being referred to.
  18134. maxLength: 253
  18135. minLength: 1
  18136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18137. type: string
  18138. namespace:
  18139. description: |-
  18140. The namespace of the Secret resource being referred to.
  18141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18142. maxLength: 63
  18143. minLength: 1
  18144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18145. type: string
  18146. type: object
  18147. privateKeyPassphrase:
  18148. description: |-
  18149. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18150. In some instances, `key` is a required field.
  18151. properties:
  18152. key:
  18153. description: |-
  18154. A key in the referenced Secret.
  18155. Some instances of this field may be defaulted, in others it may be required.
  18156. maxLength: 253
  18157. minLength: 1
  18158. pattern: ^[-._a-zA-Z0-9]+$
  18159. type: string
  18160. name:
  18161. description: The name of the Secret resource being referred to.
  18162. maxLength: 253
  18163. minLength: 1
  18164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18165. type: string
  18166. namespace:
  18167. description: |-
  18168. The namespace of the Secret resource being referred to.
  18169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18170. maxLength: 63
  18171. minLength: 1
  18172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18173. type: string
  18174. type: object
  18175. region:
  18176. description: |-
  18177. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18178. In some instances, `key` is a required field.
  18179. properties:
  18180. key:
  18181. description: |-
  18182. A key in the referenced Secret.
  18183. Some instances of this field may be defaulted, in others it may be required.
  18184. maxLength: 253
  18185. minLength: 1
  18186. pattern: ^[-._a-zA-Z0-9]+$
  18187. type: string
  18188. name:
  18189. description: The name of the Secret resource being referred to.
  18190. maxLength: 253
  18191. minLength: 1
  18192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18193. type: string
  18194. namespace:
  18195. description: |-
  18196. The namespace of the Secret resource being referred to.
  18197. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18198. maxLength: 63
  18199. minLength: 1
  18200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18201. type: string
  18202. type: object
  18203. tenancyId:
  18204. description: |-
  18205. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18206. In some instances, `key` is a required field.
  18207. properties:
  18208. key:
  18209. description: |-
  18210. A key in the referenced Secret.
  18211. Some instances of this field may be defaulted, in others it may be required.
  18212. maxLength: 253
  18213. minLength: 1
  18214. pattern: ^[-._a-zA-Z0-9]+$
  18215. type: string
  18216. name:
  18217. description: The name of the Secret resource being referred to.
  18218. maxLength: 253
  18219. minLength: 1
  18220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18221. type: string
  18222. namespace:
  18223. description: |-
  18224. The namespace of the Secret resource being referred to.
  18225. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18226. maxLength: 63
  18227. minLength: 1
  18228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18229. type: string
  18230. type: object
  18231. userId:
  18232. description: |-
  18233. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18234. In some instances, `key` is a required field.
  18235. properties:
  18236. key:
  18237. description: |-
  18238. A key in the referenced Secret.
  18239. Some instances of this field may be defaulted, in others it may be required.
  18240. maxLength: 253
  18241. minLength: 1
  18242. pattern: ^[-._a-zA-Z0-9]+$
  18243. type: string
  18244. name:
  18245. description: The name of the Secret resource being referred to.
  18246. maxLength: 253
  18247. minLength: 1
  18248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18249. type: string
  18250. namespace:
  18251. description: |-
  18252. The namespace of the Secret resource being referred to.
  18253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18254. maxLength: 63
  18255. minLength: 1
  18256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18257. type: string
  18258. type: object
  18259. required:
  18260. - fingerprint
  18261. - identityId
  18262. - privateKey
  18263. - region
  18264. - tenancyId
  18265. - userId
  18266. type: object
  18267. tokenAuthCredentials:
  18268. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  18269. properties:
  18270. accessToken:
  18271. description: |-
  18272. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18273. In some instances, `key` is a required field.
  18274. properties:
  18275. key:
  18276. description: |-
  18277. A key in the referenced Secret.
  18278. Some instances of this field may be defaulted, in others it may be required.
  18279. maxLength: 253
  18280. minLength: 1
  18281. pattern: ^[-._a-zA-Z0-9]+$
  18282. type: string
  18283. name:
  18284. description: The name of the Secret resource being referred to.
  18285. maxLength: 253
  18286. minLength: 1
  18287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18288. type: string
  18289. namespace:
  18290. description: |-
  18291. The namespace of the Secret resource being referred to.
  18292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18293. maxLength: 63
  18294. minLength: 1
  18295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18296. type: string
  18297. type: object
  18298. required:
  18299. - accessToken
  18300. type: object
  18301. universalAuthCredentials:
  18302. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  18303. properties:
  18304. clientId:
  18305. description: |-
  18306. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18307. In some instances, `key` is a required field.
  18308. properties:
  18309. key:
  18310. description: |-
  18311. A key in the referenced Secret.
  18312. Some instances of this field may be defaulted, in others it may be required.
  18313. maxLength: 253
  18314. minLength: 1
  18315. pattern: ^[-._a-zA-Z0-9]+$
  18316. type: string
  18317. name:
  18318. description: The name of the Secret resource being referred to.
  18319. maxLength: 253
  18320. minLength: 1
  18321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18322. type: string
  18323. namespace:
  18324. description: |-
  18325. The namespace of the Secret resource being referred to.
  18326. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18327. maxLength: 63
  18328. minLength: 1
  18329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18330. type: string
  18331. type: object
  18332. clientSecret:
  18333. description: |-
  18334. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18335. In some instances, `key` is a required field.
  18336. properties:
  18337. key:
  18338. description: |-
  18339. A key in the referenced Secret.
  18340. Some instances of this field may be defaulted, in others it may be required.
  18341. maxLength: 253
  18342. minLength: 1
  18343. pattern: ^[-._a-zA-Z0-9]+$
  18344. type: string
  18345. name:
  18346. description: The name of the Secret resource being referred to.
  18347. maxLength: 253
  18348. minLength: 1
  18349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18350. type: string
  18351. namespace:
  18352. description: |-
  18353. The namespace of the Secret resource being referred to.
  18354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18355. maxLength: 63
  18356. minLength: 1
  18357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18358. type: string
  18359. type: object
  18360. required:
  18361. - clientId
  18362. - clientSecret
  18363. type: object
  18364. type: object
  18365. caBundle:
  18366. description: |-
  18367. CABundle is a PEM-encoded CA certificate bundle used to validate
  18368. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  18369. format: byte
  18370. type: string
  18371. caProvider:
  18372. description: |-
  18373. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  18374. The certificate is used to validate the Infisical server's TLS certificate.
  18375. Mutually exclusive with CABundle.
  18376. properties:
  18377. key:
  18378. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18379. maxLength: 253
  18380. minLength: 1
  18381. pattern: ^[-._a-zA-Z0-9]+$
  18382. type: string
  18383. name:
  18384. description: The name of the object located at the provider type.
  18385. maxLength: 253
  18386. minLength: 1
  18387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18388. type: string
  18389. namespace:
  18390. description: |-
  18391. The namespace the Provider type is in.
  18392. Can only be defined when used in a ClusterSecretStore.
  18393. maxLength: 63
  18394. minLength: 1
  18395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18396. type: string
  18397. type:
  18398. description: The type of provider to use such as "Secret", or "ConfigMap".
  18399. enum:
  18400. - Secret
  18401. - ConfigMap
  18402. type: string
  18403. required:
  18404. - name
  18405. - type
  18406. type: object
  18407. hostAPI:
  18408. default: https://app.infisical.com/api
  18409. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  18410. type: string
  18411. secretsScope:
  18412. description: SecretsScope defines the scope of the secrets within the workspace
  18413. properties:
  18414. environmentSlug:
  18415. description: EnvironmentSlug is the required slug identifier for the environment.
  18416. type: string
  18417. expandSecretReferences:
  18418. default: true
  18419. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  18420. type: boolean
  18421. organizationSlug:
  18422. description: |-
  18423. OrganizationSlug is the optional slug that identifies the organization that will be used
  18424. during authentication. Useful for sub-organization setups
  18425. type: string
  18426. projectSlug:
  18427. description: ProjectSlug is the required slug identifier for the project.
  18428. type: string
  18429. recursive:
  18430. default: false
  18431. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  18432. type: boolean
  18433. secretsPath:
  18434. default: /
  18435. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18436. type: string
  18437. required:
  18438. - environmentSlug
  18439. - projectSlug
  18440. type: object
  18441. required:
  18442. - auth
  18443. - secretsScope
  18444. type: object
  18445. keepersecurity:
  18446. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18447. properties:
  18448. authRef:
  18449. description: |-
  18450. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18451. In some instances, `key` is a required field.
  18452. properties:
  18453. key:
  18454. description: |-
  18455. A key in the referenced Secret.
  18456. Some instances of this field may be defaulted, in others it may be required.
  18457. maxLength: 253
  18458. minLength: 1
  18459. pattern: ^[-._a-zA-Z0-9]+$
  18460. type: string
  18461. name:
  18462. description: The name of the Secret resource being referred to.
  18463. maxLength: 253
  18464. minLength: 1
  18465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18466. type: string
  18467. namespace:
  18468. description: |-
  18469. The namespace of the Secret resource being referred to.
  18470. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18471. maxLength: 63
  18472. minLength: 1
  18473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18474. type: string
  18475. type: object
  18476. folderID:
  18477. type: string
  18478. getByTitleFallback:
  18479. type: boolean
  18480. required:
  18481. - authRef
  18482. - folderID
  18483. type: object
  18484. kubernetes:
  18485. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18486. properties:
  18487. auth:
  18488. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18489. maxProperties: 1
  18490. minProperties: 1
  18491. properties:
  18492. cert:
  18493. description: has both clientCert and clientKey as secretKeySelector
  18494. properties:
  18495. clientCert:
  18496. description: |-
  18497. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18498. In some instances, `key` is a required field.
  18499. properties:
  18500. key:
  18501. description: |-
  18502. A key in the referenced Secret.
  18503. Some instances of this field may be defaulted, in others it may be required.
  18504. maxLength: 253
  18505. minLength: 1
  18506. pattern: ^[-._a-zA-Z0-9]+$
  18507. type: string
  18508. name:
  18509. description: The name of the Secret resource being referred to.
  18510. maxLength: 253
  18511. minLength: 1
  18512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18513. type: string
  18514. namespace:
  18515. description: |-
  18516. The namespace of the Secret resource being referred to.
  18517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18518. maxLength: 63
  18519. minLength: 1
  18520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18521. type: string
  18522. type: object
  18523. clientKey:
  18524. description: |-
  18525. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18526. In some instances, `key` is a required field.
  18527. properties:
  18528. key:
  18529. description: |-
  18530. A key in the referenced Secret.
  18531. Some instances of this field may be defaulted, in others it may be required.
  18532. maxLength: 253
  18533. minLength: 1
  18534. pattern: ^[-._a-zA-Z0-9]+$
  18535. type: string
  18536. name:
  18537. description: The name of the Secret resource being referred to.
  18538. maxLength: 253
  18539. minLength: 1
  18540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18541. type: string
  18542. namespace:
  18543. description: |-
  18544. The namespace of the Secret resource being referred to.
  18545. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18546. maxLength: 63
  18547. minLength: 1
  18548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18549. type: string
  18550. type: object
  18551. type: object
  18552. serviceAccount:
  18553. description: points to a service account that should be used for authentication
  18554. properties:
  18555. audiences:
  18556. description: |-
  18557. Audience specifies the `aud` claim for the service account token
  18558. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18559. then this audiences will be appended to the list
  18560. items:
  18561. type: string
  18562. type: array
  18563. name:
  18564. description: The name of the ServiceAccount resource being referred to.
  18565. maxLength: 253
  18566. minLength: 1
  18567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18568. type: string
  18569. namespace:
  18570. description: |-
  18571. Namespace of the resource being referred to.
  18572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18573. maxLength: 63
  18574. minLength: 1
  18575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18576. type: string
  18577. required:
  18578. - name
  18579. type: object
  18580. token:
  18581. description: use static token to authenticate with
  18582. properties:
  18583. bearerToken:
  18584. description: |-
  18585. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18586. In some instances, `key` is a required field.
  18587. properties:
  18588. key:
  18589. description: |-
  18590. A key in the referenced Secret.
  18591. Some instances of this field may be defaulted, in others it may be required.
  18592. maxLength: 253
  18593. minLength: 1
  18594. pattern: ^[-._a-zA-Z0-9]+$
  18595. type: string
  18596. name:
  18597. description: The name of the Secret resource being referred to.
  18598. maxLength: 253
  18599. minLength: 1
  18600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18601. type: string
  18602. namespace:
  18603. description: |-
  18604. The namespace of the Secret resource being referred to.
  18605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18606. maxLength: 63
  18607. minLength: 1
  18608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18609. type: string
  18610. type: object
  18611. type: object
  18612. type: object
  18613. authRef:
  18614. description: A reference to a secret that contains the auth information.
  18615. properties:
  18616. key:
  18617. description: |-
  18618. A key in the referenced Secret.
  18619. Some instances of this field may be defaulted, in others it may be required.
  18620. maxLength: 253
  18621. minLength: 1
  18622. pattern: ^[-._a-zA-Z0-9]+$
  18623. type: string
  18624. name:
  18625. description: The name of the Secret resource being referred to.
  18626. maxLength: 253
  18627. minLength: 1
  18628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18629. type: string
  18630. namespace:
  18631. description: |-
  18632. The namespace of the Secret resource being referred to.
  18633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18634. maxLength: 63
  18635. minLength: 1
  18636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18637. type: string
  18638. type: object
  18639. remoteNamespace:
  18640. default: default
  18641. description: Remote namespace to fetch the secrets from
  18642. maxLength: 63
  18643. minLength: 1
  18644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18645. type: string
  18646. server:
  18647. description: configures the Kubernetes server Address.
  18648. properties:
  18649. caBundle:
  18650. description: CABundle is a base64-encoded CA certificate
  18651. format: byte
  18652. type: string
  18653. caProvider:
  18654. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18655. properties:
  18656. key:
  18657. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18658. maxLength: 253
  18659. minLength: 1
  18660. pattern: ^[-._a-zA-Z0-9]+$
  18661. type: string
  18662. name:
  18663. description: The name of the object located at the provider type.
  18664. maxLength: 253
  18665. minLength: 1
  18666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18667. type: string
  18668. namespace:
  18669. description: |-
  18670. The namespace the Provider type is in.
  18671. Can only be defined when used in a ClusterSecretStore.
  18672. maxLength: 63
  18673. minLength: 1
  18674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18675. type: string
  18676. type:
  18677. description: The type of provider to use such as "Secret", or "ConfigMap".
  18678. enum:
  18679. - Secret
  18680. - ConfigMap
  18681. type: string
  18682. required:
  18683. - name
  18684. - type
  18685. type: object
  18686. url:
  18687. default: kubernetes.default
  18688. description: configures the Kubernetes server Address.
  18689. type: string
  18690. type: object
  18691. type: object
  18692. nebiusmysterybox:
  18693. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  18694. properties:
  18695. apiDomain:
  18696. description: NebiusMysterybox API endpoint
  18697. type: string
  18698. auth:
  18699. description: Auth defines parameters to authenticate in MysteryBox
  18700. properties:
  18701. serviceAccountCredsSecretRef:
  18702. description: |-
  18703. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18704. document with service account credentials used to get an IAM token.
  18705. Expected JSON structure:
  18706. {
  18707. "subject-credentials": {
  18708. "alg": "RS256",
  18709. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18710. "kid": "<public-key-id>",
  18711. "iss": "<issuer-service-account-id>",
  18712. "sub": "<subject-service-account-id>"
  18713. }
  18714. }
  18715. properties:
  18716. key:
  18717. description: |-
  18718. A key in the referenced Secret.
  18719. Some instances of this field may be defaulted, in others it may be required.
  18720. maxLength: 253
  18721. minLength: 1
  18722. pattern: ^[-._a-zA-Z0-9]+$
  18723. type: string
  18724. name:
  18725. description: The name of the Secret resource being referred to.
  18726. maxLength: 253
  18727. minLength: 1
  18728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18729. type: string
  18730. namespace:
  18731. description: |-
  18732. The namespace of the Secret resource being referred to.
  18733. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18734. maxLength: 63
  18735. minLength: 1
  18736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18737. type: string
  18738. type: object
  18739. tokenSecretRef:
  18740. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18741. properties:
  18742. key:
  18743. description: |-
  18744. A key in the referenced Secret.
  18745. Some instances of this field may be defaulted, in others it may be required.
  18746. maxLength: 253
  18747. minLength: 1
  18748. pattern: ^[-._a-zA-Z0-9]+$
  18749. type: string
  18750. name:
  18751. description: The name of the Secret resource being referred to.
  18752. maxLength: 253
  18753. minLength: 1
  18754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18755. type: string
  18756. namespace:
  18757. description: |-
  18758. The namespace of the Secret resource being referred to.
  18759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18760. maxLength: 63
  18761. minLength: 1
  18762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18763. type: string
  18764. type: object
  18765. type: object
  18766. x-kubernetes-validations:
  18767. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18768. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18769. caProvider:
  18770. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18771. properties:
  18772. certSecretRef:
  18773. description: |-
  18774. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18775. In some instances, `key` is a required field.
  18776. properties:
  18777. key:
  18778. description: |-
  18779. A key in the referenced Secret.
  18780. Some instances of this field may be defaulted, in others it may be required.
  18781. maxLength: 253
  18782. minLength: 1
  18783. pattern: ^[-._a-zA-Z0-9]+$
  18784. type: string
  18785. name:
  18786. description: The name of the Secret resource being referred to.
  18787. maxLength: 253
  18788. minLength: 1
  18789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18790. type: string
  18791. namespace:
  18792. description: |-
  18793. The namespace of the Secret resource being referred to.
  18794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18795. maxLength: 63
  18796. minLength: 1
  18797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18798. type: string
  18799. type: object
  18800. type: object
  18801. required:
  18802. - apiDomain
  18803. - auth
  18804. type: object
  18805. ngrok:
  18806. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18807. properties:
  18808. apiUrl:
  18809. default: https://api.ngrok.com
  18810. description: APIURL is the URL of the ngrok API.
  18811. type: string
  18812. auth:
  18813. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18814. maxProperties: 1
  18815. minProperties: 1
  18816. properties:
  18817. apiKey:
  18818. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18819. properties:
  18820. secretRef:
  18821. description: SecretRef is a reference to a secret containing the ngrok API key.
  18822. properties:
  18823. key:
  18824. description: |-
  18825. A key in the referenced Secret.
  18826. Some instances of this field may be defaulted, in others it may be required.
  18827. maxLength: 253
  18828. minLength: 1
  18829. pattern: ^[-._a-zA-Z0-9]+$
  18830. type: string
  18831. name:
  18832. description: The name of the Secret resource being referred to.
  18833. maxLength: 253
  18834. minLength: 1
  18835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18836. type: string
  18837. namespace:
  18838. description: |-
  18839. The namespace of the Secret resource being referred to.
  18840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18841. maxLength: 63
  18842. minLength: 1
  18843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18844. type: string
  18845. type: object
  18846. type: object
  18847. type: object
  18848. vault:
  18849. description: Vault configures the ngrok vault to sync secrets with.
  18850. properties:
  18851. name:
  18852. description: Name is the name of the ngrok vault to sync secrets with.
  18853. type: string
  18854. required:
  18855. - name
  18856. type: object
  18857. required:
  18858. - auth
  18859. - vault
  18860. type: object
  18861. onboardbase:
  18862. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18863. properties:
  18864. apiHost:
  18865. default: https://public.onboardbase.com/api/v1/
  18866. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18867. type: string
  18868. auth:
  18869. description: Auth configures how the Operator authenticates with the Onboardbase API
  18870. properties:
  18871. apiKeyRef:
  18872. description: |-
  18873. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18874. It is used to recognize and authorize access to a project and environment within onboardbase
  18875. properties:
  18876. key:
  18877. description: |-
  18878. A key in the referenced Secret.
  18879. Some instances of this field may be defaulted, in others it may be required.
  18880. maxLength: 253
  18881. minLength: 1
  18882. pattern: ^[-._a-zA-Z0-9]+$
  18883. type: string
  18884. name:
  18885. description: The name of the Secret resource being referred to.
  18886. maxLength: 253
  18887. minLength: 1
  18888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18889. type: string
  18890. namespace:
  18891. description: |-
  18892. The namespace of the Secret resource being referred to.
  18893. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18894. maxLength: 63
  18895. minLength: 1
  18896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18897. type: string
  18898. type: object
  18899. passcodeRef:
  18900. description: OnboardbasePasscode is the passcode attached to the API Key
  18901. properties:
  18902. key:
  18903. description: |-
  18904. A key in the referenced Secret.
  18905. Some instances of this field may be defaulted, in others it may be required.
  18906. maxLength: 253
  18907. minLength: 1
  18908. pattern: ^[-._a-zA-Z0-9]+$
  18909. type: string
  18910. name:
  18911. description: The name of the Secret resource being referred to.
  18912. maxLength: 253
  18913. minLength: 1
  18914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18915. type: string
  18916. namespace:
  18917. description: |-
  18918. The namespace of the Secret resource being referred to.
  18919. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18920. maxLength: 63
  18921. minLength: 1
  18922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18923. type: string
  18924. type: object
  18925. required:
  18926. - apiKeyRef
  18927. - passcodeRef
  18928. type: object
  18929. environment:
  18930. default: development
  18931. description: Environment is the name of an environmnent within a project to pull the secrets from
  18932. type: string
  18933. project:
  18934. default: development
  18935. description: Project is an onboardbase project that the secrets should be pulled from
  18936. type: string
  18937. required:
  18938. - apiHost
  18939. - auth
  18940. - environment
  18941. - project
  18942. type: object
  18943. onepassword:
  18944. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18945. properties:
  18946. auth:
  18947. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18948. properties:
  18949. secretRef:
  18950. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18951. properties:
  18952. connectTokenSecretRef:
  18953. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18954. properties:
  18955. key:
  18956. description: |-
  18957. A key in the referenced Secret.
  18958. Some instances of this field may be defaulted, in others it may be required.
  18959. maxLength: 253
  18960. minLength: 1
  18961. pattern: ^[-._a-zA-Z0-9]+$
  18962. type: string
  18963. name:
  18964. description: The name of the Secret resource being referred to.
  18965. maxLength: 253
  18966. minLength: 1
  18967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18968. type: string
  18969. namespace:
  18970. description: |-
  18971. The namespace of the Secret resource being referred to.
  18972. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18973. maxLength: 63
  18974. minLength: 1
  18975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18976. type: string
  18977. type: object
  18978. required:
  18979. - connectTokenSecretRef
  18980. type: object
  18981. required:
  18982. - secretRef
  18983. type: object
  18984. connectHost:
  18985. description: ConnectHost defines the OnePassword Connect Server to connect to
  18986. type: string
  18987. vaults:
  18988. additionalProperties:
  18989. type: integer
  18990. description: Vaults defines which OnePassword vaults to search in which order
  18991. type: object
  18992. required:
  18993. - auth
  18994. - connectHost
  18995. - vaults
  18996. type: object
  18997. onepasswordSDK:
  18998. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18999. properties:
  19000. auth:
  19001. description: Auth defines the information necessary to authenticate against OnePassword API.
  19002. properties:
  19003. serviceAccountSecretRef:
  19004. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  19005. properties:
  19006. key:
  19007. description: |-
  19008. A key in the referenced Secret.
  19009. Some instances of this field may be defaulted, in others it may be required.
  19010. maxLength: 253
  19011. minLength: 1
  19012. pattern: ^[-._a-zA-Z0-9]+$
  19013. type: string
  19014. name:
  19015. description: The name of the Secret resource being referred to.
  19016. maxLength: 253
  19017. minLength: 1
  19018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19019. type: string
  19020. namespace:
  19021. description: |-
  19022. The namespace of the Secret resource being referred to.
  19023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19024. maxLength: 63
  19025. minLength: 1
  19026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19027. type: string
  19028. type: object
  19029. required:
  19030. - serviceAccountSecretRef
  19031. type: object
  19032. cache:
  19033. description: |-
  19034. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  19035. When enabled, secrets are cached with the specified TTL.
  19036. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  19037. If omitted, caching is disabled (default).
  19038. cache: {} is a valid option to set.
  19039. properties:
  19040. maxSize:
  19041. default: 100
  19042. description: |-
  19043. MaxSize is the maximum number of secrets to cache.
  19044. When the cache is full, least-recently-used entries are evicted.
  19045. minimum: 1
  19046. type: integer
  19047. ttl:
  19048. default: 5m
  19049. description: |-
  19050. TTL is the time-to-live for cached secrets.
  19051. Format: duration string (e.g., "5m", "1h", "30s")
  19052. type: string
  19053. type: object
  19054. integrationInfo:
  19055. description: |-
  19056. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  19057. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  19058. properties:
  19059. name:
  19060. default: 1Password SDK
  19061. description: Name defaults to "1Password SDK".
  19062. type: string
  19063. version:
  19064. default: v1.0.0
  19065. description: Version defaults to "v1.0.0".
  19066. type: string
  19067. type: object
  19068. vault:
  19069. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  19070. type: string
  19071. required:
  19072. - auth
  19073. - vault
  19074. type: object
  19075. openBao:
  19076. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  19077. properties:
  19078. auth:
  19079. description: Auth configures how secret-manager authenticates with the OpenBao server.
  19080. maxProperties: 1
  19081. properties:
  19082. tokenSecretRef:
  19083. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  19084. properties:
  19085. key:
  19086. description: |-
  19087. A key in the referenced Secret.
  19088. Some instances of this field may be defaulted, in others it may be required.
  19089. maxLength: 253
  19090. minLength: 1
  19091. pattern: ^[-._a-zA-Z0-9]+$
  19092. type: string
  19093. name:
  19094. description: The name of the Secret resource being referred to.
  19095. maxLength: 253
  19096. minLength: 1
  19097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19098. type: string
  19099. namespace:
  19100. description: |-
  19101. The namespace of the Secret resource being referred to.
  19102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19103. maxLength: 63
  19104. minLength: 1
  19105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19106. type: string
  19107. type: object
  19108. userPass:
  19109. description: UserPass authenticates with OpenBao by passing a username/password pair
  19110. properties:
  19111. path:
  19112. default: userpass
  19113. description: |-
  19114. Path where the UserPassword authentication backend is mounted
  19115. in OpenBao, e.g: "userpass"
  19116. type: string
  19117. secretRef:
  19118. description: |-
  19119. SecretRef to a key in a Secret resource containing password for the user
  19120. used to authenticate with OpenBao using the [UserPass authentication
  19121. method]
  19122. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19123. properties:
  19124. key:
  19125. description: |-
  19126. A key in the referenced Secret.
  19127. Some instances of this field may be defaulted, in others it may be required.
  19128. maxLength: 253
  19129. minLength: 1
  19130. pattern: ^[-._a-zA-Z0-9]+$
  19131. type: string
  19132. name:
  19133. description: The name of the Secret resource being referred to.
  19134. maxLength: 253
  19135. minLength: 1
  19136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19137. type: string
  19138. namespace:
  19139. description: |-
  19140. The namespace of the Secret resource being referred to.
  19141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19142. maxLength: 63
  19143. minLength: 1
  19144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19145. type: string
  19146. type: object
  19147. username:
  19148. description: |-
  19149. Username is a username used to authenticate using the [UserPass
  19150. authentication method]
  19151. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19152. type: string
  19153. required:
  19154. - path
  19155. - username
  19156. type: object
  19157. type: object
  19158. caBundle:
  19159. description: |-
  19160. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  19161. this and `caProvider` are not set the system root certificates are used
  19162. to validate the TLS connection.
  19163. format: byte
  19164. type: string
  19165. caProvider:
  19166. description: |-
  19167. The provider for the CA bundle to use to validate OpenBao server
  19168. certificate. If this and `caBundle` are not set the system root
  19169. certificates are used to validate the TLS connection.
  19170. properties:
  19171. key:
  19172. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19173. maxLength: 253
  19174. minLength: 1
  19175. pattern: ^[-._a-zA-Z0-9]+$
  19176. type: string
  19177. name:
  19178. description: The name of the object located at the provider type.
  19179. maxLength: 253
  19180. minLength: 1
  19181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19182. type: string
  19183. namespace:
  19184. description: |-
  19185. The namespace the Provider type is in.
  19186. Can only be defined when used in a ClusterSecretStore.
  19187. maxLength: 63
  19188. minLength: 1
  19189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19190. type: string
  19191. type:
  19192. description: The type of provider to use such as "Secret", or "ConfigMap".
  19193. enum:
  19194. - Secret
  19195. - ConfigMap
  19196. type: string
  19197. required:
  19198. - name
  19199. - type
  19200. type: object
  19201. path:
  19202. description: |-
  19203. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  19204. "secret". The v2 KV secret engine version specific "/data" path suffix
  19205. for fetching secrets from OpenBao is optional and will be appended
  19206. if not present in specified path.
  19207. type: string
  19208. server:
  19209. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  19210. type: string
  19211. version:
  19212. default: v2
  19213. description: |-
  19214. Version is the OpenBao KV secret engine version. This can be either "v1" or
  19215. "v2". Version defaults to "v2".
  19216. enum:
  19217. - v1
  19218. - v2
  19219. type: string
  19220. required:
  19221. - server
  19222. type: object
  19223. x-kubernetes-validations:
  19224. - message: at most one of the fields in [caBundle caProvider] may be set
  19225. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  19226. oracle:
  19227. description: Oracle configures this store to sync secrets using Oracle Vault provider
  19228. properties:
  19229. auth:
  19230. description: |-
  19231. Auth configures how secret-manager authenticates with the Oracle Vault.
  19232. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  19233. properties:
  19234. secretRef:
  19235. description: SecretRef to pass through sensitive information.
  19236. properties:
  19237. fingerprint:
  19238. description: Fingerprint is the fingerprint of the API private key.
  19239. properties:
  19240. key:
  19241. description: |-
  19242. A key in the referenced Secret.
  19243. Some instances of this field may be defaulted, in others it may be required.
  19244. maxLength: 253
  19245. minLength: 1
  19246. pattern: ^[-._a-zA-Z0-9]+$
  19247. type: string
  19248. name:
  19249. description: The name of the Secret resource being referred to.
  19250. maxLength: 253
  19251. minLength: 1
  19252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19253. type: string
  19254. namespace:
  19255. description: |-
  19256. The namespace of the Secret resource being referred to.
  19257. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19258. maxLength: 63
  19259. minLength: 1
  19260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19261. type: string
  19262. type: object
  19263. privatekey:
  19264. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  19265. properties:
  19266. key:
  19267. description: |-
  19268. A key in the referenced Secret.
  19269. Some instances of this field may be defaulted, in others it may be required.
  19270. maxLength: 253
  19271. minLength: 1
  19272. pattern: ^[-._a-zA-Z0-9]+$
  19273. type: string
  19274. name:
  19275. description: The name of the Secret resource being referred to.
  19276. maxLength: 253
  19277. minLength: 1
  19278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19279. type: string
  19280. namespace:
  19281. description: |-
  19282. The namespace of the Secret resource being referred to.
  19283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19284. maxLength: 63
  19285. minLength: 1
  19286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19287. type: string
  19288. type: object
  19289. required:
  19290. - fingerprint
  19291. - privatekey
  19292. type: object
  19293. tenancy:
  19294. description: Tenancy is the tenancy OCID where user is located.
  19295. type: string
  19296. user:
  19297. description: User is an access OCID specific to the account.
  19298. type: string
  19299. required:
  19300. - secretRef
  19301. - tenancy
  19302. - user
  19303. type: object
  19304. compartment:
  19305. description: |-
  19306. Compartment is the vault compartment OCID.
  19307. Required for PushSecret
  19308. type: string
  19309. encryptionKey:
  19310. description: |-
  19311. EncryptionKey is the OCID of the encryption key within the vault.
  19312. Required for PushSecret
  19313. type: string
  19314. principalType:
  19315. description: |-
  19316. The type of principal to use for authentication. If left blank, the Auth struct will
  19317. determine the principal type. This optional field must be specified if using
  19318. workload identity.
  19319. enum:
  19320. - ""
  19321. - UserPrincipal
  19322. - InstancePrincipal
  19323. - Workload
  19324. type: string
  19325. region:
  19326. description: Region is the region where vault is located.
  19327. type: string
  19328. serviceAccountRef:
  19329. description: |-
  19330. ServiceAccountRef specified the service account
  19331. that should be used when authenticating with WorkloadIdentity.
  19332. properties:
  19333. audiences:
  19334. description: |-
  19335. Audience specifies the `aud` claim for the service account token
  19336. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19337. then this audiences will be appended to the list
  19338. items:
  19339. type: string
  19340. type: array
  19341. name:
  19342. description: The name of the ServiceAccount resource being referred to.
  19343. maxLength: 253
  19344. minLength: 1
  19345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19346. type: string
  19347. namespace:
  19348. description: |-
  19349. Namespace of the resource being referred to.
  19350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19351. maxLength: 63
  19352. minLength: 1
  19353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19354. type: string
  19355. required:
  19356. - name
  19357. type: object
  19358. vault:
  19359. description: Vault is the vault's OCID of the specific vault where secret is located.
  19360. type: string
  19361. required:
  19362. - region
  19363. - vault
  19364. type: object
  19365. ovh:
  19366. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  19367. properties:
  19368. auth:
  19369. description: Authentication method (mtls or token).
  19370. properties:
  19371. mtls:
  19372. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  19373. properties:
  19374. caBundle:
  19375. format: byte
  19376. type: string
  19377. caProvider:
  19378. description: |-
  19379. CAProvider provides a custom certificate authority for accessing the provider's store.
  19380. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  19381. properties:
  19382. key:
  19383. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19384. maxLength: 253
  19385. minLength: 1
  19386. pattern: ^[-._a-zA-Z0-9]+$
  19387. type: string
  19388. name:
  19389. description: The name of the object located at the provider type.
  19390. maxLength: 253
  19391. minLength: 1
  19392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19393. type: string
  19394. namespace:
  19395. description: |-
  19396. The namespace the Provider type is in.
  19397. Can only be defined when used in a ClusterSecretStore.
  19398. maxLength: 63
  19399. minLength: 1
  19400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19401. type: string
  19402. type:
  19403. description: The type of provider to use such as "Secret", or "ConfigMap".
  19404. enum:
  19405. - Secret
  19406. - ConfigMap
  19407. type: string
  19408. required:
  19409. - name
  19410. - type
  19411. type: object
  19412. certSecretRef:
  19413. description: |-
  19414. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19415. In some instances, `key` is a required field.
  19416. properties:
  19417. key:
  19418. description: |-
  19419. A key in the referenced Secret.
  19420. Some instances of this field may be defaulted, in others it may be required.
  19421. maxLength: 253
  19422. minLength: 1
  19423. pattern: ^[-._a-zA-Z0-9]+$
  19424. type: string
  19425. name:
  19426. description: The name of the Secret resource being referred to.
  19427. maxLength: 253
  19428. minLength: 1
  19429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19430. type: string
  19431. namespace:
  19432. description: |-
  19433. The namespace of the Secret resource being referred to.
  19434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19435. maxLength: 63
  19436. minLength: 1
  19437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19438. type: string
  19439. type: object
  19440. keySecretRef:
  19441. description: |-
  19442. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19443. In some instances, `key` is a required field.
  19444. properties:
  19445. key:
  19446. description: |-
  19447. A key in the referenced Secret.
  19448. Some instances of this field may be defaulted, in others it may be required.
  19449. maxLength: 253
  19450. minLength: 1
  19451. pattern: ^[-._a-zA-Z0-9]+$
  19452. type: string
  19453. name:
  19454. description: The name of the Secret resource being referred to.
  19455. maxLength: 253
  19456. minLength: 1
  19457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19458. type: string
  19459. namespace:
  19460. description: |-
  19461. The namespace of the Secret resource being referred to.
  19462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19463. maxLength: 63
  19464. minLength: 1
  19465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19466. type: string
  19467. type: object
  19468. required:
  19469. - certSecretRef
  19470. - keySecretRef
  19471. type: object
  19472. token:
  19473. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  19474. properties:
  19475. tokenSecretRef:
  19476. description: |-
  19477. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19478. In some instances, `key` is a required field.
  19479. properties:
  19480. key:
  19481. description: |-
  19482. A key in the referenced Secret.
  19483. Some instances of this field may be defaulted, in others it may be required.
  19484. maxLength: 253
  19485. minLength: 1
  19486. pattern: ^[-._a-zA-Z0-9]+$
  19487. type: string
  19488. name:
  19489. description: The name of the Secret resource being referred to.
  19490. maxLength: 253
  19491. minLength: 1
  19492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19493. type: string
  19494. namespace:
  19495. description: |-
  19496. The namespace of the Secret resource being referred to.
  19497. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19498. maxLength: 63
  19499. minLength: 1
  19500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19501. type: string
  19502. type: object
  19503. required:
  19504. - tokenSecretRef
  19505. type: object
  19506. type: object
  19507. casRequired:
  19508. description: 'Enables or disables check-and-set (CAS) (default: false).'
  19509. type: boolean
  19510. okmsTimeout:
  19511. default: 30
  19512. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  19513. format: int32
  19514. minimum: 1
  19515. type: integer
  19516. okmsid:
  19517. description: specifies the OKMS ID.
  19518. type: string
  19519. server:
  19520. description: specifies the OKMS server endpoint.
  19521. type: string
  19522. required:
  19523. - auth
  19524. - okmsid
  19525. - server
  19526. type: object
  19527. passbolt:
  19528. description: |-
  19529. PassboltProvider provides access to Passbolt secrets manager.
  19530. See: https://www.passbolt.com.
  19531. properties:
  19532. auth:
  19533. description: Auth defines the information necessary to authenticate against Passbolt Server
  19534. properties:
  19535. passwordSecretRef:
  19536. description: |-
  19537. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19538. In some instances, `key` is a required field.
  19539. properties:
  19540. key:
  19541. description: |-
  19542. A key in the referenced Secret.
  19543. Some instances of this field may be defaulted, in others it may be required.
  19544. maxLength: 253
  19545. minLength: 1
  19546. pattern: ^[-._a-zA-Z0-9]+$
  19547. type: string
  19548. name:
  19549. description: The name of the Secret resource being referred to.
  19550. maxLength: 253
  19551. minLength: 1
  19552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19553. type: string
  19554. namespace:
  19555. description: |-
  19556. The namespace of the Secret resource being referred to.
  19557. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19558. maxLength: 63
  19559. minLength: 1
  19560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19561. type: string
  19562. type: object
  19563. privateKeySecretRef:
  19564. description: |-
  19565. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19566. In some instances, `key` is a required field.
  19567. properties:
  19568. key:
  19569. description: |-
  19570. A key in the referenced Secret.
  19571. Some instances of this field may be defaulted, in others it may be required.
  19572. maxLength: 253
  19573. minLength: 1
  19574. pattern: ^[-._a-zA-Z0-9]+$
  19575. type: string
  19576. name:
  19577. description: The name of the Secret resource being referred to.
  19578. maxLength: 253
  19579. minLength: 1
  19580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19581. type: string
  19582. namespace:
  19583. description: |-
  19584. The namespace of the Secret resource being referred to.
  19585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19586. maxLength: 63
  19587. minLength: 1
  19588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19589. type: string
  19590. type: object
  19591. required:
  19592. - passwordSecretRef
  19593. - privateKeySecretRef
  19594. type: object
  19595. caBundle:
  19596. description: |-
  19597. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  19598. if the Host URL is using HTTPS protocol. If not set the system root certificates
  19599. are used to validate the TLS connection.
  19600. format: byte
  19601. type: string
  19602. caProvider:
  19603. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19604. properties:
  19605. key:
  19606. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19607. maxLength: 253
  19608. minLength: 1
  19609. pattern: ^[-._a-zA-Z0-9]+$
  19610. type: string
  19611. name:
  19612. description: The name of the object located at the provider type.
  19613. maxLength: 253
  19614. minLength: 1
  19615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19616. type: string
  19617. namespace:
  19618. description: |-
  19619. The namespace the Provider type is in.
  19620. Can only be defined when used in a ClusterSecretStore.
  19621. maxLength: 63
  19622. minLength: 1
  19623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19624. type: string
  19625. type:
  19626. description: The type of provider to use such as "Secret", or "ConfigMap".
  19627. enum:
  19628. - Secret
  19629. - ConfigMap
  19630. type: string
  19631. required:
  19632. - name
  19633. - type
  19634. type: object
  19635. host:
  19636. description: Host defines the Passbolt Server to connect to
  19637. type: string
  19638. required:
  19639. - auth
  19640. - host
  19641. type: object
  19642. passworddepot:
  19643. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19644. properties:
  19645. auth:
  19646. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19647. properties:
  19648. secretRef:
  19649. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19650. properties:
  19651. credentials:
  19652. description: Username / Password is used for authentication.
  19653. properties:
  19654. key:
  19655. description: |-
  19656. A key in the referenced Secret.
  19657. Some instances of this field may be defaulted, in others it may be required.
  19658. maxLength: 253
  19659. minLength: 1
  19660. pattern: ^[-._a-zA-Z0-9]+$
  19661. type: string
  19662. name:
  19663. description: The name of the Secret resource being referred to.
  19664. maxLength: 253
  19665. minLength: 1
  19666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19667. type: string
  19668. namespace:
  19669. description: |-
  19670. The namespace of the Secret resource being referred to.
  19671. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19672. maxLength: 63
  19673. minLength: 1
  19674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19675. type: string
  19676. type: object
  19677. type: object
  19678. required:
  19679. - secretRef
  19680. type: object
  19681. database:
  19682. description: Database to use as source
  19683. type: string
  19684. host:
  19685. description: URL configures the Password Depot instance URL.
  19686. type: string
  19687. required:
  19688. - auth
  19689. - database
  19690. - host
  19691. type: object
  19692. previder:
  19693. description: Previder configures this store to sync secrets using the Previder provider
  19694. properties:
  19695. auth:
  19696. description: PreviderAuth contains a secretRef for credentials.
  19697. properties:
  19698. secretRef:
  19699. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19700. properties:
  19701. accessToken:
  19702. description: The AccessToken is used for authentication
  19703. properties:
  19704. key:
  19705. description: |-
  19706. A key in the referenced Secret.
  19707. Some instances of this field may be defaulted, in others it may be required.
  19708. maxLength: 253
  19709. minLength: 1
  19710. pattern: ^[-._a-zA-Z0-9]+$
  19711. type: string
  19712. name:
  19713. description: The name of the Secret resource being referred to.
  19714. maxLength: 253
  19715. minLength: 1
  19716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19717. type: string
  19718. namespace:
  19719. description: |-
  19720. The namespace of the Secret resource being referred to.
  19721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19722. maxLength: 63
  19723. minLength: 1
  19724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19725. type: string
  19726. type: object
  19727. required:
  19728. - accessToken
  19729. type: object
  19730. type: object
  19731. baseUri:
  19732. type: string
  19733. required:
  19734. - auth
  19735. type: object
  19736. pulumi:
  19737. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19738. properties:
  19739. accessToken:
  19740. description: |-
  19741. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  19742. Deprecated: Use auth.accessToken instead.
  19743. properties:
  19744. secretRef:
  19745. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19746. properties:
  19747. key:
  19748. description: |-
  19749. A key in the referenced Secret.
  19750. Some instances of this field may be defaulted, in others it may be required.
  19751. maxLength: 253
  19752. minLength: 1
  19753. pattern: ^[-._a-zA-Z0-9]+$
  19754. type: string
  19755. name:
  19756. description: The name of the Secret resource being referred to.
  19757. maxLength: 253
  19758. minLength: 1
  19759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19760. type: string
  19761. namespace:
  19762. description: |-
  19763. The namespace of the Secret resource being referred to.
  19764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19765. maxLength: 63
  19766. minLength: 1
  19767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19768. type: string
  19769. type: object
  19770. type: object
  19771. apiUrl:
  19772. default: https://api.pulumi.com/api/esc
  19773. description: APIURL is the URL of the Pulumi API.
  19774. type: string
  19775. auth:
  19776. description: |-
  19777. Auth configures how the Operator authenticates with the Pulumi API.
  19778. Either auth or the deprecated accessToken field must be specified.
  19779. properties:
  19780. accessToken:
  19781. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19782. properties:
  19783. secretRef:
  19784. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19785. properties:
  19786. key:
  19787. description: |-
  19788. A key in the referenced Secret.
  19789. Some instances of this field may be defaulted, in others it may be required.
  19790. maxLength: 253
  19791. minLength: 1
  19792. pattern: ^[-._a-zA-Z0-9]+$
  19793. type: string
  19794. name:
  19795. description: The name of the Secret resource being referred to.
  19796. maxLength: 253
  19797. minLength: 1
  19798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19799. type: string
  19800. namespace:
  19801. description: |-
  19802. The namespace of the Secret resource being referred to.
  19803. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19804. maxLength: 63
  19805. minLength: 1
  19806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19807. type: string
  19808. type: object
  19809. type: object
  19810. oidcConfig:
  19811. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19812. properties:
  19813. expirationSeconds:
  19814. default: 600
  19815. description: |-
  19816. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19817. Defaults to 10 minutes.
  19818. format: int64
  19819. minimum: 600
  19820. type: integer
  19821. organization:
  19822. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19823. type: string
  19824. serviceAccountRef:
  19825. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19826. properties:
  19827. audiences:
  19828. description: |-
  19829. Audience specifies the `aud` claim for the service account token
  19830. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19831. then this audiences will be appended to the list
  19832. items:
  19833. type: string
  19834. type: array
  19835. name:
  19836. description: The name of the ServiceAccount resource being referred to.
  19837. maxLength: 253
  19838. minLength: 1
  19839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19840. type: string
  19841. namespace:
  19842. description: |-
  19843. Namespace of the resource being referred to.
  19844. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19845. maxLength: 63
  19846. minLength: 1
  19847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19848. type: string
  19849. required:
  19850. - name
  19851. type: object
  19852. required:
  19853. - organization
  19854. - serviceAccountRef
  19855. type: object
  19856. type: object
  19857. x-kubernetes-validations:
  19858. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19859. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19860. environment:
  19861. description: |-
  19862. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  19863. dynamically retrieved values from supported providers including all major clouds,
  19864. and other Pulumi ESC environments.
  19865. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19866. type: string
  19867. organization:
  19868. description: |-
  19869. Organization are a space to collaborate on shared projects and stacks.
  19870. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19871. type: string
  19872. project:
  19873. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19874. type: string
  19875. required:
  19876. - environment
  19877. - organization
  19878. - project
  19879. type: object
  19880. x-kubernetes-validations:
  19881. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19882. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19883. scaleway:
  19884. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19885. properties:
  19886. accessKey:
  19887. description: AccessKey is the non-secret part of the api key.
  19888. properties:
  19889. secretRef:
  19890. description: SecretRef references a key in a secret that will be used as value.
  19891. properties:
  19892. key:
  19893. description: |-
  19894. A key in the referenced Secret.
  19895. Some instances of this field may be defaulted, in others it may be required.
  19896. maxLength: 253
  19897. minLength: 1
  19898. pattern: ^[-._a-zA-Z0-9]+$
  19899. type: string
  19900. name:
  19901. description: The name of the Secret resource being referred to.
  19902. maxLength: 253
  19903. minLength: 1
  19904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19905. type: string
  19906. namespace:
  19907. description: |-
  19908. The namespace of the Secret resource being referred to.
  19909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19910. maxLength: 63
  19911. minLength: 1
  19912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19913. type: string
  19914. type: object
  19915. value:
  19916. description: Value can be specified directly to set a value without using a secret.
  19917. type: string
  19918. type: object
  19919. apiUrl:
  19920. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19921. type: string
  19922. projectId:
  19923. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19924. type: string
  19925. region:
  19926. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19927. type: string
  19928. secretKey:
  19929. description: SecretKey is the non-secret part of the api key.
  19930. properties:
  19931. secretRef:
  19932. description: SecretRef references a key in a secret that will be used as value.
  19933. properties:
  19934. key:
  19935. description: |-
  19936. A key in the referenced Secret.
  19937. Some instances of this field may be defaulted, in others it may be required.
  19938. maxLength: 253
  19939. minLength: 1
  19940. pattern: ^[-._a-zA-Z0-9]+$
  19941. type: string
  19942. name:
  19943. description: The name of the Secret resource being referred to.
  19944. maxLength: 253
  19945. minLength: 1
  19946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19947. type: string
  19948. namespace:
  19949. description: |-
  19950. The namespace of the Secret resource being referred to.
  19951. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19952. maxLength: 63
  19953. minLength: 1
  19954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19955. type: string
  19956. type: object
  19957. value:
  19958. description: Value can be specified directly to set a value without using a secret.
  19959. type: string
  19960. type: object
  19961. required:
  19962. - accessKey
  19963. - projectId
  19964. - region
  19965. - secretKey
  19966. type: object
  19967. secretserver:
  19968. description: |-
  19969. SecretServer configures this store to sync secrets using SecretServer provider
  19970. https://docs.delinea.com/online-help/secret-server/start.htm
  19971. properties:
  19972. caBundle:
  19973. description: |-
  19974. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  19975. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  19976. are used to validate the TLS connection.
  19977. format: byte
  19978. type: string
  19979. caProvider:
  19980. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19981. properties:
  19982. key:
  19983. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19984. maxLength: 253
  19985. minLength: 1
  19986. pattern: ^[-._a-zA-Z0-9]+$
  19987. type: string
  19988. name:
  19989. description: The name of the object located at the provider type.
  19990. maxLength: 253
  19991. minLength: 1
  19992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19993. type: string
  19994. namespace:
  19995. description: |-
  19996. The namespace the Provider type is in.
  19997. Can only be defined when used in a ClusterSecretStore.
  19998. maxLength: 63
  19999. minLength: 1
  20000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20001. type: string
  20002. type:
  20003. description: The type of provider to use such as "Secret", or "ConfigMap".
  20004. enum:
  20005. - Secret
  20006. - ConfigMap
  20007. type: string
  20008. required:
  20009. - name
  20010. - type
  20011. type: object
  20012. domain:
  20013. description: Domain is the secret server domain.
  20014. type: string
  20015. password:
  20016. description: Password is the secret server account password.
  20017. properties:
  20018. secretRef:
  20019. description: SecretRef references a key in a secret that will be used as value.
  20020. properties:
  20021. key:
  20022. description: |-
  20023. A key in the referenced Secret.
  20024. Some instances of this field may be defaulted, in others it may be required.
  20025. maxLength: 253
  20026. minLength: 1
  20027. pattern: ^[-._a-zA-Z0-9]+$
  20028. type: string
  20029. name:
  20030. description: The name of the Secret resource being referred to.
  20031. maxLength: 253
  20032. minLength: 1
  20033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20034. type: string
  20035. namespace:
  20036. description: |-
  20037. The namespace of the Secret resource being referred to.
  20038. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20039. maxLength: 63
  20040. minLength: 1
  20041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20042. type: string
  20043. type: object
  20044. value:
  20045. description: Value can be specified directly to set a value without using a secret.
  20046. type: string
  20047. type: object
  20048. serverURL:
  20049. description: |-
  20050. ServerURL
  20051. URL to your secret server installation
  20052. type: string
  20053. username:
  20054. description: Username is the secret server account username.
  20055. properties:
  20056. secretRef:
  20057. description: SecretRef references a key in a secret that will be used as value.
  20058. properties:
  20059. key:
  20060. description: |-
  20061. A key in the referenced Secret.
  20062. Some instances of this field may be defaulted, in others it may be required.
  20063. maxLength: 253
  20064. minLength: 1
  20065. pattern: ^[-._a-zA-Z0-9]+$
  20066. type: string
  20067. name:
  20068. description: The name of the Secret resource being referred to.
  20069. maxLength: 253
  20070. minLength: 1
  20071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20072. type: string
  20073. namespace:
  20074. description: |-
  20075. The namespace of the Secret resource being referred to.
  20076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20077. maxLength: 63
  20078. minLength: 1
  20079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20080. type: string
  20081. type: object
  20082. value:
  20083. description: Value can be specified directly to set a value without using a secret.
  20084. type: string
  20085. type: object
  20086. required:
  20087. - password
  20088. - serverURL
  20089. - username
  20090. type: object
  20091. senhasegura:
  20092. description: Senhasegura configures this store to sync secrets using senhasegura provider
  20093. properties:
  20094. auth:
  20095. description: Auth defines parameters to authenticate in senhasegura
  20096. properties:
  20097. clientId:
  20098. type: string
  20099. clientSecretSecretRef:
  20100. description: |-
  20101. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20102. In some instances, `key` is a required field.
  20103. properties:
  20104. key:
  20105. description: |-
  20106. A key in the referenced Secret.
  20107. Some instances of this field may be defaulted, in others it may be required.
  20108. maxLength: 253
  20109. minLength: 1
  20110. pattern: ^[-._a-zA-Z0-9]+$
  20111. type: string
  20112. name:
  20113. description: The name of the Secret resource being referred to.
  20114. maxLength: 253
  20115. minLength: 1
  20116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20117. type: string
  20118. namespace:
  20119. description: |-
  20120. The namespace of the Secret resource being referred to.
  20121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20122. maxLength: 63
  20123. minLength: 1
  20124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20125. type: string
  20126. type: object
  20127. required:
  20128. - clientId
  20129. - clientSecretSecretRef
  20130. type: object
  20131. ignoreSslCertificate:
  20132. default: false
  20133. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  20134. type: boolean
  20135. module:
  20136. description: Module defines which senhasegura module should be used to get secrets
  20137. type: string
  20138. url:
  20139. description: URL of senhasegura
  20140. type: string
  20141. required:
  20142. - auth
  20143. - module
  20144. - url
  20145. type: object
  20146. vault:
  20147. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  20148. properties:
  20149. auth:
  20150. description: Auth configures how secret-manager authenticates with the Vault server.
  20151. properties:
  20152. appRole:
  20153. description: |-
  20154. AppRole authenticates with Vault using the App Role auth mechanism,
  20155. with the role and secret stored in a Kubernetes Secret resource.
  20156. properties:
  20157. path:
  20158. default: approle
  20159. description: |-
  20160. Path where the App Role authentication backend is mounted
  20161. in Vault, e.g: "approle"
  20162. type: string
  20163. roleId:
  20164. description: |-
  20165. RoleID configured in the App Role authentication backend when setting
  20166. up the authentication backend in Vault.
  20167. type: string
  20168. roleRef:
  20169. description: |-
  20170. Reference to a key in a Secret that contains the App Role ID used
  20171. to authenticate with Vault.
  20172. The `key` field must be specified and denotes which entry within the Secret
  20173. resource is used as the app role id.
  20174. properties:
  20175. key:
  20176. description: |-
  20177. A key in the referenced Secret.
  20178. Some instances of this field may be defaulted, in others it may be required.
  20179. maxLength: 253
  20180. minLength: 1
  20181. pattern: ^[-._a-zA-Z0-9]+$
  20182. type: string
  20183. name:
  20184. description: The name of the Secret resource being referred to.
  20185. maxLength: 253
  20186. minLength: 1
  20187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20188. type: string
  20189. namespace:
  20190. description: |-
  20191. The namespace of the Secret resource being referred to.
  20192. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20193. maxLength: 63
  20194. minLength: 1
  20195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20196. type: string
  20197. type: object
  20198. secretRef:
  20199. description: |-
  20200. Reference to a key in a Secret that contains the App Role secret used
  20201. to authenticate with Vault.
  20202. The `key` field must be specified and denotes which entry within the Secret
  20203. resource is used as the app role secret.
  20204. properties:
  20205. key:
  20206. description: |-
  20207. A key in the referenced Secret.
  20208. Some instances of this field may be defaulted, in others it may be required.
  20209. maxLength: 253
  20210. minLength: 1
  20211. pattern: ^[-._a-zA-Z0-9]+$
  20212. type: string
  20213. name:
  20214. description: The name of the Secret resource being referred to.
  20215. maxLength: 253
  20216. minLength: 1
  20217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20218. type: string
  20219. namespace:
  20220. description: |-
  20221. The namespace of the Secret resource being referred to.
  20222. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20223. maxLength: 63
  20224. minLength: 1
  20225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20226. type: string
  20227. type: object
  20228. required:
  20229. - path
  20230. - secretRef
  20231. type: object
  20232. cert:
  20233. description: |-
  20234. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  20235. Cert authentication method
  20236. properties:
  20237. clientCert:
  20238. description: |-
  20239. ClientCert is a certificate to authenticate using the Cert Vault
  20240. authentication method
  20241. properties:
  20242. key:
  20243. description: |-
  20244. A key in the referenced Secret.
  20245. Some instances of this field may be defaulted, in others it may be required.
  20246. maxLength: 253
  20247. minLength: 1
  20248. pattern: ^[-._a-zA-Z0-9]+$
  20249. type: string
  20250. name:
  20251. description: The name of the Secret resource being referred to.
  20252. maxLength: 253
  20253. minLength: 1
  20254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20255. type: string
  20256. namespace:
  20257. description: |-
  20258. The namespace of the Secret resource being referred to.
  20259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20260. maxLength: 63
  20261. minLength: 1
  20262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20263. type: string
  20264. type: object
  20265. path:
  20266. default: cert
  20267. description: |-
  20268. Path where the Certificate authentication backend is mounted
  20269. in Vault, e.g: "cert"
  20270. type: string
  20271. secretRef:
  20272. description: |-
  20273. SecretRef to a key in a Secret resource containing client private key to
  20274. authenticate with Vault using the Cert authentication method
  20275. properties:
  20276. key:
  20277. description: |-
  20278. A key in the referenced Secret.
  20279. Some instances of this field may be defaulted, in others it may be required.
  20280. maxLength: 253
  20281. minLength: 1
  20282. pattern: ^[-._a-zA-Z0-9]+$
  20283. type: string
  20284. name:
  20285. description: The name of the Secret resource being referred to.
  20286. maxLength: 253
  20287. minLength: 1
  20288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20289. type: string
  20290. namespace:
  20291. description: |-
  20292. The namespace of the Secret resource being referred to.
  20293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20294. maxLength: 63
  20295. minLength: 1
  20296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20297. type: string
  20298. type: object
  20299. vaultRole:
  20300. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  20301. type: string
  20302. type: object
  20303. gcp:
  20304. description: |-
  20305. Gcp authenticates with Vault using Google Cloud Platform authentication method
  20306. GCP authentication method
  20307. properties:
  20308. location:
  20309. description: Location optionally defines a location/region for the secret
  20310. type: string
  20311. path:
  20312. default: gcp
  20313. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  20314. type: string
  20315. projectID:
  20316. description: Project ID of the Google Cloud Platform project
  20317. type: string
  20318. role:
  20319. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20320. type: string
  20321. secretRef:
  20322. description: Specify credentials in a Secret object
  20323. properties:
  20324. secretAccessKeySecretRef:
  20325. description: The SecretAccessKey is used for authentication
  20326. properties:
  20327. key:
  20328. description: |-
  20329. A key in the referenced Secret.
  20330. Some instances of this field may be defaulted, in others it may be required.
  20331. maxLength: 253
  20332. minLength: 1
  20333. pattern: ^[-._a-zA-Z0-9]+$
  20334. type: string
  20335. name:
  20336. description: The name of the Secret resource being referred to.
  20337. maxLength: 253
  20338. minLength: 1
  20339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20340. type: string
  20341. namespace:
  20342. description: |-
  20343. The namespace of the Secret resource being referred to.
  20344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20345. maxLength: 63
  20346. minLength: 1
  20347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20348. type: string
  20349. type: object
  20350. type: object
  20351. serviceAccountRef:
  20352. description: ServiceAccountRef to a service account for impersonation
  20353. properties:
  20354. audiences:
  20355. description: |-
  20356. Audience specifies the `aud` claim for the service account token
  20357. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20358. then this audiences will be appended to the list
  20359. items:
  20360. type: string
  20361. type: array
  20362. name:
  20363. description: The name of the ServiceAccount resource being referred to.
  20364. maxLength: 253
  20365. minLength: 1
  20366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20367. type: string
  20368. namespace:
  20369. description: |-
  20370. Namespace of the resource being referred to.
  20371. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20372. maxLength: 63
  20373. minLength: 1
  20374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20375. type: string
  20376. required:
  20377. - name
  20378. type: object
  20379. workloadIdentity:
  20380. description: Specify a service account with Workload Identity
  20381. properties:
  20382. clusterLocation:
  20383. description: |-
  20384. ClusterLocation is the location of the cluster
  20385. If not specified, it fetches information from the metadata server
  20386. type: string
  20387. clusterName:
  20388. description: |-
  20389. ClusterName is the name of the cluster
  20390. If not specified, it fetches information from the metadata server
  20391. type: string
  20392. clusterProjectID:
  20393. description: |-
  20394. ClusterProjectID is the project ID of the cluster
  20395. If not specified, it fetches information from the metadata server
  20396. type: string
  20397. serviceAccountRef:
  20398. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20399. properties:
  20400. audiences:
  20401. description: |-
  20402. Audience specifies the `aud` claim for the service account token
  20403. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20404. then this audiences will be appended to the list
  20405. items:
  20406. type: string
  20407. type: array
  20408. name:
  20409. description: The name of the ServiceAccount resource being referred to.
  20410. maxLength: 253
  20411. minLength: 1
  20412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20413. type: string
  20414. namespace:
  20415. description: |-
  20416. Namespace of the resource being referred to.
  20417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20418. maxLength: 63
  20419. minLength: 1
  20420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20421. type: string
  20422. required:
  20423. - name
  20424. type: object
  20425. required:
  20426. - serviceAccountRef
  20427. type: object
  20428. required:
  20429. - role
  20430. type: object
  20431. iam:
  20432. description: |-
  20433. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  20434. AWS IAM authentication method
  20435. properties:
  20436. externalID:
  20437. description: AWS External ID set on assumed IAM roles
  20438. type: string
  20439. jwt:
  20440. description: Specify a service account with IRSA enabled
  20441. properties:
  20442. serviceAccountRef:
  20443. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20444. properties:
  20445. audiences:
  20446. description: |-
  20447. Audience specifies the `aud` claim for the service account token
  20448. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20449. then this audiences will be appended to the list
  20450. items:
  20451. type: string
  20452. type: array
  20453. name:
  20454. description: The name of the ServiceAccount resource being referred to.
  20455. maxLength: 253
  20456. minLength: 1
  20457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20458. type: string
  20459. namespace:
  20460. description: |-
  20461. Namespace of the resource being referred to.
  20462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20463. maxLength: 63
  20464. minLength: 1
  20465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20466. type: string
  20467. required:
  20468. - name
  20469. type: object
  20470. type: object
  20471. path:
  20472. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  20473. type: string
  20474. region:
  20475. description: AWS region
  20476. type: string
  20477. role:
  20478. description: This is the AWS role to be assumed before talking to vault
  20479. type: string
  20480. secretRef:
  20481. description: Specify credentials in a Secret object
  20482. properties:
  20483. accessKeyIDSecretRef:
  20484. description: The AccessKeyID is used for authentication
  20485. properties:
  20486. key:
  20487. description: |-
  20488. A key in the referenced Secret.
  20489. Some instances of this field may be defaulted, in others it may be required.
  20490. maxLength: 253
  20491. minLength: 1
  20492. pattern: ^[-._a-zA-Z0-9]+$
  20493. type: string
  20494. name:
  20495. description: The name of the Secret resource being referred to.
  20496. maxLength: 253
  20497. minLength: 1
  20498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20499. type: string
  20500. namespace:
  20501. description: |-
  20502. The namespace of the Secret resource being referred to.
  20503. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20504. maxLength: 63
  20505. minLength: 1
  20506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20507. type: string
  20508. type: object
  20509. secretAccessKeySecretRef:
  20510. description: The SecretAccessKey is used for authentication
  20511. properties:
  20512. key:
  20513. description: |-
  20514. A key in the referenced Secret.
  20515. Some instances of this field may be defaulted, in others it may be required.
  20516. maxLength: 253
  20517. minLength: 1
  20518. pattern: ^[-._a-zA-Z0-9]+$
  20519. type: string
  20520. name:
  20521. description: The name of the Secret resource being referred to.
  20522. maxLength: 253
  20523. minLength: 1
  20524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20525. type: string
  20526. namespace:
  20527. description: |-
  20528. The namespace of the Secret resource being referred to.
  20529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20530. maxLength: 63
  20531. minLength: 1
  20532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20533. type: string
  20534. type: object
  20535. sessionTokenSecretRef:
  20536. description: |-
  20537. The SessionToken used for authentication
  20538. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20539. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20540. properties:
  20541. key:
  20542. description: |-
  20543. A key in the referenced Secret.
  20544. Some instances of this field may be defaulted, in others it may be required.
  20545. maxLength: 253
  20546. minLength: 1
  20547. pattern: ^[-._a-zA-Z0-9]+$
  20548. type: string
  20549. name:
  20550. description: The name of the Secret resource being referred to.
  20551. maxLength: 253
  20552. minLength: 1
  20553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20554. type: string
  20555. namespace:
  20556. description: |-
  20557. The namespace of the Secret resource being referred to.
  20558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20559. maxLength: 63
  20560. minLength: 1
  20561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20562. type: string
  20563. type: object
  20564. type: object
  20565. vaultAwsIamServerID:
  20566. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  20567. type: string
  20568. vaultRole:
  20569. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  20570. type: string
  20571. required:
  20572. - vaultRole
  20573. type: object
  20574. jwt:
  20575. description: |-
  20576. Jwt authenticates with Vault by passing role and JWT token using the
  20577. JWT/OIDC authentication method
  20578. properties:
  20579. kubernetesServiceAccountToken:
  20580. description: |-
  20581. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20582. a token for with the `TokenRequest` API.
  20583. properties:
  20584. audiences:
  20585. description: |-
  20586. Optional audiences field that will be used to request a temporary Kubernetes service
  20587. account token for the service account referenced by `serviceAccountRef`.
  20588. Defaults to a single audience `vault` it not specified.
  20589. Deprecated: use serviceAccountRef.Audiences instead
  20590. items:
  20591. type: string
  20592. type: array
  20593. expirationSeconds:
  20594. description: |-
  20595. Optional expiration time in seconds that will be used to request a temporary
  20596. Kubernetes service account token for the service account referenced by
  20597. `serviceAccountRef`.
  20598. Deprecated: this will be removed in the future.
  20599. Defaults to 10 minutes.
  20600. type: integer
  20601. serviceAccountRef:
  20602. description: Service account field containing the name of a kubernetes ServiceAccount.
  20603. properties:
  20604. audiences:
  20605. description: |-
  20606. Audience specifies the `aud` claim for the service account token
  20607. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20608. then this audiences will be appended to the list
  20609. items:
  20610. type: string
  20611. type: array
  20612. name:
  20613. description: The name of the ServiceAccount resource being referred to.
  20614. maxLength: 253
  20615. minLength: 1
  20616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20617. type: string
  20618. namespace:
  20619. description: |-
  20620. Namespace of the resource being referred to.
  20621. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20622. maxLength: 63
  20623. minLength: 1
  20624. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20625. type: string
  20626. required:
  20627. - name
  20628. type: object
  20629. required:
  20630. - serviceAccountRef
  20631. type: object
  20632. path:
  20633. default: jwt
  20634. description: |-
  20635. Path where the JWT authentication backend is mounted
  20636. in Vault, e.g: "jwt"
  20637. type: string
  20638. role:
  20639. description: |-
  20640. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20641. authentication method
  20642. type: string
  20643. secretRef:
  20644. description: |-
  20645. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20646. authenticate with Vault using the JWT/OIDC authentication method.
  20647. properties:
  20648. key:
  20649. description: |-
  20650. A key in the referenced Secret.
  20651. Some instances of this field may be defaulted, in others it may be required.
  20652. maxLength: 253
  20653. minLength: 1
  20654. pattern: ^[-._a-zA-Z0-9]+$
  20655. type: string
  20656. name:
  20657. description: The name of the Secret resource being referred to.
  20658. maxLength: 253
  20659. minLength: 1
  20660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20661. type: string
  20662. namespace:
  20663. description: |-
  20664. The namespace of the Secret resource being referred to.
  20665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20666. maxLength: 63
  20667. minLength: 1
  20668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20669. type: string
  20670. type: object
  20671. required:
  20672. - path
  20673. type: object
  20674. kubernetes:
  20675. description: |-
  20676. Kubernetes authenticates with Vault by passing the ServiceAccount
  20677. token stored in the named Secret resource to the Vault server.
  20678. properties:
  20679. mountPath:
  20680. default: kubernetes
  20681. description: |-
  20682. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20683. "kubernetes"
  20684. type: string
  20685. role:
  20686. description: |-
  20687. A required field containing the Vault Role to assume. A Role binds a
  20688. Kubernetes ServiceAccount with a set of Vault policies.
  20689. type: string
  20690. secretRef:
  20691. description: |-
  20692. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20693. for authenticating with Vault. If a name is specified without a key,
  20694. `token` is the default. If one is not specified, the one bound to
  20695. the controller will be used.
  20696. properties:
  20697. key:
  20698. description: |-
  20699. A key in the referenced Secret.
  20700. Some instances of this field may be defaulted, in others it may be required.
  20701. maxLength: 253
  20702. minLength: 1
  20703. pattern: ^[-._a-zA-Z0-9]+$
  20704. type: string
  20705. name:
  20706. description: The name of the Secret resource being referred to.
  20707. maxLength: 253
  20708. minLength: 1
  20709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20710. type: string
  20711. namespace:
  20712. description: |-
  20713. The namespace of the Secret resource being referred to.
  20714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20715. maxLength: 63
  20716. minLength: 1
  20717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20718. type: string
  20719. type: object
  20720. serviceAccountRef:
  20721. description: |-
  20722. Optional service account field containing the name of a kubernetes ServiceAccount.
  20723. If the service account is specified, the service account secret token JWT will be used
  20724. for authenticating with Vault. If the service account selector is not supplied,
  20725. the secretRef will be used instead.
  20726. properties:
  20727. audiences:
  20728. description: |-
  20729. Audience specifies the `aud` claim for the service account token
  20730. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20731. then this audiences will be appended to the list
  20732. items:
  20733. type: string
  20734. type: array
  20735. name:
  20736. description: The name of the ServiceAccount resource being referred to.
  20737. maxLength: 253
  20738. minLength: 1
  20739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20740. type: string
  20741. namespace:
  20742. description: |-
  20743. Namespace of the resource being referred to.
  20744. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20745. maxLength: 63
  20746. minLength: 1
  20747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20748. type: string
  20749. required:
  20750. - name
  20751. type: object
  20752. required:
  20753. - mountPath
  20754. - role
  20755. type: object
  20756. ldap:
  20757. description: |-
  20758. Ldap authenticates with Vault by passing username/password pair using
  20759. the LDAP authentication method
  20760. properties:
  20761. path:
  20762. default: ldap
  20763. description: |-
  20764. Path where the LDAP authentication backend is mounted
  20765. in Vault, e.g: "ldap"
  20766. type: string
  20767. secretRef:
  20768. description: |-
  20769. SecretRef to a key in a Secret resource containing password for the LDAP
  20770. user used to authenticate with Vault using the LDAP authentication
  20771. method
  20772. properties:
  20773. key:
  20774. description: |-
  20775. A key in the referenced Secret.
  20776. Some instances of this field may be defaulted, in others it may be required.
  20777. maxLength: 253
  20778. minLength: 1
  20779. pattern: ^[-._a-zA-Z0-9]+$
  20780. type: string
  20781. name:
  20782. description: The name of the Secret resource being referred to.
  20783. maxLength: 253
  20784. minLength: 1
  20785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20786. type: string
  20787. namespace:
  20788. description: |-
  20789. The namespace of the Secret resource being referred to.
  20790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20791. maxLength: 63
  20792. minLength: 1
  20793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20794. type: string
  20795. type: object
  20796. username:
  20797. description: |-
  20798. Username is an LDAP username used to authenticate using the LDAP Vault
  20799. authentication method
  20800. type: string
  20801. required:
  20802. - path
  20803. - username
  20804. type: object
  20805. namespace:
  20806. description: |-
  20807. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  20808. Namespaces is a set of features within Vault Enterprise that allows
  20809. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20810. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20811. This will default to Vault.Namespace field if set, or empty otherwise
  20812. type: string
  20813. tokenSecretRef:
  20814. description: TokenSecretRef authenticates with Vault by presenting a token.
  20815. properties:
  20816. key:
  20817. description: |-
  20818. A key in the referenced Secret.
  20819. Some instances of this field may be defaulted, in others it may be required.
  20820. maxLength: 253
  20821. minLength: 1
  20822. pattern: ^[-._a-zA-Z0-9]+$
  20823. type: string
  20824. name:
  20825. description: The name of the Secret resource being referred to.
  20826. maxLength: 253
  20827. minLength: 1
  20828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20829. type: string
  20830. namespace:
  20831. description: |-
  20832. The namespace of the Secret resource being referred to.
  20833. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20834. maxLength: 63
  20835. minLength: 1
  20836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20837. type: string
  20838. type: object
  20839. userPass:
  20840. description: UserPass authenticates with Vault by passing username/password pair
  20841. properties:
  20842. path:
  20843. default: userpass
  20844. description: |-
  20845. Path where the UserPassword authentication backend is mounted
  20846. in Vault, e.g: "userpass"
  20847. type: string
  20848. secretRef:
  20849. description: |-
  20850. SecretRef to a key in a Secret resource containing password for the
  20851. user used to authenticate with Vault using the UserPass authentication
  20852. method
  20853. properties:
  20854. key:
  20855. description: |-
  20856. A key in the referenced Secret.
  20857. Some instances of this field may be defaulted, in others it may be required.
  20858. maxLength: 253
  20859. minLength: 1
  20860. pattern: ^[-._a-zA-Z0-9]+$
  20861. type: string
  20862. name:
  20863. description: The name of the Secret resource being referred to.
  20864. maxLength: 253
  20865. minLength: 1
  20866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20867. type: string
  20868. namespace:
  20869. description: |-
  20870. The namespace of the Secret resource being referred to.
  20871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20872. maxLength: 63
  20873. minLength: 1
  20874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20875. type: string
  20876. type: object
  20877. username:
  20878. description: |-
  20879. Username is a username used to authenticate using the UserPass Vault
  20880. authentication method
  20881. type: string
  20882. required:
  20883. - path
  20884. - username
  20885. type: object
  20886. type: object
  20887. caBundle:
  20888. description: |-
  20889. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20890. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20891. plain HTTP protocol connection. If not set the system root certificates
  20892. are used to validate the TLS connection.
  20893. format: byte
  20894. type: string
  20895. caProvider:
  20896. description: The provider for the CA bundle to use to validate Vault server certificate.
  20897. properties:
  20898. key:
  20899. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20900. maxLength: 253
  20901. minLength: 1
  20902. pattern: ^[-._a-zA-Z0-9]+$
  20903. type: string
  20904. name:
  20905. description: The name of the object located at the provider type.
  20906. maxLength: 253
  20907. minLength: 1
  20908. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20909. type: string
  20910. namespace:
  20911. description: |-
  20912. The namespace the Provider type is in.
  20913. Can only be defined when used in a ClusterSecretStore.
  20914. maxLength: 63
  20915. minLength: 1
  20916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20917. type: string
  20918. type:
  20919. description: The type of provider to use such as "Secret", or "ConfigMap".
  20920. enum:
  20921. - Secret
  20922. - ConfigMap
  20923. type: string
  20924. required:
  20925. - name
  20926. - type
  20927. type: object
  20928. checkAndSet:
  20929. description: |-
  20930. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20931. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20932. the current version of the secret to prevent unintentional overwrites.
  20933. properties:
  20934. required:
  20935. description: |-
  20936. Required when true, all write operations must include a check-and-set parameter.
  20937. This helps prevent unintentional overwrites of secrets.
  20938. type: boolean
  20939. type: object
  20940. forwardInconsistent:
  20941. description: |-
  20942. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20943. leader instead of simply retrying within a loop. This can increase performance if
  20944. the option is enabled serverside.
  20945. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20946. type: boolean
  20947. headers:
  20948. additionalProperties:
  20949. type: string
  20950. description: Headers to be added in Vault request
  20951. type: object
  20952. namespace:
  20953. description: |-
  20954. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20955. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20956. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20957. type: string
  20958. path:
  20959. description: |-
  20960. Path is the mount path of the Vault KV backend endpoint, e.g:
  20961. "secret". The v2 KV secret engine version specific "/data" path suffix
  20962. for fetching secrets from Vault is optional and will be appended
  20963. if not present in specified path.
  20964. type: string
  20965. readYourWrites:
  20966. description: |-
  20967. ReadYourWrites ensures isolated read-after-write semantics by
  20968. providing discovered cluster replication states in each request.
  20969. More information about eventual consistency in Vault can be found here
  20970. https://www.vaultproject.io/docs/enterprise/consistency
  20971. type: boolean
  20972. server:
  20973. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20974. type: string
  20975. tls:
  20976. description: |-
  20977. The configuration used for client side related TLS communication, when the Vault server
  20978. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20979. This parameter is ignored for plain HTTP protocol connection.
  20980. It's worth noting this configuration is different from the "TLS certificates auth method",
  20981. which is available under the `auth.cert` section.
  20982. properties:
  20983. certSecretRef:
  20984. description: |-
  20985. CertSecretRef is a certificate added to the transport layer
  20986. when communicating with the Vault server.
  20987. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20988. properties:
  20989. key:
  20990. description: |-
  20991. A key in the referenced Secret.
  20992. Some instances of this field may be defaulted, in others it may be required.
  20993. maxLength: 253
  20994. minLength: 1
  20995. pattern: ^[-._a-zA-Z0-9]+$
  20996. type: string
  20997. name:
  20998. description: The name of the Secret resource being referred to.
  20999. maxLength: 253
  21000. minLength: 1
  21001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21002. type: string
  21003. namespace:
  21004. description: |-
  21005. The namespace of the Secret resource being referred to.
  21006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21007. maxLength: 63
  21008. minLength: 1
  21009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21010. type: string
  21011. type: object
  21012. keySecretRef:
  21013. description: |-
  21014. KeySecretRef to a key in a Secret resource containing client private key
  21015. added to the transport layer when communicating with the Vault server.
  21016. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  21017. properties:
  21018. key:
  21019. description: |-
  21020. A key in the referenced Secret.
  21021. Some instances of this field may be defaulted, in others it may be required.
  21022. maxLength: 253
  21023. minLength: 1
  21024. pattern: ^[-._a-zA-Z0-9]+$
  21025. type: string
  21026. name:
  21027. description: The name of the Secret resource being referred to.
  21028. maxLength: 253
  21029. minLength: 1
  21030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21031. type: string
  21032. namespace:
  21033. description: |-
  21034. The namespace of the Secret resource being referred to.
  21035. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21036. maxLength: 63
  21037. minLength: 1
  21038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21039. type: string
  21040. type: object
  21041. type: object
  21042. version:
  21043. default: v2
  21044. description: |-
  21045. Version is the Vault KV secret engine version. This can be either "v1" or
  21046. "v2". Version defaults to "v2".
  21047. enum:
  21048. - v1
  21049. - v2
  21050. type: string
  21051. required:
  21052. - server
  21053. type: object
  21054. volcengine:
  21055. description: Volcengine configures this store to sync secrets using the Volcengine provider
  21056. properties:
  21057. auth:
  21058. description: |-
  21059. Auth defines the authentication method to use.
  21060. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  21061. properties:
  21062. secretRef:
  21063. description: |-
  21064. SecretRef defines the static credentials to use for authentication.
  21065. If not set, IRSA is used.
  21066. properties:
  21067. accessKeyID:
  21068. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  21069. properties:
  21070. key:
  21071. description: |-
  21072. A key in the referenced Secret.
  21073. Some instances of this field may be defaulted, in others it may be required.
  21074. maxLength: 253
  21075. minLength: 1
  21076. pattern: ^[-._a-zA-Z0-9]+$
  21077. type: string
  21078. name:
  21079. description: The name of the Secret resource being referred to.
  21080. maxLength: 253
  21081. minLength: 1
  21082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21083. type: string
  21084. namespace:
  21085. description: |-
  21086. The namespace of the Secret resource being referred to.
  21087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21088. maxLength: 63
  21089. minLength: 1
  21090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21091. type: string
  21092. type: object
  21093. secretAccessKey:
  21094. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  21095. properties:
  21096. key:
  21097. description: |-
  21098. A key in the referenced Secret.
  21099. Some instances of this field may be defaulted, in others it may be required.
  21100. maxLength: 253
  21101. minLength: 1
  21102. pattern: ^[-._a-zA-Z0-9]+$
  21103. type: string
  21104. name:
  21105. description: The name of the Secret resource being referred to.
  21106. maxLength: 253
  21107. minLength: 1
  21108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21109. type: string
  21110. namespace:
  21111. description: |-
  21112. The namespace of the Secret resource being referred to.
  21113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21114. maxLength: 63
  21115. minLength: 1
  21116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21117. type: string
  21118. type: object
  21119. token:
  21120. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  21121. properties:
  21122. key:
  21123. description: |-
  21124. A key in the referenced Secret.
  21125. Some instances of this field may be defaulted, in others it may be required.
  21126. maxLength: 253
  21127. minLength: 1
  21128. pattern: ^[-._a-zA-Z0-9]+$
  21129. type: string
  21130. name:
  21131. description: The name of the Secret resource being referred to.
  21132. maxLength: 253
  21133. minLength: 1
  21134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21135. type: string
  21136. namespace:
  21137. description: |-
  21138. The namespace of the Secret resource being referred to.
  21139. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21140. maxLength: 63
  21141. minLength: 1
  21142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21143. type: string
  21144. type: object
  21145. required:
  21146. - accessKeyID
  21147. - secretAccessKey
  21148. type: object
  21149. type: object
  21150. region:
  21151. description: Region specifies the Volcengine region to connect to.
  21152. type: string
  21153. required:
  21154. - region
  21155. type: object
  21156. webhook:
  21157. description: Webhook configures this store to sync secrets using a generic templated webhook
  21158. properties:
  21159. auth:
  21160. description: Auth specifies a authorization protocol. Only one protocol may be set.
  21161. maxProperties: 1
  21162. minProperties: 1
  21163. properties:
  21164. ntlm:
  21165. description: NTLMProtocol configures the store to use NTLM for auth
  21166. properties:
  21167. passwordSecret:
  21168. description: |-
  21169. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21170. In some instances, `key` is a required field.
  21171. properties:
  21172. key:
  21173. description: |-
  21174. A key in the referenced Secret.
  21175. Some instances of this field may be defaulted, in others it may be required.
  21176. maxLength: 253
  21177. minLength: 1
  21178. pattern: ^[-._a-zA-Z0-9]+$
  21179. type: string
  21180. name:
  21181. description: The name of the Secret resource being referred to.
  21182. maxLength: 253
  21183. minLength: 1
  21184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21185. type: string
  21186. namespace:
  21187. description: |-
  21188. The namespace of the Secret resource being referred to.
  21189. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21190. maxLength: 63
  21191. minLength: 1
  21192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21193. type: string
  21194. type: object
  21195. usernameSecret:
  21196. description: |-
  21197. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21198. In some instances, `key` is a required field.
  21199. properties:
  21200. key:
  21201. description: |-
  21202. A key in the referenced Secret.
  21203. Some instances of this field may be defaulted, in others it may be required.
  21204. maxLength: 253
  21205. minLength: 1
  21206. pattern: ^[-._a-zA-Z0-9]+$
  21207. type: string
  21208. name:
  21209. description: The name of the Secret resource being referred to.
  21210. maxLength: 253
  21211. minLength: 1
  21212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21213. type: string
  21214. namespace:
  21215. description: |-
  21216. The namespace of the Secret resource being referred to.
  21217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21218. maxLength: 63
  21219. minLength: 1
  21220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21221. type: string
  21222. type: object
  21223. required:
  21224. - passwordSecret
  21225. - usernameSecret
  21226. type: object
  21227. type: object
  21228. body:
  21229. description: Body
  21230. type: string
  21231. caBundle:
  21232. description: |-
  21233. PEM encoded CA bundle used to validate webhook server certificate. Only used
  21234. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21235. plain HTTP protocol connection. If not set the system root certificates
  21236. are used to validate the TLS connection.
  21237. format: byte
  21238. type: string
  21239. caProvider:
  21240. description: The provider for the CA bundle to use to validate webhook server certificate.
  21241. properties:
  21242. key:
  21243. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21244. maxLength: 253
  21245. minLength: 1
  21246. pattern: ^[-._a-zA-Z0-9]+$
  21247. type: string
  21248. name:
  21249. description: The name of the object located at the provider type.
  21250. maxLength: 253
  21251. minLength: 1
  21252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21253. type: string
  21254. namespace:
  21255. description: The namespace the Provider type is in.
  21256. maxLength: 63
  21257. minLength: 1
  21258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21259. type: string
  21260. type:
  21261. description: The type of provider to use such as "Secret", or "ConfigMap".
  21262. enum:
  21263. - Secret
  21264. - ConfigMap
  21265. type: string
  21266. required:
  21267. - name
  21268. - type
  21269. type: object
  21270. headers:
  21271. additionalProperties:
  21272. type: string
  21273. description: Headers
  21274. type: object
  21275. method:
  21276. description: Webhook Method
  21277. type: string
  21278. result:
  21279. description: Result formatting
  21280. properties:
  21281. jsonPath:
  21282. description: Json path of return value
  21283. type: string
  21284. type: object
  21285. secrets:
  21286. description: |-
  21287. Secrets to fill in templates
  21288. These secrets will be passed to the templating function as key value pairs under the given name
  21289. items:
  21290. description: WebhookSecret defines a secret that will be passed to the webhook request.
  21291. properties:
  21292. name:
  21293. description: Name of this secret in templates
  21294. type: string
  21295. secretRef:
  21296. description: Secret ref to fill in credentials
  21297. properties:
  21298. key:
  21299. description: |-
  21300. A key in the referenced Secret.
  21301. Some instances of this field may be defaulted, in others it may be required.
  21302. maxLength: 253
  21303. minLength: 1
  21304. pattern: ^[-._a-zA-Z0-9]+$
  21305. type: string
  21306. name:
  21307. description: The name of the Secret resource being referred to.
  21308. maxLength: 253
  21309. minLength: 1
  21310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21311. type: string
  21312. namespace:
  21313. description: |-
  21314. The namespace of the Secret resource being referred to.
  21315. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21316. maxLength: 63
  21317. minLength: 1
  21318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21319. type: string
  21320. type: object
  21321. required:
  21322. - name
  21323. - secretRef
  21324. type: object
  21325. type: array
  21326. timeout:
  21327. description: Timeout
  21328. type: string
  21329. url:
  21330. description: Webhook url to call
  21331. type: string
  21332. required:
  21333. - url
  21334. type: object
  21335. yandexcertificatemanager:
  21336. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  21337. properties:
  21338. apiEndpoint:
  21339. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21340. type: string
  21341. auth:
  21342. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21343. properties:
  21344. authorizedKeySecretRef:
  21345. description: The authorized key used for authentication
  21346. properties:
  21347. key:
  21348. description: |-
  21349. A key in the referenced Secret.
  21350. Some instances of this field may be defaulted, in others it may be required.
  21351. maxLength: 253
  21352. minLength: 1
  21353. pattern: ^[-._a-zA-Z0-9]+$
  21354. type: string
  21355. name:
  21356. description: The name of the Secret resource being referred to.
  21357. maxLength: 253
  21358. minLength: 1
  21359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21360. type: string
  21361. namespace:
  21362. description: |-
  21363. The namespace of the Secret resource being referred to.
  21364. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21365. maxLength: 63
  21366. minLength: 1
  21367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21368. type: string
  21369. type: object
  21370. type: object
  21371. caProvider:
  21372. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21373. properties:
  21374. certSecretRef:
  21375. description: |-
  21376. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21377. In some instances, `key` is a required field.
  21378. properties:
  21379. key:
  21380. description: |-
  21381. A key in the referenced Secret.
  21382. Some instances of this field may be defaulted, in others it may be required.
  21383. maxLength: 253
  21384. minLength: 1
  21385. pattern: ^[-._a-zA-Z0-9]+$
  21386. type: string
  21387. name:
  21388. description: The name of the Secret resource being referred to.
  21389. maxLength: 253
  21390. minLength: 1
  21391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21392. type: string
  21393. namespace:
  21394. description: |-
  21395. The namespace of the Secret resource being referred to.
  21396. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21397. maxLength: 63
  21398. minLength: 1
  21399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21400. type: string
  21401. type: object
  21402. type: object
  21403. fetching:
  21404. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  21405. maxProperties: 1
  21406. minProperties: 1
  21407. properties:
  21408. byID:
  21409. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21410. type: object
  21411. byName:
  21412. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21413. properties:
  21414. folderID:
  21415. description: The folder to fetch secrets from
  21416. type: string
  21417. required:
  21418. - folderID
  21419. type: object
  21420. type: object
  21421. required:
  21422. - auth
  21423. type: object
  21424. yandexlockbox:
  21425. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  21426. properties:
  21427. apiEndpoint:
  21428. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21429. type: string
  21430. auth:
  21431. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21432. properties:
  21433. authorizedKeySecretRef:
  21434. description: The authorized key used for authentication
  21435. properties:
  21436. key:
  21437. description: |-
  21438. A key in the referenced Secret.
  21439. Some instances of this field may be defaulted, in others it may be required.
  21440. maxLength: 253
  21441. minLength: 1
  21442. pattern: ^[-._a-zA-Z0-9]+$
  21443. type: string
  21444. name:
  21445. description: The name of the Secret resource being referred to.
  21446. maxLength: 253
  21447. minLength: 1
  21448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21449. type: string
  21450. namespace:
  21451. description: |-
  21452. The namespace of the Secret resource being referred to.
  21453. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21454. maxLength: 63
  21455. minLength: 1
  21456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21457. type: string
  21458. type: object
  21459. type: object
  21460. caProvider:
  21461. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21462. properties:
  21463. certSecretRef:
  21464. description: |-
  21465. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21466. In some instances, `key` is a required field.
  21467. properties:
  21468. key:
  21469. description: |-
  21470. A key in the referenced Secret.
  21471. Some instances of this field may be defaulted, in others it may be required.
  21472. maxLength: 253
  21473. minLength: 1
  21474. pattern: ^[-._a-zA-Z0-9]+$
  21475. type: string
  21476. name:
  21477. description: The name of the Secret resource being referred to.
  21478. maxLength: 253
  21479. minLength: 1
  21480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21481. type: string
  21482. namespace:
  21483. description: |-
  21484. The namespace of the Secret resource being referred to.
  21485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21486. maxLength: 63
  21487. minLength: 1
  21488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21489. type: string
  21490. type: object
  21491. type: object
  21492. fetching:
  21493. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  21494. maxProperties: 1
  21495. minProperties: 1
  21496. properties:
  21497. byID:
  21498. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21499. type: object
  21500. byName:
  21501. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21502. properties:
  21503. folderID:
  21504. description: The folder to fetch secrets from
  21505. type: string
  21506. required:
  21507. - folderID
  21508. type: object
  21509. type: object
  21510. required:
  21511. - auth
  21512. type: object
  21513. type: object
  21514. providerRef:
  21515. description: ProviderRef references a provider configuration managed externally.
  21516. properties:
  21517. apiVersion:
  21518. description: APIVersion identifies the API schema version for the provider resource.
  21519. minLength: 1
  21520. type: string
  21521. kind:
  21522. description: Kind identifies the provider resource type referenced by this store.
  21523. minLength: 1
  21524. type: string
  21525. name:
  21526. description: Name is the provider resource name referenced by this store.
  21527. maxLength: 253
  21528. minLength: 1
  21529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21530. type: string
  21531. namespace:
  21532. description: Namespace is the provider resource namespace referenced by this store.
  21533. maxLength: 63
  21534. minLength: 1
  21535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21536. type: string
  21537. required:
  21538. - apiVersion
  21539. - kind
  21540. - name
  21541. type: object
  21542. refreshInterval:
  21543. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  21544. type: integer
  21545. retrySettings:
  21546. description: Used to configure HTTP retries on failures.
  21547. properties:
  21548. maxRetries:
  21549. type: integer
  21550. retryInterval:
  21551. type: string
  21552. type: object
  21553. runtimeRef:
  21554. description: RuntimeRef points to runtime configuration for this store.
  21555. properties:
  21556. kind:
  21557. description: Kind identifies the runtime resource type referenced by this store.
  21558. enum:
  21559. - ProviderClass
  21560. - ClusterProviderClass
  21561. type: string
  21562. name:
  21563. description: Name is the runtime resource name referenced by this store.
  21564. maxLength: 253
  21565. minLength: 1
  21566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21567. type: string
  21568. required:
  21569. - name
  21570. type: object
  21571. type: object
  21572. x-kubernetes-validations:
  21573. - message: exactly one of spec.provider or spec.providerRef must be set
  21574. rule: (has(self.provider) && !has(self.providerRef)) || (!has(self.provider) && has(self.providerRef))
  21575. - message: spec.runtimeRef must be empty when spec.provider is set
  21576. rule: '!(has(self.provider) && has(self.runtimeRef))'
  21577. - message: spec.runtimeRef is required when spec.providerRef is set
  21578. rule: '!has(self.providerRef) || has(self.runtimeRef)'
  21579. status:
  21580. description: SecretStoreStatus defines the observed state of the SecretStore.
  21581. properties:
  21582. capabilities:
  21583. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  21584. type: string
  21585. conditions:
  21586. items:
  21587. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  21588. properties:
  21589. lastTransitionTime:
  21590. format: date-time
  21591. type: string
  21592. message:
  21593. type: string
  21594. reason:
  21595. type: string
  21596. status:
  21597. type: string
  21598. type:
  21599. description: SecretStoreConditionType represents the condition of the SecretStore.
  21600. type: string
  21601. required:
  21602. - status
  21603. - type
  21604. type: object
  21605. type: array
  21606. type: object
  21607. type: object
  21608. served: true
  21609. storage: true
  21610. subresources:
  21611. status: {}
  21612. - additionalPrinterColumns:
  21613. - jsonPath: .metadata.creationTimestamp
  21614. name: AGE
  21615. type: date
  21616. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  21617. name: Status
  21618. type: string
  21619. - jsonPath: .status.capabilities
  21620. name: Capabilities
  21621. type: string
  21622. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  21623. name: Ready
  21624. type: string
  21625. deprecated: true
  21626. name: v1beta1
  21627. schema:
  21628. openAPIV3Schema:
  21629. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21630. properties:
  21631. apiVersion:
  21632. description: |-
  21633. APIVersion defines the versioned schema of this representation of an object.
  21634. Servers should convert recognized schemas to the latest internal value, and
  21635. may reject unrecognized values.
  21636. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21637. type: string
  21638. kind:
  21639. description: |-
  21640. Kind is a string value representing the REST resource this object represents.
  21641. Servers may infer this from the endpoint the client submits requests to.
  21642. Cannot be updated.
  21643. In CamelCase.
  21644. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21645. type: string
  21646. metadata:
  21647. type: object
  21648. spec:
  21649. description: SecretStoreSpec defines the desired state of SecretStore.
  21650. properties:
  21651. conditions:
  21652. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21653. items:
  21654. description: |-
  21655. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21656. for a ClusterSecretStore instance.
  21657. properties:
  21658. namespaceRegexes:
  21659. description: Choose namespaces by using regex matching
  21660. items:
  21661. type: string
  21662. type: array
  21663. namespaceSelector:
  21664. description: Choose namespace using a labelSelector
  21665. properties:
  21666. matchExpressions:
  21667. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21668. items:
  21669. description: |-
  21670. A label selector requirement is a selector that contains values, a key, and an operator that
  21671. relates the key and values.
  21672. properties:
  21673. key:
  21674. description: key is the label key that the selector applies to.
  21675. type: string
  21676. operator:
  21677. description: |-
  21678. operator represents a key's relationship to a set of values.
  21679. Valid operators are In, NotIn, Exists and DoesNotExist.
  21680. type: string
  21681. values:
  21682. description: |-
  21683. values is an array of string values. If the operator is In or NotIn,
  21684. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21685. the values array must be empty. This array is replaced during a strategic
  21686. merge patch.
  21687. items:
  21688. type: string
  21689. type: array
  21690. x-kubernetes-list-type: atomic
  21691. required:
  21692. - key
  21693. - operator
  21694. type: object
  21695. type: array
  21696. x-kubernetes-list-type: atomic
  21697. matchLabels:
  21698. additionalProperties:
  21699. type: string
  21700. description: |-
  21701. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21702. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21703. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21704. type: object
  21705. type: object
  21706. x-kubernetes-map-type: atomic
  21707. namespaces:
  21708. description: Choose namespaces by name
  21709. items:
  21710. maxLength: 63
  21711. minLength: 1
  21712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21713. type: string
  21714. type: array
  21715. type: object
  21716. type: array
  21717. controller:
  21718. description: |-
  21719. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21720. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21721. type: string
  21722. provider:
  21723. description: Used to configure the provider. Only one provider may be set
  21724. maxProperties: 1
  21725. minProperties: 1
  21726. properties:
  21727. akeyless:
  21728. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21729. properties:
  21730. akeylessGWApiURL:
  21731. description: Akeyless GW API Url from which the secrets to be fetched from.
  21732. type: string
  21733. authSecretRef:
  21734. description: Auth configures how the operator authenticates with Akeyless.
  21735. properties:
  21736. kubernetesAuth:
  21737. description: |-
  21738. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21739. token stored in the named Secret resource.
  21740. properties:
  21741. accessID:
  21742. description: the Akeyless Kubernetes auth-method access-id
  21743. type: string
  21744. k8sConfName:
  21745. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21746. type: string
  21747. secretRef:
  21748. description: |-
  21749. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21750. for authenticating with Akeyless. If a name is specified without a key,
  21751. `token` is the default. If one is not specified, the one bound to
  21752. the controller will be used.
  21753. properties:
  21754. key:
  21755. description: |-
  21756. A key in the referenced Secret.
  21757. Some instances of this field may be defaulted, in others it may be required.
  21758. maxLength: 253
  21759. minLength: 1
  21760. pattern: ^[-._a-zA-Z0-9]+$
  21761. type: string
  21762. name:
  21763. description: The name of the Secret resource being referred to.
  21764. maxLength: 253
  21765. minLength: 1
  21766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21767. type: string
  21768. namespace:
  21769. description: |-
  21770. The namespace of the Secret resource being referred to.
  21771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21772. maxLength: 63
  21773. minLength: 1
  21774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21775. type: string
  21776. type: object
  21777. serviceAccountRef:
  21778. description: |-
  21779. Optional service account field containing the name of a kubernetes ServiceAccount.
  21780. If the service account is specified, the service account secret token JWT will be used
  21781. for authenticating with Akeyless. If the service account selector is not supplied,
  21782. the secretRef will be used instead.
  21783. properties:
  21784. audiences:
  21785. description: |-
  21786. Audience specifies the `aud` claim for the service account token
  21787. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21788. then this audiences will be appended to the list
  21789. items:
  21790. type: string
  21791. type: array
  21792. name:
  21793. description: The name of the ServiceAccount resource being referred to.
  21794. maxLength: 253
  21795. minLength: 1
  21796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21797. type: string
  21798. namespace:
  21799. description: |-
  21800. Namespace of the resource being referred to.
  21801. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21802. maxLength: 63
  21803. minLength: 1
  21804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21805. type: string
  21806. required:
  21807. - name
  21808. type: object
  21809. required:
  21810. - accessID
  21811. - k8sConfName
  21812. type: object
  21813. secretRef:
  21814. description: |-
  21815. Reference to a Secret that contains the details
  21816. to authenticate with Akeyless.
  21817. properties:
  21818. accessID:
  21819. description: The SecretAccessID is used for authentication
  21820. properties:
  21821. key:
  21822. description: |-
  21823. A key in the referenced Secret.
  21824. Some instances of this field may be defaulted, in others it may be required.
  21825. maxLength: 253
  21826. minLength: 1
  21827. pattern: ^[-._a-zA-Z0-9]+$
  21828. type: string
  21829. name:
  21830. description: The name of the Secret resource being referred to.
  21831. maxLength: 253
  21832. minLength: 1
  21833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21834. type: string
  21835. namespace:
  21836. description: |-
  21837. The namespace of the Secret resource being referred to.
  21838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21839. maxLength: 63
  21840. minLength: 1
  21841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21842. type: string
  21843. type: object
  21844. accessType:
  21845. description: |-
  21846. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21847. In some instances, `key` is a required field.
  21848. properties:
  21849. key:
  21850. description: |-
  21851. A key in the referenced Secret.
  21852. Some instances of this field may be defaulted, in others it may be required.
  21853. maxLength: 253
  21854. minLength: 1
  21855. pattern: ^[-._a-zA-Z0-9]+$
  21856. type: string
  21857. name:
  21858. description: The name of the Secret resource being referred to.
  21859. maxLength: 253
  21860. minLength: 1
  21861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21862. type: string
  21863. namespace:
  21864. description: |-
  21865. The namespace of the Secret resource being referred to.
  21866. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21867. maxLength: 63
  21868. minLength: 1
  21869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21870. type: string
  21871. type: object
  21872. accessTypeParam:
  21873. description: |-
  21874. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21875. In some instances, `key` is a required field.
  21876. properties:
  21877. key:
  21878. description: |-
  21879. A key in the referenced Secret.
  21880. Some instances of this field may be defaulted, in others it may be required.
  21881. maxLength: 253
  21882. minLength: 1
  21883. pattern: ^[-._a-zA-Z0-9]+$
  21884. type: string
  21885. name:
  21886. description: The name of the Secret resource being referred to.
  21887. maxLength: 253
  21888. minLength: 1
  21889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21890. type: string
  21891. namespace:
  21892. description: |-
  21893. The namespace of the Secret resource being referred to.
  21894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21895. maxLength: 63
  21896. minLength: 1
  21897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21898. type: string
  21899. type: object
  21900. type: object
  21901. type: object
  21902. caBundle:
  21903. description: |-
  21904. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21905. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21906. are used to validate the TLS connection.
  21907. format: byte
  21908. type: string
  21909. caProvider:
  21910. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21911. properties:
  21912. key:
  21913. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21914. maxLength: 253
  21915. minLength: 1
  21916. pattern: ^[-._a-zA-Z0-9]+$
  21917. type: string
  21918. name:
  21919. description: The name of the object located at the provider type.
  21920. maxLength: 253
  21921. minLength: 1
  21922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21923. type: string
  21924. namespace:
  21925. description: |-
  21926. The namespace the Provider type is in.
  21927. Can only be defined when used in a ClusterSecretStore.
  21928. maxLength: 63
  21929. minLength: 1
  21930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21931. type: string
  21932. type:
  21933. description: The type of provider to use such as "Secret", or "ConfigMap".
  21934. enum:
  21935. - Secret
  21936. - ConfigMap
  21937. type: string
  21938. required:
  21939. - name
  21940. - type
  21941. type: object
  21942. required:
  21943. - akeylessGWApiURL
  21944. - authSecretRef
  21945. type: object
  21946. alibaba:
  21947. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21948. properties:
  21949. auth:
  21950. description: AlibabaAuth contains a secretRef for credentials.
  21951. properties:
  21952. rrsa:
  21953. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21954. properties:
  21955. oidcProviderArn:
  21956. type: string
  21957. oidcTokenFilePath:
  21958. type: string
  21959. roleArn:
  21960. type: string
  21961. sessionName:
  21962. type: string
  21963. required:
  21964. - oidcProviderArn
  21965. - oidcTokenFilePath
  21966. - roleArn
  21967. - sessionName
  21968. type: object
  21969. secretRef:
  21970. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21971. properties:
  21972. accessKeyIDSecretRef:
  21973. description: The AccessKeyID is used for authentication
  21974. properties:
  21975. key:
  21976. description: |-
  21977. A key in the referenced Secret.
  21978. Some instances of this field may be defaulted, in others it may be required.
  21979. maxLength: 253
  21980. minLength: 1
  21981. pattern: ^[-._a-zA-Z0-9]+$
  21982. type: string
  21983. name:
  21984. description: The name of the Secret resource being referred to.
  21985. maxLength: 253
  21986. minLength: 1
  21987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21988. type: string
  21989. namespace:
  21990. description: |-
  21991. The namespace of the Secret resource being referred to.
  21992. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21993. maxLength: 63
  21994. minLength: 1
  21995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21996. type: string
  21997. type: object
  21998. accessKeySecretSecretRef:
  21999. description: The AccessKeySecret is used for authentication
  22000. properties:
  22001. key:
  22002. description: |-
  22003. A key in the referenced Secret.
  22004. Some instances of this field may be defaulted, in others it may be required.
  22005. maxLength: 253
  22006. minLength: 1
  22007. pattern: ^[-._a-zA-Z0-9]+$
  22008. type: string
  22009. name:
  22010. description: The name of the Secret resource being referred to.
  22011. maxLength: 253
  22012. minLength: 1
  22013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22014. type: string
  22015. namespace:
  22016. description: |-
  22017. The namespace of the Secret resource being referred to.
  22018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22019. maxLength: 63
  22020. minLength: 1
  22021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22022. type: string
  22023. type: object
  22024. required:
  22025. - accessKeyIDSecretRef
  22026. - accessKeySecretSecretRef
  22027. type: object
  22028. type: object
  22029. regionID:
  22030. description: Alibaba Region to be used for the provider
  22031. type: string
  22032. required:
  22033. - auth
  22034. - regionID
  22035. type: object
  22036. aws:
  22037. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  22038. properties:
  22039. additionalRoles:
  22040. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  22041. items:
  22042. type: string
  22043. type: array
  22044. auth:
  22045. description: |-
  22046. Auth defines the information necessary to authenticate against AWS
  22047. if not set aws sdk will infer credentials from your environment
  22048. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  22049. properties:
  22050. jwt:
  22051. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  22052. properties:
  22053. serviceAccountRef:
  22054. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22055. properties:
  22056. audiences:
  22057. description: |-
  22058. Audience specifies the `aud` claim for the service account token
  22059. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22060. then this audiences will be appended to the list
  22061. items:
  22062. type: string
  22063. type: array
  22064. name:
  22065. description: The name of the ServiceAccount resource being referred to.
  22066. maxLength: 253
  22067. minLength: 1
  22068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22069. type: string
  22070. namespace:
  22071. description: |-
  22072. Namespace of the resource being referred to.
  22073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22074. maxLength: 63
  22075. minLength: 1
  22076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22077. type: string
  22078. required:
  22079. - name
  22080. type: object
  22081. type: object
  22082. secretRef:
  22083. description: |-
  22084. AWSAuthSecretRef holds secret references for AWS credentials
  22085. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  22086. properties:
  22087. accessKeyIDSecretRef:
  22088. description: The AccessKeyID is used for authentication
  22089. properties:
  22090. key:
  22091. description: |-
  22092. A key in the referenced Secret.
  22093. Some instances of this field may be defaulted, in others it may be required.
  22094. maxLength: 253
  22095. minLength: 1
  22096. pattern: ^[-._a-zA-Z0-9]+$
  22097. type: string
  22098. name:
  22099. description: The name of the Secret resource being referred to.
  22100. maxLength: 253
  22101. minLength: 1
  22102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22103. type: string
  22104. namespace:
  22105. description: |-
  22106. The namespace of the Secret resource being referred to.
  22107. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22108. maxLength: 63
  22109. minLength: 1
  22110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22111. type: string
  22112. type: object
  22113. secretAccessKeySecretRef:
  22114. description: The SecretAccessKey is used for authentication
  22115. properties:
  22116. key:
  22117. description: |-
  22118. A key in the referenced Secret.
  22119. Some instances of this field may be defaulted, in others it may be required.
  22120. maxLength: 253
  22121. minLength: 1
  22122. pattern: ^[-._a-zA-Z0-9]+$
  22123. type: string
  22124. name:
  22125. description: The name of the Secret resource being referred to.
  22126. maxLength: 253
  22127. minLength: 1
  22128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22129. type: string
  22130. namespace:
  22131. description: |-
  22132. The namespace of the Secret resource being referred to.
  22133. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22134. maxLength: 63
  22135. minLength: 1
  22136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22137. type: string
  22138. type: object
  22139. sessionTokenSecretRef:
  22140. description: |-
  22141. The SessionToken used for authentication
  22142. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  22143. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  22144. properties:
  22145. key:
  22146. description: |-
  22147. A key in the referenced Secret.
  22148. Some instances of this field may be defaulted, in others it may be required.
  22149. maxLength: 253
  22150. minLength: 1
  22151. pattern: ^[-._a-zA-Z0-9]+$
  22152. type: string
  22153. name:
  22154. description: The name of the Secret resource being referred to.
  22155. maxLength: 253
  22156. minLength: 1
  22157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22158. type: string
  22159. namespace:
  22160. description: |-
  22161. The namespace of the Secret resource being referred to.
  22162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22163. maxLength: 63
  22164. minLength: 1
  22165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22166. type: string
  22167. type: object
  22168. type: object
  22169. type: object
  22170. externalID:
  22171. description: AWS External ID set on assumed IAM roles
  22172. type: string
  22173. prefix:
  22174. description: Prefix adds a prefix to all retrieved values.
  22175. type: string
  22176. region:
  22177. description: AWS Region to be used for the provider
  22178. type: string
  22179. role:
  22180. description: Role is a Role ARN which the provider will assume
  22181. type: string
  22182. secretsManager:
  22183. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  22184. properties:
  22185. forceDeleteWithoutRecovery:
  22186. description: |-
  22187. Specifies whether to delete the secret without any recovery window. You
  22188. can't use both this parameter and RecoveryWindowInDays in the same call.
  22189. If you don't use either, then by default Secrets Manager uses a 30 day
  22190. recovery window.
  22191. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  22192. type: boolean
  22193. recoveryWindowInDays:
  22194. description: |-
  22195. The number of days from 7 to 30 that Secrets Manager waits before
  22196. permanently deleting the secret. You can't use both this parameter and
  22197. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  22198. then by default Secrets Manager uses a 30 day recovery window.
  22199. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  22200. type: integer
  22201. type: object
  22202. service:
  22203. description: Service defines which service should be used to fetch the secrets
  22204. enum:
  22205. - SecretsManager
  22206. - ParameterStore
  22207. type: string
  22208. sessionTags:
  22209. description: AWS STS assume role session tags
  22210. items:
  22211. description: Tag defines a tag key and value for AWS resources.
  22212. properties:
  22213. key:
  22214. type: string
  22215. value:
  22216. type: string
  22217. required:
  22218. - key
  22219. - value
  22220. type: object
  22221. type: array
  22222. transitiveTagKeys:
  22223. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  22224. items:
  22225. type: string
  22226. type: array
  22227. required:
  22228. - region
  22229. - service
  22230. type: object
  22231. azurekv:
  22232. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  22233. properties:
  22234. authSecretRef:
  22235. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22236. properties:
  22237. clientCertificate:
  22238. description: The Azure ClientCertificate of the service principle used for authentication.
  22239. properties:
  22240. key:
  22241. description: |-
  22242. A key in the referenced Secret.
  22243. Some instances of this field may be defaulted, in others it may be required.
  22244. maxLength: 253
  22245. minLength: 1
  22246. pattern: ^[-._a-zA-Z0-9]+$
  22247. type: string
  22248. name:
  22249. description: The name of the Secret resource being referred to.
  22250. maxLength: 253
  22251. minLength: 1
  22252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22253. type: string
  22254. namespace:
  22255. description: |-
  22256. The namespace of the Secret resource being referred to.
  22257. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22258. maxLength: 63
  22259. minLength: 1
  22260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22261. type: string
  22262. type: object
  22263. clientId:
  22264. description: The Azure clientId of the service principle or managed identity used for authentication.
  22265. properties:
  22266. key:
  22267. description: |-
  22268. A key in the referenced Secret.
  22269. Some instances of this field may be defaulted, in others it may be required.
  22270. maxLength: 253
  22271. minLength: 1
  22272. pattern: ^[-._a-zA-Z0-9]+$
  22273. type: string
  22274. name:
  22275. description: The name of the Secret resource being referred to.
  22276. maxLength: 253
  22277. minLength: 1
  22278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22279. type: string
  22280. namespace:
  22281. description: |-
  22282. The namespace of the Secret resource being referred to.
  22283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22284. maxLength: 63
  22285. minLength: 1
  22286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22287. type: string
  22288. type: object
  22289. clientSecret:
  22290. description: The Azure ClientSecret of the service principle used for authentication.
  22291. properties:
  22292. key:
  22293. description: |-
  22294. A key in the referenced Secret.
  22295. Some instances of this field may be defaulted, in others it may be required.
  22296. maxLength: 253
  22297. minLength: 1
  22298. pattern: ^[-._a-zA-Z0-9]+$
  22299. type: string
  22300. name:
  22301. description: The name of the Secret resource being referred to.
  22302. maxLength: 253
  22303. minLength: 1
  22304. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22305. type: string
  22306. namespace:
  22307. description: |-
  22308. The namespace of the Secret resource being referred to.
  22309. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22310. maxLength: 63
  22311. minLength: 1
  22312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22313. type: string
  22314. type: object
  22315. tenantId:
  22316. description: The Azure tenantId of the managed identity used for authentication.
  22317. properties:
  22318. key:
  22319. description: |-
  22320. A key in the referenced Secret.
  22321. Some instances of this field may be defaulted, in others it may be required.
  22322. maxLength: 253
  22323. minLength: 1
  22324. pattern: ^[-._a-zA-Z0-9]+$
  22325. type: string
  22326. name:
  22327. description: The name of the Secret resource being referred to.
  22328. maxLength: 253
  22329. minLength: 1
  22330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22331. type: string
  22332. namespace:
  22333. description: |-
  22334. The namespace of the Secret resource being referred to.
  22335. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22336. maxLength: 63
  22337. minLength: 1
  22338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22339. type: string
  22340. type: object
  22341. type: object
  22342. authType:
  22343. default: ServicePrincipal
  22344. description: |-
  22345. Auth type defines how to authenticate to the keyvault service.
  22346. Valid values are:
  22347. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  22348. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  22349. enum:
  22350. - ServicePrincipal
  22351. - ManagedIdentity
  22352. - WorkloadIdentity
  22353. type: string
  22354. environmentType:
  22355. default: PublicCloud
  22356. description: |-
  22357. EnvironmentType specifies the Azure cloud environment endpoints to use for
  22358. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  22359. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  22360. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  22361. enum:
  22362. - PublicCloud
  22363. - USGovernmentCloud
  22364. - ChinaCloud
  22365. - GermanCloud
  22366. type: string
  22367. identityId:
  22368. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  22369. type: string
  22370. serviceAccountRef:
  22371. description: |-
  22372. ServiceAccountRef specified the service account
  22373. that should be used when authenticating with WorkloadIdentity.
  22374. properties:
  22375. audiences:
  22376. description: |-
  22377. Audience specifies the `aud` claim for the service account token
  22378. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22379. then this audiences will be appended to the list
  22380. items:
  22381. type: string
  22382. type: array
  22383. name:
  22384. description: The name of the ServiceAccount resource being referred to.
  22385. maxLength: 253
  22386. minLength: 1
  22387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22388. type: string
  22389. namespace:
  22390. description: |-
  22391. Namespace of the resource being referred to.
  22392. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22393. maxLength: 63
  22394. minLength: 1
  22395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22396. type: string
  22397. required:
  22398. - name
  22399. type: object
  22400. tenantId:
  22401. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22402. type: string
  22403. vaultUrl:
  22404. description: Vault Url from which the secrets to be fetched from.
  22405. type: string
  22406. required:
  22407. - vaultUrl
  22408. type: object
  22409. beyondtrust:
  22410. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  22411. properties:
  22412. auth:
  22413. description: Auth configures how the operator authenticates with Beyondtrust.
  22414. properties:
  22415. apiKey:
  22416. description: APIKey If not provided then ClientID/ClientSecret become required.
  22417. properties:
  22418. secretRef:
  22419. description: SecretRef references a key in a secret that will be used as value.
  22420. properties:
  22421. key:
  22422. description: |-
  22423. A key in the referenced Secret.
  22424. Some instances of this field may be defaulted, in others it may be required.
  22425. maxLength: 253
  22426. minLength: 1
  22427. pattern: ^[-._a-zA-Z0-9]+$
  22428. type: string
  22429. name:
  22430. description: The name of the Secret resource being referred to.
  22431. maxLength: 253
  22432. minLength: 1
  22433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22434. type: string
  22435. namespace:
  22436. description: |-
  22437. The namespace of the Secret resource being referred to.
  22438. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22439. maxLength: 63
  22440. minLength: 1
  22441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22442. type: string
  22443. type: object
  22444. value:
  22445. description: Value can be specified directly to set a value without using a secret.
  22446. type: string
  22447. type: object
  22448. certificate:
  22449. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  22450. properties:
  22451. secretRef:
  22452. description: SecretRef references a key in a secret that will be used as value.
  22453. properties:
  22454. key:
  22455. description: |-
  22456. A key in the referenced Secret.
  22457. Some instances of this field may be defaulted, in others it may be required.
  22458. maxLength: 253
  22459. minLength: 1
  22460. pattern: ^[-._a-zA-Z0-9]+$
  22461. type: string
  22462. name:
  22463. description: The name of the Secret resource being referred to.
  22464. maxLength: 253
  22465. minLength: 1
  22466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22467. type: string
  22468. namespace:
  22469. description: |-
  22470. The namespace of the Secret resource being referred to.
  22471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22472. maxLength: 63
  22473. minLength: 1
  22474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22475. type: string
  22476. type: object
  22477. value:
  22478. description: Value can be specified directly to set a value without using a secret.
  22479. type: string
  22480. type: object
  22481. certificateKey:
  22482. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  22483. properties:
  22484. secretRef:
  22485. description: SecretRef references a key in a secret that will be used as value.
  22486. properties:
  22487. key:
  22488. description: |-
  22489. A key in the referenced Secret.
  22490. Some instances of this field may be defaulted, in others it may be required.
  22491. maxLength: 253
  22492. minLength: 1
  22493. pattern: ^[-._a-zA-Z0-9]+$
  22494. type: string
  22495. name:
  22496. description: The name of the Secret resource being referred to.
  22497. maxLength: 253
  22498. minLength: 1
  22499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22500. type: string
  22501. namespace:
  22502. description: |-
  22503. The namespace of the Secret resource being referred to.
  22504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22505. maxLength: 63
  22506. minLength: 1
  22507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22508. type: string
  22509. type: object
  22510. value:
  22511. description: Value can be specified directly to set a value without using a secret.
  22512. type: string
  22513. type: object
  22514. clientId:
  22515. description: ClientID is the API OAuth Client ID.
  22516. properties:
  22517. secretRef:
  22518. description: SecretRef references a key in a secret that will be used as value.
  22519. properties:
  22520. key:
  22521. description: |-
  22522. A key in the referenced Secret.
  22523. Some instances of this field may be defaulted, in others it may be required.
  22524. maxLength: 253
  22525. minLength: 1
  22526. pattern: ^[-._a-zA-Z0-9]+$
  22527. type: string
  22528. name:
  22529. description: The name of the Secret resource being referred to.
  22530. maxLength: 253
  22531. minLength: 1
  22532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22533. type: string
  22534. namespace:
  22535. description: |-
  22536. The namespace of the Secret resource being referred to.
  22537. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22538. maxLength: 63
  22539. minLength: 1
  22540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22541. type: string
  22542. type: object
  22543. value:
  22544. description: Value can be specified directly to set a value without using a secret.
  22545. type: string
  22546. type: object
  22547. clientSecret:
  22548. description: ClientSecret is the API OAuth Client Secret.
  22549. properties:
  22550. secretRef:
  22551. description: SecretRef references a key in a secret that will be used as value.
  22552. properties:
  22553. key:
  22554. description: |-
  22555. A key in the referenced Secret.
  22556. Some instances of this field may be defaulted, in others it may be required.
  22557. maxLength: 253
  22558. minLength: 1
  22559. pattern: ^[-._a-zA-Z0-9]+$
  22560. type: string
  22561. name:
  22562. description: The name of the Secret resource being referred to.
  22563. maxLength: 253
  22564. minLength: 1
  22565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22566. type: string
  22567. namespace:
  22568. description: |-
  22569. The namespace of the Secret resource being referred to.
  22570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22571. maxLength: 63
  22572. minLength: 1
  22573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22574. type: string
  22575. type: object
  22576. value:
  22577. description: Value can be specified directly to set a value without using a secret.
  22578. type: string
  22579. type: object
  22580. type: object
  22581. server:
  22582. description: Auth configures how API server works.
  22583. properties:
  22584. apiUrl:
  22585. type: string
  22586. apiVersion:
  22587. type: string
  22588. clientTimeOutSeconds:
  22589. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  22590. type: integer
  22591. decrypt:
  22592. default: true
  22593. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  22594. type: boolean
  22595. retrievalType:
  22596. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  22597. type: string
  22598. separator:
  22599. description: A character that separates the folder names.
  22600. type: string
  22601. verifyCA:
  22602. type: boolean
  22603. required:
  22604. - apiUrl
  22605. - verifyCA
  22606. type: object
  22607. required:
  22608. - auth
  22609. - server
  22610. type: object
  22611. bitwardensecretsmanager:
  22612. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  22613. properties:
  22614. apiURL:
  22615. type: string
  22616. auth:
  22617. description: |-
  22618. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  22619. Make sure that the token being used has permissions on the given secret.
  22620. properties:
  22621. secretRef:
  22622. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  22623. properties:
  22624. credentials:
  22625. description: AccessToken used for the bitwarden instance.
  22626. properties:
  22627. key:
  22628. description: |-
  22629. A key in the referenced Secret.
  22630. Some instances of this field may be defaulted, in others it may be required.
  22631. maxLength: 253
  22632. minLength: 1
  22633. pattern: ^[-._a-zA-Z0-9]+$
  22634. type: string
  22635. name:
  22636. description: The name of the Secret resource being referred to.
  22637. maxLength: 253
  22638. minLength: 1
  22639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22640. type: string
  22641. namespace:
  22642. description: |-
  22643. The namespace of the Secret resource being referred to.
  22644. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22645. maxLength: 63
  22646. minLength: 1
  22647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22648. type: string
  22649. type: object
  22650. required:
  22651. - credentials
  22652. type: object
  22653. required:
  22654. - secretRef
  22655. type: object
  22656. bitwardenServerSDKURL:
  22657. type: string
  22658. caBundle:
  22659. description: |-
  22660. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22661. can be performed.
  22662. type: string
  22663. caProvider:
  22664. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22665. properties:
  22666. key:
  22667. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22668. maxLength: 253
  22669. minLength: 1
  22670. pattern: ^[-._a-zA-Z0-9]+$
  22671. type: string
  22672. name:
  22673. description: The name of the object located at the provider type.
  22674. maxLength: 253
  22675. minLength: 1
  22676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22677. type: string
  22678. namespace:
  22679. description: |-
  22680. The namespace the Provider type is in.
  22681. Can only be defined when used in a ClusterSecretStore.
  22682. maxLength: 63
  22683. minLength: 1
  22684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22685. type: string
  22686. type:
  22687. description: The type of provider to use such as "Secret", or "ConfigMap".
  22688. enum:
  22689. - Secret
  22690. - ConfigMap
  22691. type: string
  22692. required:
  22693. - name
  22694. - type
  22695. type: object
  22696. identityURL:
  22697. type: string
  22698. organizationID:
  22699. description: OrganizationID determines which organization this secret store manages.
  22700. type: string
  22701. projectID:
  22702. description: ProjectID determines which project this secret store manages.
  22703. type: string
  22704. required:
  22705. - auth
  22706. - organizationID
  22707. - projectID
  22708. type: object
  22709. chef:
  22710. description: Chef configures this store to sync secrets with chef server
  22711. properties:
  22712. auth:
  22713. description: Auth defines the information necessary to authenticate against chef Server
  22714. properties:
  22715. secretRef:
  22716. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22717. properties:
  22718. privateKeySecretRef:
  22719. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22720. properties:
  22721. key:
  22722. description: |-
  22723. A key in the referenced Secret.
  22724. Some instances of this field may be defaulted, in others it may be required.
  22725. maxLength: 253
  22726. minLength: 1
  22727. pattern: ^[-._a-zA-Z0-9]+$
  22728. type: string
  22729. name:
  22730. description: The name of the Secret resource being referred to.
  22731. maxLength: 253
  22732. minLength: 1
  22733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22734. type: string
  22735. namespace:
  22736. description: |-
  22737. The namespace of the Secret resource being referred to.
  22738. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22739. maxLength: 63
  22740. minLength: 1
  22741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22742. type: string
  22743. type: object
  22744. required:
  22745. - privateKeySecretRef
  22746. type: object
  22747. required:
  22748. - secretRef
  22749. type: object
  22750. serverUrl:
  22751. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  22752. type: string
  22753. username:
  22754. description: UserName should be the user ID on the chef server
  22755. type: string
  22756. required:
  22757. - auth
  22758. - serverUrl
  22759. - username
  22760. type: object
  22761. cloudrusm:
  22762. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22763. properties:
  22764. auth:
  22765. description: CSMAuth contains a secretRef for credentials.
  22766. properties:
  22767. secretRef:
  22768. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22769. properties:
  22770. accessKeyIDSecretRef:
  22771. description: The AccessKeyID is used for authentication
  22772. properties:
  22773. key:
  22774. description: |-
  22775. A key in the referenced Secret.
  22776. Some instances of this field may be defaulted, in others it may be required.
  22777. maxLength: 253
  22778. minLength: 1
  22779. pattern: ^[-._a-zA-Z0-9]+$
  22780. type: string
  22781. name:
  22782. description: The name of the Secret resource being referred to.
  22783. maxLength: 253
  22784. minLength: 1
  22785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22786. type: string
  22787. namespace:
  22788. description: |-
  22789. The namespace of the Secret resource being referred to.
  22790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22791. maxLength: 63
  22792. minLength: 1
  22793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22794. type: string
  22795. type: object
  22796. accessKeySecretSecretRef:
  22797. description: The AccessKeySecret is used for authentication
  22798. properties:
  22799. key:
  22800. description: |-
  22801. A key in the referenced Secret.
  22802. Some instances of this field may be defaulted, in others it may be required.
  22803. maxLength: 253
  22804. minLength: 1
  22805. pattern: ^[-._a-zA-Z0-9]+$
  22806. type: string
  22807. name:
  22808. description: The name of the Secret resource being referred to.
  22809. maxLength: 253
  22810. minLength: 1
  22811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22812. type: string
  22813. namespace:
  22814. description: |-
  22815. The namespace of the Secret resource being referred to.
  22816. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22817. maxLength: 63
  22818. minLength: 1
  22819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22820. type: string
  22821. type: object
  22822. required:
  22823. - accessKeyIDSecretRef
  22824. - accessKeySecretSecretRef
  22825. type: object
  22826. type: object
  22827. projectID:
  22828. description: ProjectID is the project, which the secrets are stored in.
  22829. type: string
  22830. required:
  22831. - auth
  22832. type: object
  22833. conjur:
  22834. description: Conjur configures this store to sync secrets using conjur provider
  22835. properties:
  22836. auth:
  22837. description: Defines authentication settings for connecting to Conjur.
  22838. properties:
  22839. apikey:
  22840. description: Authenticates with Conjur using an API key.
  22841. properties:
  22842. account:
  22843. description: Account is the Conjur organization account name.
  22844. type: string
  22845. apiKeyRef:
  22846. description: |-
  22847. A reference to a specific 'key' containing the Conjur API key
  22848. within a Secret resource. In some instances, `key` is a required field.
  22849. properties:
  22850. key:
  22851. description: |-
  22852. A key in the referenced Secret.
  22853. Some instances of this field may be defaulted, in others it may be required.
  22854. maxLength: 253
  22855. minLength: 1
  22856. pattern: ^[-._a-zA-Z0-9]+$
  22857. type: string
  22858. name:
  22859. description: The name of the Secret resource being referred to.
  22860. maxLength: 253
  22861. minLength: 1
  22862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22863. type: string
  22864. namespace:
  22865. description: |-
  22866. The namespace of the Secret resource being referred to.
  22867. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22868. maxLength: 63
  22869. minLength: 1
  22870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22871. type: string
  22872. type: object
  22873. userRef:
  22874. description: |-
  22875. A reference to a specific 'key' containing the Conjur username
  22876. within a Secret resource. In some instances, `key` is a required field.
  22877. properties:
  22878. key:
  22879. description: |-
  22880. A key in the referenced Secret.
  22881. Some instances of this field may be defaulted, in others it may be required.
  22882. maxLength: 253
  22883. minLength: 1
  22884. pattern: ^[-._a-zA-Z0-9]+$
  22885. type: string
  22886. name:
  22887. description: The name of the Secret resource being referred to.
  22888. maxLength: 253
  22889. minLength: 1
  22890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22891. type: string
  22892. namespace:
  22893. description: |-
  22894. The namespace of the Secret resource being referred to.
  22895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22896. maxLength: 63
  22897. minLength: 1
  22898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22899. type: string
  22900. type: object
  22901. required:
  22902. - account
  22903. - apiKeyRef
  22904. - userRef
  22905. type: object
  22906. jwt:
  22907. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22908. properties:
  22909. account:
  22910. description: Account is the Conjur organization account name.
  22911. type: string
  22912. hostId:
  22913. description: |-
  22914. Optional HostID for JWT authentication. This may be used depending
  22915. on how the Conjur JWT authenticator policy is configured.
  22916. type: string
  22917. secretRef:
  22918. description: |-
  22919. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22920. authenticate with Conjur using the JWT authentication method.
  22921. properties:
  22922. key:
  22923. description: |-
  22924. A key in the referenced Secret.
  22925. Some instances of this field may be defaulted, in others it may be required.
  22926. maxLength: 253
  22927. minLength: 1
  22928. pattern: ^[-._a-zA-Z0-9]+$
  22929. type: string
  22930. name:
  22931. description: The name of the Secret resource being referred to.
  22932. maxLength: 253
  22933. minLength: 1
  22934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22935. type: string
  22936. namespace:
  22937. description: |-
  22938. The namespace of the Secret resource being referred to.
  22939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22940. maxLength: 63
  22941. minLength: 1
  22942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22943. type: string
  22944. type: object
  22945. serviceAccountRef:
  22946. description: |-
  22947. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22948. a token for with the `TokenRequest` API.
  22949. properties:
  22950. audiences:
  22951. description: |-
  22952. Audience specifies the `aud` claim for the service account token
  22953. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22954. then this audiences will be appended to the list
  22955. items:
  22956. type: string
  22957. type: array
  22958. name:
  22959. description: The name of the ServiceAccount resource being referred to.
  22960. maxLength: 253
  22961. minLength: 1
  22962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22963. type: string
  22964. namespace:
  22965. description: |-
  22966. Namespace of the resource being referred to.
  22967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22968. maxLength: 63
  22969. minLength: 1
  22970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22971. type: string
  22972. required:
  22973. - name
  22974. type: object
  22975. serviceID:
  22976. description: The conjur authn jwt webservice id
  22977. type: string
  22978. required:
  22979. - account
  22980. - serviceID
  22981. type: object
  22982. type: object
  22983. caBundle:
  22984. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22985. type: string
  22986. caProvider:
  22987. description: |-
  22988. Used to provide custom certificate authority (CA) certificates
  22989. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22990. that contains a PEM-encoded certificate.
  22991. properties:
  22992. key:
  22993. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22994. maxLength: 253
  22995. minLength: 1
  22996. pattern: ^[-._a-zA-Z0-9]+$
  22997. type: string
  22998. name:
  22999. description: The name of the object located at the provider type.
  23000. maxLength: 253
  23001. minLength: 1
  23002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23003. type: string
  23004. namespace:
  23005. description: |-
  23006. The namespace the Provider type is in.
  23007. Can only be defined when used in a ClusterSecretStore.
  23008. maxLength: 63
  23009. minLength: 1
  23010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23011. type: string
  23012. type:
  23013. description: The type of provider to use such as "Secret", or "ConfigMap".
  23014. enum:
  23015. - Secret
  23016. - ConfigMap
  23017. type: string
  23018. required:
  23019. - name
  23020. - type
  23021. type: object
  23022. url:
  23023. description: URL is the endpoint of the Conjur instance.
  23024. type: string
  23025. required:
  23026. - auth
  23027. - url
  23028. type: object
  23029. delinea:
  23030. description: |-
  23031. Delinea DevOps Secrets Vault
  23032. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  23033. properties:
  23034. clientId:
  23035. description: ClientID is the non-secret part of the credential.
  23036. properties:
  23037. secretRef:
  23038. description: SecretRef references a key in a secret that will be used as value.
  23039. properties:
  23040. key:
  23041. description: |-
  23042. A key in the referenced Secret.
  23043. Some instances of this field may be defaulted, in others it may be required.
  23044. maxLength: 253
  23045. minLength: 1
  23046. pattern: ^[-._a-zA-Z0-9]+$
  23047. type: string
  23048. name:
  23049. description: The name of the Secret resource being referred to.
  23050. maxLength: 253
  23051. minLength: 1
  23052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23053. type: string
  23054. namespace:
  23055. description: |-
  23056. The namespace of the Secret resource being referred to.
  23057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23058. maxLength: 63
  23059. minLength: 1
  23060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23061. type: string
  23062. type: object
  23063. value:
  23064. description: Value can be specified directly to set a value without using a secret.
  23065. type: string
  23066. type: object
  23067. clientSecret:
  23068. description: ClientSecret is the secret part of the credential.
  23069. properties:
  23070. secretRef:
  23071. description: SecretRef references a key in a secret that will be used as value.
  23072. properties:
  23073. key:
  23074. description: |-
  23075. A key in the referenced Secret.
  23076. Some instances of this field may be defaulted, in others it may be required.
  23077. maxLength: 253
  23078. minLength: 1
  23079. pattern: ^[-._a-zA-Z0-9]+$
  23080. type: string
  23081. name:
  23082. description: The name of the Secret resource being referred to.
  23083. maxLength: 253
  23084. minLength: 1
  23085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23086. type: string
  23087. namespace:
  23088. description: |-
  23089. The namespace of the Secret resource being referred to.
  23090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23091. maxLength: 63
  23092. minLength: 1
  23093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23094. type: string
  23095. type: object
  23096. value:
  23097. description: Value can be specified directly to set a value without using a secret.
  23098. type: string
  23099. type: object
  23100. tenant:
  23101. description: Tenant is the chosen hostname / site name.
  23102. type: string
  23103. tld:
  23104. description: |-
  23105. TLD is based on the server location that was chosen during provisioning.
  23106. If unset, defaults to "com".
  23107. type: string
  23108. urlTemplate:
  23109. description: |-
  23110. URLTemplate
  23111. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  23112. type: string
  23113. required:
  23114. - clientId
  23115. - clientSecret
  23116. - tenant
  23117. type: object
  23118. device42:
  23119. description: Device42 configures this store to sync secrets using the Device42 provider
  23120. properties:
  23121. auth:
  23122. description: Auth configures how secret-manager authenticates with a Device42 instance.
  23123. properties:
  23124. secretRef:
  23125. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  23126. properties:
  23127. credentials:
  23128. description: Username / Password is used for authentication.
  23129. properties:
  23130. key:
  23131. description: |-
  23132. A key in the referenced Secret.
  23133. Some instances of this field may be defaulted, in others it may be required.
  23134. maxLength: 253
  23135. minLength: 1
  23136. pattern: ^[-._a-zA-Z0-9]+$
  23137. type: string
  23138. name:
  23139. description: The name of the Secret resource being referred to.
  23140. maxLength: 253
  23141. minLength: 1
  23142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23143. type: string
  23144. namespace:
  23145. description: |-
  23146. The namespace of the Secret resource being referred to.
  23147. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23148. maxLength: 63
  23149. minLength: 1
  23150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23151. type: string
  23152. type: object
  23153. type: object
  23154. required:
  23155. - secretRef
  23156. type: object
  23157. host:
  23158. description: URL configures the Device42 instance URL.
  23159. type: string
  23160. required:
  23161. - auth
  23162. - host
  23163. type: object
  23164. doppler:
  23165. description: Doppler configures this store to sync secrets using the Doppler provider
  23166. properties:
  23167. auth:
  23168. description: Auth configures how the Operator authenticates with the Doppler API
  23169. properties:
  23170. secretRef:
  23171. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  23172. properties:
  23173. dopplerToken:
  23174. description: |-
  23175. The DopplerToken is used for authentication.
  23176. See https://docs.doppler.com/reference/api#authentication for auth token types.
  23177. The Key attribute defaults to dopplerToken if not specified.
  23178. properties:
  23179. key:
  23180. description: |-
  23181. A key in the referenced Secret.
  23182. Some instances of this field may be defaulted, in others it may be required.
  23183. maxLength: 253
  23184. minLength: 1
  23185. pattern: ^[-._a-zA-Z0-9]+$
  23186. type: string
  23187. name:
  23188. description: The name of the Secret resource being referred to.
  23189. maxLength: 253
  23190. minLength: 1
  23191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23192. type: string
  23193. namespace:
  23194. description: |-
  23195. The namespace of the Secret resource being referred to.
  23196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23197. maxLength: 63
  23198. minLength: 1
  23199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23200. type: string
  23201. type: object
  23202. required:
  23203. - dopplerToken
  23204. type: object
  23205. required:
  23206. - secretRef
  23207. type: object
  23208. config:
  23209. description: Doppler config (required if not using a Service Token)
  23210. type: string
  23211. format:
  23212. description: Format enables the downloading of secrets as a file (string)
  23213. enum:
  23214. - json
  23215. - dotnet-json
  23216. - env
  23217. - yaml
  23218. - docker
  23219. type: string
  23220. nameTransformer:
  23221. description: Environment variable compatible name transforms that change secret names to a different format
  23222. enum:
  23223. - upper-camel
  23224. - camel
  23225. - lower-snake
  23226. - tf-var
  23227. - dotnet-env
  23228. - lower-kebab
  23229. type: string
  23230. project:
  23231. description: Doppler project (required if not using a Service Token)
  23232. type: string
  23233. required:
  23234. - auth
  23235. type: object
  23236. fake:
  23237. description: Fake configures a store with static key/value pairs
  23238. properties:
  23239. data:
  23240. items:
  23241. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  23242. properties:
  23243. key:
  23244. type: string
  23245. value:
  23246. type: string
  23247. version:
  23248. type: string
  23249. required:
  23250. - key
  23251. - value
  23252. type: object
  23253. type: array
  23254. required:
  23255. - data
  23256. type: object
  23257. fortanix:
  23258. description: Fortanix configures this store to sync secrets using the Fortanix provider
  23259. properties:
  23260. apiKey:
  23261. description: APIKey is the API token to access SDKMS Applications.
  23262. properties:
  23263. secretRef:
  23264. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  23265. properties:
  23266. key:
  23267. description: |-
  23268. A key in the referenced Secret.
  23269. Some instances of this field may be defaulted, in others it may be required.
  23270. maxLength: 253
  23271. minLength: 1
  23272. pattern: ^[-._a-zA-Z0-9]+$
  23273. type: string
  23274. name:
  23275. description: The name of the Secret resource being referred to.
  23276. maxLength: 253
  23277. minLength: 1
  23278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23279. type: string
  23280. namespace:
  23281. description: |-
  23282. The namespace of the Secret resource being referred to.
  23283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23284. maxLength: 63
  23285. minLength: 1
  23286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23287. type: string
  23288. type: object
  23289. type: object
  23290. apiUrl:
  23291. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  23292. type: string
  23293. type: object
  23294. gcpsm:
  23295. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  23296. properties:
  23297. auth:
  23298. description: Auth defines the information necessary to authenticate against GCP
  23299. properties:
  23300. secretRef:
  23301. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  23302. properties:
  23303. secretAccessKeySecretRef:
  23304. description: The SecretAccessKey is used for authentication
  23305. properties:
  23306. key:
  23307. description: |-
  23308. A key in the referenced Secret.
  23309. Some instances of this field may be defaulted, in others it may be required.
  23310. maxLength: 253
  23311. minLength: 1
  23312. pattern: ^[-._a-zA-Z0-9]+$
  23313. type: string
  23314. name:
  23315. description: The name of the Secret resource being referred to.
  23316. maxLength: 253
  23317. minLength: 1
  23318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23319. type: string
  23320. namespace:
  23321. description: |-
  23322. The namespace of the Secret resource being referred to.
  23323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23324. maxLength: 63
  23325. minLength: 1
  23326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23327. type: string
  23328. type: object
  23329. type: object
  23330. workloadIdentity:
  23331. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  23332. properties:
  23333. clusterLocation:
  23334. description: |-
  23335. ClusterLocation is the location of the cluster
  23336. If not specified, it fetches information from the metadata server
  23337. type: string
  23338. clusterName:
  23339. description: |-
  23340. ClusterName is the name of the cluster
  23341. If not specified, it fetches information from the metadata server
  23342. type: string
  23343. clusterProjectID:
  23344. description: |-
  23345. ClusterProjectID is the project ID of the cluster
  23346. If not specified, it fetches information from the metadata server
  23347. type: string
  23348. serviceAccountRef:
  23349. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23350. properties:
  23351. audiences:
  23352. description: |-
  23353. Audience specifies the `aud` claim for the service account token
  23354. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23355. then this audiences will be appended to the list
  23356. items:
  23357. type: string
  23358. type: array
  23359. name:
  23360. description: The name of the ServiceAccount resource being referred to.
  23361. maxLength: 253
  23362. minLength: 1
  23363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23364. type: string
  23365. namespace:
  23366. description: |-
  23367. Namespace of the resource being referred to.
  23368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23369. maxLength: 63
  23370. minLength: 1
  23371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23372. type: string
  23373. required:
  23374. - name
  23375. type: object
  23376. required:
  23377. - serviceAccountRef
  23378. type: object
  23379. type: object
  23380. location:
  23381. description: Location optionally defines a location for a secret
  23382. type: string
  23383. projectID:
  23384. description: ProjectID project where secret is located
  23385. type: string
  23386. type: object
  23387. github:
  23388. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  23389. properties:
  23390. appID:
  23391. description: appID specifies the Github APP that will be used to authenticate the client
  23392. type: integer
  23393. auth:
  23394. description: auth configures how secret-manager authenticates with a Github instance.
  23395. properties:
  23396. privateKey:
  23397. description: |-
  23398. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23399. In some instances, `key` is a required field.
  23400. properties:
  23401. key:
  23402. description: |-
  23403. A key in the referenced Secret.
  23404. Some instances of this field may be defaulted, in others it may be required.
  23405. maxLength: 253
  23406. minLength: 1
  23407. pattern: ^[-._a-zA-Z0-9]+$
  23408. type: string
  23409. name:
  23410. description: The name of the Secret resource being referred to.
  23411. maxLength: 253
  23412. minLength: 1
  23413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23414. type: string
  23415. namespace:
  23416. description: |-
  23417. The namespace of the Secret resource being referred to.
  23418. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23419. maxLength: 63
  23420. minLength: 1
  23421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23422. type: string
  23423. type: object
  23424. required:
  23425. - privateKey
  23426. type: object
  23427. environment:
  23428. description: environment will be used to fetch secrets from a particular environment within a github repository
  23429. type: string
  23430. installationID:
  23431. description: installationID specifies the Github APP installation that will be used to authenticate the client
  23432. type: integer
  23433. organization:
  23434. description: organization will be used to fetch secrets from the Github organization
  23435. type: string
  23436. repository:
  23437. description: repository will be used to fetch secrets from the Github repository within an organization
  23438. type: string
  23439. uploadURL:
  23440. description: Upload URL for enterprise instances. Default to URL.
  23441. type: string
  23442. url:
  23443. default: https://github.com/
  23444. description: URL configures the Github instance URL. Defaults to https://github.com/.
  23445. type: string
  23446. required:
  23447. - appID
  23448. - auth
  23449. - installationID
  23450. - organization
  23451. type: object
  23452. gitlab:
  23453. description: GitLab configures this store to sync secrets using GitLab Variables provider
  23454. properties:
  23455. auth:
  23456. description: Auth configures how secret-manager authenticates with a GitLab instance.
  23457. properties:
  23458. SecretRef:
  23459. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  23460. properties:
  23461. accessToken:
  23462. description: AccessToken is used for authentication.
  23463. properties:
  23464. key:
  23465. description: |-
  23466. A key in the referenced Secret.
  23467. Some instances of this field may be defaulted, in others it may be required.
  23468. maxLength: 253
  23469. minLength: 1
  23470. pattern: ^[-._a-zA-Z0-9]+$
  23471. type: string
  23472. name:
  23473. description: The name of the Secret resource being referred to.
  23474. maxLength: 253
  23475. minLength: 1
  23476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23477. type: string
  23478. namespace:
  23479. description: |-
  23480. The namespace of the Secret resource being referred to.
  23481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23482. maxLength: 63
  23483. minLength: 1
  23484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23485. type: string
  23486. type: object
  23487. type: object
  23488. required:
  23489. - SecretRef
  23490. type: object
  23491. caBundle:
  23492. description: |-
  23493. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  23494. can be performed.
  23495. format: byte
  23496. type: string
  23497. caProvider:
  23498. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  23499. properties:
  23500. key:
  23501. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23502. maxLength: 253
  23503. minLength: 1
  23504. pattern: ^[-._a-zA-Z0-9]+$
  23505. type: string
  23506. name:
  23507. description: The name of the object located at the provider type.
  23508. maxLength: 253
  23509. minLength: 1
  23510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23511. type: string
  23512. namespace:
  23513. description: |-
  23514. The namespace the Provider type is in.
  23515. Can only be defined when used in a ClusterSecretStore.
  23516. maxLength: 63
  23517. minLength: 1
  23518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23519. type: string
  23520. type:
  23521. description: The type of provider to use such as "Secret", or "ConfigMap".
  23522. enum:
  23523. - Secret
  23524. - ConfigMap
  23525. type: string
  23526. required:
  23527. - name
  23528. - type
  23529. type: object
  23530. environment:
  23531. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  23532. type: string
  23533. groupIDs:
  23534. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  23535. items:
  23536. type: string
  23537. type: array
  23538. inheritFromGroups:
  23539. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  23540. type: boolean
  23541. projectID:
  23542. description: ProjectID specifies a project where secrets are located.
  23543. type: string
  23544. url:
  23545. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  23546. type: string
  23547. required:
  23548. - auth
  23549. type: object
  23550. ibm:
  23551. description: IBM configures this store to sync secrets using IBM Cloud provider
  23552. properties:
  23553. auth:
  23554. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  23555. maxProperties: 1
  23556. minProperties: 1
  23557. properties:
  23558. containerAuth:
  23559. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  23560. properties:
  23561. iamEndpoint:
  23562. type: string
  23563. profile:
  23564. description: the IBM Trusted Profile
  23565. type: string
  23566. tokenLocation:
  23567. description: Location the token is mounted on the pod
  23568. type: string
  23569. required:
  23570. - profile
  23571. type: object
  23572. secretRef:
  23573. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  23574. properties:
  23575. secretApiKeySecretRef:
  23576. description: The SecretAccessKey is used for authentication
  23577. properties:
  23578. key:
  23579. description: |-
  23580. A key in the referenced Secret.
  23581. Some instances of this field may be defaulted, in others it may be required.
  23582. maxLength: 253
  23583. minLength: 1
  23584. pattern: ^[-._a-zA-Z0-9]+$
  23585. type: string
  23586. name:
  23587. description: The name of the Secret resource being referred to.
  23588. maxLength: 253
  23589. minLength: 1
  23590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23591. type: string
  23592. namespace:
  23593. description: |-
  23594. The namespace of the Secret resource being referred to.
  23595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23596. maxLength: 63
  23597. minLength: 1
  23598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23599. type: string
  23600. type: object
  23601. type: object
  23602. type: object
  23603. serviceUrl:
  23604. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  23605. type: string
  23606. required:
  23607. - auth
  23608. type: object
  23609. infisical:
  23610. description: Infisical configures this store to sync secrets using the Infisical provider
  23611. properties:
  23612. auth:
  23613. description: Auth configures how the Operator authenticates with the Infisical API
  23614. properties:
  23615. universalAuthCredentials:
  23616. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  23617. properties:
  23618. clientId:
  23619. description: |-
  23620. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23621. In some instances, `key` is a required field.
  23622. properties:
  23623. key:
  23624. description: |-
  23625. A key in the referenced Secret.
  23626. Some instances of this field may be defaulted, in others it may be required.
  23627. maxLength: 253
  23628. minLength: 1
  23629. pattern: ^[-._a-zA-Z0-9]+$
  23630. type: string
  23631. name:
  23632. description: The name of the Secret resource being referred to.
  23633. maxLength: 253
  23634. minLength: 1
  23635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23636. type: string
  23637. namespace:
  23638. description: |-
  23639. The namespace of the Secret resource being referred to.
  23640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23641. maxLength: 63
  23642. minLength: 1
  23643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23644. type: string
  23645. type: object
  23646. clientSecret:
  23647. description: |-
  23648. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23649. In some instances, `key` is a required field.
  23650. properties:
  23651. key:
  23652. description: |-
  23653. A key in the referenced Secret.
  23654. Some instances of this field may be defaulted, in others it may be required.
  23655. maxLength: 253
  23656. minLength: 1
  23657. pattern: ^[-._a-zA-Z0-9]+$
  23658. type: string
  23659. name:
  23660. description: The name of the Secret resource being referred to.
  23661. maxLength: 253
  23662. minLength: 1
  23663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23664. type: string
  23665. namespace:
  23666. description: |-
  23667. The namespace of the Secret resource being referred to.
  23668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23669. maxLength: 63
  23670. minLength: 1
  23671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23672. type: string
  23673. type: object
  23674. required:
  23675. - clientId
  23676. - clientSecret
  23677. type: object
  23678. type: object
  23679. hostAPI:
  23680. default: https://app.infisical.com/api
  23681. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23682. type: string
  23683. secretsScope:
  23684. description: SecretsScope defines the scope of the secrets within the workspace
  23685. properties:
  23686. environmentSlug:
  23687. description: EnvironmentSlug is the required slug identifier for the environment.
  23688. type: string
  23689. expandSecretReferences:
  23690. default: true
  23691. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23692. type: boolean
  23693. projectSlug:
  23694. description: ProjectSlug is the required slug identifier for the project.
  23695. type: string
  23696. recursive:
  23697. default: false
  23698. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23699. type: boolean
  23700. secretsPath:
  23701. default: /
  23702. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23703. type: string
  23704. required:
  23705. - environmentSlug
  23706. - projectSlug
  23707. type: object
  23708. required:
  23709. - auth
  23710. - secretsScope
  23711. type: object
  23712. keepersecurity:
  23713. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23714. properties:
  23715. authRef:
  23716. description: |-
  23717. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23718. In some instances, `key` is a required field.
  23719. properties:
  23720. key:
  23721. description: |-
  23722. A key in the referenced Secret.
  23723. Some instances of this field may be defaulted, in others it may be required.
  23724. maxLength: 253
  23725. minLength: 1
  23726. pattern: ^[-._a-zA-Z0-9]+$
  23727. type: string
  23728. name:
  23729. description: The name of the Secret resource being referred to.
  23730. maxLength: 253
  23731. minLength: 1
  23732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23733. type: string
  23734. namespace:
  23735. description: |-
  23736. The namespace of the Secret resource being referred to.
  23737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23738. maxLength: 63
  23739. minLength: 1
  23740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23741. type: string
  23742. type: object
  23743. folderID:
  23744. type: string
  23745. required:
  23746. - authRef
  23747. - folderID
  23748. type: object
  23749. kubernetes:
  23750. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23751. properties:
  23752. auth:
  23753. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23754. maxProperties: 1
  23755. minProperties: 1
  23756. properties:
  23757. cert:
  23758. description: has both clientCert and clientKey as secretKeySelector
  23759. properties:
  23760. clientCert:
  23761. description: |-
  23762. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23763. In some instances, `key` is a required field.
  23764. properties:
  23765. key:
  23766. description: |-
  23767. A key in the referenced Secret.
  23768. Some instances of this field may be defaulted, in others it may be required.
  23769. maxLength: 253
  23770. minLength: 1
  23771. pattern: ^[-._a-zA-Z0-9]+$
  23772. type: string
  23773. name:
  23774. description: The name of the Secret resource being referred to.
  23775. maxLength: 253
  23776. minLength: 1
  23777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23778. type: string
  23779. namespace:
  23780. description: |-
  23781. The namespace of the Secret resource being referred to.
  23782. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23783. maxLength: 63
  23784. minLength: 1
  23785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23786. type: string
  23787. type: object
  23788. clientKey:
  23789. description: |-
  23790. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23791. In some instances, `key` is a required field.
  23792. properties:
  23793. key:
  23794. description: |-
  23795. A key in the referenced Secret.
  23796. Some instances of this field may be defaulted, in others it may be required.
  23797. maxLength: 253
  23798. minLength: 1
  23799. pattern: ^[-._a-zA-Z0-9]+$
  23800. type: string
  23801. name:
  23802. description: The name of the Secret resource being referred to.
  23803. maxLength: 253
  23804. minLength: 1
  23805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23806. type: string
  23807. namespace:
  23808. description: |-
  23809. The namespace of the Secret resource being referred to.
  23810. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23811. maxLength: 63
  23812. minLength: 1
  23813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23814. type: string
  23815. type: object
  23816. type: object
  23817. serviceAccount:
  23818. description: points to a service account that should be used for authentication
  23819. properties:
  23820. audiences:
  23821. description: |-
  23822. Audience specifies the `aud` claim for the service account token
  23823. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23824. then this audiences will be appended to the list
  23825. items:
  23826. type: string
  23827. type: array
  23828. name:
  23829. description: The name of the ServiceAccount resource being referred to.
  23830. maxLength: 253
  23831. minLength: 1
  23832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23833. type: string
  23834. namespace:
  23835. description: |-
  23836. Namespace of the resource being referred to.
  23837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23838. maxLength: 63
  23839. minLength: 1
  23840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23841. type: string
  23842. required:
  23843. - name
  23844. type: object
  23845. token:
  23846. description: use static token to authenticate with
  23847. properties:
  23848. bearerToken:
  23849. description: |-
  23850. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23851. In some instances, `key` is a required field.
  23852. properties:
  23853. key:
  23854. description: |-
  23855. A key in the referenced Secret.
  23856. Some instances of this field may be defaulted, in others it may be required.
  23857. maxLength: 253
  23858. minLength: 1
  23859. pattern: ^[-._a-zA-Z0-9]+$
  23860. type: string
  23861. name:
  23862. description: The name of the Secret resource being referred to.
  23863. maxLength: 253
  23864. minLength: 1
  23865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23866. type: string
  23867. namespace:
  23868. description: |-
  23869. The namespace of the Secret resource being referred to.
  23870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23871. maxLength: 63
  23872. minLength: 1
  23873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23874. type: string
  23875. type: object
  23876. type: object
  23877. type: object
  23878. authRef:
  23879. description: A reference to a secret that contains the auth information.
  23880. properties:
  23881. key:
  23882. description: |-
  23883. A key in the referenced Secret.
  23884. Some instances of this field may be defaulted, in others it may be required.
  23885. maxLength: 253
  23886. minLength: 1
  23887. pattern: ^[-._a-zA-Z0-9]+$
  23888. type: string
  23889. name:
  23890. description: The name of the Secret resource being referred to.
  23891. maxLength: 253
  23892. minLength: 1
  23893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23894. type: string
  23895. namespace:
  23896. description: |-
  23897. The namespace of the Secret resource being referred to.
  23898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23899. maxLength: 63
  23900. minLength: 1
  23901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23902. type: string
  23903. type: object
  23904. remoteNamespace:
  23905. default: default
  23906. description: Remote namespace to fetch the secrets from
  23907. maxLength: 63
  23908. minLength: 1
  23909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23910. type: string
  23911. server:
  23912. description: configures the Kubernetes server Address.
  23913. properties:
  23914. caBundle:
  23915. description: CABundle is a base64-encoded CA certificate
  23916. format: byte
  23917. type: string
  23918. caProvider:
  23919. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23920. properties:
  23921. key:
  23922. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23923. maxLength: 253
  23924. minLength: 1
  23925. pattern: ^[-._a-zA-Z0-9]+$
  23926. type: string
  23927. name:
  23928. description: The name of the object located at the provider type.
  23929. maxLength: 253
  23930. minLength: 1
  23931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23932. type: string
  23933. namespace:
  23934. description: |-
  23935. The namespace the Provider type is in.
  23936. Can only be defined when used in a ClusterSecretStore.
  23937. maxLength: 63
  23938. minLength: 1
  23939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23940. type: string
  23941. type:
  23942. description: The type of provider to use such as "Secret", or "ConfigMap".
  23943. enum:
  23944. - Secret
  23945. - ConfigMap
  23946. type: string
  23947. required:
  23948. - name
  23949. - type
  23950. type: object
  23951. url:
  23952. default: kubernetes.default
  23953. description: configures the Kubernetes server Address.
  23954. type: string
  23955. type: object
  23956. type: object
  23957. onboardbase:
  23958. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23959. properties:
  23960. apiHost:
  23961. default: https://public.onboardbase.com/api/v1/
  23962. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  23963. type: string
  23964. auth:
  23965. description: Auth configures how the Operator authenticates with the Onboardbase API
  23966. properties:
  23967. apiKeyRef:
  23968. description: |-
  23969. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23970. It is used to recognize and authorize access to a project and environment within onboardbase
  23971. properties:
  23972. key:
  23973. description: |-
  23974. A key in the referenced Secret.
  23975. Some instances of this field may be defaulted, in others it may be required.
  23976. maxLength: 253
  23977. minLength: 1
  23978. pattern: ^[-._a-zA-Z0-9]+$
  23979. type: string
  23980. name:
  23981. description: The name of the Secret resource being referred to.
  23982. maxLength: 253
  23983. minLength: 1
  23984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23985. type: string
  23986. namespace:
  23987. description: |-
  23988. The namespace of the Secret resource being referred to.
  23989. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23990. maxLength: 63
  23991. minLength: 1
  23992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23993. type: string
  23994. type: object
  23995. passcodeRef:
  23996. description: OnboardbasePasscode is the passcode attached to the API Key
  23997. properties:
  23998. key:
  23999. description: |-
  24000. A key in the referenced Secret.
  24001. Some instances of this field may be defaulted, in others it may be required.
  24002. maxLength: 253
  24003. minLength: 1
  24004. pattern: ^[-._a-zA-Z0-9]+$
  24005. type: string
  24006. name:
  24007. description: The name of the Secret resource being referred to.
  24008. maxLength: 253
  24009. minLength: 1
  24010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24011. type: string
  24012. namespace:
  24013. description: |-
  24014. The namespace of the Secret resource being referred to.
  24015. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24016. maxLength: 63
  24017. minLength: 1
  24018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24019. type: string
  24020. type: object
  24021. required:
  24022. - apiKeyRef
  24023. - passcodeRef
  24024. type: object
  24025. environment:
  24026. default: development
  24027. description: Environment is the name of an environmnent within a project to pull the secrets from
  24028. type: string
  24029. project:
  24030. default: development
  24031. description: Project is an onboardbase project that the secrets should be pulled from
  24032. type: string
  24033. required:
  24034. - apiHost
  24035. - auth
  24036. - environment
  24037. - project
  24038. type: object
  24039. onepassword:
  24040. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  24041. properties:
  24042. auth:
  24043. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  24044. properties:
  24045. secretRef:
  24046. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  24047. properties:
  24048. connectTokenSecretRef:
  24049. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  24050. properties:
  24051. key:
  24052. description: |-
  24053. A key in the referenced Secret.
  24054. Some instances of this field may be defaulted, in others it may be required.
  24055. maxLength: 253
  24056. minLength: 1
  24057. pattern: ^[-._a-zA-Z0-9]+$
  24058. type: string
  24059. name:
  24060. description: The name of the Secret resource being referred to.
  24061. maxLength: 253
  24062. minLength: 1
  24063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24064. type: string
  24065. namespace:
  24066. description: |-
  24067. The namespace of the Secret resource being referred to.
  24068. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24069. maxLength: 63
  24070. minLength: 1
  24071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24072. type: string
  24073. type: object
  24074. required:
  24075. - connectTokenSecretRef
  24076. type: object
  24077. required:
  24078. - secretRef
  24079. type: object
  24080. connectHost:
  24081. description: ConnectHost defines the OnePassword Connect Server to connect to
  24082. type: string
  24083. vaults:
  24084. additionalProperties:
  24085. type: integer
  24086. description: Vaults defines which OnePassword vaults to search in which order
  24087. type: object
  24088. required:
  24089. - auth
  24090. - connectHost
  24091. - vaults
  24092. type: object
  24093. oracle:
  24094. description: Oracle configures this store to sync secrets using Oracle Vault provider
  24095. properties:
  24096. auth:
  24097. description: |-
  24098. Auth configures how secret-manager authenticates with the Oracle Vault.
  24099. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  24100. properties:
  24101. secretRef:
  24102. description: SecretRef to pass through sensitive information.
  24103. properties:
  24104. fingerprint:
  24105. description: Fingerprint is the fingerprint of the API private key.
  24106. properties:
  24107. key:
  24108. description: |-
  24109. A key in the referenced Secret.
  24110. Some instances of this field may be defaulted, in others it may be required.
  24111. maxLength: 253
  24112. minLength: 1
  24113. pattern: ^[-._a-zA-Z0-9]+$
  24114. type: string
  24115. name:
  24116. description: The name of the Secret resource being referred to.
  24117. maxLength: 253
  24118. minLength: 1
  24119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24120. type: string
  24121. namespace:
  24122. description: |-
  24123. The namespace of the Secret resource being referred to.
  24124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24125. maxLength: 63
  24126. minLength: 1
  24127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24128. type: string
  24129. type: object
  24130. privatekey:
  24131. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  24132. properties:
  24133. key:
  24134. description: |-
  24135. A key in the referenced Secret.
  24136. Some instances of this field may be defaulted, in others it may be required.
  24137. maxLength: 253
  24138. minLength: 1
  24139. pattern: ^[-._a-zA-Z0-9]+$
  24140. type: string
  24141. name:
  24142. description: The name of the Secret resource being referred to.
  24143. maxLength: 253
  24144. minLength: 1
  24145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24146. type: string
  24147. namespace:
  24148. description: |-
  24149. The namespace of the Secret resource being referred to.
  24150. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24151. maxLength: 63
  24152. minLength: 1
  24153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24154. type: string
  24155. type: object
  24156. required:
  24157. - fingerprint
  24158. - privatekey
  24159. type: object
  24160. tenancy:
  24161. description: Tenancy is the tenancy OCID where user is located.
  24162. type: string
  24163. user:
  24164. description: User is an access OCID specific to the account.
  24165. type: string
  24166. required:
  24167. - secretRef
  24168. - tenancy
  24169. - user
  24170. type: object
  24171. compartment:
  24172. description: |-
  24173. Compartment is the vault compartment OCID.
  24174. Required for PushSecret
  24175. type: string
  24176. encryptionKey:
  24177. description: |-
  24178. EncryptionKey is the OCID of the encryption key within the vault.
  24179. Required for PushSecret
  24180. type: string
  24181. principalType:
  24182. description: |-
  24183. The type of principal to use for authentication. If left blank, the Auth struct will
  24184. determine the principal type. This optional field must be specified if using
  24185. workload identity.
  24186. enum:
  24187. - ""
  24188. - UserPrincipal
  24189. - InstancePrincipal
  24190. - Workload
  24191. type: string
  24192. region:
  24193. description: Region is the region where vault is located.
  24194. type: string
  24195. serviceAccountRef:
  24196. description: |-
  24197. ServiceAccountRef specified the service account
  24198. that should be used when authenticating with WorkloadIdentity.
  24199. properties:
  24200. audiences:
  24201. description: |-
  24202. Audience specifies the `aud` claim for the service account token
  24203. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24204. then this audiences will be appended to the list
  24205. items:
  24206. type: string
  24207. type: array
  24208. name:
  24209. description: The name of the ServiceAccount resource being referred to.
  24210. maxLength: 253
  24211. minLength: 1
  24212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24213. type: string
  24214. namespace:
  24215. description: |-
  24216. Namespace of the resource being referred to.
  24217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24218. maxLength: 63
  24219. minLength: 1
  24220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24221. type: string
  24222. required:
  24223. - name
  24224. type: object
  24225. vault:
  24226. description: Vault is the vault's OCID of the specific vault where secret is located.
  24227. type: string
  24228. required:
  24229. - region
  24230. - vault
  24231. type: object
  24232. passbolt:
  24233. description: PassboltProvider defines configuration for the Passbolt provider.
  24234. properties:
  24235. auth:
  24236. description: Auth defines the information necessary to authenticate against Passbolt Server
  24237. properties:
  24238. passwordSecretRef:
  24239. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  24240. properties:
  24241. key:
  24242. description: |-
  24243. A key in the referenced Secret.
  24244. Some instances of this field may be defaulted, in others it may be required.
  24245. maxLength: 253
  24246. minLength: 1
  24247. pattern: ^[-._a-zA-Z0-9]+$
  24248. type: string
  24249. name:
  24250. description: The name of the Secret resource being referred to.
  24251. maxLength: 253
  24252. minLength: 1
  24253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24254. type: string
  24255. namespace:
  24256. description: |-
  24257. The namespace of the Secret resource being referred to.
  24258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24259. maxLength: 63
  24260. minLength: 1
  24261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24262. type: string
  24263. type: object
  24264. privateKeySecretRef:
  24265. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  24266. properties:
  24267. key:
  24268. description: |-
  24269. A key in the referenced Secret.
  24270. Some instances of this field may be defaulted, in others it may be required.
  24271. maxLength: 253
  24272. minLength: 1
  24273. pattern: ^[-._a-zA-Z0-9]+$
  24274. type: string
  24275. name:
  24276. description: The name of the Secret resource being referred to.
  24277. maxLength: 253
  24278. minLength: 1
  24279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24280. type: string
  24281. namespace:
  24282. description: |-
  24283. The namespace of the Secret resource being referred to.
  24284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24285. maxLength: 63
  24286. minLength: 1
  24287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24288. type: string
  24289. type: object
  24290. required:
  24291. - passwordSecretRef
  24292. - privateKeySecretRef
  24293. type: object
  24294. host:
  24295. description: Host defines the Passbolt Server to connect to
  24296. type: string
  24297. required:
  24298. - auth
  24299. - host
  24300. type: object
  24301. passworddepot:
  24302. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  24303. properties:
  24304. auth:
  24305. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  24306. properties:
  24307. secretRef:
  24308. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  24309. properties:
  24310. credentials:
  24311. description: Username / Password is used for authentication.
  24312. properties:
  24313. key:
  24314. description: |-
  24315. A key in the referenced Secret.
  24316. Some instances of this field may be defaulted, in others it may be required.
  24317. maxLength: 253
  24318. minLength: 1
  24319. pattern: ^[-._a-zA-Z0-9]+$
  24320. type: string
  24321. name:
  24322. description: The name of the Secret resource being referred to.
  24323. maxLength: 253
  24324. minLength: 1
  24325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24326. type: string
  24327. namespace:
  24328. description: |-
  24329. The namespace of the Secret resource being referred to.
  24330. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24331. maxLength: 63
  24332. minLength: 1
  24333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24334. type: string
  24335. type: object
  24336. type: object
  24337. required:
  24338. - secretRef
  24339. type: object
  24340. database:
  24341. description: Database to use as source
  24342. type: string
  24343. host:
  24344. description: URL configures the Password Depot instance URL.
  24345. type: string
  24346. required:
  24347. - auth
  24348. - database
  24349. - host
  24350. type: object
  24351. previder:
  24352. description: Previder configures this store to sync secrets using the Previder provider
  24353. properties:
  24354. auth:
  24355. description: PreviderAuth contains a secretRef for credentials.
  24356. properties:
  24357. secretRef:
  24358. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  24359. properties:
  24360. accessToken:
  24361. description: The AccessToken is used for authentication
  24362. properties:
  24363. key:
  24364. description: |-
  24365. A key in the referenced Secret.
  24366. Some instances of this field may be defaulted, in others it may be required.
  24367. maxLength: 253
  24368. minLength: 1
  24369. pattern: ^[-._a-zA-Z0-9]+$
  24370. type: string
  24371. name:
  24372. description: The name of the Secret resource being referred to.
  24373. maxLength: 253
  24374. minLength: 1
  24375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24376. type: string
  24377. namespace:
  24378. description: |-
  24379. The namespace of the Secret resource being referred to.
  24380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24381. maxLength: 63
  24382. minLength: 1
  24383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24384. type: string
  24385. type: object
  24386. required:
  24387. - accessToken
  24388. type: object
  24389. type: object
  24390. baseUri:
  24391. type: string
  24392. required:
  24393. - auth
  24394. type: object
  24395. pulumi:
  24396. description: Pulumi configures this store to sync secrets using the Pulumi provider
  24397. properties:
  24398. accessToken:
  24399. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  24400. properties:
  24401. secretRef:
  24402. description: SecretRef is a reference to a secret containing the Pulumi API token.
  24403. properties:
  24404. key:
  24405. description: |-
  24406. A key in the referenced Secret.
  24407. Some instances of this field may be defaulted, in others it may be required.
  24408. maxLength: 253
  24409. minLength: 1
  24410. pattern: ^[-._a-zA-Z0-9]+$
  24411. type: string
  24412. name:
  24413. description: The name of the Secret resource being referred to.
  24414. maxLength: 253
  24415. minLength: 1
  24416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24417. type: string
  24418. namespace:
  24419. description: |-
  24420. The namespace of the Secret resource being referred to.
  24421. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24422. maxLength: 63
  24423. minLength: 1
  24424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24425. type: string
  24426. type: object
  24427. type: object
  24428. apiUrl:
  24429. default: https://api.pulumi.com/api/esc
  24430. description: APIURL is the URL of the Pulumi API.
  24431. type: string
  24432. environment:
  24433. description: |-
  24434. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  24435. dynamically retrieved values from supported providers including all major clouds,
  24436. and other Pulumi ESC environments.
  24437. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  24438. type: string
  24439. organization:
  24440. description: |-
  24441. Organization are a space to collaborate on shared projects and stacks.
  24442. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  24443. type: string
  24444. project:
  24445. description: Project is the name of the Pulumi ESC project the environment belongs to.
  24446. type: string
  24447. required:
  24448. - accessToken
  24449. - environment
  24450. - organization
  24451. - project
  24452. type: object
  24453. scaleway:
  24454. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  24455. properties:
  24456. accessKey:
  24457. description: AccessKey is the non-secret part of the api key.
  24458. properties:
  24459. secretRef:
  24460. description: SecretRef references a key in a secret that will be used as value.
  24461. properties:
  24462. key:
  24463. description: |-
  24464. A key in the referenced Secret.
  24465. Some instances of this field may be defaulted, in others it may be required.
  24466. maxLength: 253
  24467. minLength: 1
  24468. pattern: ^[-._a-zA-Z0-9]+$
  24469. type: string
  24470. name:
  24471. description: The name of the Secret resource being referred to.
  24472. maxLength: 253
  24473. minLength: 1
  24474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24475. type: string
  24476. namespace:
  24477. description: |-
  24478. The namespace of the Secret resource being referred to.
  24479. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24480. maxLength: 63
  24481. minLength: 1
  24482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24483. type: string
  24484. type: object
  24485. value:
  24486. description: Value can be specified directly to set a value without using a secret.
  24487. type: string
  24488. type: object
  24489. apiUrl:
  24490. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  24491. type: string
  24492. projectId:
  24493. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  24494. type: string
  24495. region:
  24496. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  24497. type: string
  24498. secretKey:
  24499. description: SecretKey is the non-secret part of the api key.
  24500. properties:
  24501. secretRef:
  24502. description: SecretRef references a key in a secret that will be used as value.
  24503. properties:
  24504. key:
  24505. description: |-
  24506. A key in the referenced Secret.
  24507. Some instances of this field may be defaulted, in others it may be required.
  24508. maxLength: 253
  24509. minLength: 1
  24510. pattern: ^[-._a-zA-Z0-9]+$
  24511. type: string
  24512. name:
  24513. description: The name of the Secret resource being referred to.
  24514. maxLength: 253
  24515. minLength: 1
  24516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24517. type: string
  24518. namespace:
  24519. description: |-
  24520. The namespace of the Secret resource being referred to.
  24521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24522. maxLength: 63
  24523. minLength: 1
  24524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24525. type: string
  24526. type: object
  24527. value:
  24528. description: Value can be specified directly to set a value without using a secret.
  24529. type: string
  24530. type: object
  24531. required:
  24532. - accessKey
  24533. - projectId
  24534. - region
  24535. - secretKey
  24536. type: object
  24537. secretserver:
  24538. description: |-
  24539. SecretServer configures this store to sync secrets using SecretServer provider
  24540. https://docs.delinea.com/online-help/secret-server/start.htm
  24541. properties:
  24542. password:
  24543. description: Password is the secret server account password.
  24544. properties:
  24545. secretRef:
  24546. description: SecretRef references a key in a secret that will be used as value.
  24547. properties:
  24548. key:
  24549. description: |-
  24550. A key in the referenced Secret.
  24551. Some instances of this field may be defaulted, in others it may be required.
  24552. maxLength: 253
  24553. minLength: 1
  24554. pattern: ^[-._a-zA-Z0-9]+$
  24555. type: string
  24556. name:
  24557. description: The name of the Secret resource being referred to.
  24558. maxLength: 253
  24559. minLength: 1
  24560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24561. type: string
  24562. namespace:
  24563. description: |-
  24564. The namespace of the Secret resource being referred to.
  24565. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24566. maxLength: 63
  24567. minLength: 1
  24568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24569. type: string
  24570. type: object
  24571. value:
  24572. description: Value can be specified directly to set a value without using a secret.
  24573. type: string
  24574. type: object
  24575. serverURL:
  24576. description: |-
  24577. ServerURL
  24578. URL to your secret server installation
  24579. type: string
  24580. username:
  24581. description: Username is the secret server account username.
  24582. properties:
  24583. secretRef:
  24584. description: SecretRef references a key in a secret that will be used as value.
  24585. properties:
  24586. key:
  24587. description: |-
  24588. A key in the referenced Secret.
  24589. Some instances of this field may be defaulted, in others it may be required.
  24590. maxLength: 253
  24591. minLength: 1
  24592. pattern: ^[-._a-zA-Z0-9]+$
  24593. type: string
  24594. name:
  24595. description: The name of the Secret resource being referred to.
  24596. maxLength: 253
  24597. minLength: 1
  24598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24599. type: string
  24600. namespace:
  24601. description: |-
  24602. The namespace of the Secret resource being referred to.
  24603. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24604. maxLength: 63
  24605. minLength: 1
  24606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24607. type: string
  24608. type: object
  24609. value:
  24610. description: Value can be specified directly to set a value without using a secret.
  24611. type: string
  24612. type: object
  24613. required:
  24614. - password
  24615. - serverURL
  24616. - username
  24617. type: object
  24618. senhasegura:
  24619. description: Senhasegura configures this store to sync secrets using senhasegura provider
  24620. properties:
  24621. auth:
  24622. description: Auth defines parameters to authenticate in senhasegura
  24623. properties:
  24624. clientId:
  24625. type: string
  24626. clientSecretSecretRef:
  24627. description: |-
  24628. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24629. In some instances, `key` is a required field.
  24630. properties:
  24631. key:
  24632. description: |-
  24633. A key in the referenced Secret.
  24634. Some instances of this field may be defaulted, in others it may be required.
  24635. maxLength: 253
  24636. minLength: 1
  24637. pattern: ^[-._a-zA-Z0-9]+$
  24638. type: string
  24639. name:
  24640. description: The name of the Secret resource being referred to.
  24641. maxLength: 253
  24642. minLength: 1
  24643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24644. type: string
  24645. namespace:
  24646. description: |-
  24647. The namespace of the Secret resource being referred to.
  24648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24649. maxLength: 63
  24650. minLength: 1
  24651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24652. type: string
  24653. type: object
  24654. required:
  24655. - clientId
  24656. - clientSecretSecretRef
  24657. type: object
  24658. ignoreSslCertificate:
  24659. default: false
  24660. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  24661. type: boolean
  24662. module:
  24663. description: Module defines which senhasegura module should be used to get secrets
  24664. type: string
  24665. url:
  24666. description: URL of senhasegura
  24667. type: string
  24668. required:
  24669. - auth
  24670. - module
  24671. - url
  24672. type: object
  24673. vault:
  24674. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24675. properties:
  24676. auth:
  24677. description: Auth configures how secret-manager authenticates with the Vault server.
  24678. properties:
  24679. appRole:
  24680. description: |-
  24681. AppRole authenticates with Vault using the App Role auth mechanism,
  24682. with the role and secret stored in a Kubernetes Secret resource.
  24683. properties:
  24684. path:
  24685. default: approle
  24686. description: |-
  24687. Path where the App Role authentication backend is mounted
  24688. in Vault, e.g: "approle"
  24689. type: string
  24690. roleId:
  24691. description: |-
  24692. RoleID configured in the App Role authentication backend when setting
  24693. up the authentication backend in Vault.
  24694. type: string
  24695. roleRef:
  24696. description: |-
  24697. Reference to a key in a Secret that contains the App Role ID used
  24698. to authenticate with Vault.
  24699. The `key` field must be specified and denotes which entry within the Secret
  24700. resource is used as the app role id.
  24701. properties:
  24702. key:
  24703. description: |-
  24704. A key in the referenced Secret.
  24705. Some instances of this field may be defaulted, in others it may be required.
  24706. maxLength: 253
  24707. minLength: 1
  24708. pattern: ^[-._a-zA-Z0-9]+$
  24709. type: string
  24710. name:
  24711. description: The name of the Secret resource being referred to.
  24712. maxLength: 253
  24713. minLength: 1
  24714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24715. type: string
  24716. namespace:
  24717. description: |-
  24718. The namespace of the Secret resource being referred to.
  24719. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24720. maxLength: 63
  24721. minLength: 1
  24722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24723. type: string
  24724. type: object
  24725. secretRef:
  24726. description: |-
  24727. Reference to a key in a Secret that contains the App Role secret used
  24728. to authenticate with Vault.
  24729. The `key` field must be specified and denotes which entry within the Secret
  24730. resource is used as the app role secret.
  24731. properties:
  24732. key:
  24733. description: |-
  24734. A key in the referenced Secret.
  24735. Some instances of this field may be defaulted, in others it may be required.
  24736. maxLength: 253
  24737. minLength: 1
  24738. pattern: ^[-._a-zA-Z0-9]+$
  24739. type: string
  24740. name:
  24741. description: The name of the Secret resource being referred to.
  24742. maxLength: 253
  24743. minLength: 1
  24744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24745. type: string
  24746. namespace:
  24747. description: |-
  24748. The namespace of the Secret resource being referred to.
  24749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24750. maxLength: 63
  24751. minLength: 1
  24752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24753. type: string
  24754. type: object
  24755. required:
  24756. - path
  24757. - secretRef
  24758. type: object
  24759. cert:
  24760. description: |-
  24761. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  24762. Cert authentication method
  24763. properties:
  24764. clientCert:
  24765. description: |-
  24766. ClientCert is a certificate to authenticate using the Cert Vault
  24767. authentication method
  24768. properties:
  24769. key:
  24770. description: |-
  24771. A key in the referenced Secret.
  24772. Some instances of this field may be defaulted, in others it may be required.
  24773. maxLength: 253
  24774. minLength: 1
  24775. pattern: ^[-._a-zA-Z0-9]+$
  24776. type: string
  24777. name:
  24778. description: The name of the Secret resource being referred to.
  24779. maxLength: 253
  24780. minLength: 1
  24781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24782. type: string
  24783. namespace:
  24784. description: |-
  24785. The namespace of the Secret resource being referred to.
  24786. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24787. maxLength: 63
  24788. minLength: 1
  24789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24790. type: string
  24791. type: object
  24792. secretRef:
  24793. description: |-
  24794. SecretRef to a key in a Secret resource containing client private key to
  24795. authenticate with Vault using the Cert authentication method
  24796. properties:
  24797. key:
  24798. description: |-
  24799. A key in the referenced Secret.
  24800. Some instances of this field may be defaulted, in others it may be required.
  24801. maxLength: 253
  24802. minLength: 1
  24803. pattern: ^[-._a-zA-Z0-9]+$
  24804. type: string
  24805. name:
  24806. description: The name of the Secret resource being referred to.
  24807. maxLength: 253
  24808. minLength: 1
  24809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24810. type: string
  24811. namespace:
  24812. description: |-
  24813. The namespace of the Secret resource being referred to.
  24814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24815. maxLength: 63
  24816. minLength: 1
  24817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24818. type: string
  24819. type: object
  24820. type: object
  24821. iam:
  24822. description: |-
  24823. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  24824. AWS IAM authentication method
  24825. properties:
  24826. externalID:
  24827. description: AWS External ID set on assumed IAM roles
  24828. type: string
  24829. jwt:
  24830. description: Specify a service account with IRSA enabled
  24831. properties:
  24832. serviceAccountRef:
  24833. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24834. properties:
  24835. audiences:
  24836. description: |-
  24837. Audience specifies the `aud` claim for the service account token
  24838. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24839. then this audiences will be appended to the list
  24840. items:
  24841. type: string
  24842. type: array
  24843. name:
  24844. description: The name of the ServiceAccount resource being referred to.
  24845. maxLength: 253
  24846. minLength: 1
  24847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24848. type: string
  24849. namespace:
  24850. description: |-
  24851. Namespace of the resource being referred to.
  24852. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24853. maxLength: 63
  24854. minLength: 1
  24855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24856. type: string
  24857. required:
  24858. - name
  24859. type: object
  24860. type: object
  24861. path:
  24862. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24863. type: string
  24864. region:
  24865. description: AWS region
  24866. type: string
  24867. role:
  24868. description: This is the AWS role to be assumed before talking to vault
  24869. type: string
  24870. secretRef:
  24871. description: Specify credentials in a Secret object
  24872. properties:
  24873. accessKeyIDSecretRef:
  24874. description: The AccessKeyID is used for authentication
  24875. properties:
  24876. key:
  24877. description: |-
  24878. A key in the referenced Secret.
  24879. Some instances of this field may be defaulted, in others it may be required.
  24880. maxLength: 253
  24881. minLength: 1
  24882. pattern: ^[-._a-zA-Z0-9]+$
  24883. type: string
  24884. name:
  24885. description: The name of the Secret resource being referred to.
  24886. maxLength: 253
  24887. minLength: 1
  24888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24889. type: string
  24890. namespace:
  24891. description: |-
  24892. The namespace of the Secret resource being referred to.
  24893. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24894. maxLength: 63
  24895. minLength: 1
  24896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24897. type: string
  24898. type: object
  24899. secretAccessKeySecretRef:
  24900. description: The SecretAccessKey is used for authentication
  24901. properties:
  24902. key:
  24903. description: |-
  24904. A key in the referenced Secret.
  24905. Some instances of this field may be defaulted, in others it may be required.
  24906. maxLength: 253
  24907. minLength: 1
  24908. pattern: ^[-._a-zA-Z0-9]+$
  24909. type: string
  24910. name:
  24911. description: The name of the Secret resource being referred to.
  24912. maxLength: 253
  24913. minLength: 1
  24914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24915. type: string
  24916. namespace:
  24917. description: |-
  24918. The namespace of the Secret resource being referred to.
  24919. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24920. maxLength: 63
  24921. minLength: 1
  24922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24923. type: string
  24924. type: object
  24925. sessionTokenSecretRef:
  24926. description: |-
  24927. The SessionToken used for authentication
  24928. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24929. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24930. properties:
  24931. key:
  24932. description: |-
  24933. A key in the referenced Secret.
  24934. Some instances of this field may be defaulted, in others it may be required.
  24935. maxLength: 253
  24936. minLength: 1
  24937. pattern: ^[-._a-zA-Z0-9]+$
  24938. type: string
  24939. name:
  24940. description: The name of the Secret resource being referred to.
  24941. maxLength: 253
  24942. minLength: 1
  24943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24944. type: string
  24945. namespace:
  24946. description: |-
  24947. The namespace of the Secret resource being referred to.
  24948. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24949. maxLength: 63
  24950. minLength: 1
  24951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24952. type: string
  24953. type: object
  24954. type: object
  24955. vaultAwsIamServerID:
  24956. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24957. type: string
  24958. vaultRole:
  24959. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  24960. type: string
  24961. required:
  24962. - vaultRole
  24963. type: object
  24964. jwt:
  24965. description: |-
  24966. Jwt authenticates with Vault by passing role and JWT token using the
  24967. JWT/OIDC authentication method
  24968. properties:
  24969. kubernetesServiceAccountToken:
  24970. description: |-
  24971. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  24972. a token for with the `TokenRequest` API.
  24973. properties:
  24974. audiences:
  24975. description: |-
  24976. Optional audiences field that will be used to request a temporary Kubernetes service
  24977. account token for the service account referenced by `serviceAccountRef`.
  24978. Defaults to a single audience `vault` it not specified.
  24979. Deprecated: use serviceAccountRef.Audiences instead
  24980. items:
  24981. type: string
  24982. type: array
  24983. expirationSeconds:
  24984. description: |-
  24985. Optional expiration time in seconds that will be used to request a temporary
  24986. Kubernetes service account token for the service account referenced by
  24987. `serviceAccountRef`.
  24988. Deprecated: this will be removed in the future.
  24989. Defaults to 10 minutes.
  24990. type: integer
  24991. serviceAccountRef:
  24992. description: Service account field containing the name of a kubernetes ServiceAccount.
  24993. properties:
  24994. audiences:
  24995. description: |-
  24996. Audience specifies the `aud` claim for the service account token
  24997. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24998. then this audiences will be appended to the list
  24999. items:
  25000. type: string
  25001. type: array
  25002. name:
  25003. description: The name of the ServiceAccount resource being referred to.
  25004. maxLength: 253
  25005. minLength: 1
  25006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25007. type: string
  25008. namespace:
  25009. description: |-
  25010. Namespace of the resource being referred to.
  25011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25012. maxLength: 63
  25013. minLength: 1
  25014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25015. type: string
  25016. required:
  25017. - name
  25018. type: object
  25019. required:
  25020. - serviceAccountRef
  25021. type: object
  25022. path:
  25023. default: jwt
  25024. description: |-
  25025. Path where the JWT authentication backend is mounted
  25026. in Vault, e.g: "jwt"
  25027. type: string
  25028. role:
  25029. description: |-
  25030. Role is a JWT role to authenticate using the JWT/OIDC Vault
  25031. authentication method
  25032. type: string
  25033. secretRef:
  25034. description: |-
  25035. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  25036. authenticate with Vault using the JWT/OIDC authentication method.
  25037. properties:
  25038. key:
  25039. description: |-
  25040. A key in the referenced Secret.
  25041. Some instances of this field may be defaulted, in others it may be required.
  25042. maxLength: 253
  25043. minLength: 1
  25044. pattern: ^[-._a-zA-Z0-9]+$
  25045. type: string
  25046. name:
  25047. description: The name of the Secret resource being referred to.
  25048. maxLength: 253
  25049. minLength: 1
  25050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25051. type: string
  25052. namespace:
  25053. description: |-
  25054. The namespace of the Secret resource being referred to.
  25055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25056. maxLength: 63
  25057. minLength: 1
  25058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25059. type: string
  25060. type: object
  25061. required:
  25062. - path
  25063. type: object
  25064. kubernetes:
  25065. description: |-
  25066. Kubernetes authenticates with Vault by passing the ServiceAccount
  25067. token stored in the named Secret resource to the Vault server.
  25068. properties:
  25069. mountPath:
  25070. default: kubernetes
  25071. description: |-
  25072. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  25073. "kubernetes"
  25074. type: string
  25075. role:
  25076. description: |-
  25077. A required field containing the Vault Role to assume. A Role binds a
  25078. Kubernetes ServiceAccount with a set of Vault policies.
  25079. type: string
  25080. secretRef:
  25081. description: |-
  25082. Optional secret field containing a Kubernetes ServiceAccount JWT used
  25083. for authenticating with Vault. If a name is specified without a key,
  25084. `token` is the default. If one is not specified, the one bound to
  25085. the controller will be used.
  25086. properties:
  25087. key:
  25088. description: |-
  25089. A key in the referenced Secret.
  25090. Some instances of this field may be defaulted, in others it may be required.
  25091. maxLength: 253
  25092. minLength: 1
  25093. pattern: ^[-._a-zA-Z0-9]+$
  25094. type: string
  25095. name:
  25096. description: The name of the Secret resource being referred to.
  25097. maxLength: 253
  25098. minLength: 1
  25099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25100. type: string
  25101. namespace:
  25102. description: |-
  25103. The namespace of the Secret resource being referred to.
  25104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25105. maxLength: 63
  25106. minLength: 1
  25107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25108. type: string
  25109. type: object
  25110. serviceAccountRef:
  25111. description: |-
  25112. Optional service account field containing the name of a kubernetes ServiceAccount.
  25113. If the service account is specified, the service account secret token JWT will be used
  25114. for authenticating with Vault. If the service account selector is not supplied,
  25115. the secretRef will be used instead.
  25116. properties:
  25117. audiences:
  25118. description: |-
  25119. Audience specifies the `aud` claim for the service account token
  25120. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25121. then this audiences will be appended to the list
  25122. items:
  25123. type: string
  25124. type: array
  25125. name:
  25126. description: The name of the ServiceAccount resource being referred to.
  25127. maxLength: 253
  25128. minLength: 1
  25129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25130. type: string
  25131. namespace:
  25132. description: |-
  25133. Namespace of the resource being referred to.
  25134. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25135. maxLength: 63
  25136. minLength: 1
  25137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25138. type: string
  25139. required:
  25140. - name
  25141. type: object
  25142. required:
  25143. - mountPath
  25144. - role
  25145. type: object
  25146. ldap:
  25147. description: |-
  25148. Ldap authenticates with Vault by passing username/password pair using
  25149. the LDAP authentication method
  25150. properties:
  25151. path:
  25152. default: ldap
  25153. description: |-
  25154. Path where the LDAP authentication backend is mounted
  25155. in Vault, e.g: "ldap"
  25156. type: string
  25157. secretRef:
  25158. description: |-
  25159. SecretRef to a key in a Secret resource containing password for the LDAP
  25160. user used to authenticate with Vault using the LDAP authentication
  25161. method
  25162. properties:
  25163. key:
  25164. description: |-
  25165. A key in the referenced Secret.
  25166. Some instances of this field may be defaulted, in others it may be required.
  25167. maxLength: 253
  25168. minLength: 1
  25169. pattern: ^[-._a-zA-Z0-9]+$
  25170. type: string
  25171. name:
  25172. description: The name of the Secret resource being referred to.
  25173. maxLength: 253
  25174. minLength: 1
  25175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25176. type: string
  25177. namespace:
  25178. description: |-
  25179. The namespace of the Secret resource being referred to.
  25180. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25181. maxLength: 63
  25182. minLength: 1
  25183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25184. type: string
  25185. type: object
  25186. username:
  25187. description: |-
  25188. Username is an LDAP username used to authenticate using the LDAP Vault
  25189. authentication method
  25190. type: string
  25191. required:
  25192. - path
  25193. - username
  25194. type: object
  25195. namespace:
  25196. description: |-
  25197. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  25198. Namespaces is a set of features within Vault Enterprise that allows
  25199. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25200. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25201. This will default to Vault.Namespace field if set, or empty otherwise
  25202. type: string
  25203. tokenSecretRef:
  25204. description: TokenSecretRef authenticates with Vault by presenting a token.
  25205. properties:
  25206. key:
  25207. description: |-
  25208. A key in the referenced Secret.
  25209. Some instances of this field may be defaulted, in others it may be required.
  25210. maxLength: 253
  25211. minLength: 1
  25212. pattern: ^[-._a-zA-Z0-9]+$
  25213. type: string
  25214. name:
  25215. description: The name of the Secret resource being referred to.
  25216. maxLength: 253
  25217. minLength: 1
  25218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25219. type: string
  25220. namespace:
  25221. description: |-
  25222. The namespace of the Secret resource being referred to.
  25223. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25224. maxLength: 63
  25225. minLength: 1
  25226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25227. type: string
  25228. type: object
  25229. userPass:
  25230. description: UserPass authenticates with Vault by passing username/password pair
  25231. properties:
  25232. path:
  25233. default: userpass
  25234. description: |-
  25235. Path where the UserPassword authentication backend is mounted
  25236. in Vault, e.g: "userpass"
  25237. type: string
  25238. secretRef:
  25239. description: |-
  25240. SecretRef to a key in a Secret resource containing password for the
  25241. user used to authenticate with Vault using the UserPass authentication
  25242. method
  25243. properties:
  25244. key:
  25245. description: |-
  25246. A key in the referenced Secret.
  25247. Some instances of this field may be defaulted, in others it may be required.
  25248. maxLength: 253
  25249. minLength: 1
  25250. pattern: ^[-._a-zA-Z0-9]+$
  25251. type: string
  25252. name:
  25253. description: The name of the Secret resource being referred to.
  25254. maxLength: 253
  25255. minLength: 1
  25256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25257. type: string
  25258. namespace:
  25259. description: |-
  25260. The namespace of the Secret resource being referred to.
  25261. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25262. maxLength: 63
  25263. minLength: 1
  25264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25265. type: string
  25266. type: object
  25267. username:
  25268. description: |-
  25269. Username is a username used to authenticate using the UserPass Vault
  25270. authentication method
  25271. type: string
  25272. required:
  25273. - path
  25274. - username
  25275. type: object
  25276. type: object
  25277. caBundle:
  25278. description: |-
  25279. PEM encoded CA bundle used to validate Vault server certificate. Only used
  25280. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25281. plain HTTP protocol connection. If not set the system root certificates
  25282. are used to validate the TLS connection.
  25283. format: byte
  25284. type: string
  25285. caProvider:
  25286. description: The provider for the CA bundle to use to validate Vault server certificate.
  25287. properties:
  25288. key:
  25289. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25290. maxLength: 253
  25291. minLength: 1
  25292. pattern: ^[-._a-zA-Z0-9]+$
  25293. type: string
  25294. name:
  25295. description: The name of the object located at the provider type.
  25296. maxLength: 253
  25297. minLength: 1
  25298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25299. type: string
  25300. namespace:
  25301. description: |-
  25302. The namespace the Provider type is in.
  25303. Can only be defined when used in a ClusterSecretStore.
  25304. maxLength: 63
  25305. minLength: 1
  25306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25307. type: string
  25308. type:
  25309. description: The type of provider to use such as "Secret", or "ConfigMap".
  25310. enum:
  25311. - Secret
  25312. - ConfigMap
  25313. type: string
  25314. required:
  25315. - name
  25316. - type
  25317. type: object
  25318. forwardInconsistent:
  25319. description: |-
  25320. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  25321. leader instead of simply retrying within a loop. This can increase performance if
  25322. the option is enabled serverside.
  25323. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  25324. type: boolean
  25325. headers:
  25326. additionalProperties:
  25327. type: string
  25328. description: Headers to be added in Vault request
  25329. type: object
  25330. namespace:
  25331. description: |-
  25332. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  25333. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25334. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25335. type: string
  25336. path:
  25337. description: |-
  25338. Path is the mount path of the Vault KV backend endpoint, e.g:
  25339. "secret". The v2 KV secret engine version specific "/data" path suffix
  25340. for fetching secrets from Vault is optional and will be appended
  25341. if not present in specified path.
  25342. type: string
  25343. readYourWrites:
  25344. description: |-
  25345. ReadYourWrites ensures isolated read-after-write semantics by
  25346. providing discovered cluster replication states in each request.
  25347. More information about eventual consistency in Vault can be found here
  25348. https://www.vaultproject.io/docs/enterprise/consistency
  25349. type: boolean
  25350. server:
  25351. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  25352. type: string
  25353. tls:
  25354. description: |-
  25355. The configuration used for client side related TLS communication, when the Vault server
  25356. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  25357. This parameter is ignored for plain HTTP protocol connection.
  25358. It's worth noting this configuration is different from the "TLS certificates auth method",
  25359. which is available under the `auth.cert` section.
  25360. properties:
  25361. certSecretRef:
  25362. description: |-
  25363. CertSecretRef is a certificate added to the transport layer
  25364. when communicating with the Vault server.
  25365. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  25366. properties:
  25367. key:
  25368. description: |-
  25369. A key in the referenced Secret.
  25370. Some instances of this field may be defaulted, in others it may be required.
  25371. maxLength: 253
  25372. minLength: 1
  25373. pattern: ^[-._a-zA-Z0-9]+$
  25374. type: string
  25375. name:
  25376. description: The name of the Secret resource being referred to.
  25377. maxLength: 253
  25378. minLength: 1
  25379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25380. type: string
  25381. namespace:
  25382. description: |-
  25383. The namespace of the Secret resource being referred to.
  25384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25385. maxLength: 63
  25386. minLength: 1
  25387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25388. type: string
  25389. type: object
  25390. keySecretRef:
  25391. description: |-
  25392. KeySecretRef to a key in a Secret resource containing client private key
  25393. added to the transport layer when communicating with the Vault server.
  25394. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  25395. properties:
  25396. key:
  25397. description: |-
  25398. A key in the referenced Secret.
  25399. Some instances of this field may be defaulted, in others it may be required.
  25400. maxLength: 253
  25401. minLength: 1
  25402. pattern: ^[-._a-zA-Z0-9]+$
  25403. type: string
  25404. name:
  25405. description: The name of the Secret resource being referred to.
  25406. maxLength: 253
  25407. minLength: 1
  25408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25409. type: string
  25410. namespace:
  25411. description: |-
  25412. The namespace of the Secret resource being referred to.
  25413. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25414. maxLength: 63
  25415. minLength: 1
  25416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25417. type: string
  25418. type: object
  25419. type: object
  25420. version:
  25421. default: v2
  25422. description: |-
  25423. Version is the Vault KV secret engine version. This can be either "v1" or
  25424. "v2". Version defaults to "v2".
  25425. enum:
  25426. - v1
  25427. - v2
  25428. type: string
  25429. required:
  25430. - server
  25431. type: object
  25432. webhook:
  25433. description: Webhook configures this store to sync secrets using a generic templated webhook
  25434. properties:
  25435. auth:
  25436. description: Auth specifies a authorization protocol. Only one protocol may be set.
  25437. maxProperties: 1
  25438. minProperties: 1
  25439. properties:
  25440. ntlm:
  25441. description: NTLMProtocol configures the store to use NTLM for auth
  25442. properties:
  25443. passwordSecret:
  25444. description: |-
  25445. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25446. In some instances, `key` is a required field.
  25447. properties:
  25448. key:
  25449. description: |-
  25450. A key in the referenced Secret.
  25451. Some instances of this field may be defaulted, in others it may be required.
  25452. maxLength: 253
  25453. minLength: 1
  25454. pattern: ^[-._a-zA-Z0-9]+$
  25455. type: string
  25456. name:
  25457. description: The name of the Secret resource being referred to.
  25458. maxLength: 253
  25459. minLength: 1
  25460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25461. type: string
  25462. namespace:
  25463. description: |-
  25464. The namespace of the Secret resource being referred to.
  25465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25466. maxLength: 63
  25467. minLength: 1
  25468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25469. type: string
  25470. type: object
  25471. usernameSecret:
  25472. description: |-
  25473. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25474. In some instances, `key` is a required field.
  25475. properties:
  25476. key:
  25477. description: |-
  25478. A key in the referenced Secret.
  25479. Some instances of this field may be defaulted, in others it may be required.
  25480. maxLength: 253
  25481. minLength: 1
  25482. pattern: ^[-._a-zA-Z0-9]+$
  25483. type: string
  25484. name:
  25485. description: The name of the Secret resource being referred to.
  25486. maxLength: 253
  25487. minLength: 1
  25488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25489. type: string
  25490. namespace:
  25491. description: |-
  25492. The namespace of the Secret resource being referred to.
  25493. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25494. maxLength: 63
  25495. minLength: 1
  25496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25497. type: string
  25498. type: object
  25499. required:
  25500. - passwordSecret
  25501. - usernameSecret
  25502. type: object
  25503. type: object
  25504. body:
  25505. description: Body
  25506. type: string
  25507. caBundle:
  25508. description: |-
  25509. PEM encoded CA bundle used to validate webhook server certificate. Only used
  25510. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25511. plain HTTP protocol connection. If not set the system root certificates
  25512. are used to validate the TLS connection.
  25513. format: byte
  25514. type: string
  25515. caProvider:
  25516. description: The provider for the CA bundle to use to validate webhook server certificate.
  25517. properties:
  25518. key:
  25519. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25520. maxLength: 253
  25521. minLength: 1
  25522. pattern: ^[-._a-zA-Z0-9]+$
  25523. type: string
  25524. name:
  25525. description: The name of the object located at the provider type.
  25526. maxLength: 253
  25527. minLength: 1
  25528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25529. type: string
  25530. namespace:
  25531. description: The namespace the Provider type is in.
  25532. maxLength: 63
  25533. minLength: 1
  25534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25535. type: string
  25536. type:
  25537. description: The type of provider to use such as "Secret", or "ConfigMap".
  25538. enum:
  25539. - Secret
  25540. - ConfigMap
  25541. type: string
  25542. required:
  25543. - name
  25544. - type
  25545. type: object
  25546. headers:
  25547. additionalProperties:
  25548. type: string
  25549. description: Headers
  25550. type: object
  25551. method:
  25552. description: Webhook Method
  25553. type: string
  25554. result:
  25555. description: Result formatting
  25556. properties:
  25557. jsonPath:
  25558. description: Json path of return value
  25559. type: string
  25560. type: object
  25561. secrets:
  25562. description: |-
  25563. Secrets to fill in templates
  25564. These secrets will be passed to the templating function as key value pairs under the given name
  25565. items:
  25566. description: WebhookSecret defines a secret to be used in webhook templates.
  25567. properties:
  25568. name:
  25569. description: Name of this secret in templates
  25570. type: string
  25571. secretRef:
  25572. description: Secret ref to fill in credentials
  25573. properties:
  25574. key:
  25575. description: |-
  25576. A key in the referenced Secret.
  25577. Some instances of this field may be defaulted, in others it may be required.
  25578. maxLength: 253
  25579. minLength: 1
  25580. pattern: ^[-._a-zA-Z0-9]+$
  25581. type: string
  25582. name:
  25583. description: The name of the Secret resource being referred to.
  25584. maxLength: 253
  25585. minLength: 1
  25586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25587. type: string
  25588. namespace:
  25589. description: |-
  25590. The namespace of the Secret resource being referred to.
  25591. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25592. maxLength: 63
  25593. minLength: 1
  25594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25595. type: string
  25596. type: object
  25597. required:
  25598. - name
  25599. - secretRef
  25600. type: object
  25601. type: array
  25602. timeout:
  25603. description: Timeout
  25604. type: string
  25605. url:
  25606. description: Webhook url to call
  25607. type: string
  25608. required:
  25609. - result
  25610. - url
  25611. type: object
  25612. yandexcertificatemanager:
  25613. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  25614. properties:
  25615. apiEndpoint:
  25616. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25617. type: string
  25618. auth:
  25619. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  25620. properties:
  25621. authorizedKeySecretRef:
  25622. description: The authorized key used for authentication
  25623. properties:
  25624. key:
  25625. description: |-
  25626. A key in the referenced Secret.
  25627. Some instances of this field may be defaulted, in others it may be required.
  25628. maxLength: 253
  25629. minLength: 1
  25630. pattern: ^[-._a-zA-Z0-9]+$
  25631. type: string
  25632. name:
  25633. description: The name of the Secret resource being referred to.
  25634. maxLength: 253
  25635. minLength: 1
  25636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25637. type: string
  25638. namespace:
  25639. description: |-
  25640. The namespace of the Secret resource being referred to.
  25641. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25642. maxLength: 63
  25643. minLength: 1
  25644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25645. type: string
  25646. type: object
  25647. type: object
  25648. caProvider:
  25649. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25650. properties:
  25651. certSecretRef:
  25652. description: |-
  25653. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25654. In some instances, `key` is a required field.
  25655. properties:
  25656. key:
  25657. description: |-
  25658. A key in the referenced Secret.
  25659. Some instances of this field may be defaulted, in others it may be required.
  25660. maxLength: 253
  25661. minLength: 1
  25662. pattern: ^[-._a-zA-Z0-9]+$
  25663. type: string
  25664. name:
  25665. description: The name of the Secret resource being referred to.
  25666. maxLength: 253
  25667. minLength: 1
  25668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25669. type: string
  25670. namespace:
  25671. description: |-
  25672. The namespace of the Secret resource being referred to.
  25673. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25674. maxLength: 63
  25675. minLength: 1
  25676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25677. type: string
  25678. type: object
  25679. type: object
  25680. required:
  25681. - auth
  25682. type: object
  25683. yandexlockbox:
  25684. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25685. properties:
  25686. apiEndpoint:
  25687. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25688. type: string
  25689. auth:
  25690. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25691. properties:
  25692. authorizedKeySecretRef:
  25693. description: The authorized key used for authentication
  25694. properties:
  25695. key:
  25696. description: |-
  25697. A key in the referenced Secret.
  25698. Some instances of this field may be defaulted, in others it may be required.
  25699. maxLength: 253
  25700. minLength: 1
  25701. pattern: ^[-._a-zA-Z0-9]+$
  25702. type: string
  25703. name:
  25704. description: The name of the Secret resource being referred to.
  25705. maxLength: 253
  25706. minLength: 1
  25707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25708. type: string
  25709. namespace:
  25710. description: |-
  25711. The namespace of the Secret resource being referred to.
  25712. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25713. maxLength: 63
  25714. minLength: 1
  25715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25716. type: string
  25717. type: object
  25718. type: object
  25719. caProvider:
  25720. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25721. properties:
  25722. certSecretRef:
  25723. description: |-
  25724. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25725. In some instances, `key` is a required field.
  25726. properties:
  25727. key:
  25728. description: |-
  25729. A key in the referenced Secret.
  25730. Some instances of this field may be defaulted, in others it may be required.
  25731. maxLength: 253
  25732. minLength: 1
  25733. pattern: ^[-._a-zA-Z0-9]+$
  25734. type: string
  25735. name:
  25736. description: The name of the Secret resource being referred to.
  25737. maxLength: 253
  25738. minLength: 1
  25739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25740. type: string
  25741. namespace:
  25742. description: |-
  25743. The namespace of the Secret resource being referred to.
  25744. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25745. maxLength: 63
  25746. minLength: 1
  25747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25748. type: string
  25749. type: object
  25750. type: object
  25751. required:
  25752. - auth
  25753. type: object
  25754. type: object
  25755. providerRef:
  25756. description: ProviderRef references a provider configuration managed externally.
  25757. properties:
  25758. apiVersion:
  25759. description: APIVersion identifies the API schema version for the provider resource.
  25760. minLength: 1
  25761. type: string
  25762. kind:
  25763. description: Kind identifies the provider resource type referenced by this store.
  25764. minLength: 1
  25765. type: string
  25766. name:
  25767. description: Name is the provider resource name referenced by this store.
  25768. maxLength: 253
  25769. minLength: 1
  25770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25771. type: string
  25772. namespace:
  25773. description: Namespace is the provider resource namespace referenced by this store.
  25774. maxLength: 63
  25775. minLength: 1
  25776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25777. type: string
  25778. required:
  25779. - apiVersion
  25780. - kind
  25781. - name
  25782. type: object
  25783. refreshInterval:
  25784. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25785. type: integer
  25786. retrySettings:
  25787. description: Used to configure HTTP retries on failures.
  25788. properties:
  25789. maxRetries:
  25790. description: MaxRetries is the maximum number of retry attempts.
  25791. format: int32
  25792. type: integer
  25793. retryInterval:
  25794. description: RetryInterval is the interval between retry attempts.
  25795. type: string
  25796. type: object
  25797. runtimeRef:
  25798. description: RuntimeRef points to runtime configuration for this store.
  25799. properties:
  25800. kind:
  25801. description: Kind identifies the runtime resource type referenced by this store.
  25802. enum:
  25803. - ProviderClass
  25804. - ClusterProviderClass
  25805. type: string
  25806. name:
  25807. description: Name is the runtime resource name referenced by this store.
  25808. maxLength: 253
  25809. minLength: 1
  25810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25811. type: string
  25812. required:
  25813. - name
  25814. type: object
  25815. type: object
  25816. x-kubernetes-validations:
  25817. - message: exactly one of spec.provider or spec.providerRef must be set
  25818. rule: (has(self.provider) && !has(self.providerRef)) || (!has(self.provider) && has(self.providerRef))
  25819. - message: spec.runtimeRef must be empty when spec.provider is set
  25820. rule: '!(has(self.provider) && has(self.runtimeRef))'
  25821. - message: spec.runtimeRef is required when spec.providerRef is set
  25822. rule: '!has(self.providerRef) || has(self.runtimeRef)'
  25823. status:
  25824. description: SecretStoreStatus defines the observed state of the SecretStore.
  25825. properties:
  25826. capabilities:
  25827. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25828. type: string
  25829. conditions:
  25830. items:
  25831. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25832. properties:
  25833. lastTransitionTime:
  25834. format: date-time
  25835. type: string
  25836. message:
  25837. type: string
  25838. reason:
  25839. type: string
  25840. status:
  25841. type: string
  25842. type:
  25843. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25844. type: string
  25845. required:
  25846. - status
  25847. - type
  25848. type: object
  25849. type: array
  25850. type: object
  25851. type: object
  25852. served: false
  25853. storage: false
  25854. subresources:
  25855. status: {}
  25856. ---
  25857. apiVersion: apiextensions.k8s.io/v1
  25858. kind: CustomResourceDefinition
  25859. metadata:
  25860. annotations:
  25861. controller-gen.kubebuilder.io/version: v0.19.0
  25862. labels:
  25863. external-secrets.io/component: controller
  25864. name: acraccesstokens.generators.external-secrets.io
  25865. spec:
  25866. group: generators.external-secrets.io
  25867. names:
  25868. categories:
  25869. - external-secrets
  25870. - external-secrets-generators
  25871. kind: ACRAccessToken
  25872. listKind: ACRAccessTokenList
  25873. plural: acraccesstokens
  25874. singular: acraccesstoken
  25875. scope: Namespaced
  25876. versions:
  25877. - name: v1alpha1
  25878. schema:
  25879. openAPIV3Schema:
  25880. description: |-
  25881. ACRAccessToken returns an Azure Container Registry token
  25882. that can be used for pushing/pulling images.
  25883. Note: by default it will return an ACR Refresh Token with full access
  25884. (depending on the identity).
  25885. This can be scoped down to the repository level using .spec.scope.
  25886. In case scope is defined it will return an ACR Access Token.
  25887. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25888. properties:
  25889. apiVersion:
  25890. description: |-
  25891. APIVersion defines the versioned schema of this representation of an object.
  25892. Servers should convert recognized schemas to the latest internal value, and
  25893. may reject unrecognized values.
  25894. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25895. type: string
  25896. kind:
  25897. description: |-
  25898. Kind is a string value representing the REST resource this object represents.
  25899. Servers may infer this from the endpoint the client submits requests to.
  25900. Cannot be updated.
  25901. In CamelCase.
  25902. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25903. type: string
  25904. metadata:
  25905. type: object
  25906. spec:
  25907. description: |-
  25908. ACRAccessTokenSpec defines how to generate the access token
  25909. e.g. how to authenticate and which registry to use.
  25910. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25911. properties:
  25912. auth:
  25913. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25914. properties:
  25915. managedIdentity:
  25916. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25917. properties:
  25918. identityId:
  25919. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25920. type: string
  25921. type: object
  25922. servicePrincipal:
  25923. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25924. properties:
  25925. secretRef:
  25926. description: |-
  25927. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25928. It uses static credentials stored in a Kind=Secret.
  25929. properties:
  25930. clientId:
  25931. description: The Azure clientId of the service principle used for authentication.
  25932. properties:
  25933. key:
  25934. description: |-
  25935. A key in the referenced Secret.
  25936. Some instances of this field may be defaulted, in others it may be required.
  25937. maxLength: 253
  25938. minLength: 1
  25939. pattern: ^[-._a-zA-Z0-9]+$
  25940. type: string
  25941. name:
  25942. description: The name of the Secret resource being referred to.
  25943. maxLength: 253
  25944. minLength: 1
  25945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25946. type: string
  25947. namespace:
  25948. description: |-
  25949. The namespace of the Secret resource being referred to.
  25950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25951. maxLength: 63
  25952. minLength: 1
  25953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25954. type: string
  25955. type: object
  25956. clientSecret:
  25957. description: The Azure ClientSecret of the service principle used for authentication.
  25958. properties:
  25959. key:
  25960. description: |-
  25961. A key in the referenced Secret.
  25962. Some instances of this field may be defaulted, in others it may be required.
  25963. maxLength: 253
  25964. minLength: 1
  25965. pattern: ^[-._a-zA-Z0-9]+$
  25966. type: string
  25967. name:
  25968. description: The name of the Secret resource being referred to.
  25969. maxLength: 253
  25970. minLength: 1
  25971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25972. type: string
  25973. namespace:
  25974. description: |-
  25975. The namespace of the Secret resource being referred to.
  25976. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25977. maxLength: 63
  25978. minLength: 1
  25979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25980. type: string
  25981. type: object
  25982. type: object
  25983. required:
  25984. - secretRef
  25985. type: object
  25986. workloadIdentity:
  25987. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25988. properties:
  25989. serviceAccountRef:
  25990. description: |-
  25991. ServiceAccountRef specified the service account
  25992. that should be used when authenticating with WorkloadIdentity.
  25993. properties:
  25994. audiences:
  25995. description: |-
  25996. Audience specifies the `aud` claim for the service account token
  25997. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25998. then this audiences will be appended to the list
  25999. items:
  26000. type: string
  26001. type: array
  26002. name:
  26003. description: The name of the ServiceAccount resource being referred to.
  26004. maxLength: 253
  26005. minLength: 1
  26006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26007. type: string
  26008. namespace:
  26009. description: |-
  26010. Namespace of the resource being referred to.
  26011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26012. maxLength: 63
  26013. minLength: 1
  26014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26015. type: string
  26016. required:
  26017. - name
  26018. type: object
  26019. type: object
  26020. type: object
  26021. environmentType:
  26022. default: PublicCloud
  26023. description: |-
  26024. EnvironmentType specifies the Azure cloud environment endpoints to use for
  26025. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  26026. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  26027. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  26028. enum:
  26029. - PublicCloud
  26030. - USGovernmentCloud
  26031. - ChinaCloud
  26032. - GermanCloud
  26033. - AzureStackCloud
  26034. type: string
  26035. registry:
  26036. description: |-
  26037. the domain name of the ACR registry
  26038. e.g. foobarexample.azurecr.io
  26039. type: string
  26040. scope:
  26041. description: |-
  26042. Define the scope for the access token, e.g. pull/push access for a repository.
  26043. if not provided it will return a refresh token that has full scope.
  26044. Note: you need to pin it down to the repository level, there is no wildcard available.
  26045. examples:
  26046. repository:my-repository:pull,push
  26047. repository:my-repository:pull
  26048. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26049. type: string
  26050. tenantId:
  26051. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26052. type: string
  26053. required:
  26054. - auth
  26055. - registry
  26056. type: object
  26057. type: object
  26058. served: true
  26059. storage: true
  26060. subresources:
  26061. status: {}
  26062. ---
  26063. apiVersion: apiextensions.k8s.io/v1
  26064. kind: CustomResourceDefinition
  26065. metadata:
  26066. annotations:
  26067. controller-gen.kubebuilder.io/version: v0.19.0
  26068. labels:
  26069. external-secrets.io/component: controller
  26070. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  26071. spec:
  26072. group: generators.external-secrets.io
  26073. names:
  26074. categories:
  26075. - external-secrets
  26076. - external-secrets-generators
  26077. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  26078. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  26079. plural: beyondtrustworkloadcredentialsdynamicsecrets
  26080. singular: beyondtrustworkloadcredentialsdynamicsecret
  26081. scope: Namespaced
  26082. versions:
  26083. - name: v1alpha1
  26084. schema:
  26085. openAPIV3Schema:
  26086. description: |-
  26087. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  26088. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  26089. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  26090. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  26091. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26092. properties:
  26093. apiVersion:
  26094. description: |-
  26095. APIVersion defines the versioned schema of this representation of an object.
  26096. Servers should convert recognized schemas to the latest internal value, and
  26097. may reject unrecognized values.
  26098. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26099. type: string
  26100. kind:
  26101. description: |-
  26102. Kind is a string value representing the REST resource this object represents.
  26103. Servers may infer this from the endpoint the client submits requests to.
  26104. Cannot be updated.
  26105. In CamelCase.
  26106. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26107. type: string
  26108. metadata:
  26109. type: object
  26110. spec:
  26111. description: |-
  26112. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26113. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26114. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26115. properties:
  26116. controller:
  26117. description: |-
  26118. Controller selects the controller that should handle this generator.
  26119. Leave empty to use the default controller.
  26120. type: string
  26121. provider:
  26122. description: |-
  26123. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26124. server connection details, and the folder path to the dynamic secret definition.
  26125. The folderPath should point to a dynamic secret definition that has been created in
  26126. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26127. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26128. properties:
  26129. auth:
  26130. description: |-
  26131. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26132. Currently supports API key authentication via Kubernetes secret reference.
  26133. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26134. properties:
  26135. apikey:
  26136. description: |-
  26137. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26138. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26139. properties:
  26140. token:
  26141. description: |-
  26142. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26143. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26144. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26145. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26146. properties:
  26147. key:
  26148. description: |-
  26149. A key in the referenced Secret.
  26150. Some instances of this field may be defaulted, in others it may be required.
  26151. maxLength: 253
  26152. minLength: 1
  26153. pattern: ^[-._a-zA-Z0-9]+$
  26154. type: string
  26155. name:
  26156. description: The name of the Secret resource being referred to.
  26157. maxLength: 253
  26158. minLength: 1
  26159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26160. type: string
  26161. namespace:
  26162. description: |-
  26163. The namespace of the Secret resource being referred to.
  26164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26165. maxLength: 63
  26166. minLength: 1
  26167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26168. type: string
  26169. type: object
  26170. required:
  26171. - token
  26172. type: object
  26173. required:
  26174. - apikey
  26175. type: object
  26176. caBundle:
  26177. description: |-
  26178. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26179. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26180. If not set, the system's trusted root certificates are used.
  26181. format: byte
  26182. type: string
  26183. caProvider:
  26184. description: |-
  26185. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26186. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26187. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26188. properties:
  26189. key:
  26190. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26191. maxLength: 253
  26192. minLength: 1
  26193. pattern: ^[-._a-zA-Z0-9]+$
  26194. type: string
  26195. name:
  26196. description: The name of the object located at the provider type.
  26197. maxLength: 253
  26198. minLength: 1
  26199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26200. type: string
  26201. namespace:
  26202. description: |-
  26203. The namespace the Provider type is in.
  26204. Can only be defined when used in a ClusterSecretStore.
  26205. maxLength: 63
  26206. minLength: 1
  26207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26208. type: string
  26209. type:
  26210. description: The type of provider to use such as "Secret", or "ConfigMap".
  26211. enum:
  26212. - Secret
  26213. - ConfigMap
  26214. type: string
  26215. required:
  26216. - name
  26217. - type
  26218. type: object
  26219. folderPath:
  26220. description: |-
  26221. FolderPath specifies the default folder path for secret retrieval.
  26222. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26223. Example: "production/database" or "dev/api-keys"
  26224. Leave empty to retrieve secrets from the root folder.
  26225. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26226. type: string
  26227. server:
  26228. description: |-
  26229. Server configures the BeyondTrust Workload Credentials server connection details.
  26230. Includes the API URL and Site ID for your BeyondTrust instance.
  26231. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26232. properties:
  26233. apiUrl:
  26234. description: |-
  26235. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26236. This should be the full URL to your BeyondTrust instance.
  26237. Example: https://api.beyondtrust.io/siie
  26238. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26239. type: string
  26240. siteId:
  26241. description: |-
  26242. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26243. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26244. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26245. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26246. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26247. type: string
  26248. required:
  26249. - apiUrl
  26250. - siteId
  26251. type: object
  26252. required:
  26253. - auth
  26254. - server
  26255. type: object
  26256. retrySettings:
  26257. description: |-
  26258. RetrySettings configures exponential backoff for failed API requests.
  26259. If not specified, uses the default retry settings.
  26260. properties:
  26261. maxRetries:
  26262. type: integer
  26263. retryInterval:
  26264. type: string
  26265. type: object
  26266. required:
  26267. - provider
  26268. type: object
  26269. type: object
  26270. served: true
  26271. storage: true
  26272. subresources:
  26273. status: {}
  26274. ---
  26275. apiVersion: apiextensions.k8s.io/v1
  26276. kind: CustomResourceDefinition
  26277. metadata:
  26278. annotations:
  26279. controller-gen.kubebuilder.io/version: v0.19.0
  26280. labels:
  26281. external-secrets.io/component: controller
  26282. name: cloudsmithaccesstokens.generators.external-secrets.io
  26283. spec:
  26284. group: generators.external-secrets.io
  26285. names:
  26286. categories:
  26287. - external-secrets
  26288. - external-secrets-generators
  26289. kind: CloudsmithAccessToken
  26290. listKind: CloudsmithAccessTokenList
  26291. plural: cloudsmithaccesstokens
  26292. singular: cloudsmithaccesstoken
  26293. scope: Namespaced
  26294. versions:
  26295. - name: v1alpha1
  26296. schema:
  26297. openAPIV3Schema:
  26298. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  26299. properties:
  26300. apiVersion:
  26301. description: |-
  26302. APIVersion defines the versioned schema of this representation of an object.
  26303. Servers should convert recognized schemas to the latest internal value, and
  26304. may reject unrecognized values.
  26305. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26306. type: string
  26307. kind:
  26308. description: |-
  26309. Kind is a string value representing the REST resource this object represents.
  26310. Servers may infer this from the endpoint the client submits requests to.
  26311. Cannot be updated.
  26312. In CamelCase.
  26313. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26314. type: string
  26315. metadata:
  26316. type: object
  26317. spec:
  26318. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26319. properties:
  26320. apiUrl:
  26321. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26322. type: string
  26323. orgSlug:
  26324. description: OrgSlug is the organization slug in Cloudsmith
  26325. type: string
  26326. serviceAccountRef:
  26327. description: Name of the service account you are federating with
  26328. properties:
  26329. audiences:
  26330. description: |-
  26331. Audience specifies the `aud` claim for the service account token
  26332. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26333. then this audiences will be appended to the list
  26334. items:
  26335. type: string
  26336. type: array
  26337. name:
  26338. description: The name of the ServiceAccount resource being referred to.
  26339. maxLength: 253
  26340. minLength: 1
  26341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26342. type: string
  26343. namespace:
  26344. description: |-
  26345. Namespace of the resource being referred to.
  26346. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26347. maxLength: 63
  26348. minLength: 1
  26349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26350. type: string
  26351. required:
  26352. - name
  26353. type: object
  26354. serviceSlug:
  26355. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26356. type: string
  26357. required:
  26358. - orgSlug
  26359. - serviceAccountRef
  26360. - serviceSlug
  26361. type: object
  26362. type: object
  26363. served: true
  26364. storage: true
  26365. subresources:
  26366. status: {}
  26367. ---
  26368. apiVersion: apiextensions.k8s.io/v1
  26369. kind: CustomResourceDefinition
  26370. metadata:
  26371. annotations:
  26372. controller-gen.kubebuilder.io/version: v0.19.0
  26373. labels:
  26374. external-secrets.io/component: controller
  26375. name: clustergenerators.generators.external-secrets.io
  26376. spec:
  26377. group: generators.external-secrets.io
  26378. names:
  26379. categories:
  26380. - external-secrets
  26381. - external-secrets-generators
  26382. kind: ClusterGenerator
  26383. listKind: ClusterGeneratorList
  26384. plural: clustergenerators
  26385. singular: clustergenerator
  26386. scope: Cluster
  26387. versions:
  26388. - name: v1alpha1
  26389. schema:
  26390. openAPIV3Schema:
  26391. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  26392. properties:
  26393. apiVersion:
  26394. description: |-
  26395. APIVersion defines the versioned schema of this representation of an object.
  26396. Servers should convert recognized schemas to the latest internal value, and
  26397. may reject unrecognized values.
  26398. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26399. type: string
  26400. kind:
  26401. description: |-
  26402. Kind is a string value representing the REST resource this object represents.
  26403. Servers may infer this from the endpoint the client submits requests to.
  26404. Cannot be updated.
  26405. In CamelCase.
  26406. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26407. type: string
  26408. metadata:
  26409. type: object
  26410. spec:
  26411. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  26412. properties:
  26413. generator:
  26414. description: Generator the spec for this generator, must match the kind.
  26415. maxProperties: 1
  26416. minProperties: 1
  26417. properties:
  26418. acrAccessTokenSpec:
  26419. description: |-
  26420. ACRAccessTokenSpec defines how to generate the access token
  26421. e.g. how to authenticate and which registry to use.
  26422. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  26423. properties:
  26424. auth:
  26425. description: ACRAuth defines the authentication methods for Azure Container Registry.
  26426. properties:
  26427. managedIdentity:
  26428. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  26429. properties:
  26430. identityId:
  26431. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  26432. type: string
  26433. type: object
  26434. servicePrincipal:
  26435. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  26436. properties:
  26437. secretRef:
  26438. description: |-
  26439. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  26440. It uses static credentials stored in a Kind=Secret.
  26441. properties:
  26442. clientId:
  26443. description: The Azure clientId of the service principle used for authentication.
  26444. properties:
  26445. key:
  26446. description: |-
  26447. A key in the referenced Secret.
  26448. Some instances of this field may be defaulted, in others it may be required.
  26449. maxLength: 253
  26450. minLength: 1
  26451. pattern: ^[-._a-zA-Z0-9]+$
  26452. type: string
  26453. name:
  26454. description: The name of the Secret resource being referred to.
  26455. maxLength: 253
  26456. minLength: 1
  26457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26458. type: string
  26459. namespace:
  26460. description: |-
  26461. The namespace of the Secret resource being referred to.
  26462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26463. maxLength: 63
  26464. minLength: 1
  26465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26466. type: string
  26467. type: object
  26468. clientSecret:
  26469. description: The Azure ClientSecret of the service principle used for authentication.
  26470. properties:
  26471. key:
  26472. description: |-
  26473. A key in the referenced Secret.
  26474. Some instances of this field may be defaulted, in others it may be required.
  26475. maxLength: 253
  26476. minLength: 1
  26477. pattern: ^[-._a-zA-Z0-9]+$
  26478. type: string
  26479. name:
  26480. description: The name of the Secret resource being referred to.
  26481. maxLength: 253
  26482. minLength: 1
  26483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26484. type: string
  26485. namespace:
  26486. description: |-
  26487. The namespace of the Secret resource being referred to.
  26488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26489. maxLength: 63
  26490. minLength: 1
  26491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26492. type: string
  26493. type: object
  26494. type: object
  26495. required:
  26496. - secretRef
  26497. type: object
  26498. workloadIdentity:
  26499. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  26500. properties:
  26501. serviceAccountRef:
  26502. description: |-
  26503. ServiceAccountRef specified the service account
  26504. that should be used when authenticating with WorkloadIdentity.
  26505. properties:
  26506. audiences:
  26507. description: |-
  26508. Audience specifies the `aud` claim for the service account token
  26509. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26510. then this audiences will be appended to the list
  26511. items:
  26512. type: string
  26513. type: array
  26514. name:
  26515. description: The name of the ServiceAccount resource being referred to.
  26516. maxLength: 253
  26517. minLength: 1
  26518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26519. type: string
  26520. namespace:
  26521. description: |-
  26522. Namespace of the resource being referred to.
  26523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26524. maxLength: 63
  26525. minLength: 1
  26526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26527. type: string
  26528. required:
  26529. - name
  26530. type: object
  26531. type: object
  26532. type: object
  26533. environmentType:
  26534. default: PublicCloud
  26535. description: |-
  26536. EnvironmentType specifies the Azure cloud environment endpoints to use for
  26537. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  26538. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  26539. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  26540. enum:
  26541. - PublicCloud
  26542. - USGovernmentCloud
  26543. - ChinaCloud
  26544. - GermanCloud
  26545. - AzureStackCloud
  26546. type: string
  26547. registry:
  26548. description: |-
  26549. the domain name of the ACR registry
  26550. e.g. foobarexample.azurecr.io
  26551. type: string
  26552. scope:
  26553. description: |-
  26554. Define the scope for the access token, e.g. pull/push access for a repository.
  26555. if not provided it will return a refresh token that has full scope.
  26556. Note: you need to pin it down to the repository level, there is no wildcard available.
  26557. examples:
  26558. repository:my-repository:pull,push
  26559. repository:my-repository:pull
  26560. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26561. type: string
  26562. tenantId:
  26563. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26564. type: string
  26565. required:
  26566. - auth
  26567. - registry
  26568. type: object
  26569. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  26570. description: |-
  26571. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26572. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26573. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26574. properties:
  26575. controller:
  26576. description: |-
  26577. Controller selects the controller that should handle this generator.
  26578. Leave empty to use the default controller.
  26579. type: string
  26580. provider:
  26581. description: |-
  26582. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26583. server connection details, and the folder path to the dynamic secret definition.
  26584. The folderPath should point to a dynamic secret definition that has been created in
  26585. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26586. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26587. properties:
  26588. auth:
  26589. description: |-
  26590. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26591. Currently supports API key authentication via Kubernetes secret reference.
  26592. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26593. properties:
  26594. apikey:
  26595. description: |-
  26596. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26597. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26598. properties:
  26599. token:
  26600. description: |-
  26601. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26602. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26603. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26604. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26605. properties:
  26606. key:
  26607. description: |-
  26608. A key in the referenced Secret.
  26609. Some instances of this field may be defaulted, in others it may be required.
  26610. maxLength: 253
  26611. minLength: 1
  26612. pattern: ^[-._a-zA-Z0-9]+$
  26613. type: string
  26614. name:
  26615. description: The name of the Secret resource being referred to.
  26616. maxLength: 253
  26617. minLength: 1
  26618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26619. type: string
  26620. namespace:
  26621. description: |-
  26622. The namespace of the Secret resource being referred to.
  26623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26624. maxLength: 63
  26625. minLength: 1
  26626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26627. type: string
  26628. type: object
  26629. required:
  26630. - token
  26631. type: object
  26632. required:
  26633. - apikey
  26634. type: object
  26635. caBundle:
  26636. description: |-
  26637. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26638. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26639. If not set, the system's trusted root certificates are used.
  26640. format: byte
  26641. type: string
  26642. caProvider:
  26643. description: |-
  26644. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26645. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26646. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26647. properties:
  26648. key:
  26649. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26650. maxLength: 253
  26651. minLength: 1
  26652. pattern: ^[-._a-zA-Z0-9]+$
  26653. type: string
  26654. name:
  26655. description: The name of the object located at the provider type.
  26656. maxLength: 253
  26657. minLength: 1
  26658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26659. type: string
  26660. namespace:
  26661. description: |-
  26662. The namespace the Provider type is in.
  26663. Can only be defined when used in a ClusterSecretStore.
  26664. maxLength: 63
  26665. minLength: 1
  26666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26667. type: string
  26668. type:
  26669. description: The type of provider to use such as "Secret", or "ConfigMap".
  26670. enum:
  26671. - Secret
  26672. - ConfigMap
  26673. type: string
  26674. required:
  26675. - name
  26676. - type
  26677. type: object
  26678. folderPath:
  26679. description: |-
  26680. FolderPath specifies the default folder path for secret retrieval.
  26681. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26682. Example: "production/database" or "dev/api-keys"
  26683. Leave empty to retrieve secrets from the root folder.
  26684. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26685. type: string
  26686. server:
  26687. description: |-
  26688. Server configures the BeyondTrust Workload Credentials server connection details.
  26689. Includes the API URL and Site ID for your BeyondTrust instance.
  26690. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26691. properties:
  26692. apiUrl:
  26693. description: |-
  26694. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26695. This should be the full URL to your BeyondTrust instance.
  26696. Example: https://api.beyondtrust.io/siie
  26697. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26698. type: string
  26699. siteId:
  26700. description: |-
  26701. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26702. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26703. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26704. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26705. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26706. type: string
  26707. required:
  26708. - apiUrl
  26709. - siteId
  26710. type: object
  26711. required:
  26712. - auth
  26713. - server
  26714. type: object
  26715. retrySettings:
  26716. description: |-
  26717. RetrySettings configures exponential backoff for failed API requests.
  26718. If not specified, uses the default retry settings.
  26719. properties:
  26720. maxRetries:
  26721. type: integer
  26722. retryInterval:
  26723. type: string
  26724. type: object
  26725. required:
  26726. - provider
  26727. type: object
  26728. cloudsmithAccessTokenSpec:
  26729. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26730. properties:
  26731. apiUrl:
  26732. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26733. type: string
  26734. orgSlug:
  26735. description: OrgSlug is the organization slug in Cloudsmith
  26736. type: string
  26737. serviceAccountRef:
  26738. description: Name of the service account you are federating with
  26739. properties:
  26740. audiences:
  26741. description: |-
  26742. Audience specifies the `aud` claim for the service account token
  26743. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26744. then this audiences will be appended to the list
  26745. items:
  26746. type: string
  26747. type: array
  26748. name:
  26749. description: The name of the ServiceAccount resource being referred to.
  26750. maxLength: 253
  26751. minLength: 1
  26752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26753. type: string
  26754. namespace:
  26755. description: |-
  26756. Namespace of the resource being referred to.
  26757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26758. maxLength: 63
  26759. minLength: 1
  26760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26761. type: string
  26762. required:
  26763. - name
  26764. type: object
  26765. serviceSlug:
  26766. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26767. type: string
  26768. required:
  26769. - orgSlug
  26770. - serviceAccountRef
  26771. - serviceSlug
  26772. type: object
  26773. ecrAuthorizationTokenSpec:
  26774. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26775. properties:
  26776. auth:
  26777. description: Auth defines how to authenticate with AWS
  26778. properties:
  26779. jwt:
  26780. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26781. properties:
  26782. serviceAccountRef:
  26783. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26784. properties:
  26785. audiences:
  26786. description: |-
  26787. Audience specifies the `aud` claim for the service account token
  26788. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26789. then this audiences will be appended to the list
  26790. items:
  26791. type: string
  26792. type: array
  26793. name:
  26794. description: The name of the ServiceAccount resource being referred to.
  26795. maxLength: 253
  26796. minLength: 1
  26797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26798. type: string
  26799. namespace:
  26800. description: |-
  26801. Namespace of the resource being referred to.
  26802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26803. maxLength: 63
  26804. minLength: 1
  26805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26806. type: string
  26807. required:
  26808. - name
  26809. type: object
  26810. type: object
  26811. secretRef:
  26812. description: |-
  26813. AWSAuthSecretRef holds secret references for AWS credentials
  26814. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26815. properties:
  26816. accessKeyIDSecretRef:
  26817. description: The AccessKeyID is used for authentication
  26818. properties:
  26819. key:
  26820. description: |-
  26821. A key in the referenced Secret.
  26822. Some instances of this field may be defaulted, in others it may be required.
  26823. maxLength: 253
  26824. minLength: 1
  26825. pattern: ^[-._a-zA-Z0-9]+$
  26826. type: string
  26827. name:
  26828. description: The name of the Secret resource being referred to.
  26829. maxLength: 253
  26830. minLength: 1
  26831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26832. type: string
  26833. namespace:
  26834. description: |-
  26835. The namespace of the Secret resource being referred to.
  26836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26837. maxLength: 63
  26838. minLength: 1
  26839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26840. type: string
  26841. type: object
  26842. secretAccessKeySecretRef:
  26843. description: The SecretAccessKey is used for authentication
  26844. properties:
  26845. key:
  26846. description: |-
  26847. A key in the referenced Secret.
  26848. Some instances of this field may be defaulted, in others it may be required.
  26849. maxLength: 253
  26850. minLength: 1
  26851. pattern: ^[-._a-zA-Z0-9]+$
  26852. type: string
  26853. name:
  26854. description: The name of the Secret resource being referred to.
  26855. maxLength: 253
  26856. minLength: 1
  26857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26858. type: string
  26859. namespace:
  26860. description: |-
  26861. The namespace of the Secret resource being referred to.
  26862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26863. maxLength: 63
  26864. minLength: 1
  26865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26866. type: string
  26867. type: object
  26868. sessionTokenSecretRef:
  26869. description: |-
  26870. The SessionToken used for authentication
  26871. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26872. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26873. properties:
  26874. key:
  26875. description: |-
  26876. A key in the referenced Secret.
  26877. Some instances of this field may be defaulted, in others it may be required.
  26878. maxLength: 253
  26879. minLength: 1
  26880. pattern: ^[-._a-zA-Z0-9]+$
  26881. type: string
  26882. name:
  26883. description: The name of the Secret resource being referred to.
  26884. maxLength: 253
  26885. minLength: 1
  26886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26887. type: string
  26888. namespace:
  26889. description: |-
  26890. The namespace of the Secret resource being referred to.
  26891. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26892. maxLength: 63
  26893. minLength: 1
  26894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26895. type: string
  26896. type: object
  26897. type: object
  26898. type: object
  26899. region:
  26900. description: Region specifies the region to operate in.
  26901. type: string
  26902. role:
  26903. description: |-
  26904. You can assume a role before making calls to the
  26905. desired AWS service.
  26906. type: string
  26907. scope:
  26908. description: |-
  26909. Scope specifies the ECR service scope.
  26910. Valid options are private and public.
  26911. type: string
  26912. required:
  26913. - region
  26914. type: object
  26915. fakeSpec:
  26916. description: FakeSpec contains the static data.
  26917. properties:
  26918. controller:
  26919. description: |-
  26920. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26921. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26922. type: string
  26923. data:
  26924. additionalProperties:
  26925. type: string
  26926. description: |-
  26927. Data defines the static data returned
  26928. by this generator.
  26929. type: object
  26930. type: object
  26931. gcrAccessTokenSpec:
  26932. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26933. properties:
  26934. auth:
  26935. description: Auth defines the means for authenticating with GCP
  26936. properties:
  26937. secretRef:
  26938. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26939. properties:
  26940. secretAccessKeySecretRef:
  26941. description: The SecretAccessKey is used for authentication
  26942. properties:
  26943. key:
  26944. description: |-
  26945. A key in the referenced Secret.
  26946. Some instances of this field may be defaulted, in others it may be required.
  26947. maxLength: 253
  26948. minLength: 1
  26949. pattern: ^[-._a-zA-Z0-9]+$
  26950. type: string
  26951. name:
  26952. description: The name of the Secret resource being referred to.
  26953. maxLength: 253
  26954. minLength: 1
  26955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26956. type: string
  26957. namespace:
  26958. description: |-
  26959. The namespace of the Secret resource being referred to.
  26960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26961. maxLength: 63
  26962. minLength: 1
  26963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26964. type: string
  26965. type: object
  26966. type: object
  26967. workloadIdentity:
  26968. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26969. properties:
  26970. clusterLocation:
  26971. type: string
  26972. clusterName:
  26973. type: string
  26974. clusterProjectID:
  26975. type: string
  26976. serviceAccountRef:
  26977. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26978. properties:
  26979. audiences:
  26980. description: |-
  26981. Audience specifies the `aud` claim for the service account token
  26982. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26983. then this audiences will be appended to the list
  26984. items:
  26985. type: string
  26986. type: array
  26987. name:
  26988. description: The name of the ServiceAccount resource being referred to.
  26989. maxLength: 253
  26990. minLength: 1
  26991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26992. type: string
  26993. namespace:
  26994. description: |-
  26995. Namespace of the resource being referred to.
  26996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26997. maxLength: 63
  26998. minLength: 1
  26999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27000. type: string
  27001. required:
  27002. - name
  27003. type: object
  27004. required:
  27005. - clusterLocation
  27006. - clusterName
  27007. - serviceAccountRef
  27008. type: object
  27009. workloadIdentityFederation:
  27010. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  27011. properties:
  27012. audience:
  27013. description: |-
  27014. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  27015. If specified, Audience found in the external account credential config will be overridden with the configured value.
  27016. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  27017. type: string
  27018. awsSecurityCredentials:
  27019. description: |-
  27020. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  27021. when using the AWS metadata server is not an option.
  27022. properties:
  27023. awsCredentialsSecretRef:
  27024. description: |-
  27025. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  27026. Secret should be created with below names for keys
  27027. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  27028. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  27029. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  27030. properties:
  27031. name:
  27032. description: name of the secret.
  27033. maxLength: 253
  27034. minLength: 1
  27035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27036. type: string
  27037. namespace:
  27038. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  27039. maxLength: 63
  27040. minLength: 1
  27041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27042. type: string
  27043. required:
  27044. - name
  27045. type: object
  27046. region:
  27047. description: region is for configuring the AWS region to be used.
  27048. example: ap-south-1
  27049. maxLength: 50
  27050. minLength: 1
  27051. pattern: ^[a-z0-9-]+$
  27052. type: string
  27053. required:
  27054. - awsCredentialsSecretRef
  27055. - region
  27056. type: object
  27057. credConfig:
  27058. description: |-
  27059. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  27060. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  27061. serviceAccountRef must be used by providing operators service account details.
  27062. properties:
  27063. key:
  27064. description: key name holding the external account credential config.
  27065. maxLength: 253
  27066. minLength: 1
  27067. pattern: ^[-._a-zA-Z0-9]+$
  27068. type: string
  27069. name:
  27070. description: name of the configmap.
  27071. maxLength: 253
  27072. minLength: 1
  27073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27074. type: string
  27075. namespace:
  27076. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  27077. maxLength: 63
  27078. minLength: 1
  27079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27080. type: string
  27081. required:
  27082. - key
  27083. - name
  27084. type: object
  27085. externalTokenEndpoint:
  27086. description: |-
  27087. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  27088. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  27089. URL is having the expected value.
  27090. type: string
  27091. gcpServiceAccountEmail:
  27092. description: |-
  27093. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  27094. after Workload Identity Federation. Use this to grant access through the service account's
  27095. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  27096. service_account_impersonation_url in the external account JSON from credConfig;
  27097. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  27098. on that ServiceAccount.
  27099. example: my-gsa@my-project.iam.gserviceaccount.com
  27100. minLength: 1
  27101. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  27102. type: string
  27103. serviceAccountRef:
  27104. description: |-
  27105. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  27106. when Kubernetes is configured as provider in workload identity pool.
  27107. properties:
  27108. audiences:
  27109. description: |-
  27110. Audience specifies the `aud` claim for the service account token
  27111. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27112. then this audiences will be appended to the list
  27113. items:
  27114. type: string
  27115. type: array
  27116. name:
  27117. description: The name of the ServiceAccount resource being referred to.
  27118. maxLength: 253
  27119. minLength: 1
  27120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27121. type: string
  27122. namespace:
  27123. description: |-
  27124. Namespace of the resource being referred to.
  27125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27126. maxLength: 63
  27127. minLength: 1
  27128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27129. type: string
  27130. required:
  27131. - name
  27132. type: object
  27133. type: object
  27134. type: object
  27135. projectID:
  27136. description: ProjectID defines which project to use to authenticate with
  27137. type: string
  27138. required:
  27139. - auth
  27140. - projectID
  27141. type: object
  27142. githubAccessTokenSpec:
  27143. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  27144. properties:
  27145. appID:
  27146. type: string
  27147. auth:
  27148. description: Auth configures how ESO authenticates with a Github instance.
  27149. properties:
  27150. privateKey:
  27151. description: GithubSecretRef references a secret containing GitHub credentials.
  27152. properties:
  27153. secretRef:
  27154. description: |-
  27155. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27156. In some instances, `key` is a required field.
  27157. properties:
  27158. key:
  27159. description: |-
  27160. A key in the referenced Secret.
  27161. Some instances of this field may be defaulted, in others it may be required.
  27162. maxLength: 253
  27163. minLength: 1
  27164. pattern: ^[-._a-zA-Z0-9]+$
  27165. type: string
  27166. name:
  27167. description: The name of the Secret resource being referred to.
  27168. maxLength: 253
  27169. minLength: 1
  27170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27171. type: string
  27172. namespace:
  27173. description: |-
  27174. The namespace of the Secret resource being referred to.
  27175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27176. maxLength: 63
  27177. minLength: 1
  27178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27179. type: string
  27180. type: object
  27181. required:
  27182. - secretRef
  27183. type: object
  27184. required:
  27185. - privateKey
  27186. type: object
  27187. installID:
  27188. type: string
  27189. permissions:
  27190. additionalProperties:
  27191. type: string
  27192. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  27193. type: object
  27194. repositories:
  27195. description: |-
  27196. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  27197. is installed to.
  27198. items:
  27199. type: string
  27200. type: array
  27201. url:
  27202. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  27203. type: string
  27204. required:
  27205. - appID
  27206. - auth
  27207. - installID
  27208. type: object
  27209. grafanaSpec:
  27210. description: GrafanaSpec controls the behavior of the grafana generator.
  27211. properties:
  27212. auth:
  27213. description: |-
  27214. Auth is the authentication configuration to authenticate
  27215. against the Grafana instance.
  27216. properties:
  27217. basic:
  27218. description: |-
  27219. Basic auth credentials used to authenticate against the Grafana instance.
  27220. Note: you need a token which has elevated permissions to create service accounts.
  27221. See here for the documentation on basic roles offered by Grafana:
  27222. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27223. properties:
  27224. password:
  27225. description: A basic auth password used to authenticate against the Grafana instance.
  27226. properties:
  27227. key:
  27228. description: The key where the token is found.
  27229. maxLength: 253
  27230. minLength: 1
  27231. pattern: ^[-._a-zA-Z0-9]+$
  27232. type: string
  27233. name:
  27234. description: The name of the Secret resource being referred to.
  27235. maxLength: 253
  27236. minLength: 1
  27237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27238. type: string
  27239. type: object
  27240. username:
  27241. description: A basic auth username used to authenticate against the Grafana instance.
  27242. type: string
  27243. required:
  27244. - password
  27245. - username
  27246. type: object
  27247. token:
  27248. description: |-
  27249. A service account token used to authenticate against the Grafana instance.
  27250. Note: you need a token which has elevated permissions to create service accounts.
  27251. See here for the documentation on basic roles offered by Grafana:
  27252. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27253. properties:
  27254. key:
  27255. description: The key where the token is found.
  27256. maxLength: 253
  27257. minLength: 1
  27258. pattern: ^[-._a-zA-Z0-9]+$
  27259. type: string
  27260. name:
  27261. description: The name of the Secret resource being referred to.
  27262. maxLength: 253
  27263. minLength: 1
  27264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27265. type: string
  27266. type: object
  27267. type: object
  27268. serviceAccount:
  27269. description: |-
  27270. ServiceAccount is the configuration for the service account that
  27271. is supposed to be generated by the generator.
  27272. properties:
  27273. name:
  27274. description: Name is the name of the service account that will be created by ESO.
  27275. type: string
  27276. role:
  27277. description: |-
  27278. Role is the role of the service account.
  27279. See here for the documentation on basic roles offered by Grafana:
  27280. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27281. type: string
  27282. required:
  27283. - name
  27284. - role
  27285. type: object
  27286. url:
  27287. description: URL is the URL of the Grafana instance.
  27288. type: string
  27289. required:
  27290. - auth
  27291. - serviceAccount
  27292. - url
  27293. type: object
  27294. mfaSpec:
  27295. description: MFASpec controls the behavior of the mfa generator.
  27296. properties:
  27297. algorithm:
  27298. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  27299. type: string
  27300. length:
  27301. description: Length defines the token length. Defaults to 6 characters.
  27302. type: integer
  27303. secret:
  27304. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  27305. properties:
  27306. key:
  27307. description: |-
  27308. A key in the referenced Secret.
  27309. Some instances of this field may be defaulted, in others it may be required.
  27310. maxLength: 253
  27311. minLength: 1
  27312. pattern: ^[-._a-zA-Z0-9]+$
  27313. type: string
  27314. name:
  27315. description: The name of the Secret resource being referred to.
  27316. maxLength: 253
  27317. minLength: 1
  27318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27319. type: string
  27320. namespace:
  27321. description: |-
  27322. The namespace of the Secret resource being referred to.
  27323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27324. maxLength: 63
  27325. minLength: 1
  27326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27327. type: string
  27328. type: object
  27329. timePeriod:
  27330. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  27331. type: integer
  27332. when:
  27333. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  27334. format: date-time
  27335. type: string
  27336. required:
  27337. - secret
  27338. type: object
  27339. passwordSpec:
  27340. description: PasswordSpec controls the behavior of the password generator.
  27341. properties:
  27342. allowRepeat:
  27343. default: false
  27344. description: set AllowRepeat to true to allow repeating characters.
  27345. type: boolean
  27346. digits:
  27347. description: |-
  27348. Digits specifies the number of digits in the generated
  27349. password. If omitted it defaults to 25% of the length of the password
  27350. type: integer
  27351. encoding:
  27352. default: raw
  27353. description: |-
  27354. Encoding specifies the encoding of the generated password.
  27355. Valid values are:
  27356. - "raw" (default): no encoding
  27357. - "base64": standard base64 encoding
  27358. - "base64url": base64url encoding
  27359. - "base32": base32 encoding
  27360. - "hex": hexadecimal encoding
  27361. enum:
  27362. - base64
  27363. - base64url
  27364. - base32
  27365. - hex
  27366. - raw
  27367. type: string
  27368. length:
  27369. default: 24
  27370. description: |-
  27371. Length of the password to be generated.
  27372. Defaults to 24
  27373. type: integer
  27374. noUpper:
  27375. default: false
  27376. description: Set NoUpper to disable uppercase characters
  27377. type: boolean
  27378. secretKeys:
  27379. description: |-
  27380. SecretKeys defines the keys that will be populated with generated passwords.
  27381. Defaults to "password" when not set.
  27382. items:
  27383. type: string
  27384. minItems: 1
  27385. type: array
  27386. symbolCharacters:
  27387. description: |-
  27388. SymbolCharacters specifies the special characters that should be used
  27389. in the generated password.
  27390. type: string
  27391. symbols:
  27392. description: |-
  27393. Symbols specifies the number of symbol characters in the generated
  27394. password. If omitted it defaults to 25% of the length of the password
  27395. type: integer
  27396. required:
  27397. - allowRepeat
  27398. - length
  27399. - noUpper
  27400. type: object
  27401. quayAccessTokenSpec:
  27402. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  27403. properties:
  27404. robotAccount:
  27405. description: Name of the robot account you are federating with
  27406. type: string
  27407. serviceAccountRef:
  27408. description: Name of the service account you are federating with
  27409. properties:
  27410. audiences:
  27411. description: |-
  27412. Audience specifies the `aud` claim for the service account token
  27413. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27414. then this audiences will be appended to the list
  27415. items:
  27416. type: string
  27417. type: array
  27418. name:
  27419. description: The name of the ServiceAccount resource being referred to.
  27420. maxLength: 253
  27421. minLength: 1
  27422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27423. type: string
  27424. namespace:
  27425. description: |-
  27426. Namespace of the resource being referred to.
  27427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27428. maxLength: 63
  27429. minLength: 1
  27430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27431. type: string
  27432. required:
  27433. - name
  27434. type: object
  27435. url:
  27436. description: URL configures the Quay instance URL. Defaults to quay.io.
  27437. type: string
  27438. required:
  27439. - robotAccount
  27440. - serviceAccountRef
  27441. type: object
  27442. sshKeySpec:
  27443. description: SSHKeySpec controls the behavior of the ssh key generator.
  27444. properties:
  27445. comment:
  27446. description: Comment specifies an optional comment for the SSH key
  27447. type: string
  27448. keySize:
  27449. description: |-
  27450. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  27451. For RSA keys: 2048, 3072, 4096
  27452. For ECDSA keys: 256, 384, 521
  27453. Ignored for ed25519 keys
  27454. maximum: 8192
  27455. minimum: 256
  27456. type: integer
  27457. keyType:
  27458. default: rsa
  27459. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  27460. enum:
  27461. - rsa
  27462. - ecdsa
  27463. - ed25519
  27464. type: string
  27465. type: object
  27466. stsSessionTokenSpec:
  27467. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  27468. properties:
  27469. auth:
  27470. description: Auth defines how to authenticate with AWS
  27471. properties:
  27472. jwt:
  27473. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27474. properties:
  27475. serviceAccountRef:
  27476. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27477. properties:
  27478. audiences:
  27479. description: |-
  27480. Audience specifies the `aud` claim for the service account token
  27481. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27482. then this audiences will be appended to the list
  27483. items:
  27484. type: string
  27485. type: array
  27486. name:
  27487. description: The name of the ServiceAccount resource being referred to.
  27488. maxLength: 253
  27489. minLength: 1
  27490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27491. type: string
  27492. namespace:
  27493. description: |-
  27494. Namespace of the resource being referred to.
  27495. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27496. maxLength: 63
  27497. minLength: 1
  27498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27499. type: string
  27500. required:
  27501. - name
  27502. type: object
  27503. type: object
  27504. secretRef:
  27505. description: |-
  27506. AWSAuthSecretRef holds secret references for AWS credentials
  27507. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27508. properties:
  27509. accessKeyIDSecretRef:
  27510. description: The AccessKeyID is used for authentication
  27511. properties:
  27512. key:
  27513. description: |-
  27514. A key in the referenced Secret.
  27515. Some instances of this field may be defaulted, in others it may be required.
  27516. maxLength: 253
  27517. minLength: 1
  27518. pattern: ^[-._a-zA-Z0-9]+$
  27519. type: string
  27520. name:
  27521. description: The name of the Secret resource being referred to.
  27522. maxLength: 253
  27523. minLength: 1
  27524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27525. type: string
  27526. namespace:
  27527. description: |-
  27528. The namespace of the Secret resource being referred to.
  27529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27530. maxLength: 63
  27531. minLength: 1
  27532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27533. type: string
  27534. type: object
  27535. secretAccessKeySecretRef:
  27536. description: The SecretAccessKey is used for authentication
  27537. properties:
  27538. key:
  27539. description: |-
  27540. A key in the referenced Secret.
  27541. Some instances of this field may be defaulted, in others it may be required.
  27542. maxLength: 253
  27543. minLength: 1
  27544. pattern: ^[-._a-zA-Z0-9]+$
  27545. type: string
  27546. name:
  27547. description: The name of the Secret resource being referred to.
  27548. maxLength: 253
  27549. minLength: 1
  27550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27551. type: string
  27552. namespace:
  27553. description: |-
  27554. The namespace of the Secret resource being referred to.
  27555. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27556. maxLength: 63
  27557. minLength: 1
  27558. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27559. type: string
  27560. type: object
  27561. sessionTokenSecretRef:
  27562. description: |-
  27563. The SessionToken used for authentication
  27564. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27565. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27566. properties:
  27567. key:
  27568. description: |-
  27569. A key in the referenced Secret.
  27570. Some instances of this field may be defaulted, in others it may be required.
  27571. maxLength: 253
  27572. minLength: 1
  27573. pattern: ^[-._a-zA-Z0-9]+$
  27574. type: string
  27575. name:
  27576. description: The name of the Secret resource being referred to.
  27577. maxLength: 253
  27578. minLength: 1
  27579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27580. type: string
  27581. namespace:
  27582. description: |-
  27583. The namespace of the Secret resource being referred to.
  27584. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27585. maxLength: 63
  27586. minLength: 1
  27587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27588. type: string
  27589. type: object
  27590. type: object
  27591. type: object
  27592. region:
  27593. description: Region specifies the region to operate in.
  27594. type: string
  27595. requestParameters:
  27596. description: RequestParameters contains parameters that can be passed to the STS service.
  27597. properties:
  27598. serialNumber:
  27599. description: |-
  27600. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  27601. the GetSessionToken call.
  27602. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  27603. (such as arn:aws:iam::123456789012:mfa/user)
  27604. type: string
  27605. sessionDuration:
  27606. format: int32
  27607. type: integer
  27608. tokenCode:
  27609. description: TokenCode is the value provided by the MFA device, if MFA is required.
  27610. type: string
  27611. type: object
  27612. role:
  27613. description: |-
  27614. You can assume a role before making calls to the
  27615. desired AWS service.
  27616. type: string
  27617. required:
  27618. - region
  27619. type: object
  27620. uuidSpec:
  27621. description: UUIDSpec controls the behavior of the uuid generator.
  27622. type: object
  27623. vaultDynamicSecretSpec:
  27624. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  27625. properties:
  27626. allowEmptyResponse:
  27627. default: false
  27628. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  27629. type: boolean
  27630. controller:
  27631. description: |-
  27632. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27633. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27634. type: string
  27635. getParameters:
  27636. additionalProperties:
  27637. items:
  27638. type: string
  27639. type: array
  27640. description: |-
  27641. GetParameters are query-string parameters passed to Vault on GET calls.
  27642. Each key may map to multiple values, matching HTTP query-string semantics.
  27643. Ignored for non-GET methods; use Parameters for write bodies.
  27644. type: object
  27645. method:
  27646. description: Vault API method to use (GET/POST/other)
  27647. type: string
  27648. parameters:
  27649. description: Parameters to pass to Vault write (for non-GET methods)
  27650. x-kubernetes-preserve-unknown-fields: true
  27651. path:
  27652. description: Vault path to obtain the dynamic secret from
  27653. type: string
  27654. provider:
  27655. description: Vault provider common spec
  27656. properties:
  27657. auth:
  27658. description: Auth configures how secret-manager authenticates with the Vault server.
  27659. properties:
  27660. appRole:
  27661. description: |-
  27662. AppRole authenticates with Vault using the App Role auth mechanism,
  27663. with the role and secret stored in a Kubernetes Secret resource.
  27664. properties:
  27665. path:
  27666. default: approle
  27667. description: |-
  27668. Path where the App Role authentication backend is mounted
  27669. in Vault, e.g: "approle"
  27670. type: string
  27671. roleId:
  27672. description: |-
  27673. RoleID configured in the App Role authentication backend when setting
  27674. up the authentication backend in Vault.
  27675. type: string
  27676. roleRef:
  27677. description: |-
  27678. Reference to a key in a Secret that contains the App Role ID used
  27679. to authenticate with Vault.
  27680. The `key` field must be specified and denotes which entry within the Secret
  27681. resource is used as the app role id.
  27682. properties:
  27683. key:
  27684. description: |-
  27685. A key in the referenced Secret.
  27686. Some instances of this field may be defaulted, in others it may be required.
  27687. maxLength: 253
  27688. minLength: 1
  27689. pattern: ^[-._a-zA-Z0-9]+$
  27690. type: string
  27691. name:
  27692. description: The name of the Secret resource being referred to.
  27693. maxLength: 253
  27694. minLength: 1
  27695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27696. type: string
  27697. namespace:
  27698. description: |-
  27699. The namespace of the Secret resource being referred to.
  27700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27701. maxLength: 63
  27702. minLength: 1
  27703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27704. type: string
  27705. type: object
  27706. secretRef:
  27707. description: |-
  27708. Reference to a key in a Secret that contains the App Role secret used
  27709. to authenticate with Vault.
  27710. The `key` field must be specified and denotes which entry within the Secret
  27711. resource is used as the app role secret.
  27712. properties:
  27713. key:
  27714. description: |-
  27715. A key in the referenced Secret.
  27716. Some instances of this field may be defaulted, in others it may be required.
  27717. maxLength: 253
  27718. minLength: 1
  27719. pattern: ^[-._a-zA-Z0-9]+$
  27720. type: string
  27721. name:
  27722. description: The name of the Secret resource being referred to.
  27723. maxLength: 253
  27724. minLength: 1
  27725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27726. type: string
  27727. namespace:
  27728. description: |-
  27729. The namespace of the Secret resource being referred to.
  27730. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27731. maxLength: 63
  27732. minLength: 1
  27733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27734. type: string
  27735. type: object
  27736. required:
  27737. - path
  27738. - secretRef
  27739. type: object
  27740. cert:
  27741. description: |-
  27742. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  27743. Cert authentication method
  27744. properties:
  27745. clientCert:
  27746. description: |-
  27747. ClientCert is a certificate to authenticate using the Cert Vault
  27748. authentication method
  27749. properties:
  27750. key:
  27751. description: |-
  27752. A key in the referenced Secret.
  27753. Some instances of this field may be defaulted, in others it may be required.
  27754. maxLength: 253
  27755. minLength: 1
  27756. pattern: ^[-._a-zA-Z0-9]+$
  27757. type: string
  27758. name:
  27759. description: The name of the Secret resource being referred to.
  27760. maxLength: 253
  27761. minLength: 1
  27762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27763. type: string
  27764. namespace:
  27765. description: |-
  27766. The namespace of the Secret resource being referred to.
  27767. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27768. maxLength: 63
  27769. minLength: 1
  27770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27771. type: string
  27772. type: object
  27773. path:
  27774. default: cert
  27775. description: |-
  27776. Path where the Certificate authentication backend is mounted
  27777. in Vault, e.g: "cert"
  27778. type: string
  27779. secretRef:
  27780. description: |-
  27781. SecretRef to a key in a Secret resource containing client private key to
  27782. authenticate with Vault using the Cert authentication method
  27783. properties:
  27784. key:
  27785. description: |-
  27786. A key in the referenced Secret.
  27787. Some instances of this field may be defaulted, in others it may be required.
  27788. maxLength: 253
  27789. minLength: 1
  27790. pattern: ^[-._a-zA-Z0-9]+$
  27791. type: string
  27792. name:
  27793. description: The name of the Secret resource being referred to.
  27794. maxLength: 253
  27795. minLength: 1
  27796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27797. type: string
  27798. namespace:
  27799. description: |-
  27800. The namespace of the Secret resource being referred to.
  27801. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27802. maxLength: 63
  27803. minLength: 1
  27804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27805. type: string
  27806. type: object
  27807. vaultRole:
  27808. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27809. type: string
  27810. type: object
  27811. gcp:
  27812. description: |-
  27813. Gcp authenticates with Vault using Google Cloud Platform authentication method
  27814. GCP authentication method
  27815. properties:
  27816. location:
  27817. description: Location optionally defines a location/region for the secret
  27818. type: string
  27819. path:
  27820. default: gcp
  27821. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27822. type: string
  27823. projectID:
  27824. description: Project ID of the Google Cloud Platform project
  27825. type: string
  27826. role:
  27827. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27828. type: string
  27829. secretRef:
  27830. description: Specify credentials in a Secret object
  27831. properties:
  27832. secretAccessKeySecretRef:
  27833. description: The SecretAccessKey is used for authentication
  27834. properties:
  27835. key:
  27836. description: |-
  27837. A key in the referenced Secret.
  27838. Some instances of this field may be defaulted, in others it may be required.
  27839. maxLength: 253
  27840. minLength: 1
  27841. pattern: ^[-._a-zA-Z0-9]+$
  27842. type: string
  27843. name:
  27844. description: The name of the Secret resource being referred to.
  27845. maxLength: 253
  27846. minLength: 1
  27847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27848. type: string
  27849. namespace:
  27850. description: |-
  27851. The namespace of the Secret resource being referred to.
  27852. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27853. maxLength: 63
  27854. minLength: 1
  27855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27856. type: string
  27857. type: object
  27858. type: object
  27859. serviceAccountRef:
  27860. description: ServiceAccountRef to a service account for impersonation
  27861. properties:
  27862. audiences:
  27863. description: |-
  27864. Audience specifies the `aud` claim for the service account token
  27865. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27866. then this audiences will be appended to the list
  27867. items:
  27868. type: string
  27869. type: array
  27870. name:
  27871. description: The name of the ServiceAccount resource being referred to.
  27872. maxLength: 253
  27873. minLength: 1
  27874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27875. type: string
  27876. namespace:
  27877. description: |-
  27878. Namespace of the resource being referred to.
  27879. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27880. maxLength: 63
  27881. minLength: 1
  27882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27883. type: string
  27884. required:
  27885. - name
  27886. type: object
  27887. workloadIdentity:
  27888. description: Specify a service account with Workload Identity
  27889. properties:
  27890. clusterLocation:
  27891. description: |-
  27892. ClusterLocation is the location of the cluster
  27893. If not specified, it fetches information from the metadata server
  27894. type: string
  27895. clusterName:
  27896. description: |-
  27897. ClusterName is the name of the cluster
  27898. If not specified, it fetches information from the metadata server
  27899. type: string
  27900. clusterProjectID:
  27901. description: |-
  27902. ClusterProjectID is the project ID of the cluster
  27903. If not specified, it fetches information from the metadata server
  27904. type: string
  27905. serviceAccountRef:
  27906. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27907. properties:
  27908. audiences:
  27909. description: |-
  27910. Audience specifies the `aud` claim for the service account token
  27911. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27912. then this audiences will be appended to the list
  27913. items:
  27914. type: string
  27915. type: array
  27916. name:
  27917. description: The name of the ServiceAccount resource being referred to.
  27918. maxLength: 253
  27919. minLength: 1
  27920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27921. type: string
  27922. namespace:
  27923. description: |-
  27924. Namespace of the resource being referred to.
  27925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27926. maxLength: 63
  27927. minLength: 1
  27928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27929. type: string
  27930. required:
  27931. - name
  27932. type: object
  27933. required:
  27934. - serviceAccountRef
  27935. type: object
  27936. required:
  27937. - role
  27938. type: object
  27939. iam:
  27940. description: |-
  27941. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  27942. AWS IAM authentication method
  27943. properties:
  27944. externalID:
  27945. description: AWS External ID set on assumed IAM roles
  27946. type: string
  27947. jwt:
  27948. description: Specify a service account with IRSA enabled
  27949. properties:
  27950. serviceAccountRef:
  27951. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27952. properties:
  27953. audiences:
  27954. description: |-
  27955. Audience specifies the `aud` claim for the service account token
  27956. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27957. then this audiences will be appended to the list
  27958. items:
  27959. type: string
  27960. type: array
  27961. name:
  27962. description: The name of the ServiceAccount resource being referred to.
  27963. maxLength: 253
  27964. minLength: 1
  27965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27966. type: string
  27967. namespace:
  27968. description: |-
  27969. Namespace of the resource being referred to.
  27970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27971. maxLength: 63
  27972. minLength: 1
  27973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27974. type: string
  27975. required:
  27976. - name
  27977. type: object
  27978. type: object
  27979. path:
  27980. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  27981. type: string
  27982. region:
  27983. description: AWS region
  27984. type: string
  27985. role:
  27986. description: This is the AWS role to be assumed before talking to vault
  27987. type: string
  27988. secretRef:
  27989. description: Specify credentials in a Secret object
  27990. properties:
  27991. accessKeyIDSecretRef:
  27992. description: The AccessKeyID is used for authentication
  27993. properties:
  27994. key:
  27995. description: |-
  27996. A key in the referenced Secret.
  27997. Some instances of this field may be defaulted, in others it may be required.
  27998. maxLength: 253
  27999. minLength: 1
  28000. pattern: ^[-._a-zA-Z0-9]+$
  28001. type: string
  28002. name:
  28003. description: The name of the Secret resource being referred to.
  28004. maxLength: 253
  28005. minLength: 1
  28006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28007. type: string
  28008. namespace:
  28009. description: |-
  28010. The namespace of the Secret resource being referred to.
  28011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28012. maxLength: 63
  28013. minLength: 1
  28014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28015. type: string
  28016. type: object
  28017. secretAccessKeySecretRef:
  28018. description: The SecretAccessKey is used for authentication
  28019. properties:
  28020. key:
  28021. description: |-
  28022. A key in the referenced Secret.
  28023. Some instances of this field may be defaulted, in others it may be required.
  28024. maxLength: 253
  28025. minLength: 1
  28026. pattern: ^[-._a-zA-Z0-9]+$
  28027. type: string
  28028. name:
  28029. description: The name of the Secret resource being referred to.
  28030. maxLength: 253
  28031. minLength: 1
  28032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28033. type: string
  28034. namespace:
  28035. description: |-
  28036. The namespace of the Secret resource being referred to.
  28037. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28038. maxLength: 63
  28039. minLength: 1
  28040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28041. type: string
  28042. type: object
  28043. sessionTokenSecretRef:
  28044. description: |-
  28045. The SessionToken used for authentication
  28046. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28047. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28048. properties:
  28049. key:
  28050. description: |-
  28051. A key in the referenced Secret.
  28052. Some instances of this field may be defaulted, in others it may be required.
  28053. maxLength: 253
  28054. minLength: 1
  28055. pattern: ^[-._a-zA-Z0-9]+$
  28056. type: string
  28057. name:
  28058. description: The name of the Secret resource being referred to.
  28059. maxLength: 253
  28060. minLength: 1
  28061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28062. type: string
  28063. namespace:
  28064. description: |-
  28065. The namespace of the Secret resource being referred to.
  28066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28067. maxLength: 63
  28068. minLength: 1
  28069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28070. type: string
  28071. type: object
  28072. type: object
  28073. vaultAwsIamServerID:
  28074. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  28075. type: string
  28076. vaultRole:
  28077. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  28078. type: string
  28079. required:
  28080. - vaultRole
  28081. type: object
  28082. jwt:
  28083. description: |-
  28084. Jwt authenticates with Vault by passing role and JWT token using the
  28085. JWT/OIDC authentication method
  28086. properties:
  28087. kubernetesServiceAccountToken:
  28088. description: |-
  28089. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  28090. a token for with the `TokenRequest` API.
  28091. properties:
  28092. audiences:
  28093. description: |-
  28094. Optional audiences field that will be used to request a temporary Kubernetes service
  28095. account token for the service account referenced by `serviceAccountRef`.
  28096. Defaults to a single audience `vault` it not specified.
  28097. Deprecated: use serviceAccountRef.Audiences instead
  28098. items:
  28099. type: string
  28100. type: array
  28101. expirationSeconds:
  28102. description: |-
  28103. Optional expiration time in seconds that will be used to request a temporary
  28104. Kubernetes service account token for the service account referenced by
  28105. `serviceAccountRef`.
  28106. Deprecated: this will be removed in the future.
  28107. Defaults to 10 minutes.
  28108. type: integer
  28109. serviceAccountRef:
  28110. description: Service account field containing the name of a kubernetes ServiceAccount.
  28111. properties:
  28112. audiences:
  28113. description: |-
  28114. Audience specifies the `aud` claim for the service account token
  28115. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28116. then this audiences will be appended to the list
  28117. items:
  28118. type: string
  28119. type: array
  28120. name:
  28121. description: The name of the ServiceAccount resource being referred to.
  28122. maxLength: 253
  28123. minLength: 1
  28124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28125. type: string
  28126. namespace:
  28127. description: |-
  28128. Namespace of the resource being referred to.
  28129. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28130. maxLength: 63
  28131. minLength: 1
  28132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28133. type: string
  28134. required:
  28135. - name
  28136. type: object
  28137. required:
  28138. - serviceAccountRef
  28139. type: object
  28140. path:
  28141. default: jwt
  28142. description: |-
  28143. Path where the JWT authentication backend is mounted
  28144. in Vault, e.g: "jwt"
  28145. type: string
  28146. role:
  28147. description: |-
  28148. Role is a JWT role to authenticate using the JWT/OIDC Vault
  28149. authentication method
  28150. type: string
  28151. secretRef:
  28152. description: |-
  28153. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  28154. authenticate with Vault using the JWT/OIDC authentication method.
  28155. properties:
  28156. key:
  28157. description: |-
  28158. A key in the referenced Secret.
  28159. Some instances of this field may be defaulted, in others it may be required.
  28160. maxLength: 253
  28161. minLength: 1
  28162. pattern: ^[-._a-zA-Z0-9]+$
  28163. type: string
  28164. name:
  28165. description: The name of the Secret resource being referred to.
  28166. maxLength: 253
  28167. minLength: 1
  28168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28169. type: string
  28170. namespace:
  28171. description: |-
  28172. The namespace of the Secret resource being referred to.
  28173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28174. maxLength: 63
  28175. minLength: 1
  28176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28177. type: string
  28178. type: object
  28179. required:
  28180. - path
  28181. type: object
  28182. kubernetes:
  28183. description: |-
  28184. Kubernetes authenticates with Vault by passing the ServiceAccount
  28185. token stored in the named Secret resource to the Vault server.
  28186. properties:
  28187. mountPath:
  28188. default: kubernetes
  28189. description: |-
  28190. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  28191. "kubernetes"
  28192. type: string
  28193. role:
  28194. description: |-
  28195. A required field containing the Vault Role to assume. A Role binds a
  28196. Kubernetes ServiceAccount with a set of Vault policies.
  28197. type: string
  28198. secretRef:
  28199. description: |-
  28200. Optional secret field containing a Kubernetes ServiceAccount JWT used
  28201. for authenticating with Vault. If a name is specified without a key,
  28202. `token` is the default. If one is not specified, the one bound to
  28203. the controller will be used.
  28204. properties:
  28205. key:
  28206. description: |-
  28207. A key in the referenced Secret.
  28208. Some instances of this field may be defaulted, in others it may be required.
  28209. maxLength: 253
  28210. minLength: 1
  28211. pattern: ^[-._a-zA-Z0-9]+$
  28212. type: string
  28213. name:
  28214. description: The name of the Secret resource being referred to.
  28215. maxLength: 253
  28216. minLength: 1
  28217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28218. type: string
  28219. namespace:
  28220. description: |-
  28221. The namespace of the Secret resource being referred to.
  28222. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28223. maxLength: 63
  28224. minLength: 1
  28225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28226. type: string
  28227. type: object
  28228. serviceAccountRef:
  28229. description: |-
  28230. Optional service account field containing the name of a kubernetes ServiceAccount.
  28231. If the service account is specified, the service account secret token JWT will be used
  28232. for authenticating with Vault. If the service account selector is not supplied,
  28233. the secretRef will be used instead.
  28234. properties:
  28235. audiences:
  28236. description: |-
  28237. Audience specifies the `aud` claim for the service account token
  28238. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28239. then this audiences will be appended to the list
  28240. items:
  28241. type: string
  28242. type: array
  28243. name:
  28244. description: The name of the ServiceAccount resource being referred to.
  28245. maxLength: 253
  28246. minLength: 1
  28247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28248. type: string
  28249. namespace:
  28250. description: |-
  28251. Namespace of the resource being referred to.
  28252. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28253. maxLength: 63
  28254. minLength: 1
  28255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28256. type: string
  28257. required:
  28258. - name
  28259. type: object
  28260. required:
  28261. - mountPath
  28262. - role
  28263. type: object
  28264. ldap:
  28265. description: |-
  28266. Ldap authenticates with Vault by passing username/password pair using
  28267. the LDAP authentication method
  28268. properties:
  28269. path:
  28270. default: ldap
  28271. description: |-
  28272. Path where the LDAP authentication backend is mounted
  28273. in Vault, e.g: "ldap"
  28274. type: string
  28275. secretRef:
  28276. description: |-
  28277. SecretRef to a key in a Secret resource containing password for the LDAP
  28278. user used to authenticate with Vault using the LDAP authentication
  28279. method
  28280. properties:
  28281. key:
  28282. description: |-
  28283. A key in the referenced Secret.
  28284. Some instances of this field may be defaulted, in others it may be required.
  28285. maxLength: 253
  28286. minLength: 1
  28287. pattern: ^[-._a-zA-Z0-9]+$
  28288. type: string
  28289. name:
  28290. description: The name of the Secret resource being referred to.
  28291. maxLength: 253
  28292. minLength: 1
  28293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28294. type: string
  28295. namespace:
  28296. description: |-
  28297. The namespace of the Secret resource being referred to.
  28298. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28299. maxLength: 63
  28300. minLength: 1
  28301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28302. type: string
  28303. type: object
  28304. username:
  28305. description: |-
  28306. Username is an LDAP username used to authenticate using the LDAP Vault
  28307. authentication method
  28308. type: string
  28309. required:
  28310. - path
  28311. - username
  28312. type: object
  28313. namespace:
  28314. description: |-
  28315. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  28316. Namespaces is a set of features within Vault Enterprise that allows
  28317. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28318. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28319. This will default to Vault.Namespace field if set, or empty otherwise
  28320. type: string
  28321. tokenSecretRef:
  28322. description: TokenSecretRef authenticates with Vault by presenting a token.
  28323. properties:
  28324. key:
  28325. description: |-
  28326. A key in the referenced Secret.
  28327. Some instances of this field may be defaulted, in others it may be required.
  28328. maxLength: 253
  28329. minLength: 1
  28330. pattern: ^[-._a-zA-Z0-9]+$
  28331. type: string
  28332. name:
  28333. description: The name of the Secret resource being referred to.
  28334. maxLength: 253
  28335. minLength: 1
  28336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28337. type: string
  28338. namespace:
  28339. description: |-
  28340. The namespace of the Secret resource being referred to.
  28341. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28342. maxLength: 63
  28343. minLength: 1
  28344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28345. type: string
  28346. type: object
  28347. userPass:
  28348. description: UserPass authenticates with Vault by passing username/password pair
  28349. properties:
  28350. path:
  28351. default: userpass
  28352. description: |-
  28353. Path where the UserPassword authentication backend is mounted
  28354. in Vault, e.g: "userpass"
  28355. type: string
  28356. secretRef:
  28357. description: |-
  28358. SecretRef to a key in a Secret resource containing password for the
  28359. user used to authenticate with Vault using the UserPass authentication
  28360. method
  28361. properties:
  28362. key:
  28363. description: |-
  28364. A key in the referenced Secret.
  28365. Some instances of this field may be defaulted, in others it may be required.
  28366. maxLength: 253
  28367. minLength: 1
  28368. pattern: ^[-._a-zA-Z0-9]+$
  28369. type: string
  28370. name:
  28371. description: The name of the Secret resource being referred to.
  28372. maxLength: 253
  28373. minLength: 1
  28374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28375. type: string
  28376. namespace:
  28377. description: |-
  28378. The namespace of the Secret resource being referred to.
  28379. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28380. maxLength: 63
  28381. minLength: 1
  28382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28383. type: string
  28384. type: object
  28385. username:
  28386. description: |-
  28387. Username is a username used to authenticate using the UserPass Vault
  28388. authentication method
  28389. type: string
  28390. required:
  28391. - path
  28392. - username
  28393. type: object
  28394. type: object
  28395. caBundle:
  28396. description: |-
  28397. PEM encoded CA bundle used to validate Vault server certificate. Only used
  28398. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28399. plain HTTP protocol connection. If not set the system root certificates
  28400. are used to validate the TLS connection.
  28401. format: byte
  28402. type: string
  28403. caProvider:
  28404. description: The provider for the CA bundle to use to validate Vault server certificate.
  28405. properties:
  28406. key:
  28407. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28408. maxLength: 253
  28409. minLength: 1
  28410. pattern: ^[-._a-zA-Z0-9]+$
  28411. type: string
  28412. name:
  28413. description: The name of the object located at the provider type.
  28414. maxLength: 253
  28415. minLength: 1
  28416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28417. type: string
  28418. namespace:
  28419. description: |-
  28420. The namespace the Provider type is in.
  28421. Can only be defined when used in a ClusterSecretStore.
  28422. maxLength: 63
  28423. minLength: 1
  28424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28425. type: string
  28426. type:
  28427. description: The type of provider to use such as "Secret", or "ConfigMap".
  28428. enum:
  28429. - Secret
  28430. - ConfigMap
  28431. type: string
  28432. required:
  28433. - name
  28434. - type
  28435. type: object
  28436. checkAndSet:
  28437. description: |-
  28438. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  28439. Only applies to Vault KV v2 stores. When enabled, write operations must include
  28440. the current version of the secret to prevent unintentional overwrites.
  28441. properties:
  28442. required:
  28443. description: |-
  28444. Required when true, all write operations must include a check-and-set parameter.
  28445. This helps prevent unintentional overwrites of secrets.
  28446. type: boolean
  28447. type: object
  28448. forwardInconsistent:
  28449. description: |-
  28450. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  28451. leader instead of simply retrying within a loop. This can increase performance if
  28452. the option is enabled serverside.
  28453. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  28454. type: boolean
  28455. headers:
  28456. additionalProperties:
  28457. type: string
  28458. description: Headers to be added in Vault request
  28459. type: object
  28460. namespace:
  28461. description: |-
  28462. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  28463. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28464. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28465. type: string
  28466. path:
  28467. description: |-
  28468. Path is the mount path of the Vault KV backend endpoint, e.g:
  28469. "secret". The v2 KV secret engine version specific "/data" path suffix
  28470. for fetching secrets from Vault is optional and will be appended
  28471. if not present in specified path.
  28472. type: string
  28473. readYourWrites:
  28474. description: |-
  28475. ReadYourWrites ensures isolated read-after-write semantics by
  28476. providing discovered cluster replication states in each request.
  28477. More information about eventual consistency in Vault can be found here
  28478. https://www.vaultproject.io/docs/enterprise/consistency
  28479. type: boolean
  28480. server:
  28481. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  28482. type: string
  28483. tls:
  28484. description: |-
  28485. The configuration used for client side related TLS communication, when the Vault server
  28486. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  28487. This parameter is ignored for plain HTTP protocol connection.
  28488. It's worth noting this configuration is different from the "TLS certificates auth method",
  28489. which is available under the `auth.cert` section.
  28490. properties:
  28491. certSecretRef:
  28492. description: |-
  28493. CertSecretRef is a certificate added to the transport layer
  28494. when communicating with the Vault server.
  28495. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  28496. properties:
  28497. key:
  28498. description: |-
  28499. A key in the referenced Secret.
  28500. Some instances of this field may be defaulted, in others it may be required.
  28501. maxLength: 253
  28502. minLength: 1
  28503. pattern: ^[-._a-zA-Z0-9]+$
  28504. type: string
  28505. name:
  28506. description: The name of the Secret resource being referred to.
  28507. maxLength: 253
  28508. minLength: 1
  28509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28510. type: string
  28511. namespace:
  28512. description: |-
  28513. The namespace of the Secret resource being referred to.
  28514. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28515. maxLength: 63
  28516. minLength: 1
  28517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28518. type: string
  28519. type: object
  28520. keySecretRef:
  28521. description: |-
  28522. KeySecretRef to a key in a Secret resource containing client private key
  28523. added to the transport layer when communicating with the Vault server.
  28524. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  28525. properties:
  28526. key:
  28527. description: |-
  28528. A key in the referenced Secret.
  28529. Some instances of this field may be defaulted, in others it may be required.
  28530. maxLength: 253
  28531. minLength: 1
  28532. pattern: ^[-._a-zA-Z0-9]+$
  28533. type: string
  28534. name:
  28535. description: The name of the Secret resource being referred to.
  28536. maxLength: 253
  28537. minLength: 1
  28538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28539. type: string
  28540. namespace:
  28541. description: |-
  28542. The namespace of the Secret resource being referred to.
  28543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28544. maxLength: 63
  28545. minLength: 1
  28546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28547. type: string
  28548. type: object
  28549. type: object
  28550. version:
  28551. default: v2
  28552. description: |-
  28553. Version is the Vault KV secret engine version. This can be either "v1" or
  28554. "v2". Version defaults to "v2".
  28555. enum:
  28556. - v1
  28557. - v2
  28558. type: string
  28559. required:
  28560. - server
  28561. type: object
  28562. resultType:
  28563. default: Data
  28564. description: |-
  28565. Result type defines which data is returned from the generator.
  28566. By default, it is the "data" section of the Vault API response.
  28567. When using e.g. /auth/token/create the "data" section is empty but
  28568. the "auth" section contains the generated token.
  28569. Please refer to the vault docs regarding the result data structure.
  28570. Additionally, accessing the raw response is possibly by using "Raw" result type.
  28571. enum:
  28572. - Data
  28573. - Auth
  28574. - Raw
  28575. type: string
  28576. retrySettings:
  28577. description: Used to configure http retries if failed
  28578. properties:
  28579. maxRetries:
  28580. type: integer
  28581. retryInterval:
  28582. type: string
  28583. type: object
  28584. required:
  28585. - path
  28586. - provider
  28587. type: object
  28588. webhookSpec:
  28589. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  28590. properties:
  28591. auth:
  28592. description: Auth specifies a authorization protocol. Only one protocol may be set.
  28593. maxProperties: 1
  28594. minProperties: 1
  28595. properties:
  28596. ntlm:
  28597. description: NTLMProtocol configures the store to use NTLM for auth
  28598. properties:
  28599. passwordSecret:
  28600. description: |-
  28601. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28602. In some instances, `key` is a required field.
  28603. properties:
  28604. key:
  28605. description: |-
  28606. A key in the referenced Secret.
  28607. Some instances of this field may be defaulted, in others it may be required.
  28608. maxLength: 253
  28609. minLength: 1
  28610. pattern: ^[-._a-zA-Z0-9]+$
  28611. type: string
  28612. name:
  28613. description: The name of the Secret resource being referred to.
  28614. maxLength: 253
  28615. minLength: 1
  28616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28617. type: string
  28618. namespace:
  28619. description: |-
  28620. The namespace of the Secret resource being referred to.
  28621. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28622. maxLength: 63
  28623. minLength: 1
  28624. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28625. type: string
  28626. type: object
  28627. usernameSecret:
  28628. description: |-
  28629. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28630. In some instances, `key` is a required field.
  28631. properties:
  28632. key:
  28633. description: |-
  28634. A key in the referenced Secret.
  28635. Some instances of this field may be defaulted, in others it may be required.
  28636. maxLength: 253
  28637. minLength: 1
  28638. pattern: ^[-._a-zA-Z0-9]+$
  28639. type: string
  28640. name:
  28641. description: The name of the Secret resource being referred to.
  28642. maxLength: 253
  28643. minLength: 1
  28644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28645. type: string
  28646. namespace:
  28647. description: |-
  28648. The namespace of the Secret resource being referred to.
  28649. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28650. maxLength: 63
  28651. minLength: 1
  28652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28653. type: string
  28654. type: object
  28655. required:
  28656. - passwordSecret
  28657. - usernameSecret
  28658. type: object
  28659. type: object
  28660. body:
  28661. description: Body
  28662. type: string
  28663. caBundle:
  28664. description: |-
  28665. PEM encoded CA bundle used to validate webhook server certificate. Only used
  28666. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28667. plain HTTP protocol connection. If not set the system root certificates
  28668. are used to validate the TLS connection.
  28669. format: byte
  28670. type: string
  28671. caProvider:
  28672. description: The provider for the CA bundle to use to validate webhook server certificate.
  28673. properties:
  28674. key:
  28675. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28676. maxLength: 253
  28677. minLength: 1
  28678. pattern: ^[-._a-zA-Z0-9]+$
  28679. type: string
  28680. name:
  28681. description: The name of the object located at the provider type.
  28682. maxLength: 253
  28683. minLength: 1
  28684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28685. type: string
  28686. namespace:
  28687. description: The namespace the Provider type is in.
  28688. maxLength: 63
  28689. minLength: 1
  28690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28691. type: string
  28692. type:
  28693. description: The type of provider to use such as "Secret", or "ConfigMap".
  28694. enum:
  28695. - Secret
  28696. - ConfigMap
  28697. type: string
  28698. required:
  28699. - name
  28700. - type
  28701. type: object
  28702. headers:
  28703. additionalProperties:
  28704. type: string
  28705. description: Headers
  28706. type: object
  28707. method:
  28708. description: Webhook Method
  28709. type: string
  28710. result:
  28711. description: Result formatting
  28712. properties:
  28713. jsonPath:
  28714. description: Json path of return value
  28715. type: string
  28716. type: object
  28717. secrets:
  28718. description: |-
  28719. Secrets to fill in templates
  28720. These secrets will be passed to the templating function as key value pairs under the given name
  28721. items:
  28722. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28723. properties:
  28724. name:
  28725. description: Name of this secret in templates
  28726. type: string
  28727. secretRef:
  28728. description: Secret ref to fill in credentials
  28729. properties:
  28730. key:
  28731. description: The key where the token is found.
  28732. maxLength: 253
  28733. minLength: 1
  28734. pattern: ^[-._a-zA-Z0-9]+$
  28735. type: string
  28736. name:
  28737. description: The name of the Secret resource being referred to.
  28738. maxLength: 253
  28739. minLength: 1
  28740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28741. type: string
  28742. type: object
  28743. required:
  28744. - name
  28745. - secretRef
  28746. type: object
  28747. type: array
  28748. timeout:
  28749. description: Timeout
  28750. type: string
  28751. url:
  28752. description: Webhook url to call
  28753. type: string
  28754. required:
  28755. - result
  28756. - url
  28757. type: object
  28758. type: object
  28759. kind:
  28760. description: Kind the kind of this generator.
  28761. enum:
  28762. - ACRAccessToken
  28763. - BeyondtrustWorkloadCredentialsDynamicSecret
  28764. - CloudsmithAccessToken
  28765. - ECRAuthorizationToken
  28766. - Fake
  28767. - GCRAccessToken
  28768. - GithubAccessToken
  28769. - QuayAccessToken
  28770. - Password
  28771. - SSHKey
  28772. - STSSessionToken
  28773. - UUID
  28774. - VaultDynamicSecret
  28775. - Webhook
  28776. - Grafana
  28777. - MFA
  28778. type: string
  28779. required:
  28780. - generator
  28781. - kind
  28782. type: object
  28783. type: object
  28784. served: true
  28785. storage: true
  28786. subresources:
  28787. status: {}
  28788. ---
  28789. apiVersion: apiextensions.k8s.io/v1
  28790. kind: CustomResourceDefinition
  28791. metadata:
  28792. annotations:
  28793. controller-gen.kubebuilder.io/version: v0.19.0
  28794. labels:
  28795. external-secrets.io/component: controller
  28796. name: ecrauthorizationtokens.generators.external-secrets.io
  28797. spec:
  28798. group: generators.external-secrets.io
  28799. names:
  28800. categories:
  28801. - external-secrets
  28802. - external-secrets-generators
  28803. kind: ECRAuthorizationToken
  28804. listKind: ECRAuthorizationTokenList
  28805. plural: ecrauthorizationtokens
  28806. singular: ecrauthorizationtoken
  28807. scope: Namespaced
  28808. versions:
  28809. - name: v1alpha1
  28810. schema:
  28811. openAPIV3Schema:
  28812. description: |-
  28813. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28814. The authorization token is valid for 12 hours.
  28815. The authorizationToken returned is a base64 encoded string that can be decoded
  28816. and used in a docker login command to authenticate to a registry.
  28817. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28818. properties:
  28819. apiVersion:
  28820. description: |-
  28821. APIVersion defines the versioned schema of this representation of an object.
  28822. Servers should convert recognized schemas to the latest internal value, and
  28823. may reject unrecognized values.
  28824. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28825. type: string
  28826. kind:
  28827. description: |-
  28828. Kind is a string value representing the REST resource this object represents.
  28829. Servers may infer this from the endpoint the client submits requests to.
  28830. Cannot be updated.
  28831. In CamelCase.
  28832. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28833. type: string
  28834. metadata:
  28835. type: object
  28836. spec:
  28837. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28838. properties:
  28839. auth:
  28840. description: Auth defines how to authenticate with AWS
  28841. properties:
  28842. jwt:
  28843. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28844. properties:
  28845. serviceAccountRef:
  28846. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28847. properties:
  28848. audiences:
  28849. description: |-
  28850. Audience specifies the `aud` claim for the service account token
  28851. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28852. then this audiences will be appended to the list
  28853. items:
  28854. type: string
  28855. type: array
  28856. name:
  28857. description: The name of the ServiceAccount resource being referred to.
  28858. maxLength: 253
  28859. minLength: 1
  28860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28861. type: string
  28862. namespace:
  28863. description: |-
  28864. Namespace of the resource being referred to.
  28865. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28866. maxLength: 63
  28867. minLength: 1
  28868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28869. type: string
  28870. required:
  28871. - name
  28872. type: object
  28873. type: object
  28874. secretRef:
  28875. description: |-
  28876. AWSAuthSecretRef holds secret references for AWS credentials
  28877. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28878. properties:
  28879. accessKeyIDSecretRef:
  28880. description: The AccessKeyID is used for authentication
  28881. properties:
  28882. key:
  28883. description: |-
  28884. A key in the referenced Secret.
  28885. Some instances of this field may be defaulted, in others it may be required.
  28886. maxLength: 253
  28887. minLength: 1
  28888. pattern: ^[-._a-zA-Z0-9]+$
  28889. type: string
  28890. name:
  28891. description: The name of the Secret resource being referred to.
  28892. maxLength: 253
  28893. minLength: 1
  28894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28895. type: string
  28896. namespace:
  28897. description: |-
  28898. The namespace of the Secret resource being referred to.
  28899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28900. maxLength: 63
  28901. minLength: 1
  28902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28903. type: string
  28904. type: object
  28905. secretAccessKeySecretRef:
  28906. description: The SecretAccessKey is used for authentication
  28907. properties:
  28908. key:
  28909. description: |-
  28910. A key in the referenced Secret.
  28911. Some instances of this field may be defaulted, in others it may be required.
  28912. maxLength: 253
  28913. minLength: 1
  28914. pattern: ^[-._a-zA-Z0-9]+$
  28915. type: string
  28916. name:
  28917. description: The name of the Secret resource being referred to.
  28918. maxLength: 253
  28919. minLength: 1
  28920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28921. type: string
  28922. namespace:
  28923. description: |-
  28924. The namespace of the Secret resource being referred to.
  28925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28926. maxLength: 63
  28927. minLength: 1
  28928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28929. type: string
  28930. type: object
  28931. sessionTokenSecretRef:
  28932. description: |-
  28933. The SessionToken used for authentication
  28934. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28935. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28936. properties:
  28937. key:
  28938. description: |-
  28939. A key in the referenced Secret.
  28940. Some instances of this field may be defaulted, in others it may be required.
  28941. maxLength: 253
  28942. minLength: 1
  28943. pattern: ^[-._a-zA-Z0-9]+$
  28944. type: string
  28945. name:
  28946. description: The name of the Secret resource being referred to.
  28947. maxLength: 253
  28948. minLength: 1
  28949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28950. type: string
  28951. namespace:
  28952. description: |-
  28953. The namespace of the Secret resource being referred to.
  28954. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28955. maxLength: 63
  28956. minLength: 1
  28957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28958. type: string
  28959. type: object
  28960. type: object
  28961. type: object
  28962. region:
  28963. description: Region specifies the region to operate in.
  28964. type: string
  28965. role:
  28966. description: |-
  28967. You can assume a role before making calls to the
  28968. desired AWS service.
  28969. type: string
  28970. scope:
  28971. description: |-
  28972. Scope specifies the ECR service scope.
  28973. Valid options are private and public.
  28974. type: string
  28975. required:
  28976. - region
  28977. type: object
  28978. type: object
  28979. served: true
  28980. storage: true
  28981. subresources:
  28982. status: {}
  28983. ---
  28984. apiVersion: apiextensions.k8s.io/v1
  28985. kind: CustomResourceDefinition
  28986. metadata:
  28987. annotations:
  28988. controller-gen.kubebuilder.io/version: v0.19.0
  28989. labels:
  28990. external-secrets.io/component: controller
  28991. name: fakes.generators.external-secrets.io
  28992. spec:
  28993. group: generators.external-secrets.io
  28994. names:
  28995. categories:
  28996. - external-secrets
  28997. - external-secrets-generators
  28998. kind: Fake
  28999. listKind: FakeList
  29000. plural: fakes
  29001. singular: fake
  29002. scope: Namespaced
  29003. versions:
  29004. - name: v1alpha1
  29005. schema:
  29006. openAPIV3Schema:
  29007. description: |-
  29008. Fake generator is used for testing. It lets you define
  29009. a static set of credentials that is always returned.
  29010. properties:
  29011. apiVersion:
  29012. description: |-
  29013. APIVersion defines the versioned schema of this representation of an object.
  29014. Servers should convert recognized schemas to the latest internal value, and
  29015. may reject unrecognized values.
  29016. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29017. type: string
  29018. kind:
  29019. description: |-
  29020. Kind is a string value representing the REST resource this object represents.
  29021. Servers may infer this from the endpoint the client submits requests to.
  29022. Cannot be updated.
  29023. In CamelCase.
  29024. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29025. type: string
  29026. metadata:
  29027. type: object
  29028. spec:
  29029. description: FakeSpec contains the static data.
  29030. properties:
  29031. controller:
  29032. description: |-
  29033. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29034. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29035. type: string
  29036. data:
  29037. additionalProperties:
  29038. type: string
  29039. description: |-
  29040. Data defines the static data returned
  29041. by this generator.
  29042. type: object
  29043. type: object
  29044. type: object
  29045. served: true
  29046. storage: true
  29047. subresources:
  29048. status: {}
  29049. ---
  29050. apiVersion: apiextensions.k8s.io/v1
  29051. kind: CustomResourceDefinition
  29052. metadata:
  29053. annotations:
  29054. controller-gen.kubebuilder.io/version: v0.19.0
  29055. labels:
  29056. external-secrets.io/component: controller
  29057. name: gcraccesstokens.generators.external-secrets.io
  29058. spec:
  29059. group: generators.external-secrets.io
  29060. names:
  29061. categories:
  29062. - external-secrets
  29063. - external-secrets-generators
  29064. kind: GCRAccessToken
  29065. listKind: GCRAccessTokenList
  29066. plural: gcraccesstokens
  29067. singular: gcraccesstoken
  29068. scope: Namespaced
  29069. versions:
  29070. - name: v1alpha1
  29071. schema:
  29072. openAPIV3Schema:
  29073. description: |-
  29074. GCRAccessToken generates an GCP access token
  29075. that can be used to authenticate with GCR.
  29076. properties:
  29077. apiVersion:
  29078. description: |-
  29079. APIVersion defines the versioned schema of this representation of an object.
  29080. Servers should convert recognized schemas to the latest internal value, and
  29081. may reject unrecognized values.
  29082. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29083. type: string
  29084. kind:
  29085. description: |-
  29086. Kind is a string value representing the REST resource this object represents.
  29087. Servers may infer this from the endpoint the client submits requests to.
  29088. Cannot be updated.
  29089. In CamelCase.
  29090. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29091. type: string
  29092. metadata:
  29093. type: object
  29094. spec:
  29095. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  29096. properties:
  29097. auth:
  29098. description: Auth defines the means for authenticating with GCP
  29099. properties:
  29100. secretRef:
  29101. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  29102. properties:
  29103. secretAccessKeySecretRef:
  29104. description: The SecretAccessKey is used for authentication
  29105. properties:
  29106. key:
  29107. description: |-
  29108. A key in the referenced Secret.
  29109. Some instances of this field may be defaulted, in others it may be required.
  29110. maxLength: 253
  29111. minLength: 1
  29112. pattern: ^[-._a-zA-Z0-9]+$
  29113. type: string
  29114. name:
  29115. description: The name of the Secret resource being referred to.
  29116. maxLength: 253
  29117. minLength: 1
  29118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29119. type: string
  29120. namespace:
  29121. description: |-
  29122. The namespace of the Secret resource being referred to.
  29123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29124. maxLength: 63
  29125. minLength: 1
  29126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29127. type: string
  29128. type: object
  29129. type: object
  29130. workloadIdentity:
  29131. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  29132. properties:
  29133. clusterLocation:
  29134. type: string
  29135. clusterName:
  29136. type: string
  29137. clusterProjectID:
  29138. type: string
  29139. serviceAccountRef:
  29140. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29141. properties:
  29142. audiences:
  29143. description: |-
  29144. Audience specifies the `aud` claim for the service account token
  29145. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29146. then this audiences will be appended to the list
  29147. items:
  29148. type: string
  29149. type: array
  29150. name:
  29151. description: The name of the ServiceAccount resource being referred to.
  29152. maxLength: 253
  29153. minLength: 1
  29154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29155. type: string
  29156. namespace:
  29157. description: |-
  29158. Namespace of the resource being referred to.
  29159. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29160. maxLength: 63
  29161. minLength: 1
  29162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29163. type: string
  29164. required:
  29165. - name
  29166. type: object
  29167. required:
  29168. - clusterLocation
  29169. - clusterName
  29170. - serviceAccountRef
  29171. type: object
  29172. workloadIdentityFederation:
  29173. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  29174. properties:
  29175. audience:
  29176. description: |-
  29177. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  29178. If specified, Audience found in the external account credential config will be overridden with the configured value.
  29179. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  29180. type: string
  29181. awsSecurityCredentials:
  29182. description: |-
  29183. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  29184. when using the AWS metadata server is not an option.
  29185. properties:
  29186. awsCredentialsSecretRef:
  29187. description: |-
  29188. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  29189. Secret should be created with below names for keys
  29190. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  29191. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  29192. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  29193. properties:
  29194. name:
  29195. description: name of the secret.
  29196. maxLength: 253
  29197. minLength: 1
  29198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29199. type: string
  29200. namespace:
  29201. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  29202. maxLength: 63
  29203. minLength: 1
  29204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29205. type: string
  29206. required:
  29207. - name
  29208. type: object
  29209. region:
  29210. description: region is for configuring the AWS region to be used.
  29211. example: ap-south-1
  29212. maxLength: 50
  29213. minLength: 1
  29214. pattern: ^[a-z0-9-]+$
  29215. type: string
  29216. required:
  29217. - awsCredentialsSecretRef
  29218. - region
  29219. type: object
  29220. credConfig:
  29221. description: |-
  29222. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  29223. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  29224. serviceAccountRef must be used by providing operators service account details.
  29225. properties:
  29226. key:
  29227. description: key name holding the external account credential config.
  29228. maxLength: 253
  29229. minLength: 1
  29230. pattern: ^[-._a-zA-Z0-9]+$
  29231. type: string
  29232. name:
  29233. description: name of the configmap.
  29234. maxLength: 253
  29235. minLength: 1
  29236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29237. type: string
  29238. namespace:
  29239. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  29240. maxLength: 63
  29241. minLength: 1
  29242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29243. type: string
  29244. required:
  29245. - key
  29246. - name
  29247. type: object
  29248. externalTokenEndpoint:
  29249. description: |-
  29250. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  29251. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  29252. URL is having the expected value.
  29253. type: string
  29254. gcpServiceAccountEmail:
  29255. description: |-
  29256. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  29257. after Workload Identity Federation. Use this to grant access through the service account's
  29258. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  29259. service_account_impersonation_url in the external account JSON from credConfig;
  29260. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  29261. on that ServiceAccount.
  29262. example: my-gsa@my-project.iam.gserviceaccount.com
  29263. minLength: 1
  29264. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  29265. type: string
  29266. serviceAccountRef:
  29267. description: |-
  29268. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  29269. when Kubernetes is configured as provider in workload identity pool.
  29270. properties:
  29271. audiences:
  29272. description: |-
  29273. Audience specifies the `aud` claim for the service account token
  29274. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29275. then this audiences will be appended to the list
  29276. items:
  29277. type: string
  29278. type: array
  29279. name:
  29280. description: The name of the ServiceAccount resource being referred to.
  29281. maxLength: 253
  29282. minLength: 1
  29283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29284. type: string
  29285. namespace:
  29286. description: |-
  29287. Namespace of the resource being referred to.
  29288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29289. maxLength: 63
  29290. minLength: 1
  29291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29292. type: string
  29293. required:
  29294. - name
  29295. type: object
  29296. type: object
  29297. type: object
  29298. projectID:
  29299. description: ProjectID defines which project to use to authenticate with
  29300. type: string
  29301. required:
  29302. - auth
  29303. - projectID
  29304. type: object
  29305. type: object
  29306. served: true
  29307. storage: true
  29308. subresources:
  29309. status: {}
  29310. ---
  29311. apiVersion: apiextensions.k8s.io/v1
  29312. kind: CustomResourceDefinition
  29313. metadata:
  29314. annotations:
  29315. controller-gen.kubebuilder.io/version: v0.19.0
  29316. labels:
  29317. external-secrets.io/component: controller
  29318. name: generatorstates.generators.external-secrets.io
  29319. spec:
  29320. group: generators.external-secrets.io
  29321. names:
  29322. categories:
  29323. - external-secrets
  29324. - external-secrets-generators
  29325. kind: GeneratorState
  29326. listKind: GeneratorStateList
  29327. plural: generatorstates
  29328. shortNames:
  29329. - gs
  29330. singular: generatorstate
  29331. scope: Namespaced
  29332. versions:
  29333. - additionalPrinterColumns:
  29334. - jsonPath: .spec.garbageCollectionDeadline
  29335. name: GC Deadline
  29336. type: string
  29337. - jsonPath: .metadata.creationTimestamp
  29338. name: Age
  29339. type: date
  29340. name: v1alpha1
  29341. schema:
  29342. openAPIV3Schema:
  29343. description: GeneratorState represents the state created and managed by a generator resource.
  29344. properties:
  29345. apiVersion:
  29346. description: |-
  29347. APIVersion defines the versioned schema of this representation of an object.
  29348. Servers should convert recognized schemas to the latest internal value, and
  29349. may reject unrecognized values.
  29350. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29351. type: string
  29352. kind:
  29353. description: |-
  29354. Kind is a string value representing the REST resource this object represents.
  29355. Servers may infer this from the endpoint the client submits requests to.
  29356. Cannot be updated.
  29357. In CamelCase.
  29358. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29359. type: string
  29360. metadata:
  29361. type: object
  29362. spec:
  29363. description: GeneratorStateSpec defines the desired state of a generator state resource.
  29364. properties:
  29365. garbageCollectionDeadline:
  29366. description: |-
  29367. GarbageCollectionDeadline is the time after which the generator state
  29368. will be deleted.
  29369. It is set by the controller which creates the generator state and
  29370. can be set configured by the user.
  29371. If the garbage collection deadline is not set the generator state will not be deleted.
  29372. format: date-time
  29373. type: string
  29374. resource:
  29375. description: |-
  29376. Resource is the generator manifest that produced the state.
  29377. It is a snapshot of the generator manifest at the time the state was produced.
  29378. This manifest will be used to delete the resource. Any configuration that is referenced
  29379. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  29380. be blocked by a finalizer.
  29381. x-kubernetes-preserve-unknown-fields: true
  29382. state:
  29383. description: State is the state that was produced by the generator implementation.
  29384. x-kubernetes-preserve-unknown-fields: true
  29385. required:
  29386. - resource
  29387. - state
  29388. type: object
  29389. status:
  29390. description: GeneratorStateStatus defines the observed state of a generator state resource.
  29391. properties:
  29392. conditions:
  29393. items:
  29394. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  29395. properties:
  29396. lastTransitionTime:
  29397. format: date-time
  29398. type: string
  29399. message:
  29400. type: string
  29401. reason:
  29402. type: string
  29403. status:
  29404. type: string
  29405. type:
  29406. description: GeneratorStateConditionType represents the type of condition for a generator state.
  29407. type: string
  29408. required:
  29409. - status
  29410. - type
  29411. type: object
  29412. type: array
  29413. type: object
  29414. type: object
  29415. served: true
  29416. storage: true
  29417. subresources: {}
  29418. ---
  29419. apiVersion: apiextensions.k8s.io/v1
  29420. kind: CustomResourceDefinition
  29421. metadata:
  29422. annotations:
  29423. controller-gen.kubebuilder.io/version: v0.19.0
  29424. labels:
  29425. external-secrets.io/component: controller
  29426. name: githubaccesstokens.generators.external-secrets.io
  29427. spec:
  29428. group: generators.external-secrets.io
  29429. names:
  29430. categories:
  29431. - external-secrets
  29432. - external-secrets-generators
  29433. kind: GithubAccessToken
  29434. listKind: GithubAccessTokenList
  29435. plural: githubaccesstokens
  29436. singular: githubaccesstoken
  29437. scope: Namespaced
  29438. versions:
  29439. - name: v1alpha1
  29440. schema:
  29441. openAPIV3Schema:
  29442. description: GithubAccessToken generates ghs_ accessToken
  29443. properties:
  29444. apiVersion:
  29445. description: |-
  29446. APIVersion defines the versioned schema of this representation of an object.
  29447. Servers should convert recognized schemas to the latest internal value, and
  29448. may reject unrecognized values.
  29449. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29450. type: string
  29451. kind:
  29452. description: |-
  29453. Kind is a string value representing the REST resource this object represents.
  29454. Servers may infer this from the endpoint the client submits requests to.
  29455. Cannot be updated.
  29456. In CamelCase.
  29457. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29458. type: string
  29459. metadata:
  29460. type: object
  29461. spec:
  29462. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  29463. properties:
  29464. appID:
  29465. type: string
  29466. auth:
  29467. description: Auth configures how ESO authenticates with a Github instance.
  29468. properties:
  29469. privateKey:
  29470. description: GithubSecretRef references a secret containing GitHub credentials.
  29471. properties:
  29472. secretRef:
  29473. description: |-
  29474. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29475. In some instances, `key` is a required field.
  29476. properties:
  29477. key:
  29478. description: |-
  29479. A key in the referenced Secret.
  29480. Some instances of this field may be defaulted, in others it may be required.
  29481. maxLength: 253
  29482. minLength: 1
  29483. pattern: ^[-._a-zA-Z0-9]+$
  29484. type: string
  29485. name:
  29486. description: The name of the Secret resource being referred to.
  29487. maxLength: 253
  29488. minLength: 1
  29489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29490. type: string
  29491. namespace:
  29492. description: |-
  29493. The namespace of the Secret resource being referred to.
  29494. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29495. maxLength: 63
  29496. minLength: 1
  29497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29498. type: string
  29499. type: object
  29500. required:
  29501. - secretRef
  29502. type: object
  29503. required:
  29504. - privateKey
  29505. type: object
  29506. installID:
  29507. type: string
  29508. permissions:
  29509. additionalProperties:
  29510. type: string
  29511. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  29512. type: object
  29513. repositories:
  29514. description: |-
  29515. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  29516. is installed to.
  29517. items:
  29518. type: string
  29519. type: array
  29520. url:
  29521. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  29522. type: string
  29523. required:
  29524. - appID
  29525. - auth
  29526. - installID
  29527. type: object
  29528. type: object
  29529. served: true
  29530. storage: true
  29531. subresources:
  29532. status: {}
  29533. ---
  29534. apiVersion: apiextensions.k8s.io/v1
  29535. kind: CustomResourceDefinition
  29536. metadata:
  29537. annotations:
  29538. controller-gen.kubebuilder.io/version: v0.19.0
  29539. labels:
  29540. external-secrets.io/component: controller
  29541. name: grafanas.generators.external-secrets.io
  29542. spec:
  29543. group: generators.external-secrets.io
  29544. names:
  29545. categories:
  29546. - external-secrets
  29547. - external-secrets-generators
  29548. kind: Grafana
  29549. listKind: GrafanaList
  29550. plural: grafanas
  29551. singular: grafana
  29552. scope: Namespaced
  29553. versions:
  29554. - name: v1alpha1
  29555. schema:
  29556. openAPIV3Schema:
  29557. description: Grafana represents a generator for Grafana service account tokens.
  29558. properties:
  29559. apiVersion:
  29560. description: |-
  29561. APIVersion defines the versioned schema of this representation of an object.
  29562. Servers should convert recognized schemas to the latest internal value, and
  29563. may reject unrecognized values.
  29564. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29565. type: string
  29566. kind:
  29567. description: |-
  29568. Kind is a string value representing the REST resource this object represents.
  29569. Servers may infer this from the endpoint the client submits requests to.
  29570. Cannot be updated.
  29571. In CamelCase.
  29572. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29573. type: string
  29574. metadata:
  29575. type: object
  29576. spec:
  29577. description: GrafanaSpec controls the behavior of the grafana generator.
  29578. properties:
  29579. auth:
  29580. description: |-
  29581. Auth is the authentication configuration to authenticate
  29582. against the Grafana instance.
  29583. properties:
  29584. basic:
  29585. description: |-
  29586. Basic auth credentials used to authenticate against the Grafana instance.
  29587. Note: you need a token which has elevated permissions to create service accounts.
  29588. See here for the documentation on basic roles offered by Grafana:
  29589. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29590. properties:
  29591. password:
  29592. description: A basic auth password used to authenticate against the Grafana instance.
  29593. properties:
  29594. key:
  29595. description: The key where the token is found.
  29596. maxLength: 253
  29597. minLength: 1
  29598. pattern: ^[-._a-zA-Z0-9]+$
  29599. type: string
  29600. name:
  29601. description: The name of the Secret resource being referred to.
  29602. maxLength: 253
  29603. minLength: 1
  29604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29605. type: string
  29606. type: object
  29607. username:
  29608. description: A basic auth username used to authenticate against the Grafana instance.
  29609. type: string
  29610. required:
  29611. - password
  29612. - username
  29613. type: object
  29614. token:
  29615. description: |-
  29616. A service account token used to authenticate against the Grafana instance.
  29617. Note: you need a token which has elevated permissions to create service accounts.
  29618. See here for the documentation on basic roles offered by Grafana:
  29619. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29620. properties:
  29621. key:
  29622. description: The key where the token is found.
  29623. maxLength: 253
  29624. minLength: 1
  29625. pattern: ^[-._a-zA-Z0-9]+$
  29626. type: string
  29627. name:
  29628. description: The name of the Secret resource being referred to.
  29629. maxLength: 253
  29630. minLength: 1
  29631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29632. type: string
  29633. type: object
  29634. type: object
  29635. serviceAccount:
  29636. description: |-
  29637. ServiceAccount is the configuration for the service account that
  29638. is supposed to be generated by the generator.
  29639. properties:
  29640. name:
  29641. description: Name is the name of the service account that will be created by ESO.
  29642. type: string
  29643. role:
  29644. description: |-
  29645. Role is the role of the service account.
  29646. See here for the documentation on basic roles offered by Grafana:
  29647. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29648. type: string
  29649. required:
  29650. - name
  29651. - role
  29652. type: object
  29653. url:
  29654. description: URL is the URL of the Grafana instance.
  29655. type: string
  29656. required:
  29657. - auth
  29658. - serviceAccount
  29659. - url
  29660. type: object
  29661. type: object
  29662. served: true
  29663. storage: true
  29664. subresources:
  29665. status: {}
  29666. ---
  29667. apiVersion: apiextensions.k8s.io/v1
  29668. kind: CustomResourceDefinition
  29669. metadata:
  29670. annotations:
  29671. controller-gen.kubebuilder.io/version: v0.19.0
  29672. labels:
  29673. external-secrets.io/component: controller
  29674. name: mfas.generators.external-secrets.io
  29675. spec:
  29676. group: generators.external-secrets.io
  29677. names:
  29678. categories:
  29679. - external-secrets
  29680. - external-secrets-generators
  29681. kind: MFA
  29682. listKind: MFAList
  29683. plural: mfas
  29684. singular: mfa
  29685. scope: Namespaced
  29686. versions:
  29687. - name: v1alpha1
  29688. schema:
  29689. openAPIV3Schema:
  29690. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29691. properties:
  29692. apiVersion:
  29693. description: |-
  29694. APIVersion defines the versioned schema of this representation of an object.
  29695. Servers should convert recognized schemas to the latest internal value, and
  29696. may reject unrecognized values.
  29697. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29698. type: string
  29699. kind:
  29700. description: |-
  29701. Kind is a string value representing the REST resource this object represents.
  29702. Servers may infer this from the endpoint the client submits requests to.
  29703. Cannot be updated.
  29704. In CamelCase.
  29705. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29706. type: string
  29707. metadata:
  29708. type: object
  29709. spec:
  29710. description: MFASpec controls the behavior of the mfa generator.
  29711. properties:
  29712. algorithm:
  29713. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  29714. type: string
  29715. length:
  29716. description: Length defines the token length. Defaults to 6 characters.
  29717. type: integer
  29718. secret:
  29719. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  29720. properties:
  29721. key:
  29722. description: |-
  29723. A key in the referenced Secret.
  29724. Some instances of this field may be defaulted, in others it may be required.
  29725. maxLength: 253
  29726. minLength: 1
  29727. pattern: ^[-._a-zA-Z0-9]+$
  29728. type: string
  29729. name:
  29730. description: The name of the Secret resource being referred to.
  29731. maxLength: 253
  29732. minLength: 1
  29733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29734. type: string
  29735. namespace:
  29736. description: |-
  29737. The namespace of the Secret resource being referred to.
  29738. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29739. maxLength: 63
  29740. minLength: 1
  29741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29742. type: string
  29743. type: object
  29744. timePeriod:
  29745. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  29746. type: integer
  29747. when:
  29748. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  29749. format: date-time
  29750. type: string
  29751. required:
  29752. - secret
  29753. type: object
  29754. type: object
  29755. served: true
  29756. storage: true
  29757. subresources:
  29758. status: {}
  29759. ---
  29760. apiVersion: apiextensions.k8s.io/v1
  29761. kind: CustomResourceDefinition
  29762. metadata:
  29763. annotations:
  29764. controller-gen.kubebuilder.io/version: v0.19.0
  29765. labels:
  29766. external-secrets.io/component: controller
  29767. name: passwords.generators.external-secrets.io
  29768. spec:
  29769. group: generators.external-secrets.io
  29770. names:
  29771. categories:
  29772. - external-secrets
  29773. - external-secrets-generators
  29774. kind: Password
  29775. listKind: PasswordList
  29776. plural: passwords
  29777. singular: password
  29778. scope: Namespaced
  29779. versions:
  29780. - name: v1alpha1
  29781. schema:
  29782. openAPIV3Schema:
  29783. description: |-
  29784. Password generates a random password based on the
  29785. configuration parameters in spec.
  29786. You can specify the length, characterset and other attributes.
  29787. properties:
  29788. apiVersion:
  29789. description: |-
  29790. APIVersion defines the versioned schema of this representation of an object.
  29791. Servers should convert recognized schemas to the latest internal value, and
  29792. may reject unrecognized values.
  29793. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29794. type: string
  29795. kind:
  29796. description: |-
  29797. Kind is a string value representing the REST resource this object represents.
  29798. Servers may infer this from the endpoint the client submits requests to.
  29799. Cannot be updated.
  29800. In CamelCase.
  29801. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29802. type: string
  29803. metadata:
  29804. type: object
  29805. spec:
  29806. description: PasswordSpec controls the behavior of the password generator.
  29807. properties:
  29808. allowRepeat:
  29809. default: false
  29810. description: set AllowRepeat to true to allow repeating characters.
  29811. type: boolean
  29812. digits:
  29813. description: |-
  29814. Digits specifies the number of digits in the generated
  29815. password. If omitted it defaults to 25% of the length of the password
  29816. type: integer
  29817. encoding:
  29818. default: raw
  29819. description: |-
  29820. Encoding specifies the encoding of the generated password.
  29821. Valid values are:
  29822. - "raw" (default): no encoding
  29823. - "base64": standard base64 encoding
  29824. - "base64url": base64url encoding
  29825. - "base32": base32 encoding
  29826. - "hex": hexadecimal encoding
  29827. enum:
  29828. - base64
  29829. - base64url
  29830. - base32
  29831. - hex
  29832. - raw
  29833. type: string
  29834. length:
  29835. default: 24
  29836. description: |-
  29837. Length of the password to be generated.
  29838. Defaults to 24
  29839. type: integer
  29840. noUpper:
  29841. default: false
  29842. description: Set NoUpper to disable uppercase characters
  29843. type: boolean
  29844. secretKeys:
  29845. description: |-
  29846. SecretKeys defines the keys that will be populated with generated passwords.
  29847. Defaults to "password" when not set.
  29848. items:
  29849. type: string
  29850. minItems: 1
  29851. type: array
  29852. symbolCharacters:
  29853. description: |-
  29854. SymbolCharacters specifies the special characters that should be used
  29855. in the generated password.
  29856. type: string
  29857. symbols:
  29858. description: |-
  29859. Symbols specifies the number of symbol characters in the generated
  29860. password. If omitted it defaults to 25% of the length of the password
  29861. type: integer
  29862. required:
  29863. - allowRepeat
  29864. - length
  29865. - noUpper
  29866. type: object
  29867. type: object
  29868. served: true
  29869. storage: true
  29870. subresources:
  29871. status: {}
  29872. ---
  29873. apiVersion: apiextensions.k8s.io/v1
  29874. kind: CustomResourceDefinition
  29875. metadata:
  29876. annotations:
  29877. controller-gen.kubebuilder.io/version: v0.19.0
  29878. labels:
  29879. external-secrets.io/component: controller
  29880. name: quayaccesstokens.generators.external-secrets.io
  29881. spec:
  29882. group: generators.external-secrets.io
  29883. names:
  29884. categories:
  29885. - external-secrets
  29886. - external-secrets-generators
  29887. kind: QuayAccessToken
  29888. listKind: QuayAccessTokenList
  29889. plural: quayaccesstokens
  29890. singular: quayaccesstoken
  29891. scope: Namespaced
  29892. versions:
  29893. - name: v1alpha1
  29894. schema:
  29895. openAPIV3Schema:
  29896. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  29897. properties:
  29898. apiVersion:
  29899. description: |-
  29900. APIVersion defines the versioned schema of this representation of an object.
  29901. Servers should convert recognized schemas to the latest internal value, and
  29902. may reject unrecognized values.
  29903. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29904. type: string
  29905. kind:
  29906. description: |-
  29907. Kind is a string value representing the REST resource this object represents.
  29908. Servers may infer this from the endpoint the client submits requests to.
  29909. Cannot be updated.
  29910. In CamelCase.
  29911. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29912. type: string
  29913. metadata:
  29914. type: object
  29915. spec:
  29916. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  29917. properties:
  29918. robotAccount:
  29919. description: Name of the robot account you are federating with
  29920. type: string
  29921. serviceAccountRef:
  29922. description: Name of the service account you are federating with
  29923. properties:
  29924. audiences:
  29925. description: |-
  29926. Audience specifies the `aud` claim for the service account token
  29927. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29928. then this audiences will be appended to the list
  29929. items:
  29930. type: string
  29931. type: array
  29932. name:
  29933. description: The name of the ServiceAccount resource being referred to.
  29934. maxLength: 253
  29935. minLength: 1
  29936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29937. type: string
  29938. namespace:
  29939. description: |-
  29940. Namespace of the resource being referred to.
  29941. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29942. maxLength: 63
  29943. minLength: 1
  29944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29945. type: string
  29946. required:
  29947. - name
  29948. type: object
  29949. url:
  29950. description: URL configures the Quay instance URL. Defaults to quay.io.
  29951. type: string
  29952. required:
  29953. - robotAccount
  29954. - serviceAccountRef
  29955. type: object
  29956. type: object
  29957. served: true
  29958. storage: true
  29959. subresources:
  29960. status: {}
  29961. ---
  29962. apiVersion: apiextensions.k8s.io/v1
  29963. kind: CustomResourceDefinition
  29964. metadata:
  29965. annotations:
  29966. controller-gen.kubebuilder.io/version: v0.19.0
  29967. labels:
  29968. external-secrets.io/component: controller
  29969. name: sshkeys.generators.external-secrets.io
  29970. spec:
  29971. group: generators.external-secrets.io
  29972. names:
  29973. categories:
  29974. - external-secrets
  29975. - external-secrets-generators
  29976. kind: SSHKey
  29977. listKind: SSHKeyList
  29978. plural: sshkeys
  29979. singular: sshkey
  29980. scope: Namespaced
  29981. versions:
  29982. - name: v1alpha1
  29983. schema:
  29984. openAPIV3Schema:
  29985. description: SSHKey generates SSH key pairs.
  29986. properties:
  29987. apiVersion:
  29988. description: |-
  29989. APIVersion defines the versioned schema of this representation of an object.
  29990. Servers should convert recognized schemas to the latest internal value, and
  29991. may reject unrecognized values.
  29992. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29993. type: string
  29994. kind:
  29995. description: |-
  29996. Kind is a string value representing the REST resource this object represents.
  29997. Servers may infer this from the endpoint the client submits requests to.
  29998. Cannot be updated.
  29999. In CamelCase.
  30000. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30001. type: string
  30002. metadata:
  30003. type: object
  30004. spec:
  30005. description: SSHKeySpec controls the behavior of the ssh key generator.
  30006. properties:
  30007. comment:
  30008. description: Comment specifies an optional comment for the SSH key
  30009. type: string
  30010. keySize:
  30011. description: |-
  30012. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  30013. For RSA keys: 2048, 3072, 4096
  30014. For ECDSA keys: 256, 384, 521
  30015. Ignored for ed25519 keys
  30016. maximum: 8192
  30017. minimum: 256
  30018. type: integer
  30019. keyType:
  30020. default: rsa
  30021. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  30022. enum:
  30023. - rsa
  30024. - ecdsa
  30025. - ed25519
  30026. type: string
  30027. type: object
  30028. type: object
  30029. served: true
  30030. storage: true
  30031. subresources:
  30032. status: {}
  30033. ---
  30034. apiVersion: apiextensions.k8s.io/v1
  30035. kind: CustomResourceDefinition
  30036. metadata:
  30037. annotations:
  30038. controller-gen.kubebuilder.io/version: v0.19.0
  30039. labels:
  30040. external-secrets.io/component: controller
  30041. name: stssessiontokens.generators.external-secrets.io
  30042. spec:
  30043. group: generators.external-secrets.io
  30044. names:
  30045. categories:
  30046. - external-secrets
  30047. - external-secrets-generators
  30048. kind: STSSessionToken
  30049. listKind: STSSessionTokenList
  30050. plural: stssessiontokens
  30051. singular: stssessiontoken
  30052. scope: Namespaced
  30053. versions:
  30054. - name: v1alpha1
  30055. schema:
  30056. openAPIV3Schema:
  30057. description: |-
  30058. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  30059. The authorization token is valid for 12 hours.
  30060. The authorizationToken returned is a base64 encoded string that can be decoded.
  30061. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  30062. properties:
  30063. apiVersion:
  30064. description: |-
  30065. APIVersion defines the versioned schema of this representation of an object.
  30066. Servers should convert recognized schemas to the latest internal value, and
  30067. may reject unrecognized values.
  30068. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30069. type: string
  30070. kind:
  30071. description: |-
  30072. Kind is a string value representing the REST resource this object represents.
  30073. Servers may infer this from the endpoint the client submits requests to.
  30074. Cannot be updated.
  30075. In CamelCase.
  30076. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30077. type: string
  30078. metadata:
  30079. type: object
  30080. spec:
  30081. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  30082. properties:
  30083. auth:
  30084. description: Auth defines how to authenticate with AWS
  30085. properties:
  30086. jwt:
  30087. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  30088. properties:
  30089. serviceAccountRef:
  30090. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30091. properties:
  30092. audiences:
  30093. description: |-
  30094. Audience specifies the `aud` claim for the service account token
  30095. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30096. then this audiences will be appended to the list
  30097. items:
  30098. type: string
  30099. type: array
  30100. name:
  30101. description: The name of the ServiceAccount resource being referred to.
  30102. maxLength: 253
  30103. minLength: 1
  30104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30105. type: string
  30106. namespace:
  30107. description: |-
  30108. Namespace of the resource being referred to.
  30109. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30110. maxLength: 63
  30111. minLength: 1
  30112. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30113. type: string
  30114. required:
  30115. - name
  30116. type: object
  30117. type: object
  30118. secretRef:
  30119. description: |-
  30120. AWSAuthSecretRef holds secret references for AWS credentials
  30121. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  30122. properties:
  30123. accessKeyIDSecretRef:
  30124. description: The AccessKeyID is used for authentication
  30125. properties:
  30126. key:
  30127. description: |-
  30128. A key in the referenced Secret.
  30129. Some instances of this field may be defaulted, in others it may be required.
  30130. maxLength: 253
  30131. minLength: 1
  30132. pattern: ^[-._a-zA-Z0-9]+$
  30133. type: string
  30134. name:
  30135. description: The name of the Secret resource being referred to.
  30136. maxLength: 253
  30137. minLength: 1
  30138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30139. type: string
  30140. namespace:
  30141. description: |-
  30142. The namespace of the Secret resource being referred to.
  30143. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30144. maxLength: 63
  30145. minLength: 1
  30146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30147. type: string
  30148. type: object
  30149. secretAccessKeySecretRef:
  30150. description: The SecretAccessKey is used for authentication
  30151. properties:
  30152. key:
  30153. description: |-
  30154. A key in the referenced Secret.
  30155. Some instances of this field may be defaulted, in others it may be required.
  30156. maxLength: 253
  30157. minLength: 1
  30158. pattern: ^[-._a-zA-Z0-9]+$
  30159. type: string
  30160. name:
  30161. description: The name of the Secret resource being referred to.
  30162. maxLength: 253
  30163. minLength: 1
  30164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30165. type: string
  30166. namespace:
  30167. description: |-
  30168. The namespace of the Secret resource being referred to.
  30169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30170. maxLength: 63
  30171. minLength: 1
  30172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30173. type: string
  30174. type: object
  30175. sessionTokenSecretRef:
  30176. description: |-
  30177. The SessionToken used for authentication
  30178. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30179. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30180. properties:
  30181. key:
  30182. description: |-
  30183. A key in the referenced Secret.
  30184. Some instances of this field may be defaulted, in others it may be required.
  30185. maxLength: 253
  30186. minLength: 1
  30187. pattern: ^[-._a-zA-Z0-9]+$
  30188. type: string
  30189. name:
  30190. description: The name of the Secret resource being referred to.
  30191. maxLength: 253
  30192. minLength: 1
  30193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30194. type: string
  30195. namespace:
  30196. description: |-
  30197. The namespace of the Secret resource being referred to.
  30198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30199. maxLength: 63
  30200. minLength: 1
  30201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30202. type: string
  30203. type: object
  30204. type: object
  30205. type: object
  30206. region:
  30207. description: Region specifies the region to operate in.
  30208. type: string
  30209. requestParameters:
  30210. description: RequestParameters contains parameters that can be passed to the STS service.
  30211. properties:
  30212. serialNumber:
  30213. description: |-
  30214. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  30215. the GetSessionToken call.
  30216. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  30217. (such as arn:aws:iam::123456789012:mfa/user)
  30218. type: string
  30219. sessionDuration:
  30220. format: int32
  30221. type: integer
  30222. tokenCode:
  30223. description: TokenCode is the value provided by the MFA device, if MFA is required.
  30224. type: string
  30225. type: object
  30226. role:
  30227. description: |-
  30228. You can assume a role before making calls to the
  30229. desired AWS service.
  30230. type: string
  30231. required:
  30232. - region
  30233. type: object
  30234. type: object
  30235. served: true
  30236. storage: true
  30237. subresources:
  30238. status: {}
  30239. ---
  30240. apiVersion: apiextensions.k8s.io/v1
  30241. kind: CustomResourceDefinition
  30242. metadata:
  30243. annotations:
  30244. controller-gen.kubebuilder.io/version: v0.19.0
  30245. labels:
  30246. external-secrets.io/component: controller
  30247. name: uuids.generators.external-secrets.io
  30248. spec:
  30249. group: generators.external-secrets.io
  30250. names:
  30251. categories:
  30252. - external-secrets
  30253. - external-secrets-generators
  30254. kind: UUID
  30255. listKind: UUIDList
  30256. plural: uuids
  30257. singular: uuid
  30258. scope: Namespaced
  30259. versions:
  30260. - name: v1alpha1
  30261. schema:
  30262. openAPIV3Schema:
  30263. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  30264. properties:
  30265. apiVersion:
  30266. description: |-
  30267. APIVersion defines the versioned schema of this representation of an object.
  30268. Servers should convert recognized schemas to the latest internal value, and
  30269. may reject unrecognized values.
  30270. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30271. type: string
  30272. kind:
  30273. description: |-
  30274. Kind is a string value representing the REST resource this object represents.
  30275. Servers may infer this from the endpoint the client submits requests to.
  30276. Cannot be updated.
  30277. In CamelCase.
  30278. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30279. type: string
  30280. metadata:
  30281. type: object
  30282. spec:
  30283. description: UUIDSpec controls the behavior of the uuid generator.
  30284. type: object
  30285. type: object
  30286. served: true
  30287. storage: true
  30288. subresources:
  30289. status: {}
  30290. ---
  30291. apiVersion: apiextensions.k8s.io/v1
  30292. kind: CustomResourceDefinition
  30293. metadata:
  30294. annotations:
  30295. controller-gen.kubebuilder.io/version: v0.19.0
  30296. labels:
  30297. external-secrets.io/component: controller
  30298. name: vaultdynamicsecrets.generators.external-secrets.io
  30299. spec:
  30300. group: generators.external-secrets.io
  30301. names:
  30302. categories:
  30303. - external-secrets
  30304. - external-secrets-generators
  30305. kind: VaultDynamicSecret
  30306. listKind: VaultDynamicSecretList
  30307. plural: vaultdynamicsecrets
  30308. singular: vaultdynamicsecret
  30309. scope: Namespaced
  30310. versions:
  30311. - name: v1alpha1
  30312. schema:
  30313. openAPIV3Schema:
  30314. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  30315. properties:
  30316. apiVersion:
  30317. description: |-
  30318. APIVersion defines the versioned schema of this representation of an object.
  30319. Servers should convert recognized schemas to the latest internal value, and
  30320. may reject unrecognized values.
  30321. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30322. type: string
  30323. kind:
  30324. description: |-
  30325. Kind is a string value representing the REST resource this object represents.
  30326. Servers may infer this from the endpoint the client submits requests to.
  30327. Cannot be updated.
  30328. In CamelCase.
  30329. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30330. type: string
  30331. metadata:
  30332. type: object
  30333. spec:
  30334. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  30335. properties:
  30336. allowEmptyResponse:
  30337. default: false
  30338. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  30339. type: boolean
  30340. controller:
  30341. description: |-
  30342. Used to select the correct ESO controller (think: ingress.ingressClassName)
  30343. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  30344. type: string
  30345. getParameters:
  30346. additionalProperties:
  30347. items:
  30348. type: string
  30349. type: array
  30350. description: |-
  30351. GetParameters are query-string parameters passed to Vault on GET calls.
  30352. Each key may map to multiple values, matching HTTP query-string semantics.
  30353. Ignored for non-GET methods; use Parameters for write bodies.
  30354. type: object
  30355. method:
  30356. description: Vault API method to use (GET/POST/other)
  30357. type: string
  30358. parameters:
  30359. description: Parameters to pass to Vault write (for non-GET methods)
  30360. x-kubernetes-preserve-unknown-fields: true
  30361. path:
  30362. description: Vault path to obtain the dynamic secret from
  30363. type: string
  30364. provider:
  30365. description: Vault provider common spec
  30366. properties:
  30367. auth:
  30368. description: Auth configures how secret-manager authenticates with the Vault server.
  30369. properties:
  30370. appRole:
  30371. description: |-
  30372. AppRole authenticates with Vault using the App Role auth mechanism,
  30373. with the role and secret stored in a Kubernetes Secret resource.
  30374. properties:
  30375. path:
  30376. default: approle
  30377. description: |-
  30378. Path where the App Role authentication backend is mounted
  30379. in Vault, e.g: "approle"
  30380. type: string
  30381. roleId:
  30382. description: |-
  30383. RoleID configured in the App Role authentication backend when setting
  30384. up the authentication backend in Vault.
  30385. type: string
  30386. roleRef:
  30387. description: |-
  30388. Reference to a key in a Secret that contains the App Role ID used
  30389. to authenticate with Vault.
  30390. The `key` field must be specified and denotes which entry within the Secret
  30391. resource is used as the app role id.
  30392. properties:
  30393. key:
  30394. description: |-
  30395. A key in the referenced Secret.
  30396. Some instances of this field may be defaulted, in others it may be required.
  30397. maxLength: 253
  30398. minLength: 1
  30399. pattern: ^[-._a-zA-Z0-9]+$
  30400. type: string
  30401. name:
  30402. description: The name of the Secret resource being referred to.
  30403. maxLength: 253
  30404. minLength: 1
  30405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30406. type: string
  30407. namespace:
  30408. description: |-
  30409. The namespace of the Secret resource being referred to.
  30410. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30411. maxLength: 63
  30412. minLength: 1
  30413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30414. type: string
  30415. type: object
  30416. secretRef:
  30417. description: |-
  30418. Reference to a key in a Secret that contains the App Role secret used
  30419. to authenticate with Vault.
  30420. The `key` field must be specified and denotes which entry within the Secret
  30421. resource is used as the app role secret.
  30422. properties:
  30423. key:
  30424. description: |-
  30425. A key in the referenced Secret.
  30426. Some instances of this field may be defaulted, in others it may be required.
  30427. maxLength: 253
  30428. minLength: 1
  30429. pattern: ^[-._a-zA-Z0-9]+$
  30430. type: string
  30431. name:
  30432. description: The name of the Secret resource being referred to.
  30433. maxLength: 253
  30434. minLength: 1
  30435. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30436. type: string
  30437. namespace:
  30438. description: |-
  30439. The namespace of the Secret resource being referred to.
  30440. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30441. maxLength: 63
  30442. minLength: 1
  30443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30444. type: string
  30445. type: object
  30446. required:
  30447. - path
  30448. - secretRef
  30449. type: object
  30450. cert:
  30451. description: |-
  30452. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  30453. Cert authentication method
  30454. properties:
  30455. clientCert:
  30456. description: |-
  30457. ClientCert is a certificate to authenticate using the Cert Vault
  30458. authentication method
  30459. properties:
  30460. key:
  30461. description: |-
  30462. A key in the referenced Secret.
  30463. Some instances of this field may be defaulted, in others it may be required.
  30464. maxLength: 253
  30465. minLength: 1
  30466. pattern: ^[-._a-zA-Z0-9]+$
  30467. type: string
  30468. name:
  30469. description: The name of the Secret resource being referred to.
  30470. maxLength: 253
  30471. minLength: 1
  30472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30473. type: string
  30474. namespace:
  30475. description: |-
  30476. The namespace of the Secret resource being referred to.
  30477. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30478. maxLength: 63
  30479. minLength: 1
  30480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30481. type: string
  30482. type: object
  30483. path:
  30484. default: cert
  30485. description: |-
  30486. Path where the Certificate authentication backend is mounted
  30487. in Vault, e.g: "cert"
  30488. type: string
  30489. secretRef:
  30490. description: |-
  30491. SecretRef to a key in a Secret resource containing client private key to
  30492. authenticate with Vault using the Cert authentication method
  30493. properties:
  30494. key:
  30495. description: |-
  30496. A key in the referenced Secret.
  30497. Some instances of this field may be defaulted, in others it may be required.
  30498. maxLength: 253
  30499. minLength: 1
  30500. pattern: ^[-._a-zA-Z0-9]+$
  30501. type: string
  30502. name:
  30503. description: The name of the Secret resource being referred to.
  30504. maxLength: 253
  30505. minLength: 1
  30506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30507. type: string
  30508. namespace:
  30509. description: |-
  30510. The namespace of the Secret resource being referred to.
  30511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30512. maxLength: 63
  30513. minLength: 1
  30514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30515. type: string
  30516. type: object
  30517. vaultRole:
  30518. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  30519. type: string
  30520. type: object
  30521. gcp:
  30522. description: |-
  30523. Gcp authenticates with Vault using Google Cloud Platform authentication method
  30524. GCP authentication method
  30525. properties:
  30526. location:
  30527. description: Location optionally defines a location/region for the secret
  30528. type: string
  30529. path:
  30530. default: gcp
  30531. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  30532. type: string
  30533. projectID:
  30534. description: Project ID of the Google Cloud Platform project
  30535. type: string
  30536. role:
  30537. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30538. type: string
  30539. secretRef:
  30540. description: Specify credentials in a Secret object
  30541. properties:
  30542. secretAccessKeySecretRef:
  30543. description: The SecretAccessKey is used for authentication
  30544. properties:
  30545. key:
  30546. description: |-
  30547. A key in the referenced Secret.
  30548. Some instances of this field may be defaulted, in others it may be required.
  30549. maxLength: 253
  30550. minLength: 1
  30551. pattern: ^[-._a-zA-Z0-9]+$
  30552. type: string
  30553. name:
  30554. description: The name of the Secret resource being referred to.
  30555. maxLength: 253
  30556. minLength: 1
  30557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30558. type: string
  30559. namespace:
  30560. description: |-
  30561. The namespace of the Secret resource being referred to.
  30562. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30563. maxLength: 63
  30564. minLength: 1
  30565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30566. type: string
  30567. type: object
  30568. type: object
  30569. serviceAccountRef:
  30570. description: ServiceAccountRef to a service account for impersonation
  30571. properties:
  30572. audiences:
  30573. description: |-
  30574. Audience specifies the `aud` claim for the service account token
  30575. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30576. then this audiences will be appended to the list
  30577. items:
  30578. type: string
  30579. type: array
  30580. name:
  30581. description: The name of the ServiceAccount resource being referred to.
  30582. maxLength: 253
  30583. minLength: 1
  30584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30585. type: string
  30586. namespace:
  30587. description: |-
  30588. Namespace of the resource being referred to.
  30589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30590. maxLength: 63
  30591. minLength: 1
  30592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30593. type: string
  30594. required:
  30595. - name
  30596. type: object
  30597. workloadIdentity:
  30598. description: Specify a service account with Workload Identity
  30599. properties:
  30600. clusterLocation:
  30601. description: |-
  30602. ClusterLocation is the location of the cluster
  30603. If not specified, it fetches information from the metadata server
  30604. type: string
  30605. clusterName:
  30606. description: |-
  30607. ClusterName is the name of the cluster
  30608. If not specified, it fetches information from the metadata server
  30609. type: string
  30610. clusterProjectID:
  30611. description: |-
  30612. ClusterProjectID is the project ID of the cluster
  30613. If not specified, it fetches information from the metadata server
  30614. type: string
  30615. serviceAccountRef:
  30616. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30617. properties:
  30618. audiences:
  30619. description: |-
  30620. Audience specifies the `aud` claim for the service account token
  30621. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30622. then this audiences will be appended to the list
  30623. items:
  30624. type: string
  30625. type: array
  30626. name:
  30627. description: The name of the ServiceAccount resource being referred to.
  30628. maxLength: 253
  30629. minLength: 1
  30630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30631. type: string
  30632. namespace:
  30633. description: |-
  30634. Namespace of the resource being referred to.
  30635. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30636. maxLength: 63
  30637. minLength: 1
  30638. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30639. type: string
  30640. required:
  30641. - name
  30642. type: object
  30643. required:
  30644. - serviceAccountRef
  30645. type: object
  30646. required:
  30647. - role
  30648. type: object
  30649. iam:
  30650. description: |-
  30651. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  30652. AWS IAM authentication method
  30653. properties:
  30654. externalID:
  30655. description: AWS External ID set on assumed IAM roles
  30656. type: string
  30657. jwt:
  30658. description: Specify a service account with IRSA enabled
  30659. properties:
  30660. serviceAccountRef:
  30661. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30662. properties:
  30663. audiences:
  30664. description: |-
  30665. Audience specifies the `aud` claim for the service account token
  30666. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30667. then this audiences will be appended to the list
  30668. items:
  30669. type: string
  30670. type: array
  30671. name:
  30672. description: The name of the ServiceAccount resource being referred to.
  30673. maxLength: 253
  30674. minLength: 1
  30675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30676. type: string
  30677. namespace:
  30678. description: |-
  30679. Namespace of the resource being referred to.
  30680. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30681. maxLength: 63
  30682. minLength: 1
  30683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30684. type: string
  30685. required:
  30686. - name
  30687. type: object
  30688. type: object
  30689. path:
  30690. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30691. type: string
  30692. region:
  30693. description: AWS region
  30694. type: string
  30695. role:
  30696. description: This is the AWS role to be assumed before talking to vault
  30697. type: string
  30698. secretRef:
  30699. description: Specify credentials in a Secret object
  30700. properties:
  30701. accessKeyIDSecretRef:
  30702. description: The AccessKeyID is used for authentication
  30703. properties:
  30704. key:
  30705. description: |-
  30706. A key in the referenced Secret.
  30707. Some instances of this field may be defaulted, in others it may be required.
  30708. maxLength: 253
  30709. minLength: 1
  30710. pattern: ^[-._a-zA-Z0-9]+$
  30711. type: string
  30712. name:
  30713. description: The name of the Secret resource being referred to.
  30714. maxLength: 253
  30715. minLength: 1
  30716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30717. type: string
  30718. namespace:
  30719. description: |-
  30720. The namespace of the Secret resource being referred to.
  30721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30722. maxLength: 63
  30723. minLength: 1
  30724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30725. type: string
  30726. type: object
  30727. secretAccessKeySecretRef:
  30728. description: The SecretAccessKey is used for authentication
  30729. properties:
  30730. key:
  30731. description: |-
  30732. A key in the referenced Secret.
  30733. Some instances of this field may be defaulted, in others it may be required.
  30734. maxLength: 253
  30735. minLength: 1
  30736. pattern: ^[-._a-zA-Z0-9]+$
  30737. type: string
  30738. name:
  30739. description: The name of the Secret resource being referred to.
  30740. maxLength: 253
  30741. minLength: 1
  30742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30743. type: string
  30744. namespace:
  30745. description: |-
  30746. The namespace of the Secret resource being referred to.
  30747. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30748. maxLength: 63
  30749. minLength: 1
  30750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30751. type: string
  30752. type: object
  30753. sessionTokenSecretRef:
  30754. description: |-
  30755. The SessionToken used for authentication
  30756. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30757. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30758. properties:
  30759. key:
  30760. description: |-
  30761. A key in the referenced Secret.
  30762. Some instances of this field may be defaulted, in others it may be required.
  30763. maxLength: 253
  30764. minLength: 1
  30765. pattern: ^[-._a-zA-Z0-9]+$
  30766. type: string
  30767. name:
  30768. description: The name of the Secret resource being referred to.
  30769. maxLength: 253
  30770. minLength: 1
  30771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30772. type: string
  30773. namespace:
  30774. description: |-
  30775. The namespace of the Secret resource being referred to.
  30776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30777. maxLength: 63
  30778. minLength: 1
  30779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30780. type: string
  30781. type: object
  30782. type: object
  30783. vaultAwsIamServerID:
  30784. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30785. type: string
  30786. vaultRole:
  30787. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  30788. type: string
  30789. required:
  30790. - vaultRole
  30791. type: object
  30792. jwt:
  30793. description: |-
  30794. Jwt authenticates with Vault by passing role and JWT token using the
  30795. JWT/OIDC authentication method
  30796. properties:
  30797. kubernetesServiceAccountToken:
  30798. description: |-
  30799. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30800. a token for with the `TokenRequest` API.
  30801. properties:
  30802. audiences:
  30803. description: |-
  30804. Optional audiences field that will be used to request a temporary Kubernetes service
  30805. account token for the service account referenced by `serviceAccountRef`.
  30806. Defaults to a single audience `vault` it not specified.
  30807. Deprecated: use serviceAccountRef.Audiences instead
  30808. items:
  30809. type: string
  30810. type: array
  30811. expirationSeconds:
  30812. description: |-
  30813. Optional expiration time in seconds that will be used to request a temporary
  30814. Kubernetes service account token for the service account referenced by
  30815. `serviceAccountRef`.
  30816. Deprecated: this will be removed in the future.
  30817. Defaults to 10 minutes.
  30818. type: integer
  30819. serviceAccountRef:
  30820. description: Service account field containing the name of a kubernetes ServiceAccount.
  30821. properties:
  30822. audiences:
  30823. description: |-
  30824. Audience specifies the `aud` claim for the service account token
  30825. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30826. then this audiences will be appended to the list
  30827. items:
  30828. type: string
  30829. type: array
  30830. name:
  30831. description: The name of the ServiceAccount resource being referred to.
  30832. maxLength: 253
  30833. minLength: 1
  30834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30835. type: string
  30836. namespace:
  30837. description: |-
  30838. Namespace of the resource being referred to.
  30839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30840. maxLength: 63
  30841. minLength: 1
  30842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30843. type: string
  30844. required:
  30845. - name
  30846. type: object
  30847. required:
  30848. - serviceAccountRef
  30849. type: object
  30850. path:
  30851. default: jwt
  30852. description: |-
  30853. Path where the JWT authentication backend is mounted
  30854. in Vault, e.g: "jwt"
  30855. type: string
  30856. role:
  30857. description: |-
  30858. Role is a JWT role to authenticate using the JWT/OIDC Vault
  30859. authentication method
  30860. type: string
  30861. secretRef:
  30862. description: |-
  30863. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  30864. authenticate with Vault using the JWT/OIDC authentication method.
  30865. properties:
  30866. key:
  30867. description: |-
  30868. A key in the referenced Secret.
  30869. Some instances of this field may be defaulted, in others it may be required.
  30870. maxLength: 253
  30871. minLength: 1
  30872. pattern: ^[-._a-zA-Z0-9]+$
  30873. type: string
  30874. name:
  30875. description: The name of the Secret resource being referred to.
  30876. maxLength: 253
  30877. minLength: 1
  30878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30879. type: string
  30880. namespace:
  30881. description: |-
  30882. The namespace of the Secret resource being referred to.
  30883. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30884. maxLength: 63
  30885. minLength: 1
  30886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30887. type: string
  30888. type: object
  30889. required:
  30890. - path
  30891. type: object
  30892. kubernetes:
  30893. description: |-
  30894. Kubernetes authenticates with Vault by passing the ServiceAccount
  30895. token stored in the named Secret resource to the Vault server.
  30896. properties:
  30897. mountPath:
  30898. default: kubernetes
  30899. description: |-
  30900. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  30901. "kubernetes"
  30902. type: string
  30903. role:
  30904. description: |-
  30905. A required field containing the Vault Role to assume. A Role binds a
  30906. Kubernetes ServiceAccount with a set of Vault policies.
  30907. type: string
  30908. secretRef:
  30909. description: |-
  30910. Optional secret field containing a Kubernetes ServiceAccount JWT used
  30911. for authenticating with Vault. If a name is specified without a key,
  30912. `token` is the default. If one is not specified, the one bound to
  30913. the controller will be used.
  30914. properties:
  30915. key:
  30916. description: |-
  30917. A key in the referenced Secret.
  30918. Some instances of this field may be defaulted, in others it may be required.
  30919. maxLength: 253
  30920. minLength: 1
  30921. pattern: ^[-._a-zA-Z0-9]+$
  30922. type: string
  30923. name:
  30924. description: The name of the Secret resource being referred to.
  30925. maxLength: 253
  30926. minLength: 1
  30927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30928. type: string
  30929. namespace:
  30930. description: |-
  30931. The namespace of the Secret resource being referred to.
  30932. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30933. maxLength: 63
  30934. minLength: 1
  30935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30936. type: string
  30937. type: object
  30938. serviceAccountRef:
  30939. description: |-
  30940. Optional service account field containing the name of a kubernetes ServiceAccount.
  30941. If the service account is specified, the service account secret token JWT will be used
  30942. for authenticating with Vault. If the service account selector is not supplied,
  30943. the secretRef will be used instead.
  30944. properties:
  30945. audiences:
  30946. description: |-
  30947. Audience specifies the `aud` claim for the service account token
  30948. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30949. then this audiences will be appended to the list
  30950. items:
  30951. type: string
  30952. type: array
  30953. name:
  30954. description: The name of the ServiceAccount resource being referred to.
  30955. maxLength: 253
  30956. minLength: 1
  30957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30958. type: string
  30959. namespace:
  30960. description: |-
  30961. Namespace of the resource being referred to.
  30962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30963. maxLength: 63
  30964. minLength: 1
  30965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30966. type: string
  30967. required:
  30968. - name
  30969. type: object
  30970. required:
  30971. - mountPath
  30972. - role
  30973. type: object
  30974. ldap:
  30975. description: |-
  30976. Ldap authenticates with Vault by passing username/password pair using
  30977. the LDAP authentication method
  30978. properties:
  30979. path:
  30980. default: ldap
  30981. description: |-
  30982. Path where the LDAP authentication backend is mounted
  30983. in Vault, e.g: "ldap"
  30984. type: string
  30985. secretRef:
  30986. description: |-
  30987. SecretRef to a key in a Secret resource containing password for the LDAP
  30988. user used to authenticate with Vault using the LDAP authentication
  30989. method
  30990. properties:
  30991. key:
  30992. description: |-
  30993. A key in the referenced Secret.
  30994. Some instances of this field may be defaulted, in others it may be required.
  30995. maxLength: 253
  30996. minLength: 1
  30997. pattern: ^[-._a-zA-Z0-9]+$
  30998. type: string
  30999. name:
  31000. description: The name of the Secret resource being referred to.
  31001. maxLength: 253
  31002. minLength: 1
  31003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31004. type: string
  31005. namespace:
  31006. description: |-
  31007. The namespace of the Secret resource being referred to.
  31008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31009. maxLength: 63
  31010. minLength: 1
  31011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31012. type: string
  31013. type: object
  31014. username:
  31015. description: |-
  31016. Username is an LDAP username used to authenticate using the LDAP Vault
  31017. authentication method
  31018. type: string
  31019. required:
  31020. - path
  31021. - username
  31022. type: object
  31023. namespace:
  31024. description: |-
  31025. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  31026. Namespaces is a set of features within Vault Enterprise that allows
  31027. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  31028. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31029. This will default to Vault.Namespace field if set, or empty otherwise
  31030. type: string
  31031. tokenSecretRef:
  31032. description: TokenSecretRef authenticates with Vault by presenting a token.
  31033. properties:
  31034. key:
  31035. description: |-
  31036. A key in the referenced Secret.
  31037. Some instances of this field may be defaulted, in others it may be required.
  31038. maxLength: 253
  31039. minLength: 1
  31040. pattern: ^[-._a-zA-Z0-9]+$
  31041. type: string
  31042. name:
  31043. description: The name of the Secret resource being referred to.
  31044. maxLength: 253
  31045. minLength: 1
  31046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31047. type: string
  31048. namespace:
  31049. description: |-
  31050. The namespace of the Secret resource being referred to.
  31051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31052. maxLength: 63
  31053. minLength: 1
  31054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31055. type: string
  31056. type: object
  31057. userPass:
  31058. description: UserPass authenticates with Vault by passing username/password pair
  31059. properties:
  31060. path:
  31061. default: userpass
  31062. description: |-
  31063. Path where the UserPassword authentication backend is mounted
  31064. in Vault, e.g: "userpass"
  31065. type: string
  31066. secretRef:
  31067. description: |-
  31068. SecretRef to a key in a Secret resource containing password for the
  31069. user used to authenticate with Vault using the UserPass authentication
  31070. method
  31071. properties:
  31072. key:
  31073. description: |-
  31074. A key in the referenced Secret.
  31075. Some instances of this field may be defaulted, in others it may be required.
  31076. maxLength: 253
  31077. minLength: 1
  31078. pattern: ^[-._a-zA-Z0-9]+$
  31079. type: string
  31080. name:
  31081. description: The name of the Secret resource being referred to.
  31082. maxLength: 253
  31083. minLength: 1
  31084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31085. type: string
  31086. namespace:
  31087. description: |-
  31088. The namespace of the Secret resource being referred to.
  31089. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31090. maxLength: 63
  31091. minLength: 1
  31092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31093. type: string
  31094. type: object
  31095. username:
  31096. description: |-
  31097. Username is a username used to authenticate using the UserPass Vault
  31098. authentication method
  31099. type: string
  31100. required:
  31101. - path
  31102. - username
  31103. type: object
  31104. type: object
  31105. caBundle:
  31106. description: |-
  31107. PEM encoded CA bundle used to validate Vault server certificate. Only used
  31108. if the Server URL is using HTTPS protocol. This parameter is ignored for
  31109. plain HTTP protocol connection. If not set the system root certificates
  31110. are used to validate the TLS connection.
  31111. format: byte
  31112. type: string
  31113. caProvider:
  31114. description: The provider for the CA bundle to use to validate Vault server certificate.
  31115. properties:
  31116. key:
  31117. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31118. maxLength: 253
  31119. minLength: 1
  31120. pattern: ^[-._a-zA-Z0-9]+$
  31121. type: string
  31122. name:
  31123. description: The name of the object located at the provider type.
  31124. maxLength: 253
  31125. minLength: 1
  31126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31127. type: string
  31128. namespace:
  31129. description: |-
  31130. The namespace the Provider type is in.
  31131. Can only be defined when used in a ClusterSecretStore.
  31132. maxLength: 63
  31133. minLength: 1
  31134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31135. type: string
  31136. type:
  31137. description: The type of provider to use such as "Secret", or "ConfigMap".
  31138. enum:
  31139. - Secret
  31140. - ConfigMap
  31141. type: string
  31142. required:
  31143. - name
  31144. - type
  31145. type: object
  31146. checkAndSet:
  31147. description: |-
  31148. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  31149. Only applies to Vault KV v2 stores. When enabled, write operations must include
  31150. the current version of the secret to prevent unintentional overwrites.
  31151. properties:
  31152. required:
  31153. description: |-
  31154. Required when true, all write operations must include a check-and-set parameter.
  31155. This helps prevent unintentional overwrites of secrets.
  31156. type: boolean
  31157. type: object
  31158. forwardInconsistent:
  31159. description: |-
  31160. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  31161. leader instead of simply retrying within a loop. This can increase performance if
  31162. the option is enabled serverside.
  31163. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  31164. type: boolean
  31165. headers:
  31166. additionalProperties:
  31167. type: string
  31168. description: Headers to be added in Vault request
  31169. type: object
  31170. namespace:
  31171. description: |-
  31172. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  31173. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  31174. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31175. type: string
  31176. path:
  31177. description: |-
  31178. Path is the mount path of the Vault KV backend endpoint, e.g:
  31179. "secret". The v2 KV secret engine version specific "/data" path suffix
  31180. for fetching secrets from Vault is optional and will be appended
  31181. if not present in specified path.
  31182. type: string
  31183. readYourWrites:
  31184. description: |-
  31185. ReadYourWrites ensures isolated read-after-write semantics by
  31186. providing discovered cluster replication states in each request.
  31187. More information about eventual consistency in Vault can be found here
  31188. https://www.vaultproject.io/docs/enterprise/consistency
  31189. type: boolean
  31190. server:
  31191. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  31192. type: string
  31193. tls:
  31194. description: |-
  31195. The configuration used for client side related TLS communication, when the Vault server
  31196. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  31197. This parameter is ignored for plain HTTP protocol connection.
  31198. It's worth noting this configuration is different from the "TLS certificates auth method",
  31199. which is available under the `auth.cert` section.
  31200. properties:
  31201. certSecretRef:
  31202. description: |-
  31203. CertSecretRef is a certificate added to the transport layer
  31204. when communicating with the Vault server.
  31205. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  31206. properties:
  31207. key:
  31208. description: |-
  31209. A key in the referenced Secret.
  31210. Some instances of this field may be defaulted, in others it may be required.
  31211. maxLength: 253
  31212. minLength: 1
  31213. pattern: ^[-._a-zA-Z0-9]+$
  31214. type: string
  31215. name:
  31216. description: The name of the Secret resource being referred to.
  31217. maxLength: 253
  31218. minLength: 1
  31219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31220. type: string
  31221. namespace:
  31222. description: |-
  31223. The namespace of the Secret resource being referred to.
  31224. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31225. maxLength: 63
  31226. minLength: 1
  31227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31228. type: string
  31229. type: object
  31230. keySecretRef:
  31231. description: |-
  31232. KeySecretRef to a key in a Secret resource containing client private key
  31233. added to the transport layer when communicating with the Vault server.
  31234. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  31235. properties:
  31236. key:
  31237. description: |-
  31238. A key in the referenced Secret.
  31239. Some instances of this field may be defaulted, in others it may be required.
  31240. maxLength: 253
  31241. minLength: 1
  31242. pattern: ^[-._a-zA-Z0-9]+$
  31243. type: string
  31244. name:
  31245. description: The name of the Secret resource being referred to.
  31246. maxLength: 253
  31247. minLength: 1
  31248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31249. type: string
  31250. namespace:
  31251. description: |-
  31252. The namespace of the Secret resource being referred to.
  31253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31254. maxLength: 63
  31255. minLength: 1
  31256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31257. type: string
  31258. type: object
  31259. type: object
  31260. version:
  31261. default: v2
  31262. description: |-
  31263. Version is the Vault KV secret engine version. This can be either "v1" or
  31264. "v2". Version defaults to "v2".
  31265. enum:
  31266. - v1
  31267. - v2
  31268. type: string
  31269. required:
  31270. - server
  31271. type: object
  31272. resultType:
  31273. default: Data
  31274. description: |-
  31275. Result type defines which data is returned from the generator.
  31276. By default, it is the "data" section of the Vault API response.
  31277. When using e.g. /auth/token/create the "data" section is empty but
  31278. the "auth" section contains the generated token.
  31279. Please refer to the vault docs regarding the result data structure.
  31280. Additionally, accessing the raw response is possibly by using "Raw" result type.
  31281. enum:
  31282. - Data
  31283. - Auth
  31284. - Raw
  31285. type: string
  31286. retrySettings:
  31287. description: Used to configure http retries if failed
  31288. properties:
  31289. maxRetries:
  31290. type: integer
  31291. retryInterval:
  31292. type: string
  31293. type: object
  31294. required:
  31295. - path
  31296. - provider
  31297. type: object
  31298. type: object
  31299. served: true
  31300. storage: true
  31301. subresources:
  31302. status: {}
  31303. ---
  31304. apiVersion: apiextensions.k8s.io/v1
  31305. kind: CustomResourceDefinition
  31306. metadata:
  31307. annotations:
  31308. controller-gen.kubebuilder.io/version: v0.19.0
  31309. labels:
  31310. external-secrets.io/component: controller
  31311. name: webhooks.generators.external-secrets.io
  31312. spec:
  31313. group: generators.external-secrets.io
  31314. names:
  31315. categories:
  31316. - external-secrets
  31317. - external-secrets-generators
  31318. kind: Webhook
  31319. listKind: WebhookList
  31320. plural: webhooks
  31321. singular: webhook
  31322. scope: Namespaced
  31323. versions:
  31324. - name: v1alpha1
  31325. schema:
  31326. openAPIV3Schema:
  31327. description: |-
  31328. Webhook connects to a third party API server to handle the secrets generation
  31329. configuration parameters in spec.
  31330. You can specify the server, the token, and additional body parameters.
  31331. See documentation for the full API specification for requests and responses.
  31332. properties:
  31333. apiVersion:
  31334. description: |-
  31335. APIVersion defines the versioned schema of this representation of an object.
  31336. Servers should convert recognized schemas to the latest internal value, and
  31337. may reject unrecognized values.
  31338. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31339. type: string
  31340. kind:
  31341. description: |-
  31342. Kind is a string value representing the REST resource this object represents.
  31343. Servers may infer this from the endpoint the client submits requests to.
  31344. Cannot be updated.
  31345. In CamelCase.
  31346. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31347. type: string
  31348. metadata:
  31349. type: object
  31350. spec:
  31351. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  31352. properties:
  31353. auth:
  31354. description: Auth specifies a authorization protocol. Only one protocol may be set.
  31355. maxProperties: 1
  31356. minProperties: 1
  31357. properties:
  31358. ntlm:
  31359. description: NTLMProtocol configures the store to use NTLM for auth
  31360. properties:
  31361. passwordSecret:
  31362. description: |-
  31363. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31364. In some instances, `key` is a required field.
  31365. properties:
  31366. key:
  31367. description: |-
  31368. A key in the referenced Secret.
  31369. Some instances of this field may be defaulted, in others it may be required.
  31370. maxLength: 253
  31371. minLength: 1
  31372. pattern: ^[-._a-zA-Z0-9]+$
  31373. type: string
  31374. name:
  31375. description: The name of the Secret resource being referred to.
  31376. maxLength: 253
  31377. minLength: 1
  31378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31379. type: string
  31380. namespace:
  31381. description: |-
  31382. The namespace of the Secret resource being referred to.
  31383. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31384. maxLength: 63
  31385. minLength: 1
  31386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31387. type: string
  31388. type: object
  31389. usernameSecret:
  31390. description: |-
  31391. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31392. In some instances, `key` is a required field.
  31393. properties:
  31394. key:
  31395. description: |-
  31396. A key in the referenced Secret.
  31397. Some instances of this field may be defaulted, in others it may be required.
  31398. maxLength: 253
  31399. minLength: 1
  31400. pattern: ^[-._a-zA-Z0-9]+$
  31401. type: string
  31402. name:
  31403. description: The name of the Secret resource being referred to.
  31404. maxLength: 253
  31405. minLength: 1
  31406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31407. type: string
  31408. namespace:
  31409. description: |-
  31410. The namespace of the Secret resource being referred to.
  31411. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31412. maxLength: 63
  31413. minLength: 1
  31414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31415. type: string
  31416. type: object
  31417. required:
  31418. - passwordSecret
  31419. - usernameSecret
  31420. type: object
  31421. type: object
  31422. body:
  31423. description: Body
  31424. type: string
  31425. caBundle:
  31426. description: |-
  31427. PEM encoded CA bundle used to validate webhook server certificate. Only used
  31428. if the Server URL is using HTTPS protocol. This parameter is ignored for
  31429. plain HTTP protocol connection. If not set the system root certificates
  31430. are used to validate the TLS connection.
  31431. format: byte
  31432. type: string
  31433. caProvider:
  31434. description: The provider for the CA bundle to use to validate webhook server certificate.
  31435. properties:
  31436. key:
  31437. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31438. maxLength: 253
  31439. minLength: 1
  31440. pattern: ^[-._a-zA-Z0-9]+$
  31441. type: string
  31442. name:
  31443. description: The name of the object located at the provider type.
  31444. maxLength: 253
  31445. minLength: 1
  31446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31447. type: string
  31448. namespace:
  31449. description: The namespace the Provider type is in.
  31450. maxLength: 63
  31451. minLength: 1
  31452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31453. type: string
  31454. type:
  31455. description: The type of provider to use such as "Secret", or "ConfigMap".
  31456. enum:
  31457. - Secret
  31458. - ConfigMap
  31459. type: string
  31460. required:
  31461. - name
  31462. - type
  31463. type: object
  31464. headers:
  31465. additionalProperties:
  31466. type: string
  31467. description: Headers
  31468. type: object
  31469. method:
  31470. description: Webhook Method
  31471. type: string
  31472. result:
  31473. description: Result formatting
  31474. properties:
  31475. jsonPath:
  31476. description: Json path of return value
  31477. type: string
  31478. type: object
  31479. secrets:
  31480. description: |-
  31481. Secrets to fill in templates
  31482. These secrets will be passed to the templating function as key value pairs under the given name
  31483. items:
  31484. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  31485. properties:
  31486. name:
  31487. description: Name of this secret in templates
  31488. type: string
  31489. secretRef:
  31490. description: Secret ref to fill in credentials
  31491. properties:
  31492. key:
  31493. description: The key where the token is found.
  31494. maxLength: 253
  31495. minLength: 1
  31496. pattern: ^[-._a-zA-Z0-9]+$
  31497. type: string
  31498. name:
  31499. description: The name of the Secret resource being referred to.
  31500. maxLength: 253
  31501. minLength: 1
  31502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31503. type: string
  31504. type: object
  31505. required:
  31506. - name
  31507. - secretRef
  31508. type: object
  31509. type: array
  31510. timeout:
  31511. description: Timeout
  31512. type: string
  31513. url:
  31514. description: Webhook url to call
  31515. type: string
  31516. required:
  31517. - result
  31518. - url
  31519. type: object
  31520. type: object
  31521. served: true
  31522. storage: true
  31523. subresources:
  31524. status: {}
  31525. ---
  31526. apiVersion: apiextensions.k8s.io/v1
  31527. kind: CustomResourceDefinition
  31528. metadata:
  31529. annotations:
  31530. controller-gen.kubebuilder.io/version: v0.19.0
  31531. name: fakes.provider.external-secrets.io
  31532. spec:
  31533. group: provider.external-secrets.io
  31534. names:
  31535. categories:
  31536. - external-secrets
  31537. kind: Fake
  31538. listKind: FakeList
  31539. plural: fakes
  31540. shortNames:
  31541. - fake
  31542. singular: fake
  31543. scope: Namespaced
  31544. versions:
  31545. - name: v2alpha1
  31546. schema:
  31547. openAPIV3Schema:
  31548. description: |-
  31549. Fake defines the configuration for the Fake provider.
  31550. This provider returns static key-value pairs for testing purposes.
  31551. properties:
  31552. apiVersion:
  31553. description: |-
  31554. APIVersion defines the versioned schema of this representation of an object.
  31555. Servers should convert recognized schemas to the latest internal value, and
  31556. may reject unrecognized values.
  31557. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31558. type: string
  31559. kind:
  31560. description: |-
  31561. Kind is a string value representing the REST resource this object represents.
  31562. Servers may infer this from the endpoint the client submits requests to.
  31563. Cannot be updated.
  31564. In CamelCase.
  31565. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31566. type: string
  31567. metadata:
  31568. type: object
  31569. spec:
  31570. description: FakeProvider configures a fake provider that returns static values.
  31571. properties:
  31572. data:
  31573. items:
  31574. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  31575. properties:
  31576. key:
  31577. type: string
  31578. value:
  31579. type: string
  31580. version:
  31581. type: string
  31582. required:
  31583. - key
  31584. - value
  31585. type: object
  31586. type: array
  31587. validationResult:
  31588. description: ValidationResult is defined type for the number of validation results.
  31589. type: integer
  31590. required:
  31591. - data
  31592. type: object
  31593. type: object
  31594. served: true
  31595. storage: true
  31596. subresources:
  31597. status: {}
  31598. ---
  31599. apiVersion: apiextensions.k8s.io/v1
  31600. kind: CustomResourceDefinition
  31601. metadata:
  31602. annotations:
  31603. controller-gen.kubebuilder.io/version: v0.19.0
  31604. name: kubernetes.provider.external-secrets.io
  31605. spec:
  31606. group: provider.external-secrets.io
  31607. names:
  31608. categories:
  31609. - external-secrets
  31610. kind: Kubernetes
  31611. listKind: KubernetesList
  31612. plural: kubernetes
  31613. singular: kubernetes
  31614. scope: Namespaced
  31615. versions:
  31616. - name: v2alpha1
  31617. schema:
  31618. openAPIV3Schema:
  31619. description: |-
  31620. Kubernetes defines the configuration for the Kubernetes Secret provider.
  31621. This provider fetches secrets from Kubernetes Secrets in the same cluster.
  31622. It's primarily useful for testing and migration scenarios.
  31623. properties:
  31624. apiVersion:
  31625. description: |-
  31626. APIVersion defines the versioned schema of this representation of an object.
  31627. Servers should convert recognized schemas to the latest internal value, and
  31628. may reject unrecognized values.
  31629. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31630. type: string
  31631. kind:
  31632. description: |-
  31633. Kind is a string value representing the REST resource this object represents.
  31634. Servers may infer this from the endpoint the client submits requests to.
  31635. Cannot be updated.
  31636. In CamelCase.
  31637. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31638. type: string
  31639. metadata:
  31640. type: object
  31641. spec:
  31642. description: KubernetesProvider configures a store to sync secrets with a Kubernetes instance.
  31643. properties:
  31644. auth:
  31645. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  31646. maxProperties: 1
  31647. minProperties: 1
  31648. properties:
  31649. cert:
  31650. description: has both clientCert and clientKey as secretKeySelector
  31651. properties:
  31652. clientCert:
  31653. description: |-
  31654. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31655. In some instances, `key` is a required field.
  31656. properties:
  31657. key:
  31658. description: |-
  31659. A key in the referenced Secret.
  31660. Some instances of this field may be defaulted, in others it may be required.
  31661. maxLength: 253
  31662. minLength: 1
  31663. pattern: ^[-._a-zA-Z0-9]+$
  31664. type: string
  31665. name:
  31666. description: The name of the Secret resource being referred to.
  31667. maxLength: 253
  31668. minLength: 1
  31669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31670. type: string
  31671. namespace:
  31672. description: |-
  31673. The namespace of the Secret resource being referred to.
  31674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31675. maxLength: 63
  31676. minLength: 1
  31677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31678. type: string
  31679. type: object
  31680. clientKey:
  31681. description: |-
  31682. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31683. In some instances, `key` is a required field.
  31684. properties:
  31685. key:
  31686. description: |-
  31687. A key in the referenced Secret.
  31688. Some instances of this field may be defaulted, in others it may be required.
  31689. maxLength: 253
  31690. minLength: 1
  31691. pattern: ^[-._a-zA-Z0-9]+$
  31692. type: string
  31693. name:
  31694. description: The name of the Secret resource being referred to.
  31695. maxLength: 253
  31696. minLength: 1
  31697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31698. type: string
  31699. namespace:
  31700. description: |-
  31701. The namespace of the Secret resource being referred to.
  31702. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31703. maxLength: 63
  31704. minLength: 1
  31705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31706. type: string
  31707. type: object
  31708. type: object
  31709. serviceAccount:
  31710. description: points to a service account that should be used for authentication
  31711. properties:
  31712. audiences:
  31713. description: |-
  31714. Audience specifies the `aud` claim for the service account token
  31715. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  31716. then this audiences will be appended to the list
  31717. items:
  31718. type: string
  31719. type: array
  31720. name:
  31721. description: The name of the ServiceAccount resource being referred to.
  31722. maxLength: 253
  31723. minLength: 1
  31724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31725. type: string
  31726. namespace:
  31727. description: |-
  31728. Namespace of the resource being referred to.
  31729. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31730. maxLength: 63
  31731. minLength: 1
  31732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31733. type: string
  31734. required:
  31735. - name
  31736. type: object
  31737. token:
  31738. description: use static token to authenticate with
  31739. properties:
  31740. bearerToken:
  31741. description: |-
  31742. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31743. In some instances, `key` is a required field.
  31744. properties:
  31745. key:
  31746. description: |-
  31747. A key in the referenced Secret.
  31748. Some instances of this field may be defaulted, in others it may be required.
  31749. maxLength: 253
  31750. minLength: 1
  31751. pattern: ^[-._a-zA-Z0-9]+$
  31752. type: string
  31753. name:
  31754. description: The name of the Secret resource being referred to.
  31755. maxLength: 253
  31756. minLength: 1
  31757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31758. type: string
  31759. namespace:
  31760. description: |-
  31761. The namespace of the Secret resource being referred to.
  31762. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31763. maxLength: 63
  31764. minLength: 1
  31765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31766. type: string
  31767. type: object
  31768. type: object
  31769. type: object
  31770. authRef:
  31771. description: A reference to a secret that contains the auth information.
  31772. properties:
  31773. key:
  31774. description: |-
  31775. A key in the referenced Secret.
  31776. Some instances of this field may be defaulted, in others it may be required.
  31777. maxLength: 253
  31778. minLength: 1
  31779. pattern: ^[-._a-zA-Z0-9]+$
  31780. type: string
  31781. name:
  31782. description: The name of the Secret resource being referred to.
  31783. maxLength: 253
  31784. minLength: 1
  31785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31786. type: string
  31787. namespace:
  31788. description: |-
  31789. The namespace of the Secret resource being referred to.
  31790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31791. maxLength: 63
  31792. minLength: 1
  31793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31794. type: string
  31795. type: object
  31796. remoteNamespace:
  31797. default: default
  31798. description: Remote namespace to fetch the secrets from
  31799. maxLength: 63
  31800. minLength: 1
  31801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31802. type: string
  31803. server:
  31804. description: configures the Kubernetes server Address.
  31805. properties:
  31806. caBundle:
  31807. description: CABundle is a base64-encoded CA certificate
  31808. format: byte
  31809. type: string
  31810. caProvider:
  31811. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  31812. properties:
  31813. key:
  31814. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31815. maxLength: 253
  31816. minLength: 1
  31817. pattern: ^[-._a-zA-Z0-9]+$
  31818. type: string
  31819. name:
  31820. description: The name of the object located at the provider type.
  31821. maxLength: 253
  31822. minLength: 1
  31823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31824. type: string
  31825. namespace:
  31826. description: |-
  31827. The namespace the Provider type is in.
  31828. Can only be defined when used in a ClusterSecretStore.
  31829. maxLength: 63
  31830. minLength: 1
  31831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31832. type: string
  31833. type:
  31834. description: The type of provider to use such as "Secret", or "ConfigMap".
  31835. enum:
  31836. - Secret
  31837. - ConfigMap
  31838. type: string
  31839. required:
  31840. - name
  31841. - type
  31842. type: object
  31843. url:
  31844. default: kubernetes.default
  31845. description: configures the Kubernetes server Address.
  31846. type: string
  31847. type: object
  31848. type: object
  31849. type: object
  31850. served: true
  31851. storage: true
  31852. subresources:
  31853. status: {}
  31854. ---
  31855. apiVersion: apiextensions.k8s.io/v1
  31856. kind: CustomResourceDefinition
  31857. metadata:
  31858. annotations:
  31859. controller-gen.kubebuilder.io/version: v0.19.0
  31860. name: parameterstores.provider.external-secrets.io
  31861. spec:
  31862. group: provider.external-secrets.io
  31863. names:
  31864. categories:
  31865. - externalsecrets
  31866. kind: ParameterStore
  31867. listKind: ParameterStoreList
  31868. plural: parameterstores
  31869. shortNames:
  31870. - ssm
  31871. singular: parameterstore
  31872. scope: Namespaced
  31873. versions:
  31874. - additionalPrinterColumns:
  31875. - jsonPath: .spec.region
  31876. name: Region
  31877. type: string
  31878. - jsonPath: .metadata.creationTimestamp
  31879. name: Age
  31880. type: date
  31881. name: v2alpha1
  31882. schema:
  31883. openAPIV3Schema:
  31884. description: ParameterStore is the Schema for AWS Parameter Store provider configuration.
  31885. properties:
  31886. apiVersion:
  31887. description: |-
  31888. APIVersion defines the versioned schema of this representation of an object.
  31889. Servers should convert recognized schemas to the latest internal value, and
  31890. may reject unrecognized values.
  31891. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31892. type: string
  31893. kind:
  31894. description: |-
  31895. Kind is a string value representing the REST resource this object represents.
  31896. Servers may infer this from the endpoint the client submits requests to.
  31897. Cannot be updated.
  31898. In CamelCase.
  31899. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31900. type: string
  31901. metadata:
  31902. type: object
  31903. spec:
  31904. description: ParameterStoreSpec defines the desired state of ParameterStore.
  31905. properties:
  31906. additionalRoles:
  31907. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  31908. items:
  31909. type: string
  31910. type: array
  31911. auth:
  31912. description: |-
  31913. Auth defines the information necessary to authenticate against AWS
  31914. if not set aws sdk will infer credentials from your environment
  31915. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  31916. properties:
  31917. jwt:
  31918. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  31919. properties:
  31920. serviceAccountRef:
  31921. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  31922. properties:
  31923. audiences:
  31924. description: |-
  31925. Audience specifies the `aud` claim for the service account token
  31926. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  31927. then this audiences will be appended to the list
  31928. items:
  31929. type: string
  31930. type: array
  31931. name:
  31932. description: The name of the ServiceAccount resource being referred to.
  31933. maxLength: 253
  31934. minLength: 1
  31935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31936. type: string
  31937. namespace:
  31938. description: |-
  31939. Namespace of the resource being referred to.
  31940. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31941. maxLength: 63
  31942. minLength: 1
  31943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31944. type: string
  31945. required:
  31946. - name
  31947. type: object
  31948. type: object
  31949. secretRef:
  31950. description: |-
  31951. AWSAuthSecretRef holds secret references for AWS credentials
  31952. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  31953. properties:
  31954. accessKeyIDSecretRef:
  31955. description: The AccessKeyID is used for authentication
  31956. properties:
  31957. key:
  31958. description: |-
  31959. A key in the referenced Secret.
  31960. Some instances of this field may be defaulted, in others it may be required.
  31961. maxLength: 253
  31962. minLength: 1
  31963. pattern: ^[-._a-zA-Z0-9]+$
  31964. type: string
  31965. name:
  31966. description: The name of the Secret resource being referred to.
  31967. maxLength: 253
  31968. minLength: 1
  31969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31970. type: string
  31971. namespace:
  31972. description: |-
  31973. The namespace of the Secret resource being referred to.
  31974. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31975. maxLength: 63
  31976. minLength: 1
  31977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31978. type: string
  31979. type: object
  31980. secretAccessKeySecretRef:
  31981. description: The SecretAccessKey is used for authentication
  31982. properties:
  31983. key:
  31984. description: |-
  31985. A key in the referenced Secret.
  31986. Some instances of this field may be defaulted, in others it may be required.
  31987. maxLength: 253
  31988. minLength: 1
  31989. pattern: ^[-._a-zA-Z0-9]+$
  31990. type: string
  31991. name:
  31992. description: The name of the Secret resource being referred to.
  31993. maxLength: 253
  31994. minLength: 1
  31995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31996. type: string
  31997. namespace:
  31998. description: |-
  31999. The namespace of the Secret resource being referred to.
  32000. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32001. maxLength: 63
  32002. minLength: 1
  32003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32004. type: string
  32005. type: object
  32006. sessionTokenSecretRef:
  32007. description: |-
  32008. The SessionToken used for authentication
  32009. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  32010. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  32011. properties:
  32012. key:
  32013. description: |-
  32014. A key in the referenced Secret.
  32015. Some instances of this field may be defaulted, in others it may be required.
  32016. maxLength: 253
  32017. minLength: 1
  32018. pattern: ^[-._a-zA-Z0-9]+$
  32019. type: string
  32020. name:
  32021. description: The name of the Secret resource being referred to.
  32022. maxLength: 253
  32023. minLength: 1
  32024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  32025. type: string
  32026. namespace:
  32027. description: |-
  32028. The namespace of the Secret resource being referred to.
  32029. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32030. maxLength: 63
  32031. minLength: 1
  32032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32033. type: string
  32034. type: object
  32035. type: object
  32036. type: object
  32037. externalID:
  32038. description: AWS External ID set on assumed IAM roles
  32039. type: string
  32040. prefix:
  32041. description: Prefix adds a prefix to all retrieved values.
  32042. type: string
  32043. region:
  32044. description: AWS Region to be used for the provider
  32045. type: string
  32046. role:
  32047. description: Role is a Role ARN which the provider will assume
  32048. type: string
  32049. sessionTags:
  32050. description: AWS STS assume role session tags
  32051. items:
  32052. description: |-
  32053. Tag is a key-value pair that can be attached to an AWS resource.
  32054. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  32055. properties:
  32056. key:
  32057. type: string
  32058. value:
  32059. type: string
  32060. required:
  32061. - key
  32062. - value
  32063. type: object
  32064. type: array
  32065. transitiveTagKeys:
  32066. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  32067. items:
  32068. type: string
  32069. type: array
  32070. required:
  32071. - region
  32072. type: object
  32073. status:
  32074. description: ParameterStoreStatus defines the observed state of ParameterStore.
  32075. properties:
  32076. conditions:
  32077. description: Conditions represent the latest available observations of the resource's state.
  32078. items:
  32079. description: Condition contains details for one aspect of the current state of this API Resource.
  32080. properties:
  32081. lastTransitionTime:
  32082. description: |-
  32083. lastTransitionTime is the last time the condition transitioned from one status to another.
  32084. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
  32085. format: date-time
  32086. type: string
  32087. message:
  32088. description: |-
  32089. message is a human readable message indicating details about the transition.
  32090. This may be an empty string.
  32091. maxLength: 32768
  32092. type: string
  32093. observedGeneration:
  32094. description: |-
  32095. observedGeneration represents the .metadata.generation that the condition was set based upon.
  32096. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
  32097. with respect to the current state of the instance.
  32098. format: int64
  32099. minimum: 0
  32100. type: integer
  32101. reason:
  32102. description: |-
  32103. reason contains a programmatic identifier indicating the reason for the condition's last transition.
  32104. Producers of specific condition types may define expected values and meanings for this field,
  32105. and whether the values are considered a guaranteed API.
  32106. The value should be a CamelCase string.
  32107. This field may not be empty.
  32108. maxLength: 1024
  32109. minLength: 1
  32110. pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
  32111. type: string
  32112. status:
  32113. description: status of the condition, one of True, False, Unknown.
  32114. enum:
  32115. - "True"
  32116. - "False"
  32117. - Unknown
  32118. type: string
  32119. type:
  32120. description: type of condition in CamelCase or in foo.example.com/CamelCase.
  32121. maxLength: 316
  32122. pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
  32123. type: string
  32124. required:
  32125. - lastTransitionTime
  32126. - message
  32127. - reason
  32128. - status
  32129. - type
  32130. type: object
  32131. type: array
  32132. type: object
  32133. type: object
  32134. served: true
  32135. storage: true
  32136. subresources:
  32137. status: {}
  32138. ---
  32139. apiVersion: apiextensions.k8s.io/v1
  32140. kind: CustomResourceDefinition
  32141. metadata:
  32142. annotations:
  32143. controller-gen.kubebuilder.io/version: v0.19.0
  32144. name: secretsmanagers.provider.external-secrets.io
  32145. spec:
  32146. group: provider.external-secrets.io
  32147. names:
  32148. categories:
  32149. - externalsecrets
  32150. kind: SecretsManager
  32151. listKind: SecretsManagerList
  32152. plural: secretsmanagers
  32153. shortNames:
  32154. - sm
  32155. singular: secretsmanager
  32156. scope: Namespaced
  32157. versions:
  32158. - additionalPrinterColumns:
  32159. - jsonPath: .spec.region
  32160. name: Region
  32161. type: string
  32162. - jsonPath: .metadata.creationTimestamp
  32163. name: Age
  32164. type: date
  32165. name: v2alpha1
  32166. schema:
  32167. openAPIV3Schema:
  32168. description: SecretsManager is the Schema for AWS Secrets Manager provider configuration.
  32169. properties:
  32170. apiVersion:
  32171. description: |-
  32172. APIVersion defines the versioned schema of this representation of an object.
  32173. Servers should convert recognized schemas to the latest internal value, and
  32174. may reject unrecognized values.
  32175. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  32176. type: string
  32177. kind:
  32178. description: |-
  32179. Kind is a string value representing the REST resource this object represents.
  32180. Servers may infer this from the endpoint the client submits requests to.
  32181. Cannot be updated.
  32182. In CamelCase.
  32183. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  32184. type: string
  32185. metadata:
  32186. type: object
  32187. spec:
  32188. description: SecretsManagerSpec defines the desired state of SecretsManager.
  32189. properties:
  32190. additionalRoles:
  32191. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  32192. items:
  32193. type: string
  32194. type: array
  32195. auth:
  32196. description: |-
  32197. Auth defines the information necessary to authenticate against AWS
  32198. if not set aws sdk will infer credentials from your environment
  32199. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  32200. properties:
  32201. jwt:
  32202. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  32203. properties:
  32204. serviceAccountRef:
  32205. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  32206. properties:
  32207. audiences:
  32208. description: |-
  32209. Audience specifies the `aud` claim for the service account token
  32210. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  32211. then this audiences will be appended to the list
  32212. items:
  32213. type: string
  32214. type: array
  32215. name:
  32216. description: The name of the ServiceAccount resource being referred to.
  32217. maxLength: 253
  32218. minLength: 1
  32219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  32220. type: string
  32221. namespace:
  32222. description: |-
  32223. Namespace of the resource being referred to.
  32224. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32225. maxLength: 63
  32226. minLength: 1
  32227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32228. type: string
  32229. required:
  32230. - name
  32231. type: object
  32232. type: object
  32233. secretRef:
  32234. description: |-
  32235. AWSAuthSecretRef holds secret references for AWS credentials
  32236. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  32237. properties:
  32238. accessKeyIDSecretRef:
  32239. description: The AccessKeyID is used for authentication
  32240. properties:
  32241. key:
  32242. description: |-
  32243. A key in the referenced Secret.
  32244. Some instances of this field may be defaulted, in others it may be required.
  32245. maxLength: 253
  32246. minLength: 1
  32247. pattern: ^[-._a-zA-Z0-9]+$
  32248. type: string
  32249. name:
  32250. description: The name of the Secret resource being referred to.
  32251. maxLength: 253
  32252. minLength: 1
  32253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  32254. type: string
  32255. namespace:
  32256. description: |-
  32257. The namespace of the Secret resource being referred to.
  32258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32259. maxLength: 63
  32260. minLength: 1
  32261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32262. type: string
  32263. type: object
  32264. secretAccessKeySecretRef:
  32265. description: The SecretAccessKey is used for authentication
  32266. properties:
  32267. key:
  32268. description: |-
  32269. A key in the referenced Secret.
  32270. Some instances of this field may be defaulted, in others it may be required.
  32271. maxLength: 253
  32272. minLength: 1
  32273. pattern: ^[-._a-zA-Z0-9]+$
  32274. type: string
  32275. name:
  32276. description: The name of the Secret resource being referred to.
  32277. maxLength: 253
  32278. minLength: 1
  32279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  32280. type: string
  32281. namespace:
  32282. description: |-
  32283. The namespace of the Secret resource being referred to.
  32284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32285. maxLength: 63
  32286. minLength: 1
  32287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32288. type: string
  32289. type: object
  32290. sessionTokenSecretRef:
  32291. description: |-
  32292. The SessionToken used for authentication
  32293. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  32294. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  32295. properties:
  32296. key:
  32297. description: |-
  32298. A key in the referenced Secret.
  32299. Some instances of this field may be defaulted, in others it may be required.
  32300. maxLength: 253
  32301. minLength: 1
  32302. pattern: ^[-._a-zA-Z0-9]+$
  32303. type: string
  32304. name:
  32305. description: The name of the Secret resource being referred to.
  32306. maxLength: 253
  32307. minLength: 1
  32308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  32309. type: string
  32310. namespace:
  32311. description: |-
  32312. The namespace of the Secret resource being referred to.
  32313. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  32314. maxLength: 63
  32315. minLength: 1
  32316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  32317. type: string
  32318. type: object
  32319. type: object
  32320. type: object
  32321. externalID:
  32322. description: AWS External ID set on assumed IAM roles
  32323. type: string
  32324. prefix:
  32325. description: Prefix adds a prefix to all retrieved values.
  32326. type: string
  32327. region:
  32328. description: AWS Region to be used for the provider
  32329. type: string
  32330. role:
  32331. description: Role is a Role ARN which the provider will assume
  32332. type: string
  32333. secretsManager:
  32334. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  32335. properties:
  32336. forceDeleteWithoutRecovery:
  32337. description: |-
  32338. Specifies whether to delete the secret without any recovery window. You
  32339. can't use both this parameter and RecoveryWindowInDays in the same call.
  32340. If you don't use either, then by default Secrets Manager uses a 30 day
  32341. recovery window.
  32342. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  32343. type: boolean
  32344. recoveryWindowInDays:
  32345. description: |-
  32346. The number of days from 7 to 30 that Secrets Manager waits before
  32347. permanently deleting the secret. You can't use both this parameter and
  32348. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  32349. then by default Secrets Manager uses a 30-day recovery window.
  32350. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  32351. type: integer
  32352. type: object
  32353. sessionTags:
  32354. description: AWS STS assume role session tags
  32355. items:
  32356. description: |-
  32357. Tag is a key-value pair that can be attached to an AWS resource.
  32358. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  32359. properties:
  32360. key:
  32361. type: string
  32362. value:
  32363. type: string
  32364. required:
  32365. - key
  32366. - value
  32367. type: object
  32368. type: array
  32369. transitiveTagKeys:
  32370. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  32371. items:
  32372. type: string
  32373. type: array
  32374. required:
  32375. - region
  32376. type: object
  32377. status:
  32378. description: SecretsManagerStatus defines the observed state of SecretsManager.
  32379. properties:
  32380. conditions:
  32381. description: Conditions represent the latest available observations of the resource's state.
  32382. items:
  32383. description: Condition contains details for one aspect of the current state of this API Resource.
  32384. properties:
  32385. lastTransitionTime:
  32386. description: |-
  32387. lastTransitionTime is the last time the condition transitioned from one status to another.
  32388. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
  32389. format: date-time
  32390. type: string
  32391. message:
  32392. description: |-
  32393. message is a human readable message indicating details about the transition.
  32394. This may be an empty string.
  32395. maxLength: 32768
  32396. type: string
  32397. observedGeneration:
  32398. description: |-
  32399. observedGeneration represents the .metadata.generation that the condition was set based upon.
  32400. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
  32401. with respect to the current state of the instance.
  32402. format: int64
  32403. minimum: 0
  32404. type: integer
  32405. reason:
  32406. description: |-
  32407. reason contains a programmatic identifier indicating the reason for the condition's last transition.
  32408. Producers of specific condition types may define expected values and meanings for this field,
  32409. and whether the values are considered a guaranteed API.
  32410. The value should be a CamelCase string.
  32411. This field may not be empty.
  32412. maxLength: 1024
  32413. minLength: 1
  32414. pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
  32415. type: string
  32416. status:
  32417. description: status of the condition, one of True, False, Unknown.
  32418. enum:
  32419. - "True"
  32420. - "False"
  32421. - Unknown
  32422. type: string
  32423. type:
  32424. description: type of condition in CamelCase or in foo.example.com/CamelCase.
  32425. maxLength: 316
  32426. pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
  32427. type: string
  32428. required:
  32429. - lastTransitionTime
  32430. - message
  32431. - reason
  32432. - status
  32433. - type
  32434. type: object
  32435. type: array
  32436. type: object
  32437. type: object
  32438. served: true
  32439. storage: true
  32440. subresources:
  32441. status: {}